Week 7 (After Exam 1)
Ex: a management review control requires management each month to investigate unexpected sales variance over a certain $ amount Tests for design effectiveness of the management review control include:
-Analyze whether the appropriate level of management is performing this review
-Is a monthly review frequent enough to detect errors on a timely basis
-Determine if the $ amount for investigations is sufficiently low to trigger enough investigation to detect a material misstatement
What are standard control activities (principle 12) Principle 12 : Organization deploys control activities through 1) policies that establish expectations and 2) procedures that put policies into action
-Authorization and documentation (unique transaction identifier)
-Physical access controls (ex: restricted access to inventory)
-Management review controls (effectively designed to detect material errors and are operating as intended)
Separation of Duties includes the following:
-Separation of the following duties:
 -Authorization
 -Recording
 -Custody of the related asset (ex: cash)
Describe Step 3: Likely sources of misstatements
-a walkthrough will frequently be the most effective way to understand likely sources of misstatement
Describe Step 1: Entity Level Controls
-control environment (tone at the top, code of conduct communicated, BOD oversight)
-controls over period-end reporting process (information used, consolidation entries, adjustments)
-controls to prevent management override
-other high-level COSO framework components (entity's risk assessment, monitoring)
Describe Step 2: Significant accounts and assertions
-susceptibility to errors or fraud
-accounting complexity (ex: sales price allocations on contracts with multiple performance obligations)
-volume of activity and/or size of the account
-existence of related parties
-significant changes from the prior period
Example of operating effectiveness: see the management review control: Start with a sample of reviews and test (through observation and inspection of client documentation) whether:
-the appropriate manager (based on the control design) is conducting the review
-the review was performed each month
-follow up investigation is performed when variance exceeds the materiality threshold (from the design)
When testing controls we must test for what two types of effectiveness
1) Design Effectiveness 2) Operating Effectiveness
What are the 4 steps for an ICFR audit that uses the risk based "top down" approach since it is integrated with a financial statement audit
1) Identify entity level controls that have a pervasive effect on the entity's ability to meet the COSO framework - Pervasive means that all accounts and assertions are affected by these controls
2) Identify significant accounts and relevant assertions
3) Understand likely sources of misstatements (including fraud)
4) Identify the important controls to test and then test the controls
an auditor must assess whether a control deficiency (or a combination of deficiencies) rises to the level of either a
1) significant deficiency 2) material weakness
What are COSO's 3 overall objectives for internal control
1. Accurate financial reporting (internal and external) 2. Effectiveness and Efficiency of operations 3. Complying with applicable laws and regulations
What are the 5 components of the COSO Framework
1. Control Environment 2. Entity's Risk Assessment Process (not the auditors) 3. Control Activities 4. Information and Communication 5. Monitoring of controls
What are the principles for the 1) Control Environment component
1. Integrity and ethical values, also called "tone at the top"
2. BOD independence from management and oversight over internal control
3. Management establishes an appropriate organizational structure with clear assignment of responsibility
4. Commitment to hire and retain competent personnel
5. Individuals are held accountable for internal control
What are the two primary purposes of internal control testing for publicly traded companies (issuers)
1. Proper assessment of control risk (RMM component) for the financial statement audit
 -Effective controls (lower CR and RMM) mean fewer substantive procedures are required (higher DR is okay)
2. Determine the auditor's opinion on internal control over financial reporting (ICFR)
 -the ICFR opinion is possibly more important to investors (forward-looking) than the financial statement opinion (past looking)
New hires need solid training in ICFR
what are the principles for the 3) Control Activities component
10. Organization selects control activities to mitigate risks to the achievement of objectives
11. Organization selects general control activities over technology (ex: restricted access, software changes, backup, cybersecurity)
12. Organization deploys control activities through 1) policies that establish expectations and 2) procedures that put policies into action
what are the principles for 4) Information and Communication
13. Organization uses quality information to support the other internal control components
14. Objectives and responsibility for internal control are internally communicated
15. Organization communicates with external parties regarding the functioning of internal control components
what are the principles for the 5) Monitoring component
16. Organization uses ongoing and separate evaluation to ascertain whether the internal control components are functioning
17. Control deficiencies are evaluated and communicated in a timely manner to those responsible for corrective action
What are the principles for the 2) Entity's Risk Assessment Process component
6. Clear objectives are established (what are they trying to achieve?)
7. Risks to the objectives are identified and analyzed (likelihood and magnitude)
8. Potential for fraud is considered
9. Changes that could impact control (ex: new technology, legislation) are considered
What type of SOC 1 report will provide the auditor with sufficient evidence to reduce assessed CR for the relevant accounts and assertions
A Type 2 SOC 1 report will provide this assurance
An ICFR audit requires the auditor to express an opinion on internal control effectiveness (as of what time) in preventing or detecting a material misstatement
An ICFR audit requires the auditor to express an opinion on internal control effectiveness AS OF YEAR END in preventing or detecting a material misstatement
what type of approach does an ICFR audit that is integrated with a financial statement audit use?
An ICFR audit that is integrated with a financial statement audit uses a risk based, "top down" approach. Focus first on entity level controls and high risk accounts and assertions, then work down to test the specific control activities
If a company receives an adverse ICFR audit opinion what kind of financial statement opinion will they usually receive
An adverse ICFR audit opinion will still likely be accompanied by an unqualified financial statement opinion because the financial statements will be corrected prior to filing with the SEC. Ex: Deloitte's financial statement opinion for Super Micro as of 6/30/2020 was unqualified even though the ICFR audit opinion was adverse due to a material weakness
what is a SOC 1 Report
An audited company (Company A) may outsource processes such as payroll to another company (Company B). How does Company A's auditor test the controls of Company B? Typically, the auditor will obtain a SOC 1 report from another auditor who has tested Company B's controls
What is the audit risk model
Audit Risk = Risk of Material Misstatement x Detection Risk
(AR) = RMM x DR
RMM = two components, Inherent Risk and Control Risk
Auditors assess Control Risk (CR) at what two levels
Auditors assess CR at the account and assertion level
what is COSO
Committee of Sponsoring Organizations (COSO)
COSO established a framework for internal controls. Sponsoring organizations are:
-American Accounting Association
-American Institute of CPAs
-Financial Executives International
-Institute of Internal Auditors
what is the purpose of the 4) Information and Communication component
Communication of information both internally and externally to support achievement of objectives
Describe the timing of tests needed
Continuous controls (ex: transaction authorization) can be tested in the interim period
Year end controls (ex: period end reporting) are tested at year end
Controls over non-routine, complex, high risk transactions should be tested closer to year end
-determine if roll forward procedures are necessary to update interim control tests to year end
what is control risk
Control Risk is the risk that controls fail to prevent misstatements
-the auditor conducts a preliminary CR assessment in audit planning based on an understanding of the audited entity's processes
-the auditor then performs tests of controls to update the CR assessment
If there is a control deficiency for ICFR purposes how is this communicated
Control deficiencies should be reported to management for remediation but are not required to be reported to the audit committee
what is Detection Risk
DR is the risk the auditor fails to detect misstatements
-the updated CR assessment determines the appropriate level of DR to achieve
What are IT application controls
Data Capture: completeness and accuracy of info
Data Validation/Processing: Valid entries of information ($ limits, allowable range, certain numeric/text characters)
Output: authorized users of reports
Errors: corrections made are resubmitted in the system
Describe Step 4: Testing Controls
First you must identify the correct population based on the related account and assertion (appropriateness of evidence)
Then test for design and operating effectiveness:
-Design Effectiveness: will the control, if operated as designed, achieve its intended purpose
-Operating Effectiveness: Does it operate as it is designed?
What must these companies with less than $100 million annual rev still do
Management of these companies must still 1) certify they are responsible for establishing effective ICFR 2) evaluate and report on ICFR effectiveness
If there is a material weakness for ICFR purposes how is this communicated
Material weaknesses are noted in the published audit report so all parties (internal and external) are aware of them
is inquiry alone enough evidence
NO, inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control
Is the ICFR audit required for both public and private companies by the Sarbanes Oxley Act
NO, the ICFR audit is only required for public companies
is there a qualified opinion for ICFR audit opinions
No, there are only adverse opinions and unqualified opinions Note that this is different from financial statement audit opinions which have adverse, qualified, and unqualified opinions
Suppose you are conducting the financial statement audit of Company A who outsources their payroll processing to Company B. How will you assess control effectiveness of your audit client's payroll processes
Obtain the SOC 1 report from the auditor who performed the SOC 1 audit of Company B's internal controls over payroll processing This report will support a lower CR assessment for payroll accounts and related assertions
What is the Reliance Strategy
Reliance Strategy = assessed control risk is low
-plan to rely on tests of controls
-fewer substantive ($) tests are needed (an increase in DR is okay because RMM is lower)
What does SOC stand for and what type of SOC report are we focused on in audit
SOC = System and Organization Controls We are focused on the SOC 1 report
If there is a significant deficiency for ICFR purposes how is this communicated
Significant deficiencies are not reported externally (unqualified ICFR opinion) but they are reported to the audit committee (a sub-committee of the BOD)
What is the Substantive Strategy
Substantive Strategy = assessed Control Risk is high
-do not rely on tests of controls (if you do not think they are effective, do not spend time testing them)
-Conduct increased substantive testing (lower DR needed because RMM is higher)
what is the ICFR audit exception that allows a public company not to have an ICFR audit
The SEC adopted a rule that exempts all public companies with less than $100 million annual revenue from the ICFR audit
What is the purpose of a SOC 1 report
The SOC report replaces the need for all audit firms to conduct their own control tests of Company B's payroll processes. Ex: Company A outsources its payroll services to Company B. Company B also provides payroll services to many other companies in addition to Company A. Company A's auditor needs to assess control risk of Company A's payroll process. Auditors of other companies also need to assess control risk of the payroll process in their audits. Company A's auditor and the auditors of other companies will rely on the SOC 1 report issued by Company B's auditor.
What are the 2 Types of SOC 1 reports?
Type 1: Management's assertion and the auditor's opinion on the effective design of controls
Type 2: Adds the auditor's opinion on the operating effectiveness of the organization's controls
if the control deficiency is not material or significant and is reasonably possible or probable it is deemed to be
a control deficiency
if the control deficiency is material and is reasonably possible or probable it is deemed to be
a material weakness
if the control deficiency is significant but not material and is reasonably possible or probable it is deemed to be
a significant deficiency
What is the purpose of the 5) Monitoring component
activities to determine the proper functioning of the other internal control components
What kind of ICFR audit opinion will an auditor release for a material weakness
an adverse opinion
What kind of ICFR audit opinion will an auditor release for a control deficiency
an unqualified opinion
What kind of ICFR audit opinion will an auditor release for a significant deficiency
an unqualified opinion
what does a walkthrough involve
following the transaction from origination to the company's financial statements using the same process and documentation as the entity's personnel.
-use a combination of inquiry, observation, inspection of documents, and re-performance of controls
-ask probing questions to understand the process and identify important points where a necessary control is missing or is not designed effectively
What is the purpose of the 3) control activities component
guidance for implementing controls to mitigate the identified risks
what is the nature of the tests that should be used
inquiry, observation, inspection of documentation, and re-performance
what is the 2) Entity's Risk Assessment Process component purpose
it is management's process for identifying risks to achieving its objectives
what is a control deficiency
lack of design and/or operating effectiveness results in a control deficiency
if the control deficiency is material, significant but not material, or not material or significant, and the likelihood is remote, it is deemed to be
nothing
what does the Control Environment Component do
reflects the organization's overall attitude towards internal controls, so it affects the other COSO components.
what does the extent of testing look like
select the appropriate sample size (sufficiency of evidence)
what does the auditor need to consider regarding roll forward procedures
-significant changes in controls after the interim period
-length of time between interim date and year end
-controls relating to unusual, high risk transactions should be tested closer to year end
what is operating effectiveness
test whether the control operates as designed and is performed by someone with appropriate competence and authority
What is design effectiveness
test whether the control will achieve its financial reporting objective (ex: accuracy assertion for recorded sales revenue) if it operates as designed
how does an auditor document their understanding
through the use of:
-Flowcharts (a picture/drawing of the process)
-Narratives (a written description of the process)
How is testing controls done
through various audit procedures:
-inquiry of client personnel
-observation of control activities
-inspection of documents
-reperformance of control activities
T/F: auditors must try to understand the extent to which the audit client uses Robotic Process Automation (RPA) software in the accounting process to process transactions and complete documentation
true
T/F: external auditors of these smaller companies must still consider ICFR effectiveness in the financial statement audit
true
T/F: the external auditor is required to provide an opinion on a company's ICFR for a public company
true
T/F: the original COSO framework was issued in 1992 and was updated in 2013 with specific principles identified within each component.
true
T/F: the external auditor's discovery of a material misstatement in the financial statement audit will most likely require an adverse ICFR audit opinion
true, because a material misstatement is an indicator of a material weakness in ICFR
T/F: As an external user reviewing the auditor's ICFR audit opinion we only know if there is a material weakness or absence of a material weakness
true, we do not know if there is a significant deficiency because it receives the same ICFR audit opinion as the control deficiency