1 chapter 10 Section 404 Audits Sarbanes-Oxley Act section 404.

1

chapter 10

Section 404 Audits

Sarbanes-Oxley Act section 404

2

Societe Generale

• junior trader gambled more than the entire net worth of the bank

3

JP Morgan Chase

4

National Commission on Fraudulent Financial Reporting

the “Treadway Commission” 1987

Committee of Sponsoring Organizations

“COSO”

5

COSO

Committee of Sponsoring Organizationsorganizations that sponsored the Treadway Commission

American Institute of Certified Public Accountants

American Accounting Association

Institute of Internal Auditors

Institute of Management Accountants

Financial Executives Institute

6

Mandeep

how does COSO define internal controls ?

7

COSO internal controls day 1 handout

Internal control is a process, effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to the

• reliability of financial reporting• effectiveness and efficiency of operations• compliance with applicable laws and regulations

8

Foreign Corrupt Practices Act

1977

any corporation that has a class of securities registered, or that is required to file reports under the Securities and Exchange Act of 1934

9

U.S. CodeTITLE 15--COMMERCE AND TRADE

CHAPTER 2BSECURITIES EXCHANGES

10

(2) Every issuer pursuant to section 78l or … shall–

(A)make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that–

(i) transactions are executed in accordance with management's general or specific authorization;

(ii) transactions are recorded as necessary

(I) to prepare financial statements in conformity with GAAP,

(II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management's general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences; and

11

Sarbanes-Oxley Act 2002

§ 7262. Management assessment of internal controls

(a) Rules required The Commission shall prescribe rules requiring …. an internal control report, which shall—

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure ...

(b) Internal control evaluation and reporting …, each registered public accounting firm that …issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.

12

PCAOB auditor’s report on internal control

We have audited internal control over financial reporting as of Dec. 31, 2013, based criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). MMC’s management is responsible for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management Report on Internal Control Over Financial Reporting. Our responsibility is to express an opinion on the company's internal control over financial reporting based on our audits.

We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audits of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinion.

A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted

accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, MMC maintained, in all material respects, effective internal control over financial reporting as of December 31, 2013, based on COSO criteria.

13

Rachel

Which section of the auditing standards most directly discusses internal controls?

14

Johanna

Why are auditors required to understand the client’s internal controls?

15

.03 The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

AU-C 315 Understanding the Entity & Its Environment &

Assessing RoMM

16

Brianna

what is the definition of control risk?

17

Control Risk

The risk that a misstatement that could occur in an assertion about a class of transaction, account balance, or disclosure and that could be material, either individually or when aggregated with other misstatements, will

not be prevented, or detected and corrected, on a timely basis by the entity's internal control.

18

Denise

Discuss reasonable assurance.

19

Reasonable Assurance

Reasonable assurance. In the context of an audit of financial statements, a high, but not absolute, level of assurance.

20

Clint

Under Sarbanes-Oxley management must report on the effectiveness of the company’s internal controls.

With Regard to Internal Controls,

what STATEMENTS must MANAGEMENT include in their annual report ?

21

Section 404 of Sarbanes-Oxley

management must make the following statements page 159

1 management is responsible for effective internal controls over financial reporting

2 management’s assessment of the effectiveness of the internal controls

3 the framework used to evaluate the effectiveness of the internal controls

22

Evaluate the Effectiveness

1 management must evaluate the design of internal controls

2 management must test the operating effectiveness of those controls

23

Erin

what framework will management use to evaluate the effectiveness of internal controls?

24

Joseba

In the standard unmodified audit report

What is management’s responsibility with regard to the financial statements?

25

Management’s Responsibilty

Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.

26

Controls over Sig Classes of Transactions

27

AU-C 315

The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including the entity's internal control,

28

Page 160 (Design of Internal Control)

Risks related to all relevant assertions

Evaluating Significant classes of transactions

Identify points in the transactions where material misstatements could occur

Identify how each significant class of transactions–Initiated–Authorized–Recorded–Processed through the accounting system–Reported in the financial statements and disclosures

29

AU-c 315.84 the accounting system

Procedures and records designed to Initiate, authorize, record, process, and report entity transactionsMaintain accountability for the assets, liabilities & equity

Transfer information to the general ledger

Capture information other than transactions that is relevant to the financial statements. e.g. depreciation and amortization of assets, changes in the recoverability of receivables.

Ensure information that is required to be disclosed is accumulated, recorded, processed, summarized, and appropriately reported in the financial statements.

transactions

disclosures

adjusting journal entries

30

Makinzie

In the standard unmodified audit reportWhat is the auditor’s responsibility?

31

Auditor’s Responsibilty

Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit

in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial

statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control. Accordingly, we express no such

opinion. An audit also includes evaluating the appropriateness of accounting policies used and the

reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.

32

Auditors must document their understanding

33

page 160/169

The classes of transactions that are significant

Procedures by which those transactions are: Initiated, authorized & recordedwhat accounting records exist, Processed through the accounting system into the GL, and

reported in the financial statements.

How the info system captures other events that are significant to the financial statements

Reporting process used to prepare the financial statements, including significant estimates and disclosures.

34

Naomi

COSO – 5 components of internal control

what are the five components of the internal control framework ?

35

COSO components of internal controls

1.Control environment

2.Risk assessment

3.Control procedures

4.Information and communication

5.Monitoring

36



2.Risk assessment

3.Control procedures4. Info & Comm --- Accounting System is part of

5.Monitoring

37

1. Control environment

• management’s integrity and ethical values • commitment to competence• board of directors and audit committee• management’s philosophy & operating style • organizational structure• human resource policies and practices

page 163

38

1. Control environment – Audit Committee

Bd of Directors - Audit Committee – Outside Directors

• Appointment of auditors• Resolve differences between

management and auditors• Oversight of internal audit• Approval of non-audit services by auditor

page 163

39



2.Risk Assessment (p 165) 3.Control procedures


5.Monitoring

40

2. Risk assessmentHow does the audit client manage risk?

Internal control is a process, effected by those charged with governance, management and other personnel that is designed to provide reasonable assurance about the achievement of the entity’s objectives in the following three categories:

Focus o

n risk

oversig

ht

page 89

41

Saul

what can you assume when the Expected Rate of Return for an investment or project exceeds the interest rate on gov’t insured savings accounts ?

42

business is about managing risk

otherwise companies should invest their money in gov’t insured savings accounts

companies invest in risky assets and the auditors must understand how the company manages risks to convert those assets into cash receipts

43

COSO Enterprise Risk Management

1. Internal environment

2. Objective Setting

3. Event identification

4. Risk assessment

5. Risk response

6. Control activities procedures

7. Information and communication

8. Monitoring

44



2.Risk assessment

3.Control procedures4.Information and communication

5.Monitoring

45

3. Control Procedures

Adequate segregation of dutiesProper authorization of transactions & activities

Adequate documents & records

Physical controls over assets & records

Independent checks on performance

46

page 160/169


Procedures by which those transactions are: Initiated, authorized & recorded what accounting records exist, Processed through the accounting system into the GL, and




47


Must separate p. 166

Custody of Assets from Accounting (Record-Keeping)

Authorization of Trx from Custody of Related Assets

Operational Responsibility from Record-Keeping

IT Duties from User Departments

48


Must separate

Custody of Assets

Authorization of Transactions involving those assets

Record-Keeping

49


Adequate documents and records

Pre-numbered documents

1. Checks

2. Purchase orders

3. Shipping documents

50

check no. 2228

Dec. 31 2014

Pay to: Cuesta Hardware $1,500.00

check no. 2229

Dec. 31 2014

Pay to: Lubricant Supply $875.00

check no. 2230

Dec. 31 2014

Pay to: The Electric Warehouse $970.00

check no. 2231

Dec. 31 2014

Pay to: Parts Supply Co. $625.00

six hundred and twenty-five Dollars

Tad Miller

51

Cash Disbursements Journal

date check written to amount total no. disbursed

30-Dec 2,700.0031-Dec 2228 Cuesta Hardware 1,500.00 4,200.0031-Dec 2230 The Electric Warehouse 970.00 5,170.0031-Dec 2231 Parts Supply Co 625.00 5,795.00

where is check 2229 to Lubricant Supply

52

Stephanie

if you discover a check that was not recorded

to which financial statement assertion does an unrecorded check relate ?

53



2.Risk assessment



5.Monitoring

54

4. Information & Communication / Monitoring

• Account balances are used to prepare external financial statements

• Internal reports are part of management’s feedback for Monitoring operations

55



2.Risk assessment



5.Monitoring

56

5. Monitoring

• Internal audit

• Compare reports with your knowledge of the business

• Customer complaints

• Vendor complaints

• Regulators’ reports

• Periodic reconciliations

57

Understanding Internal Controls

Obtain an understanding of internal controls

The design of internal controls

Document understanding

Assess Control Risk (preliminary)

Test Operating Effectiveness of controls

Assess Control Risk (after ToC’s)

58

page 160/169


Procedures by which those transactions are: Initiated, authorized & recorded what accounting records exist, Processed through the accounting system into the GL, and




59

How –gain an understanding Internal Controls

Internal Control Questionnaire p. 172

Prior year’s work papers p. 174

Inquiries of client

Examine documents

Observe activities – Perform Walkthroughs

60

Internal Controls Questionnaire p. 173

A. Recorded sales are for shipments actually made to existing customers

B. Existing sales transactions are recorded

C. Recorded sales are for the amount of goods shipped and are correctly billed and recorded

D. Sales transactions are properly included in master files and correctly summarized

E. Recorded sales transactions are properly classified

F. Sales are recorded on the correct dates

61

Internal Controls Questionnaire p. 173 (62-161)-176-207-252

A. Recorded sales are for shipments actually made to existing customers

B. Existing sales transactions are recorded

C. Recorded sales are for the amount of goods shipped and are correctly billed and recorded

D. Sales transactions are properly included in master files and correctly summarized

E. Recorded sales transactions are properly classified

F. Sales are recorded on the correct dates

Occurrence

Completeness

Accuracy

Classification

Cutoff

62

Page 59

63

Document- our understanding of Internal Controls

Internal Control Questionnaire p. 173

Narative

Flowchart

64

Must assess Control Risk

•for each fin statement assertion

•for each sig class of transaction

65

Control Risk Matrix p. 176

Look at the headings of the columns

Audit Objectives / Assertions

Must have a control(s) in place for each assertion / objective

66

67

p. 252see p. 176Control Risk Matrix

68

Tests of Controls

if a control is well designed

test if control is operating effectively

69

Internal Control Communications

70

Adrian

what is a Control Deficiency?

page 176 ---

look at the last 2 lines in Figure 5

71

72

Control deficiency (day one handout)

when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis

73

Control deficiency

if a control is not properly designed

Or well designed control may not operate as designed

or the person performing the control is not sufficiently qualified

74

Alyxandria

what is a Material Weakness in internal control?

75

Material weakness

A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of

the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

76

David

what is a Significant Deficiency in internal control ?

77

Significant deficiency

A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

78

Material weaknessFigure 6 materialpage 272

MaterialWeakness

Likelihood

ReasonablyPossible

immaterial

ProbableRemote

79

Communications regarding Internal Control

Reportable Conditions

significant deficiencies

material weaknesses

Those charged with governance of the company

audit committee

board of directors

senior management

80

Effectiveness of Internal Controls

andAudit Approaches

81

82

for private companiesnon-SEC companies

not covered by Sarbanes-Oxley

83

Emmanuel

After evaluating the design of the controls you do not believe the client’s controls would prevent, or detect and correct misstatements even if properly implemented

You believe the controls are INeffective

How will you preliminarily assess CR ?

84

Kyle



You preliminarily assess CR = High

Which audit approach will you take?

85

Laura

You believe it would cost less to perform

Tests of Contols than $ubstantive Test$

which audit approach will you take ?

86

Lauren

Which types of audit tests will you perform

evaluate design of controls

Tests of Controlstest operating effectiveness none some extensive

Substantive Testsanalytical procedures

test of details of account balances none limited extensive

87

Raquel

After evaluating the design of the controls you believe the client’s controls would prevent, or detect and correct misstatements if properly implemented

You believe they would be Effective if implemented


88

Sumner



You preliminarily assess CR = Low


89

Ariana




90

Haley






91



92

Iris


$ubstantive Test$ than Tests of Contols


93

Jake






94

for private companiesnon-SEC companies

not covered by Sarbanes-Oxley

95

preliminarily

assess

Subst Tests

Less costly than

ToC

ToC

Less costly than

Subst Tests

controls

effective

(CR =Low)

extensive

Subst Tests

ToClimit subst tests =>

analytical procedures

controls

ineffective

(CR = MAX)

Must do extensive Subst Tests

96

• Understand internal controls– Document understanding– Evaluate the design of the controls

• Preliminarily assess control risk– Document prelim CR assessment

• If CR < Low & $ToC < $Sub$t Tests – Design and perform ToC– Document results of ToC and CR assessment– Design and perform limited Subst Tests– Document results of Subst Tests

• If CR = Max or $Sub$t < $ToC– Design and perform extensive Subst Tests– Document results of Subst Tests

97

for public companiesSEC companies

covered by Sarbanes-Oxley

98

99

Joyce



How will you preliminarily assess CR

100

Maria



You preliminarily assess CR = Low


101

Mitch




102

Abhinav

Which types of procedures will you perform

evaluate design effectiveness


Substantive Testsanalytical procedures test of details of account balances none limited extensive

103

Albert


$ubstantive Test$ than Tests of Contols


104

Emily

Which types of procedures will you perform





105

Hailey




106

Jesse



You preliminarily assess CR = High


107

Jordan


Does it matter which types of tests are least expensive?


108

Phil





test of details of account balance none limited extensive

109

preliminarily

assess

Subst Tests

Less costly than

ToC

ToC

Less costly than

Subst Tests

controls effective

(CR < Low)

ToCcan limit subst testsanalytical procedures

ToCcan limit subst testsanalytical procedures

controls

ineffective(CR = MAX)

must do some ToC

Extensive Subst TestsTests of Details

must do some ToC

Extensive Subst TestsTests of Details

110

• Understand internal control structure– Document understanding– Evaluate the Design Effectiveness of ICS

• Design and perform ToC to assess CR– Document results of ToC – and CR assessment

• If CR > Low – Design and perform extensive Subst Tests– Document results of Subst Tests

111

Audit DocumentationWorkpapers

Must document

Record of compliance with GAAS

112

113

114

115

116

AICPA

December 2006

109Statementon AuditingStandards

Understanding the Entity and its Environment andAssessing the Risks of MaterialMisstatement

117

118

Assessing CR < Max

119

120

Assessing control riskIdentify:• specific control objectives (assertions)• points in the flow of transactions where

specific types of misstatements could occur• specific controls procedures designed to

prevent or detect these misstatements• Evaluate the design of control procedures • perform tests of the operating effectiveness of

controls

121

For each significant class of transactions

For each Management Assertion

we will need to assess CR

If we assess CR < Max for an Assertion

must identify a Control Procedure (strength)

Then design & perform a Test of Controls to see if that Procedure is effective

122

preliminary assess of

control risk

final assessment of control risk

Occurrence low

Accuracy low

Completeness low

Cutoff max max

Classification max max

credit sales

123

124

Accounts receivableSales

occurrence

potential misstate

control activity

test of control results of ToC

evaluate

sales to unauthorized customers

customer on approved customer list

inspect list

approved sales

order examine approved sales order

goods may be released from warehouse for unauthorized orders

approved sales order for all goods released to shipping

observe warehouse person filling orders

goods shipped may not agree with goods ordered

shipping clerks agree goods received from warehouse with S.O.

signature of shipping clerk indicating he performed the check

125

potential misstate

control activity


evaluate

unauthorized shipments made

prepare Shipping doc for each order

Inspect Ship Docs

billings may be made for ficititous transactions

matching S.D. and approved S.O. for each invoice

vouch invoices to S.D. and approved S.O.

duplicate billings may be made

matching S.D. and approved S.O. for each

vouch invoices to S.D. and approved S.O.

126

potentialmisstate

controlactivity

test of control resultsof ToC

evaluate

fictitous sales maybe recorded

sales invoice andmatchingdocumentsrequired for allentries

vouch recordedsales tosupportingdocuments

invoices may beposted to the wrongcustomers accounts

mail monthlystatements tocustomers withindependentfollowup oncustomercomplaints

observe mailingand followupprocedures

127

potential misstate

control activity


evaluate

goods shipped may not agree with goods ordered

shipping clerk agrees goods received from warehouse to approved S.O.

signature of shipping clerk indicating he agreed goods to S.O.

some shipments may not be billed

matching sales invoice for each S.D.

trace S.D. to invoices

billings may be made for ficititous transactions

periodic accounting for all S.D.

observe procedure re-perform


completeness

128

potentialmisstate

controlactivity

test of control resultsof ToC

evaluate

invoices may not bejournalized orposted to customeraccounts

agree salesjournal entriesand amountsposted tocustomeraccounts withcontrol totals ofinvoices

review evidenceof independentcheck

trace incoices tosales journal andcustm\omeraccounts

periodicaccounting for allsales invoices

observe procedure

re-perform

invoices may beposted to the wrongcustomer accounts

mailing ofmonthlystatements andfollowup oncustomercomplaints

observe mainlingand followupprocedures

129

potential misstate

control activity


evaluate

sales may be made without credit approval

check on customer’s credit prior to each sale

examine evidence of credit limit check on each sale

sales invoices may have incorrect prices

check pricing of invoices

reperform check on accuracy of pricing

fictitous sales may be recorded

sales invoice and matching documents required for all entries

vouch recorded sales to supporting documents


accuracy

130

potential misstate

control activity


evaluate

invoices may not be journalized or posted to customer accounts

agree entries in sales journal and amounts posted to customer accounts with control totals of invoices

review evidence of independent check trace sales invoices to sales journal and customer accounts

invoices may be mailed to wrong customer account

mailing of montly statements with followup on customer complaints

observe mailing and followup procedures

131

Assess control riskIdentify:• significant classes of transactions• objectives assertions• points where errors or fraud could occur• specific controls that would prevent or detect

these errors • Link specific controls with the assertions to

which they relate• Evaluate the design of the control• Test the operating effectiveness of the control

Date post:	01-Jan-2016
Category:	Documents
Upload:	geraldine-holmes
View:	215 times
Download:	2 times

1 chapter 10 Section 404 Audits Sarbanes-Oxley Act section 404.

Documents