Flashcards in Internal Control Deck (54):
Internal Control has five component. They are:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
Think of CRIME which leads to control activities
factors set the tone of an organization, influencing the control consciousness of its people.
7 control environment
Integrity and ethical values,
Commitment to competence
Human resource policies and practicies
Assignment of authority and responsibility
Management's philosphy and operating style
Board of directors or audit committee participation
its identificaiton, analysis, and management of risks relevant to the preparation of financial statements following GAAP.
Are there control activities in place?
policies and procedures that help ensure that necessary actions are taken to address risks to achieving the entitty's objectives. policies include
Information and communciation
The accounting system, consisting of the methods and records establised to record, process, summarize, and report entity transactions and to maintain accountability.
Record, process, summarize, and report. To be effective, it should accomplish:
1) identify and record all valid tranactions
2) describe on timely basis
3) measure the value properly
4) record in the proper time period
5) properly present and disclose
6) communicate responsibilities to employees
Assesses the quality of internal control performance over time. Monitoring activities may be ongoing, separate evaluations, or a combination.
Limitations of internal control
1. Human judgement in decision making cna be faulty
2. Breakdowns can occur beacuse of human failure s such as simple errros or misstakes.
3. Controls, whether manual or atomated, cna be circumvented by collusion
4. Management has the ability to orrider internal contorl
5. Cost constraints
6. Custom, culture, and the corporate governnance system may inhibit fraud, but they are not absolute deterrents.
Foreign Corrupt Practices Act
Passed by congress in 1977.
1. Requiring every corporation registed under the SEA of 1934 to maintain a system of strong internal accounting control.
2. Requiring corporations to maintain accurate books and records, and making it 3) illegal for individuals or business entities to make payments to foreign officials to secure business.
Committee of Sponsoring Organization (COSO
Provide thought leadership through the development of comprehenseive frameworks and guidane on enterprise risk management, internal control, and fraud detterence
Committee composed of representatives of various profesional organization.
What are the ways to test of controls?
R - Reperformance
I - Inquiries
I - Inspection
O - Observation
What are the financial statement assertions?
R ights and obligations
A llocation and valuation
C ompleteness, cutoff
E xsistence and occurence
What is a dual purpose tests?
A test of controls and a substantive test is applied to the same transaction.
What are the components of Control activities?
Performance reviews (reviews of actual performance against budgets, forecasts, one another, etc.)
Information processing (controls that check accuracy, completeness, and authorization of transactions)
Physical controls (activities that assure the physical security of assets and records)
Segregation of duties (separate authorization, recordkeeping, and custody)
What are Risk assessments?
Risk of preparing the FS wrong!
1) changes in the operating environemnt (increase competition)
2) New employee or tech.
3) rapid growth
3) new technology
4) new lines, products, or activities
5) corporate restructing
7) accounting pronouncement
After planning the audit, the auditors should:
-obtain the understanding of the entity and its environment, including its IC.
- Assess the risks of material misstatement and design further audit IC.
How do you perform a test of controls?
There are three types of deficiencies for IC
1) deficiency - a design or opearting deficiency
2) significant deficiency - a deficiency, or combination of deficiencies.
3) material weakness - is a reasonble possiblity that a mateiral misstatment of the FS will not be prevented or detected.
In an IC audit, the work of others, the auditor should
1) assess their competence and objectivity; do not use the work of thoes iwth low competence
2) use the work in lower risk areas.
What are the differences between PCAOB and AT501 in regards to IC?
1) PCAOB refers to this as an "audit" while AT 501 refers to it as an "examination"
2) AT 501 allows an auditor to examine effectiveness of internal control for a period of time. ex. 20x5
3)AT 501 allows for reporting on management's assertion.
Reporting on whether a previously reported mateiral weakness continues to exist-
1) mangment gathers evidence, including documentation that the mateiral weakenss no longer exists, then prepares a written report so indicating. The audtiros tehn plan and perform an engagement emphasizing the controls over the mateiral eakenss. The auditor report issued indiciate the auditor's opinion that the mateiral weakness "no longer exists" or exists" of the date of managmenet's assertion.
When can auditors communicate issues with IC?
Communicaitons are best if issued by theaudit report realese date, but it can be up to 60 days after.
When there is a significant deficiency or a mateiral weakness in IC, commute it by
a written report. it includes:
1) purpose of consideration of IC was to express an opinion on the FS, not to express na opinion on iC.
2) auditor is not expressing an opinon on IC effectiveness.
3)Consideraiton of IC not designed to identify all signficant deficiencies or matieral weaknesses.
4)consdideraiton of IC not deisnged to identify al signficant deficienecies or mateiral weaknsses.
5)definition of mateiral weakness and signficant deficiency.
6)separately describre signficant deficiencies and material weaknesses identified.
7) indication that he communication is for managemen, those charged with governance and othe rothers within the organization; it shoud not be used by others.
The audit commitee consists of:
group of outside (non management) directors whose fucnitons incldue:
Nominating, terminating, and negotiating CPA firm fees
discussing braod, general matters concering the type, scope ,and timing of audit with public firm
Discussing IC weaknesses
Review FS and the bpucli accounting firm's audit report
workign with the ocmapny's internal auditros.
Internal audtiros have two primary effects on the audit:
1) Their existence and work may affect the nature, timing, and extent of audit procedures
2) CPAS may use internal auditors to provide direct assitance in perfmirng procedures.
The CPA should assess both the competence and objectivity of internal auditors. Competence is the educatiional, experience, certifcaino etc.
What's not required on a particular audit of a nonissuer (nonpublic) company?
Test of controls! Tests of controls are only reuiqred when the auditro relies on the controls or substantive tests alone are not sufficient to audit particular assertions.
How do you assess contorl risk at a low level?
1) identifying specific controls releveant to specfici asserrtions that are likely to prevent or detect mateiral missatements in those assertions.
2) performing tests of contorls to evaluate the effectiveness of such controls.
Auditors test controls to provide:= evidence for hteir assesment of contorl risk through:
Inquiries of appropriate personnel, inspection of documents and records, observation of the applicaiton of controls, and reperformance
The Sarbanesx-Oxley act of 2002 uses which COSO framwork?
The COSO internal framework
If an engagement to examine internal?
Will be more extensive in scope than the assessment of control risk made during a FS audit.
How much assistance can an auditor provide to management in its assessment of IC?
Very limited assistance may be provided
The minimum likelihood of loss involved in the consideration of a control deficiency is
a condition in which the operation of a contorl does not allow managemnet, or meployees in the normal course of perofmring their functions to prevent or detect misstatemnts on a timely bassis. That is why the amount is NOT explicitly considered.
According to PCAOB, what type of tranctions involves estimation
estimation trnactions are activities involving management's jusgments or sumptions, such as determining the allowance for doubtful acocunts, establishing warranty reseves, and assessing assets for impairment
According to PCAOB, what type of tranctions involves routine tranacitons?
those are recurring activities, such as sales, purchases, cash receipts, and disbursements, and payroll.
According to PCAOB, what type of tranctions involves nonroutine tranacitons?
Those are transactions ouccring periodically, such as taking of physical inventory, calculating depreciation expense, or adjusting for forieng currencies. usually not part of a routine flow of tranaction.
When there is a control deficiency, a competent indivudal otherwise indepdent will help take care of the funciton to help reduce the risk of misstatment. What type of control is this considered?
What is a walkthrough?
It is the procedure that invovles tracing a transaction from orgination through the company's informaiotn systems until it is refelcted in the company's FS.
1) confirm the auditor's undersatnding of the flow of tranctions and the desing of controls
2) evaluate the effectiveness of hte design of controls
3) to confirm whether controls have been implented
Unde PCOB, the "as of date" is waht?
the last day of the fiscal period or it is this date on which the auditor concludes as to the effectiveness of internal control.
What is the circumstance that makes an account significant for purposes of a PCAOB audit of IC?
Requires only that more than a remote likelihood of mateiral misstatement
The auditor must communicate in writing to managagement what type of deficiencies?
material weaknesses, significant deficiencies, and other control deficiencies.
If the assesed level of control risk is high, an auditor would probalby
request the lcient to schedule the physical inventory count at the end of the year.
The auditor who audits the procesing of tranactions by a service organization may issue a report on controls
Implemneted nad the operating effectiveness.Either of the two types of reports.
GAO consideres three types of impairments:
external, personal, and organizational.
Concept of reasonable assurance
The cost of the entity's internal control should not exceed the benefits expected to be derived.
Assessing control risk at a low level involves
1)Identifying specific contorls relevant to specific assertions that are likley to prevent or detect material misstaments in those assertions
2) perfomring tests of controls to evaulate the effectiveness of such controls.
The objective of tests of detials of trnactions performed as tests of controls is to:
Evaluate whether controls operated effectively.
Test of controls consists of:
1) inqiuires of appropriate entity personnel
2)inspection of documents and reports
3) obesrvation of the appolicaiton of the policy or procedures,
4) reperformance of the applicationfo the policy or procedures.
The minimum likelihood of loss involved in the consideration of a control deficiency is
Not explicitly considered. A control deficiency is a condition in which the opeartion of contorl does not allow manamgent or employee in normal course of perfomring their functions to pervent or detect missatemtns ona timely basis.
The PCAOB consider an account to be significant if there is
remote likelihood that it could contain material misstatement.
The following is most likely to be considered a material weakness in internal control for purposes of an internal control audit of a private company?
An ineffective oversight of financial reporting by the audit committee.
AT501 states taht when a deviation from the control criteria being reported upon exists (here a material weakness in internal control)
the CPA should report directly upon the subject matter and not upon the assertion.
In determining the effectiveness of an entity's controls relating to the existence or occurence assertion for payroll tranactions, an auditor most likely would inquire about and
observe the segregation fo duties concerning personnel responsibilities and payroll disbursement.
which of the following departments most likely would approve changes in pay rates and deductions from employee salaries?
When there are numerous property and equipment tranactions during the year, an auditor who plans to assess control risk at ta low level usually performs
test of controls and limited tests of current yera property and equipment tranactions.