AUDITING CHAPTER 8
Internal Control
By David N. Ricchiute

TOPICS
• COSO framework of internal control
• Auditor’s consideration of internal control
• Audit of internal control mandated by Sarbanes-Oxley

GBW 8th ed., Ch. 8

INTRODUCTION
• Auditor responsible for considering internal control in audit program design
• Audit planning
  • What is assessed level of control risk?
  • Based on control risk assessment, can auditor relax nature, extent, timing of substantive tests?
• Sarbanes-Oxley Act requires auditor to audit internal control
  • To comply with Act & SEC’s rules

COSO FRAMEWORK
• COSO provides guidance for auditor’s consideration of internal control
  • A framework to assess internal controls
  • Common definition for internal controls
• Applies to financial reporting & other management objectives
  • Sarbanes-Oxley Act applies only to financial reporting

INTERNAL CONTROL: COSO Definition
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws & regulations
COSO, 1992, p. 9

CONCEPTS OF COSO DEFINITION
• Internal control is a process
• Internal control accomplished by people at all levels
• Internal control is means to achieve entity’s objectives
• Internal controls provide reasonable, not absolute, assurance

INTERNAL CONTROL OBJECTIVES
• Operations objectives
  • Market share, ROI, product/service diversification
• Financial reporting objectives
  • Producing reliable financial statements
• Compliance objectives
  • Compliance with laws, regulations

SEC & PCAOB: Control Over Financial Reporting
• Sarbanes-Oxley Act Section 404
  • Management to certify internal control over financial reporting is effective
  • Auditor to issue opinion on management’s certification

INTERNAL CONTROL OVER FINANCIAL REPORTING
• SEC, PCAOB definition Section 404
A process designed by, or under supervision of principal executive & principal financial officers . . . To provide reasonable assurance regarding reliability of financial reporting, preparation financial statements in accordance with GAAP
SEC, Final Rule. Washington, D.C.: SEC, 2003.

INTERNAL CONTROL: Policies & Procedures
• Maintain records in reasonable detail
  • To accurately, fairly reflect transactions, dispositions of assets
• Provide reasonable assurance that
  • Transactions recorded as necessary to prepare financial statements in accord with GAAP
  • Receipts, expenditures in accord with management’s, directors’ authorization
  • Unauthorized acquisition, use of assets having material effect on financial statements will be prevented, detected in timely manner

COSO COMPONENTS OF INTERNAL CONTROL
• Control environment
• Risk assessment
• Control activities
• Information & communications support
• Monitoring
COSO & adopted by SAS 94

CONTROL ENVIRONMENT
• Management’s & board of directors’ attitude, awareness, & actions regarding internal control
• Captures importance of control in management’s operating style
• “Tone at the top”

ELEMENTS OF CONTROL ENVIRONMENT
Attitude & awareness

RISK ASSESSMENT
• Management’s responsibility to identify risks for
  • Financial reporting
  • Operations
  • Compliance
• Management’s responsibility to take action to manage risks

MANAGING RISKS IN CHANGE
Change agents

CONTROL ACTIVITIES
• Policies & procedures to provide reasonable assurance that objectives are met
  • Authorization, execution of transactions
  • Segregation of duties
  • Design & use of documents & records
  • Access to assets & records

CONTROL ACTIVITIES: Categories
• Preventive controls
  • Intended to prevent misstatement
• Detective controls
  • Detect misstatements that have occurred

CONTROL ACTIVITIES: Authorization
All transactions should be authorized by responsible personnel acting within scope of prescribed authority, responsibility
• Specific authorization
  • Required for each transaction
  • Typically unusual transactions
• General authorization
  • Policies, procedures for typical transactions

SEGREGATION OF DUTIES
• Optimum segregation of duties exists when collusion is necessary to circumvent controls
• Separate functions for
  • Management (authorization)
  • Custody (transaction execution)
  • Accounting (recording transactions)
  • Monitoring (independent checks on performance)

DESIGN, USE DOCUMENTS & RECORDS
• Evidence of executed transactions
• Represent an audit trail
• Impact efficiency
• Designed for multiple use
• Prenumbered consecutively
• Easy to complete

ACCESS TO ASSETS & RECORDS
• Access limited to authorized personnel by
  • Locks for physical protection
  • Limits on employee access online
  • Codes to authorize access

INFORMATION, COMMUNICATION: Defined
• System identifies, captures, communicates external & internal information in form & timeframe to discharge responsibilities
• Includes accounting system

INFORMATION, COMMUNICATION: Sources
• External
  • Market share, regulatory requirements, complaints
• Internal
  • Identify valid transactions
  • Record proper time period
  • Sufficient detail to classify, measure, present in financial statements

INFORMATION, COMMUNICATION: Accounting
• Methods, records, to identify valid transactions
• Transactions recorded in proper period
• Describe transactions on timely basis, sufficient detail to properly
  • Classify
  • Measure
  • Summarize
  • Disclose

TRANSACTION CYCLES: Defined
• Accounting system organized & processes information in cycles
  • Financing
  • Expenditure & disbursement
  • Conversion
  • Revenue & receipt

TRANSACTION CYCLES: Examples
Cycles

MONITORING
• Continuous or periodic evaluation
• Resolution of discrepancies
• To ensure reliability

RESTATEMENT, FRAUD, & INTERNAL CONTROL
Section 13(b)(2)(B) of 1934 Securities Exchange Act requires issuers to devise, maintain system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accord with GAAP.
• Internal control is a matter of law

ASSESSING CONTROL RISK
A sufficient understanding of internal control is to be obtained to plan the audit & determine the nature, timing, and extent of tests to be performed. (2nd GAAS fieldwork)
• Obtain understanding
• Assess control risk
• Determine nature, timing, extent of substantive tests

ASSESSING V. AUDITING COSO INTERNAL CONTROLS
Assessing controls
Auditing Section 404

OBTAIN UNDERSTANDING: Audit Committee Effectiveness
• Final authority over financial reporting
• Challenge CEO, CFO over financial reporting
• Seek advice of independent auditor
• Engages independent counsel when necessary

OBTAIN UNDERSTANDING: Auditor’s Evaluation
• Auditor evaluates audit committee effectiveness by considering
  • Nominating process & independence
  • Clarity of responsibilities
  • Level of management cooperation
  • Committee involvement with auditor & internal auditing
  • Time devoted to audit, internal controls

OBTAIN UNDERSTANDING: Information Technology
• Personal computers & local area networks
• Database management systems
• End-user computing
• Telecommunications
• Service bureaus
• Internet technology
• Software for information systems
• Operating & applications software

OBTAIN UNDERSTANDING: IT & “Section 404 Documentation”
• For information technology, did management
  • Document & test controls related to financial reporting?
  • Evaluate effectiveness, likelihood of failure?
  • Communicate findings to auditor?
  • Reach assessment that documentation supports?

OBTAIN UNDERSTANDING: Document System
• To demonstrate compliance with requirement to understand & evaluate client’s system
  • Internal control questionnaire
  • Flowchart
  • Narrative memorandum

OBTAIN UNDERSTANDING: Identify Transaction Cycles
• To identify cycles
  • Review account components for homogeneity
  • Identify representative cycles
  • Flowchart each cycle
  • Trace representative transactions through each cycle
  • Revise flowcharts if necessary

OBTAIN UNDERSTANDING: Perform Transaction Walkthroughs
• Required by Section 404 of Sarbanes-Oxley Act
• Trace wide range of transactions, common, uncommon, from each cycle through system from
  • Authorization to
  • Execution to
  • Recording to
  • Summarization

OBTAIN UNDERSTANDING: Auditor Responsibilities
• In transaction walkthroughs, auditor must
  • Understand controls over end-of-period financial reporting
  • Especially for effects on earnings

EVALUATE CONTROL EFFECTIVENESS: Reliability
• When documenting controls
  • Identify controls to be relied upon
    • Test controls
    • If acceptable, assess control risk below maximum
  • Identify controls not suitable to justify reliance
    • Do not test these controls
    • Assess control risk at maximum
    • Plan audit to rely heavily on substantive tests

EVALUATE CONTROL EFFECTIVENESS: Risk
• Assess Control Risk
  • Consider errors, frauds that could occur
  • Identify relevant control activities to prevent, detect errors, frauds
  • Perform tests of controls on control activities that may prevent, detect errors, frauds

EVALUATE CONTROL EFFECTIVENESS: Tests of Controls
• Testing design of controls
  • Whether policy, procedure suitably designed to prevent, detect material misstatements
• Testing operations of controls
  • Were control activities performed?
  • How were they performed?
  • By whom were they performed?

EVALUATE CONTROL EFFECTIVENESS: General Controls
• Computer assisted tests
  • Organization, operation controls
  • Systems development & documentation controls
  • Hardware controls
  • Access controls
  • Data & procedural controls

GENERAL CONTROL EFFECTIVENESS: Operation
• Organization & operation
  • Segregate computer department & users
  • Provide general authorization over execution of transactions
  • Segregate functions within the computer department

GENERAL CONTROL EFFECTIVENESS: Documentation
• Development & documentation
  • Participation by users, accounting personnel, internal auditors in system design
  • Review, approval of system specifications
  • Joint system testing by user, computer personnel
  • Approval of new applications, changes
  • Control over master, transaction files
  • Procedures to create, maintain documentation

GENERAL CONTROL EFFECTIVENESS: Hardware
• Hardware controls
  • Controls built into computers by manufacturers

GENERAL CONTROL EFFECTIVENESS: Access Controls
• Limit access to authorized personnel for
  • Hardware
  • Software
  • Data files
  • Software support documentation

GENERAL CONTROL EFFECTIVENESS: Data
• Data & procedural controls
  • Written procedures, authorization manuals
  • Control groups

EVALUATE CONTROL EFFECTIVENESS
• Computer-Assisted Tests of Application Controls
  • Input controls
  • Processing controls
  • Output controls

APPLICATION CONTROL EFFECTIVENESS: Input
• Input controls
  • Input authorization, approval
  • Code verification
  • Data conversion
  • Data movement
  • Occurrence correction

APPLICATION CONTROL EFFECTIVENESS: Processing
• Processing controls
  • Control totals
  • File labels
  • Limit (reasonableness) tests