CHAPTER 5 Flashcards
A process, effected by an entity’s board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives
internal control
3 categories of internal control:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
management’s responsibilities
- in charge of establishing internal control
- responsible for internal controls.
- identifies the framework that they use to implement internal controls
- gives their assessment of whether they think controls are working or not.
auditor’s responsibilities
- assessing control risk and fraud risk
- expressing an opinion on ICFR (internal controls over financial reporting) for certain public companies
COSO stands for…
Committee Of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting
Components of COSO
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
control environment
- The tone of the organization
- Foundation for all other components
- Includes things like the integrity of management & level of oversight that the board and audit committee give to the company
risk assessment
- client identifying its own risks and assessing the likelihood that those risks could occur
audit committee consists of
3-6 “outside” board members, ALL must be “financially literate” and at least one must be a “financial expert”
Enterprise Risk Management (ERM) Framework
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control procedures
- Objective setting & Control procedures both related to Information & Communication
- Entire framework inside Monitoring
control activities
- policies and procedures put in place to ensure that management’s objectives are met
- auditors document their understanding of the client’s internal control system, including whether controls address risks of material misstatement.
types of control activities
- Management review controls (budget variances)
- Information processing controls (access, authorization, verification, and reconciliation)
- Physical security controls (limit access to assets, forms, computer equipment)
- Preventative vs detective controls
- Manual vs automated controls
- Separation of duties
information and communication
- identifying and capturing information so that employees can carry out their responsibilities
monitoring
- Assessing the quality of internal controls over time
ways of monitoring
- Internal auditing
- Supervisory review of controls
- Follow-up of reporting errors / customer complaints
- Audit committee inquiries
why would an auditor choose to NOT rely on internal controls?
- if they are not designed well
- if they are not functioning
- if the cost to test controls is MORE than the costs (effort) to perform substantive procedures (ex. testing the account balance)
Auditing controls:
top down process
Identifying areas of risk and then testing controls over those risks
Auditing controls:
Operating and design deficiencies
As auditors test controls they may find problems with some controls
Auditing controls:
entity level controls
Something not directly tied to a particular account / affects multiple accounts
operating deficiency
A control is not working as it is designed to work
design deficiency
Deals with the control that even if it were operating as designed,
it wouldn’t do anything to prevent or detect a specific type of misstatement
material weakness
Occurs when a deficiency results in a reasonable possibility that a material misstatement would not be prevented or detected
significant deficiencies
- Less severe than a material weakness.
- Exists if the potential misstatement is either less likely or smaller in magnitude than a material weakness.
audit opinions:
Unqualified
internal controls work
audit opinions:
Adverse
There is at least one material weakness
audit opinions:
Disclaimer
They were unable to or did not test controls
Auditors cannot give a Qualified opinion for internal controls because
there is no “except for”; if there’s a problem, auditors give it an Adverse opinion
regarding internal control, auditors are most concerned with
the reliability of financial statements
- since they give an opinion on financial statements
why do auditors assess control risk?
to determine the nature, timing, and extent of substantive audit procedures
to determine the appropriate levels of detection risk
to determine the risk of material misstatement
a company implements an automated program that counts the number of people using each ride, the number of people entering the gift shop, and the number of people eating at each restaurant. The program compiles the data into a report and sends it to the company’s management.
Which component of COSO does this best illustrate?
information & communication
Which ERM framework step?
If the workload gets too heavy, they will hire another plumber.
risk response
Which ERM framework step?
If more than 2 service calls took more than 24 hours in the last week, their office assistant will post an ad to hire another plumber.
control procedure
Which ERM framework step?
Each week, their office assistant compiles a report of response times for calls from the previous week
information and communication
Which ERM framework step?
The plumbing company becomes so popular that everyone wants to hire them.
event identification
Which ERM framework step?
The plumbing company’s desire to respond within 24 hours.
objective setting