Chapter 6 Flashcards
Responsibility for Internal Controls (I/C)?
Management is responsible for designing and maintaining I/C; the audit committee (of the Board of Directors) provides oversight and guidance.
COSO (Who/What is it?)
COSO is a management framework (Committee of Sponsoring Organizations) that lays out the 5 Components of I/C management should have in place.
AICPA/SEC develop the technical guidance auditors use when evaluating I/C.
Five Components of I/C per the COSO Framework (The “COSO Cube”)
- Control Environment.
- The Entity’s Risk Assessment Process.
- Control Activities.
- Information and Communications.
- Monitoring of Controls.
Relationship of I/C Testing to Substantive Testing (Interplay/Inverse relationship between the two)
- If tests of controls show the controls are effective, you can rely on them and reduce substantive testing in that area.
- If tests of controls show the controls are NOT effective, you should do MORE substantive testing (do not rely on the info the controls produce).
SOX requires testing of I/C for public companies.
Do this for each major account/assertion made by management.
- Control Environment (5 Principles)
Tone at the top of the organization, or attitude toward controls.
1) Demonstrate commitment to integrity and ethical values.
2) How does the board demonstrate independence from mgmt and oversee I/C?
3) Mgmt establishes structures, reporting lines, authorities, and responsibilities.
4) Commitment to attract, develop, and retain competent individuals (training, wages, hiring).
5) Hold individuals accountable for their I/C responsibilities.
- Entity’s Risk Assessment Process (4 Principles)
6) Does the org. specify objectives clearly enough that risks to F/S reporting can be identified, and is F/S reporting consistent with them?
7) How does the company identify and analyze risk?
8) Does the organization consider the potential for fraud?
9) Consider how changes (new systems, people, business lines) impact the system of I/C.
- Control Activities (3 Principles)
10) What control activities does the company perform to mitigate risk?
11) General IT controls and application controls over technology.
12) Are the control activities deployed through policies and procedures?
Segregation of Duties (Client employees)
Tells us about their overall control structure. Check that no one client employee holds duties that conflict with each other (e.g., authorizing a transaction AND recording it AND having custody of the asset)!
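A worked check for the segregation-of-duties card above (added example, not part of these flashcards or any course material): given a hypothetical client's role assignments and a conflict matrix of duty pairs one person should not hold, expand each user's roles into duties and report every toxic combination. The role names, duties, users, and the conflict pairs are all constructed for illustration.

```python
# Added example: segregation-of-duties (SoD) conflict check over a constructed
# access list. Users get roles, roles grant duties; conflicts only show up
# once roles are expanded into the duties they actually confer.

from itertools import combinations

# Constructed conflict matrix: pairs of duties that should not sit with one
# person (authorization vs. custody vs. record-keeping).
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"record_receipts", "deposit_cash"}),
    frozenset({"approve_journal", "post_journal"}),
}

# Constructed role -> duty mapping (hypothetical client).
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "treasury": {"release_payment"},
    "cashier": {"deposit_cash"},
    "ar_clerk": {"record_receipts"},
    "gl_accountant": {"post_journal"},
    "controller": {"approve_journal"},
}

# Constructed user -> role assignments (hypothetical client).
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},
    "bob": {"treasury"},
    "carol": {"ar_clerk", "cashier", "gl_accountant"},
    "dave": {"controller"},
}


def expand(user_roles, roles):
    """Map each user to the full set of duties their roles confer."""
    return {
        user: set().union(*(roles[r] for r in rs))
        for user, rs in user_roles.items()
    }


def find_conflicts(assignments, conflicts=CONFLICTS):
    """Return {user: sorted list of (duty_a, duty_b) conflicts that user holds}."""
    findings = {}
    for user, duties in assignments.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(duties), 2)
            if frozenset({a, b}) in conflicts
        ]
        if hits:
            findings[user] = hits
    return findings


def coverage_gaps(assignments, conflicts=CONFLICTS):
    """Duties named in the conflict matrix that nobody holds at all.

    A gap is a different finding from a conflict: the control cannot operate
    if no one is assigned to perform it.
    """
    held = set().union(*assignments.values())
    needed = set().union(*conflicts)
    return sorted(needed - held)


if __name__ == "__main__":
    duties = expand(USER_ROLES, ROLES)
    for user, hits in find_conflicts(duties).items():
        for a, b in hits:
            print(f"{user}: holds both {a} and {b}")
    print("unassigned duties:", coverage_gaps(duties))
```

On the constructed data this flags alice (creates vendors and approves payments) and carol (records receipts and deposits cash); bob and dave are clean. In a small entity the same report would show many hits, and the auditor's response is to look for compensating controls (mgmt review of the output) rather than to assume the conflicts are unmitigated.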
Information Processing Controls (Two of these)
General and Application Controls.
General Controls
IT controls that apply across the whole company (access security, change management, operations, backup).
Application Controls
Controls built into a particular IT application (e.g., input edits and approvals in the payroll application).
- Information and Communications (3 Principles)
13) How does the org. obtain and generate accounting info?
14) How does the org. communicate amongst itself (internally)?
15) How does the org. communicate with outside parties (externally)?
- Monitoring of Controls (2 Principles)
16) Ongoing and separate evaluations mgmt performs on a regular basis to see whether I/C are working the way they are supposed to.
17) How does mgmt evaluate and communicate I/C deficiencies to those responsible for fixing them?
Effect of Size
Small: may have a single accounting person, so segregation of duties and formal documentation are harder to achieve. Compensating factor: mgmt is close to operations (“walking the floor”) and can review the work directly.
Large (e.g., GM): many accounting personnel, so segregation of duties and documentation are practical.
Inherent (Normal) Limitations of I/C
Management override. Human error. Collusion among employees.
Document Understanding of I/C
Flowchart, Narrative Description, Internal Control Questionnaire, and Procedural Manuals.
Planning and Audit Strategy
Develop understanding of I/C, Document Understanding of I/C. Reliance or Substantive Strategy?
Reliance Strategy (Three Steps) (RS)
1) Identify Controls we plan to rely on, and test those controls “key controls”.
2) Determine control risk based on test of controls.
3) Conclude regarding “achieved level of risk”.
RS: Identify Controls we plan to rely on, and test those controls (“key controls”)
Test whether they are designed properly AND operate effectively over the period.
RS: Determine Control Risk based on test of controls
Control risk = risk that the client’s controls will not prevent, or detect and correct, a material misstatement. Assessed as Low, Medium, or High.
RS: Conclude regarding “Achieved level of risk”
If the tests support reliance, assessed control risk is low and substantive testing can be reduced, but still do some substantive testing.
If test results do not allow you to conclude controls are operating as expected, what do you do?
Revise the audit plan: raise assessed control risk and do more substantive procedures.
Substantive Procedure
The auditor has decided not to rely on the entity’s controls and instead use SP as the main source of evidence.
Circumstances when we would want to use a Substantive approach instead of a reliance approach? (Three of these)
Controls are likely ineffective (do not work).
Controls do not pertain to the assertion being tested.
Testing controls would be inefficient (more work than just doing substantive tests).
All three are acceptable reasons under GAAS (nonpublic company audit), but NOT under SOX: in a SOX integrated audit you must test key controls regardless of efficiency.
Greater the reliability of controls, less substantive testing required (AGAIN!)
As controls are less reliable, you’ll have to do more tests.
Sometimes you’ll have to do a lot of both! (Papa’s interplay)
No matter what, you will have to do some substantive testing! (NEVER ZERO)
Advantages of Doing Work Early (Interim Testing)
Gives you a chance to change your approach/audit program if problems surface.
Helps manage time and staff; work done in the fall reduces the crunch in the winter.
Gives the client an opportunity to fix a problem before year end.
Prior-year knowledge of the client may show the area is stable/low risk, so it can safely be done early.
May not be a significant area, so interim work is enough.
Other Items to Consider
Overall control environment. Materiality and Risk.
The greater the risk, the later (closer to year end) the testing, HOWEVER…
Sometimes you want to get the important problems out of the way early.
Identify the big risks earlier so there is time to respond.
Ex: Test cash at year end (fluctuates a lot during the year).
Ex: Fixed Assets/Depreciation: do early in the year (balances are fairly constant).
Ex: Allowance for bad debts: test at interim AND again at year end!
Update/Roll Forward (Important)
Must roll forward work from the interim date to year end (cover the remaining period)! How much roll-forward work is needed is influenced by risk, materiality, and knowledge of the client.
Service Bureaus (SB)
A third party that a client will hire to do something for them.
Ex: Do payroll, pension plan accounting, fixed assets or bookkeeping.
Why do Auditors care about Service Bureaus?
Part of the client’s transaction processing now happens outside the client, so we need to understand and test the client’s controls AND the third party’s controls. We need evidence the service bureau’s controls are designed properly and operating effectively!
Service Organization Controls (SOC) Report Type 1
Describes the service bureau’s system and the DESIGN of its controls as of a point in time, but DOESN’T test whether they operate effectively.
SOC Report Type 2
Describes the system AND reports the service auditor’s tests of operating effectiveness over a period.
Our Responsibility for SOC Reports
A SOC report does not replace testing the client’s own controls over the service bureau’s work (e.g., the client reviewing the payroll output it gets back).
If a Type 1 or Type 2 report is not sufficient for our purposes, we can go to the service bureau and test ourselves, or ask the SB’s auditor to perform more testing!
If a Type 2 report is done well and covers the relevant controls and period, we can accept it as evidence.
We MUST always roll forward from the report’s period to our year end though!!!
Communication of I/C Issues to Client (Nonpublic Company)
Three of these
Material Weakness. Significant Deficiency. Minor (Other) Deficiency.
No requirement under GAAS to report on I/C in the F/S themselves!
Material Weakness (MW)
Deficiency (or combination of deficiencies) in I/C such that there is a reasonable possibility that a material misstatement of the F/S will not be prevented, or detected and corrected, on a timely basis.
Report in writing to management and those charged with governance (Board of Directors and Audit Committee).
Significant Deficiency (SD)
Deficiency that is less severe than a MW, but important enough to merit the attention of management and those charged with governance.
Report in writing to management and those charged with governance (Board of Directors and Audit Committee).
Minor (Other) Deficiency
Control weaknesses that don’t rise to SD or MW, “noise level”; just be aware of them.
Can be reported verbally to management.
4 Types of Control Activities that contribute to the Mitigation/Reduction of Risk
Performance Reviews. Segregation of Duties. Physical controls. Information Processing Controls.
5 Factors to consider when Substantive Procedures are Performed at an Interim Date
Control Environment and other relevant controls.
Availability of info at a later date.
Purpose of the substantive procedure.
The assessed risk of material misstatement.
The nature of the class of transactions or account balance and relevant assertions.