Chapter 5 Flashcards
The Committee of Sponsoring Organizations (COSO) included representatives from the Financial Executives Institute, the American Accounting Association, the Institute of Internal Auditors, the Institute of Management Accountants, and the AICPA.
The goal of the committee was to determine what business entities could do to improve financial reporting.
The primary purpose of the COSO framework is to provide a benchmark for internal control effectiveness.
What is the Committeee of Sponsoring Organization (COSO)? Briefly describe the purpose of the COSO framework of internal control effectiveness.
The three goals of an internal control system, according to the Committee of Sponsoring Organizations (COSO) Report, are:
· Reliability of financial reporting.
· Effectiveness and efficiency of operations.
· Compliance with applicable laws and regulations.
External auditors are primarily concerned with the reliability of financial reporting; however, some operating and compliance controls may be important for the financial statement audit depending on the facts and circumstances of the audit engagement.
What are the three goals of an internal control system according to the COSO report? Which is the most important?
Management is responsible for establishing the control environment, assessing the risks it wishes to control, specifying information and communication channels and content (including the accounting system and its reports), designing and implementing control activities, and monitoring, supervising, and maintaining the controls. Management of public companies must report their evaluation of the company’s financial reporting controls on an annual basis to the shareholders.
External auditors are not responsible for designing effective controls for audit clients. They are responsible for evaluating existing internal control and assessing the control risk in them. For public companies, auditors must give an opinion on the effectiveness of internal control over financial reporting based on an audit of internal control that is integrated with the financial statement audit.
What are management’s and auditors’ respective responsibilities regarding internal control?
Control risk is the probability that the client’s internal control activities will fail to prevent or detect material errors and frauds that enter the data processing system. Assessing control risk is part of using the audit risk model in the planning stage of the audit. That is, auditors determine the nature, timing, and extent of further substantive audit procedures (i.e., set detection risk) based, in part, on the assessment of control risk for each relevant financial statement assertion. The other important assessment that auditors have to make to determine the nature, timing and extend of further audit procedures is the inherent risk assessment.
Define control risk and explain the role of control risk assessment in audit planning.
The primary reason for conducting an evaluation of a client’s existing internal control system is to give the auditors a basis to determine the nature, timing, and extent of further substantive audit procedures. On a public company audit, Sarbanes-Oxley requires auditors of public companies to perform an audit of internal control over financial reporting that is integrated with the financial statement audit.
What are the primary reasons for conducting an evaluation of an audit client’s internal control?
The audit team assesses control risk to determine the risk of material misstatement (RMM) for each relevant assertion identified in the audit plan; the higher the assessment of control risk, the higher the assessment of RMM. Most audit teams express their control risk assessment decision with descriptive terminology (e.g., high, moderate, low), which recognizes the imprecise nature of evaluating risk.
How does control risk affect the nature timing and extent of further audit procedures?
The information and communication component is closely related to the accounting information system. The accounting information system produces a trail of activities from the identification of data elements in a transaction all the way to the general ledger (i.e., financial reports). This trail of activities is referred to as the audit trail. You can visualize that the audit trail begins with the source documents (purchase orders, sales orders, etc.) and proceeds through to the financial reports. Auditors often follow this trail frontward and backward, identifying and testing relevant control activities along the way. They follow it backward from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents (the occurrence assertion). They follow it forward from source documents to reports to determine whether everything that happened (transactions) was recorded in the accounts and reported in the financial statements (the completeness assertion).
What is meant by the information and communications components of an effective internal control system? How can an auditor evaluate whether a client’s internal controls system is functioning properly for this component?
Examples of everyday monitoring work that can be done by management would include:
· Periodic evaluation of controls by internal audit.
· Analysis of and appropriate follow-up of operating reports or metrics that might identify anomalies indicative of a control failure.
· Supervisory review of controls, such as reconciliation reviews as a normal part of processing.
· Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions.
· Audit committee inquiries of internal and external auditors.
· Quality assurance reviews of the internal audit department
Give some examples of everyday activities that an entity’s management can use to enact the monitoring component of internal control. when are such activities control activities, and when are they monitoring activities?
Reasonable assurance is closely related to the cost-benefit rule. By definition, reasonable assurance recognizes that the cost of an organization’s internal control should not exceed the benefits obtained by the control. Management is responsible for assessing the cost and benefits of internal controls in their own organizations, hence their reasonable assurance. Auditors get into the act of reasonable assurance assessment when they audit internal controls and when they consider whether to make recommendations about control improvement in a management letter
The key limitations in an internal control system generally relate to the people operating within the system. People make the system work at every level of company management. People establish the objectives, put control mechanisms in place, and operate them. There are at least four types of breakdowns related to people. They are human error, deliberate circumvention, management override, and improper collusion among people who are supposed to act independently. Internal control can help prevent and detect these people-caused failures, but it cannot guarantee that they will never happen.
What is the concept of reasonable assurance? What are the key limitations of an internal control system?
