Transcript Chapter 9
Chapter 5
Internal Control Evaluation:
Assessing Control Risk
Accounting 408
Chapter 5
1. Overview
2. Introduction
Management’s Responsibility for internal control
Responsibility under SOX
certify the financial statements (Section 302)
report on IC over fin. reporting (Section 404)
For nonissuer
must include a statement:
• that management is responsible
• identifying the framework
• providing management's assessment
design, implement, and maintain control system
Foreign Corrupt Practices Act
2. Introduction (continued)
Auditor’s responsibility
Under SOX
auditor must conduct an integrated audit under PCAOB stds
not a separate engagement
issue opinion on f/s and IC
For nonissuer
auditor must conduct audit under AICPA stds
use evaluation of the client’s business and its IC to identify and assess risks of material misstatement
2. Introduction (continued)
Performance Principle
The auditor must identify and assess risks of material misstatement,
whether due to fraud or error, based on an understanding of the
entity and its environment, including its internal control.
Standards
SAS 122
SAS 109
SAS 78 - COSO
SAS 55
SAS 1
Questions
2. Introduction (continued)
SAS 122 and 109 – Definition of IC
IC is a process, effected by those charged with
governance, management, and other personnel,
designed to provide reasonable assurance about
the achievement of objectives with regard to
reliability of financial reporting
effectiveness and efficiency of operations
compliance with applicable laws and regulations
2. Introduction (continued)
SAS 78 (COSO)
IC is a process, effected by an entity’s board
of directors, management, and other
personnel, designed to provide reasonable
assurance regarding the achievement of
objectives in the following categories: (a)
reliability of financial reporting, (b) compliance
with laws and regulations, and (c)
effectiveness and efficiency of operations.
2. Introduction (continued)
SAS 55
An internal control structure consists of the
policies and procedures established by an
entity to provide reasonable assurance that
specific entity objectives will be achieved.
2. Introduction (continued)
SAS 1
Internal control includes the organization’s
plan and other measures designed to
accomplish the following objectives:
safeguard assets
check the accuracy and reliability of accounting
data
promote operational efficiency
encourage adherence to managerial policies
3. Control Structure
Relevance to an audit
Elements of IC – COSO
control environment
risk assessment
information and communication
control activities
monitoring
3. Control Structure (con’t)
Control environment – most important
integrity and ethical values
board of directors (includes audit committee)
management’s philosophy and operating style
organizational structure
financial reporting competencies
authority and responsibility
human resources
3. Control Structure (con’t)
Risk assessment
Examples of where risks may arise:
change in regulatory or operating environment
new personnel
new or revised AIS
rapid expansion
new technology
new business models or products
expansion or acquisition of foreign operations
3. Control Structure (con’t)
Information and communication
AIS
IT general controls
IT application controls
spreadsheet controls
3. Control Structure (con’t)
Control activities
prenumbered documents
segregation of duties
authorization
record keeping
custody
reconciliation
physical security
IT controls
preventive controls vs. detective controls
3. Control Structure (con’t)
Monitoring
internal auditing
follow-up of reporting errors
follow up of customer complaints
Questions
3. Control Structure (con’t)
Elements – Enterprise Risk Mgt Framework
internal environment
objective setting
event identification
risk assessment
risk response
control procedures
information and communication
monitoring
4. General Considerations
Entity’s specific context
Management’s responsibility
Extent of IT
Reasonable assurance
Limitations
4. General Considerations (continued)
Limitations
cost benefit issues
misunderstandings
mistakes of judgment
carelessness
collusion
management override
unusual transactions
4. General Considerations (continued)
Small business considerations
Design vs. implementation vs. operating
effectiveness
Auditability of entity
4. General Considerations (continued)
Why assess risk of material
misstatement?
determine nature, timing, and extent
of audit procedures
tests of controls
substantive tests
4. General Considerations (continued)
Trade-off Between Testing of Controls and Substantive Testing
[Figure: Substantive Testing vs. Tests of Controls. Detection Risk: High to Low; RMM: Low to High]
4. General Considerations (continued)
Control risk never zero
Some substantive procedures always required
Tests of controls
required for issuers (AS 5)
optional for nonissuers
Use of TOC evidence from previous audits
inquire of management – if no changes, can use
but must test every three years
5. Obtaining an Understanding
Extent of understanding necessary?
depends on
circumstances of the engagement
size and complexity of the entity
auditor’s experience with entity
identifying significant changes from prior years
sufficient to identify and assess RMM
Must include understanding of (follows top down approach)
design, implementation, effectiveness
significant accounts and disclosures, and their relevant assertions
entity-level controls and transaction-level controls
Must include knowledge of each IC element
Does not have to include all controls in the entity
5. Obtaining an Understanding (continued)
Procedures to obtain an understanding
(Risk Assessment Procedures)
inquiries
inspection
observation
analytical procedures
walk through
previous experience
5. Obtaining an Understanding (continued)
Documentation
Extent
Discussion among audit team
Key components and each element
Assessment of RMM at both f/s and assertion levels
Controls tested
Risks identified
Methods
Narrative
Questionnaire
Flowchart
Decision tree
Check list
6. Assessing RMM
Use top-down approach
identify risks at entity level and then relate to assertion level for
significant accounts and assertions
relate risks to what can go wrong at the relevant assertion level
consider if misstatements could rise to a material amount
consider the likelihood they would result in a material misstatement
Consider nature of transactions
routine transactions
nonroutine transactions
estimation transactions
6. Assessing RMM (con’t)
Examples of Risk Assessment Procedures used
to obtain understanding and assess risks
Inquiries – use different levels
Analytical procedures – high level of aggregation
Observation and inspection – prior year info –
consider changes
Discussion with audit team
6. Assessing RMM (con’t)
After assessment
Determine:
nature
timing
extent of testing (substantive and tests of
controls)
6. Assessing RMM (con’t)
Assessment levels
at the maximum
below the maximum
Initial assessment
Additional concepts for assessment
pervasive vs. specific effect
direct vs. indirect effect
compensating strengths
qualitative or quantitative assessment
7. Tests of Controls
Types of tests
inquiries
inspection
observation
reperformance
Requirements to perform tests of controls
7. Tests of Controls (con’t)
Approach to tests of controls
directed toward the operation of a control (design or implementation)
procedures used: inquiring, inspecting, observing
e.g., budget, IT general controls
directed toward the effectiveness of a control
procedures used: inquiring, inspecting, observing, reperforming
Dual purpose tests
7. Tests of Controls (con’t)
Internal control deficiency
the design or operation of a control does not allow management or employees to detect or prevent misstatements in a timely fashion
Design deficiency
control missing or so poorly designed it fails to detect or prevent misstatements even if operating as designed
Operating deficiency
properly designed control is either ignored or inappropriately
applied
8. Reassess RMM
Based on results from tests of controls
Could support
lower assessment
same assessment
higher assessment
Cumulative process
9. Design Substantive Tests
Audit program
Relationship between final assessment of CR and
substantive testing
Effect on substantive testing
nature
timing
extent
Questions
10. Types of Audit Procedures
Tests Related to 2nd Field Work Standard
risk assessment procedures
inquiry, inspection, observation, analytical procedures,
walk through, and prior experience
tests of controls
inquiry, inspection, observation, prior experience, and
reperforming
10. Types of Audit Procedures (continued)
Tests Related to 3rd Field Work Standard
substantive tests
substantive analytical procedures
tests of details
of transactions: vouching, tracing, reperforming, etc.
of balances: confirming, reconciling, observing, etc.
11. Communication of Internal Control Matters
Responsibility of auditor (nonissuer)
AU-C 265.02
The auditor is required to obtain an understanding of internal
control relevant to the audit when identifying and assessing the
risks of material misstatement. In making those risk assessments,
the auditor considers internal control in order to design audit
procedures that are appropriate in the circumstances but not for
the purpose of expressing an opinion on the effectiveness of
internal control. The auditor may identify deficiencies in internal
control not only during this risk assessment process but also at
any other stage of the audit. This section specifies which
identified deficiencies the auditor is required to communicate to
those charged with governance and management.
11. Communication of Internal Control Matters
Levels of deficiencies
control deficiencies
significant deficiencies
material weaknesses
Must communicate both significant deficiencies and material weaknesses to management and BOD
for issuers, must be in writing
Do not give statement of no deficiencies found
11. Communication of Internal Control Matters
Control deficiencies could result from deficiency in
design – no control, or existing control not
properly designed
operation – properly designed control not
operating as designed, or person performing
control does not possess necessary authority
or competence
11. Communication of Internal Control Matters
Material weaknesses
a deficiency, or combination of deficiencies, such
that there is a reasonable possibility* that a
material misstatement of the f/s will not be
prevented or detected
* based on FASB Stmt. No. 5 – includes reasonably
possible and probable
11. Communication of Internal Control Matters
Significant deficiencies
less severe than material weakness yet
important enough to merit attention
12. AS Requirements
Phases of AS 5 integrated audit
1. Plan the engagement
2. Use a top-down approach to gain an understanding
a) Identify entity-level controls
b) Walkthroughs
3. Testing internal control effectiveness
a) Design effectiveness
b) Operating effectiveness
4. Evaluating control deficiencies
a) Deficiencies
b) Significant deficiencies
c) Material weaknesses
5. Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
6. Reporting on internal control
12. AS Requirements (con’t)
Must use top down approach
Must issue opinion on the effectiveness of internal control
Not separate engagement
integrated audit of internal control and financial statements
Report
Unqualified – no material weaknesses found
Disclaimer of opinion – cannot perform all procedures considered
necessary
Adverse opinion – one or more material weaknesses found
Evaluate management’s report
13. Review Questions for Discussion
Chapter 5
5.3
5.4
5.5
5.7
5.8
5.10
5.13
5.14
5.15
5.17
5.18
5.21
5.26
5.29
5.30
5.31