Internal Control Flashcards
If Internal Control is poor and a company’s accounting practices are sloppy - which risk is higher?
Control risk increases with poor Internal Controls and sloppy accounting practices.
If Internal Control is poor - what is the effect on the audit?
Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.
What does Internal Control provide reasonable assurance for?
Internal control provides reasonable assurance that:
Material misstatements will be prevented or detected
Reliability/integrity of financial statements will be preserved
Assets are protected against misuse
What is required in an audit of Internal Control under Sarbanes-Oxley?
Management must provide its assessment of Internal Control
auditor is required to audit internal control and express an opinion on the effectiveness of IC
What are the 3 objectives of Internal Control?
Reliability of Financial Reporting
Operational Efficiency/Effectiveness
Compliance with Law and Regulations
What are the 5 components of Internal Control?
Control Activties
Risk Assessment
Information and Communication
Monitoring
Control Environment
What is the purpose for a Control Environment assessment?
Sets tone for the entire company
Establishes the overall attitude, awareness and actions
What are the components of the Control Environment?
Philisophy of Mgt Humaran resources Reporting capabilities/competencies Authoirity and responsibility Structure of the organization Ethical values and integrity Directors (Board of) participation
What happens when Control Risk is assessed to be at the maximum level?
Controls not operating effectively
RMM is increased
Internal Control not tested
Extensive substantive testing at year end
What happens when Control Risk is below the maximum level?
Auditor tests Internal Controls.
Auditor evaluates Control Risk based on tests
Auditor adjusts substantive tests accordingly
Weaker Internal Control - More substantive tests
Stronger Internal Control - Less substantive tests
Describe some common examples of Control Activities.
Performance Reviews
Information Processing
Physical Controls
Segregation of Duties
What should an auditor understand with respect to Information and Communication on an audit?
How the company records, processes, summarizes, and reports financial data through:
- effective information systems
- identify and record all valid transactions
- in the proper time period
- at the proper amounts
How must an auditor document understanding of Internal Control?
Through written documentation such as Internal Control memos- flowcharts- and questionnaires
What is the purpose of testing Internal Controls?
Auditor needs reasonable assurance that controls are functioning as designed and are effective
How often should controls be tested?
Controls should be tested at least every 3 years, if there have been no changes
If a control has changed from prior year, it should be tested in the current year audit
Controls mitigating significant risk should be tested annually
PCAOB does not permit rotational testing
What happens if Internal Controls are deficient?
Control Risk increases
Scope of substantive procedures increases
Detection Risk decreases
Material Weakness - Reasonable possibility that a material misstatement in Financial Statements would not be found- more than a remote chance of occurrence
What does Tracing test?
Tests Completeness
Starts with source document and traces forward to the journal entry.
What does Vouching test?
Tests Existence.
Starts with a journal entry and searches for a voucher or source document to support the entry.
What activities should be segregated?
authorization
bookkeeping
custody
With respect to custody of assets - how should duties be segregated?
Employees who have custody of assets should not also RECORD those assets
Someone in charge of petty cash should not also control the petty cash records
Treasury Department (custodians) should NOT have record keeping duties
They control assets and should not be able to adjust any recording of those assets
What are the limitations on internal control?
mistakes/human error/bad judgement
management override
collusion
What is a Material Weakness?
a deficiency or combination of deficiencies such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis
a material weakness must be reported to the audit committee in writing
must continue to report until resolved
report if found, no need to actively search for
should be reported before report date release, but no later than 60 days after release date
can result in an adverse opinion (in a report on internal control)
What is a Significant Deficiency?
a deficiency or combination of deficiencies less severe than a material weakness but important enough to merit attention by the audit committee (more than remote likelihood of material misstatement)
significant deficiencies must be reported to senior management in writing
must continue to report until resolved
report if found, no need to actively search for
should be reported before report date release, but no later than 60 days after release date
What is a Control Deficiency?
the design or operation of a control does not allow the prevention or detection of a misstatement on a timely basis
What must an auditor ask if using the work of third parties?
Are they competent?
Are they objective?
What must an auditor understand with respect to internal auditors?
Auditor needs to understand the role of Internal Auditors within the organization because their work affects the audit plan
Responsibility for judgments about materiality or appropriateness of entries or estimates cannot be shared with third parties like Internal Auditors
Internal Auditors should be asked to do some of the legwork like preparing schedules or running reports
They should not be asked to make any decisions or judgments
What is required in an examination of Internal Control under Sarbanes-Oxley?
CEO/CFO must disclose deficiencies
Management must provide assessment of Internal Controls
Management must certify Financial Statements
What is the purpose of testing Internal Controls?
Auditor needs reasonable assurance that controls are functioning as designed and effective
Internal Control Testing should be strong as (IRON) so that nothing gets past them
Inquiry - Interview company personnel
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documents
If results are as expected - substantive procedures do not need to be adjusted
What is the hierarchy of source docuemnts in the purchasing cycle?
purchase requisition purchase order receiving report vendor invoice voucher check purchasing journal
What is the hierarchy of source docuemtns in the sales cycle?
sales oder
bill of lading
sales invoice
sales journal
According to PCAOB, when will a control deficiency = significant deficiency?
weak controls over:
- the selection and application of accounting principles that in conformity with gasp
- anti fraud programs and controls
- non routine and nonsystematic transactions
- period-ending financial reporting process
