Chapter 6 Internal Control in a Financial Statement Audit Flashcards
COSO’s Internal Control - Integrated Framework
A system of internal control designed and carried out by an entity’s board of directors, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives in the following categories:
1. Reliability, timeliness, and transparency of internal and external financial and nonfinancial reporting
2. Effectiveness and Efficiency of Operations
3. Compliance with laws and regulations
Management has the responsibility to…
Design and maintain internal controls that provide reasonable assurance that:
-the entity's assets and records are properly safeguarded
-the information system generates reliable information for decision making
auditor needs assurance about the reliability of the data generated by the information system
Auditor uses risk assessment procedures to
-obtain an understanding of the entity's internal control
-identify key controls
-recognize the types of potential misstatement
-design tests of controls and substantive procedures
Auditor has the responsibility to…
-Obtain an understanding of internal control and,
-assess control risk
auditor's understanding of internal control is a major factor in determining the audit strategy
5 Components of Internal Control
- Control Environment
- Entity’s risk assessment process
- Control Activities
- Information and Communication
- Monitoring Activities
Control Environment
the set of standards, processes, and structures that provides the basis for carrying out internal control across the organization.
BOD and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct
Entity's Risk Assessment Process
the process for identifying and analyzing risks to achieving the entity's objectives; it forms a basis for determining how risks should be managed
*important that management identifies the entity's risks and takes action against them
Most important to auditor about entity's risk assessment process is how management…
-identifies risks relevant to the preparation of financial statements
-estimates their significance
-assesses the likelihood of their occurrence
-decides on how to manage them
*Includes internal and external events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with management's assertions
Control Activities
actions established by policies and procedures to help ensure that management's plans to reduce risks and achieve objectives are carried out
*performed at all levels of entity and at various stages w/in the business process
Examples of control activities
-Performance reviews
-Physical Controls
-Segregation of Duties
-Information Processing Controls
*org selects and develops general control activities over technology to support the achievement of objectives
Performance Reviews
Comparison of budget to actual performance (how the business is performing)
Physical Controls
Keeping assets locked up, restriction of access to records, IT
Segregation of Duties
Separate job functions so one individual does not have too much control
*prevents the ability of an individual to commit and conceal fraud
Information Processing Controls
Information
Information is necessary for the entity to carry out internal control responsibilities in support of achieving its objectives
Communication
Occurs both internally and externally and provides the organization with the info needed to carry out day to day internal control activities.
-enables personnel to understand internal control responsibilities and their importance to the achievement of objectives
*allows for flow of info to management
Internal Communication
communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
External Communication
communicates with external parties regarding matters affecting the functioning of internal control
Monitoring of Controls
Ongoing evaluations, separate evaluations, or a combination of both are used to tell whether each of the five components is present and functioning
*findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board
Audit Risk Model
AR=IR x CR x DR
RMM=IR x CR
*in applying model auditor must assess control risk
Substantive Strategy
The auditor does not rely on controls and control risk is set high because
-Controls do not pertain to an assertion
-Controls are assessed as ineffective
-Testing the effectiveness of controls is inefficient
Requires more substantive testing to support assertion
Reliance Strategy
Rely on controls, assess control risk at a lower level, detection risk is then higher=less substantive testing and helps with the efficiency of the audit
*in order to rely on controls we must test and have an understanding of the controls
Why have an understanding of five components of internal controls to plan the audit
-helps to identify types of potential misstatement
-pinpoint controls meant to mitigate risk of material misstatement
-design test of controls and substantive procedures to reduce risk of misstatement to an acceptably low level
Effect of entity's size on internal control
while the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than a large one
Limitations of an entity's internal control
- management's override of internal control
- human error or mistakes
- Collusion
Collusion
2 or more parties working together to perpetrate fraud
Assessing Control Risk (3)
- Identify specific controls that will be relied upon
- perform test of controls
- conclude on the achieved level of control risk
Performing test of controls (4)
- Inquiry of appropriate entity personnel
- inspection of documents indicating performance of the control
- observation of the application of control risk
- Reperformance of the application of the control by the auditor
How to document achieved level of control risk (3 ways)
- a structured working paper
- an internal control questionnaire
- a memorandum
MUST DOCUMENT RESULTS
Performing substantive procedures
audit strategies for the nature, timing, and extent of substantive procedures based on different levels of detection risk for inventory
Low Detection Risk Strategy
audit tests for all significant audit assertions using the following types of audit procedures
Nature
-Physical examinations (year end)
-review of external documents
-confirmation
-reperformance
Timing
-all significant work completed at year end
Extent
-extensive testing of significant accounts or transactions
acceptable level of detection risk low=auditor needs to provide more assurance
High Detection Risk Strategy
Corroborative audit tests using the following types of audit tests:
Nature
-Physical examination (Conducted at interim date)
-analytical procedures
-substantive tests of transactions and balances
Timing
-Interim and year-end
Extent
-limited testing of accounts or transactions
Timing of audit
auditor must conduct a test of controls AFTER any major changes in systems or procedures
Between interim test of controls and financial statement date, auditors must ensure that systems are still running as designed
* very economical and efficient for auditors*
Interim test of controls
-controls have been effective in prior audits
-efficient use of staff time
Interim Substantive procedures
-Control environment
-purpose of substantive procedure
-the assessed risk of material misstatement
-the nature of the transactions or balances and relevant assertions
-the ability of the auditor to perform appropriate procedures to cover the remaining period
Auditing accounting applications processed by service organizations
Because what happens at the service organization affects the entity, one of the auditor's concerns is the internal control system of the service organization
auditor can confer with service organization's auditor on their operations
Service Organizations
Organizations that take over an accounting function from the entity like ADP or Paycor for payroll
Type 1 Report
A report on management's description of a service organization’s system and the suitability of the design of their controls
Type 2 Report
more in depth
provides assurance on the operating effectiveness of the service organization's controls based on the auditor's test of controls
auditor can only reduce control risk using a service auditor's Type 2 report
Communication of Internal Control-Related matters (3)
- Control Deficiency
- Material Weakness
- Significant Deficiency
Control Deficiency
Exists when the design or operation of a control does not allow management or employees to prevent, detect, or correct misstatements on a timely basis
Material Weakness
A deficiency, or combination of deficiencies, in internal control, which could cause a reasonable possibility that a material misstatement of the entity's financial statement will not be prevented, detected, or corrected, on a timely basis
Significant Deficiency
A deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention
Which deficiencies must an auditor communicate in writing to management and those charged with governance
Significant deficiencies and Material weaknesses
General Controls
relate to the overall information processing environment and have a pervasive effect on the entity's computer operations
Application Controls
apply to the processing of specific computer applications and are part of the computer programs used in the accounting system
Limit test
a test to ensure that a numerical value does not exceed some predetermined value
Range Test
A check to ensure that the value in a field falls within an allowable range of values
Sequence Check
A check to determine if input data are in proper numerical or alphabetical sequence
Existence (validity) test
a test of ID number or code by comparison to a file or table containing valid ID numbers or codes
Field test
A check on a field to ensure that it contains either all numeric or alphabetic characters
Sign test
A check to ensure that the data in a field have the proper arithmetic sign
Check-digit verification
a numerical value computed to provide assurance that the original value was not altered
Closed Loop Verification
a process that takes data entered into the system to find and present other related information, thus enabling the user to verify the correctness of the original data entry