Internal Control and Assessing Control Risk - General Information Flashcards
What standards govern internal control and how they affect financial statement audits? (Provide name and paragraph #)
Statements on Auditing Standards (SASs) - Sections/Paragraphs 315 and 330
What does SASs AU-C 315 describe?
Obtaining an understanding of entity (IC included) and to design the nature, timing, and extent of further audit procedures
What does SASs AU-C 330 describe?
Guidance on nature of FURTHER audit procedures as they relate to IC (tests of controls)
Explain the relationship of internal control to an audit in a flowchart?
- Plan the audit
- Understand the entity and IC
- Assess Risk of Misstatement and Design further tests
- Perform substantive procedures
- Complete the audit
- Issue the audit report
Review sections of the Statements on Auditing Standards and PCAOB Standards.
AU-C 260 - Auditor’s communication with those charged with governance
AU-C 265 - Communication of IC related matters noted in an audit
AU-C 315 - Understanding entity and assessing risks of material misstatement
AU-C 330 - Performing audit procedures in response to assessed risks and evaluating audit evidence obtained
AU-C 402 - Reports on the processing of transactions by service orgs
AU-C 610 - Auditor’s consideration of internal audit function in audit of financial stms
AT 501 - Examination of entity’s internal control over financial reporting that is integrated with an audit of its financial stmts
From what framework did AU-C 315 obtain its concepts?
The 1992 Internal Control - Integrated Framework, which was published by the Committee of Sponsoring Organizations of the Treadway Commission (aka the COSO Commission)
What controls are most relevant to an audit?
The controls that pertain to the entity’s objective of preparing financial statements for external purposes
How many components does AU-C 315 divide internal control into and what are they?
5 components.
- Control environment
- Risk Assessment
- Control activities
- Information and communication
- Monitoring
Component 1: What is the control environment?
Sets the tone for the organization.
REMEMBER THE MNEMONIC: IC HAMBO
I = Integrity and ethical values
C = Commitment to competence
H = Human resources policies and practices
A = Assignment of authority and responsibility
M = Management's philosophy and operating cycle
B = BOD or audit committee participation
O = Organizational structure
Component 2: What is Risk Assessment?
Its identification, analysis, and management of risks relevant to the preparation of financial statements following GAAP.
Examples:
- Changes in operating environment (incr. competition)
- New personnel
- New information systems
- Rapid growth
- New technology
- New lines, products, or activities
- Corporate restructuring
- Foreign operations
- Accounting pronouncements
Component 3: Control Activities
Policies and procedures that help ensure that necessary actions are taken to address risks to achieving the entity’s objectives
REMEMBER: PIPS
P - Performance reviews (reviews of actual performance against budgets, forecasts, one another)
I - Information processing (controls that check accuracy, completeness, and authorization of transactions)
P - Physical controls (activities that assure the physical security of assets and records)
S - Segregation of duties (separate authorization, recordkeeping, and custody)
Component 4: Information and Communication
The accounting system, consisting of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of the related assets and liabilities
The goals for transactions are:
- Identify and record all valid transactions
- Describe on a timely basis
- Measure the value properly
- Record in proper time period
- Properly present and disclose
- Communication responsibilities to employees
Component 5: Monitoring
Assesses the quality of IC performance over time. They may be ongoing, separate evaluations or a combination.
Ongoing activities are often designed into recurring activities such as sales and purchases
Separate evaluations are often performed by internal auditors or other personnel and include communication of info about strengths and weaknesses and recs for improvement
Monitoring can also be performed by external parties
What are financial statement assertions?
Assertions are management representations that are embodied in the transaction class, account balance, and disclosure components of financial statements.
What are the limitations to internal control?
- Human judgment in decision making can be faulty
- Breakdowns can occur b/c of human failures such as simple errors or mistakes
- Controls, whether manual or automated, can be circumvented by collusion
- Management has ability to override internal control
- Cost constraints (cost of IC should be < expected benefits)
- Custom, culture, and corporate governance system may inhibit fraud, but they are not absolute deterrents
In what act is administrative and accounting control distinguished?
It is distinguished in the Foreign Corrupt Practices Act of 1977.
AICPA Professional Standards no longer makes the distinction
Explain the Committee of Sponsoring Organizations.
COSO!
Is composed of representatives from various professional organizations, including AICPA, IMA (Institute of Management Accountants), the FEI (Financial Executives Institute), the IIA (Institute of Internal Auditors), and the AAA (American Accounting Association)
What is COSO’s mission?
To provide leadership through development of comprehensive frameworks and guidance on enterprise risk management, IC, and fraud deterrence
What are 3 relevant sections of SOX?
Section 302: Makes officers responsible for maintaining effective internal control and requires the principal executive and financial officers to disclose all significant IC deficiencies to company’s auditors and committee
Section 404: Management acknowledges its responsibility for establishing adequate IC over financial reporting and provide an assessment in annual report of the effectiveness of IC. Requires CPA attest to management’s report on IC as part of audit
Section 906: Requires management certify reports filed with SEC (10-K and 10-Q) that reports comply with relevant securities laws and are fairly presented
How do auditors obtain understanding of internal control?
- Control environment
- Risk Assessment
- Accounting information and communication system
- Control activities
- Monitoring
How do auditors document the understanding of internal control?
- Questionnaires
- Written narratives
- Flowcharts
How do auditors assess risks of material misstatements and design further audit procedures?
Tests of controls and substantive procedures