AUD Chap 7
True or false: When obtaining an understanding of the control environment, it is important that auditors focus on the substance of controls, rather than their form.
TRUE; Controls may be in place that are not enforced.
The Sarbanes-Oxley Act of 2002 requires public companies to provide reports on internal control by
management and auditors
PCAOB
Requires that annually some evidence regarding operating effectiveness should be obtained
In the consideration of internal control, the operating effectiveness of controls is tested by:
test of controls
Data analytics may be used ______ to certain sampling tests.
either as a supplement or an alternative
The existence of __ that serve(s) as the standards or benchmarks to measure and present the subject matter is essential to performing an attest engagement.
suitable criteria
Controls that assess whether other transaction control activities are operating properly and are usually focused on high risk transactions are called ______ controls.
supervisory
After documenting internal control, auditors typically perform a(n) __, which traces one or two transactions through each step in the cycle.
walk-through
Auditors' Overall Approach as it Relates to Internal Control
Overall approach of an audit: 1. Plan the audit. 2. Obtain an understanding of the client and its environment, including internal control. 3. Assess the risks of material misstatement and design further audit procedures. 4. Perform further audit procedures. 5. Complete the audit. 6. Form an opinion and issue the audit report. Steps 2-4 relate most directly to the role of internal control in financial statement audits.
True or false: The general approach to increasing evidence from a test of control is to increase the extent of the test, except in the case of automated controls.
TRUE
While obtaining an understanding of the other control components, auditors generally obtain some knowledge about the client's
control activities
Because of cost considerations, internal control is designed to provide __ assurance, not absolute assurance.
reasonable
Controls that assess whether other transaction control activities are operating properly and are usually focused on high risk transactions are called
supervisory controls
Tests of controls address ______.
how controls were applied; the consistency with which controls were applied; by whom or by what means the controls were applied
Deficiencies that are less than significant are generally communicated in a(n)
management letter
Service Organizations 3
Types of Service Auditor Reports: • Type 1—Management's description of the system and the auditor's assessment of the suitability of the design of controls. • Type 2—Attributes of 1, plus assurance on the operating effectiveness of controls. • A Type 2 report may provide the user auditor (user of report) with a basis for assessing control risk below the maximum.
In an audit of internal control, if one or more material weaknesses in internal control are identified a(n) ______ opinion should be issued.
adverse
Which of the following is not a COSO component of internal control?
board oversight
Clear guidance that will allow proper and uniform handling of transactions and events is provided by an accounting information system's ______.
chart of accounts; policies and procedures manual
The auditor's report on internal control under PCAOB standards expresses an opinion on whether the ______.
company maintained, in all material respects, effective internal control over financial reporting
Before performing tests of controls to determine whether they are operating effectively, auditors must first ______.
identify the controls likely to prevent or detect material misstatements
To increase the evidence from a test of control, the number of items tested should be increased for ______.
non-automated controls only
External auditors can use the work of internal auditors to ______.
provide direct assistance to the external auditors; provide audit evidence based on their normal internal audit work
True or false: Auditors test the design of controls immediately after determining if they operate effectively.
FALSE; If the design is not effective, it makes no sense to test whether the controls operate effectively.
The Foreign Corrupt Practices Act was passed to
require organizations to maintain an effective system of internal control; prevent payments of bribes and kick-backs to officials in foreign businesses
In making a judgment about the extent of the understanding of ___ necessary, auditors should realize the information will be used to identify types of potential misstatements and consider factors that affect the risks of material misstatement.
internal controls
A symbolic representation of a series of procedures with each procedure shown in sequence is an example of a systems
flowchart
Specific authorization occurs when transactions are authorized on an individual basis while ___ authorization occurs when management establishes criteria for acceptance of a certain type of transaction.
general
Transaction-level controls may be broken down into two categories:
general control activities and application controls
Auditors' understanding of internal control should include not only the design of controls but also whether they
have been implemented
Auditors typically use a management letter to communicate deficiencies that are ______ than significant.
less
When auditors consider internal control design to be strong, they need to determine whether the control has been implemented which normally involves ______.
observing the procedure
In an internal control audit, tests of the ___ of controls are used to determine whether the controls function as designed and if the individuals performing the controls possess the necessary authority and qualifications.
operating effectiveness
Tests of controls ordinarily are designed to provide evidence of:
operating effectiveness
Internal control practices that can help strengthen internal control in small companies include ______.
recording all cash receipts immediately; using prenumbered checks; only issuing checks after matching approved invoices with purchase orders and receiving reports
A policy requiring the preparation of a monthly bank reconciliation is an example of a
detective control
Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes?
Confirmation
When assessing an internal auditor's objectivity, an independent auditor should:
Consider the policies that prohibit the internal auditor from auditing areas where relatives are employed in key management positions.
Tests of controls do not address:
How controls were originated.
What is the primary reason that auditors assess internal control?
To determine the risk of misstatements of accounts.
If the test of controls results indicate the controls are not operating as effectively as planned, the assessed level of control risk needs to be ______ the planned assessed level.
higher than
For public companies, auditors are required to perform a(n) __ audit that addresses both the financial statements and internal control.
integrated
In comparison to financial statement audits, auditors who perform integrated audits typically perform ______.
more audit procedures directed toward testing the effectiveness of internal control
This component of internal control assesses the quality of internal control performance over time.
monitoring
In general, auditors want evidence on operating effectiveness throughout the audit, so they ______ the year.
sample throughout
A company operates an oil refinery. To reduce risk the company has decided to implement significant controls over safe operations. This is an example of:
risk reduction
The acceptable level of variation in performance relative to the achievement of objectives is called
risk tolerance
Accounting estimates are particularly difficult for management to control and often have a high risk of material misstatement because of the ______ estimates.
subjective nature of assumptions needed to make; complexity of
Tests of controls are generally performed ______.
throughout the year
Preventive control
Aimed at avoiding the occurrence of misstatements
Which of the following is not an advantage of establishing an enterprise risk management system within an organization?
Eliminates all risks.
True or false: The auditors should obtain an understanding of the client's processes for eliminating business risks.
FALSE; The auditors should obtain an understanding of the client's processes for identifying and responding to these risks, not eliminating them.
This document clearly describes the entity's methods of treating transactions which provides employees guidance that allows for proper and uniform handling of transactions.
Manual of accounting policies and procedures
Policies and procedures that help mitigate the risk that the organization's objectives are not met are called control
activities
The basic principles of the control environment include all of the following:
commitment to integrity and ethical values; commitment to attract, develop, and retain competent employees; effective board of directors
When internal auditors provide direct assistance to external auditors in preparing working papers and performing certain audit procedures, external auditors should ______.
direct, supervise, review, and test the work
Auditors use their understanding of which internal control component to identify risks of material misstatement that relate directly to the recording of transactions such as the recording of routine transactions like revenue?
information system
In addition to the typical journals, ledgers, and other record-keeping devices, a chart of accounts and manual of accounting policies and procedures should be included in an accounting __
information system
The risk of misstatement is composed of:
inherent risk and control risk
Management needs to assess risks that threaten their ability to meet their objectives in the areas of
operations, reporting, and compliance
The preliminary assessments of control risk are often referred to as the
planned assessed level of control risk
Control Objectives
In each area of internal control (reporting, operations and compliance). • Control objectives, and • Sub-objectives. Example: Area of reporting: • Top level objective - prepare and issue reliable financial information. • Detailed level applied to accounts receivable sub-objectives. • All goods shipped are accurately billed in the proper period. • Invoices are accurately recorded for all authorized shipments and only for such shipments. • Authorized and only authorized sales returns and allowances are accurately recorded. • The continued completeness and accuracy of accounts receivable is ensured. • Accounts receivable records are safeguarded.
Documenting the Understanding of Internal Control
Questionnaires. • Typically standardized by firm or industry. Written Narratives. • Memos that describe flow of transactions and controls. Flowcharts. • Systems flowcharts.
Use of the Work of Internal Auditors
Work of Internal Auditors may be used in two ways: • Obtaining audit evidence by using the internal auditors' work performed as a part of their normal responsibilities, and • Using internal auditors to provide direct assistance on the external audit.
Auditors use their understanding of internal control to do all of the following except ______.
assess detection risk for use in the audit risk model; DOES: consider factors that affect risks of material misstatements; identify types of potential misstatements; design tests of controls and substantive procedures
reduction risk
managing the risk or adding additional controls to process it
Segregation of duties is a
preventative control
COSO's definition of internal control emphasizes that it is a(n) __ or a means to an end
process
Service Organizations 1
• Computer service organizations provide processing services to customers who decide not to invest in their own processing of particular data. • Examples: Outsource processing of payroll or Internet sales; storage of data and records in the service organization's Cloud.
Limitations of Internal Control
• Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc. • Controls that depend on the segregation of duties may be circumvented by collusion. • Management may override internal controls. • Compliance may deteriorate over time.
Auditors perform tests of controls to obtain evidence about operating
effectiveness of controls
External auditors should assess the ___ (proficiency and training based on education, experience, and professional certifications) and ___ (ability to perform their duties free from conflicting responsibilities or constraints) of the internal audit function before relying on their work.
competence; objectivity
Segregation of duties is an aspect of which of the following components of internal control?
control activity
acceptance risk
taking no action
When comparing a financial statement audit with an integrated audit, the procedures used to gain an understanding of internal control are ______.
the same
Controls Over Accounting Estimates
1. Control environment policies and procedures that encourage proper estimates. 2. Risk assessment consideration of the risks of inaccurate accounting estimates. 3. Policies that ensure that qualified personnel are involved in developing the estimates. 4. Policies and procedures that ensure that relevant, sufficient and reliable data is considered in the development of the estimates, and the model used is appropriate. 5. Management review of sources of data, processes used to develop the assumptions, changes in the methods used, and the reasonableness of assumptions and estimates. 6. Policies to ensure use of the work of specialists when considered necessary. 7. Policies to improve estimation processes by comparison of prior estimates with subsequent results.
Relationships Among Deficiencies
=Less than significant> significant deficiency> material weakness =Significant deficiency =Material weakness
Classification of Controls over Financial Reporting
Preventive: • Aimed at avoiding the occurrence of misstatements in the financial statements. • Example: Segregation of duties. Detective: • Designed to discover misstatements after they have occurred. • Example: Monthly bank reconciliations. Corrective: • Needed to remedy the situation uncovered by detective controls. • Example: Backups of master file used to reconstruct erroneous records. Controls overlap: • Complementary - function together. • Redundant - address same assertion or control objective. • Compensating - reduces risk existing weakness will result in misstatement.
Approach to Audit of Internal Control under Section 404b
This section applies to public companies with a market capitalization of $75 million or more. For those companies, the auditors audit internal control as a part of an integrated audit. In doing so, the auditors: • Plan the engagement. • Use a top-down approach to identify the controls to test. • Test and evaluate design effectiveness of internal control. • Test and evaluate operating effectiveness of internal control. • Form an opinion on effectiveness of internal control over financial reporting.
Auditors identify the company's control objectives and risks in each financial reporting area and then identify relevant controls that satisfy each control objective when testing design
effectiveness
AICPA standards require that tests of controls be performed ______ audit.
every third
After assessing the risks of material misstatement, auditors should design further audit procedures such as substantive procedures and tests of controls if planned assessed level of control risk is ______.
low
A deficiency in internal control over financial reporting (or combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis is a(n)
material weakness
In an audit of a small company, the auditor typically performs ______ internal control.
more substantive procedures because of the absence of strong
Risks at the financial statement level ______.
require considerable judgment for the auditor; potentially affect many relevant assertions
When the assessed level of control risk is low, the auditor should ______.
restrict substantive procedures for that assertion
The nature of transactions
Consider the nature of the transactions: • Routine transactions—for example, regular revenue, purchases, and cash receipts and disbursements. • Non-routine transactions—for example, taking of inventory, calculating depreciation expense. • Estimation transactions—for example, determining the allowance for doubtful accounts. Generally routine transactions have the strongest controls.
Which of the following is of particular significance to corporate governance?
Control environment
3. Assess the risks of material misstatement
General approach: • Identify risks while obtaining an understanding of the client and its environment, including its internal control. • Relate the identified risks to what can go wrong at the relevant assertion level. • Consider whether the risks are of a magnitude that could result in a material misstatement. • Consider the likelihood that the risks could result in a material misstatement.
Ongoing evaluation
Monitoring customer complaints
Corrective control
Needed to remedy a situation after a misstatement is discovered
Obtaining the Understanding
Procedures include: • Inquiring of entity personnel. • Observing the application of specific controls. • Inspecting documents and reports. • Tracing transactions through the information system relevant to financial reporting (System Walkthrough). May also obtain evidence on operating effectiveness of various controls.
AICPA and International Auditing Standards
Require that test of controls be performed at least every third audit
When auditors assess risk at the __ assertion level instead of the financial statement level, they consider both the design of the control and its implementation.
relevant
An integrated audit requires the auditors to test controls for all ______.
relevant assertions about major accounts
The controls that are most relevant to an audit are those that pertain to the
reliability of financial reporting
Which of the following is NOT a reason that internal control can only provide reasonable assurance from fraud and waste?
All designed controls to address fraud and waste are adopted.
In an integrated audit, auditors use a ______ approach in the internal control audit.
top-down
Assessing Risks at the Assertion Level
Examples: • Failure to recognize an impairment loss on a long-lived asset affects only the valuation assertion. • Inaccurate counting of inventory at year-end affects the valuation of inventory and the accuracy of cost of goods sold. Responses: • Decisions are made here as to the appropriate combination of tests of controls and substantive procedures that respond specifically to the risk.
4. Perform Further Audit Procedures - Test of Controls 2
Tests of controls include: • Inquiries of appropriate client personnel. • Inspection of documents and reports. • Observation of the application of controls. • Reperformance of the controls. The results of the tests of controls are used to determine the nature, timing and extent of substantive procedures.
Performance reviews are an integral part of which component of internal control?
control activities
A situation in which the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect material misstatements on a timely basis is referred to as a:
control deficiency
Section 404 of the Sarbanes-Oxley Act requires public companies to provide reports on internal control by ______.
management; external auditors
For a corporation, the major components of corporate governance include all of the following except
management of the company; INCLUDES: external auditors; BOD; audit committee
A deficiency in internal control over financial reporting (or combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis is a __
material weakness
Regarding deficiencies and weaknesses in internal control, auditing standards require auditors to communicate in writing ______.
material weaknesses; significant deficiencies
Control Environment Factors
• Commitment to integrity and ethical values. • Board of directors demonstrates independence from management and exercises oversight of internal control. • Establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities. • Commitment to attract, develop, and retain competent employees. • Holding employees accountable for internal control responsibilities.
Internal Control Definition
A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of (the entity's) objectives relating to: • Operations. • Reporting, and • Compliance.
4. Perform Further Audit Procedures - Test of Controls 1
Approach: • Identify controls likely to prevent or detect material misstatements. • Perform tests of controls to determine whether they are operating effectively. Tests of controls address: • How controls were applied. • The consistency with which controls were applied • By whom or by what means (for example, electronically) the controls were applied.
Service Organizations 2
Auditors should obtain an understanding of the outsourced function by following one or more of: • Contacting the service organization to obtain information. • Visiting the service organization and performing necessary procedures. • Obtaining a report from the auditors of the service organization. Terms: • Service auditor—provides examination of service organization's controls. • User auditor—Uses that report.
Effects of Data Analytics
Data analytics may be used to perform tests of controls (operating effectiveness); auditors may test controls over the entire population of transactions rather than a sample.
Detective control
Designed to discover misstatements after they have occurred
All organizations under the jurisdiction of the SEC are required to maintain a system of internal control that will provide certain reasonable assurances under The
Foreign Corrupt Practices Act
Objectives of an Accounting System
Identify and record valid transactions. • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions. • Measure the value of transactions appropriately. • Determine the time period in which the transactions occurred to permit recording in the proper period. • Present properly the transactions and related disclosures in the financial statements.
Monitoring
Ongoing monitoring activities. • Regularly performed supervisory and management activities. • Examples: • Continuous monitoring of customer complaints. • Management review control in which the Controller reviews gross profit on revenue transactions for unusual relationships. Separate evaluations: • Performed on nonroutine basis. • Example: Periodic audits by internal audit.
Foreign Corrupt Practices Act
Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business. The Act: • Makes illegal payment of bribes to foreign officials. • Requires an effective system of internal control (applies to public companies).
Control Activities
Performance reviews. Transaction control activities. Physical controls. Segregation of duties. • Segregate authorization, recording and custody of assets.
An example of an area that tends to be difficult for management to control and usually results in a very high risk of material misstatement is
accounts valued at fair value
For the control environment component, professional standards require auditors should obtain sufficient knowledge about the company's
antifraud program
Controls over the authorization and processing of payroll are
application controls; only affects the reliability of payroll activities
The major difference between control objectives and management assertions is that control objectives
are broader in scope; Control objectives relate to financial reporting, operations, and compliance.
Separate evaluation
audits by internal auditor
All of the following are examples of control activities
authorizations; verifications; performance reviews; physical controls
Auditors should identify and assess the risks of material misstatement:
both the financial statement level and the relevant assertion level for account balances.
The company has one control that requires reconciliations of bank statements and another that requires all cash disbursements to be authorized. This is an example of ______ controls.
complementary
Proper segregation of duties should be applied to ______.
departments and individuals
avoidance risk
exiting the activity that gives rise to the risk
When assessing the risk of material misstatement, auditors rely on the ______ effectiveness of internal control.
expected
The goal of segregation of duties is not to allow an individual to have __
incompatible duties
Procedures to obtain an understanding of internal control include ______.
inquiry of entity personnel; tracing of transactions through information system; inspection of documents and reports
sharing risk
insurance, hedging, and outsourcing
The three categories of objectives of __ control are reporting, operations, and compliance.
internal
The traditional method of describing internal control is to complete a(n) ______.
internal control questionnaire
Internal auditors monitor ______.
management; branches; departments
An accounting information system should ______.
measure the proper value of transactions; ensure transactions are recorded in the proper time period; identify and record all valid transactions
Most internal control questionnaires are designed so that a ______ answer to a question indicates a weakness in internal control.
no
Two controls that both address the existence of accounts receivable are referred to as
redundant controls
Risk assessment is management's process for
responding to risks; identifying risks; analyzing risks
To obtain an understanding of internal control auditors use
risk assessment procedures
One feature of well-designed forms and documents that can be used to control the number of documents issued and account for sequence of documents is ______.
serial numbers
The rule that management must approve all credit sales over $75,000 is an example of a(n)
specific authorization
Many CPA firms consider a(n) ______ to be more effective than the other methods for documenting their understanding of a client's accounting information system and related control activities.
systems flowchart
The foundation for the other internal control components is
the control environment
When an organization has senior management and a board of directors that establish values and expectations regarding appropriate behavior and lead by example, it is said to have a strong __ at the __.
tone at the top
Internal auditors are representatives of ______.
top management
Management's Report on Internal Control under Section 404a
• Acknowledgment of responsibility for internal control. • An assessment of internal control effectiveness as of the last day of the company's fiscal year using suitable criteria. • Support the evaluation with sufficient evidence.
Responses to high risks:
• Assigning more experienced staff or those with specialized skills. • Providing more supervision and emphasizing the need to maintain professional skepticism. • Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed. • Increasing the overall scope of audit procedures, including the nature, timing or extent.
Enterprise Risk Management (ERM)
• COSO issued a framework in 2004 (revised in 2017) on Enterprise Risk Management. It does not replace the original COSO internal control framework. • It goes beyond internal control to focus on how organizations can effectively manage risks and opportunities. • The auditing standards are still structured around the original COSO internal control framework but the risk management framework is useful in evaluating the risk assessment component of internal control.
Risk Assessment
• Clearly specify objectives to allow the identification and assessment of risks related to those objectives. • Identify and analyze risks to the achievement of its objectives to determine how they may be managed. • Consider potential fraud relating to the achievement of objectives. • Identify and assess changes that could impact internal control.
Components of Internal Control
• The Control Environment. • Risk Assessment. • Control Activities. • Information System Relevant to Financial Reporting and Communication. • Monitoring Activities.
Internal Control in the Small Company
Due to lack of employees, internal control is seldom strong in small businesses. Specific practices for small businesses: • Record all cash receipts immediately. • Deposit all cash receipts intact daily. • Make all payments by serially numbered checks, with exception of petty cash disbursements. • Reconcile bank accounts monthly and retain copies. • Use serially numbered purchase orders, invoices, and receiving reports. • Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports. • Balance subsidiary ledger with control accounts. • Prepare comparative financial statements monthly to disclose significant variations in any category of revenue or expense.
Assessing Risks at the Financial Statement Level
Examples: • Preparing the period-end financial statements, including the development of significant accounting estimates and preparation of the notes. • The selection and application of significant accounting policies. • IT general controls. • The control environment.
True or false: To assist auditors with describing internal control in their working papers, auditors typically perform a walk-through of one or two transactions.
FALSE; A walk-through is typically performed after internal control has been described in order to verify that it has been implemented.
2. Obtain an understanding of the client and its environment, including internal control
The understanding of internal control is used to help the auditors to: • Identify types of potential misstatements. • Consider factors that affect the risks of material misstatement. • Design tests of controls (when applicable) and substantive procedures. Auditors must consider all five internal control components: • Control environment. • Accounting information system. • Risk assessment. • Control activities. • Monitoring. In doing so, the auditors should also consider areas difficult to control like non-routine transactions.