Chapter 7 Audit
Which of the following would be least likely to be considered an objective of internal control?
(1) Checking the accuracy and reliability of accounting data. (2) Detecting management fraud. (3) Encouraging adherence to managerial policies. (4) Safeguarding assets. (2) is least likely, management can override (limitation)
The two types of monitoring are
(1) ongoing monitoring activities (2) separate evaluations.
The accounting department uses a manual of accounting policies and procedures. (CRIME)
Accounting information and communication system.
Management surveys customers about their satisfaction with the company's service (CRIME)
Monitoring—ongoing
Under normal circumstances, the assessment of internal control significantly reduces the cost of an audit because
a reduction in the assessed level of control risk permits the auditors to perform much less substantive procedures than would otherwise be necessary.
Corporate governance is the system
by which companies are directed and controlled
management of large public companies are required to
evaluate the company's internal control using suitable control criteria, such as COSO's integrated control framework
the approval function may be omitted in an
extremely simple transaction such as a cash sale not involving a check
Management letter serves as a useful reference document
for management in implementing improvements in internal control and may also serve to limit the auditors' liability to the client in the event the control deficiencies subsequently give rise to defalcations or other losses.
planned assessed level of control risk
for the existence of accounts receivable which requires them to test as a sample of sales transactions
Foreign Corrupt Practices Act makes
illegal payment of bribes to foreign officials -Requires an effective system of internal control (applies to public companies)
external auditors are interested primarily
in the end results of the accounting process
internal auditors are interested
in the processes themselves
The external auditors have a responsibility to
stockholders, creditors, and the public as well as to management.
The four types of control activities are
(1) performance review (2) transaction processing (3) physical controls (4) segregation of duties
404a - Management Report
-Acknowledgment of responsibility for internal control -An assessment of internal control effectiveness as of the last day of the company's fiscal -Support the evaluation with sufficient evidence using suitable criteria
Responses to high risk at the financial statements level
-Assigning more experience staff or those with specialized skills -Providing more supervision and emphasizing the need to maintain professional skepticism -Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed -Increasing the overall scope of audit procedures, including the nature, timing or extent
Procedures to obtain an understanding
-Inquiring of entity personnel -Observing the application of specific controls -Inspecting documents and reports -Tracing transactions through the information system relevant to financial reporting (System Walkthrough) -May also obtain evidence on operating effectiveness of various controls
At least three employees or departments should usually participate in each transaction to achieve strong internal control
-One employee approves the transaction after determining that the details conform to company policies -Another employee records the transaction in the accounting records -Third employee executes the transaction by releasing and/or taking custody of the related assets
Control Activities
-Performance reviews -Transaction control activities -Physical controls -Segregation of duties (authorization, recording, and custody of assets)
Example of ongoing monitoring activities include
-monitoring of customer complaints -reviewing reasonableness of management reports
The primary objective of the internal auditor is
1) Aid corporate management in efficient administration by investigating and reporting upon compliance with company policies 2) Reliability of accounting and statistical records and reports 3) Adequacy of internal control 4) Efficiency of operating procedures 5) Effectiveness of performance in all areas of operation.
Factors that result in increased financial reporting risk are
1) Changes in organizations environment 2) Changes in personnel 3) New information system 4) Rapid growth of the organization 5) Changes in technology 6) New lines of business, products, or processes 7) Corporate restructure 8) Expansion or acquisition of foreign operations 9) New or change in accounting principles
The two subsections of Section 404 of the Sarbanes-Oxley Act are
404a - management 404b - auditor
Preventive
Aimed at avoiding the occurrence of misstatements in the financial statements Example: Segregation of duties
Components of Internal Control
CRIME
Controls overlap
Complementary - function together Redundant - address same assertion or control objective Compensating - reduces risk existing weakness will result in misstatement
Entry into the warehouse is strictly controlled by security personnel. (CRIME)
Control activities—physical controls.
preventive (P), detective (D), or corrective (C). Annual physical inventory. Monthly reconciliation of bank accounts. Segregation of duties over purchasing. Supervisory approval of time cards. Dual signatures for checks. Adjustment of perpetual inventory records to physical counts. Management review of budget/actual information. Internal audits of payroll.
D D P P P C D D
Service organizations example
Outsource processing of payroll or Internet sales; storage of data and records in the service organization's Cloud
Separate evaluations
Periodic audits by internal audit
Management periodically evaluates the threats to preparing reliable financial statements. (CRIME)
Risk assessment
At the completion of the audit, the auditors are least likely to know: (1) The assessed level of control risk. (2) The planned assessed level of control risk. (3) Actual control risk. (4) The scope of tests of controls.
The auditors never know the exact control risk involved—they always simply have an estimate of it.
Which of the following is least likely to be a test of controls? (1) Inquiries of client personnel. (2) Inspection of documents. (3) Observation of confirmations. (4) Reperformance of controls.
While tests of controls involve, inquiry, inspection, observation and re-performance, "observation of confirmations" doesn't have a clear meaning.
Key factors in protecting a business against losses through embezzlement include
adequate internal control, fidelity bonds, and regular audits by independent public accountants
The risk assessment component of internal control relates to the factors that
affect the risk that the organization's reporting objectives will not be achieved
Performance reviews provide management with
an overall indication of whether personnel at various levels are effectively pursuing the objectives of the organization.
firm policies, and "decision aids" or guides assist
auditors in gathering relevant information or combining the information to make decisions about the nature, timing, and extent of substantive procedures.
In conducting audits, internal auditors appraise
company policies, organization, records, and performance, whereas external auditors are essentially concerned with the verification of data affecting the financial statements. Internal auditors are charged with the responsibility of seeing that company accounting policies are being followed
flowcharting has become the most widely used method of
describing internal control in audit working papers
Estimation transactions
determining the allowance for doubtful accounts
COSO Framework
internal control and enterprise risk management
COSO has issued frameworks on both
internal control and enterprise risk management
Internal control
is a process designed to provided reasonable assurance of objectives in 1)operations, 2) reporting, 3) compliance
revised assessed level of control risk
is the level of risk based on the additional tests of controls performed to evaluate control risk for an assertion
Internal control has such other important objectives as assuring the
reliability of accounting data and other types of information needed by management for effective direction of business
An awareness of risk assessment contributes to internal control because management's consideration of the possibility that
reports (including financial statements) may be misstated decreases the likelihood of misstatement.
Section 404b
requires auditors of certain companies to attest to, and report on, internal control over financial reporting.
The major limitations of internal controls include:
(1) Errors in decisions may occur in designing, maintaining, or monitoring controls. (2) Mistakes may be made in the performance of controls as a result of misunderstanding of instructions, mistakes of judgments, carelessness, distraction, or fatigue. (3) Top management can override internal control. (4) Control activities dependent upon separation of duties may be circumvented by collusion among employees. (5) Design of controls is subject to cost-benefit considerations.
The five stages of an audit of internal control performed in accordance with PCAOB requirements are:
(1) Plan the engagement. (2) Obtain an understanding of internal control over financial reporting (internal control). (3) Test and evaluate design effectiveness of internal control. (4) Test and evaluate operating effectiveness of internal control. (5) Form an opinion on the effectiveness of internal control over financial reporting.
The auditors' understanding of the entity and its environment, including internal control allows them to
(1) assess the risks of material misstatements of the financial statements (2) design the nature, timing and extent of further audit procedures.
Risk Assessment
-Clearly specify objectives to allow the identification and assessment of risks related to those objectives. -Identify and analyze risks to the achievement of its objectives to determine how they may be managed. -Consider potential fraud relating to the achievement of objectives. -Identify and assess changes that could impact internal control.
Control Environment
-Commitment to integrity and ethical values. -Board of directors demonstrates independence from management and exercises oversight of internal control. -Establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities. -Commitment to attract, develop, and retain competent employees. -Holding employees accountable for internal control responsibilities.
Auditors should obtain understanding of the outsourced function by following one or more of:
-Contacting service organization to obtain information -Visiting service organization an performing necessary procedures -Obtaining a report from the auditors of the service organization
Ongoing monitoring activities
-Continuous monitoring of customer complaints -Management review control in which the Controller reviews gross profit on revenue transactions for unusual relationships
Responses to risk at the Assertion Level
-Decisions are made here as to the appropriate combination of tests of controls and substantive procedures that respond specifically to the risk
Area of reporting
-Detailed level applied to accounts receivable sub-objectives -All goods shipped are accurately billed in the proper period -Invoices are accurately recorded for all authorized shipments and only for such shipments -Authorized and only authorized sales returns and allowances are accurately recorded -The continued completeness and accuracy of accounts receivable is ensured -Accounts receivable records are safeguarded
Limitations of Internal Control
-Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc. -Controls that depend on the segregation of duties may be circumvented by collusion -Management may override internal controls -Compliance may deteriorate over time
Assessing Risks at the Assertion Level example
-Failure to recognize an impairment losses on a long-lived assets affects only the valuation assertion -Inaccurate counting of inventory at year-end affects the valuation of inventory and the accuracy of cost of goods sold
Test of controls address
-How controls were applied -The consistency with which controls were applied -By whom -By what means (e.g., electronically) the controls were applied
Objectives of an accounting system
-Identify and record valid transactions -Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions -Measure the value of transactions appropriately -Determine the time period in which the transactions occurred to permit recording in the proper period -Present properly the transactions and related disclosures in the financial statement
Test of controls approach
-Identify controls likely to prevent or detect material misstatements -Perform tests of controls to determine whether they are operating effectively
Assess the risks of material misstatement include
-Identify risks while obtaining an understanding of the client and its environment, including its internal control -Relate the identified risks to what can go wrong at the relevant assertion level -Consider whether the risks are of a magnitude that could result in a material misstatement -Consider the likelihood that the risks could result in a material misstatement
The understanding of internal control is used to help the auditors to
-Identify types of potential misstatements -Consider factors that affect the risks of material misstatement -Design tests of controls (when applicable) and substantive procedures
Test of controls include
-Inquiries of appropriate client personnel -Inspection of documents and reports -Observation of the application of controls -Reperformance of the controls
Control environment includes
-Integrity and ethical values -independent board of directors -effective structure (reporting lines, authorities) -commitment to attract, develop, and retain employees -employee accountability
Assessing risk at the financial statements level examples
-Preparing the period-end financial statements, including the development of significant accounting estimates and preparation of the notes -The selection and application of significant accounting policies -IT general controls -The control environment
Due to lack of employees, internal control is seldom strong in small businesses. Specific practices for small businesses:
-Record all cash receipts immediately -Deposit all cash receipts intact daily -Make all payments by serially numbered checks, with exception of petty cash disbursements -Reconcile bank accounts monthly and retain copies -Use serially numbered purchase orders, invoices, and receiving reports -Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports -Balance subsidiary ledger with control accounts -Prepare comparative financial statements monthly to disclose significant variations in any category of revenue or expense
The use of a flowchart in documenting internal control offers the advantage of
-a graphic presentation of a system or a series of sequential processes. -It shows the steps required and the flow of forms or other documents from person to person in carrying out the function depicted -avoids the detailed study of written descriptions of procedures without sacrificing the CPAs' ability to appraise the effectiveness of controls under review
Transaction processing controls are performed to check the
-completeness, -validity -authorization of transactions.
The primary objective of the external (independent) auditors is to
1) Determine whether the financial statements fairly reflect the financial position 2) operating results 3) Cash flows of the business
Five major objectives of an accounting information system:
1) Identify and record all valid transactions 2) Describe on a timely basis the transactions in sufficient detail to permit proper classification 3) Measure the value that records in monetary value 4) Determine the time period in which transactions occurred to recording in the proper accounting period 5) Properly present the transactions and related disclosures
Deficiency in Internal Control
1) Less than Significant 2) Significant Deficiency 3) Material Weakness
Work of Internal Auditors may be used in two ways:
1) Obtaining audit evidence by using the internal auditors' work performed as a part of their normal responsibilities 2) Using internal auditors to provide direct assistance on the external audit.
Monitoring
1) Ongoing monitoring activities -Regularly performed supervisory and management activities 2) Separate evaluations -Performed on nonroutine basis
Documenting the Understanding of Internal Control
1) Questionnaires -Typically standardized by firm or industry 2) Written Narratives -Memos that describe flow of transactions and controls 3) Flowcharts
CPA firms attempt to reduce inconsistencies in judgments by developing
1) firm policies 2) "decision aids" or guides
Among the sources of information which auditors may use in preparing a working paper description of internal control are:
1) organization charts 2) charts of accounts 3) job descriptions 4) interviews and discussions with officers and employees 5) reports of internal auditors 6) accounting reports and records 7) inspection of facilities 8) working papers and reports from prior examinations.
Corporate governance includes
1) policies 2) procedures 3) mechanism Established to ensure that the company operates in the best interests of its major stakeholders and society as a whole
Documentation is usually in the form of
1)flowcharts 2)questionnaire3)written narratives of the system.
1. Compensating control 2. Complementary control 3. Corrective control 4. Deficiency in internal control 5. Material weakness in internal control 6. Walk-through 7. Transaction cycle
1. A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective 2. A control that functions together with another control to achieve the same control objective 3. A control established to remedy misstatements that are discovered 4. A situation in which a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis 5. A deficiency in internal control such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis 6. A procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records 7. The sequence of procedures applied by the client in processing a particular type of recurring transaction
Five components of internal controls (CRIME)
1. Control activities 2. Risk assessment 3. Information 4. Monitoring 5. Control Environment
Controls Over Accounting Estimates:
1. Control environment policies and procedures that encourage proper estimates. 2. Risk assessment consideration of the risks of inaccurate accounting estimates. 3. Policies that ensure that qualified personnel are involved in developing the estimates. 4. Policies and procedures that ensure that relevant, sufficient and reliable data is considered in the development of the estimates, and the model used is appropriate. 5. Management review of sources of data, processes used to develop the assumptions, changes in the methods used, and the reasonableness of assumptions and estimates. 6. Policies to ensure use of the work of specialists when considered necessary. 7. Policies to improve estimation processes by comparison of prior estimates with subsequent results.
AICPA document on Antifraud Programs and Control Measures:
1. Create and maintain a culture of honesty and high ethics § Set tone at the top § Create a positive workplace environment § Hire and promote appropriate employees § Properly train employees § Discipline 2. Evaluate the risks of fraud and implement processes, procedures, and controls to mitigate those risks § Identify and measure fraud risks § Mitigate fraud risks § Implement and monitor controls and other measures 3. Develop an appropriate oversight process
Overall approach of an audit
1. Plan the audit 2. Obtain an understanding of the client and its environment, including internal control 3. Assess the risks of material misstatement and design further audit procedures 4. Perform further audit procedures 5. Complete the audit 6. Form an opinion and issue the audit report -Steps 2-4 relate to internal control of financial statement audits
1. Control environment 2. Less severe than a material weakness 3. Monitoring 4. Performance review 5. Walk-through 6. Reasonable assurance 7. Flowchart 8. Risk assessment 9. Operating effectiveness 10. Control activities
1. Tone at the top 2. Significant deficiency 3. Ongoing and separate evaluations 4. Comparison of actual performance to expectations 5. Determine implementation 6. Relationship of costs and benefits 7. Relationship of costs and benefits 8. Risk responses 9. Test of controls 10. Policies and procedures to mitigate risk
Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes? (1) Checklist. (2) Confirmation. (3) Flowchart. (4) Questionnaire.
A confirmation is designed to obtain evidence from a third-party. It is not used to document internal control.
An auditor may compensate for a weakness in internal control by increasing the extent of: (1) Tests of controls. (2) Detection risk. (3) Substantive tests of details. (4) Inherent risk.
An increase in the substantive procedures will decrease detection risk, and thereby compensate for the increased level of control risk due to a weakness in internal control. Answer (1) is incorrect because if the weakness exists, increasing the extent of tests will only provide more evidence on the weakness—not evidence that compensates for the weakness. Answers (2) and (4) are incorrect because a decrease in detection risk or inherent risk, not an increase, would compensate. Also, in the case of inherent risk, it may not be possible to change the assessment since it is a function of the firm's environment.
Tests of controls do not address: (1) How controls were applied. (2) How controls were originated. (3) The consistency with which controls were applied. (4) By what means the controls were applied
Auditors are not in general concerned with how controls originated
A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with: (1) Knowledge necessary to determine the nature, timing, and extent of further audit procedures. (2) Audit evidence to use in reducing detection risk. (3) A basis for modifying tests of controls. (4) An evaluation of the consistency of applicatio
Because the auditors' purposes are for considering internal control, and to obtain the necessary knowledge to (a) assess the risks of material misstatement, and (b) to determine the nature, timing, and extent of the tests to be performed, answer (1) is correct
Corporate governance is not only concerned with the effectiveness of financial reporting
But it also encompasses 1) ethical treatment of major stakeholders 2) compliance with laws, regulations, 3) customary business practices and effective risk management
Management compares actual performance with budgets and forecasts. (CRIME)
Control activities—performance reviews
Invoices are reviewed for accuracy before they are mailed to customers. (CRIME)
Control activities—transaction processing (or application) control.
The controls over the development of significant accounting estimates include:
Control environment policies and procedures that encourage proper estimates. (2) Policies that ensure that qualified personnel are involved in developing the estimates. (1) Policies and procedures that ensure that relevant, sufficient and reliable data is considered in the development of the estimates, and the model used can produce estimates consistent with the financial reporting framework (e.g., generally accepted accounting principles). (4) Management review of sources of data, processes used to development the assumptions, changes in the methods used, and the reasonableness of assumptions and estimates. (5) Policies to ensure consideration of the need to use the work of specialists. (6)Policies to improve estimation processes by comparison of prior estimates with subsequent results.
The human resources department investigates the educational background of prospective employees. (CRIME)
Control environment—commitment to attract, develop and retain competent employees
Management has prepared and distributed an organizational chart. (CRIME)
Control environment—effective structure, reporting lines, and authority and responsibility.
Management has developed and distributed a code of conduct. (CRIME)
Control environment—integrity and ethical values
Detective
Designed to discover misstatements after they have occurred Example: Monthly bank reconciliations
When the auditors are performing a first-time internal control audit in accordance with the Sarbanes-Oxley Act and PCAOB standards, they should: (1) Modify their report for any significant deficiencies identified. (2) Use a "bottom-up" approach to identify controls to test. (3) Test controls for all significant accounts. (4) Perform a separate assessment of controls over operations.
In an audit of internal control performed under PCAOB standards the auditors must test controls for all significant accounts.
Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by: (1) Employment of temporary personnel to aid in the separation of duties. (2) Direct participation by the owner in key record-keeping and control activities of the business. (3) Engaging a CPA to perform monthly write-up work. (4) Delegation of full, clear-cut responsibility for a separate major transaction cycle to each employee.
Involvement of the owner in key control functions should be a major step toward preventing material errors or defalcations. Answer (1) would not be cost-effective. Answer (3) would provide some measure of control, but not as much as would daily participation by the owner. If it were feasible to hire additional employees, it would be cheaper to hire permanent employees rather than temporary. The need for internal control is permanent. Answer (4) would weaken, not strengthen internal control.
To have an adequate basis to issue a management report on internal control under Section 404(a) of the Sarbanes-Oxley Act, management must do all of the following, except: (1) Establish internal control with no material weakness. (2) Accept responsibility for the effectiveness of internal control. (3) Evaluate the effectiveness of internal control using suitable control criteria. (4) Support the evaluation with sufficient evidence.
Management may issue a report on internal control regardless of whether the system has a material weakness.
An entity's ongoing monitoring activities often include: (1) Periodic audits by internal auditors. (2) The audit of the annual financial statements. (3) Approval of cash disbursements. (4) Management review of weekly performance reports.
Management review of weekly performance reports is an ongoing monitoring activity that may detect errors or fraud. Answer (1) is incorrect because while periodic audits by internal audit represent a monitoring activity, they are best classified as separate evaluations, and not ongoing monitoring activities. Answer (2) is incorrect because the audit of the annual financial statements is the function of the external auditors. Answer (3) is incorrect because approvals of cash disbursements represent a control activity.
Type 1
Management's description of the system and the auditor's assessment of the suitability of the design of controls
Type 2
Management's description of the system and the auditor's assessment of the suitability of the design of controls plus assurance on the operating effectiveness of controls
The internal auditors periodically evaluate the controls in the various departments of the company (CRIME)
Monitoring—separate evaluations.
Corrective
Needed to remedy the situation uncovered by detective controls Example: Backups of master file used to reconstruct erroneous records
Foreign Corrupt Practices Act
Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business
Controls over financial reporting are often classified as preventative, detective, or corrective. Which of the following is an example of a detective control? (1) Segregation of duties over cash disbursements. (2) Requiring approval of purchase transactions. (3) Preparing bank reconciliations. (4) Maintaining backup copies of key transactions.
Preparing bank reconciliations will detect a variety of misstatements related to cash and is a detective control in the sense that it does not prevent the misstatement from occurring, but may detect it. Answers (1) and (2) are incorrect because segregating duties and requiring approvals are primarily designed to prevent misstatements. Answer (4) is incorrect because the primary purpose of keeping backup copies of key transactions (or all transactions) is prevent loss of information in the event of an information system failure.
Classification of Controls over Financial Reporting:
Preventive Detective Corrective Controls overlap
The auditors test the controls over the development of accounting estimates may include:
Review and test environment policies and procedures that communicate the need to develop proper estimates. (2) Review the documentation of the qualifications of individuals involved in developing accounting estimates. (3) Review the documentation of managements policies regarding the data considered in the development of estimates. (4) Consider the relevance and completeness of data used to develop estimates. (5) Test the control procedures over the accuracy of the data used to develop estimates. (6) Review documentation of management's consideration of the use of specialists to assist in the development of the estimates. (7) Review and test management's documentation of comparisons of prior estimates to subsequent results.
Tests of controls ordinarily are designed to provide evidence of: (1) Balance correctness. (2) Control implementation. (3) Disclosure adequacy. (4) Operating effectiveness.
Tests of controls address operating effectiveness of controls.
When a CPA decides that the work performed by internal auditors may have an effect on the nature, timing, and extent of the CPA's procedures, the CPA should consider the competence and objectivity of the internal auditors. Relative to objectivity, the CPA should: (1) Consider the organizational level to which the internal auditors report the results of their work. (2) Review the internal auditors' work. (3) Consider the qualifications of the internal audit staff. (4) Review the training program in effect for the internal audit staff.
The internal auditors' objectivity refers to their relative independence from the organizational units they have been evaluating. This may best be determined by considering the organizational level to which the internal auditors report. The other answers address the issues of the internal auditors' competence, not objectivity.
The preliminary assessments of control risk are often referred to as: (1) The assessed level of control risk. (2) The planned assessed level of control risk. (3) Control risk. (4) Internal control objectives risk.
The planned assessed level of control risk is determined during planning.
404b- Auditor
This section applies to public companies with a market capitalization of $75 million or more. For those companies, the auditors audit internal control as a part of an integrated audit. In doing so auditors: -Plan the engagement -Use a top-down approach to identify the controls to test -Test and evaluate design effectiveness of internal control -Test and evaluate operating effectiveness of internal control -Form an opinion on effectiveness of internal control over financial reporting
Types of service audit reports
Type 1 and Type 2
User auditor
Uses that report
The external auditors should consider the work of the internal auditors
as a portion of the control environment of internal control
The actual level of control risk for existence of receivables is,
as always, at an unknown level.
independent record holds the personnel of a custodial department accountable for
assets entrusted to their care
The overall auditing objective of the internal auditors is to
assist management in achieving the most efficient administration of the operations of organization
the comprehensive list of questions provides
assurance of complete coverage of significant control areas
Physical controls contribute by
assuring physical security over both records and other assets
Assuming that the general category of transaction has already been authorized by top management
at least three employees or departments should usually participate in each transaction to achieve strong internal control.
Control is more effective if the employees are
competent in performing their duties
The effectiveness of internal control depends
directly on the integrity and ethical values of the personnel responsible for creating, administering, and monitoring control of the organization.
The primary advantage of the internal control questionnaire
is that control weaknesses, including the absence of controls, are prominently identified by the "no" answers. Another advantage of the questionnaire is its simplicity
Control risk
is the actual, but unknown, level of risk pertaining to an assertion
Planned assessed level of control risk
is the level the auditors intend to use in performing the audit for a particular financial statement assertion
A management letter
is the written report to the client describing such deficiencies, along with the auditors' recommendations for corrective action.
Auditors consider internal control because
its quality has a major effect on the nature, timing, and extent of the audit procedures necessary to complete the audit
Public companies are required to
maintain effective internal control
In obtaining an understanding auditors
must consider all 5 components of internal controls (CRIME)
Auditors may forego tests of controls if they conclude that controls are so weak as to provide
no basis for assessing control risk at a level lower than the maximum.
The primary auditing objective of the external auditors is to
obtain sufficient appropriate evidence to express an opinion as to the fairness of the financial statements in accordance with generally accepted accounting principles. A secondary objective is to determine that the client recognizes the objectives
The external auditors may use the work of the internal auditors in
obtaining audit evidence, or they may use the internal auditors to provide direct assistance under direction, supervision, and review of the external auditors.
If the custodial department maintained the accounting records
opportunity would exist for that department to conceal its errors or shortages by manipulating the records
The board of directors oversees
oversees the quality of the organization's financial reporting, and acts as a deterrent to management override of controls and management fraud
Example of separate evaluations include
periodic audits by the internal auditors
Top level objective
prepare and issue reliable financial information
Separating record keeping from custody of the related assets
provides an independently maintained record that may periodically be reconciled with assets on hand
Service auditor
provides examination of service organizations controls
Performance reviews contribute to internal controls by
providing management with an overall indication of whether personnel at various levels are effectively pursuing the objectives of the organization
Segregation of duties
reduces the opportunities for any one person to both perpetuate and conceal errors or irregularities
Routine transactions
regular revenue, purchases, and cash receipts and disbursements -Have the strongest controls
Ongoing monitoring activities include
regularly performed supervisory and management activities, such as continuous monitoring of customer complaints, transactions, or reviewing the reasonableness of management reports
Section 404a
requires each annual report filed with the SEC to include a report in which management: (1) acknowledges its responsibility for establishing and maintaining adequate internal control over financial reporting (2) provides an assessment of internal control effectiveness as of the end of the most recent fiscal year.
the working paper description is
tailor-made for each engagement and thus offers flexibility in its design and application
Non-routine transactions
taking of inventory, calculating depreciation expense
Separate evaluations are monitoring activities
that are performed on a nonroutine basis, such as periodic audits by the internal auditors.
Based on the results of the tests of controls for sales, the auditors may arrive at an revised assessed level of control risk
that is either higher or lower than the level planned
The internal auditors are also a monitoring control
that serves as the eyes and ears of the audit committee of the board of directors. They help assure that management does not override other internal controls.
Even though internal control appears to be strong
the auditors are required to conduct tests of controls
During their consideration of internal control
the auditors will inevitably encounter some deficiencies that should be brought to the attention of management
To effectively exercise oversight
the board must be independent
Internal control is effected by
the board of directors, management, and other personnel
For a questionnaire, If the questions have been predetermined, as is usual, the auditors' responsibility includes
the completion of the questionnaire with yes-or-no answers, and written explanations are required only for the "no" or unfavorable answers.
An advantage of the written narrative approach in reviewing internal control is that
the description is designed to explain the precise controls applicable to each examination. A second advantage is that its preparation normally requires a penetrating analysis of the client's system
An assessment of internal control by the auditors is a prerequisite to
the determination of the nature, timing, and extent of the further audit procedures necessary to express an opinion on the financial statements
After evaluating the competence, objective, and disciplined approach of the internal auditors
the external auditors will determine the extent to which the work of the internal auditors may be used in determining the nature, timing, and extent of their testing
When internal controls are weak or absent
the losses from waste and inefficiency are apt to be far greater than losses from dishonest acts by employees.
In requiring a written description of the flow of transactions, records maintained, and the division of responsibilities, the memorandum method
the memorandum method minimizes the tendency to perform a perfunctory review.
The results of the tests of controls are used to determine
the nature, timing and extent of substantive procedures
Tests of controls are efficient auditing procedures when
the reduction in the substantive procedures that results from a lower assessed level of control risk exceeds the amount of work involved in performing the tests of controls.
A Type 2 report may provide
the user auditor with a basis for assessing control risk below the maximum
If the safeguarding of company assets were the only objective of internal control
then some basis might exist for the argument that the bonding of employees was an acceptable substitute for good internal control practices
Transaction processing controls are designed
to check the completeness, validity and authorization of transactions