Chapter 6

Question 1

Responsibility for Internal Controls (I/C)?

Answer 1

Management is responsible, they have oversight/guidance of audit committee (Board of directors) as well.

Question 2

COSO (Who/What is it?)

Answer 2

COSO is a management document, containing The 5 Components management should be doing.
AICPA/SEC develops technical guidance for I/C.

Question 3

Five Components of I/C per the COSO Framework (The “COSO Cube”)

Answer 3

1. Control Environment.
2. The Entity’s Risk Assessment Process.
3. Control Activities.
4. Information and Communications.
5. Monitoring of Controls.

Question 4

Relationship of I/C Testing to Substantive Testing (Interplay/Inverse relationship between the two)

Answer 4

1. If controls testing are effective, you can rely on controls and information in that area.
2. If controls testing are NOT effective, you should do MORE substantive testing (Not rely on the info).
   SOX requires testing for I/C.
   Do this for each major account/assertion by management.

Question 5

1. Control Environment (5 Principles)

Answer 5

Tone of the organization or attitude.

1) Show commitment to integrity and ethical values.
2) How does the board demonstrate independence from mgmt?
3) Reporting lines.
4) Commitment to attract, develop, and retain competent controls (Training, wages, hiring).
5) Holding individuals accountable for I/C responsibilities?

Question 6

2. Entity’s Risk Assessment Process (4 Principles)

Answer 6

6) Do they make it clear to employees what they are doing and is F/S reporting consistent?
7) How does the company analyze risk?
8) Organizations considers potential for fraud?
9) Consider how changes impact the system of I/C.

Question 7

3. Control Activities (3 Principles)

Answer 7

10) What does the company do to mitigate risk?
11) IT controls, general, and application controls.
12) Do we have policies and procedures?

Question 8

Segregation of Duties (Client employees)

Answer 8

Tells us about their overall control structure. See if client personnel duties are not in line with each other!

Question 9

Information Processing Controls (Two of these)

Answer 9

General and Application Controls.

Question 10

General Controls

Answer 10

IT controls that impact the whole overall company.

Question 11

Application Controls

Answer 11

Controls that relate to particular IT applications. (Payroll application)

Question 12

4. Information and Communications (3 Principles)

Answer 12

13) How does the org. obtain and generate accounting info?
14) How does the org. communicate amongst itself (internally)?
15) How does the org. communicate with outside parties (externally)?

Question 13

5. Monitoring of Controls (2 Principles)

Answer 13

16) Activities mgmt, does on regular basis to see if I/C are working properly and suppose to.
17) How does mgmt communicate to how controls are working (Deficiencies)?

Question 14

Effect of Size

Answer 14

Small: One accounting personnel. Has power of segregation of duties, and power of documentation. Harder to do because mgmt may be walking the floor.
GM: Ton of accounting personnel.

Question 15

Normal Limitations of I/C

Answer 15

Management overrides. Human Error. Collusion.

Question 16

Document Understanding of I/C

Answer 16

Flowchart, Narrative Description, Internal Control Questionnaire, and Procedural Manuals.

Question 17

Planning and Audit Strategy

Answer 17

Develop understanding of I/C, Document Understanding of I/C. Reliance or Substantive Strategy?

Question 18

Reliance Strategy (Three Steps) (RS)

Answer 18

1) Identify Controls we plan to rely on, and test those controls “key controls”.
2) Determine control risk based on test of controls.
3) Conclude regarding “achieved level of risk”.

Question 19

RS: Identify Controls we plan to rely on, and test those controls “key controls”

Answer 19

See if they are designed properly and operate effectively.

Question 20

RS: Determine Control Risk based on test of controls

Answer 20

Risk that the client’s controls will not catch or detect a material misstatement. Low, Medium, or High.

Question 21

RS: Conclude regarding “Achieved level of risk”

Answer 21

Expect a low control risk due to reliance. Make sure to do substantive testing.

Question 22

If test results do not allow you to conclude controls are operating as expected, what do you do?

Answer 22

Revise plan and do more substantive procedures.

Question 23

Substantive Procedure

Answer 23

The auditor has decided not to rely on the entity’s controls and instead use SP as the main source of evidence.

Question 24

Circumstances when we would want to use a Substantive approach instead of a reliance approach? (Three of these)

Answer 24

Controls are likely ineffective (do not work).
Controls do not pertain to the assertion being tested.
Testing controls would be inefficient (SOX does not allow this).
All these can be used under GAAS, but not SOX. Must test key controls.

Question 25

Greater the reliability of controls, less substantive testing required (AGAIN!)

Answer 25

As controls are less reliable, you'll have to do more tests. Sometimes you'll have to do a lot of both! (Papa's interplay) No matter what, you will have to do some substantive testing! (NEVER ZERO)

Question 26

Advantages of Doing Work Early

Answer 26

Gives you a chance to change your approach/audit program. Helps manage time or staff, getting work done in fall reduces it in the winter. Can give our client an opportunity to fix a problem before the end of the year. Prior knowledge says do it early. May not be a significant area.

Question 27

Other Items to Consider

Answer 27

Overall environment. Materiality and Risk.

Question 28

Greater the risk, later the testing, HOWEVER...

Answer 28

Sometimes you want to get these important problems out of the way. Identify these big problems (risk) earlier. Ex: Test cash at end year (fluctuates a lot during the year) Ex: Fixed Assets/Depreciation- do early in year (constant) Ex: Allowance for bad debts: Want to both!

Question 29

Update/Roll Forward (Important)

Answer 29

Must roll forward work from early date to end of the year! Influenced by risk, materiality and knowledge of client.

Question 30

Service Bureaus (SB)

Answer 30

A third party that a client will hire to do something for them. Ex: Do payroll, pension plan accounting, fixed assets or bookkeeping.

Question 31

Why do Auditors care about Service Bureaus?

Answer 31

Now we need to figure out how to test our clients controls and even the third party! Need to see if the third parties controls are running properly and effectively!

Question 32

Service Organization Controls (SOC) Report Type 1 Tests

Answer 32

Document describes only the controls of the service bureau, but DON'T test them! Tell you how it is designed.

Question 33

SOC Report Type 2 Tests

Answer 33

Document how the system works and tests controls too!

Question 34

Our Responsibility for SOC Reports

Answer 34

We must test what the client does even after the report. If a Report is Type 1 or Type 2 and you are not satisfied with it, you can go in to do the testing or have the SB auditor do the testing more! If a Report is Type 2, and done well, we can accept the report. We MUST always roll forward though!!!

Question 35

Communication of I/C Issues to Client (Nonpublic Company) | Three of these

Answer 35

Material Weakness. Significant Deficiency. Minor Deficiency. | No requirement under GAAS to do any reporting in the F/S!

Question 36

Material Weakness

Answer 36

Deficiency in internal control that imposes a reasonable possibility of controls not catching misstatements. Report in writing to management and those charged with governance (Board of Directors and Audit Committee).

Question 37

Significant Deficiency

Answer 37

Deficiency that is less severe than a MW, but important to get to management and Audit Committee's attention. Report in writing to management and those charged with governance (Board of Directors and Audit Committee).

Question 38

Minor Deficiency

Answer 38

Control weaknesses that are not significant to any level, "noise level", just be aware of them. Verbally reported to management.

Question 39

4 Types of Control Activities that contribute to the Mitigation/Reduction of Risk

Answer 39

Performance Reviews. Segregation of Duties. Physical controls. Information Processing Controls.

Question 40

5 Factors to consider where Substantive Procedures are Performed at Interim Date

Answer 40

Control Environment and other relevant controls. Availability of info at a later date. Purpose of the substantive procedure. The assessed risk of material misstatement. The nature of the class of transactions or account balance and relevant assertions.