section 404 audits of internal control and control risk

Section 404 Audits of Internal Control and Control Risk, Chapter 10

Upload: shad-mendez

Post on 31-Dec-2015


DESCRIPTION

Section 404 Audits of Internal Control and Control Risk. Chapter 10. Internal Control Objectives. Reliability of financial reporting. Efficiency and effectiveness of operations. Compliance with laws and regulations. Management’s Responsibilities For Internal Control. - PowerPoint PPT Presentation

TRANSCRIPT

Section 404 Audits of Internal Control and Control Risk

Chapter 10

Internal Control Objectives

Reliability of financial reporting

Efficiency and effectiveness of operations

Compliance with laws and regulations

Management’s Responsibilities For Internal Control

Management - responsible for establishing and maintaining internal control

I/C offers reasonable assurance

I/C has inherent limitations

Management’s Responsibilities For Internal Control

Management’s Section 404 reporting responsibilities

Design of internal control over financial reporting
• Focus is on controls over mgmt. assertions (Ch 6)

Operating effectiveness of controls
• Must be tested and evaluated for effectiveness

Auditor Responsibilities Related to Internal Control

Second standard of fieldwork: A sufficient understanding of internal control is to be obtained in order to plan the audit and to determine the nature, timing, and extent of tests to be performed.

Control over classes of transactions (vs. account balances)

Auditor responsibilities for testing and reporting (Ch. 2) on internal control

Five Components of Internal Control

Risk assessment

Control activities

Information and communication

Monitoring

The Control Environment

Actions, policies and procedures that reflect overall attitudes of top management (“tone from the top”)

• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee participation
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices

Risk Assessment

For audit purposes: management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with GAAP.

Control Activities

Policies and procedures (in addition to those in the other four components)

1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

Adequate Separation of Duties

Custody of assets vs. Accounting

Authorization of transactions vs. The custody of related assets

Operational responsibility vs. Record-keeping responsibility

IT duties vs. User departments

Proper Authorization of Transactions and Activities

General authorization – policies for the organization to follow.

Specific authorization – applies to individual transactions

Adequate Documents and Records

Prenumbered consecutively

Prepared at the time of transaction

Designed for multiple use

Constructed to encourage correct preparation

Simple enough to ensure understanding

Physical Control over Assets and Records

The most important measure for safeguarding assets and records is the use of physical precautions – limit access to assets/records.

Independent Checks on Performance

The need for independent checks arises because internal controls tend to change over time unless there is a mechanism for frequent review.

Information and Communication

The purpose of an accounting information and communication system is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.

Monitoring

Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and modified when needed.

How the Size of the Business Affects Internal Control

In general the SEC believes that small businesses should be expected to adhere to the same internal control standards that apply to larger public companies.

The SEC has also stated that the burden to smaller companies can be disproportionate.

Four Phases of a Financial Statement Audit

Phase 1: Obtain an understanding of internal control: design and operation

Phase 2: Assess control risk.

Phase 3: Design, perform, and evaluate tests of controls

Phase 4: Decide planned detection risk and substantive tests.

Obtain and Document Understanding of Internal Control

SAS 55 and PCAOB Standard 2 both require the auditor to obtain an understanding of internal control for every audit.

Procedures to obtain an understanding:
• Design of internal controls
• Whether placed in operation
• Uses this information as a basis for the integrated audit.

Methods Used

Narrative

Flowchart

Internal control questionnaire

Narrative

1. The origin of every document and record in the system

2. All processing that takes place

3. The disposition of every document and record in the system

4. An indication of the controls relevant to the assessment of control risk

Evaluating Internal Control Operation

Update and evaluate auditor’s previous experience with the entity.

Make inquiries of client personnel.

Examine documents and records.

Observe entity activities and operations.

Perform walkthroughs of the accounting system.

Assess Control Risk

Assess whether the financial statements are auditable.

Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.

Use of a control risk matrix to assess control risk

Control Risk Matrix

Identify transaction-related audit objectives.

Identify existing controls.

Associate controls with transaction-related audit objectives.

Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses

Evaluating Significant Control Deficiencies

[Figure: matrix with axes LIKELIHOOD (Probable, Remote) and SIGNIFICANCE (Material, Immaterial); one region is labelled Material Weakness]

Communicate Internal Control Deficiencies and Related Matters

Management letters

Audit committee communications
• Significant deficiencies and material weaknesses must be communicated

Tests of Controls

The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.

Procedures for Tests of Controls

1. Make inquiries of client personnel.

2. Examine documents, records, and reports.

3. Observe control-related activities.

4. Reperform client procedures.

Extent of Procedures

PCAOB 2 requires public company auditors to test controls each year for all relevant assertions for all significant accounts and transactions
• Reliance on evidence from prior year’s audit

PCAOB 2 is concerned with adequacy of I/C as of the end of the fiscal year
• Timing of tests depends on the nature of controls and frequency at which they are performed.

Procedures to Obtain an Understanding vs. Tests of Controls

In obtaining an understanding, procedures are applied to all controls to identify those likely to prevent/detect material misstatements in specified assertions.

Tests of controls are applied only when the assessed control risk has not been done in obtaining an understanding.

Procedures to obtain an understanding are performed on few transactions, while tests of controls are performed on larger samples.

Relationship of Assessed Control Risk and Extent of Procedures (Table 10-3)

| Type of procedure | Assessed control risk, high level: Procedures to obtain an understanding | Assessed control risk, lower level: Tests of controls |
|---|---|---|
| Inquiry | Yes–extensive | Yes–some |
| Documentation | Yes–with transaction walk-through | Yes–using sampling |
| Observation | Yes–with transaction walk-through | Yes–at multiple times |
| Reperformance | No | Yes–using sampling |

Decide Planned Detection Risk and Design Substantive Tests

The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.

The auditor links the control risk assessments to the balance-related audit objectives.

Section 404 Reporting on Internal Control

1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects.

Section 404 Reporting on Internal Control

2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.

Types of Opinions on Internal Controls Over Financial Reporting

Unqualified
• No identified material weaknesses
• No scope limitations

Adverse
• Material weaknesses exist

Qualified or disclaimer of opinion
• Scope limitation

Differences in Scope of Controls Tested: Nonpublic Company

Internal controls over financial reporting

Internal controls used to assess control risk below maximum

Controls that must be tested in an audit of financial statements

Controls that must be tested in an audit of internal controls (ICFR opinion expressed)