Concepts of Auditing Chapter 7
Detective (Controls over Financial Reporting)
1- Designed to discover misstatements after they have occurred (Example: Monthly bank reconciliations)
objective of accounting system
1- identify and record valid transactions 2- describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions 3- measure the value of transactions appropriately 4- determine the time period in which the transactions occurred to permit recording in the prior period 5- present properly the transactions and related disclosures in the financial statements (examples: companies have accounting manuals)
Preventive (Controls over Financial Reporting)
1-Aimed at avoiding the occurrence of misstatements in the financial statements (Example: Segregation of duties)
Responses to high risks at the Financial Statement Level
1-Assigning more experienced staff or those with specialized skills 2-Providing more supervision and emphasizing the need to maintain professional skepticism 3-Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed 4-Increasing the overall scope of audit procedures, including the nature, timing or extent
Enterprise Risk Management (ERM)
1-COSO issued a new internal control framework in 2004 on enterprise risk management. It does not replace the original COSO internal control framework. 2-It goes beyond internal control to focus on how organizations can effectively manage risks and opportunities. 3-The auditing standards are still structured around the original COSO internal control framework.
Service Organizations (Auditor should obtain understanding of the outsourced function by following one or more of:)
1-Contacting service organization to obtain information. 2-Visiting service organization and performing necessary procedures. 3- Obtaining a report from service organization
Auditors must consider all five internal control components
1-Control environment 2-Accounting information system 3-Risk assessment 4-Control activities 5-Monitoring (Also consider areas difficult to control like non-routine transactions (e.g., accounting estimates))
Tests of controls address:
1-How controls were applied 2-The consistency with which controls were applied 3-By whom or by what means (e.g., electronically) the controls were applied
Use of the Work of Internal Auditors
1-Obtaining audit evidence by using the internal auditors' work performed as a part of their normal responsibilities, and 2- Using internal auditors to provide direct assistance on the external audit. (CPA can rely on work of internal auditors to reduce amount of testing. CPA must assess internal auditors' competence and objectivity. If intent is to rely upon work of internal auditors, test that work. Can obtain assistance in performing procedures, but CPA remains responsible for the audit.)
Assessing Risks at the Financial Statement Level examples
1-Preparing the period-end financial statements, including the development of significant accounting estimates and preparation of the notes 2-The selection and application of significant accounting policies 3-IT general controls (are they designed appropriately?) 4-The control environment
transaction cycles
1-Revenue (Sales and Collections) 2-Purchases and Disbursements 3-Production 4-Payroll 5-Financing 6- Investing
Components of Internal Control
1-The Control Environment 2-Risk Assessment 3-Control Activities 4-Information System Relevant to Financial Reporting and Communication 5-Monitoring Activities
control environment factors
1-commitment to integrity and ethical values (TONE AT THE TOP) 2- board of directors demonstrates independence from management and exercises oversight of internal control 3- establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities 4- a commitment to attract, develop, and retain competent employees. Holding employees accountable for internal control responsibilities.
limitations of internal controls
1-errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc. 2- controls that depend on the segregation of duties may be circumvented by collusion 3- management may override the structure 4- compliance may deteriorate
perform further audit procedures- test controls examples
1-inquiries of appropriate client personnel 2- inspection of documents and reports 3- observation of application of controls 4- reperformance of the controls (the results of the tests of controls are used to determine the nature, timing, and extent of substantive procedures)
control activities
1-performance reviews: (review of actual vs budget, review of performance of employees) 2-transactions control activities (authorization, documentation to support transactions, use of serial numbers on documents) 3-physical controls (security of records) 4-segregation of duties (segregation of authorization, recording of custody of assets)
documenting the understanding of internal controls
1-questionnaires (typically standardized by the firm) 2-written narratives (memos that describe a flow of transactions) 3- flowcharts (systems flowcharts) 4-walkthrough (trace one or two transactions through the cycle)
Internal Control
A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity's) objectives relating to: 1-Operations 2-Reporting, and 3- Compliance
area of reporting (Control Objectives example)
Area of reporting. Top level objective - prepare and issue reliable financial information. Detailed level applied to A/R sub-objectives: 1-All goods shipped are accurately billed in the proper period 2-Invoices are accurately recorded for all authorized shipments and only for such shipments 3-Authorized and only authorized sales returns and allowances are accurately recorded 4-The continued completeness and accuracy of A/R is ensured 5-Accounts receivable records are safeguarded
the nature of transactions
Auditors use their understanding of the client's information systems to identify risks of material misstatement that relate to recording of transactions such as the following (1-routine transactions (e.g., revenue, purchases, and cash receipts and disbursements) 2-non routine transactions (e.g., taking of inventory, calculating depreciation expense) 3- estimation transactions (e.g., determining the allowance for doubtful accounts)) (Generally routine transactions have the strongest controls)
Controls overlap (Controls over Financial Reporting)
Complementary - function together (e.g. cash disbursements must be authorized and bank reconciliations should be prepared; ensures that unauthorized transactions are prevented or detected). Redundant - address same assertion or control objective. Compensating - reduces risk existing weakness will result in misstatement (e.g. owner of small business may look over accounting records).
Service Organizations
Computer service organizations provide processing services to customers who decide not to invest in their own processing of particular data (Examples: Outsource processing of payroll or Internet sales)
3. Assess the risks of material misstatement
General approach 1- Identify risks while obtaining an understanding of the client and its environment, including its internal control 2-Relate the identified risks to what can go wrong at the relevant assertion level (e.g. - Existence of receivables: DO ALL EXIST?) 3- Consider whether the risks are of a magnitude that could result in a material misstatement 4- Consider the likelihood that the risks could result in a material misstatement (At this point we only know if the DESIGN of the system of internal control is effective, just by the "understanding phase")
type 1 (Types of Service Auditor Reports)
Management's description of the system and the suitability of the design of controls
Corrective (Controls over Financial Reporting)
Needed to remedy the situation uncovered by detective controls (Example: Backups of master file (to allow correction of data entry errors))
Foreign Corrupt Practices Act
Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business. The Act: 1-Requires an effective system of internal control 2-Makes illegal payment of bribes to foreign officials
Separate evaluations (monitoring)
Performed on nonroutine basis (Example: Periodic audits by internal audit)
Service Organizations (Terms)
Service auditor—provides examination of service organization's controls. User Auditor—Uses that report.
2. Obtain an understanding of the client and its environment, including internal control
The understanding of internal control is used to help the auditor to 1- identify types of potential misstatements 2- consider factors that affect the risks of material misstatement 3- design tests of controls (when applicable)
type 2 (Types of Service Auditor Reports)
Type 2: Attributes of 1, plus assurance on the operating effectiveness of controls. A Type 2 report may provide the user auditor with a basis for assessing control risk below the maximum.
4. perform further audit procedures- test controls
assume there is a lower planned assessed level of control risk. Approach: 1- identify controls likely to prevent or detect a material misstatement 2- perform tests of controls to determine whether they are operating effectively
ongoing monitoring activities (monitoring)
enables management to assess the quality of internal control 1- regularly performed supervisory and management activities (Example: Continuous monitoring of customer complaints)
assessing risk at the assertion level
examples: 1-failure to recognize an impairment loss on a long lived asset affects only the valuation assertion 2- inaccurate counting of inventory at year end affects the valuation of inventory and the accuracy of cost of goods sold. responses: decisions are made here as to the appropriate combination of tests of controls and substantive procedures
Financing cycle
including processes, procedures, and policies for authorizing, executing, and recording transactions involving bank loans, leases, bonds payable, and capital stock.
Investing cycle
including processes, procedures, and policies for authorizing, executing, and recording transactions involving investments in fixed assets and securities.
Payroll cycle
including processes, procedures, and policies for hiring, terminating, and determining pay rates; timekeeping; computing gross payroll, payroll taxes, and amounts withheld from gross pay; maintaining payroll records; and preparing and distributing paychecks.
Acquisition (or purchases and disbursements) cycle
including processes, procedures, and policies for initiating purchases of inventory, other assets, and services; placing purchase orders, inspecting goods upon receipt, and preparing receiving reports; recording liabilities to vendors; authorizing payment; and making and recording cash disbursements.
Revenue (or sales and collections) cycle
including processes, procedures, and policies for obtaining orders from customers, approving credit, shipping merchandise, preparing sales invoices (billing), recording revenue and accounts receivable, and handling and recording cash receipts.
Conversion (production) cycle
including processes, procedures, and policies for storing materials, placing materials into production, assigning production costs to inventories, and accounting for the cost of goods sold.
management risk assessment
organizations should 1- clearly specify objectives to allow identification and assessment of risks related to those objectives 2-Identify and analyze risks to the achievement of its objectives to determine how they may be managed. 3-Consider potential fraud relating to the achievement of objectives. 4-Identify and assess changes that could impact internal control.
auditors' overall approach with internal control
overall approach of an audit 1. Plan the audit 2. Obtain an understanding of the client and its environment, including internal control 3. Assess the risks of material misstatement and design further audit procedures 4. Perform further audit procedures 5. Complete the audit 6. Form an opinion and issue the audit report (Steps 2-4 relate most directly to the role of internal control in financial statement audits)
obtain the understanding
procedures include: 1- inquiring of the entity personnel 2- observing the application of specific controls 3- inspecting documents and reports 4- tracing transactions through the information system relevant to financial reporting (may also obtain evidence on operating effectiveness of various controls)
planned assessed level of control risk
the level of control risk the auditors assume in designing further audit procedures, which include an appropriate combination of tests of controls and substantive procedures