Auditing - Chapter 7

Controls typically included for testing

1. Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements. 2. Controls over the selection and application of accounting policies that are in conformity with GAAP 3. Antifraud programs and controls 4. Controls, including IT general controls, on which other controls are dependent 5. Controls over significant no routine and nonsystematic transactions, such as accounts involving judgments and estimates 6. Entity-level controls

Examples of Entity-Level Controls

1. Controls within the control environment (eg. Tone at the top, assignment of authority and responsibility, consistent policies and procedures, and companywide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units) 2. Controls over management override 3. The entity's risk assessment process 4. Centralized processing and controls, including shared service environments 5. Controls to monitor results of operations 6. Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs. 7. Controls over period-end financial reporting process. 8. Policies that address significant business control and risk management practices.

Indicators of Material Weaknesses

1. Identification of fraud, whether or not material, committed by senior management 2. Restatement of previously issued financial statements to reflect the correction of a material misstatement 3. Identification by the auditor of a material misstatement of financial statemetns in the current period in circumstances that indicate that the misstatement would not have been detected by the company's ICFR 4. Ineffective oversight of the company's external financial reporting and ICFR by the company's audit committee

Top-down, risk-based approach to the audit of ICFR

1. Identify entity-level controls 2. Identify significant accounts and disclosures and their relevant assertions 3. Understand likely sources of misstatement 4. Select controls to test

Factors that may affect planning an audit of ICFR

1. Knowledge of the entity's ICFR obtained during other engagements 2. Matters affecting the industry in which the entity operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes 3. Matters relating to the entity's business, including its organization, operating characteristics, and capital structure 4. The extent of recent changes in the entity, its operations, or its ICFR 5. Preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses 6. Control deficiencies previously communicated to the audit committee or management 7. Legal or regulatory matters of which the entity is aware 8. The type and extent of available evidence related to the effectiveness of the entity's ICFR 9. Preliminary judgements about the effectiveness of IFCR 10. Puclic info about the entity relevant to the evaluation of the likelihood of material financial statement misstatements and the effectiveness of the entity's ICFR 11. Knowledge about risks related to the entity evaluated as part of the auditor's client acceptance and retention evaluation 12. The relative complexity of the entity's operations

Written representations made by management to the auditor

1. Management is responsible for establishing and maintaining effective ICFR 2. Management has performed an evaluation and made an assessment of the effectiveness of the company's ICFR and specifying the control criteria 3. Management did not rely on work performed by the auditor in forming its assessment of the effectiveness of ICFR 4. Management's conclusion about the effectiveness of the entity's ICFR based on the control criteria as of specified date 5. Management has disclosed to the auditor all deficiencies in the design or operation of ICFR identified as part of management's evaluation and has identified all such deficiencies that it believes to be significant deficiencies or material weaknesses 6. Descriptions of any material fraud and any other fraud that, although not material, involves senior management or management or other employees who have a significant role in the company's ICFR 7. Control deficiencies identified and communicated to the audit committee during previous engagements have (or have not) been resolved (and specifically identifying any that have not) 8. Descriptions of any changes in ICFR or other factors that might significantly affect ICFR, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses.

Steps in the Audit of ICFR

1. Plan the audit of ICFR 2. Identify controls to test using top-down, risk-based approach 3. Test the design and operating effectiveness of selected controls 4. Evaluate identified control deficiencies 5. Form an opinion on the effectiveness of ICFR

Factors commonly considered when identifying controls to test

1. Points at which errors or fraud could occur 2. The nature of the controls implemented by management 3. The significance of each control in achieving the objectives of the control criteria and whether more that one control achieves a particular objective or whether more than one control is necessary to achieve a particular objective 4. The risk that the controls might not be operating effectively. Factors that affect whether the control might not be operating effectively include the following: a. Whether there have been changes in the volume or nature of transaction that might adversely affect control design or operating effectiveness b. Whether there have been changes in the design of controls c. The degree to which the control relies on the effectiveness of other controls d. Whether there have been changes in key personnel who perform the control or monitor its performance e. Whether the control relies on performance by an individual or is automated; and f. The complexity of the control

Factors that affect the risk associated with a control

1. The nature and materiality of misstatements that the control is intended to prevent or detect 2. The inherent risk associated w/ the related account(s) and assertion(s) 3. Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness 4. Whether the account has a history of errors 5. The effectiveness of entity-level controls, especially controls that monitor other controls 6. The nature of the control and the frequency with which it operates 7. The degree to which the control relies on the effectiveness of other controls 8. The competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance 9. Whether the control relies on performance by an individual or is automated 10. The complexity of the control and the significance of the judgments that must be made in connection with its operation

Risk factors that affect whether there is a reasonable possibility that a control deficiency (or a combination of control deficiencies) will result in a misstatement of an account balance or disclosure

1. The nature of the financial statement accounts, disclosures, and assertions involved 2. The susceptibility of the related asset or liability to loss or fraud 3. The subjectivity, complexity, or extent of judgment required to determine the amount involved 4. The interaction or relationship of the control with other controls, including whether they are interdependent or redundant 5. The interaction of the deficiencies 6. The possible future consequences of the deficiency

Material weakness

A deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company's annual interim financial statements will not be prevented or detected on a timely basis

Relevant assertion

A financial statement assertion that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated

Control deficiency

A weakness in the design or operation of a control such that management or employees, in the normal course of performing their assigned functions, fail to prevent or detect misstatements on a timely basis.

Significant account or disclosure

An account or disclosure is significant if there is a reasonable possibility that the account or disclosure could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering the risks of both overstatement and understatement.

Entity-level controls

Controls that have a pervasive effect on the entity's system of internal control such as controls related to the control environment; controls over management override; the company's risk assessment process; centralized processing and controls, including shared service environments; controls to monitor results of operations; controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; controls over the period-end financial reporting process; and policies that address significant business control and risk management practices.

Remediation

The process of correcting a material weakness as part of management's assessment of the effectiveness of ICFR

Safeguarding of Assets

Those policies and procedures that provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements

Internal control over financial reporting

a process designed by, or under supervision of, the company's principal executive and principal financial officers or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP.