©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 1 Section 404 Audits of Internal Control and Control.

2 Section 404 Audits of Internal Control and Control Risk
Chapter 10

3 Learning Objective 1
Describe the three primary objectives of effective internal control.

4 Client’s Concerns
Compliance with applicable laws and regulations – SOX: Mgt assessment of I/C effectiveness (material weakness) and auditor independently opines (AS5); NYSE – Internal audit
Reliability of financial reporting: SOX certification of F/S
Efficiency and effectiveness of operations
Master price list, credit approval, double counts of inventory

5 Learning Objective 2
Contrast management’s responsibilities for maintaining internal control with the auditor’s responsibilities for evaluating and reporting on internal control.

6 Key Concepts
Inherent Limitations: Collusion / Override
Reasonable Assurance: Cost / Benefit
Management’s Responsibility 404: statement and assessment

7 Auditor Concerns
Controls over classes of transactions: Transaction focus, not balances
Controls related to reliability of financial reporting (AS2 → AS5): Never price above competitors vs. seg. of duties for cash

8 Sales Transaction-related Audit Objectives
Transaction-related Audit Objective – General form | Sales Transaction-related Audit Objectives
Recorded transactions exist (occurrence) | Sales are to existing customers
Existing transactions are recorded (completeness) | Existing sales transactions are recorded
Transactions are stated correctly (accuracy) | Sales for goods shipped are correctly billed
CONTROL?

9 Sales Transaction-related Audit Objectives
Transaction-related Audit Objective – General form | Sales Transaction-related Audit Objectives
Transactions are correctly classified (classification) | Sales transactions are correctly classified
Transactions are recorded on correct dates (timing) | Sales are recorded on the correct dates
Transactions are correctly filed (posting and summarization) | Sales transactions are correctly included in the master files
CONTROL?

10 Auditor Concerns
Opinion on I/Cs: gain an understanding and perform tests of controls (discretion) related to all significant account balances, classes of transactions, disclosures, and related assertions in the F/S.
AS5: Risk-based, no opinion on Mgt assessment
Public (mandatory) vs. Private (discretion) company

11 Learning Objective 3
Explain the five components of the COSO internal control framework.

12 Five Components of Internal Control
Risk Assessment
Control Activities
Information and Communication
Monitoring
Control Environment

13 The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit committee participation
Management’s philosophy and operating style

14 The Control Environment
Organizational structure: wide or skinny?
Assignment of authority and responsibility: Resources for I/Cs
Human resources policies and practices: whistleblowers, exit interviews, competence

15 Mgt Risk Assessment
Identify factors affecting control risk.
Assess significance of risks and likelihood of occurrence.
Determine actions necessary to manage risk.
Contingency plans

16 Control Activities (cycle related)
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

17 Adequate Separation of Duties
Custody of assets vs. Accounting
Authorization of transactions vs. The custody of related assets
Operational responsibility vs. Record-keeping responsibility
IT Duties vs. User departments

18 Proper Authorization of Transactions and Activities
General authorization: Credit check (Automated)
Specific authorization: To write off customer A/R account (Manual)

19 Adequate Documents and Records
Prenumbered consecutively – exist and comp
Prepared at the time of transaction – timing
Designed for multiple uses – accuracy
Constructed to encourage correct preparation – accuracy
Simple enough to ensure understanding – accuracy

20 Physical Control over Assets and Records
Physical precautions: daily dep. of cash
Controls related to IT equipment, programs, and data files
Physical controls
Access controls
Backup and recovery procedures: business continuity

21 Independent Checks on Performance
The need for independent checks arises because internal control tends to change over time, become n/a, or be ignored unless there is a mechanism for frequent review.
Internal Auditors / SOX 404 / external auditors

22 Information and Communication
The purpose of an accounting information and communication system is to initiate, record, process, and report the transactions and to maintain accountability for the related F/S accounts.
Does AIS have controls to cover all 6 transaction obj. for each cycle / meet COSO criteria?
SOX documentation: flowcharts, narratives, and questionnaires

23 Monitoring
Management’s ongoing and periodic assessment of the quality of internal control performance … to determine whether controls are operating as intended and modified when needed.
Priority now w/ SOX – material I/C weaknesses disclosed to F/S users, SOX consultants

24 SEC and COSO Focus on Smaller Public Companies
The SEC has extended the deadline for small public companies’ compliance with Section 404 requirements:
MGT: 12/15/09
Auditor: 12/15/09
COSO issued guidance in Internal Control Over Financial Reporting for Smaller Public Companies.

25 Learning Objective 4
Obtain and document an understanding of internal control.

26 Understanding Internal Control and Assessing Control Risk
Obtain Understanding of Internal Control: Design and Operation
-> Assess Prelim. CR
-> Test Controls
-> Final CR
-> Decide Planned Detection Risk and Substantive Tests

27 Reasons for Sufficiently Understanding Internal Control
SAS 109 and AS2/AS5 both require the auditor to obtain an understanding of internal control for every audit.
Minimum audit planning matters: CR at max
Auditability / AR
Potential material misstatements (IR)
Detection risk (DR) – meet?
Design of tests

28 Procedures to Determine Design and Placement
Update and evaluate auditor’s previous experience with the entity.
Make inquiries of client personnel.
Read client’s policy and systems manuals – SOX 404
Examine documents and records.
Observe entity activities and operations.

29 Documentation of the Understanding
Narrative
Flowchart
Internal control questionnaire p. 306

30 Learning Objective 5
Assess control risk by linking key controls, significant deficiencies, and material weaknesses to transaction-related audit objectives.

31 Assess Control Risk
Obtain sufficient understanding for planning.
Assess whether the entity is auditable. IT – timing of evidence availability. Need IT audit specialist?
Preliminarily assess control risk. Why???? If CR below max. – need to test I/Cs.
SAS 94 – If you rely on IT for evidence, you need to test controls of IT – no more auditing around the computer!

32 Assess Control Risk
Identify transaction-related audit objectives.
Identify specific controls – from narrative, flowchart, and/or checklist
Identify and evaluate weaknesses – Control Matrix/SOX (design deficiency)

33 The Control Risk Matrix
Auditors use the control risk matrix to identify both controls and weaknesses and to assess control risk. See p. 308

34 Communication of Weaknesses
Management letters
Before = report to audit committee or BOD
SOX / AS5 = auditor opines on I/C
Reports Significant Deficiencies to Audit Committee and Material Weaknesses to public.
Deficiencies due to design vs. operation

35 What is a Material Weakness??
[Figure: Material Weakness and Significant Deficiency placed by LIKELIHOOD (Probable to Remote) and SIGNIFICANCE (Material to Immaterial), with thresholds marked "> inconsequential"]

36 Learning Objective 6
Describe the process of designing and performing tests of controls.

37 Tests of Controls
The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
When do we perform all this CR work?

38 Procedures for Tests of Controls
Make inquiries of client personnel.
Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.

39 Relationship of Assessed Control Risk and Extent of Procedures
Type of Procedure | Assessed Control Risk at MAX Level: Obtaining an Understanding Only | Assessed Control Risk at Lower Level: Tests of Controls
Inquiry | Yes – extensive | Yes – some
Documentation | Yes – with transaction walk-through | Yes – using sample
Observation | Yes – with transaction walk-through | Yes – multiple times
Reperformance | No | Yes – sampling

40 Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control risk assessment process and tests of controls to assess final control risk and determine the planned detection risk and related substantive tests.

41 Learning Objectives 7 and 8
Understand Section 404 requirements for reports on internal control.
Describe the differences in evaluating, reporting, and testing internal control for nonpublic companies.

42 Reporting on Internal Control
Section 404(b) of the Sarbanes-Oxley Act restricts the scope of the engagement to internal controls over financial reporting.
The Act provides that the auditor’s attestation of management’s assessment of internal control for a public company be integrated with the audit of the financial statements.
Material Weakness = Adverse opinion on I/C

43 Differences in Scope of Controls Tested: Public vs. Non-public Company
Internal controls over financial reporting
COSO Framework
Controls that must be tested in an audit of internal controls (public)
Internal controls used to assess control risk below maximum
DISCRETIONARY
Controls that must be tested in an audit of financial statements (private)

44 Public Company Accounting Oversight Board
The PCAOB has issued guidance (std # 2 or AS2 → AS5) for audits of internal control over financial reporting performed in conjunction with an audit of financial statements of public companies.
Why test I/Cs for nonpublic companies??

45 EXTRA!!!
Describe how information technology affects internal control.

46 Effect of Information Technology on Internal Control
IT can improve the effectiveness and efficiency of internal controls.
IT also enhances (a) the timeliness and accuracy of information and (b) access to information.

47 Risks Associated With the Use of Information Technology
Programmed errors: transaction goes to wrong account
Processing incorrect data: wrong selling price
Unauthorized access: Passwords
Research: ERP imp. = higher CR, internal control applications improperly installed, imp. team, minimal supervisory review/seg. of duties, lack of training, Role of IT audit specialist/auditor AIS expertise inc.

48 End of Chapter 10

