Ch 5 Flashcards
Internal control is a process that is designed to provide reasonable assurance regarding Achievement of what 3 objectives?
1 reliability of financial reporting
2 effectiveness and efficiency of operations
3 compliance with applicable laws and regulations
COSO
Committee of Sponsoring Organizations
Management objectives of financial reporting 2
Reliable financial reports
Safe guard assets
Management objectives of operations, 5 examples
1 good business reputation 2 ensuring positive return on investment 3 increasing market share 4 promoting new product innovation 5 using assets efficiently
Management objectives of compliance
Comply with laws and regulations that affect entity
4 common limitations to internal control systems
1 human error due to mistakes in judgement, fatigue, carelessness
2 deliberate circumvention by people in system
3 management can override controls
4 collusion among people who are supposed to act independently
When separation of duties is supposed to occur
Reasonable assurance recognizes that costs of controls…
Should not exceed benefits that are expected from the controls
Integrated audit process
Describes an audit process that is designed to provide an
Opinion on both the financial statements and internal control
System of entity
3 reasons auditors must evaluate entity’s internal control
1 assess effectiveness of internal control
2 identify fraud risk in planning stage of audit
3 assess risk of material misstatement for each relevant assertion
Risk of materials misstatement (RMM), why is it assessed?
Give audit team basis for planning audit
And determining nature, timing and extent of further audit
procedures
RMM is composed of…
Inherent risk and control risk
Inherent risk
Susceptibility of an account to misstatement
Control risk
Probability that an entity’s controls will fail to prevent
or detect Material misstatements due to errors or frauds that
Would otherwise have entered the system
What should an audit team do when entity’s control risks are high?
Nature, timing, extent?
Audit team would use substantive tests of details to obtain
External evidence (nature) near the entity’s fiscal year end
(Timing)
With large sample sizes (extent)
When there is higher control risk, detection risk is…
2) when there is lower control risk, detection risk is…
Lower
2) higher
More reliance is placed on internal control when control risk is…
Lower
Lower control risk: nature, timing, extent
Nature: less effective tests conducted
Timing: testing can be performed at interim of year
Extent: lower sample size
5 interrelated components of internal control
1 control environment 2 risk assessment 3 control activities 4 monitoring 5 information and communication
Control environment factors include 3 things
1 integrity
2 ethical values
3 competence of entity’s personnel
7 general principles of effective internal control environment
1 integrity and ethical values 2 board of directors 3 management's philosophy and operating style 4 organizational structure 5 financial reporting competences 6 authority and responsibility 7 human resources
Audit committee
Subcommittee of board of directors that is generally composed
Of 3 to 6 independent member (not involved in daily operations)
All members are financially literate and one is financial expert
Purpose of including independent members in audit committee
Provide buffer between audit team and operating management
Team
Business risks
Factors, events and conditions that prevent organization
From achieving business objectives,
including effective financial reporting
Purpose of risk assessment for an entity?
Identify risks, estimate their significance and likelihood
And how to manage risks
Control activities
Specific actions a client’s management and employees take to
Ensure that management’s directives are carried out
Important reason why professional standards require audit team to document their understanding of internal control system?
Their understanding of whether management has implemented
Control activities
that are sufficient to address risks of material misstatement
For each relevant assertion
How audit team should account for Control activity: information technology
Assess whether client has taken advantage of significant
advances in information technology
By using entirely automated control systems
How audit team should account for Control activity: level of integration with their risk assessment process
Has audit client’s management addressed identified risks
To achieve financial reporting objectives?
How audit team should account for Control activity: selection and development of control activities
Control activities are selected/developed considering their cost
And potential effectiveness in mitigating identified risks
How audit team should account for Control activity: policies and procedures
Have policies related to reliable financial reporting been
Documented and communicated throughout company?
Preventive controls, define,
Examples
Procedures that prevent misstatements before they occur
Ex. Limiting access, hiring competent people, requiring approval,
Separating duties
Detective controls
Procedures that detect misstatements after they occur
Performance reviews require what of management?
Require management’s active participation in supervision of
Operations
What 4 duties should be separated for entities accounting staff under separation of duties?
1 authorization to execute transactions
2 recording transactions
3 custody of assets involved in transactions
4 periodic reconciliation of existing assets to recorded amounts
Incompatible responsibilities
Combinations of responsibilities that place a person alone in
A position to create
and conceal misstatements due to errors Or frauds in his
Normal job
Information system
Entity’s system, usually built on technological Platform
that has been designed to produce information necessary for entity
to Operate and control its business operations
2 fundamental principles of monitoring
1 ongoing and separate evaluations
2 reporting deficiencies
Monitoring: ongoing and separate evaluations
Evaluations enable management to determine whether other
Components of internal control continue to function over time
Monitoring: reporting deficiencies
Internal control deficiencies identified and communicated in
Timely manner to parties taking corrective action
Also reported to management and board as appropriate
3 phases of internal control evaluation
1 understanding
2 assessment
3 testing
What 5 areas must be understood to understand internal control?
1 control environment 2 accounting system 3 risk assessment 4 control activities 5 monitoring
3 ways auditors document understanding of internal control?
1 narrative memo
2 questionnaire
3 flow chart
An accounts significance is based on its…
Inherent risk
Relevant assertions
Those that represent possibility of material misstatement
Entity level controls
Controls pervasive to internal control system and reliability of
Financial statements taken as a whole
How are the following types of entity level controls assessed? 2 things:
Controls related to control environment
Controls related to management override
Centralized processing and shared service environments
Controls to monitor results of operations
Controls to monitor other controls
1 primary evidence to test controls gather through observation,
inquiry and examination of documents
2 auditor must assess whether managements integrity, values
And operating style promote effective control consciousness throughout entity
Entity level control: managements risk assessment
What is audit teams assessment? 2 things
1 audit team needs to gain understanding of how client assesses
And responds to risk
2 if client already uses enterprise risk management, inquiry
And obtaining documentation of ERM is usually enough
Entity level control: period end financial reporting process
How does audit team assess? 3 things
1 assess processes used to produce financial statements and
How IT is involved in period end process
2 document who is participating from management team and
Where process takes place
3 needs to understand and document the types of adjusting
Entries that have occurred and understand oversight by
management, board, and audit committee
Entity level control: policies that address significant business control and risk management policies
4 aspects of assessment by audit team
1 review and evaluate documentation
2 review previous years audit work with entity
3 responses to inquiries by client personnel
4 examination of documents and records
Transaction level controls
Controls that pertain to specific classes of transactions, account
Balances and disclosures
The purpose of gaining an understanding of internal control is to evaluate…
Design effectiveness
Design effectiveness
Determines whether the controls over financial reporting (if
operating effectively)
would be expected to prevent/detect Errors or fraud that result in material misstatement on financial Statements
Walk through
Combination of inquiry of personnel, observation of entity’s
Operations
And document and examination while tracing transactions through
Audit trail from initiation of transaction to recording on financial st.
Operating effectiveness
Whether control is operating as designed
Whether person performing the control possesses the necessary
Authority and qualifications to perform control effectively
Internal control questionnaire
Organized under headings that identify questions related to
Relevant management assertions
and overall control environment
Narrative description (of each important control subsystem)
Describes all environmental elements, accounting system and
All control activities
Effective for audit of small businesses
Accounting and control system flow chart
Pictures that help audit team assess key control points in the
process
Can be helpful in identifying missing controls
2 reasons why audit team might not test internal controls
1 internal control system is too ineffective at preventing and
detecting misstatements
2 takes more time for the audit team to test the internal Controls
than it would to perform substantive tests for relevant Assertion
Phase 2: Assess control risk
Auditors seek to identify internal control activities that are
Explicitly designed to support reliable financial statement reporting
If audit assessment is less than maximum level, what does this mean?
Audit team wishes to rely on internal controls to modify the
Nature, timing and extent of further audit procedures
If audit assessment is less than maximum level, what must they do?
They must perform tests of controls
Perform tests on internal controls: required level of effectiveness is a matter of what?
Professional judgement
Generally the most effective test of controls is…
Reperformance
4 types of control tests from least persuasive to most persuasive
1 inquiry of client personnel (least persuasive)
2 observation of control activity being performed
3 inspection of relevant documentation
4 reperformance of the control activity (most persuasive)
Substantive procedures
Detect material misstatements in account balances and financial
Statement disclosures for each relevant assertion
Control risk is almost always raised, what is the one exception where it can be lowered?
If you were in error understanding the controls phase
There are additional controls you were unaware of
Dual-purpose tests
Single audit test that produces both control testing and
substantive testing
Focus in Auditing Standard 5 (AS 5)
Whether material weakness exists at end of year being reported
Scope of Internal control audit
Test each relevant control activity each year
Reporting of internal control audit
Opinion on effectiveness of internal control
Timing if internal control audit
Evaluate effectiveness of internal control as of fiscal year end
Scope of financial statement audit
Test relevant control activities if relying in them
Reporting of financial statement audit
No opinion in internal control
Timing of financial statement audit
Evaluate effectiveness if internal control throughout fiscal year
AS 5 emphasizes 6 step audit process designed to evaluate effectiveness of internal control system over financial reporting
1 planning the engagement 2 using top down approach 3 testing controls 4 evaluating identified deficiencies 5 wrapping up 6 reporting internal control
Control risk is used to determine…
The nature, timing and extent of further audit procedures
Inherent risk is used to determine…
The nature, timing and extent of tests of controls
Top down approach
Focuses on threats of integrity to external financial reporting
Internal control deficiency
Exists when either the design or operation of control under
Consideration
doesn’t allow company management or employees To detect
Or prevent material misstatement quick enough
Design deficiency
Problem relating to necessary control that is missing
Or existing control that is poorly designed, failing to satisfy
Control’s objective
Operating deficiency
Occurs when properly designed control is either ignored
Or inappropriately applied
Ex. Could result from poorly trained employees
2 groups of serious internal control deficiencies
1 material weakness
2 significant deficiency
Material weakness
Deficiencies that give reasonable possibility that material
misstatement would not be prevented or detected on timely
Basis
Ex. Restatement of previously issued financial statements, fraud by senior management
Significant deficiency
Combination of deficiencies in internal control that is less
Severe than material weakness
Important enough to merit attention by those charged with
Governance
Managements annual report on internal control over financial reporting
Report required by SOX that states management responsible
For establishing and maintaining internal control over financial
Reporting
Identifies framework management uses to evaluate effectiveness
Of internal control, provides management’s assessment of
Internal control
3 written representations audit team must obtain from managment
1 its responsibility for effective internal control over financial
Reporting
2 it’s evaluated effectiveness of internal control over financial
Reporting
3 it has disclosed all internal control deficiencies and frauds to
The audit team
AS 5 imposes 2 requirements for SEC registrants related to entity’s internal control over financial reporting at date of financial statements
1 management’s report on its assessment of internal control
Over financial reporting
2 auditor’s report on internal control over financial reporting
Auditors’ report on internal control over financial reporting
Provides opinion on effectiveness if entity’s internal control
Over financial reporting
Adverse opinion on internal control over financial reporting
Opinion issued when company has material weakness
And not maintained an effective internal control over financial
Reporting
Scope limitations
Audit teams could encounter scope limitations on their ability to
Evaluate effectiveness of entity’s internal control over financial
Reporting
Ex, failure to obtain written representations from managment,
Management has implemented new controls in response to
Identified martial weakness
Scope limitation may result in…
The issuance of disclaimer of opinion on internal control over
Financial reporting or withdrawal from engagement
Management letter
Letter contains commentary and suggestions on variety of
Matters in addition to internal control matters
Report audit teams issue to managment
