Chapter 10 Essays Flashcards
Describe each of the three broad objectives management typically has for internal control. With which of these objectives is the auditor primarily concerned?
The three objectives are:
Reliability of financial reporting. Management has both a legal and professional responsibility to be sure that the information is fairly presented in according with reporting requirements such as GAAP.
Efficiency and effectiveness of operations. Controls within an organization are meant to encourage efficient and effective use of its resources to optimize the company’s goals.
Compliance with laws and regulations. Public and non-public organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and fraud.
The auditor is primarily concerned with the objective of reliable financial reporting.
Briefly describe the responsibilities of management and external auditors for internal controls.
Management is responsible for establishing and maintaining the entity’s internal controls. For public companies, management is also required by Section 404 to publicly report on the operating effectiveness of those controls. In contrast, the auditor’s responsibilities include understanding and testing internal control over financial reporting. For public company clients, the auditor is also required by Section 404 to issue an audit report on management’s assessment of its internal controls, including the auditor’s opinion on the operating effectiveness of those controls.
Public)
medium There are four steps in the auditor’s process of understanding internal control and assessing control risk for a public company. Step one is obtain and document an understanding of internal control: design and operation. What are the remaining three steps?
The remaining three steps are:
Assess control risk.
Design, perform, and evaluate tests of controls.
Decide planned detection risk and substantive tests.
Certain principles dictate the proper design and use of documents and records. Briefly describe several of these principles.
Documents should be prenumbered consecutively to facilitate control over missing documents and as an aid in locating documents when they are needed at a later date.
Documents and records should be prepared at the time a transaction takes place, or as soon as possible thereafter, to minimize timing errors.
Documents and records should be designed for multiple uses, when possible, to minimize the number of different forms. For example, a properly designed and used shipping document can be the basis for releasing goods from storage to the shipping department, informing billing of the quantity of goods to bill to the customer and the appropriate billing date, and updating the perpetual inventory records.
Documents and records constructed in a manner that encourages correct preparation. This can be done by providing internal checks within the form or record. For example, a document might include instructions for proper routing, blank spaces for authorizations and approvals, and designated column spaces for numerical data.
Management’s identification and analysis of risk is an ongoing process and is a critical component of effective internal control. An important first step is for management to identify factors that may increase risk. Identify at least five factors, observable by management, which may lead to increased risk in a typical business organization.
There are many factors that may lead to increased risk in an organization. Some examples include:
failure to meet prior objectives,
decreasing quality of personnel,
increasing geographic dispersion of company operations,
increasing significance and complexity of core business processes,
introduction of new information technologies, and
entrance of new competitors.
During a financial statement audit of a private company, three steps must be completed by the auditor before concluding that control risk is low. What are these steps?
The three steps that must be completed by the auditor before concluding that control risk is low are:
obtaining an understanding of the control environment, risk assessment procedures, accounting information and communication system, and monitoring methods at a fairly detailed level;
identify specific controls that will reduce control risk and make an assessment of control risk; and
test the effectiveness of controls.
What are the two primary factors that auditors consider in determining if an entity is auditable?
The two primary factors are the integrity of management and the adequacy of accounting records.
Adequate separation of duties is an important control activity. Discuss the four general guidelines for separation of duties to prevent both intentional and unintentional misstatements that are of significance to auditors.
The general guidelines are:
Custody of assets should be separated from accounting,
Authorizing transactions should be separated from custody of related assets,
Operational responsibility should be separated from record-keeping, and
Duties within IT should be separated.
Auditing standards related to the audits of private companies specify the extent to which auditors can rely on evidence about internal controls obtained in prior years. Briefly describe this guidance.
When auditors plan to use evidence about the operating effectiveness of internal control obtained in prior audits, SAS 110 requires them to test their effectiveness at least every third year. If auditors determine that a key control has been changed since it was last tested, they should test it in the current year. When there are a number of controls tested in prior audits that have not been changed, SAS 110 requires auditors to test some of those controls each year to ensure there is a rotation of controls testing throughout the three-year period.
The text suggested a five-step approach to identify deficiencies, significant deficiencies, and material weaknesses. Describe this approach.
- Identify existing controls. Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist.
- Identify the absence of key controls. Internal control questionnaires, flowcharts, and walkthroughs are useful tools to identify where controls are lacking and the likelihood of misstatement is therefore increased.
- Consider the possibility of compensating controls. A compensating control is one elsewhere in the system that offsets the absence of a key control. When a compensating control exists, there is no longer a significant deficiency or material weakness.
- Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses.
- Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements.
Define the following terms: control deficiency, significant deficiency, and material weakness.
A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis.
A significant deficiency exists if one or more control deficiencies exist that results in more than a remote likelihood that a misstatement that is more than inconsequential will not be prevented or detected.
A material weakness exists if a significant deficiency, by itself, or in combination with other significant deficiencies, results in a more than remote likelihood that internal control will not prevent or detect material financial statement misstatements.
Describe three inherent limitations of internal control.
The effectiveness of internal controls depends on the competency and dependability of the people using it. Inherent limitations of internal control include: employee carelessness, lack of understanding, management override, and collusion.
The internal control framework developed by COSO includes five so-called “components” of internal control. Discuss each of these five components.
Five components of internal control are:
The control environment. The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management about control and its importance to the company.
Risk assessment. This is management’s identification and analysis of risks relevant to the preparation of financial statements in accordance with GAAP.
Information and communication. This is the set of manual and/or computerized procedures that identifies, assembles, classifies, analyzes, records, and reports a company’s transactions and maintains accountability for the related assets.
Control activities. These are the policies and procedures that help ensure necessary actions are taken to address risks in the achievement of the company’s objectives.
Monitoring. This is management’s ongoing and periodic assessment of the quality of internal control performance
Discuss what is meant by the term “control environment” and identify four control environment subcomponents that the auditor should consider.
The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about control and its importance to the entity. Subcomponents include integrity and ethical values, commitment to competence, board of directors or audit committee participation, management’s philosophy and operating style, organizational structure, assignment of authority and responsibility and human resource policies and practices.
Describe the auditor’s responsibilities related to communications regarding internal control matters.
The auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as they become aware of their existence. The communication is usually addressed to the audit committee and to management. Timely communications may provide management an opportunity to address control deficiencies before management’s report on internal control must be issued. In some instances, deficiencies can be corrected sufficiently early such that both management and the auditor can conclude that controls are operating effectively as of the balance sheet date.