Chapters 6 & 7: Understanding and Auditing Internal Control

Question 1

What is the purpose of internal controls?

Answer 1

To provide reasonable, but not absolute, assurance that the financial statements are fairly stated (can never be regarded as completely effective)

Question 2

What are the inherent limitations of an entity’s internal control?

Answer 2

1. Management override
2. Personnel errors or mistakes
3. Collusion

Question 3

Example of management override

Answer 3

A senior-level manager can force/require a lower-level employee to record entries in the accounting records that are not consistent with the substance of the transactions and that violate the entity’s controls.

OR

Management may enter into concealed side agreements with customers that after the terms and conditions of the entity’s standard sales contract in ways that should preclude revenue recognition.

Question 4

Example of Human Error or Mistake

Answer 4

Errors may occur in designing, maintaining, or monitoring automated controls. If IT doesn’t understand how the revenue system should process sales transactions, they may make software programming errors in modifying or updating the system.

Question 5

Example of Collusion

Answer 5

An individual who receives cash receipts from customers can collude with the one who records those receipts in the customers’ records to steal cash from the entity.

Question 6

Collusion

Answer 6

Secret or illegal cooperations or conspiracy, especially in order to cheat or deceive others.

Question 7

Why do auditors need to obtain an understanding of internal controls?

Answer 7

In order to properly assess the risk of material misstatements of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures.
Plan the audit (what is the strategy, reliance, or substantive procedure they’re going to rely on)

Question 8

How do auditors obtain an understanding of internal controls?

Answer 8

• Update and evaluate auditor’s previous experience with the entity
• Inquiries of entity personnel
• Inspection of entity documents and records
• Observation of entity activities and operations
• Tracing transactions through the information system (walkthrough)

Question 9

How do auditors document their understanding of internal controls?

Answer 9

• Procedure manuals and organizational charts
• Flowcharts
• Internal control questionnaires
• Narrative description

Question 10

Auditor Documentation Requirements (in regards to ICFR)

Answer 10

• The auditor’s understanding and evaluation of the design of each of the components of ICFR
• The process used to determine the points at which misstatements could occur
• The extent to which the auditor relief upon the work of others
• The evaluation of any deficiencies discovered or other findings which could result in a report modification

Question 11

How do auditors test controls?

Answer 11

• Inquiry of appropriate entity personnel
• Inspection of documents indicating the performance of the control
• Observation of the application of the control
• Reperformance of the application of the control by the auditor

Question 12

Why do auditors test controls?

Answer 12

To see if they can rely on the controls, if not, then they need to make readjustments

Question 13

Components of Internal Control

Answer 13

• Control Environment
• Entity’s Risk Assessment Process
• Control Activities
• Information and Communication
• Monitoring Activities

Question 14

Relationship of control risk and controls testing

Answer 14

Control risk high =
1. Controls do not pertain to an assertion
2. Controls are assessed as ineffective (why bother testing them if you know they don’t work)
3. Testing the effectiveness of controls is inefficient (cost-benefit)

Control risk low =
Following a reliance strategy, but MUST TEST CONTROLS TO BE RELIED UPON

Question 15

Types of control deficiencies and auditor’s responsibilities with respect to each one

Answer 15

• Material weakness: report externally to audit committee and to management (worst one tbh, material) (adverse)
• Significant deficiency: Report to audit committee and management (middle) (unqualified)
• Control deficiency: Report to management (least bad, not material nor significant) (unqualified)

ALL ARE REASONABLY POSSIBLE AND PROBABLE

Question 16

Examples of Entity-Level Controls

Answer 16

• Controls within the control environment (e.g. tone at the top, assignment of authority and responsibility, consistent policies and procedures, and entitywide programs, such as codes of conduct & fraud prevention, that apply to all locations and business units)
• Controls over management override
• The entity’s risk assessment process
• Centralized processing and controls, including shared service environments
• Controls to monitor results of operations
• Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
• Controls over period-end financial reporting process
• Policies that address significant business control and risk management practices

Question 17

Controls Typically Included for Testing

Answer 17

• Entity-level controls
• Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements
• Controls over the selection and application of accounting policies tat are in conformity with GAAP.
• Antifraud program and controls
• Controls, including IT general controls, on which other controls are dependent
• Controls over significant nonroutine and nonsystematic transactions, such as accounts involving judgments and estimates.

Question 18

Factors to Consider when Identifying Controls to Test

Answer 18

• Points at which errors or fraud could occur
• The nature of the controls implemented by management
• The significance of each control in achieving the objectives of he control criteria and whether more than one control achieves a particular objective or whether more than one control is necessary to achieve a particular objective
• The risk that the controls might not be operating effectively

Question 19

Factors that affect whether the control might not be operating effectively

Answer 19

• Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness
• Whether there have been changes in the design of controls
• The degree to which the control relies on the effectiveness of other controls
• Whether there have been changes in key personnel who perform the control or monitor its performance
• Whether the control relies on performance by an individual or is automated
• The complexity of the control

Question 20

Types of Reports Relating to Audit of ICFR

Answer 20

• Unqualified opinion: Signifies that the entity’s internal control is designed and operating (no material weakness)
• Disclaim: A serious (more than minor) scope limitation
• Adverse: Required if a material weakness is identified

Question 21

Identifying controls to test for integrated audit of ICFR

Answer 21

1. Identify entity-level controls
2. Identify significant accounts and disclosures and their relevant assertions
3. Understand likely source of misstatement
4. Select controls to test