Day 9 Internal Control in a Financial Statement Audit - M2
ASSERTION VS CONTROL ACTIVITIES accuracy
- Internal verification of amounts and calculations - Monthly reconciliation of subsidiary records by an independent person
ASSERTION VS CONTROL ACTIVITIES cutoff
- Procedures for prompt recording of transactions - Internal review and verification
ASSERTION VS CONTROL ACTIVITIES completeness
- Segregation of duties - Prenumbered documents that are accounted for - Daily or monthly reconciliation of subsidiary records with independent review
ASSERTION VS CONTROL ACTIVITIES occurrence
- Segregation of duties - Prenumbered documents that are accounted for - Daily or monthly reconciliation of subsidiary records with independent review
ASSERTION VS CONTROL ACTIVITIES classification and presentation
- chart of accounts - internal review and verification
some tools available to auditor for documenting understanding of internal controls
- entity's procedures manual and org charts - internal control questionnaires - flowcharts - narrative description
auditor may use the following audit procedures to obtain an understanding of entity's internal control
- inquiry of appropriate management, supervisory, and staff - inspection of entity documents and reports - observation of entity activities and operations - tracing transactions through info system
if auditor already examines controls over sample of transactions at interim, how does she determine the nature and extent of audit work for the remaining period? consider these factors
- significance of assertion - evaluation of design and operation of relevant controls - results of tests of controls - length of remaining period - planned substantive procedures *** at minimum, auditor would inquire about nature and extent of changes subsequent to interim period
what are the five components of internal control
1. Control Environment 2. Risk Assessment 3. Control Activities 4. information and communication 5. monitoring
which two steps must you complete for every audit
1. develop an understanding of internal controls - this is like the D&I of internal controls, or the design and implementation 2. document the understanding of internal control
steps to deciding on whether to do a substantive or reliance strategy
1. develop understanding of internal control by
   - evaluating design of controls
   - determining if controls have been implemented
2. document understanding of internal controls
3. DECISION - does auditor intend to rely on controls?
   - no: substantive
     a. set control risk at max
     b. document level of control risk
   - yes: reliance strategy
     a. plan and perform tests of controls
     b. set control risk based on tests of controls
     c. decision: does achieved level of control risk support planned level of control risk?
        - yes: document level of control risk; perform substantive procedures based on assessed level of control risk
        - no: revise planned level of substantive procedures; document level of control risk; perform substantive procedures based on level of assessed control risk
After setting materiality, tolerable misstatement, and audit risk - what are the conceptual tools to use in an audit cycle (1-8)
1. know business, industry, and cycle (including related parties) - PHASES 1 AND 2
2. perform preliminary analytical procedures and assess IR (by account/assertion) - PHASE 3
3. Identify Key Controls (by account/assertion)
4. Assess Preliminary CR (by account/assertion)
5. if reliance strategy (i.e. CR less than 100%, not High) - Test Controls - With results, Reassess CR (by account/assertion)
6. Nature, timing and extent of Substantive Tests
7. Sample and perform Substantive Tests
8. Evaluate results and determine if there are any material errors
according to the Association of Certified Fraud Examiners, what are the three main reasons why fraud occurs
1. lack of internal controls 2. lack of management review 3. override of existing internal controls
what are the three major limitations of Entity's Internal Control
1. override of internal control by management 2. human errors or mistakes 3. collusion
how does the assurance bucket normally go
1. risk assessment procedures 2. tests of controls 3. substantive analytical procedures 4. tests of details
which of the following tests would be regarded as a test of controls? a. detailed test of items making up balance in general ledger account b. vouching inventory pricing to vendors' invoices c. test of the signatures on canceled checks to verify that signer is authorized to sign checks d. physically inspecting additions to property, plant, and equipment
ANSWER: c. test of the signatures on canceled checks to verify that signer is authorized to sign checks - a) substantive tests of balances - b) substantive tests of transactions - d) substantive tests of balances?
audit risk model
AR = RMM * DR; AR = IR * CR * DR
why must auditors obtain an understanding of internal control?
Auditing standards require auditor to obtain an understanding of five components of internal control to plan the audit - which includes knowledge about design of relevant controls and whether they have been placed in operation by the entity. Auditor uses this knowledge to · Identify the types of potential misstatement · Pinpoint the factors that affect the risk of material misstatement · Design tests of controls and substantive procedures
level of __ is used to determine scope of substantive tests
DR
T or F: auditors must gain an understanding of the internal controls for all material financial statement assertions. In addition, whenever an auditor's understanding suggests that an internal control is likely to be effective at preventing or detecting and correcting material misstatements, the auditors must also perform tests of the operating effectiveness of controls (take a reliance strategy), regardless of how efficient this approach would be.
False - control risk isn't set yet, it's just an understanding and a private company can choose to do a substantive strategy
For ____ companies subject to an audit of internal controls, the auditor will conduct an ____ audit - with the requirement to ____, ____, and ____ internal controls
For public companies subject to an audit of internal controls, the auditor will conduct an integrated audit - with the requirement to understand, assess, and test internal controls
ASSERTION VS CONTROL ACTIVITIES authorization
General and specific authorization of transactions at important control points
What does the PCAOB say about using a framework for internal controls?
PCAOB says companies need to use a framework and auditors need to judge the suitability of internal controls against an established framework developed by professions - don't have to use COSO's but 95% of companies do
difference between SOC 1 Type 1 and SOC 1 Type 2 report
SOC 1 Type 1 - report includes auditor's opinion on suitability of design of service org's controls; SOC 1 Type 2 - report includes auditor's opinion not only on suitability of design of service org's controls, but also on the operating effectiveness of those controls
what does it mean if an auditor has a SOC 1 from the service org
SOC 1 reports can be relied on by auditors of all service org's customers, making separate audit by each of those auditors unnecessary
major differences between substantive strategy and reliance strategy when auditor considers internal control in planning the audit
SUBSTANTIVE STRATEGY: When risk assessment procedures indicate controls are not properly designed or implemented, auditor will not rely on controls and set control risk at the maximum and use substantive procedures to reduce the risk of material misstatement to an acceptably low level. Assurance bucket will be filled mostly with substantive evidence. RELIANCE STRATEGY: When auditor's risk assessment procedures suggest controls are properly designed and implemented, auditor will rely on controls. If auditor wants to rely on controls, tests of controls are required to be performed to obtain audit evidence that the controls are operating effectively. Auditor will make assessment of control risk based on the results of the tests of controls
T or F: Conducting substantive procedures only at an interim date may increase the risk that material misstatements are present in the financial statements
True
T or F: Management override of internal control is one of the limitations of an entity's internal control system.
True
under what circumstances would an auditor decide not to rely on a company's internal control?
a. controls are considered to be ineffective for audit objective (CR at high or 100%) b. (For private company who has the option of choosing) when the substantive approach is considered more efficient - ex: for some accounts/assertions there may be few large transactions and it may be easier (more efficient) and effective to substantively test the large transactions than investing additional time into controls testing
Which of the following audit techniques would most likely provide an auditor with the least assurance about the effectiveness of the operations of a control a. inquiry b. reperformance of control by auditor c. observation of entity personnel d. walkthrough
a. inquiry
Which of the following statements about internal control is correct? a. the cost-benefit relationship is a primary criterion that should be considered in designing an internal control b. a properly maintained internal control system reasonably ensures that collusion among employees cannot occur c. The establishment and maintenance of internal control is an important responsibility of the internal auditor d. An exceptionally strong internal control system is enough for the auditor to eliminate substantive procedures on a significant account balance
a. the cost-benefit relationship is a primary criterion that should be considered in designing an internal control
under the reliance strategy, auditor uses tests results to assess the ___ __ of control risk
achieved level
· Auditor uses both ___ & ___ to find the level of ___ needed to bring audit risk to acceptably low level
achieved level of control risk and assessed level of inherent risk; detection risk
RQ 6-3 describe the five components of internal control: control activities
actions established by policies and procedures to help ensure management directives to mitigate risks to the achievement of objectives are carried out - performed at all levels of entity and at various stages of business process, and over the tech environment
An auditor's primary consideration regarding an entity's internal controls is whether they
affect the financial statement assertions
Internal control is a process designed to provide reasonable assurance regarding the achievement of which objective? a. Reliability of financial reporting b. Effectiveness and efficiency of operations c. Compliance with applicable laws and regulations
all of the above
analytical procedures used in planning an audit should primarily focus on identifying?
areas that may represent risks the auditor should attend to in the audit
auditor may test controls at interim date because
- assertion being tested may not be significant - control has been effective in prior years - may be more efficient to conduct tests at that time
SOC 1, Type 2 reports issued by the service org's auditor typically
assess whether the service organization's controls are suitably designed AND operating effectively
many service orgs engage an auditor to issue an ___ ___ regarding the controls they have in place over transactions that might materially impact their customers' financial reports. this is called ___
attestation report; System and Organization Controls 1 or SOC 1
Extent of auditor's understanding of control activities is a function of the ___ ___ ___
audit strategy adopted - When auditor decides to follow substantive strategy, little work is done on understanding specific control activities - When a reliance strategy is followed, auditor has to understand the control activities that relate to assertions for which a lower level of control risk is expected
Assessing control risk below high involves all of the following except a. Identifying specific controls to rely on b. determining that controls are ineffective c. Performance tests of controls d. Analyzing the achieved level of control risk after performing tests of controls
b. determining that controls are ineffective
The highest quality and most reliable audit evidence that segregation of duties is properly implemented is obtained by a. inspection of documents prepared by third party b. observation by auditor of the employees performing control activities c. inspection of flowchart of duties performed and available personnel d. inquiries of employees who apply the control activities
b. observation by auditor of the employees performing control activities
what if an entity uses a service organization
because the entity's transactions are subjected to the controls of the service org, auditor is concerned with internal control system in place at service org - thus auditor's understanding of entity's internal control components may include controls placed in operation by the entity and the service organization
After obtaining an understanding of an entity's internal control system, an auditor may set control risk at high for some assertions because the auditor
believes internal controls are unlikely to be effective
under which strategy are substantive audit procedures used? reliance or substantive?
both! just substantive requires more because there is no reliance on internal controls
Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee because they represent a. disclosures of information that significantly contradict the auditor's going concern assumption b. material fraud or illegal acts perpetrated by high-level management c. significant deficiencies in the design or operation of the internal control d. manipulation or falsification of accounting records or documents from which financial statements are prepared
c. significant deficiencies in the design or operation of the internal control
Regardless of the assessed level of control risk, an auditor would perform some a. Tests of controls to determine the effectiveness of internal controls b. Analytical procedures to verify the design of internal control c. substantive procedures to restrict detection risk for significant transaction classes d. Or dual purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk
c. substantive procedures to restrict detection risk for significant transaction classes
which of the following audit tests would be regarded as a test of controls a. detailed tests of items making up the balance in a given general ledger account b. vouching inventory pricing to vendor's invoices c. tests of signatures on cancelled checks to verify that the signer is authorized to sign checks d. physically inspecting additions to property, plant and equipment
c. tests of signatures on cancelled checks to verify that the signer is authorized to sign checks
of the five components of internal control, which two components are most likely to be formally tested and relied on? why?
- control activities - communication and information system - they both relate to specific audit objectives - the others are more likely to be overriding, company-level strengths or weaknesses that suggest we should or shouldn't look for specific controls for reducing CR and using a reliance strategy for a specific audit objective
RQ 6-3 describe the five components of internal control: control environment
control environment - set of standards, processes and structures that provide basis for internal control across org - tone at the top about importance of internal control and expected standards of conduct
what has to exist before we can use a reliance strategy?
control risk has to be less than high and we have to have an understanding of design and implementation of control
what has to exist before we can use a reliance strategy?
control risk has to be less than high, and what would allow us to do that? have an understanding of the design and implementation of the control
what three duties need to be separated in segregation of duties?
custody - authorization - recording (CAR) *just because someone might have two of those duties doesn't automatically mean they're incompatible - what is important: can they commit fraud and conceal it?
Monitoring is a major component of the COSO Internal Control-Integrated Framework. Which of the following is not correct in how the company can implement the monitoring components a. Monitoring can be an ongoing process b. Monitoring can be conducted as a separate evaluation c. Monitoring and other audit work conducted by internal audit staff can reduce external audit costs d. The independent auditor can serve as part of the entity's control environment and continuous monitoring
d. The independent auditor can serve as part of the entity's control environment and continuous monitoring
· Tests of controls directed toward the ___ of a control are concerned with evaluating whether that control is suitably designed to prevent, or detect and correct, material misstatements
effectiveness of the design
internal control system should be designed and operated to provide reasonable assurance that ___ - reasonable assurance recognizes that
entity's objectives are being achieved - cost of internal control system should not exceed benefits that are expected to be derived
When an auditor increases the assessed level of control risk from the level initially planned because tests of controls indicate that certain control procedures are not operating effectively the auditor would most likely increase the - level of inherent risk - extent of tests of controls - extent of tests of details - level of detection risk
extent of tests of details
when an auditor increases the assessed level of control risk from the level initially planned because tests of control indicate that certain control procedures are not operating effectively, the auditor would most likely increase the a. extent of tests of details b. level of inherent risk c. extent of tests of controls d. level of detection risk
extent of tests of details
T or F: auditor may not reduce control risk below high for a client that uses a service org on the basis of a service auditor's Type 2 report
false - yes they can reduce control risk below high
True or False? Auditors must gain an understanding of the internal controls for all material financial statement assertions. In addition, whenever an auditor's understanding suggests that an internal control is likely to be effective at preventing or detecting and correcting material misstatements, the auditor must also perform tests of the operating effectiveness of the controls (i.e., take a reliance strategy), regardless of how efficient this approach is.
false - you do not know control risk yet
what is required for every audit relative to internal controls - private or public, high or low control risk? how is this done?
gaining an understanding of internal controls - done by preparing flowcharts and narratives of processes
§ Purpose of COSO framework
help management better achieve the org's objectives and provide board of directors an added ability to oversee internal control
auditor uses understanding of internal controls to
- identify types of potential misstatements - pinpoint the factors that affect RMM - design tests of controls and substantive procedures
under what circumstances can we choose a reliance strategy?
if we first determine there are controls in place to prevent or detect material misstatements (proper design and implementation) - after this preliminary assessment of control risk, we have to test controls to see if they are operating effectively - thus: need proper design and implementation, then need operating effectively - it is a choice under the private company, whereas if control risk is low or moderate for a public company, you have to do a reliance strategy
if achieved control risk is higher than planned control risk - if tests of controls support planned level of control risk
increase planned substantive procedures and document revised control risk - no revisions of planned substantive procedures required
In the audit of financial statements, an auditor's primary consideration regarding an internal control policy or procedure is whether the policy or procedure
increases the likelihood that management's assertions are fairly stated
in the audit of financial statements, an auditor's primary consideration regarding an internal control policy or procedure is whether the policy or procedure?
increases the likelihood that management's assertions are fairly stated - NOT that it provides adequate safeguards over access to assets
RQ 6-3 describe the five components of internal control: information and communication
info necessary for entity to carry out internal control responsibilities in support of achievement of objectives - communication occurs internally and externally and provides org with info needed for day to day internal control activities - communication allows personnel to understand internal control responsibilities and importance of them to achieve objectives and allows for upward flow of operating info to management
what is the COSO framework to management?
it is a framework for management in establishing internal controls, and auditors use it to evaluate internal controls against the framework and see if they meet the guidelines - about 95% use COSO framework
auditors understanding of internal control is used to identify controls that are
likely to prevent, detect and correct material misstatements in specific assertions
low versus high detection risk - which is okay with doing inventory account at interim and which is okay with checking inventory at year end
low detection risk means you have a low chance of not detecting risk - so you want to do it at year end closer to year end because control risk was assessed to be high - for high detection risk, auditor can examine physical inventory at interim date because low control risk indicates little risk of material misstatement
what are three limitations on entity's internal control
- management override of internal control - human errors or mistakes - collusion
which kinds of controls are more subject to errors - manual or automated?
manual - human error
what are the two types of controls, and which are more susceptible to errors?
manual and automated controls - manual controls are more subject to errors
what does each component of the Nature, Timing and Extent of substantive tests mean?
nature = type; timing = when are we doing that test; extent = how much
do you have to follow one audit procedure only throughout entire audit?
no! can change per business process or by specific assertion within business process
are all controls pervasive
no, entity level controls are for sure but not all are
will we ever decrease the control risk from our planned control risk?
no, not in this class
in segregation of duties, if one person has two of the types of duties, does that automatically mean they're incompatible?
not exactly - what is important is this: can the employee commit fraud and conceal it?
o If ___strategy is followed, auditor may need a more detailed ___ to develop a preliminary or "planned" assessment of control risk - auditor will then plan and perform tests of controls
o If reliance strategy is followed, auditor may need a more detailed understanding of internal control to develop a preliminary or "planned" assessment of control risk - auditor will then plan and perform tests of controls
auditor may decide to follow substantive strategy for some or all assertions because of one or all of the following factors:
o Implemented controls do not pertain to assertion auditor is considering o Implemented controls are assessed as ineffective o Testing the operating effectiveness of the controls would be inefficient
a direct relationship exists between ____ (which reflect what an entity is striving to achieve), ___ (which represent what the entity needs to do in order to achieve the ____), and the ____ of the entity (the operating units, legal entities, and others)
objectives, components, objectives, structure
from the earthware case, what assertions did these two tests test? - document package includes all documents appropriate for the transaction - all documents have been stamped paid
occurrence assertion
RQ 6-3 describe the five components of internal control: monitoring
ongoing evaluations, separate evaluations or some combo used to ascertain whether each of 5 components of internal control, including controls to effect the principles within each component, are present and functioning - findings are evaluated and deficiencies communicated in a timely manner, with serious matters reported to senior management and board
· Tests of controls directed toward ___ are concerned with assessing how the control was applied, the consistency with which it was applied during the audit period, and by whom it was applied
operating effectiveness
the substantive approach is considered more efficient for a ___ company
private
what is assessing control risk
process of evaluating effectiveness of entity's internal control in preventing or detecting and correcting material misstatements in the FS
it is expected that every __ __ will follow a reliance strategy for significant account balances and assertions
public company - public company auditors must test and report on design and effectiveness over internal control over financial reporting
which companies have a choice on whether to do reliance or substantive approach
really only private companies, not public ones
the grand total of the control and substantive testing needs to result in
reasonable assurance that the financial statements are fairly stated in all material respects
which requires a deeper understanding of internal control? a substantive or reliance approach?
reliance - and it requires testing of controls to support the lower assessed level of control risk
What is the difference between a substantive strategy and a reliance strategy?
reliance strategy: - auditor intends to rely on entity's controls to reduce control risk below the maximum (less than H) - if chosen, auditor will need to plan and perform tests of controls, and controls will need to be deemed sufficiently effective to support reliance substantive strategy: - not relying on entity's internal control - control risk is at maximum (High or 100%) - must increase nature timing and extent of substantive audit procedures accordingly to lower detection risk
why must an auditor gain an understanding of internal control
required to plan the audit of financial statements, but also 1. identifies the types of potential misstatements 2. pinpoints factors that affect the risk of material misstatement 3. helps in the design of tests of controls and substantive procedures
when an auditor follows a substantive strategy, assurance bucket is filled with some evidence from ___ and extensive amount of evidence from ___
risk assessment procedures; substantive process (substantive analytical procedures and tests of details)
RQ 6-3 describe the five components of internal control: risk assessment
risk assessment process - dynamic and iterative process for identifying and analyzing risks to achieve entity's objectives, forming basis for determining how risks should be managed - management considers possible changes in external environment and within its own business model that may impede ability to achieve objectives
Analytical procedures used in planning an audit should primarily focus on identifying
risks
why would we need an internal control framework like COSO's?
so we know how to do it, gives us something to measure against
why are frauds hard to detect?
sometimes we see what we want to see
substantive procedures include
- substantive analytical procedures - tests of details (transactions and balances)
what are the potential implications of testing controls on the audit plan?
testing controls can either confirm our preliminary control risk assessment OR reveal our understanding of controls was wrong and we need a substantive approach - if we rely more on control evidence, we will have less room for other audit procedures (including substantive testing)
Definition of internal control
the method by which entity's board of directors, management, and other personnel provide reasonable assurance about the achievement of objectives in the following categories 1. reliability of financial reporting 2. effectiveness and efficiency of operations 3. compliance with applicable laws and regulations
what is the purpose of internal controls
to prevent or detect material misstatements from getting into the financial statements
control testing is generally over what?
transactions
T or F: A properly designed and functioning internal audit department is often used to "monitor" the operating effectiveness of internal control.
true
regardless of substantive or reliance strategy, auditor must always have sufficient ___ to know whether they are ___ - this knowledge includes an ___
understanding of entity's internal controls; properly designed and implemented; understanding of 5 components of internal control
Public companies will do a reliance approach and test controls unless what
unless they know controls are ineffective
checking to see whether numbers agree on an invoice and related report or purchase order and that the invoice is mathematically correct assesses what assertion of tests of balances?
valuation
when reliance strategy is chosen, will amount of assurance obtained by controls testing vary from assertion to assertion or stay constant?
vary - percentage of bucket filled with controls evidence will differ between assertions and across accounts in various business processes
what do auditors normally do to develop an understanding of control activities
walkthroughs
we document everything to show that
we did the audit in accordance with GAAP
When is the auditor required to test controls?
when auditor follows a reliance strategy (so CR is less than 100%, less than High) and when controls at a public company subject to an audit of internal control over financial reporting ICFR ARE DESIGNED AND ASSESSED AS EFFECTIVE
when will auditor choose a substantive strategy
when risk assessment procedures indicated controls are not properly designed or implemented - set control risk at max and use substantive procedures to reduce RMM to acceptably low level
when will auditor choose a reliance strategy
when risk assessment procedures suggest controls are properly designed and implemented - rely on controls - auditor MUST test controls to obtain audit evidence that controls are operating effectively - auditor makes assessment of control risk based on results of tests of controls
when would auditor assess CR as high?
when they want substantive approach
o An audit of internal control over financial reporting is required if the entity is a ___ company in such cases, significant testing of controls at interim or year end is necessary
year end
does the size of entity have an effect on internal control
yes - may be less formal in smaller entities
is substantive evidence always required?
yes, at least some for all significant accounts and assertions - thus reliance strategy reduces but does not eliminate need to gather substantive evidence
What are the potential benefits to an entity's internal control from information technology
§ Consistent app of predefined business rules and performance of complex calculations in processing large volumes of transactions or data § Greater timeliness, availability and accuracy of info § Facilitation of data analytics for enhanced internal decision making § Greater ability to monitor entity's activities, policies, and procedures on timely basis § Greater ability to prevent or detect circumvention of controls § Enhanced seg of duties through security controls in apps, databases, and operating systems
What are the potential risks to an entity's internal control from information technology
§ Reliance on systems or programs that, unknown to management, inaccurately process data, process inaccurate data or both § Unauthorized access to data that may result in destruction of data or improper changes to data, including recording of unauthorized or nonexistent transactions or inaccurate recording of transactions § Unauthorized changes to data in master files § Unauthorized changes to systems or programs § Failure to make necessary changes to systems or programs § Inappropriate manual intervention
Definition of internal control: COSO - "system of internal control is designed and carried out by an entity's board of directors, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives in the following categories
· 1. Reliability, timeliness and transparency of internal and external financial and nonfinancial reporting · 2. Effectiveness and efficiency of operations, including safeguarding of assets, and · 3. Compliance with applicable laws and regulations