Topic 7
SOX created two provisions that relate to a public company's system of internal controls:
(1) a company's management team must regularly report to investors regarding the quality of the company's internal controls governing the financial reporting process, and (2) the external auditor must perform a full audit of the public company client's internal controls and report to investors on the quality of those controls as part of the client's annual filing with the SEC.
What are the two aspects of a client's internal control system that must be evaluated?
(1) design effectiveness, (2) operating effectiveness
In what ways can an internal control procedure be monitored?
(1) people-based monitoring, (2) technology-based monitoring.
What characteristics are included in the control environment?
(1) the 'tone at the top' set by management and the board of directors, (2) management's integrity, goals and objectives, and (3) attitudes toward the role of internal control within the organization.
Each of the following is an example of control activities except? (a) Monitoring (b) Physical controls (c) Reconciliations (d) Authorizations and approvals
(a) Monitoring
The primary objectives achieved by a high-quality system of internal control are: (a) Operations, reporting, and compliance (b) Reporting and accuracy (c) Accuracy and compliance (d) Operations and compliance
(a) Operations, reporting, and compliance
Which of the following best describes the Risk Assessment component of internal control as outlined in the COSO framework? (a) The auditor performs high quality risk assessment procedures to identify risky areas in the client's internal control systems (b) The company maintains a robust risk assessment process which helps identify risks that might keep them from achieving the objectives of operations, reporting, and compliance (c) The auditor performs regular fraud risk assessments of the client to identify client fraud (d) Each of the above describes the Risk Assessment component of internal control as outlined in the COSO framework
(b) The company maintains a robust risk assessment process which helps identify risks that might keep them from achieving the objectives of operations, reporting, and compliance
The auditor's report on internal control quality can express which of the following opinions regarding the quality of internal control? (a) Unqualified or Qualified only (b) Unqualified or Adverse only (c) Unqualified, Qualified, or Adverse (d) Qualified or Adverse only
(b) Unqualified or Adverse only
Which of the following is the correct sequence with regards to the auditor's reliance on the client's internal controls? (a) Assess design and implementation of controls, testing controls, decision to rely on controls (b) Decision to rely on controls, assess design and implementation of controls, testing controls (c) Assess design and implementation of controls, decision to rely on controls, testing controls
(c) Assess design and implementation of controls, decision to rely on controls, testing controls
The principles outlined by COSO for the control environment component are:
1. Demonstrate commitment to integrity and ethical values.
2. The Board of Directors demonstrates independence from management and exercises oversight of the development and performance of internal controls.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives.
4. Commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. Holds individuals accountable for their internal control responsibilities.
The principles outlined by COSO for the information and communication component are:
1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
3. The organization communicates with external parties regarding matters affecting the functioning of internal controls.
The principles outlined by COSO for the control activities component are:
1. The organization selects and develops control activities that contribute to the mitigation of risks to acceptable levels.
2. The organization selects and develops general control activities over technology to support the achievement of objectives.
3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
The principles outlined by COSO for the monitoring component are:
1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
The principles outlined by COSO for the risk assessment component are:
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.
Make a decision whether or not the Audit Team can Rely on Internal Controls
Can the audit team rely on the I/C for financial statement audit evidence? Why or why not? Record the yes/no decision and document the results.
Reconciliations
Comparison of two or more data elements. Ex. bank reconciliations.
Verifications
Comparison of two items. Ex. the shipment date should precede the invoice date.
(T/F) The Control Environment component of internal control relates to client integrity, proper board oversight and reporting channels, commitment to hiring competent employees, and proper accountability for internal control related actions.
True
(T/F) The auditor can issue either combined or separate audit reports when reporting on both the audit of financial statements and the audit of internal control.
True
(T/F) The internal audit function at the client often plays a significant role in evaluating the company's internal controls.
True
What is the COSO definition of internal control?
"a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance."
What are the three primary objectives achieved by a high-quality system of internal control?
1) operations 2) reporting 3) compliance
FIVE COMPONENTS OF AN EFFECTIVE INTERNAL CONTROL SYSTEM
1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring
Significant Deficiency
A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
Material Weakness
A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
What is an integrated audit?
A full audit of and opinion on the client's internal control over financial reporting (ICFR) that accompanies the audit of and opinion on the client's financial statements.
Auditor's Report over I/C Governance
AS 2201 states that the "auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting."
Authorizations and Approvals
Affirmation that a transaction is valid. Ex. authorization of credit.
The officers of the company who sign these certifications also must certify that they have disclosed the following matters to the external auditors and to the audit committee:
(1) All significant deficiencies in the design or operation of internal controls (material weaknesses in internal controls); and (2) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.
Management also must certify that it has indicated in the report filed with the SEC whether there have been significant changes in internal controls from the prior period, as well as any corrective action taken to respond to previous internal control weaknesses.
What five professional organizations joined forces to create COSO in 1985?
American Accounting Association (AAA), American Institute of CPAs (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA), and Institute of Internal Auditors (IIA).
What is a control deficiency?
An observed instance where the design or operation of a control causes a failure to prevent or detect misstatements in a timely manner.
Supervisory Controls
Assess whether control activities are being properly performed. Ex. monitoring that controls are performed.
Examples of Control Activities
Authorizations and approvals; verifications; physical controls; controls over standing data; reconciliations; supervisory controls.
Examples of Substantive Procedures
Bank confirmation; accounts receivable confirmation; observe a physical inventory count; confirm inventories not on-site; observe fixed assets; match purchase orders and supplier invoices to fixed asset records; confirm accounts payable; confirm debt; analytical analysis of assets, liabilities, revenue, and expenses.
How should the auditor evaluate the internal control?
Based on the likelihood of misstatements remaining undetected by the I/C and the magnitude of the potential misstatement.
Audit Report for Internal Controls
Can be either combined or separate reports. The auditor can report on the F/S and the I/C in the same report or two separate reports.
Weaknesses in the client's system of I/C can be categorized into three types:
(1) Deficiency, (2) Significant Deficiency, (3) Material Weakness
Preventive Controls
Designed to ensure that negative events don't happen. For example, locks on doors and passwords on computers are examples of preventive controls that ensure unauthorized access doesn't happen.
Detective Controls
Designed to identify events that have already occurred. For example, the practice of performing a bank reconciliation at the end of each month is a control activity designed to identify errors or fraud that may have occurred during the period.
If the auditor chooses to issue two separate reports, he must include additional disclosures:
(1) Disclosures indicating that the other audit was also conducted, (2) the date of the other audit report, and (3) a summary of the opinion expressed in the other audit report.
Public & Private Company Auditor Responsibilities:
Ensure that controls are properly functioning when performing an audit of a client's financial statements, particularly if the auditor expects to use the effectiveness of internal controls as indirect evidence regarding the fair presentation of the financial statements.
Assess the design and implementation of the Internal Controls
Evaluate the design (design effectiveness). If the design is adequate, assess the implementation of the I/C.
Deficiency
Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
(T/F) A significant deficiency is more serious than a material weakness.
False
(T/F) The auditor has primary responsibility for the proper functioning of their client's internal control.
False
(T/F) The materiality threshold used for the audit of financial statements is different from the materiality threshold used for determining whether a control deficiency is a material weakness or a significant deficiency.
False
(T/F) Using the COSO internal control framework as a benchmark for quality is mandatory for the audit of internal control over financial reporting.
False
Documenting an Understanding of Internal Controls
Flowcharts; questionnaires; written narratives; documented observations of control practices.
What was one of the purposes of the Sarbanes-Oxley Act of 2002 (SOX)?
Help restore investor confidence in capital markets by requiring companies to improve the quality of their internal controls governing the financial accounting and reporting process.
Test the Internal Controls
If yes, test controls (operating effectiveness). After testing I/C, determine the level of substantive testing that needs to be performed. Note: even with reliance on I/C, some level of substantive testing should be done.
If no, perform extensive substantive audit testing since I/C cannot be relied upon. The auditor will not test I/C.
Public Company ONLY Auditor Responsibilities
In order to comply with SOX, the external auditor must perform a full audit of the public company clients' internal controls and report to investors on the quality of those controls as part of the client's annual filing with the SEC.
Auditor's Responsibility for Controls - Standard Audit Procedures on I/C
Inquiries of key personnel, Observations of control processes in action, Inspections of documents, Walk-throughs (i.e., observing sample transactions as they are processed through the system of controls)
What is the relationship between internal control quality & financial statement reporting quality?
Internal control quality and financial statement reporting quality go hand in hand.
Is risk assessment a process or a one-time event?
It is an ongoing process in which risks are continually being assessed and re-assessed as additional information arises.
What is required under SOX?
Large public companies must obtain both an audit of financial statements as well as an audit of internal controls.
Only required for accelerated filers with market capitalization > $75 million (doesn't apply to "small filers")
Market Capitalization: The value of a company that is traded on the stock market, calculated by multiplying the total number of shares by the present share price.
Auditor's Responsibility for Controls - SOX
(1) Must be an integrated approach; (2) purpose of the integrated approach; (3) only required for accelerated filers with market capitalization > $75 million (doesn't apply to "small filers").
Is use of the COSO framework mandatory?
No, but it has become the most widely used internal control framework in the U.S. and around the world.
Auditor's Responsibility for Controls:
Obtain an Understanding of the I/C to Determine the Audit Team's Reliance on the I/C
Objectives of Internal Control - Top of COSO Cube
Operations, Reporting, Compliance
Controls over Standing Data
Process of populating, updating, or maintaining the accuracy of data. Ex. master price lists.
Purpose of Integrated Approach
Provide investors with the auditor's opinion regarding the effectiveness of the client's internal controls over financial reporting. The I/C Audit is designed to identify Material Weaknesses that could lead to misstatements in the F/S.
Information and Communication
Relates to the processes and systems in place for recording and sharing information throughout the organization.
When auditing I/C, what is the auditor responsible for?
Reporting all deficiencies discovered in the course of the audit, regardless of their level of significance.
Section 404(a): Annual Report on Internal Controls
Requires that public company management provide a report detailing their evaluation of their company's system of internal control as part of the company's annual report (10-K). The internal control report should contain a statement by management taking responsibility for establishing and maintaining effective internal control as well as an assessment of the effectiveness of internal controls as of the end of the most recent fiscal year.
SOX Requirements Related to Management
Section 302: Management Certification of Responsibility
Section 404(a): Annual Report on Internal Controls
Physical Controls
Securing assets by limiting access. Ex. locks, gates, etc.
Must be an Integrated Approach
The "audit" of internal controls should not be the subject of a separate engagement, but should be conducted by the same auditor that performs the financial statement audit.
What is the COSO Framework?
The 'established criteria' and benchmark to use when evaluating the effectiveness of internal controls.
What is COSO?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to combat corporate fraud. COSO has established a common internal control model against which companies and organizations may assess their control systems.
Who is responsible for most of the work involved in assessing and evaluating internal controls?
The Internal Audit Department
What is the PCAOB's position on the COSO framework?
The PCAOB has stated that the COSO framework is an acceptable framework for evaluating the effectiveness of a company's ICFR (internal controls over financial reporting).
What are the auditor's responsibilities?
The auditor is required to understand and evaluate the client's system of internal control.
Adverse Opinion
The auditor's opinion that the I/C are NOT effective in both design and operation; material weaknesses exist.
Unqualified Opinion
The auditor's opinion that the I/C are effective in both design and operation.
Who has the primary responsibility for establishing and maintaining the internal control system?
The client
Where are the five components of an effective internal control system shown on the cube?
The front panel
What is the focus of the internal control audit?
The identification of a Material Weakness
What is the primary concern of auditors with regard to internal controls?
The impact of internal controls on financial reporting.
What is the primary determinant as to whether a control deficiency is a significant deficiency or a material weakness?
The size of the potential misstatement that could go undetected
Congress enacted Section 302 of The Sarbanes-Oxley Act of 2002 (SOX) to require that a public company's CEO and CFO provide the following written certifications in the annual (10-K) and quarterly (10-Q) filings:
(1) They are responsible for establishing and maintaining internal controls; (2) have designed internal controls to ensure that material information is made known to such officers by others; (3) have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report; and (4) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.
What is the focus of Information and Communications?
This component focuses on the information systems used within an organization to ensure that decision makers have access to timely and relevant information when making important decisions.
What is the focus of the monitoring component of an internal control system?
This component relates to procedures put in place that are designed to ensure that internal control procedures are implemented effectively.
What is the purpose of the audit of I/C over financial reporting?
To ensure that controls related to financial reporting objectives are designed and implemented effectively.
Auditor must communicate in writing the following matters:
To management—all deficiencies identified during the audit (AS 2201).
To the audit committee—(1) the extent to which they plan to use the work of internal auditors, company management, or third parties under the direction of management (AS 1301); (2) all significant deficiencies and material weaknesses identified during the audit (AS 2201).
To the Board—if the auditor concludes that oversight by the audit committee is ineffective (AS 2201).
To the public—the identification of any material weaknesses.
What is the purpose of I/C over financial reporting?
To prevent or detect misstatements from appearing in the financial statements.
(T/F) If the auditor uses a pure substantive approach, he or she will typically not test the client's controls.
True
(T/F) The approach to documenting the auditor's understanding of internal control varies depending on the complexity of the system of internal control.
True
Only Two Opinions on Internal Controls
(1) Unqualified Opinion, (2) Adverse Opinion
Why is risk assessment so important?
You cannot fix what you do not know is broken.
Why is the control environment important?
A system of internal control functions better in an environment that is conducive to and supportive of the proper functioning of those controls.
Substantive testing
an audit procedure that examines the financial statements and supporting documentation to see if they contain errors.
Risk assessment
an ongoing process that involves the identification and assessment of the probability and magnitude of potential risks faced by the entity.
During the risk assessment stage, auditors perform
assessments of the client's control risk.
COSO was originally founded by ______ organizations, including the AICPA. a) Three b) Five c) Seven d) Two
b) Five
With the release of its 1992 framework, COSO introduced a
graphic design to help users understand the relationship between the various components of effective internal control.
Operations Objectives
includes a focus on achieving effective and efficient business operations and the safeguarding of company assets
Compliance Objectives
includes adherence to applicable laws and regulations
Reporting Objectives
includes both internal and external reporting of financial and nonfinancial information.
A well-designed internal control activity that is not implemented well or operating appropriately
is also ineffective.
Substantive tests
needed as evidence to support the assertion that the financial records of an entity are complete, valid, and accurate.
A poorly-designed internal control activity that is implemented perfectly will
not have the desired effect.
Control Activities
relates to the specific actions (e.g., personnel, policies, procedures) put into place to address the threats identified through the risk assessment process.
Control Environment
the setting in which the system of control is meant to function.
What is the purpose of the COSO Framework?
to outline the committee's collective guidance regarding best practices for designing and implementing strong internal control systems.