Auditing and Internal Control

Questions and Answers

Which scenario best exemplifies the relationship between internal and external auditors?

• External auditors dictate the scope and methodology of internal audits to ensure compliance.
• External and internal auditors work independently, sharing findings only at the audit committee level.
• Internal auditors focus solely on operational efficiency, while external auditors concentrate on financial statement accuracy.
• Internal auditors gather evidence that external auditors may rely on, provided the internal audit department is sufficiently independent and competent. (correct)

What is the primary role of the audit committee, as mandated by SOX, regarding the external auditor?

• To provide technical guidance to the external auditor on complex accounting issues.
• To independently hire, fire, and resolve disputes with the external auditor. (correct)
• To ensure that the external auditor's fees are in line with industry standards.
• To serve as a liaison between management and the external auditor.

How does the concept of independence apply differently to internal versus external auditors?

• External auditors are primarily concerned with operational independence, while internal auditors focus on financial independence.
• External auditor independence is mandated by regulatory bodies, while internal auditor independence is self-imposed. (correct)
• Internal auditors must be independent of the organization they audit, while external auditors only need to be independent of management.
• Both internal and external auditors must be independent in fact and appearance, with no distinction in the application of the concept.

In the context of auditing standards, what is the role of the AICPA's Statements on Auditing Standards (SAS)?

They provide specific, authoritative interpretations of Generally Accepted Auditing Standards (GAAS). (D)

Which of the following best describes the impact of Section 404 of the Sarbanes-Oxley Act (SOX) on internal control?

It mandates that management of public companies assess and report on the effectiveness of their internal control over financial reporting. (C)

What is the purpose of segregation of duties within an organization's internal control system?

To prevent any single individual from controlling all aspects of a transaction, reducing the risk of fraud or error. (A)

In the audit risk model (AR = IR x CR x DR), if the inherent risk (IR) and control risk (CR) are assessed as high, what is the auditor likely to do?

Increase the scope and intensity of substantive testing. (A)

Which of the following best describes the difference between preventive and detective controls?

Preventive controls are passive techniques to reduce the frequency of undesirable events, while detective controls identify and expose such events. (D)

An auditor discovers that a company's IT system lacks proper access controls. How should the auditor respond in light of PCAOB Standard No. 5?

The auditor should understand the transaction flow and related controls to determine the impact on the financial statements and potentially modify the audit opinion. (D)

A company implements a new IT system. Which of the following controls would be MOST important to ensure the accuracy and completeness of financial data transferred from the old system to the new system?

Application controls, such as check digits and batch balancing, during the data conversion process. (A)

Flashcards

Internal Auditing

Independent appraisal function to examine and evaluate activities within an organization.

External (Financial) Audits

An independent attestation by an expert expressing an opinion on financial statement presentation.

Advisory Services

Improve client's operational effectiveness and efficiency.

Fraud Audits

Investigate anomalies and gather fraud evidence that may lead to criminal convictions.

Audit Committee Role

Subcommittee of the board of directors, acting as a check and balance.

Auditing Standards

General qualification, field work, and reporting standards, with interpretations from AICPA Statements.

Internal Control System

Policies, practices, and procedures to safeguard assets, ensure accuracy, promote efficiency, and measure compliance.

Preventive Controls

Passive techniques to reduce the frequency of undesirable events.

Detective Controls

Devices, techniques, and procedures to identify and expose undesirable events that elude preventive controls.

Application Controls

Ensure validity, completeness and accuracy of financial transactions.

Study Notes

• These are notes on Auditing and Internal Control

Learning Objectives

• Know the difference and relationship between attest and advisory services.
• Understand audit structure and conceptual elements of the audit process.
• Understand internal control categories in the COSO framework.
• Be familiar with key features of Sections 302 and 404 of the Sarbanes-Oxley Act.
• Understand the relationship between general controls, application control, and financial data integrity.

Overview of Auditing

• IT developments have greatly impacted auditing.
• Organizations undergo different types of audits for different purposes.
• Common audits are external (financial), internal, and fraud audits.

External (Financial) Audits

• An independent expert performs attestation, expressing an opinion on the presentation of financial statements.
• The SEC requires it for all public companies.
• Independence is a key concept, and is similar to a trial by judge.
• The auditor collects evidence and renders an opinion, forming the basis of public confidence in financial statements.
• Auditors adhere to strict rules defined by the SEC, FASB, AICPA, and SOX.

Attest vs. Advisory Services

• Attestation services require written assertions, practitioner's report, formal measurement criteria, and are limited to examination, review, and agreed-upon procedures.
• Advisory services improve a client's operational effectiveness and efficiency.
• SOX restricts non-audit services auditors can provide to audit clients.
• It is unlawful to provide certain accounting, financial, internal audit, management, HR, or legal services unrelated to the audit.

Internal Audits

• Internal auditing is an independent appraisal function to examine and evaluate activities within an organization.
• Internal auditors perform financial, operational, compliance, and fraud audits.
• Auditors may work for the organization or be outsourced.
• While independence is self-imposed, auditors represent the organization's interest.

External vs. Internal Auditors

• External auditors are outsiders, while internal auditors represent the organization.
• Internal auditors often cooperate with and assist external auditors in some aspects of financial audits.
• The extent of cooperation depends on the independence and competence of the internal audit staff.
• External auditors can rely on evidence from independent internal audit departments reporting to the board's audit committee.

Fraud Audits

• Fraud audits have increased in popularity as a corporate governance tool.
• The objective is to investigate anomalies and gather fraud evidence that may lead to criminal convictions.
• Initiated by management suspecting employee fraud or the board of directors suspecting executive fraud.

The Role of the Audit Committee

• The audit committee is a subcommittee of the board of directors.
• There are usually three outsider members, with SOX requiring at least one financial expert.
• It serves as an independent "check and balance" for internal audit.
• SOX mandates that external auditors report to the audit committee, who hire, fire, and resolve disputes with auditors.

Auditing Standards

• There are three classes of auditing standards: general qualification, field work, and reporting.
• Specific guidance is provided by AICPA Statements on Auditing Standards (SASS) as authoritative interpretations of GAAS, first issued in 1972.
• If recommendations are not followed, the auditor must explain why a SAS does not apply.
• Conducting an audit is a systematic and logical process applicable to all information systems.

Generally Accepted Auditing Standards

• General standards require adequate technical training and proficiency, independence, and due professional care.
• Field work standards require adequate planning, understanding of the internal control structure, and sufficient competent evidence.
• Reporting standards require stating whether financial statements were prepared according to GAAP, identifying non-GAAP applications, identifying items lacking adequate disclosure, and an opinion on the financial statements as a whole.

Auditing Standards

• Auditors address management assertions, including existence, completeness, rights, valuation, and presentation, developing audit objectives and procedures.
• They seek corroborating evidence, determine the materiality of internal control weaknesses and misstatements, and communicate test results, including an audit opinion.

Audit Objectives and Audit Procedures Based on Management Assertions

• Management assertions and examples:
  • Existence/Occurrence: Inventories listed on the balance sheet exist, verified by observing the physical inventory counting.
  • Completeness: Accounts payable include all vendor obligations, verified by comparing receiving reports, invoices, orders, and entries.
  • Rights and Obligations: Plant and equipment listed are owned by the entity, verified by reviewing agreements, insurance policies, and documents.
  • Valuation/Allocation: Accounts receivable are at net realizable value, verified by reviewing the aging and evaluating the uncollectible accounts allowance.
  • Presentation and Disclosure: Contingencies are properly disclosed, verified by obtaining information from lawyers regarding litigation and potential losses.

Audit Risk

• Audit risk is the probability that an auditor will render an unqualified opinion on materially misstated financial statements.
• Inherent Risk (IR) is associated with unique client characteristics.
• Control Risk (CR) is the likelihood of control structure flaws due to absent or inadequate controls.
• Detection Risk (DR) is the auditor's acceptable risk that errors not prevented by the control structure will not be detected by the auditor.
• The audit risk model AR = IR x CR x DR determines the scope, nature, and timing of substantive tests.

Audit Risk Model

• If acceptable audit risk is 5%, planned detection risk depends on the control structure.
• A stronger internal control structure leads to lower control risk and less substantive testing.
• Substantive tests are labor intensive and time-consuming, which drives up audit costs and cause disruption.
• Management's best interests are served by a strong internal control structure.

Phases of an IT Audit

• Audit Planning Phase
• Tests of Controls Phase
• Substantive Testing Phase
• Audit Report

The IT Audit

• The first step is audit planning, which analyzes audit risk.
• Gathering evidence through questionnaires, interviews, system documentation review, and observation.
• Tests of controls seek to determine if adequate controls are in place and functioning.
• The third phase focuses on financial data and a detailed investigation of account balances and transactions through substantive tests.
• Files extracted using Computer-Assisted-Audit Tools and Techniques (CAATTS) software.

Internal Control

• Management is required by law to establish and maintain an adequate system of internal controls.
• History of internal control legislation:
  • Securities Acts of 1933 and 1934
  • Copyright Law of 1976
  • Foreign Corrupt Practices Act (FCPA) of 1977

Foreign Corrupt Practices Act (FCPA) of 1977

• Requires SEC registered companies to:
  • Keep records that fairly and reasonably reflect transactions and financial position.
  • Maintain a system of internal control that provides reasonable assurance that organization objectives are met.
• Committee of Sponsoring Organization - 1992

Internal Control & Sarbanes-Oxley Act (SOX)

• The Sarbanes-Oxley Act of 2002 (SOX) requires management of public companies to implement adequate internal control systems over their financial reporting process. -Section 302: Managers must certify the organization's internal controls quarterly and annually. -External auditors must perform certain procedures quarterly to identify any material control modifications that may impact financial reporting. -Section 404 requires management of public companies to assess the effectiveness of their internal control in an annual report.

Internal Control System

• A system of policies, practices, and procedures achieving four broad objectives:
  • Safeguarding assets
  • Ensuring accuracy and reliability of accounting records and information
  • Promoting efficiency
  • Measuring compliance with policies and procedures
• Objectives should be achieved regardless of data processing method, modified by management responsibility made law by SOX.

Control Systems Limitations

• Every system has limitations: possibility of error, circumvention, management override and changing conditions.
• Systems should provide reasonable assurance that broad objectives are met, not absolute. -Cost to achieve improved control should not outweigh benefits. -Cost of correcting material weaknesses is offset by benefits.

The PDC Model

• Preventive controls reduce the frequency of undesirable events occurring and are more cost effective than detecting and correcting problems after they occur.
• Detective controls identify and expose undesirable events that elude preventive controls.
• Corrective controls fix the identified problem.

COSO Internal Control Framework

• The control environment as the foundation for other components:
  • Management integrity and ethical values, organization structure, board participation, and management's philosophy and operating style.
• Risk assessment must be performed to identify, analyze and manage financial reporting risks.
• Information System - Identify and record all valid financial transactions, provide timely information and adequately measure and record transactions.
• Monitoring assesses the quality of internal control design and operation.
• Control Activities ensure actions to deal with identified risk through policies and procedures.

Types of Controls

• Physical controls relate primarily to human activities in accounting systems.
• Information technology controls.

Physical Controls

• Transaction authorization ensures all processed transactions are valid, either general or specific.
• Segregation of duties:
  • Separate transaction authorization from processing.
  • Separate asset custody from recordkeeping.
  • Successful fraud requires collusion between individuals with incompatible responsibilities.
  • Supervision is a compensating control for small organizations lacking adequate segregation of duties.
  • Accounting records are source documents, journals and ledgers providing an audit trail.
  • Information is necessary for day to day operations and financial audit process.
  • Access controls ensure the authorized personnel have access to firm's assets.
  • Verification - independent checks to identify errors and misrepresentation.
  • Management assesses performance, the integrity of transaction processing, and data correctness.

IT Controls

• Application controls ensure validity, completeness and accuracy of financial transactions, including check digits, batch balancing and payroll limits.
• General controls apply to all systems, including governance, infrastructure, security and access to operating systems and databases, application acquisition, development and program change procedures.
• General controls are needed to support functioning of application controls, as both are needed to ensure accurate financial reporting.

Audit Implications of SOX

• Auditors have an expanded role:
  • Must attest to the quality of client organizations in terms of internal control.
  • This entails a separate audit opinion.
• It may be possible to render a qualified opinion on controls and an unqualified opinion on financial statements.
• PCAOB Standard No.5 requires auditors to understand:
  • Transaction flow including controls pertaining to how transactions are initiated, authorized, recorded, and reported.
• Auditors are responsible for detecting fraudulent activity.