Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.


7-2 Management Responsibilities under Section 404 Section 404 of the Sarbanes-Oxley Act requires the management of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting (ICFR). LO# 1

7-3 Management Responsibilities under Section 404 Management must comply with the following in order for its public accounting firm to complete an audit of ICFR:
1. Accept responsibility for the effectiveness of the entity’s ICFR.
2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.
3. Support its evaluation with sufficient evidence, including documentation.
4. Present a written assessment of the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.
LO# 1

7-4 Auditor Responsibilities under Section 404 The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit of the entity’s ICFR and its financial statements. LO# 2

7-5 ICFR Defined ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:
1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets.
LO# 3

7-6 Internal Control Deficiencies Defined A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. LO# 4

7-7 Internal Control Deficiencies Defined A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (reasonably possible) and magnitude (material, consequential, or inconsequential). LO# 4

7-8 Internal Control Deficiencies Defined
Likelihood \ Magnitude: Material | Not material but significant | Not material or significant
Reasonably possible or probable: Material weakness | Significant deficiency | Control deficiency
Remote: Control deficiency
LO# 4

7-9 Management’s Assessment Process Management must follow a top-down, risk-based approach:
1. Identify financial reporting risks and controls.
2. Evaluate evidence about the operating effectiveness of ICFR.
3. Consider which locations to include in the evaluation.
LO# 5

7-10 Management’s Documentation Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also includes policy manuals, job descriptions, flowcharts, and process models. LO# 6

7-11 Framework Used by Management to Conduct Its Assessment Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations. LO# 7

7-12 Performing an Audit of ICFR LO# 8

7-13 Integrating the Audits of Internal Control and Financial Statements An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control. [Diagram labels: Tests of internal control; Substantive audit procedures] LO# 9

7-14 Effect of the Audit of Internal Control on the Financial Statement Audit When the auditor performs an integrated audit, he or she will have access to a large amount of information about the client’s controls. This information can make the financial statement audit more efficient and result in reduced substantive procedures. Regardless of the level of control risk in connection with the audit of the financial statements, auditing standards require the auditor to perform some substantive procedures for all significant accounts and disclosures. LO# 9

7-15 Effect of the Financial Statement Audit on the Audit of Internal Control The effectiveness of the audit of internal controls should lead the auditor to determine the implications of these findings on the financial statement audit. The auditor’s evaluation should include:
1. Misstatements detected.
2. The auditor’s risk evaluations in connection with the selection and application of substantive procedures, especially those related to fraud.
3. Findings with respect to illegal acts and related party transactions.
4. Indications of management bias in making accounting estimates and in selecting accounting principles.
LO# 9

7-16 Plan the Engagement
- The planning process is similar to the process used for the audit of the financial statements.
- Consider the following:
  - Risk assessment and the risk of fraud.
  - Scaling the audit.
  - Using the work of others.
  - Materiality.
LO# 10

7-17 Special Consideration: Using the Work of Others A major consideration for the external auditor is how much to use the work performed by others. In determining the extent to which the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work. As the risk associated with the control being tested increases, the external auditor should do more of the work. LO# 10

7-18 Using a Top-Down Approach LO# 11 See Table 7-3 See Table 7-4

7-19 Test Controls LO# 12
- Evaluate design
- Test and evaluate operating effectiveness
- Nature, timing, and extent

7-20 Evaluate Identified Control Deficiencies LO# 13

7-21 Evaluate Identified Control Deficiencies LO# 13

7-22 Written Representations In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR. Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion. LO# 15

7-23 Auditor Documentation Requirements The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control. When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level. LO# 16

7-24 Reporting on ICFR Sarbanes-Oxley requires management’s description of internal control to include:
1. A statement of management’s responsibility for establishing and maintaining adequate internal control.
2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control.
3. An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective.
LO# 17

7-25 The Auditor’s Report on ICFR Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in the company’s annual report. LO# 18

7-26 Auditor’s Report Relating to the Audit of Internal Control The auditor’s report contains an opinion on the effectiveness of ICFR based on the auditor’s independent audit work. LO# 13 & 14

7-27 Types of Reports Relating to the Audit of ICFR An unqualified opinion signifies that the client’s internal control is designed and operating effectively. A serious scope limitation requires the auditor to disclaim an opinion. An adverse opinion is required if a material weakness is identified. LO# 18 & 19

7-28 Types of Reports Relating to the Audit of ICFR Report Modification Based on Control Deficiencies
Likelihood/Magnitude of Misstatement | Type of Audit Report
Control deficiency | Unqualified opinion
Significant deficiency | Unqualified opinion
Material weakness | Adverse opinion
LO# 19

7-29 Types of Reports Relating to the Audit of Internal Control Report Modification Based on Scope Limitation
Reason for Scope Limitation | Type of Audit Report
Minor effect | Unqualified opinion
Severe limitation | Disclaim opinion or withdraw
LO# 19

7-30 Additional Required Communications in an Audit of ICFR The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made. LO# 17

7-31 Advanced Module 1: Special Considerations for an Audit of Internal Control Service organizations. Safeguarding assets.

7-32 Use of Service Organizations Many companies use service organizations to process transactions. If the service organization’s services make up part of a company’s information system, then they are considered part of the information and communication component of the company’s internal control over financial reporting. Thus, both management and the auditor must consider the activities of the service organization. LO# 21

7-33 Use of Service Organizations Management and the auditor should perform the following procedures with respect to the activities performed by the service organization: (1) obtain an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization and (2) obtain evidence that the controls which are relevant to management’s assessment and the auditor’s opinion are operating effectively. LO# 21

7-34 Safeguarding of Assets Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.” LO# 23

7-35 Advanced Module 2: Computer-Assisted Audit Techniques Computer-assisted audit techniques include:
- Generalized audit software packages.
- Custom audit software.
- Test data.

7-36 Generalized Audit Software LO# 23

7-37 Custom Audit Software Custom audit software is generally written by auditors for specific audit tasks. It may be required when the client’s computer system is not compatible with the auditor’s generalized audit software. Custom software: (1) Is expensive to develop. (2) Requires extended development time. (3) Is limited in scope of functions. LO# 23

7-38 Test Data This is data developed by the auditor to test the application controls in the client’s computer programs. The technique can be used to check (1) data validation controls and error detection routines, (2) processing logic controls, (3) arithmetic calculations, and (4) the inclusion of transactions in records, files, and reports. LO# 23

7-39 End of Chapter 7