Chapter 7 Understanding and Auditing Internal Control & Substantive Tests

Substantive Procedures Definition

The testing of account balances. Substantive tests are procedures designed to test for dollar or monetary misstatements that directly affect the correctness of the financial statements. The amount of substantive testing performed is driven by the results controls testing.

COSO Framework Control Environment

These actions, policies, and procedures set the tone for the organization. Five underlying principles... - Integrity and ethical values - Board or audit committee participation - Organizational structure - Commitment to competence - Accountability

COSO Framework Information and Communication

To initiate, record, process and report the entity's transactions and maintain accountability for related assets. Three underlying principles: - Use relevant, quality information to support the functioning of internal controls. - Communicate information internally, including objectives and responsibilities for internal control - Communicate with external parties any relevant information related to internal controls

Designing the Audit Program Considerations for the Audit Program

While designing the audit program the auditor will prepare to address all of the managements assertions, the audit program will consider... - Materiality - Evidence Mix - AR, IR, CR, & Fraud Risk - For public companies: the audit of internal controls. Similar to designing testing procedures, designing the audit plan can be quite challenging since many of the decisions are based on the anticipated results of the audit testing.

COSO Framework Five Components

COSO's Framework of Internal Control - Control Environment - Risk Assessment - Control Activities - Information and Communication - Monitoring Activities

COSO Framework Control Activities

Control activities = actions established by policies and procedures to help ensure management directives to mitigate risks are carried out. Three underlying principles: - Develop control activités that mitigate risks to an acceptable level - Develop general controls over technology - Establish appropriate policies, procedures, and expectations

Assessing Deficiencies in Internal Controls of Financial Reporting Control Deficiency Note

Control deficiencies / failure only indicate that there is the possibility of a monetary misstatement in the financial statements (not an actual misstatement).

Audit Tests Diagram

Figure 6-2, page 109... Flowchart of the auditor's consideration of internal control and its relation to substantive procedures.

COSO Framework Risk Assessment

Involves management's identification and analysis of risks relevant to the preparation of financial statements in conformity with accounting standards. Four underlying principles: - Have clear objectives - Determine how risks should be managed - Consider potential for fraud - Monitor changes

COSO Framework Monitoring

Involves ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether the internal controls are present and functioning. Some characteristics: - Performed by staff independent of operations and accounting - Report directly to high-level of organizations - Auditor might be able to rely on internal audit's work Two underlying principles: - Perform periodic evaluations - Communicate identified deficiencies to those who canremdiate

Assessing Deficiencies Reporting for each deficiency

Material ... Material weakness --> Report externally to audit committee and to management. Not material but significant ... Significant deficiency --> Report to audit committee and to management Not material or significant ... Control deficiency --> Report to management

ICFR Audit Opinions Unqualified Opinion

No identified material weakness as of the end of the fiscal year AND no scope limitations - need both

Controls & Control Risk Assessment Obtain and Document Understanding Controls pt. 2

Obtain and document understanding, auditors use: - The entity's procedures manual and organizational charts - Internal control checklist / questionnaire - Flowcharts: a diagram of the clients documents flow in the organization - Narrative description (documentation that includes origin of ever document and record in the system)

ICFR Audit Opinions Adverse Opinion

One or more material weaknesses exist.

Substantive Procedures Substantive Analytical Procedures

- Analytical procedures in which the auditor develops an expectation of recorded amounts or ratios to provide evidence supporting an account balance. - These procedures satisfy: assertions about account balances - Designed to test for dollar misstatements - Performed during audit testing - Not required by auditing standards - More detailed / require more precision than other Aps

Substantive Procedures Substantive Tests of Transactions

- Designed to test for actual monetary misstatements to transactions - Used to satisfy the assertions about transactions - Often performed concurrently on the same transactions used in tests of controls (Dual Purpose Test) - TOC = Operating effectiveness of control - SToT = Support assertions and / or detect material misstatements

Internal Control Over Financial Reporting Management Responsibilities

- Designing, implementing, and maintaining effective internal control over financial reporting - Maintain adequate documentation related to internal control over financial reporting - (SOX) management is required to issue a financial report on the effectiveness of internal control over financial reporting.

Substantive Procedures Substantive Tests of Details of Balances

- Focuses on the ending GL Balances (Balance Sheet) - These procedures satisfy: assertions about account balances. - Designed to Test for Actual Monetary Misstatements Examples: - Bank reconciliation supporting cash balance - Confirmations of customer balances: A/R - Physical examination of inventory

Test of Controls Considering Results of Test of Controls

- If control deficiencies are identified, assess the severity of those deficiencies to determine how the preliminary control risk assessment should be modified (i.e. L to H) and how this will affect the substantive procedures to be performed. - If the test results indicate that achieved control risk is higher than planned, the auditor will normally increase the planned substantive procedures and document the revised control risk assessment.

Test of Controls Considering Results of Test of Controls pt. 2

- If no control deficiencies are identified, determine the extent that controls can provide evidence on the accuracy of account balances, and determine planned substantive audit procedures. The substantive testing in this situation will be less than what is required in circumstances where deficiencies in internal control were identified. - If test of controls supports the planned level of control risk, no revisions of the planned substantive procedures are required.

Assessing Deficiencies in Internal Controls of Financial Reporting Three types of Control Deficiencies

- Material Weakness - Significant Deficiency - Control Deficiency

Internal Control Over Financial Reporting Auditors responsibilities

- The auditor must understand the client's internal control over financial reporting (ICFR) to assess control risk and conduct an effective audit. - (SOX) requires auditors of public companies must also test and report on the effectiveness of the clients internal controls over financial reporting.

Test of Controls Selecting Controls to Test

- The auditor selects controls that are most important to the organization's ability to adequately address the RMM. - The auditors selects both entity-wide and transaction controls for testing. - In determining which controls to select for testing, the auditor should explicitly link controls and assertions.

Assessing Deficiencies Material Weakness

1. Material Weakness (most severe)... - a deficiency in ICFR that there is a reasonable possibility that a material misstatement of the company annual or interim financial statements will not be prevented or detected on a timely basis.

Substantive Procedures Types of substantive tests

1. Substantive tests of transactions (SToT) 2. Substantive Analytical Procedures (SAP) 3. Substantive Tests of Details of Balances (STDB)

Assessing Deficiencies Significant Deficiency

2. Significant Deficiency... - a deficiency in ICFR that is less severe than a material weakness to merit attention by those responsible for oversight of the company's financial reporting.

Assessing Deficiencies Control Deficiency

3. Control Deficiency (Least Severe)... - a deficiency in the operations of controls that does not permit company personnel to prevent or detect and correct misstatements on a timely basis. - These are most often communicated to management as "recommendations from the auditor" for improvement of control environment.

Assessing Deficiencies in Internal Controls of Financial Reporting Control Deficiency Definition

A control deficiency (in design or operation) is some shortcoming in internal control such that the objective of reliable financial reporting may not be achieved. When assessing a control deficiency, management / auditor will consider: - Likelihood of misstatement (reasonably possible) - Magnitude of potential misstatement (material, significant, or insignificant)

ICFR Audit Opinions Disclaimer of Opinion

A material scope limitation requires the auditor to express disclaimer of opinion.

Internal Control Objectives Definition + Segments

A system of internal controls consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals. - Reliability of reporting - Efficiency & Effectiveness of Operations - Compliance with Laws and Regulations

Controls & Control Risk Assessment Obtain and Document Understanding Controls pt. 3

After obtained an understanding auditors use the information to: - Identify types of potential misstatement - Pinpoint the factors that affect the risk of material misstatement - Design tests of controls and substantive procedures

Designing the Audit Program Definition

As part of designing the audit program, an auditor will determine the optimal evidence mix of tests of controls, substantive tests of transactions, substantive analytical procedures, and tests of details balance.

Test of Controls Performing Test of Controls

Auditors begin with documentation from prior years and update their understanding using the following types of audit evidence: - Make inquiries of client personnel - Inspection of documents and records - Observe activities and operations - Reperform the application of the control

Controls & Control Risk Assessment Obtain and Document Understanding Controls pt. 1

Auditors consider the following factors: - Control environments - Understanding the entity's risk assessment process - Understanding the information system and communications - Control activities -Understanding monitoring of controls