91 Cards in this Set
- Front
- Back
What was the Sarbanes-Oxley Act intended to strengthen?
|
The Sarbanes-Oxley Act is intended to strengthen corporate financial reporting by assessing stiffer criminal penalties for white-collar crimes, increasing management accountability, and enhancing auditor independence.
|
|
Management's responsibilities regarding an internal control
|
Responsible for organization internal control
Certifying the company's financial statements
Reporting on the company's internal control over financial reporting
Disclosing any material weaknesses in internal control |
|
The Sarbanes-Oxley Act specifically requires the company's annual report to include
|
A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting
A statement identifying the framework management uses to evaluate the effectiveness of the company's internal control
A statement providing management's assessment of the effectiveness of the company's internal control |
|
Material weaknesses in internal control may prevent...
|
Management from concluding that the company's internal control over financial reporting is effective
|
|
Primary reasons for auditors to conduct an evaluation of a company's internal control
|
Sarbanes-Oxley requires an audit of management's assessment of internal controls for publicly traded companies
To assess control risk to give the auditors a basis for planning the audit and determining the nature, timing, and extent of audit procedures for the account balance (substantive) audit program |
|
Three opinions auditors provide when conducting an evaluation of a company's internal control
|
One on the company's financial statements
One on management's evaluation of their internal controls over financial reporting
One on the effectiveness of a company's internal controls |
|
Control risk
|
The probability that a company's controls will fail to prevent or detect material misstatements due to errors or frauds that would otherwise have entered the system
|
|
To assess control risk external auditors must...
|
Evaluate existing internal controls and assess the control risk for the period under audit
|
|
How are control risks expressed?
|
With descriptive terminology (e.g., maximum, slightly below maximum, high, moderate, low)
Probability number (e.g., 100, 50, or 10 percent, but never zero) |
|
What does it mean to assess control risk as "maximum" or 100 percent (i.e., poor control)?
|
Auditors will tend to perform a great deal of substantive procedures with large sample sizes (extent) at or near the company's fiscal year-end (timing), using procedures designed to obtain high-quality external evidence (nature)
|
|
What does it mean to assess control risk as "low" or 10 to 20 percent (i.e., effective control)?
|
Auditors perform fewer substantive procedures with smaller sample sizes (extent), at an interim date before the company's fiscal year-end (timing), using a mixture of procedures designed to obtain high-quality external evidence and lower quality internal evidence (nature)
|
|
What does control risk illustrate?
|
The trade-off between audit effectiveness (catching errors or fraud) and audit efficiency (completing the audit in a timely fashion)
|
|
Internal control
|
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with applicable laws and regulations
A dynamic process operating every day within a company's structure |
|
Primary concern for external auditors
|
External auditors are primarily concerned with the financial reporting controls. However, some controls related to operations and compliance can be relevant to the external audit
|
|
Key component of an entity's internal control
|
People
People establish the objectives, put controls in place, and operate them |
|
Internal control assurance
|
Internal control provides reasonable assurance, not absolute assurance, that the control objectives will be achieved.
|
|
Types of control breakdowns
|
Because people operate the controls, breakdowns can occur. Human error, deliberate circumvention, management override, and improper collusion among people who are supposed to act independently can cause failure to achieve objectives.
|
|
Reasonable assurance
|
In auditing standards, the concept of reasonable assurance recognizes that the costs of controls should not exceed the benefits that are expected from the controls
|
|
What are the basic components of internal control?
|
Control environment
Risk assessment
Control activities
Monitoring
Information and communication |
|
Control environment
|
The control environment sets the tone of the organization
It is the foundation for all other components of internal control
It provides discipline and structure
Control environment factors include the integrity, ethical values, and competence of the company's people |
|
Audit committee
|
A subcommittee of the board of directors that is generally composed of three to six "outside" members
The purpose of including outside members is to provide a buffer between the audit team and operating management. The buffer allows the audit team to report any controversial findings to members of the board of directors without fear of reprisal |
|
Important duties of the audit committee
|
Appointment, compensation, and oversight of the audit firm conducting the company's audit
Resolution of disagreements between management and the audit team
Oversight of the company's internal audit function
Approval of nonaudit services provided by the professional services firm performing the audit engagement |
|
Business Risk
|
Factors, events, and conditions that can prevent the organization from achieving its business objectives
|
|
Risk Assessment
|
Steps taken by management to identify risks, estimate their significance and likelihood, and consider how to manage the risk.
|
|
Purpose of setting objectives for risk assessment
|
By setting objectives, management can identify critical success factors and institute policies and procedures to ensure they are met
|
|
Control Procedures
|
Imposed on the accounting system for the purpose of preventing, detecting, and correcting errors and frauds that could enter and flow through to the financial statements
|
|
Control procedures include...
|
Performance reviews
Segregation of duties
Physical controls
Information-processing controls |
|
Performance review
|
Periodic comparison and action to correct errors lowers the risk that material misstatements remain in the accounts
|
|
Segregation of duties
|
Four types of function responsibilities should be performed by different departments, or at least by different persons on the company's accounting staff:
Authorization to execute transactions
Recording transactions
Custody of assets involved in the transactions
Periodic reconciliation of existing assets to recorded amounts |
|
Incompatible responsibilities
|
Combinations of responsibilities that place a person alone in a position to create and conceal errors, frauds, and misstatements in her or his normal job. Duties should be divided so that no one person can control two or more of these responsibilities.
|
|
Physical controls
|
Physical access to assets and important records, documents, and blank forms should be limited to authorized personnel
|
|
Information-processing controls
|
The information system produces a trail of computer operations (audit trail) from data identification to reports. It starts with the source documents and proceeds through to the financial reports.
|
|
Audit trail
|
Auditors often follow this trail frontward and backward. They will follow it backward from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents (the existence or occurrence assertion)
They will follow it forward from source documents to reports to determine whether everything that happened (transactions) was recorded in the accounts and reported in the financial statements (the completeness assertion) |
|
Categories of information-processing controls
|
General controls
Application controls |
|
Information technology general controls (ITGC)
|
Apply to all application systems and help ensure their continued proper operation. They can be thought of in the same light as the control environment because if the ITGC are weak, the application controls cannot be relied on.
|
|
Information technology application controls (ITAC)
|
ITAC include computerized steps within the application software and related manual procedures to control the processing of various types of transactions. ITAC are specific to each cycle. They are divided into the following categories: input controls, processing controls, and output controls
|
|
Input controls
|
Designed to provide reasonable assurance that data received for processing by the computer department have been authorized properly and converted into machine-sensitive form, and that data have not been lost, suppressed, added, duplicated, or improperly changed
|
|
Processing controls
|
Error-condition check routines written into the computer program.
Designed to provide reasonable assurance that data processing has been performed as intended without any omission or double counting of transactions. |
|
Output controls
|
The final check on the accuracy of the results of computer processing. These controls should be designed to ensure that only authorized persons receive reports or have access to files produced by the system.
|
|
Spreadsheet controls
|
Financial reporting controls extend over the entire process from initiation of transactions to the financial statements. Many of the final adjusting entries, consolidating entries, and footnote amounts are created by spreadsheet applications, which must also be controlled
|
|
Spreadsheets can be evaluated using...
|
Inventory the spreadsheets including name, description, department, frequency, and extent of changes
Evaluate the use and complexity of the spreadsheets
Determine the necessary level of controls for the spreadsheet
Evaluate existing controls for the spreadsheet
Develop action plans for remediating control deficiencies |
|
Information and communication
|
A necessary prerequisite for achieving management's objectives. To make effective decisions, managers must have access to timely, reliable, and relevant information.
Communication includes report production and distribution. Communication also involves expectations, responsibilities of individuals and groups, and other important matters. |
|
Monitoring
|
Monitoring does not include regular management and supervisory control activities and other actions personnel take in performing their duties. It involves ongoing evaluation of the controls.
|
|
Criteria for evaluating a company's financial reporting controls and the bases for auditors' assessment of control risk as it relates to financial statements
|
The five components of internal control
|
|
Phases of an evaluation of control and risk assessment
|
Phase 1: Understand and document the client's internal control
Phase 2: Assess the control risk (preliminary)
Phase 3: Perform tests of controls and reassess control risk |
|
Phase 1: Understand and document the client's internal control
|
A major goal in audits is to be efficient without losing effectiveness. Generally, the more auditors know about good controls, the fewer substantive procedures they need to perform. It gives auditors an overall acquaintance with the control environment and management's risk assessment, the flow of transactions through the accounting system, and the design of some client control procedures. This step should be performed in a "top-down" risk-based manner that first examines company-level controls (CLCs) and then controls at significant business units.
|
|
Steps in the top-down approach
|
Identify, understand, and evaluate the design of CLCs
Identify significant accounts and relevant assertions
Identify significant processes and major classes of transactions
Identify points at which errors or fraud could occur
Identify controls to test that prevent or detect errors or fraud on a timely basis
Clearly link individual controls with the significant accounts and assertions to which they relate |
|
Account's significance
|
Based on the inherent risk of the account
|
|
Inherent risk
|
The likelihood of containing a material misstatement before the consideration of internal control
|
|
Relevant assertions
|
Represent the possibility of a material misstatement
|
|
Control environment evaluation
|
Primary evidence is gathered through observation and inquiry and some examination of documents
|
|
Risk assessment evaluation
|
How the client assesses and responds to risk
Responses to these inquiries should be supported by documentation and observation |
|
Information and communication assessment
|
Obtain an understanding of the accounting system's flow of transactions and other processes that mitigate financial reporting risk.
Accounting manuals should contain a statement of objectives and policies. Other sources of information include (1) previous experience with the company as found in last year's audit, (2) responses to inquiries directed to client personnel, (3) inspection of documents and records, and (4) observation of activities and operations made in a walk-through of one or a few transactions |
|
Walk-through
|
Consists of tracing one or more transactions through the audit trail from initiation of the transaction to its inclusion in the financial statements
|
|
Document the internal control understanding
|
Audit documentation of a decision to assess control risk as 100 percent (no reliance on internal control to reduce procedures) should explain reasons for the decision. However, for future reference in next year's audit, the memorandum should contain an explanation of effectiveness-related or efficiency-related reasons for the assessment.
For a decision to assess control risk at lower than the maximum, audit documentation is required and should include records showing the audit team's understanding of the controls. The understanding can be summarized in the form of questionnaires, narratives, and flowcharts. |
|
Internal control questionnaire
|
A checklist of internal control-related questions used to gain and document an auditor's understanding of the client's internal control
|
|
Narrative description
|
Audit documentation that describes the environmental elements, the accounting system, and the control procedures in an entity's internal control
|
|
Accounting and control system flowcharts
|
The flowchart should communicate all relevant information and evidence about segregation of responsibilities, authorization, and accounting and control procedures in an understandable, visual form. The starting point in the system should, if possible, be placed at the upper left-hand corner. The flow of procedures and documents should be from left to right and from top to bottom as much as is possible.
|
|
Deciding not to test controls
|
Auditors of nonpublic entities can decide to stop the evaluation work in Phase 1 for either of two reasons, both of them coordinated with the final audit program. First, the audit team could conclude that no more evidence is needed to show the control is too poor to justify reductions of subsequent audit procedures. Essentially, this decision is a matter of audit effectiveness.
Second, the audit team could decide that more time and effort would be spent testing controls to lower the control risk assessment than would be saved by being able to justify less effective or fewer substantive procedures (providing the controls turn out to be working well). The cost of obtaining a low control risk assessment can be high. The additional work on controls is not economical. The decision to stop work on control risk assessment in this case is a matter of audit efficiency. |
|
Phase 2: Assess the control risk (preliminary)
|
The audit team should be able to make a preliminary assessment of the control risk. One way to make the assessment is to analyze the control strengths and weaknesses.
|
|
Control strengths
|
Strengths are specific features of good general and application controls
|
|
Control weaknesses
|
Weaknesses are the lack of controls in particular areas. Auditors do not need to perform tests of controls on weaknesses just to prove they are weaknesses.
Apparent weaknesses in any of the input, processing, and output controls are matters of concern. However, absence of a control at one stage may be offset by compensating controls at another stage. |
|
Bridge workpaper
|
Strengths and weaknesses should be documented in a bridge workpaper, so called because it connects ("bridges") the control evaluation to subsequent audit procedures. In the bridge workpaper, the Test of Controls Audit Program column contains tests of controls for auditing the control strengths and Compensating Substantive Procedures related to the weaknesses.
|
|
Phase 3: Perform Tests of Controls and Reassess Control Risk
|
When auditors reach the third phase of an evaluation of internal control, they will have identified specific controls for which risk could be assessed below maximum
|
|
To reduce the control risk assessment, auditors must determine...
|
(1) the required degree of compliance with the control policies and procedures
(2) the actual degree of compliance. |
|
Test of control statement
|
A test of controls is a two-part statement. Part 1 is an identification of the data population from which a sample of items will be selected for audit. Part 2 is an expression of an action taken to produce relevant evidence. In general, the action is to determine whether (1) the selected items correspond to a standard and (2) the selected items agree with information in another data population.
|
|
Test of controls
|
Tests of controls should be applied to samples of transactions and control procedures executed throughout the period under audit. The reason for this requirement is that the conclusions about controls will be generalized to the whole period under audit.
|
|
Perform tests of controls
|
When the audit team determines that a specific control procedure could have a significant effect in reducing control risk to a low level for a specific assertion, they ordinarily need to perform additional tests of controls to obtain sufficient audit evidence to support the conclusion about the effectiveness of the design or operation of that control procedure
Some tests of controls involve reperformance
Some tests of controls depend on documentary evidence |
|
Direction of the tests of controls
|
Completeness direction ensures that all valid employees are included
Occurrence test ensures that all employees included are bona fide employees of the organization |
|
Reassess the control risk
|
The audit manager or senior accountant in charge of the audit should evaluate the evidence obtained from an understanding of the internal controls and from the tests of controls. If the control risk is assessed very low, the substantive procedures on the account balances can be limited in cost-saving ways. On the other hand, if tests of controls reveal weaknesses, substantive procedures need to be added to lower the risk of failing to detect material misstatements in the financial statements.
|
|
Final control risk assessment
|
Recognize that the final evaluation of a company's internal control is the assessment of the control risk related to each assertion. These assessments are an auditor's expression of the effectiveness of internal control for preventing, detecting, and correcting specific errors and frauds in management's financial statement assertions.
|
|
Assessment of control risk
|
Should be coordinated with the final audit plan. The final account balance audit plan includes the list of substantive procedures to detect material misstatements in account balances and financial statement disclosures.
|
|
Dual purpose tests
|
The general audit procedures can be used both as tests of controls and as substantive procedures. A single procedure can produce both control and substantive evidence and, thus, serve both purposes.
|
|
PCAOB Audit Standard No. 2 (AS 2)
|
Details the work that external auditors of public companies must perform to comply with Section 404 of Sarbanes-Oxley
|
|
SAS 65 "Auditor's Consideration of the Internal Audit Function"
|
Much of the initial work, including documentation and testing of controls, is done by employees of the firm including the internal audit staff and outside parties hired by management.
Encourages external auditors to use the work of internal auditors; however, the external auditor's own work must provide the principal evidence for the audit opinion on internal controls |
|
Important difference between AS2 and GAAS
|
What is considered the end of the fiscal year?
The auditor must understand and evaluate the controls for the entire period to determine their effect on the nature, timing, and extent of substantive procedures |
|
For the auditor to satisfactorily complete an audit of internal control over financial reporting, management must...
|
Accept responsibility for the effectiveness of the company's internal control over financial reporting
Evaluate the effectiveness of the company's internal control over financial reporting using suitable control criteria
Support its evaluation with sufficient evidence, including documentation
Present a written assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year |
|
AS 2 six-step audit procedure to audit financial reporting controls
|
Planning the engagement
Evaluating management's assessment process
Gaining an understanding of internal control over financial reporting
Testing and evaluating design effectiveness of internal control over financial reporting
Testing and evaluating operating effectiveness of internal control over financial reporting
Forming an opinion on the effectiveness of internal control over financial reporting |
|
Design effectiveness
|
Determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements
|
|
Operating effectiveness
|
Whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively
|
|
Internal control deficiency
|
Exists when the design or operation of a control does not allow the company's management or employees to detect or prevent misstatements in a timely fashion
|
|
Significant deficiencies
|
Defined as conditions that could adversely affect the organization's ability to initiate, record, process, and report financial data in the financial statements
|
|
Material weakness
|
A condition that results in more than a remote likelihood that a material misstatement exists in financial statements
|
|
Control deficiencies
|
Internal control deficiency
Significant deficiency
Material weakness |
|
Management's assessment
|
If the auditor determines that management's process for assessing internal control over financial reporting is inadequate, the auditor should modify her or his opinion for a scope limitation. If the auditor determines that management's report is inappropriate, the auditor should modify her or his report to include, at a minimum, an explanatory paragraph describing the reasons for this conclusion. |
|
Effectiveness of Internal Control over financial reporting
|
The internal control report may be included with the external auditor's opinion on the financial statement or may be a separate report
|
|
Types of deficiencies identified by AS 2 that the external auditor must classify as a significant deficiency in internal controls
|
Ineffective oversight by the audit committee
A material misstatement in the financial statements that was not identified by the system of internal control
Significant deficiencies in internal control that remain uncorrected after a reasonable period of time |
|
Auditor can issue one of three types of reports on internal control
|
Unqualified. No material weaknesses exist.
Qualified or disclaimer. Auditor cannot perform all of the procedures considered necessary.
Adverse opinion. One or more material weaknesses exist. |
|
In addition to the document requirements (AU 339), the auditor should document...
|
The understanding obtained and the evaluation of the design of each of the five components of the company's internal control over financial reporting
The process used to determine significant accounts and disclosures and major classes of transactions, including the determination of the locations or business units at which to perform testing
The identification of the points at which misstatements related to relevant financial statement assertions could occur within significant accounts and disclosures and major classes of transactions
The extent to which the auditor relied on work performed by others as well as the auditor's assessment of their competence and objectivity
The evaluation of any deficiencies noted as a result of the auditor's testing
Other findings that could result in a modification to the auditor's report |
|
Internal control communications
|
Auditors' communications of significant deficiencies and material weaknesses are intended to help management carry out its responsibilities for internal control monitoring and change. However, external auditors' observations and recommendations are usually limited to external financial reporting matters.
|
|
Management letter
|
This letter may contain commentary and suggestions on a variety of matters in addition to internal control matters
|