Internal Control and Assessing Control Risk - General Information

Question 1

What standards govern internal control and how they affect financial statement audits? (Provide name and paragraph #)

Answer 1

Statements on Auditing Standards (SASs) - Sections/Paragraphs 315 and 330

Question 2

What does SASs AU-C 315 describe?

Answer 2

Obtaining an understanding of entity (IC included) and to design the nature, timing, and extent of further audit procedures

Question 3

What does SASs AU-C 330 describe?

Answer 3

Guidance on nature of FURTHER audit procedures as they relate to IC (tests of controls)

Question 4

Explain the relationship of internal control to an audit in a flowchart?

Answer 4

1. Plan the audit
2. Understand the entity and IC
3. Assess Risk of Misstatement and Design further tests
4. Perform substantive procedures
5. Complete the audit
6. Issue the audit report

Question 5

Review sections the Statements on Auditing Standards and PCAOB Standards.

Answer 5

AU-C 260 - Auditor’s communication with those charged with governance
AU-C 265 - Communication of IC related matters noted in an audit
AU-C 315 - Understanding entity and assessing risks of material misstatement
AU-C 330 - Performing audit procedures in response to assessed risks and evaluating audit evidence obtained
AU-C 402 - Reports on the processing of transactions by service orgs
AU-C 610 - Auditor’s consideration of internal audit function in audit of financial stms
AT 501 - Examination of entity’s internal control over financial reporting that is integrated with an audit of its financial stmts

Question 6

What framework did AU-C 315 obtain its concepts?

Answer 6

The 1992 Internal Control - Integrated Framework, which was published by the Committee of Sponsoring Organizations of the Treadway Commission (aka the COSO Commission)

Question 7

What controls are most relevant to an audit?

Answer 7

The controls that pertain to the entity’s objective of preparing financial statements for external purposes

Question 8

How many components does AU-C 315 divide internal control into and what are they?

Answer 8

5 components.

1. Control environment
2. Risk Assessment
3. Control activities
4. Information and communication
5. Monitoring

Question 9

Component 1: What is the control environment?

Answer 9

Sets the tone for the organization.

REMEMBER THE MNEOMIC: IC HAMBO

I = Integrity and ethical values
C = Commitment to competence
H = human resources policies and practices
A = Assignment of authority and responsibility
M = Management's philosophy and operating cycle
B = BOD or audit committee participation
O = Organizational structure

Question 10

Component 2: What is Risk Assessment?

Answer 10

Its identification, analysis, and management of risks relevant to the preparation of financial statements following GAAP.

Examples:

1. Changes in operating environment (incr. competition)
2. New personnel
3. New information systems
4. Rapid growth
5. New technology
6. New lines, products, or activities
7. Corporate restructuring
8. Foreign operations
9. Accounting pronouncements

Question 11

Component 3: Control Activities

Answer 11

Policies and procedures that help insure that necessary actions are taken to address risks to achieving the entity’s objectives

REMEMBER: PIPS

P- Performance reviews (reviews of actual performance against budgets, forecasts, one another)
I - Information processing (controls that check accuracy, completeness, and authorization of transactions)
P - Physical controls (activities that assure the physical security of assets and records)
S - Segregation of duties (separate authorization, recordkeeping, and custody) .

Question 12

Component 4: Information and Communication

Answer 12

The accounting system, consisting of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of the related assets and liabilities

The goals for transactions are:

1. Identify and record all valid transactions
2. Describe on a timely basis
3. Measure the value properly
4. Record in proper time period
5. Properly present and disclose
6. Communication responsibilities to employees

Question 13

Component 5: Monitoring

Answer 13

Assesses the quality of IC performance over time. They may be ongoing, separate evaluations or a combination.

Ongoing activities are often designed into recurring activities such as sales and purchases
Separate evaluations are often performed by internal auditors or other personnel and include communication of info about strengths and weaknesses and recs for improvement
Monitoring can also be performed by external parties

Question 14

What are financial statement assertions?

Answer 14

Assertions are management representations that are embodied in the transaction class, account balance, and dsiclosure components of financial statements.

Question 15

What are the limitations to internal control?

Answer 15

1. Human judgment in decision making can be faulty
2. Breakdowns can occur b/c human failures such as simple errors or mistakes
3. Controls, whether manual or automated, can be circumvented by collusion
4. Management has ability to override internal control
5. Cost constraints (cost of IC should be < expected benefits)
6. Custom, culture, and corporate governance system may inhibit fraud, but they are not absolute deterrents

Question 16

In what act is administrative and accounting control distinguished?

Answer 16

It is distinguished in the Foreign Corrupt Practices Act of 1977.

AICPA Professional Standards no longer makes the distinguishment

Question 17

Explain the Committee of Sponsoring Organizations.

Answer 17

COSO!

Is composed of representatives from various professional organizations, including AICPA, IMA (Institute of Management Accountants), the FEI (Financial Executives Institute), the IIA (Institute of Internal Auditors), and the AAA (American Accounting Association)

Question 18

What is COSO’s mission?

Answer 18

To provide leadership through development of comprehensive frameworks and guidance on enterprise risk management, IC, and fraud deterrence

Question 19

What are 3 relevant sections of SOX?

Answer 19

Section 302: Makes officers responsible for maintaining effective internal control and requires the principal executive and financial officers to disclose all significant IC deficiencies to company’s auditors and committee

Section 404: Management acknowledges its responsibility for establishing adequate IC over financial reporting and provide an assessment in annual report of the effectiveness of IC. Requires CPA attest to management’s report on IC as part of audit

Section 906: Requires management certify reports filed with SEC (10-K and 10-Q) that reports comply with relevant securities laws and are fairly presented

Question 20

How do auditors obtain understanding of internal control?

Answer 20

1. Control environment
2. Risk Assessment
3. Accounting information and communication system
4. Control activities
5. Monitoring

Question 21

How do auditors document the understanding of internal control?

Answer 21

1. Questionnaires
2. Written narratives
3. Flowcharts

Question 22

How to auditors assess risks of material misstatements and design further audit procedures?

Answer 22

Tests of controls and substantive procedures

Question 23

How do auditors perform these tests of controls and evaluate their results?

Answer 23

1. Inquiry
2. Inspection
3. Observation
4. Reperformance

Question 24

If the controls do not operate as effectively as expected, what do auditors do?

Answer 24

Modify and complete the planned substantive procedures

Question 25

What are some examples of risk assessment procedures for internal control?

Answer 25

1. Inquiries of management and others within the entity
2. Observing the application of specific controls
3. Inspecting docs and records
4. Tracing transactions through information system

Question 26

What do the results from risk assessment procedures help with?

Answer 26

1. Identify types of potential misstatements
2. Consider factors that affect the risk of material misstatement
3. Design tests of controls and substantive procedures

Question 27

How does an auditor evaluate operating effectiveness?

Answer 27

1. How was the control applied
2. Consistency with which it was applied
3. By whom (or what means) it is applied

Effectiveness is ultimately tested by tests of controls

Question 28

For understanding the control environment, what must the auditor obtain?

Answer 28

The attitudes, awareness and actions of management and BOD.

Question 29

For understanding risk assessment, what must the auditor obtain?

Answer 29

Obtain understanding of how management identifies risk, estimates the significance of the risks and assesses the likelihood of occurrence

Question 30

For understanding of control activities, what must the auditor obtain?

Answer 30

Obtain understanding as necessary. Do not need to understand control activities related to all accounts or every assertion

Question 31

For understanding information and communication, what must the auditor obtain?

Answer 31

1. Major transaction classes
2. How transactions are initiated
3. Available accounting records and support
4. Manner of processing transactions
5. Financial reporting process used to prepare fin. stmts
6. Means the entity uses to communicate financial reporting roles and responsibilities

Question 32

For understanding monitoring, what must the auditor obtain?

Answer 32

Sufficient understanding of major types of monitoring activities

Question 33

What procedures help auditors understand the design of IC and whether controls have been implemented?

Answer 33

1. Previous experiences with entity
2. Inquiries
3. Inspections of docs and records
4. Observation of entity activities to obtain the needed understanding of IC

Question 34

How do auditors document understanding of internal control?

Answer 34

Questionnaire
Memoranda
Flowchart

Question 35

What are the advantages and disadvantages of using a questionnaire when documenting understanding of IC?

Answer 35

Advantages:

1. Easy to complete
2. Comprehensive list = less likely that important portions will be overlooked
3. Weaknesses become obvious

Disadvantages:

1. Answered without adequate thought
2. Questions may not fit client adequately

Question 36

What are the advantages and disadvantages of using a memoranda when documenting understanding of IC?

Answer 36

Advantages:

1. Tailor-made for engagement
2. Requires a detailed analysis and thus forces auditor to understand functioning of structure

Disadvantages:

1. May become very long and time-consuming
2. Weaknesses in structure not obvious
3. Auditor may overlook important portions of internal control

Question 37

What are the advantages and disadvantages of using a flowchart when documenting understanding of IC?

Answer 37

Advantages:

1. Graphic representation of structure
2. Usually makes it unlikely that important portions of IC overlooked
3. Good for electronic systems
4. No long wording

Disadvantages:

1. Preparation = time consuming
2. Weaknesses in structure not always obvious

Question 38

Describe a decision table.

Answer 38

Graphic methods of describing the logic of decisions. Various combos of conditions are matched to one of several actions

Efficient means of describing logic of an internal control process; does not provide analysis of document flow

Question 39

What is the approach of risk assessment of material misstatement?

Answer 39

1. Identifying risks
2. Relating risks to what can go wrong at the relevant assertion level
3. Considering whether the risks are of a magnitude that could result in a material misstatement
4. Considering the likelihood that risks could result in material misstatements

Question 40

If the control appears to be effective, will the auditor need to do tests of controls?

Answer 40

Yes - they will be performed.

If substantive procedures alone do not provide sufficient audit evidence, tests of controls will also be performed.

Question 41

When would risk assessment not include an expectation that controls operate effectively?

Answer 41

1. Controls appear weak
2. The auditor believes that performing extensive substantive procedures is likely more cost effective than performing a combination of tests of controls and a decreased scope of substantive procedures

Question 42

What is the objective of test of details?

Answer 42

To support relevant assertions or detect material misstatements at the assertion level.

Question 43

What is a dual purpose test?

Answer 43

Performance of test of controls and details concurrently.

Example: Test of whether an invoice has been properly approved (test of control) and to provide substantive evidence of a transaction (test of details)

Question 44

When is the best time to perform test of controls?

Answer 44

Perform tests of controls at an interim date prior to year-end and then update them to the extent considered necessary at year-end

Question 45

Rules on audit evidence on operating effectiveness from a prior period

Answer 45

PCAOB auditing standards do not allow this.
Auditing Standards Board allows in limited circumstances.
If so, auditor should obtain audit evidence about whether changes in those specific controls have occurred subsequent to the prior audit.

Test the operating effectiveness of such controls at least once every three years (once in every third year in an annual audit)

Question 46

Describe the results of tests of controls.

Answer 46

If tests of controls reveal that the system operates as expected, generally no change needed for the scope of planned substantive procedures.

If the system does not operate as effectively as expected (control risk is higher), the scope of substantive procedures for the relevant assertions involved will increase (thereby decreasing detection risk)

Question 47

When is information on operating effectiveness needed?

Answer 47

When control risk is to be assessed at a level below the minimum.

Question 48

What did SOX require in regards to audits (examinations) of internal control?

Answer 48

Requirement of an integrated audit of SEC registrants that provide assurance about the fairness of financial statements and about the effectiveness of internal control over financial reporting.

Question 49

What does the integrated audit of financial statements from SOX focus on?

Answer 49

More on internal controls and less on substantive procedures

Question 50

What does Section 404 of SOX state?

Answer 50

Internal control reporting by management and the auditor

A: Management assessment of IC in annual report filed with SEC
B: CPA firm to audit IC and express opinion on effectiveness of IC
-Note: market cap of $75 million+

Question 51

What standards is the requirement that it is auditor’s responsibility to report upon internal control for a public client?

Answer 51

PCAOB Standard 5
-require when performing an audit of internal control that auditor examine the design and operating effectiveness of IC over financial reporting to issue opinion on effectiveness of IC in preventing or detecting material misstatements of financial statements

Question 52

What standards is the requirement that it is auditor’s responsibility to report upon internal control for a nonpublic client?

Answer 52

Statements on Attestation Standards and Interpretations AT 501

Question 53

What is the objective of an audit of IC?

Answer 53

To express an opinion on the effectiveness of company’s IC?

Question 54

What is a control objective?

Answer 54

A specific target against which to evaluate the effectiveness of controls. A control objective for IC generally relates to a relevant assertion and states a criterion for evaluating whether the company’s control procedures in a specific area provide reasonable assurance that a misstatement in that relevant assertion is prevented or detected on a timely basis.

Question 55

What is management’s assertion?

Answer 55

The assessment required under provisions of SOX that is included in management’s annual report on internal control over financial reporting

Question 56

What is a relevant assertion?

Answer 56

A financial statement assertion that has a reasonable possibility of containing misstatements that could cause the financial statements to be materially misstated.

This determination is made without regard to the effect of controls.

Question 57

What is significant accounts and disclosures?

Answer 57

An account or disclosure for which there is a reasonable possibility of material misstatement.

The determination is based on inherent risk, without regard to the effect of controls.