10 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Section 404...

10 - 1©2006 Prentice Hall Business Publishing, ©2006 Prentice Hall Business Publishing, Auditing 11/e,Auditing 11/e, Arens/Beasley/Elder Arens/Beasley/Elder

Section 404 Audits of Section 404 Audits of Internal Control and Internal Control and Control RiskControl Risk

Chapter 10Chapter 10


Learning Objective 1Learning Objective 1

Describe the three primaryDescribe the three primary

objectives of effectiveobjectives of effective

internal control.internal control.


Compliance with laws and regulationsCompliance with laws and regulations

Efficiency and effectiveness of operationsEfficiency and effectiveness of operations

Reliability of financial reportingReliability of financial reporting

Internal Control ObjectivesInternal Control Objectives



Contrast management’sContrast management’s

responsibilities for maintainingresponsibilities for maintaining

and reporting on internal controlsand reporting on internal controls

with the auditor’s responsibilitieswith the auditor’s responsibilities

for understanding, testing, andfor understanding, testing, and

reporting on internal controls.reporting on internal controls.


Management and Auditor Management and Auditor Responsibilities RelatedResponsibilities Relatedto Internal Controlto Internal Control

Management’s responsibilityManagement’s responsibilityfor establishing internal controlfor establishing internal control

Reasonable assuranceReasonable assurance

Inherent limitationsInherent limitations



Management’s Section 404Management’s Section 404reporting responsibilitiesreporting responsibilities

Design of internal controlDesign of internal control

Operating effectiveness of controlsOperating effectiveness of controls



Auditor responsibilities forAuditor responsibilities forunderstanding internal controlunderstanding internal control

Control over classes of transactionsControl over classes of transactions

Auditor responsibilities for testingAuditor responsibilities for testing and reporting on internal controland reporting on internal control


Sales Transaction-Related Audit Sales Transaction-Related Audit ObjectivesObjectives

Sales Transaction-RelatedSales Transaction-RelatedAudit ObjectivesAudit Objectives

Sales are for shipmentsSales are for shipmentsto existing customers.to existing customers.

Transaction-Related AuditTransaction-Related AuditObjective – General formObjective – General form

Recorded transactionsRecorded transactionsexist (existence).exist (existence).

Existing sales transactionsExisting sales transactionsare recorded.are recorded.

Existing transactions areExisting transactions arerecorded (completeness).recorded (completeness).

Transactions are statedTransactions are statedcorrectly (accuracy).correctly (accuracy).

Sales for goods shippedSales for goods shippedare correctly billed.are correctly billed.


Sales Transaction-Related Audit Sales Transaction-Related Audit ObjectivesObjectives

Transactions are properlyTransactions are properlyclassified (classification).classified (classification).

Sales transactions areSales transactions areproperly classified.properly classified.

Transactions are recordedTransactions are recordedon correct dates (timing).on correct dates (timing).

Sales are recorded onSales are recorded onthe correct dates.the correct dates.

Transactions are properlyTransactions are properlyfiled (posting andfiled (posting andsummarization).summarization).

Sales transactions areSales transactions areproperly included in theproperly included in themaster files.master files.

Transaction-Related AuditTransaction-Related AuditObjective – General formObjective – General form

Sales Transaction-RelatedSales Transaction-RelatedAudit ObjectivesAudit Objectives



Explain the five componentsExplain the five components

of the COSO internalof the COSO internal

control framework.control framework.


Five Components of Internal Five Components of Internal ControlControl

RiskRiskassessmentassessment

ControlControlactivitiesactivities

Information andInformation andcommunicationcommunication

MonitoringMonitoring


The Control EnvironmentThe Control Environment

Integrity and ethical valuesIntegrity and ethical values

Commitment to competenceCommitment to competence

Board of directors or audit committee participationBoard of directors or audit committee participation

Management’s philosophy and operating styleManagement’s philosophy and operating style


The Control EnvironmentThe Control Environment

Organizational structureOrganizational structure

Assignment of authority and responsibilityAssignment of authority and responsibility

Human resources policies and practicesHuman resources policies and practices


Risk AssessmentRisk Assessment

Identify factors that may increase risk.Identify factors that may increase risk.

Assess the likelihood of the risk.Assess the likelihood of the risk.

Determine actions necessary to manage the risk.Determine actions necessary to manage the risk.

Estimate the significance of the risk.Estimate the significance of the risk.


Control ActivitiesControl Activities

1. Adequate separation of duties1. Adequate separation of duties

2. Proper authorization of transactions and activities2. Proper authorization of transactions and activities

3. Adequate documents and records3. Adequate documents and records

4. Physical control over assets and records4. Physical control over assets and records

5. Independent checks on performance5. Independent checks on performance


Adequate Separation of DutiesAdequate Separation of Duties

Custody of assetsCustody of assets AccountingAccounting

AuthorizationAuthorizationof transactionsof transactions

The custody ofThe custody ofrelated assetsrelated assets

OperationalOperationalresponsibilityresponsibility

Record-keepingRecord-keepingresponsibilityresponsibility

IT dutiesIT duties User departmentsUser departments


Proper Authorization of Proper Authorization of Transactions and ActivitiesTransactions and Activities

General authorizationGeneral authorization

Specific authorizationSpecific authorization


Adequate Documents and Adequate Documents and RecordsRecordsPrenumbered consecutivelyPrenumbered consecutively

Prepared at the time of transactionPrepared at the time of transaction

Designed for multiple useDesigned for multiple use

Constructed to encourage correct preparationConstructed to encourage correct preparation

Simple enough to ensure understandingSimple enough to ensure understanding


Physical Control over AssetsPhysical Control over Assetsand Recordsand Records

The most important type of protectiveThe most important type of protectivemeasure for safeguarding assets andmeasure for safeguarding assets andrecords is the use of physical precautions.records is the use of physical precautions.


Independent Checks on Independent Checks on PerformancePerformance

The need for independent checks arisesThe need for independent checks arisesbecause internal control tends to changebecause internal control tends to changeover time unless there is a mechanismover time unless there is a mechanismfor frequent review.for frequent review.


Information and CommunicationInformation and Communication

The purpose of an accounting informationThe purpose of an accounting informationand communication system is to…and communication system is to…

initiate, record, process, and reportinitiate, record, process, and reportthe entity’s transactions and to maintainthe entity’s transactions and to maintainaccountability for the related assets.accountability for the related assets.


MonitoringMonitoring

Monitoring activities deal with management’sMonitoring activities deal with management’songoing and periodic assessment of theongoing and periodic assessment of thequality of internal control performance…quality of internal control performance…

to determine whether controls are operatingto determine whether controls are operatingas intended and modified when needed.as intended and modified when needed.


How the Size of the Business How the Size of the Business Affects Internal ControlAffects Internal Control

In general the SEC believes that smallIn general the SEC believes that smallbusinesses should be expected to adherebusinesses should be expected to adhereto the same internal control standards thatto the same internal control standards thatapply to larger public companies.apply to larger public companies.

The SEC has also stated that the burden toThe SEC has also stated that the burden tosmaller companies can be disproportionate.smaller companies can be disproportionate.



Obtain and document anObtain and document an

understanding of internal control.understanding of internal control.


Four Phases of a Financial Four Phases of a Financial Statement AuditStatement Audit

Phase 1Phase 1

Obtain anObtain anunderstanding ofunderstanding ofinternal control:internal control:design anddesign andoperationoperation

Phase 2Phase 2Assess controlAssess controlrisk.risk.

Phase 3Phase 3Design, perform,Design, perform,and evaluate testsand evaluate testsof controlsof controls

Phase 4Phase 4

Decide plannedDecide planneddetection riskdetection riskand substantiveand substantivetests.tests.


Obtain and Document Obtain and Document Understanding of Internal ControlUnderstanding of Internal Control

SAS 55 and PCAOB Standard 2 SAS 55 and PCAOB Standard 2 both requireboth requirethe auditor to obtain an understandingthe auditor to obtain an understandingof internal control for every auditof internal control for every audit..

Procedures to obtain an understanding:Procedures to obtain an understanding:• Design of internal controlsDesign of internal controls• Whether placed in operationWhether placed in operation• Uses this information as a basis for theUses this information as a basis for the integrated audit.integrated audit.


Methods UsedMethods Used

NarrativeNarrative

FlowchartFlowchart

InternalInternalcontrolcontrol

questionnairequestionnaire


NarrativeNarrative

1. The origin of every document1. The origin of every document and record in the systemand record in the system

2. All processing that takes place2. All processing that takes place

3. The disposition of every document3. The disposition of every document and record in the systemand record in the system

4. An indication of the controls relevant4. An indication of the controls relevant to the assessment of control riskto the assessment of control risk


Evaluating Internal Control Evaluating Internal Control OperationOperation

Update and evaluate auditor’s previousUpdate and evaluate auditor’s previousexperience with the entity.experience with the entity.

Make inquiries of client personnel.Make inquiries of client personnel.

Examine documents and records.Examine documents and records.

Observe entity activities and operations.Observe entity activities and operations.

Perform walkthroughs of the accounting system.Perform walkthroughs of the accounting system.



Assess control risk by linking keyAssess control risk by linking key

controls, significant deficiencies,controls, significant deficiencies,

and material weaknesses toand material weaknesses to

transaction-related audittransaction-related audit

objectives.objectives.


Assess Control RiskAssess Control Risk

Assess whether the financial statementsAssess whether the financial statementsare auditable.are auditable.

Determine assessed control risk supportedDetermine assessed control risk supportedby the understanding obtained assumingby the understanding obtained assumingthe controls are being followed.the controls are being followed.

Use of a control risk matrix to assess control riskUse of a control risk matrix to assess control risk


Control Risk MatrixControl Risk Matrix

Auditors use the Auditors use the control risk matrixcontrol risk matrix to toidentify both controls and weaknessesidentify both controls and weaknessesand to assess control risk.and to assess control risk.


Control Risk MatrixControl Risk Matrix

Identify transaction-related audit objectives.Identify transaction-related audit objectives.

Identify existing controls.Identify existing controls.

Associate controls with transaction-relatedAssociate controls with transaction-relatedaudit objectives.audit objectives.

Identify and evaluate control deficiencies,Identify and evaluate control deficiencies,significant deficiencies, and material weaknessessignificant deficiencies, and material weaknesses


Evaluating Significant Control Evaluating Significant Control DeficienciesDeficiencies

MaterialMaterialWeaknessWeakness

LIKELIHOODLIKELIHOOD

SIGNIFICANCESIGNIFICANCE

MaterialMaterial

ImmaterialImmaterial

ProbableProbableRemoteRemote


Communicate Internal Control Communicate Internal Control Deficiencies and Related MattersDeficiencies and Related Matters

Management lettersManagement letters

Audit committee communicationsAudit committee communications



Describe the process of designingDescribe the process of designing

and performing tests of controls.and performing tests of controls.


Tests of ControlsTests of Controls

The procedures to test effectiveness of controlsThe procedures to test effectiveness of controlsin support of a reduced assessed controlin support of a reduced assessed controlrisk are called risk are called tests oftests of controlscontrols..


Procedures for Tests of ControlsProcedures for Tests of Controls

1. Make inquiries of client personnel.1. Make inquiries of client personnel.

2. Examine documents, records, and reports.2. Examine documents, records, and reports.

3. Observe control-related activities.3. Observe control-related activities.

4. Reperform client procedures.4. Reperform client procedures.


Extent of ProceduresExtent of Procedures

Reliance on evidence from prior year’s auditReliance on evidence from prior year’s audit

Testing less than the entire audit periodTesting less than the entire audit period


Relationship of Assessed ControlRelationship of Assessed ControlRisk and Extent of ProceduresRisk and Extent of Procedures

InquiryInquiryDocumentationDocumentation

ObservationObservation

ReperformanceReperformance

Yes–extensiveYes–extensiveYes–with transactionYes–with transaction

walk-throughwalk-throughYes–with transactionYes–with transaction walk-throughwalk-throughNoNo

Yes–someYes–someYes–using samplingYes–using sampling

Yes–at multiple timesYes–at multiple times

Yes–using samplingYes–using sampling

Type ofType ofprocedureprocedure

High level:High level:Procedures to obtainProcedures to obtain

an understandingan understandingLower level:Lower level:

Tests of controlsTests of controls

Assessed control riskAssessed control risk


Decide Planned Detection Risk Decide Planned Detection Risk and Design Substantive Testsand Design Substantive Tests

The auditor uses the results of the control riskThe auditor uses the results of the control riskassessment process and tests of controls toassessment process and tests of controls todetermine the planned detection risk anddetermine the planned detection risk andrelated substantive tests.related substantive tests.

The auditor links the control risk assessmentsThe auditor links the control risk assessmentsto the balance-to the balance-related audit objectives.related audit objectives.



Understand Section 404Understand Section 404

requirements for auditorrequirements for auditor

reporting on internal control.reporting on internal control.


Section 404 Reporting on Internal Section 404 Reporting on Internal ControlControl

The auditor’s opinion on whether management’sThe auditor’s opinion on whether management’sassessment of the effectiveness of internalassessment of the effectiveness of internalcontrol over financial reporting as of thecontrol over financial reporting as of theend of the fiscal period is fairly stated, end of the fiscal period is fairly stated, in all material respects.in all material respects.

11


Section 404 Reporting on Internal Section 404 Reporting on Internal ControlControl

The auditor’s opinion on whether the companyThe auditor’s opinion on whether the companymaintained, in all material respects, effectivemaintained, in all material respects, effectiveinternal control over financial reportinginternal control over financial reportingas of the specified date.as of the specified date.

22


Types of OpinionsTypes of Opinions

UnqualifiedUnqualified

AdverseAdverse

Qualified or disclaimer of opinionQualified or disclaimer of opinion



Describe the differences inDescribe the differences in

evaluating, reporting, andevaluating, reporting, and

testing internal control fortesting internal control for

nonpublic companies.nonpublic companies.


Evaluating, Reporting, and Testing Internal Evaluating, Reporting, and Testing Internal Control for Nonpublic CompaniesControl for Nonpublic Companies

1. Reporting requirements1. Reporting requirements

2. Extent of required internal controls2. Extent of required internal controls

4. Assessing control risk4. Assessing control risk

5. Extent of tests of controls needed5. Extent of tests of controls needed

3. Extent of understanding needed3. Extent of understanding needed


Differences in Scope of Controls Differences in Scope of Controls Tested: Nonpublic CompanyTested: Nonpublic Company

Internal controls over financial reportingInternal controls over financial reporting

Internal controls used to assessInternal controls used to assesscontrol risk below maximumcontrol risk below maximum

Controls that must be tested inControls that must be tested inan audit of financial statementsan audit of financial statements

Controls that must be tested inControls that must be tested inan audit of internal controlsan audit of internal controls


End of Chapter 10End of Chapter 10

Date post:	01-Apr-2015
Category:	Documents
Upload:	madeline-barns
View:	236 times
Download:	5 times