Chapter 9 Flashcards
CAS 315 requires all five components of _____ internal control to be addressed and understood
COSO framework
what are the five components of COSO?
- control environment
- risk assessment
- control activities
- information and communication
- monitoring
auditor uses his understanding of COSO to
identify potential errors or fraud and other irregularities that can increase the risk of material misstatement
the risk of material misstatement must be monitored at both
overall financial statement level and assertion level
once potential errors or fraud risks are identified
use them to design the audit procedure to respond to the risks
items to understand information system and communication (7)
- financial reporting process (accounting estimates and disclosures)
- nature and details of procedures
- controls surrounding journal entries
- major classes of transactions of entity
- how transactions are initiated and recorded
- which accounting records exist and their nature
- how the information system captures other events significant to the financial statements
methods to document understanding of control activities (3)
- narrative
- flowchart
- internal control questionnaire
def: narrative
written description of internal controls
what elements are included in narrative (4)
- origin
- processing
- disposition of documents and records
- relevant control activities
def: flowchart
diagrammatic representation of client’s documents and records and sequence in which processed
def: internal control questionnaire
series of questions about controls in each audit area
if questions in questionnaire are answered no?
failure of internal control, so the completeness objective is not completed
how to evaluate if controls have been implemented
- consider if the control when in operation would achieve this objective
- is the control implemented
- is it carried out by appropriately qualified persons
methods to evaluate implementation of controls (6)
- previous experience with entity
- make inquiries of client personnel
- examine documents and records
- observe activities and operations
- walk-through of accounting system or transaction
- assess control risk
before making preliminary assessment of control risk for each class of transactions
must see if entity is auditable
3 criteria for auditable entity
- management lacks integrity
- accounting records are deficient (lack evidence)
- complex IT environments (must have skills)
how to assess control risk at assertion level
control risk matrix
Def: control risk matrix
method used to help auditor assess control risk by matching key internal controls and internal control weaknesses with transaction related audit objectives
purpose of control risk matrix
provide a convenient way of organizing control risk for each assertion and related audit objective
process of assessing control risk with matrix
- identify audit objectives (assertions)
- identify specific relevant controls
- associate controls with objective (assertion)
- identify and evaluate control deficiencies, significant deficiencies and material weaknesses
a C in control matrix means
affects the objective listed at the top
a D in control matrix means
deficiency
a lot of Ds means
increase in control risk depending on importance of deficiency
three levels of absence of internal controls (CAS 265)
- control deficiency
- significant deficiency
- material weakness
def: control deficiency
design or operation of controls does not detect and correct misstatements in timely manner
def: significant deficiency
one or more control deficiencies exist that are less severe than material weakness
def: material weakness
significant deficiency results in reasonable possibility that internal control will not prevent or detect material financial misstatements on timely basis
five step approach to identify significant and/or material internal control weaknesses
- identify existing controls
- identify absence of key controls
- possibility of compensating or mitigating controls
- significant deficiency or material weakness
- potential material misstatements that could result
def: test of controls
procedures to test effectiveness of controls in support of reduced assessed control risk
five types of audit procedures to support operation of key internal controls
- inquiries of appropriate entity personnel
- inspect documents, records and reports
- observe control-related activities
- test data
- re-perform client procedures
def: procedures to obtain an understanding of internal controls
are applied to all controls identified, while tests of controls are applied when the assessed control risk has not been satisfied by those procedures
CAS 402 requires auditor to consider the need to understand service center’s controls if
they process significant financial data
name for auditors who issue reports on the internal control of service orgs
service auditors
Type 1 report
management description of a service organization’s system and suitability of the design of controls
type 2 report
type 1 + operating effectiveness of controls
tests of controls are more ________ than substantive procedures in certain situations
cost efficient
in highly automated systems, the auditor has to
rely on internal controls
if the auditor relies on internal controls
they must be tested
if risk with simple IT system the IT specialist can (5)
- assist in documenting and assessing IT control environment
- test general controls
- document and assess key automated controls
- develop CAATs to test controls and perform substantive tests
- evaluate weaknesses and develop recommendations
audit in more complex IT environments
through the computer by testing automated internal controls and account balances electronically (since general controls exist)
3 approaches to test effectiveness of automated controls when audit through computer
- test data approach
- parallel simulation
- embedded audit module approach
def: test data approach
use auditor’s test data to determine whether the client’s computer program correctly processes valid and invalid transactions
when using a test data approach, auditors have three main considerations
- test data should include all relevant conditions that the auditor wants tested
- application programs used by auditor must be the same as those used by client throughout the year
- test data must be eliminated from client’s records
def: parallel simulation testing
auditor's use of audit software to replicate some part of a client’s application system
auditors commonly do parallel simulation testing with
GAS (generalized audit software)
GAS provides
data retrieval, data manipulation and reporting capabilities oriented to needs of auditor
def: embedded audit module approach
audit transactions processed by IT where auditor embeds a module in client’s app software to identify transactions with characteristics of interest to the auditor
purpose of embedded audit module
analyze these transactions on a real-time, continuous basis as client transactions are processed
when the auditor finds significant control deficiencies he must
communicate in writing to the audit committee or equivalent
when must a report on internal controls be given to management AND board of directors
if it has significant impacts on financial statements
how must it be reported to management and board of directors
internal control letter
the description of internal control deficiency and recommendation is usually included
in a year end report or internal control letter to the audit committee
def: management letter
auditor’s written communication to management to point out less significant weaknesses in internal controls and possibilities to improve operations
difference between internal control audit and financial statements audit
IC: perform tests of control for ALL significant account balances, transactions and disclosures and related assertions while in financial statement audit they might or might not. only the controls that the auditor plans to rely on must be tested
in a financial statement audit the auditor is providing
assurance over financial statements and not internal controls