section 404 audits of internal control and control risk chapter 10
Post on 22-Dec-2015
Section 404 Audits of Internal Control and Control Risk
Chapter 10
Internal Control Objectives
• Compliance with laws and regulations
• Efficiency and effectiveness of operations
• Reliability of financial reporting
Management’s Responsibilities For Internal Control
Management - responsible for establishing and maintaining internal control
I/C offers reasonable assurance
I/C has inherent limitations
Management’s Responsibilities For Internal Control
Management’s Section 404 reporting responsibilities
Design of internal control over financial reporting
• Focus is on controls over mgmt. assertions (Ch 6)
Operating effectiveness of controls
• Must be tested and evaluated for effectiveness
Auditor Responsibilities Related to Internal Control
Second standard of fieldwork: A sufficient understanding of internal control is to be obtained in order to plan the audit and to determine the nature, timing, and extent of tests to be performed.
Control over classes of transactions (vs. account balances)
Auditor responsibilities for testing and reporting (Ch. 2) on internal control
Five Components of Internal Control
Risk assessment
Control activities
Information and communication
Monitoring
The Control Environment
Actions, policies and procedures that reflect overall attitudes of top management (“tone from the top”)
• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee participation
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices
Risk Assessment
For audit purposes: management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with GAAP.
Control Activities
Policies and procedures (in addition to those in the other four components)
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
Adequate Separation of Duties
Custody of assets | Accounting
Authorization of transactions
The custody of related assets
Operational responsibility
Record-keeping responsibility
IT duties | User departments
Proper Authorization of Transactions and Activities
General authorization – policies for the organization to follow.
Specific authorization – applies to individual transactions
Adequate Documents and Records
• Prenumbered consecutively
• Prepared at the time of transaction
• Designed for multiple use
• Constructed to encourage correct preparation
• Simple enough to ensure understanding
Physical Control over Assets and Records
The most important measure for safeguarding assets and records is the use of physical precautions – limit access to assets/records.
Independent Checks on Performance
The need for independent checks arises because internal controls tend to change over time unless there is a mechanism for frequent review.
Information and Communication
The purpose of an accounting information and communication system is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.
Monitoring
Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and modified when needed.
How the Size of the Business Affects Internal Control
In general the SEC believes that small businesses should be expected to adhere to the same internal control standards that apply to larger public companies.
The SEC has also stated that the burden to smaller companies can be disproportionate.
Four Phases of a Financial Statement Audit
Phase 1: Obtain an understanding of internal control: design and operation
Phase 2: Assess control risk.
Phase 3: Design, perform, and evaluate tests of controls
Phase 4: Decide planned detection risk and substantive tests.
Obtain and Document Understanding of Internal Control
SAS 55 and PCAOB Standard 2 both require the auditor to obtain an understanding of internal control for every audit.
Procedures to obtain an understanding:
• Design of internal controls
• Whether placed in operation
• Uses this information as a basis for the integrated audit.
Methods Used
• Narrative
• Flowchart
• Internal control questionnaire
Narrative
1. The origin of every document and record in the system
2. All processing that takes place
3. The disposition of every document and record in the system
4. An indication of the controls relevant to the assessment of control risk
Evaluating Internal Control Operation
• Update and evaluate auditor’s previous experience with the entity.
• Make inquiries of client personnel.
• Examine documents and records.
• Observe entity activities and operations.
• Perform walkthroughs of the accounting system.
Assess Control Risk
Assess whether the financial statements are auditable.
Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.
Use of a control risk matrix to assess control risk
Control Risk Matrix
• Identify transaction-related audit objectives.
• Identify existing controls.
• Associate controls with transaction-related audit objectives.
• Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses
Evaluating Significant Control Deficiencies
[Figure: Material Weakness. Axes: Likelihood (Probable, Remote) and Significance (Material, Immaterial)]
Communicate Internal Control Deficiencies and Related Matters
Management letters
Audit committee communications
• Significant deficiencies and material weaknesses must be communicated
Tests of Controls
The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
Procedures for Tests of Controls
1. Make inquiries of client personnel.
2. Examine documents, records, and reports.
3. Observe control-related activities.
4. Reperform client procedures.
Extent of Procedures
PCAOB 2 requires public company auditors to test controls each year for all relevant assertions for all significant accounts and transactions
• Reliance on evidence from prior year’s audit
PCAOB 2 is concerned with adequacy of I/C as of the end of the fiscal year
• Timing of tests depends on the nature of controls and frequency at which they are performed.
Procedures to Obtain an Understanding vs. Tests of Controls
In obtaining an understanding, procedures are applied to all controls to identify those likely to prevent/detect material misstatements in specified assertions.
Tests of controls are applied only when the assessed control risk has not been done in obtaining an understanding.
Procedures to obtain an understanding are performed on few transactions, while tests of controls are performed on larger samples.
Relationship of Assessed Control Risk and Extent of Procedures (Table 10-3)
Type of procedure | Assessed control risk, high level: Procedures to obtain an understanding | Assessed control risk, lower level: Tests of controls
Inquiry | Yes–extensive | Yes–some
Documentation | Yes–with transaction walk-through | Yes–using sampling
Observation | Yes–with transaction walk-through | Yes–at multiple times
Reperformance | No | Yes–using sampling
Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.
The auditor links the control risk assessments to the balance-related audit objectives.
Section 404 Reporting on Internal Control
1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects.
Section 404 Reporting on Internal Control
2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.
Types of Opinions on Internal Controls Over Financial Reporting
Unqualified
• No identified material weaknesses
• No scope limitations
Adverse
• Material weaknesses exist
Qualified or disclaimer of opinion
• Scope limitation
Differences in Scope of Controls Tested: Nonpublic Company
Internal controls over financial reporting
Internal controls used to assess control risk below maximum
Controls that must be tested in an audit of financial statements
Controls that must be tested in an audit of internal controls (ICFR opinion expressed)