AUDITING CHAPTER 8 Internal Control By David N. Ricchiute

Upload: lenora

Post on 19-Jan-2016

GBW 8th ed., Ch. 8

TOPICS

COSO framework of internal control
Auditor’s consideration of internal control
Audit of internal control mandated by Sarbanes-Oxley

INTRODUCTION

Auditor responsible for considering internal control in audit program design
  Audit planning
    What is assessed level of control risk?
    Based on control risk assessment, can auditor relax nature, extent, timing of substantive tests?
Sarbanes-Oxley Act requires auditor to audit internal control
  To comply with Act & SEC’s rules

COSO FRAMEWORK

COSO provides guidance for auditor’s consideration of internal control
  A framework to assess internal controls
  Common definition for internal controls
  Applies to financial reporting & other management objectives
Sarbanes-Oxley Act applies only to financial reporting

INTERNAL CONTROL: COSO Definition

A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  Effectiveness & efficiency of operations
  Reliability of financial reporting
  Compliance with applicable laws & regulations

COSO, 1992, p. 9

CONCEPTS OF COSO DEFINITION

Internal control is a process
Internal control accomplished by people at all levels
Internal control is means to achieve entity’s objectives
Internal controls provide reasonable, not absolute, assurance

INTERNAL CONTROL OBJECTIVES

Operations objectives
  Market share, ROI, product/service diversification
Financial reporting objectives
  Producing reliable financial statements
Compliance objectives
  Compliance with laws, regulations

SEC & PCAOB: Control Over Financial Reporting

Sarbanes-Oxley Act Section 404
  Management to certify internal control over financial reporting is effective
  Auditor to issue opinion on management’s certification

INTERNAL CONTROL OVER FINANCIAL REPORTING

SEC, PCAOB definition Section 404
  A process designed by, or under supervision of principal executive & principal financial officers . . .
  To provide reasonable assurance regarding reliability of financial reporting, preparation financial statements in accordance with GAAP

SEC, Final Rule. Washington, D. C.: SEC, 2003.

INTERNAL CONTROL: Policies & Procedures

Maintain records in reasonable detail
  To accurately, fairly reflect transactions, dispositions of assets
Provide reasonable assurance that
  Transactions recorded as necessary to prepare financial statements in accord with GAAP
  Receipts, expenditures in accord with management’s, directors’ authorization
  Unauthorized acquisition, use of assets having material effect on financial statements will be prevented, detected in timely manner

COSO COMPONENTS OF INTERNAL CONTROL

Control environment
Risk assessment
Control activities
Information & communications support
Monitoring

COSO & adopted by SAS 94

CONTROL ENVIRONMENT

Management’s & board of directors’ attitude, awareness, & actions regarding internal control
Captures importance of control in management’s operating style
“Tone at the top”

ELEMENTS OF CONTROL ENVIRONMENT

Attitude & awareness
Integrity
Commitment
Directors, audit committee
Management philosophy
Organization structure
Authority
HR policies, procedures

Codes of conduct
Committed to quality
Board independent of management
Attitude about false records
Proper flow information
Responsibilities defined
Policies training, promotion, etc.

RISK ASSESSMENT

Management’s responsibility to identify risks for
  Financial reporting
  Operations
  Compliance

Management’s responsibility to take action to manage risks

MANAGING RISKS IN CHANGE

Change agents

Operating environment
New personnel
New information system
Rapid growth
New technology
New products, services
Corporate restructuring
Foreign operations

Divestiture
Organization culture
Time constraints for redesign
Back orders
Production delays
Unfamiliar risks
Staff reductions, inadequate supervision
Local customs, culture

CONTROL ACTIVITIES

Policies & procedures to provide reasonable assurance that objectives are met
  Authorization, execution of transactions
  Segregation of duties
  Design & use of documents & records
  Access to assets & records

CONTROL ACTIVITIES: Categories

Preventive controls
  Intended to prevent misstatement
Detective controls
  Detect misstatements that have occurred

CONTROL ACTIVITIES: Authorization

All transactions should be authorized by responsible personnel acting within scope of prescribed authority, responsibility
  Specific authorization
    Required for each transaction
    Typically unusual transactions
  General authorization
    Policies, procedures for typical transactions

SEGREGATION OF DUTIES

Optimum segregation of duties exists when collusion is necessary to circumvent controls
Separate functions for
  Management (authorization)
  Custody (transaction execution)
  Accounting (recording transactions)
  Monitoring (independent checks on performance)

DESIGN, USE DOCUMENTS & RECORDS

Evidence of executed transactions
  Represent an audit trail
Impact efficiency
  Designed for multiple use
  Prenumbered consecutively
  Easy to complete

ACCESS TO ASSETS & RECORDS

Access limited to authorized personnel by
  Locks for physical protection
  Limits on employee access online
  Codes to authorize access

INFORMATION, COMMUNICATION: Defined

System identifies, captures, communicates external & internal information in form & timeframe to discharge responsibilities
Includes accounting system

INFORMATION, COMMUNICATION: Sources

External
  Market share, regulatory requirements, complaints
Internal
  Identify valid transactions
  Record proper time period
  Sufficient detail to classify, measure, present in financial statements

INFORMATION, COMMUNICATION: Accounting

Methods, records, to identify valid transactions
Transactions recorded in proper period
Describe transactions on timely basis, sufficient detail to properly
  Classify
  Measure
  Summarize
  Disclose

TRANSACTION CYCLES: Defined

Accounting system organized & processes information in cycles
  Financing
  Expenditure & disbursement
  Conversion
  Revenue & receipt

TRANSACTION CYCLES: Examples

Cycles
  Financing
    Capital funds received, used, invested
  Expenditure/disbursement
    Goods, services acquired from vendors, employees & paid
  Conversion
    Resources used, held, transformed
  Revenue/receipt
    Resources distributed to outsiders; payment received

MONITORING

Continuous or periodic evaluation
Resolution of discrepancies
To ensure reliability

RESTATEMENT, FRAUD, & INTERNAL CONTROL

Section 13(b)(2)(B) of 1934 Securities Exchange Act requires issuers to devise, maintain system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accord with GAAP.

Internal control is a matter of law

ASSESSING CONTROL RISK

A sufficient understanding of internal control is to be obtained to plan the audit & determine the nature, timing, and extent of tests to be performed. (2nd GAAS fieldwork)
Obtain understanding
Assess control risk
Determine nature, timing, extent of substantive tests

ASSESSING V. AUDITING COSO INTERNAL CONTROLS

Assessing controls
  Obtain understanding
  Assess control risk for assertions about balances & transactions
  Determine nature, extent, timing of substantive tests
Auditing Section 404
  Obtain understanding
  Evaluate effectiveness
  Form opinion on internal control over financial reporting

OBTAIN UNDERSTANDING: Audit Committee Effectiveness

Final authority over financial reporting
Challenge CEO, CFO over financial reporting
Seek advice of independent auditor
Engages independent counsel when necessary

OBTAIN UNDERSTANDING: Auditor’s Evaluation

Auditor evaluates audit committee effectiveness by considering
  Nominating process & independence
  Clarity of responsibilities
  Level management cooperation
  Committee involvement with auditor & internal auditing
  Time devoted to audit, internal controls

OBTAIN UNDERSTANDING: Information Technology

Personal computers & local area networks
Database management systems
End-user computing
Telecommunications
Service bureaus
Internet technology
Software for information systems
  Operating & applications software

OBTAIN UNDERSTANDING: IT & “Section 404 Documentation”

For information technology, did management
  Document & test controls related to financial reporting?
  Evaluate effectiveness, likelihood of failure?
  Communicate findings to auditor?
  Reach assessment that documentation supports?

OBTAIN UNDERSTANDING: Document System

To demonstrate compliance with requirement to understand & evaluate client’s system
  Internal control questionnaire
  Flowchart
  Narrative memorandum

OBTAIN UNDERSTANDING: Identify Transactions Cycles

To identify cycles
  Review account components for homogeneity
  Identify representative cycles
  Flowchart each cycle
  Trace representative transactions through each cycle
  Revise flowcharts if necessary

OBTAIN UNDERSTANDING: Perform Transaction Walkthroughs

Required by Section 404 of Sarbanes-Oxley Act
Trace wide range of transactions, common, uncommon, from each cycle through system from Authorization to Execution to Recording to Summarization

OBTAIN UNDERSTANDING: Auditor Responsibilities

In transactions walkthroughs, auditor must
  Understand controls over end-of-period financial reporting
    Especially for effects on earnings

EVALUATE CONTROL EFFECTIVENESS: Reliability

When documenting controls
  Identify controls to be relied upon
    Test controls
    If acceptable, assess control risk below maximum
  Identify controls not suitable to justify reliance
    Do not test these controls
    Assess control risk at maximum
    Plan audit to rely heavily on substantive tests

EVALUATE CONTROL EFFECTIVENESS: Risk

Assess Control Risk
  Consider errors, frauds that could occur
  Identify relevant control activities to prevent, detect errors, frauds
  Perform tests of controls on control activities that may prevent, detect errors, frauds

EVALUATE CONTROL EFFECTIVENESS: Tests of Controls

Testing design of controls
  Whether policy, procedure suitably designed to prevent, detect material misstatements
Testing operations of controls
  Were control activities performed?
  How were they performed?
  By whom were they performed?

EVALUATE CONTROL EFFECTIVENESS: General Controls

Computer assisted tests
  Organization, operation controls
  Systems development & documentation controls
  Hardware controls
  Access controls
  Data & procedural controls

GENERAL CONTROL EFFECTIVENESS: Operation

Organization & operation
  Segregate computer department & users
  Provide general authorization over execution of transactions
  Segregate functions within the computer department

GENERAL CONTROL EFFECTIVENESS: Documentation

Development & documentation
  Participation by users, accounting personnel, internal auditors in system design
  Review, approval of system specifications
  Joint system testing by user, computer personnel
  Approval new applications, changes
  Control over master, transaction files
  Procedures to create, maintain documentation

GENERAL CONTROL EFFECTIVENESS: Hardware

Hardware controls
  Controls built into computers by manufacturers

GENERAL CONTROL EFFECTIVENESS: Access Controls

Limit access to authorized personnel for
  Hardware
  Software
  Data files
  Software support documentation

GENERAL CONTROL EFFECTIVENESS: Data

Data & procedural controls
  Written procedures, authorization manuals
  Control groups

EVALUATE CONTROL EFFECTIVENESS

Computer-Assisted Tests of Application Controls
  Input controls
  Processing controls
  Output controls

APPLICATION CONTROL EFFECTIVENESS: Input

Input controls
  Input authorization, approval
  Code verification
  Data conversion
  Data movement
  Occurrence correction

APPLICATION CONTROL EFFECTIVENESS: Processing

Processing controls
  Control totals
  File labels
  Limit (reasonableness) tests

APPLICATION CONTROL EFFECTIVENESS: Output

Output controls
  Control totals comparisons
  Output distribution

COMPUTER-ASSISTED TESTS OF CONTROLS: Types

Test data: uses client software to process data with valid & invalid transactions
Base Case System Evaluation (BCSE): develops test data to test expected conditions
Integrated test facility: tests whether client actually uses software by running live and fictitious data simultaneously
Parallel simulation: processing client data with auditor’s software

COMPUTER-ASSISTED TESTS OF CONTROLS: Types (cont.)

Embedded audit modules: selects client data for subsequent testing & analysis
  SCARFs: logs created from embedded audit modules that collect transaction information

Audit hooks & tagging: transaction records tagged & traced through critical control points

CONTROL DEFICIENCIES, MATERIAL WEAKNESSES

Deficiencies do not allow management, employees to prevent, detect misstatements in normal course of business
Material weakness is a significant deficiency more than remotely likely to cause a material misstatement that will not be prevented, detected

NATURE, TIMING, EXTENT

Audit risk strategy
  Determine acceptable detection risk
  Design nature, timing, extent of substantive tests

NATURE, TIMING, EXTENT & SUBSTANTIVE TESTS

Effect by Level of Detection Risk

Nature
  Lower: Use more persuasive tests (confirmation)
  Higher: Use less persuasive tests (documentation)
Timing
  Lower: Test at balance sheet date
  Higher: Test at interim dates
Extent
  Lower: Test more (increase sample size)
  Higher: Test less (decrease sample size)

AUDITOR’S OPINION ON INTERNAL CONTROLS

Auditor evaluates
  Reports by internal auditors
  Significant deficiencies
  Results of test of controls
  Results of substantive test of details

To issue an opinion on controls