Chapter 3 - 3.1 & 3.2 Flashcards
What are the primary objectives of internal controls?
A ccurate and reliable financial reporting
C ompliance with applicable laws and regulations
E fficient and effective operations
What does it mean when you set control risk to a maximum?
It means there is a 100% probability that an entity’s internal control system will not prevent or detect a fraud or error, or allow for its correction.
What are the financial statement assertions for the income statement?
C ompleteness
P eriod Cutoff
A ccuracy
C lassification
O ccurrence
What are the financial statement assertions for the balance sheet?
R ights and obligations
A llocations and valuation
C ompleteness
E xistence
What are the financial statement assertions for disclosures?
R ights and obligations
A ccuracy and valuation
C ompleteness
O ccurrence
U nderstandability
What are five components of internal control?
C ontrol activities
R isk assessment
M onitoring
I nformation and communication
Control E nvironment
What are the parts of a good control environment?
C ommitment to competence
H uman resources policies & practices
O rganizational structure
P articipation of those charged with governance
P hilosophy of management and mgmt operating style
E thical values & integrity
R esponsibility assignment
What are the four principles of risk assessment for internal control?
- Specify suitable objectives
- Identify and analyze risk
- Assess fraud risk
- Identify and analyze significant change
What is the focus of control activities in internal controls?
P erformance reviews
I nformation processing
P hysical controls
S egregation of duties
What are the separate parts of segregation of duties?
A uthorization of transactions
R ecording (posting) of transactions
C ustody of assets
C omparisons
What does communication mean in terms of internal controls?
It means establishing individual duties and responsibilities relating to internal control and making them known to involved personnel
What is monitoring for internal controls?
The means by which management determines if internal controls are being followed and if they are effective.
What are the inherent limitations of internal controls?
C ollusion
O verride by management
P oor human judgement and errors
What are the steps to understanding internal control?
- Obtain an understanding of I/C components (CRIME)
- Document your understanding of I/C
- Assess risk of material misstatement
- Develop an audit strategy to either:
  - Perform test of controls (rely on I/C)
  - Assess control risk to a max (not rely)
- Reassess risk of material misstatement and evaluate results
- Document conclusions and plan substantive testing
What type of risk assessment procedures do auditors do on internal controls?
Analytical procedures
Inquiries
Inspection
Observation
What are ways to document the auditor’s understanding of internal control?
F lowchart
Internal control questionnaire (ICQ)
N arrative or memorandum
D ecision table/tree
What are the four types of tests of controls an auditor performs on internal control?
R eperformance
I nquiry
I nspection
O bservation
What does it mean when an auditor decides to NOT rely on controls related to a relevant assertion?
RMM will be equal to the assertion’s inherent risk assuming no relevant controls are in place.
Auditor will develop a test that applies substantive procedures to the assertion.
What does it mean when an auditor decides to RELY on controls related to an assertion?
RMM will be REDUCED from IR, taking into account that CR is below maximum
Auditor will perform the TEST OF CONTROLS for a population covering the entire period.
How often should an auditor test operating effectiveness?
At least once every 3 years
What happens if the auditor concludes controls are effective?
The nature, timing, and extent of audit procedures will be reduced
What is dual purpose testing?
Doing both substantive testing and tests of controls for an assertion
What types of deficiencies and weaknesses is an auditor required to communicate to management or governance?
Significant deficiencies and/or material weaknesses
What are the different types of transactions or events in each operating cycle?
Initiation (Start)
Authorization
Completion or execution
Recording
Verification (Evaluate Defenses)
(SACRED)
What are the different things control activities watch for?
P hysical controls
R ecording
A uthorization
I ndependent checks
S egregation of duties
E valuate performance
(PRAISE)
When does a control deficiency exist?
When the design or operation of a control DOES NOT allow management or employees in the normal course of business to prevent, detect, or correct a misstatement on a timely basis.
Can be a deficiency in design or operation.
What is a control deficiency in design?
A deficiency that occurs when a control has not been put in place or it has been put into place but it was not designed to address its intended risk.
What is a control deficiency in operation?
A deficiency that occurs when a control is not operating as designed or the individual responsible for it lacks authority or ability to perform it effectively.
What is a material weakness?
Deficiency or combination of deficiencies where there is reasonable possibility that a material misstatement will not be prevented, detected, or corrected on a timely basis.
What is a significant deficiency?
Deficiency or combination of deficiencies that are less severe than a material weakness but more than a control deficiency.
What are some indicators of a material weakness?
Ineffective oversight by those charged with governance
Restatements of PY financial statements because of material misstatements from error or fraud
Material misstatements not detected by internal control, but detected by the auditor
Fraud by senior management. Both material and immaterial.
What must the auditor report to those charged with governance within 60 days after report release date?
Any significant deficiencies or material weaknesses found
What is in the report to governance/mgmt when communicating significant deficiencies and/or material weaknesses?
- State purpose of audit was to report on financial statements, NOT assurance on effectiveness of internal controls
- State auditor is NOT expressing an opinion on effectiveness of internal controls
- State auditor’s consideration of internal controls was not designed to find all significant deficiencies or material weaknesses
- Include the definition of material weaknesses and significant deficiencies (if applicable)
- Identify significant deficiencies and material weaknesses
- State communication is only for governance and management (limited use)
Can you write a report saying there are no material weaknesses or no significant deficiencies?
Can write report saying no material weaknesses but can’t say no significant deficiencies
What is the top down approach for an audit of financial statements and examination of internal controls?
- Auditor assesses risk at the financial statement level (concentrates on entity-level controls).
- The auditor looks at significant accounts and disclosures and their relevant assertions.
- The auditor identifies potential deficiencies in design or operation
- The auditor evaluates deficiencies based on magnitude and probability
What is included in the management representation letter for internal control over financial reporting?
- Mgmt responsibility for internal control
- Indication mgmt has performed an assessment of internal controls over financial reporting based on a set of criteria
- Mgmt assessment did not incorporate results of procedures done by auditor
- Mgmt assessment of internal controls over financial reporting as of a certain date
- Indication mgmt has informed the auditor of all deficiencies in internal controls over financial reporting
- Any fraud resulting in a material misstatement or involving people involved in internal controls over financial reporting
- Indication significant deficiencies and material weaknesses from before have or have not been addressed
- Indication of any changes to internal controls over financial reporting subsequent to date being reported on
What is included in an auditor’s report on internal controls?
- Title that includes the word independent
- Appropriate addressee
- Intro paragraph that contains:
  - Identity of entity that is being audited, and indication that internal controls over financial reporting have been audited
  - Date as of which internal controls over financial reporting were assessed
  - Criteria it was measured against
- Management responsibility paragraph for:
  - Design, implementation, and maintenance of internal controls over financial reporting (DIM)
  - Assessment of effectiveness of ICFR
  - Providing management report on ICFR
- Auditor responsibility paragraph for:
  - Expressing opinion on ICFR
  - Engagement in accordance with GAAS
  - Description of audit: auditor did procedures to obtain evidence about existence of material weaknesses
  - Indication auditor believes examination supports opinion
- Definition and inherent limitations of internal controls over financial reporting
- Opinion
- Auditor signature with city, state, and date of report
What type of opinion does a report get if there is a material weakness that isn’t addressed?
An adverse opinion. Need a basis for adverse opinion before the opinion paragraph
What opinion does a report get if management applies a scope limitation to the auditor?
A disclaimer of opinion, or they can choose to withdraw from the engagement.
What is rule 404a of Sarbanes-Oxley?
Rule that requires the annual report for a public company to include a report on internal control that shows management’s responsibility for internal controls and mgmt’s assessment of its effectiveness.
What is rule 404b under Sarbanes-Oxley?
The rule that requires the auditor