Internal Control - Concepts and Stds Flashcards
Analytical procedures used during risk assessment may enhance the auditor’s understanding of the client’s :
Analytical procedures used during risk assessment may enhance the auditor’s understanding of the client’s business and significant transactions and events that have occurred since the prior audit and also may help to identify the existence of unusual transactions or events and amounts, ratios, and trends that might indicate matters that have audit implications.
In assessing control risk, an auditor ordinarily selects from a variety of techniques, including
Auditors perform tests of controls to obtain evidence on the operating effectiveness of controls to assess control risk. Tests of controls include inquiries of appropriate entity personnel, inspection of documents and reports, observation of the application of the policy or procedure, and reperformance of the application of the policy or procedure.
AU-C 315 Assessing control risk
AU-C 315 indicates that assessing control risk may be performed concurrently during an audit with obtaining an understanding of internal control.
Assessment of Control Risk
- When Control Risk is assessed to be at Maximum No Internal Control testing is performed
- When Control Risk is below Maximum:
- Auditor tests Internal Controls
- Auditor evaluates Control Risk based on tests
- Auditor adjusts substantive tests accordingly
- Weaker Internal Control = More testing
- Stronger Internal Control = Less testing
AU-C 610 states that internal auditors may assist the CPA in:
AU-C 610 states that internal auditors may assist the CPA in obtaining an understanding of internal control, in performing tests of controls, and in performing substantive tests.
a basic tool used by the auditor to control the audit work and review the progress of the audit
audit plan aids in instructing assistants in the work and includes audit procedures to accomplish the objectives of the examination. Thus, it allows the auditor to control the audit work and to review the progress of the audit.
An auditor reviews a client’s accounting policies and procedures when considering planning matters, for what purpose?
Understanding of the client’s operations and business. Such information provides overall guidance to help an auditor understand the client’s operations and business
What judgments may an independent auditor share responsibility with an entity’s internal auditor who is assessed to be both competent and objective?
None
The auditor is required to make all significant judgments in the audit, including evaluating significant accounting estimates and determining the materiality of misstatements; other significant judgments include:
- assessing the risks of material misstatement
- evaluating the sufficiency of tests performed
- evaluating the going concern assumption
- evaluating the adequacy of disclosures
Can an independent auditor share responsibility with an entity’s internal auditor who is assessed to be both competent and objective
An independent auditor responsibility cannot be shared with the internal auditors for any judgments; the responsibility to report on the financial statements rests solely with the independent auditor
AU-C 265 compensating control
A compensating control is a control that lessens the severity of a deficiency (AU-C 265).
Components of Internal Control
The components of internal control:
- control environment,
- control activities,
- monitoring
- risk assessment
- information/communications are the components of internal control, but not inherent risk.
Inherent Risk is not part of internal control
CRIME
- Control
- Risk
- Info/Communications
- Monitoring
- Environment
Re-Testing Controls
Concerning current audit use of audit evidence about the operating effectiveness of controls obtained in prior year audits, professional standards allow the length of time permissable before retesting controls if the related controls are tested at least every third year.
Confirmations of Accounts Receivable
Confirmation of accounts receivable is a substantive test not a test of a control.
CONTROL ACTIVITIES
- Performance Reviews
- Information Processing
- Physical Controls
- Segregation of Duties
Control Environment Assessment
- Sets tone for the entire company
- How is Management Integrity/Ethics?
- Is Management Competent?
- Healthy Organizational Structure?
- Appropriate HR Policies?
- Authority/Responsibility Assignments?
- What is Managements’ Style?
- Riskier with a dominant, aggressive individual(s)
- Are the Board/Audit Committee Actively Involved?
Control Limitations
- Controls can’t stop collusion or bad judgment
- Management can override controls
- Cost vs. Benefit relationship of Internal Control
The ultimate purpose of assessing control risk is to contribute to the auditor’s evaluation of the risk that
Auditors are ultimately concerned with the existence of material misstatements in the financial statements.
An auditor assesses control risk because
An auditor uses the assessed levels of control and inherent risk to establish the level of detection risk that the auditor may accept.
An auditor assesses control risk because it
- Affects the level of detection risk that the auditor may accept
- Assessed levels of control risk and inherent risk are used to determine the acceptable level of detection risk for financial statement assertions.
audit risk = cr x ir x dr
An auditor assesses control risk because
An auditor uses the assessed levels of control and inherent risk to establish the level of detection risk that the auditor may accept.
Control risk should be assessed in terms of
AU-C 315 requires that control risk be assessed in terms of financial statement assertions
Controls Not Reliable
- Control Risk = Higher
- Aceptable Dection Risk = Lower
- Stop testing controls and do more substantive audit procedures
Controls Reliable
- Control Risk = Lower
- Aceptable Dection Risk = Higher
- Can continue substantive procedures for audit engagement as planned
Decision tables differ from program flowcharts in that decision tables emphasize
Logical relationships among conditions and actions. Decision tables include various combinations of conditions that are matched to one of several actions. In an internal control setting, the various important controls are reviewed and, based on the combination of answers received, an action such as a decision on whether to perform tests of controls is determined. Program flowcharts simply summarize the steps involved in a program.
Deficiencies in Internal Controls
If Internal Controls are deficient:
- Control Risk increases
- Scope of Substantive Procedures increases
- Detection Risk decreases
- Potential for Material Weakness
- resonable possibility that a material misstatement in F/s would not be found
Define control deficiency
A control deficiency is a condition in which the operation of a control does not allow management, or employees, in the normal course of performing their functions to prevent or detect misstatements on a timely basis—it does not explicitly consider likelihood of loss.
Documentation of Internal Control
Auditor must Document understanding of Internal
Control via:
- Memos
- Flowcharts (easy to follow)
- Questionnaires (easy to complete)
Five Components of Internal Control
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communciation
- Monitoring
the function of internal control, from the viewpoint of the independent auditor, is to
function of internal control, from the viewpoint of the independent auditor, is to provide reasonable assurance that material misstatements may either be prevented or discovered with reasonable promptness, thus assuring the reliability and integrity of the financial records.
A government internal audit function is presumed to be free from organizational independence impairments for reporting internally when the head of the organization
Is removed from political pressures to conduct audits objectively, without fear of political reprisal . When the head of the organization is removed from political pressures, such independence may be obtained
How would an auditor of a nonissuer most appropriately respond to a heightened assessed risk of material misstatement?
Heightened assessed risk of material misstatement may result in:
- the assignment of more experienced staff and/or those with specialized skills to high-risk areas; examples of other responses include
- providing more supervision and emphasizing the need for professional skepticism
- incorporating additional elements of unpredictability into audit procedures
- increasing the overall scope of audit procedures.
If the independent auditors decide that the work performed by the internal auditor may have a bearing on their own procedures, they should consider the internal auditor’s
The AICPA’s Professional Standards require independent auditors to consider internal auditor’s:
- competence
- objectivity
- work performance
In an audit of financial statements, an auditor’s primary consideration regarding a control risk should be assessed in terms of :
control risk should be assessed in terms of financial statement assertions.
In comparison to the external auditor, an internal auditor is more likely to be concerned with
Operational auditing, a broader concept than included in financial statement audits, is more important to the internal auditor because it includes budgets and other control devices.
In obtaining an understanding of an entity’s internal control relevant to audit planning, an auditor is required to obtain knowledge about
- An auditor must obtain an understanding of an entity’s internal control sufficient for audit planning.
- An auditor must obtain an understanding that includes knowledge about the design of relevant controls and records and whether the client has placed those controls in operation
Ineffective oversight of financial reporting by those charged with governance is
Ineffective oversight of financial reporting by those charged with governance is an indicator of a material weakness—AU-C 265
INFORMATION AND COMMUNICATION
Auditor needs to understand:
- Major transaction classes
- Transaction initiation
- Support records/documents
- Transaction processing
- Financial Statement Internal Reporting process
- Financial Statement External Reporting process
Inherent Limitation in an Internal Control System
Inherent Limitations
- Human judgment can be faulty and result in a breakdown in internal control because of human errror
- collusion of two or more people
- inappropriate management override of internal control.
Inspection of documents
- Inspection of documents is a form of a test of controls
- Such tests are used to obtain reasonable assurance that controls are in use and operating effectively.
An internal auditor’s work would most likely affect the nature, timing, and extent of an independent CPA’s auditing procedures when
An internal auditor’s work would most likely affect the nature, timing, and extent of a CPA’s auditing procedures.
When considering the effect of the internal auditors’ work, the CPA considers:
- (1) the materiality of financial statement amounts
- (2) the risk of material misstatement of the assertions
- (3) the degree of subjectivity involved in the evaluation of the audit evidence.
May an independent auditor share responsibility with an entity’s internal auditor who is assessed to be both competent and objective?
AU-C 610 requires that judgments about inherent and control risk always be those of the independent auditor. It also requires that judgments about the materiality of misstatements, the sufficiency of tests performed, the valuation of significant accounting estimates, and other matters affecting the auditor’s report should always be those of the independent auditor.
An independent auditor should assess the organizational status of the director of internal audit.
Correct - an auditor assesses the organizational status of the director of internal audit as a method of addressing the function’s likely independence from management.
AU-C 610 Internal Auditor Competence
AU-C 610 indicates when assessing internal auditors’ competence, auditors consider:
- the quality of internal auditors’ working paper documentation
- educational level
- professional experience
- professional certification
- audit policies
- practices regarding assignment, supervision and performance
An auditor uses the knowledge provided by the understanding of internal control and the assessed level of the risk of material misstatement primarily to
The auditor uses such knowledge in determining the nature, timing, and extent of substantive tests for financial statement assertions.
An auditor uses the knowledge provided by the understanding of internal control and the assessed level of the risks of material misstatements primarily to
- Determine the nature, timing, and further audit procedures.
- The auditor uses the knowledge provided by his/her understanding of internal control and the assessed level of the risks of material misstatement in determining the nature, timing, and extent of further audit procedures.
List the five components of internal control
- risk assessment
- control environment,
- control activities
- information system relevant to financial reporting
- monitoring of controls.
Observation
AU-C 315 indicates an auditor will observe the entity’s personnel applying the procedures to determine whether controls have been implemented
Internal Control Testing
Strong as IRON
- Inquiry - interview company personnel
- Re-Performance - can it be replicated
- Observation - Watch the control applied
- INspection - Dig into the details / documents
Internal Control Testing
Reasonalble Assurance that controls are functioning as designed and effective
AU-C 315 Understanding of Internal Control
AU-C 315 requires that the auditor document the understanding of the entity’s internal control.
This is a requirement when an audit of financial statements in accordance with generally accepted accounting principles (GAAP).
An auditor may compensate for a weakness in internal control by increasing
Increasing analytical procedures decreases detection risk in a manner which may counterbalance the condition in internal control. In effect, the weakness in internal control is compensated for by increased substantive testing.
audit risk and its component risks—inherent risk, control risk, and detection risk
AR = IR x CR X DR
The reliance placed on substantive tests in relation to the reliance placed on internal control varies in a relationship that is ordinarily
Inverse : as internal control is relied upon to a lesser extent, substantive tests are relied upon to a greater extent.
Letter to Audit Committee on Internal Control
AU-C 265 indicates that such a letter to the audit committee should
(1) indicate that the audit’s purpose was to report on the financial statements and not to express an opinion on internal control,
(2) include the definition of a significant deficiency
(3) restrict distribution of the report.
Ongoing Monitoring
Ongoing monitoring involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions and such an approach may be followed in reviewing the purchasing function.
Planned level of the risk of material misstatement at maximum level
When the planned level of the risk of material misstatement is at the maximum level, no tests of controls are performed
Reasonable Assurance
Internal Control provides reasonable assurance that:
- Material Misstatements will be prevented
- Reliability & Integrity of Financial Statements will be preserved
- Assets are protected against misuse
Define Reasonable Assurance
The concept of reasonable assurance recognizes that the cost of internal control should not exceed the benefits expected to be derived.
Report on Internal Control
Report on Internal Control now required for integrated audits
SAS 130
Risk Assessment
- Risk of Material Misstatement determines acceptable level of Detection Risk
- Detection Risk determines Nature, Timing, Extent of Auditing Procedures
Risk Assessment
- Rapid Growth - risky
- How does Management:
- Identify Risk
- Estimate Significance
A CPA will most likely perform during the risk assessment phase of a financial statement audit using
analytical procedures often include a comparison of financial information with nonfinancial operating data and because analytical procedures must be performed during risk assessment
Analytical procedures performed during the risk assessment phase of an audit should focus on
Analytical procedures used for risk assessment in the audit should focus on
- enhancing the auditor’s understanding of the client’s business and the transactions and events that have occurred since the last audit date
- identifying areas that may represent specific risks relevant to the audit.
Risk Assessment
Major Changes:
- Operations
- Personnel
- Systems
- IT
- Products
- Corporate Organization
- Foreign Ops
Risk Assessment
Risk assessment is a component of internal control—the other four components are
- control environment,
- control activities,
- information system relevant to financial reporting
- monitoring of controls.
While obtaining an understanding of a client’s risk assessment policies, an auditor ordinarily considers how management:
- how management identifies risks
- estimates risk significance
- assesses the likelihood of risk occurrence, and relates them to financial reporting.
Assessing the risk of material misstatement below the maximum based on controls involves
Assessing the risk of material misstatement below the maximum based on controls involves:
- Identifying specific controls relevant to specific assertions
- Performing tests of controls to evaluate their effectiveness.
Assessed level of the risk of material misstatement
An auditor uses the risk of material misstatement to determine the acceptable level of detection risk for financial statement assertions. The auditor then uses the acceptable level of detection risk to determine the nature, timing, and extent of the auditing procedures to be used to detect material misstatements in the financial statement assertions.
One use of assessed level of risk of material misstatement is
- Risk of material misstatement is used to determine the acceptable level of detection risk for financial statement assertions.
- The auditor then uses the acceptable level of detection risk to determine the nature, timing, and extent of the auditing procedures to be used to detect material misstatements in the financial statement assertions.
Risk of Material Misstatement
- Were all transactions recorded?
- Were they recorded timely?
- Recorded in the correct period?
- Presented and disclosed properly?
- Did Management communicate their
responsibilities?
In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement what proceedures would be applied
Risk assessment procedures to evaluate the design of relevant controls are performed to assess the risk of material misstatement throughout the financial statements
Substantive Procedures
If results are as expected, substantive procedures do
not need to be adjusted
Test of Controls
Tests of controls are used to:
- Test the effectiveness of the design or operation of a control.
- The auditor’s examination of sales invoices for specific initials would be an example of a procedure which provides assurance concerning the effectiveness of the operation of a control.
When tests of controls reveal that controls are not operating as anticipated:
When tests of controls reveal that controls are not operating as anticipated, it is most likely that the assessed level of the risk of material misstatement will be greater than the planned level.
When controls are not operating as anticipated the risk of material misstatement will be greater than the planned assessed level of control risk.
Tests of Controls Involve :
Tests of controls involve:
- inquiry (interviews)
- inspection
- observation
- reperformance.
Tests of controls will be performed when:
Tests of controls will be performed when they are expected to result in a cost effective reduction in planned substantive tests.
Tests of Internal Controls
- Controls tested by auditor in prior year can be used in current year if they are re-tested every 3rd year
- Exception: Control has changed since audit
Control Activities Include
Control activities include:
- performance reviews
- information processing
- physical controls
- segregation of duties
Examples of Inherent Limitation in Internal Control
- Human judgment is an inherent limitation since that judgment can be faulty and result in a breakdown in internal control because of human error
- additional inherent limitations of internal control include
- (1) collusion of two or more people and
- (2) inappropriate management override of internal control.
Three Objectives of Internal Control
- Reliability of Financial Reporting
- Operational Efficiency/Effectiveness
- Compliance with Law and Regulations
Understanding Internal Control
Understanding Internal Control allows the auditor to determine:
- Nature, Timing, and Extent of planned Audit Procedures
- Risk of Material Misstatement
Walk-throughs provide evidence that helps auditors
Walk-throughs provide evidence to confirm the understanding of the flow of transactions and the design of controls, to evaluate the effectiveness of the design of controls and to confirm whether controls have been implemented
Observation and Inquiry
When documentary evidence may not exist. An auditor would most likely test the procedures by Observation and Inquiry
Auditing procedures suggests that when no audit trail exists an auditor should use the observation and inquiry techniques
Which factors are included in an entity’s control environment?
audit committee, integrity and ethical values, and organization structure
In designing written audit plans, an auditor should establish specific audit objectives that relate primarily to
Financial statement assertions.
In obtaining audit evidence to support financial statement assertions, the auditor develops specific audit objectives in light of those assertions
Analytical procedures used in planning generally use data aggregated
Analytical procedures used in planning generally use data aggregated at a high level, data such as account balances from the prior year or from quarterly financial statements.
Audit procedures are primarily designed to
Audit procedures are primarily designed to gather audit evidence which forms the basis for the auditor’s opinion.
Completion of the audit program and any additional audit procedures should provide sufficient competent audit evidence for an opinion on the financial statements as required by the third standard of fieldwork
Internal Control - Substantive Testing
Has Inverse relationship with Substantive Testing
- Stronger Internal Controls = Less Testing Needed
- Weaker Internal Controls = More Testing Needed
planning analytical procedures use information aggregated at a high level
planning analytical procedures use information aggregated at a high level—often, both financial and nonfinancial information.
Segregation of Functional Responsibilites
The following should be segregated:
- Authorizing transactions
- Recording transactions
- Maintaining custody of assets
