ACCT 4240 - Auditing - PowerPoint PPT Presentation

1 / 54
About This Presentation
Title:

ACCT 4240 - Auditing

Description:

Major Components of an Audit: The Audit Risk Model Consideration of Internal Controls in a Financial Statement Audit Required by the second standard of field work: ... – PowerPoint PPT presentation

Number of Views:188
Avg rating:3.0/5.0
Slides: 55
Provided by: Jer858
Category:

less

Transcript and Presenter's Notes

Title: ACCT 4240 - Auditing


1
ACCT 4240 - Auditing
Internal Control Evaluation Assessing Control
Risk
2
Major Components of an Audit The Audit Risk
Model
Evidence Gathering
Plan the Audit
Study, Test Evaluate Controls
Perform Evaluate Tests of Balances
Issue the Audit Report
3
Consideration of Internal Controls in a Financial
Statement Audit
  • Required by the second standard of field work

A sufficient understanding of the internal
control structure is to be obtained to plan the
audit and to determine the nature, timing, and
extent of tests to be performed
4
Relationship of Control Risk and Detection Risk
Audit risk assumed

100
100 assurance
Desired level of assurance
Allowable detection risk


Estimated inherent and control risk
0
Low
High
Strength of control structure
5
Relationship of Detection Risk and Testing of
Financial Statement Balances
Audit risk assumed

100
100 assurance
Desired level of assurance
Extent of testing of financial statement balances
Allowable detection risk
0
Low
High
Strength of control structure
6
Assessment of Control Risk
The higher the control risk
The lower the control risk
the lower the detection risk
the higher the detection risk
and the less extensive the substantive tests of
financial statement balances
and the more extensive the substantive tests of
financial statement balances
7
Internal Control
  • Internal control is a process, effected by an
    entitys board of directors, management, and
    other personnel, which is designed to provide
    reasonable assurance regarding the achievement of
    objectives in one or more categories
  • Effectiveness and efficiency of operations
  • Reliability of financial information
  • Compliance with applicable laws and regulations
  • Safe-guarding assets

8
Assessing Control Risk
  • Management has three concerns in designing an
    effective control system
  • Reliability of financial reporting
  • Efficiency and effectiveness of operations
  • Compliance with applicable laws and regulations

9
Key Control Concepts
  • Controls are the responsibility of management
  • Controls provide reasonable, but not absolute,
    assurance
  • Internal controls have inherent limitations
  • Misunderstandings by employees
  • Management override
  • Collusion
  • Cost/Benefit

10
Components of Internal Control
11
The Control Environment
  • The actions, policies, and procedures that
    reflect the overall attitudes of top management,
    directors, and owners of an entity about control
    and its importance to the entity

12
The Control Environment
  • Integrity and ethical values
  • Commitment to competence
  • Board of Directors or Audit Committee
    participation
  • Managements philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and procedures

13
Risk Assessment
Managements identification and analysis of risks
relevant to the preparation of financial
statements in accordance with GAAP
  • Changes in regulatory or operating environment
  • New personnel
  • Changes in the information system
  • Rapid growth
  • New technologies
  • New lines of business
  • Restructuring
  • Foreign operations
  • New accounting principles

14
Control Activities
The policies and procedures, in addition to those
included in the other four components, that help
ensure that necessary actions are taken to
address risks in the achievement of the entitys
objectives
  • Adequate segregation of duties
  • Proper authorization of transactions and
    activities
  • Adequate documents and records
  • Physical controls over assets and records
  • Independent checks on performance

15
Adequate Segregation of Duties
  • Separation of the custody of assets from
    accounting
  • Separation of the authorization of transactions
    from the custody of related assets
  • Separation of operational responsibilities from
    record-keeping responsibility
  • Separation of duties within EDP

16
Proper Authorization
  • General authorization - approval for all
    transactions within the limits of an established
    policy
  • Specific authorization - authority granted on a
    case-by-case basis

17
Adequate Documents and Records
  • Prenumbered
  • Prepared when the transaction is executed
  • Contain sufficient detail
  • Simple to complete
  • Space for signature of preparer
  • Subject to controlled access

18
Physical Controls
  • Physical controls
  • Fences, locks
  • Guards
  • Fireproof cabinets and safes
  • Computer access controls
  • Backup and recovery procedures

19
Independent Checks
  • Reconciliations
  • Input, process, and output controls
  • Review of documents and transactions

20
Information and Communication
  • The Accounting System - the methods and records
    that an entity establishes to identify, assemble,
    analyze, classify, record, and report
    transactions and to maintain accountability for
    the related assets and liabilities

21
The Accounting System
  • Identify and record all valid transactions
  • Describe transactions on a timely basis in
    sufficient detail to permit their proper
    classification for financial reporting
  • Measure the value of transactions in a manner
    that permits recording of their proper monetary
    value in the financial statements

22
The Accounting System
  • Determine the time period in which transactions
    occur so they can be recorded in the proper
    accounting period
  • Properly present the transactions and related
    disclosures in the financial statements

23
Communication of Employees Roles and
Responsibilities
  • Oral instructions or behavioral examples
  • Policies and procedures manuals

24
Monitoring of System
  • Communication from external parties
  • Internal auditors
  • Exception reports
  • Reports to regulators
  • Customer complaints

25
Audit Scope Pre 404 vs. Post 404
Source Deloitte Touche
26
Auditors Study Evaluation of Internal Control
Structure (ICS)
  1. Review and understanding of ICS
  2. Preliminary evaluation of ICS
  3. Tests of controls
  4. Final evaluation of ICS

27
Internal Control Financial Reporting
Notes
Financial Reporting Controls
Cash Flow
Income Statement
Balance Sheet
Financial Statements
Source Deloitte Touche
28
Internal Control
Authorization of Transactions
Safeguarding of Assets
Financial Reporting
Assets Compared to Accounting Records
Accounting Records
Source Deloitte Touche
29
Internal Control
FCPA / Attest
Disclosure Controls
Certify / Report on Evaluation
Laws and Regulations
Operations
Source Deloitte Touche
30
Missing Link
The weakest link is a compliance program and
infrastructure to measure and monitor
the effectiveness and alignment between corporate
governance and business unit / functional control
activities to provide a basis for certification.
Source Deloitte Touche
31
Documentation of Understanding
  • Questionnaires
  • Narrative descriptions
  • Flowcharts

Invoice Copy 2
Invoice Copy 2
Invoice Copy 1
Invoice Copy 1
32
Assessing Control Risk
  • For non-EDP-based systems, auditors are NOT
    required to perform tests of controls unless they
    plan to assess control risk at less than the
    maximum
  • Nature of tests of controls
  • Inquiry of client personnel
  • Observation of client activities and operations
  • Inspection of documents and other accounting
    records
  • Reperforming procedures
  • Perform a transaction walk-through from inception
    to ultimate recording

33
Assessing Control Risk
  • Extent of tests of controls may be determined
    judgmentally or statistically
  • Timing of tests of controls - usually performed
    before year-end (interim), but will examine
    transactions throughout the year

34
Obtaining and Understanding
  • Audit Planning

Timing
  • Sufficient to plan audit of each significant
    financial statement assertion under the
  • Primarily substantive approach, or
  • Lower assessed level of control risk approach

Extent
  • Prior experience with entity
  • Inquiring of entity personnel
  • Observing entity operations
  • Inspecting documents and records

Procedures
  • Completed questionnaires
  • Flowcharts
  • Narrative Memoranda

Documentation
35
Summary of Audit Tests
Tests of Controls Substantive Tests
Types Concurrent. Additional. Analytical procedures. Tests of details of transactions. Tests of details of balances.
Purpose Determine effectiveness of design and operation of internal control structure policies and procedures. Determine fairness of significant financial statement assertions.
Nature of test measurement Frequency of deviations from control structure policies and procedures. Monetary errors in transactions and balances.
36
Applicable audit procedures Inquiring, observing, inspecting, reperforming, and computer-assisted audit techniques. Same as tests of controls, plus analytical procedures, counting, confirming, tracing, and vouching.
Timing Primarily interim work.1 Primarily at or near balance sheet date.2
Audit risk component Control risk. Detection risk.
Primary field work standard Second. Third.
Required by GAAS No. Yes.
1 Concurrent tests of controls are performed in
audit planning with procedures to obtain an
understanding of the internal control structure.
Additional tests of controls are performed during
interim field work. 2 Tests of details of
transactions may also be performed with tests of
controls as dual-purpose tests during interim
field work.
37
Roles and Responsibilities Internal Control
over Financial Reporting
  • Management Designs and implements the system of
    internal control over financial reporting
    evaluates the effectiveness of the companys
    internal control over financial reporting and
    provides a public report on that assessment
    prepares the financial statements.
  • Audit Committee Has responsibility for oversight
    of the companys financial reporting process.
  • Independent Auditor Performs an audit of
    internal control over financial reporting and
    issues a report on managements assessment of
    internal control over financial reporting and on
    the effectiveness of internal control over
    financial reporting also performs an audit of
    the companys financial statements.

38
What Managements Report Will Include
  • Under the SEC rules, managements report on
    internal control over financial reporting should
    include the following information
  • Statement of managements responsibility for
    establishing and maintaining adequate internal
    control over financial reporting.
  • Statement identifying the framework used by
    management to evaluate the effectiveness of
    internal control over financial reporting.
  • Managements assessment of the effectiveness of
    the companys internal control over financial
    reporting as of the end of the companys most
    recent fiscal year, including an explicit
    statement as to whether that control is effective
    and disclosing any material weakness identified
    by management in that control.
  • Statement that the registered public accounting
    firm that audited the financial statements
    included in the annual report has issued an
    attestation report on managements internal
    control assessment.

39
Audit of Internal Control
  • Planning the scope of the work
  • Obtaining an understanding of internal control
  • Evaluating the design effectiveness of internal
    control
  • Testing the operating effectiveness of internal
    control
  • Assessing internal control deficiencies and
    reporting on overall effectiveness
  • Integrating the audit of internal control with
    the audit of the entitys financial statements

40
Control Deficiencies and What They Mean
  1. Management and the independent auditor will
    evaluate its significance and determine whether
    it constitutes a control deficiency, a
    significant deficiency, or a material weakness.
  2. Deficiencies that are less serious than a
    material weakness (i.e., control deficiencies and
    significant deficiencies) are required to be
    disclosed to the audit committee and/or
    management.
  3. Management and the independent auditor must
    evaluate less serious weaknesses to determine
    whether, when taken together, they result in a
    material weakness.

41
Control Deficiencies and What They Mean (cont.)
  • All identified material weaknesses that exist at
    the companys fiscal year-end must be disclosed
    in the public reports issued by management and
    the auditor. Although not required by Section
    404, some companies may also choose to disclose
    significant deficiencies.
  • If one or more material weaknesses exist at the
    companys fiscal year-end, management and the
    auditor must conclude that internal control over
    financial reporting is not effective.

42
Control Deficiencies and What They Mean (cont.)
  1. The PCAOB has defined a material weakness as a
    significant control deficiency, or combination
    of deficiencies, that results in more than a
    remote likelihood that a material misstatement of
    the annual or interim financial statements will
    not be prevented or detected.
  2. A material weakness does not mean that a material
    misstatement has occurred or will occur, but that
    it could occur.
  3. Although the law and rules require that
    management disclose material weaknesses, they
    provide no specific guidance about

43
Control Deficiencies and What They Mean (cont.)
  • A company can report a material weakness in
    internal control over financial reporting and
    still receive an unqualified, or clean,
    financial statement opinion from the independent
    auditor.
  • Whether management or the auditor identifies a
    material weakness, management continues to be
    responsible for the preparation of complete and
    accurate financial statements.
  • management should take whatever steps are
    necessary to compensate for the material weakness
    in the financial statement preparation process.

44
PCAOB Auditing Standard No. 2An Audit of
Internal Control over Financial Reporting
Performed in Conjunction with an Audit of
Financial Statements
  • AS No. 2 required three integrated reports on
  • Financial statements audited by registered public
    accounting firms.
  • Managements assessment of the effectiveness of
    internal control over financial reporting
    (Section 404).
  • The effectiveness of internal control over
    financial reporting over financial reporting
    based on the auditors attestation of internal
    control.
  • AS No 2 is effective beginning June 17, 2004.

Source http//pcaobus.org/
45
Evaluate Results (PCAOB 2)
  • Internal Control Deficiency
  • An internal control deficiency exists when the
    design or operation of A control does not allow
    the companys management or employees, in the
    normal course of performing their assigned
    functions, to prevent or detect misstatements on
    a timely basis.
  • Significant deficiency
  • More than a remote likelihood of a misstatement
    of the annual or interim financial statements
    that is more than inconsequential in amount
  • Material weakness
  • More than a remote likelihood of a material
    misstatement
  • Significant deficiencies and material
    misstatements must be communicated in writing to
    audit committee

46
Types of Internal Control Reports (PCAOB 2)
  • Separate Report on Internal Control
  • Opinions on managements assertion of internal
    control effectiveness as well as actual internal
    control effectiveness
  • Opinion on financial statements contained in
    separate audit report
  • Integrated Audit Report and Report on Internal
    Control
  • Includes auditors opinions on 1) managements
    assertion of internal control effectiveness, 2)
    internal control effectiveness, and 3) the
    fairness of the companys financial statements.

47
The Independent Auditors Opinion
  • The content of the auditors report is prescribed
    by the PCAOB standard. The most common opinions
    on the effectiveness of internal control over
    financial reporting will be
  • Unqualified Opinion. An opinion that internal
    control over financial reporting is effective no
    material weaknesses in internal control over
    financial reporting exist as of the fiscal
    year-end assessment date.
  • Adverse Opinion. An opinion that internal
    control over financial reporting is not
    effective one or more material weaknesses exist
    as of the fiscal year-end assessment date.
  • Disclaimer of Opinion. A report stating that
    restrictions on the scope of the auditors work
    prevent the auditor from expressing an opinion on
    the companys internal control over financial
    reporting.

Source http//pcaobus.org/
48
Report of Independent Registered Public
Accounting Firm
1. Introductory Paragraph
2. Scope Paragraph
3. Definition Paragraph
4. Inherent Limitations Paragraph
4. Explanatory Paragraph
6. Opinion Paragraph
7. Signature
8. City and State or County
9. Date
The explanatory paragraph is required only when
auditors opinion is other than unqualified and
may also be placed after the opinion paragraph
when the auditor issues two separate reports on
the audit of financial statements and internal
controls, thus makes reference to opinion on the
financial statement audit in the report on the
internal control audit.
Source http//pcaobus.org/
49
Source Release No. 2004-001, pages 116-137,
Appendix A Illustrative Reports, available at
http//pcaobus.org.
50
Source Release No. 2004-001, pages 116-137,
Appendix A Illustrative Reports, available at
http//pcaobus.org.
51
Source Release No. 2004-001, pages 116-137,
Appendix A Illustrative Reports, available at
http//pcaobus.org.
52
Suitable Internal Control Framework (Example
COSO)
Source Deloitte Touche
53
Suggestions
  • Testing and evaluating the effectiveness of both
    the design and operation of internal controls.
  • Potential costs and benefits of Section 404
  • Assessment of the effectiveness of the audit
    committee whereas ineffectiveness is considered
    as a strong indicator of material weakness.

54
Next Time
Module H Information Systems Auditing
Write a Comment
User Comments (0)
About PowerShow.com