AUO1 Chap 7
Tests of controls address
(a) how controls were applied, (b) the consistency with which controls were applied, and (c) by whom or by what means the controls were applied.
Consider during risk assessment
(a) what can go wrong at the relevant assertion level, (b) whether the risks are of a magnitude that could result in a material misstatement, and (c) the likelihood that the risk could result in a material misstatement.
Corrective control
A control established to remedy control problems (e.g., misstatements) that are discovered through detective controls.
Compensating control
A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective (e.g., avoiding misstatements). They are ordinarily controls performed to detect, rather than prevent, the original misstatement from occurring.
Material weakness
A deficiency in internal control over financial reporting (or a combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis.
Significant deficiency
A deficiency in internal control over financial reporting (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
Fidelity bonds
A form of insurance in which a bonding company agrees to reimburse an employer for losses attributable to theft or embezzlement by bonded employees
Walk-through
A procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. These procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and reperformance of controls.
Internal control
A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories of (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations.
Management letter
A report to management containing the auditors' recommendations for correcting any deficiencies disclosed by the auditors' consideration of internal control. In addition to providing management with useful information, it may also help limit the auditors' liability in the event a control weakness subsequently results in a loss by the client.
Deficiency in internal control
A situation in which the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis. Includes deficiencies in design and operation.
Audit decision aid
A standard checklist, form, or computer program that assists auditors in making audit decisions by ensuring they consider all relevant information or that aids them in weighing and combining information to make a decision.
Written narrative of internal control
A written summary of internal control for inclusion in audit working papers. They are more flexible than questionnaires, but by themselves are practical only for describing relatively small, simple systems.
Integrated audit
An audit where auditors, in addition to an opinion on the financial statements, express an opinion on the effectiveness of a company's internal control over financial reporting, in accordance with PCAOB Auditing Standard No. 5. Public companies with a market capitalization of $75,000,000 or more are required to undergo these audits.
Relevant assertions
Assertions that have a meaningful bearing on whether an account balance, class of transaction, or disclosure is fairly stated. For example, valuation may not be relevant to the cash account unless currency translation is involved; however, existence and completeness are always relevant.
Incompatible duties
Assigned duties that place an individual in a position to both perpetrate and conceal errors or fraud in the normal course of job performance.
Risk assessment procedures
Audit procedures performed to obtain an understanding of the client and its environment, including its internal control. Some of the information obtained by performing these procedures may be used by the auditor as audit evidence to support assessments of the risks of material misstatement. They include (a) inquiries of management and others within the entity, (b) analytical procedures, and (c) observation and other procedures, including inquiries of others outside the entity.
Detective controls
Controls designed to discover control problems soon after they occur.
Preventive controls
Controls that deter control problems before they occur.
Complementary controls
Controls that function together to achieve the same control objective.
Internal auditors
Corporation employees who design and execute audit programs to test the effectiveness and efficiency of all aspects of internal control. The primary objective is to evaluate and improve the effectiveness and efficiency of the various operating units of an organization rather than to express an opinion as to the fairness of financial statements.
Redundant controls
Duplicate controls that achieve a control objective.
Foreign Corrupt Practices Act
Federal legislation prohibiting payments to foreign officials for the purpose of securing business. The act also requires all companies under SEC jurisdiction to maintain a system of internal control providing reasonable assurance that transactions are executed only with the knowledge and authorization of management.
Sox and PCAOB require
Large public companies have an integrated audit
Internal control questionnaire
One of several methods of describing internal control in audit working papers. They are usually designed so that "no" answers prominently identify weaknesses in internal control.
Substantive procedures (tests)
Procedures performed by the auditor to detect material misstatements in account balances, classes of transactions, and disclosures.
Tests of controls
Procedures performed by the auditor to test the operating effectiveness of controls in preventing or detecting material misstatements at the relevant assertion level. These tests are performed when the auditor's risk assessment includes an expectation of the operating effectiveness of controls, including circumstances in which planned substantive procedures alone do not provide sufficient appropriate audit evidence.
Further audit procedures
Substantive procedures for all relevant assertions and tests of controls when the auditors' risk assessment includes an expectation that controls are operating effectively.
Organizational structure
The division of authority, responsibility, and duties among members of an organization.
Planned assessed level of control risk
The level of control risk the auditors assume in designing further audit procedures, which include an appropriate combination of tests of controls and substantive procedures.
Control risk
The possibility that a material misstatement due to error or fraud in a financial statement assertion will not be prevented or detected by the client's internal control.
Perform tests of controls when
The risk assessment includes (1) substantive procedures alone do not provide sufficient appropriate audit evidence, or (2) auditors wish to reduce the scope of substantive procedures through performance of tests of controls.
Inherent risk
The risk of material misstatement of a financial statement assertion, assuming there are no related controls.
Transaction cycle
The sequence of procedures applied by the client in processing a particular type of recurring transaction. The auditors' working paper description of internal control often is organized around these.
Internal control
a process to provide reasonable assurance of (a) effectiveness and efficiency of operations, (b) reliability of financial reporting, and (c) compliance with applicable laws and regulations.
2 Integrated audit types
an audit of internal control and an audit of the financial statements
Internal control relevant to auditors
entity's ability to prepare reliable financial statements
A deficiency in operation
exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
A deficiency in design
exists when either a control necessary to meet a control objective is missing or the existing control is not designed to operate effectively.
Audit report on internal control
includes both an opinion on management's assessment of internal control and the auditors' own assessment of internal control.
Tests of controls include
inquiries of appropriate client personnel, inspection of documents and reports, observation of the application of controls, and reperformance of controls.
Auditors responsibility
obtain an understanding of internal control, assess the risks of misstatement, and design further audit procedures (tests of controls)
Risk assessment procedures
performed to obtain an understanding of the client and its environment, including internal control. Auditors then determine the appropriate further audit procedures.
Suitable criteria
standards or benchmarks used to measure and present the subject matter and against which the CPA evaluates the subject matter. They are established or developed by groups composed of experts that follow due process procedures, including exposure of the proposed criteria for public comment. They must have each of the following attributes: objectivity, measurability, completeness, and relevance.
Systems flowchart
symbolic representation of a system or series of procedures with each procedure shown in sequence. method of describing internal control in audit working papers.
5 Internal Control Components
the control environment, risk assessment, control activities, the accounting information and communication system, and monitoring
As of date
the final day of the reporting period
Assessed level of control risk
used by the auditors in determining the acceptable detection risk for a financial statement assertion and in deciding on the nature, timing, and extent of substantive procedures.