88 Cards in this Set

Internal controls
Built-in safeguards which, if implemented properly, increase the likelihood that published financial statements are reliable, timely, and transparent
5 COSO components of an entity's internal control
1. The control environment
2. Management’s risk assessment
3. Information and communication
4. Control activities
5. Monitoring
COSO: The control environment
The overall attitude of management, the board of directors, and owners toward the importance of controls
No other control is enough without this
COSO: The control environment: Factors
1. Commitment to integrity and ethical values
2. Management philosophy and operating style (approach to business risk and attitudes toward financial reporting/accounting)
3. The board of directors
4. Management establishes clear reporting lines
5. Attract, develop, and retain competent individuals
6. Management and board must establish performance measures, incentives, and rewards
COSO: The control environment: Factors
The board of directors must
o Be independent from managers
o Oversee internal controls
o Interact with internal and external auditors
o Ask management tough questions
COSO: The control environment: Factors
Establishing clear reporting lines
o Has a well-spaced organizational chart
o Employees know what they are accountable for
COSO: The control environment: Factors
Performance measures, incentives, and rewards must
o Reflect reasonable expectations, considering long- and short-term goals
o Reduce temptations
o Be aligned with fulfilling IC activity
COSO: Management's risk assessment
Management must identify and analyze risks relevant to financial statement preparation (changes that could affect ICS, fraud risk, etc.)
COSO: Information and communication
The organization uses relevant, quality information to support the functioning of internal control
COSO: Information and communication: Factors
• Information systems should identify, process (classify), value, and present all valid transactions in the appropriate accounting period
• Management should communicate employees’ roles and responsibilities about internal control over financial reporting
COSO: Control activities
Policies and procedures that help ensure management’s directives are carried out; designed to prevent and detect errors in accounting data (strengthens the AIS)
COSO: Control activities: Examples
Performance reviews
Information processing controls - general and application controls
Physical controls - physical asset security
Segregation of duties
These three duties should be segregated
Authorization and approval of a transaction
Accounting, recording, and reconciling the transaction
Custody of or access to the related asset
COSO: Monitoring
an ongoing process of periodic assessment of internal control; an entity’s ability to check itself to make sure controls are effective over time
Inherent limitations of IC systems
Collusion
Management override
Human error and inconsistency
Why evaluate internal controls?
1. If it’s a public company, SOX Section 404 requires the auditor to issue a separate report on internal controls
2. To assess control risk
Steps to evaluate internal controls
1. Obtain an understanding of internal controls for business processes and specific assertions
2. Document the understanding of internal control
3. Preliminary assessment of control risk (maximum or lower?)
Steps to evaluate internal controls:
Obtain understanding of internal controls:
For each business process, do the following:
• Identify the types of misstatements that could occur
• Determine necessary controls to prevent and detect
• Determine whether designed and in place
• Identify weaknesses
• Design substantive procedures for weaknesses found
• Communicate weaknesses as reportable conditions
Steps to evaluate internal controls:
Document the understanding of IC:
Sources
(1) Study of the organizational structure
(2) Update from previous experience
(3) Inquiry of client personnel
(4) Study manuals, documents, and records
(5) Observation of activities and operations
Steps to evaluate internal controls:
Preliminary assessment of control risk:
Choosing a strategy
If control risk is at maximum, do not rely on controls; use more substantive testing instead
If control risk is low, a reliance strategy can be used
Steps to evaluate internal controls:
Preliminary assessment of control risk:
Why would control risk be at maximum?
• No control pertinent to that assertion
• Controls are not perceived to be good
• Testing controls is not considered to be cost-effective (it may be cheaper to do more substantive testing instead)
Forms of document understanding (with pros and cons)
1. Narrative description
Advantage: rigor of analysis
Disadvantage: difficulty for reviewer to follow
2. IC questionnaire/checklist
Advantage: easy to complete; comprehensive
Disadvantage: tendency toward cursory review
3. IC flowchart
Advantage: easy to review; visual depiction
Disadvantage: hard to get in-depth understanding
Audit risk model
AR = IR * CR * DR
Test of controls
Performed to provide support for lower level of CR assessment
Procedures used as a test of controls
- Inquiry
- Inspection of documents, reports, electronic files
- Observation of application of control
- Walkthroughs – tracing a transaction through the system
- Reperformance of application of control
How do strong ICs reduce the cost of substantive tests
Nature – replace a costly test such as confirmations with a less costly test such as analytical procedures
Timing – move timing of test to interim period
Extent – reduce sample size or number of tests
Communication of internal control within public and private companies
Public company – the auditor issues a separate report on the effectiveness of internal controls
Private company – the auditor does not have to perform a separate audit of the internal controls, but the auditor may discover control deficiencies during the audit
What challenges does a sophisticated IT system present for an auditor?
• Audit trails may only exist electronically (no printed copies)
• Program errors may cause uniform transaction errors
• Programmed controls may have to make up for a lack of adequate segregation of duties and manual review
• Detecting unauthorized access may be difficult (especially for real-time systems)
Two general approaches to auditing computer-based systems
1. Auditing "around" the computer - extensive testing of the inputs and outputs of the IT system and little or no testing of processing
2. Auditing "through" the computer - testing computer hardware and software (input and processing phases)
Categories of control in an IT environment
General controls - relate to all parts of the computerized system
Application controls - relate to one specific use of the system; controls that help ensure the completeness and accuracy of transaction processing, authorization, and validity in specific applications
General control areas to test
• Segregation of duties within IT function (rotation of operator duties & mandatory vacations)
• Systems development and documentation (with internal audit participation in design)
• Access controls to prevent unauthorized access to computer rooms, systems, programs, and files
• Review of operating systems control log to ensure no unauthorized activities
• Back-up files at off-site locations
Application control areas to test
• Make sure all transactions are recorded, and recorded only once, and that errors are rejected and corrected before they’re reentered
• Programmed edit checks help ensure accuracy
How to test application controls
CAATs (computer-assisted auditing techniques)
Parallel simulation – the auditor writes a computer program that mimics part of the client’s system; the auditor’s program is used to process actual client data on client hardware and the results are compared
Types of CAATs
1. Generalized audit software
2. Custom audit software
3. Test data
Generalized audit software:
What was it developed for?
What does it provide?
o Developed to allow auditors to perform similar CAATs in different IT environments
o Software provides a high-level computer language to allow tests of clients’ files and databases
Drawbacks of custom audit software
Expensive to develop, slow to develop, and limited in function
How to use test data CAATs
o Involves a series of fictitious transactions containing intentional errors
o Auditor examines the results and determines whether the errors were detected by the system
Drawbacks of test data CAATs
1. Fictitious data could be mixed up with actual data
2. Preparing test data that examines all aspects of the application is difficult
3. The auditor cannot be sure that the program being tested is the one actually used in routine processing
Generalized audit software examples
File or data access – reads and extracts data from a client’s computer files or databases for further audit testing
Selection operators – select from files or databases transactions that meet certain criteria
Arithmetic functions – perform a variety of arithmetic calculations on transactions, files, and databases
Statistical analysis – provide functions supporting various types of audit sampling
Report generation – prepares various types of documents and reports
How to mitigate increased risks associated with sophisticated IT systems
• Effective documentation of systems, programs, and program changes
• Password security
• Computer editing
• Computer log of all activities
• Backup files
Two types of intentional misstatements
1. Fraudulent financial reporting
2. Misappropriation of assets
Fraudulent financial reporting
• Manipulation or falsification of accounting records or documents
• Misrepresenting (or omission of) events, transactions, and significant information
• Intentionally misapplying accounting principles (GAAP)
• Usually committed by management to deceive financial statement users
Misappropriation of assets
• Involves theft of the company’s assets and includes:
o Defalcation
o Embezzlement
o Stealing assets
o Causing the entity to pay for goods or services not received
• Usually committed by employees against the entity
SAS 99 Fraud Triangle's three sides
Opportunities, incentives/pressures, and attitudes/rationalizations
Risk factors related to incentives/pressures to commit fraud
• Financial stability, growth, or profitability are threatened by:
o Economic conditions
o Industry conditions
o Entity’s operating conditions
• Excessive pressure on management to meet third-party expectations and company targets
• Management’s personal financial position is highly dependent on the entity’s financial performance
Risk factors related to opportunities to commit fraud
• Nature of the industry
• Ineffective monitoring of management
• Complex or unstable organizational structure
• Inadequate internal controls
Risk factors related to attitudes/rationalizations to commit fraud
• Weak ethical standards for management behavior and poor communication channels for reporting inappropriate behavior
• Non-financial management’s excessive participation in selection of accounting principles and estimates
• Known violations of laws and/or rules by management or board
• Excessive interest by management in maintaining or increasing stock price or earnings
• Management history of committing to unrealistic or aggressive forecasts
• Management history of justifying inappropriate accounting based on materiality
Audit of ICFR (internal control over financial reporting performed in conjunction with an audit of financial statements)
a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP
ICFR controls include procedures that:
1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets.
Control deficiency
exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis (not material or significant)
Control deficiency: Design deficiency exists when
1. A control necessary to meet the relevant control objective is missing OR
2. An existing control is not properly designed so that even if the control operates as designed, the control objective is not always met
Control deficiency: Deficiency in operation exists when
1. A properly designed control does not operate as designed OR
2. When the person performing the control does not possess the necessary authority or qualification to perform the control effectively
Material weakness
a deficiency or combination of deficiencies in ICFR, such that there is a reasonable possibility that a material misstatement of the entity's annual or interim financial statements will not be prevented or detected on a timely basis
Significant deficiency
a control deficiency (CD) or combination of CDs in ICFR that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting (not material but significant)
Statistical sampling
uses the laws of probability to select and evaluate the results of an audit sample, thereby permitting the auditor to quantify the sampling risk for the purpose of reaching a conclusion about the population
Nonstatistical sampling
relies on the auditor’s judgment to determine the sample size (typically comparable to that of a statistically based sampling approach) and select the sample
Advantages and disadvantages of statistical sampling
Advantage: more quantitative and precise; efficient
Disadvantage: more costly training
Attribute sampling
used to estimate the proportion of a population that possesses a specified characteristic. It is more appropriately used for tests of controls.
Variable sampling
uses normal distribution theory to estimate the dollar amount of misstatement for a class of transactions or an account balance. Variable sampling is more appropriately used for substantive testing.
Risk of incorrect rejection
the risk that the sample supports the conclusion that the control is not operating effectively when it actually is or that the recorded account balance is materially misstated when it is not materially misstated.
Risk of incorrect acceptance
the risk that the sample supports the conclusion that the control is operating effectively when it is not or that the recorded account balance is not materially misstated when it is materially misstated.
Assessing control risk too high
Risk of incorrect rejection
Assessing control risk too low
Risk of incorrect acceptance
Sampling risk error types
Type 1: the auditor erroneously concludes that a problem exists; audit efficiency is reduced
Type 2: the auditor erroneously concludes that no problem exists; audit effectiveness is reduced
Sampling errors
result when the sample drawn is not representative of the population, so that the auditor reaches an incorrect conclusion about the account balance or class of transactions based on the sample
Nonsampling errors
result when the auditor reaches an erroneous conclusion for any reason that is not related to sampling risk
(ex: failure to recognize errors or the selection of ineffective procedures)
Desired confidence level
the probability that the true but unknown measure of the characteristic of interest is within specified limits
Tolerable deviation rate
the maximum deviation rate from a prescribed control that the auditor is willing to accept without altering the planned assessed level of control risk
Expected population deviation rate
the deviation rate that the auditor expects to exist in the population
Stratified sampling
Items in the population are divided into two or more subpopulations, each of which is sampled separately
Auditor decision process
1. Project the sample results to the population
2. Add an amount for sampling risk (use judgment for nonstatistical sampling and math for statistical sampling)
3. The total amount (upper deviation rate/upper misstatement rate) should be compared with tolerable deviation rate/tolerable misstatement
Sampling for tests of controls
used in the evaluation of the client's internal controls
Sampling for tests of details of balances
used in the evaluation of the acceptability of the monetary balance of an account
Sampling for substantive tests of transactions
used in the evaluation of the monetary correctness of transactions
Test of controls: Tolerable deviation rate
Tests of transactions and balances: Tolerable misstatement
Test of controls: Expected deviation rate
Tests of transactions and balances: Expected misstatement
Test of controls: Computed upper deviation rate
Tests of transactions and balances: Upper misstatement limit
Test of controls: risk of assessing control risk too low
Tests of transactions and balances: Risk of incorrect acceptance
Computed upper deviation rate =
Sample deviation rate (number of exceptions or deviations actually found in the sample / number of items in the sample)
+ Appropriate allowance for sampling risk
Considering sampling error, if computed upper deviation rate < tolerable deviation rate
the auditor can conclude that the controls can be relied upon (use assessed level of CR)
Considering sampling error, if computed upper deviation rate > tolerable deviation rate
the auditor should:
Check definitions of deviations
Review deviations to make sure they're deviations
Expand the sample
Increase the planned assessed level of control risk and extend substantive tests
In control testing, sampling risk errors (Type 1 and Type 2) are
the risk of assessing control risk too high and the risk of assessing control risk too low
Tolerable misstatement
the amount of misstatement that may exist in an account balance without causing the financial statements to be materially misstated
Note: form the opinion on the financial statements AS A WHOLE
Expected misstatement
the amount of misstatement that the auditor expects to find
Upper misstatement limit (UML) =
Projected misstatement (a point estimate of the total misstatement in the population estimated from the misstatements found in the sample)
+ appropriate allowance for sampling risk
Considering sampling error, if upper misstatement limit < tolerable misstatement
accept the conclusion that the book value is not misstated by a material amount
Considering sampling error, if upper misstatement limit > tolerable misstatement
book value is not acceptable and the auditor should:
wait until other test areas are complete
expand audit tests in specific areas
increase sample size
adjust the account balance
request the client correct the population
refuse to give an unqualified opinion
In substantive testing, sampling risk errors (Type 1 and Type 2) are
the risk of rejecting the account balance as correct when it is correct and the risk of accepting the account balance as correct when it is misstated