Chapter 18 Flashcards
SOX + PCAOB
SOX: requires that in addition to reporting upon financial statements, auditors of public companies should also report upon internal control over financial reporting (internal control).
PCAOB N 5: recognizes this relationship and states that the internal control and financial statement audit should be viewed as integrated.
SOX section 404 (a)
Applies to all public companies, requires that each annual report filed with the SEC include an internal control report prepared by management in which management acknowledges its responsibility for establishing and maintaining adequate internal control and provides an assessment of internal control effectiveness as the end of the most recent fiscal year.
SOX section 404 (b)
applies to public companies with a market capitalization in excess of $75,000,000 requires the CPA firm to audit internal control and express an opinion on the effectiveness of internal control.
Management responsibility under SOX
- Accept responsibility for the effectiveness of internal control
- evaluate the effectiveness of internal control using suitable control criteria
- support the evaluation with sufficient evidence
- Provide a report on internal control
Control Deficiency
Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis.
Material Weakness
It is a control deficiency, or combination of control deficiencies, in internal control over financial reporting, such that there is a reasonable possibility (possible or probable) that a material misstatement of the company’s annual or interim financial statements will not be presented or detected on a timely basis.
Significant Deficiency
It is control deficiency, or a combination of control deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.
Quantitative Factor
Address the potential amount of loss
Qualitative Factors
include consideration of the nature of the accounts and assertions involved and the possible future consequences of the deficiency.
Compensating Control
Exist to prevent or detect the possible misstatement.
- while a deficiency might exist, it might not be significant deficiency or a material weakness due to the existence of a compensating control.
Control over Major classes of transactions
Those that materially affect significant financial statement accounts- either directly through entries in the general ledger or indirectly through the creating of rights or obligations that may or may not be recorded in the general ledger.
objective of management’s evaluation of internal control
To provide it with reasonable basis for its annual assessment as o whether there are any material weaknesses in internal control as of the end of the fiscal year.
SEC guidance
Principles: ( 1 ) Evaluating the design of controls of identify controls and risks and
( 2 ) Evaluating the operation of the controls.
Evaluating Design effectiveness of Controls
1- Identify and assess the risk to reliable financial reporting
2- Management considers whether its has controls placed in operation.
a- Management uses top-down approach, which starts with identification of entity-level controls and works down to detailed controls only to the extent necessary.
Evaluating operating effectiveness of internal control
Evidence on operating effectiveness is obtained from tests of controls and from ongoing monitoring activities related to the controls.
Ongoing monitoring activities
Through assessments made by employees, assessments made by management ( referred to as self-assessment procedures), and the analysis of performance measures designed to track the operation of controls.
Nature of an Integrated Audit
Auditors of Public companies should report on:
- Financial statements and
- internal control over financial reporting.
Based on provision of PCAOB Standard No. 5 (as 2201), the audits of internal control and financial reporting should be integrated.
Auditor’s Objective
Plan and perform the audit to obtain reasonable assurance about whether material weaknesses exist to express an opinion on company’s internal control over financial reporting.
- Evidence gathered as of date specified in management’s assessment- normally the last day of the company’s fiscal year.
Audit Steps
1- Plan the engagement
2- Use a top-down approach to identify controls to test.
3- test and evaluate design effectiveness of internal control.
4- Test and evaluate operating effectiveness of internal control.
5- Form an opinion on the effectiveness of internal control.
Plan the Engagement
- Efficient planning requires coordination with financial statement audit.
- Consider matters such as:
- client’s industry
- Regulatory matters
- Client’s business
- Recent changes in client’s operations.
Audit of I/C vs. Audit of Financial Statements
Time period:
- Audit of I/C: As of date.
- Audit of F/S: Entire financial statement period.
Top-Down Approach
- Goal is to focus on testing those controls that are most important to auditor’s conclusion on internal control, avoiding those that are less important.
- Starts at top
Entity-level controls: Those in control environment or monitoring components of internal control.
Emphasize those relating to audit committee effectiveness, fraud, and period-end process.
Direct or indirect effect.
Antifraud Program or Element
Management accountability Audit committee Internal Audit Code of Conduct/ethics Whistleblower program Hiring and promotion procedures Remediation
Strong indicator of significant deficiency
Senior management conducts ineffective oversight of antifraud programs and controls.
- Audit committee passively conducts oversight. It does not actively engage the topic of fraud.
- Inadequate communication, involvement , and interaction with the audit committee.
- Nonexistent code or code that fails to address conflicts of interest, related party transactions, legal acts, and monitoring by management and the board.
- No program for anonymous submissions.
- Failure to perform substantive background investigations for individuals being considered for employment or promotion to a position of trust.
- Failure to take appropriate and consistent remedial actions with regard to identified significant deficiencies, material weaknesses actual fraud, or suspected fraud.
