Flashcards in Internal Control Deck (40)
What is internal control?
A process designed to provide reasonable assurance that objectives are met
What are the five components of internal control?
Information and communication systems
What are control activities?
Activities/processes taken to reduce risk, as decided by management
What are some common control activities?
Information processing (verifying transaction info)
Segregation of duties
What is risk assessment?
The entity's (not the auditor's) analysis of risks
What is monitoring?
Evaluating the internal control system's effectiveness over time (and making certain corrections)
It is necessary, since internal controls tend to fail over time
What is the control environment?
The general "atmosphere" for controls, consisting of attitudes within mgmt and personnel to excellence and integrity
Is it necessary for an entity to have all five components of internal control?
No -- the framework is helpful for the auditor's evaluation, not necessarily a description for all entities
Also, the auditor's main job is testing effectiveness, not categorizing
Should the auditor evaluate all of an entity's internal control systems?
No, only controls relevant to the financial statements (and only ones with significant risks)
What are some examples of irrelevant controls?
Controls to ensure compliance with safety regulations
Controls to set an optimal price on a product
What is an important consideration when evaluating controls?
Some controls will have overlapping purposes -- both financial reporting and operations (e.g. a lockbox for collecting payments)
What are the two parts of understanding a control?
Design -- whether it prevents/detects misstatements
Implementation -- whether it is actually being used
What are some procedures for assessing the design and implementation of controls?
Observing the applications of controls
Tracing transactions through the information system
What should the auditor document regarding internal control?
(1) Key elements of the five components
(3) Risk assessment procedures that were performed
What are different ways to document an entity's internal control?
What are the advantages and disadvantages of a flowchart?
-hard to overlook things
-requires complete understanding to create
-more time-consuming to create
What is the questionnaire approach to documenting internal control?
Simply listing questions to be answered
E.g. "Are the subsidiary ledgers frequently balanced with the control accounts?"
"Are these two duties properly segregated?"
What are the advantages and disadvantages of a questionnaire?
-easy to create
-requires listed issues to be covered
-weaknesses are obvious ("no")
-can be too general
What is the narrative approach, and what are its advantages and disadvantages?
Simply writing out what the system is
-unique to each engagement
-requires good understanding to create
-takes a long time
-lacks safeguards if auditor overlooks something
When should the auditor perform tests of controls?
-when his risk assessment includes an assessment of controls' effectiveness
-when substantive procedures alone don't reduce detection risk enough
What is the difference between risk assessment procedures on controls and tests of controls?
In risk assessment procedures, the auditor evaluates control design and implementation
In tests of controls, he tests effectiveness
These can sometimes be performed simultaneously
What are some tests for the operating effectiveness of controls?
Generally the same as for testing design and implementation of controls:
-inspection of documents
-observation of control's application
-reperformance of control by auditor
What is important to know regarding the different kinds of tests for controls' operating effectiveness?
Combinations of them should be used
E.g., inquiries alone are insufficient
How do the results of substantive procedures bear on the effectiveness of controls?
A lack of misstatement does not mean controls are effective, but misstatements might mean that controls are ineffective
Any misstatements found by the auditor but not the entity are significant deficiencies
What should an auditor test for controls' operating effectiveness if he plans to rely on prior period evidence?
If controls have changed, they need to be tested
If not, they should be tested at least once per three years (though more frequently the more crucial the control is)
How should auditors treat prior evidence for the effectiveness of controls that mitigate significant risk?
They should consider it but not rely upon it
It should be tested even if the control is unchanged from the prior period
What qualifies as a deficiency in the design of an internal control?
Not merely whether a control would not detect a misstatement if operating properly, but also if a control is missing
Distinguished from a deficiency in operation, which occurs when a control does not operate as designed
For controls, what is the difference between a material weakness and a significant deficiency?
Material weakness = reasonable possibility that control will lead to material misstatement
Significant deficiency = not as bad, but still requires attention
What should the auditor do if there are multiple significant deficiencies for a control?
Determine whether they, in aggregate, are a material weakness
What is a compensating control?
A control that limits the extent of a deficiency
What control deficiencies should be reported to management and TCWG?
All significant deficiencies and material weaknesses, including ones previously mentioned but not yet fixed
Must be in writing
When should control deficiencies be reported to management and TCWG?
Issuers must do this before the audit report is issued on the financial statements
-Otherwise, the latest is within 60 days of the report release date
Some deficiencies should be communicated during the audit, though not necessarily in writing
What is the report release date?
When the auditor grants permission for the entity to use the audit report for their financials
What should be included in the auditor's written communication for control deficiencies?
(1) that the auditor aims to express an opinion on the financials, not on controls per se
(2) a definition of "significant deficiency" and "material weakness"
(3) that the auditor did not aim to uncover all SDs and MWs
(4) a clear distinction between deficiencies identified as SDs and MWs
(5) that the communication is intended only for the specified parties
For communication on control deficiencies, what should the auditor say if he finds no significant deficiencies or material weaknesses?
He can make a communication stating that no material weaknesses were found, but not one stating that no significant deficiencies were found
What are five objectives for an internal control system?
(2) Validity (e.g. whether a transaction has occurred)
(4) Tracking assets
(5) Custody of assets/limited access
What subsidiary objectives comprise the objective of proper recording?
What duties should be segregated for the processing of a transaction?
What enables documents to be tracked through the control system?