AUDITING CHAPTER 8 - PowerPoint PPT Presentation

1 / 57

About This Presentation

Title:

AUDITING CHAPTER 8

Description:

Management to certify internal control over financial reporting is effective. Auditor to issue opinion on management's certification. GBW 8th ed., Ch. 8. 9 ... – PowerPoint PPT presentation

Number of Views:375

Avg rating:3.0/5.0

Slides: 58

Provided by: GailW2

Category:

more less

Transcript and Presenter's Notes

Title: AUDITING CHAPTER 8

1
AUDITINGCHAPTER 8

Internal Control
By
David N. Ricchiute

2
TOPICS

COSO framework of internal control
Auditors consideration of internal control
Audit of internal control mandated by
Sarbanes-Oxley

3
INTRODUCTION

Auditor responsible for considering internal
control in audit program design
Audit planning
What is assessed level of control risk?
Based on control risk assessment, can auditor
relax nature, extent, timing of substantive
tests?
Sarbanes-Oxley Act requires auditor to audit
internal control
To comply with Act SECs rules

4
COSO FRAMEWORK

COSO provides guidance for auditors
consideration of internal control
A framework to assess internal controls
Common definition for internal controls
Applies to financial reporting other management
objectives
Sarbanes-Oxley Act applies only to financial
reporting

5
INTERNAL CONTROLCOSO Definition

A process, effected by an entitys board of
directors, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories
Effectiveness efficiency of operations
Reliability of financial reporting
Compliance with applicable laws regulations
COSO, 1992, p. 9

6
CONCEPTS OF COSO DEFINITION

Internal control is a process
Internal control accomplished by people at all
levels
Internal control is means to achieve entitys
objectives
Internal controls provide reasonable, not
absolute, assurance

7
INTERNAL CONTROL OBJECTIVES

Operations objectives
Market share, ROI, product/service
diversification
Financial reporting objectives
Producing reliable financial statements
Compliance objectives
Compliance with laws, regulations

8
SEC PCAOBControl Over Financial Reporting

Sarbanes-Oxley Act Section 404
Management to certify internal control over
financial reporting is effective
Auditor to issue opinion on managements
certification

9
INTERNAL CONTROL OVER FINANCIAL REPORTING

SEC, PCAOB definition Section 404
A process designed by, or under supervision of
principal executive principal financial
officers . . . To provide reasonable assurance
regarding reliability of financial reporting,
preparation financial statements in accordance
with GAAP
SEC, Final Rule. Washington, D. C. SEC, 2003.

10
INTERNAL CONTROLPolicies Procedures

Maintain records in reasonable detail
To accurately, fairly reflect transactions,
dispositions of assets
Provide reasonable assurance that
Transactions recorded as necessary to prepare
financial statements in accord with GAAP
Receipts, expenditures in accord with
managements, directors authorization
Unauthorized acquisition, use of assets having
material effect on financial statements will be
prevented, detected in timely manner

11
COSO COMPONENTS OF INTERNAL CONTROL

Control environment
Risk assessment
Control activities
Information communications support
Monitoring
COSO adopted by SAS 94

12
CONTROL ENVIRONMENT

Managements board of directors attitude,
awareness, actions regarding internal control
Captures importance of control in managements
operating style
Tone at the top

13
ELEMENTS OF CONTROL ENVIRONMENT

Attitude awareness

14
RISK ASSESSMENT

Managements responsibility to identify risks for
Financial reporting
Operations
Compliance
Managements responsibility to take action to
manage risks

15
MANAGING RISKS IN CHANGE

Change agents

16
CONTROL ACTIVITIES

Policies procedures to provide reasonable
assurance that objectives are met
Authorization, execution of transactions
Segregation of duties
Design use of documents records
Access to assets records

17
CONTROL ACTIVITIES Categories

Preventive controls
Intended to prevent misstatement
Detective controls
Detect misstatements that have occurred

18
CONTROL ACTIVITIES Authorization

All transactions should be authorized by
responsible personnel acting within scope of
prescribed authority, responsibility
Specific authorization
Required for each transaction
Typically unusual transactions
General authorization
Policies, procedures for typical transactions

19
SEGREGATION OF DUTIES

Optimum segregation of duties exists when
collusion is necessary to circumvent controls
Separate functions for
Management (authorization)
Custody (transaction execution)
Accounting (recording transactions)
Monitoring (independent checks on performance

20
DESIGN, USE DOCUMENTS RECORDS

Evidence of executed transactions
Represent an audit trail
Impact efficiency
Designed for multiple use
Prenumbered consecutively
Easy to complete

21
ACCESS TO ASSETS RECORDS

Access limited to authorized personnel by
Locks for physical protection
Limits on employee access online
Codes to authorize access

22
INFORMATION, COMMUNICATION Defined

System identifies, captures, communicates
external internal information in form
timeframe to discharge responsibilities
Includes accounting system

23
INFORMATION, COMMUNICATION Sources

External
Market share, regulatory requirements, complaints
Internal
Identify valid transactions
Record proper time period
Sufficient detail to classify, measure, present
in financial statements

24
INFORMATION, COMMUNICATION Accounting

Methods, records, to identify valid transactions
Transactions recorded in proper period
Describe transactions on timely basis, sufficient
detail to properly
Classify
Measure
Summarize
Disclose

25
TRANSATION CYCLESDefined

Accounting system organized processes
information in cycles
Financing
Expenditure disbursement
Conversion
Revenue receipt

26
TRANSATION CYCLESExamples

Cycles

27
MONITORING

Continuous or periodic evaluation
Resolution of discrepancies
To ensure reliability

28
RESTATEMENT, FRAUD, INTERNAL CONTROL

Section 13(b)(2)(B) of 1934 Securities Exchange
Act requires issuers to devise, maintain system
of internal accounting controls sufficient to
provide reasonable assurances that transactions
are recorded as necessary to permit preparation
of financial statements in accord with GAAP.
Internal control is a matter of law

29
ASSESSING CONTROL RISK

A sufficient understanding of internal control is
to be obtained to plan the audit determine the
nature, timing, and extent of tests to be
performed. (2nd GAAS fieldwork)
Obtain understanding
Assess control risk
Determine nature, timing, extent of substantive
tests

30
ASSESSING V. AUDITING COSO INTERNAL CONTROLS

Assessing controls Auditing Section 404

31
OBTAIN UNDERSTANDINGAudit Committee Effectiveness

Final authority over financial reporting
Challenge CEO, CFO over financial reporting
Seek advice of independent auditor
Engages independent counsel when necessary

32
OBTAIN UNDERSTANDINGAuditors Evaluation

Auditor evaluates audit committee effectiveness
by considering
Nominating process independence
Clarity of responsibilities
Level management cooperation
Committee involvement with auditor internal
auditing
Time devoted to audit, internal controls

33
OBTAIN UNDERSTANDINGInformation Technology

Personal computers local area networks
Database management systems
End-user computing
Telecommunications
Service bureaus
Internet technology
Software for information systems
Operating applications software

34
OBTAIN UNDERSTANDINGIT Section 404
Documentation

For information technology, did management
Document test controls related to financial
reporting?
Evaluate effectiveness, likelihood of failure?
Communicate findings to auditor?
Reach assessment that documentation supports?

35
OBTAIN UNDERSTANDINGDocument System

To demonstrate compliance with requirement to
understand evaluate clients system
Internal control questionnaire
Flowchart
Narrative memorandum

36
OBTAIN UNDERSTANDINGIdentify Transactions Cycles

To identify cycles
Review account components for homogeneity
Identify representative cycles
Flowchart each cycle
Trace representative transactions through each
cycle
Revise flowcharts if necessary

37
OBTAIN UNDERSTANDINGPerform Transaction
Walkthroughs

Required by Section 404 of Sarbanes-Oxley Act
Trace wide range of transactions, common,
uncommon, from each cycle through system from
Authorization to
Execution to
Recording to
Summarization

38
OBTAIN UNDERSTANDINGAuditor Responsibilities

In transactions walkthroughs, auditor must
Understand controls over end-of-period financial
reporting
Especially for effects on earnings

39
EVALUATE CONTROL EFFECTIVENESS Reliability

When documenting controls
Identify controls to be relied upon
Test controls
If acceptable, assess control risk below maximum
Identify controls not suitable to justify
reliance
Do not test these controls
Assess control risk at maximum
Plan audit to rely heavily on substantive tests

40
EVALUATE CONTROL EFFECTIVENESS Risk

Assess Control Risk
Consider errors, frauds that could occur
Identify relevant control activities to prevent,
detect errors, frauds
Perform tests of controls on control activities
that may prevent, detect errors, frauds

41
EVALUATE CONTROL EFFECTIVENESS Tests of Controls

Testing design of controls
Whether policy, procedure suitably designed to
prevent, detect material misstatements
Testing operations of controls
Were control activities performed?
How were they performed?
By whom were they performed?

42
EVALUATE CONTROL EFFECTIVENESS General Controls

Computer assisted tests
Organization, operation controls
Systems development documentation controls
Hardware controls
Access controls
Data procedural controls

43
GENERAL CONTROL EFFECTIVENESS Operation

Organization operation
Segregate computer department users
Provide general authorization over execution of
transactions
Segregate functions within the computer department

44
GENERAL CONTROL EFFECTIVENESS Documentation

Development documentation
Participation by users, accounting personnel,
internal auditors in system design
Review, approval of system specifications
Joint system testing by user, computer personnel
Approval new applications, changes
Control over master, transaction files
Procedures to create, maintain documentation

45
GENERAL CONTROL EFFECTIVENESS Hardware

Hardware controls
Controls built into computers by manufacturers

46
GENERAL CONTROL EFFECTIVENESS Access Controls

Limit access to authorized personnel for
Hardware
Software
Data files
Software support documentation

47
GENERAL CONTROL EFFECTIVENESS Data

Data procedural controls
Written procedures, authorization manuals
Control groups

48
EVALUATE CONTROL EFFECTIVENESS

Computer-Assisted Tests of Application Controls
Input controls
Processing controls
Output controls

49
APPLICATION CONTROL EFFECTIVENESS Input

Input controls
Input authorization, approval
Code verification
Data conversion
Data movement
Occurrence correction

50
APPLICATION CONTROL EFFECTIVENESS Processing

Processing controls
Control totals
File labels
Limit (reasonableness) tests

51
APPLICATION CONTROL EFFECTIVENESS Output

Output controls
Control totals comparisons
Output distribution

52
COMPUTER-ASSISTED TESTS OF CONTROLS Types

Test data uses client software to process data
with valid invalid transactions
Base Case System Evaluation (BCSE) develops test
data to text expected conditions
Integrated test facility tests whether client
actually uses software by running live and
fictitious data simultaneously
Parallel simulation processing client data with
auditors software

53
COMPUTER-ASSISTED TESTS OF CONTROLS Types (cont.)

Embedded audit modules selects client data for
subsequent testing analysis
SCARFs logs created from embedded audit modules
that collect transaction information
Audit hooks tagging transaction records tagged
traced through critical control points

54
CONTROL DEFICIENCIES, MATERIAL WEAKNESSES

Deficiencies do not allow management, employees
to prevent, detect misstatements in normal course
of business
Material weakness is a significant deficiency
more than remotely likely to cause a material
misstatement that will not be prevented, detected

55
NATURE, TIMING, EXTENT