Audit I Internal Control Class Version
description
Transcript of Audit I Internal Control Class Version
Chapter 6Chapter 6
Internal Control in a Financial Statement Audit
McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved
6-2
Internal Controls in Financial Statement Audits
What is internal control?
What does the auditor need to know about internal control?
How does the auditor use his/her knowledge of Internal control in conducting the audit?
What are the documentation requirements?
What are the communication requirements related to the auditor’s internal control findings?
6-3
Internal Control(315.04 and .13)
Generally, internal controls pertaining to the preparation of financial statements for external purposes are the controls
relevant to an audit…and not even all of those.However some operations or compliance controls may be
relevant to the audit, as well (315.04 and .13)
Reliability of Financial Reporting
Effectiveness & Efficiency of
Operations
Compliance with Laws & Regulations
Objectives
LO# 3
6-4
With which of the following categories of controls will the auditor likely be most
familiar? Controls focused on 1. Reliability of financial
reporting
2. Effectiveness & efficiency of operations
3. Compliance with laws and regulations
4. All of the above equally
5. 2 and 3
6-5
Components of Internal ControlCOSO Framework (315.15-.25)
Control Environment
Entity’s Risk Assessment
Process
Information System and Related Business Processes
Relevant to Financial Reporting & Communication
Control Activities
Monitoring of Controls
LO# 4
6-6
Control Environment (315.A71 – A.80)
What does the auditor need to know(see 315.15)
Factors affecting the auditor’s evaluation of the control environment include:
Communications and enforcement of integrity and ethical values
Commitment to competenceParticipation by those charged with governanceManagement’s philosophy and operating styleOrganizational structureAssignment of authority and responsibilityHuman resource policies and practices
6-7
The Entity’s Risk Assessment Process (315.A81 - .A83)
What does the auditor need to know (See 315.16)
Or.. how does the entity assess and manage risk related to the fair preparation of financial statements (for example the risk of failing to record a transaction or appropriate estimates)
The nature of the entity’s risk assessment process will vary greatly depending on the size and nature of the client
6-8
The importance of internal control to management relates to which of the
following internal control components?
1 2 3 4
25% 25%25%25%
1. Control environment
2. Control procedures
3. Risk assessment
4. Monitoring
6-9
Information System and Related Processes (315.19)
The auditor’s understanding of the information system should relate to the following:
The classes of transactions that are significant
The procedures (IT and manual) by which those transactions are initiated, authorized, recorded, processed, corrected, transferred to the general ledger and the financial statements
What accounting records support the information in the financial statements and accounting records
6-10
Information System and Related Processes (315.19)
The auditor’s understanding of the information system should relate to the following (cont.):
How the system captures events and conditions, other than transactions, that are significant to the financial statements (for example, depreciation)
The processes used to prepare the entity’s financial statements (including estimates and disclosures)
Controls surrounding journal entries, including those that are nonrecurring
6-11
Control ActivitiesThe auditor should understand the process of
reconciling detailed records to the general ledger for material accounts (315.21) and, as appropriate, details related to such control activities as (315.A91):
Information processing (when is the work done and how)
Physical controlsSegregation of duties (who does the work)Performance reviews (supervision)How the entity has responded to risk arising from IT
(See 315.A98-.A101)
6-12
Which of the following types of controls are least likely to be programmed
controls?
1 2 3 4
25% 25%25%25%
1. Application controls
2. General controls
3. Both of the above
4. What? Do I look like a geek
6-13
Monitoring of Controls (315.23 and .A102)
The auditor should obtain an understanding of:
Major activities the entity conducts to monitor controls over financial reporting
How the entity initiates remedial action
Impact of the internal audit function, if any
6-14
What Else Does the Auditor Need to Know About Internal Controls (315.14)
GAAS requires the auditor to:
1. Develop an appropriate understanding of the design of the client’s internal controls (the 5 components) AND
2. Determine whether those controls have been placed in operation (implemented)
Inquiry alone will not allow the auditor to determine if the controls have been implemented. More often than not, what auditors refer to as a “walk through” is necessary to determine whether controls have been placed in operation (implemented).
6-15
Auditor’s Use of His/Her Understanding of Internal Control
Identify types of potential
misstatements
Design tests of controls (where applicable) and substantive procedures
Consider factors that affect the risk of
material misstatement
The auditor should obtain an understanding of each of the five components of internal control in order to plan
the audit. This knowledge is used to (315.A42):
LO# 7
6-16
Auditor’s Use of His/Her Understanding of Internal Control
Remember the Audit Risk Model
AR = IR X CR X DR
Look at the flowchart on page 195 of the textbook
6-17
In a GAAS audit an auditor should be able to determine through inquiry
1 2 3 4
25% 25%25%25%1. If controls have been implemented
2. The design of many relevant controls
3. The efficiency and effectiveness of controls
4. All of the above
6-18
The auditor should develop an understanding of each of the 5 components
of internal control to allow for:
1 2 3 4 5
20% 20% 20%20%20%1. Proper design of tests of controls, where appropriate
2. Proper design of substantive test
3. A reduction in the level of assessed control risk
4. All of the above
5. Both 1 and 2
6-19
In a GAAS audit, an auditor is required to
1 2 3 4 5
20% 20% 20%20%20%1. Develop an
understanding of the client’s internal control
2. Determine that controls have been implemented
3. Test the efficiency and effectiveness of controls
4. All of the above
5. 1 and 2
6-20
Documenting the Understanding of Internal Control (see 315.33b)
Procedure Manuals and Organizational
ChartsNarrative Description
Internal Control Questionnaires
Flowcharts
LO# 8
6-21
Which of the following are required by GAAS?
1 2 3 4 5
20% 20% 20%20%20%1. Documentation of the
auditor’s understanding of internal control
2. Determination that key internal controls have been implemented
3. Tests of controls
4. All of the above
5. Both 1 and 2
6-22
Auditing Accounting Applications Processed by Service Organizations
(402)In some instances, a client may have some or all of its
accounting transactions processed by an outside service organization.
Because the client’s transactions are subjected to
the controls of the service organization, one of the
auditor’s concerns is the internal control system in
place at the service organization.
It is not uncommon for service organizations to have a service auditor issue one of two types of reports on their operations.
LO# 13
6-23
Type 1 Report Describes the service organization’s controls
and assesses whether they are suitably designed to achieve specified internal control
objectives and implemented.
Type 2 ReportGoes further by testing whether the
controls provide reasonable assurance that the related control objectives were
achieved during the period. (i.e., the auditor performs test of controls)
An auditor may reduce control riskcontrol risk below the maximum onlyonly on the
basis of a service auditor’s report that includes tests of the
controls (Type 2).
LO# 13Auditing Accounting Applications Processed by Service Organizations
(402)
6-24
The auditor can use a type 1 report related to a service center’s controls to
1. Document the understanding of the service center’s controls
2. Reduce the assessed level of control risk below the maximum
3. Both 1 and 2
4. None of the above
6-25
Communication of Internal Control-Related Matters
(See 265.07 and .11 through .16 )
Material Weakness
Significant Deficiency
The most serious of shortcomings. Must be
communicated in writing to both those charged with
governance and management
The second most serious of shortcoming. Must be
communicated in writing to both those charged with
governance and management
LO# 14
6-26
Communication of Internal Control-Related Matters
Other deficiencies should be communicate to management either in writing or orally if others have not so communicated and the auditor feels the issues merit management attention (265.12b)
All communications regarding internal control weaknesses should be made no later than 60 days following the report release date (265.13)
6-27
Communication of Internal Control-Related Matters
Written communications regarding significant deficiencies and material weaknesses should include (see 265.14)
Any written communication indicating that no significant deficiencies were identified would be inappropriate (265.15 and .16).
6-28
Which of the following, if discovered, is the auditor required to communicate to management
1. 2. 3. 4. 5.
20% 20% 20%20%20%1. Material weaknesses in internal control
2. Significant deficiencies in internal control
3. Deficiencies in internal control
4. All of the above
5. Both 1 and 2
6-29
Which of the following can the auditor not issue as a written communication?
1. 2. 3. 4.
25% 25%25%25%1. A statement that no material weaknesses were identified
2. A statement that no significant deficiencies were identified
3. A restriction on the use of the auditor’s internal control communication
4. All of the above can be issued in writing
6-30
Internal Control Under PCAOBAuditor’s responsibilities for both examining and
reporting on internal control in a PCAOB engagement per AS 5 are much more extensive
Management’s Responsibilities (CEO & CFO) Accept responsibility for the effectiveness of the
entity’s ICFR Evaluate the effectiveness of the entity’s ICFR using
suitable control criteria Support the evaluation with sufficient evidence,
including documentation Present a written assessment of the effectiveness of
ICFR as of the end of the most recent fiscal year
6-31
Internal Control Under PCAOB
Auditor’s Responsibility Integrate an audit of management’s assertion
about the effectiveness of ICFR with the audit of the financial statements
Express an opinion on the effectiveness of the entity’s ICFR as of a point in time
To express an opinion on ICFR, the auditor’s evaluation of ICFR would need to be much more extensive than the evaluation of ICFR required to support the opinion on the financial statements as required by GAAS
6-32
The examination of an audit client’s internal control in a PCAOB audit would be
A. In the same depth as in a SAS GAAS audit
B. In more depth than in a SAS GAAS audit
C. In less depth than in a SAS GAAS audit
In the s
ame depth
as in a S.
.
In more
depth th
an in
a SA...
In less
depth th
an in
a SA
S...
0% 0%0%
6-33
The auditor’s reporting responsibilities related to ICFR in a SAS GAAS audit differ from those in a
PCAOB audit in that A. A SAS GAAS audit
does not require the auditor to issue any report related to ICFR findings
B. A SAS GAAS audit requires the auditor to issue a report on ICFR findings for public distribution
C. A SAS GAAS audit does not allow the auditor to issue an opinion on ICFR
A SAS GAAS a
udit does n
ot ...
A SAS GAAS a
udit require
s t..
A SAS GAAS a
udit does n
ot ...
0% 0%0%