Chap007 - 27-Oct-2008 13:07


Chapter 7

Auditing Internal Control over Financial Reporting

McGraw-Hill/Irwin

©2008 The McGraw-Hill Companies, All Rights Reserved

7-2

Management Responsibilities under Section 404

Section 404 of the Sarbanes-Oxley Act requires
managements of publicly traded companies to issue
an internal control report that explicitly accepts
responsibility for establishing and maintaining
“adequate” internal control over financial reporting
(ICFR).

LO# 1

7-3

Management Responsibilities under Section 404

Management must comply with the following in order
for its public accounting firm to complete an audit of
ICFR.

1. Accept responsibility for the effectiveness of the entity’s ICFR.

2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.

3. Support its evaluation with sufficient evidence, including documentation.

4. Present a written assessment of the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.

LO# 1

7-4

Auditor Responsibilities under Section 404

The entity’s independent auditor must audit and report
on the effectiveness of ICFR. The auditor is required to
conduct an integrated audit of the entity’s ICFR and
its financial statements.

LO# 2

7-5

ICFR Defined

ICFR is defined as a process designed to provide
reasonable assurance regarding the reliability of
financial reporting and the preparation of financial
statements in accordance with GAAP. Controls include
procedures that:

1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.

2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets.

LO# 3

7-6

Internal Control Deficiencies Defined

A control deficiency exists when the design or operation
of a control does not allow management or employees, in
the normal course of performing their assigned functions,
to prevent or detect misstatements on a timely basis.

A significant deficiency is a deficiency, or a combination
of deficiencies, in internal control over financial reporting
that is less severe than a material weakness, yet
important enough to merit attention by those responsible
for oversight of the company's financial reporting.

LO# 4

7-7

Internal Control Deficiencies Defined

A control deficiency may be serious enough that it is to
be considered not only a significant deficiency but also a
material weakness in the system of internal control. A
material weakness is a deficiency, or a combination of
deficiencies, in ICFR, such that there is a reasonable
possibility that a material misstatement of the annual or
interim financial statements will not be prevented or
detected on a timely basis.

As illustrated on the next slide, the auditor must consider
two dimensions of the control deficiency: likelihood
(reasonably possible) and magnitude (material,
consequential, or inconsequential).

LO# 4

7-8

Internal Control Deficiencies Defined

[Figure: control deficiencies classified along two axes. Likelihood: remote; reasonably possible or probable. Magnitude: material; not material but significant; not material or significant. Classifications shown: material weakness, significant deficiency, control deficiency.]

LO# 4

7-9

Management’s Assessment Process

Management must follow a top-down, risk-based approach:

1. Identify financial reporting risks and controls.

2. Evaluate evidence about the operating effectiveness of ICFR.

3. Consider which locations to include in the evaluation.

LO# 5

7-10

Management’s Documentation

Management must develop sufficient
documentation to support its assessment of the
effectiveness of internal control. This
documentation may take many forms, such as
paper, electronic files, or other media. It also
includes policy manuals, job descriptions,
flowcharts, and process models.

LO# 6

7-11

Framework Used by Management to Conduct Its Assessment

Most entities use the framework developed by COSO.
This framework identifies three primary objectives of
internal control: (1) reliable financial reporting;
(2) efficiency and effectiveness of operations;
and (3) compliance with laws and regulations.

LO# 7

7-12

Performing an Audit of ICFR

LO# 8

7-13

Integrating the Audits of Internal Control and Financial Statements

An integrated audit is composed of the audits of internal
control and the financial statements. The control testing
impacts the planned substantive procedures. Also, the
results of the substantive procedures are considered in
the evaluation of internal control.

[Figure: Tests of internal control; Substantive audit procedures]

LO# 9

7-14

Effect of the Audit of Internal Control
on the Financial Statement Audit

When the auditor performs an integrated audit, he or
she will have access to a large amount of information
about the client’s controls. This information can make
the financial statement audit more efficient and result
in reduced substantive procedures.

Regardless of the level of control risk
in connection with the audit of the
financial statements, auditing
standards require the auditor to
perform some substantive
procedures for all significant accounts
and disclosures.

LO# 9

7-15

Effect of the Financial Statement Audit on the Audit of Internal Control

The effectiveness of the audit of internal controls should
lead the auditor to determine the implications of these
findings on the financial statement audit. The auditor’s
evaluation should include:

1. Misstatements detected.

2. The auditor’s risk evaluations in connection with the selection and application of substantive procedures, especially those related to fraud.

3. Findings with respect to illegal acts and related party transactions.

4. Indications of management bias in making accounting estimates and in selecting accounting principles.

LO# 9

7-16

Plan the Engagement

The planning process is similar to the
process used for the audit of F/S.

Consider the following:

- Risk assessment and the risk of fraud.
- Scaling the audit.
- Using the work of others.
- Materiality.

LO# 10

7-17

Special Consideration: Using the Work of Others

A major consideration for the external auditor is how much to use the
work performed by others. In determining the extent to which
the auditor may use the work of others, the auditor should:

(1) evaluate the nature of the controls subjected to the work of others,

(2) evaluate the competence and objectivity of the individuals who performed the work, and

(3) test some of the work performed by others to evaluate the quality and effectiveness of their work.

As the risk associated with the control being tested increases,
the external auditor should do more of the work.


LO# 10

7-18

Using a Top-Down Approach

LO# 11

See Table 7-3

See Table 7-4

7-19

Test Controls

LO# 12

- Evaluate design
- Test and evaluate operating effectiveness
- Nature, timing, and extent

7-20

Evaluate Identified Control Deficiencies

LO# 13

7-21

Evaluate Identified Control Deficiencies

LO# 13

7-22

Written Representations

In addition to the management representations obtained
as part of a financial statement audit, the auditor also
obtains written representations from management related
to the audit of ICFR.

Failure to obtain written
representations from
management, including
management’s refusal to
furnish them, constitutes a
limitation on the scope of the
audit sufficient to preclude an
unqualified opinion.

LO# 15

7-23

Auditor Documentation Requirements

The auditor must properly document the
processes, procedures, judgments, and results
relating to the audit of internal control.

When an entity has effective
ICFR, the auditor should be
able to perform sufficient
testing of controls to assess
control risk for all relevant
assertions at a low level.

LO# 16

7-24

Reporting on ICFR

Sarbanes-Oxley requires management’s description of
internal control to include:

1. A statement of management’s responsibility for establishing and maintaining adequate internal control.

2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control.

3. An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective.

LO# 17

7-25

The Auditor’s Report on ICFR

Once the auditor has completed the audit of internal
control, he or she must issue an appropriate report to
accompany management’s assessment, published in the
company’s annual report.

LO# 18

7-26

Auditor’s Report Relating to the Audit of Internal Control

The auditor’s report contains an opinion on the
effectiveness of ICFR based on the auditor’s
independent audit work.

LO# 13 & 14

7-27

Types of Reports Relating to the Audit of ICFR

An unqualified opinion signifies that the client’s
internal control is designed and operating
effectively.

A serious scope limitation requires the auditor to
disclaim an opinion.

An adverse opinion is required if a material
weakness is identified.

LO# 18 & 19

7-28

Types of Reports Relating to the Audit of ICFR

Report Modification Based on Control Deficiencies

Likelihood/Magnitude of Misstatement    Type of Audit Report
Control deficiency                      Unqualified opinion
Significant deficiency                  Unqualified opinion
Material weakness                       Adverse opinion

LO# 19

7-29

Types of Reports Relating to the Audit of Internal Control

Report Modification Based on Scope Limitation

Reason for Scope Limitation    Type of Audit Report
Minor effect                   Unqualified opinion
Severe limitation              Disclaim opinion or withdraw

LO# 19

7-30

Additional Required Communications
in an Audit of ICFR

The auditor must communicate in writing to management
and the audit committee all significant deficiencies and
material weaknesses identified during the audit (AS5).
This communication should be made prior to the issuance
of the auditor’s report on ICFR. In addition, the auditor
should communicate to management, in writing, all
control deficiencies identified during the audit and inform
the audit committee when such a communication has
been made.

LO# 17

7-31

Advanced Module 1: Special Considerations for an Audit of Internal Control

- Service organizations.
- Safeguarding assets.

7-32

Use of Service Organizations

Many companies use service organizations to
process transactions. If the service organization’s
services make up part of a company’s information
system, then they are considered part of the
information and communication component of the
company’s internal control over financial reporting.
Thus, both management and the auditor must
consider the activities of the service organization.

LO# 21

7-33

Use of Service Organizations

Management and the auditor should perform the
following procedures with respect to the activities
performed by the service organization:
(1) obtain an understanding of the controls at
the service organization that are relevant to the
entity’s internal control and the controls at
the user organization over the activities of
the service organization and
(2) obtain evidence that the controls which
are relevant to management’s assessment
and the auditor’s opinion are operating effectively.

LO# 21

7-34

Safeguarding of Assets

Safeguarding of assets is defined as policies
and procedures that “provide reasonable
assurance regarding prevention or timely
detection of unauthorized acquisition, use or
disposition of the company’s assets that could
have a material effect on the financial
statements.”

LO# 23

7-35

Advanced Module 2: Computer-Assisted Audit Techniques

Computer-assisted audit techniques include:

- Generalized audit software packages.
- Custom audit software.
- Test data.

7-36

Generalized Audit Software

Function                Description
File or data access     Reads and extracts data from a client's computer files or databases for further audit testing.
Selection operators     Select from files or databases transactions that meet certain criteria.
Arithmetic functions    Perform a variety of arithmetic calculations (addition, subtraction, and so on) on transactions, files, and databases.
Statistical analyses    Provide functions supporting various types of audit sampling.
Report generation       Prepares various types of documents and reports.

LO# 23

7-37

Custom Audit Software

Custom audit software is generally written by auditors
for specific audit tasks. It may be required when the
client’s computer system is not compatible with the
auditor’s generalized audit software.

Custom software:

(1) Is expensive to develop.

(2) Requires extended development time.

(3) Is limited in scope of functions.

LO# 23

7-38

Test Data

This is data developed by the auditor to test the
application controls in the client’s computer programs.
The technique can be used to check
(1) data validation controls and error detection routines,
(2) processing logic controls,
(3) arithmetic calculations, and
(4) the inclusion of transactions in records, files, and reports.

LO# 23

7-39

End of Chapter 7