Audit Chapter 7 - Internal Controls
When an organization integrates ERM throughout operations, it may be able to improve decision making in areas such as...
- governance - strategy - objective-setting - day-to-day operations
The timing of the performance of tests of controls depends upon...
... Auditor objectives
What is auditors 2 approaches to testing controls?
1) identify controls likely to prevent or detect material misstatements 2) perform tests of controls to determine whether they are operating effectively
These provisions require all corporations under the jurisdiction of ________________ to maintain a system of internal control that will provide reasonable assurance that...
1. Transactions are executed with the knowledge and authorization of management. 2. Transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets. 3. Access to assets is limited to authorized individuals. 4. Accounting records of assets are compared to existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
What is an audit decision aid?
A checklist, standard form, or computer program that helps auditors make a particular decision by ensuring that they consider all relevant information, or by assisting them in combining information to make the decision.
What are internal control flowcharts?
A symbolic representation of a system or a series of procedures with each procedures shown in sequence.
What is risk tolerance?
Acceptable level of variation in performance relative to achievement of objectives..
When there is 1 or more material weakness in internal controls, what kind of opinion must be issued?
Adverse
According to the PCAOB, how often should tests on controls that have been relied upon be performed?
Annually, some evidence regarding operating effectiveness should be obtained when controls are relied upon.
According to the AICPA and International Auditing Standards, how often should tests on controls that have been relied upon be performed?
At least every 3rd audit.
What is the decision to perform test of controls based on?
Auditor consideration of whether controls are likely to be operating effectively and whether testing them is likely to be cost-effective.
COSO =
Committee of Sponsoring Organizations
What is the major difference between control objectives and assertions?
Control objectives are broader in that they relate not only to financial reporting, but also to operating and compliance.
What do auditors consider when assessing risks at the relevant assertion level?
Design of control and its implementation.`
Why would auditors decide to test controls during the process of obtaining an understanding of the client's internal control?
For efficient purposes
What are fidelity bonds?
Form of insurance where a bonding company agrees to reimburse employer, within limits, for losses attributable to theft or embezzlement by bonded employees Can be individual or blanket
Transaction level controls can be broken down into what two categories?
General controls and application controls
How is the concept of corporate governance somewhat broader than internal control?
It is not only concerned with the effectiveness of financial reporting, but it also encompasses ethical treatment of major stakeholders, compliance, customary business practices, and effective risk management.
What does Section 404(b) of SOX say?
It requires company's auditors to attest to, and report on, internal control over financial reporting. Applies to companies with a market capitalization of 75mil+
What does the top-down approach mean?
It starts at the financial statement and entity level and links these controls to significant accounts, relevant assertions and major classes of transactions.
What is a disadvantage of the internal control questionnaire?
Lack of flexibility (questions that are "not applicable" to specific systems)
What are the risks associated with nonroutine transactions?
Managment or other employee intervention - often manual - to specify accounting treatment of complex calculations. May be with related parties.
What are written narratives of internal control?
Memoranda that describes the flow of transactions cycles, identifying the employees performing various tasks, documents prepared, records maintained, and the division of duties.
Is inquiry alone sufficient to evaluate the design of a control and determine whether it has been implemented?
NO
What are segregation of duties?
No one department or person should be Authorizing transactions, Recording transactions, and maintaining Custody over assets.
while obtaining an undestanding of internal control, auditors may also obtain evidence about ___________ ____________ of various controls.
Operating effectiveness.
What does corporate governance include?
Policies, procedures, and mechanisms that are established to ensure that the company operates in the best interests of its major stakeholders
How are controls over financial reporting often classified?
Preventative, Detective, or Corrective.
What is monitoring of controls?
Process to assess the quality of internal control performance over time
Scope limitations may result in the issuance of what kind of audit opinion?
Qualified or disclaimer of opinion, depending on the significance of the limitation.
What form is audit documentation in when it comes to understanding client internal control?
Questionnaires, written narratives, flowcharts.
What is the purpose of using decision aids in audits?
Reduce the variance in auditor judgement, promote the performance of audits that meet firm and professional requirements.
What is corporate governance?
Set of rules, processes, and laws by which businesses are operated, regulated, and controlled.
What are general controls?
The control activities that apply to all or multiple types of tranactions
What is a transaction cycle?
The policies and procedures for processing a particular type of transaction
What do user auditors need to consider when determining the sufficiency and appropriateness of service audit evidence?
The professional competence of the service auditors and their independence with respect to the service organization.
The form and extent of external auditors documentation in working papers is determined by....
The size and complexity of the client, as well as the nature of the client's internal controls.
What is the control environment?
The standards, processes and structures that guide individuals in carrying out their duties.
Preventative controls operate at which level?
The transaction level.
What are redundant controls?
Those that address the same financial statement assertion or control objective.
What are risk assessment procedures for?
To obtain an understanding of internal control. Results used to design NET of further audit procedures.
What do auditors consider after assessing the RoMM?
What can go wrong, and then design further audit procedures.
What is a deficiency in internal control over financial reporting?
When the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect material misstatements on a timely basis.
When would an auditor issue an unqualified opinon on internal controls?
When there are no material weaknesses identified in internal control as of year-end and when there have been no restrictions on the scope of auditor's work
What kind of answers do internal control questionnaires usually contain?
Yes or No
Management's effective risk assessment requires...
establishement of performance measures to assess the achievement of objectives
After describing internal control in audit work papers, auditors often verify that it has been implemented by...
performing a walk-through.
What do tests of controls address?
- how controls were applied - consistency with which controls were applied - by whom or by what means (electronically) the controls were applied
If the client has implemented an ERM...
... auditors will obtain an understanding of the processes and controls that are implemented in the system.
Considering the design of a control and determining that it is implemented represent...
... two different operations.
A no answer to an internal control questionnaire indicates and requires what?
A weakness in internal control and requires auditors to identify types of potential misstatements.
What are the 4 risk respones?
Avoidance, Reduction, Sharing, and a Acceptance
What is the purpose of performance?
Business org identifies and asses risk that may affect achievement of business strategies/objectives. Prioritizes risk according to severity and entity risk appetite.
What is the foundation for other internal control components?
The control environment
What is MANAGEMENT's risk assessment?
The process for identifying, analyzing, and responding to risks from external and internal sources that threaten their ability to meet their objectives in the areas of operations, reporting, and compliance.
What are physical controls?
Those that provide physical security over both records and other assets
Internal auditors monitor management to...
help prevent management override of internal controls.
How do auditors increase evidence from a test of control?
increase the extent/scope of the test
What are the audit procedures used to test the effectiveness of internal control?
- Inquiries of appropriate client personnel - Inspection of documents and reports - Observation of the application of controls -Reperformance of the controls
When determining whether an identified risk of material misstatement is significant and requires specific audit consideration, what should auditors consider?
-Complexity of calculations involved - Risk of fraud - Selection and application of accounting policies - Internal and external circumstances giving rise to business risks (technological changes) - Recent developments in the industry or economy
When performing an integrated audit, the option of not testing controls for a significant account is.....
....not available because controls over all significant accounts should be tested to provide a basis on the opinion of internal control
What are the three categories of objectives of internal control?
1) Reporting 2) Operations 3) Compliance
What is a Type 2 report?
A report on a management's description of a service organization's system and the design AND operating effectiveness of controls throughout the period covered by the service auditors report
What is a chart of accounts?
Classified listing of all accounts in use, accompanied by a detailed description of the purpose and content of each
What is the enterprise risk management framework supposed to complement?
Company internal control
The extent of the controls adopted by a business is limited by...
Cost-benefit considerations
Auditors should identify and assess the RoMM at both the...
Financial statement level and the relevant assertion level for account balances, transcation classes, and disclosures.
What is the purpose of governance and culture?
Governance sets the entity's tone, reinforcing the importance of ERM, and establishing oversight responsibilities for it Culture is reflected in decision-making.
What level of risk do estimates have and why?
HIGH risk due to subjective or complex nature, or need to make assumptions about the effects of future events.
AIS should include...
Journals, ledgers, chart of accounts, and manuals of accounting policies and procedures
What is the Conversion (production) cycle?
Processes, procedures, and policies for storing materials, placing materials into production, assigning production costs to inventories, and accounting for the COGS
In terms of deficiencies, significant deficiencies, and material weaknesses in internal control, which is/are auditors required to communicate to management and those charged with governance?
Significant deficiencies and material weaknesses are required to be communicated (in writing). No longer than 60 days after the report release date.
If auditors plan to use evidence obtained in prior audits about the effectiveness of internal controls, what do they need to do?
They should obtain evidence about whether changes in the specific controls have occurred subsequent to the prior year's audit.
What are preventative controls?
Those aimed at avoiding the occurrence of misstatements in the FS. Examples: Authorization codes assigned to different personall
What are corrective controls?
Those designed to correct detected misstatements.
What are compensating controls?
Those that reduce the risk that an existing or potential control weakness will result in a misstatement.
What is the internal auditors function?
To investigate and appraise internal control and the efficient with which the various units of the organization are performing their assigned functions.
For many controls, auditors will want evidence on operating effectiveness by sampling the application of controls....
from throughout the period under audit, not just for a particular time.
What are the major instruments of corporate governance?
management compensation systems, BOD, external and internal auditors, attorneys, regulators, creditors, securities analysts, and IC systems.
What are the basic principles of MGMT monitoring controls?
1) Select, develop, and perform ongoing and separate monitoring evaluations to determine that the components of internal control are present and functioning. 2) Evaluate and communicate internal control deficiencies in a timely manner to those responsible for taking corrective action, including senior management and the board of directors and its audit committee as appropriate.
How can data analytics be applied in an audit?
1) test number of controls simultaneously electronically through a sample of transactions and follow up with the audit of the entire population of any controls whose operating effectiveness is in question 2) simultaneously test a number of controls over all transactions in a particular population
What is the point of review and revision?
By reviewing ERM capabilities, and performance relative to targets, ERM capabilities can be assessed and increase value over time and drive value even with substantial changes.
What is a significant deficiency in internal control over financial reporting?
Less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
What is the Investing cycle?
Processes, procedures, and policies for authorizing, executing, and recording transactions involving investments in fixed assets and securities.
How can control activities, whether automated or not, be circumvented?
by two or more people colluding together
If external auditors plan to use internal auditors for direct assistance, they should obtain...
written acknowledgement from management and those charged with governance that the internal auditors will be allowed to perform the work free from any interference.
What is the point of information, communication, and reporting?
MGMT uses relevant info from internal and external sources to support ERM. Report on risk, culture, and performance.
What is the Revenue (or sale or collections) cycle?
Processes, procedures, and policies for obtaining orders from customers, approving credit, shipping merchandise, preparing invoices (billing), recording revenue and AR, and handling and recording cash receipts.
What is the importance of a company's antifraud program to the auditors?
Professional standards require that the auditor evaluate whether such programs are suitably designed and implemented.
If internal auditor work is relevant, external auditors should assess and determine...
the competence and objectivity of the internal audit function, and whether the internal auditors apply a systematic and discipled approach to performing the work.
The AICPA and PCAOB indicate that external auditors can use internal auditor work in what 2 ways?
1) Obtaining audit evidence by using the internal auditors' work performed as a part of their normal responsibilities and 2) Using internal auditors to provide direct assistance on the external audit.
What is internal control like for small companies and what does this mean for auditors?
Little or no opportunity for segregation of duties and responsibilities, very weak or absent internal control unless owner/ manager recognizes importance and participates in key activities. Auditors must rely much more on substantive testing and procedures of account balances and transactions compared to larger organizations.
What does a company's AIS consist of?
Methods and records established to initiate, authorize, record, process, summarize, and report an entity's transactions and to maintain accountability for the related assets, liabilities, and equity.
What is the Acquisition (or purchases and disbursements) cycle?
Processes, procedures, and policies for initiating purchases of inventory, other assets, and services; placing purchase orders, inspecting goods upon receipt, and preparing receiving reports; recording liabilities to vendors; authorizing payment; making and recording cash disbursements
How do auditors test design effectiveness?
They identify control objectives and risks in each financial reporting area and then identify relevant controls that satisfy each control objective. They then evaluate the likelihood of control failure, magnitude of any related misstatements due to such failure, and degree to which other compensating controls achieve the same control objectives. Then, they assess whether the controls, if operating properly, can effectively prevent or detect misstatements that could be material.
What are the benefits of an ERM?
1) Aligning the organization's risk tolerance, strategy, and its operations 2) Identifying and managing both single and mulitple risks, entity-wide and lower level risks 3) Reducing operational surprises and losses 4) Reducing performance variability 5) Identifying opportunities 6) Improving the deployment of capital
The COSO 2017 ERM framework has the following 5 components:
1) Governance and Culture 2) Strategy and Objective-Setting 3) Performance 4) Review and Revision 5) Information, Communication, and Reporting
What are the 5 stages for the overall approach of performing an audit of internal control?
1) Plan the engagement 2) Use a top-down approach to identify controls to test 3)Test and evaluate the design effectiveness of internal control 4)Test and evaluate operating effectiveness of internal control 5) Form an opinion on the effectiveness of internal control
What are transaction control activities?
Those performed to check the accuracy, completeness, validity, and authorization of transactions
What are nonrountine transactions?
Those that are unusual, due to either size or nature, and occur relatively infrequently.
What is a Type 1 report?
A report on a management's description of a service organization's system and the suitability of the design of internal controls
What does Section 404(a) of SOX say?
Each annual report filed with the SEC must include a report in which management (1) acknowledges its responsibility for establishing and maintaining adequate internal control over financial reporting and (2) provides an assessment of internal control effectiveness as of the end of the most recent fiscal year
What does it mean when a control is implemented?
It actually exists and is in use.
What is the goal of segregation of duties?
Not to allow an individual to have incompatible duties that would allow him or her to both perpetrate and conceal errors or fraud in the normal course of his or her duties.
What does the Foreign Corrupt Practices Act prohibit?
Payments to foreign officials for the purpose of securing business are specifically prohibited for all American businesses by the anti-bribery provisions of the act.
What is Sharing in terms of risk reduction?
Reducing likelihood or impact by transferring or sharing a portion of the risk (insurance, hedging, outsourcing)
What should auditors focus on when obtaining an understanding of the control environment?
Substance of controls, rather than form.
What are the further audit procedures?
Substantive procedures, and when the assessed level of risk presumes that controls operate effectively, tests of controls.
What happens when auditors determine it will be too costly to perform substantive procedures alone?
The most efficient course of action is to increase their understanding and testing of the client's internal control.
The transactions for a particular company depend on what?
The nature of the company's business activities.
How do auditors go about obtaining audit evidence about the design and implementation of relevant controls?
- Inquiring entity personnel - Observing the application of specific controls - Inspecting documents and reports - Tracing transactions through the information system relevant to financial reporting
What do auditors need to document when gathering an understanding of internal control?
- overall responses to address assessed RoMM at the financial statement level - NET of further audit procedures - linkage of those procedures with the assessed risks at the relevant assertion level - results of the audit procedures - conclusions reached with regard to use of the current audit evidence about the operating effectiveness of controls that was obtained in a prior audit
What are the components of the internal control system? (CRIME)
C - control environment R - risk assessment I - information system of accounting M - monitoring of controls E - existing control activities
What is the point of testing of operating effectiveness of controls?
To determine whether the controls function as designed and whether those performing them possess the necessary authority and qualifications
What does understanding the client's process for identifying and responding to business risk include?
- how management identifies these risks - how management estimates their significance - how management decided upon actions to manage them.
When internal control design seems strong, what should auditors do?
They should determine that it has been implemented which involves observing the procedure. The auditor will then check whether they operate effectively (test of controls)
What are detective controls?
Those designed to discover misstatements after they have occurred. Examples:Variance analysis, Periodic count of petty cash
What are complementary controls?
Those that function together to achieve the same control objective.
What are management review controls?
Those that operate through management review of information for evidence of errors, fraud, or breakdown in other controls Examples: review over unusual transactions, development of estimates
What are relevant controls?
Those that pertain to the reliability of preparation of financial information for external reporting purposes, also those that affect the reliability of data that the auditors use to perform auditing procedures.
What are risks at the financial statement level?
Those that relate to the overall financial statements and potentially affect many individual assertions (cannot effectively be isolated)
What is Acceptance in terms of risk response?
Taking no action because the risk is consistent with the risk tolerance of the organization.
What should auditors ask themselves when determining if they should test controls?
"Is the time required to perform test of controls to justify a lower assessment of control risk justified in terms of its resulting decrease in the scope of substantive procedures?"
What would an auditors response to assessing financial statement level risks?
- Assign more experienced staff or those with specialized skill - Provide more supervision and emphasizing the need to maintain prof. skepticism - Incorporate add'l elements of unpredictability in the selection of further audit procedures to be performed - Increase overall scope of audit procedures, including NET
Auditors may design additional tests of controls to...
...support their planned assessed level of control risk
After auditors have completed the tests of controls...
...they should determine if it is necessary to revise their assessed level of CR (or RoMM). If as assessed, no changes necessary. If assessed risk is higher, expand scope of substantive procedures. If assessed risk is lower, reduce scope of substantive procedures.
What are the basic principles of the control environment?
1) Commitment to integrity and ethical values. 2)BOD that demonstrates independence from MGMT and exercises oversight of internal control 3)Establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities. 4)Commitment to attract, develop, and retain competent employees 5) Holding employees accountable for internal control responsibilities.
What did COSO study?
1) Establish a common definition of internal control to serve the needs of different parties 2) Provide a standard against which businesses and other entities can assess their control systems and determine how to improve them
What are the basic principles of MGMT information system of accounting?
1) Obtain and use relevant and quality info to support the functioning of other internal control components 2)Communicate internally the info necessary to support the functioning of other IC components 3)Communicate with external parties regarding matters affecting the functioning of other components of IC
What are the types of control activities performed in organizations?
1) Performance review 2)Transaction control activities 3)General and application controls 4) physical controls 5) segregation of duties
What are the basic principles of existing control activities?
1) Select and develop control activities that mitigate risks of the achievement of organization objectives to acceptable levels 2) Select and develop general control activities over technology to support organization's objectives 3) Deploy control activities through policies that establish what is expected and in procedures that put policies into action
In performing effective risk assessment, organizations/management should
1) Specify objectives to identify and assess the risks related to those objectives 2) Identify and analyze risks to the achievement of its objectives 3)Consider potential fraud relating to the achievement of objectives 4) Identify and assess changes that could impact internal control
How does COSO define internal control?
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
What is a material weakness in internal control over financial reporting?
A reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis.
What does an internal control flowchart show?
Clear image of the system, showing thr nature and sequence of procedures, division of responsibilities, sources and distribution of documents, and types and location of accounting records and files
What are the major types of transaction control activities?
Authorizatoins and approvals, verifications, physical controls, controls over standing data, reconciliations, and supervisory controls
What is the purpose of strategy and objective setting?
Businesses objectives allow strategy to be put into practice and shape entity's day-to-day operations and priorities.
What is Avoidance in terms of risk response?
Exiting the activity that gives rise to the risk,
What is a disadvantage of an internal flowchart?
Internal control weaknesses are not identified as prominently as in questionnaires and may not provide a clear signal that a particular control is absent or is not being properly enforced
What are the limitations of internal control?
Mistakes based on misunderstanding of instructions, judgement, carelessness, distraction, or fatigue
What is Reduction in terms of risk response?
Taking action to reduce risk liklihood or impact, or both.
What is the Financing cycle?
Processes, procedures, and policies for authorizing, executing, and recording transactions involving banks loans, leases, bonds payable, and capital stock
What is the Payroll cycle?
Processes, procedures, and policies for hiring, terminating, and determining pay rates; timekeeping; computing gross payroll, payroll taxes, and amounts withheld from gross pay; maintaining payroll records; preparing and distributing paychecks
What is an advantage of an internal control flowchart over a questionnaire or written narrative?
Provides a clearer, more specific portrayal of client's internal control system
Auditors ______ obtain some knowledge about the client's existing control activities.
Should
What is a manual of accounting policies and procedures?
States clearly in writing the methods of treating transactions, both should provide clear guidance that will allow proper and uniform handling of transactions.
What are application controls?
The control activities that apply to the processing of a single type of transaction
Why do automated controls provide an exception to increasing extent/scope of test of controls when an auditor needs more evidence?
They are inherently consistent. Auditors may use an approach to determine that it was working at a point in time and no inappropriate changes were made to the program during the period under audit.
How do external auditors evaluate the objectivity of internal auditors when using their work?
They consider organizational status of the director of internal audit, including whether they report to those charged with governance of the entity, like the audit committee or BOD
How do external auditors evaluate the competence of internal auditors when using their work?
They evaluate: - the policies for hiring, training, assigning personnel to engagements - that the internal audit function is adequately and appropriately staffed - whether individual auditors are adequately trained and proficient by evaluating their education level - internal auditors professional experience and professional certifications
What happens if the auditors determine substantive procedures, alone, cannot provide sufficient audit evidence?
They may be no other option then relying upon a combo of tests of controls and substantive procedures
What are service organizations for?
They provide processing services to companies (user entities) that decide to outsource a portion of their processing Example: payroll function
Who do internal auditors report to?
They report their findings to management and the audit committee.
What should auditors do to understand client's AIS?
They should become familiar with: - significant classes of transactions - adjustments - nonrountine transactions and estimates - procedures used to prepare financial statements and related disclosures and how misstatements may occur - how financial reporting roles and responsibilities relating to financial reporting are communicated.
What do external auditors need to communicate when using internal auditor's work?
They should communicate how the work will be used to those charged with governance.
What do auditors use the information they collect when obtaining an understanding of the client and its environment?
To identify types of potential misstatements, consider factors that affect the risks of material misstatement, and design tests of controls (when applicable) and substantive procedures.
Why do auditors perform tests of controls?
To obtain evidence about the operating effectiveness of controls.
Why were internal control provisions added to this act?
To prevent top management from asserting that they were not aware of the payments
What is s walk-through?
Tracing one or two transactions through each step in the cycle.
Detective controls operate at which level?
Transaction level or higher.
When would auditors not perform test of particular controls?
When it is more efficient to perform substantive procedures.
The expected effectiveness of internal control is a key factor in...
assessing the RoMM, yet they have little info on actual effectiveness. Allows them to only assess the design of the system
Assessing risk involves....
evaluating liklihood of occurrence, impact, frequency, and duration of the risk.
What is a performance review?
review of actual performance as compared to budgets, forecasts, and prior period performance; relating different sets of data to each other; performing overall reviews of performance
The emphasis for tests of controls should ordinarily be upon....
the operating effectiveness of controls that are directly related to relevant assertions.