ACCTG 403W Chapter 12 Assessing Control Risk and Reporting on Internal Controls

Obtain and document understanding of internal control

- Auditors need to understand controls that are relevant to financial statement audits in order to identify and assess the risks of material misstatements - auditing standards require auditors to obtain and document their understanding of internal control for every audit - the auditor uses procedures to obtain an understanding, which involve gathering evidence about the design of internal controls and whether they have been implemented, and then using that information as a basis for assessing control risk and for the integrated audit - auditors generally use inspection, inquiry of entity personnel, observation of employees performing control processes, and re-performance by tracing one or a few transactions through the accounting system from start to finish

qualified or disclaimer of opinion

- a scope limitation requires the auditor to express a qualified or disclaimer of opinion - this type of opinion is issued when the auditor is unable to determine if there are material weaknesses, due to a restriction on the scope of the audit of internal control over financial reporting or other circumstances where the auditor is unable to obtain sufficient appropriate evidence

management letters

- in addition to communications to those charged with governance, auditors often identify less significant internal control - related issues, as well as opportunities for the client to make operational improvements - form of communication is often a separate letter for that purpose - not required by auditing standards, yet auditors prepare them as a value-added service of the audit

reporting - smaller companies

- no requirement for a report on internal control - therefore, the auditor focuses on internal control only to the extent needed to assess the risks of material misstatements and do a quality audit of financial statements

extent of understanding needed - smaller companies

- sufficient to assess risk for the audit - For smaller companies, if the auditor determines that controls are not designed or implemented properly, or not operating effectively, the auditor assesses control risk at maximum and designs and performs detailed substantive procedures

Section 404 reporting requirements

- the auditor is required to issue an audit report on internal control over financial reporting for public companies - scope of the auditor's report on internal control is limited to obtaining reasonable assurance that material weaknesses in internal control are identified

communications to those charged with governance and management letters 60

- the auditor must communicate significant deficiencies and material weaknesses in writing to those charges with governance as soon as the auditor becomes aware of their existence - communication is usually addressed to the audit committee and to management - timely communications may provide management an opportunity to address control deficiencies before management's report on internal control must be issued - regardless, these communications must be made no later than __ days following the audit report release

extent of tests of controls needed - smaller companies

- the auditor will not perform tests of controls when control risk is assessed at maximum - When control risk is assessed below the maximum the auditor designs and performs a combination of tests of controls and substantive procedures to obtain reasonable assurance that the financial statements are fairly stated

control deficiency

- the design or implementation of internal controls does not permit company personnel to prevent or detect misstatement - if a well designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized

understanding internal controls on outsourced systems

- when clients use service centers for processing transactions, the auditor may need to obtain an understanding of the controls of the service center - auditing standards require the auditor to consider the need to obtain an understanding and test the service center's controls if the service center application involves processing significant financial data

common uses of generalized audit software

1. verify extensions and footings 2. examine records for quality, completeness, consistency, and correctness 3. compare data on separate files 4. summarize or resequence data and do analyses 5. select audit samples 6. print confirmation requests 7. compare data obtained through other audit procedures with company records

control matrix

Assess control risk for each related audit objective - the __ is useful for this assessment.

control matrix

Associate control deficiencies with related audit objectives - the __ is useful for this task.

1. control deficiency 2. significant deficiency 3. material weakness

Auditing standards define 3 levels of the absence of internal control: 1. 2. 3.

generalized audit software (GAS)

Auditors commonly do parallel simulation testing using ___

1. narrative 2. flowchart 3. internal control questionnaire

Auditors commonly use 3 types of documents to obtain and document their understanding of the design of internal control: 1. 2. 3.

entity level

Auditors generally assess __ controls before assessing transaction specific controls

embedded audit module approach

Auditors insert an audit module into the client's application system to identify specific types of transactions - usually used to identify unusual transactions for substantive testing - used to test automated controls - used to verify the client's account balances

1. internal controls over financial reporting 2. internal controls used to assess control risk below maximum

Controls that must be tested in an audit of internal controls: 1. 2.

automated controls

For __, as long as the computer is programmed accurately and that program remains unchanged, automated controls will consistently program as programmed until the software application is changed

manual controls

For __, the auditor will select a sample of transactions and test whether the control is operating effectively.

1. identify existing controls 2. identify the absence of key controls 3. consider the possibility of compensating controls 4. decide whether there is a significant deficiency or material weakness 5. determine potential misstatements that could result

Identify deficiencies, significant deficiencies, and material weaknesses - involves the following processes: 1. 2. 3. 4. 5.

application controls

If general controls are effective, the auditor may be able to place greater reliance on __ controls whose functionality is dependent on IT.

reasonable possibility material misstatement

If there is more than a ___ (likelihood) that a ___ (significance) could result from the significant deficiency, then it is considered a material weakness.

Evaluating internal control implementation

In addition to understanding the design of the internal controls, the auditor must also evaluate whether the design controls are implemented. Auditors use the following methods to evaluate implementation: - update and evaluate auditor's previous experience with the entity - make inquiries of client personnel - examine documents and records - observe entity activities and operations - perform walkthroughs of the accounting system

transaction level

Many auditors use a control risk matrix to assist in the control risk assessment process at the __.

1. reporting 2. extent of internal controls 3. extent of understanding needed 4. assessing control risk 5. extent of tests of controls needed

Smaller companies that are not subject to Section 404: 1. 2. 3. 4. 5.

date

The auditor is attesting to the effectiveness of internal controls as of the __ rather than attesting to the effectiveness of controls throughout the fiscal year.

procedures for tests of controls 1. make inquiries of appropriate client personnel 2. examine documents, records, and reports 3. observe control related activities 4. reperform client procedures

The auditor uses 4 types of procedures to test controls: 1. 2. 3. 4.

material class of transactions

The auditor uses preliminary assessment of control risk to plan the audit for each __.

planned detection risk substantive tests for the audit

The auditor uses the control risk assessment and results of tests of controls to determine __ and __. - the auditor links the control risk assessment and balance-related audit objectives for the accounts affected by the major transaction types and to the four presentation and disclosure audit objectives. The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model.

1. reliance on evidence from the prior year's audit 2. testing of controls related to significant risks 3. testing less than the entire audit period *auditing standards require review at least every 3 years

The extent of tests of controls is also dependent on the following: 1. 2. 3.

questionnaires flowcharts

The use of ___ and __ together is useful for understanding the client's internal control design and identifying internal controls and deficiencies.

relationship between tests of controls and procedures to obtain an understanding

There is a significant overlap between tests of controls and procedures to obtain an understanding. However, there are 2 primary differences: 1. In obtaining an understanding of internal control, the procedures are applied to all controls identified during that phase. Tests of controls are applied only when the assessed control risk has not been satisfied. 2. Procedures to obtain an understanding are performed on only one or a few transactions. Tests of controls are performed on larger samples and often at more than one point in time.

1. likelihood 2. significance

To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along two dimensions: 1. 2.

control risk matrix

Use of a __ is used to assess control risk.

1. update and evaluate auditor's previous experience with the entity 2. make inquiries of client personnel 3. examine documents and records 4. observe entity activities and operations 5. perform walkthroughs of the accounting system

What 5 methods does the auditor use to evaluate implementation of internal controls?

easier to read and easier to update

What are 2 advantages of flowcharts over narratives?

inability to provide an overview of the system their inapplicability for some audits, especially smaller ones

What are 2 main disadvantages of internal control questionnaires?

1. obtain and document understanding of internal control 2. assess control risk 3. design, perform, and evaluate tests of controls 4. decide planned detection risk and substantive tests

What are the 4 steps in understanding controls?

1. identify audit objectives 2. identify existing controls 3. associate controls with related audit objectives

What are the components of the control risk matrix?

both include inspection, observation, and inquiry

What are the similarities in evidence for tests of controls and procedures to obtain an understanding?

Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls (type 2)

What service audit report helps the auditors obtain an understanding of internal control and effectiveness of internal controls?

Report on management's description of a service organization's system and suitability of the design of controls (type 1)

What service audit report helps the auditors obtain an understanding of internal control to plan the audit?

auditing in more complex IT environments test data approach parallel simulation embedded audit module approach

When traditional source documents and accounting records exist only electronically, the auditors must change their approach by auditing through the computer. This can be done using several approaches: 1. 2. 3.

extent of procedures

__ depends on preliminary assessed control risk - also depends on the frequency of the operation of the controls, and whether it is manual or automated - auditor will test year end controls, but also will test a sample of controls that operate quarterly or monthly - If the auditor wants a lower control risk, more extensive tests of controls are applied, both in number and extent of tests.

flowcharts questionnaires

___ provide an overview of the system, while ___ offer useful checklists to remind the auditor of many different types of internal controls that should exist.

extent of internal controls - smaller companies

a company's size has a significant effect on the nature of internal control and the specific controls that are implemented. Small company should have (1) competent, trustworthy personnel with clear lines of authority (2) proper procedures for authorization, execution, and recording of transactions (3) adequate documents, records, and reports (4) physical controls over assets and records (5) to a limited degree, independent checks on performance

flowchart

a diagram of the client's documents flow in the organization

Internal control questionnaire

asks a series of questions about the controls in each audit area as a means of identifying internal control deficiencies - most questionnaires require a "yes" or "no" response, with "no" responses indicating potential internal control deficiencies

identify and evaluate control deficiencies, significant deficiencies, and material weaknesses

auditors must evaluate whether key controls are absent in the design of internal control over financial reporting

key controls

auditors should identify and include only those controls that are expected to have the greatest effect on meeting the transaction-related audit objectives

summarize or resequence data and do analysis

change or aggregate fata EX: resequence inventory items by location to facilitate physical observation

compare data obtained through other audit procedures with company records

compare machine-readable data with audit evidence gathered manually, which is converted to machine-readable form EX: compare confirmation responses with AR master file

compare data on separate files

determine that information in two or more data files agrees EX: compare changed in AR balances between two dates using sales and cash receipts in transaction files.

material weakness

exists if a significant deficiency or combination of significant deficiencies, result in a reasonable possibility that internal control will not prevent or detect material financial statement misstatement on a timely basis

significant deficiency

exists if one or more control deficiencies exist that are less severe than a material weakness, but are important enough to merit attention by those responsible for oversight of the company's financial reporting

preliminary assessment of control risk

is a measure of the auditor's expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred

Update and evaluate auditor's previous experience with the entity

o After first year's audit, the auditor begins with a great deal of information from prior years about the client's internal control o It is especially useful to determine whether controls that were not previously operating effectively have been improved

parallel simulation

o Auditors often use auditor-controlled software to do the same operations that the client's software does, using the same data files. The purpose is to determine the effectiveness of automated controls and to obtain evidence about electronic account balances - used for substantive testing, such as recalculating transaction amounts and footing master file subsidiary records of account balances

Examine documents and reports

o By examining completed documents, records, and computer files, the auditor can evaluate whether information described in flowcharts, narratives, and questionnaires has been implemented

make inquiries of client personnel

o Careful questioning of appropriate personnel helps auditors evaluate whether employees understand their duties and do what is described in the client's control documentation

Perform walkthroughs of the accounting system

o In a walkthrough, the auditor selects one or a few documents of a transaction type and traces them from initiation through the entire accounting process o At each stage of processing, the auditor make inquiries, observes activities, and examines completed documents and records o Walkthroughs conveniently combine observation, inspection, and inquiry to assure that the controls designed by management have implemented

Observe entity activities and operations

o When auditors observe client personnel carrying out their normal accounting and control activities, including their preparation of documents and records, it further improves the auditors' understanding and knowledge that controls have been implemented

print confirmation requests

print data for sample items selected for confirmation testing EX: print customer name, address, and Account balance information from master file

examine records for quality, completeness, consistency, and correctness

scan all records using specified criteria EX: review payroll filed for terminate employees

select audit samples

select samples from machine-readable data EX: randomly select AR for confirmation

Determine assessed control risk supported by the understanding obtained

the auditor makes a preliminary assessment of control risk based on entity-level control risks as well as IT general controls

assessing control risk - smaller companies

the auditor will assess control risk at maximum when controls are ineffective or nonexistent for any audit objectives

adverse opinion

the auditor will express an adverse opinion on the effectiveness of internal control over financial reporting when one or more material weaknesses exist

Unqualified opinion

the auditor will issue an unqualified opinion on internal control over financial reporting when two conditions are met: - there are no identified material weaknesses as of the end of the fiscal year - there have been no restrictions on the scope of the auditor's work

tests of controls

the procedures to test effectiveness of controls in support of a reduced assessed control risk

Verify extensions and footings

verify the accuracy of the client's computations by calculating information independently EX: foot AR trial balance

narrative 1. the origin of every document and record in the system 2. all processing that takes place 3. the disposition of every document and record in the system 4. an indication of the controls relevant to the assessment of control risk

written description of client's internal controls include the following: 1. 2. 3. 4.

reliance on evidence from prior year's audit

• Auditing standards require tests of controls' effectiveness at least every 3rd year • If auditors determine that a key control has been changed since it was last tested, they should test it in the current year • When there are a number of controls tested in prior audits that have not been changed, auditing standards require auditors to test some of those controls each year to ensure there is a rotation of controls testing throughout the 3 year period

reliance on service center auditors

• In recent years, it has become increasingly common for service centers to engage a CPA firm to obtain an understanding and test internal controls of the service center and issue a SOC report for use by all customers and their independent auditors • Attestation standards provide guidance to auditors who issue reports on the internal control of service organizations (service auditors), while auditing standards provide guidance to auditors of user organizations (user auditors) that rely on the service auditor's report

Testing less than the entire audit period

• PCAOB auditing standards require the auditor to perform tests of controls that are adequate to determine whether controls are operating effectively at year end • The timing of the auditor's tests of controls will therefore depend on the nature of the controls and when the company uses them • For controls that are applied throughout the accounting period, it is usually practical to test them at an interim date • Controls dealing with financial statement preparation occur only quarterly or at year end and must therefore also be tested at quarter end and year end

testing of controls related to significant risks

• Significant risks are those risks that the auditor believes require special audit consideration • When the auditor's risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below 100% • The greater the risk, the more audit evidence the auditor should obtain that controls are operating effectively

test data approach

• auditors process their own test data using the client's computer system and application program to determine whether the automated controls correctly process the test data o Auditors design the test data to include transactions that the client's system should either accept or reject o After the test data are processed on the client's system, auditors compare the actual output to the expected output to assess the effectiveness of the application program's automated controls o 3 main considerations ♣ test data should include all relevant conditions that the auditor wants tested ♣ application programs tested by auditors' test data must be the same as those the client used throughout the year ♣ test data must be eliminated from the client's records - used for tests of controls and substantive tests of transactions

purpose of tests of controls

♣ Assessing control risk requires the auditor to consider the design, implementation, and operation of controls to evaluate whether they will likely be effective in meeting related audit objectives ♣ During the understanding phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementation by using procedures to obtain an understanding ♣ In most cases, the auditor will not have gathered enough evidence to reduce assessed control risk to a sufficiently low level