Arens14e ch10 ppt

©2012 Prentice Hall Business Publishing, ©2012 Prentice Hall Business Publishing, Auditing 14/e,Auditing 14/e, Arens/Elder/Beasley Arens/Elder/Beasley 5 - 510 - 10 - 11

Section 404 Audits of Section 404 Audits of Internal Control and Internal Control and

Control RiskControl RiskChapter 10Chapter 10

10 - 10 - 22©2012 Prentice Hall Business Publishing, ©2012 Prentice Hall Business Publishing, Auditing 14/e,Auditing 14/e, Arens/Elder/Beasley Arens/Elder/Beasley

Learning Objective 1Learning Objective 1

Describe the three primary Describe the three primary objectives of effective objectives of effective internal control.internal control.

©2012 Prentice Hall Business Publishing, ©2012 Prentice Hall Business Publishing, Auditing 14/e,Auditing 14/e, Arens/Elder/Beasley Arens/Elder/Beasley 10 - 10 - 33

Compliance with laws and regulations

Efficiency/ effectiveness of operations

Reliability of financial reporting

Internal Control Internal Control ObjectivesObjectives

Management has three broad objectives in designing an effective internal control system



Contrast management’s Contrast management’s responsibilities for responsibilities for maintaining and reporting on maintaining and reporting on internal controls with the internal controls with the auditor’s responsibilities auditor’s responsibilities for understanding, testing, and for understanding, testing, and reporting on internal controls.reporting on internal controls.


Management’s Management’s Responsibilities for Responsibilities for Establishing Internal Establishing Internal

ControlControl Management must establish and maintain the entity’s internal controls

Management’s design and implementation of internal controls is based on two key underlying concepts:

Reasonable assurance

Inherent limitations


Management of all public companies to issue an internal control report that includes the following:

An acknowledgement of responsibility for internal controls

Results of annual internal control assessment

Management’s Section 404 Management’s Section 404

Reporting Reporting Responsibilities Responsibilities

2010 federal financial reform laws permanently exempted nonaccelerated filers from reporting on internal controls.


Management must first test the design of internal controls over financial reporting.

Management must also test the operating effectiveness of those controls.

Management’s Assessment of Management’s Assessment of Internal Controls Internal Controls


Management’s Assessment of Management’s Assessment of Internal Controls Internal Controls


Auditor Responsibilities Auditor Responsibilities for Understanding Internal for Understanding Internal

ControlControlSecond GAAS fieldwork standard

Must assess control risk in every audit

Primarily concerned about controls over: •reliability of financial reporting •classes of transactions


Sales Transaction-Sales Transaction-related Audit Objectivesrelated Audit Objectives


Auditor Responsibilities Auditor Responsibilities for for

Testing Internal ControlTesting Internal ControlObtains understanding of controls

Performs tests of controls:significant account balances

classes of transactionsdisclosures and related financial statement assertions



Explain the five components of Explain the five components of the COSO internal control the COSO internal control framework.framework.


Five Components of Five Components of Internal ControlInternal Control


The Control EnvironmentThe Control Environment

Integrity and ethical values

Commitment to competence

Board of directors or audit committee participation


The Control EnvironmentThe Control Environment

Management’s philosophy and operating style

Organizational structure

Human resource policies and practices


Risk AssessmentRisk Assessment Identify factors that may increase risk

Assess the likelihood of the risk occurring

Determine actions necessary to manage the risk

Estimate the significance of the risk


Control ActivitiesControl Activities

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance


Adequate Separation of Adequate Separation of DutiesDuties

Custody of assets Accounting

Authorizationof transactions

The custody ofrelated assets

Operationalresponsibility

Record-keepingresponsibility

IT duties User departments

from

from

from

from


Proper Authorization of Proper Authorization of Transactions and Transactions and

ActivitiesActivities

General Authorization

Specific Authorization

Transaction Approval Policies


Adequate Documents and Adequate Documents and RecordsRecords

Prenumbered consecutively

Prepared at the time of transaction

Designed for multiple use

Constructed to encourage correct preparation


Physical Control Over Physical Control Over AssetsAssets

and Recordsand RecordsThe most important type of protectivemeasure for safeguarding assets andrecords is the use of physical precautions.


Independent Checks on Independent Checks on PerformancePerformance

The need for independent checks arisesbecause internal control tends to changeover time unless there is a mechanismfor frequent review.


Information and Information and CommunicationCommunication

The purpose of an accounting informationand communication system

Initiate

Process

Record Reporttransactions

Maintain Accountability

for Related Assets


MonitoringMonitoring

Monitoring activities deal with management’songoing and periodic assessment of thequality of internal control performance…

to determine whether controls are operatingas intended and modified when needed.



Obtain and document an Obtain and document an understanding of internal understanding of internal control.control.


Process for Understanding Process for Understanding Internal Control and Internal Control and

Assessing Control RiskAssessing Control Risk


Obtain and Document Obtain and Document Understanding of Internal Understanding of Internal

ControlControlAuditing standards require auditors to obtain an understanding of internal control for every audit.

Procedures to obtain an understanding: Design of internal controls Whether placed in operation Uses this information as a basis for theintegrated audit


Methods UsedMethods Used

Narrative

FlowchartInternalcontrol

questionnaire


NarrativeNarrative

1. The origin of every document and record in the system2. All processing that takes place3. The disposition of every document and record in the system4. An indication of the controls relevant to the assessment of control risk


Evaluating Internal Evaluating Internal Control OperationControl Operation

Update and evaluate auditor’s previousexperience with the entity

Make inquiries of client personnel Examine documents and records Observe entity activities and operations Perform walk-throughs of the accounting system



Assess control risk by linking Assess control risk by linking key controls, significant key controls, significant deficiencies, and material deficiencies, and material weaknesses to transaction-weaknesses to transaction-related audit objectives.related audit objectives.


Assess Control RiskAssess Control Risk

Assess whether the financial statementsare auditable.

Determine assessed control risk supportedby the understanding obtained assumingthe controls are being followed.

Use a control risk matrix to assesscontrol risk.


Control Risk MatrixControl Risk Matrix

Many auditors use the control risk matrixto assist in the control risk assessmentprocess.


Control Risk MatrixControl Risk Matrix

Identify audit objectives

Identify existing controls

Associate controls with related audit objectives

Identify and evaluate control deficiencies,significant deficiencies, and material weaknesses


Evaluating Significant Evaluating Significant Control DeficienciesControl Deficiencies


Identify Deficiencies Identify Deficiencies and Material Weaknessesand Material Weaknesses

Identify existing controls

Identify the absence of key controls

Consider the possibility of compensating controls

Decide whether there is a significant deficiency or material weakness

Determine potential misstatements that could result


Communications to Those Communications to Those Charged with GovernanceCharged with Governance

Management letters from the auditor less significant control weaknesses ideas for operational improvements

Auditor must communicate in writing significant deficiencies and material weaknesses to the audit committee



Describe the process of designing Describe the process of designing and performing tests of and performing tests of controls.controls.


Tests of ControlsTests of Controls

The procedures to test effectiveness of controlsin support of a reduced assessed controlrisk are called tests of controls.


Procedures for Tests of Procedures for Tests of ControlsControls

Inquire of client personnel

Examine documents,

records, reports

Observe control-related

activities

Reperform client

procedures


Extent of ProceduresExtent of Procedures

Reliance on evidence from prior year’s audit

Testing of controls related to significant risks

Testing less than the entire audit period


Relationship of Assessed Relationship of Assessed ControlControl

Risk and Extent of Risk and Extent of ProceduresProcedures

InquiryDocumentation

Observation

Reperformance

Yes–extensiveYes–with transaction

walk-throughYes–with transaction

walk-throughNo

Yes–someYes–using sampling

Yes–at multiple times

Yes–using sampling

Type ofprocedure

High level:Procedures to obtainan understanding

Lower level:Tests of controls

Assessed Control Risk


Decide Planned Detection Decide Planned Detection Risk and Design Substantive Risk and Design Substantive

TestsTestsControl risk assessment

process results

Related substantive

tests

Planned detection

risk

Tests of controls

Control risk assessments

Balance related audit

objectives



Understand Section 404 Understand Section 404 requirements for auditor requirements for auditor reporting on internal control.reporting on internal control.


Section 404 Reporting on Section 404 Reporting on Internal ControlInternal Control

The scope of the auditor’s report on internal controlis limited to obtaining reasonable assurance that material weaknesses in internal control are identified.


Types of OpinionsTypes of Opinions

Unqualified

Adverse

Qualified or disclaimer

No material weaknessesNo scope restrictions

One or more material weaknesses

Scope limitation



Describe the differences in Describe the differences in evaluating, reporting, and evaluating, reporting, and testing internal control for testing internal control for nonpublic companies.nonpublic companies.


Evaluating, Reporting, and Evaluating, Reporting, and Testing Internal Control for Testing Internal Control for

Nonpublic CompaniesNonpublic Companies1. Reporting requirements

2. Extent of required internal controls

4. Assessing control risk

5. Extent of tests of controls needed

3. Extent of understanding needed


Differences in Scope of Differences in Scope of Controls TestedControls Tested

Internal controls over financial reportingInternal controls over financial reporting

Internal controls used to assesscontrol risk below maximum

Controls that must be tested inan audit of financial statements

Controls that must be tested inan audit of internal controls

©2012 Prentice Hall Business Publishing, ©2012 Prentice Hall Business Publishing, Auditing 14/e,Auditing 14/e, Arens/Elder/Beasley Arens/Elder/Beasley 5 - 510 - 10 - 5050

End of Chapter 10End of Chapter 10

Arens14e ch10 ppt

Documents

Transcript of Arens14e ch10 ppt