chapter 7 auditing internal control over financial reporting mcgraw-hill/irwincopyright © 2012 by...

Chapter 7Chapter 7Auditing Internal Auditing Internal

Control over Control over Financial Financial ReportingReporting

McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Management Responsibilities Management Responsibilities under Section 404under Section 404

Management must comply with the following requirements in order for the external auditor to

complete an audit of ICFR.

1. Accept responsibility for the effectiveness of the entity’s ICFR.

2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.

3. Support the evaluation with sufficient evidence, including documentation.

4. Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.

1. Accept responsibility for the effectiveness of the entity’s ICFR.

2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.

3. Support the evaluation with sufficient evidence, including documentation.

4. Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.

LO# 1

7-2

Auditor Responsibilities under Auditor Responsibilities under Section 404 and AS5Section 404 and AS5

The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated auditintegrated audit of the entity’s ICFR and its financial statements.

LO# 2

7-3

ICFR DefinedICFR DefinedICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:

1.1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.transactions and dispositions of the assets of the company.

2.2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.recorded in accordance with GAAP.

3.3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or timely detection of unauthorized acquisition, use, or disposition of the companydisposition of the company’’s assets.s assets.

1.1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.transactions and dispositions of the assets of the company.

2.2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.recorded in accordance with GAAP.

3.3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or timely detection of unauthorized acquisition, use, or disposition of the companydisposition of the company’’s assets.s assets.

LO# 3

7-4

Internal Control Deficiencies Internal Control Deficiencies DefinedDefined

Material

Not materialbut significant

Not materialor significant

Remote Reasonably possible or probable

MaterialMaterialweaknessweakness

Significant Significant deficiencydeficiency

Control Control deficiency deficiency

L I K E L I H O O DL I K E L I H O O D

MMAAGGNNIITTUUDDEE

LO# 4

Report externally to Report externally to audit committee and audit committee and

to managementto management

Report to audit Report to audit committee and to committee and to

managementmanagement

Report to Report to managementmanagement

7-5

Management’s Assessment Management’s Assessment ProcessProcess

Management must follow a top-down, risk-based Management must follow a top-down, risk-based approach:approach:

1.1. Identify financial reporting risks and controls.Identify financial reporting risks and controls.

2.2. Evaluate evidence about the operating effectiveness of Evaluate evidence about the operating effectiveness of ICFR.ICFR.

3.3. Consider which locations to include in the evaluation.Consider which locations to include in the evaluation.

Management must follow a top-down, risk-based Management must follow a top-down, risk-based approach:approach:

1.1. Identify financial reporting risks and controls.Identify financial reporting risks and controls.

2.2. Evaluate evidence about the operating effectiveness of Evaluate evidence about the operating effectiveness of ICFR.ICFR.

3.3. Consider which locations to include in the evaluation.Consider which locations to include in the evaluation.

LO# 5

7-6

Performing an Audit of ICFRPerforming an Audit of ICFRFigure 7-2Figure 7-2

LO# 6

7-7

Integrating the Audits of Internal Integrating the Audits of Internal Control and Financial StatementsControl and Financial Statements

An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in

the evaluation of internal control.

Tests of Tests of internalinternalcontrolcontrol

Tests of Tests of internalinternalcontrolcontrol

SubstantiveSubstantiveauditaudit

proceduresprocedures

SubstantiveSubstantiveauditaudit

proceduresprocedures

LO# 6

7-8

Planning the Audit of ICFRPlanning the Audit of ICFR

The planning process is similar to the The planning process is similar to the process used for the audit of financial process used for the audit of financial statements.statements.

Consider the following:Consider the following:– Risk assessment and the risk of fraud.Risk assessment and the risk of fraud.– Scaling the audit.Scaling the audit.– Using the work of others.Using the work of others.

LO# 7

7-9

Using a Top-Down ApproachUsing a Top-Down ApproachFigure 7-3Figure 7-3

LO# 8

7-10

Test the Design and Operating Test the Design and Operating Effectiveness of ControlsEffectiveness of Controls

LO# 9

Evaluate design Test and evaluate operating

effectiveness– Nature: Inquiry, Inspection of documents,

observation, and reperformance.– Timing: Interim vs. “as of” date– Extent: Consider (1) Nature of the control;

(2) Frequency of operation; and (3) Importance of the control.

7-11

Evaluate Identified Control DeficienciesEvaluate Identified Control Deficiencies

LO# 10

7-12

Remediation of a Material Remediation of a Material WeaknessWeakness

Remediation is the process of correcting a material weakness in the ICFR– If a material weakness is corrected

before the “as of” date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control – if not, an adverse opinion is still issued.

LO# 11

7-13

Written RepresentationsWritten Representations

In addition to the management representations obtained as part of a financial statement audit, the auditor also

obtains written representations from management related to the audit of ICFR.

Failure to obtain written representations from

management, including management’s refusal to

furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an

unqualified opinion.

Failure to obtain written representations from

management, including management’s refusal to

furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an

unqualified opinion.

LO# 12

7-14

Auditor Documentation Auditor Documentation RequirementsRequirements

The auditor must properly document the processes, procedures, judgments, and results relating to the audit

of internal control.

When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

LO# 13

7-15

Types of Reports Relating to the Audit of ICFR

An unqualified opinion signifies that the client’s internal control is designed and operating

effectively (no material weaknesses).

An unqualified opinion signifies that the client’s internal control is designed and operating

effectively (no material weaknesses).

A serious scope limitation requires the auditor to disclaim an opinion.

A serious scope limitation requires the auditor to disclaim an opinion.

An adverse opinion is required if a material weakness is identified.

An adverse opinion is required if a material weakness is identified.

LO# 14

7-16

Additional Required Communications Additional Required Communications in an Audit of ICFRin an Audit of ICFR

The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.

LO# 15

7-17

Management and the auditor should perform the following procedures with respect to the activities performed by the service organization: (1) obtain an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization; and

(2) obtain evidence that the controls that are relevant to management’s assessment and the auditor’s opinion are operating effectively.

Sometimes a Type 2 report is issued

LO# 16

Advanced Module 1: Use of Advanced Module 1: Use of Service OrganizationsService Organizations

7-18

Advanced Module 2: Advanced Module 2: Computer-Assisted Audit TechniquesComputer-Assisted Audit Techniques

Computer-assisted audit techniques (CAATs) Computer-assisted audit techniques (CAATs) include:include:

• Generalized audit software packages.Generalized audit software packages.

• Custom audit software.Custom audit software.

• Test data.Test data.

Computer-assisted audit techniques (CAATs) Computer-assisted audit techniques (CAATs) include:include:

• Generalized audit software packages.Generalized audit software packages.

• Custom audit software.Custom audit software.

• Test data.Test data.

LO# 18

7-19

End of Chapter 7End of Chapter 7

7-20