
Chapter 5






Presentation Transcript


  1. Chapter 5 Internal Control Evaluation: Assessing Control Risk Chapter 5

  2. 1. Overview

  3. 2. Introduction
     • Management’s Responsibility for internal control
       • Responsibility under SOX
         • certify the financial statements (Section 302)
         • report on IC over fin. reporting (Section 404)
           • must include a statement:
             • that management is responsible
             • identifying the framework
             • providing management's assessment
       • For nonissuer
         • design, implement, and maintain control system
       • Foreign Corrupt Practices Act

  4. 2. Introduction (continued)
     • Auditor’s responsibility
       • Under SOX
         • auditor must conduct an integrated audit under PCAOB stds
           • not a separate engagement
           • issue opinion on f/s and IC
       • For nonissuer
         • auditor must conduct audit under AICPA stds
         • use evaluation of the client’s business and its IC to identify and assess risks of material misstatement

  5. 2. Introduction (continued)
     • Performance Principle
       • The auditor must identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including its internal control.
     • Standards
       • SAS 122
       • SAS 109
       • SAS 78 - COSO
       • SAS 55
       • SAS 1

  6. 2. Introduction (continued)
     • SAS 122 and 109 – Definition of IC
       • IC is a process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of objectives with regard to
         • reliability of financial reporting
         • effectiveness and efficiency of operations
         • compliance with applicable laws and regulations

  7. 2. Introduction (continued)
     • SAS 78 (COSO)
       • IC is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) compliance with laws and regulations, and (c) effectiveness and efficiency of operations.

  8. 2. Introduction (continued)
     • SAS 55
       • An internal control structure consists of the policies and procedures established by an entity to provide reasonable assurance that specific entity objectives will be achieved.

  9. 2. Introduction (continued)
     • SAS 1
       • Internal control includes the organization’s plan and other measures designed to accomplish the following objectives:
         • safeguard assets
         • check the accuracy and reliability of accounting data
         • promote operational efficiency
         • encourage adherence to managerial policies

  10. 3. Control Structure
     • Relevance to an audit
     • Elements of IC – COSO
       • control environment
       • risk assessment
       • information and communication
       • control activities
       • monitoring

  11. 3. Control Structure (con’t)
     • Control environment – most important
       • integrity and ethical values
       • board of directors (includes audit committee)
       • management’s philosophy and operating style
       • organizational structure
       • financial reporting competencies
       • authority and responsibility
       • human resources

  12. 3. Control Structure (con’t)
     • Risk assessment
       • Examples of where risks may arise:
         • change in regulatory or operating environment
         • new personnel
         • new or revised AIS
         • rapid expansion
         • new technology
         • new business models or products
         • expansion or acquisition of foreign operations

  13. 3. Control Structure (con’t)
     • Information and communication
       • AIS
       • IT general controls
       • IT application controls
       • spreadsheet controls

  14. 3. Control Structure (con’t)
     • Control activities
       • prenumbered documents
       • segregation of duties
         • authorization
         • record keeping
         • custody
         • reconciliation
       • physical security
       • IT controls
       • preventive controls vs. detective controls

  15. 3. Control Structure (con’t)
     • Monitoring
       • internal auditing
       • follow-up of reporting errors
       • follow-up of customer complaints

  16. 3. Control Structure (con’t)

  17. 3. Control Structure (con’t)
     • Elements – Enterprise Risk Mgt Framework
       • internal environment
       • objective setting
       • event identification
       • risk assessment
       • risk response
       • control procedures
       • information and communication
       • monitoring

  18. 3. Control Structure (con’t)

  19. 4. General Considerations
     • Entity’s specific context
     • Management’s responsibility
     • Extent of IT
     • Reasonable assurance
     • Limitations

  20. 4. General Considerations (continued)
     • Limitations
       • cost benefit issues
       • misunderstandings
       • mistakes of judgment
       • carelessness
       • collusion
       • management override
       • unusual transactions

  21. 4. General Considerations (continued)
     • Small business considerations
     • Design vs. implementation vs. operating effectiveness
     • Auditability of entity

  22. 4. General Considerations (continued)
     • Why assess risk of material misstatement?
       • determine nature, timing, and extent of audit procedures
         • tests of controls
         • substantive tests

  23. 4. General Considerations (continued)
     • Trade-off Between Testing of Controls and Substantive Testing
       [diagram: Detection Risk axis (High to Low) and RMM axis (Low to High), contrasting Substantive Testing with Tests of Controls]

  24. 4. General Considerations (continued)
     • Control risk never zero
       • Some substantive procedures always required
     • Tests of controls
       • required for issuers (AS 5)
       • optional for nonissuers
     • Use of TOC evidence from previous audits
       • inquire of management – if no changes, can use
       • but must test every three years

  25. 5. Obtaining an Understanding
     • Extent of understanding necessary?
       • depends on
         • circumstances of the engagement
         • size and complexity of the entity
         • auditor’s experience with entity
         • identifying significant changes from prior years
       • sufficient to identify and assess RMM
     • Must include understanding of (follows top down approach)
       • design, implementation, effectiveness
       • significant accounts and disclosures, and their relevant assertions
       • entity-level controls and transaction-level controls
     • Must include knowledge of each IC element
     • Does not have to include all controls in the entity

  26. 5. Obtaining an Understanding (continued)
     • Procedures to obtain an understanding (Risk Assessment Procedures)
       • inquiries
       • inspection
       • observation
       • analytical procedures
       • walk through
       • previous experience

  27. 5. Obtaining an Understanding (continued)
     • Documentation
       • Extent
         • Discussion among audit team
         • Key components and each element
         • Assessment of RMM at both f/s and assertion levels
         • Controls tested
         • Risks identified
       • Methods
         • Narrative
         • Questionnaire
         • Flowchart
         • Decision tree
         • Check list

  28. 6. Assessing RMM
     • Use top-down approach
       • identify risks at entity level and then relate to assertion level for significant accounts and assertions
       • relate risks to what can go wrong at the relevant assertion level
       • consider if misstatements could rise to a material amount
       • consider the likelihood they would result in a material misstatement
     • Consider nature of transactions
       • routine transactions
       • nonroutine transactions
       • estimation transactions

  29. 6. Assessing RMM (con’t)
     • Examples of Risk Assessment Procedures used to obtain understanding and assess risks
       • Inquiries – use different levels
       • Analytical procedures – high level of aggregation
       • Observation and inspection – prior year info – consider changes
       • Discussion with audit team

  30. 6. Assessing RMM (con’t)
     • After assessment
       • Determine:
         • nature
         • timing
         • extent of testing (substantive and tests of controls)

  31. 6. Assessing RMM (con’t)
     • Assessment levels
       • at the maximum
       • below the maximum
     • Initial assessment
     • Additional concepts for assessment
       • pervasive vs. specific effect
       • direct vs. indirect effect
       • compensating strengths
       • qualitative or quantitative assessment

  32. 7. Tests of Controls
     • Types of tests
       • inquiries
       • inspection
       • observation
       • reperformance
     • Requirements to perform tests of controls

  33. 7. Tests of Controls (con’t)
     • Approach to tests of controls
       • directed toward the operation of a control (design or implementation)
         • procedures used: inquiring, inspecting, observing
         • e.g., budget, IT general controls
       • directed toward the effectiveness of a control
         • procedures used: inquiring, inspecting, observing, reperforming
     • Dual purpose tests

  34. 7. Tests of Controls (con’t)
     • Internal control deficiency
       • the design or operation of a control does not allow management or employees to detect or prevent misstatements in a timely fashion
     • Design deficiency
       • control missing or so poorly designed it fails to detect or prevent misstatements even if operating as designed
     • Operating deficiency
       • properly designed control is either ignored or inappropriately applied

  35. 8. Reassess RMM
     • Based on results from tests of controls
       • Could support
         • lower assessment
         • same assessment
         • higher assessment
     • Cumulative process

  36. 9. Design Substantive Tests
     • Audit program
     • Relationship between final assessment of CR and substantive testing
     • Effect on substantive testing
       • nature
       • timing
       • extent

  37. 10. Types of Audit Procedures
     • Tests Related to 2nd Field Work Standard
       • risk assessment procedures
         • inquiry, inspection, observation, analytical procedures, walk through, and prior experience
       • tests of controls
         • inquiry, inspection, observation, prior experience, and reperforming

  38. 10. Types of Audit Procedures (continued)
     • Tests Related to 3rd Field Work Standard
       • substantive tests
         • substantive analytical procedures
         • tests of details
           • of transactions
             • vouching, tracing, reperforming, etc.
           • of balances
             • confirming, reconciling, observing, etc.

  39. 11. Communication of Internal Control Matters
     • Responsibility of auditor (nonissuer)
       • AU-C 265.02
         • The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This section specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.

  40. 11. Communication of Internal Control Matters
     • Levels of deficiencies
       • control deficiencies
       • significant deficiencies
       • material weaknesses
     • Must communicate both significant deficiencies and material weaknesses to management and BOD
       • for issuers, must be in writing
     • Do not give statement of no deficiencies found

  41. 11. Communication of Internal Control Matters
     • Control deficiencies could result from
       • deficiency in
         • design – no control, or existing control not properly designed
         • operation – properly designed control not operating as designed, or person performing control does not possess necessary authority or competence

  42. 11. Communication of Internal Control Matters
     • Material weaknesses
       • a deficiency, or combination of deficiencies, such that there is a reasonable possibility* that a material misstatement of the f/s will not be prevented or detected
     * based on FASB Stmt. No. 5 – includes reasonably possible and probable

  43. 11. Communication of Internal Control Matters
     • Significant deficiencies
       • less severe than material weakness yet important enough to merit attention

  44. 12. AS Requirements
     • Phases of AS 5 integrated audit
       • Plan the engagement
       • Use a top-down approach to gain an understanding
         • Identify entity-level controls
         • Walkthroughs
       • Testing internal control effectiveness
         • Design effectiveness
         • Operating effectiveness
       • Evaluating control deficiencies
         • Deficiencies
         • Significant deficiencies
         • Material weaknesses
       • Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
       • Reporting on internal control

  45. 12. AS Requirements (con’t)
     • Must use top down approach
     • Must issue opinion on the effectiveness of internal control
     • Not separate engagement
       • integrated audit of internal control and financial statements
     • Report
       • Unqualified – no material weaknesses found
       • Disclaimer of opinion – cannot perform all procedures considered necessary
       • Adverse opinion – one or more material weaknesses found
     • Evaluate management’s report

  46. 13. Review Questions for Discussion
     • Chapter 5: 5.3, 5.4, 5.5, 5.7, 5.8, 5.10, 5.13, 5.14, 5.15, 5.17, 5.18, 5.21, 5.26, 5.29, 5.30, 5.31
