Auditing & Assurance Services, 6e
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Chapter 05
Risk Assessment: Internal Control Evaluation

“Bernie doesn’t want you to use the words ‘internal controls’ in any more of your audit reports…it aggravates him.”
-- Cynthia Cooper, referring to advice given her by a colleague on how best to deal with Bernie Ebbers, the then CEO of WorldCom, right before she uncovered an $11 billion fraud that Ebbers directed.

Learning Objectives
1. Define and describe internal control and explain the limitations of all internal control systems.
2. Distinguish between the responsibilities of management and auditors regarding an entity’s internal control.
3. Define and describe the five basic components of internal control and specify some of their characteristics.
4. Explain the process the audit team uses to assess control risk, understand its impact on the risk of material misstatement, and, ultimately, to know how it affects the nature, timing, and extent of substantive testing to be performed on the audit.
5. Describe additional responsibilities for management and auditors of public companies required by Sarbanes-Oxley and Auditing Standard No. 5.
6. List the major components of the auditors’ report on internal control over financial reporting.
7. Describe situations in which the auditors’ report on internal control over financial reporting would be modified.
8. Explain the communication of internal control deficiencies to those charged with governance such as the audit committee and other key management personnel.

Internal Control Defined
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations

Responsibility for Internal Control
• Management’s responsibility
  – Responsibility for establishing and maintaining adequate internal control over financial reporting
  – Assess and report on the effectiveness of internal control over financial reporting
• Auditors’ responsibility
  – For public companies, must audit and issue an opinion about the effectiveness of the internal control over financial reporting
  – For each fraud risk, must evaluate whether controls are in place to mitigate the fraud risk
  – Must assess control risk to determine the nature, timing and extent of substantive procedures to be performed

Internal Control Components (COSO)
• Control Environment
• Risk Assessment
• Control Activities
• Monitoring
• Information and Communication

Internal Control Evaluation
• Phase 1: Understand and document
  – Understand the client’s internal control
  – Document the understanding of internal control
    • Internal control questionnaire
    • Narrative
    • Accounting and control system flowcharts
• Phase 2: Assess control risk (preliminary)
  – Consider cost effectiveness of reliance/testing.
• Phase 3: Identify controls to test and perform tests of controls
  – Perform test of controls audit procedures
  – Re-assess control risk

Why Assess Control Risk?
• Determine nature, timing, and extent of audit procedures.
• There is a trade-off between testing of controls and substantive procedures.
• At least some substantive procedures are required.
• Control testing is required for public companies (in accordance with PCAOB AS 5), but remains an auditor judgment for other audits.

Should Test of Controls Be Completed?
An auditor may choose not to test controls for one of two reasons:
– Internal control system is too ineffective in preventing or detecting misstatements to rely upon to justify reductions in substantive testing
– It may take more time to test controls than it would to just perform more substantive testing to provide evidence needed to conclude about a financial statement assertion
– For public company audits, an auditor MUST test controls

Tests of Controls
• After identifying specific control activities that can be relied on to reduce substantive testing for a financial statement assertion, must test the control
• Procedures used from the least persuasive to the most persuasive form of evidence:
  – Inquiry
  – Observation
  – Inspection
  – Reperformance
• Direction of test does matter

AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements (Public Companies)
Phases of the engagement
1. Planning the engagement
2. Use a top-down approach
   a) Identify entity-level controls
   b) Walkthroughs
3. Testing controls
   a) Design effectiveness
   b) Operating effectiveness
4. Evaluating identified deficiencies
   a) Deficiencies
   b) Significant deficiencies
   c) Material weaknesses
5. Wrapping up
   a) Unqualified opinion
   b) Disclaimer of opinion
   c) Adverse opinion
6. Reporting on internal control

Summary of Internal Control Deficiencies
• Three categories
  – Internal control deficiency
  – Significant deficiency
  – Material weaknesses
• The difference between a significant deficiency and a material weakness is the (1) likelihood and (2) materiality that a potential (or actual) misstatement would not be detected on a timely basis.

Auditor’s Report On Internal Control Over Financial Reporting (ICFR)
• Title—include the word independent
• Responsibility of auditors and management
• In accordance with PCAOB standards
• Definition of internal control over ICFR
• Inherent limitations
• Opinion
• Reference to opinion on financial statements
• Date of report

Modifications to the Auditors’ Standard Report on Internal Control
• Material weaknesses in the entity’s internal control over financial reporting
• Effect of an adverse opinion on internal control on the auditor’s opinion on the financial statements
• Restriction on the scope of the engagement