Chapter 18 Audit
An audit of internal control over financial reporting ordinarily assesses internal control: (1) As of the last day of the fiscal period. (2) As of the last day of the auditor's fieldwork. (3) For the entire fiscal period. (4) For the entire period plus the period of the auditor's fieldwork.
(1) An audit of internal control over financial reporting ordinarily assesses internal control at an "as of date", ordinarily the last day of the fiscal period.
In an integrated audit, which of the following must be communicated by management to the audit committee? (Known Material Weakness / Known Significant Deficiencies) (1) Yes / Yes (2) Yes / No (3) No / Yes (4) No / No
(1) Management must communicate both material weaknesses and significant deficiencies to the audit committee.
Which of the following is most likely to be considered a material weakness in internal control? (1) Ineffective oversight of financial reporting by the audit committee. (2) Restatement of previously issued financial statements due to a change in accounting principles. (3) Inadequate controls over nonroutine transactions. (4) Weaknesses in risk assessment.
(1) PCAOB AS 2201 includes ineffective oversight of financial reporting by the audit committee as an indicator of a material weakness in internal control.
In an integrated audit, which of the following must the auditors communicate to the audit committee? (Known Material Weakness / Known Significant Deficiencies) (1) Yes / Yes (2) Yes / No (3) No / Yes (4) No / No
(1) PCAOB AS 2201 requires the auditors to communicate both material weaknesses and significant deficiencies to the audit committee.
Recall that the relevant assertions about accounts and classes of transactions are:
(1) existence or occurrence; (2) completeness; (3) valuation or allocation; (4) rights and obligations; and/or (5) presentation and disclosure.
Which of the following is defined as a weakness in internal control that allows a reasonable possibility of a misstatement that is material? (1) Control deficiency. (2) Material weakness. (3) Reportable condition. (4) Significant deficiency.
(2) A material weakness involves a reasonable possibility of a material misstatement.
In an integrated audit, which of the following lead(s) to an adverse opinion on internal control? (Known Material Weakness / Known Significant Deficiencies) (1) Yes / Yes (2) Yes / No (3) No / Yes (4) No / No
(2) An audit report on internal control is modified for material weaknesses, not significant deficiencies.
Management's documentation of internal control ordinarily should include information on: (Controls Designed to Prevent Fraud / Controls Designed to Ensure Employee Personal Integrity) (1) Yes / Yes (2) Yes / No (3) No / Yes (4) No / No
(2) Management's documentation must include information on controls designed to prevent fraud, but not on controls designed to ensure employee personal integrity.
The auditors identified a material weakness in internal control in August. The client was informed and the client corrected the material weakness prior to year-end (December 31); the auditors concluded that management eliminated the material weakness prior to year-end. The appropriate audit report on internal control is: (1) Adverse. (2) Qualified. (3) Unqualified. (4) Unqualified with explanatory language relating to the material weakness.
(3) An unqualified opinion with no explanatory language is appropriate when the material weakness has been eliminated (remediated) prior to the "as of date," year-end.
Which of the following is not a typical question asked during a walk-through? (1) Have you ever been asked to override the process or controls? (2) What do you do when you find an error? (3) What is the largest fraudulent transaction you ever processed? (4) What kind of errors have you found?
(3) Auditors will not ordinarily ask what was the largest fraudulent transaction an individual ever processed. The other three replies are recommended questions.
A material weakness is a control deficiency (or combination of control deficiencies) that results in a reasonable possibility that a misstatement of at least what amount will not be prevented or detected? (1) Any amount greater than zero. (2) A greater amount than zero, but an amount that is at least inconsequential. (3) A greater amount than inconsequential. (4) A material amount.
(4) A material weakness involves a material amount.
A procedure that involves tracing a transaction from origination through the company's information systems until it is reflected in the company's financial report is referred to as a(n): (1) Analytical analysis. (2) Substantive test. (3) Test of a control. (4) Walk-through.
(4) A walk-through involves tracing a transaction from origination through a company's information systems until it is reflected in the financial reporting system.
Extent (Test of Operating Effectiveness)
-Depend on frequency of control
Nature (Test of Operating Effectiveness)
-Inquiries, inspections, observations, and reperformance -Vary the tests when possible (make them unpredictable)
Tests of controls
-Same for internal control audit and financial statement audit -Evidence from internal control audit can be used for financial statement audit
Timing (Test of Operating Effectiveness)
-Sufficient period of time -Periodic controls - may have to wait until after report date
Management assessment must understand concepts of
-control deficiency -significant deficiency -material weakness
Findings from substantive procedures may affect audit of internal control:
1. Could provide evidence of effectiveness or ineffectiveness of internal control over financial reporting Example: Identification of material misstatement in financial statements is indicative of at least a significant deficiency in internal control
Communicate to audit committee
1. Material weaknesses 2. Significant deficiencies and that all other deficiencies have been communicated to management
Tests of Operating Effectiveness
1. Nature 2. Timing 3. Extent
Objective of Management's Evaluation of Internal Control
1. Provide a reasonable basis for its annual assessment 2. Process -Evaluate design effectiveness of controls -Evaluate operating effectiveness of internal control -Document the process -Issue the report
Transactions are classified as:
1. Routine transactions 2. Nonroutine transactions 3. Accounting estimates
The following information must be included in management's report on internal control over financial reporting:
1. State that it is management's responsibility to establish and maintain adequate internal control. 2. Identify management's framework for evaluating internal control. 3. Include management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the most recent fiscal period, including a statement as to whether internal control over financial reporting is effective. 4. Include a statement that the company's auditors have issued a report on management's assessment.
Form an opinion, evaluate:
1. The results of their evaluation of the design 2. The results of tests of the operating effectiveness of controls 3. Negative results of substantive procedures performed during the financial statement audit 4. Any identified control deficiencies.
Integrated audit requires tests of controls for all major accounts and relevant assertions:
1. Will lead to decreased scope of substantive procedures 2. Significant deficiencies or material weaknesses could lead to more substantive procedures 3. Not acceptable to omit substantive procedures completely
Auditors must first test
1. design effectiveness 2. test operating effectiveness -tests of operating effectiveness will not ordinarily be performed when the design is ineffective.
Management's Responsibility
1.Accept responsibility for effectiveness 2.Evaluate the effectiveness using suitable criteria 3.Support the evaluation with sufficient evidence 4.Provide a report on internal control
Management's four overall responsibilities relating to internal control over financial reporting:
1.Accept responsibility for the effectiveness of internal control. 2.Evaluate the effectiveness of internal control using suitable control criteria. 3.Support the evaluation with sufficient evidence. 4.Provide a report on internal control.
Although any number of inquiries may be made, inquiries such as the following are suggested:
1.Can you describe the part of the processing of the transaction with which you are involved? 2.What do you do when you find an error? 3.What kind of errors have you found? 4.What happened as a result of finding the errors, and how were the errors resolved? 5.Have you ever been asked to override the process or controls? If yes, why did it occur and what happened?
Efficient planning requires coordination with financial statement audit, consider matters such as:
1.Client's industry 2.Regulatory matters 3.Client's business 4.Recent changes in the client's operations
Components of Internal Control (CRIME)
1.Control Activities 2.Risk Assessment 3.Information System 4.Monitoring 5.Control Environment
Auditors of large public companies should report on:
1.Financial statements 2.Internal control over financial reporting
Transactions that are indicators of material weaknesses in internal control:
1. Identification of fraud, whether or not material, on the part of senior management. 2. Restatement of previously issued financial statements to reflect the correction of a material misstatement. 3. Identification by the auditor of a material misstatement in circumstances that indicate that the misstatement would not have been detected by the company's internal control. 4. Ineffective oversight of the company's external financial reporting and internal control by the company's audit committee.
Levels of severity of control deficiencies
1.Less than a significant deficiency 2.Significant deficiency - less severe than material weakness yet important enough to merit attention 3.Material weakness - reasonable possibility that a material misstatement will not be prevented or detected
Antifraud programs include effective:
1.Management accountability. 2.Audit committee. 3.Code of conduct/ethics. 4."Whistleblower program." 5.Hiring and promotion procedures. 6.Remediation of significant deficiencies, material weaknesses, and fraud.
Reporting on Whether a Previously Reported Material Weakness Continues to Exist:
1.Management believes material weakness has been eliminated 2.Auditor engaged to report on whether material weakness continues to exist 3.Engagement focused on evidence regarding material weakness
Factors that should be considered in deciding whether an account is significant include its:
1.Size and composition. 2.Susceptibility of loss due to errors or fraud. 3.Volume of activity, complexity and homogeneity of individual transactions. 4.Nature of the account. 5.Accounting and reporting complexity. 6.Exposure to losses. 7.Likelihood of significant contingent liabilities 8.Existence of related party transactions. 9.Changes from the prior period.
Factors of a significant account
1.Size and composition. 2.Susceptibility of loss due to errors or fraud. 3.Volume of activity, complexity, and homogeneity of individual transactions. 4.Nature of the account. 5.Accounting and reporting complexity. 6.Exposure to losses. 7.Possibility of significant contingent liabilities. 8.Existence of related party transactions. 9.Changes from the prior period.
Management's Report on Internal Control includes:
1. State that it is management's responsibility to establish and maintain adequate internal control. 2. Identify management's framework for evaluating internal control. 3. Include management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the most recent fiscal period, including a statement as to whether internal control over financial reporting is effective. 4. If applicable, include a statement that the company's auditors have issued an attestation report on management's assessment.
Once the auditors understand entity-level controls and the flow of transactions, the auditors are in a position to:
1.Verify points within the company's processes at which a misstatement could arise that could be material 2.Identify the controls management has implemented to address these potential misstatements 3.Identify the controls management has implemented to prevent or detect on a timely basis unauthorized acquisition, use, or disposition of the company's assets that could result in a material misstatement
Walk-through provides evidence to:
1.Verify that the auditors have identified points at which a significant risk of misstatement to a relevant assertion exists. 2.Verify their understanding of the design of controls, including those related to the prevention or detection of fraud. 3.Evaluate the effectiveness of the design of controls. 4.Confirm whether controls have been placed in operation (implemented).
Walkthroughs provide the auditors with evidence to:
1. Verify that they have identified points at which a significant risk of misstatement to a relevant assertion exists. 2. Verify their understanding of the design of controls, including those related to the prevention or detection of fraud. 3. Evaluate the effectiveness of the design of controls. 4. Confirm whether controls have been placed in operation (implemented).
Which of the following need not be included in management's report on internal control under Section 404(a) of the Sarbanes-Oxley Act of 2002? (1) A statement that the company's auditors have issued an audit report on management's assertion. (2) An identification of the framework used for evaluating internal control. (3) Management's assessment of the effectiveness of internal control. (4) Management's acknowledgment of its responsibility to establish and maintain internal control that detects all significant deficiencies.
(4) Management's report on internal control under Section 404(a) of the Sarbanes-Oxley Act of 2002 need not state that it has a responsibility to establish and maintain internal control that detects ALL significant deficiencies.
Circumstance: Management's Report on Internal Control is Incomplete or Improperly Presented. The report does not acknowledge a material weakness identified by the auditor. Auditors' Opinion?
Adverse
Circumstance: Material Weakness Exists. Auditors' Opinion?
Adverse
Frequency of Testing, number of items to test
Annual: 1; Quarterly: 2; Monthly: 3-6; Weekly: 10-20; Daily: 20-40; Multiple times per day: 30-60
A weakness in the design or operation of a control that does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis
Control deficiency
Differences between small and large clients
Degree of complexity of operations
Circumstance: Scope Restriction. Auditors' Opinion?
Disclaimer or Withdraw from Engagement
Communicate to board of directors
If conclude oversight of financial reporting and internal control is ineffective
Those transaction flows that have a meaningful bearing on the totals accumulated in the company's significant accounts and, therefore, have a meaningful bearing on relevant assertions
Major classes of transactions
A control deficiency, or a combination of control deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis
Material weakness
Difference between material weaknesses and significant deficiencies
Material weaknesses result in adverse internal control audit reports, while significant deficiencies do not.
Does existence of significant deficiency result in required modification of management's assessment and auditors' report?
No
Differences between audits
Objectives are different
Does existence of control deficiency result in required modification of management's assessment and auditors' report?
Only if it is a material weakness
The primary section of the Sarbanes-Oxley Act dealing with management and auditor reporting on internal control over financial reporting
Section 404
An account for which there is a reasonable possibility that it could contain misstatements that individually, or when aggregated with others, could have a material effect on the financial statements
Significant account
Integrated audit
Testing should be spread through the year to satisfy both objectives
Difference between audit of internal control and audit of financial statements
Time period
Walk-through
Tracing a transaction from its origination through the company's information system until it is reflected in the company's financial reports
Circumstance: Material Weakness Existed during Year, Auditors do not have sufficient time to test new system. Auditors' Opinion?
Treat as scope restriction
Circumstance: Material Weakness Existed during Year, Auditors test the new system and material weakness eliminated. Auditors' Opinion?
Unqualified
Circumstance: Management's Report on Internal Control is Incomplete or Improperly Presented. Other Issues. Auditors' Opinion?
Unqualified (but with an explanatory paragraph)
Tracing a transaction from origination through the company's information systems until it is reflected in the company's financial reports
Walk-through
Does existence of material weakness result in required modification of management's assessment and auditors' report?
Yes
A significant deficiency is
a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
A material weakness is
a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis
Management assessment evaluation must use an
accepted "control framework" such as Internal Control-Integrated Framework created by COSO
Accounting estimates are
activities involving management's judgments or assumptions. Examples: determining the allowance for doubtful accounts, estimating warranty reserves, and assessing assets for impairment.
Section 404a requires
an internal control report prepared by management in which management acknowledges its responsibility for establishing and maintaining adequate internal control and an assessment of internal control effective as of the end of the most recent fiscal year.
Audit of internal control happens
as of date
The objective of tests of controls for financial statement audits is to
assist the auditors in planning the audit and to assess control risk. To assess control risk at less than the maximum, the auditors are required to obtain evidence that the relevant controls operated effectively during the entire period upon which the auditors plan to place reliance on those controls.
Whether the auditors must perform tests at each location depends upon the individual importance of each location. Tests need only be performed
at locations (or business units) that, individually or when aggregated, could create a material misstatement of the financial statements.
Top-Down Approach starts
at the top
Both significant deficiencies and material weaknesses must
be communicated to the audit committee
The auditors may also issue a
combined report on control over financial reporting and the financial statements. -The reports include the components of both of the separate reports.
Management can be assisted by
consultants but not by the CPA firm that conducts the audit of financial statements
Communicate in writing to management all
control deficiencies regardless of severity
When the auditors are engaged to report on whether a previously reported material weakness continues to exist, they plan and perform an engagement that focuses on
controls that are relevant to the particular weakness. If they determine that the controls are now effective, the auditors may issue an unqualified report indicating that the material weakness no longer exists.
Compensating controls are ordinarily controls performed to
detect, rather than prevent, a misstatement from occurring
Estimation transactions (sometimes referred to as nonsystematic transactions) are activities involving management's judgments or assumptions, such as
determining the allowance for doubtful accounts, establishing warranty reserves, and assessing assets for impairment.
The opinion paragraph concludes
directly on internal control.
A management imposed scope limitation is most likely to result in a
disclaimer of opinion on the company's internal control over financial reporting, or possibly withdrawal from the engagement.
Walk-throughs are not required
during an audit of internal control over financial reporting. They may be performed by the auditors or by the client personnel under proper supervision of the auditors.
Audit of financial statements happens during the
entire financial statement period
Top-Down Approach goal
focus on testing those controls that are most important to auditor's conclusion on internal control, avoiding those that are less important
Routine transactions are
for recurring activities. Examples: sales, purchases, cash receipts and disbursements, and payroll.
Although a material weakness exists related to internal control, the financial statements may still follow
generally accepted accounting principles and an unqualified audit report may be appropriate.
In evaluating the design effectiveness of the company's internal control, the auditors ask themselves
if the controls are operating effectively, are internal controls effective?
Management assessment must understand definition of
internal control adopted by the SEC
When reporting on internal control over financial reporting, the opinion is on whether
internal control is effective "as of" a particular date, ordinarily the last day of the client's fiscal year. This is in contrast to reporting on the effectiveness of internal control over the entire year.
The evidence for an Auditors Objective
is gathered for an opinion as of the date specified in management's assessment - normally the last day of the company's fiscal year
Relevant assertions are those that have
meaningful bearing on whether account is presented fairly
An account is significant if there is
more than a remote likelihood that it could contain misstatements that individually, or when aggregated with others, could have a material effect on the financial statements.
In evaluating design effectiveness, the auditors often consider the
nature of the transactions making up the account.
Redundant controls do not
need to be tested if a duplicate control is tested
The objective of tests of controls in an audit of internal control is to
obtain evidence about the effectiveness of controls to support the auditors' opinion on whether management's assessment of the effectiveness of internal control is fairly stated as of a point in time and taken as a whole.
Nonroutine transactions occur
only periodically; they generally are not part of the routine flow of transactions. Examples: transactions such as counting and pricing inventory, calculating depreciation expense, or determining prepaid expenses.
Entity-level controls have a pervasive effect on the achievement of
overall control objectives (e.g., tone at the top) rather than a specific control objective.
Auditors' Objective is to
plan and perform the audit to obtain reasonable assurance about whether material weaknesses exist to express an opinion on the company's internal control over financial reporting
Selecting Controls, Design tests for
preventive and/or detective controls -Complementary controls
An account is significant if there is a
reasonable possibility that it could contain a misstatement that individually or in aggregate has a material effect on financial statements
Sarbanes-Oxley Act of 2002, Section 404(b)
requires CPA firm to audit internal control and express an opinion on effectiveness of internal control. (Exempt: In general, companies with less than $75 million in market capitalization or less than $100 million in revenues in preceding year).
Sarbanes-Oxley Act of 2002, Section 404(a)
requires annual report filed with SEC to include an internal control report by management -Management acknowledges responsibility for establishing and maintaining adequate internal control -Report provides assessment of internal control effectiveness at end of fiscal year
Routine transactions are for recurring activities, such as
sales, purchases, cash receipts and disbursements, and payroll.
Auditors must communicate both
significant deficiencies and material weaknesses to the audit committee.
The auditors may use the work of others as a part of an audit of internal control. One would ordinarily expect that the work of others would involve
testing more low-risk, routine transactions rather than pervasive and control environment controls -the auditors should evaluate the competence and objectivity of those individuals and test the work they have performed.
The performance of substantive tests may be affected by
tests of controls in circumstances in which a control deficiency is identified. Substantive procedures may be increased to identify any possible material misstatement.
PCAOB AS 2201 requires
that additional evidence beyond inquiry alone be gathered.
When a substantive procedure identifies a misstatement, this will ordinarily indicate
that controls have not operated effectively
Section 404b requires
that the CPA firm attest to and report on the assessment made by management as well as provide its own opinion on internal control.
Based on provisions of PCAOB Standard No. 5
the audits of internal control and financial reporting should be integrated
Control deficiencies exist when
the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis
Nonroutine transactions occur only periodically, such as
the taking of physical inventory, calculating depreciation expense or adjusting for foreign currencies; nonroutine transactions generally are not a part of the routine flow of transactions.
Entity-level controls
those in control environment or monitoring components of internal control -Emphasize those relating to audit committee effectiveness, fraud, and period-end process -Direct or indirect effect
Selecting Controls, it is not necessary
to perform tests of all controls
A walk-through involves literally
tracing a transaction through the entire information system from inception to financial reporting.