Chapter 7
The more frequently a control operates, the _____ it should be tested, and controls that are more critical should be tested ______.
1. More often 2. More extensively
A company's commitment to integrity and ethical values are communicated through ____ and emphasized through ____
1. The organization's standards of conduct 2. Directives, actions, and behavior
Fidelity Bonds
A form of insurance in which a bonding company agrees to reimburse an employer, within limits, for losses attributable to theft or embezzlement by bonded employees
Monitoring controls
A process to assess the quality of internal control performance over time
Systems Flowchart
A symbolic representation of a system or a series of procedures with each procedure shown in sequence
Corporate governance is primarily concerned with
Controlling management and providing incentives for appropriate management behavior
Redundant Controls
Controls that address the same financial statement assertion or control objective
Transaction-level risks
Found within divisions, operating units, or functions of the organization
Payroll Cycle
Hiring, terminating and determining pay rates; timekeeping; computing gross payroll, payroll taxes, and amounts withheld from gross pay; maintaining payroll records; and preparing and distributing paychecks
Disadvantage of flowcharts
Internal control weaknesses are not identified as prominently as in questionnaires
Examples of work that should not be assigned to internal auditors
Making inquires of management related to the identification of fraud risks and determining the procedures to respond to such risks
Written narratives of internal control
Memoranda that describe the flow of transaction cycles, identifying the employees performing various tasks, the documents prepared, the records maintained, and the division of duties
Revenue Cycle
Obtaining orders from customers, approving credit, shipping merchandise, preparing sales invoices, recording revenue and accounts receivable, and handling and recording cash
The Foreign Corrupt Practices Act prohibits what?
Payments to foreign officials for the purpose of securing business
Control activities
Policies and procedures that help mitigate the risk that the organization's objectives are not met
Avoidance
Response involves exiting the activity that gives rise to the risk
Sharing
Response involves reducing risk likelihood or impact by transferring or sharing a portion of the risk. Techniques include: insurance, hedging, and outsourcing
Management should establish, with the board of director oversight, an effective organizational structure to properly
Separate authority, reporting lines, and responsibilities of the various positions within the organization
Conversion Cycle
Storing materials, placing materials into production, assigning production costs to inventories, and accounting for the cost of goods sold
For assertions with a high risk of material misstatement, the auditors will plan _______ procedures.
Substantial substantive
Timing of the performance of tests of controls depends on
The auditor's objectives
Who should hold the CEO accountable regarding a company's internal control policies and achievements
The board of directors
Tests of controls focus on
the operation of controls rather than on the accuracy of financial statement amounts
In performing effective risk assessment, organizations should
1. Clearly specify objectives to allow the identification and assessment of risks related to those objectives 2. Identify and analyze risks to the achievement of its objectives to determine how they may be managed 3. Consider potential fraud relating to the achievement of objectives 4. Identify and assess changes that could impact internal control
Finance Department
1. Under the direction of the treasurer 2. Responsible for financial operations and custody of liquid assets 3. Activities include: planning future cash requirements, establishing customer credit policies, and arranging to meet the short and long term financing needs of the business 4. Has custody of bank accounts and other liquid assets, invests idle cash, handles cash receipts, and makes cash disbursements
Investing Cycle
Authorizing, executing, and recording transactions involving investments in fixed assets and securities
Auditor's risk assessment is primarily concerned with
Evaluating the likelihood of material misstatements in the financial statements
Acceptance
Response involves taking no action because the risk is consistent with the risk tolerance of the organization
Types of reports that service auditors may provide
1. A report on a management's description of a service organization's systems and the suitability of the design of controls 2. A report on a management's description of a service organization's system and the suitability of the design AND operating effectiveness of controls
Preventive Controls
1. Aimed at avoiding the occurrence of misstatements in the financial statements 2. Ex: Segregation of duties and requiring approval of period-ending journal entries
Potential benefits of an Enterprise Risk Management System include
1. Aligning the organization's risk tolerance, strategy, and its operations 2. Identifying and managing both single and multiple risks, entity-wide and lower level risks 3. Reducing operational surprises and losses 4. Reducing performance variability 5. Identifying opportunities 6. Improving the deployment of capital
Control objectives, regarding sales transactions, established by COSO
1. All sales transactions that occur are recorded on a timely basis 2. Sales transactions are recorded at correct amounts in the right accounts 3. Sales transactions are accurately and completely summarized in the company's books and records 4. Presentation and disclosures relating to sales are properly described, sorted, and classified
If external auditors decide the work of the internal auditors' is relevant and that it would be efficient to use they should
1. Assess the competence and objectivity of the internal audit function 2. Determine whether the internal auditors apply a systematic and disciplined approach to performing the work
Responses to financial statement risks
1. Assigning more experienced staff or those with specialized skills 2. Providing more supervision and emphasizing the need to maintain professional skepticism 3. Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed 4. Increasing the overall scope of audit procedures, including their nature, timing, or extent
The organizational structure of an entity should separate the responsibilities for
1. Authorization of transactions 2. Record keeping for transactions 3. Custody of assets
Risk responses include
1. Avoidance 2. Reduction 3. Sharing 4. Acceptance
Factors indicative of increased financial reporting risk
1. Changes in the organization's regulatory or operating environment 2. Changes in personnel 3. New or revamped information systems 4. Rapid growth of the organization 5. Changes in technology affecting production processes or information systems 6. New business models, products, or activities 7. Corporate restructurings 8. Expansion or acquisition of foreign operations 9. Adoption of new accounting principles or changing accounting principles
Basic principles of the control environment
1. Commitment to integrity and ethical values 2. Board of directors that demonstrates independence from management and exercises effective oversight of internal control 3. Establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities 4. Commitment to attract, develop, and retain competent employees 5. Holding employees accountable for internal control responsibilities
When determining whether an identified risk of misstatement is significant, requiring special audit consideration, the auditors consider factors such as
1. Complexity of calculations involved 2. Risk of fraud 3. Selection and application of accounting policies 4. Internal and external circumstances giving rise to business risks 5. Recent developments in the industry and economy
If auditors are unable to obtain a sufficient understanding from the user entity regarding the services provided by a service organization, they should
1. Contact the service organization to obtain specific information 2. Visit the service organization and perform necessary procedures about the relevant controls at the service organization 3. Obtain and consider the report of a service auditor on the service organization's controls
Detective Controls
1. Designed to discover misstatements after they have occurred 2. Ex: requiring the preparation of monthly bank reconciliations
The Enterprise Risk Management Framework has what five components?
1. Governance and Culture 2. Strategy and Objective-Setting 3. Performance 4. Review and Revision 5. Information, Communication, and Reporting
What do tests of controls address?
1. How controls were applied 2. The consistency with which controls were applied 3. By whom or by what means the controls were applied
An accounting information system should
1. Identify and record all valid transactions 2. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting 3. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements 4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period 5. Present properly the transactions and related disclosures in the financial statements
Audit procedures used to test the effectiveness of internal control include
1. Inquiries of appropriate client personnel 2. Inspection of documents and reports 3. Observation of the application of controls 4. Re-performance of the controls
External auditors may use the work of internal auditors in what ways?
1. Obtaining audit evidence by using the internal auditors' work performed as a part of their normal responsibilities 2. Using internal auditors to provide direct assistance on the external audit
Stages of an internal control audit
1. Plan the engagement 2. Use a top-down approach to identify controls to test 3. Test and evaluate design effectiveness of internal control 4. Test and evaluate operating effectiveness of internal control 5. Form an opinion on the effectiveness of internal control over financial reporting
Risks at the financial statement level
1. Preparation of the financial statements, including the development of significant accounting estimates and the preparation of the notes 2. Selection and application of significant accounting policies 3. IT general controls 4. The control environment
Service Organizations
1. Provide processing services to companies that decide to outsource a portion of their processing 2. Ex: A company that outsources their payroll function
Examples of internal control practices that are almost always capable of use in small businesses
1. Record all cash receipts immediately 2. Deposit all cash receipts intact daily 3. Make all payments by serially numbered checks 4. Reconcile bank accounts monthly and retain copies of the reconciliations in the files 5. Use serially numbered sales invoices, purchase orders, and receiving reports 6. Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports 7. Balance subsidiary ledger with control accounts at regular intervals and prepare and mail customers' statements monthly 8. Prepare comparative financial statements monthly in sufficient detail to disclose significant variations in any category of revenue or expense
Basic principles of control activities are that management should
1. Select and develop control activities that mitigate risks of the achievement of organization objectives to acceptable levels 2. Select and develop general control activities over technology to support organization objectives 3. Deploy control activities through policies that establish what is expected and in procedures that put policies into action
Basic principles of monitoring controls
1. Select, develop, and perform ongoing and separate monitoring evaluations to determine that the components of internal control are present and functioning 2. Evaluate and communicate internal control deficiencies in a timely manner to those responsible for taking corrective action
Five components of the internal control of an organization
1. The control environment 2. The risk assessment process 3. Control activities 4. The information system relevant to financial reporting and communication (the accounting information system) 5. The monitoring activities
In addition to documenting their overall understanding of internal control, the auditors should document
1. The overall responses to address the assessed risks of material misstatement at the financial statement level 2. The nature, timing, and extent of the further audit procedures 3. The linkage of those procedures with the assessed risks at the relevant assertion level 4. The results of the audit procedures 5. The conclusions reached with regard to the use of the current audit evidence about the operating effectiveness of controls that were obtained in a prior audit
The SEC requires that all corporations under their jurisdiction maintain a system of internal control that will provide reasonable assurance that
1. Transactions are executed with the knowledge and authorization of management 2. Transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets 3. Access to assets is limited to authorized individuals 4. Accounting records of assets are compared to existing assets at reasonable intervals and appropriate action is taken with respect to any differences
Accounting Department
1. Under the direction of the controller 2. Responsible for all accounting functions and often, the design and implementation of internal control
Corrective Control
1. Used to remedy a situation when detective controls discover a misstatement 2. Ex: maintaining backup copies of key transactions and master files to allow the correction of date entry errors
Audit Decision Aid
A checklist, standard form, or computer program that helps the auditors make a particular decision by ensuring that they consider all relevant information or by assisting them in combining the information to make the decision
Material Weakness
A deficiency in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis
Significant Deficiency
A deficiency in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting
The Committee of Sponsoring Organizations (COSO) defines internal control as
A process, effected by the entity's board of director, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
Entity-level risks
Arise from external or internal factors such as economic, regulatory, technology, and personnel factors
Supervisory Controls
Assess whether other transaction control activities are operating properly. Typically aimed at high-risk transactions
Financing Cycle
Authorizing, executing, and recording transactions involving bank loans, leases, bonds payable, and capital stock
Difference between control objectives and assertions
Control objectives are broader in that they relate not only to financial reporting but also to operations and compliance
Section 404(a) of SOX requires
Each annual report filed with the SEC include a report in which management 1. Acknowledges its responsibility for establishing and maintaining adequate internal control over financial reporting 2. Provides an assessment of internal control effectiveness as of the end of the most recent fiscal year
Acquisition Cycle
Initiating purchases of inventory, other assets, and services; placing purchase orders, inspecting good upon receipt, and preparing receiving reports; recording liabilities to vendors; authorizing payment; and making and recording cash disbursements
Internal auditors investigate and appraise
Internal control and the efficiency with which the various units of the organization are performing their assigned functions, and they report their findings and recommendations to management and the audit committee
Major instruments of corporate governance
Management compensation systems, board of directors, external auditors, internal auditors, attorneys, regulators, creditors, securities analysts, and internal control systems
Separate evaluations
Monitoring activities that are performed on a non-routine basis, such as periodical audits by the internal auditors
Internal controls vary from organization to organization based on factors like
Organization size, nature of operations, and objectives
Compensating Control
Reduces the risk that an existing or potential control weakness will result in a misstatement
Ongoing monitoring evaluations include
Regularly performed supervisory and management activities, such as continuous monitoring of customer complaints, or reviewing the reasonableness of management reports
Reduction
Response involves taking action to reduce risk likelihood or impact or both. May involve managing the risk or adding additional controls to process
For assertions with a low risk of material misstatement, the auditors will _____ for that assertion.
Restrict or possibly eliminate substantive procedures
The cost of an organization's internal control __________ exceed the benefits expected to be obtained
Should not
Risk Tolerance
The acceptable level of variation in performance relative to the achievement of objectives
Management's risk assessment is primarily concerned with
The areas of operations and compliance and internal reporting
Section 404(b) of SOX requires
The company's auditors to attest to, and report on, internal control over financial reporting
Auditors' understanding of internal control should encompass
The control environment, risk assessment, control activities, the accounting information and communication system, and monitoring
Transaction Cycle
The policies and the sequences of procedures for processing a particular type of transaction
Planned assessed level of control risk
The preliminary assessments of control risk
Corporate Governance
The set of rules, processes, and laws by which businesses are operated, regulated, and controlled
The old definition of internal control
The steps taken by a business to prevent fraud - both the misappropriation of assets and fraudulent financial reporting
How must auditors respond when a client uses the service of a service organization?
They must obtain an understanding of how the entity uses the services of the service organization, including the nature and significance of the services and the effect on internal control
If internal auditors provide direct assistance to external auditors, how should the external auditors respond?
They should direct, supervise, review, and test the work that they perform
Management review controls
Those that operate through management review of information for evidence of errors, fraud, or breakdowns in other controls
Walk-through
Tracing one or two transactions through each step in the cycle
Risk Assessment Procedures
Used to obtain an understanding of internal control and to design the nature, timing, and extent of further audit procedures
General authorization
When management establishes criteria for acceptance of a certain type of transaction
Deficiency in Internal Control
When the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect material misstatements on a timely basis
Specific authorization
When transactions are authorized on an individual basis
Internal auditors are interested in determining
Whether each branch or department has a clear understanding of its assignment; is adequately staffed; maintains good records; properly safeguards cash, inventories, and other assets; and cooperates harmoniously with other departments
