Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
26 Cards in this Set
- Front
- Back
|
internal control (COSO)
|
process to assure reliability of fin. reporting, compliance w/ laws and regs, & effectiveness and efficiency of operations
|
|
|
limitations of IC
|
reasonable, but not absolute assurance that control objectives will be achieved, human errors, mgmt overrides, and deliberate circumvention are all potential breakdowns
|
|
|
COBIT
|
control objectives for information and related technology - set of best practices for IT mgmt, generally accepted measures
|
|
|
5 COSO components
|
control environment
risk assessment control activities info and communication monitoring |
|
|
control environment
|
"tone at the top", foundation for all other IC components, includes org.-wide integrity, ethics, corp. governance, mgmt style, org structure, HR policies, etc.
|
|
|
risk assessment process
|
should consider external and internal events that may arise & adversely affect the entity's ability to initiate, record, and process fin. data consistent with F/S assertions
|
|
|
control activities
|
guts of IC system, can be manual or computerized.
key elements: design and operation/implementation of controls 3 processing levels: transaction, accounting estimates, adjusting & closing JEs |
|
|
control activities examples
|
segregation of duties, physical access controls to safeguard assets, info processing controls, reconciliations/performance reviews
|
|
|
information and communication
|
AIS usually network of smaller systems, each processing a unique type of transaction
applications each have unique source documents-auditor develops understanding of how transactions are entered and controls for each application |
|
|
monitoring
|
mgmt's ongoing & periodic assessment of quality of IC performance to determine whether controls need modification (essentially controls over controls-feedback system for other 4 components)
|
|
|
mgmt vs auditor responsibilities (MGMT)
|
identify risks that impact org., enact 5 components of IC, identify weaknesses in IC (deficiencies in design, operation, IC, or material weakness in IC)
|
|
|
mgmt vs auditor responsibilities (auditor)
|
understand and test IC to assess control risk, provide opinion on IC (for public COs), provide feedback to mgmt on IC weaknesses
|
|
|
4 steps for auditor evaluation of IC
|
1. obtain & document understanding of entity risks and 5 components of IC
2. make preliminary CR assessment 3. test controls for effectiveness (if appropriate or public CO) 4. evaluate results (& re-evaluate preliminary CR assessment) |
|
|
1. how to obtain an understanding of I/C
|
top down approach:
examine CO level controls first identify significant accounts and relevant assertions identify points at which errors or fraud could occur identify controls to test to prevent/detect misstatements |
|
|
audit procedures to help understand IC
|
review of client docs/flowcharts
tour facilities/plants interviews and questionnaires walk-throughs and physical verification of controls where feasible *review prior year's workpapers |
|
|
2. preliminary assessment of control risk
|
weak, ineffective, or non-existent controls lead to high CR and thus cannot rely on IC-perform more substantive tests
low CR means auditor must test CR (for compliance) to make sure they are operating effectively |
|
|
moderate CR assessment
|
best assessment, does not require control testing
can only be given if: org. had been audited by firm before w/ no IC problems, no significant changes in the system this year, CO is not public |
|
|
bridge workpaper
|
helps auditors consider implication of IC strengths & weaknesses on their audit plan to test controls
|
|
|
3. testing controls (examples)
|
re-performance (calculations)
inspection of document for evidence of control (signature) examination of supporting evidence (time cards) inquiry & observation |
|
|
guidelines to consider when testing controls
|
transaction controls (sampling techniques), TCs built into computer apps, monthly control procedures (ensure design is effective), YE controls (last qtr of year and 1st qtr of next year
|
|
|
4. evaluate results of IC testing and update assessment
|
if tests reveal weaknesses-increase substantive procedures. (if public CO, control weaknesses considered in terms of PCAOB defs)
Even 1 material weakness results in adverse opinion on IC if testing indicates CR is low, substantive procedures can be reduced |
|
|
control deficiency
|
exists when the design or operation of a control does not allow the CO to detect or prevent misstatements
|
|
|
significant deficiency
|
a control deficiency or combination of deficiencies in IC that is less sever than a material weakness, yet important enough to merit attention
|
|
|
material weakness
|
a control deficiency or combination of deficiencies such that there is a reasonable possibility that a material misstatement in the COs interim or annual F/S will not be prevented or detected
|
|
|
private CO reporting results of IC
|
mgmt: no requirements
auditor: summarize weaknesses and recommendations in mgmt letter |
|
|
public CO reporting results of IC
|
mgmt: separate report required in 10k summarizing mat. weaknesses
auditor: identify sign. def. and mat. weaknesses, report findings to audit committee, provide separate IC audit opinion |
