Chapter 9 -- Internal Control Communications and Reports Flashcards
Section 9.1: Communicating Internal Control Related Matters
What is a control deficiency?
- A control deficiency may arise either in the design or operation of a control.
- It is the lowest level of deficiency identified in the standards.
Section 9.1: Communicating Internal Control Related Matters
What are examples of internal control design failures?
- Segregation of duties
- Employee skills and training mismatch
- Lack of an audit committee
- Failure to document internal controls
- Failure to safeguard assets
Section 9.1: Communicating Internal Control Related Matters
What is a design deficiency?
The control is operating effectively
* Is the control satisfying the objective?
* Can the control prevent, detect or correct fraud or errors that can result in a material misstatement?
* Is there documentation regarding the operation?
* Is the control operating when observing the performance?
Section 9.1: Communicating Internal Control Related Matters
What is an operating deficiency?
Is the control operating effectively?
* Has the control been implemented?
* Is the person operating the control authorized?
* Is the person operating the control competent?
* Is the application of the control consistent?
* Can management override the control?
Section 9.1: Communicating Internal Control Related Matters
What are examples of internal control operational failures?
- Failure to reconcile accounts
- Management override of internal controls
Section 9.1: Communicating Internal Control Related Matters
What issues related to internal control over financial reporting are required to be communicated in writing to management and those charged with governance?
- Significant deficiencies
- Material weaknesses
Section 9.1: Communicating Internal Control Related Matters
What is the objective of the auditor’s communication of significant control deficiencies?
- State that the purpose of the audit was to report on the financial statements, not to provide assurance on internal control
- Give the definition of significant control deficiencies and material weaknesses
- State that the report is intended solely for the information and use of those charged with governance, management, and others within the organization (or specified regulatory agency)
- The report is not intended to be, and should not be, used by anyone other than the specified parties.
Section 9.1: Communicating Internal Control Related Matters
What are examples of significant deficiencies and material weaknesses?
- Unqualified personnel
- Insufficient control consciousness within the organization
- Significant undisclosed related party transactions
Section 9.1: Communicating Internal Control Related Matters
What should the auditor communicate when communicating significant deficiencies to a non-issuer?
The purpose of the audit was to report on the financial statements, not to provide assurance on internal control.
Section 9.2: The Auditor’s Communication with Governance
What matters should the auditor discuss with those charged with governance?
- The auditors’ responsibility under GAAS
- Significant accounting policies
- Sensitive accounting estimates
- Uncorrected and material corrected misstatements
- Significant unusual transactions
- Auditor disagreements with management, whether or not satisfactorily resolved
- Management’s consultations with other accountants
- Issues discussed with management prior to the auditors’ retention
- Any serious difficulties the auditors may have had with management during the audit.
Section 9.2: The Auditor’s Communication with Governance
What should the auditor communicate to the audit committee?
- Significant adjustments arising from the audit that were recorded by management.
- The basis for the auditor’s conclusions about the reasonableness of management’s sensitive accounting estimates
- The level of responsibility assumed by the auditor under GAAS
Section 9.3: Reporting on an Entity’s Internal Control
What should an auditor test in internal control over financial reporting?
- Design effectiveness
- Operating effectiveness
Section 9.3: Reporting on an Entity’s Internal Control
What is design effectiveness?
Design effectiveness is tested by determining whether the controls:
* If they are operated as prescribed by persons with the necessary authority and competence to perform the control effectively
* The control satisfies the control objectives
* The control can effectively prevent, or detect and correct, fraud or errors that could result in material misstatements in the financial statements
Section 9.3: Reporting on an Entity’s Internal Control
What is operating effectiveness?
Operating effectiveness of a control is determined by whether:
* The control is operating as designed
* The person performing the control possesses the necessary authority and competence to perform the control effectively.
Section 9.3: Reporting on an Entity’s Internal Control
How does an auditor begin an integrated audit?
- Understand the overall risks to internal control over financial reporting
- Focus on entity-level controls and work down to significant classes of transactions, account balances, disclosures and their relevant assertions
Section 9.3: Reporting on an Entity’s Internal Control
What are examples of entity-level controls?
- The control environment
- Controls over management override
- Monitoring of the results of operations
- Controls over the period-end financial reporting process
- Monitoring of other controls
- The risk assessment process.
Section 9.3: Reporting on an Entity’s Internal Control
What sources should an auditor review when forming an opinion on the effectiveness of an issuer’s internal control over financial reporting (ICFR)?
- Tests of controls (required in an integrated audit)
- Misstatements detected in the financial statement audit
- Identified control deficiencies
Section 9.3: Reporting on an Entity’s Internal Control
What sources should an auditor review when forming an opinion on the effectiveness of a non-issuer’s internal control over financial reporting (ICFR)?
- Tests of controls (excluding the operating effectiveness)
- Misstatements detected during the audit
- Identified deficiencies
Section 9.3: Reporting on an Entity’s Internal Control
What is a walkthrough?
- A walkthrough follows a transaction from its origination to being reflected in the financial statements using the same documents and information technology that company personnel use.
- Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and reperformance of controls.
Section 9.3: Reporting on an Entity’s Internal Control
What procedures are performed in a walkthrough of an issuer’s integrated audit?
- Inquiry
- Observation
- Inspection of relevant documentation
- Reperformance of controls
Section 9.3: Reporting on an Entity’s Internal Control
What is the auditor’s objective in an audit of internal control over financial reporting?
To express an opinion on whether the entity maintained, in all material respects, effective internal control as of the specified date, based on the control criteria.
Section 9.3: Reporting on an Entity’s Internal Control
What type of reports does an auditor issue for an issuer under PCAOB regulations?
- An opinion on the financial statements
- An opinion on the internal control
- An assessment on management’s effectiveness of internal control
Section 9.3: Reporting on an Entity’s Internal Control
What is required to be included in the annual report of an issuer?
- Attest to and report on the internal control assessment made by management of the issuer
- The responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
- An assessment of the effectiveness of the internal control structure and procedures for financial reporting.
NOTE: This requirement does not apply to nonaccelerated filers (issuers with market equity of less than $75,000,000).
Section 9.3: Reporting on an Entity’s Internal Control
What is included in the determination of a risk assessment in an integrated audit of a non-issuer?
- Determining significant classes, transactions, account balances and relevant assertions
- Selecting controls to test
- Determining evidence necessary to conclude on the effectiveness of the given control
Section 9.4: Service Organizations
What is a service organization?
- A service organization is an organization that the entity uses to perform certain tasks (e.g., ADP for payroll)
- The auditor may need the service provider’s audit report if the services provided are part of the entity’s financial statements.
Section 9.4: Service Organizations
What is the difference between a SOC1 and a SOC2 Report?
- SOC1 reporting is for service organizations whose controls impact the entity’s financial reporting (e.g., ADP)
- SOC2 reporting is for service organizations whose controls impact the entity’s operations and compliance (e.g., ComputerShare)
Section 9.4: Service Organizations
What are the different types of SOC1 Report?
- Type 1 report
- Type 2 report
Section 9.4: Service Organizations
What is an SOC Type 1 Report?
- Report on the design and implementation (ONLY) of the service organization’s system of internal controls at a specific point in time.
- On the fairness of management’s description of the controls and whether the controls have been implemented and are suitably designed
- This report will not report on the operating effectiveness of internal controls.
- Will not report on a test of controls
- Further audit testing will be required by the user auditor.
- Type 1 reports will not allow the user auditor to reduce its overall control risk assessment.
- The type 1 report should include a disclaimer of opinion related to operating effectiveness of the controls.
Section 9.4: Service Organizations
What is an SOC Type 2 Report?
- Report on the design and implementation and operating effectiveness of the service organization’s system of internal controls over a period of time.
- Type 2 reports provide more assurance because the work is done for the auditor throughout a period of time.
- Contains a description of the tests of controls performed and their results
- Type 2 reports will allow the user auditor to reduce its overall control risk assessment.
- An opinion on whether controls are operating effectively over a specified period.
- In a Type 2 report, the audit firm examines the control environment over a period of time.
Section 9.4: Service Organizations
What type of engagement is SOC reporting?
An attestation engagement to provide assurance.
Section 9.4: Service Organizations
What is the purpose of the service audit report in relation to the auditor’s work?
- A service auditor’s report should be helpful in providing a sufficient understanding to plan the audit of the user organization.
- The service auditor’s report may express an opinion on the fairness of the description of the controls implemented at the service organization and whether they were suitably designed.
- If the service auditor also has tested controls, the report may express an opinion on the operating effectiveness of the controls.
Section 9.4: Service Organizations
What is an auditor’s responsibility concerning making reference to the service provider’s report?
- An auditor is not responsible for including a reference to the service provider’s report if the service auditor was not responsible for examining any portion of the user entity’s financial statements.
- If the user auditor’s opinion is modified, the service auditor’s work may be referred to if it is relevant to understanding the modification
Section 9.4: Service Organizations
When can an auditor use the service auditor’s report?
If the user auditor is unable to obtain a sufficient understanding of the controls of the user entity, the auditor may use either a SOC 1 Type 1 or SOC 1 Type 2 report.