Audit Final: Chapter 7
Terms in this set (51)
SOX Standards: In General
We have Audit Standards... AS1-AS6. Based on GAAS but it is more incremental; "GAAS +." Public Company Audits follow this.
SOX Standards: What type of approach?
Top-down, risk-based approach.
SOX Standards: I/C Reporting Requirements
If the company has >= $75mill in stock, management and auditors make ICFR reports. Below $75mill, only management needs to.
SOX 404: MGMT's Responsibility
Has to issue a report on ICFR as of year end on the 10-K, including the following: 1: Accept responsibility for the effectiveness of ICFR, 2: Evaluate ICFR based off of criteria (COSO Criteria), 3: Support evaluation (test it), 4: Report evaluation
SOX 404: Auditor's Responsibility (Also from AS5)
Issue report on ICFR as of year end and the regular audit report of the F/S. Both need the integrated audit approach, reasonable assurance comfort level still required.
Transition from AS2 to AS5
AS2 was much stricter, included a 3rd report... report on mgmt's report... everyone agreed that was dumb so they created AS5, which overrides AS2 and makes things easier.
"As of year end"
based on the final day of the year, but you must test throughout the year so that you can say the controls are good. only testing the last day isn't reliable... mgmt could always change operations for the last day.
Integrated audit approach
do both ICFR and F/S planning and testing at the same time. the results from each test supports the other test (controls good, less substantive testing overall, not just of IC, etc)
ICFR stands for... and it is...
Internal Controls over Financial Reporting. A process designed / executed by mgmt, to get reasonable assurance of the F/Report. Involves supervision of executives and senior management.
Who is responsible for the overall implementation of ICFR?
The client, in particular the Board of Directors.
Who is responsible for the reliability of ICFR?
The client's management, in particular CEO and CFO... they report it and sign off on it.
Control Deficiency: Design
Exists when the control is missing, or exists, but is improperly designed such that it doesn't meet its objective.
Control Deficiency: Operating
The control is operating improperly. Such as the J/E can't be made. The operator doesn't have the skill or authority.
Public Company: The weakness is remote
no need to report it. only matters if it is possible/probable
Public Company: Material Weakness
Report to audit committee, management, and 10-K
Control Deficiency: Significant Deficiency
Report to audit committee and management
Control Deficiency: Minor Control Deficiency
Report to management. It's noise level so it's not that important. Can be verbally reported too.
Control Deficiency: Likelihood and magnitude
determines if material, significant, or minor. the greater either is, the higher up the list it goes. Likelihood is either a remote chance or reasonably possible/probable. Magnitude is the size of the error (the materiality), which can be: not material or significant, not material but significant, or material.
other controls that make up for another control's deficiencies.
MGMT Process for Assessing ICFR: Steps
1: ID Financial reporting risks and related controls. 2: Consider Locations. 3: Evaluate/Test to determine operating effectiveness. 4: Documentation
MGMT Process for Assessing ICFR: Step 1
Identify financial reporting risks and related controls. So, detail specific controls and entity level controls (ELCs). The ELCs are similar to the IT's general controls.
MGMT Process for Assessing ICFR: Step 2
Consider Locations. Each location may have a different risk of materiality.
MGMT Process for Assessing ICFR: Step 3
Evaluate / Test to determine operating effectiveness. The higher risk items are the focus of the evaluation. The higher the risk the higher the amount of evidence needed. Can use direct and indirect testing (own people or outside firms, etc)
MGMT Process for Assessing ICFR: Step 4
Documentation. Just like auditors, they must document. Their documentation is as strict under SEC and PCAOB as our own.
Audit of ICFR: Steps
Planning, ID controls to test, Test Key Controls, Evaluate control deficiencies identified, form opinion/conclusion
Audit of ICFR: Planning
understand what mgmt did and results, but do not opine (make a statement) based on their work. assess the risk/fraud, and consider scaling the audit (based on client's size).
Audit of ICFR: Planning: Assess Risk/Fraud
SOX requires some testing no matter what, like test of controls or related party transactions, etc. SOX is not afraid to say you MUST do some things, especially anything susceptible to mgmt override and fraud.
Audit of ICFR: Identify Controls to test
Top-down approach. Steps: 1: ID ELCs, 2: ID Significant accts/disclosures/assertions, 3: ID likely sources of misstatement, 4: Select Key Controls to Test
Audit of ICFR: Identify Controls to Test: ELCs
Consider the control environment (mgmt's philosophy and integrity), and the period end reporting process.
Key Controls (for testing)
Any preventive and/or detective controls. Preventive would be like higher-ups must approve purchases, etc. Detective would be things like bank reconciliations.
Audit of ICFR: Test Key Controls: Design and operating effectiveness
Consider the nature, timing, and extent.
Design and Operating Effectiveness: Nature
some are routine, some are unique/rare like a Fixed Asset purchase. Inquire, walkthrough, confirmations, etc. help.
Design and Operating Effectiveness: Timing
When will you test? Test so that we can report as of year end. Testing early is okay, but you will have to rollforward for end of year.
Design and Operating Effectiveness: Extent
The more it is tested, the more audit comfort we have. Higher the risk or materiality, the higher the extent of testing.
Audit of ICFR: Test Key Controls: Using the PY knowledge in the CY
can use it thanks to AS5 to determine Nature/Timing/Extent. But using it isn't the same as skipping it. You will still have to do some testing at some point.
Audit of ICFR: IT Benchmarking
For IT items some can be skipped. Again (chap 6) there are General and Application Controls. If there are no significant changes to the application controls you can skip them.
Audit of ICFR: Evaluate Control Deficiencies Identified:
Focus on potential misstatements. Evaluate based on magnitude and likeliness of control failure. If there was a big auditing adjustment, maybe the controls aren't as appropriate as we thought.
Audit of ICFR: Evaluate Control Deficiencies Identified: Things to look out for
Table 7-7, here are some examples: Identification of ANY fraud, restatement of previously issued f/s to reflect the correction of a material misstatement, ineffective oversight of the company's external financial reporting and ICFR by the company's audit committee.
Audit of ICFR: Form an Opinion / Conclusion:
Might need remediation. you also need to get representation from management (need them to tell us when a prior control hasn't been fixed and why).
MGMT Fixes the weakness early enough for auditors and clients to re-test it and see that it works.
Remediation: Fixed by year end and testing happens after. What happens?
You know it's fixed but you still need to report it, because the report is as of 12/31. everything needs to be perfect as of 12/31. Usually fix it so that it can be tested at least twice.
Public Clients: MGMT's Reporting
determine every deficiency's severity, remediation status, and compensating controls. Tell auditor and audit committee it exists. Report material weaknesses on 10-K (unless properly remediated). Minor deficiencies just need to be told to auditors.
Public Clients: MGMT's Clean ICFR Reports
clean only if NO remaining material weaknesses as of 12/31. If even one material weakness, there is an ADVERSE opinion.
Public Clients: Auditor Reporting: In General
Can be separate or combined with the f/s opinion. 3 Types: Unqualified, Adverse, and Disclaimer.
What if an Adverse opinion on controls, but unqualified opinion on f/s?
Possible. unremediated material weakness as of year end so report is adverse. But material weakness does not equal material misstatement HAS occurred, just that it could. so still possible that none have...yet.
Public Clients: Auditor Reporting: Unqualified Opinion
no material weaknesses at all.
Public Clients: Auditor Reporting: Adverse Opinion
One or more material weaknesses
Public Clients: Auditor Reporting: Disclaimer
can't do enough testing to say if it's adverse or unqualified. like the client won't let you do the testing, etc.
Public Clients: Auditor Reporting: Interim Report on Remediation
After year-end to help client out, mid year before the next audit you can say if they've fixed w/e control made your opinion adverse. that way they don't have to wait until the next year end...
Public Clients: Auditor Reporting: Minor Deficiencies
Report to audit committee. For SOX (public companies) it is always in writing.
Scope of Audit of ICFR
designed to find material weaknesses. Not set to find significant deficiencies, so we can only report on the significant deficiencies we found. we also can't say there were none at all just because we didn't find them.