AUDITING
CHAPTER 8
Internal Control
By David N. Ricchiute
GBW 8th ed., Ch. 8
TOPICS
- COSO framework of internal control
- Auditor’s consideration of internal control
- Audit of internal control mandated by Sarbanes-Oxley
INTRODUCTION
- Auditor responsible for considering internal control in audit program design
  - Audit planning
    - What is assessed level of control risk?
    - Based on control risk assessment, can auditor relax nature, extent, timing of substantive tests?
- Sarbanes-Oxley Act requires auditor to audit internal control
  - To comply with Act & SEC’s rules
COSO FRAMEWORK
- COSO provides guidance for auditor’s consideration of internal control
  - A framework to assess internal controls
  - Common definition for internal controls
  - Applies to financial reporting & other management objectives
- Sarbanes-Oxley Act applies only to financial reporting
INTERNAL CONTROL: COSO Definition
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness & efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws & regulations
COSO, 1992, p. 9
CONCEPTS OF COSO DEFINITION
- Internal control is a process
- Internal control accomplished by people at all levels
- Internal control is means to achieve entity’s objectives
- Internal controls provide reasonable, not absolute, assurance
INTERNAL CONTROL OBJECTIVES
- Operations objectives
  - Market share, ROI, product/service diversification
- Financial reporting objectives
  - Producing reliable financial statements
- Compliance objectives
  - Compliance with laws, regulations
SEC & PCAOB: Control Over Financial Reporting
- Sarbanes-Oxley Act Section 404
  - Management to certify internal control over financial reporting is effective
  - Auditor to issue opinion on management’s certification
INTERNAL CONTROL OVER FINANCIAL REPORTING
- SEC, PCAOB definition Section 404
  - A process designed by, or under supervision of principal executive & principal financial officers . . .
  - To provide reasonable assurance regarding reliability of financial reporting, preparation of financial statements in accordance with GAAP
SEC, Final Rule. Washington, D.C.: SEC, 2003.
INTERNAL CONTROL: Policies & Procedures
- Maintain records in reasonable detail
  - To accurately, fairly reflect transactions, dispositions of assets
- Provide reasonable assurance that
  - Transactions recorded as necessary to prepare financial statements in accord with GAAP
  - Receipts, expenditures in accord with management’s, directors’ authorization
  - Unauthorized acquisition, use of assets having material effect on financial statements will be prevented, detected in timely manner
COSO COMPONENTS OF INTERNAL CONTROL
- Control environment
- Risk assessment
- Control activities
- Information & communications support
- Monitoring
COSO & adopted by SAS 94
CONTROL ENVIRONMENT
- Management’s & board of directors’ attitude, awareness, & actions regarding internal control
- Captures importance of control in management’s operating style
- “Tone at the top”
ELEMENTS OF CONTROL ENVIRONMENT
- Attitude & awareness
- Integrity: Codes of conduct
- Commitment: Committed to quality
- Directors, audit committee: Board independent of management
- Management philosophy: Attitude about false records
- Organization structure: Proper flow information
- Authority: Responsibilities defined
- HR policies, procedures: Policies training, promotion, etc.
RISK ASSESSMENT
- Management’s responsibility to identify risks for
  - Financial reporting
  - Operations
  - Compliance
- Management’s responsibility to take action to manage risks
MANAGING RISKS IN CHANGE
Change agents
- Operating environment: Divestiture
- New personnel: Organization culture
- New information system: Time constraints for redesign
- Rapid growth: Back orders
- New technology: Production delays
- New products, services: Unfamiliar risks
- Corporate restructuring: Staff reductions, inadequate supervision
- Foreign operations: Local customs, culture
CONTROL ACTIVITIES
- Policies & procedures to provide reasonable assurance that objectives are met
  - Authorization, execution of transactions
  - Segregation of duties
  - Design & use of documents & records
  - Access to assets & records
CONTROL ACTIVITIES: Categories
- Preventive controls
  - Intended to prevent misstatement
- Detective controls
  - Detect misstatements that have occurred
CONTROL ACTIVITIES: Authorization
- All transactions should be authorized by responsible personnel acting within scope of prescribed authority, responsibility
  - Specific authorization
    - Required for each transaction
    - Typically unusual transactions
  - General authorization
    - Policies, procedures for typical transactions
SEGREGATION OF DUTIES
- Optimum segregation of duties exists when collusion is necessary to circumvent controls
- Separate functions for
  - Management (authorization)
  - Custody (transaction execution)
  - Accounting (recording transactions)
  - Monitoring (independent checks on performance)
DESIGN, USE DOCUMENTS & RECORDS
- Evidence of executed transactions
  - Represent an audit trail
- Impact efficiency
  - Designed for multiple use
  - Prenumbered consecutively
  - Easy to complete
ACCESS TO ASSETS & RECORDS
- Access limited to authorized personnel by
  - Locks for physical protection
  - Limits on employee access online
  - Codes to authorize access
INFORMATION, COMMUNICATION: Defined
- System identifies, captures, communicates external & internal information in form & timeframe to discharge responsibilities
- Includes accounting system
INFORMATION, COMMUNICATION: Sources
- External
  - Market share, regulatory requirements, complaints
- Internal
  - Identify valid transactions
  - Record proper time period
  - Sufficient detail to classify, measure, present in financial statements
INFORMATION, COMMUNICATION: Accounting
- Methods, records, to identify valid transactions
- Transactions recorded in proper period
- Describe transactions on timely basis, sufficient detail to properly
  - Classify
  - Measure
  - Summarize
  - Disclose
TRANSACTION CYCLES: Defined
- Accounting system organized & processes information in cycles
  - Financing
  - Expenditure & disbursement
  - Conversion
  - Revenue & receipt
TRANSACTION CYCLES: Examples
Cycles
- Financing: Capital funds received, used, invested
- Expenditure/disbursement: Goods, services acquired from vendors, employees & paid
- Conversion: Resources used, held, transformed
- Revenue/receipt: Resources distributed to outsiders; payment received
MONITORING
- Continuous or periodic evaluation
- Resolution of discrepancies
- To ensure reliability
RESTATEMENT, FRAUD, & INTERNAL CONTROL
Section 13(b)(2)(B) of 1934 Securities Exchange Act requires issuers to devise, maintain system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accord with GAAP.
Internal control is a matter of law
ASSESSING CONTROL RISK
A sufficient understanding of internal control is to be obtained to plan the audit & determine the nature, timing, and extent of tests to be performed. (2nd GAAS fieldwork)
- Obtain understanding
- Assess control risk
- Determine nature, timing, extent of substantive tests
ASSESSING V. AUDITING COSO INTERNAL CONTROLS
Assessing controls
- Obtain understanding
- Assess control risk for assertions about balances & transactions
- Determine nature, extent, timing of substantive tests
Auditing Section 404
- Obtain understanding
- Evaluate effectiveness
- Form opinion on internal control over financial reporting
OBTAIN UNDERSTANDING: Audit Committee Effectiveness
- Final authority over financial reporting
- Challenge CEO, CFO over financial reporting
- Seek advice of independent auditor
- Engages independent counsel when necessary
OBTAIN UNDERSTANDING: Auditor’s Evaluation
- Auditor evaluates audit committee effectiveness by considering
  - Nominating process & independence
  - Clarity of responsibilities
  - Level management cooperation
  - Committee involvement with auditor & internal auditing
  - Time devoted to audit, internal controls
OBTAIN UNDERSTANDING: Information Technology
- Personal computers & local area networks
- Database management systems
- End-user computing
- Telecommunications
- Service bureaus
- Internet technology
- Software for information systems
  - Operating & applications software
OBTAIN UNDERSTANDING: IT & “Section 404 Documentation”
- For information technology, did management
  - Document & test controls related to financial reporting?
  - Evaluate effectiveness, likelihood of failure?
  - Communicate findings to auditor?
  - Reach assessment that documentation supports?
OBTAIN UNDERSTANDING: Document System
- To demonstrate compliance with requirement to understand & evaluate client’s system
  - Internal control questionnaire
  - Flowchart
  - Narrative memorandum
OBTAIN UNDERSTANDING: Identify Transactions Cycles
- To identify cycles
  - Review account components for homogeneity
  - Identify representative cycles
  - Flowchart each cycle
  - Trace representative transactions through each cycle
  - Revise flowcharts if necessary
OBTAIN UNDERSTANDING: Perform Transaction Walkthroughs
- Required by Section 404 of Sarbanes-Oxley Act
- Trace wide range of transactions, common, uncommon, from each cycle through system from
  - Authorization to
  - Execution to
  - Recording to
  - Summarization
OBTAIN UNDERSTANDING: Auditor Responsibilities
- In transactions walkthroughs, auditor must
  - Understand controls over end-of-period financial reporting
    - Especially for effects on earnings
EVALUATE CONTROL EFFECTIVENESS: Reliability
- When documenting controls
  - Identify controls to be relied upon
    - Test controls
    - If acceptable, assess control risk below maximum
  - Identify controls not suitable to justify reliance
    - Do not test these controls
    - Assess control risk at maximum
    - Plan audit to rely heavily on substantive tests
EVALUATE CONTROL EFFECTIVENESS: Risk
- Assess Control Risk
  - Consider errors, frauds that could occur
  - Identify relevant control activities to prevent, detect errors, frauds
  - Perform tests of controls on control activities that may prevent, detect errors, frauds
EVALUATE CONTROL EFFECTIVENESS: Tests of Controls
- Testing design of controls
  - Whether policy, procedure suitably designed to prevent, detect material misstatements
- Testing operations of controls
  - Were control activities performed?
  - How were they performed?
  - By whom were they performed?
EVALUATE CONTROL EFFECTIVENESS: General Controls
- Computer assisted tests
  - Organization, operation controls
  - Systems development & documentation controls
  - Hardware controls
  - Access controls
  - Data & procedural controls
GENERAL CONTROL EFFECTIVENESS: Operation
- Organization & operation
  - Segregate computer department & users
  - Provide general authorization over execution of transactions
  - Segregate functions within the computer department
GENERAL CONTROL EFFECTIVENESS: Documentation
- Development & documentation
  - Participation by users, accounting personnel, internal auditors in system design
  - Review, approval of system specifications
  - Joint system testing by user, computer personnel
  - Approval new applications, changes
  - Control over master, transaction files
  - Procedures to create, maintain documentation
GENERAL CONTROL EFFECTIVENESS: Hardware
- Hardware controls
  - Controls built into computers by manufacturers
GENERAL CONTROL EFFECTIVENESS: Access Controls
- Limit access to authorized personnel for
  - Hardware
  - Software
  - Data files
  - Software support documentation
GENERAL CONTROL EFFECTIVENESS: Data
- Data & procedural controls
  - Written procedures, authorization manuals
  - Control groups
EVALUATE CONTROL EFFECTIVENESS
- Computer-Assisted Tests of Application Controls
  - Input controls
  - Processing controls
  - Output controls
APPLICATION CONTROL EFFECTIVENESS: Input
- Input controls
  - Input authorization, approval
  - Code verification
  - Data conversion
  - Data movement
  - Occurrence correction
APPLICATION CONTROL EFFECTIVENESS: Processing
- Processing controls
  - Control totals
  - File labels
  - Limit (reasonableness) tests
APPLICATION CONTROL EFFECTIVENESS: Output
- Output controls
  - Control totals comparisons
  - Output distribution
COMPUTER-ASSISTED TESTS OF CONTROLS: Types
- Test data: uses client software to process data with valid & invalid transactions
- Base Case System Evaluation (BCSE): develops test data to test expected conditions
- Integrated test facility: tests whether client actually uses software by running live and fictitious data simultaneously
- Parallel simulation: processing client data with auditor’s software
COMPUTER-ASSISTED TESTS OF CONTROLS: Types (cont.)
- Embedded audit modules: selects client data for subsequent testing & analysis
  - SCARFs: logs created from embedded audit modules that collect transaction information
- Audit hooks & tagging: transaction records tagged & traced through critical control points
CONTROL DEFICIENCIES, MATERIAL WEAKNESSES
- Deficiencies do not allow management, employees to prevent, detect misstatements in normal course of business
- Material weakness is a significant deficiency more than remotely likely to cause a material misstatement that will not be prevented, detected
NATURE, TIMING, EXTENT
- Audit risk strategy
  - Determine acceptable detection risk
  - Design nature, timing, extent of substantive tests
NATURE, TIMING, EXTENT & SUBSTANTIVE TESTS
Effect of Level of Detection Risk
- Nature
  - Lower: Use more persuasive tests (confirmation)
  - Higher: Use less persuasive tests (documentation)
- Timing
  - Lower: Test at balance sheet date
  - Higher: Test at interim dates
- Extent
  - Lower: Test more (increase sample size)
  - Higher: Test less (decrease sample size)
AUDITOR’S OPINION ON INTERNAL CONTROLS
- Auditor evaluates
  - Reports by internal auditors
  - Significant deficiencies
  - Results of test of controls
  - Results of substantive test of details
- To issue an opinion on controls