Auditing Internal Control over Financial Reporting Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Reporting on Internal Control Management of all public companies must report on ICFR in the 10-K (annual report, annual financial statements, etc.) filed with the SEC If it is a public company of at least $75,000,000 market cap, then also the auditors must perform an integrated audit engagement resulting in an opinion on the financial statements, and an opinion on the ICFR
Management Responsibilities under Section 404 LO# 1 Management Responsibilities under Section 404 Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue a report that accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting (ICFR) and assert whether ICFR is effective as of the end of the fiscal year. 7-3
Management Responsibilities under Section 404 LO# 1 Management Responsibilities under Section 404 Management must comply with the following requirements in order for the external auditor to complete an audit of ICFR. Accept responsibility for the effectiveness of the entity’s ICFR. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria. Support the evaluation with sufficient evidence, including documentation. Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year. 7-4
Auditor Responsibilities under Section 404 and AS5 LO# 2 Auditor Responsibilities under Section 404 and AS5 The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit of the entity’s ICFR and its financial statements. 7-5
LO# 3 ICFR Defined ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that: Pertain to the maintenance of records that accurately and fairly reflect the transactions and dispositions of the assets of the company. Provide reasonable assurance that transactions are properly authorized and recorded in accordance with GAAP. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets. 7-6
Significant deficiency LO# 4 Relationships: Deficiencies, significant deficiencies, & material weaknesses Deficiency Significant deficiency Material weakness
Internal Control Deficiencies Defined LO# 4 Internal Control Deficiencies Defined A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or a combination of control deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting (i.e. the audit committee). 7-8
Internal Control Deficiencies Defined LO# 4 Internal Control Deficiencies Defined A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (reasonably possible), and magnitude (material, significant, or insignificant) 7-9
Internal Control Deficiencies Defined LO# 4 Internal Control Deficiencies Defined Report externally to audit committee and to management Material weakness M A G N I T U D E Material Report to audit committee and to management Significant deficiency Not material but significant Control deficiency Report to management Not material or significant Remote Reasonably possible or probable L I K E L I H O O D 7-10
Indicators of Material Weakness Identification of fraud, whether or not material, on the part of senior Management (e.g. CEO, CFO, CAO, Controller) Restatement of previously issued financial statements to reflect the correction of a material misstatement (per SFAS 154) Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's ICFR; and Ineffective oversight of the company's external financial reporting and ICFR by the company's audit committee
Framework Used by Management to Conduct Its Assessment LO# 5 Framework Used by Management to Conduct Its Assessment Most entities use the COSO framework. As we learned in Ch. 6, there are three primary objectives of internal control: Reliability of financial reporting Effectiveness and efficiency of operations Compliance with laws and regulations 7-12
Identify Entity-Level Controls LO# 5 Identify Entity-Level Controls 7-13
Management’s Documentation LO# 5 Management’s Documentation Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation must be sufficient to convince the auditors that they can rely upon the work done by the company. The auditor is not supposed to begin work anew in its audit of ICFR, but instead is supposed to leverage off the work already done by the company. If the auditor feels he cannot do this then he may have to issue a disclaimer. 7-14
Integrating the Audits of Internal Control and Financial Statements LO# 6 Integrating the Audits of Internal Control and Financial Statements An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control. Tests of internal control Substantive audit procedures 7-15
Planning the Audit of ICFR LO# 7 Planning the Audit of ICFR The planning process is similar to the process used for the audit of financial statements. Consider the following: Role of risk assessment and the risk of fraud. Scaling the audit. Using the work of others. 7-16
Special Consideration: Using the Work of Others LO# 7 Special Consideration: Using the Work of Others A major consideration for the external auditor is how much work is to be performed by others. In determining the extent to which the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work. As the risk associated with the control being tested increases, the external auditor should do more of the work. 7-17
Using a Top-Down Approach Figure 7-3 LO# 8 Using a Top-Down Approach Figure 7-3 7-18
Identifying Significant Accounts LO# 8 Identifying Significant Accounts Size and composition of the account Susceptibility to misstatement due to errors or fraud Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure Nature of the account or disclosure Accounting and reporting complexities associated with the account or disclosure 7-19
Sources of Misstatements LO# 8 Sources of Misstatements Understand the flow of transactions related to the relevant assertions Identify the points within the entity’s processes at which a misstatement could arise that would be material Identify the controls that management has implemented to address these potential misstatements Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement of the financial statements 7-20
Select Controls to Test LO# 8 Select Controls to Test 7-21
Test the Design and Operating Effectiveness of Controls LO# 9 Test the Design and Operating Effectiveness of Controls Evaluate design Test and evaluate operating effectiveness Nature: Inquiry, Inspection of documents, observation, and reperformance. Timing: Interim vs. “as of” date Extent: Consider (1) Nature of the control; (2) Frequency of operation; and (3) Importance of the control. 7-22
LO# 10 Evaluate Identified Control Deficiencies Is this a Deficiency? Is this a Significant Deficiency? Is this a Material Weakness? As discussed previously, the auditor must consider the likelihood and magnitude of the control deficiency. 7-23
Remediation of a Material Weakness LO# 11 Remediation of a Material Weakness Remediation is the process of fixing or correcting a material weakness in the ICFR (so that the material weakness no longer exists). 7-24
Remediation (fixing a Material Weakness) There are 3 ways a remediation can be fixed and then reported by the auditor This year, if it is fixed on time, well before the balance sheet date, the company can avoid reporting a material weakness and the auditor can give an unqualified opinion on ICFR In the next year’s audit opinion on ICFR the past year’s material weakness issue is not mentioned, implying that it has been remediated (fixed) Prior to the next year’s audit opinion on ICFR, the auditor performs an engagement called “Reporting on Whether a Previously Reported Material Weakness Continues to Exist” (AS 4) and reports that the previously disclosed material weakness no longer exists.
Written Representations LO# 12 Written Representations In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR. Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion. 7-26
Auditor Documentation Requirements LO# 13 Auditor Documentation Requirements The auditor should properly document the processes, procedures, judgments, and results relating to the audit of internal control. When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level. 7-27
Auditor Documentation Requirements LO# 13 Auditor Documentation Requirements The auditor’s documentation of the process, procedures, judgments and results relating to the audit of ICFR should include: 1. The auditor’s understanding and evaluation of the design of each of the components of ICFR; 2. The process used to determine the points at which misstatements could occur; 3. The extent to which the auditor relied upon the work of others; and 4. The evaluation of any deficiencies discovered or other findings which could result in a report modification. 7-28
Types of Reports re audit of ICFR LO# 14 Types of Reports re audit of ICFR An unqualified opinion signifies that the entity’s internal control is designed and operating effectively (no material weaknesses). A serious (more than minor) scope limitation requires a disclaimer An adverse opinion is required if a material weakness is identified. 7-29
Additional communications (beyond audit opinion) in audit of ICFR LO# 15 Additional communications (beyond audit opinion) in audit of ICFR To management and the audit committee: all significant deficiencies To management: all control deficiencies 7-30
End of Chapter 7 7-31