Day 9 Internal Control in a Financial Statement Audit - M2

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

ASSERTION VS CONTROL ACTIVITIES accuracy

- Internal verification of amounts and calculations - Monthly reconciliation of subsidiary records by an independent person

ASSERTION VS CONTROL ACTIVITIES cutoff

- Procedures for prompt recording of transactions - Internal review and verification

ASSERTION VS CONTROL ACTIVITIES completeness

- Segregation of duties - Prenumbered documents that are accounted for - Daily or monthly reconciliation of subsidiary records with independent review

ASSERTION VS CONTROL ACTIVITIES occurrence

- Segregation of duties - Prenumbered documents that are accounted for - Daily or monthly reconciliation of subsidiary records with independent review

ASSERTION VS CONTROL ACTIVITIES classification and presentation

- chart of accounts - internal review and verification

some tools available to auditor for documenting understanding of internal controls

- entity's procedures manual and org charts - internal control questionnaires - flowcharts - narrative description

auditor may use the following audit procedures to obtain an understanding of entity's internal control

- inquiry of appropriate management, supervisory, and staff - inspection of entity documents and reports - observation of entity activities and operations - tracing transactions through info system

if auditor already examines controls over sample of transactions at interim, how does she determine the nature and extent of audit work for the remaining period? consider these factors

- significance of assertion - evaluation of design and operation of relevant controls - results of tests of controls - length of remaining period - planned substantive procedures *** at minimum, auditor would inquire about nature and extent of changes subsequent to interim period

what are the five components of internal control

1. Control Environment 2. Risk Assessment 3. Control Activities 4. information and communication 5. monitoring

which two steps must you complete for every audit

1. develop an understanding of internal controls - this is like the D&I of internal controls, or the design and implementation 2. document the understanding of internal control

steps to deciding on whether to do a substantive or reliance strategy

1. develop understanding of internal control by - evaluating design of controls - determining if controls have been implemented 2. document understanding of intenral controls 3. DECISON - does auditor intend to rely on Controls - no: substantive - a. set control risk at max - b. document level of control risk - yes: reliance strategy - a. plan and perform tests of controls - b. set control risk based on tests of controls - c. decision: does achieved level of control risk support planned level of control risk - yes: - document level of control risk - perform substantive procedures based on assessed level of control risk - no: - revise planned level of substantive procedures - document level of control risk - perform substantive procedures based on level of assessed control risk

After setting materiality, tolerable misstatment, and audit risk - what are the conceptual tools to use in an audit cycle (1-8)

1. know business, Industry, and cycle (including related parties) - PHASES 1 AND 2 2. perform preliminary analytical procedures and asses IR (by account/assertion) - PHASE 3 3. Identify Key Controls (by account/assertion) 4. Assess Preliminary CR (by account/assertions 5. if reliance strategiy (ie. CR less than 100%, not High) - Test Controls - With results, Reassess CR (by account/assertion) 6. Nature, timing and extent of Substantive Tests 7. Sample and perform Substantive Tests 8. Evaluate results and determine if there are are any material errors

according to the Association of Certified Fraud Examiners, what are the three main reasons why fraud occurs

1. lack of internal controls 2. lack of management review 3. override of existing internal controls

what are the three major limitations of Entity's Internal Control

1. override of internal control by management 2. human errors or mistakes 3. collusion

how does the assurance bucket normally go

1. risk assessment procedures 2. tests of controls 3. substantive analytical procedures 4. tests of details

which of the following test would be regarded as a test of controls? a. detailed test of items making up balance in general ledger account b. vouching inventory pricing to vendors invoices c. test of the signatures on canceled checks to verify that singer is authorized to sing checks d. physically inspecting additions to property, plan, and equipment

ANSWER: c. test of the signatures on canceled checks to verify that singer is authorized to sing checks a) substantive tests of balances b) substantive tests of transactions d) substantive tests of balances?

audit risk model

AR = RMM * DR AR = IR * CR * DR

why must auditors obtain an understanding of internal control?

Auditing standards require auditor to obtain an understanding of five components of internal control to plan the audit - which includes knowledge about design of relevant controls and whether they have been placed in operation by the entity Auditor uses this knowledge to · Identify the types of potential misstatement · Pinpoint the factors that affect the risk of material misstatement · Design tests of controls and substantive procedures

level of __ is used to determine scope of substantive tests

DR

T or F: auditors must gain an understanding of the internal controls for all material financial statement assertions in addition, whenever an auditor's understanding suggests that an internal control is likely to be effective at preventing or detecting and correcting material misstatements, the auditors must also perform tests of the operating effectiveness of controls (take a reliance strategy), regardless of how efficient this approach would be.

False - control risk isn't set yet, its just an understanding and a private company can choose to do a substantive strategy

For ____ companies subject to an audit of internal controls, the auditor will conduct an ____ audit - with the requirement to ____, ____, and ____ internal controls

For public companies subject to an audit of internal controls, the auditor will conduct an integrated audit - with the requirement to understand, assess, and test internal controls

ASSERTION VS CONTROL ACTIVITIES authorization

General and specific authorization of transactions at important control points

What does the PCAOB say about using a framework for internal controls?

PCAOB says companies need to use a framework and auditors need to judge the suitability of internal controls against an established framework developed by professions don't have to use COSO's but 95% of companies do

difference between SOC 1 Type 1 and SOC 1 Type 2 report

SOC 1 Type 1 - report includes auditor's opinion on suitability of design of service org's controls SOC 1 Type 2 - report not includes auditor's opinion on suitability of design of service org's controls, but also on the operating effectiveness of those controls

what does it mean if an auditor has a SOC 1 from the service org

SOC 1 reports can be relied on by auditors of all service org's customers, making separate audit by each of those auditor's unnecessary

major differences between substantive strategy and reliance strategy when auditor considers internal control in planning the audit

SUBSTANTIVE STRATEGY: When risk assessment procedures indicate controls are not properly designed or implemented, auditor will not rely on controls and set control risk at the maximum and use substantive procedures to reduce the risk of material misstatement to an acceptably low level Assurance bucket will be filled with mostly with substantive evidence RELIANCE STRATEGY: When auditors risk assessment procedures suggest controls are properly designed and implemented, auditor will rely on controls If auditor wants to rely on controls, tests of controls are required to be performed to obtain audit evidence that the controls are operating effectively Auditor will make assessment of control risk based on the results of the tests of controls

T o F: Conducting substantive procedures only at an interim date may increase the risk that material misstatements are present in the financial statements

True

T or F: Management override of internal control is one of the limitations of an entity's internal control system.

True

under what circumstances would an auditor decide not to rely on a company's internal control?

a. controls are considered to be ineffective for audit objective (CR at high or 100% b. (For private company who has the option of choosing) when the substantive approach is considered more efficient ex: some accounts/assertions there may be few large transactions and may be easier (more efficient) and effective to substantively tests the large transactions than investing additional time into controls testing

Which of the following audit techniques would most likely provide an auditor with the least assurance about the effectiveness of the operations of a control a. inquiry b. reperformance of control by auditor c. observation of entity personnel d. walkthrough

a. inquiry

Which of the following statements about internal control is correct? a. the cost-benefit relationship is a primary criterion that should be considered in designing an internal control b. a properly maintained internal control system reasonably ensures that collusion among employees cannot occur c. The establishment and maintenance of internal control is an important responsibility of the internal auditor d. An exceptionally strong internal control system is enough for the auditor to eliminate substantive procedures on a significant account balance

a. the cost-benefit relationship is a primary criterion that should be considered in designing an internal control

under the reliance strategy, auditor uses tests results to assess the ___ __ of control risk

achieved level

· Auditor uses both ___ & ___ to find the level of ___ needed to bring audit risk to acceptably low level

achieved level of control risk and assessed level of inherent risk detection risk

RQ 6-3 describe the five components of internal control: control activities

actions established by policies and procedures to help ensure management directives to mitigate risks to the achievement of objectives are carried out performed at all levels of entity and at various stages of business process, and over the tech environment

An auditor's primary consideration regarding an entity's internal controls is whether they

affect the financial statement assertions

Internal control is a process designed to provide reasonable assurance regarding the achievement of which objective? a. Reliability of financial reporting b. Effectiveness and efficiency of operations c. Compliance with applicable laws and regulations

all of the above

analytical procedures used in planning an audit should primarily focus on identifying?

areas that may represent risks the auditor should attend to in the audit

auditor may test controls at iterim date because

assertion being tested may not be significant control has been effective in prior years may be more efficient to conduct tests at that time

SOC 1, Type 2 reports issued by the service org's auditor typically

assess whether the service organizations controls are suitably designed AND operating effectively

many service orgs engage an auditor to issue an ___ ___ regarding the controls they have in place over transactions that might materially impact their customers financial reports. this is called ___

attestation report system and Organization Controls 1 or SOC 1

Extend of auditor's understanding of control activities is a function of the ___ ___ ___

audit strategy adopted o When auditor decides to follow substantive strategy, little work is done on understanding specific control activities o When a reliance strategy is followed, auditor has to understand the control activities that relate to assertions for which a lower level of control risk is expected

Assessing control risk below high involves all of the following except a. Identifying specific controls to rely on b. determining that controls are ineffective c. Performance tests of controls d. Analyzing the achieved level of control risk after performing tests of controls

b. determining that controls are ineffective

The highest quality and most reliable audit evidence that segregation of duties is properly implemented is obtained by a. inspection of documents prepared by thirds party b. observation by auditor of the employees performing control activities c. inspection of flowchart of duties performed and available personnel d. inquiries of employees who apply the control activities

b. observation by auditor of the employees performing control activities

what if an entity uses a service organization

because the enitty's transactions are subsjected to the controls of the service org, auditor is concerned with internal control system in place at service org - thus auditor's understanding of entity's internal control componnets may include controls placed in operation by the entity and the service organization

After obtaining an understanding of an entity's internal control system, an auditor may set control risk at high for some assertions because the auditor

believes internal controls are unlikely to be effective

under which strategy are substantive audit procedures used? reliance or substantive?

both! just substantive requires more because there is not reliance on internal controls

Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee because they represent a. disclosures of information that significantly contradict the auditor's going concern assumption b. material fraud or illegal acts perpetrated by high-level management c. significant deficiencies in the design or operation of the internal control d. manipulation or falsification of accounting records or documents from which financial statements are prepared

c. significant deficiencies in the design or operation of the internal control

Regardless of the assessed level of control risk, an auditor would perform some a. Tests of controls to determine the effectiveness of internal controls b. Analytical procedures to verify the design of internal control c. substantive procedures to restrict detection risk for significant transaction classes d. Or dual purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk

c. substantive procedures to restrict detection risk for significant transaction classes

which of the following audit tests would be regarded as a test of controls a. detailed tests of items making up the balance in a given general ledger account b. vouching inventory pricing to vendor's invoices c. tests of signatures on cancelled checks to verify that the singer is authorized to sing checks d. physically inspecting additions to property, plan and equipment

c. tests of signatures on cancelled checks to verify that the singer is authorized to sing checks

of the five components of internal control, which tow components are most likely to be formally tested and relied on? why?

control activities communication and information system they both relate to specific audit objectives the others are more likely to be overriding, company-level strengths or weaknesses that suggest we should or shouldn't look for specific controls for reducing CR and using a reliance strategy for a specific audit objective

RQ 6-3 describe the five components of internal control: control environment

control environment - set of standards, processes and structures that provide basis for internal control across org - tone at the top about importance of internal control and expected standards of conduct

what has to exist before we can use a reliance strategy?

control risk has to be less than high and we have to have an understanding of design an implementation of control

what has to exist before we can use a reliance strategy?

control risk has to be less than high, and what would allows us to do that? have an understanding of the design and implementation of the control

what three duties need to be separated in segregation of duties?

custody authorization recording CAR *just because someone might have two of those duties doesn't automatically mean their incompatible - what is important: can they commit fraud and conceal it?

Monitoring is a major component of the COSO Internal Control-Integrate Framework. Which of the following is not correct in how the company can implement the monitoring components a. Monitoring can be an ongoing process b. Monitoring can be conducted as a separate evaluation c. Monitoring and other audit work conducted by internal audit staff can reduce external audit costs d. The independent auditor can serve as part of the entity's control environment and continuous monitoring

d. The independent auditor can serve as part of the entity's control environment and continuous monitoring

· Tests of controls directed toward the ___ of a control are concerned with evaluating whether that control is suitably designed to prevent, or detect and correct, material misstatements

effectiveness of the design

internal control system should be desinged and operated to provide reasonable assurance that ___ rasonable assurance recognizes that

entity's objectives are being achieved cost of intneral control system should not exceed benefits that are expected to be derived

When an auditor increases the assessed level of control risk from the level initially planned because tests of controls indicate that certain control procedures are not operating effectively the auditor would most likely increase the level of inherent risk extent of tests of controls extent of tests of details level of detection risk

extent of tests of details

when an auditor increases the assessed level of control risk from the level initially planned because tests of control indicate that certain control procedures are not operating effectively, the auditor would most likely increase the a. extend of tests of details b. level of inherent risk c. extent of tests of controls d. level of detection risk

extent of tests of details

T or F: auditor may not reduce control risk below high for a client that uses a service org on the basis of a service auditor's Type 2 report

false - yes they can reduce control risk below high

True or False? Auditors must gain an understanding of the internal controls for all material financial statement assertions. In addition, whenever an auditor's understanding suggests that an internal control is likely to be effective at preventing or detecting and correcting material misstatements, the auditor must also perform tests of the operating effectiveness of the controls (i.e., take a reliance strategy), regardless of how efficient this approach is.

false - you do not know control risk yet

what is required for every audit relative to internal controls - private or public, high or low control risk? how is this done?

gaining an understanding of internal controls done by preparing flowcharts and narratives of processes

§ Purpose of COSO framework

help management better achieve the org's objectives and provide board of directors an added ability to oversee internal control

auditor uses understanding of internal controls to

identify types of potential misstatements pinpoint the factors that affect RMM design tests of controls and substantive procedures

under what circumstances can we choose a reliance strategy?

if we first determine there are controls in place to prevent or detect material misstatements (proper design and implementation) after this preliminary assessment of control risk, we have to test controls to see if they are operating effectively thus - need proper design and implementation, then need operating effectively it is a choice under the private company, whereas if control risk is low or moderate for a pulbic company, you have to do a reiliance strategy

if achieved control risk is higher than planned control risk if tests of controls support planned level of control risk

increase planned substantive procedures and document revised control risk no revisions of planned substantive procedures required

In the audit of financial statements, an auditor's primary consideration regarding an internal control policy or procedure is whether the policy or procedure

increases the likelihood that management's assertions are fairly stated

in the audit of financial statements, an auditor's primary consideration regarding an internal control policy or procedure is whether the policy or procedure?

increases the likelihood that management's assertions are fairly stated - NOT that it provides adequate safeguards over access to assets

RQ 6-3 describe the five components of internal control: information and communication

info necessary for entitiy to carry out internal contorl responsbilities in support of achievement of objectives communication occurs internally and externally and provides org with info needed for day to day internal control activities communication allows personnel to understand internal control responsibilities and importance of them to achieve objectives and allows for upward flow of operating info to management

what is the COSO framework to management?

it is a framework for management in establishing internal controls, and auditors use it to evaluate internal controls against the framework and see if they meet the guidelines about 95% use COSO framework

auditors understanding of internal control is used to identify controls that are

likely to prevent, detect and correct material misstatements in specific assertions

low versus high detection risk - which is okay with doing invntory account at interim and which is okay with checking invntory at year end

low detection risk means you have a low chance of not detecting risk - so you want to do it at year end closer to year end because control risk was assessed to be high for high detection risk, auditor can examine physical inventory at interim date because low control risk indicates little risk of material misstatment

what are three limitations on entity's internal control

management override of internal control human errors or mistakes collusion

which kinds of controls are more subject to errors - manual or automated?

manual - human error

what are the two types of controls, and which are more susceptible to errors?

manual and automated controls manual controls are more subject to errors

what does each component of the Nature, Timing and Extent of substative tests mean?

nature = type timing = when are we doing that test extent = how much

do you have to follow one audit procedure only throughout entire audit?

no! can change per business process or by specific assertion within business process

are all controls pervasive

no, entity level controls are for sure but not all are

will we ever decrease the control risk form our planned control risk?

no, not in this class

in segregation of duties, if one person has two of the types of duties, does that automatically mean their incompatible?

not exactly - what is important is this: can the employee commit fraud and conceal it?

o If ___strategy is followed, auditor may need a more detailed ___ to develop a preliminary or "planned" assessment of control risk - auditor will then plan and perform tests of controls

o If reliance strategy is followed, auditor may need a more detailed understanding of internal control to develop a preliminary or "planned" assessment of control risk - auditor will then plan and perform tests of controls

auditor may decide to follow substantive strategy for some of all assertions because of one or all of the following factors:

o Implemented controls do not pertain to assertion auditor is considering o Implemented controls are assessed as ineffective o Testing the operating effectiveness of the controls would be inefficient

a direct relationship exists between ____ (which reflect what an entity is striving to achieve), ___ (which represent what the entity needs to do in order to achieve the ____), and the ____ of the entity (the operating units, legal entities, and others)

objectives components, objectives structure

from the earthware case, what assertions did these two tests test? document package includes all documents appropriate for the transaction and all documents have been stamped paid

occurrence assertion

RQ 6-3 describe the five components of internal control: monitoring

ongoing evalautions, separated evaluations or some sombo used to ascertain whether each of 5 components of internal control, including controls to effect the principles within each component, are present and functioning findings are evaluated and deficiencies communicated in a timely manner, with serious matters reported to senior management and board

· Tests of controls directed toward ___ are concerned with assessing how the control was applied, the consistency with which it was applied during the audit period, and by whom it was applied

operating effectiveness

the substantive approach is considered more efficient for a ___ company

private

what is assessing control risk

process of evaluating effectiveness of entity's internal control in preventing or detecting and correcting material misstatements in the FS

it is expected that every __ __ will follow a reliance strategy for significant accounts balances and assertions

public company - public company auditors must test and report on design and effectiveness over internal control over financial reporting

which companies shave a choice on whether to do reliance or substantive approach

really only private companies, not public ones

the grad total of the control and substantive testing needs to result in

reasonable assurance that the financial statements are fairly stated in all material respects

which requires a deeper understanding of internal control? a substantive or reliance approach?

reliance - and it requires testing of controls to support the lower assessed level of control risk

What is the difference between a substantive strategy and a reliance strategy?

reliance strategy: - auditor intends to rely on entity's controls to reduce control risk below the maximum (less than H) - if chosen, auditor will need to plan and perform tests of controls, and controls will need to be deemed sufficiently effective to support reliance substantive strategy: - not relying on entity's internal control - control risk is at maximum (High or 100%) - must increase nature timing and extent of substantive audit procedures accordingly to lower detection risk

why must an auditor gain an understanding of internal control

required to plan the audit of financial statements, but also 1. identifies the types of potential misstatements 2. pinpoints factors that affect the risk of material misstatment 3. helps in the design of tests of controls and substantive procedures

when an auditor follows a substantive strategy, assurance bucket is filled with some evidence from ___ and extensive amount of evidence from ___

risk assessment procedures substantive process (substantive analytical procedures and tests of details)

RQ 6-3 describe the five components of internal control: risk assessment

risk assessment process - dynamic and iterative process for identifying and analyzing risks to achieve entity's objectives, forming basis for determining how risks should be managed management considers possible changes in external environment and within its own business model that may impede ability to achieve objectives

Analytical procedures used in planning an audit should primarily focus on identifying

risks

why would we need an internal control framework like COSO's?

so we know how to do it, gives us something to measure against

why are frauds hard to detect?

sometimes we see what we want to see

substantive procedures include

substantive analytical procedures tests of details - transactions and balances

what are the potential implications of testing controls on the audit plan?

testing controls can either confirm our preliminary control risk assessment OR reveal our understanding of controls was wrong and we need a substantive approach if we rely more on control evidence, we will have less room for other audit procedures (including substantive testing)

Definition of internal control

the method by which entity's board or directors, management, and other personnel provide reasonable assurance about the achievement of objectives in the following categories 1. reliability of financial reporting 2. effectiveness and efficiency of operations 3. compliance with applicable laws and regulations

what is the purpose of internal controls

to prevent or detect material misstatements from getting into the financial statements

control testing is generally over what?

transactions

T or F: A properly designed and functioning internal audit department is often used to "monitor" the operating effectiveness of internal control.

true

regardless of substantive or reliance strategy, auditor must always have sufficient ___ to know whether they are ___ this knowledge includes an ___

understanding of entity's internal controls properly designed and implemented understanding of 5 components on internal control

Public companies will do a reliance approach and test controls unless what

unless they know controls are ineffectvie

checking to see whether numbers agree on an invoice and related report or purchase order and that the invoice is mathematically correct assesses what assertion of tests of balances?

valuation

when reliance strategy is chosen, will amount of assurance obtained by controls testing vary from assertion to assertion or stay constant?

vary percentage of bucket filled with controls evidence will differ between assertions and across accounts in various business processes

what do auditors normally do to develop an understanding of control activities

walkthroughs

we document everything to show that

we did the audit in accordance with GAAP

When is the auditor required to test controls?

when auditor follows a reliance strategy (so CR is less than 100%, less than High) and when controls at a public company subject to an audit of internal control over financial reporting ICFR ARE DESIGNED AND ASSESSED AS EFFECTIVE

when will auditor choose a substantive strategy

when risk assessment procedures indicted controls are not properly designed or implimented- set control risk at max and use substantive procedures to reduce RMM to acceptably low level

when will auditor choose a reliance strategy

when risk assessment procedures suggest controls are properly designed and implemented - rely on controls auditor MUST test controls to obtain audit evidence that controls are operating effectively auditor makes assessment of control risk based on results of tests of controls

when would auditor assess CR as high?

when they want substantive approach

o An audit of internal control over financial reporting is required if the entity is a ___ company in such cases, significant testing of controls at interim or year end is necessary

year end

does the size of entity have an effect on internal control

yes - may be less formal in smaller entities

is substantive evidence always required?

yes, at least some for all significant accounts and assertions thus reliance strategy reduces but does not eliminate need to gather substantive evidence

What are the potential benefits to an entity's internal control from information technology

§ Consistent app of predefined business rules and performance of complex cals in processing large volumes of transactions or data § Greater timeliness, availability and accuracy of info § Facilitation of data analytics for enhanced internal decision making § Greater ability to monitor entity's activities, policies, and procedures on timely basis § Greater ability to prevent or detect circumvention of controls § Enhanced seg of duties through security controls in apps, databases, and operating systems

What are the potential risks to an entity's internal control from information technology

§ Reliance on systems or programs that, unknown to management, inacwcurately process data, process inaccurate data or both § Unauthorized access to data that may result in destruction of data or improper changes to data, including recording of unauthorized or nonexistent transaction or inaccurate recording of transactions § Unauthorized changes to data in master files § Unauthorized changes to systems or programs § Failure to make necessary changes to systems or programs § Inappropriate manual intervention

Definition of internal control: COSO - "system of internal control is designed and carried out by an entity's board of directors, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives in the following categories

· 1. Reliability, timeliness and transparency of internal and external financial and nonfinancial reporting · 2. Effectiveness and efficiency of operations, including safeguarding of assets, and · 3. Compliance with applicable laws and regulations


Ensembles d'études connexes

Always, sometimes, never similar

View Set

Product Life Cycle : What's the Stage

View Set

Pharmacology Chapter Questions 5,6 ,7

View Set

QUIZ 3: THE INTERPRETATION AND APPLICATION OF THE BIBLE

View Set

Emergency Medicine History/Physical Exam

View Set