1 / 54

ACCT 4240 - Auditing

ACCT 4240 - Auditing. Internal Control Evaluation: Assessing Control Risk. Major Components of an Audit: The Audit Risk Model. Evidence Gathering. Plan the Audit. Study, Test & Evaluate Controls. Perform & Evaluate Tests of Balances. Issue the Audit Report.

pelagia
Télécharger la présentation

ACCT 4240 - Auditing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ACCT 4240 - Auditing Internal Control Evaluation: Assessing Control Risk

  2. Major Components of an Audit: The Audit Risk Model Evidence Gathering Plan the Audit Study, Test & Evaluate Controls Perform & Evaluate Tests of Balances Issue the Audit Report

  3. Consideration of Internal Controls in a Financial Statement Audit • Required by the second standard of field work: A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed

  4. Relationship of Control Risk and Detection Risk 100% 100% assurance Desired level of assurance Allowable detection risk Estimated inherent and control risk 0 Low High Strength of control structure

  5. Relationship of Detection Risk and Testing of Financial Statement Balances 100% 100% assurance Desired level of assurance Extent of testing of financial statement balances Allowable detection risk 0 Low High Strength of control structure

  6. Assessment of Control Risk The higher the control risk The lower the control risk the lower the detection risk the higher the detection risk and the less extensive the substantive tests of financial statement balances and the more extensive the substantive tests of financial statement balances

  7. Internal Control Internal control is a process, effected by an entity’s board of directors, management, and other personnel, which is designed to provide reasonable assurance regarding the achievement of objectives in one or more categories: • Effectiveness and efficiency of operations • Reliability of financial information • Compliance with applicable laws and regulations • Safe-guarding assets

  8. Assessing Control Risk • Management has three concerns in designing an effective control system • Reliability of financial reporting • Efficiency and effectiveness of operations • Compliance with applicable laws and regulations

  9. Key Control Concepts • Controls are the responsibility of management • Controls provide reasonable, but not absolute, assurance • Internal controls have inherent limitations • Misunderstandings by employees • Management override • Collusion • Cost/Benefit

  10. Components of Internal Control

  11. The Control Environment • The actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about control and its importance to the entity

  12. The Control Environment • Integrity and ethical values • Commitment to competence • Board of Directors or Audit Committee participation • Management’s philosophy and operating style • Organizational structure • Assignment of authority and responsibility • Human resource policies and procedures

  13. Changes in regulatory or operating environment New personnel Changes in the information system Rapid growth New technologies New lines of business Restructuring Foreign operations New accounting principles Risk Assessment Management’s identification and analysis of risks relevant to the preparation of financial statements in accordance with GAAP

  14. Control Activities The policies and procedures, in addition to those included in the other four components, that help ensure that necessary actions are taken to address risks in the achievement of the entity’s objectives • Adequate segregation of duties • Proper authorization of transactions and activities • Adequate documents and records • Physical controls over assets and records • Independent checks on performance

  15. Adequate Segregation of Duties • Separation of the custody of assets from accounting • Separation of the authorization of transactions from the custody of related assets • Separation of operational responsibilities from record-keeping responsibility • Separation of duties within EDP

  16. Proper Authorization • General authorization - approval for all transactions within the limits of an established policy • Specific authorization - authority granted on a case-by-case basis

  17. Adequate Documents and Records • Prenumbered • Prepared when the transaction is executed • Contain sufficient detail • Simple to complete • Space for signature of preparer • Subject to controlled access

  18. Physical Controls • Physical controls • Fences, locks • Guards • Fireproof cabinets and safes • Computer access controls • Backup and recovery procedures

  19. Independent Checks • Reconciliations • Input, process, and output controls • Review of documents and transactions

  20. Information and Communication • The Accounting System - the methods and records that an entity establishes to identify, assemble, analyze, classify, record, and report transactions and to maintain accountability for the related assets and liabilities

  21. The Accounting System • Identify and record all valid transactions • Describe transactions on a timely basis in sufficient detail to permit their proper classification for financial reporting • Measure the value of transactions in a manner that permits recording of their proper monetary value in the financial statements

  22. The Accounting System Determine the time period in which transactions occur so they can be recorded in the proper accounting period • Properly present the transactions and related disclosures in the financial statements

  23. Communication of Employee’s Roles and Responsibilities • Oral instructions or behavioral examples • Policies and procedures manuals

  24. Monitoring of System • Communication from external parties • Internal auditors • Exception reports • Reports to regulators • Customer complaints

  25. Audit Scope: Pre 404 vs. Post 404 Source: Deloitte & Touche

  26. Auditors’ Study & Evaluation of Internal Control Structure (ICS) • Review and understanding of ICS • Preliminary evaluation of ICS • Tests of controls • Final evaluation of ICS

  27. Internal Control: Financial Reporting Notes Financial Reporting Controls Cash Flow Income Statement Balance Sheet Financial Statements Source: Deloitte & Touche

  28. Internal Control Authorization of Transactions Safeguarding of Assets Financial Reporting Assets Compared to Accounting Records Accounting Records Source: Deloitte & Touche

  29. Internal Control FCPA / Attest Disclosure Controls Certify / Report on Evaluation Laws and Regulations Operations Source: Deloitte & Touche

  30. Missing Link The “weakest link” is a compliance program and infrastructure to measure and monitor the effectiveness and alignment between corporate governance and business unit / functional control activities to provide a basis for certification. Source: Deloitte & Touche

  31. Documentation of Understanding • Questionnaires • Narrative descriptions • Flowcharts Invoice Copy 2 Invoice Copy 2 Invoice Copy 1 Invoice Copy 1

  32. Assessing Control Risk • For non-EDP-based systems, auditors are NOT required to perform tests of controls unless they plan to assess control risk at less than the maximum • Nature of tests of controls • Inquiry of client personnel • Observation of client activities and operations • Inspection of documents and other accounting records • Reperforming procedures • Perform a transaction walk-through from inception to ultimate recording

  33. Assessing Control Risk • Extent of tests of controls may be determined judgmentally or statistically • Timing of tests of controls - usually performed before year-end (interim), but will examine transactions throughout the year

  34. Obtaining and Understanding • Audit Planning Timing • Sufficient to plan audit of each significant financial statement assertion under the: • Primarily substantive approach, or • Lower assessed level of control risk approach Extent • Prior experience with entity • Inquiring of entity personnel • Observing entity operations • Inspecting documents and records Procedures • Completed questionnaires • Flowcharts • Narrative Memoranda Documentation

  35. Summary of Audit Tests

  36. 1 Concurrent tests of controls are performed in audit planning with procedures to obtain an understanding of the internal control structure. Additional tests of controls are performed during interim field work. 2 Tests of details of transactions may also be performed with tests of controls as dual-purpose tests during interim field work.

  37. Roles and Responsibilities – Internal Control over Financial Reporting • Management: Designs and implements the system of internal control over financial reporting; evaluates the effectiveness of the company’s internal control over financial reporting and provides a public report on that assessment; prepares the financial statements. • Audit Committee: Has responsibility for oversight of the company’s financial reporting process. • Independent Auditor: Performs an audit of internal control over financial reporting and issues a report on management’s assessment of internal control over financial reporting and on the effectiveness of internal control over financial reporting; also performs an audit of the company’s financial statements.

  38. What Management’s Report Will Include Under the SEC rules, management’s report on internal control over financial reporting should include the following information: • Statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting. • Statement identifying the framework used by management to evaluate the effectiveness of internal control over financial reporting. • Management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that control is effective and disclosing any material weakness identified by management in that control. • Statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s internal control assessment.

  39. Audit of Internal Control • Planning the scope of the work • Obtaining an understanding of internal control • Evaluating the design effectiveness of internal control • Testing the operating effectiveness of internal control • Assessing internal control deficiencies and reporting on overall effectiveness • Integrating the audit of internal control with the audit of the entity’s financial statements

  40. Control Deficiencies and What They Mean • Management and the independent auditor will evaluate its significance and determine whether it constitutes a control deficiency, a significant deficiency, or a material weakness. • Deficiencies that are less serious than a material weakness (i.e., control deficiencies and significant deficiencies) are required to be disclosed to the audit committee and/or management. • Management and the independent auditor must evaluate less serious weaknesses to determine whether, when taken together, they result in a material weakness.

  41. Control Deficiencies and What They Mean (cont.) • All identified material weaknesses that exist at the company’s fiscal year-end must be disclosed in the public reports issued by management and the auditor. Although not required by Section 404, some companies may also choose to disclose significant deficiencies. • If one or more material weaknesses exist at the company’s fiscal year-end, management and the auditor must conclude that internal control over financial reporting is not effective.

  42. Control Deficiencies and What They Mean (cont.) • The PCAOB has defined a material weakness as a “significant control deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.” • A material weakness does not mean that a material misstatement has occurred or will occur, but that it could occur. • Although the law and rules require that management disclose material weaknesses, they provide no specific guidance about

  43. Control Deficiencies and What They Mean (cont.) • A company can report a material weakness in internal control over financial reporting and still receive an unqualified, or “clean,” financial statement opinion from the independent auditor. • Whether management or the auditor identifies a material weakness, management continues to be responsible for the preparation of complete and accurate financial statements. • management should take whatever steps are necessary to compensate for the material weakness in the financial statement preparation process.

  44. PCAOB Auditing Standard No. 2:An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements • AS No. 2 required three integrated reports on: • Financial statements audited by registered public accounting firms. • Management’s assessment of the effectiveness of internal control over financial reporting (Section 404). • The effectiveness of internal control over financial reporting over financial reporting based on the auditor’s attestation of internal control. • AS No 2 is effective beginning June 17, 2004. Source: http://pcaobus.org/

  45. Evaluate Results (PCAOB 2) • Internal Control Deficiency • “An internal control deficiency exists when the design or operation of A control does not allow the company’s management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.” • Significant deficiency • More than a remote likelihood of a misstatement of the annual or interim financial statements that is more than inconsequential in amount • Material weakness • More than a remote likelihood of a material misstatement • Significant deficiencies and material misstatements must be communicated in writing to audit committee

  46. Types of Internal Control Reports (PCAOB 2) • Separate Report on Internal Control • Opinions on management’s assertion of internal control effectiveness as well as actual internal control effectiveness • Opinion on financial statements contained in separate audit report • Integrated Audit Report and Report on Internal Control • Includes auditor’s opinions on 1) management’s assertion of internal control effectiveness, 2) internal control effectiveness, and 3) the fairness of the company’s financial statements.

  47. The Independent Auditor’s Opinion The content of the auditor’s report is prescribed by the PCAOB standard. The most common opinions on the effectiveness of internal control over financial reporting will be: • Unqualified Opinion. An opinion that internal control over financial reporting is effective: no material weaknesses in internal control over financial reporting exist as of the fiscal year-end assessment date. • Adverse Opinion. An opinion that internal control over financial reporting is not effective: one or more material weaknesses exist as of the fiscal year-end assessment date. • Disclaimer of Opinion. A report stating that restrictions on the scope of the auditor’s work prevent the auditor from expressing an opinion on the company’s internal control over financial reporting. Source: http://pcaobus.org/

  48. Report of Independent Registered Public Accounting Firm 1. Introductory Paragraph 2. Scope Paragraph 3. Definition Paragraph 4. Inherent Limitations Paragraph 4. Explanatory Paragraph* 6. Opinion Paragraph 7. Signature 8. City and State or County 9. Date *The explanatory paragraph is required only when auditor’s opinion is other than unqualified and may also be placed after the opinion paragraph when the auditor issues two separate reports on the audit of financial statements and internal controls, thus makes reference to opinion on the financial statement audit in the report on the internal control audit. Source: http://pcaobus.org/

  49. Source: Release No. 2004-001, pages 116-137, Appendix A – Illustrative Reports, available at http://pcaobus.org.

  50. Source: Release No. 2004-001, pages 116-137, Appendix A – Illustrative Reports, available at http://pcaobus.org.

More Related