Chapter 5 - PowerPoint PPT Presentation


PowerPoint Slideshow about ' Chapter 5' - linda-cochran



Chapter 5

Internal Control Evaluation:

Assessing Control Risk


1. Overview

2. Introduction
  • Management’s Responsibility for internal control
    • Responsibility under SOX
      • certify the financial statements (Section 302)
      • report on IC over fin. reporting (Section 404)
        • must include a statement:
        • that management is responsible
        • identifying the framework
        • providing management's assessment
    • For nonissuer
      • design, implement, and maintain control system
    • Foreign Corrupt Practices Act

2. Introduction (continued)
  • Auditor’s responsibility
    • Under SOX
      • auditor must conduct an integrated audit under PCAOB stds
      • not a separate engagement
      • issue opinion on f/s and IC
    • For nonissuer
      • auditor must conduct audit under AICPA stds
      • use evaluation of the client’s business and its IC to identify and assess risks of material misstatement

2. Introduction (continued)
  • Performance Principle
    • The auditor must identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including its internal control.
  • Standards
    • SAS 122
    • SAS 109
    • SAS 78 - COSO
    • SAS 55
    • SAS 1

Questions

2. Introduction (continued)
  • SAS 122 and 109 – Definition of IC
    • IC is a process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of objectives with regard to
      • reliability of financial reporting
      • effectiveness and efficiency of operations
      • compliance with applicable laws and regulations

2. Introduction (continued)
  • SAS 78 (COSO)
    • IC is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) compliance with laws and regulations, and (c) effectiveness and efficiency of operations.

2. Introduction (continued)
  • SAS 55
    • An internal control structure consists of the policies and procedures established by an entity to provide reasonable assurance that specific entity objectives will be achieved.

2. Introduction (continued)
  • SAS 1
    • Internal control includes the organization’s plan and other measures designed to accomplish the following objectives:
      • safeguard assets
      • check the accuracy and reliability of accounting data
      • promote operational efficiency
      • encourage adherence to managerial policies

3. Control Structure
  • Relevance to an audit
  • Elements of IC – COSO
    • control environment
    • risk assessment
    • information and communication
    • control activities
    • monitoring

3. Control Structure (con’t)
  • Control environment – most important
    • integrity and ethical values
    • board of directors (includes audit committee)
    • management’s philosophy and operating style
    • organizational structure
    • financial reporting competencies
    • authority and responsibility
    • human resources

3. Control Structure (con’t)
  • Risk assessment
  • Examples of where risks may arise:
    • change in regulatory or operating environment
    • new personnel
    • new or revised AIS
    • rapid expansion
    • new technology
    • new business models or products
    • expansion or acquisition of foreign operations

3. Control Structure (con’t)
  • Information and communication
    • AIS
    • IT general controls
    • IT application controls
    • spreadsheet controls

3. Control Structure (con’t)
  • Control activities
    • prenumbered documents
    • segregation of duties
      • authorization
      • record keeping
      • custody
      • reconciliation
    • physical security
    • IT controls
    • preventive controls vs. detective controls

3. Control Structure (con’t)
  • Monitoring
    • internal auditing
    • follow-up of reporting errors
    • follow-up of customer complaints

Questions

3. Control Structure (con’t)
  • Elements – Enterprise Risk Mgt Framework
    • internal environment
    • objective setting
    • event identification
    • risk assessment
    • risk response
    • control procedures
    • information and communication
    • monitoring

4. General Considerations
  • Entity’s specific context
  • Management’s responsibility
  • Extent of IT
  • Reasonable assurance
  • Limitations

4. General Considerations (continued)
  • Limitations
    • cost benefit issues
    • misunderstandings
    • mistakes of judgment
    • carelessness
    • collusion
    • management override
    • unusual transactions

4. General Considerations (continued)
  • Small business considerations
  • Design vs. implementation vs. operating effectiveness
  • Auditability of entity

4. General Considerations (continued)
  • Why assess risk of material misstatement?
    • determine nature, timing, and extent of audit procedures
      • tests of controls
      • substantive tests

4. General Considerations (continued)
  • Trade-off Between Testing of Controls and Substantive Testing

[Figure: Substantive Testing vs. Tests of Controls. Axes: Detection Risk (High to Low); RMM (Low to High).]

4. General Considerations (continued)
  • Control risk never zero
  • Some substantive procedures always required
  • Tests of controls
    • required for issuers (AS 5)
    • optional for nonissuers
  • Use of TOC evidence from previous audits
    • inquire of management – if no changes, can use
    • but must test every three years

5. Obtaining an Understanding
  • Extent of understanding necessary?
    • depends on
      • circumstances of the engagement
      • size and complexity of the entity
      • auditor’s experience with entity
      • identifying significant changes from prior years
      • sufficient to identify and assess RMM
  • Must include understanding of (follows top down approach)
    • design, implementation, effectiveness
    • significant accounts and disclosures, and their relevant assertions
    • entity-level controls and transaction-level controls
  • Must include knowledge of each IC element
  • Does not have to include all controls in the entity

5. Obtaining an Understanding (continued)
  • Procedures to obtain an understanding (Risk Assessment Procedures)
    • inquiries
    • inspection
    • observation
    • analytical procedures
    • walk through
    • previous experience

5. Obtaining an Understanding (continued)
  • Documentation
    • Extent
      • Discussion among audit team
      • Key components and each element
      • Assessment of RMM at both f/s and assertion levels
      • Controls tested
      • Risks identified
    • Methods
      • Narrative
      • Questionnaire
      • Flowchart
      • Decision tree
      • Check list

6. Assessing RMM
  • Use top-down approach
    • identify risks at entity level and then relate to assertion level for significant accounts and assertions
    • relate risks to what can go wrong at the relevant assertion level
    • consider if misstatements could rise to a material amount
    • consider the likelihood they would result in a material misstatement
  • Consider nature of transactions
    • routine transactions
    • nonroutine transactions
    • estimation transactions

6. Assessing RMM (con’t)
  • Examples of Risk Assessment Procedures used to obtain understanding and assess risks
    • Inquiries – use different levels
    • Analytical procedures – high level of aggregation
    • Observation and inspection – prior year info – consider changes
    • Discussion with audit team

6. Assessing RMM (con’t)
  • After assessment
    • Determine:
      • nature
      • timing
      • extent of testing (substantive and tests of controls)

6. Assessing RMM (con’t)
  • Assessment levels
    • at the maximum
    • below the maximum
  • Initial assessment
  • Additional concepts for assessment
    • pervasive vs. specific effect
    • direct vs. indirect effect
    • compensating strengths
    • qualitative or quantitative assessment

7. Tests of Controls
  • Types of tests
    • inquiries
    • inspection
    • observation
    • reperformance
  • Requirements to perform tests of controls

7. Tests of Controls (con’t)
  • Approach to tests of controls
    • directed toward the operation of a control (design or implementation)
      • procedures used: inquiring, inspecting, observing
      • e.g., budget, IT general controls
    • directed toward the effectiveness of a control
      • procedures used: inquiring, inspecting, observing, reperforming
  • Dual purpose tests

7. Tests of Controls (con’t)
  • Internal control deficiency
    • the design or operation of a control does not allow management or employees to detect or prevent misstatements in a timely fashion
  • Design deficiency
    • control missing or so poorly designed it fails to detect or prevent misstatements even if operating as designed
  • Operating deficiency
    • properly designed control is either ignored or inappropriately applied

8. Reassess RMM
  • Based on results from tests of controls
  • Could support
    • lower assessment
    • same assessment
    • higher assessment
  • Cumulative process

9. Design Substantive Tests
  • Audit program
  • Relationship between final assessment of CR and substantive testing
  • Effect on substantive testing
    • nature
    • timing
    • extent

Questions

10. Types of Audit Procedures
  • Tests Related to 2nd Field Work Standard
    • risk assessment procedures
      • inquiry, inspection, observation, analytical procedures, walk through, and prior experience
    • tests of controls
      • inquiry, inspection, observation, prior experience, and reperforming

10. Types of Audit Procedures (continued)
  • Tests Related to 3rd Field Work Standard
    • substantive tests
      • substantive analytical procedures
      • tests of details
        • of transactions
          • vouching, tracing, reperforming, etc.
        • of balances
          • confirming, reconciling, observing, etc.

11. Communication of Internal Control Matters
  • Responsibility of auditor (nonissuer)
    • AU-C 265.02
      • The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This section specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.

11. Communication of Internal Control Matters
  • Levels of deficiencies
    • control deficiencies
    • significant deficiencies
    • material weaknesses
  • Must communicate both significant deficiencies and material weaknesses to management and BOD
    • for issuers, must be in writing
  • Do not give statement of no deficiencies found

11. Communication of Internal Control Matters
  • Control deficiencies could result from
    • deficiency in
      • design – no control, or existing control not properly designed
      • operation – properly designed control not operating as designed, or person performing control does not possess necessary authority or competence

11. Communication of Internal Control Matters
  • Material weaknesses
    • a deficiency, or combination of deficiencies, such that there is a reasonable possibility* that a material misstatement of the f/s will not be prevented or detected

* based on FASB Stmt. No. 5 – includes reasonably possible and probable

11. Communication of Internal Control Matters
  • Significant deficiencies
    • less severe than material weakness yet important enough to merit attention

12. AS Requirements
  • Phases of AS 5 integrated audit
    • Plan the engagement
    • Use a top-down approach to gain an understanding
        • Identify entity-level controls
        • Walkthroughs
    • Testing internal control effectiveness
        • Design effectiveness
        • Operating effectiveness
    • Evaluating control deficiencies
        • Deficiencies
        • Significant deficiencies
        • Material weaknesses
    • Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
    • Reporting on internal control

12. AS Requirements (con’t)
  • Must use top down approach
  • Must issue opinion on the effectiveness of internal control
  • Not separate engagement
    • integrated audit of internal control and financial statements
  • Report
    • Unqualified – no material weaknesses found
    • Disclaimer of opinion – cannot perform all procedures considered necessary
    • Adverse opinion – one or more material weaknesses found
  • Evaluate management’s report

13. Review Questions for Discussion
  • Chapter 5
    • 5.3
    • 5.4
    • 5.5
    • 5.7
    • 5.8
    • 5.10
    • 5.13
    • 5.14
    • 5.15
    • 5.17
    • 5.18
    • 5.21
    • 5.26
    • 5.29
    • 5.30
    • 5.31
