Chapter 10 – Section 404 Audits of Internal Control and Control Risk

Section 404 Audits of Internal
Control and Control Risk
Chapter 10
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley
Learning Objective 1
Describe the three primary
objectives of effective
internal control.
Internal Control Objectives
1. Reliability of financial reporting
2. Efficiency and effectiveness of operations
3. Compliance with laws and regulations
Learning Objective 2
Contrast management’s
responsibilities for maintaining
and reporting on internal controls
with the auditor’s responsibilities
for understanding, testing, and
reporting on internal controls.
Management and Auditor
Responsibilities Related
to Internal Control
• Management’s responsibility for establishing internal control
• Reasonable assurance
• Inherent limitations
Management and Auditor
Responsibilities Related
to Internal Control
• Management’s Section 404 reporting responsibilities
• Design of internal control
• Operating effectiveness of controls
Management and Auditor
Responsibilities Related
to Internal Control
• Auditor responsibilities for understanding internal control
• Controls over the reliability of financial reporting
• Control over classes of transactions
• Auditor responsibilities for testing internal control
Sales Transaction-related Audit Objectives
Transaction-related Audit Objective – General form | Sales Transaction-related Audit Objectives
Recorded transactions exist (occurrence) | Sales are for shipments to existing customers
Existing transactions are recorded (completeness) | Existing sales transactions are recorded
Transactions are stated correctly (accuracy) | Sales for goods shipped are correctly billed
Sales Transaction-related Audit Objectives
Transaction-related Audit Objective – General form | Sales Transaction-related Audit Objectives
Transactions are correctly filed (posting and summarization) | Sales transactions are correctly included in the master files
Transactions are correctly classified (classification) | Sales transactions are correctly classified
Transactions are recorded on correct dates (timing) | Sales are recorded on the correct dates
Learning Objective 3
Explain the five components
of the COSO internal
control framework.
Five Components of Internal
Control
Risk assessment
Control activities
Information and communication
Monitoring
The Control Environment
• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee participation
The Control Environment
• Management’s philosophy and operating style
• Organizational structure
• Human resource policies and practices
Risk Assessment
• Identify factors that may increase risk
• Estimate the significance of the risk
• Assess the likelihood of the risk occurring
• Determine actions necessary to manage the risk
Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
Adequate Separation of Duties
Custody of assets from Accounting
Authorization of transactions from the custody of related assets
Operational responsibility from Record-keeping responsibility
IT duties from User departments
Proper Authorization of
Transactions and Activities
• General authorization
• Specific authorization
Adequate Documents and
Records
• Prenumbered consecutively
• Prepared at the time of transaction
• Designed for multiple use
• Constructed to encourage correct preparation
Physical Control Over Assets
and Records
The most important type of protective
measure for safeguarding assets and
records is the use of physical precautions.
Independent Checks on
Performance
The need for independent checks arises
because internal control tends to change
over time unless there is a mechanism
for frequent review.
Information and Communication
The purpose of an accounting information
and communication system is to…
initiate, record, process, and report
the entity’s transactions and to maintain
accountability for the related assets.
Monitoring
Monitoring activities deal with management’s
ongoing and periodic assessment of the
quality of internal control performance…
to determine whether controls are operating
as intended and modified when needed.
SEC and COSO Focus on
Smaller Public Companies
The SEC has extended the deadline for
small public companies’ compliance
with Section 404 requirements.
COSO issued guidance in Internal Control
Over Financial Reporting for Smaller
Public Companies.
Learning Objective 4
Obtain and document an
understanding of internal control.
Process for Understanding Internal
Control and Assessing Control Risk
Phase 1: Obtain an understanding of internal control: design and operation
Phase 2: Assess control risk
Phase 3: Design, perform, and evaluate tests of controls
Phase 4: Decide planned detection risk and substantive tests
Obtain and Document Understanding
of Internal Control
Auditing standards require auditors to obtain
an understanding of internal control for every
audit.
Procedures to obtain an understanding:
• Design of internal controls
• Whether placed in operation
• Uses this information as a basis for the integrated audit
Methods Used
Narrative
Flowchart
Internal control questionnaire
Narrative
1. The origin of every document
and record in the system
2. All processing that takes place
3. The disposition of every document
and record in the system
4. An indication of the controls relevant
to the assessment of control risk
Evaluating Internal Control
Operation
• Update and evaluate auditor’s previous experience with the entity
• Make inquiries of client personnel
• Examine documents and records
• Observe entity activities and operations
• Perform walk-throughs of the accounting system
Learning Objective 5
Assess control risk by linking key
controls, significant deficiencies,
and material weaknesses to
transaction-related audit
objectives.
Assess Control Risk
Assess whether the financial statements
are auditable.
Determine assessed control risk supported
by the understanding obtained assuming
the controls are being followed.
Use of a control risk matrix to assess
control risk.
Control Risk Matrix
Many auditors use the control risk matrix
to assist in the control risk assessment
process.
Control Risk Matrix
• Identify audit objectives
• Identify existing controls
• Associate controls with related audit objectives
• Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses
Evaluating Significant Control
Deficiencies
[Figure: SIGNIFICANCE axis (Immaterial to Material) against LIKELIHOOD axis (Remote to Probable), with a region labelled Material Weakness]
Identify Deficiencies and
Weakness
• Identify existing controls
• Identify the absence of key controls
• Consider the possibility of compensating controls
• Decide whether there is a significant deficiency or material weakness
• Determine potential misstatements that could result
Communications
• Communications to those charged with governance
• Management letters
Learning Objective 6
Describe the process of designing
and performing tests of controls.
Tests of Controls
The procedures to test effectiveness of controls
in support of a reduced assessed control
risk are called tests of controls.
Procedures for Tests of Controls
1. Make inquiries of client personnel
2. Examine documents, records, and reports
3. Observe control-related activities
4. Reperform client procedures
Extent of Procedures
• Reliance on evidence from prior year’s audit
• Testing of controls related to significant risks
• Testing less than the entire audit period
Relationship of Assessed Control Risk and Extent of Procedures
Assessed Control Risk
Type of procedure | High level: Procedures to obtain an understanding | Lower level: Tests of controls
Inquiry | Yes–extensive | Yes–some
Documentation | Yes–with transaction walk-through | Yes–using sampling
Observation | Yes–with transaction walk-through | Yes–at multiple times
Reperformance | No | Yes–using sampling

Decide Planned Detection Risk and
Design Substantive Tests
The auditor uses the results of the control risk
assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.
The auditor links the control risk assessments
to the balance-related audit objectives.
Learning Objective 7
Understand Section 404
requirements for auditor
reporting on internal control.
Section 404 Reporting on
Internal Control
1. The auditor’s opinion on whether the company
maintained, in all material respects, effective
internal control over financial reporting as of
the specified date.
Types of Opinions
• Unqualified
• Adverse
• Qualified or disclaimer of opinion
Learning Objective 8
Describe the differences in
evaluating, reporting, and
testing internal control for
nonpublic companies.
Evaluating, Reporting, and Testing
Internal Control for Nonpublic
Companies
1. Reporting requirements
2. Extent of required internal controls
3. Extent of understanding needed
4. Assessing control risk
5. Extent of tests of controls needed
Differences in Scope of Controls
Tested
Internal controls over financial reporting
Internal controls used to assess
control risk below maximum
Controls that must be tested in
an audit of internal controls
Controls that must be tested in
an audit of financial statements
End of Chapter 10