Chapter 7. Auditing Internal Control over Financial Reporting. ©2008 The McGraw-Hill Companies, All Rights Reserved. McGraw-Hill/Irwin. LO# 1. Management Responsibilities under Section 404.
Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting (ICFR).
Management must comply with the following in order for its public accounting firm to complete an audit of ICFR.
ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.
As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (reasonably possible) and magnitude (material, consequential, or inconsequential).
Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also includes policy manuals, job descriptions, flowcharts, and process models.
LO# 7. Framework Used by Management to Conduct Its Assessment
Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations.
LO# 9. Integrating the Audits of Internal Control and Financial Statements
An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control.
When the auditor performs an integrated audit, he or she will have access to a large amount of information about the client’s controls. This information can make the financial statement audit more efficient and result in reduced substantive procedures.
Regardless of the level of control risk in connection with the audit of the financial statements, auditing standards require the auditor to perform some substantive procedures for all significant accounts and disclosures.
The effectiveness of the audit of internal controls should lead the auditor to determine the implications of these findings on the financial statement audit. The auditor’s evaluation should include:
A major consideration for the external auditor is how much to use the work performed by others. In determining the extent to which the auditor may use the work of others, the auditor should:
(1) evaluate the nature of the controls subjected to the work of others,
(2) evaluate the competence and objectivity of the individuals who performed the work, and
(3) test some of the work performed by others to evaluate the quality and effectiveness of their work.
As the risk associated with the control being tested increases, the external auditor should do more of the work.
In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR.
Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.
The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control.
When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.
Sarbanes-Oxley requires management’s description of internal control to include:
13 & 14. Auditor’s Report Relating to the Audit of Internal Control
The auditor’s report contains an opinion on the effectiveness of ICFR based on the auditor’s independent audit work.
18 & 19. Types of Reports Relating to the Audit of ICFR
An unqualified opinion signifies that the client’s internal control is designed and operating effectively.
A serious scope limitation requires the auditor to disclaim an opinion.
An adverse opinion is required if a material weakness is identified.
Report Modification Based on Scope Limitation
Reason for Scope Limitation
Type of Audit Report
The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.
Many companies use service organizations to process transactions. If the service organization’s services make up part of a company’s information system, then they are considered part of the information and communication component of the company’s internal control over financial reporting. Thus, both management and the auditor must consider the activities of the service organization.
Management and the auditor should perform the following procedures with respect to the activities performed by the service organization: (1) obtain an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization and (2) obtain evidence that the controls which are relevant to management’s assessment and the auditor’s opinion are operating effectively.
Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”
Custom audit software is generally written by auditors for specific audit tasks. It may be required when the client’s computer system is not compatible with the auditor’s generalized audit software.
This is data developed by the auditor to test the application controls in the client’s computer programs. The technique can be used to check (1) data validation controls and error detection routines, (2) processing logic controls, (3) arithmetic calculations, and (4) the inclusion of transactions in records, files, and reports.