Internal Control Flashcards
What is the primary goal of COSO?
Provide guidance and frameworks for enterprise risk management, internal control, and fraud deterrence.
Who are COSO members?
AICPA
American Accounting Association (AAA)
Financial Executives International (FEI)
Institute of Internal Auditors (IIA)
Institute of Management Accountants (IMA)
What are the objectives of internal control?
Ensure effective and efficient operations
Accurate and reliable financial reporting
Compliance with laws and regulations
What are the components of internal control?
Control environment
Risk assessment
Information and communication
Monitoring
Control activities
Control Environment
Demonstrates commitment to integrity and ethics
Board of directors exercises oversight responsibility
Establishes structure, authority & responsibility
Demonstrates commitment to competence
Enforces accountability
Risk Assessment
Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change
Information and Communication Systems
Uses relevant information
Communicates internally
Communicates externally
Monitoring
Conducts ongoing and/or separate evaluations
Control Activities
Selects and develops control activities
Selects and develops general controls over technology
Deploys control activities through policies and procedures
Segregation of Duties
Custody
Authorization
Recording
Reconciliation
What are the limitations of internal control?
Competence
Collusion
Override by management
Obsolescence
Cost constraints
What is a control deficiency?
Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
What is a significant deficiency?
A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness yet important enough to merit the attention of those charged with governance and management.
What is a material weakness?
A deficiency, or a combination of deficiencies, in internal control involving financial reporting, such that there is a reasonable possibility that a material misstatement exists.
What are the types of control?
Preventative
Detective
Corrective
Directive
Compensating
When is an auditor required to perform test of controls?
On audits of issuers. Audits of non-issuers do not require a test of controls; it is optional.
When is an auditor required to opine on a client’s financial statements?
On audits of issuers & non-issuers.
When is an auditor required to perform substantive procedures?
On audits of issuers & non-issuers.
In assessing inherent risk, the auditor obtains an understanding…
of the entity and its environment
In assessing control risk, the auditor obtains an understanding…
of the entity’s internal control
What should the auditor consider when obtaining an understanding of the entity and its environment?
Objectives & strategies
Financial performance
External environment
Nature of operations
Ownership and governance
Investments
Financing structure
Accounting policies
How should the auditor obtain an understanding of the entity and its environment?
Analytical procedures
Inquiries
Inspection
What should the auditor consider when obtaining an understanding of the entity’s internal control?
Evaluate design of I/C
Assess implementation of I/C
How should the auditor obtain an understanding of the entity’s internal control?
Inquiries
Walkthroughs
Inspection
Observation
What is the top-down approach (obtain an understanding of the entity’s internal control)?
Step 1: assess risk at financial statement level / entity level
Step 2: evaluate risk at account balances, transactions, & disclosures level
Step 3: evaluate risk at assertion level
What are the key elements of internal control to document?
Each of the I/C components
Any significant risks identified and related I/C
What are the types of documentation forms for internal control?
Flowcharts
Internal Control Questionnaire (ICQ)
Narratives
Decision tree
What is risk of material misstatement?
RMM = IR x CR
Risk of material misstatement = Inherent risk x Control risk
What are the steps to assess RMM?
Identify risks
Consider the likelihood of identified risks
Consider the magnitude of the impact on FS
Determine if identified risks are significant
What are the steps of the Non-Control Reliance Approach?
Improper design & implementation of controls > Controls are not designed properly and therefore not operating effectively > do not perform test of operating effectiveness of internal controls
What are the NET of the audit procedures of the Non-Control Reliance Approach?
Improper design & implementation of controls > Controls are not designed properly and therefore not operating effectively > do not perform test of operating effectiveness of internal controls.
Assess CR at maximum > RMM is high > DR is low > increase NET of audit procedures
What are the steps of the Control Reliance Approach?
Proper design & implementation of internal controls > controls are designed properly and therefore could be operating effectively > perform test of operating effectiveness of internal controls
What are the NET of the audit procedures of the Control Reliance Approach, when controls are not operating?
Proper design & implementation of internal controls > controls are designed properly and therefore could be operating effectively > perform test of operating effectiveness of internal controls
Controls are not operating > assess CR at maximum > RMM is high > DR is low > increase NET of audit procedures
What is the nature of test of controls?
See how controls were applied at relevant times during the period under audit
See the consistency with which controls were applied
See by whom or by what means they were applied
When should you have a smaller sample size or less frequent testing, assuming there have been no changes to the system?
When the controls are automated
When should you have a larger sample size and more frequent testing due to higher susceptibility to inconsistency and errors?
When controls are manual
When controls are tested during interim and there are significant changes in control, how much testing should be done?
Additional testing should be done
When controls are tested during interim and there are no significant changes in control, how much testing should be done?
No additional testing should be done
When there are changes in controls and controls were tested during the previous year audit of a non-issuer, what testing should be done?
The controls should be tested again in the current year
When there are no changes in controls and controls were tested during the previous year audit of a non-issuer, what testing should be done?
If no significant changes have occurred, the controls should be tested at least once every third year.
Are auditors of issuers required to test controls each year?
Yes
What are the procedures for test of controls to determine operating effectiveness?
Reperformance
Inquiry
Inspection
Observation
What are the major transaction cycles?
Revenue
Cash receipts
Expenditure
Inventory
Personnel & payroll
What is a design deficiency?
The control is not designed properly
What is an operating deficiency?
The control is designed properly but doesn’t work
What are the levels of deficiency?
Low - control deficiency
Medium - significant deficiency
High - material weakness
Is communication of a control deficiency required in the audit of financial statements of a non-issuer?
No communication is required to management or TCWG
Is communication of a control deficiency required in the audit of financial statements & internal control of a non-issuer?
Communication is required to management within 60 days of the audit report release date, in writing or orally.
No communication is required to TCWG
Is communication of a control deficiency required in the audit of financial statements & internal control of an issuer?
Communication is required to management by the audit report release date in writing or orally.
No communication is required to TCWG
Is communication of a significant deficiency required in the audit of financial statements of a non-issuer?
Communication is required to management & TCWG within 60 days of the audit report release date, in writing or orally.
Is communication of a significant deficiency required in the audit of financial statements & internal control of a non-issuer?
Communication is required to management & TCWG by the audit report release date in writing.
Is communication of a significant deficiency required in the audit of financial statements & internal control of an issuer?
Communication is required to management & TCWG by the audit report release date in writing.
Is communication of a material weakness required in the audit of financial statements of a non-issuer?
Communication is required to management & TCWG within 60 days of the audit report release date, in writing or orally.
Is communication of a material weakness required in the audit of financial statements & internal control of a non-issuer?
Communication is required to management & TCWG by the audit report release date in writing.
Is communication of a material weakness required in the audit of financial statements & internal control of an issuer?
Communication is required to management & TCWG by the audit report release date in writing.
What is an example of a service organization?
IT services
Cloud computing
Payroll processing
Data center management
Application hosting
What is a SOC 1 report?
Report on controls related to financial reporting at the service organization
What is a SOC 2 report?
Restricted-use report on controls related to the AICPA’s 5 Trust Service Categories (security, availability, processing integrity, confidentiality, and privacy) at the service organization
What is a SOC 3 report?
General-use report on controls related to the AICPA’s 5 Trust Service Categories (security, availability, processing integrity, confidentiality, and privacy) at the service organization
What is the focus of a SOC 1 Type 1 report?
Design of internal controls
What is the focus of a SOC 1 Type 2 report?
Design and operating effectiveness of internal control
What does a SOC 1 Type 1 report assess?
Assesses the suitability and effectiveness of the controls in place at the service organization.
What does a SOC 1 Type 2 report assess?
Assesses the suitability and effectiveness of the controls, and how they are operating in practice.
What is the timeframe of a SOC 1 Type 1 report?
Specific point in time
What is the timeframe of a SOC 1 Type 2 report?
Over a period of time
What does a SOC 2 Type 1 report focus on?
Design of internal controls related to the security, availability, confidentiality, privacy, and integrity of systems.
What does a SOC 2 Type 2 report focus on?
Design and operating effectiveness of internal controls related to the security, availability, confidentiality, privacy, and integrity of systems.
What does a SOC 2 Type 1 report assess?
Assesses the suitability and effectiveness of controls in place at the service organization.
What does a SOC 2 Type 2 report assess?
Assesses the suitability and effectiveness of the controls, and how they are operating in practice.
What is the timeframe of a SOC 2 Type 1 report?
Specific point in time
What is the timeframe of a SOC 2 Type 2 report?
Over a period of time