Chapter 6 Internal Control in a Financial Statement Audit

Question 1

COSO’s Internal Control- Integrated Framework

Answer 1

A system of internal control designed and carried out by and entity’s board of directors, management, and other personnel to provide reasonable assurance about the acheivement of the entitys objectives in the following categories
1. Reliability, timeliness, and transparency of int and ext financial and nonfinancial reporting
2. Effectiveness and Efficiency of Operations
3. Compliance with laws and regulations

Question 2

Management has the responsibility to…

Answer 2

Design and maintain internal controls that provide reasonable assurance that:
-the entitys assets and records are properly safeguarded
-the information system generates reliable information for decision making

auditor needs assurance about the reliability of the data generated by the information system

Question 3

Auditor uses risk assessment procedures to

Answer 3

-obtain understanding of the entitys internal control
-identify key controls
-recognize the types of potential misstatement
-design tests of controls and substantive procedures

Question 4

Auditor has the responsibility to…

Answer 4

-Obtain an understanding of internal control and,
-assess control risk

auditors understanding of internal control is a major factor in determining the audit strategy

Question 5

5 Components of Internal Control

Answer 5

1. Control Environment
2. Entity’s risk assessment process
3. Control Activities
4. Information and Communication
5. Monitoring Activities

Question 6

Control Environment

Answer 6

the set of standards, processesm and structures that provides the basis for carrying out internal control across the organization.

BOD and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct

Question 7

Entitys Risk Assessment process

Answer 7

the process for identifying and analyzing risks to achieving the entitys objectives and forms a basis for determining how risks should be managed

*important management identifies the entitys risks and takes action against them

Question 8

Most important to auditor about entitys risk assessment process is how management…

Answer 8

-identifys risks relevant to the preparation of financial statements
-estimates their significance
-assesses the liklihood of their occurrence
-decides on how to manage them

*Includes internal and external events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with mgmts assertions

Question 9

Control Activities

Answer 9

actions established by policies and procedures to help ensure that management plan to reduce risks and achieve objectives are carried out

*performed at all levels of entity and at various stages w/in the business process

Question 10

Examples of control activities

Answer 10

-Performance reviews
-Physical Controls
-Segregation of Duties
-Information Processing Controls

*org selects and develops general control activities over technology to support the achievement of objectives

Question 11

Performance Reviews

Answer 11

Comparison of budget to actual performance (how the business is performing)

Question 12

Physical Controls

Answer 12

Keeping assets locked up, restriction of access to records, IT

Question 13

Segregation of Duties

Answer 13

Separate job functions so one individual does not have too much control
*prevents the ability of an individual to commit and conceal fraud

Question 14

Information Processing Controls

Question 15

Information

Answer 15

Information is necessary for the entity to carry out internal control responsibilities in support of achieving its objectives

Question 16

Communication

Answer 16

Occurs both internally and externally and provides the organization with the info needed to carry out day to day internal control activities.

-enables personnel to understand internal control responsibilities and their importance to the achievement of objectives

*allows for flow of info to management

Question 17

Internal Communication

Answer 17

communicates informations including objectives and responsibilities for int control necessary to support the functioning of internal control

Question 18

External Communication

Answer 18

communicates with external parties regarding matters affecting the functioning of internal control

Question 19

Monitoring of Controls

Answer 19

Ongoing evaluation, separate evaluations or a combination of both are used to tell whether each of the five components are present and functioning

*findings are evaluated and deficiencies are communicated in a timely manner with serious matter reported to senior management and to the board

Question 20

Audit Risk Model

Answer 20

AR=IR x CR x DR
RMM=IR x CR

*in applying model auditor must assess control risk

Question 21

Substantive Strategy

Answer 21

The auditor does not rely on controls and control risk is set high because
-Controls do not pertain to an assertion
-Controls are assessed as ineffective
-Testing the effectiveness of controls is inefficient

Requires more substantive testing to support assertion

Question 22

Reliance Strategy

Answer 22

Rely on controls, assess control risk at a lower level, detection risk is then higher=less substantive testing and helps with the efficiency of the audit

*in order to rely on controls we must test and have an understanding of the controls

Question 23

Why have an understanding of five components of internal controls to plan the audit

Answer 23

-helps to identify types of potential misstatement
-pinpoint controls meant to mitigate risk of material misstatement
-design test of controls and substantive procedures to reduce risk of misstatement to an acceptably low level

Question 24

Effect of entities size on internal control

Answer 24

while the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than a large one

Question 25

Limitations of an entities internal control

Answer 25

1. managements override of internal control 2. human error or mistakes 3. Collusion

Question 26

Collusion

Answer 26

2 or more parties working together to perpetrate fraud

Question 27

Assessing Control Risk (3)

Answer 27

1. Identify specific controls that will be relied upon 2. perform test of controls 3. conclude on the achieved level of control risk

Question 28

Performing test of controls (4)

Answer 28

1. Inquiry of appropriate entity personnel 2. inspection of documents indicating performance of the control 3. observation of the application of control risk 4. Reperformance of the application of the control by the auditor

Question 29

How to document achieved level of control risk (3 ways)

Answer 29

1. a structured working paper 2. an internal control questionnaire 3. a memorandum ***MUST DOCUMENT RESULTS***

Question 30

Performing substantive procedures

Answer 30

audit strategies for the nature, timing, and extent of substantive procedures based on different levels of detection risk for inventory

Question 31

Low Detection Risk Strategy

Answer 31

audit tests for all significant audit asserions using the following types of audit procedures Nature -Physical examinations (year end) -review of external documents -confirmation -reperformance Timing -all significant work completed at year yed Extent -extensive testing of significant accounts or transactions ***acceptable level of detection risk low=auditor needs to provide more assurance***

Question 32

High Detection Risk Strategy

Answer 32

Corroborative audit tests using the following types of audit tests: Nature -Physical examination (Conducted at interim date) -analytical procedures -substantive tests of transactions and balances Timing -Interim and year-end Extent -limited testing of accounts or transactions

Question 33

Timing of audit

Answer 33

auditor must conduct a test of controls AFTER any major changes in systems or procedures Between interim test of controls and fin stmnts date auditors must ensure that systems are still running as designed *** very economical and efficient for auditors***

Question 34

Interim test of controls

Answer 34

-controls have been effective in prior audits -efficient use of staff time

Question 35

Interim Substantive procedures

Answer 35

-Control environment -purpose of substantive procedure -the assessed risk of material misstatement -the nature of the transactions or balances and relevant assertions -the ability of the auditor to perform appropriate procedures to cover the remaining period

Question 36

Auditing accounting applications processed by service organizations

Answer 36

Because what happens at the service organization affects the entity one of the auditors concerns is the internal control system of the service org auditor can confer with service orgs auditor on their operations

Question 37

Service Organiztions

Answer 37

Organizations that take over an accounting function from the entity like ADP or Paycor for payroll

Question 38

Type 1 Report

Answer 38

A report on managements description of a service organization's system and the suitability of the design of their controls

Question 39

Type 2 Report

Answer 39

**more in depth** provides assurance on the operating effectiveness of the service orgs controls based on the auditors test of controls ***auditor can only reduce control risk using a service auditors type 2 report***

Question 40

Communication of Internal Control-Related matters (3)

Answer 40

1. Control Deficiency 2. Material Weakness 3. Significant Deficiency

Question 41

Control Deficiency

Answer 41

Exists when the design or operation of a control does not allow management or employees to prevent detect or correct misstatements on a timely basis

Question 42

Material Weakness

Answer 42

A deficiency, or combination of deficiencies, in internal control, which could cause a reasonable possibility that a material misstatement of the entitys financial statement will not be prevented, detected, or corrected, on a timely basis

Question 43

Significant Deficiency

Answer 43

A deficiency, or combo of deficiencys, in internal control that is less severe than a material weakness yet important enough to merit attention

Question 44

Which deficiencys must an auditor communicate, in writing any deficiencies to management and those charged with governance

Answer 44

Significant deficiencies and Material weaknesses

Question 45

General Controls

Answer 45

the overall information processing environment and have a pervasive effect on the entitys computer operations

Question 46

Application Controls

Answer 46

apply to the processing of specific computer application and are part of the computer programs used in the accounting system

Question 47

Limit test

Answer 47

a test to ensure that a numerical value does not exceed some predetermined value

Question 48

Range Test

Answer 48

A check to ensure that the value in a field falls within an allowable range of values

Question 49

Sequence Check

Answer 49

A check to determine if input data are in proper numerical or alphabetical sequence

Question 50

Existence (validity) test

Answer 50

a test of ID number or code by comparison to a file or table containing valid ID numbers or codes

Question 51

Field test

Answer 51

A check on a field to ensure that in contains either all numeric or alphabetic characters

Question 52

Sign test

Answer 52

A check to ensure that the data in a field have the proper arithmetic sign

Question 53

Check-digit verification

Answer 53

a numerical computed to provide assurance that the original value was not altered

Question 54

Closed Loop Verification

Answer 54

a process that takes data entered into the system to find and present other related information, thus enabling the user to verify the correctness of the original data entry