Chapter 7
Auditing Internal
Control over
Financial Reporting
McGraw-Hill/Irwin
©2008 The McGraw-Hill Companies, All Rights Reserved
LO# 1
Management Responsibilities
under Section 404
Section 404 of the Sarbanes-Oxley Act requires
management of publicly traded companies to issue
an internal control report that explicitly accepts
responsibility for establishing and maintaining
“adequate” internal control over financial reporting
(ICFR).
7-2
LO# 1
Management Responsibilities
under Section 404
Management must comply with the following in order
for its public accounting firm to complete an audit of
ICFR.
1. Accept responsibility for the effectiveness of the entity’s
ICFR.
2. Evaluate the effectiveness of the entity’s ICFR using
suitable control criteria.
3. Support its evaluation with sufficient evidence, including
documentation.
4. Present a written assessment of the effectiveness of the
entity’s ICFR as of the end of the entity’s most recent
fiscal year.
7-3
LO# 2
Auditor Responsibilities under
Section 404
The entity’s independent auditor must audit and report
on the effectiveness of ICFR. The auditor is required to
conduct an integrated audit of the entity’s ICFR and
its financial statements.
7-4
LO# 3
ICFR Defined
ICFR is defined as a process designed to provide
reasonable assurance regarding the reliability of
financial reporting and the preparation of financial
statements in accordance with GAAP. Controls include
procedures that:
1. Pertain to the maintenance of records that fairly reflect the
transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are
recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use or
disposition of the company’s assets.
7-5
LO# 4
Internal Control Deficiencies
Defined
A control deficiency exists when the design or operation
of a control does not allow management or employees, in
the normal course of performing their assigned functions,
to prevent or detect misstatements on a timely basis.
A significant deficiency is a deficiency, or a combination
of deficiencies, in internal control over financial reporting
that is less severe than a material weakness, yet
important enough to merit attention by those responsible
for oversight of the company's financial reporting.
7-6
LO# 4
Internal Control Deficiencies
Defined
A control deficiency may be serious enough that it is to
be considered not only a significant deficiency but also a
material weakness in the system of internal control. A
material weakness is a deficiency, or a combination of
deficiencies, in ICFR, such that there is a reasonable
possibility that a material misstatement of the annual or
interim financial statements will not be prevented or
detected on a timely basis.
As illustrated on the next slide, the auditor must consider
two dimensions of the control deficiency: likelihood
(remote or reasonably possible) and magnitude (material,
consequential, or inconsequential).
7-7
Internal Control Deficiencies
Defined
LO# 4
Classification of a deficiency by magnitude (rows) and likelihood (columns):

MAGNITUDE                     LIKELIHOOD: Remote    LIKELIHOOD: Reasonably possible or probable
Material                      Control deficiency    Material weakness
Not material but significant  Control deficiency    Significant deficiency
Not material or significant   Control deficiency    Control deficiency
7-8
Management’s Assessment
Process
LO# 5
Management must follow a top-down, risk-based
approach:
1. Identify financial reporting risks and controls.
2. Evaluate evidence about the operating effectiveness of
ICFR.
3. Consider which locations to include in the evaluation.
7-9
LO# 6
Management’s Documentation
Management must develop sufficient
documentation to support its assessment of the
effectiveness of internal control. This
documentation may take many forms, such as
paper, electronic files, or other media. It also
includes policy manuals, job descriptions,
flowcharts, and process models.
7-10
LO# 7
Framework Used by Management
to Conduct Its Assessment
Most entities use the framework developed by COSO.
This framework identifies three primary objectives of
internal control: (1) reliable financial reporting;
(2) efficiency and effectiveness of operations;
and (3) compliance with laws and regulations.
7-11
LO# 8
Performing an Audit of ICFR
7-12
LO# 9
Integrating the Audits of Internal
Control and Financial Statements
An integrated audit is composed of the audits of internal
control and the financial statements. The control testing
impacts the planned substantive procedures. Also, the
results of the substantive procedures are considered in
the evaluation of internal control.
(Figure: tests of internal control and substantive audit procedures, each feeding into the other.)
7-13
LO# 9
Effect of the Audit of Internal Control
on the Financial Statement Audit
When the auditor performs an integrated audit, he or
she will have access to a large amount of information
about the client’s controls. This information can make
the financial statement audit more efficient and result
in reduced substantive procedures.
Regardless of the level of control risk
in connection with the audit of the
financial statements, auditing
standards require the auditor to
perform some substantive
procedures for all significant accounts
and disclosures.
7-14
LO# 9
Effect of the Financial Statement
Audit on the Audit of Internal Control
Findings from the financial statement audit should lead the
auditor to consider their implications for the audit of
internal control. The auditor’s evaluation should include:
1. Misstatements detected.
2. The auditor’s risk evaluations in connection with the
selection and application of substantive procedures,
especially those related to fraud.
3. Findings with respect to illegal acts and related party
transactions.
4. Indications of management bias in making accounting
estimates and in selecting accounting principles.
7-15
LO# 10
Plan the Engagement
The planning process is similar to the
process used for the audit of F/S.
Consider the following:
• Risk assessment and the risk of fraud.
• Scaling the audit.
• Using the work of others.
• Materiality.
7-16
LO# 10
Special Consideration:
Using the Work of Others
A major consideration for the external auditor is how much of the
work performed by others can be relied upon. In determining the extent
to which the auditor may use the work of others, the auditor should:
(1) evaluate the nature of the controls subjected to the work of
others,
(2) evaluate the competence and objectivity of the individuals
who performed the work, and
(3) test some of the work performed by others to evaluate the
quality and effectiveness of their work.
As the risk associated with the control being tested increases,
the external auditor should do more of the work.
7-17
LO# 11
Using a Top-Down Approach
See Table 7-3
See Table 7-4
7-18
LO# 12
Test Controls
• Evaluate design.
• Test and evaluate operating effectiveness:
  nature, timing, and extent.
7-19
LO# 13
Evaluate Identified Control Deficiencies
7-20
LO# 13
Evaluate Identified Control Deficiencies
7-21
LO# 15
Written Representations
In addition to the management representations obtained
as part of a financial statement audit, the auditor also
obtains written representations from management related
to the audit of ICFR.
Failure to obtain written
representations from
management, including
management’s refusal to
furnish them, constitutes a
limitation on the scope of the
audit sufficient to preclude an
unqualified opinion.
7-22
Auditor Documentation
Requirements
LO# 16
The auditor must properly document the processes,
procedures, judgments, and results relating to the audit
of internal control.
When an entity has effective
ICFR, the auditor should be
able to perform sufficient
testing of controls to assess
control risk for all relevant
assertions at a low level.
7-23
LO# 17
Reporting on ICFR
Sarbanes-Oxley requires management’s description of
internal control to include:
1. A statement of management’s responsibility for establishing
and maintaining adequate internal control.
2. A statement identifying the framework used by management to
conduct the required assessment of the effectiveness of the
company’s internal control.
3. An assessment of the effectiveness of the company’s internal
control as of the end of the most recent fiscal year, including
an explicit statement as to whether internal control is effective.
7-24
LO# 18
The Auditor’s Report on ICFR
Once the auditor has completed the audit of internal
control, he or she must issue an appropriate report to
accompany management’s assessment, published in the
company’s annual report.
7-25
LO# 13 & 14
Auditor’s Report Relating to the
Audit of Internal Control
The auditor’s report contains an opinion on the
effectiveness of ICFR based on the auditor’s
independent audit work.
7-26
LO# 18 & 19
Types of Reports Relating to the
Audit of ICFR
An unqualified opinion signifies that the client’s
internal control is designed and operating
effectively.
A serious scope limitation requires the auditor to
disclaim an opinion.
An adverse opinion is required if a material
weakness is identified.
7-27
LO# 19
Types of Reports Relating to the
Audit of ICFR
Report Modification Based on Control Deficiencies
Likelihood/Magnitude of Misstatement   Type of Audit Report
Control deficiency                     Unqualified opinion
Significant deficiency                 Unqualified opinion
Material weakness                      Adverse opinion
7-28
LO# 19
Types of Reports Relating to the
Audit of Internal Control
Report Modification Based on Scope Limitation
Reason for Scope Limitation   Type of Audit Report
Minor effect                  Unqualified opinion
Severe limitation             Disclaim opinion or withdraw
7-29
LO# 17
Additional Required Communications
in an Audit of ICFR
The auditor must communicate in writing to management
and the audit committee all significant deficiencies and
material weaknesses identified during the audit (AS5).
This communication should be made prior to the issuance
of the auditor’s report on ICFR. In addition, the auditor
should communicate to management, in writing, all
control deficiencies identified during the audit and inform
the audit committee when such a communication has
been made.
7-30
Advanced Module 1: Special
Considerations for an Audit of
Internal Control
• Service organizations.
• Safeguarding assets.
7-31
LO# 21
Use of Service Organizations
Many companies use service organizations to
process transactions. If the service organization’s
services make up part of a company’s information
system, then they are considered part of the
information and communication component of the
company’s internal control over financial reporting.
Thus, both management and the auditor must
consider the activities of the service organization.
7-32
LO# 21
Use of Service Organizations
Management and the auditor should perform the
following procedures with respect to the activities
performed by the service organization:
(1) obtain an understanding of the controls at
the service organization that are relevant to the
entity’s internal control and the controls at
the user organization over the activities of
the service organization and
(2) obtain evidence that the controls which
are relevant to management’s assessment
and the auditor’s opinion are operating effectively.
7-33
LO# 23
Safeguarding of Assets
Safeguarding of assets is defined as policies
and procedures that “provide reasonable
assurance regarding prevention or timely
detection of unauthorized acquisition, use or
disposition of the company’s assets that could
have a material effect on the financial
statements.”
7-34
Advanced Module 2:
Computer-Assisted Audit Techniques
Computer-assisted audit techniques include:
• Generalized audit software packages.
• Custom audit software.
• Test data.
7-35
LO# 23
Generalized Audit Software
Function              Description
File or data access   Reads and extracts data from a client's computer files or
                      databases for further audit testing.
Selection operators   Selects from files or databases transactions that meet
                      certain criteria.
Arithmetic functions  Performs a variety of arithmetic calculations (addition,
                      subtraction, and so on) on transactions, files, and
                      databases.
Statistical analyses  Provides functions supporting various types of audit
                      sampling.
Report generation     Prepares various types of documents and reports.
7-36
LO# 23
Custom Audit Software
Custom audit software is generally written by auditors
for specific audit tasks. It may be required when the
client’s computer system is not compatible with the
auditor’s generalized audit software.
Custom software:
(1) Is expensive to develop.
(2) Requires extended development time.
(3) Is limited in scope of functions.
7-37
LO# 23
Test Data
This is data developed by the auditor to test the
application controls in the client’s computer programs.
The technique can be used to check (1) data validation
controls and error detection routines, (2) processing
logic controls, (3) arithmetic calculations, and (4) the
inclusion of transactions in records, files, and reports.
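An added example (not from the textbook) showing, in Python, the five generalized audit software functions from the earlier table applied to a constructed cash disbursements extract, followed by the test data technique: validate_disbursement is an assumed stand-in for the client's input validation control, and the records and test cases are constructed sample data.

```python
import csv, io, random

# Constructed extract of a client's cash disbursements file (sample data, not a real client).
DISBURSEMENTS_CSV = """txn_id,date,vendor,qty,unit_price,amount,approved_by
1001,2007-12-03,Acme Supply,10,25.00,250.00,jdoe
1002,2007-12-15,Acme Supply,4,100.00,400.00,jdoe
1003,2007-12-28,Beta Corp,1,9500.00,9500.00,
1004,2008-01-02,Beta Corp,3,40.00,125.00,msmith
1005,2007-12-30,Gamma LLC,2,3000.00,6000.00,msmith
"""
def read_file(text):
    """File access: read the extract into records with typed numeric fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["qty"], r["unit_price"], r["amount"] = int(r["qty"]), float(r["unit_price"]), float(r["amount"])
    return rows
def select(rows, where):
    """Selection operator: keep transactions meeting an audit criterion."""
    return [r for r in rows if where(r)]
def foot(rows, field="amount"):
    """Arithmetic function: foot (total) a column, to the cent."""
    return round(sum(r[field] for r in rows), 2)
def sample(rows, n, seed=7):
    """Statistical analysis: reproducible random sample of items for substantive testing."""
    return random.Random(seed).sample(rows, n)
def exception_report(rows, period_end="2007-12-31", approval_limit=5000.0):
    """Report generation: transaction ids to follow up, grouped by the test that flagged them."""
    tests = {
        "posted_after_period_end": lambda r: r["date"] > period_end,  # ISO dates compare as strings
        "extension_error": lambda r: round(r["qty"] * r["unit_price"], 2) != r["amount"],
        "over_limit_unapproved": lambda r: r["amount"] > approval_limit and not r["approved_by"],
    }
    return {name: [r["txn_id"] for r in select(rows, test)] for name, test in tests.items()}

# Test data technique: auditor-built records with known expected outcomes are pushed through
# the client's input validation control; validate_disbursement is an assumed stand-in for it.
def validate_disbursement(r, approval_limit=5000.0):
    """Returns (accepted, reason) for one disbursement record."""
    checks = [(r["qty"] > 0 and r["unit_price"] >= 0, "invalid quantity or price"),
              (round(r["qty"] * r["unit_price"], 2) == r["amount"], "extension mismatch"),
              (r["amount"] <= approval_limit or bool(r["approved_by"]), "approval required")]
    return next(((False, why) for ok, why in checks if not ok), (True, "ok"))
TEST_DATA = [  # (constructed record, should the control accept it?)
    ({"qty": 2, "unit_price": 50.0, "amount": 100.0, "approved_by": "jdoe"}, True),
    ({"qty": 0, "unit_price": 50.0, "amount": 0.0, "approved_by": "jdoe"}, False),
    ({"qty": 3, "unit_price": 40.0, "amount": 125.0, "approved_by": "jdoe"}, False),
    ({"qty": 1, "unit_price": 9500.0, "amount": 9500.0, "approved_by": ""}, False),
]
def run_test_data(control=validate_disbursement, cases=TEST_DATA):
    """Indexes of test cases where the control's decision differed from the expected one."""
    return [i for i, (rec, expected) in enumerate(cases) if control(rec)[0] != expected]
```

A non-empty result from run_test_data means the application control let through (or wrongly rejected) a record the auditor expected it to handle, which is the deficiency the technique is designed to surface.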
7-38
End of Chapter 7
7-39