Chapter 8 Flashcards
Def: internal control
policies + procedures instituted and maintained by the management to provide reasonable assurance that management’s objectives are met
whose responsibility is internal controls
management’s
primary objectives of effective internal controls (4)
- strategic, high level that support the mission
- reliability of financial reporting
- efficiency and effectiveness of operations
- compliance with laws and regulations
management must ___ + ___ the entity’s internal controls
establish + maintain
if the company is public, management is required to
publicly report on operating effectiveness of internal controls in financial reports
auditors are responsible for
understanding entity internal control relevant to the audit
why must auditors understand
to identify the risks of material misstatement at the financial statement and assertion level
when must auditor obtain understanding of controls
ALL the time even if he does not intend on placing reliance on internal controls
when assessing control risk, auditors are concerned with (2)
- entity level controls
- transaction controls
Def: entity level controls
pervasive in nature and do not address particular transaction cycles
entity level controls may prevent or detect and correct
misstatements in several cycles
def: transaction controls
implemented for specific transaction risks
transaction controls specifically prevent or detect and correct
misstatements in classes of transactions, account balances or disclosures and their related assertions
before the auditor can conclude that the total for any given class of transactions is fairly stated
five audit objectives must be met
what are the 5 audit objectives (transaction)
occurrence, completeness, accuracy, cut-off and classification
5 components of COSO internal control framework
- control environment
- risk assessment
- control activities
- info and communication
- monitoring
principles associated with control environment (5)
- commitment to integrity and ethical values
- BofD oversight responsibility
- management structure, authority and responsibility
- commitment to competence
- establish and enforce accountability
principles with risk assessment (4)
- specifies relevant objectives
- identify and assess risk
- consider potential for fraud when assessing
- identify and assess significant changes
principles with control activities (3)
- select and develop control activities
- select and develop general controls over techno
- policies and procedures
principles with info and communication (3)
- relevant and quality information
- communicate internal
- communicate external
principles with monitoring (2)
- select, develop and perform ongoing and separate evaluations
- evaluate and communicate deficiencies
def: control activities
actions established by policies and procedures to help ensure that management directives to mitigate risks are carried out
Def: transaction controls
control activities to mitigate transaction processing risk for specific business processes
control activities should be a combination of
preventive and detective controls
def: preventive controls
controls designed to avoid errors or irregularities
e.g. preventive controls
computer based and data entry
why not take preventive controls?
cost vs. benefit analysis: if something goes wrong, it's cheaper to fix it with detective controls
def: detective controls
controls that identify errors or irregularities after they have occurred so corrective action can be taken
controls over the business process are
what you want to see in an organization
examples of controls in business process (5)
- proper authorization of transactions and activities
- adequate documents and records
- physical and logical control over assets and records
- adequate segregation of duties
- independent checks of performance, recorded data and actual results
def: business process
set of manual and/or computerized procedures that collect, record and process data and report results
business process can also be known as
application system
def: proper authorization of transaction and activities
authorization encompasses more than transactions: it extends to new programs and changes to programs, since this affects the way that transactions are processed
adequate documents and records applies to?
paper or electronic files on which transactions are entered and summarized
adequate documents should be (2)
- pre-numbered or automatically numbered consecutively
- prepared at the time a transaction takes place or asap after
why pre-numbered/automatically numbered? (2)
facilitate control over missing records + aid in locating records when they are needed later
which audit objective do pre-numbered documents help?
completeness (transaction related)
why should there be physical and logical control over assets and records?
stolen, duplicated, damaged or lost
an important safeguard is the use of
physical precautions
Which duties should be segregated? (6)
- custody of assets
- recording/data entry
- systems development/acquisition and maintenance
- computer operations
- reconciliation
- authorization
example of segregation of duties
- custody of assets + accounting
- authorization of transaction + custody of same assets
- operations + record keeping
- reconciliation + data entry
- IT duties + user departments
if there is issue in segregation of duties how is risk affected?
increase in fraud risk -> increase in control risk
why segregate duties?
reduce opportunity for a person to be in a position to perpetrate and conceal a fraud
need for independent checks of performance arises because
internal controls tend to change over time unless there is a mechanism for frequent review
how to automate internal verifications?
computerized accounting systems
how to complete understanding of internal controls in smaller firms
determine if client is auditable, assess management attitude and examine controls with accounting system