Materiality
something important enough to affect decisions
Internal Controls
A process designed to provide reasonable assurance on the completion of 3 objectives
Reliability of the financial reporting
Effectiveness and efficiency of operations
Law compliance
Reliability of financial reporting =
good quality financial statements
As the auditor, we are primarily concerned with
Internal Controls over Financial Reporting (ICFRs)
ICFRs do 3 things
are owned by the client
provide reasonable assurance NOT absolute
are related to GAAP reporting
Internal Control examples
requiring management approval for purchases/credit sales
physically locking up inventory
record keeping of all kinds
What makes for good internal controls?
COSO’s 5 part framework
COSO 5 part framework
Control environment
Management’s risk assessment
Accounting information system
Control activities
Monitoring
Control environment
company culture, employee competency
Management’s Risk Assessment
Annual process where we revise the company’s key risks and test the Int. Controls that mitigate them
Accounting Information System
Quality of the ERP system that houses the financial info
Control activities
the actual controls
Monitoring
A system to check if the controls are “working properly”
Segregation of Duties
No one person should be responsible for more than 1 ARC activity!
ARC activities
Authorization
Recording
Custody
Authorization
Approving of transactions/records
Recording
Recording transactions in the books
Custody
Physically holding on to goods/cash
Segregation issues if one person has access to more than 1 ARC activity
AC: One person could approve the purchase of personal goods (A) that get sent directly to themselves (C)
AR: An employee approves a false return and deletes any record of it
The smaller the firm, the _____ it’s gonna be to fully segregate the duties
HARDER
bc there aren’t many employees
2 things that can bypass internal controls
collusion
management override
Collusion
A group of people working together to circumvent controls
Management Override
When a manager can blow thru the controls
During the audit, we are going to pay special attention to warning signs of ____ and _____ of ICs
collusion
management override
The Standards require us to (2)
Obtain an understanding of the client’s Internal Controls
Make sure they’re implemented
Implemented
Somebody is “doing” the controls, they’re not just “on paper”
very low standard
used by the AICPA
We determine if controls are Implemented by
Inquiries
Observations/shadowing
Implemented DOESN’T mean the IC are “good”…
It means the IC exist & they’re getting done
Design Effectiveness
If the IC were working, would they achieve their objective?
used by the PCAOB
high bar
If control risk is medium or low….
It means the Internal controls are really good at catching material misstatements, so we can justify doing less audit work, allowing detection risk to go higher.
“Relying on the Internal Controls”
when you do less audit work (high detection risk) because control risk is really low (meaning the ICs are strong)
If the auditor is gonna “rely on the ICs”, and trust them so we can do less work, we’re gonna have to
test them for Operating Effectiveness
Operating effectiveness is like Implemented BUT…
it’s a much higher standard
Now, instead of just being “done,” the control is being tested to see if it’s working
Operating Effectiveness
Checks if controls function as intended and if the person executing them has the required authority and skill
this checks whether they’re working
How do we test 4 Operating Effectiveness?
inspections
more thorough observation
reperformance
Trade-off between substantive testing & operating effectiveness
Applies more to private companies
Integrated audit
Because of SOX, 4 public clients, we always have to test Internal Controls
Public companies in the US must get an annual audit of ICs which
tests ICFRs for Operating Effectiveness
ONLY 2 opinions allowed for ICFRs
Unqualified
Adverse
Unqualified
if all ICFRs were operating effectively as of the end of the year
Adverse
if there are 1 or more material weaknesses in ICFR as of the end of the year
“As of the end of the year”
This means the client could have 1,000 material weaknesses in ICFR 99% of the year, BUT if they get them fixed before 12/31, they can still get an “Unqualified” opinion
Control risk and Opinions don’t always match
the fact that their 999+ material weaknesses get ‘fixed’ @ the last minute doesn’t change the fact they were bad almost the whole year.
The SEC will allow ‘adverse’ opinions on ICFRs
unlike the financial statements where they ONLY allow Unqualified
An adverse opinion on ICs has negative reactions BUT
the priority is an unqualified opinion on financials.
the bargaining power of the auditor is less since the SEC will allow an ‘adverse opinion’ on ICs.
Actual Control Risk (ACR)
the actual, unknown, risk that a material misstatement could be found in the financials and won’t be detected by the ICs.
Planned Assessed Level of Control Risk (PALCR)
the level of control risk the auditor is gonna use in the Audit Risk Model at the earliest stages of the audit
Planned & Assessed don’t always match
If the PALCR is “lower than the max level,” that means the auditor will “rely on ICs” and will have to test them 4 Operational Effectiveness
Assessed Level of Control Risk (ALCR)
the level of control risk actually used in the Audit Risk Model