Chapter 7 Flashcards
What does COSO stand for?
Committee of Sponsoring Organizations. They make some rules of Internal Control
The three broad internal control objectives are
Compliance with laws and regulations
Reliability of financial reporting
Efficiency/effectiveness of operations
Internal Control is defined as
a process, effected by the entity’s board of directors, management, and other personnel designed to provide reasonable assurance regarding achievement of objectives in the following categories:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
The auditor’s focus regarding internal control is on internal control over _____, or ICOFR
Internal Control Over Financial Reporting
This act, in addition to making bribes to foreign officials illegal, requires an effective system of internal control
Foreign Corrupt Practices Act of 1977
Define Segregation of Duties, a component
No one department or person shall handle all aspects of a transaction from beginning to end, since that would put them in a position to perpetrate and conceal errors/fraud.
• MUST segregate duties along the “arc” – must separate the authorizing of transactions, recording of transactions, and custody of related assets
Does management or the internal auditor establish internal controls?
Management does, along with preparation of financial statements.
Is reasonable or absolute assurance required?
Reasonable
Name the five components of internal control
The Control Environment
Risk Assessment Process
Control Activities
The Accounting Information and Communication system
Monitoring of Controls
Detailed employee responsibilities, open communication channels, and reporting exceptions/unusual items to management are also key in information and communication system. True or False?
True
Define Physical Controls, a component
Physical Controls – provide physical security over records and assets
• Maintaining control over unissued pre-numbered documents
• Restricting access to computer programs and data
• Restricting physical access in safes, locks, fences, guards etc
• Accounting records should be maintained independent of custody-related assets, and company should periodically compare/reconcile accounting records to assets on hand (to detect loss, waste, or theft)
Define the Risk Assessment Process component
management’s process for identifying, analyzing, and responding to such risks.
• Financial Reporting Risks
Changes in the regulatory or operating environment
Changes in personnel
Implementation of a new or modified information system
Rapid growth of the organization
Changes in technology affecting production processes or information systems
Introduction of new lines of business, products, or processes
Define a Performance Review
provide management with an overall indication of employee effectiveness at meeting objectives. By investigating deviations, management takes timely action to change strategy or take other appropriate action.
Control Activities, a component of internal control, can be defined as
policies and procedures that address and mitigate risks identified by risk assessment process.
Actions, policies, and procedures that reflect overall attitudes of top management, directors, and owners of an entity establish which component of Internal control?
The Control Environment.
- Commitment to integrity and ethical values
- Effective BOD and audit committee
- Effective organizational structure
- Commitment to attract, develop, and retain competent employees
- Individual accountability for internal control responsibilities
Describe the six limitations of Internal Control
Human Errors
Systematic Errors
Collusion circumventing segregation of Duties
Override of internal Control by Management
Cost considerations
Compliance deteriorating over time
Should management perform ongoing monitoring to determine if controls are present and functioning?
Yes
Describe The Accounting Information and Communication System
Information is needed throughout company to meet objectives. Therefore, management must obtain, use, and communicate relevant, quality information to support controls.
Monitoring activities assess the quality of internal control over time. True or False?
True
What does ERM stand for?
Enterprise Risk Management.
- COSO, but doesn’t replace internal control framework
- Goes beyond internal control to focus on how organizations may be able to maximize value for stakeholders most effectively by managing risks and opportunities
- More robust, or strong and stable, for companies to manage business risk
Define Corporate Governance
“the system by which companies are directed and controlled.” It includes the policies, procedures, and mechanism that are established to ensure that the company operates in the best interests of its major stakeholders - including owners, customers, suppliers, employees, and society as a whole.
For example, for a corporation, the major instruments of corporate governance include management compensation systems, the boards of directors (including major committees), external auditors, internal auditors, attorneys, regulators, creditors, securities analysts, and internal control systems.
Define how systematic errors may occur
in designing, maintaining, or monitoring automated controls
Once again - steps of audit in order
Plan Audit - Obtain Understanding - Assess Risks of Material Misstatement - Perform further audit procedures - Complete the Audit - Form an Opinion - Issue audit report
Corporate Governance Mechanisms include
External auditors, regulators (such as the SEC), creditors, securities analysts, major shareholders
Revenue, purchases, and cash receipts and disbursements are names of what types of transactions?
routine transactions
Stage 2, obtaining understanding, regarding internal control:
Identify types of potential misstatements and consider factors that affect risk
Design tests of controls
Auditors must first understand the internal control design, so the client can provide narratives here or flowcharts of controls
Only test controls that work. No point in testing ineffective ones, because that can't increase detection.
Also, Auditors must consider all five of the internal control components
Corporate Governance would be considered ____ (broader/smaller) than internal control
Broader, it also encompasses ethical treatment of all major stakeholders, compliance with laws, regulations, customary business practices, and effective risk management
Determining the allowance for doubtful accounts would be an example of which type of transaction?
Estimation
Test of controls include the following: (there are four)
Inquiries of appropriate client personnel
Inspection of documents and reports
Observation of the application
Reperformance of the controls
Taking of inventory, calculating depreciation expense are examples of what type of transactions?
nonroutine
Results of ____ are often used to determine nature, extent, and timing of substantive procedures
Tests of Controls
Which of the three types of transactions generally has the strongest control compared to the other two?
Routine transactions
If controls have changed from prior year, new controls must be tested. True or false?
True
Advantages and disadvantages of Internal Control Questionnaires
A: Asks a series of questions about controls in each transaction cycle in order to identify deficiencies
D: 1. Inability to provide a system overview
2. Inapplicability of many questions for some audits, especially smaller ones
Define a Narrative
Written description of each transaction cycle in an accounting system
If controls have not changed, can one rely on past tests of controls?
Sure, but in a limited fashion.
AICPA and International Auditing Standards – tests of control must be performed at least every third year
PCAOB – more stringent – tests of controls must be performed to some extent annually when controls are relied upon
The four procedures to obtain understanding of control design and implementation include (usually a combo of):
- Inquiring of entity personnel
- Observing the application of specific controls
- Inspecting documents and reports
- Tracing transactions through the information system relevant to financial reporting (walk-throughs)
If tests of control show numerous control deviations, is substantive testing expanded or reduced?
Expanded to test the assertions
Auditing standards require auditors to obtain and document an understanding of internal control. True or False?
True, through
- Internal Control Questionnaires
- Narratives
- Flowcharts
- Walk-throughs
Is a walk-through the same as a tour of the audit property?
No
Define a significant deficiency
control deficiency that is important but less severe than material weakness
Describe considerations taken if the work of internal auditors must be used
- CPA may rely on work of internal audit to reduce amount of testing if found to be effective
- CPA must assess internal audit competence (education, experience, certifications) and objectivity (report directly to audit committee?) and quality of their work (examine working papers)
- If intent is to rely upon work of internal audit, must test that work
Define Flowcharts
Diagram of each cycle in an accounting system that serves as a visual representation of the series of procedures that occur in each sequence of processing
Define an advantage of a Narrative
Kind of like writing out a walk-through. Advantage is that it gives a good understanding of what a transaction looks like.
Which report documents the organization’s suitability and effectiveness?
Type 2
Advantages of flowcharts?
Contains the same information as a narrative, with the advantages of being:
1. Easier to read/visualize
2. Easier to update.
***Narratives/flowcharts to understand the system accompanied by internal control questionnaires for checklist of potential deficiencies = highly useful!
Define a walk-through
After documentation of internal controls, trace one or two transactions through cycle to ensure proper implementation
If auditor finds implementation of internal controls is different from description, modify working papers accordingly
Potential disadvantages of flowcharts are
that they do not as clearly identify areas of weakness/omitted controls
An Unqualified opinion on Internal Control means that
No material weaknesses or scope restrictions
Can a CPA obtain direct assistance from internal auditors?
Sure, for certain procedures (nothing high risk or subjective), but CPA remains responsible for the audit
A type _ (1/2) report is Management’s description of the system and the suitability of the design of controls
Type 1
Auditors may also assist in effective internal control and improving client effectiveness and efficiency by communicating the following in a management letter:
- Internal control deficiencies (even less significant ones)
- Explanation of potential effects
- Recommendations for corrective action
Audit standards require WRITTEN communication of _____ (significant deficiencies/material weaknesses) to management no later than 60 days after report release date
Both, actually
SOX Section 404a establishes a Form 10-K each year. This is a report that includes the following effects on management:
Acknowledges responsibility for establishing and maintaining adequate internal control over financial reporting
Assesses internal control effectiveness as of the last day of the company’s fiscal year using suitable criteria
Define a material weakness
control deficiency that creates a reasonable possibility of a material misstatement
An adverse opinion on Internal Control means that
there are one or more material weaknesses
A Qualified or Disclaimer opinion on Internal control means that
there is a Scope Limitation
Due to lack of employees, internal control is generally _____ (strong/weak) in small businesses
weak since, for example, adequate segregation of duties is not feasible. Auditors must rely much more on substantive procedures of account balances and transactions
Some key measures to ensure better control include
- Segregation of duties of cash handling and record keeping
- Active oversight and participation by the owner
Auditors selected by a service organization to assess systems are called
Service Auditors
Define a Service Organization
Organization that performs data processing/computer/or IT services, like payroll processing, for various clients
Preventive, Detective, or Corrective control? - Segregation of Duties
Preventive
Preventive, Detective, or Corrective control? - Requirement to prepare bank reconciliations
Detective
Preventive, Detective, or Corrective control? - Maintaining Backups of Data
Corrective
Preventive, Detective, or Corrective control? - Finding a misstatement that has already been made
Detective
Preventive, Detective, or Corrective control? - Finding a misstatement
Corrective
Preventive, Detective, or Corrective control? - Approving journal entries
Preventive
A common way to help detect misstatements that have been made is to
Prepare bank Reconciliations
LIFO calculations, depreciation, physical inventory, and financial statement closes are what type of transactions?
Nonroutine
Bad debt expense is what type of transaction?
Estimation
Cash receipts, payroll, cash disbursement, and inventory costing are considered what type of transaction?
Routine
The significance of accounts should be considered ______ (with/without) regard to internal control.
without
The first step of planning steps of the audit of internal control is
Management’s report on internal control
What kind of approach is used to identify controls to test?
top-down
An account is significant if there is a reasonable possibility that it could contain a misstatement that has a material effect on the financial statements. True or False
True
Accounting ______ (disclosures/estimates) involve management’s judgment or assumptions.
estimates
Is design or operating effectiveness tested first?
Design
Efficient planning of the evaluation of internal control requires coordination with the financial statement audit. True or false?
True
Evidence as to the design of internal control and its operating effectiveness should be considered ____________ (as of, before, or after) the date specified in the assessment
as of
The audit committee is especially important as it exercises oversight responsibility over the financial statements. True or False
True
Who should develop a statement of ethical values?
Senior Management
Management’s evaluation process of internal control ____________ (concludes/begins) with the management report on internal control–the first step of the audit process.
concludes
Organizational structure provides a basis for planning, directing, and controlling operations. True or False?
True
To enhance the control environment, management develops job descriptions. True or False?
True!
For well controlled operations, the same employee that maintains custody of assets should also keep the accounting records for the assets. True or False?
False
An employee has incompatible duties if the person is in a position to perpetrate and conceal errors or fraud in the normal course of performing his or her duties. True or False?
True
The controls over a client’s sales cycle are part of that client’s control environment. True or False?
False
The establishment of sales terms is an example of a control. True or False?
True
The internal audit function is an important part of the monitoring component of internal control. True or False?
True
All material weaknesses are also control deficiencies. True or False?
True
Both the design of controls and the operating effectiveness of controls are considered in an audit of internal control performed under PCAOB standards. True or False?
True
A control activity that leaves evidence of compliance is usually tested by inquiry and observation. True or False?
True
An advantage of an internal control questionnaire is that weaknesses in internal control are highlighted by the questionnaire. True or False?
True
In audits of both public and nonpublic companies, significant deficiencies and material weaknesses noted by the auditors must be communicated to management in writing. True or false?
True
Before assessing control risk at a level lower than the maximum, the auditor obtains reasonable assurance that controls are in use and operating effectively. This assurance is most likely obtained in part by:
Analyzing tests of trends and ratios
preparing flowcharts
inspecting documents
performing substantive procedures
inspecting documents
Is examining signatures on checks considered a test of control?
Yes
When performing an audit of internal control, the period or date on which the opinion relates under PCAOB standards is the: as of date or the entire period under audit?
As of Date
Is counting and listing cash on hand considered a test of control?
No
No one particular form of documentation of client’s internal control is required, and the extent of documentation may vary. True or false?
True
Is obtaining or preparing reconciliations of bank accounts as of the balance sheet date considered a test of control?
No
Observation of client personnel applying the control is most likely to provide an auditor with utmost assurance about the effectiveness of the operation of internal control. True or false?
True
An auditor’s flowchart of a client’s internal control is a diagrammatic representation which depicts the auditors’:
documentation of control risk
understanding of the system
planned tests of controls
program for tests of controls
understanding of the system
Is monitoring considered a component of internal control?
Yes