test 2

Internal control – A process effected by the entity’s board of directors, management, and other personnel to provide reasonable assurance regarding the achievement of objectives relating to operations, report and compliance 

➢Process – a series of activities documentation and processes

 ➢Reasonable assurance – cannot realistically meet all objectives 

➢Achievement of objectives – effectively and efficiently meet the 

objectives of the organization 

➢ From an audit perspective we are only concerned with controls over the financial statements and their presentation 

➢ Different types of controls 

➢Preventive controls – aimed at avoiding the occurrence of misstatements (double signatures on a check) 

➢Detective controls – discover misstatements after they have occurred and been recorded (bank reconciliation) 

➢Corrective controls – control aimed at fixing the misstatement after it has been discovered (internal auditors) 

➢Complementary controls – controls that aim at fixing the same potential misstatement but useful (time card and manager signing time sheet) 

➢Redundant controls – address the same financial statement assertion or control objective but don’t provide additional comfort 

➢Compensating controls – control that may help reduce risk in the absence of a control (owner of a small business handles all cash disbursements)

LO 2 – DESCRIBE THE MAJOR COMPONENTS AND LIMITATIONS OF INTERNAL CONTROLS 

➢ Commitment to Integrity and Ethical Values 

➢Tone at the top (ethical actions in your place)

➢ Effective Board of Directors 

➢Independence and ability to effect change 

➢Independent committees regarding important matters 

➢ Effective Organizational Structure 

➢Clear lines on reporting and who has the authority to effect change 

➢Who is held accountable for actions that require investigation 

➢ Employees 

➢Does the company attract, train and retain competent employees 

➢Understanding the system and controls enhances the effectiveness 

➢ Control Activities 

➢Performance reviews 

➢Transaction control activities 

➢Physical controls (retina scanner, rfid tag that beeps)

➢Segregation of duties 

➢Controls over accounting estimates 

➢Bonding of employees (insured employee)

➢ Limitations of Controls 

➢Simple errors or judgement errors 

➢Not fully understanding the purpose of the control 

LO 3 – DESCRIBE AUDITORS’ CONSIDERATION OF INTERNAL CONTROL 

➢Understand the client and its environment including internal controls    

➢Assess risk (moderate, low)

➢Test controls to ensure risk assessment was sufficient (checking if checks r signed)

➢Difficult areas 

➢Complex calculations (depreciation)

➢Technology changes 

➢Recent developments or changes in the company, industry or economy

LO 4 – DISCUSS THE TECHNIQUES TO UNDERSTAND INTERNAL CONTROLS 

➢Document Understanding 

➢Internal control questionnaire 

➢Written narrative 

➢Flowcharts 

➢Walk-through 

➢Inspect

LO 5 – EXPLAIN HOW INTERNAL CONTROLS RELATE TO FINANCIAL STATEMENT AUDIT 

➢Control Risk 

➢Control risk is an element of the audit risk formula and has a significant impact on the amount and quality of substantive tests (tracing, vouching) to be performed 

➢The audit risk formula can also be evaluated at the assertion level to determine the level of audit work to be performed 

➢Normally this is only performed for assertions that are relevant and significant 

➢Control risk and testing again can reduce the substantive tests to be performed

LO 6 – DESCRIBE THE MAJOR TYPES OF TESTS OF CONTROLS 

➢Once documented controls need to be tested to ensure the effectiveness 

➢Inquires 

➢Inspection 

➢Observation 

➢Reperformance 

➢Management review controls 

➢Look at exception reports to ensure that the review control actually was followed through 

➢Timing for tests of controls 

➢May do significant testing at interim and then update through year end to ensure the controls are still in place 

➢May rely on test of controls performed in PY assuming no changes have been made (test every 3rd year) 

➢PCAOB requires some updating of testing every year 

➢May use internal auditors and level is based on factors considering whether they are “available” and “unbiased”

LO 7 – EXPLAIN THE AUDITORS RESPONSIBILITY FOR COMMUNICATING TO CLIENT 

➢Determine the level of deficiency (control does not allow for normal detection of misstatement) 

➢Less than significant – may report to management if it warrants consideration 

➢Significant - less than severe but material weakness – should be reported to those in charge of governance (BOD) – additional audit procedures necessary 

➢Material weakness – Reasonable possibility of material misstatement – should be reported to those in charge of governance (BOD) – significant additional audit procedures necessary 

Could be fraud or material misstatement

➢Should be reported to management at the earliest date to ensure correction of deficiencies

LO 8 – DESCRIBE THE NATURE OF AUDITS UNDER SOX ➢Integrated Audit 

➢Must have a separate auditor’s report that gives an opinion on internal controls 

➢Must make mention of the internal controls report in the audit opinion report 

➢Procedures for audit of internal controls for public companies 

➢Plan the audit of internal controls ➢Identify controls from a top-down approach (highest level down to lowest level) 

➢Test and evaluate design effectiveness 

➢Test and evaluate operating effectiveness 

➢Form an opinion on the effectiveness of internal controls - unqualified, qualified or disclaimer of opinion (pervasive scope limitation)

Adverse opinion; pervasive departure from GAAP.

Why can't we issue an adverse opinion on internal controls?

There's no gaap for internal controls.

c. A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with:

Knowledge necessary to determine the nature, timing, and extent of further audit procedures.

d. An auditor may compensate for a weakness in internal control by increasing the extent of:

Substantive tests of details.

e. Controls over financial reporting are often classified as preventative, detective, or corrective. Which of the following is an example of a detective control?

Preparing bank reconciliations.

h. Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by:

Direct participation by the owner in key record-keeping and control activities of the business.

j. Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes?

Confirmation.

k. To have an adequate basis to issue a management report on internal control under Section 404(a) of the Sarbanes-Oxley Act, management must do all of the following, except:

Establish internal control with no material weakness.

a. Tests of controls do not address:

How controls were originated.

b. Which of the following is least likely to be a test of controls?

Observation of confirmations.

e. At the completion of the audit, the auditors are least likely to know:

Actual control risk.

Preventive Control:

-Segregation of duties

Detective Control:

-A requirement to prepare bank reconciliations

Corrective Control:

-Maintaining backups of data

Which of the following is not a limitation of internal control?

Transaction controls

What is the primary reason that auditors’ assess internal control?

To determine the risk of misstatements of accounts.

Tests of controls are designed to determine all of the following, except:

Whether or not the control was overridden.