Chapter 7- Audit
questionnaires are usually designed so that __ answers prominently identify weaknesses in internal control
"no"
deficiency in operation
exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively
___ alone is not sufficient to evaluate the design and control and determine whether it has been implemented
inquiry
internal control varies from corporations based on what?
organization size, nature of operations, and objectives
Section 404(a) requires each annual report (10-K), filed with the SEC to include a report which management does includes which two things regarding internal control?
1. acknowledges its responsibilities for establishing and maintaining adequate internal control over financial reporting 2. provides an assessment of internal control effectiveness as of the end of the most recent fiscal year
service auditor
A practitioner that reports on the internal controls at a service organization.
monitoring of controls
A process that assesses the quality of internal control performance over time.
internal control
A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories of (1) operations, (2) reporting, and (3) compliance.
user entity
An entity that uses the services of a service organization and whose financial statements are being audited.
service organization
An organization or segment of an organization that provides services to user entities that are relevant to the user entities' internal control over financial reporting.
relevant assertions
Assertions that have a meaningful bearing on whether an account balance, class of transaction, or disclosure is fairly stated. For example, valuation may not be relevant to the cash account unless currency translation is involved; however, existence and completeness are always relevant.
incompatible duties
Assigned duties that place an individual in a position to both perpetrate and conceal errors or fraud in the normal course of job performance.
transaction cycle
The sequence of procedures applied by the client in processing a particular type of recurring transaction. The term cycle reflects the idea that the same sequence of procedures is applied to each similar transaction.
the organizational structure of an entity should separate responsibilities for
1. authorization of transactions 2. record keeping for transactions 3. custody of assets
sub objectives of internal control (sales transactions)
1. all sales transactions are recorded on a timely basis 2. sales transactions are recorded at the correct amounts in the right accounts 3. sales transactions are accurately and completely summarized in the company's books and records 4. presentations and disclosures relating to sales are properly described, sorted, and classified
risk responses fall into which categories?
1. avoidance- exiting the activity that gives risk 2. reduction- taking action to reduce the likelihood or impact 3. sharing- reducing risk likelihood or impact by transferring or sharing a portion of the risk 4. acceptance- no action because risk is tolerant
in performing risk assessment, organizations should
1. clearly specify objectives to allow the identification and assessment of risks related to those objectives 2. identify and analyze risks to the achievement of its objective to determine how they may be managed 3. consider potential fraud relating to the achievement of objectives 4. identify and assess changes that could impact potential control
the basic principles of the control environment include
1. commitment to integrity and ethical values 2. board of directors that demonstrates independence from management and exercises effective oversight over internal control 3. establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities 4. commitment to attract, develop and retain competent employees 5. holding employees accountable for internal control responsibilities
which two categories can transaction level controls be broken into?
1. general control activities- apply to all or multiple types of transactions 2. application control activities- apply to the processing of a single type of transaction
what is the 2017 ERM Framework?
1. governance and culture 2. strategy and objective setting 3. performance 4. review and revision 5. information, communication, and reporting
test of controls detect which three things?
1. how controls were applied 2. the consistency with which controls were applied 3. by whom or by what means the controls were applied
an accounting information system should
1. identify and record all valid transactions 2. describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting 3. measure the value of transactions in a manner that permits recording their proper monetary value 4. determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period 5. present properly the transactions and related disclosures in the financial statements
auditors perform tests of controls to obtain evidence about operating effectiveness of controls, what are the two approaches?
1. identify the controls likely to prevent or detect material misstatements 2. perform test of controls to determine whether they are operating effectively
the audit procedures used to test the effectiveness of internal control include
1. inquiries with appropriate personnel 2. inspection of documents and reports 3. observation of application of controls 4. re performance of the controls
procedures to obtain audit evidence about the design and implementation of relevant controls may include
1. inquiring of entity personnel 2. observing the application of specific controls 3. inspecting documents and reports 4. tracing transactions through the information system relevant to financial reporting
precision of review controls is affected by
1. level of aggregation of data (monthly or weekly) 2. frequency and consistency with which the review is performed 3. the predictability of the expectations developed by management 4. the criteria used to determine when an item or relationship is investigated
the AICPA and PCAOB state an external auditor may use the work on an internal auditor in two ways
1. obtaining audit evidence by using the internal auditors' work performed as part of their normal responsibilities 2. using internal auditors to provide direct assistance on the external audit
when documenting internal control, the auditors should include
1. overall responses to the assessed risks of material misstatement at the financial statement level 2. nature, timing, and extent of further audit procedures 3. linkage to those procedures with the assessed risks at the relevant assertion level 4. results of the audit procedures 5. conclusions reached with regard to the use of current audit evidence about operating effectiveness of controls obtained for a prior client
what are the five stages of an internal control audit?
1. plan the engagement 2. use a top-down approach to identify controls to test 3. test and evaluate design effectiveness of internal controls 4. test and evaluate operating effectiveness of internal controls 5. form an opinion on the effectiveness of internal control over financial reporting
internal control of an environment includes five components
1. the control environment 2. the risk assessment process 3. control activities 4. information system relevant to financial reporting and communication (accounting information system) 5. monitoring activities
all corporations under the jurisdiction of the SEC must maintain a system of internal control that will provide reasonable assurance that
1. transactions are executed with the knowledge and authorization of management 2. transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets 3. access to assets is limited to authorized individuals 4. accounting records of assets are compared to existing assets at reasonable intervals and appropriate action is taken with respect to any differences
what are the two types of reports that service auditors may provide?
1. type 1- a report on management's description of a service organizations system and the suitability of the design of internal controls 2. type 2- a report on management's description of a service organization's systems and the suitability of the design and operating effectiveness of controls
for repeating clients with no changes made to internal control systems, the AICPA require test of controls be performed every __ years
3
corrective control
A control established to remedy control problems (e.g., misstatements) that are discovered through detective controls.
compensating control
A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective (e.g., avoiding misstatements). Compensating controls are ordinarily controls performed to detect, rather than prevent, the original misstatement from occurring.
material weakness
A deficiency in internal control over financial reporting (or a combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis.
significant deficiency
A deficiency in internal control over financial reporting (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
fidelity bonds
A form of insurance in which a bonding company agrees to reimburse an employer for losses attributable to theft or embezzlement by bonded employees.
walk-through
A procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use.
management letter
A report to management containing the auditors' recommendations for correcting any deficiencies disclosed by the auditors' consideration of internal control. In addition to providing management with useful information, a management letter also may help limit the auditors' liability in the event a control weakness subsequently results in a loss by the client.
deficiency of internal control
A situation in which the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis
audit decision aid
A standard checklist, form, or computer program that assists auditors in making audit decisions by ensuring that they consider all relevant information or that aids them in weighting and combining the information to make a decision.
systems flowchart
A symbolic representation of a system or series of procedures with each procedure shown in sequence. Systems flowcharts are a widely used method of describing internal control in audit working papers.
integrated audit
An audit of both financial statements and internal control over financial reporting, provided by the external auditor. Required for public companies.
as of date
An audit of internal control over financial reporting assesses internal control as of a particular point in time, the "as of" date, as opposed to the entire period under audit. This date is ordinarily the last day of the client's fiscal period.
what does COSO stand for?
Committee of Sponsoring Organizations
preventive controls
Controls that deter control problems before they occur. avoid the occurrence of misstatements in the financial statements.
complementary controls
Controls that function together to achieve the same control objective.
redundant controls
Duplicate controls that achieve a control objective.
how is enterprise risk management different than internal control risk?
ERM focuses beyond internal control in managing risks
Foreign Corrupt Practices Act
Federal legislation prohibiting payments to foreign officials for the purpose of securing business. The act also requires all companies under SEC jurisdiction to maintain a system of internal control providing reasonable assurance that transactions are executed only with the knowledge and authorization of management.
separate evaluations
Monitoring procedures that are conducted periodically, typically by objective management personnel, internal auditors, or external consultants.
management review controls
Reviews conducted by the management of estimates and other kinds of financial information for reasonableness
further audit procedures
Substantive procedures for all relevant assertions and tests of controls when the auditors' risk assessment includes an expectation that controls are operating effectively, or when substantive procedures alone do not provide sufficient appropriate audit evidence.
the Treadway commission
The National Commission on Fraudulent Financial Reporting that made recommendations related to financial statement fraud and other matters in 1987.
risk tolerance
The acceptable level of variation in performance relative to the achievement of objectives. For example, a company may expect staff to respond to all customer complaints within 24 hours, but accept that up to 10 percent of complaints receive a response within 36 hours.
organizational structure
The division of authority, responsibility, and duties among members of an organization.
Planned assessed level of control risk
The level of control risk the auditors assume in designing further audit procedures, which include an appropriate combination of tests of controls and substantive procedures.
assessed level of control risk
The level of control risk used by the auditors in determining the acceptable detection risk for a financial statement assertion and, accordingly, in deciding on the nature, timing, and extent of substantive procedures.
enterprise risk management
a process used by a company to identify its risks and develop responses to them that enable it to be reasonably assured of meeting its goals
PCAOB standards about internal control testing require the auditors to obtain evidence regarding operating effectiveness ____
annually
entity-level risks
arise from external and internal factors, such as economic, regulatory, technology, and personnel factors
what factors might increase financial reporting risk?
changes in regulatory or operating environment, changes in personnel, new or revamped information system, rapid growth, changes in technology affecting production processes or information systems, new business model or products, corporate restructuring, foreign expansion, adoption or changes in accounting principles
if auditors are unable to achieve a sufficient understanding from the user entity, they should
contact the service organization, through the user entity to obtain information visit the service organization and perform necessary procedures about relevant controls obtain and consider a Service Organization Control audit report of a service auditor on the service organization's internal controls
the __ ____ may be viewed as the foundation for the internal control components
control environment
detective controls
controls designed to discover control problems that were not prevented
culture is reflected in
decision making
substantive procedures restrict ___ risk
detection
controls are ___, the controls that were adequate last year may not be this year
ever changing
deficiency in design
exists when either a control necessary to meet a control objective is missing or the existing control is not designed to operate effectively.
test of controls can either focus on ___ ___ level or ___ level
financial statement; assertion
transaction-level risks
found within divisions, operating units, or functions of the organization
___ and ___ form a basis for all other components of ERM
governance and culture
to properly perform a financial statement audit, auditors are required to determine that the major controls have been ___; they are not required to evaluate their __ ____
implemented; operating effectiveness
preventive controls often operate at the ___ transaction level, and detective controls may operate at the ____ level or at a ____ level
individual; transaction; higher
The risk of misstatement is composed of _____ risk and _____ risk.
inherent and control
why is corporate governance broader than internal controls?
it is not only concerned with effectiveness of financial reporting but is also concerned with ethical treatment of all major stockholders, compliance with laws and regulations, customary business practices and ERM
top down approach to testing internal controls
it starts with the financial statements and entity level controls- and links the financial statement elements and entity level controls to significant accounts, relevant assertions, and the major classes of transactions
example of corrective controls
maintaining backup copies of key transactions and master files to allow the correction of data entry errors
examples of work that should not be given to internal auditors includes
making required inquiries of management related to the identification of fraud risks and determining procedures to respond to such risks
for a corporation, what are the major resources of corporate governance?
management compensation systems, the board of directors, external auditors, internal auditors, attorneys, regulators, creditors, security analysts, and internal control systems
written narratives of internal control
memoranda that describe the flow of transaction cycles, identifying the employees performing various tasks, the documents prepared, the records maintained, and the division of duties
management review controls are a type of ___ control
monitoring
written narratives
more flexible than questionnaires but by themselves are practical only for describing relatively small, simple systems.
if the external auditors plan to use the internal auditors for direct assistance they should
obtain written acknowledgement from management or those charged with governance that the internal auditors will be allowed to perform the work free from any interference make sure internal auditors are competent, objective, and approaches are appropriate
which control activities are relevant to an audit
performance reviews, transaction control activities, physical controls, and segregation of duties
a well designed organizational structure provides the basis for
planning, directing, and controlling operations
specific authorizations
policies and procedures that apply to designated levels of management, such as the policy that only the plant manager can authorize overtime pay
what are examples of risks at the financial statement level?
preparation of financial statements, developing accounting estimates, preparation of notes, selection and application of significant accounting policies, IT general controls, the control environment
what is the advantage of a flowchart over a questionnaire or narrative?
provides a clearer, more specific portrayal of the client's system
the documentation of internal control usually takes the form of
questionnaires, written narratives, and flow charts
examples of detective controls
reconciliations, performance reviews, audits
the auditors evaluate the design effectiveness of management review controls by considering which two things?
relevance and the precision of controls
Section 404(b) of SOX requires
requires most companies auditors to attest to, and report on, internal control over financial reporting does not apply to companies with less than 75 million in market capitalization or 100 million in revenue the preceding year
examples of preventive controls
separation of duties, physical controls, proper authorization, employee management, e-commerce controls
Corporate Governance
set of rules, processes, and laws by which businesses are operated, regulated, and controlled
governance
sets the entity's tone, reinforcing the importance of ERM and establishing oversight responsibilities
which types of deficiencies in internal control require communication to those charged with governance in writing?
significant deficiencies and material weaknesses
management review controls involve what?
significant judgement, knowledge, and experience in comparing recorded amounts with expectations of reviewers
an organizations sets its risk appetite in conjunction with
strategy setting
in a small business, the auditor must rely much more on ___ procedures of account balances and transactions than is required for larger organizations
substantive
general authorization
the authorization given employees to handle routine transactions without special approval
what is the major difference between control objectives and management assertions?
the control objectives are broader in that they not only relate to the financial reporting but also to operations and compliance
results of the risk assessment are used to design
the nature, timing, and extent of further audit procedures
internal control over financial reporting at the top level
the overall objective is to prepare and issue reliable financial statements
a weakness of an internal control questionnaire is
their lack of flexibility
separate systems flow charts are prepared for each major ___ ___
transaction cycle
the questionnaire usually contains a separate section for each major ___ ___
transaction cycle
what is an example of a compensating control?
when a small business does not have enough people to provide appropriate segregation of duties, so the manager reviews all accounting records
the lower assessed level of control risk is only appropriate when
when the auditors have evidence on the operating effectiveness gained by performing a test of controls