Chapter 7: Internal Control Flashcards
What are the steps of an audit?
- Plan the audit
- obtain understanding of client and its environment including internal control
- assess risk of misstatements
- design further procedures
- depends on planned assessed CR perform tests of controls
- perform substantive procedures
- complete the audit
- issue audit report
why consider internal control?
to assess the risk of material misstatement
to assess control risk and then determine the nature, timing, and extent of further audit procedures
audit risk
the combined risk of material misstatement and the risk the auditor doesn’t detect the misstatement
risk of material misstatement
inherent risk and control risk
inherent risk
the risk of material misstatement before the controls
control risk
the risk of the internal controls failing to prevent or detect and correct material misstatements that occur
detection risk
the risk the auditor assumes/ restricts that they themselves won’t catch a material misstatement when there is one (disappears if no audit takes place)
internal control
process effected by the entity’s BOD management and other personnel designed to provide reasonable assurance regarding the achievement of objectives:
- reliability of financial reporting
- effectiveness of efficiency of operations
- compliance with applicable laws and regulations
control enviornment
managements and directors attitudes awareness and actions
risk assessment
the organization’s process of identifying potential risks to its financial reporting objectives and developing actions to address those risks
accounting information and communication system
an info system should include methods and records that:
- identify and record all valid transactions
- provide on a timely basis sufficient detailed info about transactions to permit proper classification for financial reporting
- allow for the recording of transactions at their proper monetary value in the financial statements
- provide sufficient info to permit recording of transactions in the proper accounting period
- properly present the transactions and related disclosures in the financial statements
control activities
an organization will establish policies and procedures to help ensure management directives are carried out: performance reviews info processing controls physical controls segregation of duties
monitoring
due to changes among personnel and within the organization it is essential that internal controls be monitored over time to determine whether they continue to be relevant and able to address new risks of the organization
implemented
placed in operation: to obtain use flowcharts. this must be done on ALL audits. used to identify types of potential misstatements, consider factors that affect the risk of material misstatements, design tests of controls, design substantive procedures
operating effectiveness
relates to tests of controls (why they are done), concerned with how a control was applied, consistency with which it was applied, by whom it was applied
actual control risk
the actual, unknown, risk that a material misstatement could occur in an assertion (or account) will not be prevented or detected on a timely basis by an entity’s internal control
planned assessed level of control risk
this level is lower than the maximum level when the assessed level of risk of material misstatement presumes that controls operate effectively. (before testing controls)
assessed level of control risk
the level at which control risk is assessed for purposes of determining the scope of substantive procedures. no test of controls this is at maximum
level of understanding of internal controls required
design of structure and whether it has been implemented (placed in operation), or in other words the company is using the control
level of knowledge required
controls have been placed in operation/implemented
not required
tests of controls to figure out operating effectiveness
documentation required
understanding obtained to plan the audit must be documented:
- internal control questionnaire
- checklists
- written narrative of IC
- flowcharts
planned and assessed risk below max requires
identify IC procedures relevant to account or assertion
if no test of controls have been performed control risk must be assessed at maximum
as the assessed level of control risk increases
the acceptable level of detection risk DECREASES, may modify nature, timing, and extent of substantive tests
nature
type of audit testing
timing
how closed to balance sheet date they are performed, the higher the risk of CR the later started
extent
the amount of work/ how in depth (a lot of work if max CR)
types of tests of controls
- inquiries
- inspection
- observation
- reperformance
inquiries
discuss with appropriate client personnel the manner in which the control functions
inspection
inspect invoices and determine whether evidence exists that the procedures have been performed
observation
observe application of the procedures being applied to the invoices several times during the year
reperformance
reperform the procedure by comparing quantities shown on each invoice to the quantities listed on the related shipping documents and by comparing unit prices to the client’s price lists
communication of control related matters
to management and those charged with governance (ordinarily the audit committee)
deficiency
when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent or detect material misstatements on a timely basis (not severe not necessarily required to be communicated)
significant deficiency
a deficiency in internal control (or a combo of them) that is less severe than a material weakness, yet important enough to be required to communicate to those in charge of oversight of company’s financial reporting
material weakness
a deficiency in internal control (or a combo of them) that is most severe and there is possibility that a material misstatement of the company’s financial statements will not be prevented of detected on a timely basis (obviously communicated)
Use of internal auditors
objectivity- consider independence and policies for assuring they are object
competence- consider education, experience, professional certifications, audit policies, etc.
work performance- review their work
service organizations
provide processing services to companies, referred to as user entities that decide to outsource a portion of their processing – service auditor report or test their controls
integrated audit
required by publicly traded companies (done simultaneously)
the focus is primarily on significant accounts and disclosures and relevant assertions
an account is significant and an assertion is relevant if there is a reasonable possibility that the account/assertion could contain material misstatement
material weakness opinion
adverse opinion
scope limitation opinion
qualified opinion or a disclaimer of opinion
