Chapter 5
Internal Control Evaluation: Assessing Control Risk
Accounting 408 Chapter 5

1. Overview

2. Introduction

Management’s responsibility for internal control
  • Responsibility under SOX
      • certify the financial statements (Section 302)
      • report on IC over fin. reporting (Section 404); must include a statement:
          • that management is responsible
          • identifying the framework
          • providing management's assessment
  • For nonissuer
      • design, implement, and maintain control system
  • Foreign Corrupt Practices Act

Auditor’s responsibility
  • Under SOX
      • auditor must conduct an integrated audit under PCAOB stds
      • not a separate engagement
      • issue opinion on f/s and IC
  • For nonissuer
      • auditor must conduct audit under AICPA stds
      • use evaluation of the client’s business and its IC to identify and assess risks of material misstatement

Performance Principle
  The auditor must identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including its internal control.

Standards
  • SAS 122
  • SAS 109
  • SAS 78 - COSO
  • SAS 55
  • SAS 1

Questions

SAS 122 and 109 – Definition of IC
  IC is a process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of objectives with regard to
  • reliability of financial reporting
  • effectiveness and efficiency of operations
  • compliance with applicable laws and regulations

SAS 78 (COSO)
  IC is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) compliance with laws and regulations, and (c) effectiveness and efficiency of operations.

SAS 55
  An internal control structure consists of the policies and procedures established by an entity to provide reasonable assurance that specific entity objectives will be achieved.

SAS 1
  Internal control includes the organization’s plan and other measures designed to accomplish the following objectives:
  • safeguard assets
  • check the accuracy and reliability of accounting data
  • promote operational efficiency
  • encourage adherence to managerial policies

3. Control Structure

Relevance to an audit

Elements of IC – COSO
  • control environment
  • risk assessment
  • information and communication
  • control activities
  • monitoring

Control environment – most important
  • integrity and ethical values
  • board of directors (includes audit committee)
  • management’s philosophy and operating style
  • organizational structure
  • financial reporting competencies
  • authority and responsibility
  • human resources

Risk assessment
  Examples of where risks may arise:
  • change in regulatory or operating environment
  • new personnel
  • new or revised AIS
  • rapid expansion
  • new technology
  • new business models or products
  • expansion or acquisition of foreign operations

Information and communication
  • AIS
  • IT general controls
  • IT application controls
  • spreadsheet controls

Control activities
  • prenumbered documents
  • segregation of duties
  • authorization
  • record keeping
  • custody
  • reconciliation
  • physical security
  • IT controls
  • preventive controls vs. detective controls

Monitoring
  • internal auditing
  • follow-up of reporting errors
  • follow-up of customer complaints

Questions

Elements – Enterprise Risk Mgt Framework
  • internal environment
  • objective setting
  • event identification
  • risk assessment
  • risk response
  • control procedures
  • information and communication
  • monitoring

4. General Considerations

  • Entity’s specific context
  • Management’s responsibility
  • Extent of IT
  • Reasonable assurance
  • Limitations

Limitations
  • cost benefit issues
  • misunderstandings
  • mistakes of judgment
  • carelessness
  • collusion
  • management override
  • unusual transactions

  • Small business considerations
  • Design vs. implementation vs. operating effectiveness
  • Auditability of entity

Why assess risk of material misstatement?
  • determine nature, timing, and extent of audit procedures
      • tests of controls
      • substantive tests

Trade-off Between Testing of Controls and Substantive Testing
  [Figure: axes Detection Risk (High to Low) and RMM (Low to High); labels Substantive Testing and Tests of Controls]

  • Control risk never zero
  • Some substantive procedures always required
  • Tests of controls
      • required for issuers (AS 5)
      • optional for nonissuers
  • Use of TOC evidence from previous audits
      • inquire of management – if no changes, can use but must test every three years

5. Obtaining an Understanding

Extent of understanding necessary?
  • depends on circumstances of the engagement
  • size and complexity of the entity
  • auditor’s experience with entity
  • identifying significant changes from prior years
  • sufficient to identify and assess RMM
  • design, implementation, effectiveness

Must include understanding of (follows top down approach)
  • significant accounts and disclosures, and their relevant assertions
  • entity-level controls and transaction-level controls

Must include knowledge of each IC element
Does not have to include all controls in the entity

Procedures to obtain an understanding (Risk Assessment Procedures)
  • inquiries
  • inspection
  • observation
  • analytical procedures
  • walk through
  • previous experience

Documentation
  • Extent
      • Discussion among audit team
      • Key components and each element
      • Assessment of RMM at both f/s and assertion levels
      • Controls tested
      • Risks identified
  • Methods
      • Narrative
      • Questionnaire
      • Flowchart
      • Decision tree
      • Check list

6. Assessing RMM

Use top-down approach
  • identify risks at entity level and then relate to assertion level for significant accounts and assertions
  • relate risks to what can go wrong at the relevant assertion level
  • consider if misstatements could rise to a material amount
  • consider the likelihood they would result in a material misstatement

Consider nature of transactions
  • routine transactions
  • nonroutine transactions
  • estimation transactions

Examples of Risk Assessment Procedures used to obtain understanding and assess risks
  • Inquiries – use different levels
  • Analytical procedures – high level of aggregation
  • Observation and inspection – prior year info – consider changes
  • Discussion with audit team

After assessment
  Determine:
  • nature
  • timing
  • extent
  of testing (substantive and tests of controls)

Assessment levels
  • at the maximum
  • below the maximum

Initial assessment

Additional concepts for assessment
  • pervasive vs. specific effect
  • direct vs. indirect effect
  • compensating strengths
  • qualitative or quantitative assessment

7. Tests of Controls

Types of tests
  • inquiries
  • inspection
  • observation
  • reperformance

Requirements to perform tests of controls

Approach to tests of controls
  • directed toward the operation of a control (design or implementation)
      • procedures used: inquiring, inspecting, observing
      • e.g., budget, IT general controls
  • directed toward the effectiveness of a control
      • procedures used: inquiring, inspecting, observing, reperforming
  • Dual purpose tests

Internal control deficiency
  The design or operation of a control does not allow management or employees to detect or prevent misstatements in a timely fashion.
  • Design deficiency
      • control missing or so poorly designed it fails to detect or prevent misstatements even if operating as designed
  • Operating deficiency
      • properly designed control is either ignored or inappropriately applied

8. Reassess RMM

  • Based on results from tests of controls
  • Could support
      • lower assessment
      • same assessment
      • higher assessment
  • Cumulative process

9. Design Substantive Tests

  • Audit program
  • Relationship between final assessment of CR and substantive testing
  • Effect on substantive testing
      • nature
      • timing
      • extent

Questions

10. Types of Audit Procedures

Tests Related to 2nd Field Work Standard
  • risk assessment procedures
      • inquiry, inspection, observation, analytical procedures, walk through, and prior experience
  • tests of controls
      • inquiry, inspection, observation, prior experience, and reperforming

Tests Related to 3rd Field Work Standard
  • substantive tests
      • substantive analytical procedures
      • tests of details
          • of transactions: vouching, tracing, reperforming, etc.
          • of balances: confirming, reconciling, observing, etc.

11. Communication of Internal Control Matters

Responsibility of auditor (nonissuer)
  AU-C 265.02
  The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This section specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.

Levels of deficiencies
  • control deficiencies
  • significant deficiencies
  • material weaknesses

Must communicate both significant deficiencies and material weaknesses to management and BOD
  • for issuers, must be in writing
Do not give statement of no deficiencies found

Control deficiencies
  could result from deficiency in
  • design – no control, or existing control not properly designed
  • operation – properly designed control not operating as designed, or person performing control does not possess necessary authority or competence

Material weaknesses
  a deficiency, or combination of deficiencies, such that there is a reasonable possibility* that a material misstatement of the f/s will not be prevented or detected
  * based on FASB Stmt. No. 5 – includes reasonably possible and probable

Significant deficiencies
  less severe than material weakness yet important enough to merit attention

12. AS Requirements

Phases of AS 5 integrated audit
  1. Plan the engagement
  2. Use a top-down approach to gain an understanding
      a) Identify entity-level controls
      b) Walkthroughs
  3. Testing internal control effectiveness
      a) Design effectiveness
      b) Operating effectiveness
  4. Evaluating control deficiencies
      a) Deficiencies
      b) Significant deficiencies
      c) Material weaknesses
  5. Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
  6. Reporting on internal control

  • Must use top down approach
  • Must issue opinion on the effectiveness of internal control
  • Not separate engagement
      • integrated audit of internal control and financial statements
  • Report
      • Unqualified – no material weaknesses found
      • Disclaimer of opinion – cannot perform all procedures considered necessary
      • Adverse opinion – one or more material weaknesses found
  • Evaluate management’s report

13. Review Questions for Discussion

Chapter 5
  5.3, 5.4, 5.5, 5.7, 5.8, 5.10, 5.13, 5.14, 5.15, 5.17, 5.18, 5.21, 5.26, 5.29, 5.30, 5.31