Chapters 6 & 7: Understanding and Auditing Internal Control Flashcards
What is the purpose of internal controls?
To provide reasonable, but not absolute, assurance that the financial statements are fairly stated (can never be regarded as completely effective)
What are the inherent limitations of an entity’s internal control?
- Management override
- Personnel errors or mistakes
- Collusion
Example of management override
A senior-level manager can force/require a lower-level employee to record entries in the accounting records that are not consistent with the substance of the transactions and that violate the entity’s controls.
OR
Management may enter into concealed side agreements with customers that after the terms and conditions of the entity’s standard sales contract in ways that should preclude revenue recognition.
Example of Human Error or Mistake
Errors may occur in designing, maintaining, or monitoring automated controls. If IT doesn’t understand how the revenue system should process sales transactions, they may make software programming errors in modifying or updating the system.
Example of Collusion
An individual who receives cash receipts from customers can collude with the one who records those receipts in the customers’ records to steal cash from the entity.
Collusion
Secret or illegal cooperations or conspiracy, especially in order to cheat or deceive others.
Why do auditors need to obtain an understanding of internal controls?
In order to properly assess the risk of material misstatements of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures.
Plan the audit (what is the strategy, reliance, or substantive procedure they’re going to rely on)
How do auditors obtain an understanding of internal controls?
- Update and evaluate auditor’s previous experience with the entity
- Inquiries of entity personnel
- Inspection of entity documents and records
- Observation of entity activities and operations
- Tracing transactions through the information system (walkthrough)
How do auditors document their understanding of internal controls?
- Procedure manuals and organizational charts
- Flowcharts
- Internal control questionnaires
- Narrative description
Auditor Documentation Requirements (in regards to ICFR)
- The auditor’s understanding and evaluation of the design of each of the components of ICFR
- The process used to determine the points at which misstatements could occur
- The extent to which the auditor relief upon the work of others
- The evaluation of any deficiencies discovered or other findings which could result in a report modification
How do auditors test controls?
- Inquiry of appropriate entity personnel
- Inspection of documents indicating the performance of the control
- Observation of the application of the control
- Reperformance of the application of the control by the auditor
Why do auditors test controls?
To see if they can rely on the controls, if not, then they need to make readjustments
Components of Internal Control
- Control Environment
- Entity’s Risk Assessment Process
- Control Activities
- Information and Communication
- Monitoring Activities
Relationship of control risk and controls testing
Control risk high =
1. Controls do not pertain to an assertion
2. Controls are assessed as ineffective (why bother testing them if you know they don’t work)
3. Testing the effectiveness of controls is inefficient (cost-benefit)
Control risk low =
Following a reliance strategy, but MUST TEST CONTROLS TO BE RELIED UPON
Types of control deficiencies and auditor’s responsibilities with respect to each one
- Material weakness: report externally to audit committee and to management (worst one tbh, material) (adverse)
- Significant deficiency: Report to audit committee and management (middle) (unqualified)
- Control deficiency: Report to management (least bad, not material nor significant) (unqualified)
ALL ARE REASONABLY POSSIBLE AND PROBABLE