Chapter 5 Class Flashcards
who publishes an integrated framework of internal controls?
The Committee of Sponsoring Organizations (COSO)
COSO’s 3 categories for internal control to provide assurance in:
- reliability of financial reporting
- effectiveness and efficiency of operations
- compliance with laws and regulations
how are auditors primarily concerned with a client’s internal control system?
how it relates to the reliability of financial reporting
SOX requires ________ to assess and report on the entity’s internal control over financial reporting
management
material weakness
a deficiency in internal control such that there is a reasonable possibility that a material misstatement will not be caught
what do auditors do only for issuer companies when evaluating internal controls?
issue an opinion on the effectiveness of the entity’s internal control over financial reporting
3 responsibilities of auditors when evaluating internal controls for public companies:
- issue an opinion on the effectiveness of their internal control over financial reporting
- assess the preliminary risk of material misstatement for each relevant assertion
- evaluate whether the client has implemented control activities that are specifically designed to address each fraud risk
2 responsibilities of auditors on nonissuer companies:
- assess the preliminary risk of material misstatement for each relevant assertion
- evaluate whether the client has implemented control activities that are specifically designed to address each fraud risk
high assessed control risk indicates:
controls are not effective at preventing or detecting misstatements
- use substantive testing
- large sample sizes
- lower detection risk
low assessed control risk indicates:
controls are effective at preventing or detecting material misstatements
- use analytical testing
- smaller sample sizes
- high detection risk
low assessed control risk needs ________ testing;
high assessed control risk needs _________ testing
analytical
substantive
COSO’s 5 components of a properly designed internal control system:
- control activities
- risk assessment
- information and communication
- monitoring
- control environment
(CRIME)
which risks have an inverse relationship?
control risk and detection risk
control environment
sets the tone of the organization and is the foundation for all other components
- integrity and values
- organizational structure
- financial reporting competencies
risk assessment
the business risks ultimately managed by management, boards, and employees
auditors have to gain an understanding of management’s _________ process
risk assessment
control activities
specific actions that management and employees take to help ensure management’s directions are carried out
what does an auditor determine in relation to control activities?
- what could go wrong
- what control activities management implements in response to what could go wrong