Ch. 7 - Ross Fuerman

Chapter 7
Auditing Internal
Control over
Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Reporting on Internal Control
Management of all public companies must
report on ICFR in the 10-K (annual report,
annual financial statements, etc.) filed
with the SEC
• If it is a public company of at least
$75,000,000 market cap, then also the
auditors must perform an integrated audit
engagement resulting in an
– opinion on the financial statements, and an
– opinion on the ICFR
LO# 1
Management Responsibilities
under Section 404
Section 404 of the Sarbanes-Oxley Act requires
managements of publicly traded companies to issue a
report that accepts responsibility for establishing and
maintaining “adequate” internal control over financial
reporting (ICFR) and assert whether ICFR is effective
as of the end of the fiscal year.
LO# 1
Management Responsibilities
under Section 404
Management must comply with the following
requirements in order for the external auditor to
complete an audit of ICFR.
1. Accept responsibility for the effectiveness of the
entity’s ICFR.
2. Evaluate the effectiveness of the entity’s ICFR
using suitable control criteria.
3. Support the evaluation with sufficient evidence,
including documentation.
4. Present a written assessment regarding the
effectiveness of the entity’s ICFR as of the end of
the entity’s most recent fiscal year.
LO# 2
Auditor Responsibilities under
Section 404 and AS5
The entity’s independent auditor must audit and report
on the effectiveness of ICFR. The auditor is required to
conduct an integrated audit of the entity’s ICFR and
its financial statements.
LO# 3
ICFR Defined
ICFR is defined as a process designed to provide reasonable
assurance regarding the reliability of financial reporting and
the preparation of financial statements in accordance with
GAAP. Controls include procedures that:
1. Pertain to the maintenance of records that accurately and
fairly reflect the transactions and dispositions of the assets
of the company.
2. Provide reasonable assurance that transactions are
properly authorized and recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or
disposition of the company’s assets.
LO# 4
Relationships: Deficiencies, significant
deficiencies, & material weaknesses
LO# 4
Internal Control Deficiencies
A control deficiency exists when the design or
operation of a control does not allow management or
employees, in the normal course of performing their
assigned functions, to prevent or detect misstatements
on a timely basis.
A significant deficiency is a control deficiency, or a
combination of control deficiencies, in internal control
over financial reporting that is less severe than a material
weakness, yet important enough to merit attention by
those responsible for oversight of the company's financial
reporting (i.e. the audit committee).
LO# 4
Internal Control Deficiencies
A control deficiency may be serious enough to be
considered not only a significant deficiency but also a
material weakness in the system of internal control. A
material weakness is a deficiency, or a combination of
deficiencies, in ICFR, such that there is a reasonable
possibility that a material misstatement of the annual
or interim financial statements will not be prevented or
detected on a timely basis.
As illustrated on the next slide, the auditor must consider
two dimensions of the control deficiency:
likelihood (reasonably possible), and
magnitude (material, significant, or insignificant)
LO# 4
Internal Control Deficiencies Defined
[Figure: control deficiencies by magnitude and likelihood. Surviving labels: "Not material but significant"; "Not material or significant"; "Reasonably possible or probable"; "Report externally"; "Report to audit committee and to management".]
Indicators of Material Weakness
• Identification of fraud, whether or not material, on the part
of senior Management (e.g. CEO, CFO, CAO, Controller)
• Restatement of previously issued financial statements to
reflect the correction of a material misstatement (per SFAS
• Identification by the auditor of a material misstatement of
financial statements in the current period in circumstances
that indicate that the misstatement would not have been
detected by the company's ICFR; and
• Ineffective oversight of the company's external financial
reporting and ICFR by the company's audit committee
LO# 5
Framework Used by Management
to Conduct Its Assessment
Most entities use the COSO framework. As we learned
in Ch. 6, there are three primary objectives of
internal control:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
LO# 5
Identify Entity-Level Controls
LO# 5
Management’s Documentation
Management must develop sufficient
documentation to support its assessment of the
effectiveness of internal control. This
documentation must be sufficient to convince the
auditors that they can rely upon the work done by
the company. The auditor is not supposed to
begin work anew in its audit of ICFR, but instead
is supposed to leverage off the work already done
by the company. If the auditor feels he cannot do
this then he may have to issue a disclaimer.
LO# 6
Integrating the Audits of Internal
Control and Financial Statements
An integrated audit is composed of the audits of internal
control and the financial statements. The control testing
impacts the planned substantive procedures. Also, the
results of the substantive procedures are considered in
the evaluation of internal control.
LO# 7
Planning the Audit of ICFR
• The planning process is similar to the
process used for the audit of financial
• Consider the following:
– Role of risk assessment and the risk of
– Scaling the audit.
– Using the work of others.
Special Consideration:
Using the Work of Others
LO# 7
A major consideration for the external auditor is how much
work is to be performed by others. In determining the extent to
which the auditor may use the work of others, the auditor
(1) evaluate the nature of the controls subjected to the work of
(2) evaluate the competence and objectivity of the individuals
who performed the work, and
(3) test some of the work performed by others to evaluate the
quality and effectiveness of their work.
As the risk associated with the control being tested increases,
the external auditor should do more of the work.
LO# 8
Using a Top-Down Approach
Figure 7-3
LO# 8
Identifying Significant Accounts
• Size and composition of the account
• Susceptibility to misstatement due to
errors or fraud
• Volume of activity, complexity, and
homogeneity of the individual transactions
processed through the account or
reflected in the disclosure
• Nature of the account or disclosure
• Accounting and reporting complexities
associated with the account or disclosure
LO# 8
Sources of Misstatements
• Understand the flow of transactions related to the
relevant assertions
• Identify the points within the entity’s processes at
which a misstatement could arise that would be
• Identify the controls that management has
implemented to address these potential
• Identify the controls that management has
implemented over the prevention or timely detection
of unauthorized acquisition, use, or disposition of the
company’s assets that could result in a material
misstatement of the financial statements
LO# 8
Select Controls to Test
LO# 9
Test the Design and Operating
Effectiveness of Controls
• Evaluate
• Test and evaluate operating
– Nature: Inquiry, Inspection of documents,
observation, and reperformance.
– Timing: Interim vs. “as of” date
– Extent: Consider (1) Nature of the control;
(2) Frequency of operation; and
(3) Importance of the control.
LO# 10
Evaluate Identified Control Deficiencies
Is this a Deficiency?
Is this a Significant Deficiency?
Is this a Material Weakness?
As discussed previously, the auditor must
consider the likelihood and magnitude of
the control deficiency.
LO# 11
Remediation of a Material
• Remediation is the process of fixing
or correcting a material weakness in
the ICFR (so that the material
weakness no longer exists).
Remediation (fixing a Material Weakness)
• There are 3 ways a material weakness can be remediated and
then reported by the auditor
– This year, if it is fixed on time, well before the balance sheet
date, the company can avoid reporting a material weakness
and the auditor can give an unqualified opinion on ICFR
– In the next year’s audit opinion on ICFR the past year’s
material weakness issue is not mentioned, implying that it has
been remediated (fixed)
– Prior to the next year’s audit opinion on ICFR, the auditor
performs an engagement called “Reporting on Whether a
Previously Reported Material Weakness Continues to Exist”
(AS 4) and reports that the previously disclosed material
weakness no longer exists.
LO# 12
Written Representations
In addition to the management representations obtained
as part of a financial statement audit, the auditor also
obtains written representations from management related
to the audit of ICFR.
Failure to obtain written
representations from
management, including
management’s refusal to
furnish them, constitutes a
limitation on the scope of the
audit sufficient to preclude an
unqualified opinion.
LO# 13
Auditor Documentation
The auditor should properly document the processes,
procedures, judgments, and results relating to the audit
of internal control.
When an entity has effective ICFR,
the auditor should be able to
perform sufficient testing of controls
to assess control risk for all relevant
assertions at a low level.
LO# 13
Auditor Documentation Requirements
The auditor’s documentation of the process, procedures,
judgments and results relating to the audit of ICFR should
1. The auditor’s understanding and evaluation of the
design of each of the components of ICFR;
2. The process used to determine the points at which
misstatements could occur;
3. The extent to which the auditor relied upon the work of
others; and
4. The evaluation of any deficiencies discovered or other
findings which could result in a report modification.
LO# 14
Types of Reports re audit of ICFR
An unqualified opinion signifies
that the entity’s internal control is
designed and operating effectively
(no material weaknesses).
A serious (more than minor) scope
limitation requires a disclaimer
An adverse opinion is required if a
material weakness is identified.
LO# 15
Additional communications (beyond
audit opinion) in audit of ICFR
To management and the audit committee:
all significant deficiencies
To management:
all control deficiencies
End of Chapter 7