Chapter 7x

italiansaucyΛογισμικό & κατασκευή λογ/κού

13 Δεκ 2013 (πριν από 3 χρόνια και 10 μήνες)

113 εμφανίσεις

Chapter 7

Auditing Internal
Control over
Financial
Reporting

McGraw
-
Hill/Irwin

Copyright © 2012 by The McGraw
-
Hill Companies, Inc. All rights reserved.

Management Responsibilities
under Section 404

Section 404 of the Sarbanes
-
Oxley Act requires
managements of publicly traded companies to issue
an internal control report that explicitly accepts
responsibility for establishing and maintaining

adequate


internal control over financial reporting
(ICFR).

LO# 1

7
-
2

Management Responsibilities
under Section 404

Management must comply with the following
requirements in order for the external auditor to
complete an audit of ICFR.

1.
Accept responsibility for the effectiveness of the
entity

s ICFR.

2.
Evaluate the effectiveness of the entity

s ICFR
using suitable control criteria.

3.
Support the evaluation with sufficient evidence,
including documentation.

4.
Present a written assessment regarding the
effectiveness of the entity

s ICFR as of the end of
the entity

s most recent fiscal year.

LO# 1

7
-
3

Auditor Responsibilities under
Section 404 and AS5

The entity

s independent auditor must audit and report
on the effectiveness of ICFR. The auditor is required to
conduct an
integrated audit

of the entity

s ICFR and
its financial statements.

LO# 2

7
-
4

ICFR Defined

ICFR is defined as a process designed to provide reasonable
assurance regarding the reliability of financial reporting and
the preparation of financial statements in accordance with
GAAP. Controls include procedures that:

1.
Pertain to the maintenance of records that fairly reflect the
transactions and dispositions of the assets of the company.

2.
Provide reasonable assurance that transactions are
recorded in accordance with GAAP.

3.
Provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or
disposition of the company

s assets.

LO# 3

7
-
5

Internal Control Deficiencies
Defined

A
control deficiency

exists when the
design or operation

of a control does not allow management or employees, in
the normal course of performing their assigned functions,
to prevent or detect misstatements on a timely basis.

A
significant deficiency

is a deficiency, or a combination
of deficiencies, in internal control over financial reporting
that is less severe than a material weakness, yet
important enough to merit attention by those responsible
for oversight of the company's financial reporting.

LO# 4

7
-
6

Internal Control Deficiencies
Defined

A control deficiency may be serious enough that it is to
be considered not only a significant deficiency but also a
material weakness

in the system of internal control. A
material weakness is a
deficiency, or a combination of
deficiencies, in ICFR, such that there is a
reasonable
possibility

that a
material misstatement

of the annual or
interim financial statements
will not be prevented or
detected

on a timely basis.

As illustrated on the next slide, the auditor must consider
two dimensions of the control deficiency:
likelihood

(reasonably possible), and
magnitude

(material, consequential, or inconsequential)

LO# 4

7
-
7

Internal Control Deficiencies
Defined

Material

Not material

but significant

Not material

or significant

Remote

Reasonably possible or probable

Material

weakness

Significant
deficiency


Control
deficiency

L I K E L I H O O D

M

A

G

N

I

T

U

D

E

LO# 4

7
-
8

Management

s

Assessment
Process

Management must follow a top
-
down, risk
-
based
approach:

1.
Identify financial reporting risks and controls.

2.
Evaluate evidence about the operating effectiveness of
ICFR.

3.
Consider which locations to include in the evaluation.

LO# 5

7
-
9

Framework Used by Management
to Conduct Its Assessment

Most entities use the framework developed by COSO.

This framework identifies three primary objectives of

internal control: (1) reliable financial reporting;

(2) efficiency and effectiveness of operations;

and (3) compliance with laws and regulations.

LO#

5

7
-
10

Management

s
Documentation

Management must develop sufficient
documentation to support its assessment of the
effectiveness of internal control. This
documentation may take many forms, such as
paper, electronic files, or other media. It also
includes policy manuals, process models,
flowcharts, job descriptions, documents, and
forms.

LO# 5

7
-
11

Integrating the Audits of Internal
Control and Financial Statements

An integrated audit is composed of the audits of internal
control and the financial statements. The control testing
impacts the planned substantive procedures. Also, the
results of the substantive procedures are considered in
the evaluation of internal control.

Tests of

internal

control

Substantive

audit

procedures

LO# 6

7
-
12

Performing an Audit of ICFR

Figure 7
-
2

LO# 6

7
-
13

Planning the Audit of ICFR


The planning process is similar to the
process used for the audit of financial
statements.


Consider the following:


Risk assessment and the risk of fraud.


Scaling the audit.


Using the work of others.

LO# 7

7
-
14

Special Consideration:

Using the Work of Others

A major consideration for the external auditor is how much
work is to be performed by others. In determining the extent to
which the auditor may use the work of others, the auditor
should:

(1) evaluate the nature of the controls subjected to the work of
others,

(2) evaluate the competence and objectivity of the individuals
who performed the work, and

(3) test some of the work performed by others to evaluate the
quality and effectiveness of their work.


As the risk associated with the control being tested increases,
the external auditor should do more of the work.

LO# 7

7
-
15

Using a Top
-
Down Approach

Figure 7
-
3

LO# 8

7
-
16

Identify Entity
-
Level Controls

LO#
5

7
-
17


Size and composition of the account


Susceptibility to misstatement due to
errors or fraud


Volume of activity, complexity, and
homogeneity of the individual transactions
processed through the account or
reflected in the disclosure


Nature of the account or disclosure


Accounting and reporting complexities
associated with the account or disclosure

LO# 8

Identifying Significant Accounts

7
-
18

Identifying Significant Accounts


Exposure to losses in the account


Possibility of significant contingent
liabilities arising from the activities
reflected in the account or disclosure


Existence of related
-
party
transactions in the account


Changes from the prior period in
account or disclosure characteristics

LO# 8

7
-
19

Sources of Misstatements


Understand the flow of transactions related to the
relevant assertions


Identify the points within the entity

s processes at
which a misstatement could arise that would be
material


Identify the controls that management has
implemented to address these potential
misstatements


Identify the controls that management has
implemented over the prevention or timely detection
of unauthorized acquisition, use, or disposition of the
company

s assets that could result in a material
misstatement of the financial statements


LO# 8

7
-
20

Select Controls to Test

LO# 8

7
-
21

Test the Design and Operating
Effectiveness of Controls

LO# 9


Evaluate design


Test and evaluate operating
effectiveness


Nature:

Inquiry, Inspection of documents,
observation, and reperformance.


Timing:

Interim vs.

as of


date


Extent:
Consider (1) Nature of the control;
(2) Frequency of operation; and
(3) Importance of the control.

7
-
22

Internal Control Deficiencies
Defined

Material

Not material

but significant

Not material

or significant

Remote

Reasonably possible or probable

Material

weakness

Significant
deficiency


Control
deficiency

L I K E L I H O O D

M

A

G

N

I

T

U

D

E

LO# 4

7
-
23

Evaluate Identified Control Deficiencies

LO# 10

As discussed previously, the auditor must consider the
likelihood
and
magnitude
of the control deficiency.

7
-
24

Evaluate Identified Control Deficiencies

LO# 10

If a deficiency, or combination of deficiencies,
prevents the auditor from having reasonable
assurance that transactions are recorded properly,
then the auditor should treat the deficiency as an
indicator of a material weakness.

7
-
25

Remediation of a Material
Weakness


Remediation is the process of
correcting a material weakness in the
ICFR


If a material weakness is corrected
before the

as of


date, there must be
sufficient time for both management
and the auditor to test the operating
effectiveness of the control


if not, an
adverse opinion (or disclaimer) is still
issued.

LO# 11

7
-
26

Written Representations

In addition to the management representations obtained
as part of a financial statement audit, the auditor also
obtains written representations from management related
to the audit of ICFR.

Failure to obtain written
representations from
management, including
management

s

refusal to
furnish them, constitutes a
limitation on the scope of the
audit sufficient to preclude an
unqualified opinion.

LO# 12

7
-
27

Auditor Documentation
Requirements

The auditor must properly document the
processes
,
procedures
,
judgments
, and
results

relating to the audit
of internal control.

When an entity has effective
ICFR, the auditor should be
able to perform sufficient
testing of controls to assess
control risk for all relevant
assertions at a
low level
.

LO# 13

7
-
28

Auditor Documentation Requirements

The auditor

s

documentation of the process, procedures,
judgments and results relating to the audit of ICFR should
include:

1. The auditor

s

understanding and evaluation of the
design of each of the components of ICFR;

2. The process used to determine the points at which
misstatements could occur;

3. The extent to which the auditor relied upon the work of
others; and

4. The evaluation of any deficiencies discovered or other
findings which could result in a report modification.

LO# 13

7
-
29

Types of Reports Relating to the
Audit of ICFR

An
unqualified

opinion signifies that the client

s
internal control is designed and operating
effectively (no material weaknesses).

A serious scope limitation requires the auditor to
disclaim

an opinion.

An
adverse

opinion is required if a material
weakness is identified.

LO# 14

7
-
30

Types of Reports Relating to the
Audit of ICFR

Report Modification Based on Control Deficiencies

Likelihood/Magnitude

of Misstatement

Type of

Audit Report

Control

deficiency

Significant

deficiency

Material

weakness

Unqualified

opinion

Adverse

opinion

LO# 14

7
-
31

Types of Reports Relating to the
Audit of Internal Control

Report Modification Based on Scope Limitation

Seriousness of

Scope Limitation

Type of

Audit Report

Minor

effect

Severe
limitation

Unqualified

opinion

Disclaim

opinion or

withdraw

LO# 14

7
-
32

Other Reporting Issues

1.
Management

s report is incomplete or improperly
presented.

2.
The auditor decides to refer to the report of other
auditors.

3.
A significant subsequent event has occurred.

4.
There is additional information contained in
management

s report on internal control.

5.
There is a remediated material weakness at an interim
date.

LO# 14

7
-
33

Additional Required Communications
in an Audit of ICFR

The auditor must communicate in writing to management
and the audit committee all significant deficiencies and
material weaknesses identified during the audit (AS5).
This communication should be made prior to the issuance
of the auditor

s

report on ICFR. In addition, the auditor
should communicate to management, in writing, all
control deficiencies identified during the audit and inform
the audit committee when such a communication has
been made.

LO# 15

7
-
34

Advanced Module 1: Safeguarding
of Assets

Safeguarding of assets is defined as policies
and procedures that

provide reasonable
assurance regarding prevention or timely
detection of unauthorized acquisition, use, or
disposition of the company’s assets that could
have a material effect on the financial
statements.


LO# 17

7
-
35

Advanced Module 2:
Computer
-
Assisted Audit Techniques

Computer
-
assisted audit techniques (CAATs)
include:



Generalized audit software packages.



Custom audit software.



Test data.

LO# 18

7
-
36

Advanced Module 2: Generalized
Audit Software

LO# 18

7
-
37

Advanced Module 2: Custom Audit
Software

Custom audit software is generally written by auditors
for specific audit tasks. It may be required when the
client

s

computer system is not compatible with the
auditor’s generalized audit software.

Custom software:

(1)

Is expensive to develop.

(2)

Requires long development time.

(3)

May require extensive modification if
the client changes its accounting
application programs.

LO# 18

7
-
38

Advanced Module 2: Test Data

Test data are developed by the auditor to test the
application controls in the client

s

computer programs.
The technique can be used to check
(1)

data validation
controls and error detection routines,
(2)

processing
logic controls,
(3)

arithmetic calculations, and
(4)

the
inclusion of transactions in records, files, and reports.

LO# 18

7
-
39