Section 404 Audits of Internal Control and Control Risk

1
Section 404 Audits of Internal Control and
Control Risk

• Chapter 10

2
Internal Control Objectives
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with laws and regulations
3
Managements Responsibilities For Internal Control
Management - responsible for establishing and
maintaining internal control
I/C offers reasonable assurance
I/C has inherent limitations
4
Managements Responsibilities For Internal Control
Managements Section 404 reporting
responsibilities

• Design of internal control over financial
  reporting
• Focus is on controls over mgmt. assertions (Ch 6)

• Operating effectiveness of controls
• Must be tested and evaluated for effectiveness

5
Auditor Responsibilities Related to Internal
Control
Second standard of fieldwork A sufficient
understanding of internal control is to be
obtained in order to plan the audit and to
determine the nature, timing, and extent
of tests to be performed.
Control over classes of transactions (vs.
account balances)
Auditor responsibilities for testing and
reporting (Ch. 2) on internal control
6
Five Components of Internal Control
Control environment
Risk assessment
Information and communication
Control activities
Monitoring
7
The Control Environment
Actions, policies and procedures that reflect
overall attitudes of top management (tone from
the top)

• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee
  participation
• Managements philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices

8
Risk Assessment
For audit purposes managements identification
and analysis of risks relevant to the preparation
of financial statements in conformity with GAAP.
9
Control Activities
Policies and procedures (in addition to those in
the Other four components)

1. Adequate separation of duties
2. Proper authorization of transactions and
   activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

10
Adequate Separation of Duties
11
Proper Authorization of Transactions and
Activities
General authorization policies for the
organization to follow.
Specific authorization applies to Individual
transactions
12
Adequate Documents and Records
Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple use
Constructed to encourage correct preparation
13
Physical Control over Assetsand Records
The most important measure for safeguarding
assets and records is the use of physical
precautions limit access to assets/records.
14
Independent Checks on Performance
The need for independent checks arises because
internal controls tend to change over time unless
there is a mechanism for frequent review.
15
Information and Communication
The purpose of an accounting information and
communication system is to
initiate, record, process, and report the
entitys transactions and to maintain accountabili
ty for the related assets.
16
Monitoring
Monitoring activities deal with
managements ongoing and periodic assessment of
the quality of internal control performance
to determine whether controls are operating as
intended and modified when needed.
17
How the Size of the Business Affects Internal
Control
In general the SEC believes that small businesses
should be expected to adhere to the same internal
control standards that apply to larger public
companies.
The SEC has also stated that the burden
to smaller companies can be disproportionate.
18
Four Phases of a Financial Statement Audit
19
Obtain and Document Understanding of Internal
Control
SAS 55 and PCAOB Standard 2 both require the
auditor to obtain an understanding of internal
control for every audit.

• Procedures to obtain an understanding
• Design of internal controls
• Whether placed in operation
• Uses this information as a basis for the
• integrated audit.

20
Methods Used
Narrative
Flowchart
Internal control questionnaire
21
Narrative
1. The origin of every document and record in
the system
2. All processing that takes place
3. The disposition of every document and
record in the system
4. An indication of the controls relevant to
the assessment of control risk
22
Evaluating Internal Control Operation
Update and evaluate auditors previous experience
with the entity.
Make inquiries of client personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.
23
Assess Control Risk
Assess whether the financial statements are
auditable.
Determine assessed control risk supported by the
understanding obtained assuming the controls are
being followed.
Use of a control risk matrix to assess control
risk
24
Control Risk Matrix
Identify transaction-related audit objectives.
Identify existing controls.
Associate controls with transaction-related audit
objectives.
Identify and evaluate control deficiencies, signif
icant deficiencies, and material weaknesses
25
Evaluating Significant Control Deficiencies
Material Weakness
26
Communicate Internal Control Deficiencies and
Related Matters

• Audit committee communications
• Significant deficiencies and material
• weaknesses must be communicated

Management letters
27
Tests of Controls
The procedures to test effectiveness of
controls in support of a reduced assessed
control risk are called tests of controls.
28
Procedures for Tests of Controls
1. Make inquiries of client personnel.
2. Examine documents, records, and reports.
3. Observe control-related activities.
4. Reperform client procedures.
29
Extent of Procedures

• PCAOB 2 requires public company auditors
• to test controls each year for all relevant
  assertions
• for all significant accounts and transactions
• Reliance on evidence from prior years audit

• PCAOB 2 is concerned with adequacy of I/C as of
• the end of the fiscal year
• Timing of tests depends on the nature of controls
  
• and frequency at which they are performed.

30
Procedures to Obtain an Understanding vs.Tests
of Controls
In obtaining an understanding, procedures are
applied to all controls to identify those likely
to prevent/detect Material misstatements in
specified assertions. Test of of controls are
applied only when the assessed control risk has
not been done in obtaining an understanding.
Procedures to obtain an understanding are
performed on few transactions, while tests of
controls are performed on larger samples.
31
Relationship of Assessed ControlRisk and Extent
of Procedures (Table 10-3)
32
Decide Planned Detection Risk and Design
Substantive Tests
The auditor uses the results of the control
risk assessment process and tests of controls
to determine the planned detection risk
and related substantive tests.
The auditor links the control risk assessments to
the balance-related audit objectives.
33
Section 404 Reporting on Internal Control
34
Section 404 Reporting on Internal Control
2
The auditors opinion on whether the
company maintained, in all material respects,
effective internal control over financial
reporting as of the specified date.
35
Types of Opinions on Internal Controls Over
Financial Reporting

• Unqualified
• No identified material weaknesses
• No scope limitations

• Adverse
• Material weaknesses exist

• Qualified or disclaimer of opinion
• Scope limitation

36
Differences in Scope of Controls Tested
Nonpublic Company