ACCT 4240 - Auditing

1
ACCT 4240 - Auditing
Internal Control Evaluation Assessing Control
Risk
2
Major Components of an Audit The Audit Risk
Model
Evidence Gathering
Plan the Audit
Study, Test Evaluate Controls
Perform Evaluate Tests of Balances
Issue the Audit Report
3
Consideration of Internal Controls in a Financial
Statement Audit

• Required by the second standard of field work

A sufficient understanding of the internal
control structure is to be obtained to plan the
audit and to determine the nature, timing, and
extent of tests to be performed
4
Relationship of Control Risk and Detection Risk
Audit risk assumed

100
100 assurance
Desired level of assurance
Allowable detection risk


Estimated inherent and control risk
0
Low
High
Strength of control structure
5
Relationship of Detection Risk and Testing of
Financial Statement Balances
Audit risk assumed

100
100 assurance
Desired level of assurance
Extent of testing of financial statement balances
Allowable detection risk
0
Low
High
Strength of control structure
6
Assessment of Control Risk
The higher the control risk
The lower the control risk
the lower the detection risk
the higher the detection risk
and the less extensive the substantive tests of
financial statement balances
and the more extensive the substantive tests of
financial statement balances
7
Internal Control

• Internal control is a process, effected by an
  entitys board of directors, management, and
  other personnel, which is designed to provide
  reasonable assurance regarding the achievement of
  objectives in one or more categories
• Effectiveness and efficiency of operations
• Reliability of financial information
• Compliance with applicable laws and regulations
• Safe-guarding assets

8
Assessing Control Risk

• Management has three concerns in designing an
  effective control system
• Reliability of financial reporting
• Efficiency and effectiveness of operations
• Compliance with applicable laws and regulations

9
Key Control Concepts

• Controls are the responsibility of management
• Controls provide reasonable, but not absolute,
  assurance
• Internal controls have inherent limitations
• Misunderstandings by employees
• Management override
• Collusion
• Cost/Benefit

10
Components of Internal Control
11
The Control Environment

• The actions, policies, and procedures that
  reflect the overall attitudes of top management,
  directors, and owners of an entity about control
  and its importance to the entity

12
The Control Environment

• Integrity and ethical values
• Commitment to competence
• Board of Directors or Audit Committee
  participation
• Managements philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and procedures

13
Risk Assessment
Managements identification and analysis of risks
relevant to the preparation of financial
statements in accordance with GAAP

• Changes in regulatory or operating environment
• New personnel
• Changes in the information system
• Rapid growth

• New technologies
• New lines of business
• Restructuring
• Foreign operations
• New accounting principles

14
Control Activities
The policies and procedures, in addition to those
included in the other four components, that help
ensure that necessary actions are taken to
address risks in the achievement of the entitys
objectives

• Adequate segregation of duties
• Proper authorization of transactions and
  activities
• Adequate documents and records
• Physical controls over assets and records
• Independent checks on performance

15
Adequate Segregation of Duties

• Separation of the custody of assets from
  accounting
• Separation of the authorization of transactions
  from the custody of related assets
• Separation of operational responsibilities from
  record-keeping responsibility
• Separation of duties within EDP

16
Proper Authorization

• General authorization - approval for all
  transactions within the limits of an established
  policy
• Specific authorization - authority granted on a
  case-by-case basis

17
Adequate Documents and Records

• Prenumbered
• Prepared when the transaction is executed
• Contain sufficient detail
• Simple to complete
• Space for signature of preparer
• Subject to controlled access

18
Physical Controls

• Physical controls
• Fences, locks
• Guards
• Fireproof cabinets and safes
• Computer access controls
• Backup and recovery procedures

19
Independent Checks

• Reconciliations
• Input, process, and output controls
• Review of documents and transactions

20
Information and Communication

• The Accounting System - the methods and records
  that an entity establishes to identify, assemble,
  analyze, classify, record, and report
  transactions and to maintain accountability for
  the related assets and liabilities

21
The Accounting System

• Identify and record all valid transactions
• Describe transactions on a timely basis in
  sufficient detail to permit their proper
  classification for financial reporting
• Measure the value of transactions in a manner
  that permits recording of their proper monetary
  value in the financial statements

22
The Accounting System

• Determine the time period in which transactions
  occur so they can be recorded in the proper
  accounting period
• Properly present the transactions and related
  disclosures in the financial statements

23
Communication of Employees Roles and
Responsibilities

• Oral instructions or behavioral examples
• Policies and procedures manuals

24
Monitoring of System

• Communication from external parties
• Internal auditors
• Exception reports
• Reports to regulators
• Customer complaints

25
Audit Scope Pre 404 vs. Post 404
Source Deloitte Touche
26
Auditors Study Evaluation of Internal Control
Structure (ICS)

1. Review and understanding of ICS
2. Preliminary evaluation of ICS
3. Tests of controls
4. Final evaluation of ICS

27
Internal Control Financial Reporting
Notes
Financial Reporting Controls
Cash Flow
Income Statement
Balance Sheet
Financial Statements
Source Deloitte Touche
28
Internal Control
Authorization of Transactions
Safeguarding of Assets
Financial Reporting
Assets Compared to Accounting Records
Accounting Records
Source Deloitte Touche
29
Internal Control
FCPA / Attest
Disclosure Controls
Certify / Report on Evaluation
Laws and Regulations
Operations
Source Deloitte Touche
30
Missing Link
The weakest link is a compliance program and
infrastructure to measure and monitor
the effectiveness and alignment between corporate
governance and business unit / functional control
activities to provide a basis for certification.
Source Deloitte Touche
31
Documentation of Understanding

• Questionnaires
• Narrative descriptions
• Flowcharts

Invoice Copy 2
Invoice Copy 2
Invoice Copy 1
Invoice Copy 1
32
Assessing Control Risk

• For non-EDP-based systems, auditors are NOT
  required to perform tests of controls unless they
  plan to assess control risk at less than the
  maximum
• Nature of tests of controls
• Inquiry of client personnel
• Observation of client activities and operations
• Inspection of documents and other accounting
  records
• Reperforming procedures
• Perform a transaction walk-through from inception
  to ultimate recording

33
Assessing Control Risk

• Extent of tests of controls may be determined
  judgmentally or statistically
• Timing of tests of controls - usually performed
  before year-end (interim), but will examine
  transactions throughout the year

34
Obtaining and Understanding

• Audit Planning

Timing

• Sufficient to plan audit of each significant
  financial statement assertion under the
• Primarily substantive approach, or
• Lower assessed level of control risk approach

Extent

• Prior experience with entity
• Inquiring of entity personnel
• Observing entity operations
• Inspecting documents and records

Procedures

• Completed questionnaires
• Flowcharts
• Narrative Memoranda

Documentation
35
Summary of Audit Tests
Tests of Controls Substantive Tests
Types Concurrent. Additional. Analytical procedures. Tests of details of transactions. Tests of details of balances.
Purpose Determine effectiveness of design and operation of internal control structure policies and procedures. Determine fairness of significant financial statement assertions.
Nature of test measurement Frequency of deviations from control structure policies and procedures. Monetary errors in transactions and balances.
36
Applicable audit procedures Inquiring, observing, inspecting, reperforming, and computer-assisted audit techniques. Same as tests of controls, plus analytical procedures, counting, confirming, tracing, and vouching.
Timing Primarily interim work.1 Primarily at or near balance sheet date.2
Audit risk component Control risk. Detection risk.
Primary field work standard Second. Third.
Required by GAAS No. Yes.
1 Concurrent tests of controls are performed in
audit planning with procedures to obtain an
understanding of the internal control structure.
Additional tests of controls are performed during
interim field work. 2 Tests of details of
transactions may also be performed with tests of
controls as dual-purpose tests during interim
field work.
37
Roles and Responsibilities Internal Control
over Financial Reporting

• Management Designs and implements the system of
  internal control over financial reporting
  evaluates the effectiveness of the companys
  internal control over financial reporting and
  provides a public report on that assessment
  prepares the financial statements.
• Audit Committee Has responsibility for oversight
  of the companys financial reporting process.
• Independent Auditor Performs an audit of
  internal control over financial reporting and
  issues a report on managements assessment of
  internal control over financial reporting and on
  the effectiveness of internal control over
  financial reporting also performs an audit of
  the companys financial statements.

38
What Managements Report Will Include

• Under the SEC rules, managements report on
  internal control over financial reporting should
  include the following information
• Statement of managements responsibility for
  establishing and maintaining adequate internal
  control over financial reporting.
• Statement identifying the framework used by
  management to evaluate the effectiveness of
  internal control over financial reporting.
• Managements assessment of the effectiveness of
  the companys internal control over financial
  reporting as of the end of the companys most
  recent fiscal year, including an explicit
  statement as to whether that control is effective
  and disclosing any material weakness identified
  by management in that control.
• Statement that the registered public accounting
  firm that audited the financial statements
  included in the annual report has issued an
  attestation report on managements internal
  control assessment.

39
Audit of Internal Control

• Planning the scope of the work
• Obtaining an understanding of internal control
• Evaluating the design effectiveness of internal
  control
• Testing the operating effectiveness of internal
  control
• Assessing internal control deficiencies and
  reporting on overall effectiveness
• Integrating the audit of internal control with
  the audit of the entitys financial statements

40
Control Deficiencies and What They Mean

1. Management and the independent auditor will
   evaluate its significance and determine whether
   it constitutes a control deficiency, a
   significant deficiency, or a material weakness.
2. Deficiencies that are less serious than a
   material weakness (i.e., control deficiencies and
   significant deficiencies) are required to be
   disclosed to the audit committee and/or
   management.
3. Management and the independent auditor must
   evaluate less serious weaknesses to determine
   whether, when taken together, they result in a
   material weakness.

41
Control Deficiencies and What They Mean (cont.)

• All identified material weaknesses that exist at
  the companys fiscal year-end must be disclosed
  in the public reports issued by management and
  the auditor. Although not required by Section
  404, some companies may also choose to disclose
  significant deficiencies.
• If one or more material weaknesses exist at the
  companys fiscal year-end, management and the
  auditor must conclude that internal control over
  financial reporting is not effective.

42
Control Deficiencies and What They Mean (cont.)

1. The PCAOB has defined a material weakness as a
   significant control deficiency, or combination
   of deficiencies, that results in more than a
   remote likelihood that a material misstatement of
   the annual or interim financial statements will
   not be prevented or detected.
2. A material weakness does not mean that a material
   misstatement has occurred or will occur, but that
   it could occur.
3. Although the law and rules require that
   management disclose material weaknesses, they
   provide no specific guidance about

43
Control Deficiencies and What They Mean (cont.)

• A company can report a material weakness in
  internal control over financial reporting and
  still receive an unqualified, or clean,
  financial statement opinion from the independent
  auditor.
• Whether management or the auditor identifies a
  material weakness, management continues to be
  responsible for the preparation of complete and
  accurate financial statements.
• management should take whatever steps are
  necessary to compensate for the material weakness
  in the financial statement preparation process.

44
PCAOB Auditing Standard No. 2An Audit of
Internal Control over Financial Reporting
Performed in Conjunction with an Audit of
Financial Statements

• AS No. 2 required three integrated reports on
• Financial statements audited by registered public
  accounting firms.
• Managements assessment of the effectiveness of
  internal control over financial reporting
  (Section 404).
• The effectiveness of internal control over
  financial reporting over financial reporting
  based on the auditors attestation of internal
  control.
• AS No 2 is effective beginning June 17, 2004.

Source http//pcaobus.org/
45
Evaluate Results (PCAOB 2)

• Internal Control Deficiency
• An internal control deficiency exists when the
  design or operation of A control does not allow
  the companys management or employees, in the
  normal course of performing their assigned
  functions, to prevent or detect misstatements on
  a timely basis.
• Significant deficiency
• More than a remote likelihood of a misstatement
  of the annual or interim financial statements
  that is more than inconsequential in amount
• Material weakness
• More than a remote likelihood of a material
  misstatement
• Significant deficiencies and material
  misstatements must be communicated in writing to
  audit committee

46
Types of Internal Control Reports (PCAOB 2)

• Separate Report on Internal Control
• Opinions on managements assertion of internal
  control effectiveness as well as actual internal
  control effectiveness
• Opinion on financial statements contained in
  separate audit report
• Integrated Audit Report and Report on Internal
  Control
• Includes auditors opinions on 1) managements
  assertion of internal control effectiveness, 2)
  internal control effectiveness, and 3) the
  fairness of the companys financial statements.

47
The Independent Auditors Opinion

• The content of the auditors report is prescribed
  by the PCAOB standard. The most common opinions
  on the effectiveness of internal control over
  financial reporting will be
• Unqualified Opinion. An opinion that internal
  control over financial reporting is effective no
  material weaknesses in internal control over
  financial reporting exist as of the fiscal
  year-end assessment date.
• Adverse Opinion. An opinion that internal
  control over financial reporting is not
  effective one or more material weaknesses exist
  as of the fiscal year-end assessment date.
• Disclaimer of Opinion. A report stating that
  restrictions on the scope of the auditors work
  prevent the auditor from expressing an opinion on
  the companys internal control over financial
  reporting.

Source http//pcaobus.org/
48
Report of Independent Registered Public
Accounting Firm
1. Introductory Paragraph
2. Scope Paragraph
3. Definition Paragraph
4. Inherent Limitations Paragraph
4. Explanatory Paragraph
6. Opinion Paragraph
7. Signature
8. City and State or County
9. Date
The explanatory paragraph is required only when
auditors opinion is other than unqualified and
may also be placed after the opinion paragraph
when the auditor issues two separate reports on
the audit of financial statements and internal
controls, thus makes reference to opinion on the
financial statement audit in the report on the
internal control audit.
Source http//pcaobus.org/
49
Source Release No. 2004-001, pages 116-137,
Appendix A Illustrative Reports, available at
http//pcaobus.org.
50
Source Release No. 2004-001, pages 116-137,
Appendix A Illustrative Reports, available at
http//pcaobus.org.
51
Source Release No. 2004-001, pages 116-137,
Appendix A Illustrative Reports, available at
http//pcaobus.org.
52
Suitable Internal Control Framework (Example
COSO)
Source Deloitte Touche
53
Suggestions

• Testing and evaluating the effectiveness of both
  the design and operation of internal controls.
• Potential costs and benefits of Section 404
• Assessment of the effectiveness of the audit
  committee whereas ineffectiveness is considered
  as a strong indicator of material weakness.

54
Next Time
Module H Information Systems Auditing