Presentation on theme: "Section 404 Audits of Internal Control and Control Risk"— Presentation transcript:
1 Section 404 Audits of Internal Control and Control Risk Chapter 10
2 Learning Objective 1Describe the three primaryobjectives of effectiveinternal control.
3 Internal Control Objectives Reliability of financial reportingEfficiency and effectiveness of operationsCompliance with laws and regulations
4 Learning Objective 2Contrast management’sresponsibilities for maintainingand reporting on internal controlswith the auditor’s responsibilitiesfor understanding, testing, andreporting on internal controls.
5 Management and Auditor Responsibilities Related to Internal Control Management’s responsibilityfor establishing internal controlReasonable assuranceInherent limitations
6 Management and Auditor Responsibilities Related to Internal Control Management’s Section 404reporting responsibilitiesDesign of internal controlOperating effectiveness of controls
7 Management and Auditor Responsibilities Related to Internal Control Auditor responsibilities forunderstanding internal controlControl over classes of transactionsAuditor responsibilities for testingand reporting on internal control
8 Sales Transaction-Related Audit Objectives Sales are for shipmentsto existing customers.Transaction-Related AuditObjective – General formRecorded transactionsexist (existence).Existing sales transactionsare recorded.Existing transactions arerecorded (completeness).Transactions are statedcorrectly (accuracy).Sales for goods shippedare correctly billed.
9 Sales Transaction-Related Audit Objectives Objective – General formSales Transaction-RelatedAudit ObjectivesTransactions are properlyclassified (classification).Sales transactions areproperly classified.Transactions are recordedon correct dates (timing).Sales are recorded onthe correct dates.Transactions are properlyfiled (posting andsummarization).Sales transactions areproperly included in themaster files.
10 Learning Objective 3Explain the five componentsof the COSO internalcontrol framework.
11 Five Components of Internal Control Control environmentRiskassessmentInformation andcommunicationControlactivitiesMonitoring
12 The Control Environment Integrity and ethical valuesCommitment to competenceBoard of directors or audit committee participationManagement’s philosophy and operating style
13 The Control Environment Organizational structureAssignment of authority and responsibilityHuman resources policies and practices
14 Risk Assessment Identify factors that may increase risk. Estimate the significance of the risk.Assess the likelihood of the risk.Determine actions necessary to manage the risk.
15 Control Activities 1. Adequate separation of duties 2. Proper authorization of transactions and activities3. Adequate documents and records4. Physical control over assets and records5. Independent checks on performance
16 Adequate Separation of Duties Custody of assetsAccountingfromAuthorizationof transactionsThe custody ofrelated assetsfromOperationalresponsibilityRecord-keepingfromIT dutiesUser departmentsfrom
17 Proper Authorization of Transactions and Activities General authorizationSpecific authorization
18 Adequate Documents and Records Prenumbered consecutivelyPrepared at the time of transactionSimple enough to ensure understandingDesigned for multiple useConstructed to encourage correct preparation
19 Physical Control over Assets and Records The most important type of protectivemeasure for safeguarding assets andrecords is the use of physical precautions.
20 Independent Checks on Performance The need for independent checks arisesbecause internal control tends to changeover time unless there is a mechanismfor frequent review.
21 Information and Communication The purpose of an accounting informationand communication system is to…initiate, record, process, and reportthe entity’s transactions and to maintainaccountability for the related assets.
22 Monitoring Monitoring activities deal with management’s ongoing and periodic assessment of thequality of internal control performance…to determine whether controls are operatingas intended and modified when needed.
23 How the Size of the Business Affects Internal Control In general the SEC believes that smallbusinesses should be expected to adhereto the same internal control standards thatapply to larger public companies.The SEC has also stated that the burden tosmaller companies can be disproportionate.
24 Learning Objective 4Obtain and document anunderstanding of internal control.
25 Four Phases of a Financial Statement Audit Obtain anunderstanding ofinternal control:design andoperationPhase 3Design, perform,and evaluate testsof controlsPhase 2Assess controlrisk.Phase 4Decide planneddetection riskand substantivetests.
26 Obtain and Document Understanding of Internal Control SAS 55 and PCAOB Standard 2 both requirethe auditor to obtain an understandingof internal control for every audit.Procedures to obtain an understanding:Design of internal controlsWhether placed in operationUses this information as a basis for theintegrated audit.
28 Narrative 1. The origin of every document and record in the system 2. All processing that takes place3. The disposition of every documentand record in the system4. An indication of the controls relevantto the assessment of control risk
29 Evaluating Internal Control Operation Update and evaluate auditor’s previousexperience with the entity.Make inquiries of client personnel.Examine documents and records.Observe entity activities and operations.Perform walkthroughs of the accounting system.
30 Learning Objective 5Assess control risk by linking keycontrols, significant deficiencies,and material weaknesses totransaction-related auditobjectives.
31 Assess Control Risk Assess whether the financial statements are auditable.Determine assessed control risk supportedby the understanding obtained assumingthe controls are being followed.Use of a control risk matrix to assess control risk
32 Control Risk Matrix Auditors use the control risk matrix to identify both controls and weaknessesand to assess control risk.
33 Control Risk Matrix Identify transaction-related audit objectives. Identify existing controls.Associate controls with transaction-relatedaudit objectives.Identify and evaluate control deficiencies,significant deficiencies, and material weaknesses
34 Evaluating Significant Control Deficiencies LIKELIHOODSIGNIFICANCEMaterialImmaterialProbableRemoteMaterialWeakness
35 Communicate Internal Control Deficiencies and Related Matters Audit committee communicationsManagement letters
36 Learning Objective 6Describe the process of designingand performing tests of controls.
37 Tests of Controls The procedures to test effectiveness of controls in support of a reduced assessed controlrisk are called tests of controls.
38 Procedures for Tests of Controls 1. Make inquiries of client personnel.2. Examine documents, records, and reports.3. Observe control-related activities.4. Reperform client procedures.
39 Extent of Procedures Reliance on evidence from prior year’s audit Testing less than the entire audit period
40 Relationship of Assessed Control Risk and Extent of Procedures InquiryDocumentationObservationReperformanceYes–extensiveYes–with transactionwalk-throughNoYes–someYes–using samplingYes–at multiple timesType ofprocedureHigh level:Procedures to obtainan understandingLower level:Tests of controlsAssessed control risk
41 Decide Planned Detection Risk and Design Substantive Tests The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk andrelated substantive tests.The auditor links the control risk assessmentsto the balance-related audit objectives.
42 Learning Objective 7Understand Section 404requirements for auditorreporting on internal control.
43 Section 404 Reporting on Internal Control The auditor’s opinion on whether management’sassessment of the effectiveness of internalcontrol over financial reporting as of theend of the fiscal period is fairly stated,in all material respects.1
44 Section 404 Reporting on Internal Control 2The auditor’s opinion on whether the companymaintained, in all material respects, effectiveinternal control over financial reportingas of the specified date.
45 Types of Opinions Unqualified Adverse Qualified or disclaimer of opinion
46 Learning Objective 8Describe the differences inevaluating, reporting, andtesting internal control fornonpublic companies.
47 Evaluating, Reporting, and Testing Internal Control for Nonpublic Companies 1. Reporting requirements2. Extent of required internal controls3. Extent of understanding needed4. Assessing control risk5. Extent of tests of controls needed
48 Differences in Scope of Controls Tested: Nonpublic Company Internal controls over financial reportingInternal controls used to assesscontrol risk below maximumControls that must be tested inan audit of internal controlsControls that must be tested inan audit of financial statements