Chapter 5 Class Flashcards
who publishes an integrated framework of internal controls?
The Committee of Sponsoring Organizations (COSO)
COSO’s 3 categories for internal control to provide assurance in:
- reliability of financial reporting
- effectiveness and efficiency of operations
- compliance with laws and regulations
how are auditors primarily concerned with a client’s internal control system?
how it relates to the reliability of financial reporting
SOX requires ________ to assess and report on the entity’s internal control over financial reporting
management
material weakness
a deficiency in internal control such that there is a reasonable possibility that a material misstatement will not be caught
what do auditors do only for issuer companies when evaluating internal controls?
issue an opinion on the effectiveness of the entity’s internal control over financial reporting
3 responsibilities of auditors when evaluating internal controls for public companies:
- issue an opinion on the effectiveness of their internal control over financial reporting
- assess the preliminary risk of material misstatement for each relevant assertion
- evaluate whether the client has implemented control activities that are specifically designed to address each fraud risk
2 responsibilities of auditors on nonissuer companies:
- assess the preliminary risk of material misstatement for each relevant assertion
- evaluate whether the client has implemented control activities that are specifically designed to address each fraud risk
high assessed control risk indicates:
controls are not effective at preventing or detecting misstatements
- use substantive testing
- large sample sizes
- lower detection risk
low assessed control risk indicates:
controls are effective at preventing or detecting material misstatements
- use analytical testing
- smaller sample sizes
- high detection risk
low assessed control risk needs ________ testing;
high assessed control risk needs _________ testing
analytical
substantive
COSO’s 5 components of a properly designed internal control system:
- control activities
- risk assessment
- information and communication
- monitoring
- control environment
(CRIME)
which risks have an inverse relationship?
control risk and detection risk
control environment
sets the tone of the organization and is the foundation for all other components
- integrity and values
- organizational structure
- financial reporting competencies
risk assessment
the business risks ultimately managed by management, boards, and employees
auditors have to gain an understanding of management’s _________ process
risk assessment
control activities
specific actions that management and employees take to help ensure management’s directions are carried out
what does an auditor determine in relation to control activities?
- what could go wrong
- what control activities management implements in response to what could go wrong
preventative controls
prevent misstatements before they occur
detective controls
detect misstatements after they occur
management review controls
periodic management reviews and follow-up actions to correct identified errors
information processing control activities
designed to ensure the completeness and accuracy of system-generated reports
physical security controls
physical access to data should be limited to authorized personnel only
4 types of separations of duties that should be performed by different persons:
- authorization to execute transactions
- recording transactions
- custody of assets involved in the transaction
- periodic reconciliation of existing assets
5 limitations of internal control
- human error
- deliberate circumvention
- management override
- collusion
- cost-benefit considerations
3 phases of an auditor’s internal control evaluation:
- understanding
- assessment
- testing
entity-level controls
controls pervasive to the internal control system
- evaluated during the understanding phase
transaction-level controls
controls that pertain to specific classes of transactions, balances, and disclosures
- evaluated during the understanding phase
how must the audit team document their understanding of the internal control system?
- narrative description
- flowchart
- questionnaire
4 essential parts of the narrative description
- the origin of every document and record in the system
- all processing that takes place
- disposition of every document and record
- an indication of the controls relevant to control risk
testing of controls is required for ________ companies
public
phase 2 of evaluating the internal control system
Assess the Control Risk
relevant assertions to the cash account
- existence
- valuation
phase 3 of evaluating the internal control system
Identify and Perform Tests of Controls
if controls are found to be operating effectively, the control risk is assessed _______ the maximum
below
control risk lower:
detection risk _______
_____ substantive testing
higher
less
control risk higher:
detection risk _______
_____ substantive testing
lower
more
if controls are not found to be operating effectively, control risk is assessed as ______
high
4 methods of testing controls (least to most persuasive):
- inquiry of personnel
- observation of the control
- inspection of documentation
- reperformance of the control activity
unqualified opinion
no material weaknesses exist
disclaimer of opinion
the audit team cannot perform all necessary procedures and therefore does not know if material weaknesses exist
adverse opinion
one or more material weaknesses exist
design deficiency
a problem relating to either a necessary control that is missing or an existing control that is poorly designed
operating deficiency
a properly designed control is either ignored or inappropriately applied
when auditing a non-issuer, when do auditors have to test internal controls for operating effectiveness?
when they plan to rely on those internal controls