Audit 1 Chapter 7
market capitalization formula
# of shares issued * current price per share
steps to issuing a f/s audit
1) plan the audit 2) obtain an understanding of the client, its environment, and internal control 3) assess the risks of misstatement and design further audit procedures 4) perform further audit procedures 5) complete the audit 6) form an opinion and issue the report
Service Organization Controls (SOC)
SOC 1 - about controls over financial reporting; SOC 2 - about data integrity, privacy, and security
two types of service auditor reports
Type 1, Type 2
fidelity bonds
a form of insurance where a bonding company agrees to reimburse an employer within limits for losses attributable to theft or embezzlement by bonded employees
general control
apply to all or multiple types of transactions
application control
apply to the processing of a single type of transaction
when they should speak to management:
as discovered but no later than 60 days following the report release date
incompatible duties
assigned duties that place an individual in a position to both perpetrate and conceal errors or fraud in the normal course of job performance. these violate the segregation of duties
if using work of internal auditors
communicated how the work will be used to those charged with governance
risk of misstatement
composed of inherent risk and control risk. helps define the nature, timing, and extent of further audit procedures
4: AIS
consists of the methods and records established to record, process, summarize, and report an entity's transactions and to maintain accountability for the related A/L/E. make sure all transactions are recorded and that you have a chart of accounts
material weakness
deficiency in i/c over financial reporting such that there is a reasonable possibility that a material misstatement of the company's f/s will not be prevented or detected on a timely basis. required to speak to management with management letter.
significant deficiency
deficiency in i/c over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. required to speak to management with management letter.
3 classifications of issues in i/c
deficiency in internal control, significant deficiency, material weakness
redundant controls
duplicate controls that achieve a control objective (overlap)
deficiency in internal control
exists when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent or detect material misstatements on a timely basis. speak with management if it merits attention
if deviations are found...
expand the sample size
Enterprise Risk Management
focuses on how org can obtain maximum value for stakeholders by managing all risks and opportunities effectively. COSO issued a framework for it
transaction level risks
found within divisions, operating units, or functions of the organization
nature of tests of i/c
inquiries of appropriate client personnel, inspection of documents and reports, observation of the application of controls, and re-performance of the controls.
if relying on internal auditors
make sure you've evaluated their competency and objectivity, and that they're using a systematic and disciplined approach. examine their education, training, external audit experience, and who they report to (should be the audit committee)
general authorization
management establishes criteria for acceptance of a certain type of transaction
Type 2 report
management's description of a service org's system and the suitability of the design and operating effectiveness of controls
Type 1 report
management's description of a service org's system and the suitability of the design of controls
i/c written narrative
memoranda that describe the flow of transaction cycles, identify the employees performing various tasks, the documents prepared, the records maintained, and the division of duties. good because it's very flexible. bad because it's hard to read
limitations of internal control
mistakes in the performance of controls can be due to misunderstanding instructions, mistakes of judgment, carelessness, distraction, or fatigue. also can be due to inappropriate management, cost restrictions, and human error.
i/c of a small company
more difficult than a larger company because it's harder to segregate duties.
if getting assistance from internal auditors
obtain written acknowledgement from management and those charged with governance that the internal auditors will be allowed to perform the work free from any interference.
transaction control activities
performed to check the accuracy, completeness, validity, and authorization of transactions. includes authorizations and approvals, verification, physical controls of assets and records, controls over standing data, reconciliations, and supervisory controls. other examples: following up, adhering to budgets, pre-numbered documents.
3: control activities
policies and procedures that help mitigate the risk that the org's objectives will not be met. includes performance reviews, transaction control activities, general controls and application controls, and segregation of duties
3 types of internal control
preventive, detective, and corrective
Section 404(b) of SOX
requires that the auditor attest to and report on internal control over financial reporting (have to do an integrated audit). only applies to public companies with a market capitalization of $75 million or more.
internal control allows us to:
safeguard assets, comply with laws/regs, operate efficiently and effectively, and record things properly
effective organizational structure
should separate responsibilities for authorization of transactions, record keeping for transactions, and custody of assets. treasury - treasurer - authorization and custody of assets; accounting function - controller - record keeping
corporate governance
the system by which companies are directed and controlled
walk through
tracing one or two transactions through each step of the transaction cycle. it's a way to see if i/c is being implemented. (not a way to document the controls)
specific authorization
transactions are authorized on an individual basis
ways you can use internal auditors
using their work as evidence (note that it's PBC) or getting assistance from them on the audit.
segregation of duties
1) no one person or department should have complete control of a transaction from beginning to end 2) if you have physical access to an asset, you should not have access to the accounting record or be allowed to authorize transactions for that asset (separate authorizing transactions, recording transactions, and maintaining custody of assets)
internal control
a process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories of operations, reporting, and compliance
corrective controls
control established to remedy control problems that are discovered through detective controls. ex: maintaining backup copies of key transactions to correct entry errors, disciplinary actions
compensating controls
control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective. they're performed to detect (rather than prevent) the original misstatement from occurring. ex: short staffed so have manager review all entries to make up for lack of segregation
detective controls
controls designed to discover control problems soon after they occur. ex: policy requiring preparation of monthly bank statements, inventory counts
preventive controls
controls that deter control problems before they occur. avoiding occurrence of misstatements. ex: segregation of duties, requiring approval of period ending journal entries, passwords/locks
complementary controls
controls that function together to achieve the same control objective (work together)
Treadway Commission
created Committee of Sponsoring Organizations to study internal control. set definition and standards that transactions need to be timely, in the correct amount, accurately recorded, and properly disclosed.
i/c flowchart
diagram of procedures, division of responsibilities, sources and distribution of docs, and types and location of accounting records for each major transaction cycle. good for clear visual portrayal and effectiveness with little room for misunderstanding. bad because it doesn't flag weaknesses as obviously as does the questionnaire.
effects of FCPA of 1977
eliminated the "ignorance is bliss" defense. assures all transactions are done with the knowledge of management. system of i/c is now required by federal law.
entity level risks
from external or internal factors, such as economic, regulatory, technology, or personnel factors
2: risk assessment process
have to determine risk tolerance (avoidance, reduction, sharing, or acceptance) and how risks could prohibit achieving objectives
integrated audit requirements
have to test all significant accounts up to the as of date. have to comply with COSO.
why test i/c?
have to test them if you rely on them (don't test them if they're bad because you won't rely on them). they help determine the nature, timing, and extent of substantive testing.
info from gaining understanding of i/c will be used to:
identify types of potential misstatements, consider factors that affect the risks of material misstatements, and design tests of control and substantive procedures
when to test for i/c
if a process is changed, you have to test for i/c. PCAOB - some evidence regarding operational effectiveness is required annually; AICPA - testing required every third year if there hasn't been a change
procedures to assess risk within i/c
inquire of personnel, observe controls, inspect documents, trace transactions
5: monitoring activities
process to assess the quality of internal control performance over time. internal audit function performs ongoing monitoring evaluations on a routine basis and
three ways to document understanding of i/c
questionnaire, written narrative, flowchart
Foreign Corrupt Practices Act of 1977
requires companies under the jurisdiction of the SEC to maintain a system of i/c that will provide reasonable assurance that: transactions are executed with the knowledge and authorization of management, transactions are recorded as necessary to permit the prep of f/s and accountability for assets, access to assets is limited to authorized individuals, and accounting records of assets are compared to existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
five components of internal control
the control environment, the risk assessment process, control activities, the information system relevant to financial reporting and communication (AIS), and the monitoring activities
service organizations
provide processing services to companies (user entities) that decide to outsource a portion of their processing (payroll, etc). should go and ask to test their controls or use the service auditor's report.
Section 404(a) of SOX
requires each annual report filed with SEC to include a letter from management that states they acknowledge responsibility for establishing and maintaining adequate i/c over financial reporting. also provides assessment of internal control effectiveness with evidence as of the end of the most recent fiscal year.
1: control environment
the standards, processes, and structures that guide individuals in carrying out their duties that make up the foundation for i/c. includes commitment to integrity and ethical values, effective BOD, effective organizational structure, attracting/developing/retaining competent employees, and individual accountability
i/c questionnaire
yes or no questions where no's are considered a weakness. good because weaknesses are easy to spot. bad because inflexible, prewritten, and it's not easy to document the compensating controls (what they're doing to combat the weaknesses)