Internal Control and Assessing Control Risk - General Information Flashcards
What standards govern internal control and how it affects financial statement audits? (Provide name and paragraph #)
Statements on Auditing Standards (SASs) - Sections/Paragraphs 315 and 330
What does SASs AU-C 315 describe?
Obtaining an understanding of entity (IC included) and to design the nature, timing, and extent of further audit procedures
What does SASs AU-C 330 describe?
Guidance on nature of FURTHER audit procedures as they relate to IC (tests of controls)
Explain the relationship of internal control to an audit (as a flowchart).
- Plan the audit
- Understand the entity and IC
- Assess Risk of Misstatement and Design further tests
- Perform substantive procedures
- Complete the audit
- Issue the audit report
Review the relevant sections of the Statements on Auditing Standards and PCAOB Standards.
AU-C 260 - Auditor’s communication with those charged with governance
AU-C 265 - Communication of IC related matters noted in an audit
AU-C 315 - Understanding entity and assessing risks of material misstatement
AU-C 330 - Performing audit procedures in response to assessed risks and evaluating audit evidence obtained
AU-C 402 - Reports on the processing of transactions by service orgs
AU-C 610 - Auditor’s consideration of internal audit function in audit of financial stms
AT 501 - Examination of entity’s internal control over financial reporting that is integrated with an audit of its financial stmts
From what framework did AU-C 315 obtain its concepts?
The 1992 Internal Control - Integrated Framework, which was published by the Committee of Sponsoring Organizations of the Treadway Commission (aka the COSO Commission)
What controls are most relevant to an audit?
The controls that pertain to the entity’s objective of preparing financial statements for external purposes
How many components does AU-C 315 divide internal control into and what are they?
5 components.
- Control environment
- Risk Assessment
- Control activities
- Information and communication
- Monitoring
Component 1: What is the control environment?
Sets the tone for the organization.
REMEMBER THE MNEMONIC: IC HAMBO
- I = Integrity and ethical values
- C = Commitment to competence
- H = Human resources policies and practices
- A = Assignment of authority and responsibility
- M = Management's philosophy and operating cycle
- B = BOD or audit committee participation
- O = Organizational structure
Component 2: What is Risk Assessment?
It is the identification, analysis, and management of risks relevant to the preparation of financial statements in accordance with GAAP.
Examples:
- Changes in operating environment (incr. competition)
- New personnel
- New information systems
- Rapid growth
- New technology
- New lines, products, or activities
- Corporate restructuring
- Foreign operations
- Accounting pronouncements
Component 3: Control Activities
Policies and procedures that help ensure that necessary actions are taken to address risks to achieving the entity’s objectives
REMEMBER: PIPS
P- Performance reviews (reviews of actual performance against budgets, forecasts, one another)
I - Information processing (controls that check accuracy, completeness, and authorization of transactions)
P - Physical controls (activities that assure the physical security of assets and records)
S - Segregation of duties (separate authorization, recordkeeping, and custody)
Component 4: Information and Communication
The accounting system, consisting of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of the related assets and liabilities
The goals for transactions are:
- Identify and record all valid transactions
- Describe on a timely basis
- Measure the value properly
- Record in proper time period
- Properly present and disclose
- Communicate responsibilities to employees
Component 5: Monitoring
Assesses the quality of IC performance over time. Monitoring activities may be ongoing, separate evaluations, or a combination of the two.
Ongoing activities are often designed into recurring activities such as sales and purchases
Separate evaluations are often performed by internal auditors or other personnel and include communication of information about strengths and weaknesses and recommendations for improvement
Monitoring can also be performed by external parties
What are financial statement assertions?
Assertions are management representations that are embodied in the transaction class, account balance, and disclosure components of financial statements.
What are the limitations to internal control?
- Human judgment in decision making can be faulty
- Breakdowns can occur because of human failures such as simple errors or mistakes
- Controls, whether manual or automated, can be circumvented by collusion
- Management has ability to override internal control
- Cost constraints (cost of IC should be < expected benefits)
- Custom, culture, and corporate governance system may inhibit fraud, but they are not absolute deterrents
In what act is administrative and accounting control distinguished?
It is distinguished in the Foreign Corrupt Practices Act of 1977.
AICPA Professional Standards no longer make the distinction
Explain the Committee of Sponsoring Organizations.
COSO! It is composed of representatives from various professional organizations, including the AICPA, the IMA (Institute of Management Accountants), the FEI (Financial Executives Institute), the IIA (Institute of Internal Auditors), and the AAA (American Accounting Association)
What is COSO’s mission?
To provide leadership through development of comprehensive frameworks and guidance on enterprise risk management, IC, and fraud deterrence
What are 3 relevant sections of SOX?
Section 302: Makes officers responsible for maintaining effective internal control and requires the principal executive and financial officers to disclose all significant IC deficiencies to the company’s auditors and committee
Section 404: Management acknowledges its responsibility for establishing adequate IC over financial reporting and provides an assessment in the annual report of the effectiveness of IC. Requires the CPA to attest to management’s report on IC as part of the audit
Section 906: Requires management to certify that reports filed with the SEC (10-K and 10-Q) comply with relevant securities laws and are fairly presented
How do auditors obtain understanding of internal control?
- Control environment
- Risk Assessment
- Accounting information and communication system
- Control activities
- Monitoring
How do auditors document the understanding of internal control?
- Questionnaires
- Written narratives
- Flowcharts
How do auditors assess risks of material misstatement and design further audit procedures?
Tests of controls and substantive procedures
How do auditors perform these tests of controls and evaluate their results?
- Inquiry
- Inspection
- Observation
- Reperformance
If the controls do not operate as effectively as expected, what do auditors do?
Modify and complete the planned substantive procedures
What are some examples of risk assessment procedures for internal control?
- Inquiries of management and others within the entity
- Observing the application of specific controls
- Inspecting docs and records
- Tracing transactions through information system
What do the results from risk assessment procedures help with?
- Identify types of potential misstatements
- Consider factors that affect the risk of material misstatement
- Design tests of controls and substantive procedures
How does an auditor evaluate operating effectiveness?
- How was the control applied
- Consistency with which it was applied
- By whom (or by what means) it was applied
Effectiveness is ultimately tested by tests of controls
For understanding the control environment, what must the auditor obtain?
An understanding of the attitudes, awareness, and actions of management and the BOD.
For understanding risk assessment, what must the auditor obtain?
An understanding of how management identifies risks, estimates the significance of the risks, and assesses the likelihood of their occurrence
For understanding of control activities, what must the auditor obtain?
An understanding as necessary. The auditor does not need to understand control activities related to all accounts or every assertion
For understanding information and communication, what must the auditor obtain?
- Major transaction classes
- How transactions are initiated
- Available accounting records and support
- Manner of processing transactions
- Financial reporting process used to prepare fin. stmts
- Means the entity uses to communicate financial reporting roles and responsibilities
For understanding monitoring, what must the auditor obtain?
Sufficient understanding of major types of monitoring activities
What procedures help auditors understand the design of IC and whether controls have been implemented?
- Previous experiences with entity
- Inquiries
- Inspections of docs and records
- Observation of entity activities to obtain the needed understanding of IC
How do auditors document understanding of internal control?
Questionnaire
Memoranda
Flowchart
What are the advantages and disadvantages of using a questionnaire when documenting understanding of IC?
Advantages:
- Easy to complete
- Comprehensive list = less likely that important portions will be overlooked
- Weaknesses become obvious
Disadvantages:
- Answered without adequate thought
- Questions may not fit client adequately
What are the advantages and disadvantages of using memoranda when documenting understanding of IC?
Advantages:
- Tailor-made for engagement
- Requires a detailed analysis and thus forces auditor to understand functioning of structure
Disadvantages:
- May become very long and time-consuming
- Weaknesses in structure not obvious
- Auditor may overlook important portions of internal control
What are the advantages and disadvantages of using a flowchart when documenting understanding of IC?
Advantages:
- Graphic representation of structure
- Usually makes it unlikely that important portions of IC are overlooked
- Good for electronic systems
- No long wording
Disadvantages:
- Preparation is time-consuming
- Weaknesses in structure not always obvious
Describe a decision table.
A graphic method of describing the logic of decisions. Various combinations of conditions are matched to one of several actions
An efficient means of describing the logic of an internal control process; it does not provide an analysis of document flow
What is the approach of risk assessment of material misstatement?
- Identifying risks
- Relating risks to what can go wrong at the relevant assertion level
- Considering whether the risks are of a magnitude that could result in a material misstatement
- Considering the likelihood that risks could result in material misstatements
If the control appears to be effective, will the auditor need to do tests of controls?
Yes - they will be performed.
If substantive procedures alone do not provide sufficient audit evidence, tests of controls will also be performed.
When would risk assessment not include an expectation that controls operate effectively?
- Controls appear weak
- The auditor believes that performing extensive substantive procedures is likely more cost effective than performing a combination of tests of controls and a decreased scope of substantive procedures
What is the objective of tests of details?
To support relevant assertions or detect material misstatements at the assertion level.
What is a dual-purpose test?
Performance of a test of controls and a test of details concurrently.
Example: Testing whether an invoice has been properly approved (test of control) and using it to provide substantive evidence of a transaction (test of details)
When is the best time to perform tests of controls?
Perform tests of controls at an interim date prior to year-end and then update them to the extent considered necessary at year-end
What are the rules on using audit evidence about operating effectiveness obtained in a prior period?
PCAOB auditing standards do not allow this.
The Auditing Standards Board allows it in limited circumstances.
If it is used, the auditor should obtain audit evidence about whether changes in those specific controls have occurred subsequent to the prior audit.
Test the operating effectiveness of such controls at least once every three years (once in every third year in an annual audit)
Describe the results of tests of controls.
If tests of controls reveal that the system operates as expected, generally no change is needed in the scope of planned substantive procedures.
If the system does not operate as effectively as expected (control risk is higher), the scope of substantive procedures for the relevant assertions involved will increase (thereby decreasing detection risk)
When is information on operating effectiveness needed?
When control risk is to be assessed at a level below the minimum.
What did SOX require in regards to audits (examinations) of internal control?
Requirement of an integrated audit of SEC registrants that provides assurance about the fairness of the financial statements and about the effectiveness of internal control over financial reporting.
What does the integrated audit of financial statements from SOX focus on?
More on internal controls and less on substantive procedures
What does Section 404 of SOX state?
Internal control reporting by management and the auditor
A: Management assessment of IC in annual report filed with SEC
B: CPA firm to audit IC and express opinion on effectiveness of IC
- Note: applies at a market cap of $75 million or more
Which standard establishes the auditor’s responsibility to report upon internal control for a public client?
PCAOB Standard 5
- Requires, when performing an audit of internal control, that the auditor examine the design and operating effectiveness of IC over financial reporting in order to issue an opinion on the effectiveness of IC in preventing or detecting material misstatements of the financial statements
Which standard establishes the auditor’s responsibility to report upon internal control for a nonpublic client?
Statements on Attestation Standards and Interpretations AT 501
What is the objective of an audit of IC?
To express an opinion on the effectiveness of the company’s IC.
What is a control objective?
A specific target against which to evaluate the effectiveness of controls. A control objective for IC generally relates to a relevant assertion and states a criterion for evaluating whether the company’s control procedures in a specific area provide reasonable assurance that a misstatement in that relevant assertion is prevented or detected on a timely basis.
What is management’s assertion?
The assessment required under provisions of SOX that is included in management’s annual report on internal control over financial reporting
What is a relevant assertion?
A financial statement assertion that has a reasonable possibility of containing misstatements that could cause the financial statements to be materially misstated.
This determination is made without regard to the effect of controls.
What are significant accounts and disclosures?
An account or disclosure for which there is a reasonable possibility of material misstatement.
The determination is based on inherent risk, without regard to the effect of controls.