Auditing Ch7
audit procedures used to test effectiveness of IC include: 4
1) inquiries of client personnel 2) inspection of documents and reports 3) observation of the application of controls 4) reperformance of the controls
Definition of IC
A process, effected by the entity's board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objective relating to operations, reporting, and compliance
service auditor report types Type 1 Type 2
Type 1: a report on management's description of a service organization's system and the suitability of the design controls Type 2: type1 and operating effectiveness of controls
policies and procedures that help mitigate the risk that the organization's objectives are not met are called control ______
activities
if one or more material weaknesses in IC are found an _____ ____ should be issued
adverse opinion
for the control environment component, professional standards require auditors should obtain sufficient knowledge about the company's ______
antifraud progam
the major difference between control objectives and management assertions is that control objectives
are broader in scope because they relate to reporting, operations, and compliance
_____ is a checklist, standard form, or computer program that helps the auditors make a particular decision by ensuring that they consider all relevant information or by assisting them in combining the information to make the decision
audit decision aid
organizational structure should separate responsibilities for
authorization of transactions record keeping for transactions custody of assets
reduces the risk that an existing or potential control waekness will result in a misstatement
compensating control (Ex: owner of small business examines FS extra carefully because they can't hire more personnel in accounting)
when assessing work of internal auditors, external auditors should look at _____ and ____
competency and objectivity
function together to achieve the same control objective
complementary controls
what is of particular significance to corporate governance
control environment
one major difference between control objectives and assertions:
control objectives are broader in that they relate not only to financial reporting, but also to operations and compliance
not only concerned with the effectiveness of financial reporting, but it also encompasses ethical treatment of all major stakeholders, compliance with laws, regulations, customary business practices, and effective risk management
corporate governance
a _________ over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect material misstatements on a timely basis.
deficiency in internal control; only communicated if they think it deserves management's attention (put in management letter)
risks at the fs level are those that relate to the overall ____ _____ and potentially affect many individual assertions
financial statements Ex: accounting estimates, preparation of notes, accounting policies applied, control environment
transaction-level controls may be broken down into two categories: ______ control activities and ____ controls
general; application
enterprise risk management system
includes internal control but includes focusing beyond that
allow an individual to both perpetrate an conceal errors or fraud in the normal course of his or her duties
incompatible duties
example of work that should not be assigned to internal auditors
making required inquiries of management related to identification of fraud risks and determining procedures to respond to such risks
operate through management review of info for evidence of errors, fraud, or breakdowns in other controls
management review controls (ex: reviewing unusual transactions or reviewing calcs of estimates)
a _____ is a deficiency in IC over financial reporting such that there is a reasonable possibility that material misstatement of the company's fs will not be prevented or detected on a timely basis
material weakness; must be communicated IN WRITING
management needs to assess risks that threaten their ability to meet their objectives in the area of ______, ______, and _______
operations, reporting, and compliance
preliminary assessments of control risk are often referred to as
planned assessed level of control risk
controls over financial reporting are often classified as ____ _____ Or _____
preventative, detective, or corrective
if they address the same fs assertion or control objective
redundant controls
three category objectives of IC set by COSO
reporting, operations, and compliance
auditors use ______ ______ _____ to obtain an understanding of internal control
risk assessment procedures
the acceptable level of variation in performance relative to the achievement of objectives
risk tolerance
a ________ is a deficiency in internal control over financial reporting that is less sever than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting
significant deficiency; must be communicated IN WRITING
controls that assess whether other transaction control activities are operating properly and are usually focused on high-risk transactions are called _______ controls
supervisory
refers to tracing one or two transactions through each step in the cycle
walk-through
controls over the authorization and processing of payroll are ______ controls
application
controls over the authorization and processing of payroll are _______ controls
application
fives stages of internal control audit
1) Plan the engagement 2) Use a top-down approach to identify controls to test 3) test and evaluate design effectiveness of IC 4) test and evaluate operating effectiveness of IC 5) Form an opinion on the effectiveness of IC over financial reporting
Five components of IC; auditor should develop understanding of each
1) control environment 2) risk assessment process 3) control activities 4) Information system relevant to financial reporting and communication 5) Monitoring activities