Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CPA - AUD > Understanding Internal Control and Assessing Control Risk > Flashcards

Understanding Internal Control and Assessing Control Risk Flashcards

1
Q
  1. AU-C 315 divides internal control into five components, and the nature of each: control environment, risk assessment, control activities, information and communication, and monitoring.
  2. The seven control environment factors are Integrity and ethical values, Commitment to competence, Human resource policies and practices, Assignment of authority and responsibility, Management’s philosophy and operating style, Board of directors or audit committee participation, and Organizational structure. Remember this using mnemonic IC HAMBO.
  3. The following are considered risks that may affect an entity’s ability to properly record, process, summarize, and report financial data: Changes in the operating environment, New personnel, New information systems. Rapid growth, New technology, New lines products or activities, Corporate restructuring, Foreign operations, or Accounting pronouncements
A
  1. Major Components of Internal Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q
  1. The third component of internal control is composed of the various policies and procedures that help ensure that necessary actions are taken to address risks to achieving the entity’s objectives. These include performance reviews, Information processing, physical controls, and segregation of duties.
  2. To be effective, the information and communication system should accomplish the following foals for transactions: Identify and record all valid transactions, Describe on a timely basis, Measure the value properly, Record in the proper time period, Properly present and disclose, and Communicate responsibilities to employees.
  3. Monitoring assesses the quality of internal control over time.
A
  1. Major Components of Internal Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
  1. A control seldom relates to all important assertions. For example, a control over processing sales orders might be effective at determining the existence of receivables, but would not directly address receivables valuations, or completeness.
  2. Internal control provides reasonable but not absolute assurance that specific entity objectives will be achieved.
  3. Previously, the AICPA Professional Standards distinguished between administrative and accounting controls, stating that auditors generally emphasize the latter. While the distinction no longer remains for purposes of the professional standards, it does remain in certain laws, such as the Foreign Corrupt Practices Act.
A
  1. Related Topics
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
  1. The Foreign Corrupt Practices Act is a law passed by Congress in 1977 with provisions requiring every corporation registered under the Securities Exchange Act of 1934 to maintain a system of strong internal accounting control, requiring corporations to maintain accurate books and records, and making it illegal for individuals or business entities to make payments to foreign officials to secure business. Violations of the Act can result in fines and imprisonment of the responsible individuals.
  2. The Committee of Sponsoring Organizations is composed of representatives from various professional organizations, including the AICPA, Institute of Management Accountants, Financial Executives Institute, Institute of Internal Auditors, and American Accounting Association. COSO commissions a study for the purpose of integrating various internal control concepts and definitions being used in the business community. The purposes of the study are to establish a common definition of internal control and to provide a standard against which business and other entities can assess internal control.
  3. The Sarbanes-Oxley Act of 2002 created a variety of new regulations and eliminated a significant portion of the accounting profession’s system of self-regulation. Three relevant sections include:
A
  1. Related Topics
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q
  1. Section 302: Makes officiers responsible for maintaining effective internal control and requires the principal executive and financial officers to disclose all significant internal control deficiencies to the company’s auditors and audit committee.
  2. Section 404: Requires that management acknowledge its responsibility for establishing adequate internal control over financial reporting and provide an assessment in the annual report of the effectiveness of internal control.
  3. Section 906: Requires that management certify reports filed with the SEC (primarily annual 10-K and quarterly 10-Qs) that the reports comply with relevant securities laws and also fairly present, in all material respects, the financial condition and results of the company.
A
  1. Related Topics
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q
  1. The audit performs risk assessment procedures to obtain an understanding of the five components of internal control sufficient to assess the risk of material misstatement of the financial statements, and to design the nature, timing and extent of further audit procedures
  2. AU-C 315 distinguishes between determining that controls have been implemented vs. evaluating their operational effectiveness. In determining whether controls have been implemented, the auditor determines that the entity is using them.
  3. In evaluating operative effectiveness, the auditor goes further and considers how the control was applied, the consistency with which it was applied, and by whom (or what means) it is applied.
A
  1. Obtain An Understanding of Internal Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q
  1. The auditor should obtain an sufficient knowledge to understand management’s and the board of director’s attitude, awareness, and actions considering the control environment.
  2. The auditor should obtain a sufficient knowledge to understand how management considers risks relevant to financial reporting objectives and decides about actions to address those risks.
  3. The auditor needs to obtain a level of knowledge of the information systems and communication to understand the major transaction classes, how those transactions are initiated, the available accounting records and support, the manner of processing of transactions, the financial reporting process used to prepare financial statements, and the means the entity uses to communicate financial reporting roles and responsibilities.
A
  1. Obtain An Understanding of Internal Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q
  1. The auditor should obtain sufficient knowledge of the major types of monitoring activities the entity uses to monitor internal control over financial reporting, including how those activities are used to initiate corrective action.
  2. The auditor relies primarily upon a combination of previous experience with the entity, inquiries, inspection of documents and records, and observation of entity activities to obtain the needed understanding of the internal control.
  3. AU-C 315 points out that while obtaining an understanding of the design of a control, including whether it has been implemented, an auditor may either by plan or by chance obtain some information on operative effectiveness.
A
  1. Obtain An Understanding of Internal Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q
  1. The auditor’s documentation of his/her understanding of internal control for purposes of planning the audit is influenced by the size and complexity of the entity as well as the nature of the entity’s internal control.
A
  1. Obtain An Understanding of Internal Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q
  1. The effectiveness of internal control is important in many situations since particular controls may lessen the likelihood that risks could result in material misstatements.
  2. The decision sequence for considering internal control for the assertions related to classes of transactions, account balances, and disclosures depends upon whether controls appear effective.
  3. The overall approach as it relates to controls is to identify controls that are relevant to specific assertions that are likely to prevent or detect material misstatements, and perform tests of controls to evaluate the effectiveness of those controls.
A
  1. Assess Risks of Material Misstatement and Design Further Audit Procedures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q
  1. Alternatively the risk assessment may not include an expectation that controls operate effectively. This will be the case when either controls appear weak or the auditor believes that performing extensive substantive procedures is likely to be more cost effective than performing a combination of tests of controls and a decreased scope of substantive procedures.
  2. When designing further audit procedures the auditor may design a test of controls to be performed concurrently with a substantive procedure test of details on the same transaction.
  3. Although the objectives of tests of controls and tests of details differ, both may be accomplished concurrently through performance of a test of controls and a test of details on the same transaction. This is known as a dual purpose test.
A
  1. Assess Risks of Material Misstatement and Design Further Audit Procedures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q
  1. For reasons of efficiency and practicality, auditors often perform tests of controls at an interim date prior to year-end and then update them to the extent considered necessary at year-end
  2. Is an auditor allowed to use the results of prior years’ tests of controls in the current audit? PCAOB standards do not allow this while Auditing Standards allow this in limited circumstances.
  3. When controls have changed since they were last tested, the auditor should test the operative effectiveness of such controls in the current audit. In circumstances where controls have not changed since they were last tested, the auditor should test the operating effectiveness of such controls at least once in every three years.
A
  1. Perform Tests of Controls
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q
  1. Generally IT processing is inherently consistent. Therefore, the auditor may be able to limit the testing to one or a few instances of the control operation.
  2. Based on the results of the tests of controls, the auditor will determine whether it is necessary to modify the substantive procedures. If tests of control reveal that the system operatives as expected, there will be generally no need to change the scope of planned substantive procedures. Conversely, if the system does not operate as effectively as expected (control risk is higher than expected), the scope of substantive procedures for the relevant assertions involved will increase (thereby decreasing detection risk)
A
  1. Perform Tests of Controls
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q
  1. Section 404 of the Sarbanes-Oxley Act of 2002 requires internal control reporting my management and the auditor.
  2. Section 404A requires management to include its assessment of internal control in the annual report filed with the SEC. Section 404B requires the CPA firm to audit internal control and express an opinion on the effectiveness of internal control. As implemented, the Act applies to companies with a market capitalization of $75,000,000 or more.
  3. Both PCAOB Standard 5 and SSAE 15 require when performing an audit of internal control that the auditor examine the design and operating effectiveness of internal control over financial reporting to provide a sufficient basis to issue an opinion on the effectiveness of internal control in preventing or detecting material misstatements of the financial statements.
A
  1. Audits (Examinations) of Internal Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q
  1. Objective of audit of internal control is to express an opinion on the effectiveness of the company’s internal control. To form a basis for such an opinion, an auditor should plan and perform the audit to obtain reasonable assurance about whether material weaknesses exist as of the date of management’s assessment.
  2. Deficiency occurs when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
  3. A significant deficiency is when a deficiency or combination of deficiencies that occur in internal control that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.
A
  1. Audits (Examinations) of Internal Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q
  1. A material weakness is a deficiency or combination of deficiencies that occur in internal control such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis
  2. A control objective is a specific target against which to evaluate the effectiveness of control.
A
  1. Audits (Examinations) of Internal Control
17
Q
  1. The opinion on internal control is as to whether internal control is effective at a point in time - the “as of date” - as contrasted to a period of time. The as of date is the last day of the company’s fiscal period.
  2. In an internal control audit, to use the work of others, the auditor should assess their competence and objectivity; do not use the work of those with low competence and/or low objectivity. In general, use the work in lower risk areas.
A
  1. Plan the Audit
18
Q
  1. The auditor should evaluate the period-end financial reporting process (e.g. entering transaction totals to the general ledger, selection of accounting policies, adjustments, preparing financial statements).
A
  1. Use a top-down approach to identify controls to test.
19
Q
  1. Auditors are not responsible for obtaining sufficient evidence to support an opinion about the effectiveness of each individual control; rather, their objective is to express an overall opinion on internal control.
A
  1. Test design and operating effectiveness of controls.
20
Q
  1. The auditor need not identify a material misstatement for a deficiency to be considered a material weakness - rather, there should be a reasonable possibility of a material misstatement.
A
  1. Evaluate identified deficiencies
21
Q
  1. For material weaknesses, communicate, in writing to management and the audit committee prior to issuing the auditor’s report on internal control.
  2. For significant deficiencies, communicate in writing to management and the audit committee. For significant deficiencies or deficiencies that are nor material weaknesses, communicate in writing to management and inform the audit committee when such a communication has been made.
  3. Significant deficiencies and deficiencies previously communicated to management in writing by the auditor, internal auditors, or others in the organization need not be repeated to management. Significant deficiencies that are not corrected and were previously communicated to the audit committee should be recommunicated. The auditor may recommunicate them by referring to the prior communication.
  4. The auditor should not issue a report saying that no significant deficiencies or deficiencies were noted during the audit.
A
  1. Wrap-up of internal control audit
22
Q
  1. Separate reports on the financial statements and internal control or a combined report are acceptable.
  2. Material weaknesses result in an adverse opinion.
A
  1. Report on Internal Control
23
Q
  1. PCAOB 5 refers to this as an “audit” while SSAE 15 refers to it as an “examination”
  2. Both standards are structured about reporting on internal control at a point in time (the “as of date”) but SSAE 15 also allows an auditor to examine effectiveness of internal control for a period of time.
  3. Both standards provide for reporting on the subject matter (internal control) but SSAE 15 also allows for reporting on management’s assertion. However, when a material weakness exists in an SSAE 15 engagement the auditor should report on the subject matter.
A
  1. Differences Between PCAOB Standard 5 and SSAE 15
24
Q
  1. Both standards require that the auditor not issue a report stating that no significant deficiencies exist, but only SSAE 15 explicitly requires that no such report be issued stating that no material weaknesses were identified during the examination.
  2. The reports issued on internal control are very similar but differ in that PCAOB 5 states that the audit was conducted in accordance with standards of the PCAOB while SSAE 15 states that the examination was conducted in accordance with attestation standards established by the AICPA.
A
  1. Differences Between PCAOB Standard 5 and SSAE 15
25
Q
  1. After the existence of a material weakness has lead to an adverse opinion in an internal control audit report, the company is ordinarily motivated to eliminate the weakness as quickly as is reasonably possible.
A
  1. Reporting on Whether a Previously Reported Material Weakness Continues to Exist (PCAOB Standard 4)
26
Q
  1. AU-C 265 requires auditors to communicate significant deficiencies and material weaknesses to management and to those charged with governance.
  2. The report issued should be written and include purpose of consideration of internal control was to express an opinion on the financial statements, not to express an opinion on internal control; auditor is not expressing an opinion on internal control effectiveness; consideration of internal control not designed to identify all significant deficiencies or material weaknesses; definition of material weakness and significant deficiency; separately describe significant deficiencies and material weaknesses identified; indication that the communication is for management, those charged with governance, and others within the organization. It should not be used by others
  3. While a written report indicating that no significant deficiencies were identified should not be issued, a report indicating that no material weaknesses were identified may be issued.
A
  1. Additional Financial Statement Audit Communication
27
Q
  1. A previously communicated significant deficiency or material weakness that has not been corrected should be recommunicated; it may be communicated by simply referring to the prior communication and its date.
  2. AU-C 260 requires that a communication (orally or in writing) of certain information occur between the auditor and those charged with governance of the company being audited.
A
  1. Additional Financial Statement Audit Communication
28
Q
  1. AU-C 610 discusses the effect of an internal audit function on the CPA’s audit. Internal auditors have 2 primary effects on the audit: 1) their existence and work may affect the nature, timing, and extent of audit procedures, and 2) CPAs may use internal auditors to provide direct assistance in performing procedures
A
  1. Effects of an Internal Audit Function

CPA - AUD (5 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions