Presentation is loading. Please wait.

Presentation is loading. Please wait.

Section 404 Audits of Internal Control and Control Risk

Similar presentations

Presentation on theme: "Section 404 Audits of Internal Control and Control Risk"— Presentation transcript:

1 Section 404 Audits of Internal Control and Control Risk
Chapter 10

2 Internal Control Objectives
Reliability of financial reporting Efficiency and effectiveness of operations Compliance with laws and regulations

3 Management’s Responsibilities For Internal Control
Management - responsible for establishing and maintaining internal control I/C offers reasonable assurance I/C has inherent limitations

4 Management’s Responsibilities For Internal Control
Management’s Section 404 reporting responsibilities Design of internal control over financial reporting Focus is on controls over mgmt. assertions (Ch 6) Operating effectiveness of controls Must be tested and evaluated for effectiveness

5 Auditor Responsibilities Related to Internal Control
Second standard of fieldwork: A sufficient understanding of internal control is to be obtained in order to plan the audit and to determine the nature, timing, and extent of tests to be performed. Control over classes of transactions (vs. account balances) Auditor responsibilities for testing and reporting (Ch. 2) on internal control

6 Five Components of Internal Control
Control environment Risk assessment Information and communication Control activities Monitoring

7 The Control Environment
Actions, policies and procedures that reflect overall attitudes of top management (“tone from the top”) Integrity and ethical values Commitment to competence Board of directors or audit committee participation Management’s philosophy and operating style Organizational structure Assignment of authority and responsibility Human resources policies and practices

8 Risk Assessment For audit purposes:
management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with GAAP.

9 Control Activities Policies and procedures (in addition to those in the Other four components) Adequate separation of duties Proper authorization of transactions and activities Adequate documents and records Physical control over assets and records Independent checks on performance

10 Adequate Separation of Duties
Custody of assets Accounting from Authorization of transactions The custody of related assets from Operational responsibility Record-keeping from IT duties User departments from

11 Proper Authorization of Transactions and Activities
General authorization – policies for the organization to follow. Specific authorization – applies to Individual transactions

12 Adequate Documents and Records
Prenumbered consecutively Prepared at the time of transaction Simple enough to ensure understanding Designed for multiple use Constructed to encourage correct preparation

13 Physical Control over Assets and Records
The most important measure for safeguarding assets and records is the use of physical precautions – limit access to assets/records.

14 Independent Checks on Performance
The need for independent checks arises because internal controls tend to change over time unless there is a mechanism for frequent review.

15 Information and Communication
The purpose of an accounting information and communication system is to… initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.

16 Monitoring Monitoring activities deal with management’s
ongoing and periodic assessment of the quality of internal control performance… to determine whether controls are operating as intended and modified when needed.

17 How the Size of the Business Affects Internal Control
In general the SEC believes that small businesses should be expected to adhere to the same internal control standards that apply to larger public companies. The SEC has also stated that the burden to smaller companies can be disproportionate.

18 Four Phases of a Financial Statement Audit
Obtain an understanding of internal control: design and operation Phase 3 Design, perform, and evaluate tests of controls Phase 2 Assess control risk. Phase 4 Decide planned detection risk and substantive tests.

19 Obtain and Document Understanding of Internal Control
SAS 55 and PCAOB Standard 2 both require the auditor to obtain an understanding of internal control for every audit. Procedures to obtain an understanding: Design of internal controls Whether placed in operation Uses this information as a basis for the integrated audit.

20 Methods Used Narrative Flowchart Internal control questionnaire

21 Narrative 1. The origin of every document and record in the system
2. All processing that takes place 3. The disposition of every document and record in the system 4. An indication of the controls relevant to the assessment of control risk

22 Evaluating Internal Control Operation
Update and evaluate auditor’s previous experience with the entity. Make inquiries of client personnel. Examine documents and records. Observe entity activities and operations. Perform walkthroughs of the accounting system.

23 Assess Control Risk Assess whether the financial statements
are auditable. Determine assessed control risk supported by the understanding obtained assuming the controls are being followed. Use of a control risk matrix to assess control risk

24 Control Risk Matrix Identify transaction-related audit objectives.
Identify existing controls. Associate controls with transaction-related audit objectives. Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses

25 Evaluating Significant Control Deficiencies
LIKELIHOOD SIGNIFICANCE Material Immaterial Probable Remote Material Weakness

26 Communicate Internal Control Deficiencies and Related Matters
Audit committee communications Significant deficiencies and material weaknesses must be communicated Management letters

27 Tests of Controls The procedures to test effectiveness of controls
in support of a reduced assessed control risk are called tests of controls.

28 Procedures for Tests of Controls
1. Make inquiries of client personnel. 2. Examine documents, records, and reports. 3. Observe control-related activities. 4. Reperform client procedures.

29 Extent of Procedures PCAOB 2 requires public company auditors
to test controls each year for all relevant assertions for all significant accounts and transactions Reliance on evidence from prior year’s audit PCAOB 2 is concerned with adequacy of I/C as of the end of the fiscal year Timing of tests depends on the nature of controls and frequency at which they are performed.

30 Procedures to Obtain an Understanding vs. Tests of Controls
In obtaining an understanding, procedures are applied to all controls to identify those likely to prevent/detect Material misstatements in specified assertions. Test of of controls are applied only when the assessed control risk has not been done in obtaining an understanding. Procedures to obtain an understanding are performed on few transactions, while tests of controls are performed on larger samples.

31 Relationship of Assessed Control Risk and Extent of Procedures (Table 10-3)
Inquiry Documentation Observation Reperformance Yes–extensive Yes–with transaction walk-through No Yes–some Yes–using sampling Yes–at multiple times Type of procedure High level: Procedures to obtain an understanding Lower level: Tests of controls Assessed control risk

32 Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests. The auditor links the control risk assessments to the balance-related audit objectives.

33 Section 404 Reporting on Internal Control
The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects. 1

34 Section 404 Reporting on Internal Control
2 The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.

35 Types of Opinions on Internal Controls Over Financial Reporting
Unqualified – No identified material weaknesses No scope limitations Adverse Material weaknesses exist Qualified or disclaimer of opinion Scope limitation

36 Differences in Scope of Controls Tested: Nonpublic Company
Internal controls over financial reporting Internal controls used to assess control risk below maximum Controls that must be tested in an audit of internal controls (ICFR opinion expressed) Controls that must be tested in an audit of financial statements

Download ppt "Section 404 Audits of Internal Control and Control Risk"

Similar presentations

Ads by Google