Chapter 12- Assessing Control Risk and Reporting on Internal Control
Learn
Practice Test
Spaced Repetition
Match
Flashcards1/38
There's no tags or description
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced |
|---|
No study sessions yet.
39 Terms
Process for Understanding Internal Control and Assessing Control Risk
Figure 12-1
Phase 1- Obtain and document an understanding of internal control: design and operation
Phase 2- Assess control risk
Phase 3- Design, perform, and evaluate tests of controls
Phase 4- Decide planned detection risk and substantive tests
Obtain and Document
Understanding of Internal Control
lAuditing standards require auditors to obtain and document their understanding of internal control for every audit.
–Audit of financial statements
–Audit of internal control over financial reporting
Obtain and Document Understanding of Internal Control
The understanding involves gathering evidence about:
–Design of internal controls
–Implementation of internal controls
Obtain and Document Understanding of Internal Control
The auditor generally uses four types of evidence to obtain an understanding:
–Inquiry of entity personnel
–Observation of employees performing control processes
–Inspection of documents and records
–Reperformance by tracing one or a few transactions through the accounting system
Obtain and Document Understanding of Internal Control
lThe auditor generally uses three types of documents to obtain and document the understanding:
–Narratives
–Flowcharts
–Internal Control Questionnaires
Narrative
–Written description of a client’s internal controls
Flowchart
–Diagram of the client’s documents and their sequential flow in the organization
–Figure 14-3 (page 469) presents a flowchart of sales and cash receipts
Obtain and Document Understanding of Internal Control
Narratives and Flowcharts contain the
same basic information
–The origin of every document and record in the system.
–All processing that takes place.
–The disposition of every document and record in the system.
–An indication of the controls relevant to the assessment of control risk.
*Unusual to use both a flowchart and a narrative because they present the same information
Flowcharts have two advantages
–Easier to read
–Easier to update
Questionnaire
–Asks a series of questions about the controls in each area
–Most questionnaires require a “yes” or “no” response
–“No” indicates a potential control deficiency
–Figure 12-2 presents a questionnaire for sales
Questionnaire Disadvantages
–Do not provide overview of the system
–Do not apply to some audits (e.g., small companies)
Evaluating Internal Control Implementation
The understanding of the design and implementation of internal control are often done simultaneously
Common Methods of Evaluating Internal Control Implementation
–Update and evaluate auditor’s previous experience with the entity
–Make inquiries of client personnel
–Observe entity activities and operations
–Inspect documents and records
–Perform walkthroughs of the accounting system
Assess Control Risk
The auditor obtains an understanding of the design and implementation of internal control to make a preliminary assessment of control risk
The auditor makes the preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle
Use of a Control Risk Matrix
Many auditors use a control risk matrix in the control risk assessment process
Figure 12-3 illustrates a control risk matrix for sales transactions
Preparation of the matrix consists of six steps
Step 1 in Assess of control risk
Identify Audit objectives
Recall the seven transaction-related objectives:
–Occurrence
–Completeness
–Accuracy
–Posting and summarization
–Classification
–Timing
–Presentation
*See Figure 12-3: List these objectives at the top of the matrix
Step 2 in Assess of control risk
Use information acquired from obtaining and documenting the understanding of internal control
lUse the five control activities as reminders
–Separation of duties
–Proper authorization
–Adequate documents and records
–Independent checks on performance
–Physical control over assets and records
*Figure 12-3- –List the controls in the rows on the left side of the matrix
ldentify and include only “key controls”
–Controls that are expected to have the greatest effect on meeting the transaction related audit objectives
Step 3 in Assess of control risk
Associate Controls with Related Audit Objectives
Enter a “C” in each cell where a control partially or fully satisfies an audit objective
See Figure 12-3
–Control: mailing statements to customers
–Related objectives: occurrence, accuracy, posting and summarization
Step 4 in Assess of control risk
Identify and Evaluate Absence of Controls
Evaluate whether key controls are absent
Three levels of absence of controls
–Control deficiency
–Significant deficiency
–Material weakness
: Identify and Evaluate Absence of Controls (Figure 12-5)
In Step 4 Identify and Evaluate Absence of Controls, a material weakness exists if
a significant deficiency, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis
A significant deficiency exists if
one or more control deficiencies exist that is less severe than a material weakness, but important enough to merit attention by those responsible for oversight of the company’s financial reporting
A control deficiency exists if
the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis (least severe)
Step 4: Identify and Evaluate Absence of Controls Steps
Identify existing controls
Identify the absence of key controls
Consider the possibility of compensating controls (offsets the absence of a key control)
Decide whether there is a significant deficiency or material weakness
Determine potential misstatements
Step 5 in Assess of control risk
Associate Control Deficiencies with Related Audit Objectives
Enter a “D” in each cell where there is a significant deficiency or material weakness for an audit objective
See Figure 12-3
–Significant deficiency: There is a lack of internal verification for the possibility of sales invoices being recorded more than once
–Objective: Occurrence
lWhat is the likelihood that a material misstatement would not be prevented or detected by these controls?
Answer
–High, moderate, low (more often)
–1.0, .6, .2
Step 6 in Assess of control risk
Assess Control Risk
Enter answer in bottom row of matrix.
See Figure 12-3
–Occurrence: Medium
–Completeness: Low
–Accuracy: Low
–Posting and summarization: Low
–Classification: Low
–Timing: Medium
–Presentation: Lowc
Purpose of Tests of Control
lPurpose
–Test the effectiveness of controls in support of a reduced assessed control risk
If tests of controls indicate that controls are effective
–Reduced assessment = Preliminary assessment
lf tests of controls indicate that controls are not effective
–Reduced assessment must be reconsidered
Procedures for Tests of Control
Make inquiries of client personnel
Examine documents, records, and records
Observe control-related activities
Reperform client procedures
Extent of Procedures
Reliance on evidence from prior year’s audit
–Auditing standards require tests of controls’ effectiveness every third year
–Auditing standards require some tests each year to ensure rotation of controls
Testing of controls related to significant risks
Testing less than the entire period
–Some controls can be tested on an interim basis
–Other controls must be tested at year-end
Relationship of Assessed Control Risk and Extent of Procedures
Decide Planned Detection Risk and Design Substantive Tests
lThe auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests auditor links the control risk assessments to the balance-related audit objectives
Communications
Communication in writing to those charged with governance
–Significant deficiencies
–Material weaknesses
–Management letters
–Less important control issues
–Operational issues
Section 404- Sarbanes-OCley
Reporting Requirements
lThe auditor is required to prepare an audit report on internal control over financial reporting for public companies subject to Sarbanes-Oxley Section 404
lThe auditor may issue separate or combined audit reports on the financial statements and on internal control over financial reporting
Types of Opinions
lUnqualified Opinion
–No material weaknesses as of year end
–No scope restrictions
*if one material, its an adverse opinion
Adverse Opinion (See Figure 12-7)
–Material weakness exists
Qualified or Disclaimer of Opinion
–Scope restriction
Internal Control for Nonpublic Companies
lReporting requirements
l
lExtent of required internal controls
lExtent of understanding needed
lAssessing control risk
Extent of tests of controls needed
Differences in Scope of Controls Tested
Internal controls over financial reporting
