Internal Control (Chapter 7)
Higher Assessed Level of Control Risk
(Than planned assessed level of control risk) Situation: Tests of control performed, system operating somewhat effectively, but not as well as anticipated
Same Assessed Level of Control Risk
(as planned assessed level of control risk) Situation: Tests of control performed, system operating as anticipated
Internal Control Reporting by Public Companies and Their Auditors
- Section 404(a) of Sarbanes-Oxley Act: Management must provide an assessment of internal control effectiveness - Section 404(b): Auditors must attest to and report on IC over financial reporting a.) "Integrated Audit" that addresses both financial statements and IC i.) GAAP (or other reporting framework) for financial statement audit ii.) COSO for audit of Internal Control
IT Controls
- When a control is performed by the computer, must an auditor test the automated control numerous times (as in regular tests of controls) to conclude on operating effectiveness? NO. Generally, the auditor may limit the testing to one or a few instances. - Note, however, that the auditor must have confidence control operated in same manner throughout period (e.g., a computer programmer didn't inappropriately disable the program during part of the year).
Occurrence of Testing for Operating Effectiveness
- When controls have not changed since last tested, the auditor should test operating effectiveness of such controls at least once in every three years - When controls have changed, they must be tested that year - That is, at a minimum, a control should be tested every third year
Three Control Risks
1. Actual control risk 2. Planned assessed level of control risk 3. Assessed level of control risk
Five Stages of Internal Control Audit
1. Plan the engagement 2. Use a top-down approach to identify controls to test 3. Test and evaluate design effectiveness of IC 4. Test and evaluate operating effectiveness of IC 5. Form an opinion on the effectiveness of IC over financial reporting i.) Unqualified -- no material weaknesses and no scope restrictions ii.) Qualified -- some scope limitation iii.) Disclaimer -- scope limitation is severe and pervasive iv.) Adverse -- one or more material weaknesses found
Purpose of Consideration of Internal Control
1. To assess the risk of material misstatement 2. To design the nature, timing, and extent of further audit procedures
Significant Deficiency
A "control deficiency" or combination of control deficiencies, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
Material Weakness
A "deficiency," or combination of deficiencies such that there is a a reasonable possibility that a "material misstatement" of the financial statements will not be prevented or detected.
Control Deficiency
A [blank] exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Internal Control
Process, effected by the entity's board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories: - Reliability of financial reporting (GAAP) - Effectiveness and efficiency of operations - Compliance with applicable laws and regulations
Test of Controls
Provide evidence about the "design" or "operation" of a control to assess its effectiveness in preventing or detecting material misstatements in a financial statement assertion.
Operating Effectiveness of Controls
Relates to tests of controls, concerned with: (1) How a control was applied (2) The consistency with which it was applied, and (3) By whom Again, auditors perform "tests of controls" to evaluate [blank]. Evidence on [blank] is always necessary to assess control risk at a level lower than the maximum.
Five Components of Internal Control
Remember, CRIME: - C: Control Activities - R: Risk Assessment - I: Information and Communication System - M: Monitoring - E: Environment (of control)
Control Activities
Remember, PIPS: - P: Performance Reviews - I: Information Processing - P: Physical controls - S: Segregation of Duties
Overall Types of Tests of Controls
Remember: IIOR- - I: Inquiries of appropriate client personnel - I: Inspection of documents and reports - O: Observation of application of policies and procedures - R: Reperformance of application (by auditor) of policies and procedures Test for "Design" - I,I,O Test for "Operation" - I,I,O,R
Sarbanes-Oxley Act of 2002
Requires public reports on internal control by management and the auditor. COSO has gained importance since it in general will supply the internal control criteria on which management and the auditors base their opinions.
Internal Control over Financial Reporting
Set of policies and procedures that pertain to the entity's ability to record, process, summarize and report financial data consistent with the assertions in the financial statements. - COSO framework
Report Issued to Audit Committee for Significant Deficiency
Should be: - Written - Indicate the purpose of an audit is to report on the financial statements and not to provide insurance on IC - Include significant deficiencies and material weaknesses, and indicate which are material weaknesses - State that the communication is for the use of the audit committee, management, and others in the organization and is not intended for others - A written reporting that no significant deficiencies were identified should not be issued. - The auditor should report known significant deficiencies and material weaknesses to management during the course of the audit rather than after the audit is concluded
Maximum Assessed Level of Control Risk
Situation: No tests of control performed Situation: Tests of control performed, system found NOT to be operating effectively
Deficiency in Design
Sub-type of control deficiency. Exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that even if the control operates as designed the control objective is not always met.
Deficiency in Operation
Sub-type of control deficiency. Exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
Actual Control Risk
The actual, unknown, risk that a material misstatement could occur in an assertion (or account) will not be prevented or detected on a timely basis by an entity's IC. This is unknown because the audit is based on a sample of evidence.
Assessed Level of Control Risk
The level at which [blank] for purposes of determining the scope of substantive procedures. If no tests of controls are performed this is at the maximum level. If tests of controls have been performed the results of these tests determines its levels.
Planned Level of Control Risk
This level is lower than the maximum level (the max level means the highest risk) when the assessed level of the risk of material misstatement presumes that controls operated effectively. The tricky part here is that the [blank] is not always at the same level as the auditor's guess of control risk. The [blank] is at the maximum unless the auditor plans to perform tests of controls to obtain evidence on whether IC operates effectively. [Blank] below the max level requires: (1) Identifying IC policies and procedures relevant to specific assertions that are likely to prevent or detect misstatements in assertions (2) Performing tests of controls to evaluate the effectiveness of such policies and procedures
Implemented Control
To obtain this understanding, for example, an auditor may have obtained a flowchart of the revenue cycle, and s/he simply observes employees performing the duties outlined on that flowchart. (1) Auditors must on all audits determine that the IC has been placed in operation (2) Auditors use this knowledge of whether the IC has been placed in operation to: - Identify types of potential misstatements - Consider factors that affect the risk of material misstatement - Design tests of controls, when applicable - Design substantive procedures
Communication of Control Related Matters
To the Audit Committee. The auditor's objective in an audit of financial statements is to form an opinion on the financial statements, not to identify significant deficiencies. But when an auditor becomes aware of significant deficiencies or material weaknesses they must be communicated to the audit committee.
Perform Risk Assessment and Design Further Audit Procedures
To understand this area you need to understand the distinction between what an auditor's understanding of a control being "implemented (placed in operation)" as compared to his/her assessment of its "operating effectiveness."
Level of Required Knowledge
[Auditor's Consideration of IC] Controls have been placed in operation (implementation) For the accounting information system, auditors perform a "walk-through" in which they trace one or two transactions of each major type through the system
Necessary Level of Understanding
[Auditor's Consideration of IC] Obtain understanding of internal control by performing risk assessment procedures 1. Level of understanding needed: a.) Required--Design of structure and whether it has been implemented (previously referred to as placed in operation). This means the entity is using the control In planning the audit, such knowledge should be used to: - Identify types of potential misstatements - Consider factors that affect the risk of misstatements - Design tests of controls, when applicable - Design substantive procedures b. Not required, but possible--the auditor may at this point CHOOSE to perform various tests of controls to obtain evidence on operating effectiveness. If these tests show the system to be operating effectively, the assessed level of control risk will be below the maximum level (this leads to less substantive procedures).
Understanding for each Element of Internal Controls
[Auditor's Consideration of IC] Understanding needed for each of IC elements for purposes of "obtaining an understanding to plan the audit"
Required Documentation
[Auditor's Consideration of IC] Understanding obtained to plane the audit must be documented. Form and extent affected by size and complexity of client and nature of IC. Documentation techniques include: a.) internal control questionnaire b.) checklists c.) written narrative of IC d.) flowcharts e.) decision tables
