Internal Control Evaluation: Assessing Control Risk

Presentation on theme: "Internal Control Evaluation: Assessing Control Risk"— Presentation transcript:

1 Internal Control Evaluation: Assessing Control Risk
Chapter 5 Internal Control Evaluation: Assessing Control Risk Accounting 408 Chapter 5

2 1. Overview

3 2. Introduction Management’s Responsibility for internal control
Responsibility under SOX: design, implement, and maintain control system; certify the financial statements (Section 302); report on IC over financial reporting (Section 404), which must include a statement: that management is responsible, identifying the framework, providing management's assessment. For nonissuer: Foreign Corrupt Practices Act.

4 2. Introduction (continued)
Auditor’s responsibility. Under SOX, auditor must: conduct an integrated audit under PCAOB stds (not a separate engagement); issue opinion on f/s and IC. For nonissuer, auditor must: conduct audit under AICPA stds; use evaluation of the client’s business and its IC to identify and assess risks of material misstatement.

5 2. Introduction (continued)
Performance Principle: The auditor must identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including its internal control. Standards: SAS 122; SAS 109; SAS 78 - COSO; SAS 55; SAS 1. Questions

6 2. Introduction (continued)
SAS 122 and 109 – Definition of IC: IC is a process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of objectives with regard to: reliability of financial reporting; effectiveness and efficiency of operations; compliance with applicable laws and regulations.

7 3. Control Structure Relevance to an audit Elements of IC – COSO
control environment; risk assessment; information and communication; control activities; monitoring

8 3. Control Structure (con’t)
Control environment – most important: integrity and ethical values; board of directors (includes audit committee); management’s philosophy and operating style; organizational structure; financial reporting competencies; authority and responsibility; human resource policies. How would you gather evidence about these components? Harder to gather evidence about more abstract components, yet more abstract components have the most pervasive effect.

9 3. Control Structure (con’t)
Risk assessment. Examples of where risks may arise: change in regulatory or operating environment; new personnel; new or revised AIS; rapid expansion; new technology; new business models or products; expansion or acquisition of foreign operations.

10 3. Control Structure (con’t)
Information and communication: AIS; IT general controls; IT application controls; spreadsheet controls.

11 3. Control Structure (con’t)
Control activities: prenumbered documents; segregation of duties; authorization; record keeping; custody; reconciliation; physical security; IT controls; preventive controls vs. detective controls.

12 3. Control Structure (con’t)
Monitoring: internal auditing; follow-up of reporting errors; follow-up of customer complaints. Questions

13 3. Control Structure (con’t)

14 3. Control Structure (con’t)
Elements – Enterprise Risk Mgt Framework: internal environment; objective setting; event identification; risk assessment; risk response; control procedures; information and communication; monitoring.

15 3. Control Structure (con’t)

16 4. General Considerations
Entity’s specific context; Management’s responsibility; Extent of IT; Reasonable assurance; Limitations.

17 4. General Considerations (continued)
Limitations: cost benefit issues; misunderstandings; mistakes of judgment; carelessness; collusion; management override; unusual transactions.

18 4. General Considerations (continued)
Small business considerations; Design vs. implementation vs. operating effectiveness; Auditability of entity.

19 4. General Considerations (continued)
Why assess risk of material misstatement? Determine nature, timing, and extent of audit procedures: tests of controls; substantive tests.

20 4. General Considerations (continued)
[Figure: Trade-off Between Testing of Controls and Substantive Testing. Labels: Detection Risk (High, Low); Substantive Testing; Tests of Controls; RMM (Low, High).]

21 4. General Considerations (continued)
Control risk never zero. Some substantive procedures always required. Tests of controls: required for issuers (AS 5); optional for nonissuers. Use of TOC evidence from previous audits: inquire of management – if no changes, can use but must test every three years.

22 5. Obtaining an Understanding
Extent of understanding necessary? depends on circumstances of the engagement; size and complexity of the entity; auditor’s experience with entity; identifying significant changes from prior years; sufficient to identify and assess RMM. Must include understanding of (follows top down approach): significant accounts and disclosures, and their relevant assertions; entity-level controls and transaction-level controls; design, implementation, effectiveness. Must include knowledge of each IC element. Does not have to include all controls in the entity.

23 5. Obtaining an Understanding (continued)
Procedures to obtain an understanding (Risk Assessment Procedures): inquiries; inspection; observation; analytical procedures; walk through; previous experience.

24 5. Obtaining an Understanding (continued)
Documentation. Extent: Discussion among audit team; Key components and each element; Assessment of RMM at both f/s and assertion levels; Controls tested; Risks identified. Methods: Narrative; Questionnaire; Flowchart.

25 6. Assessing RMM Use top-down approach Consider nature of transactions
identify significant accounts and assertions; identify risks at entity level and then relate to assertion level for significant accounts and assertions; relate risks to what can go wrong at the relevant assertion level; consider if misstatements could rise to a material amount; consider the likelihood they would result in a material misstatement. Consider nature of transactions: routine transactions; nonroutine transactions; estimation transactions.

26 6. Assessing RMM (con’t) Examples of Risk Assessment Procedures used to obtain understanding and assess risks: Inquiries – use different levels; Analytical procedures – high level of aggregation; Observation and inspection – prior year info – consider changes; Discussion with audit team.

27 6. Assessing RMM (con’t) After assessment Determine: nature timing
extent of testing (substantive and tests of controls)

28 6. Assessing RMM (con’t) Assessment levels Initial assessment
at the maximum; below the maximum. Initial assessment. Additional concepts for assessment: pervasive vs. specific effect; direct vs. indirect effect; compensating strengths; qualitative or quantitative assessment.

29 7. Tests of Controls Types of tests
inquiries; inspection; observation; reperformance. Requirements to perform tests of controls.

30 7. Tests of Controls (con’t)
Approach to tests of controls: directed toward the operation of a control (design or implementation), procedures used: inquiring, inspecting, observing (e.g., budget, IT general controls); directed toward the effectiveness of a control, procedures used: inquiring, inspecting, observing, reperforming. Dual purpose tests.

31 7. Tests of Controls (con’t)
Internal control deficiency: the design or operation of a control does not allow management or employees to detect or prevent misstatements in a timely fashion. Design deficiency: control missing or so poorly designed it fails to detect or prevent misstatements even if operating as designed. Operating deficiency: properly designed control is either ignored or inappropriately applied.

32 8. Reassess RMM Based on results from tests of controls Could support
lower assessment; same assessment; higher assessment. Cumulative process.

33 9. Design Substantive Tests
Audit program. Relationship between final assessment of CR and substantive testing. Effect on substantive testing: nature; timing; extent. Questions

34 11. Communication of Internal Control Matters
Responsibility of auditor (nonissuer) AU-C The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This section specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.

35 11. Communication of Internal Control Matters
Levels of deficiencies: control deficiencies; significant deficiencies; material weaknesses. Must communicate both significant deficiencies and material weaknesses to management and BOD; for issuers, must be in writing. Do not give statement of no deficiencies found.

36 11. Communication of Internal Control Matters
Control deficiencies could result from deficiency in: design – no control, or existing control not properly designed; operation – properly designed control not operating as designed, or person performing control does not possess necessary authority or competence.

37 11. Communication of Internal Control Matters
Material weaknesses: a deficiency, or combination of deficiencies, such that there is a reasonable possibility* that a material misstatement of the f/s will not be prevented or detected. * based on FASB Stmt. No. 5 – includes reasonably possible and probable

38 11. Communication of Internal Control Matters
Significant deficiencies: less severe than material weakness yet important enough to merit attention.

39 12. AS Requirements Phases of AS 5 integrated audit
Plan the engagement. Use a top-down approach to gain an understanding: Identify entity-level controls; Walkthroughs. Testing internal control effectiveness: Design effectiveness; Operating effectiveness. Evaluating control deficiencies: Deficiencies; Significant deficiencies; Material weaknesses. Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting. Reporting on internal control.

40 12. AS Requirements (con’t)
Must use top down approach. Must issue opinion on the effectiveness of internal control. Not separate engagement: integrated audit of internal control and financial statements. Report: Unqualified – no material weaknesses found; Disclaimer of opinion – cannot perform all procedures considered necessary; Adverse opinion – one or more material weaknesses found. Evaluate management’s report.

41 13. Review Questions for Discussion
Chapter 5: 5.3, 5.4, 5.6, 5.7, 5.9, 5.12, 5.13, 5.16, 5.17, 5.18, 5.26 ACCT-4080 Chapter 3

