Arens12e 10


Published on

Published in: Business, Economy & Finance
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Arens12e 10

  1. 1. Section 404 Audits of Internal Control and Control Risk Chapter 10
  2. 2. Learning Objective 1 <ul><li>Describe the three primary </li></ul><ul><li>objectives of effective </li></ul><ul><li>internal control. </li></ul>
  3. 3. Internal Control Objectives 3. Compliance with laws and regulations 2. Efficiency and effectiveness of operations 1. Reliability of financial reporting
  4. 4. Learning Objective 2 <ul><li>Contrast management’s </li></ul><ul><li>responsibilities for maintaining </li></ul><ul><li>and reporting on internal controls </li></ul><ul><li>with the auditor’s responsibilities </li></ul><ul><li>for understanding, testing, and </li></ul><ul><li>reporting on internal controls. </li></ul>
  5. 5. Management and Auditor Responsibilities Related to Internal Control <ul><li>Management’s responsibility </li></ul><ul><li>for establishing internal control </li></ul><ul><li>Reasonable assurance </li></ul><ul><li>Inherent limitations </li></ul>
  6. 6. Management and Auditor Responsibilities Related to Internal Control <ul><li>Management’s Section 404 </li></ul><ul><li>reporting responsibilities </li></ul><ul><li>Design of internal control </li></ul><ul><li>Operating effectiveness of controls </li></ul>
  7. 7. Management and Auditor Responsibilities Related to Internal Control <ul><li>Auditor responsibilities for </li></ul><ul><li>understanding internal control </li></ul><ul><li>Control over classes of transactions </li></ul><ul><li>Auditor responsibilities for testing </li></ul><ul><li>internal control </li></ul><ul><li>Controls over the reliability </li></ul><ul><li>of financial reporting </li></ul>
  8. 8. Sales Transaction-related Audit Objectives Sales Transaction-related Audit Objectives Sales are for shipments to existing customers Transaction-related Audit Objective – General form Recorded transactions exist (occurrence) Existing sales transactions are recorded Existing transactions are recorded (completeness) Transactions are stated correctly (accuracy) Sales for goods shipped are correctly billed
  9. 9. Sales Transaction-related Audit Objectives Transactions are correctly classified (classification) Sales transactions are correctly classified Transactions are recorded on correct dates (timing) Sales are recorded on the correct dates Transactions are correctly filed (posting and summarization) Sales transactions are correctly included in the master files Sales Transaction-related Audit Objectives Transaction-related Audit Objective – General form
  10. 10. Learning Objective 3 <ul><li>Explain the five components </li></ul><ul><li>of the COSO internal </li></ul><ul><li>control framework. </li></ul>
  11. 11. Five Components of Internal Control Risk assessment Control activities Information and communication Monitoring Control Environment
  12. 12. The Control Environment <ul><li>Integrity and ethical values </li></ul><ul><li>Commitment to competence </li></ul><ul><li>Board of directors or audit </li></ul><ul><li>committee participation </li></ul>
  13. 13. The Control Environment <ul><li>Management’s philosophy and operating style </li></ul><ul><li>Organizational structure </li></ul><ul><li>Human resource policies and practices </li></ul>
  14. 14. Risk Assessment <ul><li>Identify factors that may increase risk </li></ul><ul><li>Assess the likelihood of the risk occurring </li></ul><ul><li>Determine actions necessary to manage the risk </li></ul><ul><li>Estimate the significance of the risk </li></ul>
  15. 15. Control Activities 1. Adequate separation of duties 2. Proper authorization of transactions and activities 3. Adequate documents and records 4. Physical control over assets and records 5. Independent checks on performance
  16. 16. Adequate Separation of Duties Custody of assets Accounting Authorization of transactions The custody of related assets Operational responsibility Record-keeping responsibility IT duties User departments from from from from
  17. 17. Proper Authorization of Transactions and Activities <ul><li>General authorization </li></ul><ul><li>Specific authorization </li></ul>
  18. 18. Adequate Documents and Records <ul><li>Prenumbered consecutively </li></ul><ul><li>Prepared at the time of transaction </li></ul><ul><li>Designed for multiple use </li></ul><ul><li>Constructed to encourage correct preparation </li></ul>
  19. 19. Physical Control Over Assets and Records The most important type of protective measure for safeguarding assets and records is the use of physical precautions.
  20. 20. Independent Checks on Performance The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.
  21. 21. Information and Communication The purpose of an accounting information and communication system is to… initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.
  22. 22. Monitoring Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance… to determine whether controls are operating as intended and modified when needed.
  23. 23. SEC and COSO Focus on Smaller Public Companies The SEC has extended the deadline for small public companies compliance with Section 404 requirements. COSO issued guidance in Internal Control Over Financial Reporting for Smaller Public Companies.
  24. 24. Learning Objective 4 <ul><li>Obtain and document an </li></ul><ul><li>understanding of internal control. </li></ul>
  25. 25. Process for Understanding Internal Control and Assessing Control Risk Phase 1 Obtain an understanding of internal control: design and operation Phase 2 Assess control risk Phase 3 Design, perform, and evaluate tests of controls Phase 4 Decide planned detection risk and substantive tests
  26. 26. Obtain and Document Understanding of Internal Control SAS 109 and PCAOB Standard 2 both require auditors to obtain an understanding of internal control for every audit. <ul><li>Procedures to obtain an understanding: </li></ul><ul><li>Design of internal controls </li></ul><ul><li>Whether placed in operation </li></ul><ul><li>Uses this information as a basis for the </li></ul><ul><li>integrated audit </li></ul>
  27. 27. Methods Used Narrative Flowchart Internal control questionnaire
  28. 28. Narrative 1. The origin of every document and record in the system 2. All processing that takes place 3. The disposition of every document and record in the system 4. An indication of the controls relevant to the assessment of control risk
  29. 29. Evaluating Internal Control Operation <ul><li>Update and evaluate auditor’s previous </li></ul><ul><li>experience with the entity </li></ul><ul><li>Make inquiries of client personnel </li></ul><ul><li>Examine documents and records </li></ul><ul><li>Observe entity activities and operations </li></ul><ul><li>Perform walk-throughs of the accounting system </li></ul>
  30. 30. Learning Objective 5 <ul><li>Assess control risk by linking key </li></ul><ul><li>controls, significant deficiencies, </li></ul><ul><li>and material weaknesses to </li></ul><ul><li>transaction-related audit </li></ul><ul><li>objectives. </li></ul>
  31. 31. Assess Control Risk Assess whether the financial statements are auditable. Determine assessed control risk supported by the understanding obtained assuming the controls are being followed. Use of a control risk matrix to assess control risk.
  32. 32. Control Risk Matrix Many auditors use the control risk matrix to assist in the control risk assessment process.
  33. 33. Control Risk Matrix <ul><li>Identify audit objectives </li></ul><ul><li>Identify existing controls </li></ul><ul><li>Associate controls with related audit objectives </li></ul><ul><li>Identify and evaluate control deficiencies, </li></ul><ul><li>significant deficiencies, and material weaknesses </li></ul>
  34. 34. Evaluating Significant Control Deficiencies Material Weakness LIKELIHOOD SIGNIFICANCE Material Immaterial Probable Remote
  35. 35. Identify Deficiencies and Weakness <ul><li>Identify existing controls </li></ul><ul><li>Identify the absence of key controls </li></ul><ul><li>Consider the possibility of compensating controls </li></ul><ul><li>Decide whether there is a significant deficiency </li></ul><ul><li>or material weakness </li></ul><ul><li>Determine potential misstatements that could result </li></ul>
  36. 36. Communications <ul><li>Management letters </li></ul><ul><li>Communications to those </li></ul><ul><li>charged with governance </li></ul>
  37. 37. Learning Objective 6 <ul><li>Describe the process of designing </li></ul><ul><li>and performing tests of controls. </li></ul>
  38. 38. Tests of Controls The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls .
  39. 39. Procedures for Tests of Controls 1. Make inquiries of client personnel 2. Examine documents, records, and reports 3. Observe control-related activities 4. Reperform client procedures
  40. 40. Extent of Procedures <ul><li>Reliance on evidence from prior year’s audit </li></ul><ul><li>Testing of controls related to significant risks </li></ul><ul><li>Testing less than the entire audit period </li></ul>
  41. 41. Relationship of Assessed Control Risk and Extent of Procedures Inquiry Documentation Observation Reperformance Yes–extensive Yes–with transaction walk-through Yes–with transaction walk-through No Yes–some Yes–using sampling Yes–at multiple times Yes–using sampling Type of procedure High level: Procedures to obtain an understanding Lower level: Tests of controls Assessed Control Risk
  42. 42. Decide Planned Detection Risk and Design Substantive Tests The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests. The auditor links the control risk assessments to the balance- related audit objectives.
  43. 43. Learning Objective 7 <ul><li>Understand Section 404 </li></ul><ul><li>requirements for auditor </li></ul><ul><li>reporting on internal control. </li></ul>
  44. 44. Section 404 Reporting on Internal Control 1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects. 2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.
  45. 45. Types of Opinions <ul><li>Unqualified </li></ul><ul><li>Adverse </li></ul><ul><li>Qualified or disclaimer of opinion </li></ul>
  46. 46. Learning Objective 8 <ul><li>Describe the differences in </li></ul><ul><li>evaluating, reporting, and </li></ul><ul><li>testing internal control for </li></ul><ul><li>nonpublic companies. </li></ul>
  47. 47. Evaluating, Reporting, and Testing Internal Control for Nonpublic Companies 1. Reporting requirements 2. Extent of required internal controls 4. Assessing control risk 5. Extent of tests of controls needed 3. Extent of understanding needed
  48. 48. Differences in Scope of Controls Tested Internal controls over financial reporting Internal controls used to assess control risk below maximum Controls that must be tested in an audit of financial statements Controls that must be tested in an audit of internal controls
  49. 49. End of Chapter 10