AUDITING
CHAPTER 8
Internal Control
By David N. Ricchiute
GBW 8th ed., Ch. 8

TOPICS
- COSO framework of internal control
- Auditor’s consideration of internal control
- Audit of internal control mandated by Sarbanes-Oxley

INTRODUCTION
- Auditor responsible for considering internal control in audit program design
- Audit planning
  - What is assessed level of control risk?
  - Based on control risk assessment, can auditor relax nature, extent, timing of substantive tests?
- Sarbanes-Oxley Act requires auditor to audit internal control
  - To comply with Act & SEC’s rules

COSO FRAMEWORK
- COSO provides guidance for auditor’s consideration of internal control
  - A framework to assess internal controls
  - Common definition for internal controls
- Applies to financial reporting & other management objectives
  - Sarbanes-Oxley Act applies only to financial reporting

INTERNAL CONTROL: COSO Definition
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness & efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws & regulations
COSO, 1992, p. 9

CONCEPTS OF COSO DEFINITION
- Internal control is a process
- Internal control accomplished by people at all levels
- Internal control is means to achieve entity’s objectives
- Internal controls provide reasonable, not absolute, assurance

INTERNAL CONTROL OBJECTIVES
- Operations objectives
  - Market share, ROI, product/service diversification
- Financial reporting objectives
  - Producing reliable financial statements
- Compliance objectives
  - Compliance with laws, regulations

SEC & PCAOB Control Over Financial Reporting
- Sarbanes-Oxley Act Section 404
  - Management to certify internal control over financial reporting is effective
  - Auditor to issue opinion on management’s certification
INTERNAL CONTROL OVER FINANCIAL REPORTING
SEC, PCAOB definition, Section 404
- A process designed by, or under supervision of principal executive & principal financial officers . . .
- To provide reasonable assurance regarding reliability of financial reporting, preparation of financial statements in accordance with GAAP
SEC, Final Rule. Washington, D.C.: SEC, 2003.

INTERNAL CONTROL Policies & Procedures
- Maintain records in reasonable detail
  - To accurately, fairly reflect transactions, dispositions of assets
- Provide reasonable assurance that
  - Transactions recorded as necessary to prepare financial statements in accord with GAAP
  - Receipts, expenditures in accord with management’s, directors’ authorization
  - Unauthorized acquisition, use of assets having material effect on financial statements will be prevented, detected in timely manner

COSO COMPONENTS OF INTERNAL CONTROL
- Control environment
- Risk assessment
- Control activities
- Information & communications support
- Monitoring
COSO & adopted by SAS 94

CONTROL ENVIRONMENT
- Management’s & board of directors’ attitude, awareness, & actions regarding internal control
- Captures importance of control in management’s operating style
- “Tone at the top”

ELEMENTS OF CONTROL ENVIRONMENT
Attitude & awareness
- Integrity: Codes of conduct
- Commitment: Committed to quality
- Directors, audit committee: Board independent of management
- Management philosophy: Attitude about false records
- Organization structure: Proper flow information
- Authority: Responsibilities defined
- HR policies, procedures: Policies training, promotion, etc.

RISK ASSESSMENT
- Management’s responsibility to identify risks for
  - Financial reporting
  - Operations
  - Compliance
- Management’s responsibility to take action to manage risks
MANAGING RISKS IN CHANGE
Change agents
- Operating environment: Divestiture
- New personnel: Organization culture
- New information system: Time constraints for redesign
- Rapid growth: Back orders
- New technology: Production delays
- New products, services: Unfamiliar risks
- Corporate restructuring: Staff reductions, inadequate supervision
- Foreign operations: Local customs, culture

CONTROL ACTIVITIES
- Policies & procedures to provide reasonable assurance that objectives are met
  - Authorization, execution of transactions
  - Segregation of duties
  - Design & use of documents & records
  - Access to assets & records

CONTROL ACTIVITIES Categories
- Preventive controls
  - Intended to prevent misstatement
- Detective controls
  - Detect misstatements that have occurred

CONTROL ACTIVITIES Authorization
- All transactions should be authorized by responsible personnel acting within scope of prescribed authority, responsibility
- Specific authorization
  - Required for each transaction
  - Typically unusual transactions
- General authorization
  - Policies, procedures for typical transactions

SEGREGATION OF DUTIES
- Optimum segregation of duties exists when collusion is necessary to circumvent controls
- Separate functions for
  - Management (authorization)
  - Custody (transaction execution)
  - Accounting (recording transactions)
  - Monitoring (independent checks on performance)

DESIGN, USE DOCUMENTS & RECORDS
- Evidence of executed transactions
- Represent an audit trail
- Impact efficiency
  - Designed for multiple use
  - Prenumbered consecutively
  - Easy to complete

ACCESS TO ASSETS & RECORDS
- Access limited to authorized personnel by
  - Locks for physical protection
  - Limits on employee access online
  - Codes to authorize access
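The segregation-of-duties rule in the slides above can be checked mechanically against a record of who performs which function. The following is an added example, not part of the original slides; the user names and assignments are constructed, and `conflicts` and `min_collusion` are hypothetical helper names.

```python
from itertools import combinations

# The four functions the slide says should be kept separate.
FUNCTIONS = {"authorization", "custody", "recording", "monitoring"}

# Constructed sample: functions each person can perform in one transaction cycle.
ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"custody", "recording"},  # executes and records the same transactions
    "carol": {"recording"},
    "dave": {"monitoring"},
}


def conflicts(assignments):
    """Return {user: functions} for every user holding more than one function."""
    return {
        user: sorted(funcs & FUNCTIONS)
        for user, funcs in assignments.items()
        if len(funcs & FUNCTIONS) > 1
    }


def min_collusion(assignments, needed=FUNCTIONS):
    """Smallest group of users whose combined functions cover `needed`.

    A group of size 1 means one person can carry a transaction end to end;
    the larger the group, the more collusion is needed to circumvent controls.
    Returns None when no group covers every function.
    """
    users = sorted(assignments)
    for size in range(1, len(users) + 1):
        for group in combinations(users, size):
            covered = set().union(*(assignments[u] for u in group))
            if needed <= covered:
                return group
    return None


if __name__ == "__main__":
    print("Conflicting assignments:", conflicts(ASSIGNMENTS))
    print("Smallest colluding group:", min_collusion(ASSIGNMENTS))
```

Removing `recording` from bob raises the smallest colluding group from three people to four, which is the optimum the slide describes for four separated functions.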
INFORMATION, COMMUNICATION: Defined
- System identifies, captures, communicates external & internal information in form & timeframe to discharge responsibilities
- Includes accounting system

INFORMATION, COMMUNICATION: Sources
- External
  - Market share, regulatory requirements, complaints
- Internal
  - Identify valid transactions
  - Record proper time period
  - Sufficient detail to classify, measure, present in financial statements

INFORMATION, COMMUNICATION: Accounting
- Methods, records, to identify valid transactions
- Transactions recorded in proper period
- Describe transactions on timely basis, sufficient detail to properly
  - Classify
  - Measure
  - Summarize
  - Disclose

TRANSACTION CYCLES Defined
- Accounting system organized & processes information in cycles
  - Financing
  - Expenditure & disbursement
  - Conversion
  - Revenue & receipt

TRANSACTION CYCLES Examples
Cycles
- Financing: Capital funds received, used, invested
- Expenditure/disbursement: Goods, services acquired from vendors, employees & paid
- Conversion: Resources used, held, transformed
- Revenue/receipt: Resources distributed to outsiders; payment received

MONITORING
- Continuous or periodic evaluation
- Resolution of discrepancies
- To ensure reliability

RESTATEMENT, FRAUD, & INTERNAL CONTROL
- Section 13(b)(2)(B) of 1934 Securities Exchange Act requires issuers to devise, maintain system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accord with GAAP.
- Internal control is a matter of law

ASSESSING CONTROL RISK
A sufficient understanding of internal control is to be obtained to plan the audit & determine the nature, timing, and extent of tests to be performed.
(2nd GAAS fieldwork)
- Obtain understanding
- Assess control risk
- Determine nature, timing, extent of substantive tests

ASSESSING V. AUDITING COSO INTERNAL CONTROLS
Assessing controls
- Obtain understanding
- Assess control risk for assertions about balances & transactions
- Determine nature, extent, timing of substantive tests
Auditing Section 404
- Evaluate effectiveness
- Form opinion on internal control over financial reporting
- Obtain understanding

OBTAIN UNDERSTANDING Audit Committee Effectiveness
- Final authority over financial reporting
- Challenge CEO, CFO over financial reporting
- Seek advice of independent auditor
- Engages independent counsel when necessary

OBTAIN UNDERSTANDING Auditor’s Evaluation
- Auditor evaluates audit committee effectiveness by considering
  - Nominating process & independence
  - Clarity of responsibilities
  - Level management cooperation
  - Committee involvement with auditor & internal auditing
  - Time devoted to audit, internal controls

OBTAIN UNDERSTANDING Information Technology
- Personal computers & local area networks
- Database management systems
- End-user computing
- Telecommunications
- Service bureaus
- Internet technology
- Software for information systems
  - Operating & applications software

OBTAIN UNDERSTANDING IT & “Section 404 Documentation”
- For information technology, did management
  - Document & test controls related to financial reporting?
  - Evaluate effectiveness, likelihood of failure?
  - Communicate findings to auditor?
  - Reach assessment that documentation supports?

OBTAIN UNDERSTANDING Document System
- To demonstrate compliance with requirement to understand & evaluate client’s system
  - Internal control questionnaire
  - Flowchart
  - Narrative memorandum
OBTAIN UNDERSTANDING Identify Transactions Cycles
- To identify cycles
  - Review account components for homogeneity
  - Identify representative cycles
  - Flowchart each cycle
  - Trace representative transactions through each cycle
  - Revise flowcharts if necessary

OBTAIN UNDERSTANDING Perform Transaction Walkthroughs
- Required by Section 404 of Sarbanes-Oxley Act
- Trace wide range of transactions, common, uncommon, from each cycle through system from
  - Authorization to
  - Execution to
  - Recording to
  - Summarization

OBTAIN UNDERSTANDING Auditor Responsibilities
- In transactions walkthroughs, auditor must
  - Understand controls over end-of-period financial reporting
  - Especially for effects on earnings

EVALUATE CONTROL EFFECTIVENESS: Reliability
When documenting controls
- Identify controls to be relied upon
  - Test controls
  - If acceptable, assess control risk below maximum
- Identify controls not suitable to justify reliance
  - Do not test these controls
  - Assess control risk at maximum
  - Plan audit to rely heavily on substantive tests

EVALUATE CONTROL EFFECTIVENESS: Risk
Assess Control Risk
- Consider errors, frauds that could occur
- Identify relevant control activities to prevent, detect errors, frauds
- Perform tests of controls on control activities that may prevent, detect errors, frauds

EVALUATE CONTROL EFFECTIVENESS: Tests of Controls
- Testing design of controls
  - Whether policy, procedure suitably designed to prevent, detect material misstatements
- Testing operations of controls
  - Were control activities performed?
  - How were they performed?
  - By whom were they performed?

EVALUATE CONTROL EFFECTIVENESS: General Controls
- Computer assisted tests
  - Organization, operation controls
  - Systems development & documentation controls
  - Hardware controls
  - Access controls
  - Data & procedural controls
GENERAL CONTROL EFFECTIVENESS: Operation
- Organization & operation
  - Segregate computer department & users
  - Provide general authorization over execution of transactions
  - Segregate functions within the computer department

GENERAL CONTROL EFFECTIVENESS: Documentation
- Development & documentation
  - Participation by users, accounting personnel, internal auditors in system design
  - Review, approval of system specifications
  - Joint system testing by user, computer personnel
  - Approval new applications, changes
  - Control over master, transaction files
  - Procedures to create, maintain documentation

GENERAL CONTROL EFFECTIVENESS: Hardware
- Hardware controls
  - Controls built into computers by manufacturers

GENERAL CONTROL EFFECTIVENESS: Access Controls
- Limit access to authorized personnel for
  - Hardware
  - Software
  - Data files
  - Software support documentation

GENERAL CONTROL EFFECTIVENESS: Data
- Data & procedural controls
  - Written procedures, authorization manuals
  - Control groups

EVALUATE CONTROL EFFECTIVENESS Computer-Assisted Tests of Application Controls
- Input controls
- Processing controls
- Output controls

APPLICATION CONTROL EFFECTIVENESS: Input
- Input controls
  - Input authorization, approval
  - Code verification
  - Data conversion
  - Data movement
  - Occurrence correction

APPLICATION CONTROL EFFECTIVENESS: Processing
- Processing controls
  - Control totals
  - File labels
  - Limit (reasonableness) tests

APPLICATION CONTROL EFFECTIVENESS: Output
- Output controls
  - Control totals comparisons
  - Output distribution
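The processing and output controls listed above (control totals, limit tests) and the consecutively prenumbered documents from the earlier slide translate directly into checks on a transaction batch. The following is an added example, not part of the original slides; the batch, its field names and the 5000.00 limit are constructed for illustration.

```python
from decimal import Decimal

# Constructed batch header: control totals prepared before data entry.
BATCH_HEADER = {"record_count": 5, "amount_total": Decimal("1930.00")}

# Constructed transactions as processed: document 1003 is missing and
# document 1004 was keyed as 9100.00 instead of 910.00.
BATCH = [
    {"doc_no": 1001, "amount": Decimal("250.00")},
    {"doc_no": 1002, "amount": Decimal("480.00")},
    {"doc_no": 1004, "amount": Decimal("9100.00")},
    {"doc_no": 1005, "amount": Decimal("100.00")},
]


def check_control_totals(header, txns):
    """Compare header totals with totals recomputed from the transactions.

    Returns {total_name: (expected, actual)} for each total that differs.
    """
    actual = {
        "record_count": len(txns),
        "amount_total": sum((t["amount"] for t in txns), Decimal("0")),
    }
    return {k: (header[k], actual[k]) for k in header if header[k] != actual[k]}


def limit_test(txns, limit):
    """Limit (reasonableness) test: document numbers whose amount exceeds limit."""
    return [t["doc_no"] for t in txns if t["amount"] > limit]


def sequence_gaps(txns):
    """Missing numbers in a run of consecutively prenumbered documents."""
    seen = {t["doc_no"] for t in txns}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


if __name__ == "__main__":
    print("Control total differences:", check_control_totals(BATCH_HEADER, BATCH))
    print("Over limit:", limit_test(BATCH, Decimal("5000.00")))
    print("Missing documents:", sequence_gaps(BATCH))
```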
COMPUTER-ASSISTED TESTS OF CONTROLS: Types
- Test data: uses client software to process data with valid & invalid transactions
- Base Case System Evaluation (BCSE): develops test data to test expected conditions
- Integrated test facility: tests whether client actually uses software by running live and fictitious data simultaneously
- Parallel simulation: processing client data with auditor’s software

COMPUTER-ASSISTED TESTS OF CONTROLS: Types (cont.)
- Embedded audit modules: selects client data for subsequent testing & analysis
- SCARFs: logs created from embedded audit modules that collect transaction information
- Audit hooks & tagging: transaction records tagged & traced through critical control points

CONTROL DEFICIENCIES, MATERIAL WEAKNESSES
- Deficiencies do not allow management, employees to prevent, detect misstatements in normal course of business
- Material weakness is a significant deficiency more than remotely likely to cause a material misstatement that will not be prevented, detected

NATURE, TIMING, EXTENT
- Audit risk strategy
  - Determine acceptable detection risk
  - Design nature, timing, extent of substantive tests

NATURE, TIMING, EXTENT & SUBSTANTIVE TESTS
Effect by level of detection risk
- Lower detection risk
  - Nature: Use more persuasive tests (confirmation)
  - Timing: Test at balance sheet date
  - Extent: Test more (increase sample size)
- Higher detection risk
  - Nature: Use less persuasive tests (documentation)
  - Timing: Test at interim dates
  - Extent: Test less (decrease sample size)

AUDITOR’S OPINION ON INTERNAL CONTROLS
- Auditor evaluates
  - Reports by internal auditors
  - Significant deficiencies
  - Results of test of controls
  - Results of substantive test of details
- To issue an opinion on controls