Ch 5 - Risk Assessment Internal Control - Parts A and B
To achieve the specific objectives for each of the three categories of objectives, the COSO report defines five basic components of a properly designed internal control system. The five components are what?
(1) control environment, (2) risk assessment, (3) control activities, (4) monitoring, and (5) information and communication.
The standard unqualified report on internal control may be modified for what two reasons:
(1) the existence of material weaknesses in internal control over financial reporting and/or (2) the existence of a limitation in the scope of the engagement. These modifications, along with those for other factors, are discussed in the following subsections.
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in what three categories?
(1) Reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
AS 2201 emphasizes the use of a six-step audit process that is designed to evaluate the effectiveness of the internal control system over financial reporting. What are these six steps?
1) Planning the engagement 2) Using a top-down approach 3) Testing controls 4) Evaluating identified deficiencies 5) Wrapping up 6) Reporting on internal control
What are three reasons an audit team has for evaluating an entity's system of internal controls?
1) Sarbanes-Oxley requires an audit of management's assessment of the effectiveness of internal control over financial reporting for public companies. 2) For each fraud risk identified during the planning stage, the audit team should evaluate whether the client has implemented control activities that are specifically designed to address the risk of fraud that has been identified. 3) The final reason for evaluating an entity's internal control is to assess preliminary risk of material misstatement (RMM) for each relevant assertion.
________ facilitate the assessment and mitigation of business risks that the entity faces.
Enterprise Risk Management (ERM) Framework
If the audit team identifies a material weakness in internal control, the firm expresses an ____________ on the effectiveness of the entity's internal control over financial reporting.
adverse opinion
In addition to certifying the entity's financial statements and disclosures under Section 302, Sarbanes-Oxley requires management to ______________
assess and report on the entity's internal control over financial reporting in Section 404.
The ________________________ is a subcommittee of the board of directors that is generally composed of three to six independent members (those not involved in the entity's day-to-day management) of the organization's board of directors. Each member must be financially literate, and one member must be a financial expert.
audit committee
AS 2201 encourages the audit team to use the work of internal auditors and others, but the audit team members must evaluate the internal auditors' __________________ and must perform some tests of their work.
competence and objectivity
_________________ are specific actions that a client's management and employees take to help ensure that management's directives are carried out.
control activities
The ________________________ sets the tone of the organization. It is the foundation for all other components of internal control. It provides discipline and structure to all participants and stakeholders. Factors include the integrity, ethical values, and competence of the entity's people.
control environment
___________ is the probability that an entity's controls will fail to prevent or detect material misstatements due to errors or frauds that would otherwise have entered the system.
control risk
The report issued when auditors cannot provide assurance on the effectiveness of internal control over financial reporting; issued when a significant scope limitation exists.
disclaimer of opinion on internal control over financial reporting
An audit procedure used as both a test of controls and a substantive test.
dual-purpose test
For all the relevant assertions for each significant account and disclosure, audit teams begin by examining _______________________, controls that are pervasive to the internal control system and the reliability of the financial statements taken as a whole.
entity-level controls
___________________ is designed to identify a violation of a particular control activity through the use of an automated test procedure designed to test all items in a population.
exception testing
Under Sarbanes-Oxley, an audit of the internal control system over _______________ is required.
financial reporting
The audit documentation that provides a visual display of the accounting system and control activities in an entity's internal control system.
flowchart
What are four limitations that exist with internal control systems?
human error, deliberate circumvention, management override, and collusion
_________________ are combinations of responsibilities that place a person alone in a position to create and conceal misstatements due to errors or frauds in her or his normal job.
incompatible responsibilities
Once the items have been selected for testing, the four methods of testing controls are:
inquiry, observation, document examination, and reperformance.
The internal control audit is conducted along with the financial statement audit as part of an overall _______________ that is completed at public companies.
integrated audit
An ______________ exists when either the design or the operation of the control under consideration does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion.
internal control deficiency
The audit documentation that uses a checklist of internal control-related questions to gain and document an understanding of the client's internal control.
internal control questionnaire
Recap, the three methods for documenting the auditors' understanding of accounting and control are?
internal control questionnaire, narrative description, flowcharts
Central among the provisions of the SOX Act is the emphasis that it places on the ________________ as an important means to prevent or detect material misstatements in the financial statements due to fraud.
internal control system
It is important to remember that a well-designed internal control system will clearly link __________ to _________
key internal control activities to the relevant financial statement assertions being supported.
The primary difference between a significant deficiency and a material weakness involves the _____ of the potential misstatement that could occur and would not be detected on a timely basis.
magnitude
In addition to expressing an opinion on the effectiveness of the entity's internal control over financial reporting, the audit team also should evaluate the completeness and presentation of _____________
management's annual report on internal control over financial reporting.
A _________ in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
material weakness
Under Section 302, management must also disclose any ______________________
material weaknesses in internal control.
The audit documentation that describes the environmental elements, the accounting system, and the control activities in an entity's internal control.
narrative description
An audit team's assessment of control risk will influence the _____________, ____________, and ___________ of substantive tests used by the team
nature, timing, and extent
______________________ refers to whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
operating effectiveness
Ultimately, financial reporting control activities are imposed on the accounting system for the purpose of _______________, _____________, and _____________ errors and frauds that could enter and flow through to the financial statements.
preventing, detecting, and correcting
In the professional auditing standards, the concept of _______________________ recognizes that the costs of controls should not exceed the benefits that are expected from the controls. Hence, an entity can decide that certain controls are too costly considering the risk of loss that can occur.
reasonable assurance
_______________ are those that represent the possibility of a material misstatement.
relevant assertions
Recap, for an integrated audit at a public company, the auditor must test controls for all ___________ for each significant ______________________________
relevant assertions, account and disclosure
After understanding the design of controls, ______________ to provide evidence of operating effectiveness of controls.
reperformance of critical controls along the transaction trail can take place at this time to
An account's __________ is based on its inherent risk.
significance
A ______________ is a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
significant deficiency
According to GAAS, when auditing nonpublic entities, the audit team must obtain an understanding of internal controls to determine the nature, timing, and extent of further audit procedures to be performed. If the team members plan to rely on controls to reduce substantive procedures, they must ________________
test the controls for operating effectiveness.
External auditors are primarily concerned with a client's internal control system as it relates to which category?
the financial reporting category
Gaining an understanding of internal controls should be performed in a _________________ that first identifies significant accounts and disclosures and their relevant assertions.
top-down, risk-based manner
In addition to entity-level controls, the audit team also identifies _______________, controls that pertain to specific classes of transactions, account balances, and disclosures.
transaction-level controls
What are the three steps of internal control evaluation?
understand and document the client's internal control, assess the control risk (preliminary), identify controls to test and perform tests of controls