AUDITING CHAPTER 8 Internal Control


Transcript

  • 1. AUDITING CHAPTER 8 Internal Control By David N. Ricchiute
  • 2. TOPICS
    • COSO framework of internal control
    • Auditor’s consideration of internal control
    • Audit of internal control mandated by Sarbanes-Oxley
  • 3. INTRODUCTION
    • Auditor responsible for considering internal control in audit program design
      • Audit planning
        • What is assessed level of control risk?
        • Based on control risk assessment, can auditor relax nature, extent, timing of substantive tests?
    • Sarbanes-Oxley Act requires auditor to audit internal control
      • To comply with Act & SEC’s rules
  • 4. COSO FRAMEWORK
    • COSO provides guidance for auditor’s consideration of internal control
      • A framework to assess internal controls
      • Common definition for internal controls
      • Applies to financial reporting & other management objectives
    • Sarbanes-Oxley Act applies only to financial reporting
  • 5. INTERNAL CONTROL: COSO Definition
    • A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
      • Effectiveness & efficiency of operations
      • Reliability of financial reporting
      • Compliance with applicable laws & regulations
    • COSO, 1992, p. 9
  • 6. CONCEPTS OF COSO DEFINITION
    • Internal control is a process
    • Internal control accomplished by people at all levels
    • Internal control is means to achieve entity’s objectives
    • Internal controls provide reasonable, not absolute, assurance
  • 7. INTERNAL CONTROL OBJECTIVES
    • Operations objectives
      • Market share, ROI, product/service diversification
    • Financial reporting objectives
      • Producing reliable financial statements
    • Compliance objectives
      • Compliance with laws, regulations
  • 8. SEC & PCAOB Control Over Financial Reporting
    • Sarbanes-Oxley Act Section 404
      • Management to certify internal control over financial reporting is effective
      • Auditor to issue opinion on management’s certification
  • 9. INTERNAL CONTROL OVER FINANCIAL REPORTING
    • SEC, PCAOB definition Section 404
    • A process designed by, or under supervision of principal executive & principal financial officers . . . To provide reasonable assurance regarding reliability of financial reporting, preparation financial statements in accordance with GAAP
    • SEC, Final Rule. Washington, D. C.: SEC, 2003.
  • 10. INTERNAL CONTROL Policies & Procedures
    • Maintain records in reasonable detail
      • To accurately, fairly reflect transactions, dispositions of assets
    • Provide reasonable assurance that
      • Transactions recorded as necessary to prepare financial statements in accord with GAAP
      • Receipts, expenditures in accord with management’s, directors’ authorization
      • Unauthorized acquisition, use of assets having material effect on financial statements will be prevented, detected in timely manner
  • 11. COSO COMPONENTS OF INTERNAL CONTROL
    • Control environment
    • Risk assessment
    • Control activities
    • Information & communications support
    • Monitoring
      • COSO & adopted by SAS 94
  • 12. CONTROL ENVIRONMENT
    • Management’s & board of directors’ attitude, awareness, & actions regarding internal control
    • Captures importance of control in management’s operating style
    • “Tone at the top”
  • 13. ELEMENTS OF CONTROL ENVIRONMENT
    • Attitude & awareness
    • Codes of conduct
    • Committed to quality
    • Board independent of management
    • Attitude about false records
    • Proper flow information
    • Responsibilities defined
    • Policies training, promotion, etc.
    • Integrity; Commitment; Directors, audit committee; Management philosophy; Organization structure; Authority; HR policies, procedures
  • 14. RISK ASSESSMENT
    • Management’s responsibility to identify risks for
      • Financial reporting
      • Operations
      • Compliance
    • Management’s responsibility to take action to manage risks
  • 15. MANAGING RISKS IN CHANGE
    • Change agents
    • Divestiture
    • Organization culture
    • Time constraints for redesign
    • Back orders
    • Production delays
    • Unfamiliar risks
    • Staff reductions, inadequate supervision
    • Local customs, culture
    • Operating environment; New personnel; New information system; Rapid growth; New technology; New products, services; Corporate restructuring; Foreign operations
  • 16. CONTROL ACTIVITIES
    • Policies & procedures to provide reasonable assurance that objectives are met
      • Authorization, execution of transactions
      • Segregation of duties
      • Design & use of documents & records
      • Access to assets & records
  • 17. CONTROL ACTIVITIES Categories
    • Preventive controls
      • Intended to prevent misstatement
    • Detective controls
      • Detect misstatements that have occurred
  • 18. CONTROL ACTIVITIES Authorization
    • All transactions should be authorized by responsible personnel acting within scope of prescribed authority, responsibility
      • Specific authorization
        • Required for each transaction
        • Typically unusual transactions
      • General authorization
        • Policies, procedures for typical transactions
  • 19. SEGREGATION OF DUTIES
    • Optimum segregation of duties exists when collusion is necessary to circumvent controls
    • Separate functions for
      • Management (authorization)
      • Custody (transaction execution)
      • Accounting (recording transactions)
      • Monitoring (independent checks on performance)
  • 20. DESIGN, USE DOCUMENTS & RECORDS
    • Evidence of executed transactions
      • Represent an audit trail
    • Impact efficiency
      • Designed for multiple use
      • Prenumbered consecutively
      • Easy to complete
  • 21. ACCESS TO ASSETS & RECORDS
    • Access limited to authorized personnel by
      • Locks for physical protection
      • Limits on employee access online
      • Codes to authorize access
  • 22. INFORMATION, COMMUNICATION: Defined
    • System identifies, captures, communicates external & internal information in form & timeframe to discharge responsibilities
    • Includes accounting system
  • 23. INFORMATION, COMMUNICATION: Sources
    • External
      • Market share, regulatory requirements, complaints
    • Internal
      • Identify valid transactions
      • Record proper time period
      • Sufficient detail to classify, measure, present in financial statements
  • 24. INFORMATION, COMMUNICATION: Accounting
    • Methods, records, to identify valid transactions
    • Transactions recorded in proper period
    • Describe transactions on timely basis, sufficient detail to properly
      • Classify
      • Measure
      • Summarize
      • Disclose
  • 25. TRANSACTION CYCLES Defined
    • Accounting system organized & processes information in cycles
      • Financing
      • Expenditure & disbursement
      • Conversion
      • Revenue & receipt
  • 26. TRANSACTION CYCLES Examples
    • Cycles
      • Financing: Capital funds received, used, invested
      • Expenditure/disbursement: Goods, services acquired from vendors, employees & paid
      • Conversion: Resources used, held, transformed
      • Revenue/receipt: Resources distributed to outsiders; payment received
  • 27. MONITORING
    • Continuous or periodic evaluation
    • Resolution of discrepancies
    • To ensure reliability
  • 28. RESTATEMENT, FRAUD, & INTERNAL CONTROL
    • Section 13(b)(2)(B) of 1934 Securities Exchange Act requires issuers to devise, maintain system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accord with GAAP.
    • Internal control is a matter of law
  • 29. ASSESSING CONTROL RISK
    • A sufficient understanding of internal control is to be obtained to plan the audit & determine the nature, timing, and extent of tests to be performed. (2nd GAAS fieldwork)
      • Obtain understanding
      • Assess control risk
      • Determine nature, timing, extent of substantive tests
  • 30. ASSESSING V. AUDITING COSO INTERNAL CONTROLS
    • Assessing controls
      • Obtain understanding
      • Assess control risk for assertions about balances & transactions
      • Determine nature, extent, timing of substantive tests
    • Auditing Section 404
      • Obtain understanding
      • Evaluate effectiveness
      • Form opinion on internal control over financial reporting
  • 31. OBTAIN UNDERSTANDING Audit Committee Effectiveness
    • Final authority over financial reporting
      • Challenge CEO, CFO over financial reporting
      • Seek advice of independent auditor
      • Engages independent counsel when necessary
  • 32. OBTAIN UNDERSTANDING Auditor’s Evaluation
    • Auditor evaluates audit committee effectiveness by considering
      • Nominating process & independence
      • Clarity of responsibilities
      • Level management cooperation
      • Committee involvement with auditor & internal auditing
      • Time devoted to audit, internal controls
  • 33. OBTAIN UNDERSTANDING Information Technology
    • Personal computers & local area networks
    • Database management systems
    • End-user computing
    • Telecommunications
    • Service bureaus
    • Internet technology
    • Software for information systems
      • Operating & applications software
  • 34. OBTAIN UNDERSTANDING IT & “Section 404 Documentation”
    • For information technology, did management
      • Document & test controls related to financial reporting?
      • Evaluate effectiveness, likelihood of failure?
      • Communicate findings to auditor?
      • Reach assessment that documentation supports?
  • 35. OBTAIN UNDERSTANDING Document System
    • To demonstrate compliance with requirement to understand & evaluate client’s system
      • Internal control questionnaire
      • Flowchart
      • Narrative memorandum
  • 36. OBTAIN UNDERSTANDING Identify Transactions Cycles
    • To identify cycles
      • Review account components for homogeneity
      • Identify representative cycles
      • Flowchart each cycle
      • Trace representative transactions through each cycle
      • Revise flowcharts if necessary
  • 37. OBTAIN UNDERSTANDING Perform Transaction Walkthroughs
    • Required by Section 404 of Sarbanes-Oxley Act
    • Trace wide range of transactions, common, uncommon, from each cycle through system from
      • Authorization to
      • Execution to
      • Recording to
      • Summarization
  • 38. OBTAIN UNDERSTANDING Auditor Responsibilities
    • In transactions walkthroughs, auditor must
      • Understand controls over end-of-period financial reporting
        • Especially for effects on earnings
  • 39. EVALUATE CONTROL EFFECTIVENESS : Reliability
    • When documenting controls
      • Identify controls to be relied upon
        • Test controls
        • If acceptable, assess control risk below maximum
      • Identify controls not suitable to justify reliance
        • Do not test these controls
        • Assess control risk at maximum
        • Plan audit to rely heavily on substantive tests
  • 40. EVALUATE CONTROL EFFECTIVENESS : Risk
    • Assess Control Risk
      • Consider errors, frauds that could occur
      • Identify relevant control activities to prevent, detect errors, frauds
      • Perform tests of controls on control activities that may prevent, detect errors, frauds
  • 41. EVALUATE CONTROL EFFECTIVENESS: Tests of Controls
    • Testing design of controls
      • Whether policy, procedure suitably designed to prevent, detect material misstatements
    • Testing operations of controls
      • Were control activities performed?
      • How were they performed?
      • By whom were they performed?
  • 42. EVALUATE CONTROL EFFECTIVENESS: General Controls
    • Computer assisted tests
      • Organization, operation controls
      • Systems development & documentation controls
      • Hardware controls
      • Access controls
      • Data & procedural controls
  • 43. GENERAL CONTROL EFFECTIVENESS: Operation
    • Organization & operation
      • Segregate computer department & users
      • Provide general authorization over execution of transactions
      • Segregate functions within the computer department
  • 44. GENERAL CONTROL EFFECTIVENESS: Documentation
    • Development & documentation
      • Participation by users, accounting personnel, internal auditors in system design
      • Review, approval of system specifications
      • Joint system testing by user, computer personnel
      • Approval new applications, changes
      • Control over master, transaction files
      • Procedures to create, maintain documentation
  • 45. GENERAL CONTROL EFFECTIVENESS: Hardware
    • Hardware controls
      • Controls built into computers by manufacturers
  • 46. GENERAL CONTROL EFFECTIVENESS: Access Controls
    • Limit access to authorized personnel for
      • Hardware
      • Software
      • Data files
      • Software support documentation
  • 47. GENERAL CONTROL EFFECTIVENESS: Data
    • Data & procedural controls
      • Written procedures, authorization manuals
      • Control groups
  • 48. EVALUATE CONTROL EFFECTIVENESS
    • Computer-Assisted Tests of Application Controls
      • Input controls
      • Processing controls
      • Output controls
  • 49. APPLICATION CONTROL EFFECTIVENESS: Input
    • Input controls
      • Input authorization, approval
      • Code verification
      • Data conversion
      • Data movement
      • Occurrence correction
  • 50. APPLICATION CONTROL EFFECTIVENESS: Processing
    • Processing controls
      • Control totals
      • File labels
      • Limit (reasonableness) tests
  • 51. APPLICATION CONTROL EFFECTIVENESS: Output
    • Output controls
      • Control totals comparisons
      • Output distribution
  • 52. COMPUTER-ASSISTED TESTS OF CONTROLS: Types
    • Test data : uses client software to process data with valid & invalid transactions
    • Base Case System Evaluation (BCSE): develops test data to test expected conditions
    • Integrated test facility : tests whether client actually uses software by running live and fictitious data simultaneously
    • Parallel simulation : processing client data with auditor’s software
  • 53. COMPUTER-ASSISTED TESTS OF CONTROLS: Types (cont.)
    • Embedded audit modules : selects client data for subsequent testing & analysis
      • SCARFs: logs created from embedded audit modules that collect transaction information
    • Audit hooks & tagging : transaction records tagged & traced through critical control points
  • 54. CONTROL DEFICIENCIES, MATERIAL WEAKNESSES
    • Deficiencies do not allow management, employees to prevent, detect misstatements in normal course of business
    • Material weakness is a significant deficiency more than remotely likely to cause a material misstatement that will not be prevented, detected
  • 55. NATURE, TIMING, EXTENT
    • Audit risk strategy
      • Determine acceptable detection risk
      • Design nature, timing, extent of substantive tests
  • 56. NATURE, TIMING, EXTENT & SUBSTANTIVE TESTS
    • Effect of level of detection risk on substantive tests
      • Nature: lower, use more persuasive tests (confirmation); higher, use less persuasive tests (documentation)
      • Timing: lower, test at balance sheet date; higher, test at interim dates
      • Extent: lower, test more (increase sample size); higher, test less (decrease sample size)
  • 57. AUDITOR’S OPINION ON INTERNAL CONTROLS
    • Auditor evaluates
      • Reports by internal auditors
      • Significant deficiencies
      • Results of test of controls
      • Results of substantive test of details
    • To issue an opinion on controls
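
Added example, not part of the original slides: slides 50 and 52 list limit tests, control totals and the test data technique. The sketch below runs a constructed deck of valid and invalid transactions through a stand-in posting routine and reports every transaction whose actual handling differs from the auditor's prediction. `post_batch`, the 10,000 limit and all transaction values are assumptions made for illustration.

```python
from decimal import Decimal

def post_batch(batch, declared_total, limit=Decimal("10000")):
    """Constructed stand-in for the client's posting software (hypothetical).
    Input control: approval present. Processing controls: limit test, control total."""
    accepted, rejected = [], {}
    for txn in batch:
        amount = Decimal(txn["amount"])
        if not txn["approved_by"]:
            rejected[txn["id"]] = "missing authorization"
        elif amount <= 0 or (limit is not None and amount > limit):
            rejected[txn["id"]] = "failed limit test"
        else:
            accepted.append(txn["id"])
    # Control total: the batch as received must add up to the total declared with it.
    computed = sum((Decimal(t["amount"]) for t in batch), Decimal("0"))
    return {"accepted": accepted, "rejected": rejected,
            "totals_agree": computed == Decimal(declared_total)}

# Constructed test deck: each transaction is paired with the auditor's predicted outcome.
TEST_DECK = [
    ({"id": "T1", "amount": "250.00", "approved_by": "mgr01"}, "accept"),
    ({"id": "T2", "amount": "10000.00", "approved_by": "mgr01"}, "accept"),  # exactly at limit
    ({"id": "T3", "amount": "10000.01", "approved_by": "mgr01"}, "reject"),  # just over limit
    ({"id": "T4", "amount": "-40.00", "approved_by": "mgr02"}, "reject"),    # negative amount
    ({"id": "T5", "amount": "75.50", "approved_by": ""}, "reject"),          # no approval
]

def deck_total(deck):
    """Control total the auditor declares for the deck."""
    return str(sum((Decimal(t["amount"]) for t, _ in deck), Decimal("0")))

def run_test_data(processor, deck, declared_total):
    """Return (exceptions, totals_agree). An exception is a transaction whose
    actual handling differs from the auditor's prediction."""
    result = processor([txn for txn, _ in deck], declared_total)
    exceptions = []
    for txn, expected in deck:
        actual = "accept" if txn["id"] in result["accepted"] else "reject"
        if actual != expected:
            exceptions.append((txn["id"], expected, actual))
    return exceptions, result["totals_agree"]

if __name__ == "__main__":
    total = deck_total(TEST_DECK)
    print(run_test_data(post_batch, TEST_DECK, total))        # controls operating
    no_limit = lambda b, t: post_batch(b, t, limit=None)      # limit test switched off
    print(run_test_data(no_limit, TEST_DECK, total))
    print(run_test_data(post_batch, TEST_DECK, "1.00"))       # control total mismatch
```

The boundary pair T2/T3 is what exposes a missing or mis-set limit test; a deck of only clearly valid and clearly invalid amounts would pass either way.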