Chapter 7
Auditing Internal Control over Financial Reporting
McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Reporting on Internal Control
• Management of all public companies must report on ICFR in the 10-K (annual report, annual financial statements, etc.) filed with the SEC
• Auditors, if it is a public company of at least $75,000,000 market cap, must also perform an integrated audit engagement resulting in…
  – An opinion on the financial statements, and
  – An opinion on the ICFR

LO# 1 Management Responsibilities under SarBox Section 404
Management of all publicly traded companies must issue an internal control report that accepts responsibility for establishing and maintaining “adequate” ICFR.
The investigation by management and the subsequent management report is very important to auditors because auditors rely somewhat on management, instead of completely “reinventing the wheel” in their audit of ICFR.

LO# 1 Management Responsibilities under Section 404
Management must also comply with the following requirements in order for the external auditor to complete an audit of ICFR.
1. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.
2. Support the evaluation with sufficient evidence, including documentation.
3. Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.

LO# 2 Auditor Responsibilities under Section 404 and AS5
• In addition to management reporting on ICFR, the entity’s independent auditor must audit and report on the effectiveness of ICFR, if it is a public company, and if it has market capitalization of at least $75,000,000.
• However, if it is a public company with market capitalization of less than $75,000,000, only management has to report on ICFR effectiveness.
• The auditor, if he reports on ICFR, must conduct an integrated audit of the entity’s ICFR and its financial statements.

LO# 3 ICFR Defined
ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:
1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets.

LO# 4 Relationships: Deficiencies, significant deficiencies, & material weaknesses
[Figure: Material weakness; Significant deficiency; Deficiency]

LO# 4 Internal Control Deficiencies Defined
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

LO# 4 Internal Control Deficiencies Defined
A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control.
A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.
As illustrated on the next slide, the auditor must consider two dimensions of each control deficiency detected: Likelihood and Magnitude.

LO# 4 Internal Control Deficiencies Defined
[Figure: classification of control deficiencies by magnitude and likelihood.
 Magnitude axis: Material; Not material but significant; Not material or significant.
 Likelihood axis: Remote; Reasonably possible or probable.
 Regions: Material weakness; Significant deficiency; Control deficiency.]

How likely IC will fail to prevent or detect misstatement?
• The nature of the financial statement accounts, disclosures, and assertions;
• The susceptibility of the related asset or liability to loss or fraud;
• The subjectivity, complexity, or extent of judgment required to determine the amount;
• The interaction or relationship of the control with other controls, e.g. whether there are redundant (compensating) controls;
• The interaction of the deficiencies; and
• The possible future consequences of the deficiency.
AS 5, par. 65 and 68

Assuming a misstatement occurs, what will its magnitude be?
In other words, how material a misstatement would this be?
AS 5, par. 66 phrases this a bit differently but substantively that’s what it says.

Research shows that some years management and auditors have had such difficulty identifying material weaknesses that they relied more often than not on the four Indicators of Material Weaknesses (AS 5 par. 69) on the next slide.

Indicators of Material Weakness
• Identification of fraud, whether or not material, on the part of senior management (e.g. CEO, CFO, CAO, Controller)
• Restatement of previously issued financial statements to reflect the correction of a material misstatement (per SFAS 154)
• Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's ICFR; and
• Ineffective oversight of the company's external financial reporting and ICFR by the company's audit committee

LO# 5 Management’s Assessment Process
Management must follow a top-down, risk-based approach:
1. Identify financial reporting risks and controls.
2. Evaluate evidence about the operating effectiveness of ICFR.
3. Consider which locations to include in the evaluation.

LO# 5 Framework Used by Management to Conduct Its Assessment
Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control:
(1) reliable financial reporting;
(2) efficiency and effectiveness of operations; and
(3) compliance with laws and regulations.

LO# 5 Identify Entity-Level Controls

LO# 5 Management’s Documentation
• Management must develop sufficient documentation to support its assessment of the effectiveness of ICFR. This documentation may take many forms.
If the investigation of ICFR by the company, and the documentation of the investigation, are not good enough, the auditor may not be able to express an opinion and thus will have to issue a disclaimer.

LO# 6 Integrating the Audits of Internal Control and Financial Statements
• An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control.
• Thus, one CPA firm must perform both the audit of the financial statements and the audit of ICFR.
[Figure: Tests of internal control; Substantive audit procedures]

LO# 6 Performing an Audit of ICFR
[Figure 7-2]

LO# 7 Planning the Audit of ICFR
The planning process is similar to the process used for the audit of financial statements. Consider the following:
– Risk assessment and the risk of fraud.
– Scaling the audit.
– Using the work of others.

LO# 7 Special Consideration: Using the Work of Others
A major consideration for the external auditor is how much work is to be performed by others. In determining the extent to which the auditor may use the work of others, the auditor should:
(1) evaluate the nature of the controls subjected to the work of others,
(2) evaluate the competence and objectivity of the individuals who performed the work, and
(3) test some of the work performed by others to evaluate the quality and effectiveness of their work.
As the risk associated with the control being tested increases, the external auditor should do more of the work.

LO# 8 Using a Top-Down Approach
[Figure 7-3]

LO# 8 Identifying Significant Accounts
• Size and composition of the account
• Susceptibility to misstatement due to errors or fraud
• Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure
• Nature of the account or disclosure
• Accounting and reporting complexities associated with the account or disclosure

LO# 8 Identifying Significant Accounts
• Exposure to losses in the account
• Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure
• Existence of related-party transactions in the account
• Changes from the prior period in account or disclosure characteristics

LO# 8 Sources of Misstatements
• Understand the flow of transactions related to the relevant assertions
• Identify the points within the entity’s processes at which a misstatement could arise that would be material
• Identify the controls that management has implemented to address these potential misstatements
• Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement of the financial statements

LO# 8 Select Controls to Test

LO# 9 Test the Design and Operating Effectiveness of Controls
• Evaluate design
• Test and evaluate operating effectiveness
  – Nature: Inquiry, inspection of documents, observation, and reperformance.
  – Timing: Interim vs. “as of” date
  – Extent: Consider (1) Nature of the control; (2) Frequency of operation; and (3) Importance of the control.

Auditor Communication
Auditor communication is of three types
– The auditor must give an opinion as to ICFR to the public. This is included in the company’s annual report filed with the SEC
– The auditor must communicate certain additional things to the audit committee (almost all public companies now have an audit committee)
– The auditor should communicate certain additional things to management

Auditor’s opinion as to ICFR given to the public (see examples at end of Ch. 7)
Possible opinions
– Unqualified if ICFR is effective
  Can be “standard” or can be “modified”
– Adverse if ICFR is not effective
  In other words, Adverse opinion if there are one or more material weaknesses
– Disclaimer if serious scope limitation
  In other words, something prevented the auditor from fully completing a proper audit of ICFR

Auditor must communicate certain additional things to audit committee
Not only material weaknesses (which are communicated to the public), but also significant deficiencies, must be communicated to the audit committee

Auditor should communicate certain additional things to management
According to AS5, not only material weaknesses, and significant deficiencies, but also other control deficiencies, that the auditor learns of, should be communicated to the management of the company

LO# 11 Remediation of a Material Weakness
Remediation means fixing a material weakness in the ICFR
– If a material weakness is fixed before the “as of” date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control; if not, an adverse opinion is still issued.

LO# 12 Written Representations
In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR.
Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.

LO# 13 Auditor Documentation Requirements
The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control.
When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

LO# 13 Auditor Documentation Requirements
The auditor’s documentation of the process, procedures, judgments and results relating to the audit of ICFR should include:
1. The auditor’s understanding and evaluation of the design of each of the components of ICFR;
2. The process used to determine the points at which misstatements could occur;
3. The extent to which the auditor relied upon the work of others; and
4. The evaluation of any deficiencies discovered or other findings which could result in a report modification.

LO# 14 Other Reporting Issues
1. Management’s report is incomplete or improperly presented.
2. The auditor decides to refer to the report of other auditors.
3. A significant subsequent event has occurred.
4. There is additional information contained in management’s report on internal control.
5. There is a remediated material weakness at an interim date (AS 4).

LO# 16 Advanced Module 1: Use of Service Organizations
Management and the auditor should perform the following procedures with respect to the activities performed by the service organization:
(1) obtain an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization; and
(2) obtain evidence that the controls that are relevant to management’s assessment and the auditor’s opinion are operating effectively.
This can be accomplished by obtaining a Type 2 report from the service organization’s auditor.

LO# 18 Advanced Module 2: Computer-Assisted Audit Techniques
Computer-assisted audit techniques (CAATs) include:
• Generalized audit software packages.
• Custom audit software.
• Test data.

LO# 18 Advanced Module 2: Generalized Audit Software
ACL is an example of GAS

End of Chapter 7