Audit CH. 6 & 7 - Internal Controls - (Exam 2)
Assertions about Classes of Transactions and Events and Related Control Procedures (Assertions and their Control Activities)
(certain control activities in place to help specifically to different assertions) 1.Occurrence (testing all transactions have been recorded that have occurred / A,L,E exist) • Segregation of duties. • Prenumbered documents that are accounted for. • Daily or monthly reconciliation of subsidiary records with independent review. 2.Completeness (testing transactions that have be recorded are and info needed is in f/s / A,L,A interests that should have been recorded are) • Prenumbered documents that are accounted for. • Segregation of duties. • Daily or monthly reconciliation of subsidiary records with independent review. 3.Authorization (all transactions are properly authorized) • General and specific authorization of transactions at important control points. 4.Accuracy (Amt.s recorded and measured appropriately / A,L,E included at appropriate amt.) • Internal verification of amounts and calculations. • Monthly reconciliation of subsidiary records by an independent person. 5.Cutoff (recorded in correct period) • Procedures for prompt recording of transactions. • Internal review and verification. 6.Classification (recorded in proper accounts) •Chart of accounts. 7.Presentation (properly aggregated and described and understood in applicable financial reporting framework) • Internal review and verification.
Factors to consider when identifying controls to test
(which controls are the key controls and where do errors occur / might occur) • Points at which errors or fraud could occur. • The nature of the controls implemented by management. • The significance of each control in achieving the objectives of the control criteria and whether more than one control achieves a particular objective or whether more than one control is necessary to achieve a particular objective. • The risk that the controls might not be operating effectively. Factors that affect whether the control might not be operating effectively include the following: - Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness; - Whether there have been changes in the design of controls; - The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or IT general controls); - Whether there have been changes in key personnel who perform the control or monitor its performance; - Whether the control relies on performance by an individual or is automated; and - The complexity of the control.
Auditor Responsibilities under Section 404 and AS5
**This is a main way public and private audits differ **auditors issuing SEPARATE opinion about internal controls **the auditor has to audit mgt's assertion and report on it = 2 reports issued by auditors and 2 reports for ic = 1 by mgt and 1 by auditors The entity's independent auditor must audit management's assertion about ICFR, and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit (auditing internal controls and f/s at the same time bc they work together --- more efficient -- the 2 audits should speak to each other due to integration - ie. 1 can explain the other) of the entity's ICFR and its financial statements. Plan and perform the audit to obtain reasonable assurance about whether the entity maintained effective internal control (i.e., no material weaknesses were found).
Per COSO, controls provide reasonable assurance about the achievement of the entity's objectives in the following categories:
1) Reliability, timeliness, and transparency of internal and external Financial and Nonfinancial Reporting 2) Effectiveness and Efficiency of Operations 3) Compliance with Laws and Regulations Generally, internal controls that contribute to the reliability, timeliness, and transparency of external financial reporting are the most relevant to an audit. •Operations and compliance controls may be relevant when they relate to data the auditor uses to apply auditing procedures. --Internal controls should help promote good external / financial reporting --delineate between general controls of the company and controls specific to financial reporting
Under Section 404 - Management must comply with the following requirements in order for the external auditor to complete an audit of ICFR:
1. Accept responsibility for the effectiveness of the entity's ICFR 2. Evaluate the effectiveness of the entity's ICFR using suitable control criteria 3. Support the evaluation with sufficient evidence, including documentation (probs provided by internal audit team) 4. Present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the entity's most recent fiscal year assessing the controls are "adequately designed" mgt is now putting themselves out there is ways they weren't before
5 components of internal controls (COSO cube)
1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring Activities
Audit Procedures to Test Controls (4 out of the 9 procedures)
1. Inquiry of appropriate entity personnel 2. Inspection of documents indicating the performance of the control -things getting stamped, signed, etc. 3. Observation of the application of the control 4. Reperformance of the application of the control by the auditor -run through false invoice to see what happens, try to break the system--try to access something in IT we shouldn't have access to
2 types of controls (control activities) to test
1. Preventative •Separating approval and payment •Limiting access to IT systems •Automated controls 2. Detective •Reconciliations •Management review controls (review of summary stmts, etc.)
Management has the responsibility to design and maintain a system of internal control that provides reasonable assurance: (2 objectives that internal controls/controls system should achieve)
1. That assets and records are properly safeguarded 2. That the entity's information system generates information that is reliable for decision-making
Flowchart: Auditor's consideration of internal control and its relation to substantive procedures
1st step = determining deign and implementation The assessment of the internal controls in the audit then guides the strategy you take in the audit @ decision auditor is evaluating how ICs were actually implemented vs. how they say they're implemented -- then deciding whether you rely on the controls or not @decision -- if no, substantive strategy @ decision -- if yes, reliance strategy -if you do rely on the controls you will have to do LESS substantive testing bc you have confirmed you can trust the control structure to detect misstatements -- don't have to test as many accounts bc you tested the controls left = substantive strategy = internal controls in the org are not well-designed or implemented, so don't intend to rely on the controls to any extend = set control risk to maximum = set it at high --remember control risk = risk that internal controls will fail to detect and prevent misstatements right side = reliance strategy -- will happen in public company audits (Reliance = test of controls) -controls look good, reasonably believe they're implemented; and intend to rely on them to some extent BUT before we can rely on them we have to test them -set control risk at moderate or low -then test the controls = the 2nd diamond low = risk of failure is low - after testing does it say the control is low or are there too many errors = reassessing to high and restarting testing at high --if it does you'll move on, document and then substantive test and if not -- you have to reassess and re-test **only going to rely on the controls if you test them AND they work
Internal Control Deficiencies Defined (3)
A control deficiency exists when the design or operation (can be well-designed but not operating) of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. --control deficiency = control is failing to detect / prevent errors / misstatements ; any control activity of any size (least severe deficiency - not material or significant) A significant deficiency is a control deficiency, or a combination of control deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. --not material weakness but needs to be reported to management to get fixed (moderate severity - not material but significant) **A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. - highest magnitude and changes auditor's opinion - deficiency that would allow a material misstatement; but you can have a material weakness and not end up with a material misstatement -- doesn't always happen but there's a reasonable chance there will be, BUT if you DO find a material misstatement, there MUST be a material weakness otherwise the controls should have prevented it (highest severity - material) **defining what we're looking for to say if controls are effective or not
Reliance Strategy
After obtaining an understanding of internal control, an auditor may choose to follow a reliance strategy for some accounts and assertions. This means the auditor intends to rely on the controls in order to reduce overall amount of testing. Appropriate when: •Controls pertain to the assertion •Controls are considered to be effective in design •Controls appear to be implemented as designed Set planned control risk at low or moderate for these accounts and assertions. The auditor must test controls for assertions with a planned control risk is set to be less than high (i.e., low or moderate).
Substantive Strategy
After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy for some accounts or assertions. This means the auditor will not rely on the controls in order to reduce overall amount of testing. Appropriate when: •Controls do not pertain to an assertion •Controls are considered to be ineffective in design •Testing the internal controls is deemed inefficient When following a substantive strategy, set control risk at high for the specific accounts or assertions and move to substantive testing. ***skip internal control testing and go straight to testing ending balances on BS or transactions throughout the year on the income stmts (inspecting documents for sales, tangible assets that send out confirmations -- probs sampling these for testing for large scale documents0
Types of Reports (opinions) Relating to the Audit of ICFR (3)
After testing controls - auditing controls = issue an opinion --> these are opinion types: An unqualified opinion signifies that the entity's internal control is designed and operating effectively (no material weaknesses). (Just to know: qualified opinion - the financial statements contain material misstatements or omissions.) An adverse opinion is required if a material weakness is identified. Types of Reports Relating to the Audit of ICFR -- even just 1 material misstatement = adverse opinion A disclaimer opinion is required if a significant scope limitation existed
Integrating the Audits of Internal Control and Financial Statements
An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control. **if internal controls work = less substantive procedures dual-procedures test internal controls and substantive audit procedures both at the same time -- they work together in the audit
Auditing Accounting Applications Processed by Service Organizations -In some instances, an entity may have some or all of its accounting transactions processed by an outside service organization.
Because the entity's transactions are subjected to the controls of the service organization, one of the auditor's concerns is the internal control system in place at the service organization. It is not uncommon for service organizations to have an auditor issue one of two types of reports on their operations. -Not all companies have all controls in house -- some companies provide services to other companies and the companies who need the service are relying on that external company's controls ---example = ADP Payroll for small businesses needing to handle payroll (ADP is a pain) --when auditors look at these second entities, they document the controls as outsourced and then seed a report on that second entities controls and based on the report, auditors can either rely on the controls or not
2 Important Areas of Entity-Level Controls
Control Environment: •Management philosophy and operating style to promote ICFR •Sound integrity and ethical values •Audit committee understands oversight role (do they have codes of conduct (think Tesla audit) to be explicit about how everyone should act and behaviors to be set by the company. think of Chickfila -- every cfa provides the same amount of service = consisted policies and procedures) Period-end financial reporting process: •Procedures used to enter transaction totals into GL •Select and apply accounting policies •Initiate, authorize, record, and process period-end journal entries in the GL •Record recurring and nonrecurring adjustments to the F/S •Prepare F/S (end of the fiscal year = pulled together f/s --> what controls are in place to help that task happen efficiently and effectively; identifying things not in the system that need to be added: - ex: of task that need to be scrutinized: ----payables straggling after year end ---making sure cutoff happens accurately ---journal entries posted for the year end)
Internal control audit characteristics/reason for consideration
In all audits, the auditor needs assurance about the reliability of the data generated by the information system. --regardless of audit (public or private) we need assurance of the control system; however, audits of public companies the level of rigor steps up bc need assurance of the effectiveness of the system and issue an opinion about it, so the system itself will be tested In audits of public companies, the auditor needs to obtain assurance and report on the effectiveness of internal controls over financial reporting (ICFR). all audits = data coming out of it is good ---public audits = isue specific opinion of the effectiveness of the internal controls over the financial reporting
The limitations of an entity's internal controls
Internal control is a balance of resources such that the cost should not exceed the benefits that are expected to be derived. Three concerns/limitations always present in an internal control system (no matter how robust, costly, etc, your system is, you will always have these limitations of the system present): 1. Management override of internal control (top-down force) 2. Human error/ mistakes 3. Collusion among employees (people working together to get around the controls)
ICFR Defined - Internal controls over financial reporting per the PCAOB: (Internal Control over Financial Reporting) **specific to public audits
PCAOB defines ICFR as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP, and includes procedures that: 1. Pertain to the maintenance of records that accurately and fairly reflect the transactions and dispositions of the assets of the company 2. Provide reasonable assurance that transactions are properly authorized and recorded/presented in accordance with GAAP 3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets --"safeguarding" **pretty much same definition aa COSOS just no laws/reg procedure - reporting, operations, and compliance
Remediation of a Material Weakness **know for exam
Remediation is the process of correcting a material weakness in the ICFR If a material weakness is corrected before the "as of" date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control •If additional testing supports control effectiveness (i.e., material weakness remediated), then an unqualified opinion may be issued. •If not, then an adverse opinion is still issued. •If insufficient time for testing, then an adverse opinion is still issued. ---found weakness in november and mgt fixes in december buttheres not enough documentation to fully test if the control is fixed, then an adverse opinion will still need to be issued "as of" = the control can be found ineffective by the auditor during the audit, but then auditors tell mgt o fix it and they do before year end so auditors can still issue a clean opinion ---> just have to have the controls working by end date
Section 404 of the Sarbanes-Oxley Act in relation to management's responsibilities for their internal controls **know word for word
Requires managements of publicly traded companies to issue a report that accepts responsibility for establishing and maintaining "adequate" internal control over financial reporting (ICFR) and assert whether ICFR is effective "as of" the end of the fiscal year ***^^^language of this is important -- know for exam Sarbanes-Oxley changed the game in testing --said you need to do more than the prior testing ---> this includes management needing to issue their own report about internal controls and take responsibility for establishing and monitoring the controls and assert whether they are effective as of the end of that year mgt is now asserting to investors that they have done a good job over internal controls in their financial reporting
2 types of SOC Reports
SOC Type 1 Report - (provides external evaluation, but no testing)Describes the service organization's controls and assesses whether they are suitably designed to achieve specified internal control objectives --ADP has their own auditor to do an attestation service or examination to evaluate the controls surrounding their payroll services and see if the controls are well designed --this is bc there are many companies that use ADP and all of those companies cannot have their individual auditor coming to ADP to do testing, so ADP hires an auditor of their own to provide the other auditors an opinion from evaluation if the controls are well-designed the ADP's auditor issues their own report to claim if the controls are well-designed or not -- this is not comforting bc although they may say they're well designed but they haven't tested the controls SOC Type 2 Report - (provides actual assurance) Goes further by providing assurance on the operating effectiveness of the service organization's controls based on the auditor's tests of controls --An auditor may reduce control risk below high only on the basis of a service auditor's Type 2 report. --ADP's hire its own external auditor to actually test ADP's payroll processing controls and then the auditor issues and opinion claiming they tested the effectiveness of ADP's controls and then other auditors from ADP's clients can rely on the report and reduce the substantive testi
Timing of Tests of Controls and Substantive Testing (FIGURE 6-5)
Test of controls is performed to obtain audit evidence of: - The suitability of the design of the accounting and internal control system - The effective operation of the system throughout the period of reliance. (Conclude on the Control Objectives) Substantive testing is performed at the end on the fy period, before issuing audit report to obtain evidence to detect material misstatements in the financial statements Consist of: - Tests of detail of transactions, balances and disclosures, confirmations for accounts receivables, etc. -- revenue transactions have already been recorded by now - Analytical procedures (Conclude on the Management Assertions)
1. For internal control, the auditor uses risk assessment procedures to: (4) 2. The auditor has a responsibility to: (2)
ie. - what are the key controls in place that would protect and prevent 1. •Obtain an understanding of the entity's internal control •Identify key controls •Recognize the types of potential misstatements •Design tests of controls and substantive procedures -The auditor's understanding of the internal control is a major factor in determining the overall audit strategy. 2. (find where misstatements could happen and respond with our testing) •Obtain an understanding of internal control and •Assess control risk.
Identify Entity-Level Controls
underlined = have to assess these and give specific attention (detailed on next slide/card)
An Example of Assessing Control Risks and Its Effects (Table 6-5)
• Control risk is assessed to be low bc test of controls conducted on relevant controls in the purchasing and inventory cycles were consistent with the planned assessment of control risk •Control risk is assessed at high bc there are few transactions and the procedures for amortizing advertising expenditures are simple, a substantive strategy is selected (so few transactions, so testing the controls doesn't really provide much coverage)
The auditor should obtain an understanding of each of the five components of internal control (see the COSO cube) in order to: (3)
•Identify sources and types of potential misstatement •Pinpoint factors that affect RMM •Design tests of controls and substantive procedures When doing so, pay special attention to understanding entity-level controls. --Thinking about where will misstatements occur in this system -- ie. where are their weak points
Achieved Level of Control Risk -- After testing a control or set of controls for an assertion, decide whether the control is operating effectively. If so, If not,
•If so, then your assessed level of control risk is supported and you may rely on the control. --asses, then test, then see if testing matches assessment and if it does not, revise the assessment and don't rely on the control •If not, then you need to revise your assessed level of control risk and your substantive testing plan. Do not rely on the control. The auditor's assessment of control risk and the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire, or a memorandum.
In determining the level of a deficiency, the auditor must consider two dimensions of the control deficiency: (figure 7-1)
•Likelihood (reasonably possible it will result in a misstatement) •Magnitude (material, significant, or insignificant) Material --> report externally, to audit committee, and to mgt Significant --> report to audit committee and mgt Control --> report to mgt
Sources of misstatements where are the weaknesses, what has management done to safeguard their assets and accomplish the goals of their internal controls To understand the likely sources of potential misstatements, the auditor needs to do the following: (4)
•Understand the flow of transactions related to the relevant assertions •Identify the points within the entity's processes at which a misstatement could arise that would be material •Identify the controls that management has implemented to address these potential misstatements •Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets