Audit Ch 10
Section 404(a) requires management of all public companies to issue an internal control report that includes the following:
A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting and An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year.
The five categories of control activities are:
Adequate separation of duties Proper authorization of transactions and activities Adequate documents and records Physical control over assets and records Independent checks on performance
The following are the most important subcomponents the control environment:
Integrity and ethical values Commitment to competence Board of directors or audit committee participation Management's philosophy and operating style Organizational structure Assignment of authority and responsibility Human resource policies and practices
The auditor may issue an unqualified opinion on internal control over financial reporting when two conditions are present:
there are no identified material weaknesses; and there have been no restrictions on the scope of the auditor's work.
The most widely accepted internal control framework in the U.S.
COSO Internal Control - Integrated Framework
2. Efficiency and Effectiveness of Operations
Controls within an organization are meant to encourage efficient and effective use of its resources to optimize the company's goals. An important objective of these controls is accurate financial and non-financial information about the entity's operations for decision making.
Management's assessment of internal control over financial reporting consists of two key characteristics.
First, management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls.
When obtaining an understanding of internal control, the auditor must assess two aspects about those controls
First, the auditor must gather evidence about the design of internal controls. Second, the auditor must gather evidence about whether those controls have been implemented.
There are four phases in the process of understanding internal control and assessing control risk.
In the first phase the auditor obtains an understanding of internal controls, which includes an understanding of their design and whether they have been implemented. Next the auditor must make a preliminary assessment of control risk (phase 2) and perform tests of controls (phase 3). The auditor uses the results of tests of controls to assess control risk and to ultimately decide planned detection risk and substantive tests for the audit of financial statements, which is phase 4.
1. Reliability of Financial Reporting
Management is responsible for preparing financial statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements such as GAAP or IFRS. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities.
To express an opinion on internal controls, the auditor obtains
an understanding of and performs tests of controls related to all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements.
Controls should be tested
at least every three years, and whenever there is a significant change in the control.
PCAOB Auditing Standard 5 requires the auditor to perform at least one walkthrough for
each major class of transactions.
PCAOB Auditing Standard 5 requires that the audit of the financial statements and the audit of internal control over financial reporting be
integrated.
PCAOB Auditing Standard 5 requires that the auditor
issue a report on the effectiveness of internal control over financial reporting.
When evaluating the design of internal control over financial reporting,
management evaluates whether the controls are designed to prevent or detect material misstatements in the financial statements.
Separation of the custody of assets from accounting for these assets is intended to
prevent misappropriation of assets.
The control environment consists of
the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
PCAOB Auditing Standard 5 requires the auditor's independent assessment of
the internal controls' design and operating effectiveness.
When testing the operating effectiveness of those controls that detect or prevent material misstatements
the objective is to determine whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
When the auditor's risk assessment procedures identify significant risks, the auditor is required
to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below 100%.
The COSO Internal Control - Integrated Framework consists of the following five components:
1. Control environment 2. Risk assessment 3. Control activities 4. Information and communication 5. Monitoring
The six transaction-related audit objectives are:
1. Recorded transactions exist (occurrence). 2. Existing transactions are recorded (completeness). 3. Recorded transactions are stated at the correct amounts (accuracy). 4. Recorded transactions are properly included in the master files and correctly summarized (posting and summarization). 5. Transactions are properly classified (classification). 6. Transactions are recorded on the correct dates (timing).
Management typically has three broad objectives in designing effective internal controls.
1. Reliability of Financial Reporting 2. Efficiency and Effectiveness of Operations 3. Compliance with Laws and Regulations
3. Compliance with Laws and Regulations
Section 404 of the Sarbanes-Oxley Act requires all public companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and anti-fraud regulations such as the Foreign Corrupt Practices Act of 1977 and certain provisions of the Sarbanes-Oxley Act.
Separation of operational responsibility from record keeping is intended to
reduce the likelihood of operational personnel biasing the results of their performance by incorrectly recording information.
In a walkthrough of internal control, the auditor
selects one or a few documents for the initiation of a transaction type and traces them through the entire accounting process.
In an integrated audit, the auditor must consider
the results of audit procedures performed to issue the audit report on the financial statements when issuing the audit report on internal control.