What is internal control?
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
Who is responsible for the design, implementation and maintenance of internal controls?
What is the auditor’s responsibility with regard to internal control?
The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the FSs, whether due to fraud or error, and to design the nature, timing and extent of further audit procedures.
The auditor should obtain an initial understanding of the ICs relevant to the entity’s financial statements, which is primarily done through:
Inquiry of management
Observation of the entity’s accounting related activities
Review of documentation.
How is documenting the auditor’s understanding of internal controls done?
Preparing flowcharts of major transaction cycles
Interviewing the entity’s personnel using standardized internal control questionnaires
Preparing narrative write ups regarding internal control
Does the extensiveness of the auditor’s review of internal controls vary?
The extensiveness of the auditor’s review and documentation varies with the circumstances. For example, the emphasis on understanding internal controls increases if reliance on internal control is planned.
What are flowcharts?
A graphical depiction of the client’s accounting systems for major categories of transactions.
What are internal control questionnaires?
Questionnaires consisting of a list of questions about an entity’s control procedures and activities. A “no” answer is usually designed to indicate a control deficiency.
What are narrative write ups?
A written memo describing the important control related activities in the transaction cycles under consideration.
There are 2 reasons why the auditor might “assess control risk at the max level”, which means the same thing as adopting a wholly substantive audit approach with no reliance on IC:
The auditor may perceive the relevant ICs to be ineffective, or
Even if the controls are viewed as effective, a reliance audit approach may be less efficient than a wholly substantive audit approach. Tests of controls would not be performed when the auditor has chosen a wholly substantive audit approach.
What is the required documentation of internal control?
The auditor should document the basis for the auditor’s conclusions about internal control either way, whether IC is perceived to be effective or ineffective.
The auditor should perform tests of controls to evaluate the operating effectiveness of relevant controls under either of two circumstances:
When the assessment of risks of material misstatement at the relevant assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls).
When the auditor’s substantive procedures alone cannot provide sufficient appropriate audit evidence at the relevant assertion level.
The purpose of performing tests of controls is to verify that:
The controls that looked good on paper, known as design effectiveness, were actually working as intended through the period, known as operating effectiveness.
Re-evaluation phase: after performing the tests of controls, the auditor should decide whether the results of the tests of controls are:
consistent with the planned reliance on internal controls. Sometimes ICs that look good on paper may not actually be working as intended. In such a case, the auditor should reconsider whether a reliance audit approach is appropriate.
Design audit plan phase:
The auditor should prepare a required written audit plan (also referred to as an audit “program”) that specifies the nature, timing, and extent of “further audit procedures” to be performed.
What are the 3 categories of audit procedures?
Risk assessment procedures
Tests of controls
What does a wholly substantive audit approach mean?
No reliance on IC (same as assessing control risk at the max level). In other words, the auditor plans to meet the audit risk objectives by performing only substantive audit procedures without any expectation about the operating effectiveness of IC. In this case, tests of controls would not be performed.
True or False: the cost of ICs should not outweigh the benefits attributable to those controls.
What is collusion?
A conspiracy among employees or management to circumvent internal controls.
Segregation of duties may break down due to:
management’s override of controls.
What are the auditor’s risk assessment procedures?
Inquiries of management and other
Observation and inspection
Analytical procedures
Review information
Discussion among audit team members
The auditor’s responsibility to obtain an understanding of the entity and its environment focuses on understanding the following:
Industry, regulatory, and other external factors,
Nature of the entity
Objectives and strategies and related business risks that may cause misstatement of the financial statements.
Measurement and review of the entity’s financial performance
What are the 5 interrelated components of internal control?
Control activities
Risk assessment
Information and communication systems
Monitoring
Control environment
What does the control environment consist of? (The tone at the top) CHOPPER
Commitment to competence
Human resource policies and practices
Participation of those charged with governance
Philosophy of management and operating style
Ethical values and integrity
What is the Risk assessment component?
The policies and procedures involving the identification, prioritization, and analysis of relevant risks as a basis for managing those risks. Factors such as:
Changes in operating environment
New personnel
New or revamped info systems
Rapid growth
New technology
New lines of business, products or activities
Corporate restructurings
Foreign operations
Accounting pronouncements
What are control activities?
Policies and procedures that help ensure that management directives are carried out:
Performance review
Information processing
Physical controls
Segregation of duties, which consists of:
Authorization of transactions
Recording (posting) of transactions
Custody of assets
Comparisons
What is Information and communication?
Refers to the ID, retention, and transfer of info in a timely manner allowing personnel to perform their responsibilities.
Info system: consists of the methods and records used to record, process, summarize and report Co.’s transactions and to maintain accountability for the related accounts.
Communication: Involves establishing individual duties and responsibilities relating to internal control and making them known to involved personnel.
What is monitoring?
An important management responsibility is to establish and maintain internal control. Management monitors controls to consider whether they are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring is a process that assesses the quality of internal control performance over time.
At what levels should the auditor identify and assess the risks of material misstatement?
At the overall financial statement level, and
At the relevant assertion level related to classes of transactions, account balances, and disclosures.
How frequently must an auditor test operating effectiveness of controls that appear to function as they have in past years and on which the auditor wishes to rely in the current year?
At least every third audit.
What is the auditor’s objective with regard to communicating IC?
The auditor’s objective is to appropriately communicate to those charged with governance and management deficiencies in IC that the auditor has identified that are important enough to warrant attention.
What is a significant deficiency?
A deficiency (or combination of deficiencies) in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
What is material weakness?
A deficiency (or a combination of deficiencies) in internal control such that there is a reasonable possibility that a material misstatement of the entity’s FSs will not be prevented or detected and corrected on a timely basis.
What are specific indicators of material weaknesses?
Identification of any fraud involving senior management (whether or not material)
Restatement of previously issued FSs to correct a material misstatement due to error or fraud
Identification of a material misstatement in the FSs by the auditor that would not have been identified by the entity’s IC
Ineffective oversight of the entity’s financial reporting and IC by those charged with governance.
Communicating identified control deficiencies: the auditor should appropriately communicate any significant deficiencies and material weaknesses identified in the audit to:
management and those charged with governance IN WRITING
By what date should the auditor communicate the material weaknesses and significant deficiencies?
The required communication is best made by the “report release date” and should be made no later than the “documentation completion date”. AICPA defines the documentation completion date as 60 days following the report release date.
Are all material weaknesses significant deficiencies?
YES, all material weaknesses are significant deficiencies.
What is an internal audit function?
A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control.
What are the 2 ways that the external auditor may use the work of an internal audit function?
1) obtain audit evidence that modifies the nature, timing, or extent of audit procedures to be performed by the external auditor
2) provide direct assistance to the external auditor under the external auditor’s direction, supervision, and review.
What are the 3 necessary conditions before the external auditor may use the internal audit function to obtain audit evidence?
Systematic and disciplined approach
What is competence?
Competence: the internal auditors must be competent (related to their education, experience, certification) to perform reliable work.
What is objectivity?
Objectivity: the internal audit function’s organizational status and relevant policies and procedures must support the objectivity of the internal auditors.
What is systematic and disciplined approach?
Systematic and disciplined approach: the internal audit function must apply a “systematic and disciplined approach, including quality control.” The external auditor should not rely on “internal audit-like” work that is conducted in an informal, unstructured, or ad hoc way. However, the degree of formality and structure may vary with the nature, size, and complexity of the entity involved.
When the external auditor plans to use the work of the internal audit function, he must?
Communicate that with those charged with governance.
When the internal auditor provides direct assistance to the external auditor, the internal auditor is under the external auditor’s:
Direction, supervision, and review.
What is the auditor’s responsibility when an audit entity has outsourced some of their transaction processing to an outside service organization?
The auditor is responsible for obtaining an understanding of ICs relevant to the entity’s FSs for purposes of assessing the risks of material misstatement, whether those controls are located within the client entity or within the service organization. Accordingly, the auditor may need to visit the service organization to interview personnel there for the purpose of obtaining the required understanding. Alternatively, the auditor may be able to obtain that required understanding of those relevant controls by reading a service auditor’s report on IC at the service organization.
The standard states that the user auditor’s objectives, when the user entity uses the services of a service organization, are to:
Obtain an understanding of the nature and significance of the services provided and their effect on the user entity’s IC relevant to the audit sufficient to assess the risks of material misstatement
Design and perform audit procedures that are responsive to those risks.
What are a user auditor and a service auditor?
User auditor: an auditor who audits and reports on the FSs of a user entity.
Service auditor: a practitioner who reports on controls at a service organization.
What are a service organization and a user entity?
Service organization: an organization or segment of an organization that provides services to user entities that are relevant to those user entities’ IC over financial reporting.
User entity: an entity that uses a service organization and whose FSs are being audited.
If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor should obtain that understanding by one of the following:
Type 1 report: report on management’s description of a service organization’s system and the suitability of the DESIGN of controls.
Type 2 report: report on management’s description of a service organization’s system and the suitability of the DESIGN and OPERATING effectiveness of controls.
What is an integrated audit?
An integrated audit is an audit of internal control and financial statements.
What are the elements of SCARE that are used in the transaction cycles?
Segregation of duties: avoid incompatible functions
Controls (physical controls): safeguarding assets and documents
Authorization: transactions should be executed as authorized by mgmt
Review (performance reviews): appropriate comparisons should be made
EDP/IT (Info processing)-
In the payroll department, the following activities should be performed by different personnel when circumstances permit:
Establishing and maintaining employee files in the personnel department
Reconciling the payroll bank account with the general ledger.
Who should sign the payroll checks?
What should be done with unclaimed checks?
Checks should be returned to treasury, secured, and eventually destroyed if not claimed within an appropriate time.