B4555 - Chapter 6-10

Internal Control

The system of policies, procedures, and processes implemented by management to provide reasonable assurance that adequate control exists over the entity's assets and records.

Control Risk

The risk that a material misstatement will not be prevented or detected and corrected on a timely basis by the entity's internal control system.

Risk Assessment Procedures

Procedures performed by the auditor to obtain an understanding of the entity's internal control, identify key controls, recognize potential misstatements, and design tests of controls and substantive procedures.

Reliability of Internal Control

The degree to which the internal control system can be relied upon to prevent or detect and correct material misstatements, which affects the amount of substantive evidence required by the auditor.

Components of Internal Control

The five components of internal control are control environment, entity's risk assessment process, control activities, information and communication, and monitoring activities.

Control Environment

The set of standards, processes, and structures that provides the basis for carrying out internal control across the organization, including the tone at the top set by the board of directors and senior management.

Entity's Risk Assessment Process

The dynamic and iterative process for identifying the entity's objectives, analyzing risks, and determining how risks should be managed, considering changes in the external environment and within the entity's business model.

Control Activities

The actions established by policies and procedures to mitigate risks to the achievement of objectives, including performance reviews, physical controls, segregation of duties, and information processing controls.

Information and Communication

The process of obtaining, generating, and using relevant, quality information to support the functioning of internal control, and internally and externally communicating necessary information.

Monitoring Activities

Ongoing evaluations or separate evaluations used to assess whether the components of internal control are present and functioning, with findings evaluated and deficiencies communicated in a timely manner.

Substantive Strategy

An audit strategy where the auditor does not rely on the entity's controls and instead uses substantive procedures as the main source of evidence about the assertions in the financial statements.

Reliance Strategy

An audit strategy where the auditor plans to rely on the entity's controls and assesses control risk at a lower level, using tests of controls to obtain audit evidence that the controls are operating effectively.

Nature and Extent of Understanding of Internal Control

The level of understanding of each component of internal control needed for the audit, considering the complexity and sophistication of the entity's operations and systems.

IT Specialist

An individual with expertise in information technology who may be needed by the engagement team to evaluate the nature and complexity of the entity's IT systems and controls.

Control Environment Questionnaire

A questionnaire used to assess the control environment of an entity, including factors such as integrity and ethical values, independence of the board of directors, and accountability for internal control responsibilities.

Integrity and Ethical Values

Essential elements of the control environment that affect the design, administration, and monitoring of other components.

Control Environment

The entity's ethical and behavioral standards, how they are communicated, and how they are reinforced in practice.

Entity Policies

Established policies regarding acceptable business practices, conflicts of interest, and codes of conduct.

Tone at the Top

Management's explicit moral guidance about what is right or wrong.

Everyday Dealings

Dealing with customers, suppliers, employees, and other parties based on honesty and fairness.

Knowledge and Skills

Determining the knowledge and skills needed to perform particular jobs.

Evidence of Requisite Knowledge and Skills

Employees having the necessary knowledge and skills to perform their job.

Documentation of Internal Control

Procedure manuals, organizational charts, internal control questionnaires, flowcharts, and narrative descriptions used to document the understanding of internal control.

Size of Entity

How the size of an entity may affect the implementation of internal control components.

Limitations of Internal Control

Management override, human errors or mistakes, and collusion as limitations of an entity's internal control system.

Assessing Control Risk

Evaluating the effectiveness of an entity's internal control in preventing, detecting, and correcting material misstatements in the financial statements.

Specific Controls

Identifying controls that will be relied upon to prevent or detect material misstatements.

Tests of Controls

Performing tests to provide evidence of the effectiveness of controls.

Achieved Level of Control Risk

Combining the achieved level of control risk and the assessed level of inherent risk to determine the level of detection risk needed.

Communication of Internal Control-Related Matters

Control deficiency, significant deficiency, and material weakness as reportable conditions.

Deficiencies in Design of Controls

Inadequate design of internal control over financial statements, significant accounts or processes, documentation, control consciousness, segregation of duties, safeguarding of assets, information technology controls, and monitoring controls.

Failures in Operation of Internal Control

Failure of designed controls, information and communication component, safeguarding controls, reconciliations, objectivity, misrepresentation, lack of qualifications and training, management override, and application control failures.

Types of Controls in an IT Environment

General controls and application controls.

Data Validation Controls

Limit test, range test, sequence check, existence test, field test, sign test, check-digit verification, and closed-loop verification.

Auditing Internal Control Over Financial Reporting

Management responsibilities, requirements for external auditor, and definition of internal control over financial reporting.

Internal Control Deficiencies

Control deficiencies that do not allow prevention or timely detection of misstatements.

Design deficiency

A control necessary to meet a control objective is missing or not properly designed.

Operation deficiency

A control does not operate as designed or the person performing the control lacks the necessary authority or qualifications.

Significant deficiency

A control deficiency, or a combination of deficiencies, in internal control over financial reporting (ICFR) that is less severe than a material weakness but important enough to merit attention.

Material weakness

A deficiency, or a combination of deficiencies, in ICFR that could result in a reasonable possibility of a material misstatement of the annual or interim financial statements not being prevented or detected on a timely basis.

Likelihood

The probability that a control deficiency will occur, with "remote" being less than 50% and other assessments being 50% or more.

Magnitude

The significance of a control deficiency, categorized as material, significant, or insignificant.

Control deviation

A control procedure performed by an unauthorized employee, considered a deficiency in design.

Management's assessment process

Steps involved in evaluating the effectiveness of ICFR, including identifying financial reporting risks and related controls, considering the locations to include in the evaluation, and evaluating the evidence about the operating effectiveness of ICFR.

Documentation

The process of documenting the design of controls, financial reporting risks, and other elements necessary for effective ICFR, using various forms such as paper, electronic files, or other media.

Integrated audit

An audit that includes both the audits of internal control and the financial statements, where control testing impacts the planned substantive procedures and the results of substantive procedures are considered in the evaluation of internal control.

Planning the audit of ICFR

The process of planning the audit of internal control, considering factors such as risk assessment, scaling the audit, and using the work of others.

Using the work of others

Evaluating the nature, competence, and objectivity of the work performed by others and testing some of their work to evaluate its quality and effectiveness.

Identifying controls to test

The process of identifying controls to test based on their relevance to the assessed risk of misstatement and their importance in addressing material misstatements.

Select controls to test

Factors to consider when identifying controls to test, including points of potential errors or fraud, the nature of controls, and the risk of controls not operating effectively.

Evaluate design and test operating effectiveness of controls

Evaluating the design effectiveness of controls to prevent or detect errors or fraud and testing the operating effectiveness of controls to ensure they are operating as designed and performed by authorized individuals.

Evaluate identified control deficiencies

Considering the likelihood and magnitude of control deficiencies to determine if they indicate a material weakness, based on factors such as financial statement amounts, volume of activity, and future consequences.

Remediation of a material weakness

The process of correcting a material weakness in ICFR before the "as of" date, allowing sufficient time for testing the operating effectiveness of the control.

Auditor documentation requirements

Documenting the understanding and evaluation of the design of ICFR components, determination of points of potential misstatements, reliance on work performed by others, and scope of testing.

Use of service organizations

The use of service organizations by companies to process transactions, requiring special considerations when auditing internal control.

Service Organization

An organization whose services are part of a company's information system and considered part of the information and communication component of the company's internal control over financial reporting.

Safeguarding of Assets

Policies and procedures that provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements.

Computer-Assisted Audit Techniques (CAATs)

Techniques used by auditors that include generalized audit software, custom audit software, and test data to perform various audit procedures.

Custom Audit Software

Software developed by auditors for specific audit tasks when the entity's computer system is not compatible with the auditor's generalized audit software.

Test Data

Data developed by the auditor to test the application controls in the entity's computer programs.

Management Responsibilities Under Section 404

The responsibilities of management of publicly traded companies under Section 404 of the Sarbanes-Oxley Act, which include issuing a report accepting responsibility for establishing and maintaining "adequate" internal control over financial reporting and asserting whether it is effective.

Auditor Responsibilities Under Section 404 and AS5

The responsibilities of the entity's independent auditor to audit and report on the effectiveness of the entity's internal control over financial reporting.

Written Representations

Written statements obtained from management related to the audit of internal control over financial reporting.

Types of Reports

Different types of auditor's reports based on control deficiencies, scope limitations, incomplete or improperly presented management's report, referral to the report of other auditors, significant subsequent events, additional information in management's report, and remediated material weakness.

Significant Deficiencies and Material Weaknesses

Communication of significant deficiencies and material weaknesses identified during the audit of internal control over financial reporting to management and the audit committee.

Audit Sampling

The selection and evaluation of less than 100 percent of the items in a population of audit relevance to provide a reasonable basis for conclusions about the population.

Sampling Risk

The possibility that the sample drawn is not representative of the population, leading to incorrect conclusions about the account balance or class of transactions based on the sample.

Representative Sample

A sample that leads to the same conclusions that would be drawn if the same audit procedures were applied to the entire population.

Type I Sampling Risk

The risk of incorrect rejection, where the sample supports a conclusion that a control is not operating effectively or that a recorded balance is materially misstated when it is not.

Type II Sampling Risk

The risk of incorrect acceptance, where the sample supports a conclusion that a control is operating effectively or that a recorded balance is not materially misstated when it is.

Confidence Level

The desired level of assurance in the results of the sample, typically set at 90% or 95%.

Tolerable Error

The maximum deviation rate or misstatement that the auditor is willing to accept and still consider the control effective or the account balance not materially misstated.

Expected Error

The rate of deviation or misstatement that the auditor expects to exist in the population.

Audit Sampling Techniques

Different approaches to audit sampling, including nonstatistical (judgmental) sampling and statistical sampling.

Attribute Sampling

Sampling technique used to estimate the proportion of a population that possesses a specified characteristic, commonly used for tests of controls.

Monetary-Unit Sampling

Sampling technique that uses attribute sampling theory to estimate the dollar amount of misstatement for a class of transactions or an account balance.

Classical Variables Sampling

Sampling technique used to estimate the dollar value of a class of transactions or account balance, often used to determine whether an account is materially misstated.

Planning (Audit Sampling)

The phase of audit sampling that involves determining the test objectives, defining the population characteristics, and determining the sample size based on inputs such as confidence level, tolerable deviation rate, and expected population deviation rate.

Population Size

Attributes Sampling

undefined

The size of the population being sampled does not significantly impact the determination of sample size for attributes sampling, except for relatively small populations (less than 1,000 items).

Random-number selection

undefined

A method of selecting sample items where every item in the population has an equal probability of being selected, ensuring a random and unbiased sample.

Systematic Selection

undefined

A method of selecting sample items where the auditor determines the sampling interval by dividing the population by the sample size. A starting number is randomly selected in the first interval, and then every nth item is selected.

Voided documents

undefined

In the context of auditing procedures, voided documents refer to instances where a control deviation exists because a required document, such as a shipping document, is not present. This indicates a failure in the control process.

Unused or inapplicable documents

undefined

In auditing procedures, unused or inapplicable documents are those that are not relevant to the control being tested. Unless there is something unusual about these items, they should be replaced with a new sample item.

Inability to examine a sample item

undefined

If the auditor is unable to examine a document or use an alternative procedure to test a control, the sample item is considered a deviation for the purpose of evaluating the sample results.

Stopping the test before completion

undefined

If a significant number of deviations are detected early in the tests of controls, the auditor should consider stopping the test. This is done when the results of the test will not support the planned assessed level of control risk.

Sample deviation rate

undefined

The sample deviation rate is calculated by dividing the number of deviations found in the sample by the sample size. It represents the percentage of deviations in the sample.

Upper deviation rate

undefined

The upper deviation rate is the sum of the sample deviation rate and an appropriate allowance for sampling risk. It provides an estimate of the maximum deviation rate in the population.

True State of Internal Control-Reliable

undefined

The auditor's decision based on sample evidence that indicates the internal control is working properly and supports the planned level of control risk.

True State of Internal Control-Not Reliable

undefined

The auditor's decision based on sample evidence that indicates a control deviation exists, suggesting that the internal control is not working properly and does not support the planned level of control risk.