PCAOB & Auditing Standards - #5 ICFR integrated Audit Flashcards
Definitions Review
A.
“Control deficiency” – When the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
1.
Deficiency in design – When a control necessary to meet the control objective is missing or when an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.
2.
Deficiency in operation – When a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
B.
“Material weakness” – A deficiency, or a combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. (If one or more material weaknesses exist, the company’s ICFR is not considered to be effective.)
C.
“Significant deficiency” – A deficiency, or a combination of deficiencies, in ICFR that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.
Audit Timing
The audit of ICFR should be integrated with the audit of the financial statements (i.e., the tests of controls should be designed to address both the objectives of the audit of ICFR and the audit of the financial statements).
Materiality
should use the same materiality considerations in planning the audit of ICFR as for the audit of the company’s annual financial statements.
Top Down Approach
Begins at the financial statement level and with the auditor’s understanding of the overall risks to ICFR; the auditor then focuses on “entity-level” controls and works down to significant accounts and disclosures and their relevant assertions.
Identifying ELCs:
Entity-level controls
ELC: Control environment
ELC: Period-end financial reporting process
Include controls related to the control environment, controls over management override, the company’s risk assessment process, controls to monitor results of operations or other controls, controls over the period-end financial reporting process; and policies that address significant business control and risk management practices.
Because of its importance to ICFR, the auditor must evaluate the control environment at the
Because of its importance to ICFR, the auditor must evaluate the period-end financial reporting process
Identifying significant accounts and disclosures and their relevant assertions: Relevant Assertions.
Those financial statement assertions that have a reasonable possibility of containing a material misstatement. (Auditing Standard No. 5 specifically refers to (1) existence or occurrence; (2) completeness; (3) valuation or allocation; (4) rights and obligations; and (5) presentation and disclosure.)
Identifying significant accounts and disclosures and their relevant assertions: Risk Factors
The auditor should consider risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions, including the nature of the account or disclosure; size and composition of the account; susceptibility to misstatement, volume of activity and complexity of transactions; and changes from the prior period, among others.
Understanding likely sources of misstatement: The auditor should achieve these control objectives –
(a) Understand the flow of transactions related to the relevant assertions; (b) verify that the auditor has identified the points within the company’s processes at which a material misstatement could arise; (c) identify the controls that management has implemented to address these potential misstatements; and (d) identify the controls that management has implemented over the company’s assets that could materially misstate the financial statements.
Understanding likely sources of misstatement: Performing walkthroughs
Following a transaction from origination through the company’s processes until reflected in the financial records is frequently the most effective way to achieve the objectives above. (Procedures usually include inquiry, observation, inspection of relevant documentation, and re-performance of controls.)
TOCs: nature
From least to most evidence
Inquiry, observation, inspection of relevant documentation, and re-performance of a control:
TOCs: Testing design effectiveness
Procedures include inquiry of appropriate personnel, observation of the company’s operations, and inspection of relevant documentation (may be addressed by appropriate walkthroughs).
TOCs: Testing operating effectiveness
Procedures include inquiry of appropriate personnel, observation of the company’s operations, inspection of relevant documentation, and re-performance of the control.
Evaluating identified deficiencies: Basic responsibilities
The auditor must evaluate identified control deficiencies to determine whether, individually or in combination, they constitute material weaknesses as of the date of management’s assessment (based on whether there is a “reasonable possibility” that the controls will fail to prevent or detect a material misstatement, not whether a misstatement has actually occurred).
Indicators of material weaknesses
(1) identification of fraud involving senior management (whether or not material); (2) restatement of previously issued financial statements; (3) identification by the auditor of a material misstatement of the financial statements in the current period; and (4) ineffective oversight of the company’s external financial reporting and internal control by the company’s audit committee.
Communicating Identified Deficiencies
- The auditor must communicate (in writing) all material weaknesses identified to management and the audit committee.
- The auditor must also communicate (in writing) other significant deficiencies identified to the audit committee.
- The auditor should communicate (in writing) all other deficiencies in ICFR to management and inform the audit committee that such a communication has been made.
- If the auditor concludes that the audit committee’s oversight of financial reporting and ICFR is ineffective—must communicate that conclusion in writing to the board of directors.
