Chapter 5: Auditing and Assurance Services - Internal Control Evaluation

Summary

This document is Chapter 5 from the textbook "Auditing & Assurance Services". It delves into internal control evaluation, covering topics like risk assessment, the COSO framework, internal control components, and audit procedures. The chapter also looks at control activities and their importance in financial reporting.

Full Transcript

Auditing & Assurance Services 8e Chapter 5 © Copyright 2020 © McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Chapter 05 Risk Assessment: Internal Control Evaluation

“Adequate internal controls are the first line of defense in detecting and preventing material errors or fraud in financial reporting... when internal control deficiencies are left unaddressed, financial reporting quality can suffer.”
As stated on January 29, 2019, by SEC Chief Accountant Wesley Bricker when commenting on the issuance of separate “cease and desist” orders against four public companies for failure to maintain proper internal controls (https://www.sec.gov/news/press-release/2019-6)

Internal Control Defined
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
– Reliability of financial reporting.
– Effectiveness and efficiency of operations.
– Compliance with applicable laws and regulations.

Responsibility for Internal Control
Management’s responsibility
– Responsibility for establishing and maintaining adequate internal control over financial reporting
– Assess and report on the effectiveness of internal control over financial reporting
Auditors’ responsibility
– For public companies, must audit and issue an opinion about the effectiveness of the internal control over financial reporting (ICFR)
– For each fraud risk, must evaluate whether controls are in place to mitigate the fraud risk
– Must assess control risk to determine the [nature, timing and extent of substantive

[Exhibit: Relationship Between Internal Control Reliance and Audit Procedures]

Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (COSO)
The Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (COSO), referred to as the Treadway Commission, included a group of professional organizations to improve financial reporting.
The COSO included representatives from the Financial Executives Institute (FEI), the American Accounting Association (AAA), the Institute of Internal Auditors (IIA), the Institute of Management Accountants (IMA), and the American Institute of Certified Public Accountants (AICPA).
The COSO’s website is www.coso.org.

Internal Control Components (COSO)
The COSO’s 2013 integrated framework includes the following five components:
– Control Environment (and 5 principles)
– Risk Assessment (and 4 principles)
– Control Activities (and 3 principles)
– Information and Communication (and 2 principles)
– Monitoring (and 3 principles)
The framework identifies 17 principles associated with the above five components.

1. Control Environment
Sets the “tone at the top” of an organization, influencing the control consciousness of its people.
It is the foundation for all other components.
As a result, an auditor must obtain a detailed understanding of the control environment and document that understanding.

[Exhibit: Five Principles of the Control Environment]

Audit Committee
Subcommittee of the board of directors that is generally composed of 3-6 members of the board of directors.
Provides a buffer between the audit team and operating management.
All members must be “financially literate.”
One member must be a “financial expert.”

Audit Committee Duties
– Appointment, compensation, and oversight of the public accounting firm conducting the entity’s audit.
– Resolution of disagreements between management and the audit team.
– Oversight of the entity’s internal audit function.
– Approval of nonaudit services provided by the public accounting firm performing the audit engagement.
– Oversight of the anonymous fraud hotline.
– Authority to engage legal counsel in the event of management fraud.

2. Risk Assessment
Management’s identification, analysis, and management of relevant risks to achievement of its objectives.
Set management objectives and identify success factors.
Auditors focus on risk of material misstatement, in particular due to fraud.

[Exhibit: Four Principles of the Risk Assessment]

3. Control Activities
The policies and procedures that help ensure management directives are carried out.
– Physical controls over the security of assets
– Separation of duties
– Information Processing
    Approvals and authorization
    Verifications and reconciliations
– Management Review Controls
Preventive controls vs. detective controls

[Exhibit: Three Principles of the Control Activities]

[Exhibit: Relevant Assertions, What Could Go Wrong and Control Activities for the Revenue Acct]

Separation of Duties
Incompatible responsibilities:
– Combinations of responsibilities that place a person alone in a position to create and conceal misstatements due to errors or frauds in her or his normal job
Four types of functional responsibilities should be performed by different departments (or different persons):
– Authorization to execute transactions
– Recording transactions
– Custody of assets involved in the transactions
– Periodic reconciliation of existing assets to recorded amounts
Segregating duties forces people to commit fraud through collusion, a much harder task!

[Exhibit: Separation of Duties]

4. Information and Communication
The auditor must understand the information systems that are relevant to financial reporting.
The auditor cannot ever rely on information produced by the company’s information system without investigation.
Information systems produce a trail of activities from data identification to financial reports. This is known as the “audit trail”. Can visualize with source documents.

[Exhibit: Three Principles of Information and Communication]

5. Monitoring
A well-functioning monitoring system is characterized by these philosophies:
– Ongoing and separate evaluations.
– Reporting deficiencies.
Management’s process that involves ongoing evaluation of the controls, including
– Periodic evaluation by internal auditing
– Supervisory review of controls
– Follow-up of reporting errors
– Follow-up of customer complaints
– Audit committee inquiries

[Exhibit: Two Principles of Monitoring Activities]

Limitations of Internal Control
Human error
Collusion
Management override
Cost/benefit analysis
– There is often a trade-off between the cost and the effectiveness of internal controls.
– The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.

Internal Control Evaluation
Phase 1: Understand and document the client’s internal control
Phase 2: Assess control risk (Preliminary)
Phase 3: Identify Controls to Test and Perform Test of Controls

Phase 1: Understand and Document
Understand the client’s internal control
Document the understanding of internal control
Should be performed in a “top down” risk-based manner
– Identify significant accounts and their relevant assertions
– Account’s significance is based on its inherent risk

Identifying Entity-Level Controls
Entity-Level Controls: pervasive to the internal control system and the reliability of the financial statements taken as a whole.
Transaction-Level Controls: controls that pertain to specific classes of transactions, account balances, and disclosures.
– Walkthrough
– Come to an understanding of design effectiveness

Documenting Internal Control Understanding
The audit team must document its understanding of the internal control system.
The understanding can be summarized and documented effectively in the form of:
– Narrative Description (most common)
– Questionnaires
– Flowcharts

[Exhibit: Payroll System Flowchart]

Key Decision: Deciding Whether to Continue to Test Controls
An auditor may choose not to test controls for one of two reasons:
– Internal control system is too ineffective in preventing or detecting misstatements to rely upon to justify reductions in substantive testing.
– For audits of non-issuers (non-public companies): it would take more time to test the operating effectiveness of the control activities than it would take to perform the substantive tests necessary for a relevant assertion.

Phase 2: Assess the Control Risk (Preliminary)
Auditors seek to identify internal control activities that are explicitly designed to support reliable financial statement reporting for the relevant financial statement assertion identified about each significant account and disclosure.
Consider cost effectiveness of reliance/testing.
At this stage, auditors have established an assessment of the level of control risk.
Preventative/detective, automated/manual, how often control is performed
Performed with Phase 1

Phase 3: Identify Controls to Test and Perform Test of Controls
Perform test of controls audit procedures
The 2 most common approaches depend on the nature of the control being tested:
– Testing all items in a population: exception testing (automated: every A/R for amount owed vs. credit limit)
– Testing a sample from a population: audit sampling
Re-assess control risk

Tests of Controls
After identifying specific control activities that can be relied on to reduce substantive testing for a financial statement assertion, must test the control.
Hierarchy of the types of control tests from the least persuasive (inquiry) to the most persuasive type of evidence:
– Inquiry of client personnel.
– Observation of the control activity being performed.
– Inspection of relevant documentation.
– Reperformance of the control activity.
Direction of test does matter.

[Exhibit: Relevant Assertions about Payroll Cycle Transactions]

Audit Process to Evaluate the Effectiveness of ICFR (PCAOB AS No. 2201)
Phases of the engagement
1. Planning the engagement
2. Using a top-down approach
3. Testing controls
4. Evaluating identified deficiencies
5. Wrapping up
6. Reporting on internal control

Step 1: Planning the Engagement
Significant accounts, locations, and assertions must be identified
Inherent risk is used to determine the nature, timing, and extent of tests of controls
Evaluate controls for all relevant assertions for all significant accounts or disclosures

Step 2: Using a top-down approach
Focuses on the threats to the integrity of the external financial reporting process.
Identify entity-level controls
– Pervasive impact
Significant accounts and disclosures and their relevant assertions
– Perform walkthroughs

[Exhibit: Top-Down Process]

Step 3: Testing Controls
The audit team decides which controls to test.
Tests of operating effectiveness:
– A sample of transactions is examined using inquiry, observation, inspection, and reperformance.
Tests of controls would not be performed if design is not evaluated as effective.

Step 4: Evaluating Identified Deficiencies
Internal control deficiency: exists when the design or operation of a control does not allow the entity’s management or employees to detect or prevent misstatements in a timely fashion.
– A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control’s objective.
– An operating deficiency occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained).
More serious internal control deficiencies can be categorized into one of two groups:
– Material weaknesses
– Significant deficiencies

Step 4: Evaluating Identified Deficiencies (cont.)
Material weakness: a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
Significant deficiencies: deficiency or combination of deficiencies that could adversely affect the organization’s ability to initiate, record, process, and report financial data in the financial statements.
Less severe
Primary difference between a significant deficiency and a material weakness:

Step 4: Evaluating Identified Deficiencies (cont.)
Material weakness: a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
Indicators of possible material weakness:
– Restatement of previously issued financial statements to reflect the correction of a material misstatement.
– Evidence of material misstatements (identified by the audit team) that were not prevented or detected by the client’s internal controls.
– Ineffective oversight of the financial reporting process by the entity’s audit committee.
– Indication of fraud (either material or immaterial) by senior management.

Step 5: Wrapping up
Auditors can issue one of three types of opinions on internal control over financial reporting:
– Unqualified: no material weaknesses found.
– Disclaimer of opinion: the audit team cannot perform all of the procedures considered necessary to determine if weaknesses exist.
– Adverse opinion: one or more material weaknesses found.
Evaluate management’s annual report on internal control over financial reporting.

Step 6: Reporting on Internal Control
2 options are available:
– 2 separate reports
    Fairness of the entity’s financial statements
    Internal control over financial reporting
  (Each report would be separately titled, dated, and signed)
– A combined report that expresses one opinion on the financial statements and a second on the effectiveness of internal control over financial reporting

[Exhibit: Internal Control Letter]
