ACC 450 Chapter 7
Material Weakness
A deficiency in internal control (or combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis. Most severe classification.
Management letter
A report to management containing the auditors' recommendations for correcting any deficiencies disclosed by the auditors' consideration of internal control. In addition to providing management with useful information, a management letter also may help limit the auditors' liability in the event a control weakness subsequently results in a loss by the client.
integrated
AUDITS OF ICFR For publicly traded companies, Section 404 of the Sarbanes-Oxley Act requires an ___________________ audit.
detection risk
As the assessed level of control risk increases, the acceptable level of _______________ decreases. The auditor may modify the nature, timing and extent of substantive tests.
preventive, detective, or corrective.
Controls over financial reporting are often classified as ....
A. Internal control questionnaire B. Checklists C. Written narrative of IC D. Flowcharts
Documentation is required for the Understanding obtained to plan the audit. Form and extent affected by size and complexity of client and nature of internal controls. What are some examples of documentation techniques? (4)
Foreign Corrupt Practices Act
Federal legislation prohibiting payments to foreign officials for the purpose of securing business. The act also requires all companies under SEC jurisdiction to maintain a system of internal control providing reasonable assurance that transactions are executed only with the knowledge and authorization of management.
1) Control environment 2) Risk assessment 3) control activities 4) accounting information system 5) monitoring of controls
Identify the five components of an organization's internal control?
1. Begin at the financial statement level 2. Identify significant accounts & disclosures 3. Identify relevant assertions 4. Identify & evaluate entity level controls first before drilling down to process level controls. Entity level controls apply to whole financial statements or whole company. Process level controls are more specific like payroll processing, manufacturing, etc. 5. Test and evaluate design effectiveness of ICFR 6. Test and evaluate operating effectiveness of ICFR 7. Form an opinion on effectiveness of ICFR
In ICFR, we use a top-down approach to identify controls to test. What are the 7 key points of emphasis?
A. Identify types of potential misstatements. B. Consider factors that affect the risk of material misstatement. C. Design tests of controls, when applicable D. Design substantive procedures.
Internal Control Concept of being Implemented (Placed in operation) 1. Auditors must on all audits determine that the IC has been implemented (placed in operation). 2. Auditors use this knowledge of whether the IC has been placed in operation to: (4) Implemented is Lower threshold.
walk-through
Internal control Level of knowledge required: After the Controls have been placed in operation (implemented). For the accounting information system, auditors perform a _____________ in which they trace one or two transactions of each major type through the system. For example, one might begin with a customer of the client's purchase order and follow the revenue cycle all the way through when that purchase is shipped, billed and cash is collected.
qualified The opinion for control year is for the fiscal year date ("as of"). Controls could be operating poorly Jan 1-Dec 28, but if on Dec 29 the auditor is able to fix everything, you get a clean opinion "as of". We still care that the controls weren't operating effectively, but for the purpose of the opinion, we use "as of".
Internal control audits don't get ___________ opinions.
Actual control risk, Planned assessed level of control risk, and Assessed level of control risk
It's helpful to realize that there are 3 "control risks", What are they?
Internal control questionnaire
One of several methods of describing internal control in audit working papers. Usually designed so that "no" answers prominently identify weaknesses in internal control.
1. How a control was applied 2. The consistency with which it was applied 3. By whom.
Operating Effectiveness- Relates to tests of controls. Tests of controls address operating effectiveness. Higher threshold. Controls could be implemented, but doesn't necessarily mean they're effective. Operating effectiveness is concerned with: 1. ? 2. ? 3. ? Auditors perform tests of controls to evaluate operating effectiveness. For example, recall our "approved customers list." An auditor may select a sample of 50 sales invoices to determine that the credit sale is to a properly approved customer. Evidence on operating effectiveness is always necessary to assess control risk at a level lower than the maximum.
Internal control (IC) "Process" is used as a vague term because internal controls can be a lot of things
Process, effected by the entity's board of directors, management and other personnel designed to provide reasonable assurance (we don't expect them all to be 100%) regarding the achievement of objectives in the following categories: 1. Reliability of financial reporting. Focus of our class. 2. Effectiveness and efficiency of operations. Goal and management of the board to make sure business is run properly. 3. Compliance with applicable laws and regulations.
user entities For example, a CPA's client (the user entity) may outsource its payroll function to a service organization. AICPA AU 402 (PCAOB 324) requires that the auditors of the user entity obtain an understanding of how the user entity uses the services of the service organization, including their nature, significance and effect on internal control
Service organizations provide processing services to companies, referred to as ______________, that decide to outsource a portion of their processing.
To get out of testing controls and do a more efficient audit. More audit work is more time consuming and more expensive.
Sometimes auditors will assess control risk as high, even though it's very low. Why?
Actual control risk
The actual, unknown, risk that a material misstatement could occur in an assertion (or account) will not be prevented or detected on a timely basis by an entity's IC. This is unknown because the audit is based on a sample of evidence.
control; detection
The auditors make decisions about the proper combination of tests of controls (which allow a lower assessment of __________ risk) and substantive procedures (which restrict ____________ risk)
Assessed level of control risk
The level at which control risk is assessed for purposes of determining the scope of substantive procedures. If no tests of controls are performed this is at the maximum level. If tests of controls have been performed the results of these tests determine its level.
whole year
The reports on financial statements and ICFR may be separate, or combined and should be dated the same. The financial statement opinion applies to the ___________.
1. Identifying IC policies and procedures relevant to specific assertions that are likely to prevent or detect misstatements in assertions. 2. Performing tests of controls to evaluate the effectiveness of such policies and procedures.
The tricky part with Planned assessed level of control risk is that the planned assessed level of control risk is not always at the same level as the auditor's guess of control risk. Why? The planned assessed level of control risk is at the maximum unless the auditor plans to perform tests of controls to obtain evidence on whether internal control operates effectively. Planning and assessing control risk below the maximum level requires: (2)
Operating Effectiveness
This internal control concept relates to tests of controls. Tests of controls address _____________ . Higher threshold. Controls could be implemented, but that doesn't necessarily mean they're effective.
Planned assessed level of control risk
This level is lower than the maximum level (the maximum level means the highest risk) when the assessed level of the risk of material misstatement presumes that controls operate effectively.
financial statements
To perform an audit of ICFR the auditor must also audit the ____________.
A. Plan the engagement B. Use a top-down approach to identify controls to test
What are the stages of audit of ICFR?
If substantive tests can achieve the same results, then we will do those instead of tests of controls.
What do you mean by tests being cost justified?
Deficiency
When the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect material misstatements on a timely basis. Not something the partner feels should be communicated to the audit committee.
When they want to assess the internal controls at either moderate or low risk. Publicly traded clients need tests of controls because of the audit report.
When would an auditor perform tests of controls?
Design of structure and whether it has been implemented (previously referred to as placed in operation). This means the entity is using the control.
With internal controls, what is the level of understanding needed?
maximum; lower
If no tests of controls have been performed, control risk must be assessed at the _________ level. If some tests of controls have been performed it may be possible to assess it at a level ______ than the maximum.
Management Risk Assessment (not the same thing as the auditor's risk assessment) Note: This is not the risk assessment we've been talking about with the "audit risk model."—i.e., audit risk is composed of inherent risk, control risk, and detection risk. Client management should have a process of going through and evaluating the risky areas of their own company.
the organization's process of identifying potential risks to its financial reporting objectives and developing actions to address those risks. Client management should have a process of going through and evaluating the risky areas of their own company.
Significant Deficiency
A deficiency in internal control (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting (basically the audit committee).
adverse
AUDITS OF ICFR If there are any material weaknesses, you go straight to _____________ opinion.
disclaimer
AUDITS OF ICFR If there's a scope limitation, we go straight to ______________ opinion.
Unqualified opinion may be issued when there have been no identified material weaknesses and when there have been no restrictions on the scope of the work.
AUDITS OF ICFR Unqualified opinion may be issued when there have been no ________________________
material weaknesses
An audit of ICFR is designed to obtain reasonable assurance that deficiencies, individually or in aggregate, that would represent _______________ are identified. It is not designed to detect less severe deficiencies
Remember PIPS P: Performance reviews. I: Information processing controls. Examples: transactions need to be approved by a supervisor; people have a limit on how much they can approve. P: Physical controls. Examples: Certain areas of the building are only accessible to certain employees. S: Segregation of duties (Authorization, Recording, and Custody).
Control Activities- An organization will establish policies and procedures to help ensure management directives are carried out. These policies and procedures represent Control Activities. They cover a range of activities and may include the following: (4)
A. No tests of controls performed: High, maximum. No reliance on internal controls. B. Tests of controls performed, system found not to be operating effectively: High C. Tests of controls performed, system operating somewhat effectively, but not as well as anticipated: Moderate. Will probably do more substantive procedures than you were planning, but not the maximum. D. Tests of controls performed, system operating as anticipated: Lowest level. We can rely on internal controls.
For the following 4 situations, determine the assessed level of control risk: A. No tests of controls performed B. Tests of controls performed, system found not to be operating effectively. We were planning on relying on internal controls then we test them and they're not operating effectively. C. Tests of controls performed, system operating somewhat effectively, but not as well as anticipated D. Tests of controls performed, system operating as anticipated
(example) an auditor may have obtained a flowchart of the revenue cycle, and s/he simply observes employees performing the duties outlined on that flowchart.
How may an auditor obtain the understanding of the concept of an internal control being Implemented (Placed in operation)?
A. Contacting the service organization, through the user entity, to obtain specific information. B. Visiting (or engaging another auditor to visit) the service organization and performing necessary procedures about the relevant controls at the service organization. C. Obtaining the report of a service auditor on the service organization's controls.
Service organizations provide processing services to companies, referred to as user entities, that decide to outsource a portion of their processing. For example, a CPA's client (the user entity) may outsource its payroll function to a service organization. AICPA AU 402 (PCAOB 324) requires that the auditors of the user entity obtain an understanding of how the user entity uses the services of the service organization, including their nature, significance and effect on internal control. If the auditor is unable to obtain sufficient understanding from the entity they should consider:
Audit ICFR: 1. Test sufficient period of time around "as of" date—may be less than entire period. 2. All significant controls tested. (When the auditors perform an integrated audit, the option of not testing controls for a significant account is not available, because controls over all significant accounts must be tested to provide a basis for the opinion on internal controls.) Financial statement audit: 1. Use a combination of test of controls and substantive procedures
The audit of ICFR should be integrated with the audit of the financial statements, although the objectives are not identical. Describe the Tests of controls for ICFR Audits and financial statement audits.
Misunderstandings, mistakes of judgment, carelessness, collusion and/or management override. Collusion is when 2 or more people are working together to commit a fraud or along those lines. Management override: when someone in charge (like the CFO) says something along the lines of "I don't care about the internal controls, I want this done" and accountants follow.
The best internal controls may break down due to: (4)
3
We need to consider Evidence from tests of controls performed in previous years. If nothing changes, you only have to test internal controls every ________ years according to AICPA standards. If something is new or changed, you only test that. According to PCAOB, you have to do testing every year.
Deficiency, Significant Deficiency, Material Weakness Classifying deficiencies is extremely subjective
What are the 3 classifications of deficiencies of internal controls?
1. Plan the Engagement 2. Use a Top-Down Approach to Identify Controls to Test 3. Test and Evaluate Design Effectiveness 4. Test and Evaluate Operating Effectiveness 5. Form an Opinion on the Effectiveness of Internal Control
What is the overall Approach for an Audit of Internal Control?
the maximum or highest level. May be referred to as "not being reliable to internal controls"
If no tests of controls have been performed, control risk must be assessed at......
1. Objectivity—Consider organizational status within company (e.g., reporting to audit committee is a plus) and policies for assuring that internal auditors are objective. 2. Competence—Consider education, experience, professional certification, audit policies and various work policies 3. Work performance—review their work. Someone from external audit team must review it.
We need to consider for internal controls that CPAs may use internal auditors to provide direct assistance in performing procedures. Assessment of internal auditors includes examining their: (3)
Testing controls can be expensive so substantive testing may be cheaper. Economically, if we can get out of testing controls we will and we will drop the highest level of control risk to do more substantive procedures.
Why would an auditor have a planned assessed level of control risk at the maximum level?
relevant
Client Monitoring (not auditor monitoring). Due to changes among personnel and within an organization, it is essential that internal controls be monitored over time to determine whether they continue to be __________ and able to address new risks of the organization.
A. Identify and record all valid transactions. B. Provide, on a timely basis, sufficient detailed information about transactions to permit proper classification for financial reporting. C. Allow for the recording of transactions at their proper monetary value in the financial statements. D. Provide sufficient information to permit recording of transactions in the proper accounting period. E. Properly present the transactions and related disclosures in the financial statements. All have corollaries to the management assertions.
The Accounting Information and Communication System-an information system should include methods and records that: (5)
A. Integrity and ethical values. B. Board of directors independence of management and oversight of internal control. C. Organizational structure. D. Attracting, developing, and retaining competent employees. E. Individual accountability.
What are 5 characteristics of a control environment?
External Auditor audits financial statements of audit client. The audit client outsources payroll to a payroll processing center. A service auditor will audit the internal controls of the payroll processing center and send a service report back to the external auditor.
What is the flowchart of a service report?
Control Activities
An organization will establish policies and procedures to help ensure management directives are carried out. These policies and procedures represent _____________________. They cover a range of activities and may include the following:
(1) substantive procedures alone do not provide sufficient appropriate audit evidence or (2) auditors wish to reduce the scope of substantive procedures through performance of tests of controls. Auditors will ordinarily wish to reduce the scope of substantive procedures and perform tests of controls in circumstances in which they believe such an approach is cost justified. However, in all circumstances, for relevant assertions some substantive procedures should be performed.
Auditors perform tests of controls when the risk assessment includes an expectation of the operating effectiveness of controls. The risk assessment includes such an expectation .....
This separation provides for independent records to be maintained that can be reviewed independently or collectively to reconcile assets on hand. This provides accountability over assets and provides the information necessary for financial reports. The accounting department maintains the independent records and the reconciliation is performed by the operations control group.
How does separation of the record keeping function from custody of assets contribute to internal control?
below
Internal Control flowchart: After the auditors perform a walk-through, the auditor may at this point choose to perform various tests of controls to obtain evidence on operating effectiveness (Not required, but possible). If these tests show the system to be operating effectively, the assessed level of control risk will be _______ the maximum level (this leads to less substantive procedures).
corporate governance A primary concern of corporate governance is the nature and extent of accountability of people in the corporation and procedures to try to assure that the organization works in the best interests of its stakeholders
The rules, processes, and laws by which businesses are operated, regulated, and controlled.
A. Changes in the organization's operating environment. B. New personnel. C. New or revised information systems/new technology. D. Rapid growth within the organization. E. New products and activities. F. Restructuring within the organization. G. New/changes in accounting principles.
What are some things that can be included in Management's Risk assessment? (7)
charged with governance (as well as to management) those charged with governance is ordinarily the audit committee
Communication of Control Related Matters The auditor's objective in an audit of financial statements is to form an opinion on the financial statements, not to identify significant deficiencies. But when an auditor becomes aware of significant deficiencies or material weaknesses they must be communicated in writing to those ________________.
1. Few or no exceptions the auditor will conclude that the controls operate effectively, and assess control risk at a low level. 2. More exceptions, the auditor will conclude that controls operate less effectively, and assess control risk at a level above the low level (perhaps "moderate."). 3. If many exceptions were found, the auditor will conclude that controls do not operate effectively, and assess control risk at the maximum level.
In assessed level of control risk, what does the auditor do if tests of controls found few or no exceptions, more exceptions, and many exceptions?
1. Identify types of potential misstatements 2. Consider factors that affect the risk of misstatements 3. Design tests of controls, when applicable 4. Design substantive procedures
Internal Control- Level of Understanding Design of structure and whether it has been implemented (previously referred to as placed in operation). This means the entity is using the control. In planning the audit, such knowledge should be used to: (4)
x
The auditor should design his/her testing of controls to accomplish the objectives of both ICFR and financial statement audits simultaneously: A. Obtain sufficient evidence to support auditor's opinion on ICFR; and B. Obtain sufficient evidence to support auditor's control risk assessments for the purpose of audits of financial statements.
1. Adequacy of management's assessment 2. Results of auditor's evaluation of design 3. Results of tests of operating effectiveness 4. Negative results of substantive procedures performed during financial statement audit 5. Any identified control deficiencies
The company's external auditors to audit and report on internal control over financial reporting (ICFR). The auditors should evaluate: (5)
Remember IIOR: Inquiries, Inspection, Observation, Reperformance A. Inquiries—Discuss with appropriate client personnel the manner in which the control functions. For inspection and reperformance assume we have randomly selected a sample of 60 sales invoices from throughout the year. B. Inspection—Inspect invoices and determine whether evidence exists that the procedures have been performed (e.g., invoices bear initials of the individual who reviewed them). C. Observation—Observe application of the procedures being applied to the invoices several times during the year. D. Reperformance—Reperform the procedure by comparing quantities shown on each invoice to the quantities listed on the related shipping documents and by comparing unit prices to the client's price lists.
What are the 4 Types of tests of controls?
1. Control environment-Management's and directors' attitudes, awareness & actions. (Context, all of the stuff that's happening around the internal controls.) 2. Management Risk Assessment (not the same thing as the auditor's risk assessment) 3. The Accounting Information and Communication System 4. Control Activities 5. Client Monitoring
What are the 5 components of effective internal control?
1. The overall responses to address the assessed risks of misstatement at the financial statement level. 2. The nature, timing, and extent of the further audit procedures. 3. The linkage of those procedures with the assessed risks at the relevant assertion level. 4. The results of the audit procedures. 5. The conclusions reached with regard to the use in the current audit of audit evidence about the operating effectiveness of controls that was obtained in a prior audit.
What are the documentation requirements of the internal control flowchart? (5)
A. To assess the risk of material misstatement. B. Assess control risk and then determine the nature, timing and extent of further audit procedures. C. PCAOB 2nd Std. of Fieldwork: The auditor must obtain a sufficient understanding of the entity and its environment, INCLUDING ITS INTERNAL CONTROL, to assess the risk of material misstatement of the financial statements whether due to error or fraud to design the nature, timing and extent of further audit procedures. D. AICPA - GAAS: To obtain reasonable assurance, which is a high, but not absolute, level of assurance, the auditor identifies and assesses risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, INCLUDING THE ENTITY'S INTERNAL CONTROL.
Why do auditors consider internal control in a financial statement audit?