Topic 7

SOX created two provisions that relate to a public company's system of internal controls:

(1) a company's management team must regularly report to investors regarding the quality of the company's internal controls governing the financial reporting process, (2) the external auditor must perform a full audit of the public company clients' internal controls and report to investors on the quality of those controls as part of the client's annual filing with the SEC.

What are the two aspects of a client's internal control system that must be evaluated?

(1) design effectiveness, (2) operating effectiveness

In what ways can an internal control procedure be monitored?

(1) people-based monitoring, (2) technology-based monitoring.

What characteristics are included in the control environment?

(1) the 'tone at the top' set by management and the board of directors, (2) management's integrity, goals and objectives, and (3) attitudes toward the role of internal control within the organization.

Each of the following is an example of control activities except? (a) Monitoring (b) Physical controls (c) Reconciliations (d) Authorizations and approvals

(a) Monitoring

The primary objectives achieved by a high-quality system of internal control are: (a) Operations, reporting, and compliance (b) Reporting and accuracy (c) Accuracy and compliance (d) Operations and compliance

(a) Operations, reporting, and compliance

Which of the following best describes the Risk Assessment component of internal control as outlined in the COSO framework? (a) The auditor performs high quality risk assessment procedures to identify risky areas in the client's internal control systems (b) The company maintains a robust risk assessment process which helps identify risks that might keep them from achieving the objectives of operations, reporting, and compliance (c) The auditor performs regular fraud risk assessments of the client to identify client fraud (d) Each of the above describes the Risk Assessment component of internal control as outlined in the COSO framework

(b) The company maintains a robust risk assessment process which helps identify risks that might keep them from achieving the objectives of operations, reporting, and compliance

The auditor's report on internal control quality can express which of the following opinions regarding the quality of internal control? (a) Unqualified or Qualified only (b) Unqualified or Adverse only (c) Unqualified, Qualified, or Adverse (d) Qualified or Adverse only

(b) Unqualified or Adverse only

Which of the following is the correct sequence with regard to the auditor's reliance on the client's internal controls? (a) Assess design and implementation of controls, testing controls, decision to rely on controls (b) Decision to rely on controls, assess design and implementation of controls, testing controls (c) Assess design and implementation of controls, decision to rely on controls, testing controls

(c) Assess design and implementation of controls, decision to rely on controls, testing controls

The principles outlined by COSO for the control environment component are:

1. Demonstrate commitment to integrity and ethical values.
2. The Board of Directors demonstrates independence from management and exercises oversight of the development and performance of internal controls.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives.
4. Commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. Holds individuals accountable for their internal control responsibilities.

The principles outlined by COSO for the information and communication component are:

1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of the internal control.
3. The organization communicates with external parties regarding matters affecting the functioning of internal controls.

The principles outlined by COSO for the control activities component are:

1. The organization selects and develops control activities that contribute to the mitigation of risks to acceptable levels.
2. The organization selects and develops general control activities over technology to support the achievement of objectives.
3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

The principles outlined by COSO for the monitoring component are:

1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The principles outlined by COSO for the risk assessment component are:

1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Make a decision whether or not the Audit Team can Rely on Internal Controls

Can the audit team rely on the I/C for financial statement audit evidence? Why? yes/no? - document results

Reconciliations

Comparison of 2 or more data elements. Ex. Bank Reconciliations

Verifications

Comparison of two items. Ex. shipment date should precede the invoice date

(T/F) The Control Environment component of internal control relates to client integrity, proper board oversight and reporting channels, commitment to hiring competent employees, and proper accountability for internal control related actions.

True

(T/F) The auditor can issue either combined or separate audit reports when reporting on both the audit of financial statements and the audit of internal control.

True

(T/F) The internal audit function at the client often plays a significant role in evaluating the company's internal controls.

True

What is the COSO definition of internal control?

"a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance."

What are the three primary objectives achieved by a high-quality system of internal control?

1) operations 2) reporting 3) compliance

FIVE COMPONENTS OF AN EFFECTIVE INTERNAL CONTROL SYSTEM

1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring

Significant Deficiency

A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

Material Weakness

A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

What is an integrated audit?

A full audit of and opinion on the client's internal control over financial reporting (ICFR) that accompanies the audit of and opinion on the client's financial statements.

Auditor's Report over I/C Governance

AS 2201 states that the "auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting."

Authorizations and Approvals

Affirmation that a transaction is valid. Ex. authorization of credit

The officers of the company who sign these certifications also must certify that they have disclosed the following matters to the external auditors and to the audit committee:

All significant deficiencies in the design or operation of internal controls (material weaknesses in internal controls); Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls; and Management also must certify that it has indicated in the report filed with the SEC whether there have been significant changes in internal controls from the prior period as well as any corrective action taken to respond to previous internal control weaknesses.

What five professional organizations joined forces to create COSO in 1985?

American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
Institute of Management Accountants (IMA)
Institute of Internal Auditors (IIA)

What is a control deficiency?

An observed instance where the design or operation of a control causes a failure to prevent or detect misstatements in a timely manner.

Supervisory Controls

Assess whether control activities are being properly performed. Ex. Monitoring that controls are performed

Examples of Control Activities

Authorizations and approvals
Verifications
Physical Controls
Controls over Standing Data
Reconciliations
Supervisory Controls

Examples of Substantive Procedures

Bank confirmation
Accounts receivable confirmation
Observe a physical inventory count
Confirm inventories not on-site
Observe fixed assets
Match purchase orders and supplier invoices to fixed asset records
Confirm accounts payable
Confirm debt
Analytical analysis of assets, liabilities, revenue, and expenses

How should the auditor evaluate the internal control?

Based on the likelihood of misstatements remaining undetected by the I/C and the magnitude of the potential misstatement.

Audit Report for Internal Controls

Can be either combined or separate reports. The auditor can report on the F/S and the I/C in the same report or two separate reports.

Weaknesses in the client's system of I/C can be categorized into three types:

Deficiency
Significant Deficiency
Material Weakness

Preventive Controls

Designed to ensure that negative events don't happen. For example, locks on doors and passwords on computers are examples of preventive controls that ensure unauthorized access doesn't happen.

Detective Controls

Designed to identify events that have already occurred. For example, the practice of performing a bank reconciliation at the end of each month is a control activity designed to identify errors or fraud that may have occurred during the period.

If the auditor chooses to issue two separate reports, he must include additional disclosures:

Disclosures indicating that the other audit was also conducted, The date of the other audit report, Summary of the opinion expressed in the other audit report.

Public & Private Company Auditor Responsibilities:

Ensure that controls are properly functioning when performing an audit of a client's financial statements, particularly if the auditor expects to use the effectiveness of internal controls as indirect evidence regarding the fair presentation of the financial statements.

Assess the design and implementation of the Internal Controls

Evaluate design (design effectiveness). If design is adequate, assess the implementation of the I/C.

Deficiency

Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

(T/F) A significant deficiency is more serious than a material weakness.

False

(T/F) The auditor has primary responsibility for the proper functioning of their client's internal control.

False

(T/F) The materiality threshold used for the audit of financial statements is different from the materiality threshold used for determining whether a control deficiency is a material weakness or a significant deficiency.

False

(T/F) Using the COSO internal control framework as a benchmark for quality is mandatory for the audit of internal control over financial reporting.

False

Documenting an Understanding of Internal Controls

Flowcharts
Questionnaires
Written Narratives
Documented Observations of Control Practices

What was one of the purposes of the Sarbanes-Oxley Act of 2002 (SOX)?

Help restore investor confidence in capital markets by requiring companies to improve the quality of their internal controls governing the financial accounting and reporting process.

Test the Internal Controls

If yes, test controls (operating effectiveness). After testing I/C, determine the level of substantive testing that needs to be performed. Note: Even with reliance on I/C - some level of substantive testing should be done. If no, perform extensive substantive audit testing since I/C cannot be relied upon. The auditor will not test I/C.

Public Company ONLY Auditor Responsibilities

In order to comply with SOX, the external auditor must perform a full audit of the public company clients' internal controls and report to investors on the quality of those controls as part of the client's annual filing with the SEC.

Auditor's Responsibility for Controls - Standard Audit Procedures on I/C

Inquiries of key personnel, Observations of control processes in action, Inspections of documents, Walk-throughs (i.e., observing sample transactions as they are processed through the system of controls)

What is the relationship between internal control quality & financial statement reporting quality?

Internal control quality and financial statement reporting quality go hand in hand.

Is risk assessment a process or a one-time event?

It is an ongoing process in which risks are continually being assessed and re-assessed as additional information arises.

What is required under SOX?

Large public companies must obtain both an audit of financial statements as well as an audit of internal controls.

Only required for accelerated filers with market capitalization > $75 million (doesn't apply to "small filers")

Market Capitalization: The value of a company that is traded on the stock market, calculated by multiplying the total number of shares by the present share price.

Auditor's Responsibility for Controls - SOX

Must be an Integrated Approach
Purpose of Integrated Approach
Only required for accelerated filers with market capitalization > $75 million (doesn't apply to "small filers")

Is use of the COSO framework mandatory?

No, but it has become the most widely used internal control framework in the U.S. and around the world.

Auditor's Responsibility for Controls:

Obtain an Understanding of the I/C to Determine the Audit Team's Reliance on the I/C

Objectives of Internal Control - Top of COSO Cube

Operations
Reporting
Compliance

Controls over Standing Data

Process of populating, updating, or maintaining accuracy of data. Ex. Master Price Lists

Purpose of Integrated Approach

Provide investors with the auditor's opinion regarding the effectiveness of the client's internal controls over financial reporting. The I/C Audit is designed to identify Material Weaknesses that could lead to misstatements in the F/S.

Information and Communication

Relates to the processes and systems in place for recording and sharing information throughout the organization.

When auditing I/C, what is the auditor responsible for?

Reporting all deficiencies discovered in the course of the audit, regardless of their level of significance.

Section 404(a): Annual Report on Internal Controls

Requires that public company management provide a report detailing their evaluation of their company's system of internal control as part of the company's annual report (10-K). The internal control report should contain a statement by management taking responsibility for establishing and maintaining effective internal control as well as an assessment of the effectiveness of internal controls as of the end of the most recent fiscal year.

SOX Requirements Related to Management

Section 302: Management Certification of Responsibility
Section 404(a): Annual Report on Internal Controls

Physical Controls

Securing assets by limiting access. Ex. locks, gates, etc.

Must be an Integrated Approach

The "audit" of internal controls should not be the subject of a separate engagement, but should be conducted by the same auditor that performs the financial statement audit.

What is the COSO Framework?

The 'established criteria' and benchmark to use when evaluating the effectiveness of internal controls.

What is COSO?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to combat corporate fraud. COSO has established a common internal control model against which companies and organizations may assess their control systems.

Who is responsible for most of the work involved in assessing and evaluating internal controls?

The Internal Audit Department

What is the PCAOB's position on the COSO framework?

The PCAOB has stated that the COSO framework is an acceptable framework for evaluating the effectiveness of a company's ICFR (internal controls over financial reporting).

What are the auditor's responsibilities?

The auditor is required to understand and evaluate the client's system of internal control.

Adverse Opinion

The auditor's opinion that the I/C are NOT effective in both design and operation. Material Weaknesses Exist

Unqualified Opinion

The auditor's opinion that the I/C are effective in both design and operation.

Who has the primary responsibility for establishing and maintaining the internal control system?

The client

Where are the five components of an effective internal control system shown on the cube?

The front panel

What is the focus of the internal control audit?

The identification of a Material Weakness

What is the primary concern of auditors with regard to their internal controls?

The impact of internal controls on financial reporting.

What is the primary determinant as to whether a control deficiency is a significant deficiency or a material weakness?

The size of the potential misstatement that could go undetected

Congress enacted Section 302 of The Sarbanes-Oxley Act of 2002 (SOX) to require that a public company's CEO and CFO provide the following written certifications in the annual (10-K) and quarterly (10-Q) filings:

They are responsible for establishing and maintaining internal controls; Have designed internal controls to ensure that material information is made known to such officers by others; Have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report; and Have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.

What is the focus of Information and Communications?

This component focuses on the information systems used within an organization to ensure that decision makers have access to timely and relevant information when making important decisions.

What is the focus of the monitoring component of an internal control system?

This component relates to procedures put in place that are designed to ensure that internal control procedures are implemented effectively.

What is the purpose of the audit of I/C over financial reporting?

To ensure that controls related to financial reporting objectives are designed and implemented effectively.

Auditor must communicate in writing the following matters:

To management—All deficiencies identified during the audit (AS 2201). To audit committee— (1) The extent to which they plan to use the work of internal auditors, company management, or third parties under the direction of management (AS 1301). (2) All significant deficiencies and material weaknesses identified during the audit. (AS 2201) To Board—If auditor concludes that oversight by audit committee is ineffective. (AS 2201) To the Public—The identification of any material weaknesses.

What is the purpose of I/C over financial reporting?

To prevent or detect misstatements from appearing in the financial statements.

(T/F) If the auditor uses a pure substantive approach, he or she will typically not test the client's controls.

True

(T/F) The approach to documenting the auditor's understanding of internal control varies depending on the complexity of the system of internal control.

True

Only Two Opinions on Internal Controls

Unqualified Opinion
Adverse Opinion

Why is risk assessment so important?

You cannot fix what you do not know is broken.

Why is the control environment important?

a system of internal control functions better in an environment that is conducive to and supportive of the proper functioning of those controls.

Substantive testing

an audit procedure that examines the financial statements and supporting documentation to see if they contain errors.

Risk assessment

an ongoing process that involves the identification and assessment of the probability and magnitude of potential risks faced by the entity.

During the risk assessment stage, auditors perform

assessments of the client's control risk.

COSO was originally founded by ______ organizations, including the AICPA. a) Three b) Five c) Seven d) Two

b) Five

With the release of its 1992 framework, COSO introduced a

graphic design to help users understand the relationship between the various components of effective internal control.

Operations Objectives

includes a focus on achieving effective and efficient business operations and the safeguarding of company assets

Compliance Objectives

includes adherence to applicable laws and regulations

Reporting Objectives

includes both internal and external reporting of financial and nonfinancial information.

A well-designed internal control activity that is not implemented well or operating appropriately

is also ineffective.

Substantive tests

needed as evidence to support the assertion that the financial records of an entity are complete, valid, and accurate.

A poorly-designed internal control activity that is implemented perfectly will

not have the desired effect.

Control Activities

relates to the specific actions (e.g., personnel, policies, procedures) put into place to address the threats identified through the risk assessment process.

Control Environment

the setting in which the system of control is meant to function.

What is the purpose of the COSO Framework?

to outline the committee's collective guidance regarding best practices for designing and implementing strong internal control systems.

