Section 404 Audits of Internal Control and Control Risk
Chapter 10
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley

Learning Objective 1
Describe the three primary objectives of effective internal control.

Client's Concerns
• Reliability of financial reporting: SOX certification of the F/S
• Efficiency and effectiveness of operations: master price list, credit approval, double counts of inventory
• Compliance with applicable laws and regulations: SOX – management's assessment of I/C effectiveness (material weaknesses) and the auditor's independent opinion (AS5); NYSE – internal audit

Learning Objective 2
Contrast management's responsibilities for maintaining internal control with the auditor's responsibilities for evaluating and reporting on internal control.

Key Concepts
• Management's responsibility – Section 404: statement and assessment
• Reasonable assurance: cost / benefit
• Inherent limitations: collusion / management override

Auditor Concerns
• Controls related to the reliability of financial reporting (AS2 → AS5): "never price above competitors" vs. segregation of duties over cash
• Controls over classes of transactions: transaction focus, not balances

Sales Transaction-related Audit Objectives (general form → sales form)
• Occurrence: recorded transactions exist → sales are to existing customers. CONTROL?
• Completeness: existing transactions are recorded → existing sales transactions are recorded
• Accuracy: transactions are stated correctly → sales for goods shipped are correctly billed
• Posting and summarization: transactions are correctly filed → sales transactions are correctly included in the master files. CONTROL?
• Classification: transactions are correctly classified → sales transactions are correctly classified
• Timing: transactions are recorded on the correct dates → sales are recorded on the correct dates

Auditor Concerns
• Public company (mandatory) vs. private company (discretionary)
• Opinion on I/Cs: gain an understanding and perform tests of controls (discretionary for private companies) related to all significant account balances, classes of transactions, disclosures, and related assertions in the F/S
• AS5: risk-based; no separate opinion on management's assessment

Learning Objective 3
Explain the five components of the COSO internal control framework.

Five Components of Internal Control
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring

The Control Environment
• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee participation
• Management's philosophy and operating style
• Organizational structure: wide or skinny?
• Assignment of authority and responsibility: resources for I/Cs
• Human resources policies and practices: whistleblowers, exit interviews, competence

Management's Risk Assessment
• Identify factors affecting control risk
• Assess the significance of risks and the likelihood of occurrence
• Determine the actions necessary to manage risk: contingency plans

Control Activities (cycle related)
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

Adequate Separation of Duties (duties that should be held by different people)
• Custody of assets vs. accounting
• Authorization of transactions vs. custody of the related assets
• Operational responsibility vs. record-keeping responsibility
• IT duties vs. user departments

Proper Authorization of Transactions and Activities
• General authorization (automated): e.g., a credit check
• Specific authorization (manual): e.g., writing off a customer's A/R account

Adequate Documents and Records
• Prenumbered consecutively – existence and completeness
• Prepared at the time of the transaction – timing
• Simple enough to ensure understanding – accuracy
• Designed for multiple uses – accuracy
• Constructed to encourage correct preparation – accuracy

Physical Control over Assets and Records
• Physical precautions: daily deposit of cash
• Controls related to IT equipment, programs, and data files: physical controls, access controls, backup and recovery procedures (business continuity)

Independent Checks on Performance
The need for independent checks arises because internal control tends to change over time, become inapplicable, or be ignored unless there is a mechanism for frequent review.
• Internal auditors / SOX 404 / external auditors

Information and Communication
The purpose of an accounting information and communication system is to initiate, record, process, and report the transactions and to maintain accountability for the related F/S accounts.
• Does the AIS have controls to cover all six transaction-related objectives for each cycle and meet the COSO criteria?
• SOX documentation: flowcharts, narratives, and questionnaires

Monitoring
Management's ongoing and periodic assessment of the quality of internal control performance, to determine whether controls are operating as intended and are modified when needed.
• A priority now with SOX: material I/C weaknesses are disclosed to F/S users; SOX consultants

SEC and COSO Focus on Smaller Public Companies
• The SEC has extended the deadline for small public companies' compliance with Section 404 requirements: management 12/15/09; auditor 12/15/09
• COSO issued guidance in Internal Control Over Financial Reporting for Smaller Public Companies

Learning Objective 4
Obtain and document an understanding of internal control.

Understanding Internal Control and Assessing Control Risk
Obtain an understanding of internal control (design and operation) → assess preliminary CR → test controls → final CR → decide planned detection risk and substantive tests

Reasons for Sufficiently Understanding Internal Control
SAS 109 and AS2/AS5 both require the auditor to obtain an understanding of internal control for every audit. Minimum audit planning matters (CR at maximum):
• Auditability / AR
• Potential material misstatements (IR)
• Detection risk (DR) – can it be met?
• Design of tests

Procedures to Determine Design and Placement in Operation
• Update and evaluate the auditor's previous experience with the entity
• Make inquiries of client personnel
• Read the client's policy and systems manuals – SOX 404
• Examine documents and records
• Observe entity activities and operations

Documentation of the Understanding
• Narrative
• Flowchart
• Internal control questionnaire (p. 306)

Learning Objective 5
Assess control risk by linking key controls, significant deficiencies, and material weaknesses to transaction-related audit objectives.

Assess Control Risk
• Obtain sufficient understanding for planning
• Assess whether the entity is auditable. IT – timing of evidence availability. Need an IT audit specialist?
• SAS 94 – if you rely on IT for evidence, you need to test the IT controls: no more auditing around the computer!
• Preliminarily assess control risk. Why? If CR is assessed below maximum, the I/Cs must be tested.
• Identify transaction-related audit objectives
• Identify specific controls – from the narrative, flowchart, and/or checklist
• Identify and evaluate weaknesses – control risk matrix / SOX (design deficiency)

The Control Risk Matrix
Auditors use the control risk matrix to identify both controls and weaknesses and to assess control risk. See p. 308.

Communication of Weaknesses
• Before SOX: report to the audit committee or BOD
• SOX / AS5: the auditor opines on I/C; significant deficiencies are reported to the audit committee (management letters) and material weaknesses to the public
• Deficiencies due to design vs. operation

What is a Material Weakness? (likelihood × significance)
                                              Likelihood: Remote   Likelihood: Probable
Significance: Material                        –                    Material weakness
Significance: Immaterial (> inconsequential)  –                    Significant deficiency

Learning Objective 6
Describe the process of designing and performing tests of controls.

Tests of Controls
The procedures used to test the effectiveness of controls in support of a reduced assessed control risk are called tests of controls. When do we perform all this CR work?

Procedures for Tests of Controls
• Make inquiries of client personnel
• Examine documents, records, and reports
• Observe control-related activities
• Reperform client procedures
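Reperformance in practice, as an added example that is not part of these slides or of the Arens/Elder/Beasley text: the Python script below reperforms three control activities from the earlier slides over constructed sample data. It checks the prenumbered-document control (gaps in the sequence point to unrecorded sales, a completeness exception; reused numbers point to recorded sales that did not occur, an existence exception), the existing-customer check behind the occurrence objective ("sales are to existing customers"), and separation of duties (custody, record-keeping and authorization held by the same person). The sales journal, customer master file, employee names, duty names and conflict pairs are all assumptions made up for the example.

```python
from collections import Counter

# Constructed sample data (not from the slides): a sales journal of prenumbered
# invoices, the approved customer master file, and each employee's duties.
SALES_JOURNAL = [
    {"invoice": 1001, "customer": "C-17", "amount": 250.00},
    {"invoice": 1002, "customer": "C-04", "amount": 80.00},
    {"invoice": 1004, "customer": "C-17", "amount": 120.00},  # 1003 never recorded
    {"invoice": 1005, "customer": "C-99", "amount": 999.00},  # C-99 is not an approved customer
    {"invoice": 1005, "customer": "C-04", "amount": 45.00},   # invoice number used twice
]
CUSTOMER_MASTER = {"C-04", "C-17", "C-21"}

# Hypothetical duty names. Each pair is a combination one person must not hold:
# custody vs. record-keeping, authorization vs. record-keeping, and so on.
DUTY_ASSIGNMENTS = {
    "alice": {"authorize_credit", "record_sales"},
    "bob": {"custody_cash", "record_cash_receipts"},
    "carol": {"record_sales"},
    "dave": {"custody_inventory", "ship_goods"},
}
CONFLICTING_DUTIES = [
    ("custody_cash", "record_cash_receipts"),
    ("authorize_credit", "record_sales"),
    ("custody_inventory", "record_inventory"),
]


def check_sequence(journal, first, last):
    """Prenumbered documents: every number in [first, last] should appear exactly
    once. A gap is a completeness exception (an existing sale not recorded); a
    repeat is an existence exception (a number reused for a sale that did not occur)."""
    counts = Counter(row["invoice"] for row in journal)
    missing = [n for n in range(first, last + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return {"missing": missing, "duplicates": duplicates}


def check_occurrence(journal, master):
    """Occurrence: sales are to existing customers, i.e. the customer on each
    invoice is in the approved customer master file. Returns offending invoices."""
    return [row["invoice"] for row in journal if row["customer"] not in master]


def check_separation_of_duties(assignments, conflicts):
    """Separation of duties: flag each person who holds both halves of a
    conflicting pair. Iteration is sorted so the report is deterministic."""
    findings = []
    for user in sorted(assignments):
        duties = assignments[user]
        for a, b in conflicts:
            if a in duties and b in duties:
                findings.append((user, a, b))
    return findings


def reperform_controls(journal, first, last, master, assignments, conflicts):
    """Reperform the three controls and report exceptions per audit objective.
    An empty list means no exceptions were found for that objective."""
    seq = check_sequence(journal, first, last)
    return {
        "completeness": seq["missing"],
        "existence": seq["duplicates"],
        "occurrence": check_occurrence(journal, master),
        "separation_of_duties": check_separation_of_duties(assignments, conflicts),
    }


if __name__ == "__main__":
    results = reperform_controls(
        SALES_JOURNAL, 1001, 1005, CUSTOMER_MASTER, DUTY_ASSIGNMENTS, CONFLICTING_DUTIES
    )
    for objective, exceptions in results.items():
        print(f"{objective}: {exceptions if exceptions else 'no exceptions'}")
```

Each exception maps back to a transaction-related audit objective, which is how a finding would be placed in the control risk matrix: a gap in the sequence is evidence that the completeness control is not operating, a customer outside the master file is an occurrence exception, and a person holding both custody and record-keeping is a design deficiency in separation of duties rather than an operating failure.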
Relationship of Assessed Control Risk and Extent of Procedures
Type of procedure   CR at maximum (obtaining an understanding only)   CR at a lower level (tests of controls)
Inquiry             Yes – extensive                                    Yes – some
Documentation       Yes – with transaction walk-through                Yes – using a sample
Observation         Yes – with transaction walk-through                Yes – multiple times
Reperformance       No                                                 Yes – sampling

Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control risk assessment process and tests of controls to assess final control risk and determine the planned detection risk and related substantive tests.

Learning Objectives 7 and 8
Understand Section 404 requirements for reports on internal control. Describe the differences in evaluating, reporting, and testing internal control for nonpublic companies.

Reporting on Internal Control
• Section 404(b) of the Sarbanes-Oxley Act restricts the scope of the engagement to internal controls over financial reporting.
• The Act provides that the auditor's attestation of management's assessment of internal control for a public company be integrated with the audit of the financial statements.
• Material weakness = adverse opinion on I/C

Differences in Scope of Controls Tested: Public vs. Non-public Company
• Public company (audit of internal control): all internal controls over financial reporting (COSO framework) must be tested.
• Private company (audit of financial statements): only the internal controls the auditor relies on to assess control risk below maximum must be tested, and that reliance is DISCRETIONARY.

Public Company Accounting Oversight Board
The PCAOB has issued guidance (Standard No. 2, AS2 → AS5) for audits of internal control over financial reporting performed in conjunction with an audit of the financial statements of public companies. Why test I/Cs for nonpublic companies?

EXTRA!!!
Describe how information technology affects internal control.

Effect of Information Technology on Internal Control
• IT can improve the effectiveness and efficiency of internal controls.
• IT also enhances (a) the timeliness and accuracy of information and (b) access to information.

Risks Associated With the Use of Information Technology
• Programmed errors: a transaction goes to the wrong account
• Processing incorrect data: wrong selling price
• Unauthorized access: passwords
• Research: ERP implementation = higher CR; internal control applications improperly installed; implementation team; minimal supervisory review / segregation of duties; lack of training
• Role of the IT audit specialist; auditors' AIS expertise is increasing

End of Chapter 10