Internal Control Flashcards
What is the primary purpose for obtaining an understanding of internal controls?
to determine the nature, timing, and extent of further audit procedures, including tests of controls and substantive procedures.
the A can document the understanding of IC by:
using flow charts of transaction cycles, completing internal control questionnaires, or preparing written memoranda
what is a mgmt control method that could improve mgmt’s ability to supervise company activities effectively?
est. budgets and forecasts to identify variances from expectations
Detection risk is effectively set by the A when
decisions about the nature, timing, and extent of substantive audit procedures are made.
A needs to make a preliminary evaluation of the effectiveness of internal control.
if ineffective - assess control risk at the maximum level.
if effective - consider the possibility of assessing control risk at less than the max. Consider cost-benefit issues.
What is an example of the inherent limitation of internal controls?
possibility of mgmt override
A must collect evidence to support the reduction in control risk below the max. what kind of evidence should they collect?
identifying specific internal controls relevant to specific assertions and then performing test of controls to evaluate the effectiveness of the controls.
In what ways does an A gain an understanding of IC?
Consider factors that affect the risk of material misstatement.
Identify the types of potential misstatements that can occur.
Ascertain whether the IC have been placed in operation
Why does an A test IC?
in order to rely on them and to reduce substantive testing.
Inherent risk
the risk of a MM occurring
What makes up Control Activities?
Segregation of Duties, Controls, Authorization, Review, EDP/IT (info processing)
What should an auditor do if they discover a deviation from the prescribed control procedures?
Make inquiries to understand the potential consequence of the deviation.
What is a way to compensate for the lack of segregation of duties in a small organization?
Allowing for mgmt oversight of incompatible activities
Does GAAS require tests of controls to be performed?
Only if the auditor plans to assess control risk below maximum.
auditors are primarily concerned with internal controls that…
provide reasonable assurance as to an entity’s ability to prepare FSs.
the A uses the knowledge provided by the understanding of IC and the assessed level of the risk of MM primarily to…
Determine the nature, timing, and extent of substantive tests for FS assertions.
Why does an A obtain sufficient understanding of IC?
To assess the risks of MM.
To design the nature, timing, and extent of further audit procedures.
Foreign Corrupt Practices Act
Every publicly held company must devise, document, and maintain internal control sufficient to provide reasonable assurance that IC objectives are met.
What should an A do when the Control risk is assessed at the maximum level?
document the assessment of the risks of MM at the FS level and at the relevant assertion level. (this is true whether control risk is assessed at the max level or below)
Def: Significant Deficiency
A deficiency in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance
Def: Material Weakness
a deficiency in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.
How should deficiencies be communicated?
sig def and mat. weaknesses MUST be communicated in WRITING to mgmt and those charged with governance. (no later than 60 days following the report release date) Lesser matters - may be communicated orally, but should be doc.
Can an A include a statement in the A’s communication related to IC that no sig def or mat weak were found?
Can say no Material weaknesses found. Cannot say no sig def were found.
Is an auditor required to search for sig def?
NO
What are factors that should be considered in evaluating deficiencies?
Entity’s size
Complexity
The nature and diversity of its business activities
A control deficiency that is more than a sig def is most likely to result in what form of audit opinion?
Adverse
How does an A evaluate the competence of an internal auditor?
Educational level and professional experience
Professional certification and cont. education
Audit policies, programs, and procedures
Assignment practices
Supervision and review
Quality of working paper documentation.
Performance evaluation
How does an auditor assess the objectivity of internal auditors?
Consider the org. status and reporting structure of the dept as well as policies est. to maintain objectivity. This would include determining the org level to which the internal auditors report and includes policies prohibiting the internal auditor from auditing areas where recently assigned.
What are the 2 ways the external auditor might use the work of an internal audit function?
To provide direct assistance
To obtain audit evidence
When using the work of an IA function to obtain audit evidence, what 3 matters should the external auditor evaluate?
Objectivity
Competence
Whether the IAF applies a systematic and disciplined approach including quality control
What could be so serious that the auditor concludes that a FS audit cannot be performed?
There is a substantial risk of intentional misapplication of acct principles.
An auditor may decide to assess the control risk at the max level for certain assertions bc the auditor believes
control policies and procedures are unlikely to pertain to the assertions
What is the objective of tests of details performed as tests of controls?
to evaluate whether internal controls operated effectively. It will enable the auditor to detect a control failure
regardless of the assessed level of control risk, an auditor would perform some
substantive tests to restrict detection risk for significant transaction classes.
An auditor may decide to assess the control risk at the max level for certain assertions bc the auditor believes
control policies and procedures are unlikely to pertain to the assertions.
What are control activities?
policies and procedures that help ensure that mgmt directives are carried out
What make up control activities?
SCARE: Segregation of duties, Controls (physical), Authorization, Review (performance), EDP/IT (info processing)
A transaction cycle
a group of transactions of a similar type
How is segregation of duties best tested?
By observing employees as they perform control activities
Why do auditors emphasize transaction cycles?
Control risk is generally constant within a particular category of transactions, as all transactions are processed the same way. The trans. cycle is the highest level of aggregation for which control risk may be viewed as a constant.
Examples of transaction cycles
revenue/receipts, disbursements, payroll, inventory, fixed assets, investing
What are the 3 duties that must be separated?
Authorization of trans. (authorization)
Accounting/record keeping (recording)
Access to assets (custody)
Immediately upon receiving checks from customers by mail, a resp employee should
Prepare a duplicate listing of checks received.
There should be segregation between receiving cash and...
posting the AR ledger
Debit Memo
advises acct that the vendor invoice should not be paid in full due to returned goods. When the shipping dept returns nonconforming goods to a vendor, purchasing should send acct a debit memo.
Mailing disbursement checks and remittance advices should be controlled by the EE who
signs the check last
The authority to accept incoming goods in receiving should be based on an
approved purchase order. This will prevent the erroneous acceptance of goods never ordered.