Sources of misstatement: identify controls at locations of sources, to walkthroughs, find exceptions during walkthroughTesting: Nature, timing, and extent (nature of the control (manual more), frequency of operation, importance of control)
Chapter 7Auditing Internal Control over Financial Reporting
Where we are• Introduction• Audit basics – Risk – Materiality – Evidence – Documentation• Audit Phases – Planning – Internal controls in a financial statement audit – Internal controls in an integrated audit
What we’ll cover• Difference between internal control in financial statement audit and internal control in integrated audit• Management’s responsibilities• Auditor’s responsibilities• Steps in auditing internal controls
Different approaches of evaluating internal controlsFinancial statement audits Integrated audits• Audits of non-public entities • Audits of public corporations• Regulated by AICPA • Regulated by PCAOB• No requirements of • Management has some management responsibilities• Auditors are required to understand internal controls • Auditors are required to understand internal controls• Auditors may choose to rely upon controls. If so, they must • Auditors are required to audit test controls. internal controls, including• Auditors communicate control testing. weaknesses to board of • Auditors issue report on directors. internal controls.
Management’s responsibilities• Accept responsibility for controls• Evaluate effectiveness of internal controls using COSO – Entity-level – Application controls – Risk-based• Document internal controls• Report on internal controls
Auditor’s responsibilities Controls over • unusual transactions • adjusting entries • Risk assessment and fraud risk • related-party transactions • Scaling the audit • Management estimates • Using work of others • Materiality • Entity level • Control environment controls • Year-end process • Identify significant assertions • Understand sources of misstatement • Select controls to test
Controls and tests• Controls – Authorization – Documents – Records – Segregation of duties – Independent checks – Safeguard assets• Tests – Walkthrough – Inquiry • How control is done • When is it done (frequency) • What happens if there is an exception (detective control) • Who performs the control – Observe – Inspect documents – Re-perform
Example – movie theater Planning • Risk assessment • Scaling • Work of others • Materiality Identify controls • Entity level controls • Assertions (transactions) • Occurrence • Completeness • Authorization • Accuracy Theater Theater • Cutoff • Classification • Understand sources of misstatement • Select controls to test
Assertion Source of Misstatement Control Tests Walkthrough transactionAll recorded sales occurred False sales recorded Monthly reconciliation of register Inquire what happens if reports to sales journal entries exceptions are found Monthly reconciliation of sales Re-perform sample of journal entries to deposits of cash reconciliationsAll sales events recorded Customers do not pay for entry Tickets disbursed to customers Observe process Clerk does not record sale and collectedAll sales authorized Low risk of misstatementSales recorded accurately Sales entered into register at Clerk selects ticket type rather Observe register use incorrect amount than entering amount Re-perform sample of Register total entered incorrectly Monthly reconciliation of register reconciliations into journal reports to sales journal entriesSales recorded in the correct fiscal Sales recorded in subsequent Sales recorded every night Vouch from journal to registerperiod period report 2 days before and after FYE Sales recorded in prior periodSales recorded in the correct NAaccountCash balances exist Cash balance not reported Monthly bank reconciliation Bank confirmations correctlyCash balances owned by client Low risk of misstatementAll cash balances are reported Low risk of misstatementCash accurately valued Low risk of misstatementAR balances exist Insignificant accountAR owned by client Insignificant accountAll AR reported Insignificant accountAR valued correctly Insignificant account
Evaluate deficiencies• Risk factors that a control deficiency will result in a misstatement (likelihood): – Nature of assertions involved – Susceptibility of balance to fraud – Amount of judgment required to determine amount involved – Relationship with other controls – Possible consequences of the deficiency• Factors that affect whether the misstatement may be material: – The amounts exposed to the deficiency – The volume of activity exposed to the deficiency
Adverse OpinionIncludes Would it be possible to give• Definition of material weakness an adverse opinion on• Description of particular weakness internal controls and an• Opinion unqualified opinion on the financial statements?
Report of Independent Registered Public Accounting FirmTo the Board of Directors and Shareholders of American International Group, Inc.:In our opinion, the consolidated financial statements listed in the accompanying index present fairly, in all material respects, the financialposition of American International Group, Inc. and its subsidiaries (AIG) at December 31, 2007 and 2006, and the results of their operationsand their cash flows for each of the three years in the period ended December 31, 2007 in conformity with accounting principles generallyaccepted in the United States of America. In addition, in our opinion, the financial statement schedules listed in the accompanying indexpresent fairly, in all material respects, the information set forth therein when read in conjunction with the related consolidated financialstatements. Also in our opinion, AIG did not maintain, in all material respects, effective internal control over financial reporting as ofDecember 31, 2007, based on criteria established in Internal Control — Integrated Framework issued by the Committee of SponsoringOrganizations of the Treadway Commission (COSO) because a material weakness in internal control over financial reporting related to theAIGFP super senior credit default swap portfolio valuation process and oversight thereof existed as of that date. A material weakness is adeficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that amaterial misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. The materialweakness referred to above is described in Management’s Report on Internal Control Over Financial Reporting appearing under Item 9A.We considered this material weakness in determining the nature, timing, and extent of audit tests applied in our audit of the 2007consolidated financial statements, and our opinion regarding the effectiveness of AIG’s internal control over financial reporting does notaffect our opinion on those consolidated financial statements. AIG’s management is responsible for these financial statements and financialstatement schedules, for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internalcontrol over financial reporting, included in management’s report referred to above. Our responsibility is to express opinions on thesefinancial statements, on the financial statement schedules, and on AIG’s internal control over financial reporting based on our integratedaudits. We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Thosestandards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free ofmaterial misstatement and whether effective internal control over financial reporting was maintained in all material respects. Our audits ofthe financial statements included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements,assessing the accounting principles used and significant estimates made by management, and evaluating the overall financial statementpresentation. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financialreporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internalcontrol based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in thecircumstances. We believe that our audits provide a reasonable basis for our opinions. A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding thereliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally acceptedaccounting principles. A company’s internal control over financial reporting includes those policies and procedures that (i) pertain to themaintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of thecompany; (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements inaccordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only inaccordance with authorizations of management and directors of the company; and (iii) provide reasonable assurance regarding preventionor timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on thefinancial statements. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements.Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate becauseof changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.PricewaterhouseCoopers LLPNew York, New YorkFebruary 28, 2008
CommunicationsFrom manager to auditorManagement is responsible for ICMgt has evaluated ICMgt did not rely on work of auditorMgt has disclosed all weaknessAny material fraudResolution of weaknessesChanges in ICFrom auditor to companyAll material weaknesses and significant deficiencies to bothmanagement and the boardControl deficiencies to management
Computer – Assisted audit techniques• Generalized audit software – File and database access – Selection of data – Statistical analysis• Custom audit software• Test date
Chapter summary• Difference between internal control in financial statement audit and internal control in integrated audit• Management’s responsibilities• Auditor’s responsibilities• Steps in auditing internal controls