Flashcards in Chapter 7 Deck (103):
What does COSO stand for?
Committee of Sponsoring Organizations. They make some rules of Internal Control
The three broad internal control objectives are
Compliance with laws and regulations
Reliability of financial reporting
Efficiency/effectiveness of operations
Internal Control is defined as
a process, effected by the entity's board of directors, management, and other personnel designed to provide reasonable assurance regarding achievement of objectives in the following categories:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
Auditor's focus towards internal control is on internal control over _____, or ICOFR
Internal Control Over Financial Reporting
This act, in addition to making bribes to foreign officials illegal, requires an effective system of internal control
Foreign Corrupt Practices Act of 1977
Define Segregation of Duties, a component
No one department or person shall handle all aspects of a transaction from beginning to end, which would allow them to perpetrate and conceal errors/fraud.
• MUST segregate duties along the “arc” – must separate the authorizing of transactions, recording of transactions, and custody of related assets
Does management or the internal auditor establish internal controls?
Management does, along with preparation of financial statements.
Is reasonable or absolute assurance required?
Name the five components of internal control
The Control Environment
Risk Assessment Process
The Accounting Information and Communication system
Monitoring of Controls
Detailed employee responsibilities, open communication channels, and reporting exceptions/unusual items to management are also key in information and communication system. True or False?
Define Physical Controls, a component
provides physical security over records and assets
Physical Controls – provide physical security over records and assets
• Maintaining control over unissued pre-numbered documents
• Restricting access to computer programs and data
• Restricting physical access in safes, locks, fences, guards etc
• Accounting records should be maintained independent of custody-related assets, and company should periodically compare/reconcile accounting records to assets on hand (to detect loss, waste, or theft)
Define the Risk Assessment Process component
management’s process for identifying, analyzing, and responding to such risks.
• Financial Reporting Risks
Changes in the regulatory or operating environment
Changes in personnel
Implementation of a new or modified information system
Rapid growth of the organization
Changes in technology affecting production processes or information systems
Introduction of new lines of business, products, or processes
Define a Performance Review
provide management with an overall indication of employee effectiveness at meeting objectives. By investigating deviations, management takes timely action to change strategy or take other appropriate action.
Control Activities, a component of internal control, can be defined as
policies and procedures that address and mitigate risks identified by risk assessment process.
Actions, policies, and procedures that reflect overall attitudes of top management, directors, and owners of an entity establish which component of Internal control?
The Control Environment.
• Commitment to integrity and ethical values
• Effective BOD and audit committee
• Effective organizational structure
• Commitment to attract, develop, and retain competent employees
• Individual accountability for internal control responsibilities
Describe the six limitations of Internal Control
Collusion circumventing segregation of Duties
Override of internal Control by Management
Compliance deteriorating over time
Should management perform ongoing monitoring to determine if controls are present and functioning?
Describe The Accounting Information and Communication System
Information is needed throughout company to meet objectives. Therefore, management must obtain, use, and communicate relevant, quality information to support controls.
Monitoring activities assess the quality of internal control over time. True or False?
What does ERM stand for?
Enterprise Risk Management.
• COSO, but doesn’t replace internal control framework
• Goes beyond internal control to focus on how organizations may be able to maximize value for stakeholders most effectively by managing risks and opportunities
• More robust, or strong and stable, for companies to manage business risk
Define Corporate Governance
“the system by which companies are directed and controlled.” It includes the policies, procedures, and mechanism that are established to ensure that the company operates in the best interests of its major stakeholders - including owners, customers, suppliers, employees, and society as a whole.
For example, for a corporation, the major instruments of corporate governance include management compensation systems, the boards of directors (including major committees), external auditors, internal auditors, attorneys, regulators, creditors, securities analysts, and internal control systems.
Define how systematic errors may occur
in designing, maintaining, or monitoring automated controls
Once again - steps of audit in order
Plan Audit - Obtain Understanding - Assess Risks of Material Misstatement - Perform further audit procedures - Complete the Audit - Form an Opinion - Issue audit report
Corporate Governance Mechanisms include
Regulators (such as the SEC)
revenue, purchases, and cash receipts and disbursements are names of what types of transactions?
Stage 2, obtaining understanding, regarding internal control:
Identify types of potential misstatements and consider factors that affect risk
Design tests of controls
Auditors must first understand the internal control design, so the client can provide narratives here or flowcharts of controls
Only test controls that work. No point in testing ineffective ones, because can't increase detection.
Also, Auditors must consider all five of the internal control components
Corporate Governance would be considered ____ (broader/smaller) than internal control
Broader, it also encompasses ethical treatment of all major stakeholders, compliance with laws, regulations, customary business practices, and effective risk management
Determining the allowance for doubtful accounts would be an example of which type of transaction?
Test of controls include the following: (there are four)
Inquiries of appropriate client personnel
Inspection of documents and reports
Observation of the application
Reperformance of the controls
taking of inventory, calculating depreciation expense are examples of what type of transactions?
Results of ____ are often used to determine nature, extent, and timing of substantive procedures
Tests of Controls
Which of the three types of transactions generally has the strongest control compared to the other two?
If controls have changed from prior year, new controls must be tested. True or false?
Advantages and disadvantages of Internal Control Questionnaires
A: Asks a series of questions about controls in each transaction cycle in order to identify deficiencies
D: 1. Inability to provide a system overview
2. Inapplicability of many questions for some audits, especially smaller ones
Define a Narrative
Written description of each transaction cycle in an accounting system
If controls have not changed, can one rely on past tests of controls?
Sure, but in a limited fashion.
AICPA and International Auditing Standards – tests of control must be performed at least every third year
PCAOB – more stringent – tests of controls must be performed to some extent annually when controls are relied upon
The four procedures to obtain understanding of control design and implementation include (usually a combo of):
• Inquiring of entity personnel
• Observing the application of specific controls
• Inspecting documents and reports
• Tracing transactions through the information system relevant to financial reporting (walk-throughs)
If tests of control show numerous control deviations, is substantive testing expanded or reduced?
Expanded to test the assertions
• Auditing standards require auditors to obtain and document an understanding of internal control. True or False?
• Internal Control Questionnaires
Is a walk-through the same as a tour of the audit property?
Define a significant deficiency
control deficiency that is important but less severe than material weakness
Describe considerations taken if the work of internal auditors must be used
• CPA may rely on work of internal audit to reduce amount of testing if found to be effective
• CPA must assess internal audit competence (education, experience, certifications) and objectivity (report directly to audit committee?) and quality of their work (examine working papers)
• If intent is to rely upon work of internal audit, must test that work
Diagram of each cycle in an accounting system that serves as a visual representation of the series of procedures that occur in each sequence of processing
Define an advantage of a Narrative
Kind of like writing out a walk-through. Advantage is that it gives a good understanding of what a transaction looks like.
Which report documents the organization's suitability and effectiveness?
Advantages of flowcharts?
Contains the same information as a narrative,
with the advantages of being:
1. Easier to read/visualize
2. Easier to update.
***Narratives/flowcharts to understand the system accompanied by internal control questionnaires for checklist of potential deficiencies = highly useful!
Define a walk-through
After documentation of internal controls, trace one or two transactions through cycle to ensure proper implementation
If auditor finds implementation of internal controls is different from description, modify working papers accordingly
Potential disadvantages of flowcharts are
that they do not identify areas of weakness/omitted controls as clearly
An Unqualified opinion on Internal Control means that
No material weaknesses or scope restrictions
Can a CPA obtain direct assistance from internal auditors?
Sure, for certain procedures (nothing high risk or subjective), but CPA remains responsible for the audit
A type _ (1/2) report is Management’s description of the system and the suitability of the design of controls
• Auditors may also assist in effective internal control and improving client effectiveness and efficiency by communicating the following in a management letter:
• Internal control deficiencies (even less significant ones)
• Explanation of potential effects
• Recommendations for corrective action
Audit standards require WRITTEN communication of _____ (significant deficiencies/material weaknesses) to management no later than 60 days after report release date
SOX Section 404a Establishes a form 10k each year. This is a report that includes the following effects on management:
Acknowledges responsibility for establishing and maintaining adequate internal control over financial reporting
Assesses internal control effectiveness as of the last day of the company’s fiscal year using suitable criteria
Define a material weakness
control deficiency that creates a reasonable possibility of a material misstatement
An adverse opinion on Internal Control means that
there are one or more material weaknesses
A Qualified or Disclaimer opinion on Internal control means that
there is a Scope Limitation
Due to lack of employees, internal control is generally _____ (strong/weak) in small businesses
weak since, for example, adequate segregation of duties is not feasible. Auditors must rely much more on substantive procedures of account balances and transactions
Some key measures to ensure better control include
• Segregation of duties of cash handling and record keeping
• Active oversight and participation by the owner
Auditors selected by a service organization to assess systems are called
Define a Service Organization
Organization that performs data processing/computer/or IT services, like payroll processing, for various clients
Preventive, Detective, or Corrective control? - Segregation of Duties
Preventive, Detective, or Corrective control? - Requirement to prepare bank reconciliations
Preventive, Detective, or Corrective control? - Maintaining Backups of Data
Preventive, Detective, or Corrective control? - Finding a misstatement that has already been made
Preventive, Detective, or Corrective control? - Finding a misstatement
Preventive, Detective, or Corrective control? - Approving journal entries
A common way to help detect misstatements that have been made is to
Prepare bank Reconciliations
LIFO calculations, Depreciation, Physical inventory, and financial statement closes are what type of transactions?
Bad debt expense is what type of transaction?
Cash receipts, payroll, cash disbursement, and inventory costing are considered what type of transaction?
The significance of accounts should be considered ______ (with/without) regard to internal control.
The first step of planning steps of the audit of internal control is
Management's report on internal control
What kind of approach is used to identify controls to test?
An account is significant if there is a reasonable possibility that it could contain a misstatement that has a material effect on the financial statements. True or False
Accounting ______ (disclosures/estimates) involve management's judgment or assumptions.
Is design or operating effectiveness tested first?
Efficient planning of the evaluation of internal control requires coordination with the financial statement audit. True or false?
Evidence as to the design of internal control and its operating effectiveness should be considered ____________ (as of, before, or after) the date specified in the assessment
The audit committee is especially important as it exercises oversight responsibility over the financial statements. True or False
Who should develop a statement of ethical values?
Management's evaluation process of internal control ____________ (concludes/begins) with the management report on internal control--the first step of the audit process.
Organizational structure provides a basis for planning, directing, and controlling operations. True or False?
To enhance the control environment, management develops job descriptions. True or False?
For well controlled operations, the same employee that maintains custody of assets should also keep the accounting records for the assets. True or False?
An employee has incompatible duties if the person is in a position to perpetrate and conceal errors or fraud in the normal course of performing his or her duties. True or False?
The controls over a client's sales cycle are part of that client's control environment. True or False?
The establishment of sales terms is an example of a control. True or False?
The internal audit function is an important part of the monitoring component of internal control. True or False?
All material weaknesses are also control deficiencies. True or False?
Both the design of controls and the operating effectiveness of controls are considered in an audit of internal control performed under PCAOB standards. True or False?
A control activity that leaves evidence of compliance is usually tested by inquiry and observation. True or False?
An advantage of an internal control questionnaire is that weaknesses in internal control are highlighted by the questionnaire. True or False?
In audits of both public and nonpublic companies, significant deficiencies and material weaknesses noted by the auditors must be communicated to management in writing. True or false?
Before assessing control risk at a level lower than the maximum, the auditor obtains reasonable assurance that controls are in use and operating effectively. This assurance is most likely obtained in part by:
Analyzing tests of trends and ratios
performing substantive procedures
Is examining signatures on checks considered a test of control?
When performing an audit of internal control, the period or date to which the opinion relates under PCAOB standards is the: as of date or the entire period under audit?
As of Date
Is counting and listing cash on hand considered a test of control?
No one particular form of documentation of client's internal control is required, and the extent of documentation may vary. True or false?
Is obtaining or preparing reconciliations of bank accounts as of the balance sheet date considered a test of control?
Observation of client personnel applying the control is most likely to provide an auditor with utmost assurance about the effectiveness of the operation of internal control. True or false?
An auditor's flowchart of a client's internal control is a diagrammatic representation which depicts the auditors':
documentation of control risk
understanding of the system
planned tests of controls
program for tests of controls
understanding of the system