Quiz 3 Flashcards
Who designs and maintains a system of internal control?
Management
Internal control
The method by which a company’s Board of Directors, management, and other employees provide reasonable assurance.
*Good internal control helps to achieve the following objectives:
-RELIABILITY OF FINANCIAL STATEMENTS
-Effectiveness and efficiency of operations
-Compliance with laws and regulations
What kind of assurance does internal control provide?
Reasonable Assurance
Internal control assessment impacts the amount of
Substantive evidence required
Auditor is most concerned with internal controls that pertain to
the preparation of external financial statements.
COSO
A committee designed to help businesses establish, assess, and enhance their internal control.
COSO components of internal control:
-Control Environment
-Risk Assessment
-Control Activities
-Information and Communication
-Monitoring activities
*Control Environment
Sets the tone of an organization influencing control consciousness of its people. AKA does management take internal controls seriously. “TONE AT THE TOP”
Risk Assessment
Management identifies its riskiest areas and implements controls to prevent, or detect errors/fraud that could result in material misstatement.
Control Activities
The policies, procedures, techniques, and mechanisms that help ensure that management’s response to reduce risks identified during the risk assessment process is carried out.
Information and communication
How the organization obtains or generates and uses RELEVANT, QUALITY information to support the functioning of other parts of internal control.
Monitoring Activities
Intended to assess the quality of internal control performance over time. Separate evaluations, ongoing monitoring, report deficiencies.
What direct relationship exists in the COSO Framework?
Relationship between objectives (strive to do), components (what the entity needs to do to achieve objectives), and the structure of the company (operating units, legal entities)
4 types of control activities:
-Segregation of duties
-Information processing controls
-Physical controls
-Independent checks
Information processing controls (Definition of General and Application Controls)
General controls – relate to the overall information processing environment and include controls over data center and network operations; software acquisition, development and maintenance
Application controls – apply to the processing of individual applications and help ensure occurrence, completeness and accuracy of the transaction processing
Physical controls examples
Fences, safes, locks, security monitoring system, authorization requirements for access to computer programs and data files.
After obtaining an understanding of the entity’s internal controls,
The auditor decides whether to RELY or NOT RELY on client’s Internal structure
*Reliance Strategy
Auditor will rely on internal controls, will test effectiveness of controls. If they are effective, won’t have to do as much testing
*Substantive Strategy
Auditor does not rely on internal controls. Auditor will use substantive procedures as main source of evidence about assertions. Will involve more testing.
*Walkthrough
A procedure where auditors trace a transaction from its origin through an organization’s processes and systems to its final recording in financial records, to assess the effectiveness of internal controls.
To set control risk below HIGH, the auditor must
-Identify specific controls that will be relied upon
-Perform specific tests of the identified controls
-Conclude on the achieved level of control risk given results of testing.
Effectiveness of design
Is control designed suitably to prevent, or detect/correct misstatement.
Effectiveness of operation
“does the control work” –applied properly, consistently and who performs it.
Low Detection Risk Strategy
RMM is set high
AR = High RMM x Low DR = Higher and more extensive substantive testing. Year end
High Detection Risk Strategy
RMM is set low
AR = Low RMM x High DR = Less and less extensive substantive testing. Interim and year end
*SOC 1 Type 1 Report
Describes the service company’s controls and assesses whether they are suitably designed to achieve specified internal control objective
Helps auditor understand controls / where and how to test
Specific point in time
*SOC 1 Type 2 Report
Type 1 + provides assurance on the operating effectiveness of the
service company’s controls based on the auditor’s tests of controls
Over a specified period (usually 6 to 12 months)
*Important difference between SOC 1 Type 1 and 2:
An auditor may reduce control risk below high only on the basis of a
Type 2 report
3 Different levels of deficiency ranked from Least to Most impactful:
- Control deficiency
- Significant deficiency
- Material weakness
*SOX 404
Requires management of publicly traded companies to issue a report that accepts responsibility for establishing and maintaining an adequate ICFR, and assert whether ICFR is effective “AS OF” the end of the fiscal year
To form an opinion of the effectiveness of ICFR, the auditor must
Plan and perform the audit
to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control as of the date specified in management’s assessment
ICFR
A process designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements in
accordance with GAAP
Control Deficiency
Exists when the design or operation of a control does not allow management (or employees), in the normal course of performing their assigned functions, to prevent or detect misstatements
on a timely basis.
Significant Deficiency
A control deficiency or combination of control deficiencies in ICFR that is less than a material weakness yet important enough to merit attention by those responsible for the oversight of the entity’s financial reporting.
Material Weakness
A deficiency or combination of deficiencies in ICFR so that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis
Main focus of ICFR
To detect Material Weakness [We hunt for BIG GAME]
When judging the significance of a control deficiency, the auditor must consider two dimensions:
list and define
Likelihood = is deficiency reasonably possible
Magnitude = is deficiency material, significant or insignificant (BASED ON MATERIALITY)
Management’s 3 step top-down evaluation approach:
- Identify financial reporting risks and related controls.
- Consider which locations to include in assessment.
- Evaluate evidence regarding the operating effectiveness of ICFR.
Most entities use what framework for ICFR Assessment?
Framework developed by COSO
Entity level controls
Controls that have a pervasive effect on the entity’s system of internal control.
Entity level controls benefits:
-Lower the risk that transaction controls may fail due to employees/communication/culture
-Lower the risk of fraud
-Lower the risk of significant impact caused by control failure
-Reduce the level of effort associated with transaction controls
*Management needs to evaluate the severity of the control deficiencies based on:
Likelihood and Magnitude
*If material weakness assessed, management must disclose the material weakness in its report on ICFR which should include:
-Nature of material weakness
-Its impact on the entity’s financial reporting and ICFR
-Management’s current plan to remediate the material weakness
Integrated audit approach
Auditor combines audits of internal control and financial statements.
*If one or more “material weaknesses” exist
then ICFR cannot be considered effective
ONLY TAKES ONE MATERIAL WEAKNESS = ADVERSE OPINION
*Auditor not required to search for deficiencies that are
less severe than “Material weakness”
Searching for BIG FISH
Two entity level controls that the auditor must specifically evaluate:
- Control Environment
- Period-End Financial Reporting Process
Relevant assertions
Financial statement assertions that have possibility of containing a misstatement that would cause the financial statements to be materially misstated
What is often the best way to identify potential sources of misstatement?
Walkthroughs
Key Controls
Only the controls that are important to the auditor’s conclusion on ICFR that address risk of misstatement to each relevant assertion.
Only controls that need to be tested
Prevent Control
Designed to prevent error before it occurs
Detect control
Designed to find errors (detect and correct)
Manual, higher frequency, higher importance of a control =
More testing of the control.
Auditors evaluate the severity of each control deficiency based on:
- Likelihood: reasonable possibility the control will fail to prevent or detect a misstatement
- Magnitude: significance of failure, significance of the potential misstatement (think materiality, would it be a MM)
What to do if there is a material weakness
Company should remediate/ correct it. Must be re-tested before the “As-of” date
Scope Limitation
Management’s failure to provide written representations specific to the audit of ICFR to the Auditor
*Different opinions for ICFR:
Unqualified Opinion- No Material Weaknesses (Control and Significant Deficiencies allowed)
Adverse Opinion- A Material Weakness identified
Disclaimer Opinion- Issued due to serious (more than minor) scope limitation
NO QUALIFIED OPINIONS
Audit Sampling objective
To achieve a REASONABLE BASIS for the auditor to draw conclusions about the population from which the sample is selected.
Audit Standards recognize and permit the use of
Non-statistical sampling (Judgemental Sampling) and Statistical Sampling
Statistical Sampling
We use statistics to compute sample size and evaluate results
Non-Statistical sampling
Does not follow strict statistical techniques to determine sample size, sample selection, and evaluation of results. Relies more on auditor’s professional JUDGEMENT
Sampling
The selection and evaluation of less than 100% of the population of
audit relevance selected in such a way that the auditor expects the items selected to be representative of the population
Representative sample
A small quantity of something that accurately reflects the larger population
Sampling Risk
The risk that the sample may not be truly representative of the population
AKA Non-Representative Sample
Non-Sampling Risk
Refers to any other mistakes by the auditor (human error)
Detection risk =
Sampling risk + non-sampling risk
*Type 1 Audit Sampling Error
Auditor concludes IC not working effectively when they are working.
Risk of assessing control risk as TOO HIGH
These errors are OKAY, but lead to more testing than needed and an inefficient audit
Type 2 Audit Sampling Error
Auditor concludes IC is working when they, in truth, ARE NOT working
Risk of assessing control risk TOO LOW
Potentially severe consequences such as audit failure.
Sample size designs by auditors are designed to guard against
Type 2 errors
Random Number Selection
Every item in the population has the same probability of being selected as
every other sampling unit in the population
Systematic Selection
The auditor determines a sampling interval by dividing the population by the sample size. A starting number is randomly selected in the first interval and then every nth item is selected
Haphazard sampling
Involves selecting items from a population without consideration of known characteristics of items in the population
Block Sampling
Involves selecting items from the population in contiguous
groups (or blocks)
Judgmental Selection
Auditor chooses items based on judgement.
Confidence Level
The probability that the value of a parameter falls within a specified
range of values (think presidential polling)
Increase in sample size =
Increased confidence, Lower the sampling risk
Decrease in sample size =
Lower confidence, increase sampling risk
If 90% confidence, sampling risk is
10%
Tolerable Error / Tolerable Deviation Rate
The highest deviation rate the auditor could accept and still conclude that the internal control is still effective
Expected Error / Expected Deviation Rate
How much deviation the auditor expects
As Tolerable Error increases
Sample Size decreases
As Expected Error increases
Sample size increases
Allowance for sampling risk =
Tolerable Error - Expected Error
“CUSHION”
As allowance for sampling risk decreases,
Sample size increases
What is the impact of Population size on sample size?
Little to none
What is a deviation in sampling?
Auditor unable to examine a sample item. Too many and the auditor will stop testing
When it comes to sampling deviations, auditor should investigate:
- Nature/cause of deviation – is it an unintentional error or fraud (is important)
- Consider how the deviations impact other phases of the audit
Attribute Sampling
Used to estimate the proportion of a population that possesses a specified characteristic
Data Analytics
Process of cleaning, transforming and modeling data with the goal of discovering useful information, informing conclusions, and supporting decision making
Big Data
Datasets that are too large and complex for businesses’ existing
systems to handle using their traditional capabilities to capture, store, manage and analyze these data sets
Volume
Sheer amount of data regardless of source
Velocity
The speed at which data is being generated or the rate at which data is being analyzed
Veracity
Refers to unstructured and unprocessed data
Variety
The quality of data
Two important limiting factors when dealing with Big Data:
Storage – many companies now use cloud platform to lower the cost of storage
Processing power – the processing power required to obtain information valuable to the company could be enormous or even impossible
ETL
Extract, transform and load the data
Two applications for data analytics in accounting:
- Key performance indicators – critical measures from an organization’s strategy
- Audit data analytics (ADA) – process of “discovering and analyzing patterns, identifying anomalies, and extracting useful information in data … for the purpose of planning or performing the audit”
AICPA 5-step process for Data Analytics
- Plan the ADA (Audit Data Analytics)
- Access and prepare the data for purposes of the ADA
- Consider relevance and reliability of the data
- Perform the ADA
- Evaluate results and conclude
In its assessment of ICFR, a publicly traded company identified a material weakness. What is its reporting responsibility (what disclosures are required to be reported by management)?
A publicly traded company that identifies a material weakness (at its as-of date) in its Internal Control over Financial Reporting (ICFR) is required to disclose the material weakness in a written report included in its annual financial statement filing (10-K filing). The disclosure should include the following:
a. Nature of material weakness – explain the material weakness (what is it)
b. The impact of the material weakness on the company’s financial reporting and ICFR
c. Management’s current plan to remediate the material weakness