auditing test 2 chapter 10
narrative
- a written description of a client's internal control -a proper narrative of an accounting system and related controls describes four things: 1. the origin of every document and record in the system 2. all processes that take place 3. the disposition of every document and record in the system 4. an indication of the controls relevant to the assessment of control risk
identify and evaluate control deficiencies, significant deficiencies, and material weakness
-4th step is assessment of control risk -auditors must evaluate whether key controls are absent in the design of internal control over financial reporting as a part of evaluating control risks and the likelihood of financial misstatements
flow chart
-a diagram of the client's documents and their sequential flow in the organization -an adequate flowchart includes the same four characteristics identified for narratives -well-prepared flowcharts are advantageous primarily because they provide a concise overview of the client's system, including separation of duties, which helps auditors identify controls and deficiencies in the client's system -flowcharts have two advantages over narratives 1. typically they are easier to read 2. easier to update -unusual to use both a narrative and a flowchart to describe the same system because both present the same information
specific authorization
-applies to individual transactions -for certain transactions, management prefers to authorize each transaction
separation of IT duties from user departments
-as the level of complexity of IT systems increases, the separation of authorization, record keeping, and custody often becomes blurred -to compensate for these potential overlaps of duties, it is important for companies to separate major IT-related functions from key user department functions
internal control questionnaire
-asks a series of questions about the controls in each audit area as a means of identifying internal control deficiencies -most questionnaires require a yes or no response, with no responses indicating potential internal control deficiencies -by using a questionnaire auditors cover each audit area reasonably quickly -2 main disadvantages: inability to provide an overview of the system and their inapplicability for some audits, especially smaller ones -questionnaire incorporates the six transaction-related audit objectives -the use of questionnaires and flowcharts together is useful for understanding the client's internal control design and identifying internal controls and deficiencies -flowcharts provide an overview of the system, while the questionnaires offer useful checklists to remind the auditor of many different types of internal controls that should exist
physical control over assets and records
-assets and records must be protected, if left unprotected they can be stolen -if not adequately protected, they can be stolen, damaged, altered, or lost, which can seriously disrupt the accounting process and business operations -most important type of protective measures for safeguarding assets and records is the use of physical precautions
phase 1
-auditing standards require auditors to obtain and document their understanding of internal control for every audit, which is necessary for both the audit of internal controls over financial reporting and the audit of financial statements -management's documentation is a major source of information in gaining the understanding -auditor uses procedures to obtain an understanding -the auditor generally uses 4 of the 8 types of evidence to obtain an understanding of the design and implementation of controls: inspection, inquiry of entity personnel, observation of employees performing control processes, and re-performance by tracing one or a few transactions through the accounting system from start to finish -auditors commonly use three types of documents to obtain and document their understanding of the design of internal control: narratives, flowcharts, and internal control questionnaires
communication to those charged with governance
-auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence -the communication is usually addressed to the audit committee and to management -communications must be made no later than 60 days following the audit report release
management letters
-auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements -these should be communicated to the client -form is often a separate letter, these management letters are not required by auditing standards, but auditors generally prepare them as a value-added service of the audit
make inquiries of client personnel
-auditors should ask management, supervisors, and staff to explain their duties -careful questioning of appropriate personnel helps auditors evaluate whether employees understand their duties and do what is described in the client's control documentation
board of directors or audit committee participation
-board of directors is essential for effective corporate governance because it has the ultimate responsibility to make sure management implements proper internal control and financial reporting processes -effective board is independent of management, and its members stay involved in and scrutinize management's activities -delegates responsibility for internal control to management -must regularly assess these controls -an active and objective board can reduce the likelihood that management overrides existing controls -creates audit committee -audit committee assists the board in its oversight, charged with oversight responsibility for financial reporting -also responsible for maintaining ongoing communication with both external and internal auditors, including the approval of audit and non-audit services done by auditors for public companies -audit committee's independence from management and knowledge of financial reporting issues are important determinants of its ability to effectively evaluate internal controls and financial statements prepared by management -the Sarbanes-Oxley Act directed the SEC to require the national stock exchanges to strengthen audit committee requirements for public companies listing securities on the exchanges -in privately held companies, governance may be provided by owners, partners, trustees, or a committee of management, such as a finance or budget committee
commitment to competence
-competence is the knowledge and skills necessary to accomplish tasks that define an individual's job -includes management's consideration of the competence levels for specific jobs and how those levels translate into requisite skills and knowledge
efficiency and effectiveness of operations
-controls within a company encourage efficient and effective use of its resources to optimize the company's goals -an important objective of these controls is accurate financial and non financial information about the company's operations for decision making
organizational structure
-defines the existing lines of responsibility and authority -by understanding this, the auditor can learn the management and functional elements of the business and perceive how controls are implemented
separation of the authorization of transactions from the custody of related assets
-desirable to prevent persons who authorize transactions from having control over the related asset, to reduce the likelihood of embezzlement
assess control risk for each related audit objective
-done after controls and control deficiencies are identified and associated with transaction-related audit objectives -auditor assesses control risk for transaction-related objectives -this is the critical decision in the evaluation of internal control -auditor uses all prior information gathered to make a subjective control risk assessment for each objective (some auditors say high, low, or moderate and some use numerical probabilities) -this assessment is not the final assessment -before making the final assessment at the end of the integrated audit, the auditor will test controls and perform substantive tests
associate control deficiencies with related audit objectives
-each significant deficiency or material weakness can apply to one or more related audit objectives
proper authorization of transactions and activities
-every transaction must be properly authorized if controls are to be satisfactory -if any person in an organization could acquire or expend assets at will, complete chaos would result -authorization can either be general or specific
material weakness
-exists if a significant deficiency, by itself or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis -to determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along two dimensions: LIKELIHOOD AND SIGNIFICANCE -horizontal line depicts the likelihood of a misstatement resulting from the significant deficiency -vertical line depicts its significance -if there is more than a reasonable possibility (likelihood) that a material misstatement (significance) could result from the significant deficiency or deficiencies, then it is considered a material weakness
significant deficiency
-exists if one or more control deficiencies exist that are less severe than a material weakness, but important enough to merit attention by those responsible for oversight of the company's financial reporting
control deficiency
-exists if the design or operation of controls does not permit the company personnel to prevent or detect misstatements on a timely basis in the normal course of performing their assigned functions -design deficiency exists if a necessary control is missing or not properly designed -operation deficiency exists if a well-designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized
perform walkthroughs of the accounting system
-in a walkthrough, the auditor selects one or a few of the documents of a transaction type and traces them from initiation through the entire accounting process -at each stage of processing, the auditor makes inquiries, observes activities, and examines completed documents and records -walkthroughs conveniently combine observation, inspection, and inquiry to assure that the controls designed by management have been implemented -encouraged by AS 5 as best way to understand controls and pick controls to test -walkthroughs require the auditor to pick "representative" transactions and then trace the transaction through the process by meeting sequentially with client personnel who are involved in processing the transaction and performing control functions (what tasks do they perform?, what are the objectives of the process?, what adaptations are made when unusual events occur?, are they aware of any control breakdowns, control over-rides, or fraud?) -primarily designed to help the auditor evaluate control design -also provide information about effectiveness of controls (i.e. during the walkthrough, the auditor should be alert for exceptions to the company's prescribed procedures and controls) -enables the auditor to obtain an understanding of the overall structure of the control system and prepare a flowchart visual and enables the auditor to determine that certain control features are not actually being applied
5 common methods for evaluating whether the designed controls are implemented
-in practice the understanding of the design and implementation are often done simultaneously 1. update and evaluate auditor's previous experience with an entity 2. make inquiries of client personnel 3. examine documents and records 4. observe entity activities and operations 5. perform walkthroughs of the accounting system
inherent limitation
-internal controls can never be completely effective because their effectiveness depends on the competency and dependability of the people using them
general authorization
-management establishes policies and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy -these decisions include the issuance of fixed price lists for the sale of products, credit limits for customers, and fixed reorder points for making acquisitions
reliability of financial reporting
-management is responsible for preparing statements for investors, creditors, and other users -management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements of accounting frameworks like GAAP -the objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities
design of internal control
-management must evaluate whether the controls are designed and put in place to prevent or detect material misstatements in the financial statements -focus is on controls that address risks related to all relevant assertions for all significant accounts and disclosures in the financial statements (this includes evaluating how significant transactions are initiated, authorized, recorded, processed, and reported to identify points in the flow of transactions where material misstatements due to error or fraud could occur)
Risk assessment
-management's identification and analysis of risks relevant to the preparation of financial statements in conformity with appropriate accounting standards -failure to meet prior objectives, quality of personnel, geographic dispersion of company operations, significance and complexity of core business processes, introduction of new information technologies, economic downturns, and entrance of new competitors are examples of factors that may lead to increased risk -once management identifies a risk, it estimates the significance of that risk, assesses the likelihood of the risk occurring, and develops specific actions that need to be taken to reduce the risk to an acceptable level -management's risk assessment differs from, but is closely related to, the auditor's risk assessment -management assesses risks as a part of designing and operating internal controls to minimize errors or fraud -auditors assess risks to decide the evidence needed in an audit -if management effectively assesses and responds to risks, the auditor will typically accumulate less evidence than when management fails to identify or respond to significant risks
management's philosophy and operating style
-management, through its activities, provides clear signals to employees about the importance of internal control -understanding these things gives the auditor a sense of management's attitude about internal control
monitoring
-monitoring activities deal with ongoing or periodic assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions -information being assessed comes from a variety of sources, including studies of existing internal controls, internal auditor reports -for many companies, especially larger ones, an internal audit department is essential for effective monitoring of the operating performance of internal controls -to be effective, the internal audit function must be performed by staff independent of both the operating and accounting departments and report directly to high level authority within the organization
update and evaluate auditor's previous experience with an entity
-most audits of a company are done annually by the same CPA firm -after the first year's audit, the auditor begins with a great deal of information from prior years about the client's internal control -it is especially useful to determine whether controls that were not previously operating effectively have been improved
human resource policies and practices
-most important aspect of internal control is personnel -the methods by which persons are hired, evaluated, trained, promoted, and compensated are an important part of internal control
assessment of control risk
-part of the auditor's overall assessment of the risk of material misstatement -this assessment is a measure of the auditor's expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred
tests of controls
-procedures to test effectiveness of controls in support of a reduced assessed control risk
information and communication
-purpose of the system is to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets -for each class of transactions, the accounting system must satisfy all of the 6 transaction-related audit objectives -to understand the design of the accounting information system the auditor determines 1. the major classes of transactions of the entity 2. how those transactions are initiated and recorded 3. what accounting records exist and their nature 4. how the system captures other events that are significant to the financial statements, such as declines in asset values 5. the nature and details of the financial reporting process followed, including procedures to enter transactions and adjustments in the general ledger
identify existing controls
-second step in the control risk assessment -auditor uses the information of audit objectives on obtaining and documenting an understanding of internal control to identify the controls that contribute to accomplishing transaction-related objectives -one way for the auditor to do this is to identify controls to satisfy each objective -helpful for the auditor to use the five control activities (separation of duties, proper authorization, adequate documents and records, physical control over assets and records, and independent checks on performance) as reminders of control -auditor should identify and include only those controls that are expected to have the greatest effect on meeting the transaction-related audit objectives -the reason for including only key controls is that they will be sufficient to achieve the transaction-related audit objectives and also provide audit efficiency
compliance with laws and regulations
-section 404 requires management of all public companies to issue a report about the operating effectiveness of internal control over financial reporting -public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations -some relate to accounting only indirectly, such as environmental protection and civil rights laws -others are closely related to accounting such as income tax regulations and anti-fraud legal provisions
control environment
-serves as the umbrella for the other 4 components -without an effective control environment, the other four are unlikely to result in effective internal control, regardless of their quality -consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity
examine documents and records
-the 5 components of internal control all involve the creation of many documents and records -by examining completed documents, records, and computer files, the auditor can evaluate whether information described in flowcharts and narratives has been implemented
assess control risk
-the auditor obtains an understanding of the design and implementation of internal control to make a preliminary assessment of control risk as part of the auditor's overall assessment of the risk of material misstatements -the auditor uses this preliminary assessment of control risk to plan the audit for each material class of transactions -sometimes the auditor may learn that the control deficiencies are significant such that the client's financial statements may not be auditable, so before making a preliminary assessment of control risk for each material class of transactions, the auditor must first decide whether the entity is auditable
decide planned detection risk and design substantive tests
-the auditor uses the control risk assessment and results of tests of controls to determine planned detection risk and related substantive tests for the audit of financial statements -auditor does this by linking the control risk assessments to the balance-related audit objectives for the accounts affected by the major transaction types and to the 4 presentation and disclosure audit objectives -the appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model
independent checks on performance
-the careful and continuous review of the other four control activities -sometimes called internal verification -the need for independent checks arises because internal controls tend to change over time, unless there is frequent review
identify audit objectives
-the first step in the control risk assessment -identify audit objectives for classes of transactions, account balances, and presentation and disclosure to which the assessment applies
COSO
-the most widely accepted internal control framework in the United States -describes 5 components of internal control that management designs and implements to provide reasonable assurance that its control objectives will be met -each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements
control activities
-the policies and procedures, in addition to those included in the other four control components, that help ensure that necessary actions are taken to address risks to the achievement of the entity's objectives
integrity and ethical values
-the product of the entity's ethical and behavioral standards, as well as how they are communicated and reinforced in practice -include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts -also include communication of entity values and behavioral standards through policy statements, codes of conduct, and by example
adequate documents and records
-the records upon which transactions are entered and summarized -they include such diverse items as sales invoices, purchase orders, subsidiary records, sales journals, and employee time cards -many of these documents and records are maintained in electronic rather than paper formats -adequate documents are essential for correct recording of transactions and control of assets -documents and records should be: 1. pre-numbered consecutively to facilitate control over missing documents (important for the completeness transaction-related audit objective) 2. prepared at the time the transaction takes place, or as soon as possible thereafter, to minimize timing errors 3. designed for multiple use, when possible, to minimize the number of different forms 4. constructed in a manner that encourages correct preparation
entity-level controls
-the starting point for most auditors -some entity-level controls are elements contained in the control environment, risk assessment, and monitoring components that have an overarching impact on most major types of transactions in each transaction style
operating effectiveness of controls
-the testing objective is to determine whether the controls are operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively -management's test results, which must also be documented, form the basis for management's assertion at the end of the fiscal year about the controls' operating effectiveness -management must disclose any material weakness in internal control; even if only one material weakness is present, management must conclude that the company's internal control over financial reporting is not effective
associate controls with related audit objectives
-third step in the assessment of control risk -each control satisfies one or more related audit objectives -the body of the control risk matrix is used to show how each control contributes to the accomplishment of one or more transaction-related audit objectives, similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives
determine potential misstatements that could result
-this step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness -the importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements
separation of operational responsibility from record-keeping responsibility
-to ensure unbiased information, record keeping is typically the responsibility of a separate department reporting to the controller
separation of the custody of assets from accounting
-to protect a company from embezzlement, a person who has temporary or permanent custody of an asset should not account for that asset -allowing one person to perform both functions increases the risk of that person disposing of the assets for personal gain and adjusting records to cover up the theft
control risk matrix
-used by many auditors to assist in the control risk assessment process at the transaction level -the purpose is to provide a convenient way to organize assessing control risk for each audit objective -used for assessing transaction-related audit objectives and a similar matrix format to assess control risk for balance-related and presentation and disclosure-related audit objectives
4 general guidelines for adequate separations
-used to prevent both fraud and errors, especially significant to auditors 1. separation of the custody of assets from accounting 2. separation of the authorization of transactions from the custody of related assets 3. separation of operational responsibility from record-keeping responsibility 4. separation of IT duties from user departments
observe entity activities and operations
-when auditors observe client personnel carrying out their normal accounting and control activities, including their preparation of documents and records, it further improves their understanding and knowledge that controls have been implemented
5 types of control activities
1. adequate separation of duties 2. proper authorization of transactions and activities 3. adequate documents and records 4. physical control over assets and records 5. independent checks on performance
auditor responsibility for internal control in public companies
1. auditors are required to apply the COSO (or equivalent) framework when evaluating controls 2. when performing integrated audits, auditors must evaluate both control design and operating effectiveness 3. auditors are not required to test all controls, only controls whose failure could result in a reasonable risk of material misstatements
auditor responsibility for internal control in private companies
1. auditors of private companies are required to perform control risk assessments in accordance with COSO or equivalent frameworks 2. requires auditors to evaluate design risk and determine whether controls have been placed into operation 3. auditors are not required to measure the level of operating effectiveness by testing control operations 4. auditors may choose to test control operations if they believe it to be necessary to obtain a reasonable level of assurance regarding the risk of material misstatement in the financial statement assertions or reducing overall costs
the 3 levels of the absence of internal controls defined by auditing standards
1. control deficiency 2. significant deficiency 3. material weakness
COSO 5 internal control components
1. control environment 2. risk assessment 3. control activities 4. information and communication 5. monitoring
5 step approach to identify deficiencies, significant deficiencies, and material weaknesses
1. identify existing controls- because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist 2. identify the absence of key controls- internal control questionnaires, flowcharts, and walkthroughs are useful to identify where controls are lacking and the likelihood of misstatement is therefore increased. It is useful to examine the control matrix to look for objectives where there are no or only a few controls to prevent or detect misstatements 3. consider the possibility of compensating controls- one elsewhere in the system that offsets the absence of a key control; when a compensating control exists, there is no longer a significant deficiency or material weakness 4. decide whether there is a significant deficiency or material weakness- the likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses
primary differences in the application of tests of controls and procedures to obtain an understanding
1. in obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase -tests of control are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding 2. procedures to obtain an understanding are performed only on one or a few transactions, or in the case of observations, at a single point in time -tests of controls are performed on larger samples of transactions (20-100) and often, observations are made at more than one point in time
control environment subcomponents
1. integrity and ethical values 2. commitment to competence 3. board of directors or audit committee participation 4. management's philosophy and operating style 5. organizational structure 6. human resource policies and practices
4 types of procedures to support the operating effectiveness of internal controls
1. make inquiries of appropriate client personnel- although inquiry is not a highly reliable source of evidence about the effective operation of controls, it is still appropriate 2. examine documents, records, and reports- many controls leave a clear trail of documentary evidence that can be used to test controls 3. observe control-related activities- some controls do not leave an evidence trail, which means that it is not possible to examine evidence that the control was executed at a later date; for controls that leave no documentary evidence, the auditor generally observes them being applied at various points during the year 4. re-perform client procedures- there are also control-related activities for which there are related documents and records, but their content is insufficient for the auditor's purpose of assessing whether controls are operating effectively; in these cases it is common for the auditor to re-perform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transactions; if no misstatements are found, the auditor can conclude that the procedure is operating as intended
top-down approach
1. overall risks at financial statement level 2. identify entity-level controls 3. significant accounts, disclosures, and relevant assertions
4 phases for understanding internal control and assessing control risk
1. phase 1- obtain and document understanding of internal control design and operation 2. phase 2- assess control risk 3. phase 3- design, perform, and evaluate tests of controls 4. phase 4- decide planned detection risk and substantive tests
2 key concepts that underlie management's design and implementation of internal control
1. reasonable assurance 2. inherent limitations
3 objectives management has in designing an effective internal control system
1. reliability of financial reporting 2. efficiency and effectiveness of operations 3. compliance with laws and regulations
management's responsibilities for internal control
1. responsible for establishing and maintaining the entity's internal control 2. also required by section 404 to publicly report on the operating effectiveness of those controls (evaluate the design of internal control and report on the effectiveness of internal control as at the end of the financial year)
the 2 primary factors that determine auditability
1. the integrity of management- importance of management integrity is used for determining client acceptance and continuance. if management lacks integrity, most auditors will not accept the engagement 2. the adequacy of accounting records- the accounting records are an important source of audit evidence for most audit objectives. if the accounting records are deficient, necessary audit evidence may not be available
auditor's responsibilities for internal control
1. understanding and testing internal control over financial reporting 2. assess control risk to plan audit of financial statements 3. auditors of larger public companies are required by the SEC to annually issue an audit report on the operating effectiveness of those controls 4. Auditing Standard 5 (Sarbanes Oxley 404)- express opinion on internal control (only for accelerated filers) 5. evaluation of inherent risk factors, evaluation of control risks (control design, control operations), evaluation of financial statement assertions **audit risk assessments and control evaluations are both sequential and recursive
types of internal control opinions
1. unqualified opinion- used when there are no identified material weaknesses and there have been no restrictions on the scope of the auditor's work 2. adverse opinion- when one or more material weaknesses exist, the most common cause is when management identified a material weakness in its report 3. qualified or disclaimer of opinion- a scope limitation, issued when the auditor is unable to determine if there are material weaknesses, due to a restriction on the scope of the audit of internal control over financial reporting or other circumstances where the auditor is unable to obtain sufficient appropriate evidence
authorization
a policy decision for either a general class of transactions or specific transactions
collusion
an act of two or more employees who conspire to steal assets or misstate records
reasonable assurance
company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated -Internal controls are developed by management after considering both the costs and benefits of the controls -reasonable assurance is a high level of assurance that allows for only a low likelihood that material misstatements will not be prevented or detected on a timely basis by internal control
key controls
controls that are expected to have the greatest effect on meeting the transaction-related audit objectives
evaluation of internal control (AS 5: PUBLIC COMPANIES)
first two deal with design evaluation, the next three deal with operating effectiveness evaluation 1. plan the engagement 2. use a top-down approach to gain an understanding 3. testing internal control effectiveness a) design effectiveness b) operating effectiveness 4. evaluating control deficiencies 5. wrapping up: forming an opinion on the effectiveness of internal control over financial reporting 6. reporting on internal control
procedures to obtain an understanding
part of the auditor's risk assessment procedures, which involve gathering evidence about the design of internal controls and whether they have been implemented; the auditor then uses that information as a basis for assessing control risk and for the integrated audit
internal control
policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals -a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting -internal control is a PROCESS, it is a means to an end, not an end in itself -internal control can be expected to provide only REASONABLE ASSURANCE, not absolute assurance, to an entity's management and board -essence of internal control is that it is usually more effective to PREVENT problems than to CORRECT problems
approval
the implementation of management's general authorization duties