Document 7232413
Download
Report
Transcript Document 7232413
Section 404 Audits of
Internal Control and
Control Risk
Chapter 10
Internal Control Objectives
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with laws and regulations
Management’s Responsibilities For Internal
Control
Management - responsible for establishing
and maintaining internal control
I/C offers reasonable assurance
I/C has inherent limitations
Management’s Responsibilities For Internal
Control
Management’s Section 404
reporting responsibilities
Design of internal control over financial reporting
• Focus is on controls over mgmt. assertions (Ch 6)
Operating effectiveness of controls
• Must be tested and evaluated for effectiveness
Auditor Responsibilities Related to
Internal Control
Second standard of fieldwork:
A sufficient understanding of internal control is to be
obtained in order to plan the audit and to determine
the nature, timing, and extent of tests to be performed.
Control over classes of transactions
(vs. account balances)
Auditor responsibilities for testing
and reporting (Ch. 2) on internal control
Five Components of Internal Control
Risk
assessment
Information and
communication
Control
activities
Monitoring
The Control Environment
Actions, policies and procedures that reflect overall
attitudes of top management (“tone from the top”)
•Integrity and ethical values
•Commitment to competence
•Board of directors or audit committee participation
•Management’s philosophy and operating style
•Organizational structure
•Assignment of authority and responsibility
•Human resources policies and practices
Risk Assessment
For audit purposes:
management’s identification and analysis of risks
relevant to the preparation of financial statements
in conformity with GAAP.
Control Activities
Policies and procedures (in addition to those in the
Other four components)
1.
2.
3.
4.
5.
Adequate separation of duties
Proper authorization of transactions and activities
Adequate documents and records
Physical control over assets and records
Independent checks on performance
Adequate Separation of Duties
Custody of assets
Accounting
Authorization
of transactions
The custody of
related assets
Operational
responsibility
Record-keeping
responsibility
IT duties
User departments
Proper Authorization of Transactions and
Activities
General authorization – policies for the
organization to follow.
Specific authorization – applies to
Individual transactions
Adequate Documents and Records
Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple use
Constructed to encourage correct preparation
Physical Control over Assets
and Records
The most important measure for safeguarding
assets and records is the use of physical
precautions – limit access to assets/records.
Independent Checks on Performance
The need for independent checks arises
because internal controls tend to change
over time unless there is a mechanism
for frequent review.
Information and Communication
The purpose of an accounting information
and communication system is to…
initiate, record, process, and report
the entity’s transactions and to maintain
accountability for the related assets.
Monitoring
Monitoring activities deal with management’s
ongoing and periodic assessment of the
quality of internal control performance…
to determine whether controls are operating
as intended and modified when needed.
How the Size of the Business Affects
Internal Control
In general the SEC believes that small
businesses should be expected to adhere
to the same internal control standards that
apply to larger public companies.
The SEC has also stated that the burden to
smaller companies can be disproportionate.
Four Phases of a Financial Statement Audit
Phase 1
Phase 2
Obtain an
understanding of
internal control:
design and
operation
Assess control
risk.
Phase 3
Design, perform,
and evaluate tests
of controls
Phase 4
Decide planned
detection risk
and substantive
tests.
Obtain and Document Understanding of
Internal Control
SAS 55 and PCAOB Standard 2 both require
the auditor to obtain an understanding
of internal control for every audit.
Procedures to obtain an understanding:
• Design of internal controls
• Whether placed in operation
• Uses this information as a basis for the
integrated audit.
Methods Used
Narrative
Flowchart
Internal
control
questionnaire
Narrative
1. The origin of every document
and record in the system
2. All processing that takes place
3. The disposition of every document
and record in the system
4. An indication of the controls relevant
to the assessment of control risk
Evaluating Internal Control Operation
Update and evaluate auditor’s previous
experience with the entity.
Make inquiries of client personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.
Assess Control Risk
Assess whether the financial statements
are auditable.
Determine assessed control risk supported
by the understanding obtained assuming
the controls are being followed.
Use of a control risk matrix to assess control risk
Control Risk Matrix
Identify transaction-related audit objectives.
Identify existing controls.
Associate controls with transaction-related
audit objectives.
Identify and evaluate control deficiencies,
significant deficiencies, and material weaknesses
Evaluating Significant Control Deficiencies
SIGNIFICANCE
Material
Material
Weakness
LIKELIHOOD Remote
Probable
Immaterial
Communicate Internal Control Deficiencies
and Related Matters
Audit committee communications
•Significant deficiencies and material
weaknesses must be communicated
Management letters
Tests of Controls
The procedures to test effectiveness of controls
in support of a reduced assessed control
risk are called tests of controls.
Procedures for Tests of Controls
1. Make inquiries of client personnel.
2. Examine documents, records, and reports.
3. Observe control-related activities.
4. Reperform client procedures.
Extent of Procedures
PCAOB 2 requires public company auditors
to test controls each year for all relevant assertions
for all significant accounts and transactions
• Reliance on evidence from prior year’s audit
PCAOB 2 is concerned with adequacy of I/C as of
the end of the fiscal year
•Timing of tests depends on the nature of controls
and frequency at which they are performed.
Procedures to Obtain an Understanding vs.
Tests of Controls
In obtaining an understanding, procedures are applied
to all controls to identify those likely to prevent/detect
Material misstatements in specified assertions.
Test of of controls are applied only when the assessed
control risk has not been done in obtaining an understanding.
Procedures to obtain an understanding are performed on
few transactions, while tests of controls are performed on
larger samples.
Relationship of Assessed Control
Risk and Extent of Procedures (Table 10-3)
Assessed control risk
Type of
procedure
High level:
Procedures to obtain
an understanding
Inquiry
Yes–extensive
Documentation Yes–with transaction
walk-through
Observation
Yes–with transaction
walk-through
Reperformance No
Lower level:
Tests of controls
Yes–some
Yes–using sampling
Yes–at multiple times
Yes–using sampling
Decide Planned Detection Risk and Design
Substantive Tests
The auditor uses the results of the control risk
assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.
The auditor links the control risk assessments
to the balance-related audit objectives.
Section 404 Reporting on Internal Control
1
The auditor’s opinion on whether management’s
assessment of the effectiveness of internal
control over financial reporting as of the
end of the fiscal period is fairly stated,
in all material respects.
Section 404 Reporting on Internal Control
2
The auditor’s opinion on whether the company
maintained, in all material respects, effective
internal control over financial reporting
as of the specified date.
Types of Opinions on Internal Controls
Over Financial Reporting
Unqualified –
• No identified material weaknesses
• No scope limitations
Adverse
• Material weaknesses exist
Qualified or disclaimer of opinion
• Scope limitation
Differences in Scope of Controls Tested:
Nonpublic Company
Internal controls over financial reporting
Internal controls used to assess
control risk below maximum
Controls that must be tested in
an audit of internal controls
(ICFR opinion expressed)
Controls that must be tested in
an audit of financial statements