ACC 403 Chapter 5

What is the COSO framework?

An integrated framework published by the Committee of Sponsoring Organizations used to assess internal control effectiveness.

What are the three categories of objectives for internal control?

1. Reliability of financial reporting 2. Effectiveness and efficiency of operations 3. Compliance with applicable laws and regulations.

What does internal control provide?

Reasonable assurance regarding the achievement of objectives.

What are some limitations of internal control?

Human error, deliberate circumvention, management override, and collusion.

Who is responsible for establishing an effective system of internal control?

Management.

What must management maintain to demonstrate effective internal control?

Documentation sufficient to provide evidence that the internal control system is designed and operating effectively.

What is the audit risk model?

Inherent risk x Control risk = Risk of Material Misstatement (RMM).

What are the five components of a properly designed internal control system?

1. Control environment 2. Risk assessment 3. Control activities 4. Monitoring 5. Information and communication.

What does the acronym CRIME stand for in internal control?

C: Control activities, R: Risk assessment, I: Information and communication, M: Monitoring, E: Control environment.

What is the role of the control environment in internal control?

It sets the tone of the organization and is the foundation for all other components of internal control.

What factors should auditors consider when evaluating the control environment?

Integrity, ethical values, competence of personnel, and the impact of the audit committee.

What is the purpose of management's risk assessment process?

To identify risks, estimate their significance and likelihood, and consider how to manage them.

What are control activities?

Specific actions taken by management and employees to ensure that directives are carried out.

What types of control activities exist?

Preventative and detective controls.

Give an example of a manual control activity.

Three-way match (purchase order, receiving report, and vendor invoice) before authorizing payment.

What is the importance of the information system in internal control?

It captures transactions and produces an audit trail.

What does effective monitoring involve?

Ongoing evaluation of controls and reporting of control deficiencies.

What are some methods of monitoring internal controls?

Periodic evaluations by internal audit, supervisory reviews, and quality assurance reviews.

What is the main focus of auditors regarding internal control?

To understand the client's internal control system and assess the risk of material misstatement.

What is the significance of the audit committee in internal control?

It serves as a buffer between the audit team and management, overseeing the audit firm and internal audit.

What is the relationship between management's risk assessment and auditors' evaluations?

Management assesses risks related to all objectives, while auditors evaluate risks specific to financial reporting.

What is the role of control activities in addressing risks?

They help ensure that management's directives are carried out effectively.

What is the purpose of the internal control exercise mentioned in the session?

To apply the concepts learned about risk assessment and internal control evaluation.

What is the next topic to be covered in the following session?

Risk Assessment: Internal Control Evaluation (continued).

What are the steps in auditor control risk assessment?

1. Understand and document the client's internal control system. 2. Assess control risk for each relevant assertion identified. 3. Identify controls to test and perform tests of control.

What is the purpose of understanding and documenting the internal control system?

To evaluate the design of internal controls and determine whether they have been implemented.

What approach do auditors use to evaluate internal controls?

A top-down approach: Significant accounts → Relevant assertions → Controls.

What are entity-level controls?

Controls that are pervasive to the internal control system and the reliability of the financial statements taken as a whole.

Give an example of entity-level controls.

Whistleblower hotline, code of conduct, Board and Audit Committee communications.

What are transaction-level controls?

Controls that pertain to specific classes of transactions, account balances, and disclosures.

What is a walkthrough in auditing?

The tracing of one or more transactions through the audit trail from initiation to inclusion in the financial statements.

What methods can auditors use to understand internal controls?

Inquiry of personnel, observation of operations, examination of documents.

What is design effectiveness in internal controls?

Whether controls would be expected to prevent or detect errors or fraud that could result in a material misstatement.

What is the auditor's role in assessing control risk?

To determine if it might be possible to rely upon the internal control system during the audit.

What must auditors do for issuers regarding control testing?

Test controls for all relevant assertions for each significant account and disclosure.

Why might auditors choose not to perform tests of controls?

If the internal control system is ineffective or if the costs of testing exceed the costs of substantive testing.

What is the goal of performing tests of controls?

To reduce substantive testing.

What are the four methods of testing controls?

Inquiry, observation, document examination (inspection), and reperformance.

What happens if controls are functioning as described after testing?

Control risk is consistent with the preliminary level, and auditors proceed with planned substantive procedures.

What is an internal control deficiency?

A condition where the design or operation of a control does not allow timely detection or prevention of misstatements.

What is a material weakness in internal controls?

A deficiency that results in a reasonable possibility that a material misstatement would not be prevented or detected timely.

What is a significant deficiency?

A deficiency that is less severe than a material weakness but important enough to merit attention from governance.

What must the audit team communicate regarding significant deficiencies and material weaknesses?

They must communicate these to those charged with governance, usually the audit committee.

What is the next topic covered in the course after internal control evaluation?

Revenue and Collection Cycle.