Your SlideShare is downloading. ×
Auditing
                   Chapter 5
                   ( S u p p l e m e n t )
                                         ...
In response to the number of major corporate accounting scandals rocking the financial world
                    (e.g., En...
3.  provide reasonable assurance regarding prevention or timely detection of unauthorized
                         acquisi...
EXHIBIT 5.1 AIG Management's Report on Internal Control over Financial Reporting




                                     ...
Management of AIG and its consolidated subsidiaries is responsible for establishing and maintaining adequate internal cont...
ADDITIONAL PROCEDURES REQUIRED BY AS 2
LEARNING OBJECTIVE:

DESCRIBE ADDITIONAL
RESPONSIBILITIES REQUIRED BY

SARBANES-OXL...
For the auditor to satisfactorily complete an audit of internal control over financial reporting,
                    mana...
8


                                    © The McGraw-Hill Companies, Inc.,
2007
Auditing & Assurance Services             ...
Whether the result of a design deficiency or an operating deficiency, an internal control
                      deficiency...
3.   Gaining an understanding of internal control over financial reporting

                         •    Company-level co...
are one or more material weaknesses in the company's internal control over financial
                                   re...
12


                                     © The McGraw-Hill Companies, Inc.,
2007
Auditing & Assurance Services           ...
Effectiveness of internal control over financial reporting. The internal control report may be
                          i...
14


                                     © The McGraw-Hill Companies, Inc.,
2007
Auditing & Assurance Services           ...
REVIEW
                         CHECKPOINTS

                         5.26     What two reports are auditors of public com...
b. design effectiveness only
                 c.   both operating and design effectiveness

5.62     Which of the followin...
Upcoming SlideShare
Loading in...5
×

Supplemental Material for Chapter 5 (151.0K).doc

2,016

Published on

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,016
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
72
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Supplemental Material for Chapter 5 (151.0K).doc"

  1. 1. Auditing Chapter 5 ( S u p p l e m e n t ) Internal Control Evaluation for Public Companies Professional Standards References Compendium Document Section Reference Topic Various1 AS 2 An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements 1 AS 2 amends AU 310, AU 319, AU 325, AU 326, AU 329, AU 339, AU 380 AT 501, ET 101, and ET 191 1 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  2. 2. In response to the number of major corporate accounting scandals rocking the financial world (e.g., Enron, WorldCom, Xerox, K-Mart), on July 30, 2002, Congress passed the most wide- sweeping financial reporting legislation since the 1930’s (when Congress established the SEC). The Sarbanes-Oxley Act is intended to strengthen corporate financial reporting by assessing stiffer criminal penalties for white-collar crimes, increasing management accountability, and enhancing auditor independence. The Act is very specific about management’s responsibility for organizational internal control. In addition to certifying the company’s financial statements (Section 302), management must also report on the company’s internal control over financial reporting (Section 404). Specifically, the company’s annual report must include: • A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting. • A statement identifying the framework management uses to evaluate the effectiveness of the company’s internal control. • A statement providing management's assessment of the effectiveness of the company’s internal control. Exhibit 5.1 provides an example of management's 2004 report over internal controls for American International Group, Inc. (AIG), a company that recorded a $2.7 billion restatement due to inappropriate accounting for investments and transactions with related parties Under the new rules, management must also disclose any material weaknesses in internal control. If any material weaknesses exist, management may not be able to conclude that the company's internal control over financial reporting is effective. The company’s auditor must also attest to the truthfulness of these management internal control assessments. AUDITING INSIGHT SARBANES-OXLEY DEFINITION OF INTERNAL CONTROL The Sarbanes Oxley Act of 2002 definition of "internal control over financial reporting" is very similar, although focused primarily on internal control over financial reporting: Internal control is a process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that 1. pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant; 2. provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and 2 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  3. 3. 3. provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements. Source: U.S. Congress, Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat/ 745 (2002). 3 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  4. 4. EXHIBIT 5.1 AIG Management's Report on Internal Control over Financial Reporting 4 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  5. 5. Management of AIG and its consolidated subsidiaries is responsible for establishing and maintaining adequate internal control over financial reporting. AIG’s internal control over financial reporting is a process, under the supervision of AIG’s Chief Executive Officer and Chief Financial Officer, designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of AIG’s financial statements for external reporting purposes in accordance with GAAP. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. AIG management conducted an assessment of the effectiveness of AIG’s internal control over financial reporting as of December 31, 2004 based on the criteria established in Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). A material weakness is a control deficiency, or a combination of control deficiencies, that results in more than a remote likelihood that a material misstatement of AIG’s annual or interim financial statements will not be prevented or detected. In connection with the assessment described above, AIG management identified control deficiencies as of December 31, 2004 in the following areas: Control environment: Certain of AIG’s controls within its control environment were not effective to prevent certain members of senior management, including the former Chief Executive Officer and former Chief Financial Officer, from having the ability, which in certain instances was utilized, to override certain controls and effect certain transactions and accounting entries. In certain of these instances, such transactions and accounting entries appear to have been largely motivated to achieve desired accounting results and were not properly accounted for in accordance with GAAP. Further, in certain of these instances, information critical to an effective review of transactions, accounting entries, and certain entities used in these transactions and accounting entries, were not disclosed to the appropriate financial and accounting personnel, regulators and AIG’s independent registered public accounting firm. As a result, discussion and thorough legal, accounting, actuarial or other professional analysis did not occur. This control deficiency is based primarily on these overrides. Specifically, this control deficiency permitted the following: * Creation of Capco, a special purpose entity used to effect transactions that were recorded to convert, improperly, underwriting losses to investment losses and that were not correctly accounted for in accordance with GAAP, resulting in a misstatement of premiums and other considerations, realized capital gains (losses), incurred policy losses and benefits and related balance sheet accounts. * Incorrect recording under GAAP of reinsurance transactions that did not involve sufficient risk transfer…. * Various transactions, such as Covered Calls and certain “Top Level” Adjustments, converted realized and unrealized gains into investment income…. * Incorrect recording under GAAP of changes to loss reserves and changes to loss reserves through “Top Level” Adjustments without adequate support, resulting in a misstatement of incurred policy losses and benefits, reserves for losses and loss expenses, foreign currency translation adjustments and retained earnings. Controls over the evaluation of risk transfer: AIG did not maintain effective controls over the proper evaluation, documentation and disclosure of whether certain insurance and reinsurance transactions involved sufficient risk transfer to qualify for insurance and reinsurance accounting…. Controls over certain balance sheet reconciliations: AIG did not maintain effective controls to ensure the accuracy of certain balance sheet accounts in certain key segments of AIG’s operations…. Specifically, accounting personnel did not perform timely reconciliations and did not properly resolve reconciling items for premium receivables, reinsurance recoverables and intercompany accounts. As a result, insurance acquisition and other operating expenses, premiums and insurance balances receivable, reinsurance assets, other assets and retained earnings were misstated under GAAP. Controls over the accounting for certain derivative transactions: AIG did not maintain effective controls over the evaluation and documentation of whether certain derivative transactions qualified under GAAP for hedge accounting…. Controls over income tax accounting: AIG did not maintain effective controls over the determination and reporting of certain components of the provision for income taxes and related deferred income tax balances. Specifically, AIG did not maintain effective controls to review and monitor the accuracy of the components of the income tax provision calculations and related deferred income taxes and to monitor the differences between the income tax basis and the financial reporting basis of assets and liabilities to effectively reconcile the differences to the deferred income tax balances. … The control deficiencies described above resulted in the restatement of AIG’s 2003, 2002, 2001 and 2000 annual consolidated financial statements and 2004 and 2003 interim consolidated financial statements, as well as adjustments, including audit adjustments relating to the derivative matter described above, to AIG’s 2004 annual consolidated financial statements. Furthermore, these control deficiencies could result in other misstatements in financial statement accounts and disclosures that would result in a material misstatement to the annual or interim AIG consolidated financial statements that would not be prevented or detected. Accordingly, management has concluded that these control deficiencies constitute material weaknesses. 5 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  6. 6. ADDITIONAL PROCEDURES REQUIRED BY AS 2 LEARNING OBJECTIVE: DESCRIBE ADDITIONAL RESPONSIBILITIES REQUIRED BY SARBANES-OXLEY AND AS 2. PCAOB Audit Standard No. 2 (AS 2) details the work that external auditors of public companies must perform to comply with Sarbanes-Oxley's Section 404. The standard requires the auditors to audit both (1) management's assessment of the effectiveness internal controls and (2) the controls themselves. The auditor must plan and perform the audit to obtain reasonable assurance about whether the company maintained effective control. Reasonable assurance is understood by the SEC to be a "high level of assurance." 2 It "includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis."3 For the auditors, this duty entails an increased amount of internal control testing concerning the client’s financial reporting processes and procedures. The audit of internal controls must be integrated with the financial statement audit and cannot be performed as a separate engagement. The controls subject to the reports are those that exist at the end of the year being reported on. Under the second fieldwork standard of GAAS, auditors must obtain an understanding of internal controls to determine the nature timing and extent of audit procedures. If they plan to rely on controls to reduce substantive procedures, they must test the controls for effectiveness. However, GAAS is designed for an audit of financial statements, but Sarbanes-Oxley requires an audit of financial reporting controls. Thus, the procedures are more extensive. REQUIREMENTS Much of the initial work, including documentation and testing controls is done by employees of the firm including the internal audit staff and outside parties hired by management. This puts an additional emphasis on SAS 65 Auditor’s Consideration of the Internal Audit Function (Chapter Four). Thus, the external auditor must evaluate the internal auditors' competence and objectivity, and must perform some tests of their work. AS 2 encourages the external auditor to use the work of internal auditor; however, the external auditor's own work must provide the principal evidence for the audit opinion on internal controls. Moreover, auditors cannot use the work of others to reduce work they perform on the control environment. Another important difference is that the audit of internal control is as of the end of the fiscal year. However, to meet the requirements of GAAS, the auditor must understand and evaluate the controls for the entire period to determine their effect on the nature, timing and extent of substantive procedures. 2 SEC Staff Statement on Management's Report on Internal Control over Financial Reporting May 16, 2005. para. C. 3 PCAOB AS 2, para 17. 6 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  7. 7. For the auditor to satisfactorily complete an audit of internal control over financial reporting, management must do the following: a. Accept responsibility for the effectiveness of the company's internal control over financial reporting; b. Evaluate the effectiveness of the company's internal control over financial reporting using suitable control criteria; c. Support its evaluation with sufficient evidence, including documentation; and d. Present a written assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year. AS 2 emphasizes the use of a six step audit procedure to audit financial reporting controls: 1. Planning the engagement. The auditor must be aware of the additional requirements and incorporate into the planning of the engagement any additional knowledge required and tests that need to be performed. Evaluation must be done for all relevant assertions for all significant accounts or disclosures. Thus significant accounts, locations, and assertions must be identified. A difficult decision in auditing controls of global organizations is deciding which locations are significant and must be visited. Each location is evaluated based on size, risks, and whether risks are mitigated by company-wide controls. The key to determining whether an account, location, or assertion is significant is whether there is a more than remote possibility that a material misstatement could be associated with it. Just as control risk is used to determine the nature timing, and extent of substantive procedures, inherent risk is used to determine the nature, timing, and extent of internal control audit procedures4. 2. Evaluating management’s assessment process. The auditor must gain an understanding of the process management used to assess the internal controls over the financial reporting process of the entity and must test the effectiveness of the process. Management's assessment process is similar to the auditor's and should address the following elements (para 40): • Determining which controls should be tested. • Evaluating the likelihood that failure of the controls could result in a misstatement. • Determining the locations or business units to include. • Evaluating the design effectiveness of controls. Design effectiveness is whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements. The evaluation and testing for each assertion must be performed annually. • Evaluating the operating effectiveness of controls. Operating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. • Determining the deficiencies in internal control that are of such a magnitude and likelihood of occurrence that they constitute significant deficiencies or material weaknesses. • Communicating findings to the auditor and to others if applicable • Evaluating whether findings are reasonable and support management's assessment. 4 Ibid. 7 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  8. 8. 8 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  9. 9. Whether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the company’s management or employees to detect or prevent misstatements in a timely fashion. A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control’s objective. An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly due to poorly trained employees). More serious internal control deficiencies can be categorized into one of two groups depending upon their severity. Significant deficiencies are defined as conditions that could adversely affect the organization’s ability to initiate, record, process, and report financial data in the financial statements. The deficiency would provide a more than remote possibility of a misstatement that is more than inconsequential would not be prevented or detected. Examples include: oAbsence of appropriate segregation of duties. oAbsence of appropriate reviews and approvals of transactions. oEvidence of failure of control procedures. oEvidence of intentional management override of control procedures by persons in authority to the detriment of control objectives. A material weakness in internal control is defined as a condition that results in more than a remote likelihood of a material misstatement of the financial statements. The following circumstances should be regarded as strong indicators that a material weakness exists: oRestatement of previously issued financial statements to reflect the correction of a misstatement oEvidence of material misstatements (caught by the audit team) that were not prevented or detected by the client’s internal controls. oIneffective oversight of the financial reporting process by the company’s audit committee. oIneffective internal control or risk assessment function. oIneffective regulatory compliance functions, if applicable. oIndication of fraud by senior management oUncorrected significant deficiencies that were previously reported to management. oAn ineffective control environment. Probability of Magnitude of affecting financial statements financial statement effect Internal control deficiency Less than remote Inconsequential Significant deficiency More than remote More than inconsequential Material weakness More than remote Material misstatement 9 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  10. 10. 3. Gaining an understanding of internal control over financial reporting • Company-level controls have a pervasive impact on controls at the process, transaction, or application level, and understanding them should be the auditor's first step in gaining an understanding. • • The auditor is required to understand the working of the internal control process over financial reporting. This aspect of the standard places an emphasis on the auditor performing a walk through of the internal control process. The use of a walkthrough in conducting internal control testing related to PCAOB is more comprehensive than the use of a walkthrough in the financial statement audit. • AS 2 requires auditors to perform walkthroughs of all significant systems. 4. Testing and evaluating design effectiveness of internal control over financial reporting 5. Testing and evaluating operating effectiveness of internal control over financial reporting 6. Forming an opinion on the effectiveness of internal control over financial reporting. REPORTING Auditors are required to issue two audit opinions regarding financial reporting controls. Management's Assessment Inadequate or Report Inappropriate. If the auditor determines that management's process for assessing internal control over financial reporting is inadequate, the auditor should modify his or her opinion for a scope limitation. If the auditor determines that management's report is inappropriate, the auditor should modify his or her report to include, at a minimum, an explanatory paragraph describing the reasons for this conclusion. With respect to management's report on its assessment, the auditor should evaluate the following matters: a. Whether management has properly stated its responsibility for establishing and maintaining adequate internal control over financial reporting. b. Whether the framework used by management to conduct the evaluation is suitable. (As discussed in paragraph 14, the framework described in COSO constitutes a suitable and available framework.) c. Whether management's assessment of the effectiveness of internal control over financial reporting, as of the end of the company's most recent fiscal year, is free of material misstatement. d. Whether management has expressed its assessment in an acceptable form. – Management is required to state whether the company's internal control over financial reporting is effective. – A negative assurance statement indicating that, "Nothing has come to management's attention to suggest that the company's internal control over financial reporting is not effective," is not acceptable. – Management is not permitted to conclude that the company's internal control over financial reporting is effective if there 10 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  11. 11. are one or more material weaknesses in the company's internal control over financial reporting. e. Whether material weaknesses identified in the company's internal control over financial reporting, if any, have been properly disclosed, including material weaknesses corrected during the period. An example of management's report on internal controls for AIG Group, Inc. is presented in Exhibit 5.1. Exhibit 5.2 illustrates parts of the auditor's opinion on internal controls for AIG. Exhibit 5. 2 Excerpt from AIG auditor's opinion—explanatory and opinion paragraphs. REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM To the Board of Directors and Shareholders of American International Group, Inc.: [Standard Introductory Paragraph] [Consolidated financial statements and financial statement schedules] Internal control over financial reporting [Standard introductory and scope paragraphs describing audits of internal control] A material weakness is a control deficiency, or combination of control deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. As of December 31, 2004, the following material weaknesses have been identified and included in management's assessment. [A listing of the material weaknesses described in Exhibit 5.1] The control deficiencies described above resulted in the restatement of AIG’s 2003, 2002, 2001 and 2000 annual consolidated financial statements and 2004 and 2003 interim consolidated financial statements, as well as adjustments, including audit adjustments relating to the derivative matter described above, to AIG’s 2004 annual consolidated financial statements. Furthermore, these control deficiencies could result in other misstatements in financial statement accounts and disclosures that would result in a material misstatement to the annual or interim AIG consolidated financial statements that would not be prevented or detected. Accordingly, management has concluded that these control deficiencies constitute material weaknesses. These material weaknesses were considered in determining the nature, timing, and extent of audit tests applied in our audit of the 2004 consolidated financial statements, and our opinion regarding the effectiveness of AIG’s internal control over financial reporting does not affect our opinion on those consolidated financial statements. In our opinion, management’s assessment that AIG did not maintain effective internal control over financial reporting as of December 31, 2004, is fairly stated, in all material respects, based on criteria established in Internal Control – Integrated Framework issued by the COSO. Also, in our opinion, because of the effects of the material weaknesses described above on the achievement of the objectives of the control criteria, AIG has not maintained effective internal control over financial reporting as of December 31, 2004, based on criteria established in Internal Control – Integrated Framework issued by the COSO. PricewaterhouseCoopers LLP New York, New York May 27, 2005 11 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  12. 12. 12 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  13. 13. Effectiveness of internal control over financial reporting. The internal control report may be included with the external auditor’s opinion on the financial statement or may be a separate report. PCAOB 2 provides three types of deficiencies that the external auditor must classify as a significant deficiency in internal controls • Ineffective oversight by the audit committee • A material misstatement in the financial statements that was not identified by the system of internal control • Significant deficiencies in internal control that remain uncorrected after a reasonable period of time. As with reports on financial statements, auditors can issue one of three types of reports on internal controls: • Unqualified—no material weaknesses • Qualified or disclaimer—auditor cannot perform all of the procedures considered necessary • Adverse opinion—material weakness exists (the auditor may give an unqualified opinion on management's report if they identify the weakness and say internal control is not effective). Note that since the opinion on internal controls is as of the end of the fiscal year, the company may be able to correct or remediate deficiencies or weaknesses after they are detected. However, the auditor must have sufficient time to test the design effectiveness and operating effectiveness of the remediated control before providing an unqualified opinion5. Sarbanes-Oxley requires written reports for publicly traded companies; however, because the potential for misinterpretation is great, auditors should not issue reports stating that "no significant deficiencies were noted during the audit". A manager receiving such a report could conclude (incorrectly) that the auditors are stating positively that the company has no internal control problems. DOCUMENTATION In addition to the documentation requirements in AU sec. 339, Audit Documentation, the auditor should document: • The understanding obtained and the evaluation of the design of each of the five components of the company's internal control over financial reporting; • The process used to determine significant accounts and disclosures and major classes of transactions, including the determination of the locations or business units at which to perform testing; • The identification of the points at which misstatements related to relevant financial statement assertions could occur within significant accounts and disclosures and major classes of transactions; • The extent to which the auditor relied upon work performed by others as well as the auditor's assessment of their competence and objectivity; • The evaluation of any deficiencies noted as a result of the auditor's testing; and • Other findings that could result in a modification to the auditor's report. 5 Clients may request auditors to report separately on elimination of material weaknesses. Guidance on preparing such a report is provided by PCAOB's AS 4. 13 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  14. 14. 14 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  15. 15. REVIEW CHECKPOINTS 5.26 What two reports are auditors of public companies required to issue on financial reporting controls? 5.27 What is management's responsibility for reporting on financial reporting controls? 5.28 What are the six steps for auditors to take in auditing financial reporting controls? 5.29 What is an internal control deficiency? A significant deficiency? A material weakness? 5.30 What audit opinions may auditors provide on financial reporting controls? 5.32 What is the auditor required to document for the audit of financial reporting controls? AUDITING INSIGHT Trends in Internal Control Disclosures Reviews of the first year of internal disclosures under SOX indicate nearly 12% of companies reported material weaknesses, mostly reported by smaller companies. The most common general issues were deficiencies in documentation, weaknesses resulting in adjustments or restatements, and inadequate personnel. Specific areas related to tax accounting, revenue recognition, leases, and inventory. Source: Internal Control Disclosures: Key Trends to Watch Deloitte May 11, 2005. MULTIPLE-CHOICE QUESTIONS FOR PRACTICE AND REVIEW 5.58 The concept of reasonable assurance in AS 2 means the probability of a material misstatement not being prevented or detected on a timely basis is: a. remote b. reasonably possible c. likely d. certain 5.59 AS 2 requires auditors of public companies to report on Management's report on internal An audit of internal control control a. No No b. Yes No c. No Yes d. Yes Yes 5.60 AS 2 requires auditors of public companies to audit internal controls over a. operations b. compliance with regulations c. financial reporting d. all of the above 5.61 AS 2 requires auditors to test a. operating effectiveness only 15 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement
  16. 16. b. design effectiveness only c. both operating and design effectiveness 5.62 Which of the following would probably not be considered an indication of a material weakness? a. Evidence of a material misstatement b. Ineffective oversight by the audit committee c. Uncorrected previously reported significant deficiencies d. All of the above indicate material weaknesses. 5.63 Which report would not be appropriate for an auditor to provide on financial reporting controls? a. Unqualified—no material weaknesses? b. Qualified—unable to perform all necessary procedures c. Qualified—significant deficiencies exist d. Adverse—material weaknesses exist 5.64 Effects of Sarbanes-Oxley Act: Your long-time client, Central Office Supply, has been rapidly expanding, and the board of directors is considering taking the company public. The CEO, Foster Puckett has heard that costs of operating a public company have increased significantly as a result of The Sarbanes-Oxley act. He is particularly concerned with reports that audit fees have doubled because of internal control provisions of the act and PCAOB standard 2. He has asked you to explain the possible effects on the audit of complying with the requirements of Sarbanes-Oxley. Required: Draft a letter to Foster Puckett outlining the changes in the company's responsibilities for internal control and changes in the audit due to Sarbanes Oxley and AS 2. 16 © The McGraw-Hill Companies, Inc., 2007 Auditing & Assurance Services Chapter 5 Supplement

×