SU 06 Internal Control Flashcards
What are an auditor's options in responding to assessed risk?
- Tests of controls
- Substantive Procedures
What do tests of controls consist of
- assessing controls over processes
- assessing the control environment overall
- assessing the operating effectiveness of controls
What affects the operating effectiveness of internal controls
Overall their value in reducing RMM
- are they designed well
- are they implemented and operating properly
What are substantive procedures
audit procedures designed to detect material misstatements at the assertion level: tests of details (of transactions, balances, and disclosures) and substantive analytical procedures
What circumstances may indicate increased risk
- changes in overall operating environment
- new personnel
- new/ revamped IT
- rapid growth
- new technology
- new business models-products-activities
- corporate restructuring
- expanded foreign operations
- new accounting pronouncements
- new
Is an auditor required to assess internal controls?
Yes. Every audit requires obtaining an understanding of internal control relevant to the audit in order to assess RMM (auditing standards); for public companies, SOX 404 additionally requires an audit of internal control over financial reporting (ICFR) integrated with the financial statement audit
Internal control components
C.R.I.M.E
- Control activities
- Risk assessment
- Information and communication systems
- Monitoring
- Environment (control environment)
Who is responsible for internal controls
Client management / governance
What is the auditor's responsibility in regard to internal controls
obtain an understanding of their design and whether they have been implemented, assess RMM, and evaluate (not simply accept) management's assertions about them; in an integrated audit, also test and opine on their operating effectiveness
Control activities include
- performance reviews
- information processing controls (general vs application controls)
- physical controls
- segregation of duties
Which duties must be segregated
authorization from recording from custody
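The authorization / recording / custody rule is easiest to enforce mechanically, because conflicts usually arise not from a single badly designed role but from one person accumulating several individually clean roles. The Python below is an added example, not part of the original flashcards: it resolves users to duties through a constructed role/permission matrix, flags any user holding two or more of the three duties, and separates conflicts covered by a documented compensating control from unmitigated ones. All permissions, roles, users and the compensating-control register are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check: flag any user whose combined
roles grant two or more of authorization, recording and custody.
Added example, not from the original flashcards; the permissions, roles,
users and compensating-control register below are constructed."""
from itertools import combinations

# Each permission is tagged with the duty it represents (None = no duty,
# e.g. read-only access).  Categories follow the flashcard rule:
# authorization / recording / custody must sit with different people.
PERMISSION_DUTY = {
    "po.approve":       "authorization",  # approve purchase orders
    "vendor.create":    "authorization",  # add vendors to the master file
    "ap.invoice.enter": "recording",      # record supplier invoices
    "gl.post":          "recording",      # post journal entries
    "payment.release":  "custody",        # release cash to vendors
    "check.print":      "custody",
    "report.view":      None,
}

ROLE_PERMISSIONS = {
    "purchasing_manager": {"po.approve", "vendor.create", "report.view"},
    "ap_clerk":           {"ap.invoice.enter", "gl.post", "report.view"},
    "treasury":           {"payment.release", "check.print"},
    "auditor_readonly":   {"report.view"},
}

USER_ROLES = {
    "alice": {"purchasing_manager"},
    "bob":   {"ap_clerk"},
    "carol": {"ap_clerk", "treasury"},            # records AND pays: conflict
    "dave":  {"purchasing_manager", "treasury"},  # approves AND pays: conflict
    "erin":  {"auditor_readonly"},
}

# Constructed register of documented compensating controls: a conflict that
# is covered by an independent review is reported separately from one that
# is not.
COMPENSATING_CONTROLS = {
    "carol": "Controller reviews the weekly payment register against entered invoices",
}


def duties_for_user(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
                    perm_duty=PERMISSION_DUTY):
    """Resolve a user's roles to {duty: {permissions granting that duty}}."""
    duties = {}
    for role in user_roles.get(user, set()):
        for perm in role_perms.get(role, set()):
            duty = perm_duty.get(perm)
            if duty is not None:
                duties.setdefault(duty, set()).add(perm)
    return duties


def sod_conflicts(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
                  perm_duty=PERMISSION_DUTY):
    """Return {user: [(duty_a, duty_b), ...]} for every user who holds two or
    more incompatible duties, regardless of which roles grant them.  Checking
    at the user level matters: each role above is clean on its own, so a
    role-by-role review would miss carol and dave."""
    findings = {}
    for user in user_roles:
        duties = duties_for_user(user, user_roles, role_perms, perm_duty)
        pairs = list(combinations(sorted(duties), 2))
        if pairs:
            findings[user] = pairs
    return findings


def unmitigated(conflicts, compensating=COMPENSATING_CONTROLS):
    """Users with a conflict and no documented compensating control."""
    return sorted(user for user in conflicts if user not in compensating)


if __name__ == "__main__":
    for user, pairs in sod_conflicts().items():
        status = ("compensated: " + COMPENSATING_CONTROLS[user]
                  if user in COMPENSATING_CONTROLS else "UNMITIGATED")
        print(f"{user}: {pairs} -> {status}")
```

Run it against a real access export by replacing the three constructed dictionaries with the application's role and user data; the duty tagging of permissions is the part that needs a process owner, the rest is mechanical.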
what is the difference between general and application controls
- General controls are over the whole system - controls at the business level
- application controls are built into specific applications
Objectives of internal controls
1) reliability of financial reporting - prevent or detect financial statement misstatements
2) effectiveness and efficiency of operations
3) compliance with applicable laws and regulations
Limitations of internal controls
- human judgement is faulty
- collusion may circumvent controls
- management may override controls
- impossible to create perfect controls (esp not at reasonable cost)
Levels of internal controls
- entity level (pervasive controls such as the control environment and IT general controls)
- transaction/ assertion level controls (address specific FS issues)
What might transaction/ assertion controls address
- CAPE CROC assertions
- transactions and account balances
- income statement (IS) and balance sheet (BS) balances
Types of entity-level controls
- organizational structure
- clear assignment of authority and responsibility
- adequate segregation of duties
- IT planning in alignment with business strategy
- compliance with licensing, laws, and regulations
Classes of internal controls
- Automated vs Manual
classes of IT-related controls
- IT General Controls (ITGC)
- IT Application controls
- IT-dependent manual controls
Types of IT General Controls
- data center & network
- system software acquisition, change, and maintenance
- program change
- access
- application system acquisition, development, & maintenance
Preventive controls
- designed to stop errors before they occur
- often generate error messages/ alerts
- typically leave little documentary evidence that they operated (less than detective controls)
- informed by "WCGWs"
WCGWs
What can go wrong
Detective controls
Designed to catch fraud or errors after functions or transactions occur
- also informed by WCGWs
- important they can detect & intervene in a timely manner
- often use IT application controls for detection
- often built in as a post-processing procedure
- can be applied to each transaction or to batches
Preventive vs detective control
- preventive controls operate more frequently (on every transaction) and depend more on IT, but are generally more cost effective
- preventive produces less evidence than detective
- auditors tend to focus on detective controls due to the larger amount of evidence they leave
Internal control functionalities
may be:
- complementary
- redundant
- compensating
Complementary internal controls
Two or more controls working together for the same objective
Redundant internal controls
two or more controls working separately for the same objective
Compensating internal controls
One control works to offset the lack of / weakness in another control
Types of tests of controls
inquiry (never sufficient alone)
inspection
observation
re-performance
Benchmarking as a test of controls
relying on prior-period testing of an automated application control when effective IT general controls (especially program-change and access controls) show the control has not changed since it was last tested; not available for manual controls or controls that have changed
Service organizations
Organization that provides services to the client such that the service org’s services and controls are part of the client’s information system and relevant to financial reporting
Type 1 service auditor's report
reports on controls implemented as of a specified date
opinion only on the fairness of the description of controls and the suitability of their design to the environment
Type 2 service auditor's report
reports on controls implemented AND tests of operating effectiveness of internal controls over a specified period
Are service auditor's reports ever referred to in audit reports?
NEVER in an unmodified opinion (using the report does not relieve the user auditor of responsibility for the opinion)
may be referenced in a modified opinion if relevant to understanding the modification, but the report must state that the reference does not reduce the user auditor's responsibility
Risk assessment for service organizations
- must assess the degree of interaction between the service org and the client (user entity): high = the user authorizes transactions and the service org processes them; low = the service org initiates, processes, and records transactions independently
- written representations are obtained from the client's (user entity's) management; the service auditor, not the user auditor, obtains representations from the service org's management
Requirement for management documentation of IC
must provide a written assessment
Requirement for auditor response to IC
Must issue opinion on:
- the effectiveness of ICFR (the auditor evaluates management's assessment in doing so; the separate opinion on management's assessment once required under PCAOB AS 2 is no longer issued under AS 2201)
Must also communicate in writing to management and the audit committee any material weaknesses and significant deficiencies discovered in the course of the audit
Significant deficiencies
deficiencies in internal control that are less severe than a material weakness (no reasonable possibility that a material misstatement goes unprevented or undetected) yet important enough to merit the attention of those charged with governance
Internal control risks in IT
- system availability
- volatile transaction trails
- lack/ decrease in human involvement
- uniform processing (errors repeated)
- unauthorized access
- data vulnerability
- reduction in segregation of duties
Major types of application IT controls
- input controls
- processing controls
- output controls
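The preventive/detective distinction from the earlier cards and the input/processing/output split above are easiest to see on one batch. The Python below is an added example, not part of the original flashcards: per-record input controls (validity, format, limit) reject bad records before posting, a processing control recomputes the batch control totals (record count, financial total, hash total of vendor numbers) and compares them with the preparer's header to catch a record that was slipped in after the totals were keyed, and an output control lists every exception for follow-up. The vendor master, the batch and its header are constructed for illustration.

```python
"""Application controls over a constructed batch of supplier payments:
input controls (preventive, per record), batch control totals
(processing control, detective) and an exception report (output control).
Added example, not from the original flashcards; the vendor master, the
batch and its header are constructed for illustration."""
from decimal import Decimal
import re

# Constructed vendor master file: source for the validity check.
VENDOR_MASTER = {"V1001", "V1002", "V1003"}
PAYMENT_LIMIT = Decimal("10000.00")          # single-payment limit check
AMOUNT_RE = re.compile(r"^\d+\.\d{2}$")      # format check: "123.45"

# Constructed batch header keyed by the preparer from records 1-4:
# record count, financial total, and a hash total of the vendor numbers
# (a meaningless sum kept only to detect dropped, added or altered records).
BATCH_HEADER = {"record_count": 4, "financial_total": "26050.00", "hash_total": 13005}

# Constructed batch detail.  Record 3 names an unknown vendor, record 4
# exceeds the limit, and record 5 was added after the header totals were
# keyed, so no single-record check would catch it.
BATCH = [
    {"id": 1, "vendor": "V1001", "amount": "500.00"},
    {"id": 2, "vendor": "V1002", "amount": "250.00"},
    {"id": 3, "vendor": "V9999", "amount": "300.00"},
    {"id": 4, "vendor": "V1003", "amount": "25000.00"},
    {"id": 5, "vendor": "V1001", "amount": "400.00"},
]


def validate_record(rec):
    """Input controls (preventive): list of failed checks for one record."""
    errors = []
    if rec["vendor"] not in VENDOR_MASTER:
        errors.append("validity: vendor not in master file")
    if not AMOUNT_RE.match(rec["amount"]):
        errors.append("format: amount must be digits with two decimals")
    elif not (Decimal("0.00") < Decimal(rec["amount"]) <= PAYMENT_LIMIT):
        errors.append(f"limit: amount outside (0, {PAYMENT_LIMIT}]")
    return errors


def vendor_hash(vendor):
    """Numeric part of a vendor id, summed into the hash total ("V1001" -> 1001)."""
    return int(vendor[1:])


def process_batch(batch, header):
    """Run input, processing and output controls and return the outcome.

    The control totals are recomputed over everything submitted and compared
    with the header before any record is posted: a mismatch holds the whole
    batch, which is what catches the added record 5.  Per-record rejects go
    to the exception report either way."""
    expected = {
        "record_count": header["record_count"],
        "financial_total": Decimal(header["financial_total"]),
        "hash_total": header["hash_total"],
    }
    computed = {
        "record_count": len(batch),
        "financial_total": sum((Decimal(r["amount"]) for r in batch
                                if AMOUNT_RE.match(r["amount"])), Decimal("0.00")),
        "hash_total": sum(vendor_hash(r["vendor"]) for r in batch),
    }
    mismatches = {k: (expected[k], computed[k]) for k in expected if expected[k] != computed[k]}

    accepted, rejected = [], []
    for rec in batch:
        errs = validate_record(rec)
        if errs:
            rejected.append((rec["id"], errs))
        else:
            accepted.append(rec["id"])

    # Output control: every exception is listed for follow-up by someone
    # other than the preparer.
    report = [f"batch control mismatch on {k}: header={h} computed={c}"
              for k, (h, c) in mismatches.items()]
    report += [f"record {rid} rejected: {'; '.join(errs)}" for rid, errs in rejected]
    batch_ok = not mismatches
    return {
        "batch_control_ok": batch_ok,
        "mismatches": mismatches,
        "accepted": accepted,
        "rejected": rejected,
        "posted": accepted if batch_ok else [],   # held for correction on mismatch
        "exception_report": report,
    }


if __name__ == "__main__":
    result = process_batch(BATCH, BATCH_HEADER)
    print("posted:", result["posted"] or "batch HELD")
    for line in result["exception_report"]:
        print(line)
```

Note the division of labour: the input checks are preventive and leave only a reject message, while the hash-total comparison is detective and produces the kind of reconciliation evidence an auditor can re-perform; the hash total is deliberately a sum of identifiers, not amounts, so a substituted vendor on an otherwise correct amount still changes it.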
When does data analytics outperform sampling
- when appropriate data is available, relatively clean and doesn’t require significant manipulation to be usable
- when the population is large
- when the auditor has a good understanding of the underlying business processes
Why does the XBRL requirement increase IC issues
- increased outsourcing for programming
- new software/ programming -> potential errors
- additional data manipulation
- requires additional control tests/ disclosures
Ways to document internal control assessments
- systems flowcharts
- questionnaires
- narrative memoranda
- decision tables
- checklists of procedures
- data analytics
System flowchart
overview of inputs, processes, outputs
Program flowchart
specific steps in computer programs
Document flowchart
tracks flow of documents through an entity
Management letter
prepared by the audit team
provided to management and those charged with governance (board of directors/ audit committee)
the required written communication lists the significant deficiencies and material weaknesses identified in the audit; other internal control recommendations are included at the auditor's discretion