chapter 7 auditing internal control over financial reporting mcgraw-hill/irwincopyright © 2012 by...
Post on 24-Dec-2015
216 Views
Preview:
TRANSCRIPT
Chapter 7Chapter 7Auditing Internal Auditing Internal
Control over Control over Financial Financial ReportingReporting
McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Management Responsibilities Management Responsibilities under Section 404under Section 404
Management must comply with the following requirements in order for the external auditor to
complete an audit of ICFR.
1. Accept responsibility for the effectiveness of the entity’s ICFR.
2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.
3. Support the evaluation with sufficient evidence, including documentation.
4. Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.
1. Accept responsibility for the effectiveness of the entity’s ICFR.
2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.
3. Support the evaluation with sufficient evidence, including documentation.
4. Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.
LO# 1
7-2
Auditor Responsibilities under Auditor Responsibilities under Section 404 and AS5Section 404 and AS5
The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated auditintegrated audit of the entity’s ICFR and its financial statements.
LO# 2
7-3
ICFR DefinedICFR DefinedICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:
1.1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.transactions and dispositions of the assets of the company.
2.2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.recorded in accordance with GAAP.
3.3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or timely detection of unauthorized acquisition, use, or disposition of the companydisposition of the company’’s assets.s assets.
1.1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.transactions and dispositions of the assets of the company.
2.2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.recorded in accordance with GAAP.
3.3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or timely detection of unauthorized acquisition, use, or disposition of the companydisposition of the company’’s assets.s assets.
LO# 3
7-4
Internal Control Deficiencies Internal Control Deficiencies DefinedDefined
Material
Not materialbut significant
Not materialor significant
Remote Reasonably possible or probable
MaterialMaterialweaknessweakness
Significant Significant deficiencydeficiency
Control Control deficiency deficiency
L I K E L I H O O DL I K E L I H O O D
MMAAGGNNIITTUUDDEE
LO# 4
Report externally to Report externally to audit committee and audit committee and
to managementto management
Report to audit Report to audit committee and to committee and to
managementmanagement
Report to Report to managementmanagement
7-5
Management’s Assessment Management’s Assessment ProcessProcess
Management must follow a top-down, risk-based Management must follow a top-down, risk-based approach:approach:
1.1. Identify financial reporting risks and controls.Identify financial reporting risks and controls.
2.2. Evaluate evidence about the operating effectiveness of Evaluate evidence about the operating effectiveness of ICFR.ICFR.
3.3. Consider which locations to include in the evaluation.Consider which locations to include in the evaluation.
Management must follow a top-down, risk-based Management must follow a top-down, risk-based approach:approach:
1.1. Identify financial reporting risks and controls.Identify financial reporting risks and controls.
2.2. Evaluate evidence about the operating effectiveness of Evaluate evidence about the operating effectiveness of ICFR.ICFR.
3.3. Consider which locations to include in the evaluation.Consider which locations to include in the evaluation.
LO# 5
7-6
Performing an Audit of ICFRPerforming an Audit of ICFRFigure 7-2Figure 7-2
LO# 6
7-7
Integrating the Audits of Internal Integrating the Audits of Internal Control and Financial StatementsControl and Financial Statements
An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in
the evaluation of internal control.
Tests of Tests of internalinternalcontrolcontrol
Tests of Tests of internalinternalcontrolcontrol
SubstantiveSubstantiveauditaudit
proceduresprocedures
SubstantiveSubstantiveauditaudit
proceduresprocedures
LO# 6
7-8
Planning the Audit of ICFRPlanning the Audit of ICFR
The planning process is similar to the The planning process is similar to the process used for the audit of financial process used for the audit of financial statements.statements.
Consider the following:Consider the following:– Risk assessment and the risk of fraud.Risk assessment and the risk of fraud.– Scaling the audit.Scaling the audit.– Using the work of others.Using the work of others.
LO# 7
7-9
Using a Top-Down ApproachUsing a Top-Down ApproachFigure 7-3Figure 7-3
LO# 8
7-10
Test the Design and Operating Test the Design and Operating Effectiveness of ControlsEffectiveness of Controls
LO# 9
Evaluate design Test and evaluate operating
effectiveness– Nature: Inquiry, Inspection of documents,
observation, and reperformance.– Timing: Interim vs. “as of” date– Extent: Consider (1) Nature of the control;
(2) Frequency of operation; and (3) Importance of the control.
7-11
Evaluate Identified Control DeficienciesEvaluate Identified Control Deficiencies
LO# 10
7-12
Remediation of a Material Remediation of a Material WeaknessWeakness
Remediation is the process of correcting a material weakness in the ICFR– If a material weakness is corrected
before the “as of” date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control – if not, an adverse opinion is still issued.
LO# 11
7-13
Written RepresentationsWritten Representations
In addition to the management representations obtained as part of a financial statement audit, the auditor also
obtains written representations from management related to the audit of ICFR.
Failure to obtain written representations from
management, including management’s refusal to
furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an
unqualified opinion.
Failure to obtain written representations from
management, including management’s refusal to
furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an
unqualified opinion.
LO# 12
7-14
Auditor Documentation Auditor Documentation RequirementsRequirements
The auditor must properly document the processes, procedures, judgments, and results relating to the audit
of internal control.
When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.
When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.
LO# 13
7-15
Types of Reports Relating to the Audit of ICFR
An unqualified opinion signifies that the client’s internal control is designed and operating
effectively (no material weaknesses).
An unqualified opinion signifies that the client’s internal control is designed and operating
effectively (no material weaknesses).
A serious scope limitation requires the auditor to disclaim an opinion.
A serious scope limitation requires the auditor to disclaim an opinion.
An adverse opinion is required if a material weakness is identified.
An adverse opinion is required if a material weakness is identified.
LO# 14
7-16
Additional Required Communications Additional Required Communications in an Audit of ICFRin an Audit of ICFR
The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.
LO# 15
7-17
Management and the auditor should perform the following procedures with respect to the activities performed by the service organization: (1) obtain an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization; and
(2) obtain evidence that the controls that are relevant to management’s assessment and the auditor’s opinion are operating effectively.
Sometimes a Type 2 report is issued
LO# 16
Advanced Module 1: Use of Advanced Module 1: Use of Service OrganizationsService Organizations
7-18
Advanced Module 2: Advanced Module 2: Computer-Assisted Audit TechniquesComputer-Assisted Audit Techniques
Computer-assisted audit techniques (CAATs) Computer-assisted audit techniques (CAATs) include:include:
• Generalized audit software packages.Generalized audit software packages.
• Custom audit software.Custom audit software.
• Test data.Test data.
Computer-assisted audit techniques (CAATs) Computer-assisted audit techniques (CAATs) include:include:
• Generalized audit software packages.Generalized audit software packages.
• Custom audit software.Custom audit software.
• Test data.Test data.
LO# 18
7-19
End of Chapter 7End of Chapter 7
7-20
top related