Risk Assessment - Part 2 Flashcards
what is internal control?
- a process effected by those charged with governance, by management, and other personnel, designed to provide reasonable assurance about the achievement of the entity’s objectives
- 3 categories of an entity’s objectives: financial reporting, operations, and compliance
1. reliability of financial reporting (FS fraud = lying)
2. effectiveness and efficiency of operations (asset misappropriation = stealing)
3. compliance with applicable laws and regulations (corruption = cheating)
which objective is most relevant to the audit?
- The reliability of the financial reporting objective is the most relevant to the audit
what are the 5 components of internal control?
CRIME - CPA is required to understand each element of CRIME as it relates to financial reporting;
- Control environment: leadership; tone at the top
- Risk assessment: management’s identification of risk NOT auditor
- Information and communication systems: a means of recording transactions and communication responsibilities; support the identification, capture, and exchange of info in a timely and useful manner
- Monitoring: assessment of internal control performance over time
- Existing control activities: control policies and procedures
It’s a CRIME not to have a strong internal control framework
What common circumstances would raise concern regarding management’s philosophy and operating style?
- management consumed with meeting the budget
- management dominated by one person
- management compensation contingent upon the entity’s financial performance
what effect if entity has a weak control environment?
affect NET; the auditor may perform more(extent) substantive procedures (nature) as of the balance sheet date (time) rather than at interim.
what are policies and procedures of existing control activities?
- in a well-designed internal control environment, fraud and errors should be PREVENTED and/or DELETED by employees in the ordinary course of their job/business
- PAID TIPS
1. Prenumbering of documents: “your checkbook”
2. Authorization of transactions: “signed approval”
3. Independent checks to maintain asset accountability: “checks and balances” verification of work previously done by others
4. Documentation: “paper trail”
5. Timely and appropriate financial performance reviews: “analytical review” comparison of actual performance to budgets, forecasts, and prior periods; comparison of financial to nonfinancial info
6. Information processing controls: ensure transactions are valid, properly authorized, completely and accurately recorded
7. Physical controls for safeguarding assets: “security”
8. Segregation of duties: provides a cross-check the work of one individual on the work of another one.
what are the 3 common functions that need segregation of duties?
- segregation of duties is your ARC to protect against a flood of troubles
- ARC
1. Authorizing transactions
2. Record keeping or recording transactions
3. Custody of related assets
what is the purpose of internal control? and exceptions?
- prevent and or detect and quickly correct
- exceptions: collusion (involve 2 or more people) and management override and human error
what are the procedures used to obtain evidence about the design and implementation of internal controls?
- Inquiry of entity personnel
- Observation of application of controls
- Inspection of documents and reports
- Walk-throughs: assist the auditor in obtaining and understanding of the IT systems that are used process and record financial transactions
How can a walk-through be performed?
One or both of the following
1. select a single transaction and trace it through the entity’s info processing system
2. identify the key steps
A complete and accurate list of walk-thru: Inquiry, observation, inspection of relevant documentation, and reperformance of controls
what items should auditor document?
Documentation may include any item the auditor can FIND:
1. Flowchart: depicts auditor’s understanding of internal control
2. Internal control questionnaire or checklists
3. Narrative: lengthy written version of flowchart, so it’s hard to “see” weakness in internal control
4. Documentation from client: including copies of the entity’s procedures manuals and org charts
what is IT general control?
- policies and procedures relate to many applications and support the effective functioning and proper operation of the information system
- ex: password, backup/recovery system, admin rights to the network
what is IT application control?
- apply to the processing of INDIVIDUAL transaction
- ex: maintain and review accounts and trial balances, check mathematical accuracy of records
what are benefits of IT?
- ability to process large volumes of transactions and data accurately and consistently
- improve timeliness
- enhance segregation of duties, ability to monitor the performance
what are IT risks?
- potential reliance on inaccurate system
- unauthorized access to data
- unauthorized changes to data
- failure to make required changes or updates to systems
- inappropriate manual intervention
- potential loss of data
Audit should:
1. document use of programs
2. perform tests more often during the year: to ensure the system is still working accurately
