Section 404 Audits of Internal Control and Control Risk
1 Section 404 Audits of Internal Control and Control Risk Chapter 10
2 Internal Control Objectives
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with laws and regulations
3 Management’s Responsibilities For Internal Control
Management - responsible for establishing and maintaining internal control
I/C offers reasonable assurance
I/C has inherent limitations
4 Management’s Responsibilities For Internal Control
Management’s Section 404 reporting responsibilities
Design of internal control over financial reporting
Focus is on controls over mgmt. assertions (Ch 6)
Operating effectiveness of controls
Must be tested and evaluated for effectiveness
5 Auditor Responsibilities Related to Internal Control
Second standard of fieldwork: A sufficient understanding of internal control is to be obtained in order to plan the audit and to determine the nature, timing, and extent of tests to be performed.
Control over classes of transactions (vs. account balances)
Auditor responsibilities for testing and reporting (Ch. 2) on internal control
6 Five Components of Internal Control
Control environment
Risk assessment
Information and communication
Control activities
Monitoring
7 The Control Environment
Actions, policies and procedures that reflect overall attitudes of top management (“tone from the top”)
Integrity and ethical values
Commitment to competence
Board of directors or audit committee participation
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resources policies and practices
8 Risk Assessment
For audit purposes: management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with GAAP.
9 Control Activities
Policies and procedures (in addition to those in the other four components)
Adequate separation of duties
Proper authorization of transactions and activities
Adequate documents and records
Physical control over assets and records
Independent checks on performance
10 Adequate Separation of Duties
Custody of assets from accounting
Authorization of transactions from the custody of related assets
Operational responsibility from record-keeping
IT duties from user departments
11 Proper Authorization of Transactions and Activities
General authorization – policies for the organization to follow.
Specific authorization – applies to individual transactions
12 Adequate Documents and Records
Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple use
Constructed to encourage correct preparation
13 Physical Control over Assets and Records
The most important measure for safeguarding assets and records is the use of physical precautions – limit access to assets/records.
14 Independent Checks on Performance
The need for independent checks arises because internal controls tend to change over time unless there is a mechanism for frequent review.
15 Information and Communication
The purpose of an accounting information and communication system is to… initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.
16 Monitoring
Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance… to determine whether controls are operating as intended and modified when needed.
17 How the Size of the Business Affects Internal Control
In general the SEC believes that small businesses should be expected to adhere to the same internal control standards that apply to larger public companies.
The SEC has also stated that the burden to smaller companies can be disproportionate.
18 Four Phases of a Financial Statement Audit
Phase 1: Obtain an understanding of internal control: design and operation
Phase 2: Assess control risk.
Phase 3: Design, perform, and evaluate tests of controls
Phase 4: Decide planned detection risk and substantive tests.
19 Obtain and Document Understanding of Internal Control
SAS 55 and PCAOB Standard 2 both require the auditor to obtain an understanding of internal control for every audit.
Procedures to obtain an understanding:
Design of internal controls
Whether placed in operation
Uses this information as a basis for the integrated audit.
21 Narrative
1. The origin of every document and record in the system
2. All processing that takes place
3. The disposition of every document and record in the system
4. An indication of the controls relevant to the assessment of control risk
22 Evaluating Internal Control Operation
Update and evaluate auditor’s previous experience with the entity.
Make inquiries of client personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.
23 Assess Control Risk
Assess whether the financial statements are auditable.
Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.
Use of a control risk matrix to assess control risk
24 Control Risk Matrix
Identify transaction-related audit objectives.
Identify existing controls.
Associate controls with transaction-related audit objectives.
Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses
25 Evaluating Significant Control Deficiencies
[Matrix: LIKELIHOOD (Probable, Remote) by SIGNIFICANCE (Material, Immaterial); cell label: Material Weakness]
26 Communicate Internal Control Deficiencies and Related Matters
Audit committee communications
Significant deficiencies and material weaknesses must be communicated
Management letters
27 Tests of Controls
The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
28 Procedures for Tests of Controls
1. Make inquiries of client personnel.
2. Examine documents, records, and reports.
3. Observe control-related activities.
4. Reperform client procedures.
29 Extent of Procedures
PCAOB 2 requires public company auditors to test controls each year for all relevant assertions for all significant accounts and transactions
Reliance on evidence from prior year’s audit
PCAOB 2 is concerned with adequacy of I/C as of the end of the fiscal year
Timing of tests depends on the nature of controls and frequency at which they are performed.
30 Procedures to Obtain an Understanding vs. Tests of Controls
In obtaining an understanding, procedures are applied to all controls to identify those likely to prevent/detect material misstatements in specified assertions.
Tests of controls are applied only when the assessed control risk has not been done in obtaining an understanding.
Procedures to obtain an understanding are performed on few transactions, while tests of controls are performed on larger samples.
31 Relationship of Assessed Control Risk and Extent of Procedures (Table 10-3)
Type of procedure: Inquiry; Documentation; Observation; Reperformance
Assessed control risk, High level: Procedures to obtain an understanding: Yes–extensive; Yes–with transaction walk-through; No
Assessed control risk, Lower level: Tests of controls: Yes–some; Yes–using sampling; Yes–at multiple times
32 Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.
The auditor links the control risk assessments to the balance-related audit objectives.
33 Section 404 Reporting on Internal Control
1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects.
34 Section 404 Reporting on Internal Control
2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.
35 Types of Opinions on Internal Controls Over Financial Reporting
Unqualified – No identified material weaknesses; no scope limitations
Adverse – Material weaknesses exist
Qualified or disclaimer of opinion – Scope limitation
36 Differences in Scope of Controls Tested: Nonpublic Company
Internal controls over financial reporting
Internal controls used to assess control risk below maximum
Controls that must be tested in an audit of internal controls (ICFR opinion expressed)
Controls that must be tested in an audit of financial statements