Chapter 11-12 Slides Flashcards

(75 cards)

1
Q

a system of internal control consists of policies and procedures designed to provide management with __ __ that the company achieves its objectives and goals

A

reasonable assurance

2
Q

3 primary objectives of effective internal controls

A
  1. reliability of reporting
  2. efficiency and effectiveness of operations
  3. compliance with laws and regulations
3
Q

two concepts when designing internal controls

A
  1. reasonable assurance (considering costs)
  2. inherent limitations
4
Q

SOX 404

A

requires management report and auditor report on internal controls for public companies

5
Q

management’s report must include

A
  1. statement of responsibility
  2. assessment of effectiveness of IC over financial reporting as of the end of the fiscal year
    (and identify framework used for evaluation, often COSO)
6
Q

limitations of IC

A
  1. no system of IC can be completely effective
  2. effectiveness depends on competency/dependability of employees
  3. collusion is still possible
7
Q

effectiveness of IC depends on… (2)

A

competency and dependability of employees

8
Q

management’s assessment of IC over financial reporting has two key aspects

A
  1. evaluate design of IC
  2. test operating effectiveness of controls
9
Q

auditor’s responsibilities regarding IC

A

understand and test controls over financial reporting and classes of transactions

10
Q

auditor’s report on IC deals with

A

effectiveness

11
Q

5 components of IC in COSO Framework

A
  1. control environment
  2. risk assessment
  3. control activities
  4. information and communication
  5. monitoring
12
Q

3 principal IC objectives in COSO

A
  1. reporting
  2. operations
  3. compliance
13
Q

control environment

A

the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity

14
Q

5 underlying principles of control environment

A
  1. integrity and ethical values
  2. board of directors or audit committee participation
  3. organizational structure
  4. commitment to competence
  5. accountability
15
Q

is an umbrella over the other four components of IC (COSO)

A

control environment

16
Q

risk assessment

A

a process for identifying and analyzing risks that may prevent the organization from achieving its objectives

management should identify and analyze risks relevant to the preparation of FS in conformity with appropriate accounting standards

17
Q

4 principles of risk assessment

A
  1. have clear objectives
  2. determine how risks should be managed
  3. consider potential for fraud
  4. monitor changes
18
Q

control activities

A

the policies and procedures that help ensure the necessary actions are taken to address the risks to the achievement of the entity’s objectives

19
Q

3 principles of control activities (COSO)

A
  1. develop control activities that mitigate risks to an acceptable level
  2. develop general controls over tech
  3. establish appropriate policies, procedures, and expectations
20
Q

five general types of control activities

A
  1. adequate separation of duties
  2. proper authorization of transactions and activities
  3. adequate documents and records
  4. physical control over assets and records
  5. independent checks on performance
21
Q

4 guidelines for adequate separation of duties to prevent fraud and errors

A
  1. CUSTODY from accounting
  2. AUTHORIZATION from custody
  3. operations from RECORD-KEEPING
  4. IT from user departments
22
Q

2 parts of proper authorization of transactions and activities

A
  1. general authorization (policies and procedures)
  2. specific authorization (individual transactions)
23
Q

proper design of documents and records includes

A
  1. prenumbered consecutively
  2. prepared at the time a transaction takes place
  3. designed for multiple use
  4. constructed to encourage correct preparation
24
Q

to maintain IC, assets and records must be protected, so the company needs __ __ over them

A

physical control

25
independent checks on performance
careful and continuous review of the first four control activities by someone independent of those originally responsible for preparing data
26
purpose of information and communication system
to initiate, record, process, and report transactions and maintain accountability for related assets
27
monitoring
ongoing or periodic assessment of the quality of IC by management (by internal audit department in larger companies)
28
SEC's audit committee standards require them to have the following characteristics (5)
  1. must be independent directors
  2. responsible for hiring and firing external auditors
  3. establish whistleblowing procedures
  4. can hire advisors and legal team
  5. must be adequately funded
29
3 batch input controls
  1. financial total (summary total of field amounts for all records in a batch that represent a meaningful total)
  2. hash total (summary total of codes from all records in a batch that do not represent a meaningful total)
  3. record count (summary total of physical records in a batch)
30
financial total
summary total of field amounts for all records in a batch that represent a meaningful total
31
hash total
summary total of codes from all records in a batch that do not represent a meaningful total
32
record count
summary total of physical records in a batch
33
5 processing controls
  1. validation test
  2. sequence test
  3. arithmetic accuracy test
  4. data reasonableness test
  5. completeness test
34
validation test
ensures that a particular type of transaction is appropriate for processing
35
sequence test
determines that data submitted for processing are in the correct order
36
arithmetic accuracy test
checks the accuracy of processed data
37
data reasonableness test
determines whether data exceed prespecified amounts
38
completeness test
determines that every field in a record has been completed
39
2 categories of IT controls
  1. general (apply to all aspects of IT function)
  2. application (operate at process level and apply to processing transactions)
40
4 steps in process of understanding controls
  1. obtain and document understanding of IC
  2. assess control risk
  3. design, perform, and evaluate tests of controls
  4. decide planned detection risk and substantive tests
41
3 techniques to obtain and document understanding of IC
  1. narrative
  2. flowchart
  3. IC questionnaire
42
narrative (and four things it seeks to document)
written description of client's ICs, including:
  1. origin of every document and record in the system
  2. all processing that takes place
  3. disposition of every document and record in the system
  4. indication of controls relevant to assessment of control risk
43
flowchart (use in understanding internal controls)
a diagram of the client's document flow in the organization
44
walkthrough
the auditor selects one or a few documents of a transaction type and traces them from initiation through the entire accounting process
45
5 methods to evaluate IC implementation
  1. update and evaluate auditor's previous experience with the entity
  2. make inquiries of client personnel
  3. examine documents and records
  4. observe entity activities and operations
  5. perform walkthroughs of the accounting system
46
4 steps of assessing control risk with control risk matrix
  1. identify audit objectives
  2. identify existing controls
  3. associate controls with related audit objectives
  4. identify deficiencies, significant deficiencies, and material weaknesses
47
3 types of audit objectives for each class of transactions
  1. transaction-related
  2. balance-related
  3. presentation and disclosure-related
48
can rely on controls even when one is weak or nonexistent if...
several controls exist (compensating controls)
49
3 levels of the absence of IC
  1. control deficiency
  2. significant deficiency
  3. material weakness
50
control deficiency
the design or implementation of IC does not permit company personnel to prevent/detect misstatement
51
significant deficiency
a deficiency that is less severe than material weakness but important enough to merit attention
52
material weakness
exists if a significant deficiency, or combination of significant deficiencies, results in a reasonable possibility that IC will not prevent or detect material FS misstatement
53
5 steps in identifying deficiencies, significant deficiencies, and material weaknesses
  1. identify existing controls
  2. identify absence of key controls
  3. consider possibility of compensating controls
  4. decide whether there is a significant deficiency or material weakness
  5. determine potential misstatements that could result
54
purpose of tests of controls
test effectiveness of controls in support of a reduced control risk for the audit
55
4 types of procedures used in tests of controls
  1. make inquiries of appropriate client personnel
  2. examine documents, records, and reports
  3. observe control-related activities
  4. reperform client procedures (larger samples used during tests of transactions; reliance on service center auditors)
56
extent of procedures to test controls depends on
preliminary assessed control risk
57
to support lower control risk, need
more extensive tests of controls (in number and extent)
58
extent of tests of controls depends on 4 things
  1. assessed control risk
  2. reliance on evidence from PY audit
  3. testing of controls related to significant risks
  4. testing less than the entire audit period
59
2 primary differences between tests of controls and procedures to obtain understanding
  1. understanding procedures applied to all controls identified during that phase, but tests of controls are applied only when the assessed control risk has not been satisfied
  2. procedures to obtain understanding performed only on one/a few transactions; ToCs performed on larger samples, often at more than one point in time
60
when clients use service centers for processing transactions, the auditor may need to obtain an understanding of
the controls of the service center
61
service centers may engage an audit firm to obtain understanding and
issue a report to be used by the auditors of their customers
62
auditor uses control risk assessment and results of ToCs to determine
  1. PDR
  2. related substantive tests for the audit
63
the auditor links the control risk assessment to the __ __ __ __ for the accounts affected by the major transactions types and to the four __ __ __ __ __
balance-related audit objectives; presentation and disclosure audit objectives
64
the preliminary assessment for planning purposes allows the auditor to
design the testing phase and determine the amount of reliance that can be placed on IC
65
IC relationship with PDR
inverse (high CR = lower PDR)
66
when will auditors verify if initial assessment of the reliance on IC was appropriate and, after additional testing, form an opinion to document for the controls?
test of transactions
67
the auditor must communicate __ __ __ __ __ in writing to those charged with governance as soon as the auditor becomes aware of their existence
significant deficiencies and material weaknesses
68
not required by auditing standards, but typically provided by auditors when less significant internal control-related issues exist
management letter
69
3 types of opinions on IC
  1. unqualified
  2. adverse
  3. qualified or disclaimer of opinion
70
unqualified opinion conditions (IC)
  1. no material weaknesses
  2. no restrictions on scope
71
adverse opinion condition (IC)
one or more material weaknesses exist
72
qualified or disclaimer of opinion condition (IC)
scope limitation
73
are not subject to SOX 404 (2)
smaller public companies and private companies
74
5 differences in IC audits for companies not subject to Section 404(b)
  1. reporting: no required IC report
  2. extent of ICs: may be less extensive
  3. extent of understanding needed: sufficient to assess risk for audit
  4. assessing control risk: at maximum when controls are ineffective/nonexistent for any audit objectives
  5. extent of tests of controls needed: auditor will not test controls when CR is at maximum (use other means)
75
7 common uses of generalized audit software
  1. verify extensions and footings
  2. examine records for quality, completeness, consistency, and correctness
  3. compare data on separate files
  4. summarize or resequence data and do analyses
  5. select audit samples
  6. print confirmation requests
  7. compare data obtained through other audit procedures with company records