Confirming Pages        Chapter     18     Learning objectives                                        Integrated Audits    ...
Confirming Pages                                                                                                           ...
Confirming Pages               698 Chapter Eighteen               FIGURE 18.1                                              ...
Confirming Pages                                                                                         Integrated Audits ...
Confirming Pages               700 Chapter Eighteen               FIGURE 18.3                                              ...
Confirming Pages                                                                                                           ...
Confirming Pages               702 Chapter Eighteen                                         There is a subtle difference be...
Confirming Pages                                                                                                  Integrate...
Confirming Pages               704 Chapter Eighteen               FIGURE 18.6                Antifraud Program             ...
Confirming Pages                                                                                       Integrated Audits of...
Confirming Pages               706 Chapter Eighteen               FIGURE 18.7 Relationships among Processes, Transaction Ty...
Confirming Pages                                                                                              Integrated Au...
Confirming Pages               708 Chapter Eighteen               FIGURE 18.8 Process: Accounts Receivable                 ...
Confirming Pages                                                                                           Integrated Audit...
Confirming Pages               710 Chapter Eighteen                                                    To illustrate, assum...
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Ac410 whittington 18 ed_ch18
Upcoming SlideShare
Loading in …5
×

Ac410 whittington 18 ed_ch18

2,807 views

Published on

Published in: Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,807
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
31
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Ac410 whittington 18 ed_ch18

  1. 1. Confirming Pages Chapter 18 Learning objectives Integrated Audits of Public Companies LO1 In this chapter, we provide information on integrated Describe the nature of an inte- audits based on the provisions of Public Company After studying this chapter, Accounting Oversight Board (PCAOB) Standard No. 5, grated audit. you should be able to: “An Audit of Internal Control Over Financial Reporting LO1 Describe the nature of That Is Integrated with an Audit of Financial Statements.” Throughout this chapter, an integrated audit. our emphasis is on presenting (1) details on audits of internal control over financial reporting and (2) information on how financial statement audits are modified when LO2 Discuss management’s responsibility for the auditors perform an integrated audit. Although we have referred to integrated reporting on internal audits earlier in the text, in this chapter we emphasize in detail the nature of a pub- control as required by lic company audit. While an integrated audit involves an enhanced consideration of the Sarbanes-Oxley Act internal control, the financial statement audit’s various planning, evidence gathering, of 2002. and reporting procedures remain largely unchanged. Accordingly, the focus of this LO3 Describe the audi- chapter is on audits of internal control over financial reporting (hereafter, internal tors’ responsibility for control). reporting on inter- nal control through integrated audits as Overview required by the Public Company Accounting The Sarbanes-Oxley Act of 2002 requires that, in addition to reporting upon financial Oversight Board. statements, auditors of public companies should also report upon internal control over LO4 Present the auditors’ financial reporting (hereafter, internal control). Consistently, PCAOB Standard No. 5 approach to analyzing recognizes this relationship and states that the internal control and financial statement internal control when audits should be viewed as integrated. performing an inte- Section 404 is composed of two distinct sections.1 Section 404(a), which applies grated audit. to all public companies, requires that each annual report filed with the Securities and LO5 Explain how findings Exchange Commission include an internal control report prepared by management in relating to the audits which management acknowledges its responsibility for establishing and maintaining of internal control and adequate internal control and provides an assessment of internal control effectiveness the financial state- as of the end of the most recent fiscal year. Section 404(b), which applies to public ments may affect one another. companies with a market capitalization in excess of $75,000,000, requires the CPA firm to audit internal control and express an opinion on the effectiveness of internal LO6 Discuss circumstances control. While the emphasis of this chapter is on the auditors’ responsibility under that require auditors Section 404(b), we will begin with an overview of management’s responsibility. to modify their report on internal control. 1 While we emphasize Section 404 in this chapter, we also incorporate information from Sec- tion 103, which requires auditor reporting on internal control. In addition, other sections of the Sarbanes-Oxley Act are also relevant to the overall area of audits of financial statements. Sec- tion 302 requires each of a company’s principal executives and financial officers to certify the financial and other information contained in the company’s quarterly and annual reports. These certifications must indicate that, based on the officer’s knowledge, the financial statements and other financial information included in the report fairly present, in all material respects, the financial condition and results of operations of the company as of, and for, the period pre- sented in the report. Section 906 includes a similar certification requirement but amends the Federal Criminal Code and explicitly sets forth possible criminal penalties for certifications that do not comply with the requirements.whi1103X_ch18_696-725.indd 696 07/02/11 3:52 PM
  2. 2. Confirming Pages Integrated Audits of Public Companies 697 Management’s Responsibility for Internal Control LO2 Management has always been responsible for maintaining effective internal control. However, the Sarbanes-Oxley Act of 2002 increases management’s responsibility Discuss management’s respon- sibility for reporting on internal for demonstrating that controls are effective. As operationalized by the Securities and control as required by the Sar- Exchange Commission (SEC), management is required to: banes-Oxley Act of 2002. • Accept responsibility for the effectiveness of internal control. • Evaluate the effectiveness of internal control using suitable control criteria. • Support the evaluation with sufficient evidence. • Provide a report on internal control. Management’s report and the auditors’ opinion must be included in Form 10-K, the annual report filed with the SEC. The Sarbanes-Oxley Act requires management to per- form the above steps in a meaningful manner to support its report. While the exact word- ing of the report is left to management’s discretion, Section 404(a) of the Sarbanes-Oxley Act requires the report to: • State that it is management’s responsibility to establish and maintain adequate internal control. • Identify management’s framework for evaluating internal control. • Include management’s assessment of the effectiveness of the company’s internal con- trol over financial reporting as of the end of the most recent fiscal period, including a statement as to whether internal control over financial reporting is effective. • Include a statement that the company’s auditors have issued an attestation report on management’s assessment. Management’s For most SEC registrants, passage of Sarbanes-Oxley resulted in a one-time major project Evaluation Process of evaluating and improving internal control to allow both management and the auditors and Assessment to conclude that the company’s internal control is effective. Then, for each subsequent year’s reporting, the analysis is updated. The overall process is one of identifying the significant controls and testing their design and operating effectiveness. The project is performed either by the company itself or by the company assisted by consultants—often personnel from a CPA firm that does not audit the company’s finan- cial statements. The company’s external auditing firm may provide only limited assis- tance to management to avoid a situation in which its assessment is in essence part of management’s assessment, as well as its own. That is, the CPA firm performing the audit should not create a situation in which management relies in any way on the CPA firm’s assessment in making its own assessment. As a starting point, the Securities and Exchange Commission, which provides oper- ational guidance for implementing the Sarbanes-Oxley requirements, has adopted the following definition for internal control: Internal control over financial reporting is a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar func- tions, and affected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that: 1. Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; 2. Provide reasonable assurance that transactions are recorded as necessary to permit prepa- ration of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and 3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.whi1103X_ch18_696-725.indd 697 07/02/11 3:52 PM
  3. 3. Confirming Pages 698 Chapter Eighteen FIGURE 18.1 Does Existence Result Comparison of Control in Required Modification Deficiency, Significant of Management’s Assessment Deficiency, and Material Deficiency Severity and Auditors’ Report? Weakness Definitions Control Not directly considered in Only if it is a material Deficiency definition weakness Significant Less severe than a material No Deficiency weakness Material Reasonable possibility of a Yes Weakness material misstatement FIGURE 18.2 Levels of Severity of Control Deficiency Control Deficiencies Less than a Significant Significant Deficiency Material Weakness Deficiency Management’s report must be based on the preceding definition of internal control and must result from an evaluation using an accepted “control framework.” Although not required, the control framework ordinarily used is the Internal Control–Integrated Framework, created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework, discussed in detail in Chapter 7, is the internal control framework commonly used in audits of financial statements. To perform its evaluation and make its assessment,2 management must understand the concepts of control deficiency, significant deficiency, and material weakness—concepts originally presented in Chapter 7 of this text, although the latter two terms are defined differently for purposes of an integrated audit. A control deficiency exists when the design or operation of a control does not allow management or employees, in the nor- mal course of performing their functions, to prevent or detect misstatements on a timely basis. A material weakness is a control deficiency, or combination of control deficien- cies, in internal control over financial reporting, such that there is a reasonable possibil- ity that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. A reasonable possibility exists when the likelihood is either “reasonably possible” or “probable” as those terms are used in FASB ASC 450-20 “Loss Contingencies.” A significant deficiency is a control deficiency, or a combination of control defi- ciencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting. Figures 18.1 and 18.2 illustrate relationships among deficiencies, significant deficien- cies, and material weaknesses. 2 The “evaluation” or “evaluation process” refers to the methods and procedures management implements to comply with the requirements. The “assessment” is the disclosure required in man- agement’s report on internal control discussing any material weaknesses and management’s assess- ment of the effectiveness of internal control.whi1103X_ch18_696-725.indd 698 07/02/11 3:52 PM
  4. 4. Confirming Pages Integrated Audits of Public Companies 699 In evaluating the significance of identified deficiencies, both quantitative and qualitative factors are considered. Quantitative factors address the potential amount of loss. Qualitative factors include consideration of the nature of the accounts and assertions involved and the possible future consequences of the deficiency. Chapters 6 and 16 of this text include discussions of qualitative factors affecting materiality judgments. Additionally, the consideration of a control deficiency should also include analysis of whether a compensating control exists to either prevent or detect the possible mis- statement. For example, assume a company has a deficiency in control over cash dis- bursements. The compensating control of reconciliation of cash accounts by a competent individual who is otherwise independent of the cash function might make the likelihood of not detecting a significant misstatement less than reasonably possible. Therefore, while a deficiency might exist, it might not be a significant deficiency or a material weakness due to the existence of a compensating control. Management must identify the significant financial statement accounts in order to evaluate the controls over major classes of transactions. Major classes of transac- tions are those that materially affect significant financial statement accounts—either directly through entries in the general ledger or indirectly through the creation of rights or obligations that may or may not be recorded in the general ledger. The overall objective of management’s evaluation of internal control is to provide it with a reasonable basis for its annual assessment as to whether there are any material weaknesses in internal control as of the end of the fiscal year. How does management go about achieving this objective? The SEC guidance is structured about two broad prin- ciples—(1) evaluating the design of controls to identify controls and risks and (2) evalu- ating the operation of the controls. This is consistent with the internal control coverage throughout the text—first consider the design, and then the operating effectiveness of controls. Evaluating Design Effectiveness of Controls The evaluation process begins with identifying and assessing the risks to reliable financial reporting. Management then considers whether it has controls placed in operation (imple- mented) that are designed to adequately address those risks. Management ordinarily uses a top-down approach in which it begins with the identification of entity-level controls and works down to detailed controls only to the extent necessary. For example, if man- agement determines that a control within the company’s period-end financial reporting process (an entity-level control) is designed to adequately address the risk of a material misstatement of interest expense, management may not need to identify any additional controls related to interest expense. When additional assurance is needed, consideration of additional controls becomes necessary. Since the process auditors go through is simi- lar, we discuss this in greater detail later in the chapter. Evaluating Operating Effectiveness of Internal Control Management then evaluates operating effectiveness of controls in those areas that pose a high risk to reliable financial reporting. Evidence on operating effectiveness is obtained from tests of controls and from ongoing monitoring activities related to the controls. Tests of controls are similar to those performed by financial statement auditors as described in detail in Chapter 7. Ongoing monitoring includes activities that provide information about the operation of controls. This information is obtained, for example, through assessments made by employees, assessments made by management (referred to as self-assessment procedures), and the analysis of performance measures designed to track the operation of controls (e.g., budgets). Documentation A required part of management’s evaluation process is appropriate documentation of internal control. The documentation often occurs throughout the entire evaluationwhi1103X_ch18_696-725.indd 699 07/02/11 3:52 PM
  5. 5. Confirming Pages 700 Chapter Eighteen FIGURE 18.3 Management is responsible for establishing and maintaining adequate internal control Management Report on over financial reporting. Carver Company’s internal control system was designed to pro- Internal Control vide reasonable assurance to the company’s management and board of directors regard- ing the preparation and fair presentation of published financial statements. All internal control systems, no matter how well designed, have inherent limitations. Therefore, even a system determined to be effective can provide only reasonable assur- ance with respect to financial statement preparation and presentation. [Note: This para- graph is not required.] We assessed the effectiveness of the company’s internal control over financial reporting as of December 31, 20X4. In making this assessment, we used the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control–Integrated Framework. Based on our assessment, we believe that, as of Decem- ber 31, 20X4, the company’s internal control over financial reporting is effective based on those criteria. Carver Company’s independent auditors have issued an audit report on our assessment of the company’s internal control over financial reporting. This report appears on page XX. Sally Jones John Hankson Chief Executive Officer Chief Financial Officer February 12, 20X5 process. Virtually all of the documentation tools included in Chapters 7 and 8 of this text are relevant for both management’s evaluation and the external auditors’ audit of internal control. Reporting Management’s evaluation process culminates with the issuance of management’s report on internal control, which includes management’s assessment. If management believes that no material weaknesses exist at year-end, it is able to issue a report concluding that the company maintained effective internal control over financial reporting. An illustration of such a report is included in Figure 18.3. In the next section, we will describe the audi- tors’ process for evaluating and reporting on internal control. The Auditors’ Responsibility for Reporting on Internal Control in PCAOB Audits The auditors’ objective in an audit of internal control is to express an opinion on the com- LO3 pany’s internal control over financial reporting. To meet this objective, the auditors must Describe the auditors’ responsibil- plan and perform the audit to obtain reasonable assurance about whether material weak- ity for reporting on internal con- trol through integrated audits as nesses exist as of the date specified in management’s assessment. Evidence is gathered required by the Public Company on both the design and operating effectiveness of internal control as of the date specified Accounting Oversight Board. in management’s assessment—normally the last day of the company’s fiscal year. The audit may be viewed as consisting of the following five stages. 1. Plan the engagement. 2. Use a top-down approach to identify controls to test. 3. Test and evaluate design effectiveness of internal control. 4. Test and evaluate operating effectiveness of internal control. 5. Form an opinion on the effectiveness of internal control.whi1103X_ch18_696-725.indd 700 07/02/11 3:52 PM
  6. 6. Confirming Pages Integrated Audits of Public Companies 701 Plan the As indicated in Figure 18.4, the auditors first plan the engagement. Efficient planning Engagement requires coordination with the financial statement audit. For purposes of both audits, the auditors consider matters related to the client’s industry, regulatory matters, the client’s business, and any recent changes in the client’s operations. The auditors’ knowledge of LO4 a client’s internal control at the planning stage of the engagement will differ significantly Present the auditors’ approach to depending upon the nature of the client and the auditors’ experience with that client, and analyzing internal control when performing an integrated audit. this in turn will affect the scope of the auditors’ procedures. For example, when the audi- tors have previously performed audits of the client, the auditors begin the integrated audit with more information than in a circumstance in which the company is a new audit client. Accordingly, they only have to perform procedures to update their knowledge. FIGURE 18.4 An Audit of Internal Company Control Criteria Control over Financial Internal (ordinarily COSO Reporting Control Internal Control Framework) Management‘s Evaluation of Internal Control Management’s report on internal control (with internal control assessment) Plan the engagement Use a top-down approach to identify controls to test Test and evaluate design effectiveness Test and evaluate operating effectiveness Form an opinion on the effectiveness of internal control over financial reporting Issue Auditors‘ Attestation Reportwhi1103X_ch18_696-725.indd 701 07/02/11 3:52 PM
  7. 7. Confirming Pages 702 Chapter Eighteen There is a subtle difference between the auditors’ consideration of internal control for the audit of internal control as compared to their consideration of internal control in an audit of financial statements. In the audit of internal control, the focus is on whether inter- nal control is effective at a point in time—the as of date—which is ordinarily the last day of the client’s fiscal period. To express the internal control opinion, the auditors must obtain sufficient evidence on the effectiveness of controls at the as of date. By itself, this would involve performing tests of controls for a period that is usually significantly less than the entire year. On the other hand, in a financial statement audit the consideration of internal control is performed to help plan the audit and to assess control risk for the entire financial statement period. Therefore, the auditors must perform tests of controls of transactions occurring throughout the year to meet the objective of obtaining sufficient evidence to support the opinion on internal control and assess control risk. This distinc- tion is discussed in more detail later in this chapter. When planning and performing the audit of internal control, the auditors should take into account the results of the financial statement fraud risk assessment. Specifically, the auditors should identify and test controls that address the risk of fraud, including man- agement override of other controls. These controls include those over: • Significant unusual transactions, particularly those reported late in the period and those related to the period-end financial reporting process. • Related party transactions. • Significant management estimates. • Incentives for management to falsify or inappropriately manage financial results. When planning and performing the audit of internal control, the auditors should also recognize internal control differences between small and large clients. Often these differ- ences are related to the degree of complexity of their operations. For example, when the auditors are auditing a small company, many control objectives may be accomplished through daily interaction of senior management and other company personnel rather than through formal policies and procedures. Because of the extensive involvement of senior management in performing controls and the period-end financial reporting process, the auditors of a small company should realize that controls to prevent management override are even more important than it is for a large company. Accordingly, for example, while detailed oversight by the audit committee may be an important control for most compa- nies, it may be particularly important for a small company. Use a Top-Down Figure 18.4 indicates that the auditors use a top-down approach to identify controls Approach to to test. What is a “top-down” approach? As indicated in Figure 18.5, the “top-down” Identify Controls approach starts at the top—the financial statements and entity-level controls—and links the financial statement elements and entity-level controls to significant accounts, relevant to Test3 assertions, and to the major classes of transactions. The goal is to focus on testing those controls that are most important to the auditor’s conclusion on internal control, while avoiding those that are less important. Entity-Level Controls Entity-level controls often are those included in the control environment or monitoring components of internal control. For example, the portions of the control environment deal- ing with the tone at the top, assignment of authority and responsibility, and corporate codes of conduct have a pervasive effect on internal control. Also, information technology general controls over program development, program changes, and computer controls over pro- cessing have a pervasive effect in that they help ensure that specific controls over process- ing are operating effectively. The pervasiveness of entity-level controls distinguishes them 3 This terminology is used in PCAOB Standard No. 5. This stage corresponds to obtaining an under- standing of internal control in a financial statement audit.whi1103X_ch18_696-725.indd 702 07/02/11 3:52 PM
  8. 8. Confirming Pages Integrated Audits of Public Companies 703 FIGURE 18.5 Overall Approach Illustration A Top-Down Approach to Testing Internal Entity- Financial Balance Centralized level Control statements sheet processing controls Significant accounts Accounts and disclosures receivable Various Detailed list Relevant Completeness other of cash assertions assertion controls receipts Major classes of Cash receipt and transactions and transactions remittance significant processes process from other controls that are designed to achieve the specific objectives. As an example of a control that is not an entity-level control, consider control of requiring accounting for all shipping documents. This control activity is aimed primarily at assuring the completeness of recorded sales and does not have the pervasive effect of an entity-level control. Entity-level controls relating to audit committee effectiveness, fraud, and the period- end financial reporting process are particularly emphasized in Standard No. 5. The audit committee is particularly important since an effective audit committee exercises over- sight responsibility over both financial reporting and internal control. Indeed, ineffec- tive audit committee oversight by itself is regarded as a strong indication that a material weakness in internal control exists. PCAOB Standard No. 5 also emphasizes the need for controls specifically intended to address the risk of fraud. These controls range from entity-level control environment controls, such as an appropriate tone at the top, corporate codes of conduct, and an effec- tive antifraud program, to control activities, such as the reconciliation of cash accounts. Figure 18.6 provides examples of antifraud programs and elements. The period-end financial reporting process (often referred to as “financial statement close”) is also very significant. The period-end process involves the procedures used to enter transaction totals into the general ledger through the end of the financial statement reporting process. Auditors must thoroughly evaluate this process, including the man- ner in which financial statements are produced, the extent of information technology involved, who participates from management, the locations involved, and the types of adjusting entries and oversight by appropriate parties. In considering entity-level controls, the auditors should be aware that controls may have either an indirect or a direct effect on the likelihood of misstatement. Controls with an indirect effect on the likelihood of misstatement might affect the auditors’ decisions about the other controls that the auditors select for testing, as well as the nature, timing, and extent of procedures the auditors perform on other controls. For example, a positive tone at the top of the organization may lead to more effective lower level control perfor- mance, yet it does not have a direct effect on the likelihood of misstatement for any par- ticular assertion. Such a control might allow the auditors to decrease the testing of other lower level controls. Controls with a direct effect on the likelihood of misstatement operate at varying levels of precision. Some of these controls might be designed to identify possible breakdowns in lower level controls and operate at a level of precision that would allow auditors to reduce, but not eliminate, the testing of other controls. As an example, a monitoring control that detects only relatively large misstatements may fall into this category. Whenwhi1103X_ch18_696-725.indd 703 07/02/11 3:52 PM
  9. 9. Confirming Pages 704 Chapter Eighteen FIGURE 18.6 Antifraud Program Entity-Level Antifraud or Element Strong Indicator of Significant Deficiency Programs and Elements Management accountability Senior management conducts ineffective oversight of antifraud programs and controls. Audit committee Audit committee passively conducts oversight. It does not actively engage the topic of fraud. Internal audit Inadequate scope of activities. Inadequate communication, involvement, and interaction with the audit committee. Code of conduct/ethics Nonexistent code or code that fails to address conflicts of interest, related party transac- tions, illegal acts, and monitoring by management and the board. Ineffective communication to all covered persons. “Whistleblower” program* No program for anonymous submissions. Inadequate process for responding to allega- tions of suspicions of fraud. Whistleblower program significantly defective in design or operation. Hiring and promotion procedures Failure to perform substantive background investigations for individuals being consid- ered for employment or promotion to a posi- tion of trust. Remediation Failure to take appropriate and consistent remedial actions with regard to identified significant deficiencies, material weaknesses, actual fraud, or suspected fraud. * A program for handling complaints and for accepting confidential submissions of concerns about questionable accounting, auditing, and other matters (e.g., hotlines). such a control is operating effectively, it might allow the auditor to reduce, but not elimi- nate, the testing of other controls. Other entity-level controls that have a direct effect on the likelihood of misstatement might be designed to operate at a level of precision that would adequately prevent or detect material misstatements to one or more relevant assertions. Such controls may allow the auditor to omit testing additional controls relating to that risk. Monitoring controls that identify relatively small misstatements may fall into this category. Note, however, that this area has been controversial as some have asked how frequently such controls actually exist, and thus allow the elimination of testing of controls beneath “the top.” Significant Accounts and Disclosures As shown in Figure 18.5, the auditors must obtain an understanding of significant accounts and disclosures. An account is significant if there is a reasonable possibility that it could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering both the risks of understatement and overstatement. The assessment should be made without giving any consideration to the effectiveness of internal control. Factors that the auditors consider in deciding whether an account is significant include: • Size and composition. • Susceptibility of loss due to errors or fraud.whi1103X_ch18_696-725.indd 704 07/02/11 3:52 PM
  10. 10. Confirming Pages Integrated Audits of Public Companies 705 • Volume of activity, complexity, and homogeneity of individual transactions. • Nature of the account. • Accounting and reporting complexity. • Exposure to losses. • Possibility of significant contingent liabilities. • Existence of related party transactions. • Changes from the prior period. Identifying Relevant Financial Statement Assertions Once they have determined the significant accounts and disclosures, the auditors must determine which financial statement assertions are relevant to the significant accounts: (1) existence or occurrence; (2) completeness; (3) valuation or allocation; (4) rights and obligations; and/or (5) presentation and disclosure. Relevant assertions for an account are those that have a meaningful bearing on whether the account is presented fairly. For example, valuation may be very relevant to determining the amount of receivables, but it is not ordinarily relevant to cash unless currency translation is involved. Obtaining a Further Understanding of Likely Sources of Misstatement To further understand the likely sources of potential misstatements, auditors should under- stand the flow of transactions related to the relevant assertions. This understanding allows the auditors to identify points within the company’s processes where a material misstate- ment could arise and to identify the controls to prevent or detect these misstatements. Throughout the text (e.g., Chapter 6, Chapters 11–16), we have discussed the concept of transaction cycles. Transaction cycles (also referred to as classes of transactions) are those transaction flows that have a meaningful bearing on the totals accumulated in the company’s significant accounts and, therefore, have a meaningful bearing on relevant assertions. Consider a company whose sales may be initiated by customers either through the Internet or in a retail store. These two types of sales may be viewed as representing two major classes of transactions within the sales process. Although not explicitly discussed in PCAOB Standard No. 5, it is helpful to classify transactions by transaction type—routine, nonroutine, or accounting estimates. Routine transactions are for recurring activities, such as sales, purchases, cash receipts and disbursements, and payroll. Nonroutine transactions occur only periodically; they generally are not part of the routine flow of transactions and include transactions such as counting and pricing inventory, calculating depreciation expense, or determining prepaid expenses. Accounting estimates are activities involving management’s judgments or assumptions, such as determining the allowance for doubtful accounts, estimating war- ranty reserves, and assessing assets for impairment. Throughout the audit of internal control, auditors must be concerned about all three transaction types. However, the auditors must be aware that the unique nature of non-routine transactions and the subjectivity involved with accounting estimate transactions make them particularly prone to misstatement unless they are properly controlled. To understand the likely sources of potential misstatements and as a part of selecting the controls to test, the auditors should: • Understand the flow of transactions; • Verify points within the company’s processes at which a misstatement could arise that could be material; • Identify the controls management has implemented to address these potential mis- statements; and • Identify the controls management has implemented to prevent or detect on a timely basis unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement.whi1103X_ch18_696-725.indd 705 07/02/11 3:52 PM
  11. 11. Confirming Pages 706 Chapter Eighteen FIGURE 18.7 Relationships among Processes, Transaction Types, and Significant Accounts Examples of Significant Accounts Allowance for Doubtful Accounts Property, Plant, & Equipment Stockholders’ Equity Accounts Receivable Inventory Reserves Other Accounts Inventories Prepaid Cash Transaction Example Processes Types Financial statement close Nonroutine X X X X X X X X X Cash receipts Routine X X X Cash disbursements Routine X X Payroll Routine Inventory costing (CGS) Routine X X Estimate purchase commitments Estimation X Estimate excess and obsolete inventory Estimation X Lower-of-cost-or-market calculation Estimation X LIFO calculation Nonroutine X Physical inventory count Nonroutine X Accounts receivable and sales Routine X Source: Adapted from Ernst & Young, Evaluating Internal Control: Considerations for Documenting Controls at the Process, Transaction, or Application Level, 2003. Figure 18.7 provides an illustration of the relationships among significant accounts, processes, and transaction types emphasizing inventory processes; it presumes one major class of transactions for each process. Selecting Controls to Test The auditors should test those controls that are important to their conclusion about whether the company’s controls sufficiently address the risk of misstatement for each relevant assertion. It is not necessary to design tests of all controls. For example, tests of redundant controls (those that duplicate other controls) need not be designed when tests of the related control are planned, unless redundancy itself is a control objective. The auditors may decide to design tests of preventive controls, detective controls, or a combination of both for the various assertions and significant accounts. Preventive con- trols have the objective of preventing errors or fraud from occurring; detective controls have the objective of detecting errors or fraud that have already occurred. Effective inter- nal control generally involves “levels” of controls composed of a combination of both preventive and detective controls. Some controls are complementary controls in that they work together to achieve a particular control objective. When tests are being per- formed related to that control objective, the complementary controls must be tested. A question that arises when a client has multiple locations is: Must the auditors design and perform tests at all locations? The answer is no. In determining the locations at which to perform tests of controls, the auditor should assess the risk of material misstatement to the financial statements of each location and base the amount of testing on the degree of risk.whi1103X_ch18_696-725.indd 706 07/02/11 3:52 PM
  12. 12. Confirming Pages Integrated Audits of Public Companies 707 Performing Walk-throughs While not required, performing walk-throughs may frequently be the most effective way to obtain an understanding of the likely sources of misstatement. A walk-through involves literally tracing a transaction from its origination through the company’s infor- mation system until it is reflected in the company’s financial reports. Walk-throughs pro- vide the auditors with evidence to: • Verify that they have identified points at which a significant risk of misstatement to a relevant assertion exists. • Verify their understanding of the design of controls, including those related to the prevention or detection of fraud. • Evaluate the effectiveness of the design of controls. • Confirm whether controls have been placed in operation (implemented). Because much judgment is required in performing a walk-through, the auditors should either perform walk-throughs themselves or supervise the work of others who provide assistance to them (e.g., internal auditors). While performing walk-throughs, the auditors ask those involved to describe their understanding of the processing involved and to demonstrate what they do. In addition, follow-up inquiries should be made to help identify abuse of controls or indicators of fraud. Examples of such follow-up inquiries include: • What do you do when you find an error? • What kind of errors have you found? • What happened as a result of finding the errors, and how were the errors resolved? • Have you ever been asked to override the process or controls? If yes, why did it occur and what happened? Test and Evaluate The auditors test the design effectiveness of controls by determining whether the com- Design pany’s controls, if operating properly, satisfy the company’s control objectives and can Effectiveness of effectively prevent or detect errors or fraud that could result in material misstatements. The procedures performed here include a combination of inquiry of appropriate person- Internal Control nel, observation of the company’s operations, and inspection of relevant documenta- over Financial tion. Figure 18.8 provides an example of control objectives, risks, and controls using the Reporting COSO framework. The auditors specifically consider whether the controls, if function- ing, would reduce the risks to an appropriately low level. Test and Evaluate Tests of the operating effectiveness of a control determine whether the control func- Operating tions as designed and whether the person performing the control possesses the necessary Effectiveness of authority and qualifications. In deciding how to design tests of operating effectiveness, the auditors must focus on the nature, timing, and extent of the tests. Internal Control over Financial Nature of Tests of Operating Effectiveness Reporting Tests of controls, in the order of increasing persuasiveness, include a combination of inquiries of appropriate personnel, inspection of relevant documents, observation of the company’s operations, and reperformance of the application of controls. For example, to evaluate whether the second control objective in Figure 18.8, the accurate and complete recording of invoices, is achieved, the auditors might use generalized audit software to inspect electronic documents to determine that no gaps exist in the sequence of shipping documents. Also, Standard No. 5 states that the auditors should vary the exact tests per- formed when possible to introduce unpredictability into the audit process. Evaluating responses to inquiries represents a particular challenge in that the responses may range from formal written inquiries (e.g., representation letters) to informal oral inquiries. Because of the possibility of misrepresentation or misunderstanding of thewhi1103X_ch18_696-725.indd 707 07/02/11 3:52 PM
  13. 13. Confirming Pages 708 Chapter Eighteen FIGURE 18.8 Process: Accounts Receivable Control Objective Risks Controls 1. Ensure that all goods Missing documents or • Use standard shipping or contract terms. shipped are accurately incorrect information • Communicate nonstandard shipping or contract billed in the proper terms to accounts receivable department. period. Improper cutoff of ship- • Identify shipments as being before or after period ment at the end of a end by means of a shipping log and prenumbered period shipping documents. 2. Accurately record Missing documents or • Prenumber and account for shipping documents invoices for all incorrect information and sales invoices. authorized shipments • Match orders, shipping documents, invoices, and and only for such customer information, and follow through on miss- shipments. ing or inconsistent information. • Mail customer statements periodically and investi- gate and resolve disputes or inquiries by individuals independent of the invoicing function. • Monitor number of customer complaints regarding improper invoices or statements. 3. Accurately record all Missing documents or • Authorization of credit memos by individuals inde- authorized sales incorrect information pendent of accounts receivable function. returns and • Prenumber and account for credit memos and allowances and only receiving documents. such returns and • Match credit memos and receiving documents and allowances. resolve unmatched items by individuals indepen- dent of the accounts receivable function. Inaccurate input of data • Mail customer statements periodically and investi- gate and resolve disputes or inquiries by individuals independent of the invoicing function. 4. Ensure continued Unauthorized input for • Review correspondence authorizing returns and completeness and nonexistent returns, allowances. accuracy of accounts allowances, and • Reconcile accounts receivable subsidiary ledger receivable. write-offs with sales and cash receipts transactions. • Resolve differences between the accounts receiv- able subsidiary ledger and the accounts receivable control account. 5. Safeguard accounts Unauthorized access to • Restrict access to accounts receivable files and data receivable records. accounts receivable used in processing receivables. records and stored data Source: Adapted from Internal Control–Integrated Framework, Evaluation Tools. responses, inquiry alone does not provide sufficient evidence to support the operating effectiveness of a control. Thus, auditors should substantiate the responses to inquiries by performing other procedures, such as inspecting reports or other documentation relating to the inquiries. Timing of Tests of Controls Tests of controls should be performed over a period of time sufficient to determine whether, as of the date specified in management’s report, the controls were operating effectively. The auditors are aware that some controls operate continuously (e.g., con- trols over routine transactions, such as sales), while others operate only periodically (e.g., controls over nonroutine transactions or events, such as the preparation and analysis of monthly or quarterly financial statements). For controls that operate only periodically, it may be necessary to wait until after the date of management’s report to test them; for example, controls over period-end financial reporting normally operate only after the datewhi1103X_ch18_696-725.indd 708 07/02/11 3:52 PM
  14. 14. Confirming Pages Integrated Audits of Public Companies 709 Illustrative Case Frequency of Testing One CPA firm provided the following guidance to its auditors as to frequency of testing: Frequency of Control Suggested Number of Items to Test Annual 1 Quarterly 2 Monthly 3–6 Weekly 10–20 Daily 20–40 Multiple times per day 30–60 of management’s report. The auditors’ tests can be performed only at the time the con- trols are operating. Extent of Tests of Controls PCAOB Standard No. 5 requires the auditors to obtain sufficient evidence about the effectiveness of controls for all relevant assertions related to all significant accounts. This means that the auditors must design procedures to provide a high level of assurance that the controls related to each relevant assertion are operating effectively. For man- ual controls, this generally involves more extensive testing than for automated controls. Generally, the more frequently controls operate, the more auditors should test them, and controls that are relatively more important should be tested more extensively. Also, the auditors cannot be satisfied with less-than-persuasive evidence because of a belief that management is honest. When control exceptions are identified, the auditors should critically assess the nature and extent of testing and consider whether additional testing is appropriate. Also, a con- clusion that an identified control exception does not represent a control deficiency is only appropriate if evidence beyond what the auditors had originally planned, and beyond inquiry, supports that conclusion. The issue of evaluating exceptions will be described in more detail later in this chapter. Can auditors use the work of others—internal auditors, company personnel, and third parties—in the audit of internal control? For example, if client personnel have already performed certain procedures that the auditors had intended, may the auditors use that work? The answer is yes because PCAOB Standard No. 5 allows auditors to use the work of others. It is expected that the work of others used by the auditors will often be related to relatively low-risk areas. In any event, the auditors must understand that when they use the work of others they remain responsible for their opinion and they cannot share responsibility with those others. In all cases in which the work of others is used, the auditors should evaluate the competence and objectivity of those individuals and test the work they have performed. Another issue relates to the degree to which auditors must retest controls in detail each year. In audits subsequent to the first year, auditors should incorporate knowledge obtained during past audits of internal control. Using this “cumulative audit knowledge” (knowledge obtained from prior audits), the auditors often may be able to reduce the amount of work performed. In making decisions as to the necessary testing, the auditors should consider the various risk factors related to a control as well as: • The nature, timing, and extent of procedures performed in previous audits, • The results of the previous years’ testing of the control, and • Whether there have been changes in the control, or the significant process in which it operates, since the previous audit.whi1103X_ch18_696-725.indd 709 07/02/11 3:52 PM
  15. 15. Confirming Pages 710 Chapter Eighteen To illustrate, assume that a control presents a low risk overall in that there is a low inher- ent risk, a low degree of complexity, few changes in controls, and the previous year revealed no deficiencies. In such a case, the auditors may determine that sufficient evi- dence of operating effectiveness could be obtained by performing a walk-through. In addition, the auditors may use the work of others to a greater extent than in the past. But, on an overall basis, the auditors must test controls every year and cannot “rotate” analysis of various transaction types between various years (e.g., consider controls over sales this year, and purchases next year). LO5 Relationship between Tests of Controls Performed for the Internal Control Audit and Those Performed for the Financial Statement Audit Explain how findings relating to the audits of internal control and Are the types of tests of controls performed for an internal control audit the same as those the financial statements may affect performed for a financial statement audit? May the evidence from tests performed for an one another. internal control audit be used for the financial statement audit? While the answer to both of these questions is yes, the auditors must consider the differences in the objectives of the tests. The objective of tests of controls in an audit of internal control is to obtain evidence about the effectiveness of controls to support the auditors’ opinion on whether manage- ment’s assessment of the effectiveness of internal control, taken as a whole, is fairly stated as of a point in time. Accordingly, to express this opinion the auditors must obtain evidence about the effectiveness of controls over all relevant assertions for all significant accounts and disclosures in the financial statements. The objective of tests of controls for a financial statement audit is to assess control risk. If the auditors decide to assess control risk at less than the maximum, they are required to obtain evidence that the relevant controls operated effectively during the entire period upon which they plan to place reliance on those controls. However, the auditors are not required to assess control risk at less than the maximum for all assertions. How may these two different approaches for tests of controls be reconciled in an inte- grated audit? PCAOB Standard No. 5, for purposes of the internal control audit, allows the auditors to obtain evidence about operating effectiveness at different times throughout the year—provided that the auditors update those tests or obtain other evidence that the controls still operated effectively at the end of the year. Thus, although the timing for issuing the internal control report will not ordinarily require tests from throughout the year, the inte- grated nature of the two audits suggests that testing should be spread throughout the year. The requirements of Standard No. 5 have had the effect of pushing auditors to perform financial statement audits using the systems approach—an approach with heavy reliance on internal control evidence. In essence, since extensive tests of controls are required for each significant account for the internal control audit, the auditors should have significant evidence about the effectiveness of internal control for the financial statement audit. The auditors generally must merely extend the tests to cover the financial statement period in order to assess control risk at a low level for purposes of the financial statement audit. Effect of Tests of Controls on Financial Statement Audit Substantive Procedures Historically, to enhance audit efficiency and effectiveness, auditors often have used a substantive audit approach that is not acceptable for integrated audits. Auditors have traditionally relied primarily (or completely) on evidence from substantive procedures rather than testing controls in audit areas when a substantive approach was considered the most cost-effective approach. To illustrate, when only a financial statement audit is being performed, auditors often rely heavily upon substantive procedures to audit areas such as property, plant, and equipment; investments; and long-term debt. Since auditors must now report on the effectiveness of internal control, approaches limiting the testing of controls are not acceptable. Historically, another efficiency that has developed in financial statement audits is min- imizing the testing of controls aimed at preventive controls (e.g., transaction level controls), and emphasizing the testing of detective controls (e.g., various types of reconciliations and exception reports). When auditors express an opinion on internalwhi1103X_ch18_696-725.indd 710 07/02/11 3:52 PM

×