Chapter 7
A major consideration for the external auditor is how much work is to be performed by others. In determining the extent to which the auditor may use the work of others, the auditor should:
(1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work. As the risk associated with the control being tested increases, the external auditor should do more of the work.
three primary objectives of internal control according to COSO
(1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations.
Management Responsibilities under Section 404
-Accept responsibility for the effectiveness of the entity's ICFR. -Evaluate the effectiveness of the entity's ICFR using suitable control criteria. -Support the evaluation with sufficient evidence, including documentation. -Present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the entity's most recent fiscal year.
Types of Reports Relating to the Audit of ICFR
-An unqualified opinion signifies that the entity's internal control is designed and operating effectively (no material weaknesses). -A serious (more than minor) scope limitation requires the auditor to disclaim an opinion -An adverse opinion is required if a material weakness is identified
Examples of Entity-Level controls
-Controls over management override -Entities risk assessment process -Centralized processing and controls, including shared services environment -Controls to monitor results of operations -etc... look at powerpoint 11
Indicators of material weaknesses (ie always material)
-Identification of fraud -Restatement of previously issued financial statements to reflect the correction of a material misstatement -Identificaiton by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the entities ICFR -Ineffective oversight of the entities external financial reporting and ICFR by entitiy's audit committee
Preforming an audit of ICFR
-Plan the audit -Identify controls to test using a top-down, risk based approach -Test the design and operating effectiveness of selected controls -Evaluate identified control deficiencies -Form an opinion on the effectiveness of ICFR
Factors commonly considered when identifying controls to test
-Points at which errors or fraud could occur -The nature of the controls implemented -The significance of each control in achieving the objectives of the control criteria, -The risk that the controls might not be operating effectively
Identifying Significant Accounts
-Size and composition of the account -Susceptibility to misstatement due to errors or fraud -Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure -Nature of the account or disclosure -Accounting and reporting complexities associated with the account or disclosure
Risk factors that affect whether there is a reasonable possibility that a control deficiency will result in a misstatement of an account balance or disclosure
-The nature of the financial statement accounts, disclosures, and assertions involved -The susceptibility of the related asset or liability to loss or fraud -The subjectivity, complexity, or extent of judgement required to determine the amount involved -The interaction or relationship of the control with other controls, including whether they are interdependent or redundant -The interaction of the deficiencies -The possible consequences of the deficiency
Planning the Audit of ICFR
-The planning process is similar to the process used for the audit of financial statements. -Consider the following: -Role of risk assessment and the risk of fraud. -Scaling the audit. -Using the work of others.
Factors that effect whether the control might not be operating effectively include
-Whether there have been changes in the volume or nature of transactions -Whether there have been changes in design of the control -The degree to which the control relies on other controls Key personel changes the complexity
Top-down, risk-based approach to the audit of the audit of ICFR is...(4 things)
1) Identify entity-level controls 2) Identify significant accounts and disclosures and their relevant assertions 3) Understand likely sources of misstatement 4) Select controls to test
Other Reporting Issues
1) Management's report is incomplete or improperly presented. 2) The auditor decides to refer to the report of other auditors. 3) A significant subsequent event has occurred. 4) There is additional information contained in management's report on internal control. 5) There is a remediated material weakness at an interim date.
The auditor's documentation of the process, procedures, judgments and results relating to the audit of ICFR should include:
1. The auditor's understanding and evaluation of the design of each of the components of ICFR; 2. The process used to determine the points at which misstatements could occur; 3. The extent to which the auditor relied upon the work of others; and 4. The evaluation of any deficiencies discovered or other findings which could result in a report modification
Material weakness results in
Adverse opinion
ICFR Defined
ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:1)Pertain to the maintenance of records that accurately and fairly reflect the transactions and dispositions of the assets of the company. 2) Provide reasonable assurance that transactions are properly authorized and recorded in accordance with GAAP. 3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets.
Report Modification Based on Scope Limitation
Minor - Unqualified More than minor- Disclaimer or withdraw
Remediation of a Material Weakness
Remediation is the process of correcting a material weakness in the ICFR: -If a material weakness is corrected before the "as of" date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control - if not, an adverse opinion is still issued.
Auditor Responsibilities under Section 404 and AS5
The entity's independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit of the entity's ICFR and its financial statements.
Control deficiency and Significant deficiency result in
Unqualified opinion
A significant deficiency is
a control deficiency, or a combination of control deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
Three kinds of deficiencies
control deficiency significant deficiency material weakness
material weakness
material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.
In addition to the management representations obtained as part of a financial statement audit, the auditor also
obtains written representations from management related to the audit of ICFR. Failure to obtain written representations from management, including management's refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.
An integrated audit is composed of
the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control
A control deficiency exists when ...
the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Two dimensions of the control deficiency: likelihood (reasonably possible), and magnitude (material, significant, or insignificant)
Management's Assessment Process. Management must follow a...
top-down, risk-based approach: 1) Identify financial reporting risks and controls. 2) Consider which locations to include in the evaluation. 3)Evaluate evidence about the operating effectiveness of ICFR.