Chapter 5 Flashcards
How does COSO define Internal Control?
a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Who is responsible for maintaining effective internal controls?
Management
What is the auditor required to do in terms of the client’s internal controls?
Gain an understanding of the client’s internal controls related to financial reporting
What is the purpose of the auditor’s assessment of control risk?
It gives the auditor a basis for planning the nature, timing, and extent of substantive procedures (i.e., do the auditors want to rely on the controls?)
What are substantive procedures?
Audit procedures designed to detect material misstatements at the assertion level; they are how the auditor addresses detection risk
Less Reliance on Internal Control (Higher CR, Lower DR)
- Nature: more effective tests
- Timing: more testing at year-end
- Extent: more tests
More Reliance on Internal Control (Lower CR, Higher DR)
- Nature: less effective tests
- Timing: more testing at interim
- Extent: fewer tests
If your understanding indicates control risk is 50% and you want to rely on that assessment, you have to test the controls to…
validate that control risk really is 50% (an assessed level below the maximum cannot be relied on without testing the controls)
If your understanding indicates 50% control risk, but you don’t want to rely on controls, you can…
assess control risk higher (at the maximum) and follow a substantive strategy
If your understanding indicates 50% control risk, but when you start testing the controls are failing…
assess control risk higher than planned (the controls are not operating effectively), which lowers acceptable detection risk and increases the substantive procedures required
What is COSO?
An internal control framework
It is NOT required by law, but the SEC named it as a suitable framework for companies to use when evaluating the effectiveness of internal control over financial reporting
It is the only framework the SEC specifically cited as suitable, so although it is not required, most companies adopted it because it was the only framework the SEC “approved”
What are the 3 categories of internal control objectives?
- Financial reporting
- Regulatory compliance
- Operations
What are the five components of internal control?
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
COSO defines internal control as the processes in place to provide reasonable assurance of:
- Reliability of financial reporting
- Compliance with laws and regulations
- Effectiveness and efficiency of operations
Strictly speaking, external auditors focus on which of these?
- Reliability of financial reporting (compliance and operations controls matter to the audit only where they affect financial reporting)
The first category of reasonable assurance
“Reliability of financial reporting”
Example: an audited pipeline company moved chemicals/oil through a pipe that had a sensor every mile measuring what was flowing through it. The primary purpose of the sensors was operational (efficiency, throughput, etc.); they were also used for compliance (leak regulations) and were the basis for revenue recognition. The auditors were therefore concerned with how well the sensors worked.
In the end, as an auditor you care about how controls relate to financial reporting, but that doesn’t mean the same controls won’t also have operational or compliance implications.
What 5 principles relate to the control environment?
Principle 1: The organization demonstrates a commitment to integrity and ethical values.
Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Control Environment
Set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
Board of directors and senior management set the “tone at the top” of an organization, influencing the control consciousness of its people.
What is the foundational component for COSO?
Control Environment
Because control environment is the foundation for all other components, the auditor must…
obtain a detailed understanding of the control environment and document that understanding.
Risk Assessment Principles
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
COSO Risk Assessment
Management’s identification and analysis of relevant risks related to the achievement of its objectives.
Is COSO Risk Assessment the same as the Auditor’s Risk Assessment?
NO!
What does management look at during risk assessment?
What are my strategic goals?
What are risks in achieving these goals?
Control Activity Principles
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
What are control activities?
The policies and procedures that help ensure management directives are carried out
The “guts” of the internal control system
When auditors get to control activities they have to…
map controls to an assertion
What are examples of control activities?
- Segregation of duties (e.g., separating authorization, physical transfer, and recording)
- Approval and co-signing requirements
- Documentation trails and prenumbered sequence controls
- Restricted physical access
- Reconciliations and independent cross-checks
What assertion is supported by the information processing control?
Purchase orders must be authorized by purchasing department before any purchase is made.
Occurrence
What assertion is supported by the information processing control?
All invoices received from vendors for payment must be matched to receiving report and purchase order to ensure that the quantity billed agrees with the quantity ordered and received at previously agreed-upon prices.
Accuracy (valuation or allocation)
Completeness and existence/occurrence deal with direction: completeness asks whether something that should be recorded is missing, and existence/occurrence asks whether something recorded should not be there.
“Agreeing quantities and amounts” has no direction, so it supports accuracy/valuation.
What assertion is supported by the information processing control?
Prenumbered documents (checks, purchase orders, and receiving reports) must be used and accounted for to ensure that all transactions have been recorded.
Completeness
Checkbook example: checks are numbered sequentially, so accounting for every number helps you see that everything has been recorded.
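The three-way match and the prenumbered-document control above are both detective controls that can be run mechanically over the accounting records. As an added illustration that is not part of the original flashcards, the following code implements both over constructed sample data (all vendor names, document numbers, quantities and prices are made up): the match returns a list of exceptions per invoice, and the sequence check reports missing, duplicated and out-of-range numbers for a check register, treating voided checks as accounted for.

```python
"""
Added example (not from the original flashcards): two control activities
implemented as detection logic over constructed sample data.

1. Three-way match of vendor invoice, purchase order and receiving report
   (supports accuracy/valuation; the PO-authorization check supports occurrence).
2. Prenumbered document sequence check over a check register
   (supports completeness).
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: Decimal
    authorized_by: Optional[str]  # None = never approved by purchasing


@dataclass(frozen=True)
class ReceivingReport:
    rr_number: str
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    quantity_billed: int
    unit_price: Decimal


def three_way_match(invoice: Invoice, pos: Dict[str, PurchaseOrder],
                    rrs: Dict[str, ReceivingReport]) -> List[str]:
    """Return the control exceptions for one invoice; an empty list means it clears."""
    po = pos.get(invoice.po_number)
    if po is None:
        # Nothing to match against: a billed transaction with no order behind it.
        return [f"{invoice.invoice_number}: no purchase order {invoice.po_number}"]
    exceptions: List[str] = []
    if po.authorized_by is None:
        exceptions.append(f"{invoice.invoice_number}: PO {po.po_number} not authorized")
    rr = rrs.get(invoice.po_number)
    if rr is None:
        exceptions.append(f"{invoice.invoice_number}: no receiving report for PO {po.po_number}")
    elif invoice.quantity_billed != rr.quantity_received:
        exceptions.append(f"{invoice.invoice_number}: billed {invoice.quantity_billed}, "
                          f"received {rr.quantity_received}")
    if invoice.quantity_billed > po.quantity:
        exceptions.append(f"{invoice.invoice_number}: billed {invoice.quantity_billed} "
                          f"exceeds ordered {po.quantity}")
    if invoice.unit_price != po.unit_price:
        exceptions.append(f"{invoice.invoice_number}: price {invoice.unit_price} "
                          f"differs from agreed {po.unit_price}")
    return exceptions


def match_all(invoices: Iterable[Invoice], pos: Iterable[PurchaseOrder],
              rrs: Iterable[ReceivingReport]) -> Dict[str, List[str]]:
    """Run the match over a batch; assumes one receiving report per PO."""
    po_index = {p.po_number: p for p in pos}
    rr_index = {r.po_number: r for r in rrs}
    return {inv.invoice_number: three_way_match(inv, po_index, rr_index) for inv in invoices}


def sequence_check(recorded: Iterable[int], voided: Iterable[int],
                   first: int, last: int) -> Dict[str, List[int]]:
    """Account for every prenumbered document in [first, last] (inclusive)."""
    expected = set(range(first, last + 1))
    seen = Counter(recorded)
    accounted = set(seen) | set(voided)
    return {
        "missing": sorted(expected - accounted),          # completeness exceptions
        "duplicates": sorted(n for n, c in seen.items() if c > 1),
        "out_of_range": sorted(set(seen) - expected),     # numbers nobody issued
    }


# Constructed sample data (hypothetical, not from the page).
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "Acme", 100, Decimal("2.50"), "J. Chen"),
    PurchaseOrder("PO-1002", "Acme", 40, Decimal("12.00"), None),
    PurchaseOrder("PO-1003", "Globex", 10, Decimal("99.00"), "J. Chen"),
]
SAMPLE_RRS = [ReceivingReport("RR-501", "PO-1001", 100),
              ReceivingReport("RR-502", "PO-1002", 40)]
SAMPLE_INVOICES = [
    Invoice("INV-7", "PO-1001", 100, Decimal("2.50")),    # clean
    Invoice("INV-8", "PO-1002", 45, Decimal("12.00")),    # unauthorized PO, over-billed
    Invoice("INV-9", "PO-1003", 10, Decimal("105.00")),   # nothing received, price changed
    Invoice("INV-10", "PO-9999", 1, Decimal("500.00")),   # no PO at all
]
SAMPLE_CHECK_REGISTER = [2001, 2002, 2003, 2005, 2006, 2006, 2008, 2009, 2010, 2013]
SAMPLE_VOIDED_CHECKS = [2007]

if __name__ == "__main__":
    for inv, exc in match_all(SAMPLE_INVOICES, SAMPLE_POS, SAMPLE_RRS).items():
        print(inv, "OK" if not exc else exc)
    print(sequence_check(SAMPLE_CHECK_REGISTER, SAMPLE_VOIDED_CHECKS, 2001, 2010))
```

Every exception the match produces is a candidate misstatement for the accuracy assertion, while a number in `missing` is a completeness exception that the auditor would trace (was the check issued and never recorded, or never issued?). An unauthorized PO surfaces as an occurrence problem even when the quantities and prices agree.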
Information and Communication Principles
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.
Information and Communication
Controls related to how the organization communicates to support the proper functioning of internal controls.
This includes controls over the quality of the information used within communication.
Can auditors rely on information produced by the company’s information system?
Auditors cannot blindly rely on information produced by the company’s information system.
Monitoring Principles
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Monitoring
Management’s process that assesses the quality of the internal control’s performance over time
Monitoring Examples
Periodic evaluation by internal audit
Supervisory review of controls
Follow-up of reporting errors
Follow up of customer complaints
Audit committee inquiries
What is monitoring essentially?
Controls over controls
The audit committee is typically considered part of the control environment; however, audit committee INQUIRIES are…
monitoring
What are the limitations of internal control?
Human error
Collusion
Management override
Cost/benefit analysis
Cost/benefit analysis of internal control
There is often a trade-off between the cost and the effectiveness of internal controls.
The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.
What type of controls are typically viewed to be more reliable?
Automated controls
Management override
Management (e.g., the CFO) legitimately has the ability to override certain controls; that same ability would enable them to commit fraud if they chose to
How do you develop an understanding of internal control?
- Evaluating the design of controls
- Determining if the controls have been implemented
After auditors have developed an understanding of internal controls, what is the next step?
Document the understanding of internal control
After documenting the understanding of internal control, what is the next question that should be considered by the auditor?
Does the auditor intend to rely on controls?
If the auditor intends to rely on controls what is the path of the “reliance strategy”?
- Plan and perform tests of controls
- Set control risk based on tests of controls
- If the achieved level of control risk does NOT support the planned level of control risk, revise the planned level of substantive procedures, and then document the (revised) level of control risk
- If the achieved level of control risk supports the planned level of control risk, document the level of control risk
- Perform the substantive procedures based on level of assessed control risk
If the auditor does NOT intend to rely on controls, what is the path of the “substantive strategy”?
- Set control risk at the maximum
- Document the level of control risk
- Perform substantive procedures based on level of assessed control risk
Substantive Strategy
After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at high for some or all assertions because of one or all of the following factors:
- Controls do not pertain to an assertion
- Controls are likely to be assessed as ineffective
- Testing the effectiveness of controls is inefficient
Reliance Strategy
After obtaining an understanding of internal control, an auditor may want to rely on a control to allow for an increased detection risk (i.e., to not have to gain as much assurance from substantive procedures).
If the auditor plans to rely on a control, they must assess control risk by testing the control to validate it is designed appropriately and operating effectively.
Integrated Audit
the auditor provides an opinion on the effectiveness of a company’s internal controls AND on the fairness of a company’s financial statements
SOX requires for some companies
SOX Section 404a applies to…
all issuers (public companies)
SOX section 404b applies to…
accelerated filers (including large accelerated filers)
Who established the PCAOB?
SOX
What does the PCAOB do?
Oversees public company auditors
What does SOX 404a outline?
Management must…
1. report the results from its own tests of the company’s internal control over financial reporting (ICFR), identifying any deficiencies.
2. accept responsibility for internal controls
3. evaluate the effectiveness of ICFR using suitable control criteria
4. support the evaluation with sufficient evidence, including documentation
Where is management’s ICFR opinion included?
Its annual report (10-K)
What kind of opinion is management’s opinion over the effectiveness of ICFR?
“As of” the fiscal year end
What does SOX 404b outline?
ONLY applies to “accelerated filers”
Drawing on management’s findings and the auditor’s own tests, the external auditor must independently assess and report on the effectiveness of ICFR as of the fiscal year end. (integrated audit)
Large Accelerated Filers
(public float of $700 million or more) have to file their annual report within 60 days of year-end
Accelerated Filers
(public float of $75 million up to $700 million) have to file their annual report within 75 days of year-end
Non-Accelerated Filers
(public float under $75 million) have to file their annual report within 90 days of year-end
404b: What happens if the auditor finds a deficiency in ICFR? “All Deficiencies”
Discuss with management?
Report to audit committee?
Adverse external opinion on internal control?
Discuss with management: YES
Report to audit committee: NO
Adverse external opinion on internal control: NO
404b: What happens if the auditor finds a deficiency in ICFR? “Significant Deficiencies”
Discuss with management?
Report to audit committee?
Adverse external opinion on internal control?
Discuss with management: YES
Report to audit committee: YES
Adverse external opinion on internal control: NO
404b: What happens if the auditor finds a deficiency in ICFR? “Material Weakness”
Discuss with management?
Report to audit committee?
Adverse external opinion on internal control?
Discuss with management: YES
Report to audit committee: YES
Adverse external opinion on internal control: YES
There are three levels of deficiencies, which is the most severe?
Material weakness
It requires an adverse opinion on internal control, which is reported publicly
Material Weakness
a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.
Significant Deficiency
a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by the audit committee.
Deficiency
A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Factors auditors use to distinguish a material weakness from a significant deficiency
Does the weakness involve the control environment?
Does the weakness repeat regularly?
What is the magnitude?
Does the weakness pertain to a complex and/or subjective process?
Does the weakness involve oversight processes?
Are there any compensating controls?
Has management taken actions to remediate the weakness?
Did the weakness result in an actual material error that had to be corrected?
Remediation
Because ICFR opinions are as of the fiscal year-end, remediation may result in no need to disclose a material weakness.
If the auditor detects material weaknesses in internal control as part of the interim audit procedures, the client can sometimes ____________ the problem and avoid negative reporting consequences.
remediate, or fix
When must remediation be completed and tested before?
The balance sheet date (before year end)
What are the 3 types of internal control opinions?
- Unqualified opinion
- Adverse opinion
- Scope limitation
Unqualified opinion
The entity’s internal control is designed and operating effectively (no material weakness)
Adverse Opinion
Required if material weakness is identified
Scope Limitation
A serious scope limitation requires the auditor to disclaim an opinion
Is there such thing as a qualified internal control opinion?
NO!!
What are the scope differences between an Integrated Audit (404b) and a Financial Statement Only Audit?
Integrated Audit (404b): Test each relevant control activity each year (all)
Financial Statement Audit: Test relevant control activities if relying on them
What are the reporting differences between an Integrated Audit (404b) and a Financial Statement Only Audit?
Integrated Audit (404b): Opinion on the effectiveness of internal control
Financial Statement Audit: No opinion on internal control
What are the timing differences between an Integrated Audit (404b) and a Financial Statement Only Audit?
Integrated Audit (404b): Evaluate effectiveness of internal control AS OF the fiscal year end (also need to evaluate throughout the year for the associated financial statement audit)
Financial Statement Audit: Evaluate effectiveness of internal control (where relying) throughout the fiscal year
AICPA governs
Private companies
AICPA rules relating to internal controls
Auditors must communicate known significant deficiencies and material weaknesses in internal control to management and to the entity’s governance body (e.g., audit committee, school board, etc.).
Under AICPA rules is the auditor required to search for control deficiencies?
NO, but the auditor is required to evaluate and communicate deficiencies that have been identified over the normal course of an audit
SOC 1
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (internal control over an outsourced service)
What are the two types of SOC 1s?
Type 1: Covers only the design (and implementation) of the service organization’s ICFR-relevant controls as of a point in time
Type 2: Covers the design AND operating effectiveness of those controls over a period of time
If the auditor detects a material weakness in internal control over financial reporting, does this imply material misstatements in account balances?
Not necessarily, but there is a reasonable possibility that there may be a material misstatement.
If the auditor detects a material misstatement in an account balance, does this imply a material weakness in internal control over financial reporting?
Generally yes, because management’s controls didn’t catch it before the auditor did. A material misstatement that the auditor found is already past the “reasonable possibility” threshold, and a material misstatement almost always traces back to an internal control failure.
Why do disclosed material weaknesses almost always have a related material misstatement?
The market reacts negatively to material weaknesses, so the CEO argues that no material weakness exists because the standard only requires a “reasonable possibility” of misstatement. Management and the auditor argue over where to draw the line, and it is very hard for an auditor to insist on a material weakness when no related material misstatement has actually occurred.
The integrated audit report for an accelerated filer must include…
the auditor’s opinion on the fair presentation of the financial statements as well as the auditor’s assessment of internal control over financial reporting.
Can a company receive a clean opinion on its financial statements but an adverse opinion on internal controls?
Yes. A company can have ineffective controls and still receive a clean opinion on its financial statements, because that opinion is about whether the statements are “fairly presented” (after the auditor’s own substantive work), not about the controls themselves.
Can an auditor of an accelerated filer assess CR at its maximum (e.g., 1)?
Yes, but in an integrated audit the auditor still tests the relevant controls, so control risk at the maximum must be an assessment supported by that evidence; it cannot simply be set at the maximum to avoid testing