Auditing Exam# 2 Chapter 5
Terms in this set (71)
a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives
Three Components of Internal Control
Reliability of financial reporting;
Effectiveness and efficiency of operations;
Compliance with applicable laws and regulations
Limitations of Internal Control
the cost of an entity's internal control should not exceed the benefits that are expected to be derived.
Responsibility for establishing and maintaining adequate internal control over financial reporting
Assess and report on the effectiveness of internal control over financial reporting
For public companies, must audit and issue an opinion about the effectiveness of the internal control over financial reporting
For each fraud risk, must evaluate whether controls are in place to mitigate the fraud risk
Must assess control risk to determine the nature, timing and extent of substantive procedures to be performed
Less Reliance on Internal Control (Higher control risk; lower detection risk)
Nature - More effective tests (use of direct external evidence); Timing - Testing performed at year-end; Extent - Higher sample size
More reliance on internal control (lower control risk; higher detection risk)
Less effective tests (use of internal evidence); Testing can be performed at interim; Lower sample size
Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting
Internal Control Components (COSO)
Control Environment; Risk Assessment; Control Activities; Monitoring; Information and Communication
Interrelated Components of Internal Control
Control Environment > Risk Assessment > Control Procedures > Information and Communication > Monitoring
"tone at the top" of an organization; foundation; auditor must obtain a detailed understanding of the control environment and document that understanding.
Control Environment—General Principles
Integrity and ethical values
Board of directors
Management's philosophy and operating style
Financial reporting competencies
Authority and responsibility
3-6 "outside" members of Board.
Provides a buffer between the audit team and operating management.
Members must be "financially literate."
One "financial expert"
Audit Committee Duties
Appointment, compensation, and oversight of the public accounting firm conducting the entity's audit.
Resolution of disagreements between management and the audit team.
Oversight of the entity's internal audit function.
Approval of nonaudit services provided by the public accounting firm performing the audit engagement.
Management's identification and analysis of relevant risks to achievement of its objectives.
Enterprise Risk Management
Provides framework for risk management
Auditors focus on risk of material misstatement
Auditor Focus - Risk Assessment
Assessing risks relevant to financial reporting objectives, including fraud risk
Assessing the likelihood and significance of risk of misstatements due to fraud
Deciding about actions to address these risks
The policies and procedures that help ensure management directives are carried out.
- Physical controls over the security of assets
- Separation of duties
- Information Processing
- Performance reviews
(Preventive controls vs. detective controls)
Approvals and authorization
Verifications and reconciliations
Principles of control activities
Information technology; Level of integration with their risk assessment process; Selection and development of control activities; Policies and procedures
Risk of Material Misstatement
Sales revenue is recorded when the goods had not been shipped to the customers; Goods will be shipped to a new customer that is unable to pay for the goods; Goods will be shipped to a customer, and the revenue is not recorded
All sales invoices are matched to shipping documents before recording in general ledger; Credit department performs a detailed credit check for all new customers; All shipping documents are matched to sales invoices that have been recorded in general ledger
Test of Control Activity
For a sample of sales revenue entries in general ledger, vouch to proper shipping document; For a sample of new customers, examine documentation that indicates a proper credit check was performed; For a sample of shipping documents, trace amount shipped to a sales invoice recorded in the general ledger
Why Separate Duties?
Combining duties allows a single person to create and conceal errors and frauds.
Segregating duties forces people to commit fraud through collusion—a much harder task!
Financial Statement Assertion Supported
Occurrence; Accuracy; Completeness
Purchase orders must be authorized by purchasing department before any purchase is made
All invoices received from vendors for payment must be matched to receiving report and purchase order to ensure that the quantity billed agrees with the quantity ordered and received at previously agreed-upon prices
Prenumbered documents (checks, purchase orders, and receiving reports) must be used and accounted for to ensure that all transactions have been recorded
produces a trail of activities from data identification to financial reports. This is known as the "audit trail"
Occurrence Assertion Direction
They follow it backward from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents
Completeness Assertion Direction
They follow it forward from source documents to reports to determine whether everything that happened (transaction) was recorded in the accounts and reported in the financial statements
Occurrence and Completeness of a sales transaction
Sales Order > Sales Authorization > Shipping Documents > Sales Invoice > Financial Statements
Management's process that assesses the quality of the internal control's performance over time -
>Periodic evaluation by internal auditing
>Supervisory review of controls
>Follow-up of reporting errors
>Follow-up of customer complaints
>Audit committee inquiries
Ongoing and separate evaluations; Reporting deficiencies
Internal Control Evaluation
Phase 1: Understand and document > Phase 2: Assess control risk (Preliminary) > Phase 3: Identify Controls to Test and Perform Test of Controls
Phase 1: Understand and document
Understand the client's internal control;
Document the understanding of internal control
>Internal Control questionnaire
>Accounting and control system flowcharts
Phase 2: Assess control risk (Preliminary)
Consider cost effectiveness of reliance/testing.
Phase 3: Identify Controls to Test and Perform Test of Controls
Perform test of controls audit procedures
Re-assess control risk
Documenting Internal Control Understanding
An auditor must document their understanding of internal control on every audit. Can be documented with:
An auditor may choose not to test controls for one of two reasons:
Internal control system is too ineffective in preventing or detecting misstatements;
It may take more time to test controls than it would to just perform more substantive testing to provide evidence needed to conclude about a financial statement assertion
For public company audits
an auditor MUST test controls
Tests of Controls
After identifying specific control activities that can be relied on to reduce substantive testing for a financial statement assertion, must test the control
Tests of Controls (from the least persuasive to the most persuasive form of evidence)
(Direction of test does matter)
audit of internal control and financial statements
AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
Auditors must provide their opinion on the effectiveness of client's internal control;
Not a separate engagement; Public Companies
Differences Between AS 5 Internal Control Audits and Financial Statement Audits
Scope > Reporting > Timing
Internal Control Audit (Scope)
Test each relevant control activity each year
Internal Control Audit (Reporting)
Opinion on the effectiveness of internal control
Internal Control Audit (Timing)
Evaluate effectiveness of internal control as of the fiscal year-end
Financial Statement Audits (Scope)
Test relevant control activities if relying on them
Financial Statement Audits (Reporting)
No opinion on internal control
Financial Statement Audits (Timing)
Evaluate effectiveness of internal control throughout the fiscal year
Phases of the engagement
>Planning the engagement
>Evaluating identified deficiencies
>Reporting on internal control
Step 1: Planning the engagement
Consider knowledge of industry
Consider knowledge of business
Consider extent of changes in operations
Consider extent of changes in internal control
Evaluate controls for all relevant assertions for all significant accounts or disclosures.
Using a top-down approach
Identify entity-level controls
Auditor must perform work related to:
>Company-wide anti-fraud programs
>Controls that have a pervasive effect
Auditor but can incorporate work of internal auditors and others
>Must obtain "principal evidence" for opinion on their own
>Must assess competence and objectivity
>Can't reduce work on control environment
Testing Controls: Design Effectiveness
Design effectiveness determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements.
After an understanding of internal controls is gained through inquiry, inspection, and observation, the controls are evaluated for the possibility that the controls would not prevent or detect a misstatement.
Testing Controls: Operating Effectiveness
Operating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
A sample of transactions is examined using inquiry, observation, inspection, and reperformance.
Tests of controls would not be performed if design is not evaluated as effective.
Evaluate identified deficiencies
Whether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion.
More serious internal control deficiencies can be categorized into one of two groups, significant deficiencies or material weaknesses, depending on their severity.
is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control's objective.
on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained).
Identify significant deficiencies
While not material, they are important enough to bring to the attention of those charged with governance (usually the audit committee).
>Absence of appropriate separation of duties.
>Absence of appropriate reviews and approvals of transactions.
>Evidence of failure of control procedures.
are defined as conditions, or combinations of conditions, that could adversely affect the organization's ability to initiate, record, process, and report financial data in the financial statements.
in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
Indicators of possible material weakness
>Restatement of previously issued financial statements to reflect the correction of a misstatement.
>Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client's internal controls.
>Ineffective oversight of financial reporting process by entity's audit committee.
>Indication of fraud (either material or immaterial) by senior management.
difference between a significant deficiency and a material weakness
the (1) likelihood and (2) materiality that a potential (or actual) misstatement would not be detected on a timely basis.
Auditors can issue one of three types of opinions on internal control over financial reporting (Evaluate management's report on the effectiveness of internal control.)
No material weaknesses found
Disclaimer of opinion
The audit team cannot perform all of the procedures considered necessary
One or more material weaknesses found
Reporting on Internal Control
Can be a separate report on internal control
>Opinion on financial statements contained in separate audit report
>Extra paragraph added to report on internal control referencing opinion on financial statements.
Or an integrated audit report and report on internal control and the financial statements
>Includes auditor's opinions on 1) internal control effectiveness, and 2) the fairness of the company's financial statements.