Chapter 5 Flashcards

(96 cards)

1
Q

How does COSO define Internal Control?

A

a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

2
Q

Who is responsible for maintaining effective internal controls?

A

Management

3
Q

What is the auditor required to do in terms of the client’s internal controls?

A

Gain an understanding of the client’s internal controls related to financial reporting

4
Q

What is the purpose of the assessment of inherent risk for the auditor?

A

Gives the auditor a basis for planning the nature, timing, and the extent of substantive procedures (do the auditors want to rely on the controls?)

5
Q

What are substantive procedures?

A

Procedures to address detection risk

6
Q

Less Reliance on Internal Control (Higher CR, Lower DR)

Nature

A

More effective tests

7
Q

Less Reliance on Internal Control (Higher CR, Lower DR)

Timing

A

More testing at year-end

8
Q

Less Reliance on Internal Control (Higher CR, Lower DR)

Extent

A

More tests

9
Q

More Reliance on Internal Control (Lower CR, Higher DR)

Nature

A

Less effective tests

10
Q

More Reliance on Internal Control (Lower CR, Higher DR)

Timing

A

More testing at interim

11
Q

More Reliance on Internal Control (Lower CR, Higher DR)

Extent

A

Fewer tests

12
Q

If you gain an understanding that control risk is 50%, if you want to rely on that, you have to test the controls, to…

A

validate that the control risk really is 50%

13
Q

If my understanding is 50% control risk, but you don’t want to rely on that, you can…

A

assess control risk higher

14
Q

If my understanding is 50% control risk, but you start testing and they are failing…

A

Adjust risk lower

15
Q

What is COSO?

A

An internal control framework

It is NOT required by law, but the SEC noted it as a possible framework for use by companies to evaluate the effectiveness of internal controls over financial reporting.

The only framework that the SEC said was appropriate to follow (Not actually required but many companies adopted because it was the only framework that the SEC “approved.”)

16
Q

What are the 3 types of internal control?

A
  1. Financial reporting
  2. Regulatory compliance
  3. Operations
17
Q

What are the five components of internal control?

A
  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Communication
  5. Monitoring
18
Q

COSO defines internal control as the processes in place to provide reasonable assurance of:

A
  1. Reliability of financial reporting
  2. Compliance with laws and regulations
  3. Effectiveness and efficiency of operations
19
Q

Strictly speaking, external auditors focus on which of these?

  1. Reliability of financial reporting
  2. Compliance with laws and regulations
  3. Effectiveness and efficiency of operations
A

The first category of reasonable assurance

“Reliability of financial reporting”

20
Q

Audited pipeline company: chemicals/oil through pipe. Pipeline had a sensor – measured every mile (what was going through the pipe). Primary reason for the sensor: operations (efficiency, bandwidth, etc.); also used from a compliance perspective (if there is a leak – regulations); also related to revenue recognition. Auditors were concerned how well the sensors worked…

A

In the end, as an auditor you care about how controls relate to financial reporting – but that doesn’t mean that the controls won’t ever have other implications.

21
Q

What 5 principles relate to the control environment?

A

Principle 1: The organization demonstrates a commitment to integrity and ethical values.
Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

22
Q

Control Environment

A

Set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

Board of directors and senior management set the “tone at the top” of an organization, influencing the control consciousness of its people.

23
Q

What is the foundational component for COSO?

A

Control Environment

24
Q

Because control environment is the foundation for all other components, the auditor must…

A

obtain a detailed understanding of the control environment and document that understanding.

25
Risk Assessment Principles
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
26
COSO Risk Assessment
Management’s identification and analysis of relevant risks related to the achievement of its objectives.
27
Is COSO Risk Assessment the same as the Auditor's Risk Assessment?
NO!
28
What does management look at during risk assessment?
What are my strategic goals? What are risks in achieving these goals?
29
Control Activity Principles
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
30
What are control activities?
The policies and procedures that help ensure management directives are carried out
The "guts" of the internal control system
31
When auditors get to control activities they have to...
map controls to an assertion
32
What are examples of control activities?
  1. Segregation of duties (e.g., separating authorization, physical transfer, and recording)
  2. Approval and co-signing requirements
  3. Documentation trails and prenumbered sequence controls
  4. Restricted physical access
  5. Reconciliations and independent cross-checks
33
What assertion is supported by the information processing control? Purchase orders must be authorized by purchasing department before any purchase is made.
Occurrence
34
What assertion is supported by the information processing control? All invoices received from vendors for payment must be matched to receiving report and purchase order to ensure that the quantity billed agrees with the quantity ordered and received at previously agreed-upon prices.
Accuracy (valuation or allocation)
Completeness and existence deal with direction of things (should it be in the report and it isn’t? and vice versa). “Agreeing quantity and amounts” – hard to find a direction… valuation
35
What assertion is supported by the information processing control? Prenumbered documents (checks, purchase orders, and receiving reports) must be used and accounted for to ensure that all transactions have been recorded.
Completeness
Checkbook, checks numbered sequentially… helps you see that everything’s been recorded
36
Information and Communication Principles
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.
37
Information and Communication
Controls related to how the organization communicates to support the proper functioning of internal controls. This includes controls over the quality of the information used within communication.
38
Can auditors rely on information produced by the company's information system?
Auditors cannot blindly rely on information produced by the company’s information system.
39
Monitoring Principles
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
40
Monitoring
Management’s process that assesses the quality of the internal control's performance over time
41
Monitoring Examples
Periodic evaluation by internal audit
Supervisory review of controls
Follow-up of reporting errors
Follow-up of customer complaints
Audit committee inquiries
42
What is monitoring essentially?
Controls over controls
43
Audit committee is typically considered part of the control environment; however, audit committee INQUIRIES are...
monitoring
44
What are the limitations of internal control?
Human error
Collusion
Management override
Cost/benefit analysis
45
Cost/benefit analysis of internal control
There is often a trade-off between the cost and the effectiveness of internal controls. The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.
46
What type of controls are typically viewed to be more reliable?
Automated controls
47
Management override
CFO should have access to override certain controls – enabled to commit fraud if she wanted to
48
How do you develop an understanding of internal control?
  1. Evaluating the design of controls
  2. Determining if the controls have been implemented
49
After auditors have developed an understanding of internal controls, what is the next step?
Document the understanding of internal control
50
After documenting the understanding of internal control, what is the next question that should be considered by the auditor?
Does the auditor intend to rely on controls?
51
If the auditor intends to rely on controls what is the path of the "reliance strategy"?
  1. Plan and perform tests of controls
  2. Set control risk based on tests of controls
  3. If the achieved level of control risk does NOT support the level of control risk, revise the planned level of substantive procedures, and then document the level of control risk.
  3. If the achieved level of control risk supports the level of control risk, document the level of control risk
  4. Perform the substantive procedures based on level of assessed control risk
52
If the auditor intends to rely on controls what is the path of the "substantive strategy"?
  1. Set control risk at the maximum
  2. Document the level of control risk
  3. Perform substantive procedures based on level of assessed control risk
53
Substantive Strategy: After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at high for some or all assertions because of one or all of the following factors:
  1. Controls do not pertain to an assertion
  2. Controls are likely to be assessed as ineffective
  3. Testing the effectiveness of controls is inefficient
54
Reliance Strategy: After obtaining an understanding of internal control, an auditor may want to rely on a control to allow for an increased detection risk (i.e., to not have to gain as much assurance from substantive procedures).
If the auditor plans to rely on a control, they must assess control risk by testing the control to validate it is designed appropriately and operating effectively.
55
Integrated Audit
The auditor provides an opinion on the effectiveness of a company’s internal controls AND on the fairness of a company’s financial statements.
SOX requires this for some companies.
56
SOX Section 404a applies to...
all issuers (public companies)
57
SOX section 404b applies to...
accelerated filers
58
Who established the PCAOB?
SOX
59
What does the PCAOB do?
Oversees public company auditors
60
What does SOX 404a outline?
Management must...
  1. report the results from its own tests of the company’s internal control over financial reporting (ICFR), identifying any deficiencies.
  2. accept responsibility for internal controls
  3. evaluate the effectiveness of ICFR using a suitable control criteria
  4. support the evaluation with sufficient evidence, including documentation
61
Where is management's ICFR opinion included?
Its annual report (10-K)
62
What kind of opinion is management's opinion over the effectiveness of ICFR?
"As of" the fiscal year end
63
What does SOX 404b outline?
ONLY applies to "accelerated filers"
Drawing on management’s findings and the auditor’s own tests, the external auditor must independently assess and report on the effectiveness of ICFR as of the fiscal year end. (integrated audit)
64
Large Accelerated Filers
(>$700 million in market capitalization) have to file their annual report within 60 days of year-end
65
Accelerated Filers
(>$75 million in market capitalization) have to file their annual report within 75 days of year-end
66
Non-Accelerated Filers
(<$75 million in market capitalization) have to file their annual report within 90 days of year-end
67
404b: What happens if the auditor finds a deficiency in ICFR? "All Deficiencies" Discuss with management? Report to audit committee? Adverse external opinion on internal control?
Discuss with management: YES
Report to audit committee: NO
Adverse external opinion on internal control: NO
68
404b: What happens if the auditor finds a deficiency in ICFR? "Significant Deficiencies" Discuss with management? Report to audit committee? Adverse external opinion on internal control?
Discuss with management: YES
Report to audit committee: YES
Adverse external opinion on internal control: NO
69
404b: What happens if the auditor finds a deficiency in ICFR? "Material Weakness" Discuss with management? Report to audit committee? Adverse external opinion on internal control?
Discuss with management: YES
Report to audit committee: YES
Adverse external opinion on internal control: YES
70
There are three levels of deficiencies, which is the most severe?
Material weakness
Adverse opinion and you must tell everyone
71
Material Weakness
a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
72
Significant Deficiency
a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by the audit committee.
73
Deficiency
A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
74
Factors auditors use to distinguish a material weakness from a significant deficiency
Does the weakness involve the control environment?
Does the weakness repeat regularly?
What is the magnitude?
Does the weakness pertain to a complex and/or subjective process?
Does the weakness involve oversight processes?
Are there any compensating controls?
Has management taken actions to remediate the weakness?
Did the weakness result in an actual material error that had to be corrected?
75
Remediation
Because ICFR opinions are as of the fiscal year-end, remediation may result in no need to disclose a material weakness.
76
If the auditor detects material weaknesses in internal control as part of the interim audit procedures, the client can sometimes ____________ the problem and avoid negative reporting consequences.
remediate, or fix
77
Before what date must remediation be completed and tested?
The balance sheet date (before year end)
78
What are the 3 types of internal control opinions?
  1. Unqualified opinion
  2. Adverse opinion
  3. Scope limitation
79
Unqualified opinion
The entity's internal control is designed and operating effectively (no material weakness)
80
Adverse Opinion
Required if material weakness is identified
81
Scope Limitation
A serious scope limitation requires the auditor to disclaim an opinion
82
Is there such a thing as a qualified internal control opinion?
NO!!
83
What are the scope differences between an Integrated Audit (404b) and a Financial Statement Only Audit?
Integrated Audit (404b): Test each relevant control activity each year (all)
Financial Statement Audit: Test relevant control activities if relying on them
84
What are the reporting differences between an Integrated Audit (404b) and a Financial Statement Only Audit?
Integrated Audit (404b): Opinion on the effectiveness of internal control
Financial Statement Audit: No opinion on internal control
85
What are the timing differences between an Integrated Audit (404b) and a Financial Statement Only Audit?
Integrated Audit (404b): Evaluate effectiveness of internal control AS OF the fiscal year end (also need to evaluate throughout the year for the associated financial statement audit)
Financial Statement Audit: Evaluate effectiveness of internal control (where relying) throughout the fiscal year
86
AICPA governs
Private companies
87
AICPA rules relating to internal controls
Auditors must communicate known significant deficiencies and material weaknesses in internal control to management and to the entity’s governance body (e.g., audit committee, school board, etc.).
88
Under AICPA rules is the auditor required to search for control deficiencies?
NO, but the auditor is required to evaluate and communicate deficiencies that have been identified over the normal course of an audit
89
SOC 1
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (internal control over an outsourced service)
90
What are the two types of SOC 1s?
Type 1: Only covers the design of ICFR at the service organization
Type 2: Covers the design AND effectiveness of ICFR at the service organization
91
If the auditor detects a material weakness in internal control over financial reporting, does this imply material misstatements in account balances?
Not necessarily, but there is a reasonable possibility that there may be a material misstatement.
92
If the auditor detects a material misstatement in an account balance, does this imply a material weakness in internal control over financial reporting?
Yes because management didn’t catch it before the auditor. If you find the material misstatement, then you found the misstatement (you are past the threshold). Typically if you have a material misstatement it is almost always because you had an internal control issue.
93
Why might disclosed material weaknesses almost always have a related material misstatement?
Market reacts negatively to material weaknesses. CEO argues that there is not a material weakness because of the “reasonable possibility.” Management and Auditor argue over when you are going to put your foot down and when you are not. It is a REALLY hard thing for an auditor to say there is a material weakness when there is not a related material misstatement.
94
The integrated audit report for an accelerated filer must include...
the auditor’s opinion on the fair presentation of the financial statements as well as the auditor’s assessment of internal control over financial reporting.
95
Can a company receive a clean opinion on its financial statements but an adverse opinion on internal controls?
Yes. The company can have bad controls and still have a clean opinion. The SEC requires “fairly presented” financial statements.
96
Can an auditor of an accelerated filer assess CR at its maximum (e.g., 1)?
Yes, but they have to assess it as such… they can’t just set it as such