Download - Arens12e 10
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 1
Section 404 Audits of Internal Control and Control Risk
Chapter 10
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 22
Learning Objective 1
Describe the three primary
objectives of effective
internal control.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 33
3. Compliance with laws and regulations
2. Efficiency and effectiveness of operations
1. Reliability of financial reporting
Internal Control Objectives
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 44
Learning Objective 2
Contrast management’s
responsibilities for maintaining
and reporting on internal controls
with the auditor’s responsibilities
for understanding, testing, and
reporting on internal controls.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 55
Management and Auditor Responsibilities Relatedto Internal Control
Management’s responsibilityfor establishing internal control
Reasonable assurance
Inherent limitations
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 66
Management and Auditor Responsibilities Relatedto Internal Control
Management’s Section 404reporting responsibilities
Design of internal control
Operating effectiveness of controls
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 77
Management and Auditor Responsibilities Relatedto Internal Control
Auditor responsibilities forunderstanding internal control
Control over classes of transactions
Auditor responsibilities for testinginternal control
Controls over the reliabilityof financial reporting
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 88
Sales Transaction-related Audit Objectives
Sales Transaction-relatedAudit Objectives
Sales are for shipmentsto existing customers
Transaction-related AuditObjective – General form
Recorded transactionsexist (occurrence)
Existing sales transactionsare recorded
Existing transactions arerecorded (completeness)
Transactions are statedcorrectly (accuracy)
Sales for goods shippedare correctly billed
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 99
Sales Transaction-related Audit Objectives
Transactions are correctlyclassified (classification)
Sales transactions arecorrectly classified
Transactions are recordedon correct dates (timing)
Sales are recorded onthe correct dates
Transactions are correctlyfiled (posting andsummarization)
Sales transactions arecorrectly included in themaster files
Sales Transaction-relatedAudit Objectives
Transaction-related AuditObjective – General form
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1010
Learning Objective 3
Explain the five components
of the COSO internal
control framework.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1111
Five Components of Internal Control
Riskassessment
Controlactivities
Information andcommunication
Monitoring
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1212
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or auditcommittee participation
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1313
The Control Environment
Management’s philosophy and operating style
Organizational structure
Human resource policies and practices
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1414
Risk Assessment
Identify factors that may increase risk
Assess the likelihood of the risk occurring
Determine actions necessary to manage the risk
Estimate the significance of the risk
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1515
Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1616
Adequate Separation of Duties
Custody of assets Accounting
Authorizationof transactions
The custody ofrelated assets
Operationalresponsibility
Record-keepingresponsibility
IT duties User departments
from
from
from
from
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1717
Proper Authorization of Transactions and Activities General authorization
Specific authorization
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1818
Adequate Documents and Records
Prenumbered consecutively
Prepared at the time of transaction
Designed for multiple use
Constructed to encourage correct preparation
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 1919
Physical Control Over Assetsand Records
The most important type of protectivemeasure for safeguarding assets andrecords is the use of physical precautions.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2020
Independent Checks on Performance
The need for independent checks arisesbecause internal control tends to changeover time unless there is a mechanismfor frequent review.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2121
Information and Communication
The purpose of an accounting informationand communication system is to…
initiate, record, process, and reportthe entity’s transactions and to maintainaccountability for the related assets.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2222
Monitoring
Monitoring activities deal with management’songoing and periodic assessment of thequality of internal control performance…
to determine whether controls are operatingas intended and modified when needed.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2323
SEC and COSO Focus on Smaller Public Companies
The SEC has extended the deadline forsmall public companies compliancewith Section 404 requirements.
COSO issued guidance in Internal ControlOver Financial Reporting for SmallerPublic Companies.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2424
Learning Objective 4
Obtain and document an
understanding of internal control.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2525
Process for Understanding Internal Control and Assessing Control Risk
Phase 1
Obtain anunderstanding ofinternal control:design andoperation
Phase 2Assess controlrisk
Phase 3Design, perform,and evaluate testsof controls
Phase 4
Decide planneddetection riskand substantivetests
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2626
Obtain and Document Understanding of Internal Control
SAS 109 and PCAOB Standard 2 both require auditors to obtain an understandingof internal control for every audit.
Procedures to obtain an understanding: Design of internal controls Whether placed in operation Uses this information as a basis for the
integrated audit
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2727
Methods Used
Narrative
FlowchartInternalcontrol
questionnaire
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2828
Narrative
1. The origin of every document and record in the system
2. All processing that takes place
3. The disposition of every document and record in the system
4. An indication of the controls relevant to the assessment of control risk
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 2929
Evaluating Internal Control Operation
Update and evaluate auditor’s previousexperience with the entity
Make inquiries of client personnel
Examine documents and records
Observe entity activities and operations
Perform walk-throughs of the accounting system
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3030
Learning Objective 5
Assess control risk by linking key
controls, significant deficiencies,
and material weaknesses to
transaction-related audit
objectives.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3131
Assess Control Risk
Assess whether the financial statementsare auditable.
Determine assessed control risk supportedby the understanding obtained assumingthe controls are being followed.
Use of a control risk matrix to assesscontrol risk.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3232
Control Risk Matrix
Many auditors use the control risk matrixto assist in the control risk assessmentprocess.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3333
Control Risk Matrix
Identify audit objectives
Identify existing controls
Associate controls with related audit objectives
Identify and evaluate control deficiencies,significant deficiencies, and material weaknesses
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3434
Evaluating Significant Control Deficiencies
MaterialWeakness
LIKELIHOOD
SIGNIFICANCE
Material
Immaterial
ProbableRemote
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3535
Identify Deficiencies and Weakness
Identify existing controls
Identify the absence of key controls
Consider the possibility of compensating controls
Decide whether there is a significant deficiencyor material weakness
Determine potential misstatements that could result
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3636
Communications
Management letters
Communications to thosecharged with governance
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3737
Learning Objective 6
Describe the process of designing
and performing tests of controls.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3838
Tests of Controls
The procedures to test effectiveness of controlsin support of a reduced assessed controlrisk are called tests of controls.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 3939
Procedures for Tests of Controls
1. Make inquiries of client personnel
2. Examine documents, records, and reports
3. Observe control-related activities
4. Reperform client procedures
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4040
Extent of Procedures
Reliance on evidence from prior year’s audit
Testing of controls related to significant risks
Testing less than the entire audit period
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4141
Relationship of Assessed ControlRisk and Extent of Procedures
InquiryDocumentation
Observation
Reperformance
Yes–extensiveYes–with transaction
walk-throughYes–with transaction
walk-throughNo
Yes–someYes–using sampling
Yes–at multiple times
Yes–using sampling
Type ofprocedure
High level:Procedures to obtain
an understandingLower level:
Tests of controls
Assessed Control Risk
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4242
Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk andrelated substantive tests.
The auditor links the control risk assessmentsto the balance-related audit objectives.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4343
Learning Objective 7
Understand Section 404
requirements for auditor
reporting on internal control.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4444
Section 404 Reporting on Internal Control
1. The auditor’s opinion on whether management’sassessment of the effectiveness of internal controlover financial reporting as of the end of the fiscalperiod is fairly stated, in all material respects.
2. The auditor’s opinion on whether the companymaintained, in all material respects, effectiveinternal control over financial reporting as ofthe specified date.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4545
Types of Opinions
Unqualified
Adverse
Qualified or disclaimer of opinion
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4646
Learning Objective 8
Describe the differences in
evaluating, reporting, and
testing internal control for
nonpublic companies.
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4747
Evaluating, Reporting, and Testing Internal Control for Nonpublic Companies
1. Reporting requirements
2. Extent of required internal controls
4. Assessing control risk
5. Extent of tests of controls needed
3. Extent of understanding needed
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 4848
Differences in Scope of Controls Tested
Internal controls over financial reportingInternal controls over financial reporting
Internal controls used to assesscontrol risk below maximum
Controls that must be tested inan audit of financial statements
Controls that must be tested inan audit of internal controls
©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 49
End of Chapter 10