McGraw-Hill/Irwin © The McGraw-Hill Companies 2010 Auditing Internal Control over Financial Reporting Chapter Seven


Management Responsibilities under Section 404

Section 404 of the Sarbanes-Oxley Act requires the management of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining ‘adequate’ internal control over financial reporting (ICFR).


Management must comply with the following in order for its public accounting firm to complete an audit of ICFR:

1. Accept responsibility for the effectiveness of the entity’s ICFR.

2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.

3. Support its evaluation with sufficient evidence, including documentation.

4. Present a written assessment of the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.


Auditor Responsibilities under Section 404 and AS5

The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit of the entity’s ICFR and its financial statements.


ICFR Defined

ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:

1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.

2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets.


Internal Control Deficiencies Defined

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.


A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.

As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (reasonably possible) and magnitude (material, consequential, or inconsequential).


[Figure: control deficiencies classified along two axes, likelihood (remote; reasonably possible or probable) and magnitude (material; not material but significant; not material or significant), into material weakness, significant deficiency, and control deficiency.]


Management’s Assessment Process

Management must follow a top-down, risk-based approach:

1. Identify financial reporting risks and controls.

2. Evaluate evidence about the operating effectiveness of ICFR.

3. Consider which locations to include in the evaluation.


Framework Used by Management to Conduct Its Assessment

Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations.


Identify Entity-Level Controls


Management’s Documentation

Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also includes policy manuals, job descriptions, flowcharts, and process models.


Performing an Audit of ICFR


Integrating the Audits of Internal Control and Financial Statements

An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control.

[Figure: tests of internal control and substantive audit procedures.]


Effect of the Audit of Internal Control on the Financial Statement Audit

When the auditor performs an integrated audit, he or she will have access to a large amount of information about the client’s controls. This information can make the financial statement audit more efficient and result in reduced substantive procedures.

Regardless of the level of control risk in connection with the audit of the financial statements, auditing standards require the auditor to perform some substantive procedures for all significant accounts and disclosures.


Effect of the Financial Statement Audit on the Audit of Internal Control

The effectiveness of the audit of internal controls should lead the auditor to determine the implications of these findings on the financial statement audit. The auditor’s evaluation should include:

1. Misstatements detected.

2. The auditor’s risk evaluations in connection with the selection and application of substantive procedures, especially those related to fraud.

3. Findings with respect to illegal acts and related-party transactions.

4. Indications of management bias in making accounting estimates and in selecting accounting principles.


Planning the Audit of ICFR

The planning process is similar to the process used for the audit of financial statements.

Consider the following:

• Risk assessment and the risk of fraud.

• Scaling the audit.

• Using the work of others.

• Materiality.


Special Consideration: Using the Work of Others

A major consideration for the external auditor is how much work is to be performed by others. In determining the extent to which the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work.

As the risk associated with the control being tested increases, the external auditor should do more of the work.


Using a Top-Down Approach


Identifying Significant Accounts

Size and composition of the account;

Susceptibility to misstatement due to errors or fraud;

Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure;

Nature of the account or disclosure;

Accounting and reporting complexities associated with the account or disclosure.


Exposure to losses in the account;

Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure;

Existence of related-party transactions in the account; and

Changes from the prior period in account or disclosure characteristics.


Sources of Misstatement

• Understand the flow of transactions related to the relevant assertions, including initiation, authorization, processing, and recording;

• Identify the points within the entity’s processes at which a misstatement could arise that would be material;

• Identify the controls that management has implemented to address these potential misstatements; and

• Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement of the financial statements.


Select Controls to Test


Test the Design and Operating Effectiveness of Controls

Evaluate design

Test and evaluate operating effectiveness

• Nature: Inquiry, inspection of documents, observation, and reperformance

• Timing: Interim vs. ‘as of’ date

• Extent: Consider: (1) Nature of the control; (2) Frequency of operation; (3) Importance of the control.


Evaluate Identified Control Deficiencies


Remediation of a Material Weakness

Remediation is the process of correcting a material weakness in the ICFR.

• If a material weakness is corrected before the ‘as of’ date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control – if not, an adverse opinion is still issued.


Written Representations

In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR.

Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.


Auditor Documentation Requirements

The auditor must properly document the processes, procedures, judgements, and results relating to the audit of internal control.

When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.


The auditor’s documentation of the process, procedures, judgements and results relating to the audit of ICFR should include:

1. Auditor’s understanding and evaluation of the design of ICFR;

2. The process used to determine the points at which material misstatements could occur;

3. The extent to which the auditor relied upon the work of others; and

4. The evaluation of any deficiencies discovered or other findings which could result in a report modification.


Types of Reports Relating to the Audit of ICFR

An unqualified opinion signifies that the client’s internal control is designed and operating effectively.

A serious scope limitation requires the auditor to disclaim an opinion.

An adverse opinion is required if a material weakness is identified.


Report Modification Based on Control Deficiencies

Likelihood/Magnitude of Misstatement: Type of Audit Report

Control deficiency: Unqualified opinion

Significant deficiency: Unqualified opinion

Material weakness: Adverse opinion


Types of Reports Relating to the Audit of Internal Control

Report Modification Based on Scope Limitation

Seriousness of Scope Limitation: Type of Audit Report

Minor effect: Unqualified opinion

Severe limitation: Disclaim opinion or withdraw


Other Reporting Issues

1. Management’s report is incomplete or improperly presented.

2. The auditor decides to refer to the report of other auditors.

3. A significant subsequent event has occurred.

4. There is other information contained in management’s report on internal control.

5. There is a remediated material weakness at an interim date.


Additional Required Communications in an Audit of ICFR

The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.


Advanced Module: Use of Service Organisations

Many companies use a service organisation to process transactions. If the service organisation’s services make up part of a company’s information system, then they are considered part of the information and communication component of the company’s internal control over financial reporting. Thus, both management and the auditor must consider the activities of the service organisation.


Management and the auditor should perform the following procedures with respect to the activities performed by the service organisation:

(1) obtain an understanding of the controls at the service organisation that are relevant to the entity’s internal control and the controls at the user organisation over the activities of the service organisation; and

(2) obtain evidence that the controls which are relevant to management’s assessment and the auditor’s opinion are operating effectively.

Sometimes a SAS 70 report is issued.


Advanced Module: Safeguarding of Assets

Safeguarding of assets is defined as policies and procedures that ‘provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.’


End of Chapter 7