Internal Control Flashcards
If internal control is poor and a company’s accounting practices are sloppy, which risk is higher?
Control risk increases with poor internal controls and sloppy accounting practices.
If internal control is poor, what is the effect on the audit?
Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.
What does internal control provide reasonable assurance for?
Internal control provides reasonable assurance that:
- Material misstatements will be prevented - Reliability/integrity of financial statements will be preserved - Assets are protected against misuse
What is required in an examination of internal control under Sarbanes-Oxley?
- CEO/CFO must disclose internal control deficiencies.
- Management must provide assessment of internal
control. - Management must certify financial statements.
What is the relationship between internal control and substantive testing?
Inverse Relationship
- Stronger Internal Controls = Less Testing Needed
- Weaker Internal Controls = More Testing Needed
What are the three objectives of internal control?
The objectives of internal control are:
1. Reliability of financial reporting 2. Operational efficiency/effectiveness 3. Compliance with laws and regulations
What are the five components of internal control?
The components of internal control are:
- Control Environment
- Risk Assessment
- Information and Communication
- Monitoring
- Control Activities
What is the purpose for a Control Environment assessment?
A Control Environment assessment sets tone for the entire company.
What are the components of the Control Environment?
The components of Control Environment are:
- Integrity/Ethics of Management
- Competence of Management
- Organizational Structure
- Human Resource Policies
- Assignment of Authority/Responsibility
- Management’s Style (riskier with a
dominant/aggressive individual) - Board/Audit Committee involvement
What does an auditor’s assessment of Detection Risk determine?
Detection Risk determines nature, timing, and extent of audit procedures.
What determines the acceptable level of Detection Risk?
Risk of material misstatement determines acceptable level of Detection Risk.
What situations or circumstances could increase the risk of material misstatement?
Rapid growth in the company
Major changes to
- Operations - Personnel - Systems - IT - Products - Corporate organization - Foreign operations
What happens when Control Risk is assessed to be at the maximum level?
No Internal Control testing is performed. All audit procedures are increased in intensity to compensate for increased risk.
What happens when Control Risk is below the maximum level?
Auditor tests Internal Controls. Auditor evaluates Control Risk based on tests. Auditor adjusts substantive tests accordingly.
Weaker Internal Control - More substantive tests Stronger Internal Control - Less substantive tests
Describe some common examples of Control Activities.
Control Activities include:
- Performance Reviews
- Information Processing
- Physical Controls
- Segregation of Duties
What should an auditor understand with respect to Information and Communication on an audit?
An auditor must understand client’s:
- Major transaction classes
- Transaction initiation
- Support records/documents
- Transaction processing
- Financial Statement internal reporting process
- Financial Statement external reporting process
How must an auditor document understanding of Internal Control?
An auditor documents understanding of Internal Control through written documentation such as:
- Internal Control memos,
- flowcharts,
- and questionnaires
What questions should be asked to determine the risk of material misstatement?
Were all transactions recorded?
Were they timely?
Were they measured appropriately?
Were they recorded in correct period?
Were they presented and disclosed properly?
Did management communicate their responsibilities?
What is the purpose of internal control testing and what procedures does the auditor perform to test internal controls?
Auditor needs reasonable assurance that controls are functioning as designed and effective.
Internal Control Testing should be strong as (IRON) so that nothing gets past them
- Inquiry - Interview company personnel - Re-performance - Can it be replicated? - Observation - Watch the control be applied - INspection - Dig into the details/documents
If results are as expected, substantive procedures do not need to be adjusted.
When can controls tested by an auditor in a prior year be used in the current year’s audit assessment?
Controls tested by auditor in a prior year can be used in the current year’s audit assuming they are re-tested every third year.
Exception: if the control has changed since the last audit
What happens if Internal Controls are deficient?
- Control Risk increases
- Scope of substantive procedures increases
- Detection Risk decreases
- Material Weakness - reasonable possibility that a
material misstatement in financial statements would
not be found - more than a remote chance of
occurrence.
What is a Material Weakness?
Reasonable possibility exists that a material misstatement in financial statements would NOT be found, and has more than a remote chance of occurrence.
What does Tracing test?
Tracing tests completeness. It starts with a source document and traces forward to the journal entry.
What does Vouching test?
Vouching tests Existence. It starts with a journal entry and searches for a voucher or source document to support the entry.
What activities represent Segregation of Duties?
Non-compatible duties performed by separate individuals such as:
Authorization of asset disbursement vs. Recording of assets vs. Custody of assets
- If supporting audit evidence doesn't exist, use - Observation and Inquiry. - Accounting should be segregated from production.
With respect to signing checks, how are duties segregated?
Employees who prepare vouchers/invoices should not also have the authority to SIGN CHECKS.
Tip: Remember this as an underlying theme with Segregation of Duties.
The authority to make a payment should not also lie in the hands of those creating invoices/vouchers. Why? People commit fraud by setting up fake companies and basically paying themselves.
With respect to custody of assets, how should duties be segregated?
- Employees who have custody of assets should not
also RECORD those assets. - Someone in charge of petty cash should not also
control the petty cash records. - Treasury Department (custodians) should NOT have
record keeping duties. They control assets and
should not be able to adjust any recording of those
assets.
What are the limitations on Control Activities?
- Controls can’t stop collusion or bad judgment.
- Management can override controls.
- Cost vs. Benefit relationship of Internal Control
What is required if a Material Weakness is identified?
- A written report to management is required.
- Report declaring that no material weaknesses were
found is allowed. - Previous weaknesses reported that still exist should
be reported again. - Should be reported no later than 60 days after audit
report release date. - If one or more material weaknesses is uncorrected at
year-end, an Adverse Opinion on Internal Control
must be given.
What is the effect of a Significant Deficiency? What is it?
A significant deficiency adversely affects a company’s ability to report in the financial statements according to GAAP.
A significant deficiency is more than a remote likelihood of material misstatement by more than an inconsequential amount.
What must occur if a Significant Deficiency is identified?
- If a Significant Deficiency is identified, a written report
to management is required. - Report declaring that no significant deficiencies exist
is not allowed. - Previous deficiencies reported that still exist should
be reported again. - Should be reported no later than 60 days after the
audit report release date.
What is a Control Deficiency?
A control is not operating as intended.
What must an auditor ask if using the work of third parties?
Are they competent? Are they objective?
What must an auditor understand with respect to internal auditors?
- Auditor needs to understand the role of Internal
Auditors within the organization because their work
affects the audit plan. - Responsibility for judgments about materiality or
appropriateness of entries or estimates cannot be
shared with third parties like Internal Auditors. - Internal Auditors should be asked to do some of the
legwork like preparing schedules or running reports. - They should not be asked to make any decisions or
judgments.
