Audit Chapter 7 - Auditing Internal Control over Financial Reporting
Management must comply with the following requirements in order for the external auditor to complete an audit of ICFR.(Section 404)
(1) Accept responsibility for the effectiveness of the entity's ICFR (2) Evaluate the effectiveness of the entity's ICFR using suitable control criteria (3) Support the evaluation with sufficient evidence, including documentation (4) Present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the entity's most recent fiscal year
ICFR includes procedures that:
(1) Pertain to the maintenance of records that accurately and fairly reflect the transactions and dispositions of the assets of the company. (2) Provide reasonable assurance that transactions are properly authorized and recorded in accordance with GAAP. (3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets.
When does a design deficiency exist?
(1) a control necessary to meet the relevant control objective is missing (2) an existing control is not properly designed
When does a operation deficiency exist?
(1) a properly designed control does not operate as designed (2) the person performing the control does not possess he necessary authority or qualifications to perform the control effectively
Control Deficiency - magnitude and likelihood
-Not material or significant -More than remote (reasonably possible or probable)
△The auditor's documentation of the process, procedures, judgments and results relating to the audit of ICFR should include:
1. The auditor's understanding and evaluation of the design of each of the components of ICFR; 2. The process used to determine the points at which misstatements could occur; 3. The extent to which the auditor relied upon the work of others; 4. The scope of testing; and 5. The evaluation of any deficiencies discovered or other findings which could result in a report modification. (probability/likelihood and materiality)
Evaluate design
Are controls designed correctly to prevent or detect misstatement. If they aren't, there is a control deficiency already. Test if SD or MW. If they are, test the operation. If operating defectively, there is a CD
Those charged with governance
Audit Committee or Board of Directors
_____ are responsible for the reliability of ICFR and the preparation of the F/S.
CEO and CFO
the ___________ Framework is the standard against which most companies assess the effectiveness of their internal controls over financial reporting.
COSO
suppose a control over the recording of certain large dollar value transactions is not operating effectively. However, there is another control in place whereby management reviews and reconciles account balances associated with these transactions on a monthly basis and investigates unexpected or unusual transactions. How it is called?
Compensating Controls
Extent
Consider: (1) Nature of the control (2) Frequency of the operation (3) Importance of the control
The ______ testing impacts the planned ___________ ____________.
Control, Substantive Procedures
If a scope limitation has more than a minor effect...
Disclaim opinion or withdraw
If a scope limitation has a minor effect...
Issue an unqualified opinion in audit report
Significant Deficiency - magnitude and likelihood
Less severe ICFR deficiency than Material weakness, but merits attention -Not material but significant -More than remote (reasonably possible or probable)
Explain whether the following identified control deficiency represents a material weakness or a significant deficiency. Include an explanation of how you arrived at your answer. The company processes a significant number of intercompany transactions on a monthly basis. Individual intercompany transactions are frequently material. A formal management policy requires monthly reconciliation of intercompany accounts. However, detailed reconciliations of intercompany accounts are not performed on a timely basis. Management does not perform other procedures to investigate significant large-dollar intercompany account differences.
MATERIAL WEAKNESS (2 pts) - INDIVIDUAL TRANSACTIONS ARE FREQUENTLY MATERIAL (1 pt) - THE NORMAL CONTROL IS NOT OPERATING ON A TIMELY BASIS, AND THERE ARE NO COMPENSATING CONTROLS IN PLACE. (1 pt)
A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a _____________ in the system of internal control. A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.
Material Weakness
which category moody's believes is most important?, why?
Moody's believes category B material weaknesses are most important to investors because they are pervasive and the auditor cannot audit around them.
Framework used by management to conduct its assessment
Most entities use COSO framework (Internal Control - integrated framework) 3 primary objectives of internal control: (1) reliable financial reporting (2) efficiency and effectiveness of operations (3) compliance with laws and regulations
Do material weaknesses mean there is a material misstatement?
NO
Does low control risk and no deficiencies indicate a lack of material misstatement?
NO
Test and evaluate operating effectiveness
Nature Timing Extent
Timing
Opinion on ICFR is "as of" the balance sheet date Interim vs "as of" date
Remediation
Remediation is the process of correcting a material weakness in the ICFR If a material weakness is corrected before the "as of" date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control - if not, an adverse opinion is still issued.
Material weakness - who to report to?
Report externally to audit committee and to management (MNGT and those charged with governance)
Significant Deficiency - who to report to?
Report to audit committee and to management (MNGT and those charged with governance)
Control Deficiency - who to report to?
Report to mangement
Explain whether the following identified control deficiency represents a material weakness or a significant deficiency. Include an explanation of how you arrived at your answer. The company processes a significant number of intercompany transactions on a monthly basis. Individual intercompany transactions are not material. A formal management policy requires monthly reconciliation of intercompany accounts. However, detailed reconciliations of intercompany accounts are not performed on a timely basis. Management performs monthly procedures to investigate selected large-dollar intercompany account differences.
SIGNIFICANT DEFICIENCY - INDIVIDUAL TRANSACTIONS ARE NOT MATERIAL. - EVEN THOUGH THE NORMAL CONTROL IS NOT OPERATING ON A TIMELY BASIS, MANAGEMENT HAS A COMPENSATING CONTROL THAT WOULD CATCH LARGE-DOLLAR (I.E., MATERIAL) DIFFERENCES
Material Weakness - magnitude and likelihood
Serious ICFR deficiency Reasonable possibility of material misstatement (of the annual or interim financial statements will not be prevented or detected on a timely basis) due to control failure -Material -More than remote (reasonably possible or probable)
A ____________________ is a control deficiency, or a combination of control deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
Significant deficiency
The results of __________ __________ are considered in the evaluation of _________ _________.
Substantive procedures, internal control
What is an integrated audit of?
The entity's ICFR and its financial statements
3 types of audit reports
Unqualified: the company maintained, in all material respects, effective internal control over financial reporting. - No MWs exist as of the balance sheet date Adverse: the company has not maintained effective internal control over financial reporting - At least one MW exists as of the BS date Disclaimer: do not express an opinion (due to a scope limitation that is more than minor).
ICFR (Internal Control over Financial Reporting)
a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP
Inadequate documentation on the part of management can cause....
a significant deficiency or a material weakness
what type of audit report? - material weakness
adverse opinion
If there are Material Weaknesses at year end, the auditor must issue _____________. However, the entity can have deficiencies during the year and still receive _____________ at year end, as long as they remediate the deficiencies that have been identified and those can be testing and proved effective before year end.
an adverse opinion an unqualified opinion
_____ are responsible for implementing an effective internal control system.
board of director and management
When there is not sufficient time to correct material weakness before the "as of" date... When there is sufficient time to correct material weakness before the "as of" date and new control operation is effective...
can issue report that the ICFR is not operating effectively can issue report that the ICFR operating effectively.
Failure to obtain written representations from mngt
constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion
Compensating Controls
control procedures that compensate for the deficiency in other controls (Before concluding that a control deficiency is indicative of a significant deficiency or material weakness, the auditor should consider the effectiveness of any compensating controls. 統制の不備が重大な不備または重大な弱点を示していると結論付ける前に、監査人は、代替統制の有効性を検討する必要があります)
a control deficiency exists when ____________.
design or operation of a control does not allow management or employees
what type of audit report? - more than minor effect (reason for/ seriousness of scope limitation)
disclaim opinion or withdraw
Under Section 404 and AS5, the auditor must perform a __________ audit
integrated
Regardless of the ___________ in connection with the audit of the financial statements, auditing standards require the auditor to perform ____________ for ___________.
level of control risk some substantive procedures for all significant accounts and disclosures
what are the two dimensions of control deficiency the auditor must consider?
likelihood (reasonably possible) magnitude of misstatements (material, significant, or insignificant)
_____ are responsible for establishing and maintaining effective internal control over financial reporting.
management
Are all MW equally important?
maybe not
When the auditor performs an integrated audit, he or she will have access to a large amount of information about the client's controls. This information can make the financial statement audit __________ and result in __________.
more efficient reduced substantive procedures
section 404
requires the auditor to audit management's assertion about the effectiveness of ICFR
The auditor can consider _____________ in determining current year testing - Consider ____________ from _____________.
results of past controls testing any changes the prior year(s)
Steps in performing an audit of ICFR
steps in performing an Audit of ICFR 1. plan the audit of ICFR (PLAN) 2. identify controls to test (IDENTIFY) (1) identify entity-level controls (2) identify significant accounts and disclosures and their relevant assertions (3) understand likely sources of misstatement (4) select controls to test 3. evaluate the design and test the operating effectiveness of selected control (SCOPE) 4. evaluate identified control deficiencies (EVALUATE) 5. form an opinion on the effectiveness of ICFR (REPORT)
Nature
testing of manual vs. automated controls - also, consider the type of test (Inquiry, inspection of documents, observation, and reperformance_
An integrated audit is composed of _________ and _________. The __________ impacts the planned _________. Also, the results of the substantive procedures are considered in the evaluation of internal control.
the audits of internal control the financial statements control testing substantive procedures
Since we plan the nature, timing, and extent of substantive audit tests at ____________, we should identify and test controls at this level, too. ____________ helps us determine the achieved level of control risk at the _____________.
the relevant assertion level DR = AR / (IR x CR) the relevant assertion level
Remediation
to correct a material weakness
Inadequate documentation on the part of auditor can cause....
to increased scrutiny監視 by the PCAOB
The "as-of" nature of the assessment in many cases allows management to ________ and still _______.
to remediate deficiencies discovered prior to year-end receive an unqualified opinion on ICFR
what type of audit report? - control deficiency or significant deficiency
unqualified opinion
what type of audit report? - minor effect (reason for/ seriousness of scope limitation)
unqualified opinion
What is the auditor's responsibility?(SOX Section 404/ PCAOB AS 2201)
•Audit ICFR and express an opinion. Give two opinions: internal control & F/S -------- -Ultimate objective is to express an opinion on the effectiveness of ICFR "as of" the date of the financial statements. -Must conduct an integrated audit of ICFR and the FS using a "top-down risk-based approach" -Must identify significant accounts and test controls related to "relevant assertions"
Moody's Global Credit Research Group categorizes material weaknesses into two types
•Category A - material weaknesses that can be "audited around" because they relate to specific transaction level processes 特定のトランザクションレベルプロセスに関連しているため、「監査」できる重大な弱点 •Category B - company-level material weaknesses, such as material weaknesses in the control environment. These cannot be audited around and are pervasive to the financial statements. 制御環境の重大な弱点など、企業レベルの重大な弱点。 これらは周囲で監査することはできず、財務諸表に広まっています。
What is management's responsibility? (SOX Section 404/ PCAOB AS 2201)
•Establish and maintain adequate ICFR •Assess and assert whether ICFR is effective "as of" the BS date. (publicly-traded companies)
What documentations do SOX and the PCAOB have stressed?
•Management documentation of internal controls. •Auditor documentation of understanding and testing of internal controls. SOXとPCAOBはドキュメントを強調しています。 内部統制の管理文書。 内部統制の理解とテストに関する監査文書。
What risk factors do auditor assess to identify significant accounts and disclosures and their relevant assertions?
•Size and composition of the account •Susceptibility to misstatement due to errors or fraud •Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure •Nature of the account or disclosure •Accounting and reporting complexities associated with the account or disclosure •Exposure to losses in the account •Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure •Existence of related-party transactions in the account •Changes from the prior period in account or disclosure characteristics
What does this mean practically speaking for a business?
•management constantly has to do risk assessment