ACCTG 431 Ch. 7 - Internal Controls

Risk assessment components

- Clearly specify objectives to allow the identification and assessment of risks related to those objectives. - Identify and analyze risks to the achievement of its objectives to determine how they may be managed. - Consider potential fraud relating to the achievement of objectives. - Identify and assess changes that could impact internal control.

Control environment components

- Commitment to integrity and ethical values. - Board of directors demonstrates independence from management and exercises oversight of internal control. - Establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities. - Commitment to attract, develop, and retain competent employees. - Holding employees accountable for internal control responsibilities.

What are the limitations to internal controls?

- Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc. - Controls that depend on the segregation of duties may be circumvented by collusion - Management may override internal controls - Compliance may deteriorate over time

Accounting system components and objectives

- Identify and record valid transactions - Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions - Measure the value of transactions appropriately - Determine the time period in which the transactions occurred to permit recording in the proper period - Present properly the transactions and related disclosures in the financial statements

monitoring components

- Ongoing monitoring activities -->Regularly performed supervisory and management activities --->Example: Continuous monitoring of customer complaints - Separate evaluations -->Performed on nonroutine basis --->Example: Periodic audits by internal audit

control activities components

- Performance reviews - Transaction control activities - Physical controls - Segregation of duties -->Segregate authorization, recording, and custody of assets - Performance reviews contribute to internal control by providing management with an overall indication of whether personnel at various levels are effectively pursuing the objectives of the organization. - Transaction processing controls are performed to check the completeness, validity, and authorization of transactions. - Physical controls contribute by assuring physical security over both records and other assets. - Segregation of duties reduces the opportunities for any one person to both perpetuate and conceal errors or irregularities.

What are tests of design vs tests of operating effectiveness, and what purposes does each serve?

- Tests of design: auditors identify the company's control objectives and risks in each financial reporting area and then identify relevant controls that satisfy each control objective. They then evaluate the likelihood of control failure, the magnitude of the misstatement, and degree to which other controls achieve the same objectives. If the design is not effective, it does not make sense to test if the controls are operating effectively ex: inquiry, observation, walk-throughs, inspection of documents - Tests of operating effectiveness: used to determine whether the controls function as designed and whether the individuals performing the controls possess the necessary authority and qualifications

examples of detective controls

- bank reconciliations (detect misstatements with cash receipts or disbursements)

examples of preventative controls

- segregation of duties - approval of period-ending journal entries

5 components of internal control

1. The Control Environment 2. Risk Assessment 3. Control Activities 4. (Accounting) information and communication 5. Monitoring Activities

Three categories of objectives of internal control

1. reporting 2. operations 3. compliance

Discuss how the auditors' consideration of internal controls fits into the overall audit process especially how this consideration affects the nature, timing, and extent of substantive procedures.

Approach: - Identify controls likely to prevent or detect material misstatements - Perform tests of controls to determine whether they are operating effectively Tests of controls include: - Inquiries of appropriate client personnel - Inspection of documents and reports - Observation of the application of controls - Reperformance of the controls *The results of the tests of controls are used to determine the nature, timing, and extent of substantive procedures

Discuss how the auditors' consideration of internal controls fits into the overall audit process especially how this consideration affects the nature, timing, and extent of substantive procedures.

Auditors consider internal control because its quality has a major effect on the nature, timing, and extent and nature of the audit procedures necessary to complete the audit. More specifically, the auditors' understanding of the entity and its environment, including internal control allows them to (1) assess the risks of material misstatements of the financial statements and (2) design the nature, timing and extent of further audit procedures.

What are service organizations and how do they affect the auditors' considerations in testing internal controls?

Definition: provide processing services to companies that decide to outsource a portion of their processing. Computer service organizations provide processing services to customers who decide not to invest in their own processing of particular data Examples: Outsource processing of payroll or Internet sales; storage of data and records in the service organization's Cloud Auditors should obtain understanding of the outsourced function by following one or more of: 1. Contacting service organization to obtain information 2. Visiting service organization and performing necessary procedures 3. Obtaining a report from the auditors of the service organization Terms: - Service auditor—provides examination of service organization's controls - User auditor—Uses that report Types of Service Auditor Reports: - Type 1—Management's description of the system and the auditor's assessment of the suitability of the design of controls - Type 2—Attributes of 1, plus assurance on the operating effectiveness of controls **A Type 2 report may provide the user auditor with a basis for assessing control risk below the maximum. Affect auditors: - When there is a low degree of interaction between the user entity's controls and those at the service organization, the controls applied by the user entity may be adequate to ensure material errors or fraud are detected --> auditors would need to only test client controls, not test of controls

Understand the requirements of Section 404a and 404b of SOX for audits of public companies

Management's Report on Internal Control under Section 404a: - Management acknowledges its responsibility for establishing and maintaining internal control - Management has assessed internal control effectiveness as of the last day of the company's fiscal year-end using suitable criteria - Management supports the evaluation with sufficient evidence Approach to Audit of Internal Control under Section 404b: This section applies to public companies with a market capitalization of $75 million or more. For those companies, the auditors audit internal control as a part of an integrated audit. In doing so, the auditors: - Plan the engagement - Use a top-down approach to identify the controls to test - Test and evaluate design effectiveness of internal control - Test and evaluate operating effectiveness of internal control - Form an opinion on effectiveness of internal control over financial reporting Textbook: - Section 404a requires each annual report filed with the SEC to include a report in which management (1) acknowledges its responsibility for establishing and maintaining adequate internal control over financial reporting, and (2) provides an assessment of internal control effectiveness as of the end of the most recent fiscal year. - Section 404b requires auditors of certain companies to attest to, and report on, internal control over financial reporting.

Auditors' Overall Approach as it Relates to Internal Control

Overall approach of an audit: 1. Plan the audit 2. Obtain an understanding of the client and its environment, including internal control 3. Assess the risks of material misstatement and design further audit procedures 4. Perform further audit procedures 5. Complete the audit 6. Form an opinion and issue the audit report **Steps 2-4 relate most directly to the role of internal control in financial statement audits

How do auditors gain an understanding of a client's internal controls?

Procedures include: - Inquiring of entity personnel - Observing the application of specific controls - Inspecting documents and reports - Tracing transactions through the information system relevant to financial reporting (System Walkthrough) *May also obtain evidence on operating effectiveness of various controls

Understand the importance of segregation of duties, including which types of activities should be performed by different individuals/departments

Segregate authorization, recording, and custody of assets Segregation of duties reduces the opportunities for any one person to both perpetuate and conceal errors or irregularities.

Obtain an understanding of the client and its environment, including internal control

The understanding of internal control is used to help the auditors to: 1. Identify types of potential misstatements 2. Consider factors that affect the risks of material misstatement 3. Design tests of controls (when applicable) and substantive procedures

Objectives of internal control over financial reporting

Top level: prepare and issue reliable financial information Detailed level: sales transactions: 1. All sales transactions that occur are recorded on a timely basis 2. Sales transactions are recorded at correct amounts in the right accounts 3. Accurately and completely summarized in the company's books and records 4. Presentations and disclosures relating to sales are properly described, sorted, and classified Overall objective: prepare financial statements in accordance with generally accepted accounting principles Relevant to audit: - the controls that pertain to the reliability of financial reporting: those that affect the preparation of financial information for external reporting purposes

Understand the differences between external and internal auditors, especially related to the following factors: independence, primary objectives, external auditors' consideration of and reliance on the internal auditors' work

Work of Internal Auditors may be used in two ways: 1. Obtaining audit evidence by using the internal auditors' work performed as a part of their normal responsibilities, and 2. Using internal auditors to provide direct assistance on the external audit.

a process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance

internal controls

Explain the auditor's communication requirements for the different types of internal control deficiencies (less than significant deficiency, significant deficiency, material weakness)

less than significant deficiency - required to communicate to management if deficiency merits management's attention significant deficiency- required to communicate to management and those charged with governance material weakness - required to communicate to management and those charged with governance

examples of corrective controls

maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing