Internal Control Flashcards
If Internal Control is poor and a company’s accounting practices are sloppy - which risk is higher?
Control risk increases with poor Internal Controls and sloppy accounting practices.
If Internal Control is poor - what is the effect on the audit?
Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.
High risk
Don’t perform test of controls (unless heavy use of IT)
Lots of substantive testing
What does Internal Control provide reasonable assurance for?
Internal control provides reasonable assurance that
Material misstatements will be prevented
Reliability/integrity of financial statements will be preserved
Assets are protected against misuse
What is required in an examination of Internal Control under Sarbanes-Oxley?
CEO/CFO must disclose Internal Control deficiencies
Management must provide assessment of Internal Control
Management must certify Financial Statements
What is the relationship between Internal Control and Substantive Testing?
Inverse Relationship
Stronger Internal Controls - Less Testing Needed (but never eliminated completely)
Weaker Internal Controls - More Testing Needed
What are the 3 objectives of Internal Control?
Reliability of Financial Reporting
Operational Efficiency/Effectiveness
Compliance with Law and Regulations
What are the 5 components of Internal Control?
"CRIME" Control Environment Risk Assessment Information and Communication Monitoring Existing Control Activities
What is the purpose for a Control Environment assessment?
Sets tone for the entire company
What are the components of the Control Environment?
1) Integrity/Ethics of Management
2) Competence of Management
3) Organizational Structure
4) Human Resource Policies
5) Assignment of authority, responsibility, and accountability
6) Management’s Philosophy & Style (riskier with a dominant/aggressive individual)
7) Governance (board/audit committee) involvement
What does an auditor’s assessment of Detection Risk determine?
Detection Risk determines nature- timing- and extent of audit procedures.
What determines the acceptable level of Detection Risk?
Risk of material misstatement determines acceptable level of Detection Risk
What items could increase the risk of material misstatement?
Rapid growth in the company.
The methods management uses to identify risk- estimate its significance and assess the likelihood of occurrence
Major changes to operations- personnel- systems- IT- products- corporate organization- and foreign operations.
What happens when Control Risk is assessed to be at the maximum level?
No Internal Control testing is performed.All audit procedures are increased in intensity to compensate for increased risk.
What happens when Control Risk is below the maximum level?
Auditor tests Internal Controls.
Auditor evaluates Control Risk based on tests
Auditor adjusts substantive tests accordingly
Weaker Internal Control - More substantive tests
Stronger Internal Control - Less substantive tests
Describe some common examples of Control Activities.
“PAID TIPS”
Pre-numbered documents Authorization of transactions Independent Checks Documentation Timely Performance Reviews Information Processing Physical Controls Segregation of Duties
What should an auditor understand with respect to Information and Communication on an audit?
Understand Client’s
Major transaction classes
Transaction initiation
Support records/documents
Transaction processing
Financial Statement internal reporting process
Financial Statement external reporting process
What questions should be asked to determine the risk of material misstatement?
Were all transactions recorded?
Were they timely?
Measured appropriately?
Recorded in correct period?
Presented and disclosed properly?
Did Management communicate their responsibilities?
What is the purpose of testing Internal Controls?
Auditor needs reasonable assurance that controls are functioning as designed and effective
Internal Control Testing should be strong as (IRON) so that nothing gets past them
Inquiry - Interview company personnel
Walkthroughs:
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documentsIf results are as expected- substantive procedures do not need to be adjusted
When can controls tested by an auditor in a prior year be used in the current year’s audit assessment?
Controls tested by auditor in a prior year can be used in the current year’s audit assuming they are re-tested every third year
Exception If the control has changed since the last audit
What happens if Internal Controls are deficient?
Control Risk increases
Scope of substantive procedures increases
Detection Risk decreases
Material Weakness - Reasonable possibility that a material misstatement in Financial Statements would not be found- more than a remote chance of occurrence
What is a Material Weakness?
- Worst
- Reasonable possibility exists that a material misstatement in Financial Statements would not be prevented, or detected and corrected and has more than a remote chance of occurrence.
- Not present in ISA’s
What activities represent Segregation of Duties?
Non-compatible duties performed by separate individuals- such as
Authorization of asset disbursement vs. Recording of Assets vs. Custody of assets
If supporting audit evidence doesn’t exit - use Observation and Inquiry
Accounting should be segregated from Production
What are the limitations on Control Activities?
Controls can’t stop collusion or bad judgment
Management can override controls
Cost vs. Benefit relationship of Internal Control
What is required if a Material Weakness is identified?
A written report to management is required.
Report declaring that no material weaknesses were found is allowed
Previous weaknesses reported that still exist should be reported again
Should be reported no later than 60 days after audit report release date
If one or more material weaknesses is uncorrected at year-end- an Adverse Opinion on Internal Control must be given