Chapter 7
Chapter 7
Auditing Internal
Control over
Financial Reporting
McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved
Management Responsibilities
under Section 404
Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue
an internal control report that explicitly accepts responsibility for establishing and maintaining
“ d t ” i t l t l fi i l ti
LO# 1
7-2
“adequate” internal control over financial reporting (ICFR).
Management Responsibilities
under Section 404
Management must comply with the following in order for its public accounting firm to complete an audit of
ICFR.
1. Accepts responsibility for the effectiveness of the entity’s ICFR.
LO# 1
7-3 2. Evaluate the effectiveness of the entity’s ICFR using
suitable control criteria.
3. Support its evaluation with sufficient evidence, including documentation.
Auditor Responsibilities under
Section 404
The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated auditintegrated auditof the entity’s ICFR and its financial statements.
7-4
ICFR Defined
ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:
LO# 3
7-5
procedures that:
1.
1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company. transactions and dispositions of the assets of the company.
2.
2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.
recorded in accordance with GAAP.
3.
3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or timely detection of unauthorized acquisition, use or disposition of the company’s assets.
disposition of the company’s assets.
Internal Control Deficiencies
Defined
A control deficiencyexists when the design or operation
of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Asignificant deficiencyis a deficiency, or a combination
LO# 4
Internal Control Deficiencies
Defined
A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a
material weaknessin the system of internal control. A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable
LO# 4
7-7
, ,
possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.
As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood reasonably possible) and magnitude (material, consequential, or inconsequential).
Internal Control Deficiencies
Defined
Remote Reasonably possible or probable
deficiency
Management’s Assessment
Process
Management must follow a top
Management must follow a top--down, riskdown, risk--based based approach:
approach:
1.
1. Identify financial reporting risks and controls.Identify financial reporting risks and controls.
2
2 EE ll tt idid bb t tht th titi ffff titi ff
LO# 5
7-9 2.
2. Evaluate evidence about the operating effectiveness of Evaluate evidence about the operating effectiveness of ICFR.
ICFR.
3.
Management’s Documentation
Management must develop sufficient Management must develop sufficient documentation to support its assessment of the documentation to support its assessment of the
effectiveness of internal control. This effectiveness of internal control. This documentation may take many forms, such as documentation may take many forms, such as paper electronic files or other media It also paper electronic files or other media It also
7-10
paper, electronic files, or other media. It also paper, electronic files, or other media. It also includes policy manuals, job descriptions, includes policy manuals, job descriptions,
flowcharts, and process models. flowcharts, and process models.
Framework Used by Management
to Conduct Its Assessment
Most entities use the framework developed by COSO. Most entities use the framework developed by COSO. This framework identifies three primary objectives of This framework identifies three primary objectives of
internal control: (1) reliable financial reporting; internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; (2) efficiency and effectiveness of operations;
LO# 7
7-11 (2) efficiency and effectiveness of operations; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations. and (3) compliance with laws and regulations.
Performing an Audit of ICFR
Integrating the Audits of Internal
Control and Financial Statements
An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in
LO# 9
7-13
results of the substantive procedures are considered in the evaluation of internal control.
Tests of
Effect of the Audit of Internal Control
on the Financial Statement Audit
When the auditor performs an integrated audit, he or she will have access to a large amount of information about the client’s controls. This information can make the financial statement audit more efficient and result
LO# 9
7-14
in reduced substantive procedures.
Regardless of the level of control risk Regardless of the level of control risk in connection with the audit of the in connection with the audit of the financial statements, auditing financial statements, auditing standards require the auditor to standards require the auditor to perform some substantive perform some substantive procedures for all significant accounts procedures for all significant accounts
and disclosures. and disclosures.
Effect of the Financial Statement
Audit on the Audit of Internal Control
The effectiveness of the audit of internal controls should lead the auditor to determine the implications of these findings on the financial statement audit. The auditor’s evaluation should include:
LO# 9
7-15 1.
1. Misstatements detected.Misstatements detected. 2.
2. The auditor’s risk evaluations in connection with the The auditor’s risk evaluations in connection with the selection and application of substantive procedures, selection and application of substantive procedures, especially those related to fraud.
especially those related to fraud. 3.
3. Findings with respect to illegal acts and related party Findings with respect to illegal acts and related party transactions.
transactions. 4.
Plan the Engagement
The planning process is similar to the
process used for the audit of F/S.
Consider the following:
Ri k t d th i k f f d
7-16 Risk assessment and the risk of fraud.
Scaling the audit.
Using the work of others.
Materiality.
Special Consideration:
Using the Work of Others
A major consideration for the external auditor is how much the A major consideration for the external auditor is how much the work performed by others. In determining the extent to which work performed by others. In determining the extent to which the auditor may use the work of others, the auditor should: the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of (1) evaluate the nature of the controls subjected to the work of others,
others,
LO# 10
7-17
others, others,
(2) evaluate the competence and objectivity of the individuals (2) evaluate the competence and objectivity of the individuals who performed the work, and
who performed the work, and
(3) test some of the work performed by others to evaluate the (3) test some of the work performed by others to evaluate the quality and effectiveness of their work.
quality and effectiveness of their work.
As the risk associated with the control being tested increases, As the risk associated with the control being tested increases, the external auditor should do more of the work.
the external auditor should do more of the work.
Using a Top-Down Approach
LO# 11
See Table 7-3
Test Controls
LO# 12
Evaluate design
Test and evaluate operating effectiveness
Nature, timing, and extent7-19
Evaluate Identified Control Deficiencies
LO# 13
7-20
Evaluate Identified Control Deficiencies
LO# 13
Written Representations
In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related
to the audit of ICFR.
7-22
Failure to obtain written Failure to obtain written representations from representations from management, including management, including management’s refusal to management’s refusal to furnish them, constitutes a furnish them, constitutes a limitation on the scope of the limitation on the scope of the audit sufficient to preclude an audit sufficient to preclude an
unqualified opinion. unqualified opinion.
Auditor Documentation
Requirements
The auditor must properly document the processes, procedures, judgments, and resultsrelating to the audit
of internal control. When an entity has effective
LO# 16
7-23
y
ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.
Reporting on ICFR
Sarbanes-Oxley requires management’s description of internal control to include:
1. A statement of management’s responsibility for establishing and maintaining adequate internal control.
2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the
LO# 17
conduct the required assessment of the effectiveness of the company’s internal control.
The Auditor’s Report on ICFR
Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in the
company’s annual report.
LO# 18
7-25
p y p
Auditor’s Report Relating to the
Audit of Internal Control
The auditor’s report contains an opinion the effectiveness of ICFR based on the auditor’s
independent audit work.
LO# 13 & 14
7-26
Types of Reports Relating to the
Audit of ICFR
An
An unqualifiedunqualifiedopinion signifies that the client’s opinion signifies that the client’s internal control is designed and operating internal control is designed and operating
effectively. effectively.
LO# 18 & 19
7-27 A serious scope limitation requires the auditor to A serious scope limitation requires the auditor to
disclaim
disclaiman opinion. an opinion.
An
Types of Reports Relating to the
Audit of ICFR
Report Modification Based on Control Deficiencies Report Modification Based on Control Deficiencies
Likelihood/Magnitude
Types of Reports Relating to the
Audit of Internal Control
Report Modification Based on Scope Limitation Report Modification Based on Scope LimitationReason for
Minor UnqualifiedUnqualified
LO# 19
Additional Required Communications
in an Audit of ICFR
The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5)
LO# 17
Advanced Module 1: Special
Considerations for an Audit of
Internal Control
Service
Service SafeguardingSafeguarding
7-31 Service
Service organizations.
organizations. SafeguardingSafeguardingassets.assets.
Use of Service Organizations
Many companies use service organization to process transactions. If the service organization’s services make up part of a company’s information
system, then they are considered part of the information and communication component of the
LO# 21
7-32
company’s internal control over financial report. Thus, both management and the auditor must consider the activities of the service organization.
Use of Service Organizations
Management and the auditor should perform the following procedures with respect to the activities performed by the service organization: (1) obtain an understanding of the controls at the service organization that are relevant to the
LO# 21
7-33
g
Safeguarding of Assets
Safeguarding of assets is defined as policies
and procedures that “provide reasonable
assurance regarding prevention or timely
detection of unauthorized acquisition, use or
di
i i
f h
’
h
ld
7-34
disposition of the company’s assets that could
have a material effect on the financial
statements.”
Advanced Module 2:
Computer-Assisted Audit Techniques
Computer
Computer--assisted audit techniques include:
assisted audit techniques include:
•• Generalized audit software packages.
Generalized audit software packages.
C stom a dit soft are
C stom a dit soft are
7-35
•• Custom audit software.
Custom audit software.
•• Test data.
Test data.
Generalized Audit Software
Function Description
File or data access
Reads and extracts data from a client's computer files or databases for further audit testing.
Selection operators
Select from files or databases transactions that meet certain criteria.
LO# 23
Arithmetic functions
Perform a variety of arithmetic calculations (addition, subtraction, and so on) on transactions, files, and databases.
Statistical analyses Provide functions supporting various types of audit sampling.
Custom Audit Software
Custom audit software is generally written by auditors for specific audit tasks. It may be required when the
client’s computer system is not compatible with the auditor’s generalized audit software.
LO# 23
7-37
Custom software: Custom software:
(1)
(1) Is expensive to develop.Is expensive to develop.
(2)
(2) Requires extended development time.Requires extended development time.
(3)
(3) Is limited in scope of functions.Is limited in scope of functions.
Test Data
This is data developed by the auditor to test the application controls in the client’s computer programs. The technique can be used to check (1)data validation
controls and error detection routines, (2)processing logic controls (3)arithmetic calculations and(4)the
LO# 23
7-38
logic controls, (3)arithmetic calculations, and (4)the inclusion of transactions in records, files, and reports.