Chapter 18 Flashcards
Auditors of public companies should report on what two things?
Financial statements and
Internal control over financial reporting (ICOFR), according to PCAOB No. 5 - the audits of internal control and financial reporting should be viewed as integrated
Based on section 404a, all public companies need to:
To include an internal control report when filing its annual report (10-K) with SEC. In this, Management acknowledges responsibility for establishing and maintaining adequate internal control. It also provides an assessment of internal control effectiveness at end of fiscal year, while increasing management’s responsibility for demonstrating that controls are effective
Management’s Responsibility for Internal Control under SOX is listed as the following (describe one)
- Accept responsibility for effectiveness of ICOFR
- Evaluate the effectiveness using suitable criteria
- Support the evaluation with sufficient evidence
- Provide a report on internal control
Which section of Sarbanes Oxley, 404a or 404b, requires auditors of public companies with market capitalization in excess of $75,000,000 to audit internal control and express an opinion on effectiveness of internal control
404b
Flip card to see SEC’s definition of ICOFR
Internal control over financial reporting is a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and affected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
What is the Auditor;s Objective when it comes to ICOFR?
Plan and perform the audit to obtain reasonable assurance about whether material weaknesses exist to express an opinion on effectiveness of company’s ICOFR. No material weakness = effective ICOFR. One or more material weaknesses = ineffective ICOFR
.
What is the Objective of Management’s Evaluation of ICOFR?
To provide a reasonable basis for its annual assessment as to whether there are any material weaknesses in ICOFR as of year-end
What is a Control Deficiency?
design/operation of control does not allow timely prevention/detection of misstatements
See slide 8 for levels of control deficiencies
Slide 8
Management Assessment of ICOFR includes the following:
- Process of identifying significant controls and testing their design and operating effectiveness
- Management can be assisted by consultants but not by the audit firm conducting financial statement audit
- Evaluation must use an accepted “control framework” such as Internal Control-Integrated Framework created by COSO
- Must understand concepts of control deficiency, significant deficiency, and material weakness
- Must understand SEC’s definition of internal control
The report on ICOFR does what? (Name one of the four following)
- State that it is management’s responsibility to establish and maintain adequate internal control
- Identify management’s framework for evaluating internal control
- Include management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the most recent fiscal period, including a statement as to whether internal control over financial reporting is effective
- Include a statement that the company’s auditors have issued an attestation report on management’s assessment
What are steps for auditing internl control?
- Plan the engagement
- Use a top-down approach to identify controls to test
- Test and evaluate design effectiveness of internal control
- Test and evaluate operating effectiveness of internal control
- Form an opinion on the effectiveness of internal control
Explain Planning the Engagmeent - the first step
Efficient planning requires coordination with financial statement audit.
Initial knowledge of ICOFR during planning will vary based on nature of client and experience with client. New auditor – little knowledge/much work on understanding ICOFR for planning. have much knowledge and just need to update this knowledge for planning
Auditors should use a top-down approach to identify controls to test. Further elaborate this 2nd step
Starts at the top with financial statement elements and entity-level controls.
Links these to significant accounts, relevant assertions, and major classes of transactions. The goal is to focus on testing most important controls. See slide 16
Define Entity-Level Controls
Controls with a pervasive effect on internal control system (as opposed to controls for specific objectives). Often those in control environment or monitoring components of internal control, for example:
- Tone at the top
- Assignment of authority/responsibility
- Corporate code of conduct
PCAOB Standard No. 5 emphasizes controls relating to what? (Name one of the three)
- Audit committee effectiveness
- Fraud
- Period-end reporting process (“financial statement close”)
Account is considered “significant” if
reasonable possibility that it could contain a misstatement that has a material effect on financial statements (does not consider internal control effectiveness). Auditor should obtain understanding of significant accounts and disclosures
See slide 18 for antifraud programs
slide 18
Do redundant controls need to be tested?
No.
Redundant controls – those that duplicate other controls (do not need to test if duplicate control is tested)
Accounting estimates - involve management’s judgments or assumptions (e.g., determining the allowance for doubtful accounts, estimating warranty reserves, assessing assets for impairment). True or false?
True
Once determinec significant accounts and disclosures, auditor must determine which of the assertions are relevant:
(1) existence or occurrence;
(2) completeness;
(3) valuation or allocation;
(4) rights and obligations; and/or
(5) presentation and disclosure.
Relevant assertions are those that have meaningful bearing on whether account is presented fairly (e.g., valuation may be very relevant to accounts receivable but not for cash)
Name one of the factors to determine significance of account:
- Size and composition.
- Susceptibility of loss due to errors or fraud.
- Volume of activity, complexity, and homogeneity of individual transactions.
- Nature of the account.
- Accounting and reporting complexity.
- Exposure to losses.
- Possibility of significant contingent liabilities.
- Existence of related party transactions.
- Changes from the prior period.
What are complementary controls?
work together to achieve particular control objective (both should be tested)
difference betwen preventive and detective controls
preventive – prevent error/fraud from occurring
Detective – detect errors or fraud that has already occurred
Auditor generally tests combination of both for relevant assertions
Tracing a transaction from its origination through the company’s information system until it is reflected in the company’s financial reports in known as a
Walk-Through. Frequently the most effective way to obtain an understanding of classes of transactions and likely sources of misstatement
When testing Operating Effectiveness, auditors consider Nature, Timing, and Extend. Define Timing
Sufficient period of time to determine effectiveness as of management internal control report date
Tests of Design Effectiveness of ICOFR are used to understand internal control design to determine whether controls, if operating properly, can prevent/detect material misstatements. They may be a combination of which four tests? (name one)
- Inquiries
- Observations
- Walk-throughs
- Document inspection
Evidence of effectiveness leads to (increased/decreased) scope of substantive procedures
Decreased (due to decreased control risk allowing increase of detection risk)
Review Risk model if necessary
When testing Operating Effectiveness, auditors consider Nature, Timing, and Extend. Define Extent
Depend on frequency of control activity (the more frequent, the more it should be tested) and importance of control (the more important, the more it should be tested)
Difference betwee the Financial Statement Audit’s objective and the ICOFR statement’s audit.
ICOFR: provide opinion on effectiveness of ICOFR
Financial Statement: assess control risk and test controls for any assessment below maximum risk
The (ICOFR/Financial Statement) Audit must test effectiveness of controls for the entire period they are being relied upon.
Financial Statement audit. For ICOFR Audits, Auditors must test effectiveness of controls over all relevant assertions for all significant accounts and disclosures as of management’s ICOFR report date.
With ICOFR report requirement, auditors now tend to rely (more/less) heavily on internal control in performing financial statement audit
More
Define an Integrated Audit
Testing spread throughout the year to satisfy both objectives of ICOFR and Financial Statement audits
When testing Operating Effectiveness, auditors consider Nature, Timing, and Extend. Define Timing
Sufficient period of time to determine effectiveness as of management internal control report date
A Disclaimer or Withdrawal from engagement (depending on extent) would lead to what to be included with the auditor’s opinion?
Scope limitation = Disclaimer or Withdrawal from engagement (depending on extent)
If management corrects material weakness with enough time for auditor to test, may issue unqualified report. True or false?
True.
When Forming an Opinion on Effectiveness of ICOFR, Auditors evaluate all evidence, including (name one)
- The results of their evaluation of the design of controls,
- The results of tests of the operating effectiveness of controls,
- Negative results of substantive procedures performed during the financial statement audit, and
- Any identified control deficiencies.
No material weaknesses as of year-end and no scope restrictions = Adverse Opinion. True or False?
False - No material weaknesses as of year-end and no scope restrictions = Unqualified opinion.
One or more material weaknesses = Adverse opinion
If a material weakness was corrected by management prior to year-end but without enough time to test, adverse opinion is still necessary. True or false?
False. If corrected prior to year-end but without enough time to test, scope restriction may force a disclaimer or withdrawal
Significant deficiencies or material weaknesses will lead to (increased/decreased) scope of substantive procedures
Increased (due to increased control risk requiring decreased detection risk)
If Management’s Internal Control Report is Incomplete or Improperly Presented, auditor should
Auditor should modify report to include explanatory paragraph describing inadequacy/improper presentation
If management fixes a critcal weakness after year-end, may issue unqualified report. True or false?
False -
If correct after year-end, adverse report necessary
If management does not disclose a material weakness in its report, auditor must:
- Include explanatory paragraph in auditor’s already adverse report
- Required to communicate this lack of disclosure in writing to audit committee
All control deficiencies, regardless of severity must be Communicated in writing to management, Prior to issuance of auditor report on ICOFR. True or False?
True, this is an extra requirement of PCAOB #5.
Other requirements include making sure the Material weaknesses, significant deficiencies, and all deficiencies have been communicated to management in writing.
Also, After auditors conclude ICOFR is ineffective, Communicate in writing to board of directors The reasons for this conclusion
A nonpublic company may choose to have an integrated audit of its financial statements and its internal control. True or false?
True, see image from slide 33
When management believes material weakness has been eliminated, can they engage auditor to report on whether material weakness continues to exist?
Sure. Adverse internal control opinion motivates management to correct material weakness as quickly as possible
A significant deficiency is less severe than a material weakness - true or false
true!
Significant deficiencies discovered by the auditors should be communicated to the body charged with oversight of financial reporting and internal control of the organization. True or false?
True
ection 404 of the Sarbanes-Oxley Act of 2002 emphasizes that investors must understand that financial statements and audit reports provide only limited, and not reasonable assurance. True or false?
False
True or false:
PCAOB Standard No. 5 considers the audits of financial statements and internal control as being integrated.
True - duh
The lack of effective anti fraud programs is considered at least a significant deficiency. True or false
true fosho
n an integrated audit, tests of controls need only be performed to determine that internal control is effective as of year-end for both the audit of the financial statements and the audit of internal control. True or False
False - Duh
The “as of” date relating to an audit of internal control is the date on which audit procedures are completed. True or false?
Falsey
A required part of management’s assessment process is appropriate documentation of internal control through flowcharts and walk-throughs. - True or false?
False
A control deficiency that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the financial reporting process is:
significant deficiency.
Effective internal control ordinarily involves a combination of both preventive and detective controls. - true or false?
truth
Tests of design effectiveness ordinarily do not include reperformance of the application of controls.
True
Walk throughs must be performed each year for each major classification of transactions. True or Falsizzy?
Falsizzy
A material weakness involves more than a remote likelihood that what size misstatement will not be prevented or detected?
material - dug
The internal control provisions of the Sarbanes-Oxley Act of 2002 apply to which companies in the United States:
SEC registrants.
Which is correct concerning the level of assistance auditors may provide in helping management with its assessment of internal control?
Only very limited assistance may be provided.
Walk-throughs provide evidence that helps auditors to:
evaluate design effectiveness of controls.
Reconciliation of cash accounts by a competent individual otherwise independent of the cash function might make the likelihood of a significant misstatement due to a control deficiency being detected to be remote. Reconciliation may be referred to as what type of control?
Compensating
An account is significant if there is at least a
remote likelihood that it could contain more than inconsequential misstatements.
