ACCT 4240- AUDITING

					ACCT 4240 - Auditing
  Internal Control Evaluation:
  Assessing Control Risk
Major Components of an Audit:
The Audit Risk Model


[Figure: Plan the Audit → Study, Test & Evaluate Controls → Perform & Evaluate Tests of Balances → Issue the Audit Report. Figure label: Evidence Gathering]
Consideration of Internal Controls
in a Financial Statement Audit
• Required by the second standard of field
  work:

    A sufficient understanding of the internal
    control structure is to be obtained to plan
    the audit and to determine the nature,
    timing, and extent of tests to be performed
Relationship of Control Risk
and Detection Risk
[Figure: audit risk assumed (0 to 100%) plotted against strength of control structure (low to high). Labels: 100% assurance; desired level of assurance; estimated inherent and control risk; allowable detection risk; AR, IR, CR, DR, APR, TDR]
Relationship of Detection Risk and Testing of
Financial Statement Balances

[Figure: audit risk assumed (0 to 100%) plotted against strength of control structure (low to high). Labels: 100% assurance; desired level of assurance; extent of testing of financial statement balances; allowable detection risk]
Assessment of Control Risk
• The higher the control risk, the lower the detection risk and the more
  extensive the substantive tests of financial statement balances
• The lower the control risk, the higher the detection risk and the less
  extensive the substantive tests of financial statement balances
Internal Control
Internal control is a process, effected by an entity’s
board of directors, management, and other
personnel, which is designed to provide reasonable
assurance regarding the achievement of objectives in
one or more categories:
• Effectiveness and efficiency of operations
• Reliability of financial information
• Compliance with applicable laws and regulations
• Safeguarding assets
Assessing Control Risk
 • Management has three concerns in
   designing an effective control system
    o Reliability of financial reporting
    o Efficiency and effectiveness of
      operations
    o Compliance with applicable laws and
      regulations
Key Control Concepts
• Controls are the responsibility of management
• Controls provide reasonable, but not absolute,
  assurance
• Internal controls have inherent limitations
    o Misunderstandings by employees
    o Management override
    o Collusion
    o Cost/Benefit
Components of Internal Control
The Control Environment

• The actions, policies, and procedures that
  reflect the overall attitudes of top
  management, directors, and owners of an
  entity about control and its importance to
  the entity
The Control Environment
• Integrity and ethical values
• Commitment to competence
• Board of Directors or Audit Committee
  participation
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and procedures
Risk Assessment
     Management’s identification and analysis of
     risks relevant to the preparation of financial
     statements in accordance with GAAP
• Changes in regulatory or operating environment
• New personnel
• Changes in the information system
• Rapid growth
• New technologies
• New lines of business
• Restructuring
• Foreign operations
• New accounting principles
Control Activities
The policies and procedures, in addition to those
included in the other four components, that help
ensure that necessary actions are taken to address
risks in the achievement of the entity’s objectives
  •   Adequate segregation of duties
  •   Proper authorization of transactions and activities
  •   Adequate documents and records
  •   Physical controls over assets and records
  •   Independent checks on performance
Adequate Segregation of
Duties
• Separation of the custody of assets
  from accounting
• Separation of the authorization of
  transactions from the custody of related
  assets
• Separation of operational
  responsibilities from record-keeping
  responsibility
• Separation of duties within EDP
Proper Authorization

 • General authorization - approval for all
   transactions within the limits of an
   established policy
 • Specific authorization - authority granted
   on a case-by-case basis
Adequate Documents and
Records
• Prenumbered
• Prepared when the transaction is executed
• Contain sufficient detail
• Simple to complete
• Space for signature of preparer
• Subject to controlled access
Physical Controls

   • Physical controls
      o Fences, locks
      o Guards
      o Fireproof cabinets and safes
   • Computer access controls
   • Backup and recovery procedures
Independent Checks

 • Reconciliations
 • Input, process, and output controls
 • Review of documents and transactions
 Information and
 Communication
• The Accounting System - the methods and
  records that an entity establishes to identify,
  assemble, analyze, classify, record, and
  report transactions and to maintain
  accountability for the related assets and
  liabilities
The Accounting System

 • Identify and record all valid transactions
 • Describe transactions on a timely basis in
   sufficient detail to permit their proper
   classification for financial reporting
 • Measure the value of transactions in a
   manner that permits recording of their
   proper monetary value in the financial
   statements
The Accounting System

 • Determine the time period in which
   transactions occur so they can be recorded
   in the proper accounting period
 • Properly present the transactions and
   related disclosures in the financial
   statements
Communication of Employees’
Roles and Responsibilities
• Oral instructions or behavioral examples
• Policies and procedures manuals
Monitoring of System
  • Communication from external parties
  • Internal auditors
  • Exception reports
  • Reports to regulators
  • Customer complaints
 Audit Scope: Pre 404 vs. Post 404




Source: Deloitte & Touche
Auditors’ Study & Evaluation of
Internal Control Structure (ICS)
1.   Review and understanding of ICS
2.   Preliminary evaluation of ICS
3.   Tests of controls
4.   Final evaluation of ICS
Internal Control: Financial Reporting

[Figure: Financial Reporting Controls. Labels: Financial Statements; Balance Sheet; Income Statement; Cash Flow; Notes]




Source: Deloitte & Touche
 Internal Control
[Figure labels: Financial Reporting; Authorization of Transactions; Safeguarding of Assets; Accounting Records; Assets Compared to Accounting Records]


Source: Deloitte & Touche
 Internal Control


[Figure labels: Operations; Laws and Regulations; Disclosure Controls; FCPA / Attest; Certify / Report on Evaluation]


Source: Deloitte & Touche
  Missing Link




    The “weakest link” is a compliance
    program and infrastructure to
    measure and monitor the
    effectiveness and alignment
    between corporate governance and
    business unit / functional control
    activities to provide a basis for
    certification.
Source: Deloitte & Touche
Documentation of
Understanding

  • Questionnaires
  • Narrative descriptions
  • Flowcharts
    (illustration: flowchart of Invoice Copy 1 and Invoice Copy 2)
Assessing Control Risk
• For non-EDP-based systems, auditors are NOT required to
  perform tests of controls unless they plan to assess control
  risk at less than the maximum
• Nature of tests of controls
    o Inquiry of client personnel
    o Observation of client activities and operations
    o Inspection of documents and other accounting records
    o Reperforming procedures
    o Perform a transaction walk-through from inception to
      ultimate recording
Assessing Control Risk
• Extent of tests of controls may be determined
  judgmentally or statistically
• Timing of tests of controls - usually
  performed before year-end (interim), but will
  examine transactions throughout the year
Obtaining an Understanding
Timing:
  • Audit Planning
Extent:
  • Sufficient to plan audit of each significant
    financial statement assertion under the:
      o Primarily substantive approach, or
      o Lower assessed level of control risk
        approach
Procedures:
  • Prior experience with entity
  • Inquiring of entity personnel
  • Observing entity operations
  • Inspecting documents and records
Documentation:
  • Completed questionnaires
  • Flowcharts
  • Narrative Memoranda
Summary of Audit Tests
                    Tests of Controls           Substantive Tests
Types               Concurrent.                 Analytical procedures.
                    Additional.                 Tests of details of
                                                transactions.
                                                Tests of details of
                                                balances.
Purpose             Determine effectiveness     Determine fairness of
                    of design and operation     significant financial
                    of internal control         statement assertions.
                    structure policies and
                    procedures.
Nature of test      Frequency of deviations     Monetary errors in
measurement         from control structure      transactions and
                    policies and procedures.    balances.
Applicable audit    Inquiring, observing,       Same as tests of controls,
procedures          inspecting, reperforming,   plus analytical procedures,
                    and computer-assisted       counting, confirming,
                    audit techniques.           tracing, and vouching.
Timing              Primarily interim work. [1] Primarily at or near
                                                balance sheet date. [2]
Audit risk          Control risk.               Detection risk.
component
Primary field       Second.                     Third.
work standard
Required by GAAS    No.                         Yes.

[1] Concurrent tests of controls are performed in audit planning with procedures
    to obtain an understanding of the internal control structure. Additional tests
    of controls are performed during interim field work.
[2] Tests of details of transactions may also be performed with tests of controls
    as dual-purpose tests during interim field work.
Roles and Responsibilities – Internal Control over
Financial Reporting
• Management: Designs and implements the system of
  internal control over financial reporting; evaluates the
  effectiveness of the company’s internal control over financial
  reporting and provides a public report on that assessment;
  prepares the financial statements.
• Audit Committee: Has responsibility for oversight of the
  company’s financial reporting process.
• Independent Auditor: Performs an audit of internal control
  over financial reporting and issues a report on
  management’s assessment of internal control over financial
  reporting and on the effectiveness of internal control over
  financial reporting; also performs an audit of the company’s
  financial statements.
  What Management’s Report Will Include
Under the SEC rules, management’s report on internal control over
  financial reporting should include the following information:

• Statement of management’s responsibility for establishing and
  maintaining adequate internal control over financial reporting.

• Statement identifying the framework used by management to evaluate
  the effectiveness of internal control over financial reporting.

• Management’s assessment of the effectiveness of the company’s
  internal control over financial reporting as of the end of the company’s
  most recent fiscal year, including an explicit statement as to whether that
  control is effective and disclosing any material weakness identified by
  management in that control.

• Statement that the registered public accounting firm that audited the
  financial statements included in the annual report has issued an
  attestation report on management’s internal control assessment.
Audit of Internal Control
• Planning the scope of the work
• Obtaining an understanding of internal control
• Evaluating the design effectiveness of internal
  control
• Testing the operating effectiveness of internal
  control
• Assessing internal control deficiencies and
  reporting on overall effectiveness
• Integrating the audit of internal control with the
  audit of the entity’s financial statements
Control Deficiencies and
What They Mean

  1.   Management and the independent auditor will evaluate
       its significance and determine whether it constitutes a
       control deficiency, a significant deficiency, or a
       material weakness.
  2.   Deficiencies that are less serious than a material
       weakness (i.e., control deficiencies and significant
       deficiencies) are required to be disclosed to the audit
       committee and/or management.
  3.   Management and the independent auditor must
       evaluate less serious weaknesses to determine
       whether, when taken together, they result in a material
       weakness.
Control Deficiencies and
What They Mean (cont.)
4. All identified material weaknesses that exist at the
   company’s fiscal year-end must be disclosed in the public
   reports issued by management and the auditor. Although
   not required by Section 404, some companies may also
   choose to disclose significant deficiencies.
5. If one or more material weaknesses exist at the company’s
   fiscal year-end, management and the auditor must
   conclude that internal control over financial reporting is not
   effective.
Control Deficiencies and
What They Mean (cont.)
6. The PCAOB has defined a material weakness as
   a “significant control deficiency, or combination of
   deficiencies, that results in more than a remote
   likelihood that a material misstatement of the
   annual or interim financial statements will not be
   prevented or detected.”
7. A material weakness does not mean that a
   material misstatement has occurred or will occur,
   but that it could occur.
8. Although the law and rules require that
   management disclose material weaknesses, they
   provide no specific guidance about
Control Deficiencies and
What They Mean (cont.)
9.  A company can report a material weakness in internal
    control over financial reporting and still receive an
    unqualified, or “clean,” financial statement opinion from
    the independent auditor.
10. Whether management or the auditor identifies a material
    weakness, management continues to be responsible for
    the preparation of complete and accurate financial
    statements.
11. Management should take whatever steps are necessary
    to compensate for the material weakness in the financial
    statement preparation process.
     PCAOB Auditing Standard No. 2:
     An Audit of Internal Control over Financial Reporting Performed in
     Conjunction with an Audit of Financial Statements



      1. AS No. 2 required three integrated reports on:
              a. Financial statements audited by registered public accounting firms.
              b. Management’s assessment of the effectiveness of internal control over
                 financial reporting (Section 404).
              c. The effectiveness of internal control over financial reporting
                 based on the auditor’s attestation of internal control.

      2. AS No. 2 is effective beginning June 17, 2004.




Source: http://pcaobus.org/
Evaluate Results (PCAOB 2)
• Internal Control Deficiency
    o “An internal control deficiency exists when the design or operation of
      a control does not allow the company’s management or employees,
      in the normal course of performing their assigned functions, to
      prevent or detect misstatements on a timely basis.”
• Significant deficiency
    o More than a remote likelihood of a misstatement of the annual or
      interim financial statements that is more than inconsequential in
      amount
• Material weakness
    o More than a remote likelihood of a material misstatement
• Significant deficiencies and material misstatements must be
  communicated in writing to audit committee
Types of Internal Control Reports
(PCAOB 2)
• Separate Report on Internal Control
    o Opinions on management’s assertion of internal control
      effectiveness as well as actual internal control
      effectiveness
    o Opinion on financial statements contained in separate
      audit report
• Integrated Audit Report and Report on Internal
  Control
    o Includes auditor’s opinions on 1) management’s
      assertion of internal control effectiveness, 2) internal
      control effectiveness, and 3) the fairness of the
      company’s financial statements.
       The Independent Auditor’s Opinion
      The content of the auditor’s report is prescribed by the PCAOB
        standard. The most common opinions on the effectiveness of
        internal control over financial reporting will be:

      • Unqualified Opinion. An opinion that internal control over financial
        reporting is effective: no material weaknesses in internal control over
        financial reporting exist as of the fiscal year-end assessment date.

      • Adverse Opinion. An opinion that internal control over financial
        reporting is not effective: one or more material weaknesses exist as
        of the fiscal year-end assessment date.

      • Disclaimer of Opinion. A report stating that restrictions on the
        scope of the auditor’s work prevent the auditor from expressing an
        opinion on the company’s internal control over financial reporting.


Source: http://pcaobus.org/
      Report of Independent Registered Public Accounting Firm
      1. Introductory Paragraph
      2. Scope Paragraph
      3. Definition Paragraph
      4. Inherent Limitations Paragraph
      5. Explanatory Paragraph*
      6. Opinion Paragraph
      7. Signature
      8. City and State or County
      9. Date

*The explanatory paragraph is required only when the auditor’s opinion is other than unqualified. It may also be placed after the opinion paragraph
when the auditor issues two separate reports on the audit of financial statements and internal controls and thus makes reference to the opinion on the
financial statement audit in the report on the internal control audit.




Source: http://pcaobus.org/
Source: Release No. 2004-001, pages 116-137, Appendix A – Illustrative Reports, available at http://pcaobus.org.
 Suitable Internal Control Framework
 (Example: COSO)




Source: Deloitte & Touche
Suggestions:
1. Testing and evaluating the effectiveness of
   both the design and operation of internal
   controls.
2. Potential costs and benefits of Section 404
3. Assessment of the effectiveness of the
   audit committee, whose ineffectiveness is
   considered a strong indicator of material
   weakness.
Next Time

 Module H: Information Systems Auditing