Flashcards in Internal Control Deck (30):
What is the minimum level of understanding that the auditor must have or readily obtain as to the functioning of the client's AIS in connection with the preparation of its F/S?
obtain an understanding of the five components of internal control to assess the RMM in the F/S
When assets such as finished goods are being shipped or received, exactly what type of controls should be in place?
buyer should reconcile the physical description of the asset and the shipping documents with documents independently received
the buyer should count the assets and verify the quantity received with the appropriate documentation
the buyer should verify the condition of the assets and should proceed with a freight claim if damage is found
the seller conveying the asset to the buyer should obtain a signed receipt or document copy for the shipment being made
What is the definition of internal control?
Internal control is a system of policies and procedures designed to provide reasonable assurance to management that the company's goals and objectives will be achieved in financial reporting, effectiveness and efficiency of operations and compliance with laws and regulations.
Why is absolute assurance not possible in regards to an internal control in an audit?
certain inherent limits exist in any system of internal control
depends on competency and dependability of the people using it
human error exists
management has the ability to override
How can the auditor test to determine whether specific control activities are functioning as efficiently and as effectively as intended?
talk with applicable entity personnel about the procedures they follow
observe entity employees as they perform critical tasks
trace transactions through each activity to provide evidence to indicate that the activities were performed as designed
re-perform key activities to verify that all situations were examined
What approach should the auditor take to obtain reasonable assurance of no MM in an environment where an entity processes many transactions electronically?
obtain an understanding of the automated system
focus on assessing the changes to program that limit effectiveness of controls
What is meant by the term control environment?
a company's actions, policies, and procedures that reflect the overall attitude and philosophy of top management toward internal control and its importance to the entity
management's commitment to integrity and ethical values
The amount of risk management is willing to take
delegation of authority within the company
Human resource policies, practices and commitment to competence
management's attitude toward financial reporting
BOD or audit committee participation
What is meant by the term control activities?
all other policies and procedures not included in the other four internal control components to ensure the necessary actions are taken to address the risks in the achievement of the entity's objectives
general controls to ensure the accuracy of data processing
application controls applied to individual transactions
physical controls to safeguard assets and records
segregation of duties
How is segregation of duties achieved?
having separate independent individuals or departments perform each of the following tasks
authorization of transactions and separation of authorization of transactions from custody of the related assets
recording of transactions and separation between the custody of assets from those accounting for them
Maintaining custody of assets and separation of operational responsibilities from record-keeping responsibilities
separation of IT duties from user departments
proper authorization of transactions and activities
What is meant by the term information and communication?
the ability of the AIS to generate reliable info and convey it in a timely manner to those parties that need it
What is meant by the term monitoring?
the ongoing or regular assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions
What are some fraud risk factors in the internal control system?
Failure of management to monitor certain significant controls
inadequate recording of assets that are susceptible to theft
lack of ID'd controls for authorizing transactions
failure to correct previously noted control weaknesses
Failure of certain key employees to take at least annual vacations
failure to record transactions on a timely basis
poor physical safeguards for the entity's assets
What are the two available approaches to designing and performing further audit procedures?
perform only substantive testing
perform both tests of controls and substantive tests (requires effective controls)
In performing an assessment of internal control, what information does the auditor need to document?
the understanding of 5 internal control components
risk assessment procedures performed
assessment of RMM
basis for these assessments
What are some of the methods used by the auditor to document the understanding of the company and its environment, including its internal control?
internal control questionnaires
What is the definition of significant deficiency?
a control deficiency or a combination of deficiencies that is less severe than a material weakness but important enough to bring to the attention of those charged with governance
When designing a questionnaire to learn about the design of internal control in a client's AIS, how does the auditor determine the questions to be asked?
anticipating the controls that would normally be found, the auditor then writes questions for each of the controls to determine if the control has been implemented
In an internal control questionnaire, what response is normally anticipated?
the auditor would expect a "Yes" answer; normally a "No" answer is an indication of a possible control problem
How does the auditor determine controls to test in an AIS?
the auditor should ID specific control activities designed into the system that would reduce overall CR
How and when does an independent auditor convey info about significant deficiencies to management and those charged with governance?
all significant deficiencies and material weaknesses must be reported in writing to management and those charged with governance
any items previously reported and not remediated must be communicated again
a report stating that no significant deficiencies in IC were found is unacceptable; the auditor may report that no material weaknesses were found
made no later than 60 days following the report release date
How does failure to correct a deficiency impact a CPA's work in the current year?
this may be a fraud risk factor and thus require additional substantive procedures
assessment of CR will have to be raised
What procedures are used by the auditor to test the operating effectiveness of controls?
What are some examples of inherent limitations of IC systems?
management override of control
collusion among employees
controls may become unreliable due to changes in the entity or personnel
What is the function of the internal auditor/audit staff in a company?
monitors company's internal controls
test the design and functionality of the controls to ensure operational efficiency and effectiveness
How does the positive assessment of the internal auditor impact the work of independent auditor?
IR and CR are evaluated as lower
gather less evidence through substantive testing or accept evidence that is less persuasive due to DR set at high level
What is the definition of a service organization?
outside organization that provides accounting, payroll or other business services
What are three ways that an auditor can make an evaluation of service organizations?
test the entity's own controls over the activities of the service organization
rely on the service auditor's report on internal control issued by the independent auditor of the service organization
visit the service organization and perform tests of controls
What is meant by the term risk assessment in regard to the COSO framework?
management's identification, analysis and management of risks relevant to the entity's ability to record, process, summarize and report financial information
changes in personnel
installation of new computer systems
rapid business growth and/or new technology
geographical business expansion
introduction of new products
Why should the auditor obtain sufficient knowledge of the entity's risk assessment process?
to understand how management considers and deals with risks relevant to financial reporting