Uploaded by maxamed124

Chapter10

advertisement
Section 404 Audits of
Internal Control and
Control Risk
Chapter 10
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 1
Learning Objective 1
Describe the three primary
objectives of effective
internal control.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 2
Internal Control Objectives
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with laws and regulations
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 3
Learning Objective 2
Contrast management’s
responsibilities for maintaining
and reporting on internal controls
with the auditor’s responsibilities
for understanding, testing, and
reporting on internal controls.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 4
Management and Auditor
Responsibilities Related
to Internal Control
Management’s responsibility
for establishing internal control
Reasonable assurance
Inherent limitations
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 5
Management and Auditor
Responsibilities Related
to Internal Control
Management’s Section 404
reporting responsibilities
Design of internal control
Operating effectiveness of controls
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 6
Management and Auditor
Responsibilities Related
to Internal Control
Auditor responsibilities for
understanding internal control
Control over classes of transactions
Auditor responsibilities for testing
and reporting on internal control
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 7
Sales Transaction-Related Audit
Objectives
Transaction-Related Audit
Objective – General form
Sales Transaction-Related
Audit Objectives
Recorded transactions
exist (existence).
Sales are for shipments
to existing customers.
Existing transactions are
recorded (completeness).
Existing sales transactions
are recorded.
Transactions are stated
correctly (accuracy).
Sales for goods shipped
are correctly billed.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 8
Sales Transaction-Related Audit
Objectives
Transaction-Related Audit
Objective – General form
Sales Transaction-Related
Audit Objectives
Transactions are properly
classified (classification).
Sales transactions are
properly classified.
Transactions are recorded Sales are recorded on
on correct dates (timing).
the correct dates.
Transactions are properly
filed (posting and
summarization).
Sales transactions are
properly included in the
master files.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 9
Learning Objective 3
Explain the five components
of the COSO internal
control framework.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 10
Five Components of Internal
Control
Risk
assessment
Information and
communication
Control
activities
Monitoring
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 11
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit committee participation
Management’s philosophy and operating style
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 12
The Control Environment
Organizational structure
Assignment of authority and responsibility
Human resources policies and practices
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 13
Risk Assessment
Identify factors that may increase risk.
Estimate the significance of the risk.
Assess the likelihood of the risk.
Determine actions necessary to manage the risk.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 14
Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 15
Adequate Separation of Duties
Custody of assets
Accounting
Authorization
of transactions
The custody of
related assets
Operational
responsibility
Record-keeping
responsibility
IT duties
User departments
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 16
Proper Authorization of
Transactions and Activities
General authorization
Specific authorization
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 17
Adequate Documents and
Records
Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple use
Constructed to encourage correct preparation
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 18
Physical Control over Assets
and Records
The most important type of protective
measure for safeguarding assets and
records is the use of physical precautions.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 19
Independent Checks on
Performance
The need for independent checks arises
because internal control tends to change
over time unless there is a mechanism
for frequent review.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 20
Information and Communication
The purpose of an accounting information
and communication system is to…
initiate, record, process, and report
the entity’s transactions and to maintain
accountability for the related assets.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 21
Monitoring
Monitoring activities deal with management’s
ongoing and periodic assessment of the
quality of internal control performance…
to determine whether controls are operating
as intended and modified when needed.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 22
How the Size of the Business
Affects Internal Control
In general the SEC believes that small
businesses should be expected to adhere
to the same internal control standards that
apply to larger public companies.
The SEC has also stated that the burden to
smaller companies can be disproportionate.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 23
Learning Objective 4
Obtain and document an
understanding of internal control.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 24
Four Phases of a Financial
Statement Audit
Phase 1
Phase 2
Obtain an
understanding of
internal control:
design and
operation
Assess control
risk.
Phase 3
Design, perform,
and evaluate tests
of controls
Phase 4
Decide planned
detection risk
and substantive
tests.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 25
Obtain and Document
Understanding of Internal Control
SAS 55 and PCAOB Standard 2 both require
the auditor to obtain an understanding
of internal control for every audit.
Procedures to obtain an understanding:
• Design of internal controls
• Whether placed in operation
• Uses this information as a basis for the
integrated audit.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 26
Methods Used
Narrative
Flowchart
Internal
control
questionnaire
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 27
Narrative
1. The origin of every document
and record in the system
2. All processing that takes place
3. The disposition of every document
and record in the system
4. An indication of the controls relevant
to the assessment of control risk
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 28
Evaluating Internal Control
Operation
Update and evaluate auditor’s previous
experience with the entity.
Make inquiries of client personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 29
Learning Objective 5
Assess control risk by linking key
controls, significant deficiencies,
and material weaknesses to
transaction-related audit
objectives.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 30
Assess Control Risk
Assess whether the financial statements
are auditable.
Determine assessed control risk supported
by the understanding obtained assuming
the controls are being followed.
Use of a control risk matrix to assess control risk
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 31
Control Risk Matrix
Auditors use the control risk matrix to
identify both controls and weaknesses
and to assess control risk.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 32
Control Risk Matrix
Identify transaction-related audit objectives.
Identify existing controls.
Associate controls with transaction-related
audit objectives.
Identify and evaluate control deficiencies,
significant deficiencies, and material weaknesses
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 33
Evaluating Significant Control
Deficiencies
SIGNIFICANCE
Material
Material
Weakness
LIKELIHOOD Remote
Probable
Immaterial
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 34
Communicate Internal Control
Deficiencies and Related Matters
Audit committee communications
Management letters
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 35
Learning Objective 6
Describe the process of designing
and performing tests of controls.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 36
Tests of Controls
The procedures to test effectiveness of controls
in support of a reduced assessed control
risk are called tests of controls.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 37
Procedures for Tests of Controls
1. Make inquiries of client personnel.
2. Examine documents, records, and reports.
3. Observe control-related activities.
4. Reperform client procedures.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 38
Extent of Procedures
Reliance on evidence from prior year’s audit
Testing less than the entire audit period
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 39
Relationship of Assessed Control
Risk and Extent of Procedures
Assessed control risk
Type of
procedure
High level:
Procedures to obtain
an understanding
Inquiry
Yes–extensive
Documentation Yes–with transaction
walk-through
Observation
Yes–with transaction
walk-through
Reperformance No
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
Lower level:
Tests of controls
Yes–some
Yes–using sampling
Yes–at multiple times
Yes–using sampling
10 - 40
Decide Planned Detection Risk
and Design Substantive Tests
The auditor uses the results of the control risk
assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.
The auditor links the control risk assessments
to the balance-related audit objectives.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 41
Learning Objective 7
Understand Section 404
requirements for auditor
reporting on internal control.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 42
Section 404 Reporting on Internal
Control
1
The auditor’s opinion on whether management’s
assessment of the effectiveness of internal
control over financial reporting as of the
end of the fiscal period is fairly stated,
in all material respects.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 43
Section 404 Reporting on Internal
Control
2
The auditor’s opinion on whether the company
maintained, in all material respects, effective
internal control over financial reporting
as of the specified date.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 44
Types of Opinions
Unqualified
Adverse
Qualified or disclaimer of opinion
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 45
Learning Objective 8
Describe the differences in
evaluating, reporting, and
testing internal control for
nonpublic companies.
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 46
Evaluating, Reporting, and Testing Internal
Control for Nonpublic Companies
1. Reporting requirements
2. Extent of required internal controls
3. Extent of understanding needed
4. Assessing control risk
5. Extent of tests of controls needed
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 47
Differences in Scope of Controls
Tested: Nonpublic Company
Internal controls over financial reporting
Internal controls used to assess
control risk below maximum
Controls that must be tested in
an audit of internal controls
Controls that must be tested in
an audit of financial statements
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 48
End of Chapter 10
©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
10 - 49
Download