Week 7 (After Exam 1)

Ex: a management review control requires management each month to investigate unexpected sales variance over a certain $ amount. Tests for design effectiveness of the management review control include:

-Analyze whether the appropriate level of management is performing this review -Is a monthly review frequent enough to detect errors on a timely basis -Determine if the $ amount for investigations is sufficiently low to trigger enough investigation to detect a material misstatement

What are standard control activities (principle 12)? Principle 12: Organization deploys control activities through 1) policies that establish expectations and 2) procedures that put policies into action

-Authorization and documentation (unique transaction identifier) -Physical access controls (ex: restricted access to inventory) -Management review controls (effectively designed to detect material errors and are operating as intended)

Separation of Duties includes the following:

-Separation of the following duties: -Authorization -Recording -Custody of the related (ex: cash)

Describe Step 3: Likely sources of misstatements

-a walkthrough will frequently be the most effective way to understand likely sources of misstatement

Describe Step 1: Entity Level Controls

-control environment (tone at the top, code of conduct communicated, BOD oversight) -controls over period-end reporting process (information used, consolidation entries, adjustments) -controls to prevent management override -other high-level COSO framework components (entity's risk assessment, monitoring)

Describe Step 2: Significant accounts and assertions

-susceptibility to errors or fraud -accounting complexity (ex: sales price allocations on contracts with multiple performance obligations) -volume of activity and/or size of the account -existence of related parties -significant changes from the prior period

Example of operating effectiveness: see the management review control: Start with a sample of reviews and test (through observation and inspection of client documentation) whether:

-the appropriate manager (based on the control design) is conducting the review -the review was performed each month -follow up investigation is performed when variance exceeds the materiality threshold (from the design)

When testing controls we must test for what two types of effectiveness

1) Design Effectiveness 2) Operating Effectiveness

What are the 4 steps for an ICFR audit that uses the risk based "top down" approach since it is integrated with a financial statement audit

1) Identify entity level controls that have a pervasive effect on the entity's ability to meet the COSO framework
-Pervasive means that all accounts and assertions are affected by these controls
2) Identify significant accounts and relevant assertions
3) Understand likely sources of misstatements (including fraud)
4) Identify the important controls to test and then test the controls

an auditor must assess whether a control deficiency (or a combination of deficiencies) rises to the level of either a

1) significant deficiency 2) material weakness

What are COSO's 3 overall objectives for internal control

1. Accurate financial reporting (internal and external) 2. Effectiveness and Efficiency of operations 3. Complying with applicable laws and regulations

What are the 5 components of the COSO Framework

1. Control Environment 2. Entity's Risk Assessment Process (not the auditors) 3. Control Activities 4. Information and Communication 5. Monitoring of controls

What are the principles for the 1) Control Environment component

1. Integrity and ethical values, also called "tone at the top" 2. BOD independence from management and oversight over internal control 3. Management establishes an appropriate organizational structure with clear assignment of responsibility 4. Commitment to hire and retain competent personnel 5. Individuals are held accountable for internal control

What are the two primary purposes of internal control testing for publicly traded companies (issuers)

1. Proper assessment of control risk (RMM component) for the financial statement audit
-Effective controls (lower CR and RMM) mean fewer substantive procedures are required (higher DR is okay)
2. Determine the auditor's opinion on internal control over financial reporting (ICFR)
-the ICFR opinion is possibly more important to investors (forward-looking) than the financial statement opinion (past looking)
New hires need solid training in ICFR

what are the principles for the 3) Control Activities component

10. Organization selects control activities to mitigate risks to the achievement of objectives 11. Organization selects general control activities over technology (ex: restricted access, software changes, backup, cybersecurity) 12. Organization deploys control activities through 1) policies that establish expectations and 2) procedures that put policies into action

what are the principles for 4) Information and Communication

13. Organization uses quality information to support the other internal control components 14. Objectives and responsibility for internal control is internally communicated 15. Organization communicates with external parties regarding the functioning of internal control components

what are the principles for the 5) Monitoring component

16. Organization uses ongoing and separate evaluation to ascertain whether the internal control components are functioning 17. Control deficiencies are evaluated and communicated in a timely manner to those responsible for corrective action

What are the principles for the 2) Entity's Risk Assessment Process component

6. Clear objectives are established (what are they trying to achieve?) 7. Risks to the objectives are identified and analyzed (likelihood and magnitude) 8. Potential for fraud is considered 9. Changes that could impact control (ex: new technology, legislation) are considered

What type of SOC 1 report will provide the auditor with sufficient evidence to reduce assessed CR for the relevant accounts and assertions

A Type 2 SOC 1 report will provide this assurance

An ICFR audit requires the auditor to express an opinion on internal control effectiveness (as of what time) in preventing or detecting a material misstatement

An ICFR audit requires the auditor to express an opinion on internal control effectiveness AS OF YEAR END in preventing or detecting a material misstatement

what type of approach does an ICFR audit that is integrated with a financial statement audit use?

An ICFR audit that is integrated with a financial statement audit uses a risk based, "top down" approach. Focus first on entity level controls and high risk accounts and assertions, then work down to test the specific control activities

If a company receives an adverse ICFR audit opinion what kind of financial statement opinion will they usually receive

An adverse ICFR audit opinion will still likely be accompanied with an unqualified financial statement opinion because the financial statements will be corrected prior to filing with the SEC. Ex: Deloitte's financial statement opinion for Super Micros as of 6/30/2020 was unqualified even though the ICFR audit opinion was adverse due to material weakness

what is a SOC 1 Report

An audited company (Company A) may outsource processes such as payroll to another company (Company B). How does Company A's auditor test the controls of Company B? Typically, the auditor will obtain a SOC 1 report from another auditor who has tested Company B's controls

What is the audit risk model

Audit Risk = Risk of Material Misstatement x Detection Risk
AR = RMM x DR
RMM = two components, Inherent Risk and Control Risk

Auditors assess Control Risk (CR) at what two levels

Auditors assess CR at the account and assertion level

what is COSO

Committee of Sponsoring Organizations (COSO). COSO established a framework for internal controls. Sponsoring organizations are: -American Accounting Association -American Institute of CPAs -Financial Executives International -Institute of Internal Auditors

what is the purpose of the 4) Information and Communication component

Communication of information both internally and externally to support achievement of objectives

Describe the timing of tests needed

Continuous controls (ex: transaction authorization) can be tested in the interim period
Year end controls (ex: period end reporting) are tested at year end
Controls over non-routine, complex, high risk transactions should be tested closer to year end
-determine if roll forward procedures are necessary to update interim control tests to year end

what is control risk

Control Risk is the risk that controls fail to prevent misstatements -the auditor conducts a preliminary CR assessment in audit planning based on an understanding of the audited entity's processes -the auditor then performs tests of controls to update the CR assessment

If there is a control deficiency for ICFR purposes how is this communicated

Control deficiencies should be reported to management for remediation but are not required to be reported to the audit committee

what is Detection Risk

DR is the risk the auditor fails to detect misstatements -the updated CR assessment determines the appropriate level of DR to achieve

What are IT application controls

Data Capture: completeness and accuracy of info
Data Validation/Processing: Valid entries of information ($ limits, allowable range, certain numeric/text characters)
Output: authorized users of reports
Errors: corrections made are resubmitted in the system

Describe Step 4: Testing Controls

First you must identify the correct population based on the related account and assertion (appropriateness of evidence)
Then test for design and operating effectiveness:
-Design Effectiveness: will the control, if operated as designed, achieve its intended purpose?
-Operating Effectiveness: Does it operate as it is designed?

What must these companies with less than $100 million annual rev still do

Management of these companies must still 1) certify they are responsible for establishing effective ICFR 2) evaluate and report on ICFR effectiveness

If there is a material weakness for ICFR purposes how is this communicated

Material weaknesses are noted in the published audit report so all parties (internal and external) are aware of them

is inquiry alone enough evidence

NO, inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control

Is the ICFR audit required for both public and private companies by the Sarbanes-Oxley Act

NO, the ICFR audit is only required for public companies

is there a qualified opinion for ICFR audit opinions

No, there are only adverse opinions and unqualified opinions. Note that this is different from financial statement audit opinions, which have adverse, qualified, and unqualified opinions

Suppose you are conducting the financial statement audit of Company A who outsources their payroll processing to Company B. How will you assess control effectiveness of your audit client's payroll processes

Obtain the SOC 1 report from the auditor who performed the SOC 1 audit of Company B's internal controls over payroll processing. This report will support a lower CR assessment for payroll accounts and related assertions

What is the Reliance Strategy

Reliance Strategy = assessed control risk is low - plan to rely on test of controls - fewer substantive ($) tests are needed (increase of DR is okay because RMM is lower)

What does SOC stand for and what type of SOC report are we focused on in audit

SOC = System and Organization Controls. We are focused on the SOC 1 report

If there is a significant deficiency for ICFR purposes how is this communicated

Significant deficiencies are not reported externally (unqualified ICFR opinion) but they are reported to the audit committee (a sub-committee of the BOD)

What is the Substantive Strategy

Substantive Strategy = assessed Control Risk is high - do not rely on tests of controls (if you do not think they are effective, do not spend time testing them) - Conduct increased substantive testing (lower DR needed because RMM is higher)

what is the ICFR audit exception that allows a public company not to have an ICFR audit

The SEC adopted a rule that exempts all public companies with less than $100 million annual revenue from the ICFR audit

What is the purpose of a SOC 1 report

The SOC report replaces the need for all audit firms to conduct their own control tests of Company B's payroll processes. Ex: Company A outsources its payroll services to Company B. Company B also provides payroll services to many other companies in addition to Company A. Company A's auditor needs to assess control risk of Company A's payroll process. Auditors of other companies also need to assess control risk of the payroll process in their audits. Company A's auditor and the auditors of other companies will rely on the SOC 1 report issued by Company B's auditor.

What are the 2 Types of SOC 1 reports?

Type 1: Management's assertion and the auditor's opinion on the effective design of controls
Type 2: Adds the auditor's opinion on the operating effectiveness of the organization's controls

if the control deficiency is not material or significant and is reasonably possible or probable it is deemed to be

a control deficiency

if the control deficiency is material and is reasonably possible or probable it is deemed to be

a material weakness

if the control deficiency is significant but not material and is reasonably possible or probable it is deemed to be

a significant deficiency

What is the purpose of the 5) Monitoring component

activities to determine the proper functioning of the other internal control components

What kind of ICFR audit opinion will an auditor release for a material weakness

an adverse opinion

What kind of ICFR audit opinion will an auditor release for a control deficiency

an unqualified opinion

What kind of ICFR audit opinion will an auditor release for a significant deficiency

an unqualified opinion

what does a walkthrough involve

following the transaction from the origination to the company's financial statements using the same process and documentation as the entity's personnel. -use a combination of inquiry, observation, inspection of documents, and re-performance of controls -ask probing questions to understand the process and identify important points where a necessary control is missing or is not designed effectively

What is the purpose of the 3) control activities component

guidance for implementing controls to mitigate the identified risks

what is the nature of the tests that should be used

inquiry, observation, inspection of documentation, and re-performance

what is the 2) Entity's Risk Assessment Process component purpose

it is management's process for identifying risks to achieving its objectives

what is a control deficiency

lack of design and/or operating effectiveness results in a control deficiency

if the control deficiency is material, significant but not material, or not material or significant and the likelihood is remote it is deemed to be

nothing

what does the Control Environment Component do

reflects the organization's overall attitude towards internal controls, so it affects the other COSO components.

what does the extent of testing look like

select the appropriate sample size (sufficiency of evidence)

what does the auditor need to consider regarding roll forward procedures

-significant changes in controls after the interim period
-length of time between interim date and year end
-controls relating to unusual, high risk transactions should be tested closer to year end

what is operating effectiveness

test whether the control operates as designed and is performed by someone with appropriate competence and authority

What is design effectiveness

test whether the control will achieve its financial reporting objective (ex: accuracy assertion for recorded sales revenue) if it operates as designed

how does an auditor document their understanding

through the use of: -Flowcharts (a picture/drawing of the process) -Narratives (a written description of the process)

How is testing controls done

through various audit procedures: -inquiry of client personnel -observation of control activities -inspection of documents -reperformance of control activities

T/F: auditors must try to understand the extent to which the audit client uses Robotic Process Automation (RPA) software in the accounting process to process transactions and complete documentation

true

T/F: external auditors of these smaller companies must still consider ICFR effectiveness in the financial statement audit

true

T/F: the external auditor is required to provide an opinion on a company's ICFR for a public company

true

T/F: the original COSO framework was issued in 1992 and was updated in 2013 with specific principles identified within each component.

true

T/F: the external auditor's discovery of a material misstatement in the financial statement audit will most likely require an adverse ICFR audit opinion

true, because a material misstatement is an indicator of a material weakness in ICFR

T/F: As an external user reviewing the auditor's ICFR audit opinion we only know if there is a material weakness or absence of a material weakness

true, we do not know if there is a significant deficiency because it receives the same ICFR audit opinion as the control deficiency

