Arens12e 10

©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 1

Section 404 Audits of Internal Control and Control Risk

Chapter 10

©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 10 - 22

Learning Objective 1

Describe the three primary

objectives of effective

internal control.


3. Compliance with laws and regulations

2. Efficiency and effectiveness of operations

1. Reliability of financial reporting

Internal Control Objectives



Contrast management’s

responsibilities for maintaining

and reporting on internal controls

with the auditor’s responsibilities

for understanding, testing, and

reporting on internal controls.


Management and Auditor Responsibilities Relatedto Internal Control

Management’s responsibilityfor establishing internal control

Reasonable assurance

Inherent limitations



Management’s Section 404reporting responsibilities

Design of internal control

Operating effectiveness of controls



Auditor responsibilities forunderstanding internal control

Control over classes of transactions

Auditor responsibilities for testinginternal control

Controls over the reliabilityof financial reporting


Sales Transaction-related Audit Objectives

Sales Transaction-relatedAudit Objectives

Sales are for shipmentsto existing customers

Transaction-related AuditObjective – General form

Recorded transactionsexist (occurrence)

Existing sales transactionsare recorded

Existing transactions arerecorded (completeness)

Transactions are statedcorrectly (accuracy)

Sales for goods shippedare correctly billed


Sales Transaction-related Audit Objectives

Transactions are correctlyclassified (classification)

Sales transactions arecorrectly classified

Transactions are recordedon correct dates (timing)

Sales are recorded onthe correct dates

Transactions are correctlyfiled (posting andsummarization)

Sales transactions arecorrectly included in themaster files

Sales Transaction-relatedAudit Objectives

Transaction-related AuditObjective – General form



Explain the five components

of the COSO internal

control framework.


Five Components of Internal Control

Riskassessment

Controlactivities

Information andcommunication

Monitoring


The Control Environment

Integrity and ethical values

Commitment to competence

Board of directors or auditcommittee participation


The Control Environment

Management’s philosophy and operating style

Organizational structure

Human resource policies and practices


Risk Assessment

Identify factors that may increase risk

Assess the likelihood of the risk occurring

Determine actions necessary to manage the risk

Estimate the significance of the risk


Control Activities

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance


Adequate Separation of Duties

Custody of assets Accounting

Authorizationof transactions

The custody ofrelated assets

Operationalresponsibility

Record-keepingresponsibility

IT duties User departments

from

from

from

from


Proper Authorization of Transactions and Activities General authorization

Specific authorization


Adequate Documents and Records

Prenumbered consecutively

Prepared at the time of transaction

Designed for multiple use

Constructed to encourage correct preparation


Physical Control Over Assetsand Records

The most important type of protectivemeasure for safeguarding assets andrecords is the use of physical precautions.


Independent Checks on Performance

The need for independent checks arisesbecause internal control tends to changeover time unless there is a mechanismfor frequent review.


Information and Communication

The purpose of an accounting informationand communication system is to…

initiate, record, process, and reportthe entity’s transactions and to maintainaccountability for the related assets.


Monitoring

Monitoring activities deal with management’songoing and periodic assessment of thequality of internal control performance…

to determine whether controls are operatingas intended and modified when needed.


SEC and COSO Focus on Smaller Public Companies

The SEC has extended the deadline forsmall public companies compliancewith Section 404 requirements.

COSO issued guidance in Internal ControlOver Financial Reporting for SmallerPublic Companies.



Obtain and document an

understanding of internal control.


Process for Understanding Internal Control and Assessing Control Risk

Phase 1

Obtain anunderstanding ofinternal control:design andoperation

Phase 2Assess controlrisk

Phase 3Design, perform,and evaluate testsof controls

Phase 4

Decide planneddetection riskand substantivetests


Obtain and Document Understanding of Internal Control

SAS 109 and PCAOB Standard 2 both require auditors to obtain an understandingof internal control for every audit.

Procedures to obtain an understanding: Design of internal controls Whether placed in operation Uses this information as a basis for the

integrated audit


Methods Used

Narrative

FlowchartInternalcontrol

questionnaire


Narrative

1. The origin of every document and record in the system

2. All processing that takes place

3. The disposition of every document and record in the system

4. An indication of the controls relevant to the assessment of control risk


Evaluating Internal Control Operation

Update and evaluate auditor’s previousexperience with the entity

Make inquiries of client personnel

Examine documents and records

Observe entity activities and operations

Perform walk-throughs of the accounting system



Assess control risk by linking key

controls, significant deficiencies,

and material weaknesses to

transaction-related audit

objectives.


Assess Control Risk

Assess whether the financial statementsare auditable.

Determine assessed control risk supportedby the understanding obtained assumingthe controls are being followed.

Use of a control risk matrix to assesscontrol risk.


Control Risk Matrix

Many auditors use the control risk matrixto assist in the control risk assessmentprocess.


Control Risk Matrix

Identify audit objectives

Identify existing controls

Associate controls with related audit objectives

Identify and evaluate control deficiencies,significant deficiencies, and material weaknesses


Evaluating Significant Control Deficiencies

MaterialWeakness

LIKELIHOOD

SIGNIFICANCE

Material

Immaterial

ProbableRemote


Identify Deficiencies and Weakness

Identify existing controls

Identify the absence of key controls

Consider the possibility of compensating controls

Decide whether there is a significant deficiencyor material weakness

Determine potential misstatements that could result


Communications

Management letters

Communications to thosecharged with governance



Describe the process of designing

and performing tests of controls.


Tests of Controls

The procedures to test effectiveness of controlsin support of a reduced assessed controlrisk are called tests of controls.


Procedures for Tests of Controls

1. Make inquiries of client personnel

2. Examine documents, records, and reports

3. Observe control-related activities

4. Reperform client procedures


Extent of Procedures

Reliance on evidence from prior year’s audit

Testing of controls related to significant risks

Testing less than the entire audit period


Relationship of Assessed ControlRisk and Extent of Procedures

InquiryDocumentation

Observation

Reperformance

Yes–extensiveYes–with transaction

walk-throughYes–with transaction

walk-throughNo

Yes–someYes–using sampling

Yes–at multiple times

Yes–using sampling

Type ofprocedure

High level:Procedures to obtain

an understandingLower level:

Tests of controls

Assessed Control Risk


Decide Planned Detection Risk and Design Substantive Tests

The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk andrelated substantive tests.

The auditor links the control risk assessmentsto the balance-related audit objectives.



Understand Section 404

requirements for auditor

reporting on internal control.


Section 404 Reporting on Internal Control

1. The auditor’s opinion on whether management’sassessment of the effectiveness of internal controlover financial reporting as of the end of the fiscalperiod is fairly stated, in all material respects.

2. The auditor’s opinion on whether the companymaintained, in all material respects, effectiveinternal control over financial reporting as ofthe specified date.


Types of Opinions

Unqualified

Adverse

Qualified or disclaimer of opinion



Describe the differences in

evaluating, reporting, and

testing internal control for

nonpublic companies.


Evaluating, Reporting, and Testing Internal Control for Nonpublic Companies

1. Reporting requirements

2. Extent of required internal controls

4. Assessing control risk

5. Extent of tests of controls needed

3. Extent of understanding needed


Differences in Scope of Controls Tested

Internal controls over financial reportingInternal controls over financial reporting

Internal controls used to assesscontrol risk below maximum

Controls that must be tested inan audit of financial statements

Controls that must be tested inan audit of internal controls

©2008 Prentice Hall Business Publishing, ©2008 Prentice Hall Business Publishing, Auditing 12/e,Auditing 12/e, Arens/Beasley/Elder Arens/Beasley/Elder 10 - 49

End of Chapter 10

Arens12e 10

Business

internal control controls

internal control objectives

internal control sas

audits of internal control

physical control

control risk phase

control risk chapter

control environment