Internal Control and Control Risk

Section 404 Audits of Internal Control and Control Risk
Chapter 10
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
Learning Objective 1
Describe the three primary objectives of effective internal control.
Client’s Concerns
Reliability of financial reporting: SOX certification of F/S
Efficiency and effectiveness of operations: master price list, credit approval, double counts of inventory
Compliance with applicable laws and regulations – SOX: management assessment of I/C effectiveness (material weakness) and auditor independently opines (AS5); NYSE – internal audit
Learning Objective 2
Contrast management’s responsibilities for maintaining internal control with the auditor’s responsibilities for evaluating and reporting on internal control.
Key Concepts
Management’s responsibility – 404: statement and assessment
Reasonable assurance – cost / benefit
Inherent limitations – collusion / override
Auditor Concerns
Controls related to reliability of financial reporting (AS2 → AS5): "Never price above competitors" vs. segregation of duties for cash
Controls over classes of transactions: transaction focus, not balances
Sales Transaction-related Audit Objectives
Transaction-related audit objective (general form) -> Sales transaction-related audit objective
Recorded transactions exist (occurrence) -> Sales are to existing customers (CONTROL?)
Existing transactions are recorded (completeness) -> Existing sales transactions are recorded
Transactions are stated correctly (accuracy) -> Sales for goods shipped are correctly billed
Transactions are correctly filed (posting and summarization) -> Sales transactions are correctly included in the master files (CONTROL?)
Transactions are correctly classified (classification) -> Sales transactions are correctly classified
Transactions are recorded on correct dates (timing) -> Sales are recorded on the correct dates
Auditor Concerns
Public (mandatory) vs. private (discretion) company
Opinion on I/Cs: gain an understanding and perform tests of controls (discretion) related to all significant account balances, classes of transactions, disclosures, and related assertions in the F/S.
AS5: risk-based; no opinion on management’s assessment
Learning Objective 3
Explain the five components of the COSO internal control framework.
Five Components of Internal Control
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit committee participation
Management’s philosophy and operating style
The Control Environment
Organizational structure: wide or skinny?
Assignment of authority and responsibility: resources for I/Cs
Human resources policies and practices: whistleblowers, exit interviews, competence
Mgt Risk Assessment
Identify factors affecting control risk.
Assess significance of risks
and likelihood of occurrence.
Determine actions necessary
to manage risk.
Contingency plans
Control Activities (cycle related)
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
Adequate Separation of Duties
Custody of assets vs. accounting
Authorization of transactions vs. the custody of related assets
Operational responsibility vs. record-keeping responsibility
IT duties vs. user departments
Proper Authorization of Transactions and Activities
General authorization (automated): credit check
Specific authorization (manual): to write off a customer A/R account
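Added example (not from the Arens/Elder/Beasley slides): a small Python model of the two control activities above, separation of duties and proper authorization. The duty names, the conflict pairs, the customer master file, the credit limits and the user names are all hypothetical. It flags any one person holding an incompatible pair of duties (the design deficiency a control matrix would show), applies a credit check as an automated general authorization on every order, and requires a manual specific authorization for an A/R write-off from someone holding the authorization duty who is not the person who recorded it.

```python
from dataclasses import dataclass

# Hypothetical conflict matrix following the slide's custody / recording /
# authorization / operational / IT split: one person must never hold both
# duties of a pair.
CONFLICTS = {
    frozenset({"custody", "recording"}),
    frozenset({"custody", "authorization"}),
    frozenset({"recording", "authorization"}),
    frozenset({"operations", "recording"}),
    frozenset({"it_duties", "user_department"}),
}

def sod_violations(assignments):
    """assignments: {user: set of duty names}.
    Returns a sorted list of (user, duty_a, duty_b) for every incompatible
    pair held by one person."""
    found = []
    for user, duties in sorted(assignments.items()):
        d = sorted(duties)
        for i, a in enumerate(d):
            for b in d[i + 1:]:
                if frozenset({a, b}) in CONFLICTS:
                    found.append((user, a, b))
    return found

# Constructed customer master file: credit limit and current open receivable.
CUSTOMER_MASTER = {
    "C100": {"limit": 5000.0, "open_ar": 4200.0},
    "C200": {"limit": 1000.0, "open_ar": 0.0},
}

def credit_check(customer, order_amount):
    """General authorization: a policy set once by management and applied by
    the system to every sales order. Returns (approved, reason)."""
    rec = CUSTOMER_MASTER.get(customer)
    if rec is None:                      # sale to a customer that does not exist
        return False, "customer not in master file"
    if rec["open_ar"] + order_amount > rec["limit"]:
        return False, "exceeds credit limit"
    return True, "within credit limit"

@dataclass(frozen=True)
class WriteOff:
    customer: str
    amount: float
    recorded_by: str   # user who entered the write-off
    approved_by: str   # user who signed it; empty string if nobody did

def writeoff_allowed(w, assignments):
    """Specific authorization: each write-off needs a case-by-case manual
    approval from a user holding the 'authorization' duty who is not the
    recorder. Returns (allowed, reason)."""
    if not w.approved_by:
        return False, "no specific approval"
    if w.approved_by == w.recorded_by:
        return False, "recorder approved own write-off"
    if "authorization" not in assignments.get(w.approved_by, set()):
        return False, "approver lacks authorization duty"
    if w.customer not in CUSTOMER_MASTER:
        return False, "customer not in master file"
    if w.amount <= 0:
        return False, "amount must be positive"
    return True, "approved"

if __name__ == "__main__":
    roles = {
        "alice": {"custody"},               # handles cash receipts
        "bob": {"recording"},               # posts the A/R subledger
        "carol": {"authorization"},         # approves write-offs
        "dave": {"custody", "recording"},   # could take a receipt and alter the record
    }
    print(sod_violations(roles))
    print(credit_check("C100", 1000.0))
    print(writeoff_allowed(WriteOff("C200", 300.0, "bob", "bob"), roles))
```

The point of splitting the two authorization types: the credit check can be fully automated because the policy is fixed in advance, while a write-off removes an asset from the books and so needs a named approver each time; enforcing that the approver is neither the recorder nor a custodian is what keeps the write-off from becoming a way to hide a diverted receipt.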
Adequate Documents and Records
Prenumbered consecutively – existence and completeness
Prepared at the time of transaction – timing
Simple enough to ensure understanding – accuracy
Designed for multiple uses – accuracy
Constructed to encourage correct preparation – accuracy
Physical Control over Assets and Records
Physical precautions: daily deposit of cash
Controls related to IT equipment, programs, and data files:
Physical controls
Access controls
Backup and recovery procedures: business continuity
Independent Checks on Performance
The need for independent checks arises because internal control tends to change over time, become inapplicable, or be ignored unless there is a mechanism for frequent review.
Internal auditors / SOX 404 / external auditors
Information and
Communication
The purpose of an accounting information and communication system is to initiate, record, process, and report the transactions and to maintain accountability for the related F/S accounts.
Does the AIS have controls to cover all 6 transaction objectives for each cycle and meet the COSO criteria? SOX documentation: flowcharts, narratives, and questionnaires.
Monitoring
Management’s ongoing and periodic assessment of the quality of internal control performance, to determine whether controls are operating as intended and are modified when needed.
Priority now with SOX: material I/C weaknesses are disclosed to F/S users; SOX consultants
SEC and COSO Focus on Smaller Public Companies
The SEC has extended the deadline for small public companies’ compliance with Section 404 requirements:
Management: 12/15/09
Auditor: 12/15/09
COSO issued guidance in Internal Control Over Financial Reporting for Smaller Public Companies.
Learning Objective 4
Obtain and document an understanding of internal control.
Understanding Internal Control
and Assessing Control Risk
Obtain Understanding of Internal Control:
Design and Operation
Assess Prelim. CR
Test Controls
Final CR -> Decide Planned Detection Risk
and Substantive Tests
Reasons for Sufficiently Understanding Internal Control
SAS 109 and AS2/AS5 both require the auditor to obtain an understanding of internal control for every audit.
Minimum audit planning matters (CR at max):
• Auditability / AR
• Potential material misstatements (IR)
• Detection risk (DR) – can it be met?
• Design of tests
Procedures to Determine Design and Placement
Update and evaluate the auditor’s previous experience with the entity.
Make inquiries of client personnel.
Read the client’s policy and systems manuals – SOX 404.
Examine documents and records.
Observe entity activities and operations.
Documentation of the Understanding
Narrative
Flowchart
Internal control questionnaire
(p. 306)
Learning Objective 5
Assess control risk by linking key controls, significant deficiencies, and material weaknesses to transaction-related audit objectives.
Assess Control Risk
Obtain sufficient understanding for planning.
Assess whether the entity is auditable. IT: timing of evidence availability. Is an IT audit specialist needed?
SAS 94: if you rely on IT for evidence, you need to test the IT controls – no more auditing around the computer!
Preliminarily assess control risk. Why? If CR is assessed below maximum, the I/Cs must be tested.
Assess Control Risk
Identify transaction-related audit objectives.
Identify specific controls – from
narrative, flowchart, and/or checklist
Identify and evaluate weaknesses –
Control Matrix/SOX (design deficiency)
The Control Risk Matrix
Auditors use the control risk matrix to
identify both controls and weaknesses
and to assess control risk. See
p. 308
Communication of Weaknesses
Before: report to the audit committee or BOD
SOX / AS5: the auditor opines on I/C; reports significant deficiencies to the audit committee and material weaknesses to the public
Management letters
Deficiencies due to design vs. operation
What is a Material Weakness?
Classified by SIGNIFICANCE (rows) against LIKELIHOOD (columns):
Significance \ Likelihood            | Remote    | Probable
Material                             | (neither) | Material weakness
Immaterial but > inconsequential     | (neither) | Significant deficiency
Learning Objective 6
Describe the process of designing and performing tests of controls.
Tests of Controls
The procedures to test effectiveness
of controls in support of a reduced
assessed control risk are called
tests of controls.
When do we perform all this CR
work?
Procedures for
Tests of Controls
Make inquiries of client personnel.
Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.
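Added example (not from the slides): tests of controls over the sales cycle in Python, tying the prenumbered-document point under Adequate Documents and Records to the examine-documents and reperformance steps listed above. The invoice register, shipping documents, customer master file and master price list are constructed sample data. It runs a sequence test on the invoice numbers (gaps point at completeness, duplicates at occurrence or posting), checks that every recorded sale is to a customer on the master file (occurrence), traces shipping documents to the invoice register (completeness), and reperforms the billing as quantity shipped times master price (accuracy).

```python
from collections import Counter

# Constructed sample data (hypothetical, not from the slides).
INVOICES = [
    # (invoice_no, customer, shipping_doc, billed_amount)
    (1001, "C100", "S1", 500.00),
    (1002, "C100", "S2", 240.00),
    (1002, "C200", "S3", 120.00),   # duplicate invoice number
    (1004, "C300", "S4", 300.00),   # customer not on the master file
    (1005, "C200", "S5", 275.00),   # billed below the master price
]                                   # 1003 never appears: a gap in the sequence
SHIPMENTS = {                       # shipping_doc -> (product, quantity shipped)
    "S1": ("P1", 10), "S2": ("P2", 8), "S3": ("P2", 4),
    "S4": ("P1", 6), "S5": ("P2", 10), "S6": ("P1", 2),   # S6 was never billed
}
CUSTOMER_MASTER = {"C100", "C200"}
PRICE_LIST = {"P1": 50.00, "P2": 30.00}

def sequence_test(numbers):
    """Prenumbered documents: return (gaps, duplicates). A gap points at a
    document that may never have been recorded (completeness); a duplicate at
    a recorded transaction that may not have occurred or was posted twice."""
    counts = Counter(numbers)
    lo, hi = min(counts), max(counts)
    gaps = [n for n in range(lo, hi + 1) if n not in counts]
    dups = sorted(n for n, c in counts.items() if c > 1)
    return gaps, dups

def unknown_customers(invoices, master):
    """Occurrence: every recorded sale must be to a customer on the master file."""
    return [inv for inv, cust, _, _ in invoices if cust not in master]

def unbilled_shipments(invoices, shipments):
    """Completeness: trace from the shipping documents to the invoice register."""
    billed = {ship for _, _, ship, _ in invoices}
    return sorted(s for s in shipments if s not in billed)

def reperform_pricing(invoices, shipments, prices):
    """Accuracy: recompute quantity shipped x master price and compare to the
    amount billed. Returns [(invoice_no, billed, expected)] for mismatches."""
    exceptions = []
    for inv, _, ship, billed in invoices:
        product, qty = shipments[ship]
        expected = round(qty * prices[product], 2)
        if abs(expected - billed) > 0.005:
            exceptions.append((inv, billed, expected))
    return exceptions

def test_sales_controls(invoices=INVOICES, shipments=SHIPMENTS,
                        master=CUSTOMER_MASTER, prices=PRICE_LIST):
    """Run all four tests; report the exceptions and a deviation count over
    the items examined (invoices plus shipping documents)."""
    gaps, dups = sequence_test([inv for inv, *_ in invoices])
    results = {
        "gaps": gaps,
        "duplicates": dups,
        "unknown_customers": unknown_customers(invoices, master),
        "unbilled_shipments": unbilled_shipments(invoices, shipments),
        "pricing_exceptions": reperform_pricing(invoices, shipments, prices),
    }
    results["items_examined"] = len(invoices) + len(shipments)
    results["deviations"] = sum(len(v) for k, v in results.items()
                                if isinstance(v, list))
    return results

if __name__ == "__main__":
    for name, value in test_sales_controls().items():
        print(f"{name}: {value}")
```

Each test is directed at one transaction-related objective, which is why the tracing runs in both directions: invoice to shipping document catches a sale that was billed without goods going out, shipping document to invoice catches goods that went out without a bill. The deviation count is what an auditor compares against the tolerable deviation rate chosen when the sample was planned; on a sample this small every exception matters.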
Relationship of Assessed Control Risk and Extent of Procedures
Type of procedure | Assessed CR at MAX level: obtaining an understanding only | Assessed CR at lower level: tests of controls
Inquiry | Yes – extensive | Yes – some
Documentation | Yes – with transaction walk-through | Yes – using sample
Observation | Yes – with transaction walk-through | Yes – multiple times
Reperformance | No | Yes – sampling
Decide Planned Detection Risk
and Design Substantive Tests
The auditor uses the results of the control risk
assessment process and tests of controls to
assess final control risk and
determine the planned detection risk and
related substantive tests.
Learning Objectives 7 and 8
Understand Section 404 requirements for reports on internal control.
Describe the differences in evaluating, reporting, and testing internal control for nonpublic companies.
Reporting on Internal Control
Section 404(b) of the Sarbanes-Oxley Act restricts the scope of the engagement to internal controls over financial reporting.
The Act provides that the auditor’s attestation of management’s assessment of internal control for a public company be integrated with the audit of the financial statements.
Material weakness = adverse opinion on I/C
Differences in Scope of Controls Tested: Public vs. Non-public Company
Internal controls over financial reporting (COSO framework): controls that must be tested in an audit of internal control (public)
Internal controls used to assess control risk below maximum (DISCRETIONARY): controls that must be tested in an audit of financial statements (private)
Public Company Accounting Oversight Board
The PCAOB has issued guidance (Auditing Standard No. 2, since replaced by AS5) for audits of internal control over financial reporting performed in conjunction with an audit of the financial statements of public companies.
Why test I/Cs for nonpublic companies?
EXTRA!!!
Describe how information technology affects internal control.
Effect of Information Technology on Internal Control
IT can improve the effectiveness and efficiency of internal controls.
IT also enhances (a) the timeliness and accuracy of information and (b) access to information.
Risks Associated With the Use of Information Technology
Programmed errors: transaction goes to the wrong account
Processing incorrect data: wrong selling price
Unauthorized access: passwords
Research: ERP implementation = higher CR; internal control applications improperly installed; implementation team; minimal supervisory review / segregation of duties; lack of training
Role of the IT audit specialist / auditor AIS expertise increases
End of Chapter 10