Ch 7 - internal controls Flashcards
all things related to internal controls
Process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories
Internal controls
A process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP
Internal Controls over Financial Reporting (ICFRs)
*related to the goal of reliable financial reporting
Auditors are primarily concerned with…
Internal Controls Over Financial Reporting (ICFRs)
An industry advocacy group that does a lot of things, including writing guidance for what makes for good controls.
COSO
COSO 5-part framework:
- Control environment
- Management’s risk assessment
- Accounting information system
- Control activities
- Monitoring
Everything around the internal controls that influence their effectiveness (e.g., company culture, the competency of employees, etc.)
Control Environment
Annual process where the client goes through and inventories their key risks, and the internal controls over them.
Management’s Risk Assessment
The strength / quality of the system that houses the financial statements. This is particularly relevant to the goal of reliable financial reporting.
Accounting Information System
The actual controls themselves, like approval requirements, locking up goods etc.
Control Activities
Some sort of system for checking that the controls are “working properly”. This is often done with periodic testing by the client (often annually as part of Management’s Risk Assessment).
Monitoring
3 Types of control activities:
ARC acronym:
1. Authorization
2. Recording
3. Custody (physical holding)
T/F: no one person can be responsible for more than one ARC duty.
True; it creates a segregation-of-duties issue if one person is responsible for more than one of these
T/F: The larger the firm, the harder it is going to be to fully separate the duties
False; smaller firms have a more difficult time separating duties because there are fewer employees, making smaller firms riskier
Internal Controls break down for 2 reasons:
- Collusion - Two or more people working together to circumvent controls
- Management override of ICs - A manager has the authority/ability to do things normally disallowed by the internal controls (can do every duty)
T/F: Control Risk is integral to understanding the Risk of Material Misstatement
True; inherent and control risks make up the total risk of material misstatement
2 Audit procedures used to check if controls are implemented correctly:
- Inquiries
- Observation
The control is being done all the time and people have not found a way of circumventing the control. Higher standard than implemented
Operating effectively
AICPA term
The control is actually being done some of the time.
Implementation / implemented
AICPA term
Determining whether the company’s controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company’s control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements
Design effectiveness
PCAOB term (more detailed than implemented)
If Control Risk is medium or low, we can use this as a justification for less audit work later on. The phrase is known as…
“relying on the internal controls”
If control risk is lower, detection risk is _______
higher
If the auditor is going to rely on the Internal Controls, they must test them for…
Operating effectiveness
- control is operating as designed
- person performing the control has the authority and competence to
3 Audit procedures used to test for operating effectiveness?
- Inspections
- Observations (thorough)
- Reperformance
T/F: Public Companies in the US must get an annual audit of Internal Controls which tests ICFRs for Operating Effectiveness.
True; required by SOX
T/F: An integrated audit focuses on all ICFRs.
False; only focuses on material ICFRs
2 Types of ICFR opinions:
- Unqualified opinion: given if there are zero “Material Weaknesses in ICFRs” as of the end of the year.
- Adverse opinion: given when there are one or more Material Weaknesses in ICFR as of the end of the year.
A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.
Material weakness
T/F: Control Risk accounts for how the Controls functioned all year long, while ICFR opinion is only based on material weaknesses at the last day of the period.
True; companies can fix their ICFR opinion up until 12/31
T/F: A client cannot get an unqualified opinion on ICFR if their control risk is high
False; control risk can be high even though the firm got an unqualified opinion
T/F: The SEC will not allow a client to file an Adverse ICFR Opinion.
False; the SEC does allow adverse opinions for ICFRs
The actual, unknown, risk that a material misstatement could occur in an assertion and will not be prevented or detected on a timely basis by an entity’s ICs.
Actual Control Risk (ACR)
Why is actual control risk unknown?
because the audit is based on a sample and never tests every instance of all ICs.
The level of Control Risk the auditor is planning on using in their Audit Risk Model (to determine the nature, timing and extent of audit procedures) in the earliest stages of the audit.
Planned Assessed Level of Control Risk (PALCR)
if PALCR = “lower than the maximum level”, that means…
the auditor is planning on “relying on Internal Controls” and, therefore, must test them for Operating Effectiveness.
The level of Control Risk really used in the Audit Risk Model for determining the nature, timing and extent of Substantive Procedures.
Assessed Level of Control Risk (ALCR)
If no tests of controls are performed, _______ MUST BE at the maximum level.
Assessed Level of Control Risk (ALCR)
T/F: Frequently, the PALCR and ALCR are NOT the same
True
If controls operate as effectively as expected, then PALCR = __________
ALCR
A deficiency, or a combination of deficiencies, in internal control over financial reporting, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.
Significant deficiency
Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Deficiency (less than significant)