Internal Control Over Financial Reporting

Internal Control Over Financial Reporting. Learning Objectives Define internal control and understand its importance to financial statement audits

Learning Objectives

Define internal control and understand its importance to financial statement audits

Describe the components of internal control and their principles

Understand risks and controls in computerized information systems

Describe the concepts and processes related to the audit of internal control over financial reporting

Describe the nature of documentation the auditor uses in understanding and assessing internal control

The Audit Process

I. Making client acceptance and continuance decision

Chapter 1

II. Performing risk assessment

Chapters 3, 7 and 9-13

III. Obtaining evidence about internal control operating effectiveness

Chapters 8-13 and 16

IV. Obtaining substantive evidence about accounts, disclosures and assertions

Chapters 8-13 and 16

V. Completing the audit and making reporting decisions

Chapters 14 and 15

The auditing profession, regulation, corporate governance, and audit quality

Chapters 1 and 2

Professional liability and the need for quality auditor judgments and ethical decisions

Chapter 4

Audit opinion formulation process and a framework for obtaining audit evidence

Chapters 5 and 6

Why is Internal Control Important to Financial Statement Audits?

Internal control is a process, effected by an entity’s BOD, management, and other personnel, designed to provide reasonable assurance regarding the achievement of certain objectives:

Reliability of financial reporting

Effectiveness and efficiency of operations

Compliance with applicable laws and regulations

Q: Which objectives are the auditor’s primary concern?

Components of Internal Control

Risk assessment – methods to identify, analyze, and manage risks

Control environment – the overall attitude, awareness and actions of the BOD and management

Control activities – policies and procedures that ensure management’s directives regarding IC are carried out

Information and communication – methods to identify, capture and communicate external and internal information

Monitoring – ongoing and periodic assessment of the effectiveness of the design and operation of the IC

Risk Assessment

Is management aware of, and responsive to, risks?

External risks – e.g., technology, competition, customer demand

Internal risks – e.g., embezzlement, computer downtime, poorly conceived business model

Principles of Risk Assessment

Specify the objectives with sufficient clarity to enable the identification and assessment of risk

Identify and analyze risks as a basis for determining how the risk should be managed

Consider the potential for fraud in assessing risks

Identify and assess changes that could significantly impact the internal controls

Principles of Control Environment

Commit to integrity and ethical values

Ensure board is independent of and exercises oversight for design and operation of internal control

Establish structures, reporting lines, and appropriate authorities and responsibilities

Hold individuals accountable for responsibilities

Commit to attract, develop and retain competent individuals

Control Activities

Control activities have two aspects/elements:

Design – policies or prescriptions likely to prevent/detect

Operation – working as designed

They are of two types:

Preventive – e.g., access control

Detective – e.g., reconciliation

Principles of Control Activities

Select and develop control activities specific to the risks identified during risk assessment

Select and develop general control activities over technology

Deploy control activities through policies that establish what is expected and in procedures that put policies into action

Principles of Information and Communication

Obtain/generate and use relevant, quality information

Communicate information with internal parties, including information on objectives and responsibilities for internal controls

Communicate information with external parties regarding matters affecting the functioning of internal controls

Principles of Monitoring

Select, develop and perform ongoing and periodic evaluations

Evaluate and communicate internal control deficiencies in a timely manner to those parties responsible for taking corrective actions

Computer Information Systems Characteristics

1. Transaction trail exists for a limited period and only in machine readable language

2. Processing errors are more systematic

3. Segregation of duties has to be achieved in a different manner

4. Many transactions are automatically initiated and processed

5. The potential for errors and fraud is higher due to unauthorized access

Overview of Information System Risks

Computer Processing Area – Risks

Data Communications – Data is intercepted, modified, deleted or replaced with fraudulent data. Data ports provide access to hackers, denial of service attacks or unauthorized access

Data Files – Unauthorized access, manipulation of data, addition of unauthorized data

Computer Programs – Fraudulent programming, incorrect data processing, processing fraudulent data

Computer Operations – Sabotage, natural disaster, viruses, anything that impairs operations

Information System Controls

Two groupings of information system controls are general and application controls.

General controls apply to many or all computer applications. They include:

Planning and controlling data processing

Controlling applications development and changes to programs

Controlling access

Assuring business continuity

Controlling data transmission

Application controls apply to individual applications. These controls help ensure that transactions are valid, properly authorized, and completely and accurately processed. They can be classified into input, processing, and output controls.

Relationship Between General and Application Controls

Cash receipts application controls

Sales applications controls

Payroll application controls

Other cycle application controls

General Controls

Risk of unauthorized change to application software

Risk of system crash

Risk of unauthorized master file update

Risk of unauthorized processing

Planning & Controlling the Data Processing Function

Fundamental concepts an auditor should consider when evaluating the organization of the data processing:

1. Authorization for all transactions originates outside the data processing department

2. Users are responsible for authorization, review, and testing of all application developments and changes in computer programs

3. Access to data is provided only to authorized users

4. Data processing department is responsible for all custodial functions associated with data, data files, software, and related documentation

5. Users, jointly with data processing, are responsible for the adequacy of application controls

6. Management periodically evaluates the information systems function for efficiency, integrity, security, and consistency with organizational objectives

7. Internal audit staff periodically audits applications and operations

Controlling Applications Development and Changes

Program Development

There exists a process to determine that the right applications are acquired, installed, and accomplish their objectives

Program Changes

Only authorized changes are made to a program

All authorized changes are made to a program

All changes are tested, reviewed, and documented before implementation

Only the authorized version of the computer program is run

Controlling Access

Controlling Access to Equipment, Data, and Programs

Access to data is limited to those with a need to know

Ability to change, modify, delete data is restricted to authorized persons

Control system has the ability to identify potential users as authorized or unauthorized

Security department actively monitors attempts to compromise the system

Authentication

A system to verify that users are authorized to access data

There are three primary methods used to authenticate users:

What you know

What you have

Who you are

Assuring Continuity and Controlling Data Transmission

Security and backup plans for both physical assets and media

Minimum elements in a backup and recovery

Standardized procedures for backup and disaster recovery

Plans for reconstruction

Periodic review and testing of plans and procedures

Controls to assure the completeness and accuracy of data transmission between computers and terminals

Data encryption

Input Controls

Input controls ensure that transactions are fully and accurately captured, and properly recorded.

They include:

Input validation tests (Edit tests)

Data type, reasonableness, limit, validity

Invalid combination of items

Record counts

Batch control and hash control totals

Self-checking digits

Use of stored data to minimize data input

On-screen input verification techniques

Processing Controls

Processing Controls are designed to ensure that:

The correct program is used for processing

Transactions are processed appropriately

The correct transactions update files

They include:

Validation tests (correct program is used for processing and correct transactions update files)

Sequential tests (no unauthorized transactions added)

Completeness tests (all authorized transactions processed)

Mathematical accuracy tests

Data reasonable tests

Output Controls

Output Controls are designed to ensure that:

Processing results are accurate

Output is distributed only to authorized recipients

They include:

Data reasonable tests

Reconciliation of output to input control totals

Review of error listings
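
An added example (not from the original slides) of the input controls and the output-to-input reconciliation listed above: edit tests, a self-checking digit, and record-count, control and hash totals. The record layout, currency list, amount limit and the choice of the Luhn mod-10 scheme are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

VALID_CURRENCIES = {"USD", "EUR"}   # assumed reference list for the validity test
AMOUNT_LIMIT = Decimal("10000.00")  # assumed per-transaction ceiling (limit test)

# Constructed sample batch; each account number ends in a Luhn check digit.
BATCH = [
    {"account": "10002343", "amount": "250.00", "currency": "USD"},
    {"account": "20005179", "amount": "1200.50", "currency": "EUR"},
    {"account": "30008866", "amount": "75.25", "currency": "USD"},
]


def luhn_ok(number):
    """Self-checking digit: the whole number must satisfy the Luhn mod-10 rule."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(rec):
    """Return the names of the edit tests that one input record fails."""
    errors = []
    if not luhn_ok(rec["account"]):
        errors.append("check digit")
    try:
        amount = Decimal(rec["amount"])           # data type test
    except InvalidOperation:
        amount = None
    if amount is None or not amount.is_finite():
        return errors + ["data type"]
    if amount <= 0 or amount > AMOUNT_LIMIT:      # limit / reasonableness test
        errors.append("limit")
    if rec["currency"] not in VALID_CURRENCIES:   # validity test
        errors.append("validity")
    return errors


def batch_totals(records):
    """Record count, control total (amounts) and hash total (account numbers).

    The hash total has no business meaning; it changes only if an account
    number is altered, dropped or substituted after the batch was captured."""
    return {
        "record_count": len(records),
        "control_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(input_totals, output_totals):
    """Output control: names of the totals that differ from the input totals."""
    return [k for k in input_totals if input_totals[k] != output_totals.get(k)]


if __name__ == "__main__":
    header = batch_totals(BATCH)
    # Constructed processed output: one payee account substituted, amount unchanged.
    processed = [dict(BATCH[0]), dict(BATCH[1], account="30008866"), dict(BATCH[2])]
    print("edit failures:", [edit_tests(r) for r in processed])
    print("totals out of balance:", reconcile(header, batch_totals(processed)))
```

The substituted account passes every edit test and leaves the record count and control total unchanged; only the hash total exposes it.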

Assessing General & Application Controls

[Flowchart: Test general controls; Effective? (Yes/No); Do not rely on IT application controls; Test applications controls; Effective? (Yes/No); Do not rely on IT application controls; Test application controls and, if effective, reduce tests]

Attestation Services and Internal Control

Section 404 of the Sarbanes-Oxley Act requires that:

management document and assess the effectiveness of internal control over financial reporting, and

the auditor that audits the company’s financial statements attest to management’s assessment and report on effectiveness of internal control.

Section 302 requires that CEO and CFO certify the effectiveness of internal control.

AS 5 establishes the requirements and provides directions when an auditor is engaged to audit both a company’s financial statements and internal control over financial reporting.

Objective of the Audit of Internal Control over Financial Reporting

The auditor's objective here is to express an opinion on the effectiveness of the company’s controls.

To do this, the auditor must obtain reasonable assurance about whether the company maintained effective internal control as of the date specified in management's assessment.

Maintaining effective internal control means that no material weaknesses exist.

Therefore, the objective of the audit of internal control is to obtain reasonable assurance that no material weaknesses exist as of the end of the client’s fiscal year.

Material Weakness vs. Significant Deficiency vs. Control Deficiency

Control deficiency – the design or operation of a control does not allow prevention or detection of misstatements on a timely basis

Significant deficiency – one or more control deficiencies that is less severe than a material weakness, yet important enough to merit attention by those who are responsible to oversee the company’s financial reporting

Material weakness – one or more control deficiencies that results in [at least] a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis

Key features of AS5

Emphasis on top-down, risk-based approach and scalability

More emphasis on entity-level controls

Greater ability to rely on the work of others

Focus on understanding and testing controls in areas that present the highest risk

Steps in the Audit of Internal Control

The auditor must adhere to auditing standards in performing an audit of a company’s internal control. This involves:

Planning the engagement

Obtaining an understanding of internal control

Testing and evaluating design effectiveness of internal control

Testing and evaluating operating effectiveness of internal control

Forming an opinion on the effectiveness of internal control

Planning the Audit of Internal Control

When planning the audit of internal control, the auditor should evaluate how the following matters will affect the audit procedures:

1. Knowledge of the company's internal control obtained during other engagements

2. Matters affecting the industry in which the company operates

3. Matters relating to the company's business

4. The extent of recent changes, if any, in the company, its operations, or its internal control

Planning the Audit of Internal Control

5. Preliminary judgments about materiality and risk

6. Control deficiencies previously communicated to the audit committee or management

7. Legal or regulatory matters which the company is aware of

8. The type and extent of available evidence

9. Preliminary judgments about the effectiveness of internal control

10. Knowledge about risks identified when accepting the client and the relative complexity of the operations

Testing and Evaluating the Design & Operation of Internal Control

The auditor must first obtain an understanding of internal control using a top-down risk based approach.

Evaluating the design effectiveness involves determining whether the control, if operating as prescribed, can effectively prevent or detect errors or fraud.

To evaluate the operating effectiveness of a control, the auditor must determine whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.

Forming an Opinion on the Effectiveness of Internal Control

When forming an opinion on internal control over financial reporting, the auditor should evaluate all evidence obtained from all sources, including:

The auditor’s testing of controls

Misstatements detected during the financial statement audit

Any identified control deficiencies

Note: The auditor's opinion relates to the effectiveness of the company's internal control as of a point in time and taken as a whole.

Reporting on Internal Control

The auditor may choose to issue a combined report or separate reports on the company's financial statements and on internal control over financial reporting.

If the auditor chooses to issue a separate report on internal control over financial reporting, a separate paragraph should be added to both the auditor's report on the financial statements and the auditor’s report on internal control.

The report on internal control is similar to that on financial statements.

Unqualified Opinion on Internal Control over Financial Reporting

When the client maintains, in all material respects, effective internal control as of the end of its (the client’s) fiscal year, the auditor issues an unqualified opinion.

The auditor provides an opinion on the effectiveness of internal control in the context of agreed upon criteria.

The auditor recognizes and conveys to users that there are limitations of internal control.

Adverse Audit Opinion on Internal Control over Financial Reporting

When one or more material weaknesses in the client’s internal control over financial reporting exist, the auditor issues an adverse opinion.

The report describes the weaknesses identified in management’s report but does not discuss the actions being taken to overcome those problems.

The report does not discuss whether the control weakness was first identified by management or by the auditor.

Required Communications in an Audit of Internal Control

The auditor must communicate in writing to management and the audit committee all material weaknesses identified during the audit prior to the issuance of the auditor's report.

Significant deficiencies must also be communicated to the audit committee in writing.

In addition, the auditor should communicate to management, in writing, all deficiencies in internal control.

Documenting the Understanding and Assessment of Internal Control

Audit documentation should clearly identify each component of the internal control.

It should show:

How each significant control is tested

The sampling approach and the size of the sample used in testing

The conclusions of the tests

The individual performing the test

The auditor’s conclusion about the effectiveness of the control

The implications for the audit of related financial account balances

Assurance Services and Internal Control

The developments in information technology have created new assurance services opportunities, some of which the CPAs have already taken advantage of.

PricewaterhouseCoopers: assures data security for companies that trade on the Internet.