Internal Control and Assessing Control Risk - General Information Flashcards

1
Q

What standards govern internal control and how they affect financial statement audits? (Provide name and paragraph #)

A

Statements on Auditing Standards (SASs) - Sections/Paragraphs 315 and 330

2
Q

What does SASs AU-C 315 describe?

A

Obtaining an understanding of the entity (IC included) and designing the nature, timing, and extent of further audit procedures

3
Q

What does SASs AU-C 330 describe?

A

Guidance on nature of FURTHER audit procedures as they relate to IC (tests of controls)

4
Q

Explain the relationship of internal control to an audit in a flowchart.

A
  1. Plan the audit
  2. Understand the entity and IC
  3. Assess Risk of Misstatement and Design further tests
  4. Perform substantive procedures
  5. Complete the audit
  6. Issue the audit report
5
Q

Review sections of the Statements on Auditing Standards and PCAOB Standards.

A

AU-C 260 - Auditor’s communication with those charged with governance
AU-C 265 - Communication of IC related matters noted in an audit
AU-C 315 - Understanding entity and assessing risks of material misstatement
AU-C 330 - Performing audit procedures in response to assessed risks and evaluating audit evidence obtained
AU-C 402 - Reports on the processing of transactions by service orgs
AU-C 610 - Auditor’s consideration of internal audit function in audit of financial stms
AT 501 - Examination of entity’s internal control over financial reporting that is integrated with an audit of its financial stmts

6
Q

From what framework did AU-C 315 obtain its concepts?

A

The 1992 Internal Control - Integrated Framework, which was published by the Committee of Sponsoring Organizations of the Treadway Commission (aka the COSO Commission)

7
Q

What controls are most relevant to an audit?

A

The controls that pertain to the entity’s objective of preparing financial statements for external purposes

8
Q

How many components does AU-C 315 divide internal control into and what are they?

A

5 components.

  1. Control environment
  2. Risk Assessment
  3. Control activities
  4. Information and communication
  5. Monitoring
9
Q

Component 1: What is the control environment?

A

Sets the tone for the organization.

REMEMBER THE MNEMONIC: IC HAMBO

I = Integrity and ethical values
C = Commitment to competence
H = Human resources policies and practices
A = Assignment of authority and responsibility
M = Management's philosophy and operating cycle
B = BOD or audit committee participation
O = Organizational structure
10
Q

Component 2: What is Risk Assessment?

A

Its identification, analysis, and management of risks relevant to the preparation of financial statements following GAAP.

Examples:

  1. Changes in operating environment (incr. competition)
  2. New personnel
  3. New information systems
  4. Rapid growth
  5. New technology
  6. New lines, products, or activities
  7. Corporate restructuring
  8. Foreign operations
  9. Accounting pronouncements
11
Q

Component 3: Control Activities

A

Policies and procedures that help ensure that necessary actions are taken to address risks to achieving the entity’s objectives

REMEMBER: PIPS

P - Performance reviews (reviews of actual performance against budgets, forecasts, one another)
I - Information processing (controls that check accuracy, completeness, and authorization of transactions)
P - Physical controls (activities that assure the physical security of assets and records)
S - Segregation of duties (separate authorization, recordkeeping, and custody)

12
Q

Component 4: Information and Communication

A

The accounting system, consisting of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of the related assets and liabilities

The goals for transactions are:

  1. Identify and record all valid transactions
  2. Describe on a timely basis
  3. Measure the value properly
  4. Record in proper time period
  5. Properly present and disclose
  6. Communicate responsibilities to employees
13
Q

Component 5: Monitoring

A

Assesses the quality of IC performance over time. They may be ongoing, separate evaluations or a combination.

Ongoing activities are often designed into recurring activities such as sales and purchases
Separate evaluations are often performed by internal auditors or other personnel and include communication of info about strengths and weaknesses and recs for improvement
Monitoring can also be performed by external parties

14
Q

What are financial statement assertions?

A

Assertions are management representations that are embodied in the transaction class, account balance, and disclosure components of financial statements.

15
Q

What are the limitations to internal control?

A
  1. Human judgment in decision making can be faulty
  2. Breakdowns can occur because of human failures such as simple errors or mistakes
  3. Controls, whether manual or automated, can be circumvented by collusion
  4. Management has ability to override internal control
  5. Cost constraints (cost of IC should be < expected benefits)
  6. Custom, culture, and corporate governance system may inhibit fraud, but they are not absolute deterrents
16
Q

In what act is administrative and accounting control distinguished?

A

It is distinguished in the Foreign Corrupt Practices Act of 1977.

AICPA Professional Standards no longer make the distinction.

17
Q

Explain the Committee of Sponsoring Organizations.

A

COSO!

Is composed of representatives from various professional organizations, including AICPA, IMA (Institute of Management Accountants), the FEI (Financial Executives Institute), the IIA (Institute of Internal Auditors), and the AAA (American Accounting Association)

18
Q

What is COSO’s mission?

A

To provide leadership through development of comprehensive frameworks and guidance on enterprise risk management, IC, and fraud deterrence

19
Q

What are 3 relevant sections of SOX?

A

Section 302: Makes officers responsible for maintaining effective internal control and requires the principal executive and financial officers to disclose all significant IC deficiencies to company’s auditors and committee

Section 404: Management acknowledges its responsibility for establishing adequate IC over financial reporting and provides an assessment in the annual report of the effectiveness of IC. Requires that a CPA attest to management’s report on IC as part of the audit

Section 906: Requires that management certify that reports filed with the SEC (10-K and 10-Q) comply with relevant securities laws and are fairly presented

20
Q

How do auditors obtain understanding of internal control?

A
  1. Control environment
  2. Risk Assessment
  3. Accounting information and communication system
  4. Control activities
  5. Monitoring
21
Q

How do auditors document the understanding of internal control?

A
  1. Questionnaires
  2. Written narratives
  3. Flowcharts
22
Q

How do auditors assess risks of material misstatements and design further audit procedures?

A

Tests of controls and substantive procedures

23
Q

How do auditors perform these tests of controls and evaluate their results?

A
  1. Inquiry
  2. Inspection
  3. Observation
  4. Reperformance
24
Q

If the controls do not operate as effectively as expected, what do auditors do?

A

Modify and complete the planned substantive procedures

25
Q

What are some examples of risk assessment procedures for internal control?

A
  1. Inquiries of management and others within the entity
  2. Observing the application of specific controls
  3. Inspecting docs and records
  4. Tracing transactions through information system
26
Q

What do the results from risk assessment procedures help with?

A
  1. Identify types of potential misstatements
  2. Consider factors that affect the risk of material misstatement
  3. Design tests of controls and substantive procedures
27
Q

How does an auditor evaluate operating effectiveness?

A
  1. How was the control applied
  2. Consistency with which it was applied
  3. By whom (or what means) it is applied

Effectiveness is ultimately tested by tests of controls

28
Q

For understanding the control environment, what must the auditor obtain?

A

The attitudes, awareness and actions of management and BOD.

29
Q

For understanding risk assessment, what must the auditor obtain?

A

Obtain understanding of how management identifies risk, estimates the significance of the risks and assesses the likelihood of occurrence

30
Q

For understanding of control activities, what must the auditor obtain?

A

Obtain understanding as necessary. Do not need to understand control activities related to all accounts or every assertion

31
Q

For understanding information and communication, what must the auditor obtain?

A
  1. Major transaction classes
  2. How transactions are initiated
  3. Available accounting records and support
  4. Manner of processing transactions
  5. Financial reporting process used to prepare fin. stmts
  6. Means the entity uses to communicate financial reporting roles and responsibilities
32
Q

For understanding monitoring, what must the auditor obtain?

A

Sufficient understanding of major types of monitoring activities

33
Q

What procedures help auditors understand the design of IC and whether controls have been implemented?

A
  1. Previous experiences with entity
  2. Inquiries
  3. Inspections of docs and records
  4. Observation of entity activities to obtain the needed understanding of IC
34
Q

How do auditors document understanding of internal control?

A

Questionnaire
Memoranda
Flowchart

35
Q

What are the advantages and disadvantages of using a questionnaire when documenting understanding of IC?

A

Advantages:

  1. Easy to complete
  2. Comprehensive list = less likely that important portions will be overlooked
  3. Weaknesses become obvious

Disadvantages:

  1. Answered without adequate thought
  2. Questions may not fit client adequately
36
Q

What are the advantages and disadvantages of using memoranda when documenting understanding of IC?

A

Advantages:

  1. Tailor-made for engagement
  2. Requires a detailed analysis and thus forces auditor to understand functioning of structure

Disadvantages:

  1. May become very long and time-consuming
  2. Weaknesses in structure not obvious
  3. Auditor may overlook important portions of internal control
37
Q

What are the advantages and disadvantages of using a flowchart when documenting understanding of IC?

A

Advantages:

  1. Graphic representation of structure
  2. Usually makes it unlikely that important portions of IC overlooked
  3. Good for electronic systems
  4. No long wording

Disadvantages:

  1. Preparation = time consuming
  2. Weaknesses in structure not always obvious
38
Q

Describe a decision table.

A

Graphic method of describing the logic of decisions. Various combos of conditions are matched to one of several actions

Efficient means of describing logic of an internal control process; does not provide analysis of document flow

39
Q

What is the approach of risk assessment of material misstatement?

A
  1. Identifying risks
  2. Relating risks to what can go wrong at the relevant assertion level
  3. Considering whether the risks are of a magnitude that could result in a material misstatement
  4. Considering the likelihood that risks could result in material misstatements
40
Q

If the control appears to be effective, will the auditor need to do tests of controls?

A

Yes - they will be performed.

If substantive procedures alone do not provide sufficient audit evidence, tests of controls will also be performed.

41
Q

When would risk assessment not include an expectation that controls operate effectively?

A
  1. Controls appear weak
  2. The auditor believes that performing extensive substantive procedures is likely more cost effective than performing a combination of tests of controls and a decreased scope of substantive procedures
42
Q

What is the objective of test of details?

A

To support relevant assertions or detect material misstatements at the assertion level.

43
Q

What is a dual purpose test?

A

Performance of test of controls and details concurrently.

Example: Test of whether an invoice has been properly approved (test of control) and to provide substantive evidence of a transaction (test of details)

44
Q

When is the best time to perform test of controls?

A

Perform tests of controls at an interim date prior to year-end and then update them to the extent considered necessary at year-end

45
Q

Rules on audit evidence on operating effectiveness from a prior period

A

PCAOB auditing standards do not allow this.
Auditing Standards Board allows in limited circumstances.
If so, auditor should obtain audit evidence about whether changes in those specific controls have occurred subsequent to the prior audit.

Test the operating effectiveness of such controls at least once every three years (once in every third year in an annual audit)

46
Q

Describe the results of tests of controls.

A

If tests of controls reveal that the system operates as expected, generally no change needed for the scope of planned substantive procedures.

If the system does not operate as effectively as expected (control risk is higher), the scope of substantive procedures for the relevant assertions involved will increase (thereby decreasing detection risk)

47
Q

When is information on operating effectiveness needed?

A

When control risk is to be assessed at a level below the minimum.

48
Q

What did SOX require in regards to audits (examinations) of internal control?

A

Requirement of an integrated audit of SEC registrants that provide assurance about the fairness of financial statements and about the effectiveness of internal control over financial reporting.

49
Q

What does the integrated audit of financial statements from SOX focus on?

A

More on internal controls and less on substantive procedures

50
Q

What does Section 404 of SOX state?

A

Internal control reporting by management and the auditor

A: Management assessment of IC in annual report filed with SEC
B: CPA firm to audit IC and express opinion on effectiveness of IC
-Note: market cap of $75 million+

51
Q

Which standard establishes the auditor’s responsibility to report upon internal control for a public client?

A

PCAOB Standard 5
- Requires that, when performing an audit of internal control, the auditor examine the design and operating effectiveness of IC over financial reporting to issue an opinion on the effectiveness of IC in preventing or detecting material misstatements of financial statements

52
Q

Which standard establishes the auditor’s responsibility to report upon internal control for a nonpublic client?

A

Statements on Attestation Standards and Interpretations AT 501

53
Q

What is the objective of an audit of IC?

A

To express an opinion on the effectiveness of the company’s IC.

54
Q

What is a control objective?

A

A specific target against which to evaluate the effectiveness of controls. A control objective for IC generally relates to a relevant assertion and states a criterion for evaluating whether the company’s control procedures in a specific area provide reasonable assurance that a misstatement in that relevant assertion is prevented or detected on a timely basis.

55
Q

What is management’s assertion?

A

The assessment required under provisions of SOX that is included in management’s annual report on internal control over financial reporting

56
Q

What is a relevant assertion?

A

A financial statement assertion that has a reasonable possibility of containing misstatements that could cause the financial statements to be materially misstated.

This determination is made without regard to the effect of controls.

57
Q

What are significant accounts and disclosures?

A

An account or disclosure for which there is a reasonable possibility of material misstatement.

The determination is based on inherent risk, without regard to the effect of controls.