Lec 9 Flashcards
what is the purpose of the internal control structure
to manage business risk and produce fairly presented F/S and disclosures
Management’s and directors’ attitudes, awareness, and actions concerning the company’s internal controls set the tone for
the control environment
which is more effective, preventive or detective controls?
preventive controls because detective controls only come into play after the issue has occurred
“company tone” is synonymous with what
control environment
what does management’s risk assessment process do?
identify risks relevant to misstatements occurring in the preparation of financial statements and to estimate risks’ likelihood and magnitude
what are application controls
procedures performed at the application level in relation to date input, process and output
what is monitoring
ongoing process for reviewing and assessing whether the control procedures in place are adequate to address control risks
what is misappropriation of assets
the theft or misuse of an organization’s assets
what is embezzlement
fraud involving employ-ees or non-employees wrongfully taking money or property entrusted to their care, custody, and control; often accompan-ied by false accounting entries and other forms of lying and cover-up
what is defalcation
fraud in which an employee takes assets (money or property) from an organization for per-sonal gain; may be due to corruption or asset misappropriation
what is fraudulent financial reporting
intentional manipulation of reported financial results to portray a mis-stated economic picture of the firm by which the perpetrator seeks an increase in personal wealth through a rise in stock price or compensation
what is fraud risk
the risk that fraud has resulted in intentional misstatement in the financial statements
what are the two types of fraud risk
fraudulent financial reporting and asset misappropriation
what do auditors think is more important in recognizing signs of fraud, attitude or situational factors
attitude
what is fraud incentive
when management is under pressure to reach goals which may or may not be realistic; might involve having consequences if not met
what are the three part of the fraud triangle
incentive/pressure, opportunity, rationalization - when these three are apparent, auditors should look to further investigate
what stage of the audit process is materiality determined
planning
what stage of the audit do you determine the type of tests you will do and based on what?
planning stage. the types of tests are decided based on the risk assessment
understanding of internal controls is required in which of the tests?
both substantive and control
what two methods do auditors use to understand internal control and are they part of the procedures
a walkthrough and enquiry. at this point of the audit they are not substantive tests and are done just to get an understanding
the substantive and control method require how many substantive tests to be conducted and what are they
One requires 6 tests to be done and the other 4. recalculation, confirmation, observation, inquiry, analysis, inspection
what do substantive tests gain evidence on
DIRECTLY obtain evidence on whether an account or class of transaction has been misstated
the control method requires how many control tests to be conducted and what are they
the control method requires only 4 tests to be conducted. those are recalculation, inquiry, observation, inspection
what sort of evidence do control tests gain
INDIRECT evidence that misstatements exist in accounts and classes of transactions due to internal control
what do control tests aim to measure
control risk - whether it is high, medium, or low
if the identified control risk is low, what does that mean for the risk you are willing to accept for detection
the risk for detection will be higher
if the control risk, what does that meant about the amount of audit work you will be doing
the amount of audit work done will be lower because the detection risk acceptable will be higher
if you do control tests, will you do more or less substantive tests and what is the benefit of this
you will do less substantive tests and the benefit is that the audit cost will decrease since substantive tests cost more
based on what control risk levels can a combined audit be done
if the control risk levels assessed are low or medium
what does it mean if the control risks assessed are high, should you do combined testing and why
it means that the internal controls set up do not work. if they are assessed to not work, there is not point in doing further testing
what should you do if you discover in the middle of the control tests that internal control risks do not work
you should move over to doing substantive test
what are two advantages of doing control tests
cost benefits and having the ability to begin you audit procedures earlier - maybe Q3 (interim date)
can Canadian auditors use substantive or control method?
canadian auditors have a choice between the two methods
if a public company is being audited in canada which of the two methods will most likely be chosen and why
combined method because public companies typically are required to satisfy internal control guidelines in order to be listed publicly
do auditors have to comment on internal controls in canada?
no
what is the only reason the combined approach is done in canada
cost reductions
which companies would ask the auditor to issue an opinion on internal controls and why
typically companies in which tasks are outsourced to (e.g. payroll and Ceridian). this is done because auditors do not want to have to test the internal controls of ceridian if they are sending in confirmations for A/P - they want to just trust ceridians internal controls
in usa for public companies, do auditors have a choice between substantive and combined and why
no, they must use only combined approach due to the requirements by SOX
must american auditors give an opinion on internal controls and why
yes, and opinion on internal controls is required by SOX
what are two reasons the combined approach done for public companies
- better internal controls are required for the companies to be listed publicly
- it is too costly to do substantive tests for a big company
why is substantive method used for private corporations
because they most likely do not have strong internal controls
what is the purpose of internal controls for management and which ones do auditors care about
- reliability of financial reporting
- effectiveness and efficiency of operations
- compliance to laws and regulations
Auditors only care about reliability and compliance
definition of control risk
the risk that a company’s internal control system will not be able to prevent or detect material misstatements
what are the components of internal control
- control environment
- risk assessment
- control activities
- information and communication
- monitoring
which of the components is considered the umbrella component
control environment
control environment contains a______, p_____ and p______ that reflect the a_____ of top management and board about c_______
actions, policies, procedures, attitudes, control
the essence of an effectively controlled business lies in the a_____ of management
attitude
control environment factors can be used to build what kind of profile
a client risk profile
what are the components of the control environment (HIPDOC)
- HR policies and practices
- Integrity and ethical values
- management’s Philosophy and operating style
- board of Directors (audit committee)
- Organization structure
- Commitment to competence
what does the hr policies of HIPDOC include
hiring practices, evaluation, and compensation
what does the management philosophy and operating style of HIPDOC include
behavior should be encouraged and documented in the code of ethics
what should the board of directors in HIPDOC include
- independent directors (required by stock exchange)
- audit committee composed of independent directors and financial experts
what does the organizational structure in HIPDOC include
- a structure appropriate for planning, directing and controlling
- clear authority and responsibility
what is risk assessment in internal controls
management identification and analysis of risks relevant to preparing f/s in relation to GAAP
what is the process in management risk assessment
- risk identification
- risk possibility/likelihood
- risk magnitude/significance
- develop action plan to reduce risk to acceptably low level
will risk increase if a company acquires anther company with great control systems
yes, because it will take time for the systems to integrate with one another
what are some risks a company can face
- new personnel
- changed I/S
- rapid growth
- new business model
- restructuring
- new accounting methods
should you use the risk assessments a business has done themselves
yes, you can use part of it if you deem it reliable
what are control activities
policies and procedures that ensure the entity reaches its goals, including financial reporting goals
what are the two components of control activities
general and application controls
what are general controls
policies and procedures that relate to applications and support the functioning of applications
include performance reviews
what are the components of general controls in control activities (SPAID)
- separation of duties
- physical controls
- authorization
- independent checks
- documents and records
what are application controls
the accounting systems that record transactions and produce the F/S
what are the essential functions of application controls/accounting system
- data preperation
- data entry
- transaction processing
- report production and distribution
what are the components of application controls in control activities (PPAC)
- program changes
- program development
- access to programs and data
- computer operations
the accounting system produces what sort of trail
audit trail
what are the components of information and communications system (IFSAI)
- initiation, authorization, recording, processing and reporting
- financial reporting process
- significant classes of transactions
- accounting records
- information technology
unlike human control measures, IT control measure operate in what % of times
100% of cases
what are the procedures in the information and communication systems
- record valid transactions
- classify transactions
- measure value of transactions
- determine time period of transaction
- present transaction in FS
what is the monitoring of controls
considerations whether the controls are working as intended
what may monitoring controls include
- reviews of reconciliations
- internal audit
- evaluation of compliance
what are some of managements objectives with internal control
- provide reliable accounting data
- safeguard assets
- operational efficiency
- prevent or detect errors
- ensure compliance with laws
auditor responsibilities in relation to internal controls
- assess control risk as part of audit planning process
- test controls if doing combined approach
- communicate weakness if required or asked to
