Chapter 7 - Internal Control
COSO - the Committee of Sponsoring Organizations
In 2004, what organization issued Enterprise Risk Management - Integrated Framework?
serial numbers
_____ _____ provide control over the NUMBER of documents issued
AIS
an organization's _____ consists of the methods and records established to record, process, summarize, and report an entity's transactions and to maintain accountability for the related assets, liabilities, and equity.
specific authorization
authorization that occurs when transactions are authorized on an individual basis
control environment
defined by the standards, processes, and structures that guide individuals in carrying out their duties.
redundant controls
duplicate controls that achieve a control objective
1. audit evidence. 2. direct assistance on the external audit.
external auditors may use the internal auditors' work in two ways:
material weakness
is a deficiency in internal control over financial reporting (or combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis
transaction cycle
refers to the policies and the sequence of procedures for processing a particular type of transaction
_____
risks at the ____ level are those that relate to the overall financial statements and potentially affect many individual assertions
1. authorization. 2. recording. 3. custodianship. 4. executing.
separation of duties is between which four main aspects of a transaction?
finance
the _____ department is responsible for financial operations and custody of liquid assets
1. an opinion on management's assessment of internal control, and 2. the auditors' own assessment of internal control.
the audit report on internal control includes both:
organizational structure
the division of authority, responsibility, and duties among members of an organization
operating
to test _____ effectiveness of controls, auditors determine whether the controls function as designed and whether the individuals performing the controls possess the necessary authority and qualifications
lack of flexibility
what is a disadvantage of an internal control questionnaire?
1. the control environment. 2. the risk assessment process. 3. control activities. 4. the information system relevant to financial reporting and communication. 5. monitoring activities.
5 components of internal control
written narratives of internal control
_____ are memoranda that describe the flow of transaction cycles, identifying the employees performing various tasks, the documents prepared, the records maintained, and the division of duties
separate evaluations
_____ are monitoring activities that are performed on a non-routine basis, such as periodic audits by the internal auditors
risk assessment
_____ is management's process for identifying, analyzing, and responding to such risks.
corrective controls
a control established to remedy control problems that are discovered through detective controls
walk-through
a procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records
authorization
an important aspect of transaction processing controls (control activities) is proper _____
incompatible duties
assigned duties that place an individual in a position to both perpetrate and conceal errors or fraud in the normal course of job performance.
general authorization
authorization that occurs when management establishes criteria for acceptance of a certain type of transaction
design
before testing if an internal control has been implemented, auditors must first determine if the _____ is effective.
1. commitment to integrity and ethical values. 2. effective board of directors. 3. effective organizational structure. 4. attracting, developing, and retaining competent employees. 5. individual accountability.
components/principles of a control environment
1. plan the engagement. 2. use a top-down approach to identify controls to test. 3. test & evaluate design effectiveness of internal control. 4. test & evaluate operating effectiveness of internal control. 5. form an opinion on the effectiveness of internal control over financial reporting.
five stages to internal control
1. inquiring of entity personnel. 2. observing the application of specific controls. 3. inspecting documents and reports. 4. tracing transactions through the information system relevant to financial reporting.
how do auditors obtain an understanding of a client's internal control?
avoidance, reduction, sharing, and acceptance
risk responses fall in the following categories:
manual of accounting policies and procedures
states clearly in writing the methods of treating transactions
AICPA or international auditing standards - every 3 audits. PCAOB - annually
tests of controls should be performed when?
accounting
the _____ department is responsible for all accounting functions and, often, the design and implementation of internal control
operations (accounting) and custody of assets (finance)
the division of the responsibilities between the finance and accounting department illustrates the separation of the accounting function from _____ and ______
risk assessment
the results of ______ are used to design the nature, timing, and extent of further audit procedures
avoidance
this response involves exiting the activity that gives rise to the risk
design
to test _____ effectiveness of controls, the auditors identify the company's control objectives and risks in each financial reporting area and then identify relevant controls that satisfy each control objective
finance and accounting
two departments that are mostly involved in the financial affairs of a business enterprise
2
type _____ report is a report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls
1. inquiries. 2. inspection. 3. observation. 4. reperformance.
what are the audit procedures that are used to test the effectiveness of internal control? (test of controls)
transaction level
_____ risks are found within divisions, operating units, or functions of the organization that are generally related directly to the financial statement assertions
control activities
are policies and procedures that mitigate the risk that the organization's objectives are not met
risk assessment procedures
audit procedures performed to obtain an understanding of the client and its environment, including internal control. Include: inquiries of management, others within and outside of the entity, analytical procedures, and observations.
1. align risk tolerance and its strategy. 2. enhance risk response decisions. 3. reduce operational surprises and losses. 4. identify and manage multiple and cross-enterprise risks. 5. seizing opportunities. 6. improving the deployment of capital (increase profits)
What are the advantages of an enterprise risk management framework?
general
_____ controls that apply to all or multiple types of transactions
supervisory
_____ controls are focused on high-risk transactions and assess whether other transaction control activities are operating properly
application
_____ controls that apply to the processing of a single type of transaction
Enterprise Risk Management
_____ extends beyond internal control to focus on how the organization can maximize value for stakeholders by effectively managing all risks and opportunities
fidelity bond
_____ form of insurance in which a bonding company agrees to reimburse an employer, within limits, for losses attributable to theft or embezzlement by bonded employees.
management letter
_____ helps auditors limit their liability in the event a control weakness subsequently results in a loss by the client
internal auditors
_____ investigate and appraise internal control and the efficiency with which the various units of the organization are performing their assigned functions, and they report their findings and recommendations to management and the audit committee
assessing risk
_____ involves evaluating likelihood of occurrence and potential impact and it also involves consideration of the velocity and speed of occurrence and duration of impact of the risk
audit decision aid
_____ is a checklist, standard form, or computer program that helps the auditors make a particular decision by ensuring that they consider all relevant information or by assisting them in combining the information to make the decision
monitoring of controls
_____ is a process to assess the quality of internal control performance over time
chart of accounts
_____ is a classified listing of all accounts in use, accompanied by a detailed description of the purpose and content of each
audit committee
_____ is directly responsible for the appointment, compensation, and oversight of the work of the CPA firm (not management) (including resolution of any disagreements between management and the CPA firm)
corporate governance
_____ is somewhat broader than internal control, in that it is not only concerned with the effectiveness of financial reporting, but it also encompasses ethical treatment of all major stakeholders, compliance with laws, regulations, customary business practices, and effective risk management.
risk tolerance
_____ is the acceptable level of variation in performance relative to the achievement of objectives
master vendor list
_____ is the best internal control for accounts payable
control environment
_____ may be viewed as the foundation for the other internal control components
compensation committee
_____ oversees the policies and procedures for MANAGEMENT compensation to help ensure that it is aligned with the strategic objectives and risk appetite of the organization
corporate governance
_____ is primarily concerned with controlling management and providing incentives for appropriate management behavior.
entity-level
_____ risks arise from external or internal factors, such as economic, regulatory, technology, and personnel factors
COSO
_____'s definition of internal control emphasizes that internal control is a process or a means to an end, and not an end in and of itself.
risk assessment
_____, auditors should obtain an understanding of the client's process for identifying and responding to business risks
control environment
_____, auditors should obtain sufficient knowledge to understand management's attitudes, awareness, and actions concerning the control environment
ongoing monitoring evaluations
______ include regularly performed supervisory and management activities, such as continuous monitoring of customer complaints, or reviewing the reasonableness of management reports
corporate governance
______ is the system by which companies are directed and controlled, that also includes the policies, procedures, and mechanisms that are established to ensure that the company operates in the best interests of its major stakeholders.
compensating controls
a control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective. They are ordinarily controls performed to detect, rather than prevent, the original misstatement from occurring
operations
a deficiency in _____ exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
design
a deficiency in _____ exists when either a control necessary to meet a control objective is missing or the existing control is not designed to operate properly
significant deficiency
a deficiency in internal control over financial reporting (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
internal control
a process effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories of (1) operations, (2) reporting, and (3) compliance.
management letter
a report to management containing the auditor's recommendations for correcting any deficiencies disclosed by the auditors' consideration of internal control.
control deficiency
a situation in which the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis
systems flowchart
a symbolic representation of a system or series of procedures with each procedure shown in sequence. A widely used method of describing internal control in audit working papers.
detective controls
controls designed to discover control problems soon after they occur
preventive controls
controls that deter control problems before they occur
complementary controls
controls that function together to achieve the same control objective
foreign corrupt practices act
required by all companies under SEC jurisdiction. 1. federal legislation prohibiting PAYMENTS to foreign officials for the purpose of securing business. 2. requires companies to maintain a system of internal control providing reasonable assurance that transactions are executed only with the knowledge and authorization of management
a. inquiries of management and others within the entity. b. analytical procedures. c. observation and other procedures, including inquiries of others outside the entity
risk assessment procedures include
1. internal environment. 2. objective setting. 3. event identification. 4. risk assessment. 5. risk response. 6. control activities. 7. information and communication. 8. monitoring.
similar to COSO's internal control framework, the enterprise risk management (ERM) framework has what 8 components?
integrity and ethical values
the effectiveness of internal control depends directly upon _____ and _____
planned assessed level of control risk
the level of control risk that auditors assume in designing further audit procedures, which include an appropriate combination of tests of controls and substantive procedures
assessed level of control risk
the level of control risk used by the auditors in determining the acceptable detection risk for a financial statement assertion and, accordingly, in deciding on the nature, timing, and extent of substantive procedures
sharing
this response involves reducing risk likelihood and impact by transferring or sharing a portion of the risk
reduction
this response involves taking action to reduce risk likelihood or impact, or both.
acceptance
this response involves taking no action because the risk is consistent with the risk tolerance of the organization
reporting, objectives, and compliance.
three areas of internal control (different from components of internal control)
1
type _____ report is a report on management's description of a service organization's system and the suitability of the design of controls
1. complexity of calculations involved. 2. risk of fraud. 3. selection and application of accounting policies. 4. internal and external circumstances giving rise to business risks. 5. recent developments in the industry and economy.
when determining whether an identified risk of misstatement requires special audit consideration, the auditors consider factors such as:
2; appropriate tests of controls
when the user auditors' risk assessment includes an expectation that controls at the service organization operate effectively, the user auditors should obtain a type _____ report, or perform _____