Audit 406 Class 9, Internal Controls in FS Audit, Ch 6: 174-201

Auditors normally use _________ to develop understanding of control activities

walkthroughs

When do auditors have to test controls?

when CR is not high

RQ 6-2 What are the potential benefits and risks to an entity's internal control from information technology? (LO 6-4)

*Benefits* •Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data. •Greater timeliness, availability, and accuracy of information. •Facilitation of data analytics for enhanced internal decision making. •Greater ability to monitor the entity's activities, policies, and procedures on a timely basis. •Greater ability to prevent or detect circumvention of controls. •Enhanced segregation of duties through security controls in applications, databases, and operating systems. *Risks* •Reliance on systems or programs that, unknown to management, inaccurately process data, process inaccurate data, or both. •Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. •Unauthorized changes to data in master files. •Unauthorized changes to systems or programs. •Failure to make necessary changes to systems or programs. •Inappropriate manual intervention. •Potential loss of data.

17 Principles of COSO

*Control Environment* Demonstrate commitment to integrity and ethical values Ensure that board exercises oversight responsibility Establish structures, reporting lines, authorities and responsibilities Demonstrate commitment to a competent workforce Hold people accountable *Risk assessment* Specify appropriate objectives Identify and analyze risks Evaluate fraud risks Identify and analyze changes that could significantly affect internal controls *Control activities* Select and develop control activities that mitigate risks Select and develop technology controls Deploy control activities through policies and procedures *Information and communication* Use relevant, quality information to support the internal control function Communicate internal control information internally Communicate internal control information externally *Monitoring* Perform ongoing or periodic evaluations of internal controls (or a combination of the two) Communicate internal control deficiencies

4 Types of Tests of Controls

*Inquiry* of appropriate entity personnel ex: inquiry of credit manager about policies for writing off uncollectible accounts *Inspection of docs*, reports, electronic files indicating the performance of the control ex: inspect bank reconciliations prepared by internal auditors *Observation* of the application of the control ex: observe how controls are applied to handling of cash to ensure proper SoD *Reperformance* of the application of the control by the auditor ex: reperform authorization control used for granting credit

RQ 6-6 Why must the auditor obtain an understanding of internal control? (LO 6-7)

*important to plan the audit to:* identify types of potential misstatement pinpoint factors affecting risk of material misstatement design tests of controls & substantive procedures may determine that an IT specialist is needed *to obtain understanding of internal controls, auditor may:* inquire of management inspect docs/reports observe entity's activities/operations trace transactions through information system

RQ 6-5 What are the major differences between a substantive strategy and a reliance strategy when the auditor considers internal control in planning an audit? (LO 6-6)

*reliance strategy*-- public must use reliance, auditor *intends to rely on & perform tests of controls*--> plan & perform ToC, sets planned CR based on those ToC, if achieved level of CR doesn't match planned level of CR then revise planned level of substantive procedures, once achieved CR=planned CR then document CR, perform substantive procedures based on level of assessed CR *substantive strategy*-- auditor *doesn't intend to rely on tests of controls only on substant proced*, sets CR at max, documents level of CR, perform substantive proced based on level of assessed CR auditing standards require some substantive evidence for all significant accounts and assertions. Thus, a *reliance strategy reduces but does not eliminate the need to gather substantive evidence*

Major Phases of the Audit

1. Client acceptance/continuance 2. Preliminary engagement activities 3. Plan the audit *4. Consider and audit internal control* 5. Audit business processes and related accounts 6. Complete the audit 7. Evaluate results and issue audit report

RQ 6-3 Describe the five components of COSO internal control (LO 6-5)

1. Control Environment--tone at the top, management's attitudes 2. Entity's Risk Assessment Process 3. Control Activities 4. Information & Communication 5. Monitoring Activities **check notes for description of each

From TPS handout: 1. When is the auditor required to test controls? 2. What is required for every audit relative to internal controls?

1. When the auditor follows a reliance strategy & controls at a public company subject to an audit of internal control over financial reporting (ICFR) are designed and assessed as effective. 2. On every audit, auditors must gain an understanding of internal controls. This is done by preparing flowcharts and narratives of processes.

COSO's Internal Control-Integrated Framework

A comprehensive framework of internal control used to assess the effectiveness of internal control over financial reporting, as well as controls over operational and compliance objectives. Designed by entity's board of directors & management Provide reasonable assurance about: 1) reliability, timeliness, transparency 2) effectiveness & efficiency of operations * safeguarded assets 3) compliance with applicable laws

Control activities related to the assertion: Classification/Presentation

Chart of accounts Internal review & verification

When to not rely on company's internal controls?

Costs outweigh benefits Controls are ineffective

Control activities related to the assertion: Authorization

General & specific authorization of transactions at important control points

Reliance Strategy --- To set control risk below high, auditor must:

Identify specific controls that will be relied upon Perform tests of the identified controls Conclude on the achieved level of CR given results of testing

Control activities related to the assertion: Accuracy

Internal verification of amounts & calculations Monthly reconciliation of subsidiary records by independent person

RQ 6-1 What are management's incentives for establishing and maintaining strong internal control? What are the auditor's main concerns with internal control? (LO 6-1)

It's *management's responsibility* to establish system of internal control to provide reasonable assurance that --assets & records properly safeguarded --information system generates reliable info for decision making Auditor's main concerns: --auditor needs assurance about safeguarded assets & info system reliability --uses risk assessment procedures to *obtain an understanding* of the entity's internal control. --these procedures help the auditor to *identify key controls*, recognize the types of *potential misstatements* that are relatively likely to arise, and *design tests of controls & substantive procedures*

Control activities related to the assertion: Completeness

Prenumbered docs that are accounted for Segregation of duties Daily/monthly reconciliation of subsidiary records w/ independent review

Control activities related to the assertion: Cutoff

Procedures for prompt recording of transactions Internal review & verification

Control activities related to the assertion: Occurrence

Segregation of duties Prenumbered docs that are accounted for Daily/monthly reconciliation of subsidiary records w/ independent review

Private company must use reliance or substantive strategy?

They have the choice

MC 6-16 After obtaining an understanding of an entity's internal control system, an auditor may set control risk at high for some assertions because the auditor (LO 6-6) a. Believes the internal controls are unlikely to be effective. b. Determines that the pertinent internal control components are not well documented. c. Performs tests of controls to restrict detection risk to an acceptable level. d. Identifies internal controls that are likely to prevent material misstatements.

a. Believes the internal controls are unlikely to be effective.

MC 6-19 Which of the following audit techniques would most likely provide an auditor with the *least* assurance about the effectiveness of the operation of a control? (LO 6-10) a. Inquiry of entity personnel. b. Reperformance of the control by the auditor. c. Observation of entity personnel. d. Walkthrough.

a. Inquiry of entity personnel.

MC 6-18 Assessing control risk below high involves all of the following except (LO 6-9) a. Identifying specific controls to rely on. b. Concluding that controls are ineffective. c. Performing tests of controls. d. Analyzing the achieved level of control risk after performing tests of controls.

b. Concluding that controls are ineffective.

MC 6-20 The highest-quality and most reliable audit evidence that segregation of duties is properly implemented is obtained by (LO 6-10) a. Inspection of documents prepared by a third party but which contain the initials of those applying entity controls. b. Observation by the auditor of the employees performing control activities. c. Inspection of a flowchart of duties performed and available personnel. d. Inquiries of employees who apply control activities.

b. Observation by the auditor of the employees performing control activities.

MC 6-22 Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee because they represent (LO 6-14) a. Disclosures of information that significantly contradict the auditor's going concern assumption. b. Material fraud or illegal acts perpetrated by high-level management. c. Significant deficiencies in the design or operation of the internal control. d. Manipulation or falsification of accounting records or documents from which financial statements are prepared.

c. Significant deficiencies in the design or operation of the internal control.

MC 6-17 Regardless of the assessed level of control risk, an auditor would perform some (LO 6-6, 6-10) a. Tests of controls to determine the effectiveness of internal controls. b. Analytical procedures to verify the design of internal controls. c. Substantive procedures to restrict detection risk for significant transaction classes. d. Dual-purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk.

c. Substantive procedures to restrict detection risk for significant transaction classes.

Of the five components of internal control, which two are most likely to be formally tested & relied on?

control activities information system (monitoring & reporting)

MC 6-12 An auditor's primary consideration regarding an entity's internal controls is whether they (LO 6-1) a. Prevent management override. b. Relate to the control environment. c. Reflect management's philosophy and operating style. d. Affect the financial statement assertions.

d. Affect the financial statement assertions.

MC 6-14 Internal control is a process designed to provide reasonable assurance regarding the achievement of which objective? (LO 6-2, 6-3) a. Effectiveness and efficiency of operations. b. Reliability of financial reporting. c. Compliance with applicable laws and regulations. d. All of the above are correct

d. All of the above are correct

MC 6-21 SOC 1, Type 2 reports issued by the service organization's auditor typically (LO 6-13) a. Provide reasonable assurance that their financial statements are free of material misstatements. b. Ensure that the entity will not have any misstatements in areas related to the service organization's activities c. Ensure that the entity is billed correctly. d. Assess whether the service organization's controls are suitably designed and operating effectively.

d. Assess whether the service organization's controls are suitably designed and operating effectively.

MC 6-13 Which of the following statements about internal control is correct? (LO 6-1, 6-7) a. A properly maintained internal control system reasonably ensures that collusion among employees cannot occur. b. The establishment and maintenance of internal control is an important responsibility of the internal auditor. c. An exceptionally strong internal control system is enough for the auditor to eliminate substantive procedures on a significant account balance. d. The cost-benefit relationship is a primary criterion that should be considered in designing an internal control system.

d. The cost-benefit relationship is a primary criterion that should be considered in designing an internal control system.

MC 6-15 Monitoring is a major component of the COSO Internal Control— Integrated Framework. Which of the following is not correct in how the company can implement the monitoring component? (LO 6-5) a. Monitoring can be an ongoing process. b. Monitoring can be conducted as a separate evaluation. c. Monitoring and other audit work conducted by internal audit staff can reduce external audit costs. d. The independent auditor can serve as part of the entity's control environment and continuous monitoring.

d. The independent auditor can serve as part of the entity's control environment and continuous monitoring.

Public company must use reliance or substantive strategy?

reliance