Control Environment includes what 7 FACTORS?

1) Communication and enforcement of integrity and ethical values of the people who create, administer, and monitor internal controls

2) Commitment to competence (as shown in MGT's consideration of knowledge & skills required for certain job positions)

3) Participation of those charged with governance.
This includes:
* Management's knowledge, experience, stature, and independence
* MGT's extent on scrutinizing activities
* MGT's willingness to ask difficult questions
* MGT's interaction with internal and external controls

4) MGT's philosophy and operating style on:
* Approach to risk-taking
* Attitudes and actions towards financial reporting
* Attitude toward information process, accounting functions, and personnel

5) Organizational structure (a framework) for the Entity to plan, execute, control, and monitor its activities, including establishment of key areas of authority and responsibility and lines of reporting.

6) Assignment of authority, responsibility, and accountability.

7) Human resource policies and practices related to recruitment, orientation, training, evaluating, promoting, compensating, and remedial activities.


5 Components of Internal Control

Mnemonic: CRIME

1) Control environment: Overall tone of the organization, which starts with MGT and the board of directors.

2) Risk Assessment: MGT's identifying risks

3) Information and communication systems: means of Recording TRANSACTIONS, INFORMATION processing, and COMMUNICATING responsibilities

4) Monitoring: Assess internal controls over time

5) Existing Control activities: Control policies and procedures such as Segregation of duties.


What is the COSO framework?

COSO Framework = The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud.


1) What is a User auditor?

2) What is a service auditor report?

3) Example of Service organization

1) User Auditor: an external auditor that examines the service organization providing a service to the client company and assesses its effect on the client's internal controls.

In other words: Examine the service organization's effect on the client company's internal control.

2) Service Auditor report = a report created by the Service Auditor that examines the Service organization's own internal controls that are RELEVANT to the client company's internal controls.

3) Example of service organization = Payroll services


What is the most EFFICIENT audit procedure to evaluate the service organization's effects on the client company's controls?

Look at and review the service auditor's report.


What is internal control?

A process - effected by those charged with governance, management, and other personnel - designed to provide REASONABLE ASSURANCE about achieving the company's objectives.


In internal control, what are the 3 categories of entity objectives?

1) RELIABILITY of FINANCIAL REPORTING = prevent, deter, detect F/S fraud (lying)

2) EFFECTIVENESS and EFFICIENCY of OPERATIONS = asset misappropriation (stealing)

3) Compliance with applicable laws and regulations = corruption (cheating)


Which of the following entity objectives is the MOST relevant to the audit:

* Financial Reporting objective
* operations objective
* compliance objective

* Financial reporting objective is the most relevant to the audit


When do the operations objective and compliance objective become relevant to the audit?


When dealing with non-financial data used in analytical procedures (comparing non-financial data with financial data)

When dealing with noncompliance with laws or regulations that have a DIRECT and MATERIAL EFFECT on F/S.


True or False:

1) Performing accountant's background checks can help in dealing with lack of adequate segregation of duties in a small organization.

2) Replacing personnel every three to four years does not eliminate the lack of segregation of duties in smaller companies.

3) Disclosing the issue of lack of adequate segregation of duties does not eliminate the issue of lacking segregated duties.

4) The best compensating control in a smaller organization for dealing with lacking segregated duties is to get MGT to be more involved and have more OVERSIGHT of incompatible functions/activities in the company's operations.

5) Obtaining an understanding of internal control involves evaluating the design of control and determining whether the control has been authorized.

6) Internal control is applied to the entire entity as a whole, not a specific event.

7) Inherent risk and control risk are components of internal control.

8) The act of interviewing the controller and verifying the proper preparation of the bank reconciliation, done by the accountant and reviewed and signed off by the controller, is MOST closely related to the procedures of Observation and inspection of records.

9) Automated controls are NOT as suitable as manual controls where transactions are HIGH-volume and recurring.

10) Verifying that approved spending limits are NOT exceeded is a method used to assess whether there is an abuse of MGT override over the internal control.

11) Peer review is a form of monitoring, which is a control activity, not an inherent limitation in internal control.

12) A CEO or Senior MGT requesting a check without a purchase order (receipt/invoice attached) is an example of an inherent limitation in control.

13) Inherent limitation in internal control is a limitation that prevents seemingly good controls from happening.

14) Test of controls can be used to identify activities relevant to assertions.

15) Faulty human error is one of the inherent limitations in internal controls.

16) Lack of audit committees, lack of segregation of duties, and incompatible duties are MISSING duties, not inherent limitations of duties.

17) If there is a high level of control risk in relation to the revenue cycle, then the internal control issue here is the Sales manager not enforcing the client's stated policies regarding Authorization / approval of sales transactions.

18) Service auditor (an auditor auditing the service organization, payroll service) performs substantive testing on service organization.

1) False.
Background checks do not mitigate the lack of adequate segregation of duties.

2) True.
This is because lack of segregation deals with a lack of strong policies being implemented to ensure that segregation of duties exists and that there is no collusion going on among personnel.

3) True.
Reporting it, for instance to an external auditor, is one thing, but you need to take action to eliminate the lack of segregated duties.

4) True.
In smaller organizations, more emphasis is on the authority and the (presumed) adequate experience of the MGT to oversee incompatible operations to deter, prevent, and detect fraud and unintentional errors.

5) False.
UNDERSTANDING internal controls involves examining the controls' design and whether they are IMPLEMENTED.

Understanding internal controls does not involve monitoring, authorizing or testing.

6) True.
Internal control is a holistic system in the company that is applied to every facet of the company. It's not limited to just an event. It is an entity-level control.

7) False.
Inherent risk and control risks = Risk assessments.
They are not components of internal controls.

8) False.
Observation involves the auditor staring at the operation and not talking with anyone.

Inquiry involves asking questions and talking with the client company's personnel.

Interviewing the controller about the bank reconciliation process, review, and sign-off, and looking at whether the bank reconciliation was done appropriately, is a process of "INQUIRY" and "INSPECTION OF RECORDS."

9) Automated controls (processes) are actually well-suited to handle a HIGH VOLUME of TRANSACTIONS and HIGH RECURRENCE of TRANSACTIONS.

10) True.
Certain MGT overrides do involve allowing a larger $$ amount to go through than what is authorized. So, looking at a transaction list for $$ amounts exceeding or not exceeding the limit determines if MGT override is used properly.

11) TRUE.

12) True.
An inherent limitation in internal control involves the Board of Directors or MGT committing an action that they can get away with, with no oversight over their actions.

13) True.

14) Tests of controls ARE ACTUALLY used to evaluate the operating effectiveness of internal control in preventing or detecting material misstatements.

15) True.
An inherent limitation in internal control is that internal control is not always good at detecting, preventing, and deterring fraudulent activity or an unintentional error. Example: Faulty human judgment.

16) True.
These are missing controls that can be compensated.

17) True

18) False.
The service auditor does not do substantive procedures on a service organization. The service auditor's task is to perform control tests to determine that controls are in place, --OR-- that control systems are in place and are operating effectively.


1) Why does the client's internal control ENVIRONMENT have a persuasive effect on the auditor's risk assessment and preliminary judgments on internal controls' effectiveness?

2) What is the difference in the audit procedures when you are dealing with a WEAK control environment and a STRONG control environment?

1) It influences the Nature, Extent, and Timing of further audit procedures to be performed in the audit.
In other words, the internal control environment tells the auditor what type of audit procedure to do, how much of it, and at what date/time.

2) WEAK control environment =
* Do MORE SUBSTANTIVE procedures at Balance Sheet date (not at Interim date)
* Modify nature of tests to OBTAIN more PERSUASIVE EVIDENCE
* INCREASE the EXTENT of TESTING (include more items, more locations)

STRONG control environment =
* Do more audit testing at INTERIM dates (not at Balance sheet dates)
* Use tests to provide LESS persuasive evidence
* Reduce the extent of testing (doing little testing)


1) Manual controls are used more often with activities that require what 2 things?

2) Manual controls are MORE appropriate in what 3 circumstances?

1) Judgment and Discretion

2)
* Large, unusual, or non-recurring transactions
* Changes in circumstances that REQUIRE CHANGES in CONTROL.


Automated Controls are internal controls using ___ and are more suitable for what 2 situations?

using IT (information technology) and are MORE suitable for:

1) High volume or recurring transactions
2) Control activities that can be adequately DESIGNED and AUTOMATED


What are the Benefits of using an IT system in the company's internal controls?

1) Ability to process LARGE volumes of transactions and data ACCURATELY

2) Improved timeliness and availability of info

3) Facilitation of data analysis

4) Reduction in the risk that controls will be circumvented.

5) Enhanced segregation of duties through effective implementation of security controls.

6) Enhanced ability to monitor the performance of the entity's activities and policies and procedures.


1) Give the job position titles of individuals involved in the IT system in a company (there are 5 titles).

2) What is the weakness of having an efficient and effective IT system?

1) COPAL mnemonic
a) Control group
b) Operators
c) Programmers
d) Analyst (systems)
e) Librarian

2) Anyone doing or supervising another area. No time is set aside to examine the IT system to ensure it is operating properly and that no one is manipulating it.


Which of the following is a:
* Test of controls
* Test of Details
* Quality Control

a) Reviewing audit work-papers to ensure proper sign-off

b) Reviews the check register for unrecorded liabilities

c) Interviews and observes appropriate personnel to determine segregation of duties

d) Evaluates whether General Journal entry was recorded at proper amount

a) Quality control - that the audit was performed adequately.

b) test of details - substantive test

c) test of controls - here it involves checking the internal control aspect of segregated duties

d) test of details - substantive tests.


You are auditing a company's F/S. This company uses a Payroll service company to do payroll. Another CPA firm is auditing this payroll service company. How do you determine if this other CPA firm (service auditor report) is to be trusted?

Inquiring about the other CPA firm's reputation.

Note: You cannot assess the other CPA firm's audit papers. You are assigned to audit the client company not the Payroll service company.


1) The degree to which information technology is used in the accounting function determines the extent of the documentation of the auditor's understanding of a client's system of internal controls?

2) The more complex the IT system, the ___ extensive the documentation such as Flowcharts, Narratives, Questionnaires, decision tables, etc.

3) The less complex the IT system, the ___ extensive the documentation the company has.

1) Yes


3) Less - here there is limited documentation. Limited documentation such as a memorandum may be sufficient.


1) What are the inherent limitations in an internal control?

2) If a company is using a transfer agent to handle the accounting for the company's shareholders, what is the most efficient way to get info about the transfer agent's internal controls?

1) The inherent limitations =
a) Collusion
b) Human error
c) Management override.


For small entities, it's the lack of segregated duties.

2) Talk with the auditor auditing the Transfer agent to take a look at the Reports on the Internal controls placed in operation and its operating effectiveness.

FYI - You cannot audit the transfer agent's internal control because that takes too much time (not efficient). Doing tests of controls on a sample of the audited firm's transactions through the transfer agent will also take too much time (not efficient). Also, looking at information on a material increase or decrease in transactions processed by the transfer agent is irrelevant to assessing the transfer agent's internal controls.


1) What are client lines of reporting?

2) How are the client lines of reporting involved in assessing the control risk in relation to organizational structure?

1) Who to report to in the organization, i.e. from employee to supervisor or to manager to senior manager to board of directors, etc.

2) The organizational structure has a series of lines of reporting between the upper ranks and the lower ranks. This information helps assess control risk, esp. in the case of MGT override and areas lacking internal controls that give an opportunity for collusion among MGT or the people in charge to get away with something.


What is the ultimate purpose of assessing control risk?

Evaluate whether or not SPECIFIC internal control activities are operating as designed; their collective effect is to determine the RISK of FINANCIAL STATEMENT MISSTATEMENT.

In other words - you are evaluating the control risk to determine the risk that there is a misstatement (error or mistake) inside the F/S.


1) What circumstances would have a bad influence on the management's philosophy and operating style?

2) Internal auditors' direct access to the entity's board of directors, external policies established by parties (laws and regulations) outside the entity affecting accounting policies, and those charged with governance being active in overseeing the entity's financial reporting policies are examples of internal controls that do what?

3) Proper segregation of duties is designed to not allow an employee in a position to do what 2 prohibited actions?

1)
a) MGT consumed with meeting the budget or meeting specific profit goals = PRESSURE

b) MGT dominated by one person = Opportunity (MGT override)

c) MGT compensation contingent upon entity's financial performance = You get a bonus & stock option for meeting a profit goal = Rationalize

Note to (c): Rationalizing as in making a justified excuse to commit a prohibited act to meet a profit goal and get your bonus reward for it.

2) These examples of internal controls are involved in ensuring that MGT is following the rules to not commit fraud or commit an intentional misstatement or error in the F/S.

3) Not allowed to Record and conceal fraudulent transactions in a normal course of assigned tasks.

In other words, segregated duties prevent an employee from misappropriating assets and misstating the F/S in a way that hides this fraudulent act.


1) Properly designed internal controls may still fail in detecting or preventing what kind of fraudulent actions?

2) What is the reason that inadequate segregation of duties that allows one person to perpetrate or conceal fraudulent activity is NOT a reason for a failure in a properly designed internal control system?

1)
a) Collusion by 2 or more people to circumvent controls.
b) MGT override of controls through its attitude and actions
c) Human error in inappropriate applications of controls

2) The reason is that inadequate segregation of duties is a different situation: it involves internal controls that are actually poorly designed.

Properly designed internal controls do NOT allow inadequate segregated duties to exist.


1) When a service organization provides a service that affects the initiation, execution, processing or reporting of the user company's transactions, those services are considered to be part of the user company's ___ ___.

2) To conduct an audit of service organization, in the planning stages on assessing the service organization's internal controls, the auditor should obtain an understanding of the effect of the user organization upon the service organization. Why should the auditor do this?

1) Information system.

2) The reason is that the Service Organization's internal controls are designed under the assumption that the User organization is going to have its own controls that work together with the Service Organization's control systems. The User's internal control system is designed so that it is not overly reliant on the Service Organization to do all of the different internal control processes inside the User organization.

FYI - Service auditor should obtain understanding of the User organization's complementary controls on the Service company (i.e. payroll service company) in order to meet audit objectives on the service organization.