Add to collection(s) Add to saved
  1. Business
  2. Management

Evaluating Internal Control over Financial Reporting

advertisement 
Rittenberg/Schwieger/Johnstone
Auditing: A Business Risk Approach
Sixth Edition
Chapter 7
Performing an
Integrated Audit
Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo,
and South-Western are trademarks used herein under license.
1
The Integrated Audit
The Sarbanes-Oxley Act of 2002 requires
publicly held companies to report on the
effectiveness of their internal controls over
financial reporting
The Public Company Accounting Oversight
Board requires external auditors to perform an
integrated audit of the effectiveness of internal
controls and financial reporting
In essence, the auditor must attest to both the
financial statements and management's
assertions regarding the effectiveness of internal
controls over financial reporting
2
An Overview of Account
Processes and Audit Testing
3
Important Elements of the
Integrated Audit
 The objective of both internal control and the external
audit is developing confidence in the fairness of financial
reports including all material account balances and
needed disclosures.
 The control environment is pervasive and affects the
process of recording transactions, making estimates, and
making adjusting entries.
 If the control environment is strong and the controls over
transaction processing, adjusting, and estimating are
good, then both management and the auditor would have
a high degree of confidence that the financial accounts are
fairly stated and financial disclosures are adequate.
 There is potential for errors in input, processing,
estimating, or adjusting even if internal controls are
considered effective.
4
Important Elements of the
Integrated Audit (continued)
 Because errors could still occur, there is a need to do
some, albeit limited and selective, testing of account
balances and reviews of disclosures.
 There are three sources of evidence that the auditor
can use to gather and evaluate the fairness of the
financial statements. They are evidence derived from:
1. Tests that indicate that internal controls over transaction
processing, adjusting, and estimating financial statement line
items are effective
2. Tracing the recording of transactions through processes to
determine that they are appropriately recorded in the account
balances
3. Directly testing the account balance(s)
5
How do auditors form opinions of
the quality of internal controls?
The auditor gathers information on the quality of
internal controls by:
Assessing the quality of management’s process in
developing his or her opinion on internal control over
financial reporting
Evaluating the design of controls and the operation of
controls that the auditor believes are designed
effectively
Making inferences about the quality of internal control
based on findings in the financial statement audit
6
What is contained in the
unqualified report?
The internal control report
The auditor provides an opinion on the
effectiveness of internal control in the context of
agreed-upon criteria, i.e., the COSO internal
control integrated framework.
The auditor’s opinion considers both the design
and the operating effectiveness of internal
control.
The auditor recognizes and conveys to users
that there are limitations of internal control that
can affect its effectiveness in the future.
7
The Five Phases of Planning the
Integrated Audit
Phase 1: Identifies and assesses business risk and
determines the implications for audit risk. Business risk
is used to consider both the motivation for misstatement
as well as the areas in which misstatements may exist.
Phase 2: Assesses fraud risk and brainstorms how fraud
might occur within the organization (see Chapter 9).
Phase 3: Considers the process used by management to
assess internal control and addressing internal control
deficiencies in a timely manner, including the following:
(following slide)
8
The Five Phases of Planning the
Integrated Audit (Phase 3, ontinued)
 Documenting significant processes and controls within
those processes
 Documenting the other COSO control elements,
especially the control environment, risk analysis, and
monitoring process
 Testing the effectiveness of important controls as a basis
for establishing the quality of controls (first year and
potentially thereafter when new processes or controls
are introduced)
 Monitoring the effectiveness of previously identified
controls
 Testing of important control activities to determine that
there is no deterioration of controls
9
 Correcting control deficiencies
The Five Phases of Planning the
Integrated Audit (continued)
 Assessesing the effectiveness of internal control over
financial reporting
 Developing their report on internal control
Phase 4: Determines which controls must be tested within
each of the COSO elements, considering:
 The control environment, which having a pervasive effect on
internal control
 The importance of various processes, including transaction
processing, adjusting entries, and estimates, that affect material
financial statement accounts
 The controls that must be evaluated and tested in order to reach
a conclusion on the effectiveness of internal control
 The need to corroborate control testing with direct tests of
10
account balances
The Five Phases of Planning the
Integrated Audit (Continued)
Phase 5: Determines the most efficient
approach to achieve the dual objectives of
reporting on internal control and on the
financial statements and executing the
audit plan.
11
Top-Down, Risk Based Approach
A top-down, risk-based approach requires
auditors to consider the materiality of account
balances and processes along with the risks that
the account balance maybe misstated. The
approach requires auditors to identify:
Account balances or related disclosures that might be
materially misstated
Potential causes of the misstatement
 Important processes that may affect one or more
account balances
12
Top-Down, Risk Based Approach
Risk Analysis: The Starting Point
Understand the risk the business faces in
meeting objectives
Understand the risks that may motivate
management or others to misstate financial
statements
Account Balances and Risk Analysis
The Control Environment: Always
Important to an Integrated Audit
Materiality of Account Balances
13
Summary of Top-Down RiskBased Audit Approach
14
Searching for Audit Efficiency
1. How much assurance can be obtained regarding financial
reporting risk when a strong control environment is present
and working?
2. If control activities within major processes are working
properly throughout the year, what is the residual risk that
remains that an account balance can still be misstated?
3. What is the risk that the analysis of internal controls is
incorrect?
4. Which account balances might contain more than an
acceptable amount of risk that a material misstatement could
occur?
5. How would a misstatement in a material account balance
most likely occur?
6. What are the most effective direct tests of account balances
to determine whether there is a misstatement in the account
15
balance?
Residual Risk
Residual risk is the probability that an account
balance might be misstated after processing
and the application of internal controls.
From an auditor’s view, the residual risk is
based on:
The strength of the control environment
The design of the controls within major processes
The operation of the controls, management’s
process to monitor the effectiveness of its controls
The auditor’s confidence that the assessment of
residual risk is accurate
16
Likely Nature of Misstatements
and Efficiency of Audit Tests
Be recorded in the wrong period
Contain unusual rights of return provisions
Contain terms that are more consistent
with consignment rather than sale
Be concentrated in a very few customers,
many of which are international customers
and may have different credit risks than
most other customers
17
How do auditors minimize risk
related to the internal control audit?
 Only material processes and material account balances
need to be tested by the auditor.
 Material processes must be evaluated for design and
operation to support the auditor’s opinion on internal
controls.
 Some material account balances will need to be tested—
even with excellent internal controls—because the risk of
misstatement is too high to control audit risk at an
acceptable level.
 If there are no deficiencies in either the design or operation
of internal controls over significant processing, the
transactions associated with those processes will either
require minimal or no direct audit testing.
 • The time requirement to meet SEC filing requirements
encourages auditors, to the extent possible, to place more
18
reliance on the control processes that are effective.
Auditing Accounts
The riskiness of the account dictates the number
of direct tests of accounts that need to be
performed.
The subjectivity of estimates, where material,
requires that the affected account must be
addressed with direct tests of the accounts.
Non-standard and large adjusting entries should
be directly tested.
The size of the account (materiality) influences,
but does not totally dictate, whether direct
testing should be performed.
19
Auditing Accounts (continued)
 The extent of testing performed by management, as well
as the control testing performed by the auditor, will
influence the amount of direct testing of account
balances to be performed.
 The confidence the auditor has from all sources
(knowledge of the business and industry, results of
control testing, knowledge of system changes, previous
misstatements) influences the amount of direct testing.
 The existence of other corroborating tests of the account
balance, such as from knowledge gained from testing
related accounts, also affects the amount of direct
testing to be performed.
20
FACTORS AFFECTING EXTENT OF
DIRECT TESTING TO BE PERFORMED
Audit Evidence
Factors
Audit Risk
Auditor
Assessment
Effect on Direct
Testing Performed
Low
More direct testing
Business Risk
High
More direct testing
Subjectivity of
accounting process
Materiality of account
balance
Effectiveness of
internal control
High
More direct testing
Highly material More direct testing
account
Internal controls Less direct testing
are effective
21
Evaluating Internal Control over
Financial Reporting
Control Environment
Risk Management
Information and Communication
Monitoring
22
Testing Control Activities
Understand Important Supporting
Systems
Transaction-based Systems
Perform Test of Controls
23
Related documents
Case
Case
Evolution of an Automated Internal Audit Management System
Evolution of an Automated Internal Audit Management System
As the 2nd largest business support solutions (BSS) provider, CSG
As the 2nd largest business support solutions (BSS) provider, CSG
Big Data As Complementary Audit Evidence
Big Data As Complementary Audit Evidence
9.401 Auditing
9.401 Auditing
Standar Pekerjaan Lapangan
Standar Pekerjaan Lapangan
Senior Financial and Operational Auditor
Senior Financial and Operational Auditor
(financial and operational) auditor internal (financial and operational
(financial and operational) auditor internal (financial and operational
Download
advertisement