SU 06 Internal Control Flashcards
What are an auditor's options in response to assessed risk?
- Tests of controls
- Substantive Procedures
What do tests of controls consist of?
- assessing controls over processes
- assessing the control environment overall
- assessing the operating effectiveness of controls
What affects the operating effectiveness of internal controls?
Overall their value in reducing RMM
- are they designed well
- are they implemented and operating properly
What are substantive procedures?
audit procedures designed to produce evidence that may be used in court
What circumstances may indicate increased risk?
- changes in overall operating environment
- new personnel
- new/revamped IT
- rapid growth
- new technology
- new business models-products-activities
- corporate restructuring
- expanded foreign operations
- new accounting pronouncements
- new
Is an auditor required to assess internal controls?
Yes - part of SOX
Internal control components
C.R.I.M.E
- Control activities
- Risk assessment
- Information and communication systems
- Monitoring
- Environment (control environment)
Who is responsible for internal controls?
Client management / governance
What is the auditor's responsibility in regard to internal controls?
have the responsibility for assessing their existence/ management assertions about them
Control activities include
- performance reviews
- general vs application controls
- physical controls
- segregation of duties
Which duties must be segregated?
authorization from recording from custody
What is the difference between general and application controls?
- General controls are over the whole system - controls at the business level
- application controls are built into specific applications
Objectives of internal controls
1) to prevent or detect financial statement misstatements
2) to control operational objectives
3) to control compliance objectives
Limitations of internal controls
- human judgement is faulty
- collusion may circumvent controls
- management may override controls
- impossible to create perfect controls (esp not at reasonable cost)
Levels of internal controls
- entity level (general and application controls)
- transaction/ assertion level controls (address specific FS issues)
What might transaction/assertion controls address?
- CAPE CROC assertions
- transactions and account balances
- IS & BS balances
Types of entity-level controls
- organizational structure
- clear assignment of authority and responsibility
- adequate segregation of duties
- IT planning in alignment with business strategy
- compliance with licensing, laws, and regulations
Classes of internal controls
- Automated vs Manual
Classes of automated controls
- IT General Controls (ITGC)
- IT Application controls
- IT-dependent manual controls
Types of IT General Controls
- data center & network
- system software acquisition, change, and maintenance
- program change
- access
- application system acquisition, development, & maintenance
Preventive controls
- designed to stop errors before they occur
- often generate error messages/ alerts
- leave no documentary trail?
- informed by “WCGWs”
WCGWs
What can go wrong
Detective controls
Designed to catch fraud or errors after functions or transactions occur
- also informed by WCGWs
- important they can detect & intervene in a timely manner
- often use IT application controls for detection
- often built in as a post-processing procedure
- can be applied to each transaction or to batches
Preventive vs detective control
- preventive more frequent, more dependent on IT, but also generally more cost effective
- preventive produces less evidence than detective
- auditors tend to focus on detective due to the larger amount of evidence