You are on page 1of 35

Chapter 10

Section 404 Audits of Internal


Control and Control Risk
Internal Control

Risk

. Internal Control
Presentation Outline

I. An Overview of Internal Control


II. The Components of Internal Control
III. Process for Understanding Internal
Control and Assessing Control Risk
IV. Communications with the Audit
Committee and Management
I. An Overview of Internal
Control
A. Internal Control Defined
B. Reasonable Assurance
C. Section 404 Reporting Requirements for
Management
D. Key Components of Managements’
Assessment of Internal Control
E. Auditor Responsibilities for
Understanding Internal Control
A. Internal Control Defined
An entity’s system of internal control consists of
policies and procedures designed to provide
management with reasonable assurance that the
company achieves its objectives and goals
including:
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Effectiveness and efficiency of operations
B. Reasonable Assurance
Code the
missing cash
to bad debts.
Reasonable assurance
involves two
considerations:
 The cost of the
entity’s internal
control should not
exceed the expected
Collusion benefits.
 Limitations exist in
any entity’s internal
control.
C. Section 404 Reporting Requirements for
Management

Section 404 of Sarbanes-Oxley requires the management of


public companies to issue an internal control report that
includes:
 A statement that management is responsible for establishing
and maintaining an adequate internal control structure and
procedures for financial reporting.
 An assessment of the effectiveness of the internal control
structure and procedures for financial reporting as of the
end of the company’s fiscal year.
D. Key Components of Managements’ Assessment
of Internal Control

 Management must
evaluate the design of
internal control over
financial reporting.
 Management must test
the operating
effectiveness of those
controls.
E. Auditor Responsibilities for
Understanding Internal Control

 Public and private companies – A sufficient understanding of internal


control is to be obtained to plan the audit and to determine the nature,
timing, and extent of tests to be performed. (2nd standard of
fieldwork)
 Public companies – Section 404 requires effort beyond that stated
above so that the auditor can provide a report on internal controls that
contains the following two opinions:
 Whether management’s assessment of the effectiveness of internal control over
financial reporting as of the end of the fiscal period is fairly stated in all material
respects.
 Whether the company maintained, in all material respects, effective internal
control over financial reporting as of the specified date.
II. The Components of Internal
Control
The internal control framework for most U.S. companies is the
Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Internal Control—Integrated
Framework, issued in 1992.
A. The Control Environment
B. Risk Assessment
C. Control Activities
D. Information and Communication
E. Monitoring
A. The Control Environment
The control environment is concerned with the
actions, policies, and procedures that reflect the
overall attitude of the client’s top management,
directors, and owners of an entity about internal
control and its importance.

1. Integrity and ethical values


2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
1. Integrity and Ethical Values
 Management actions
to remove incentives
that prompt a person
to behave improperly.
 Communication of
behavioral standards
by codes of conduct
and example.
2. Commitment to Competence

Management’s
consideration of the
competence levels for
specific jobs and how
those translate into
requisite skills and
knowledge.
3. Board of Directors and Audit
Committee
 Board delegates responsibility
for internal control to
management and is charged
with regular independent
assessments of management-
established internal control.
 The major stock exchanges
require listed companies to have
an audit committee composed of
entirely independent directors
who are financially literate.
4. Management’s Philosophy and
Operating Style

Management, through its activities, provides clear


signals to employees about the importance of internal
control. For example, are sales and earnings targets
unrealistic, and are employees encouraged to take
aggressive actions to meet those targets.
5. Organizational Structure

Understanding the
client’s organizational
structure provides the
auditor with an
understanding of how
the client’s business
functions and
implements controls.
6. Assignment of Authority and
Responsibility
Formal methods of
communication including:
Em
 Top management pl
memoranda concerning De J oy
sc ob ee
internal control ri p
tio
 Organizational operating ns
plans
 Employee job
descriptions
7. Human Resource Policies and
Practices
 If employees are honest
and trustworthy, other
controls can be absent and
reliable financial
statements will still result.
 Methods by which persons
are hired, trained,
promoted, and
compensated are important
elements of internal
control.
B. Risk Assessment

Client management’s identification and analysis of


risks relevant to the preparation of the financial
statements in accordance with GAAP.

1. Client Management’s Risk Assessment


2. Auditor Risk Assessment
1. Client Management’s Risk Assessment

Client management assesses risk as part of designing and


operating internal controls to minimize errors and fraud.
Three steps involve:
i. Identify factors that may increase risk
ii. Determine significance of risk and likelihood of
occurrence
iii. Develop specific actions to reduce risk to an acceptable
level.
2. Auditor Risk Assessment
The auditor obtains knowledge
about management’s risk
assessment process by:
 Determining how management
identifies risks relevant to
financial reporting
 Evaluating their significance and
likelihood of occurrence
 Deciding the actions needed to
address the risks.
C. Control Activities

Policies and procedures that client management has


established to meet its objectives for financial
reporting.

1. Adequate segregation of duties


2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
1. Adequate Segregation of
Duties
 Separation of the
functions of
authorization,
recordkeeping, and
custody.
 Separating IT duties
from User
Departments
2. Proper Authorization of
Transactions and Activities
 General authorization
is permissible for
routine events for
which there are
policies to follow.
 For some transactions
specific authorization
is needed on a case-
by-case basis.
3. Adequate Documents and
Records
 Prenumbered
consecutive
documents so missing
items are noticed
 Prepared as near to
transaction time as
possible
 Good design with
instructions and
appropriate spaces
4. Physical Control Over Assets
and Records
 Deterrents to prevent
physical access.
 Access controls to
Incorrect
prevent getting into Password
computer system.
 Backup and recovery
procedures
5. Independent Checks on
Performance

Personnel are likely to


forget or intentionally
fail to follow
procedures, or they
may become careless
unless someone
observes and evaluates
their performance.
D. Information and Communication

Methods used to initiate, record, process, and report an


entity’s transactions and to maintain accountability
for related assets.
 For a small company with active involvement by the
owner, a simple computerized accounting system that
involves one honest, competent accountant may
provide an adequate accounting system.
 A larger company requires a more complex system
that includes carefully defined responsibilities and
written procedures.
E. Monitoring

Client management’s ongoing and periodic assessment


of the quality of internal control performance to
determine whether controls are operating as intended
and modified when needed.
 For many companies, especially larger ones, an
internal audit department is essential for effective
monitoring.
 To maintain internal audit independence, it is
imperative that they be independent of operating and
accounting departments; and that they report to a high
level of authority, preferably the audit committee of
the board of directors.
III. Process for Understanding Internal
Control and Assessing Control Risk

A. Phase 1: Obtain and Document


Understanding of Internal Control: Design
and Operation
B. Phase 2: Assess Control Risk
C. Phase 3: Design, Perform, and Evaluate
Tests of Controls
D. Phase 4: Decide Planned Detection Risk
and Substantive Tests
A. Phase 1: Obtain and Document
Understanding of Internal Control

 Three methods commonly used by auditors to obtain and


document their understanding of the design of internal
control are narratives, flowcharts, and internal control
questionnaires (see Figure 10-4 on p. 286).
 The auditor must also evaluate whether the designed
controls are actually placed in operation.
 PCAOB Standard 2 requires the auditor to perform at least
one walkthrough for each major class of transactions. In a
walkthrough, the auditor selects one or a few documents for
the initiation of a transaction type and traces them through
the entire accounting process.
B. Phase 2: Assess Control Risk
Two specific assessments must be
made to arrive at the
preliminary assessment:
 The first assessment is whether
the entity is auditable. This is
determined by considering the
integrity of management and
the adequacy of the accounting
records.
 Determine assessed control risk
supported by the understanding
obtained assuming the controls
are being followed.
C. Phase 3: Design, Perform, and Evaluate
Tests of Controls

 If the results of tests of controls support the design and


operating of controls as expected, the auditor uses the
same assessed control risk as the preliminary assessment.
Otherwise, assessed control risk must be reconsidered.
 If the auditor wants a lower assessed control risk, more
extensive tests of controls are applied.
 PCAOB Standard 2 requires the auditor to determine
whether controls are operating effectively at year end.
The auditor may test at an interim date and later determine
if changes have occurred.
D. Phase 4: Decide Planned
Detection Risk and Substantive Tests

 The greater the


control risk (weak
internal controls) the
lower the detection
risk the auditor can
accept.
 To lower detection
risk, the auditor
performs more
substantive testing.
IV. Communications with the Audit
Committee and Management

As part of understanding internal control and assessing


control risk, the auditor is required to communicate
certain matters to the audit committee:
 Significant deficiencies and material weaknesses must be
communicated in writing to the audit committee as a part
of every audit. Timely communication may help
management in correcting the problem before their year-
end report on internal control.
 Less significant internal-control matters and
recommendations for operational improvements may be
communicated through a management letter. Although
such letters are not required by auditing standards, they
are often provided as a value-added service of the audit.
Summary

1. Internal control defined


2. Management and auditor responsibilities
3. The most prevalent internal control framework
4. Phases of understanding and assessing control
risk
5. Communication of internal control matters
Risk

You might also like