Audit 3222 Ch 6
the risk that an auditor expresses an inappropriate audit opinion when a financial report is materially misstated. a function of the risks of material misstatement and detection risk.
audit risk
controls in this category pertain to adherence to laws and regulations to which the entity is subject.
compliance objectives
____ are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. performed at all levels of the entity, at various stages within business processes, and over the technology environment.
control activities
___ is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
control environment
briefly explain why entity level controls are important, and only understanding transaction level controls is insufficient.
entity level controls provide oversight of the effective operation of transaction level controls. if entity level controls are not effective, it is less likely that transaction level controls will prevent, or detect and correct, transaction level misstatements.
____ is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. ____ is the continual, iterative process of providing, sharing, and obtaining necessary info.
information; communication
the info and communication system relevant to financial reporting objectives consists of methods and records established to identify, assemble, analyze, classify, record and report entity transactions and to maintain accountability for the related assets and liabilities. it involves a clear understanding of individual roles and responsibilities pertaining to ICFR.
information and communication system
____ address both IT risks and risks related to financial statement assertions.
information processing controls
a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting and compliance.
internal control
name a generally accepted framework used to describe internal controls.
internal control - integrated framework
a deficiency or a combination of deficiencies in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.
material weakness
the most common forms of documentation include the following:
narratives; flowcharts and logic diagrams; combination of narratives and flowcharts; checklists and preformatted questionnaires
why is it important to understand and evaluate internal controls?
necessary in order to audit internal controls over financial reporting and to make a preliminary assessment of control risk.
the purpose of internal controls in this category is to meet internal and external financial and non financial reporting requirements and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity's policies.
reporting objectives
____ is the process for identifying and responding to risks that an organization will not achieve its objectives.
risk assessment process
a deficiency in the design exists when two things happen:
-a control necessary to meet the control objective is missing.
-an existing control is not properly designed so that even if the control operates as designed the control objective would not be met.
5 internal risk factors are:
-a disruption in info systems processing can adversely affect the entity's operations.
-the quality of personnel hired and methods of training and motivation can influence the level of control consciousness within the entity.
-a change in management responsibilities can affect the way certain controls are implemented.
-the nature of the entity's activities, and employee accessibility to assets can contribute to misappropriation of resources.
-an unassertive or ineffective board or audit committee can provide opportunities for indiscretions.
explain the steps involved in a top down approach to understanding an entity's system of internal control.
-begins by developing a thorough understanding of the entity and its financial reporting risks.
-next, the auditor understands the flow of the documents through the system for each major transaction; major transaction classes are normally in the revenue cycle, the purchases cycle, the payroll cycle, inventory transactions, and financing and investing transactions.
-the auditor then evaluates what can go wrong at the entity level and at the transaction class level.
-when internal controls appear to be well designed, then the auditor will test the controls to obtain evidence to support a control risk assessment of low.
what are the five components of internal control?
-control environment
-risk assessment process
-info system, including the related business processes, relevant to financial reporting and communication
-control activities
-monitoring of controls
computer general controls function at an entity level to control a wide variety of IT risks and maintain the integrity of info and security of data. they commonly include controls over:
-data center and network operations
-system software acquisition, change and maintenance
-program changes
-access security
-application system acquisition, development and maintenance
the key to successful empowerment and an effective control environment is to:
-delegate only as much authority as is needed to achieve the organization's goals.
-ensure that those making decisions understand that they will be held accountable.
-hold those who are responsible accountable for their actions.
a commitment to competence requires two management steps:
-first, management needs to decide what skills are required to appropriately perform job responsibilities.
-second, management must staff those jobs with individuals who have the needed skills.
the six inherent limitations of internal control are:
-human error
-ineffective understanding of the purpose of a control
-collusion by two or more individuals
-management override of an internal control
-cost/benefit
-decisions made by management as to the nature and extent of the control it chooses to implement.
the identification and analysis of risk involves 4 steps:
-identifying risk relevant to the achievement of the entity's objectives.
-estimating the significance of the risks.
-assessing the likelihood of their occurrence.
-deciding about actions to address those risks.
when assessing fraud risks, management should consider the three elements of the fraud triangle:
-incentives and pressures
-opportunities to perpetrate fraud
-attitudes and rationalization
the 6 external risk factors are:
-technological development can affect the nature and timing of research and development, or lead to changes in procurement.
-changing customer needs or expectations can affect product development, production processes, customer service, pricing or warranties.
-competition can alter marketing or service activities.
-new legislation and regulation can force changes in operating policies and strategies.
-natural catastrophes can lead to changes in operations or info systems and highlight the need for contingency planning.
-economic changes can have an impact on decisions related to financing, capital expenditures, and expansion.
the process used for developing an audit strategy for various assertions involves the following:
-understanding the flow of transactions.
-identifying what can go wrong.
-assessing whether controls exist to mitigate what can go wrong.
-performing tests of controls.
-reporting internal control weaknesses to those charged with governance of the entity, based on controls that are absent or controls that are not operating effectively.
-determining an audit strategy at the assertion level.
to gain an understanding of the client's monitoring process at the entity level, and determine how well they adhere to the monitoring principles above, the auditor needs to consider:
-whether periodic evaluations of internal control are made.
-the extent to which personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal controls continues to function.
-the extent to which communications from external parties corroborate internally generated info, or indicate problems.
-whether management implements internal control recommendations made by internal and external auditors.
-management's approach to correcting known significant deficiencies on a timely basis.
-management's approach to dealing with reports and recommendations from regulators.
in a good system of segregation of duties, which of the following duties should be segregated?
a. authorization of transactions, physical access to assets, and recording transactions.
b. authorization of transactions, physical access to assets, and management.
c. physical access to assets, recording of transactions, and consideration.
d. authorization of transactions, recording transactions, and management.
a. authorization of transactions, physical access to assets, and recording transactions.
the control environment:
a. sets the tone of an entity with respect to internal control and influences the control consciousness of its people.
b. is focused on how the entity addresses info technology risks.
c. only applies to public companies.
d. directly addresses adequacy of segregation of duties.
a. sets the tone of an entity with respect to internal control and influences the control consciousness of its people.
the entity level principle that addresses how an organization holds an individual accountable for his or her internal control responsibilities in pursuit of objectives is related to:
a. the control environment
b. risk assessment
c. control activities
d. information and communication
e. monitoring
a. the control environment
a major purpose of proper authorization procedures is to ensure that every transaction is authorized by management personnel acting within the scope of their authority.
authorization controls
what are the five common categories of control activities?
authorization controls; performance reviews; info processing controls; physical controls; segregation of duties
internal control is defined as:
a. the entity's system to prevent, or detect and correct misstatements in the financial statements.
b. a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting and compliance.
c. a process, implemented by management, to ensure the integrity of the entity's management info system.
d. the entity's system to ensure that management and those charged with governance of the entity, have quality info for decision making.
b. a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting and compliance.
documenting internal controls:
a. is always handled through the use of checklists and preformatted questionnaires.
b. is done after internal controls are tested so that the results can be included in the documentation.
c. can be handled with a combination of narratives and flowcharts or logic diagrams.
d. is not done for smaller clients because of the risk of management override.
b. is done after internal controls are tested so that the results can be included in the documentation.
an auditor normally obtains an understanding of transaction level controls by:
a. conducting an interview with senior management.
b. performing a system walkthrough
c. reading the prior year's management letter
d. testing the entity's risk assessment process.
b. performing a system walkthrough
why is segregation of duties important when understanding internal control?
because failure to maintain strong segregation of duties makes it possible for an individual to commit an error or fraud and then be in a position to conceal it in the normal course of his or her duties.
a management letter:
a. lists only the material weaknesses discovered during the audit.
b. is written by management to the auditor at the start of the audit.
c. contains recommendations for improving significant deficiencies and material weaknesses in internal control discovered during the course of the audit.
d. all of the above
c. contains recommendations for improving significant deficiencies and material weaknesses in internal control discovered during the course of the audit.
an entity's risk assessment process:
a. is designed to help an entity think about risk in the same way that an auditor thinks about risk.
b. is established only if the entity is subject to unusually high risk.
c. is the entity's process for identifying and responding to business risks and the results thereof.
d. never allows management of an entity to decide to accept a risk without taking any action.
c. is the entity's process for identifying and responding to business risks and the results thereof.
the objectives of internal control include:
a. operations objectives, internal control objectives and financial objectives.
b. operations objectives, control environment objectives, and financial reporting objectives.
c. operations objectives, reporting objectives and compliance objectives.
d. risk assessment objectives, compliance objectives, and reporting objectives.
c. operations objectives, reporting objectives and compliance objectives.
when an auditor identifies internal control deficiencies, what levels of internal control deficiencies must be reported to those charged with governance of the entity?
a. any deficiencies in internal control
b. material weaknesses only
c. significant deficiencies only
d. deficiencies and significant deficiencies in internal control.
c. significant deficiencies only
technique used to systematically identify the most common types of internal control procedures that should be present. this is particularly helpful in industries that the auditor may not personally be familiar with auditing or when less experienced auditors find it difficult to identify which are the critical controls.
checklists and preformatted questionnaires
this form of documenting internal controls is typically a page divided into two sections with the process flowchart on the left hand side and the narrative describing each step in the flow on the right hand side. the flowchart side highlights the key activities from initiation to reporting, while the narrative column contains the details about what happens to the flow of the transaction.
combinations of narrative and flowcharts
___ are policies and procedures that help make sure management's directives are carried out. they help ensure that necessary actions are taken to address risks impacting the achievement of the organization's objectives.
control activities
the attitudes, awareness and actions of management and those charged with governance concerning the entity's internal control and its importance in the entity.
control environment
the five components of internal controls are:
control environment; risk assessment; control activities; information and communication; monitoring
it is important for an auditor to understand a public company's system of internal control in order to:
a. audit internal control over financial reporting.
b. make a preliminary assessment of control risk.
c. develop an audit strategy.
d. all of the above
d. all of the above
if the auditor collects evidence that computer general controls are strong, then the auditor can conclude that:
a. application controls function properly and put the correct transactions on exception reports.
b. computer applications are more likely to operate consistently over time.
c. computer processed transactions are adequately supported by source documents.
d. control risk can be assessed as low
d. control risk can be assessed as low
which of the following is not part of the common categorization of control activities:
a. authorization controls
b. performance reviews
c. info processing controls
d. controls over human error
d. controls over human error
____ exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.
deficiency in internal control
internal control weaknesses are commonly categorized into three groups:
deficiency in internal control; material weakness; significant deficiency
proper authorization procedures often have a direct effect on control risk for ___ and ___ assertions, and in some cases, valuation or allocation assertions, such as the authorization of an expenditure or the authorization of a customer's credit limit.
existence; occurrence
___ are not often used as they usually take longer to prepare than narratives or checklists. ___ are more common. they provide a visual perspective of the flow of the transaction and key controls throughout the flow that is often simpler for the reader or reviewer to understand than narrative alone.
flowchart; logic diagram
this form of documentation is used in larger and more complex environments. it involves the auditor summarizing each step of the flow of a transaction from start to finish.
flowcharts and logic diagrams
____ relates to the general conditions under which transactions are authorized, such as standard price lists for products and credit policies for charge sales.
general authorization
___ is a deliverable prepared by the audit team and provided to those charged with governance. this discusses internal control weaknesses and other matters discovered during the course of the audit. the purpose of this is to meet the auditor's responsibility for communicating internal control matters in writing on a timely basis with those charged with governance and to inform those charged with governance of the auditor's recommendations for improving its internal controls.
management letter (aka letter of recommendations)
a process that assesses the quality of internal control performance over time. it involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.
monitoring
ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.
monitoring
this is the most common form of documentation, particularly in smaller environments where accounting and internal controls are simple or where a particular flow of transaction is relatively simple and straightforward. it involves the auditor describing in words each step of the flow of a transaction from start to finish.
narratives
internal controls in this category help ensure the effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss.
operations objectives
the three objectives of internal controls are:
operations objectives; reporting objectives; compliance objectives
the control environment is critical because it has a ____ effect on the other four components of internal control.
pervasive
every entity faces a variety of risks from external and internal sources. the possibility that an event will occur and adversely affect the achievement of objectives.
risk assessment
____ in the purchases cycle would have one individual authorize a purchase transaction, another individual being responsible for custody and receiving of inventory, and a third individual having responsibility for recording the transaction in the accounting records. this also involves comparing recorded accountability with assets on hand.
segregation of duties
a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
significant deficiency
___ relates to the granting of authorization on a case by case basis.
specific authorization
briefly explain the important aspects of a strong control environment
the control environment sets the tone of an entity and influences the control consciousness of its people. it is the foundation for all other components of internal control and is often thought of as a combination of the culture, structure and discipline of an organization.
___ are controls that affect a particular transaction or group of transactions. controls that respond to things that can go wrong with transactions.
transaction level controls