1 / 44

Chapter 7

Chapter 7. Auditing Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. LO# 1. Management Responsibilities under Section 404.

haines
Download Presentation

Chapter 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 7 Auditing Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements

  2. LO# 1 Management Responsibilities under Section 404 Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting.

  3. LO# 1 Management Responsibilities under Section 404 Management must comply with the following in order for its public accounting firm to complete an audit of internal control over financial reporting. • Accepts responsibility for the effectiveness of the entity’s internal control over financial reporting. • Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria. • Support its evaluation with sufficient evidence, including documentation. • Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.

  4. LO# 2 Auditor Responsibilities under Section 404 and AS5 The entity’s independent auditor must audit and report on management’s assertion about the effectiveness of internal control. The auditor is required to conduct an integrated audit of the entity’s internal control over financial reporting and its financial statements.

  5. LO# 3 Internal Control over Financial Reporting Defined Internal control over financial reporting is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that: • Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company. • Provide reasonable assurance that transactions are recorded in accordance with GAAP. • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets.

  6. LO# 4 Internal Control Deficiencies Defined A control deficiencyexists when the design or operationof a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiencyis a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

  7. LO# 4 Internal Control Deficiencies Defined A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weaknessin the system of internal control. A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood reasonably possible) and magnitude (material, consequential, or inconsequential).

  8. LO# 4 Internal Control Deficiencies Defined Materialweakness MAGNITUDE Material Significant deficiency Not material but significant Control deficiency Not material or significant Remote Reasonablypossible or probable L I K E L I H O O D

  9. Internal Control Deficiencies Defined and Reporting requirements LO# 4 Report externally, to audit committee and to management Materialweakness MAGNITUDE Material Report to audit committee and to management Significant deficiency Not material but significant Control deficiency Report to management Not material or significant Remote Reasonably possible or probable L I K E L I H O O D 7-9

  10. LO# 5 Management’s Assessment Process • Management must follow a top-down, risk-based approach: • Identify financial reporting risks and controls. • Evaluate evidence about the operating effectiveness of ICFR. • Consider which locations to include in the evaluation.

  11. Management Reporting Considerations • Evaluate the severity of control deficiencies defined • If the CD is a material weakness, it must be disclosed in the assessment of the effectiveness of ICOFR and should include the following: 1. The nature of the MW 2. Its impact on the company’s financial reporting as well as ICOFR 3. Management’s plans for correcting the MW

  12. Management Reporting Considerations (continued) • Any control deficiency considered a significant deficiency or material weakness should be reported to the audit committee and to the external auditor • Management’s assessment involves special consideration of two topics (also to be considered by the auditor). They are: (1) Service org. (2) safeguarding assets.

  13. LO# 6 Management’s Documentation Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also includes policy manuals, job descriptions, flowcharts, and process models.

  14. COSO LO# 7 Framework Used by Management to Conduct Its Assessment Most entities use the framework developed by COSO.This framework identifies three primary objectives of internal control: (1) reliable financial reporting;(2) efficiency and effectiveness of operations;and (3) compliance with laws and regulations.

  15. LO# 8 Performing an Audit of ICFR

  16. Tests of internalcontrol Substantiveauditprocedures LO# 9 Integrating the Audits of Internal Control and Financial Statements An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control.

  17. LO# 9 Effect of the Audit of Internal Control on the Financial Statement Audit When the auditor performs an integrated audit, he or she will have access to a large amount of information about the client’s controls. This information can make the financial statement audit more efficient and result in reduced substantive procedures. Regardless of the level of control risk in connection with the audit of the financial statements, auditing standards require the auditor to perform some substantive procedures for all significant accounts and disclosures.

  18. LO# 10 Plan the Engagement • The planning process is similar to the process used for the audit of F/S. • Consider the following: • Risk assessment and the risk of fraud. • Scaling the audit. • Using the work of others. • Materiality.

  19. The role of risk assessment and the risk of fraud: • AS5 requires that risk assessment underlies the entire audit of ICOFR • There should be a direct relationship between the risk that a material weakness could exist in a particular area of IC and the amount of audit work done in that area. • Assessing the risk of fraud.

  20. Scaling the Audit AS5 paragraph 13 clearly states “the size and complexity of the company, its business processes, and business units, may affect the way in which the company achieves many of its control objectives”

  21. LO# 10 Special Consideration:Using the Work of Others A major consideration for the external auditor is how much the work performed by others. In determining the extent to which the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work. As the risk associated with the control being tested increases, the external auditor should do more of the work.

  22. LO# 11 Using a Top-Down Approach See Table 7-4 See Table 7-5

  23. LO# 12 Test Controls • Evaluate design • Test and evaluate operating effectiveness • Nature: Inquiry, inspection of documents, observation and reperformance • timing: interim vs “as of” date • Extent: consider (a) nature of control (b) frequency of operation; and (c) importance of the control

  24. LO# 13 Evaluate Identified Control Deficiencies As discussed previously, the auditor must consider the likelihood and magniture of the control deficiency.

  25. LO# 13 Evaluate Identified Control Deficiencies If a deficiency, or combination of deficiencies, prevents the auditor from having reasonable assurance that transactions are recorded properly, then the auditor should treat the deficiency as an indicator of a material weakness.

  26. LO# 11 Remediation of a Material Weakness • Remediation is the process of correcting a material weakness in the ICFR • If a material weakness is corrected before the “as of” date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control – if not, an adverse opinion is still issued. 7-26

  27. LO# 10 Written Representations In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of internal control over financial reporting. Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.

  28. LO# 11 Auditor Documentation Requirements The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control. When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

  29. Auditor Documentation Requirements LO# 13 The auditor’s documentation of the process, procedures, judgments and results relating to the audit of ICFR should include: 1. The auditor’s understanding and evaluation of the design of each of the components of ICFR; 2. The process used to determine the points at which misstatements could occur; 3. The extent to which the auditor relied upon the work of others; and 4. The evaluation of any deficiencies discovered or other findings which could result in a report modification. 7-29

  30. LO# 13 The Auditor’s Report on Internal Control over Financial Reporting Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in the company’s annual report.

  31. LO# 13 & 14 Auditor’s Report Relating to the Audit of Internal Control The auditor’s report contains an opinion the effectiveness of ICFR based on the auditor’s independent audit work.

  32. LO# 18 & 19 Types of Reports Relating to the Audit of ICFR An unqualified opinion signifies that the client’s internal control is designed and operating effectively. A serious scope limitation requires the auditor to disclaim an opinion. An adverse opinion is required if a material weakness is identified.

  33. LO# 19 Types of Reports Relating to the Audit of ICFR Report Modification Based on Control Deficiencies Likelihood/Magnitude of Misstatement Type ofAudit Report Controldeficiency Unqualifiedopinion Significantdeficiency Materialweakness Adverseopinion

  34. LO# 19 Types of Reports Relating to the Audit of Internal Control Report Modification Based on Scope Limitation Reason forScope Limitation Type ofAudit Report Minoreffect Unqualifiedopinion Disclaimopinion orwithdraw Severlimitation

  35. LO# 17 Additional Required Communications in an Audit of ICFR The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.

  36. Advanced Module 1: Special Considerations for an Audit of Internal Control Serviceorganizations. Safeguardingassets.

  37. LO# 21 Use of Service Organizations Many companies use service organization to process transactions. If the service organization’s services make up part of a company’s information system, then they are considered part of the information and communication component of the company’s internal control over financial report. Thus, both management and the auditor must consider the activities of the service organization.

  38. LO# 21 Use of Service Organizations Management and the auditor should perform the following procedures with respect to the activities performed by the service organization: (1) obtain an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization and (2) obtain evidence that the controls which are relevant to management’s assessment and the auditor’s opinion are operating effectively.

  39. LO# 23 Safeguarding of Assets Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”

  40. Advanced Module 2: Computer-Assisted Audit Techniques • Computer-assisted audit techniques include: • Generalized audit software packages. • Custom audit software. • Test data.

  41. LO# 23 Generalized Audit Software

  42. LO# 23 Custom Audit Software Custom audit software is generally written by auditors for specific audit tasks. It may be required when the client’s computer system is not compatible with the auditor’s generalized audit software. • Custom software: • Is expensive to develop. • Requires extended development time. • Is limited in scope of functions.

  43. LO# 23 Test Data This is data developed by the auditor to test the application controls in the client’s computer programs. The technique can be used to check (1) data validation controls and error detection routines, (2) processing logic controls, (3) arithmetic calculations, and (4) the inclusion of transactions in records, files, and reports.

  44. End of Chapter 7

More Related