Audits of Internal Control and Control Risk Flashcards

(46 cards)

1
Q

An entity’s system of ____________ consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals.

A

Internal control

2
Q

Internal control objectives and goals, including:

A
  1. Reliability of financial reporting
  2. Compliance with applicable laws and regulations
  3. Effectiveness and efficiency of operations
3
Q

______ is the level of confidence that internal controls or audit processes are effective enough to achieve their objectives, such as accurate financial reporting, while acknowledging that no system is perfect and risks or errors may still occur. It balances effectiveness with cost and effort.

A

Reasonable assurance

4
Q

Reasonable assurance involves two considerations:

A
  1. The cost of the entity’s internal control should not exceed the expected benefits (the cost-benefit principle).
  2. Limitations exist in any entity’s internal control.
5
Q

Example of NO Reasonable assurance

A
  • Code the missing cash to bad debts: This means recording missing or unaccounted-for cash as a bad debt, essentially writing it off as a loss. This can sometimes be a way to conceal theft or financial discrepancies.
  • Collusion can defeat internal controls: Even well-designed internal controls can fail if two or more individuals collaborate to bypass or manipulate them, as they can cover for each other and avoid detection.
6
Q

______ requires the management of public companies to issue an internal control report

A

Section 404 of Sarbanes-Oxley

7
Q

Section 404 of Sarbanes-Oxley includes

A
  • A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
  • An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company’s fiscal year.
8
Q

Key Components of Management’s Assessment of Internal Control

A
  • Management must evaluate the design of internal control over financial reporting.
  • Management must test the operating effectiveness of those controls.
9
Q

A sufficient understanding of internal control is to be obtained to plan the audit and determine the nature, timing, and extent of tests to be performed. This is part of the second standard of fieldwork.

A

Auditor Responsibilities for Understanding Internal Control for Public and private companies

10
Q

Section 404 requires effort beyond that stated above so that the auditor can provide a report on internal controls

A

Auditor Responsibilities for Understanding Internal Control for Public companies

11
Q

Public companies contains

A
  1. Whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated in all material respects.
  2. Whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.
12
Q

The internal control framework for most U.S. companies is the

A

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework

13
Q

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework was issued in

A

1992

14
Q

The Components of Internal Control

A

A. The Control Environment
B. Risk Assessment
C. Control Activities
D. Information and Communication
E. Monitoring

15
Q

______ is concerned with the actions, policies, and procedures that reflect the overall attitude of the client’s top management, directors, and owners of an entity about internal control and its importance.

A

Control environment

16
Q

Control environment includes

A
  1. Integrity and ethical values
  2. Commitment to competence
  3. Board of directors and audit committee
  4. Management’s philosophy and operating style
  5. Organizational structure
  6. Assignment of authority and responsibility
  7. Human resource policies and practices
17
Q
  • Management actions to remove incentives that prompt a person to behave improperly.
  • Communication of behavioral standards through codes of conduct and by example.
A

Integrity and Ethical values

18
Q

Management’s consideration of the competence levels for specific jobs and how those translate into requisite skills and knowledge.

A

Commitment to competence

19
Q

Management’s consideration of the competence levels for specific jobs and how those translate into requisite skills and knowledge.

A

Commitment to competence

20
Q

______ delegates responsibility for internal control to management and is charged with regular independent assessments of management-established internal control.
- The major stock exchanges require listed companies to have an audit committee composed entirely of independent directors who are financially literate.

A

Board of Directors and Audit Committee

21
Q

______, through its activities, provides clear signals to employees about the importance of internal control. For example, are sales and earnings targets unrealistic, and are employees encouraged to take aggressive actions to meet those targets?

A

Management’s philosophy and operating style

22
Q

Understanding the client’s ______ provides the auditor with an understanding of how the client’s business functions and implements controls.

A

Organizational structures

23
Q

Formal methods of communication include:
- Top management memoranda concerning internal control
- Organizational operating plans
- Employee job descriptions

A

Assignment of Authority and Responsibility

24
Q
  • If employees are honest and trustworthy, other controls can be absent and reliable financial statements will still result.
  • Methods by which persons are hired, trained, promoted, and compensated are important elements of internal control.
A

Human Resource Policies and Practices

25
Q

Client management’s identification and analysis of risks relevant to the preparation of the financial statements in accordance with GAAP.

A

Risk assessment
26
Q

Types of risk assessment

A
  1. Client Management’s Risk Assessment
  2. Auditor Risk Assessment
27
Q

______ assesses risk as part of designing and operating internal controls to minimize errors and fraud.

A

Client Management’s Risk Assessment
28
Q

Client Management’s Risk Assessment’s three steps involve:

A
  1. Identify factors that may increase risk.
  2. Determine significance of risk and likelihood of occurrence.
  3. Develop specific actions to reduce risk to an acceptable level.
29
Q

______ obtains knowledge about management’s risk assessment process by:
- Determining how management identifies risks relevant to financial reporting.
- Evaluating their significance and likelihood of occurrence.
- Deciding the actions needed to address the risks.

A

Auditor Risk Assessment
30
Q

Policies and procedures that client management has established to meet its objectives for financial reporting.

A

Control activities
31
Q

Control activities

A
  1. Adequate segregation of duties
  2. Proper authorization of transactions and activities
  3. Adequate documents and records
  4. Physical control over assets and records
  5. Independent checks on performance
32
Q

- Separation of the functions of authorization, recordkeeping, and custody.
- Separating IT duties from user departments.

A

Adequate Segregation of Duties
33
Q

- General authorization is permissible for routine events for which there are policies to follow.
- For some transactions, specific authorization is needed on a case-by-case basis.

A

Proper Authorization of Transactions and Activities
34
Q

- Prenumbered consecutive documents so missing items are noticed.
- Prepared as near to transaction time as possible.
- Good design with instructions and appropriate spaces.

A

Adequate Documents and Records
35
Q

- Deterrents to prevent physical access.
- Access controls to prevent getting into computer systems.
- Backup and recovery procedures.

A

Physical Control Over Assets and Records
36
Q

Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance.

A

Independent Checks on Performance
37
Q

Methods used to initiate, record, process, and report an entity’s transactions and to maintain accountability for related assets.
- For a small company with active involvement by the owner, a simple computerized accounting system that involves one honest, competent accountant may provide an adequate accounting system.
- A larger company requires a more complex system that includes carefully defined responsibilities and written procedures.

A

Information and Communication
38
Q

Client management’s ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and modified when needed.
- For many companies, especially larger ones, an internal audit department is essential for effective monitoring.
- To maintain internal audit independence, it is imperative that they be independent of operating and accounting departments and report to a high level of authority, preferably the audit committee of the board of directors.

A

Monitoring
39
Q

III. Process for Understanding Internal Control and Assessing Control Risk

A

A. Phase 1: Obtain and Document Understanding of Internal Control: Design and Operation
B. Phase 2: Assess Control Risk
C. Phase 3: Design, Perform, and Evaluate Tests of Controls
D. Phase 4: Decide Planned Detection Risk and Substantive Tests
40
Q

A. Phase 1: Obtain and Document Understanding of Internal Control

A
  • Three methods commonly used by auditors to obtain and document their understanding of the design of internal control are narratives, flowcharts, and internal control questionnaires.
  • The auditor must also evaluate whether the designed controls are actually placed in operation.
  • PCAOB Standard 2 requires the auditor to perform at least one walkthrough for each major class of transactions. In a walkthrough, the auditor selects one or a few documents for the initiation of a transaction type and traces them through the entire accounting process.
41
Q

B. Phase 2: Assess Control Risk

A

Two specific assessments must be made to arrive at the preliminary assessment:
  1. Whether the entity is auditable. This is determined by considering the integrity of management and the adequacy of accounting records.
  2. Determine assessed control risk supported by the understanding obtained, assuming the controls are being followed.
42
Q

C. Phase 3: Design, Perform, and Evaluate Tests of Controls

A
  • If the results of tests of controls support the design and operating effectiveness of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment. Otherwise, assessed control risk must be reconsidered.
  • If the auditor wants a lower assessed control risk, more extensive tests of controls are applied.
  • PCAOB Standard 2 requires the auditor to determine whether controls are operating effectively at year end. The auditor may test at an interim date and later determine if changes have occurred.
43
Q

D. Phase 4: Decide Planned Detection Risk and Substantive Tests

A
  • The greater the control risk (weak internal controls), the lower the detection risk the auditor can accept.
  • To lower detection risk, the auditor performs more substantive testing.
44
Q

- Significant deficiencies and material weaknesses must be communicated in writing to the audit committee as part of every audit. Timely communication may help management correct the problem before their year-end report on internal control.
- Less significant internal-control matters and recommendations for operational improvements may be communicated through a management letter. Although such letters are not required by auditing standards, they are often provided as a value-added service of the audit.

A

Communications with the Audit Committee and Management
45
Q

As part of understanding internal control and assessing control risk, the auditor is required to communicate certain matters to the audit committee:

A
  • **Significant deficiencies and material weaknesses** must be communicated in writing to the audit committee as part of every audit.
  • **Less significant internal-control matters** and recommendations for operational improvements may be communicated through a management letter. Although such letters are not required by auditing standards, they are often provided as a value-added service of the audit.
46
Q

______ may help management correct the problem before their year-end report on internal control.

A

Timely communication