
Auditing and Internal Control

Date post: 15-Mar-2023
Upload: pup
Auditing and Internal Control Prepared by: Ambrocio, Sheila Mae B.

Common types of Audits

• External (Financial) Audit - an independent attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of financial statements.

• Internal Audit - an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

• Fraud Audit - investigates anomalies and gathers evidence of fraud that may lead to criminal conviction.

History of the Audit Committee

• 1939: The New York Stock Exchange (NYSE) first endorsed the audit committee concept.

• 1972: The U.S. Securities and Exchange Commission (SEC) first recommends that publicly held companies establish audit committees composed of outside (non-management) directors.

• 1977: NYSE adopts a listing requirement that audit committees be composed entirely of independent directors.

• 1988: AICPA issues SAS 61 "Communication with Audit Committees" addressing communications between the external auditor, audit committee and management of SEC reporting companies.

• 1999: NYSE, NASD, AMEX, SEC and AICPA finalize major rule changes based on Blue Ribbon Committee on Improving the Effectiveness of the Corporate Audit Committee.

• 2002: Sarbanes-Oxley Act is passed in the wake of corporate scandals and includes whistleblower and financial expert disclosure requirements for audit committees.

The Role of the Audit Committee

• The audit committee will consist of at least three and no more than six members of the board of directors.

• Each committee member will be both independent and financially literate.

• At least one member shall be designated as the "financial expert," as defined by applicable legislation and regulation. - IIA

Responsibilities of the Audit Committee

• risk management;
• internal control;
• financial statements;
• compliance requirements;
• internal audit; and
• external audit

Audit Committee Charter

• sets forth the general purpose, authority, composition and responsibilities of the committee.

• should be tailored to the organization.

• determine that all responsibilities outlined in the charter have been carried out.

• should be reviewed, and proposed updates presented to the board for approval.

Impact of the Sarbanes-Oxley Act of 2002

• increased audit committees’ responsibilities and authority.

• raised membership requirements and committee composition to include more independent directors.

• Companies were required to disclose whether or not a financial expert is on the Committee.

Ten Generally Accepted Auditing Standards

Financial Audit Components

• Auditing Standards
• A Systematic Process
• Management Assertions and Audit Objectives
• Obtaining Evidence
• Ascertaining Materiality
• Communicating Results

Audit Risk

• is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.

• Errors - unintentional mistakes.

• Irregularities - intentional misrepresentations associated with the commission of a fraud.

Audit Risk Components

• Inherent Risk - a risk of misstatement due to error or fraud that is said to exist within a financial statement based on an assessment by an independent auditor regardless of management awareness of the error.

• Control Risk - is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

• Detection Risk - is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.

Audit Risk Model

• used by the auditors to manage the overall risk of an audit engagement.

• when inherent and control risk are high, the detection risk is set at a lower level to keep the audit risk at an acceptable level, and vice versa.

• Audit Risk = Inherent Risk × Control Risk × Detection Risk (AR = IR × CR × DR)

The IT Audit

Brief History of Internal Control Legislation

• SEC Acts of 1933 and 1934

– (1) require that investors receive financial and other significant information concerning securities being offered for public sale; and

– (2) prohibit deceit, misrepresentations, and other fraud in the sale of securities.

– The Securities Exchange Act of 1934 created the Securities and Exchange Commission (SEC) and empowered it with broad authority over all aspects of the securities industry, which included authority regarding auditing standards.

• Copyright Law (1976) - had multiple revisions, which added software and other intellectual properties into the existing copyright protection laws.

• Foreign Corrupt Practices Act (FCPA) of 1977

The FCPA requires companies registered with the SEC to do the following:

1. Keep records that fairly and reasonably reflect the transactions of the firm and its financial position.

2. Maintain a system of internal control that provides reasonable assurance that the organization’s objectives are met.

• Committee of Sponsoring Organizations (1992)

Describes the relationship between the firm’s:
– internal control structure,
– auditor’s assessment of risk, and
– the planning of audit procedures

How do these three interrelate?

– The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor procedures applied in the audit.

• Sarbanes-Oxley Act of 2002

- the law supports efforts to increase public confidence in capital markets by seeking to improve corporate governance, internal controls, and audit quality.

- requires management of public companies to implement an adequate system of internal controls over their financial reporting process.

• Section 302 of SOA 2002 - external auditors must perform the following procedures quarterly to identify any material modifications in controls that may impact financial reporting:

1. Interview management regarding any significant changes in the design or operation of internal control that occurred subsequent to the preceding annual audit or prior review of interim financial information.

2. Evaluate the implications of misstatements identified by the auditor as part of the interim review that relate to effective internal controls.

3. Determine whether changes in internal controls are likely to materially affect internal control over financial reporting.

• Section 404 of SOA 2002 - requires the management of public companies to assess the effectiveness of their organization’s internal controls. This entails providing an annual report addressing the following points:

1. Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise.

2. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts.

3. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud.

4. Evaluate and conclude on the adequacy of controls over the financial statement reporting process.

5. Evaluate entity-wide (general) controls that correspond to the components of the COSO framework.

Internal Control Objectives

1. Safeguard assets of the firm

2. Ensure accuracy and reliability of accounting records and information

3. Promote efficiency of the firm’s operations

4. Measure compliance with management’s prescribed policies and procedures

Modifying Principles

• Management Responsibility - The establishment and maintenance of a system of internal control is the responsibility of management.

• Reasonable Assurance - The cost of achieving the objectives of internal control should not outweigh its benefits.

• Methods of Data Processing - The techniques of achieving the objectives will vary with different types of technology.

• Limitations
– Possibility of honest errors
– Circumvention via collusion
– Management override
– Changing conditions, especially in companies with high growth

Exposures of Weak Internal Controls (Risk)

• Destruction of an asset
• Theft of an asset
• Corruption of information
• Disruption of the information system

The PDC Model

• Preventive Controls - are passive techniques designed to reduce the frequency of occurrence of undesirable events.

• Detective Controls - are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls and to reveal specific types of errors by comparing actual occurrences to pre-established standards.

• Corrective Controls - Detective controls identify undesirable events and draw attention to the problem; corrective controls actually fix the problem.

COSO Internal Control Framework

• Control Environment
• Risk Assessment
• Information and Communication
• Monitoring
• Control Activities

Physical Controls

• This class of controls relates primarily to the human activities employed in accounting systems. There are six types of physical control:
– Transaction Authorization
– Segregation of Duties
– Supervision
– Accounting Records
– Access Control
– Independent Verification

IT Controls

• Application controls - are to ensure the validity, completeness, and accuracy of financial transactions.
– Examples: controls over sales order processing, accounts payable, and payroll applications

• General controls - pertain to the entity-wide computer environment or all the systems.
– Examples: controls over the data center, organization databases, systems development, and program maintenance

Audit Implications of SOX

• expands the role of external auditors by mandating that they attest to the quality of their client organizations’ internal controls.

• Constitutes the issuance of a separate audit opinion on the internal controls in addition to the opinion on the fairness of the financial statements.

• PCAOB Standard No. 5 specifically requires auditors to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported.

• places responsibility on auditors to detect fraudulent activity and emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements.

• PCAOB Auditing Standard No. 5 emphasizes that management and auditors use a risk-based approach rather than a one-size-fits-all approach in the design and assessment of controls.

