is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
Internal Control
What is the primary focus of auditors?
reliability of financial reporting
What is the second focus of auditors?
safeguarding of assets
framework for management to put controls in place
COSO
What do ICFR and SOX Section 404 require of/from management?
Establish and maintain adequate ICs
Identify framework used
Assess effectiveness of ICFR
What are the 5 big elements of COSO?
Control Environment
Control Activities
Risk Assessment
Info & Communication
Monitoring Activities
There are 17 Principles of Internal Control. What are the 5 that relate to control environment:
Demonstrates commitment to integrity and ethical values
Exercises oversight responsibility
Establishes structure, authority, and responsibility
Demonstrates commitment to competence
Enforces accountability
There are 17 Principles of Internal Control. What are the 4 that relate to Risk Assessment:
Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change
There are 17 Principles of Internal Control. What are the 3 that relate to Info & Communication:
Selects and develops control activities
Selects and develops general controls over technology
Deploys through policies and procedures
There are 17 Principles of Internal Control. What are the 2 that relate to Monitoring Activities:
Conducts ongoing and/or separate evaluations
Evaluates and communicates deficiencies
sets the tone at the top of an organization, influencing the control consciousness of its people
Control Environment
Which of the COSO components is the foundation for all the others; auditor must obtain a detailed understanding of control environment and document that understanding
control environment
What are some examples of Control Environment: (7)
Code of Conduct
Hotline
Audit committee assures qualifications/performance/independence of external auditors
Director/exec officer questionnaires
Establish organization chart
Periodic compensation evaluations
Mandatory training performed
What are the requirements for the audit committee? (What are the stipulations/rules for forming one? Who should be on it?)
3-6 independent members of the board
Members must be financially literate
One financial expert
What are the duties of the audit committee? (5)
Appointment, comp, and oversight of the pub auditor firm
Buffer audit team and management
Resolve disagreements between management and audit team
Oversight of entity’s internal audit
Approval of non-audit services provided by the public accounting firm performing audit
management’s identification and analysis of relevant risks to achievement of its objectives; auditors focus on risk of material misstatement (risky areas/accounts)
risk assessment
What are some examples of risk assessment? (3)
Mgmt annual risk and scoping assessments
Internal audit annual risk assessment
Audit committee reviews
guts of the internal control system
control activities
What are the examples of control activities? (4)
Physical controls over security of assets
Segregation of duties
Reconciliations
Performance reviews
the identification, capture, and exchange of info in the form that enables people to carry out their responsibilities; management needs timely, reliable and relevant information to make decisions
Information and Communication
Management’s process that assesses the quality of the internal controls performance over time
monitoring
What are some examples of monitoring? (5)
Periodic evaluation by internal auditors
Supervisory review of controls
Follow up of reporting errors
Follow up of customer complaints
Audit committee inquiries
What does ICFR stand for?
Internal controls over financial reporting
to aid in assessing control risk (throughout the year) which influences the detection risk and NET of substantive testing
F/S Audit
to provide evidence of the effectiveness (or not) of the company’s controls over financial reporting at the end of the year
ICFR Audit
What is the scope of ICFR?
test of each relevant control activity each year
What is the scope of F/S Audit?
test relevant controls IF relying on them
What is the main difference in the timing of F/S auditing and ICFR?
F/S Audit Throughout Year
ICFR at Year End
What is the main difference between ICFR and F/S Audit in process?
ICFR has NO choice
F/S Audit has a choice
What is the first step in the F/S Audit of Internal controls?
Develop an understanding of internal control (design and implementation)
AND Document
What are the phases of IC in F/S assessment of IC (4)
Understand and document controls
Assess control risk
Identify controls to test
Perform test of controls
What are the things that must be documented as the understanding of internal controls? (3)
IC questionnaire
Narrative
Accounting and control system flowcharts
What two things are done in the testing phase (phase 3) of the F/S Audit of IC?
Perform test of controls audit procedures
Reassess control risk
What are the other names for audit of Internal control over Financial reporting (ICFR)? (3)
Audit of ICFR
Internal Control Audit
Attestation of IC (Attestation Engagement)
What are the phases of the Attestation of IC engagement? (5)
Plan engagement
Use top down approach
Testing controls
Evaluate identified deficiencies
Reporting on internal controls
What are the two parts of a top down approach?
Identify entity level controls
Walkthroughs and documentation
What are the two parts of testing controls during attestation engagement?
design effectiveness
Operating effectiveness
What are the three parts of evaluating identified deficiencies during attestation engagement?
Deficiencies
Significant Deficiencies
Material Weakness
What are the three parts of reporting on internal controls during attestation engagement? (What are the three types of opinions)
Unqualified
Disclaimer
Adverse
Example of entity level control (4)
Management access to system
Code of Conduct
Management’s risk assessment process
Period end financial reporting processes
What are the steps of planning the IC attestation engagement? (3)
Knowledge of industry and busn
Evaluate extent of changes in operations and ICs
Evaluate controls for all relevant assertions and significant accounts
if operating as designed, will the control actually prevent material misstatement; and whether the person performing the control possesses the necessary authority and qualifications to perform the control environment
operating effectiveness
if there is one material weakness that comes from a control, then they must issue a ___ report
adverse
Within the top down approach, companies must perform work related to: (2)
Company wide antifraud programs
Controls that have a pervasive effect
Auditors can limitedly rely on work of internal auditors and others, but must:
obtain principal evidence for own opinion
can't reduce work on control environ
If operating effectively, would control prevent or detect errors or fraud that could result in a material misstatement to financial statements
design effectiveness
the design or operation of a control does not allow the entity’s management or employees to detect or prevent misstatements in a timely fashion
internal control deficiency
a necessary control is missing or poorly designed
design deficiency
a properly designed control is either ignored or inappropriately applied
operating deficiency
a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis
material weakness
a deficiency, or combination of deficiencies, in internal control over financial reporting, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting (board)
significant deficiencies
What are the two components to evaluate identified deficiencies?
magnitude
likelihood
opinion given is no material weaknesses found
unqualified
opinion given is one or more material weaknesses found
adverse
opinion given is the audit team cannot perform all of the procedures considered necessary
disclaimer
only a material weakness if not corrected before the as of date results in an auditor providing an ___ opinion.
adverse
If there is a material weakness found, report to:
Audit committee
Management
Externally (adverse opinion)
If there is a significant deficiency found, report to:
Audit committee
Management
If there is a control deficiency found, report to:
Management
What are SOC reports done for?
When company outsources some process (payroll to ADP)
What are the types of SOC reports?
Type 1: assess IC for suitable design
Type 2: provide some assurance through tests of controls
An auditor can only decrease control risk related to a system and organization (outsourced service) when what type of SOC report is issued?
Type 2