module 3 – internal control park avenue cpa review joseph a. maffia, cpa
TRANSCRIPT
module 3 – Internal Control
Park Avenue CPA ReviewPark Avenue CPA ReviewJoseph A. Maffia, CPAJoseph A. Maffia, CPA
Park Avenue CPA ReviewPark Avenue CPA ReviewJoseph A. Maffia, CPAJoseph A. Maffia, CPA
How to reach [email protected]@ParkAveCPAReview.c
omomJoseph A. Maffia, CPAJoseph A. Maffia, CPA
How to reach [email protected]@ParkAveCPAReview.c
omomJoseph A. Maffia, CPAJoseph A. Maffia, CPA
Session Objectives Clarity project and terms
Nature of Internal Control
Auditor’s Consideration of Internal Control
Audits of Internal Control
Accounting Cycles
Other Considerations
Clarity Project If your taking the exam before June 30, 2013 then AU
sections apply
If your taking the exam after June 30, 2012 then AU-C sections apply
Focus will be on AU-C
Will point out the differences
Nature of Internal control
Understanding Internal control The second standard of fieldwork states:
A sufficient understanding of the entity and its environment, including internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud to design the nature timing and extent of further audit procedures.
Summary of Internal Control Definition A process, effected by the entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity’s) objectives on: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations
Control Objectives In each area of internal control (financial reporting,
operations and compliance) Control objectives and Sub objectives exist
Example: Area of financial reporting Top level objective – prepare and issue reliable financial information Detailed level applied to A/R sub objectives
All goods shipped are accurately billed in the proper period Invoices are accurately recorded for all authorized shipments and only
for such shipments Authorized and only authorized sales returns and allowances are
accurately recorded The continued completeness and accuracy of A/R is ensured Accounts receivable records are safeguarded
Controls over Financial Reporting• Preventive
– Aimed at avoiding the occurrence of misstatements in the financial statements– Example: Segregation of duties
• Detective– Designed to discover misstatements after they have occurred– Example: Monthly bank reconciliations
• Corrective– Needed to remedy the situation uncovered by detective controls– Example: Backups of master file
• Controls overlap– Complementary – function together– Redundant – address same assertion or control objective– Compensating – reduces risk existing weakness will result in misstatement
Components of Internal Control
The Control Environment Risk Assessment The Accounting Information and Communication
System Control Activities Monitoring
Ways to remember Components of Internal Control
CRIME
Control activities
Risk Assessment
Information and Communication
Monitoring
Control Environment
Ways to remember Components of Internal Control
CA CERAMIC
Control Environment Factors“ICHAMBO”
Integrity and ethical values
Commitment to competence
Human resource policies and practices
Assignment of authority and responsibility
Management philosophy and operating style
Board of directors or audit committee – independence and oversight
Organizational structure
Commitment to Integrity and ethical values
Board of directors – independent of mgmt and provides oversight
Management establishes structure, reporting lines and appropriate authority.
Organization committed to attract and retain competent individuals.
Organization holds individuals accountable
Risk Assessment
Changes in environment, technology, products or activities
New Accounting pronouncements
Foreign operations
Restructuring
Rapid growth
New information systems
Identify risks to achieving entity’s objectives
Clear objectives – identify and assess risks
Identifies and manages risks to achievement of objectives.
Segregation of duties ( separate authorization, recording, and custody)
Control Activities “PIPS”
Performance reviews ( reviews of act vs. budget, forecasts, etc)
Information processing (controls that check accuracy, completeness and authorization of transactions.
Physical controls ( activities that assure the physical security of assets and records)
Segregation of duties ( separate authorization, recording, and custody)
Mitigate risks to acceptable levels
General control activities over technology
Deploys control activities
Monitoring
Internal Control Performance over time
Ongoing – recurring activities
Separate evaluations
Combination
Performs ongoing and or separate evaluations
Communicates i/c deficiencies in a timely manner to senior management and Board
Information and Communication
Methods and records to record, process, summarize and report accounting transactions
Transactions goals All valid transaction recorded Describe on a timely basis Measure the value properly Proper period Properly disclose Communicate responsibilities to employees
Uses relevant and quality information
Communication information – including objectives and responsibility for internal control.
Communicates with external parties
New framework issued in December 2011 which is effective early 2013.
Won’t be covered till end of 2013.
Incorporates many new enhancements
Codification of the original internal control concepts into principles and attributes which provide clarity.
23
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), was formed in 1985 to improve the quality of financial reporting through business ethics, effective internal controls and corporate governance. Based on these principles, they developed and published the COSO framework in 1992 as a foundation for establishing internal control systems and determining their effectiveness.
Coso provides the framework for internal control – which is used to evaluate the internal control of an organization.
www.coso.org
24
Committee for sponsoring organizations of the Treadway Commission
Sponsoring organizationsAmerican Accounting AssociationAICPAFinancial Executives InternationalThe Association for Accountants and Financial Professionals in BusinessThe Institute of Internal Auditors
Who are the sponsors?
COSO Components Defined
Control Environment• The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.
Risk Assessment• Every entity faces a variety of risks from external and internal sources that must be
assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Control Activities Control activities are the policies and procedures that help ensure management
directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
COSO Components Defined (cont.)
Information and Communication• Pertinent information must be identified, captured and communicated in a form and
timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring• Internal control systems need to be monitored -- a process that assesses the quality
of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
Financial Statement Assertions
Relevant assertions are those that, without regard for controls, have a reasonable possibility of containing a material misstatement; types Assertions about account balances (Accounts) Assertions about classes of transactions and events
(Transactions) Assertions about presentation and disclosure (Disclosures)
Financial Statement Assertions: Auditing
Standards Board and International Standards
Accounts Transactions Disclosures
Existence Occurrence Occurrence
Rights and obligations
Rights and obligations
Completeness Completeness Completeness
Valuation and allocation
Accuracy Accuracy and valuation
Cutoff
Classification Classification and understandability
Combined Assertions “PERVC”
Presentation and Disclosure--Accounts are described and classified in accordance with generally accepted accounting principles, and financial statement disclosures are complete, appropriate, and clearly expressed
Existence or Occurrence--Assets, liabilities, and equity interests exist and recorded transactions have occurred
Rights and Obligations--The company holds rights to the assets, and liability are the obligations of the company
Valuation, Allocation and Accuracy—All transactions, assets, liabilities and equity interests are included in the financial statements at proper amounts
Completeness and Cutoff--All assets, liabilities, equity interests, and transactions that should have been recorded have been recorded. Transactions and events have been recorded in the correct accounting period
Documenting the Understanding of Internal Control
Questionnaires Typically standardized by firm
Written Narratives Memos that describe flow of transactions
Flowcharts Systems flowcharts
Walk-through Trace one or two transaction through cycle
Decision tables
Limitations of Internal Control
Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
Controls that depend on the segregation of duties may be circumvented by collusion
Management may override the structure Compliance may deteriorate over time Cost constraints Custom and cultural limitations
Foreign Corrupt Practices Act
Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business
The Act Requires an effective system of internal control
(accounting control) Makes illegal payment of bribes to foreign officials Applies to SEC corporations Accurate set of books
Auditors’ Overall Approach with Internal Control
Overall approach of an audit1. Plan the audit2. Obtain an understanding of the client and its environment,
including internal control3. Assess the risks of material misstatement and design further
audit procedures4. Perform further audit procedures5. Complete the audit6. Form an opinion and issue the audit report
Steps 2-4 relate most directly to the role of internal control in financial statement audits
Auditors’ Overall Approach with Internal Control
2. Obtain an understanding of the client and its environment, including internal control
Risk Assessment procedures3. Assess the risks of material misstatement and design further
audit procedures4. Perform further audit procedures Test of controls Substantive procedures
Risk Assessment procedures
Inquiries of management Observing the application of specific controls Inspecting documents and records Tracing transactions through the information systemUsed to get an understanding of the components of internal
control – the design and whether implemented.
Use this information to: Identify types of potential misstatements Consider factors that affect the risk of material misstatement Design tests of controls and substantive procedures.
Internal Controls
Implemented Operating effectiveness Further audit procedures
Questions When must you test controls? What is a Dual purpose test Can you use prior years knowledge When do you perform test of controls? Any difference with IT Controls?
Four ways to test controls
Inspection
Observation
Inquiry
Re-performance
Assess risks of Material Misstatement
Identifying risks Relating the risks to what can go wrong at the relevant
assertion level Considering whether the risks are of a magnitude that could
result in a material misstatement Consider the likelihood that risks could result in material
misstatement.
Communication of Internal Control Matters
Required written communication
Internal control communication to management and those charged with governance.
Communication of significant deficiencies and material weakness
Relationships Among Deficiencies
Deficiency in
Internal Control
Less than Significant Material
Significant Deficiency Weakness
Material weakness
A deficiency or combination of deficiencies in internal control such that there is a reasonable possibility that a material misstatement will not be prevent or detected and corrected on a timely basis
Significant deficiency
A deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
Deficiency
The design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
AKA as control deficiency
Indications of Material weakness
Fraud
Restatement of financial statements
Auditor found material misstatement
Ineffective oversight over financial reporting and internal control by TCWG.
Written communication
Required 60 days following the report release date.
Best if issued with the report.
PCAOB Audits
Integrated audits
Sarbanes-Oxley Act of 2002
Section 404 404(a) – requires annual report filed with SEC to
include an internal control report Management acknowledges responsibility for establishing
and maintaining adequate internal control Provides assessment of internal control effectiveness at end
of fiscal year 404(b) – requires CPA firm to audit internal control
and express an opinion on effectiveness of internal control. (Required for companies with a capitalization in excess of $75,000,000)
Management’s Report on Internal Control under Section 404a
Acknowledgment of responsibility for internal control
An assessment of internal control effectiveness as of the last day of the company’s fiscal yearn using suitable criteria
Support the evaluation with sufficient evidence
Goal – whether material weakness exist
Approach to Audit of Internal Control under Section 404b
This section applies to public companies with a market capitalization of $75 million or more. For those companies, the auditors audit internal control as a part of an integrated audit as follows: Plan the engagement Use a top-down approach to identify the controls to test Test and evaluate design effectiveness of internal control Test and evaluate operating effectiveness of internal control Form an opinion on effectiveness of internal control over
financial reporting
Internal control audits
Required for Issuers
Not required for Issuers
Nature of an Integrated Audit
Auditors of public companies should report on: Financial statements and Internal control over financial reporting
Based on provisions of PCAOB Standard No. 5, the audits of internal control and financial reporting should be integrated
Management’s Responsibility
Accept responsibility for effectiveness
Evaluate the effectiveness using suitable criteria
Support the evaluation with sufficient evidence
Provide a report on internal control
Management’s Report on I/C
Report must: State that it is management’s responsibility to establish and maintain
adequate internal control. Identify management’s framework for evaluating internal control. Include management’s assessment of the effectiveness of the
company’s internal control over financial reporting as of the end of the most recent fiscal period, including a statement as to whether internal control over financial reporting is effective.
Include a statement that the company’s auditors have issued an attestation report on management’s assessment.
Management Assessment
• Management can be assisted by consultants but not by the CPA firm that conducts the audit of financial statements
• Must understand definition of internal control adopted by the SEC
• Evaluation must use an accepted “control framework” such as Internal Control-Integrated Framework created by COSO.
• Must understand concepts of control deficiency, significant deficiency and material weakness
Objective of Management’s Evaluation of I/C
Provide a reasonable basis for its annual assessment
Process Evaluate design effectiveness of controls Evaluate operating effectiveness of internal control Documentation of process Reporting
Auditor’s Objective
Plan and perform the audit to obtain reasonable assurance about whether material weaknesses exist to express an opinion on company’s internal control over financial reporting
Evidence gathered as of date specified in management’s assessment – normally the last day of the company’s fiscal year
Audit Steps
1. Plan the engagement
2. Use a top-down approach to identify controls to test
3. Test and evaluate design effectiveness of internal control
4. Test and evaluate operating effectiveness of internal control
5. Form an opinion on the effectiveness of internal control
Plan the Engagement
Efficient planning requires coordination with financial statement audit
Consider matters such as: Client’s industry Regulatory matters Client’s business Recent changes in client’s operations
Auditors’ Consideration of I/C
Difference between audit of internal control and audit of financial statements Time period
Audit of internal control –as of date Audit of financial statements – entire financial statement period
Differences between small and large clients Degree of complexity of operations
Top-Down Approach
Top-Down Approach
Financial Statements ====Entity level controls
Significant accounts and disclosures
Relevant assertions
Major classes of transactions
Top-Down Approach
Goal is to focus on testing those controls that are most important to auditor’s conclusion on internal control, avoiding those that are less important
Starts at top Entity-level controls – those in control environment or
monitoring components of internal control Emphasize those relating to audit committee effectiveness, fraud,
and period-end process Direct or indirect effect
Significant Accounts and Disclosures
• Account significant if reasonable possibility that it could contain a misstatement that individually or in aggregate has a material effect on financial statements
• Factors– Size and composition.– Susceptibility of loss due to errors or fraud.– Volume of activity, complexity, and homogeneity of individual
transactions.– Nature of the account.– Accounting and reporting complexity.– Exposure to losses.– Possibility of significant contingent liabilities.– Existence of related party transactions.– Changes from the prior period.
Identifying Relevant Assertions
Relevant Those that have meaningful bearing on whether account is
presented fairly
(1) existence or occurrence;
(2) completeness;
(3) valuation or allocation;
(4) rights and obligations; and/or
(5) presentation and disclosure.
Design Effectiveness
Routine transactions are for recurring activities, Examples: sales, purchases, cash receipts and disbursements, and
payroll.
Nonroutine transactions occur only periodically; they generally are not part of the routine flow of transactions Examples: transactions such as counting and pricing inventory,
calculating depreciation expense, or determining prepaid expenses.
Accounting estimates are activities involving management’s judgments or assumptions, Examples: determining the allowance for doubtful accounts,
estimating warranty reserves and assessing assets for impairment
Likely Source of Misstatements
Understand the flow of transactions;
Verify points within the company’s processes at which a misstatement could arise that could be material;
Identify the controls management has implemented to address these potential misstatements; and
Identify the controls management has implemented to prevent or detect on a timely basis unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement.
Selecting Controls
Not necessary to design tests of all controls
Redundant controls Do not need to test if duplicate control is tested
Design tests for preventive and/or detective controls
Complementary controls Should both be tested
Performing Walk-Throughs Walk-through
Tracing a transaction from its origination through the company’s information system until it is reflected in the company’s financial reports
Provide evidence to: Verify that they have identified points at which a significant risk of
misstatement to a relevant assertion exists. Verify their understanding of the design of controls, including those
related to the prevention or detection of fraud. Evaluate the effectiveness of the design of controls. Confirm whether controls have been placed in operation (implemented).
Tests of Operating Effectiveness
• Nature– Inquiries, inspections, observations and reperformance– Vary exact tests when possible
• Timing– Sufficient period of time– Periodic controls – wait to after report date
• Extent – Depend on frequency of control
Relationship Between Audits Tests of controls
Same for internal control audit and financial statement audit
Evidence from internal control audit can be used for financial statement audit
Differences between audits Objectives are different
Integrated audit Testing should be spread through the year to satisfy both
objectives
Effects of Internal Control Testing on Audit Substantive Procedures
Integrated audit requires tests of controls for all major account and relevant assertions Will lead to decreased scope of substantive procedures However, significant deficiencies or material weaknesses could
lead to more substantive procedures Not acceptable to omit substantive procedures completely
Effect of Substantive Procedures on Audit of Internal Control
Findings from substantive procedures may affect audit of internal control Could provide evidence of effectiveness or ineffectiveness of
internal control over financial reporting Example: Identification of material misstatement in financial
statements is indicative of at least a significant deficiency in internal control
Form an opinion
Evaluate:
1. The results of their evaluation of the design,
2. The results of tests of the operating effectiveness of controls,
3. Negative results of substantive procedures performed during the financial statement audit, and
4. Any identified control deficiencies.
Circumstances Affecting the Auditors’ Opinions
Other Communication Requirements
• Communicate in writing to management– All control deficiencies regardless of severity
• To audit committee– Material weaknesses, significant deficiencies and that all
deficiencies have been communicated to management
• To board of directors– If conclude oversight of financial reporting and internal control
is ineffective
Other Report
Reporting on Whether a Previously Reported Material Weakness Continues to Exist Management believes material weakness has been eliminated Auditor engaged to report on whether material weakness
continues to exist Engagement focused on evidence regarding material weakness
Integrated Audis for Nonpublic Companies
A nonpublic company may choose to have an integrated audit of its financial statements and its internal control. While the service is very similar to that for public companies, it differs as follows:
Questions?
[email protected]@ParkAveCPAReview.comJoseph A. Maffia, CPAJoseph A. Maffia, CPA
Questions?
[email protected]@ParkAveCPAReview.comJoseph A. Maffia, CPAJoseph A. Maffia, CPA