Integrated Audits of Internal Control

Integrated Audits of Public Companies Chapter 18 McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.



18-2

Nature of an Integrated Audit

Auditors of public companies should report on:

• Financial statements and

• Internal control over financial reporting

Based on provisions of PCAOB Standard No. 5, the audits of internal control and financial reporting should be integrated


18-3

Sarbanes-Oxley Act of 2002

Section 404

404(a) – requires annual report filed with SEC to include an internal control report

• Management acknowledges responsibility for establishing and maintaining adequate internal control

• Provides assessment of internal control effectiveness at end of fiscal year

404(b) – requires CPA firm to audit internal control and express an opinion on effectiveness of internal control. (Required for companies with a capitalization in excess of $75,000,000)


18-4

Management’s Responsibility

Accept responsibility for effectiveness

Evaluate the effectiveness using suitable criteria

Support the evaluation with sufficient evidence

Provide a report on internal control


18-5

Management’s Report on I/C

Report must:

• State that it is management’s responsibility to establish and maintain adequate internal control.

• Identify management’s framework for evaluating internal control.

• Include management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the most recent fiscal period, including a statement as to whether internal control over financial reporting is effective.

• Include a statement that the company’s auditors have issued an attestation report on management’s assessment.


18-6

Management Assessment

Management can be assisted by consultants but not by the CPA firm that conducts the audit of financial statements

Must understand definition of internal control adopted by the SEC

Evaluation must use an accepted “control framework” such as Internal Control-Integrated Framework created by COSO.

Must understand concepts of control deficiency, significant deficiency and material weakness


18-8

Relationships Among Deficiencies

[Diagram: Deficiency in Internal Control, divided into Less than Significant, Significant Deficiency, and Material Weakness]


18-9

Control concepts

Control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis

Levels of severity of control deficiencies

• Less than a significant deficiency

• Significant deficiency – less severe than material weakness yet important enough to merit attention

• Material weakness – reasonable possibility that a material misstatement will not be prevented or detected


18-10

Objective of Management’s Evaluation of I/C

Provide a reasonable basis for its annual assessment

Process

Evaluate design effectiveness of controls

Evaluate operating effectiveness of internal control

Documentation of process

Reporting


18-11

Auditor’s Objective

Plan and perform the audit to obtain reasonable assurance about whether material weaknesses exist to express an opinion on company’s internal control over financial reporting

Evidence gathered as of date specified in management’s assessment – normally the last day of the company’s fiscal year


18-12

Audit Steps

1. Plan the engagement

2. Use a top-down approach to identify controls to test

3. Test and evaluate design effectiveness of internal control

4. Test and evaluate operating effectiveness of internal control

5. Form an opinion on the effectiveness of internal control


18-14

Plan the Engagement

Efficient planning requires coordination with financial statement audit

Consider matters such as:

• Client’s industry

• Regulatory matters

• Client’s business

• Recent changes in client’s operations


18-15

Auditors’ Consideration of I/C

Difference between audit of internal control and audit of financial statements

Time period

• Audit of internal control – as of date

• Audit of financial statements – entire financial statement period

Differences between small and large clients

Degree of complexity of operations


18-17

Top-Down Approach

Goal is to focus on testing those controls that are most important to auditor’s conclusion on internal control, avoiding those that are less important

Starts at top

Entity-level controls – those in control environment or monitoring components of internal control

• Emphasize those relating to audit committee effectiveness, fraud, and period-end process

• Direct or indirect effect


18-19

Significant Accounts and Disclosures

Account significant if reasonable possibility that it could contain a misstatement that individually or in aggregate has a material effect on financial statements

Factors

• Size and composition.

• Susceptibility of loss due to errors or fraud.

• Volume of activity, complexity, and homogeneity of individual transactions.

• Nature of the account.

• Accounting and reporting complexity.

• Exposure to losses.

• Possibility of significant contingent liabilities.

• Existence of related party transactions.

• Changes from the prior period.


18-20

Identifying Relevant Assertions

Relevant

Those that have meaningful bearing on whether account is presented fairly

(1) existence or occurrence;

(2) completeness;

(3) valuation or allocation;

(4) rights and obligations; and/or

(5) presentation and disclosure.


18-21

Design Effectiveness

Routine transactions are for recurring activities

• Examples: sales, purchases, cash receipts and disbursements, and payroll.

Nonroutine transactions occur only periodically; they generally are not part of the routine flow of transactions

• Examples: transactions such as counting and pricing inventory, calculating depreciation expense, or determining prepaid expenses.

Accounting estimates are activities involving management’s judgments or assumptions

• Examples: determining the allowance for doubtful accounts, estimating warranty reserves and assessing assets for impairment


18-22

Likely Source of Misstatements

• Understand the flow of transactions;

• Verify points within the company’s processes at which a misstatement could arise that could be material;

• Identify the controls management has implemented to address these potential misstatements; and

• Identify the controls management has implemented to prevent or detect on a timely basis unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement.


18-23

Selecting Controls

Not necessary to design tests of all controls

Redundant controls

• Do not need to test if duplicate control is tested

Design tests for preventive and/or detective controls

Complementary controls

• Should both be tested


18-24

Performing Walk-Throughs

Walk-through

Tracing a transaction from its origination through the company’s information system until it is reflected in the company’s financial reports

Provide evidence to:

• Verify that they have identified points at which a significant risk of misstatement to a relevant assertion exists.

• Verify their understanding of the design of controls, including those related to the prevention or detection of fraud.

• Evaluate the effectiveness of the design of controls.

• Confirm whether controls have been placed in operation (implemented).


18-25

Tests of Operating Effectiveness

Nature

• Inquiries, inspections, observations and reperformance

• Vary exact tests when possible

Timing

• Sufficient period of time

• Periodic controls – wait until after report date

Extent

• Depend on frequency of control


18-26

Frequency of Testing


18-27

Relationship Between Audits

Tests of controls

• Same for internal control audit and financial statement audit

• Evidence from internal control audit can be used for financial statement audit

Differences between audits

• Objectives are different

Integrated audit

• Testing should be spread through the year to satisfy both objectives


18-28

Effects of Internal Control Testing on Audit Substantive Procedures

Integrated audit requires tests of controls for all major accounts and relevant assertions

• Will lead to decreased scope of substantive procedures

• However, significant deficiencies or material weaknesses could lead to more substantive procedures

Not acceptable to omit substantive procedures completely


18-29

Effect of Substantive Procedures on Audit of Internal Control

Findings from substantive procedures may affect audit of internal control

• Could provide evidence of effectiveness or ineffectiveness of internal control over financial reporting

• Example: Identification of material misstatement in financial statements is indicative of at least a significant deficiency in internal control


18-30

Form an opinion

Evaluate:

1. The results of their evaluation of the design,

2. The results of tests of the operating effectiveness of controls,

3. Negative results of substantive procedures performed during the financial statement audit, and

4. Any identified control deficiencies.


18-32

Circumstances Affecting the Auditors’ Opinions


18-33

Other Communication Requirements

Communicate in writing to management

• All control deficiencies regardless of severity

To audit committee

• Material weaknesses, significant deficiencies and that all deficiencies have been communicated to management

To board of directors

• If conclude oversight of financial reporting and internal control is ineffective


18-34

Other Report

Reporting on Whether a Previously Reported Material Weakness Continues to Exist

• Management believes material weakness has been eliminated

• Auditor engaged to report on whether material weakness continues to exist

• Engagement focused on evidence regarding material weakness


18-35

Integrated Audits for Nonpublic Companies

A nonpublic company may choose to have an integrated audit of its financial statements and its internal control. While the service is very similar to that for public companies, it differs as follows: