AUDITING CH 5 RISK ASSESSMENT: INTERNAL CONTROL EVALUATION
Relationship Between Internal Control Reliance and Audit Procedures
-An audit team's assessment of control risk as high implies that the controls are not effective at preventing or detecting material misstatements and could not be relied upon by the audit team. In this situation, the audit team would likely use substantive tests of details designed to obtain evidence (nature) at or near the entity's fiscal year-end (timing) with large sample sizes (extent). -On the other hand, an audit team's assessment of control risk as low implies that the controls are effective at preventing or detecting material misstatements and could possibly be relied upon by the audit team. In this situation, the audit team might be able to use less time-consuming substantive analytical procedures to obtain evidence (nature) at an interim date before the entity's fiscal year-end (timing) with much smaller sample sizes (extent).
Step 4: Evaluating Identified Deficiencies
-An internal control deficiency—whether resulting from a design or an operating deficiency—exists when either the design or the operation of the control under consideration does not allow the entity's management or employees to prevent or detect misstatements in a timely fashion. A design deficiency is a problem relating to either a necessary control that is missing, or an existing control that is so poorly designed that it fails to satisfy the control's objective. An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained). More serious internal control deficiencies can be categorized into one of two groups—material weaknesses or significant deficiencies—depending on their severity. -A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis. -A significant deficiency is a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. The primary difference between a significant deficiency and a material weakness involves the magnitude of the potential misstatement that could occur and would not be detected on a timely basis. As the potential misstatement approaches overall materiality, an auditor may conclude that a material weakness exists. The final determination is always a matter of professional judgment.
audit committee duties
-Appointment, compensation, and oversight of the public accounting firm conducting the entity's audit. -Resolution of disagreements between management and the audit team. -Oversight of the entity's internal audit function. -Approval of non-audit services provided by the public accounting firm performing the audit engagement. -Oversight of the anonymous fraud hotline that is designed to provide employees a confidential and effective manner in which to report possible financial reporting issues. -Authority to engage legal counsel in the event of management fraud.
Step 5: Wrapping up
-In an integrated audit of an issuer, audit teams are required to issue an opinion on the effectiveness of internal control over financial reporting. -They do so by evaluating evidence obtained from all sources, including the team's testing of controls, any misstatements detected during the financial statement audit, and any identified control deficiencies and material weaknesses. -Audit teams then form an opinion on the effectiveness of internal control over financial reporting. Audit teams can issue one of three types of opinions on internal control: -Unqualified. No material weaknesses exist. -Disclaimer of opinion. The audit team cannot perform all of the procedures considered necessary and is unable to determine whether material weaknesses exist. -Adverse opinion. One or more material weaknesses exist.
Key Decision: Deciding Whether to Continue to Test Controls
-For an integrated audit at an issuer, the auditor must test controls for all relevant assertions for each significant account and disclosure. -However, for audits of non-issuers, after the audit team members have documented their understanding of the entity's internal control, an important decision needs to be made: Should the audit team perform tests of the operating effectiveness of those controls? Audit teams may choose not to do so for one of two reasons: -(1) The internal control system is too ineffective in preventing or detecting misstatements to rely upon to justify reductions in substantive testing. -This conclusion is equivalent to assessing control risk at the highest level and planning more extensive substantive testing procedures. -(2) For the audits of non-issuers, a second reason that audit teams might not test controls would be the team's decision that it would take more time to test the operating effectiveness of the control activities than it would take to perform the substantive tests necessary for a relevant assertion (even if the controls turn out to be working well). In this situation, the cost of obtaining a low control risk assessment can be high. -In this case, the conclusion is also equivalent to assessing control risk at 100 percent, but this time it is because the audit team has not conducted the tests of operating effectiveness of control activities, not because the team has concluded that controls are ineffective.
auditors' internal control responsibilities
-For public companies, must audit and issue an opinion about the effectiveness of the internal control over financial reporting (ICFR) -For each fraud risk, must evaluate whether controls are in place to mitigate the fraud risk -Must assess control risk to determine the nature, timing and extent of substantive procedures to be performed -There are at least three reasons for conducting an evaluation of an entity's internal control system. -First, Sarbanes-Oxley requires an audit of the effectiveness of internal control over financial reporting for issuers. The internal control audit is conducted along with the financial statement audit as part of an overall integrated audit that is completed at issuers. -In essence, the audit firm employs one integrated process that culminates in two opinions being issued: one on the entity's financial statements and one on management's assessment of the effectiveness of the entity's internal control over financial reporting. -The second reason for evaluating an entity's internal control is to assess the preliminary risk of material misstatement (RMM) for each relevant assertion. The assessment of RMM at the assertion level is completed for all financial statement audits in order to give the audit team a basis for planning the audit and determining the nature, timing, and extent of further audit procedures to be conducted for the financial statement audit. -Third, for each fraud risk identified during the planning stage, the audit team should evaluate whether the client has implemented control activities that are specifically designed to address the risk of fraud that has been identified.
limitations of internal control
-Internal control provides reasonable assurance, not absolute assurance, that management's objectives will be achieved. Because people operate the controls, breakdowns can occur. Internal control can help prevent and detect many errors, but it cannot guarantee that they will never happen. •Human error •Collusion •Management override •Cost/benefit analysis -There is often a trade-off between the cost and the effectiveness of internal controls. -The concept of reasonable assurance recognizes that the cost of an entity's internal control should not exceed the benefits that are expected to be derived.
audit sampling
-Of course, there are many control activities that do not lend themselves to automated audit testing. In such situations, auditors are likely to take a sample from the population of occurrences for the control activity being tested. Most importantly, in such situations, the population being sampled must include all occurrences of the relevant control activity for the entire period of reliance, and the sample must be representative of that population to be considered appropriate audit evidence. -Tests of controls, when performed, should be applied to samples of transactions and control activities executed throughout the period under audit. The reason for this requirement is that the conclusions about controls will be generalized to the whole period under audit. If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, additional audit evidence should be obtained for the remaining period. There are certain situations when audit teams can rely on tests from previous periods if they have evidence that the procedure has not changed and the auditor does not believe there is a significant risk of material misstatement. However, in an annual audit, the auditor may not rely on audit evidence about the operating effectiveness of controls obtained in prior audits for controls that have changed since they were last tested or for controls that mitigate a significant risk. Audit sampling is discussed in detail in Module E.
exception testing
-One way to test all items in a population of occurrences for a particular control activity is exception testing. Exception testing is designed to identify a violation of a particular control activity through the use of an automated test procedure designed to test all items in a population. For example, consider an entirely automated control activity that is designed to compare a customer's credit limit to the sum of (1) a potential sales transaction and (2) that customer's outstanding credit balance before approval of that sales transaction. If the control activity operated effectively throughout the year, a customer's outstanding credit balance would never exceed its credit limit. -Given the nature of the control activity, one way to test its operating effectiveness would be through the use of exception testing. That is, an auditor could obtain evidence about the control's operating effectiveness by using a procedure that compares each customer's credit limit to that customer's outstanding credit balance at the end of each day for the year under audit. Such a testing strategy would not have been possible (at least economically) historically. However, due to advances in information technology, such testing is now possible. As a direct result, entry-level audit professionals are now expected to consider the full extent of client data available for testing purposes before they move forward with audit tests.
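The credit-limit exception test described above, worked through in Python as an added example (this is not code from the textbook). The control itself, the customer list, the credit limits and the 366 days of end-of-day balances are all constructed for illustration; the names control_approve_sale, exception_test and prob_sample_misses are this example's own. The block also shows why a full-population test matters for a control that fails rarely: it computes how likely a random sample of days is to miss a single-day breach entirely, and it reports a customer with no credit limit on file, a case the automated control cannot evaluate at all.

```python
import math
from datetime import date, timedelta

# Constructed sample data, not taken from the textbook: three customers with
# credit limits and 366 end-of-day balances each (2024 is a leap year).
CREDIT_LIMITS = {"C001": 10_000, "C002": 5_000, "C003": 2_500}
PERIOD_START = date(2024, 1, 1)
PERIOD_DAYS = 366
BREACH_DAY = date(2024, 7, 19)   # the single day on which C002 exceeds its limit in the sample data


def control_approve_sale(limit, outstanding, amount):
    """The automated control itself: a sale is approved only if the customer's
    outstanding balance plus the new sale stays within the credit limit."""
    return outstanding + amount <= limit


def build_daily_balances():
    """End-of-day balances for every customer for the whole period of reliance.
    C002 breaches its limit on exactly one day; C004 (a hypothetical customer)
    has no limit on file, so the control could never have evaluated it."""
    rows = []
    for offset in range(PERIOD_DAYS):
        day = PERIOD_START + timedelta(days=offset)
        rows.append((day, "C001", 4_000))
        rows.append((day, "C002", 5_200 if day == BREACH_DAY else 3_000))
        rows.append((day, "C003", 2_500))      # exactly at the limit: not an exception
    rows.append((BREACH_DAY, "C004", 100))      # customer the control cannot evaluate
    return rows


def exception_test(limits, daily_balances):
    """Full-population test: every (day, customer) row is checked, so a single-day
    breach anywhere in the period is reported. Returns one tuple per exception:
    (day, customer, balance, limit or None, reason)."""
    exceptions = []
    for day, customer, balance in daily_balances:
        limit = limits.get(customer)
        if limit is None:
            exceptions.append((day, customer, balance, None, "no credit limit on file"))
        elif balance > limit:
            exceptions.append((day, customer, balance, limit, "balance exceeds credit limit"))
    return exceptions


def prob_sample_misses(population_size, sample_size, exception_count):
    """Probability that a random sample of `sample_size` days contains none of the
    `exception_count` days on which the control failed (hypergeometric tail)."""
    return (math.comb(population_size - exception_count, sample_size)
            / math.comb(population_size, sample_size))


if __name__ == "__main__":
    found = exception_test(CREDIT_LIMITS, build_daily_balances())
    for exc in found:
        print(exc)
    print(f"a 25-day sample would miss the single breach with probability "
          f"{prob_sample_misses(PERIOD_DAYS, 25, 1):.3f}")
```

With the constructed data the full-population test returns exactly two exceptions (the C002 breach on 2024-07-19 and the C004 missing-limit case), while a 25-day sample would miss the breach about 93 percent of the time, which is the practical argument for exception testing over sampling when the data are available.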
management responsibilities for internal control
-Responsibility for establishing and maintaining adequate internal control over financial reporting -Assess and report on the effectiveness of internal control over financial reporting -also responsible for maintaining documentation that is sufficient to provide evidence that the system of internal control has been designed and is operating effectively -must also disclose any material weaknesses in internal control (which would mean internal control is not effective)
Step 6: Reporting on Internal Control
-The next step in the process is reporting on internal control over financial reporting. For the auditors' report on internal control, two options are available. -One option is to have two separate reports: one on the fairness of the entity's financial statements and a separate report on internal control over financial reporting. -Each report would be separately titled, dated (although using the same date), and signed. -The auditors' separate report on internal control is discussed in detail in the following section. -The second option is to prepare a combined report that expresses one opinion on the financial statements and a second on the effectiveness of internal control over financial reporting.
Phase 1: Understand and Document
-The process of obtaining an understanding of internal controls should occur early in the audit engagement. -On every audit engagement, the audit team should evaluate the design of internal control and determine whether controls have been implemented over all relevant assertions related to each significant account and financial statement disclosure. -The procedures used to gain an understanding of internal controls provide the audit team an overall acquaintance with the control environment and management's risk assessment, the flow of transactions through the accounting system, and the design of some client control activities. -Gaining an understanding of internal controls should be performed in a "top-down" risk-based manner that first identifies significant accounts and disclosures and their relevant assertions. -An account's significance is based on its inherent risk (i.e., the likelihood of containing a material misstatement before the consideration of internal control). -Thus, audit teams focus on likely sources of significant misstatements. -Relevant assertions are those that represent the possibility of a material misstatement. -Thus, an assertion that does not represent a meaningful risk of misstatement (e.g., completeness of cash) is not relevant and should not be considered by the audit team. -Reperformance of critical controls along the transaction trail can take place at this time to provide evidence of operating effectiveness.
Direction of the Test of Controls
-The tests of controls in Exhibit 5.18 are designed to test the payroll accounting cycle in two directions. One is the completeness direction, whereby the audit team is interested in ensuring that all valid hours are included in the entity's payroll; as a result, time logs (which represent valid hours worked) are traced to payroll department files and the payroll register (which represents hours included in the payroll). -The purpose of the occurrence test of payroll is to ensure that all labor hours included in the payroll (represented by the payroll register) were actually worked (represented by time logs). As a result, entries would be selected from the payroll register and vouched back to the time logs by the auditor. Because payroll provides access to cash, this cycle is highly susceptible to fraudulent activity on the part of an organization's employees. If a fictitious employee were created and added to the payroll, his or her pay could be deposited into another person's account. This is relatively difficult to detect in the era of direct deposit of paychecks.
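The two directions of the payroll test above, as an added Python example (not code from the textbook or from Exhibit 5.18). The time logs and payroll register are constructed, and trace_completeness, vouch_occurrence and shared_deposit_accounts are this example's own names. Tracing starts from the source documents (time logs) and looks forward into the register; vouching starts from the register and looks back to the time logs, which is what surfaces a fictitious employee. The third function is an added fraud indicator that the text does not name: it looks for two employee IDs paid into the same direct-deposit account, the pattern the fictitious-employee scenario produces.

```python
# Constructed sample data (not from the textbook). Time logs are the source
# documents; the payroll register records what was actually paid.
# time log:  (employee_id, pay_period, hours_worked)
TIME_LOGS = [
    ("E001", "2024-W10", 40.0),
    ("E002", "2024-W10", 38.5),
    ("E003", "2024-W10", 40.0),
    ("E001", "2024-W11", 40.0),
    ("E002", "2024-W11", 40.0),     # hours worked but never paid: completeness exception
    ("E003", "2024-W11", 40.0),
]
# payroll register: (employee_id, pay_period, hours_paid, deposit_account)
PAYROLL_REGISTER = [
    ("E001", "2024-W10", 40.0, "ACCT-1111"),
    ("E002", "2024-W10", 38.5, "ACCT-2222"),
    ("E003", "2024-W10", 45.0, "ACCT-3333"),   # paid more hours than logged: occurrence exception
    ("E001", "2024-W11", 40.0, "ACCT-1111"),
    ("E003", "2024-W11", 40.0, "ACCT-3333"),
    ("E999", "2024-W11", 40.0, "ACCT-3333"),   # fictitious employee paid into E003's account
]


def _index(rows):
    """Key rows by (employee, period) so matching in either direction is a lookup."""
    return {(r[0], r[1]): r for r in rows}


def trace_completeness(time_logs, register):
    """Completeness direction: start from time logs (valid hours worked) and trace
    forward to the register. Unmatched or underpaid periods are exceptions."""
    paid = _index(register)
    findings = []
    for emp, period, hours in time_logs:
        entry = paid.get((emp, period))
        if entry is None:
            findings.append((emp, period, "hours worked not in payroll register"))
        elif entry[2] < hours:
            findings.append((emp, period, f"paid {entry[2]} h for {hours} h logged"))
    return findings


def vouch_occurrence(register, time_logs):
    """Occurrence direction: start from register entries (hours paid) and vouch
    back to a time log. Unsupported or overpaid entries are exceptions."""
    worked = _index(time_logs)
    findings = []
    for emp, period, hours_paid, _account in register:
        log = worked.get((emp, period))
        if log is None:
            findings.append((emp, period, "no time log supports this payment"))
        elif hours_paid > log[2]:
            findings.append((emp, period, f"paid {hours_paid} h, only {log[2]} h logged"))
    return findings


def shared_deposit_accounts(register):
    """Added fraud indicator (an assumption, not a procedure named in the text):
    more than one employee ID paid into the same direct-deposit account."""
    by_account = {}
    for emp, _period, _hours, account in register:
        by_account.setdefault(account, set()).add(emp)
    return {acct: sorted(emps) for acct, emps in by_account.items() if len(emps) > 1}


if __name__ == "__main__":
    print("completeness:", trace_completeness(TIME_LOGS, PAYROLL_REGISTER))
    print("occurrence:  ", vouch_occurrence(PAYROLL_REGISTER, TIME_LOGS))
    print("shared accts:", shared_deposit_accounts(PAYROLL_REGISTER))
```

Note that the fictitious employee E999 is invisible to the completeness trace (it never appears in the time logs, so there is nothing to trace from) and is only caught by vouching from the register; the direction of the test determines which assertion it can support.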
Phase 3: Identify Controls to Test and Perform Test of Controls
-When audit teams reach the third phase of an evaluation of internal control, they already have identified specific control activities for relevant assertions on which risk could be assessed below the maximum (100 percent). These are often referred to as controls on which the audit team intends to rely. To support the reduced control risk assessment and the reduction of related substantive procedures for each relevant assertion, audit teams must test the control activities to determine whether they are operating effectively throughout the period. The required level of effectiveness is a matter of professional judgment. Audit teams know that compliance cannot realistically be expected to be perfect. -Generally, if a control is judged to be more important and would result in a more significant reduction in substantive testing, the level of compliance must be higher. -The professional standards make clear that when designing tests of controls, the auditor needs to consider the means of selecting items for testing. For tests of internal controls, there are two approaches that are commonly used: (1) testing all items in a population (exception testing) and (2) testing a sample from a population (audit sampling). The decision of which approach to use depends on the nature of the control that is being tested, along with the availability of data.
Level of Automation
-When gaining an understanding of an internal control system, it is important for the auditor to consider the level of automation used to execute each control activity. In general, control activities are categorized by auditors as purely manual controls, manual controls that rely on a system-generated report, and entirely automated controls. -Manual controls are control activities that operate in a manner that is fully dependent on a person. Since the control is operated manually without the use of the computer information system, there is no reliance on the computer information system for it to operate effectively. -Like purely manual controls, manual controls that rely on a system-generated report also depend on a person. However, the difference is that the person operating the control must rely on a report that is generated by the computer information system. -Entirely automated control activities operate completely within the computer information system (e.g., a credit limit check).
internal control communications
-Whether auditing a non-issuer under GAAS or an issuer in an audit conducted under PCAOB standards, the audit team must communicate significant deficiencies and material weaknesses in internal control that come to their attention during the performance of the audit. Auditors' communications of significant deficiencies and material weaknesses are intended to help management carry out its responsibilities for internal control monitoring and change. However, external auditors' observations and recommendations are usually limited to external financial reporting matters. -For issuers, the auditors' report must be in writing and presented to those charged with governance (usually the audit committee) before their report on internal control over financial reporting is issued to the public. The report is to be addressed to management, the board of directors, or the audit committee. In addition, all deficiencies noted must be communicated in writing to management. -If the audit team members do not identify any significant deficiencies, they should not issue a report stating that "no significant deficiencies were noted during the audit." Doing so might be misleading because an integrated audit is not designed to detect all significant deficiencies. A manager receiving such a report could conclude (incorrectly) that the audit team is stating positively that the entity has no internal control problems. -Audit teams often issue another type of report to management called a management letter. This letter may contain commentary and suggestions on a variety of matters in addition to internal control matters. Examples include issues identified during the audit related to operational and administrative efficiency, business strategy, and profit-making possibilities. Auditing standards do not require management letters, but they represent a type of value-added management advice rendered as part of an audit.
material weakness
-a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis. -The following circumstances should be regarded as strong indicators that a material weakness exists: -Restatement of previously issued financial statements to reflect the correction of a material misstatement. -Evidence of material misstatements (identified by the audit team) that were not prevented or detected by the client's internal controls. -Ineffective oversight of the financial reporting process by the entity's audit committee. -Indication of fraud (either material or immaterial) by senior management.
internal control defined
-a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: -Reliability of financial reporting. -Effectiveness and efficiency of operations. -Compliance with applicable laws and regulations. -a set of policies and procedures designed to achieve management objectives in three different categories. -In the financial reporting category, the management objectives are related to producing reliable financial reports and safeguarding assets. -In the operations category, some examples of management objectives are maintaining a good business reputation, ensuring a positive return on investment, increasing market share, promoting new product innovation, and using assets effectively and efficiently. -In the compliance category, the broad management objective is to comply with laws and regulations that affect the entity. -External auditors are primarily concerned with a client's internal control system as it relates to the financial reporting category.
dual-purpose tests
-a single audit test can produce both control and substantive testing evidence and, thus, serve both purposes. -For example, a selection of recorded payroll entries could be used to (1) vouch payroll to time cards and (2) calculate the correct dollar amount of payroll. The first procedure provides relevant information about an important control activity. The second provides dollar value information that can help offer substantive evidence to support the account balance in the financial statements.
(1) audit committee
-a subcommittee of the board of directors that is generally composed of 3 to 6 independent members (those not involved in the entity's day-to-day management) of the organization's board of directors. -Each member must be financially literate, and one member must be a financial expert. -The purpose of including independent members is to provide a buffer between the audit team and the operating management team of the company. The buffer allows the audit team (and the corporate internal audit department) to report any controversial fndings to members of the board of directors without fear of reprisal. -Because the control environment sets the overall foundation for internal control, professional auditing standards require an auditor to obtain an understanding of the control environment on all engagements. As part of this understanding, auditors also have to take the time to consider the functioning of the client's board of directors and, in particular, the impact of its audit committee on the client's control environment.
incompatible responsibilities
-combinations of responsibilities that place a person alone in a position to create and conceal misstatements due to errors or frauds in her or his normal job. -Duties should be divided so that no one person can control more than one of these responsibilities. -If different departments or persons are forced to deal with these different facets of transactions, frauds are more difficult to commit because they would then require collusion of two or more persons, and most people hesitate to seek the help of others in order to conduct wrongful acts. -A second benefit of separating duties is that by acting in a coordinated manner (handling different aspects of the same transaction), innocent errors are more likely to be found and corrected. The old saying "Two heads are better than one" is often proven to be true.
walkthrough
-consists of a combination of inquiry of personnel, observation of an entity's operations, and document examination while tracing a single transaction through the entire audit trail from the beginning or the initiation of the transaction to its final inclusion in the financial statements. -Each client employee involved is asked to demonstrate the procedures that he or she follows in processing the transaction. -an important step in awareness because, often, the information that is contained in manuals and understood by supervisors may not be the same as the procedures actually being performed. -People can change procedures to make them more efficient, they can forget to perform procedures, they may go on vacation, they may intentionally not perform procedures, or the procedures may not be understood by a new person taking over that position.
Management Review of Controls
-control activity -An audit client's management team has primary responsibility for ensuring that the organization's objectives are being met. -As a result, management review controls are an important way for a management team to actively participate in the supervision of operations. -For example, management's study of budget variances with follow-up action is an example of a management review control. -In general, a management team that performs more frequent reviews has more opportunities to detect errors in the records than management that does not perform frequent reviews. -The frequency, of course, is governed by the costs and benefits. -In addition, subsequent action to investigate or correct differences is critically important to demonstrate that the control is truly operating in an effective manner. -Without a doubt, periodic management reviews and subsequent follow-up action to correct identified errors tends to lower the risk that material misstatements exist in the financial statement accounts.
separation of duties (functional responsibilities)
-control activity -Four types of functional responsibilities should be performed by different departments, or at least by different persons on the entity's accounting staff: -Authorization to execute transactions. This duty belongs to people who have the authority and the responsibility for initiating or approving transactions. Authorization may be general, referring to a class of transactions (e.g., all purchases up to $100,000), or it may be specific (e.g., sale of a major asset). -Recording transactions. This duty refers to the accounting and record-keeping function, which in most organizations is delegated to a computerized information system. People who control computerized processing are the record keepers. -Custody of assets involved in the transactions. This duty refers to the actual physical possession or effective physical control of property. -Periodic reconciliation of existing assets to recorded amounts. This duty refers to making comparisons at regular intervals and taking appropriate action with respect to any differences.
Information Processing Control Activities
-control activity -Generally speaking, all organizations employ computerized information processing on a routine basis. -When entities use computerized information processing, the professional standards make clear that information technology (IT) poses specific risks to an entity's internal control system. -And, although the focus of this chapter is on providing a broad understanding of internal control, you should be aware that the use of computerized information processing requires entities to implement specific control activities to enable it to support the relevant financial statement assertions. -For staff auditors in today's financial statement audit environment, the most important information processing control activities are the ones that are designed to ensure the completeness and accuracy of system-generated reports. -A system-generated report is a report generated by the audit client's information system that is used to execute its internal control procedures or produce its financial statements. -If such a report is used by the audit client's management for either of these purposes, the client must have control activities in place to ensure that each report is complete and accurate.
Physical Security Controls
-control activity -Physical access to assets, data and important records, documents, and blank forms should be limited to authorized personnel only. Assets such as inventory and securities should not be available to persons who have no need to handle them. Likewise, access to records should be denied to people who do not have a record-keeping responsibility for them. Some blank forms are very important for accounting and certain control activities, and their availability should also be restricted. -In addition, given the importance of the computerized information processing system, physical security of computer equipment and restricting access to the organization's data and computer application files are important to achieving effective internal control. Access controls help prevent the improper use or manipulation of data files, unauthorized use of computer programs, and improper use of the computer equipment. Overall, in today's environment, it is essential that organizations have a robust set of cyber security control activities in place and operating effectively. -Also, locked doors, security passes, passwords, and check-in logs can be used to limit access to the computer system hardware. One way to detect inappropriate computer usage is by specifying a planned schedule for running large-scale computerized applications. A schedule can help detect unauthorized access because most software can produce usage reports that can be compared to the planned schedule. Applications that are being run at unauthorized times can then be investigated for inappropriate use of computer resources.
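The schedule-versus-usage comparison at the end of the passage above, as an added Python example (not code from the textbook). The planned schedule, the usage-report line format ("<ISO timestamp> job=<name> user=<id> status=<s>") and the log lines are all constructed for illustration, and parse_line and compare_usage_to_schedule are this example's own names. The detection logic flags three conditions: a scheduled job run outside its window, a job that is not on the schedule at all, and a usage-report line that cannot be read, since a gap in the report is itself something the auditor must follow up rather than silently skip.

```python
import re
from datetime import datetime

# Constructed planned schedule (an assumption, not from the textbook): job name ->
# (allowed weekdays with Monday=0 .. Sunday=6, earliest start hour, latest start hour inclusive).
PLANNED_SCHEDULE = {
    "PAYROLL_RUN": ({4}, 1, 4),                # Fridays, 01:00-04:59
    "GL_CLOSE":    ({0, 1, 2, 3, 4}, 0, 5),    # weekdays, 00:00-05:59
}

# Constructed usage-report lines. 2024-03-15 is a Friday, 2024-03-16 a Saturday,
# 2024-03-12 a Tuesday. The last line is deliberately corrupt.
USAGE_LOG = """\
2024-03-15T02:10:00 job=PAYROLL_RUN user=batch status=OK
2024-03-16T23:40:00 job=PAYROLL_RUN user=jdoe status=OK
2024-03-12T03:00:00 job=GL_CLOSE user=batch status=OK
2024-03-12T14:30:00 job=GL_CLOSE user=batch status=OK
2024-03-13T01:00:00 job=EXPORT_ALL user=jdoe status=OK
this line is corrupt and should be reported, not skipped
"""

LINE_RE = re.compile(r"^(\S+) job=(\S+) user=(\S+) status=(\S+)$")


def parse_line(line):
    """Return (timestamp, job, user) for a well-formed usage-report line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:          # matched the shape but the timestamp is not a real date/time
        return None
    return ts, m.group(2), m.group(3)


def compare_usage_to_schedule(log_text, schedule):
    """Compare every usage-report line against the planned schedule and return
    findings as (line_number, job, user, reason). Blank lines are ignored;
    unreadable lines are reported as findings."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            findings.append((lineno, None, None, "unparseable usage-report line"))
            continue
        ts, job, user = parsed
        window = schedule.get(job)
        if window is None:
            findings.append((lineno, job, user, "job not in planned schedule"))
            continue
        days, start_hour, end_hour = window
        if ts.weekday() not in days or not (start_hour <= ts.hour <= end_hour):
            findings.append((lineno, job, user, f"run at {ts.isoformat()} outside planned window"))
    return findings


if __name__ == "__main__":
    for finding in compare_usage_to_schedule(USAGE_LOG, PLANNED_SCHEDULE):
        print(finding)
```

Against the constructed log this reports four findings: the Saturday-night payroll run by an interactive user, the afternoon general-ledger close, an unscheduled export job, and the corrupt line. Each is a starting point for the follow-up investigation the text describes, not a conclusion on its own.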
Identifying Entity-Level Controls
-controls that are pervasive to the internal control system and the reliability of the financial statements taken as a whole. -If the audit team decides that an entity-level control sufficiently reduces a specific risk of material misstatement for a relevant assertion, it may not need to delve further into transaction-level controls (discussed next) related to that risk.
transaction-level controls
-controls that pertain to specific classes of transactions, account balances, and disclosures. -The most effective method used to gain an understanding of (1) the flow of transactions; (2) the points at which a material misstatement could occur; and (3) the controls that management has implemented to mitigate each risk of material misstatement identified is to perform a walkthrough of a single transaction through the entire accounting system. -During the walkthrough, the auditor is able to learn by observing the activities that occur and the documents that are used within an internal control process. -The auditor must come to understand internal control in order to evaluate design effectiveness.
design effectiveness
-determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements.
operating effectiveness
-refers to whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. -Evidence of this nature will be obtained in a subsequent phase of the audit team's study of internal control.
control environment
-sets the tone of the organization. -It is the foundation for all other components of internal control. -It provides discipline and structure to all participants and stakeholders. -Factors include the integrity, ethical values, and competence of the entity's people. -According to the COSO framework, a well-functioning control environment is characterized by philosophies such as the following: -Integrity and ethical values. Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting. -Board of directors. The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control. -Management's philosophy and operating style. Management's philosophy and operating style support achieving effective internal control over financial reporting. -Organizational structure. The company's organizational structure supports effective internal control over financial reporting by establishing clear and unambiguous reporting lines. -Financial reporting competencies. The company retains individuals who are competent in financial reporting and related oversight roles. -Authority and responsibility. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting. -Human resources. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting. -Most importantly, the effectiveness of the control environment is influenced heavily by a company's management team and is strongly and unquestionably related to the "tone at the top" set by management. The key is for management to be deliberate in trying to impact the attitudes toward internal controls throughout the organization by setting the proper example for the organization to follow.
(1) the organization demonstrates a commitment to integrity and ethical values
(2) the board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
(3) management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives
(4) the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
(5) the organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
internal control deficiency
- whether resulting from a design or an operating deficiency—exists when either the design or the operation of the control under consideration does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion.
- A design deficiency is a problem relating to either a necessary control that is missing, or an existing control that is so poorly designed that it fails to satisfy the control's objective.
- An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained).
- More serious internal control deficiencies can be categorized into one of two groups—material weaknesses or significant deficiencies—depending on their severity.
Audit Process to Evaluate the Effectiveness of ICFR (internal control system over financial reporting)
1. Planning the engagement
2. Using a top-down approach
3. Testing controls
4. Evaluating identified deficiencies
5. Wrapping up
6. Reporting on internal control
(5) monitoring
According to COSO, a well-functioning monitoring system is characterized by philosophies such as the following:
- Ongoing and separate evaluations. Ongoing evaluations of controls that are separate from other types of evaluations (e.g., operational) enable management to determine whether the other components of internal control continue to function over time.
- Reporting deficiencies. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
- Monitoring does not include regular management and supervisory control activities and other actions that employees take in performing their everyday duties.
- Effective monitoring involves ongoing evaluation of the controls. Some common monitoring controls include:
  - Periodic evaluation of controls by the internal audit department.
  - Analysis of and appropriate follow-up of operating reports or metrics that might identify anomalies indicative of a control failure.
  - Supervisory review of controls, such as reconciliation reviews as a normal part of processing.
  - Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions.
  - Audit committee inquiries of internal and external auditors.
  - Quality assurance reviews of the internal audit department.
- Some of the control activities explained earlier in this chapter also serve as monitoring activities. For example, analyzing customer complaints for follow-up is a control activity, but analyzing them to determine whether the complaints result from a weakness in other controls (e.g., a failure to compare shipping documents to customer orders) is a monitoring activity.
- Although the preceding procedures provide management daily monitoring opportunities, the oversight provided to the entity by the board of directors (and, more specifically, the audit committee) provides the highest level of monitoring.
In addition, management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data.
(1) the organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
(2) the organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
controls on which the audit team intends to rely
When audit teams reach the third phase of an evaluation of internal control, they already have identified specific control activities for relevant assertions on which risk could be assessed below the maximum (100 percent).
significant deficiency
a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
internal control evaluation
three phases to assess control risk
• Phase 1: Understand and document the client's internal control
• Phase 2: Assess control risk (Preliminary)
• Phase 3: Identify controls to test and perform tests of controls
- These phases must be completed for each relevant financial statement assertion if the auditor plans to rely on a control activity to modify the nature, timing, and extent of substantive audit procedures.
Perform tests of controls
• After identifying specific control activities that can be relied on to reduce substantive testing for a financial statement assertion, the audit team must test the control.
• Hierarchy of the types of control tests from the least persuasive (inquiry) to the most persuasive type of evidence:
  - Inquiry of client personnel.
  - Observation of the control activity being performed.
  - Inspection of relevant documentation.
  - Reperformance of the control activity.
- Generally, audit teams use inquiry about the existence of control activities and then corroborate the oral evidence by observing that the client-described control activities are actually being performed.
- Observation occurs when auditors have eyewitness observation of employees at their jobs performing control activities.
- Observation is typically used when certain control activities, such as separation of employees' duties, leave no documentary evidence for subsequent examination.
- Observation also can produce evidence of access controls such as the use of password-secured access to the computerized information system, locked doors, and security guards.
- The limitation of observation is that this test of control is performed as of one point in time (usually near year-end), and what is observed at that point in time may not be representative of prior time periods.
- Some tests of controls depend on documentary evidence such as a payroll entry supported by a time card. In these cases, document examination for evidence of signatures, initials, checklists, reconciliations, and the like provides better evidence than procedures that leave no documentary tracks. Document examination might be enough; the audit team may look to see whether the documents were marked with an initial, signature, or stamp to indicate they had been checked.
For example, audit teams could examine canceled checks for authorized signatures, inspect voucher packets for the initials of the employee who matched vendor invoices with supporting purchase orders and receiving reports, or examine bank reconciliations to make sure that they have been performed on a timely basis.
- Generally, the most effective test of controls is reperformance. Reperformance can involve any client internal control activity, such as the detailed review of the monthly bank reconciliation by the entity's CFO. For this control, the auditor would follow up on each reconciling item reviewed by the CFO and then reperform each of the mathematical calculations. The key difference between document examination and reperformance is that with the former, audit teams inspect documents for evidence that employees have performed the control activity; reperformance provides direct evidence that the control activity was (or was not) done correctly.
- Overall, the audit team's choice of which test of controls to use depends on the nature and importance of the control activity being tested.
- Importantly, if the control activity has high risk, the audit team needs more persuasive evidence about its operating effectiveness than it would for a lower risk control in order to determine if it is operating effectively. Since gathering more persuasive evidence is typically associated with a higher cost than gathering less persuasive evidence, achieving a lower control risk assessment will be more costly for the audit team. This is why it may be more efficient for the auditor to choose not to rely on controls and instead rely on substantive testing procedures to gain assurance for certain significant accounts.
Phase 2: Assess the Control Risk (Preliminary)
• Auditors seek to identify internal control activities that are explicitly designed to support reliable financial statement reporting for the relevant financial statement assertion identified about each significant account and disclosure.
• Consider cost effectiveness of reliance/testing.
• At this stage, auditors have established an assessment of the level of control risk.
- At this stage of the process, auditors are trying to identify the controls that may be relied upon as part of the overall audit process. To do so, auditors need to identify the controls that they believe will mitigate the risks of material misstatement that have been identified for each of the relevant assertions. As part of this process, auditors will often categorize controls as either preventive or detective, automated or manual, and will also note how often the control is performed (e.g., daily, weekly, monthly, etc.). The categorization process helps an auditor to better understand each control, which facilitates internal control testing. Indeed, it is important to remember that any control that may be relied upon would have to be tested before the audit team could rely on it to reduce substantive testing. However, it is important to point out that audit teams should not perform tests of controls for those controls that will not be relied upon, because there is no need to prove that they are operating effectively. Doing so would be inefficient. Instead, the audit team would have to perform additional substantive procedures to compensate for the lack of internal controls that could be relied upon, in order to obtain sufficient appropriate evidence that would allow the auditor to reach a conclusion for the related relevant assertions.
- Tests of controls must be performed to obtain evidence about whether control activities that are candidates to be relied upon actually operate as described.
The test of controls audit plan consists of procedures designed to produce evidence of how effectively the controls operate in practice. If they are determined to be operating effectively after testing, control risk can be assessed below the maximum. If they do not operate with the required level of effectiveness, the final conclusion is to assess a high or maximum control risk, revise the audit plan to consider the control weakness, and then proceed with additional substantive audit procedures.
- To summarize, then, at this stage the audit team members have established an assessment of the level of control risk based on their understanding of internal control and the identified control strengths and weaknesses. If this assessment is at a level less than the maximum level (i.e., the audit team members want to rely on internal controls to modify the nature, timing, and extent of further audit procedures), the auditors must next perform tests of controls.
components of internal control (COSO)
• Control Environment (and 5 principles)
• Risk Assessment (and 4 principles)
• Control Activities (and 3 principles)
• Information and Communication (and 2 principles)
• Monitoring (and 3 principles)
Step 2: Using a top-down approach
• Focuses on the threats to the integrity of the external financial reporting process.
• Identify entity-level controls
  - Pervasive impact
• Significant accounts and disclosures and their relevant assertions
  - Perform walkthroughs
(2) risk assessment
• Management's identification, analysis, and management of relevant risks to achievement of its objectives.
• One way to do this is through using COSO's Enterprise Risk Management (ERM) framework.
• Set management objectives and identify success factors.
• Auditors focus on risk of material misstatement, in particular due to fraud.
- One way managers address these concerns (BUSINESS RISKS) is to employ an enterprise risk management (ERM) framework such as the one developed by COSO to facilitate the assessment and mitigation of business risks that the entity faces.
- COSO defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
- In other words, management, boards, and employees have to be constantly thinking about what could go wrong with the business and how they can prevent it.
- Although not all entities will employ a robust ERM framework, at a minimum, an effective internal control system will include some type of process where management takes the steps necessary to identify risks, estimate their significance and likelihood, and consider how to manage the risks.
- By setting management objectives, management can identify critical success factors and institute policies and procedures to ensure that they are met.
- (Note: The risk assessment element of the COSO framework is management's responsibility and is not related to an auditor's assessment of inherent risk, control risk, and the overall risk of material misstatement at the assertion level.)
- In completing their work, the audit team members seek to understand whether management is specifying financial reporting objectives with sufficient clarity and criteria to enable the identification of risks of material misstatement in financial reporting, in particular due to fraud.
- Once risks are identified, the audit team also would like to see that management has a basis for determining how to manage the identified risks.
(1) the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
(2) the organization identifies risks to the achievement of its objectives across the entity and analyzes the risks as a basis for determining how the risks should be managed
(3) the organization considers the potential for fraud in assessing risks to the achievement of objectives
(4) the organization identifies and assesses changes that could significantly impact the system of internal control
Step 1: Planning the Engagement
• Significant accounts, locations, and assertions must be identified
• Inherent risk is used to determine the nature, timing, and extent of tests of controls
• Evaluate controls for all relevant assertions for all significant accounts or disclosures
Step 3: Testing Controls
• The audit team decides which controls to test.
• Tests of operating effectiveness:
  - A sample of transactions is examined using inquiry, observation, inspection, and reperformance.
• Tests of controls would not be performed if design is not evaluated as effective.
- After identifying significant controls over financial reporting in the previous step, the audit team decides which controls to test. The evaluation and testing for each assertion must be performed on an annual basis. After an understanding of internal controls is gained through inquiry, document examination, and observation, the controls are evaluated for the possibility that they would not prevent or detect a misstatement. The tests of operating effectiveness are similar to the tests of controls discussed previously. A sample of transactions is examined using inquiry, observation, document examination, and reperformance. The more risk associated with a control, the more persuasive evidence is required for testing. Tests of controls are not performed if the internal control system design is not considered effective. Only the control activities for each relevant assertion that the auditor is relying on to mitigate the risk of material misstatement need to be tested.
Documenting Internal Control Understanding
• The audit team must document its understanding of the internal control system. The understanding can be summarized and documented effectively in the form of:
  - Narrative description (most common)
  - Questionnaires
  - Flowcharts
- The narrative description can be quite useful for all audits. However, for a large entity, this description may make it difficult to identify the points in the process where a material misstatement might occur, also known as process risk points.
- Flowcharts tend to help the audit team better assess the points in the process where a material misstatement can occur, which helps to reveal key points in the process where a control activity is needed. This of course can be quite beneficial in helping audit teams identify missing control activities in the process.
- All organizations have unique features, and answers to the questions should not be taken as final and definitive evidence about how well controls actually function. Evidence obtained through the interview process is categorized as inquiry-level information that is not sufficient to demonstrate the operating effectiveness of a control activity. The person being interviewed could always give answers that reflect what the system should be rather than what it really is. The person can be unaware of informal ways in which duties have been changed or can be innocently ignorant of the system details. Nevertheless, interviews and questionnaires can be useful for detecting internal control weaknesses.
Responsibilities in the Audits of Issuers Required by PCAOB Auditing Standard No. 2201
• The audit team must plan and perform the audit to obtain reasonable assurance about whether the entity maintained effective control over financial reporting.
• Determine whether a material weakness exists at the end of the year being reported on.
- According to GAAS, when auditing non-issuers, the audit team must obtain an understanding of internal controls to determine the nature, timing, and extent of further audit procedures to be performed. If the team members plan to rely on controls to reduce substantive procedures, they must test the controls for operating effectiveness. However, if they do not plan to rely on controls, tests of operating effectiveness are not required. Under Sarbanes-Oxley, an audit of the internal control system over financial reporting is required. The audit of internal controls must be integrated with the financial statement audit and cannot be performed as a separate engagement. Thus, the procedures related to internal control in an integrated audit performed under AS 2201 are far more extensive than those in a GAAS audit for a non-issuer.
- Much of the initial work, including documenting and testing controls, is done by employees of the client, management, the internal audit staff, and even outside consultants hired by management. AS 2201 encourages the audit team to use the work of internal auditors and others, but the audit team members must evaluate the internal auditors' competence and objectivity and must perform some tests of their work. For more risky areas, audit teams should perform more of the work and the assessment of likely sources of misstatement themselves or supervise any others who assist them in the evaluation.
- Another important difference between AS 2201 internal control audits and GAAS financial statement audits is that the audit of internal control is as of the end of the fiscal year, whereas, for audits of the financial statements, the audit team must understand and evaluate internal control for the entire period to determine its effect on the nature, timing, and extent of further audit procedures.
(4) information and communication
• The auditor must understand the information systems that are relevant to financial reporting.
• The auditor cannot ever rely on information produced by the company's information system without investigation.
• Information systems produce a trail of activities from data identification to financial reports. This is known as the "audit trail".
• Can visualize with source documents.
- When evaluating the information and communication component of internal control, the "auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting."
- As part of that process, the auditor must seek to understand "the nature of the underlying accounting records, supporting information and the accounts that are used to fully execute a transaction."
- The auditor should also understand "how the information system captures events and conditions, other than transactions, that are significant to the financial statements."
- Clearly, the size of the entity will have an impact on this component.
- Communication includes report production and distribution. The account balances are summarized in internal management reports and external financial statements.
- The internal reports are management's feedback for monitoring operations.
- The external reports are the financial information for outside investors, creditors, and others.
- Communication also involves expectations, responsibilities of individuals and groups, and other important matters.
- Specific duties must be made clear, and people need to know how their activities relate to the work of others. People also need to know what behavior is expected. In addition, personnel need a means of communicating significant information upstream in an organization. Outsiders also should know that fraudulent and unethical behavior by entity personnel is unacceptable and should be reported to management.
- The professional standards are clear that an auditor cannot ever rely on information produced by the company's information system without investigation. Instead, the audit team is required to perform audit procedures that are designed either to test the controls that have been designed to ensure that the information is complete and accurate, or to test the completeness and accuracy of the information using substantive testing procedures.
(1) the organization obtains or generates and uses relevant quality information to support the functioning of internal control
(2) the organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
(3) the organization communicates with external parties regarding matters affecting the functioning of internal control
(3) control activities
• The policies and procedures that help ensure management directives are carried out.
  - Physical controls over the security of assets
  - Separation of duties
  - Information processing
    • Approvals and authorization
    • Verifications and reconciliations
  - Management review controls
• Preventive controls vs. detective controls (In some sense, all control activities can be thought of as preventive controls because the possibility of being caught by a detective control might prevent someone from committing an error or a fraud.)
- Control activities also include management review controls, information processing controls, physical security controls, and controls that allow for proper separation of duties.
- In a well-functioning internal control system, once the risks to management's objectives have been identified, internal control activities are established to eliminate, mitigate, or compensate for the risks.
- Control activities are specific actions that a client's management and employees take to help ensure that management's directives are carried out.
- The professional standards require the audit team members to document their understanding of the internal control system on each audit, which includes their understanding of whether management has implemented control activities that are sufficient to address the risks of material misstatement for each relevant assertion related to each significant account or disclosure.
- This is done after considering what they learned about the internal control system as they were gaining an understanding of the other components of the COSO framework—in particular, the control environment and risk assessment components described earlier.
- The next step in the process requires the audit team members to document their understanding of the extent to which each of the client's control activities has been designed to sufficiently address a relevant financial statement assertion. To do so, an auditor first considers "what could go wrong" for each of the identified relevant assertions.
- That is, an auditor must consider how a material misstatement could occur for each relevant assertion.
- Once each "what could go wrong" is identified, an auditor must then determine if management has implemented a control activity that is designed to mitigate the risk of material misstatement identified for that assertion.
(1) the organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
(2) the organization selects and develops general control activities over technology to support the achievement of objectives
(3) the organization deploys control activities through policies that establish what is expected and procedures that put policies into action