Chapter 7: Internal Control

Advantages of ERM

-Aligning org's risk tolerance and strategy -Enhancing risk response decisions by focusing on best technique for managing risk -Reduce operational surprises and losses -identifying multiple and cross-enterprise risk -seizing opportunities -Improving deployment of capital

Committee of Sponsoring Organizations commissioned a study to:

-Establish common definition of internal control -Provide a stnd against which busns can assess their control systems and determine how to improve

Written narratives of IC

-describe the flow of transactions cycles, identifying the employees performing tasks, the docs prepared, division of duties

Material weakness

-reasonable possibility that a material misstatement will not be prevented or detected on a timely basis

Walk-through

-tracing one or two transactions through each step in the cycle

Violations of the FCPA can result in...

-up to $1 million fines -imprisonment

PCAOB stnds for audits on IC

1) describe integrated audit 2) requires specific requirements for audit of IC

Entity-level risks vs. transaction risks

Entity: may arise from external/internal factors Transaction: found within company; generally relate directly to finc statement assertions

Are separate evaluations monitoring activities that occur on a routine basis?

NO; nonroutine

Risk tolerance

acceptable level of variation in performance relative to the achievement of objectives

No individual should perform more than one of the functions of ____________ transactions, ____________ them, and ______________ ___________ over assets

authorizing, recording, and maintaining custody

t or f; the actg department records financial transactions and handles financial assets

false; doesn't handle the assets

t or f; in smaller organizations, auditors will focus less on substantive procedures

false; they will focus more on them

Audit procedures to test effectiveness of IC

inquiries, inspection, observation, reperformance

A well-designed organization structure provides a basis for...

planning, directing, and controlling operations

Internal control used to be considered mainly as the steps taken by a business to...

prevent fraud

Should auditors focus on substance or form of controls

substance

Are the design of a control and the implementation of a control two separate operations?

yes

When auditors communicate significant **and** material weaknesses to mgmt, is it required to be in writing?

yes

Categories of risk responses

-Avoidance, reduction, sharing (reducing likelihood by transferring risk; ex is ins.), and acceptance (when it's consistent with risk tolerance)

Corp Gov's relationship to internal control

-Broader than internal control; focuses on ethical treatment of stakeholders, compliance with laws, regulations, customary busn practices, and effective risk mgmt -**control environment is significant to corp gov**

Corrective control

-Needed to remedy material misstatements -ex: backup copies of key transactions and master files

Establishing accountability for assets

-One party holds custody of assets, one maintains an independent record, one can either be outside party or electronic device -actg records should be maintained independently of custody of related assets, should be reconciled at reasonable intervals

Basic principles of control activities

-Select activities that mitigate risks of achievement of objectives to acceptable level -Select general control activities over tech to support organizational objectives -Deploy activities through policies, establish what is expected

Service organizations and what auditors should do

-contact the organization through user entity to get info -visit the service and perform procedures about controls at service org -obtain report of a service auditor on service org

How can owner of small busn mitigate misstatements

1) reading daily cash register totals 2) reconciling monthly 3) signing all checks and cancelling supporting docs 4) approving all journal entries 5) critically reviewing comparative monthly statements of rev and expense

Risk assessment includes an expectation of the operating effectiveness of controls when:

1) substantive procedures alone do not provide sufficient appropriate audit evidence or 2) auditors wish to reduce scope of substantive procedures through tests of controls

Which type of report from service organizations (type 1 or type 2) should be provided when user auditors' risk assessment includes an expectation that controls at service org are operating effectively?

Type 2

The anti-bribery policies in the FCPA require all corporations under the SEC (regardless of whether they are international) to maintain an internal control system that:

provides reasonable assurance that: -transactions are executed with knowledge/authorization of mgmt -transactions recorded to permit prep of reliable statements/maintain accountability for assets -Access to assets is limited to authorized people -Actg records of assets compared to existing assets at reasonable intervals and action is taken for differences

Both AICPA and IAS require tests of controls to be performed at least every ________ audit, while PCAOB requires it every __________ audit

third; annual

t or f; an AIS should include a chart of accts with a detailed description of the purpose of each

true

t or f; in the 3 areas of internal control (reporting, operations, and compliance) COSO states that a series of control objectives and subobjectives exist

true

t or f; public companies are required to provide reports on internal control by both mgmt and auditors

true

Control activities

-Policies/procedures that help mitigate the risk that organization's objectives are not met

Monitoring of Controls: basic principles and definition

-Process to assess quality of IC over time -Principles: --perform ongoing monitoring evaluations to determine that everything is present/functioning --Evaluate IC deficiencies in timely manner to those responsible for taking corrective actions

Section 404 of Sarbanes Oxley

-Requires each annual report to include a report in which: 1) mgmt acknowledges its responsibilities for establishing/maintaining IC 2) providing an assessment of IC effectiveness as of the end of the most recent fiscal yr (the as-of date) Section b: requires company's auditors to attest to and report on IC (companies with over $75,000,000 mrkt capitalization)

Evaluating internal auditors

-Should assess **competence and objectivity** of internal audit function, and whether the auditors apply a **systematic and disciplined** approach to performing the work -if it's appropriately staffed, if they're adequately trained, and the policies

"Top-down" approach

-Starts at finc statements and entity-level controls, and links them to significant accts, relevant assertions, and major classes of transactions

2 types of reports the AICPA says that service auditors may provide

-Type 1: report on mgmt's description of a service org's system and suitability of design of controls -Type 2: Report of mgmt's description of a service org's system and the suitability of design **and operating effectiveness of controls**

Preventive controls

-aimed at avoiding occurrence of misstatements -ex: segregation of duties, requiring approval of period-ending journal entries -operate at individual transaction level

National Commission on Fraudulent Financial Reporting

-aka the Treadway Commission -studies the causal factors associated with fraud reporting -recommendations made: --importance of competent audit committee and active internal audit function in preventing fraud --called on sponsoring organizations to work together to integrate internal control criteria

Basic principles of control environment

-commitment of integrity and ethical values -b of d demonstrates independence from mgmt and exercises effective oversight of internal control -Effective structure, including reporting lines, and authorities and responsibilities -Commitment to attract, develop, and retain competent employees -Holding employees accountable for IC responsibilities

Factors to consider when determining whether a risk deserves special attention

-complexity of calcs -risk of fraud -selection/application of actg principles -internal & external circumstances giving rise to busn risk -recent developments in industry/economy

Which component of IC is considered the foundation for the other components?

-control environment

Mgmt letter

-deficiencies communicated to mgmt -valuable reference doc for mgmt -minimizes auditor's legal liability in the event of fraud

Significant deficiency definition

-deficiency in IC over finc reporting that is **less** severe than material weakness, yet important enough to merit attention

Detective controls

-designed to discover misstatements after they've occurred -ex: policy requiring the prep of monthly bank recs -operates at transaction level or a higher level

Systems flowchart

-divided into vertical columns representing departments -usually start in upper left-hand corner -Adv: provides clearer, more specific portrayal of client's system; updating it is easy -Disadv: IC weaknesses not identified as prominently as in questionnaires

Incompatible duties

-duties that allow an individual to both perpetrate and conceal errors or fraud

Assessing risk involves...

-evaluating likelihood of occurrence and potential impact -consideration of velocity/speed of occurrence and duration of impact of risk

Enterprise Risk Mgmt

-extends beyond IC to focus on how organization can max value for stakeholders by effectively managing all risks and opportunities

t or f; in an integrated audit, auditors have the option to test controls for a significant acct

-false; all significant accts should have test of controls

2 categories of transaction-level controls

-general control activities; ex. restrict access to tech to only authorized people -application controls

Tests of control address...

-how controls were applied, the consistency with which controls were applied, and by whom or what means the controls were applied

An AIS should include:

-identify and record valid transactions -Describe on timely basis the transactions in detail to permit proper classification -Measure value of transactions that records their monetary value in finc statements -determine time period the transactions occurred to record in right period -present properly the transactions

Fidelity bonds

-ins in which a bonding company agrees to reimburse an employer for losses attributable to theft or embezzlement by bonded employees

Transaction control activities - types

-major types: authorizations/approvals, verifications, physical controls, controls over standing data, reconciliations, and supervisory controls

Differences in auditor risk assessment vs. mgmt risk assessment

-mgmt is more into operations and compliance, with broader internal control

Decision aids for audit plan modification

-minimum audit sample sizes -checklist, standard form, or computer program that helps auditor

Who is the reconciliation process often performed by

-operations control group

Compensation committee of a company

-oversees policies and procedures for mgmt compensation to ensure that it is aligned with strategic objectives and risk appetite of organization

Types of control activities

-performance reviews, transaction processing controls, physical controls, and segregation of duties

Foreign Corrupt Practices Act

-pymts to foreign officials for the purpose of securing business are specifically prohibited for all American busns by anti-bribery provisions in the act

Compensating Control

-reduces the risk that an existing or potential control weakness will result in a misstatement -ex: small busn may not be able to segregate duties, so owner may carefully review actg records to compensate for weakness

Opinion on internal control under PCAOB

-that the company maintained, in all material respects, effective internal control over finc reporting

AIS definition

-the methods and records established to record, process, summarize, report an entity's transactions and to maintain accountability for a, l, and e.

When there is a low degree of interaction between the user entity's controls and those at the service organization, that may mean...

-the user entity's controls are adequate enough to ensure material errors/fraud are detected; when these are adequate, auditors only need to test client controls

Difference between knowing a control has been implemented and obtaining evidence on its operating effectiveness

-to perform an audit, auditors are required to determine that major controls have been implemented -they are **not** required to evaluate operating effectiveness

Finance department

-under direction of treasurer -responsible for finc operations and custody of liquid assets -activities include: planning future cash requirements, establishing customer credit policies, arranging to meet short/long-term financing needs of the busn

Auditor's responsibility with IC

-understanding IC (implementation and design), assessing risks, designing further audit procedures

Internal Control Questionnaire

-used for auditors to document their understanding of IC -usually has separate section for each transaction cycle -may provide distinction between minor and major weaknesses -Disadv: lack of flexibility

AIS: basic principles

-uses relevant info to support functioning of other IC components -Communicates internally info necessary to support functioning of other components -communicates with external parties regarding matters affecting functions of components

Deficiency in IC definition

-when design or operation of control doesn't allow mgmt in normal course of their assigned functions, to prevent/detect material misstatements on a timely basis

Sets of suitable criteria for integrated audits

1) COSO for IC audit 2) applicable finc statement framework for finc statement audit

ERM Framework components

1) Internal environment 2) Objective setting 3) Event identification (positive, neg, or both) 4) Risk assessment 5) Risk Response 6) Control activities 7) Info and communication 8) Monitoring

What steps are most directly related to IC from the auditor's 6 steps to approach a finc statement audit

1) Plan audit **2) Obtain understanding of client/environment** **3) Assess risks of misstatement/design further procedures** **4) Perform further audit procedures** 5) complete audit 6) Form opinion and issue audit report

5 Stages of IC audit

1) Plan engagement 2) Use top-down approach to identify controls 3) Test design effectiveness of IC 4) Test operating effectiveness of IC 5) Form opinion on effectiveness of IC over finc reporting

The organizational structure of an entity should separate responsibilities for:

1) authorization of transactions 2) record-keeping for transactions 3) custody of assets 4) execution of transaction should be segregated from the above 3 responsibilities

Five components of internal control

1) control environment 2) risk assessment process 3) control activities 4) information system relevant to finc reporting and communication 5) monitoring activities

External auditors may use the work of internal auditors by:

1) obtaining audit evidence by using internal auditors' work performed as part of normal responsibilities 2) using internal auditors to provide direct assistance on external audit

Practices to improve IC in small businesses

1) record all cash receipts immediately
--for over the counter collections, use registers easily visible to customers, and record register readings daily
--Prepare list of all mail remittances immediately upon opening mail, retain this list for comparison with bank deposits and cash receipt entries
2) deposit cash receipts daily
3) Make pymts by serially #'d checks
4) reconcile bank accts monthly, keep on file
5) serially #'d sales invoices, p.o.'s, receiving reports
6) issue checks to vendors only in pymt of approved invoices that have been matched to p.o.s
7) Balance subsidiary ledger with control accts; mail statements monthly
8) Prepare comparative finc statements monthly

COSO's definition of internal control

A process, effected by entity's b of d and mgmt designed to provide **reasonable assurance** regarding the achievement of objectives relating to operations, reporting and compliance

Major difference between control objectives and assertions

control objectives are broader; they relate not only to finc reporting but also to operating and compliance

General vs. specific authorization

general: criteria for accepting a certain type of transaction. ex: credit policies for new customers, then credit department can approve the transaction specific: when transactions are authorized on individual basis

If auditors wish to assess control risk at a level below max, they should...

obtain evidence of operating effectiveness of these controls

What are the 3 ways that controls over finc reporting are often classified?

preventive, detective, and corrective

Emphasis for tests of controls should be on...

the operating effectiveness of controls directly related to relevant assertions

