Chapter 9

Chapter 5
Internal Control Evaluation:
Assessing Control Risk
Accounting 408
Chapter 5
1. Overview
2. Introduction

• Management’s Responsibility for internal control
  • Responsibility under SOX
    • certify the financial statements (Section 302)
    • report on IC over fin. reporting (Section 404)
      • must include a statement:
        • that management is responsible
        • identifying the framework
        • providing management's assessment
  • For nonissuer
    • design, implement, and maintain control system
  • Foreign Corrupt Practices Act
2. Introduction (continued)

• Auditor’s responsibility
  • Under SOX
    • auditor must conduct an integrated audit under PCAOB stds
    • not a separate engagement
    • issue opinion on f/s and IC
  • For nonissuer
    • auditor must conduct audit under AICPA stds
    • use evaluation of the client’s business and its IC to identify and assess risks of material misstatement
2. Introduction (continued)

• Performance Principle
  • The auditor must identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including its internal control.
• Standards
  • SAS 122
  • SAS 109
  • SAS 78 - COSO
  • SAS 55
  • SAS 1
• Questions
2. Introduction (continued)

• SAS 122 and 109 – Definition of IC
  • IC is a process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of objectives with regard to
    • reliability of financial reporting
    • effectiveness and efficiency of operations
    • compliance with applicable laws and regulations
2. Introduction (continued)

• SAS 78 (COSO)
  • IC is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) compliance with laws and regulations, and (c) effectiveness and efficiency of operations.
2. Introduction (continued)

• SAS 55
  • An internal control structure consists of the policies and procedures established by an entity to provide reasonable assurance that specific entity objectives will be achieved.
2. Introduction (continued)

• SAS 1
  • Internal control includes the organization’s plan and other measures designed to accomplish the following objectives:
    • safeguard assets
    • check the accuracy and reliability of accounting data
    • promote operational efficiency
    • encourage adherence to managerial policies
3. Control Structure

• Relevance to an audit
• Elements of IC – COSO
  • control environment
  • risk assessment
  • information and communication
  • control activities
  • monitoring
3. Control Structure (continued)

• Control environment – most important
  • integrity and ethical values
  • board of directors (includes audit committee)
  • management’s philosophy and operating style
  • organizational structure
  • financial reporting competencies
  • authority and responsibility
  • human resources
3. Control Structure (continued)

• Risk assessment
• Examples of where risks may arise:
  • change in regulatory or operating environment
  • new personnel
  • new or revised AIS
  • rapid expansion
  • new technology
  • new business models or products
  • expansion or acquisition of foreign operations
3. Control Structure (continued)

• Information and communication
  • AIS
  • IT general controls
  • IT application controls
  • spreadsheet controls
3. Control Structure (continued)

• Control activities
  • prenumbered documents
  • segregation of duties
  • authorization
  • record keeping
  • custody
  • reconciliation
  • physical security
  • IT controls
  • preventive controls vs. detective controls
3. Control Structure (continued)

• Monitoring
  • internal auditing
  • follow-up of reporting errors
  • follow-up of customer complaints
• Questions
3. Control Structure (continued)

• Elements – Enterprise Risk Mgt Framework
  • internal environment
  • objective setting
  • event identification
  • risk assessment
  • risk response
  • control procedures
  • information and communication
  • monitoring
4. General Considerations

• Entity’s specific context
• Management’s responsibility
• Extent of IT
• Reasonable assurance
• Limitations
4. General Considerations (continued)

• Limitations
  • cost benefit issues
  • misunderstandings
  • mistakes of judgment
  • carelessness
  • collusion
  • management override
  • unusual transactions
4. General Considerations (continued)

• Small business considerations
• Design vs. implementation vs. operating effectiveness
• Auditability of entity
4. General Considerations (continued)

• Why assess risk of material misstatement?
  • determine nature, timing, and extent of audit procedures
    • tests of controls
    • substantive tests
4. General Considerations (continued)

Trade-off Between Testing of Controls and Substantive Testing
[Figure: trade-off diagram. Detection Risk: High to Low. RMM: Low to High. Labels: Substantive Testing, Tests of Controls.]
4. General Considerations (continued)

• Control risk never zero
• Some substantive procedures always required
• Tests of controls
  • required for issuers (AS 5)
  • optional for nonissuers
• Use of TOC evidence from previous audits
  • inquire of management – if no changes, can use
  • but must test every three years
5. Obtaining an Understanding

• Extent of understanding necessary?
  • depends on
    • circumstances of the engagement
    • size and complexity of the entity
    • auditor’s experience with entity
    • identifying significant changes from prior years
  • sufficient to identify and assess RMM
• Must include understanding of (follows top down approach)
  • design, implementation, effectiveness
  • significant accounts and disclosures, and their relevant assertions
  • entity-level controls and transaction-level controls
• Must include knowledge of each IC element
• Does not have to include all controls in the entity
5. Obtaining an Understanding (continued)

• Procedures to obtain an understanding (Risk Assessment Procedures)
  • inquiries
  • inspection
  • observation
  • analytical procedures
  • walk through
  • previous experience
5. Obtaining an Understanding (continued)

• Documentation
  • Extent
    • Discussion among audit team
    • Key components and each element
    • Assessment of RMM at both f/s and assertion levels
    • Controls tested
    • Risks identified
  • Methods
    • Narrative
    • Questionnaire
    • Flowchart
    • Decision tree
    • Check list
6. Assessing RMM

• Use top-down approach
  • identify risks at entity level and then relate to assertion level for significant accounts and assertions
  • relate risks to what can go wrong at the relevant assertion level
  • consider if misstatements could rise to a material amount
  • consider the likelihood they would result in a material misstatement
• Consider nature of transactions
  • routine transactions
  • nonroutine transactions
  • estimation transactions
6. Assessing RMM (continued)

• Examples of Risk Assessment Procedures used to obtain understanding and assess risks
  • Inquiries – use different levels
  • Analytical procedures – high level of aggregation
  • Observation and inspection – prior year info – consider changes
  • Discussion with audit team
6. Assessing RMM (continued)

• After assessment
  • Determine:
    • nature
    • timing
    • extent of testing (substantive and tests of controls)
6. Assessing RMM (continued)

• Assessment levels
  • at the maximum
  • below the maximum
• Initial assessment
• Additional concepts for assessment
  • pervasive vs. specific effect
  • direct vs. indirect effect
  • compensating strengths
  • qualitative or quantitative assessment
7. Tests of Controls

• Types of tests
  • inquiries
  • inspection
  • observation
  • reperformance
• Requirements to perform tests of controls
7. Tests of Controls (continued)

• Approach to tests of controls
  • directed toward the operation of a control (design or implementation)
    • procedures used: inquiring, inspecting, observing
    • e.g., budget, IT general controls
  • directed toward the effectiveness of a control
    • procedures used: inquiring, inspecting, observing, reperforming
• Dual purpose tests
7. Tests of Controls (continued)

• Internal control deficiency
  • the design or operation of a control does not allow management or employees to detect or prevent misstatements in a timely fashion
• Design deficiency
  • control missing or so poorly designed it fails to detect or prevent misstatements even if operating as designed
• Operating deficiency
  • properly designed control is either ignored or inappropriately applied
8. Reassess RMM

• Based on results from tests of controls
• Could support
  • lower assessment
  • same assessment
  • higher assessment
• Cumulative process
9. Design Substantive Tests

• Audit program
• Relationship between final assessment of CR and substantive testing
• Effect on substantive testing
  • nature
  • timing
  • extent
• Questions
10. Types of Audit Procedures

• Tests Related to 2nd Field Work Standard
  • risk assessment procedures
    • inquiry, inspection, observation, analytical procedures, walk through, and prior experience
  • tests of controls
    • inquiry, inspection, observation, prior experience, and reperforming
10. Types of Audit Procedures (continued)

• Tests Related to 3rd Field Work Standard
  • substantive tests
    • substantive analytical procedures
    • tests of details
      • of transactions
        • vouching, tracing, reperforming, etc.
      • of balances
        • confirming, reconciling, observing, etc.
11. Communication of Internal Control Matters

• Responsibility of auditor (nonissuer)
  • AU-C 265.02
    • The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This section specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.
11. Communication of Internal Control Matters

• Levels of deficiencies
  • control deficiencies
  • significant deficiencies
  • material weaknesses
• Must communicate both significant deficiencies and material weaknesses to management and BOD
  • for issuers, must be in writing
• Do not give statement of no deficiencies found
11. Communication of Internal Control Matters

• Control deficiencies could result from
  • deficiency in
    • design – no control, or existing control not properly designed
    • operation – properly designed control not operating as designed, or person performing control does not possess necessary authority or competence
11. Communication of Internal Control Matters

• Material weaknesses
  • a deficiency, or combination of deficiencies, such that there is a reasonable possibility* that a material misstatement of the f/s will not be prevented or detected

* based on FASB Stmt. No. 5 – includes reasonably possible and probable
11. Communication of Internal Control Matters

• Significant deficiencies
  • less severe than material weakness yet important enough to merit attention
12. AS Requirements

Phases of AS 5 integrated audit
1. Plan the engagement
2. Use a top-down approach to gain an understanding
   a) Identify entity-level controls
   b) Walkthroughs
3. Testing internal control effectiveness
   a) Design effectiveness
   b) Operating effectiveness
4. Evaluating control deficiencies
   a) Deficiencies
   b) Significant deficiencies
   c) Material weaknesses
5. Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
6. Reporting on internal control
12. AS Requirements (continued)

• Must use top down approach
• Must issue opinion on the effectiveness of internal control
• Not separate engagement
  • integrated audit of internal control and financial statements
• Report
  • Unqualified – no material weaknesses found
  • Disclaimer of opinion – cannot perform all procedures considered necessary
  • Adverse opinion – one or more material weaknesses found
• Evaluate management’s report
13. Review Questions for Discussion

Chapter 5: 5.3, 5.4, 5.5, 5.7, 5.8, 5.10, 5.13, 5.14, 5.15, 5.17, 5.18, 5.21, 5.26, 5.29, 5.30, 5.31