Chapters 6 and 7 Flashcards
(23 cards)
There is an _____ relationship between the reliability of internal control and the amount of substantive evidence required by the auditor.
Inverse.
Internal control is the method by which an entity’s board of directors, management, and other personnel provide reasonable assurance about the achievement of objectives in the following categories:
(1) reliability of financial reporting,
(2) effectiveness and efficiency of operations, and
(3) compliance with applicable laws and regulations.
The controls that are of most direct relevance to a financial statement audit are those that contribute to the…
reliability, timeliness, and transparency of external financial reporting.
Internal control as defined by the COSO Framework consists of five components:
- Control Environment.
- Entity’s Risk Assessment.
- Control Activities.
- Information and Communication.
- Monitoring Activities.
COSO
The Committee of Sponsoring Organizations of the Treadway Commission
Control environment
The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.
Entity’s Risk Assessment
A dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives
Information and Communication
Enable personnel to understand internal control responsibilities and their importance to the achievement of objectives.
Control activities
The actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
Control activities are commonly categorized into the following four types:
- Performance reviews (sometimes called “independent checks”).
- Physical controls.
- Segregation of duties.
- Information processing controls, including authorization and document-based controls.
Monitoring Activities
Ascertain whether each of the five components of internal control is present and functioning.
The effectiveness of any internal control system is subject to certain inherent limitations:
- Management override of internal control.
- Personnel errors or mistakes.
- Collusion.
To set control risk below high (e.g., at moderate or low), the auditor must:
- Identify specific controls that will be relied upon.
- Perform tests of the identified controls.
- Conclude on the achieved level of control risk given results of testing.
Interim Tests of Controls
- An auditor might test controls at an interim date because the assertion being tested:
A. May not be significant
B. The control has been effective in prior audits
C. More efficient to conduct the tests at that time.
Which companies must comply with auditing of internal control?
Large publicly traded corporations - called “accelerated filers.”
What is an Accelerated filer?
A public company with common equity > 75 million.
Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to:
A. Issue a report that accepts responsibility for establishing and maintaining adequate ICFR (internal control over financial reporting).
B. Assert whether ICFR is effective as of the end of the fiscal year.
What are the auditor’s responsibilities for reporting on internal control under Section 404 of the Sarbanes-Oxley Act?
A. The auditor must audit (give an opinion on) management’s assertion about the effectiveness of ICFR.
B. The auditor must conduct the audit in an integrated way (integrated with the financial statement audit).
Control deficiency (REPORT TO MANAGEMENT)
A weakness in the design or operation of a control such that management or employees, in the normal course of performing their assigned functions, fail to prevent or detect misstatements on a timely basis.
Significant deficiency (REPORT TO AUDIT COMMITTEE and MANAGEMENT)
A deficiency, or a combination of deficiencies, in ICFR that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the entity’s financial reporting.
Material weakness (REPORT EXTERNALLY!!, REPORT TO AUDIT COMMITTEE and MANAGEMENT)
A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
In order to issue a report on the effectiveness of internal control, management needs to first…
Design and implement an effective system of ICFR and then develop an ongoing assessment process.
The evaluation process has three steps:
- Identify financial reporting risks and related controls.
- Consider which locations to include in the evaluation.
- Evaluate evidence about the operating effectiveness of ICFR.