  1. Chapter 7 Understanding Internal Control over Financial Reporting and Auditing Design Effectiveness

  2. Learning Objectives 1. Understand the value of effective internal control. 2. Learn the components and mechanisms of internal control. 3. Describe the internal control-related requirements imposed on management of public companies. 4. Analyze the relationship between management’s assertions, ICFR, and activities of an integrated audit. 5. Explain the approach and steps an auditor uses to understand a company’s ICFR and assess its design effectiveness.

  3. Audit Planning and Risk Assessment Exhibit 7-1

  4. Authoritative Sources for this Chapter • Sarbanes Oxley Act (SOX) • Securities and Exchange Commission (SEC) • Public Company Accounting Oversight Board (PCAOB) • American Institute of CPAs (AICPA) • Statements on Auditing Standards (SAS) • International Auditing and Assurance Standards Board (IAASB) • International Standards on Auditing (ISA) • Committee of Sponsoring Organizations (COSO) • Foreign Corrupt Practices Act, 1977 (FCPA)

  5. Auditors and ICFR • Auditor has to understand the client’s Internal Control over Financial Reporting and assess the effectiveness of its design: • An important part of planning • To be able to select which controls to test in the audit and plan substantive audit procedures

  6. Corporate Accountants and ICFR • Accountants inside a company need to understand Internal Control over Financial Reporting because good ICFR helps the company: • use cost effective procedures • manage costs of processing accounting information • manage productivity of the company’s financial functions • maintain an effective financial control system

  7. Definition of Internal Control over Financial Reporting • Internal control over financial reporting is a subset of the entire system of internal control • Two important sources of definitions • PCAOB’s definition in AS 5 • COSO’s definition in Internal Control Framework • The COSO definition is broader than the PCAOB’s definition • …this makes sense because the PCAOB defines the target of an audit, while COSO’s Internal Control Framework is for more general use

  8. PCAOB AS 5, Definition of Internal Control • Internal control over financial reporting is a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that --

  9. PCAOB AS 5 Definition (continued) • Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; • Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements

  10. Investor Confidence and Internal Control • In the simplest terms, investors can have much more confidence in the reliability of a corporate financial statement if corporate management demonstrates that it exercises adequate control over bookkeeping, the sufficiency of books and records for the preparation of accurate financial statements, adherence to rules about the use of company assets and the possibility of misappropriation of company assets. (PCAOB Release 2004-001, p. 3)

  11. Concepts from COSO Definition • Internal control is a process. It is a means to an end, not an end in itself. • Internal control depends on people. It is not just policy manuals and forms, but people at every level of an organization. • Internal control only provides reasonable assurance – not absolute assurance. • Internal control objectives may address single or overlapping categories of internal control components.

  12. COSO Categories of Internal Control • Reliability of financial reporting • Directly relates to integrated audit goals • Effectiveness and efficiency of operations • Important to management • Compliance with laws and regulations • Less directly related to integrated audit goals • Important to management

  13. Overview of the COSO IC Structure • Control environment • Risk assessment • Control activities • Information and communication • Monitoring The PCAOB uses these same categories in AS 12, Identifying and Assessing Risks of Material Misstatement.

  14. Control Environment • “Tone at the top” • Integrity and ethical values • Commitment to competence • Board of Directors or audit committee participation • Management’s philosophy and operating style • Organizational structure • Assignment of authority and responsibility • Human resources policies

  15. Risk Assessment • Risks defined: Anything that can keep an organization from achieving its objectives. • Organization must set its objectives • Organization must identify threats to achieving the objectives • Guidance to risk assessment is in the COSO Enterprise Risk Management (ERM) Framework • Risk can be • From external and internal factors • At entity and activity levels

  16. Risk Assessment Considerations • Significance or degree of impact of the risk on the company • Likelihood of the risk occurring or frequency with which it may occur • Best ways to manage the risk

  17. Ways to Identify Risks • Qualitative and quantitative approaches to identify higher-risk activities • Periodic review of economic and industry factors • Business planning conferences and meetings • Forecasting • Strategic planning

  18. External and Internal Sources of Risk • External • Technological developments • Changing customer needs or expectations • Competition • New legislation and regulation • Natural catastrophes • Economic changes • Internal • Disruption in information systems processing • Personnel: hiring, training, motivation • Change in management responsibilities • Entity’s activities and employee access to assets • Unassertive or ineffective board or audit committee

  19. Circumstances Demanding Special Risk Assessment Attention • Changed Operating Environment • New Personnel • New or Revamped Information Systems • Rapid Growth • New Technology • New Lines, Products, Activities • Corporate Restructurings • Foreign Operations

  20. Control Activities • Control activities defined: the policies and procedures that help ensure management directives are carried out • Policies: establish what should be accomplished in carrying out management’s directives to address risk • Procedures: the activities that should be followed to carry out the policies

  21. Categories of Control Activities • Performance reviews • Used to monitor the business, often on an ongoing basis • Information processing • Controls over use of IT to initiate, record, process and report transactions and other financial data • General and Application controls • Physical controls • Over assets and access to information • Segregation of duties • Assigning different people responsibility for authorizing transactions, recording transactions and maintaining custody of assets • Collusion is a threat to segregation of duties
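The segregation-of-duties point above (one person should not both authorize, record and hold custody) is the kind of control an auditor walks through by reading role assignments out of the ERP or identity provider. The following is an added example, not code from the slide deck or any named product, showing how that review can be automated: each application role is mapped to one of the three duties and every user holding a toxic pair is flagged. The role names, the role-to-duty mapping and the sample assignment table are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over user-role assignments.

Added example, not part of the original slide deck. The three incompatible
duties (authorize, record, custody) come from the slide; the role names, the
role-to-duty mapping and the sample export below are assumptions made here.
"""
from collections import defaultdict
from itertools import combinations

# Assumed mapping from application roles to the control duty each confers.
# A role that confers no duty (read-only reporting) maps to None.
ROLE_DUTY = {
    "ap_invoice_approver": "authorize",
    "ap_invoice_entry": "record",
    "gl_journal_poster": "record",
    "treasury_payment_release": "custody",
    "fixed_asset_custodian": "custody",
    "ap_report_viewer": None,
}

# Pairs of duties that must never sit with a single person.
TOXIC_PAIRS = {
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"record", "custody"}),
}


def duties_by_user(assignments):
    """Group (user, role) pairs into {user: {duty: [roles granting it]}}.

    An unmapped role is an error rather than silently ignored: a role nobody
    has classified is exactly where an unreviewed conflict hides.
    """
    out = defaultdict(lambda: defaultdict(list))
    for user, role in assignments:
        if role not in ROLE_DUTY:
            raise ValueError(f"unmapped role {role!r}: classify it before reviewing")
        duty = ROLE_DUTY[role]
        if duty is not None:
            out[user][duty].append(role)
    return out


def find_sod_conflicts(assignments):
    """Return (user, duty_a, duty_b, roles) for every toxic pair a user holds.

    Two roles that grant the *same* duty (e.g. two 'record' roles) are not a
    conflict; only combinations across different duties are checked.
    """
    conflicts = []
    for user, duties in sorted(duties_by_user(assignments).items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in TOXIC_PAIRS:
                conflicts.append((user, a, b, sorted(duties[a] + duties[b])))
    return conflicts


# Constructed sample export, as an admin might pull it from the ERP or IdP.
SAMPLE_ASSIGNMENTS = [
    ("alice", "ap_invoice_entry"),
    ("alice", "ap_report_viewer"),          # read-only, no duty
    ("bob", "ap_invoice_approver"),
    ("bob", "treasury_payment_release"),    # authorize + custody: conflict
    ("carol", "gl_journal_poster"),
    ("carol", "ap_invoice_entry"),          # both 'record': no conflict
    ("dave", "fixed_asset_custodian"),
]

if __name__ == "__main__":
    for user, a, b, roles in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{user}: holds {a} and {b} via {roles}")
```

Run against the sample, only bob is reported. Note what the check cannot see: the slide's own caveat that collusion defeats segregation of duties. Two people who each hold a clean set of roles can still act together, so the output of a check like this is evidence about design, not about whether the control operated; pair it with the monitoring and performance-review controls described on the same slide.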

  22. Information and Communication • Quality of Information • Content appropriate: Is the needed information available? • Information timely: Is it available when required? • Information current: Is the latest information available? • Information accurate: Are the data correct? • Information accessible: Can the information be obtained easily by the appropriate parties? • Communication • Tool for control related to ICFR • Means of enabling achievement of the objectives of the business

  23. Monitoring • Ongoing monitoring: those things that are a part of running the business • Separate monitoring: activities conducted for the specific purpose of monitoring • Tradeoff…the more ongoing monitoring exists the less separate monitoring may be needed

  24. COSO Guidance on Monitoring Internal Control Systems • Monitoring is a normal state of affairs in the organization. • Monitoring is a formal part of the organization. • Someone has responsibility for developing monitoring procedures. • Employees execute monitoring activities and make reports as a normal part of their jobs. • Management assesses reports and takes whatever action is needed.

  25. Management’s Responsibility for Internal Control • Foreign Corrupt Practices Act, 1977 • Requires management of public companies to maintain a system of control • Sarbanes Oxley Act • Section 302: management certification • Section 404: management assessment, report and audit • Dodd Frank Act • Permanently exempts smaller public companies from the requirement of having ICFR audited; retains management requirement to assess ICFR and report

  26. SOX Section 302 Management Certification • Specific officers or those with officer functions must sign • Reviewed the SEC filing; annual or quarterly report • SEC filing does not include anything material that is untrue • SEC filing does not omit anything material that makes statements untrue • Fair financial reporting • Management is responsible for internal control • Controls permit people within the company to prepare the SEC reports • Have evaluated effectiveness of ICFR within 90 days prior and are presenting their conclusions • Have told the auditor and audit committee about ICFR problems • Have told the auditor and audit committee of management fraud • Have reported any changes in internal control • Have reported any events that occurred after the report date that may affect internal control

  27. SOX Section 404 • Annual SEC filing must include an internal control report • Report states management’s responsibility for internal control and producing financial information • Report includes management’s assessment at fiscal year end about internal controls and procedures for financial reporting • SEC Interpretive Release 2007: No requirement that management’s assessment be performed using the guidance in the Interpretive Release, but the guidance provides an acceptable way to perform the assessment of ICFR

  28. SOX Section 404, Audits of ICFR • ICFR must be audited for all companies except those exempted by Dodd Frank • Auditor must • Be registered with PCAOB • Attest to (audit) management’s report • Follow PCAOB standards for an audit of ICFR • Since SOX requires that the financial statement and ICFR audit be one integrated engagement, the same auditor must do both

  29. Background to an Audit of ICFR • Objective of an integrated audit report on ICFR and the financial statements • Opinion on the fairness of the financial statements • Opinion on the effectiveness of ICFR • Opinions can be in combined or separate reports • If the auditor disagrees with management’s assessment this is added to the audit report • Auditor must audit the financial statements to audit ICFR • Auditor uses information and conclusions from each part of the audit in the other part of the audit

  30. Approach to an Integrated Audit • Identify what would make the financial statements materially misstated. • Focus on management’s assertions in understanding the accounting system • Identify • …important controls….that address significant risks…associated with management’s assertions • Assess whether the controls are designed effectively so that, if operating effectively, they can prevent or detect material misstatements • Test operating effectiveness of controls • Perform substantive procedures

  31. Assertions defined… • Assertions are representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur. ISA 315

  32. Management’s Assertions • PCAOB uses 5 • AICPA and IAASB use 13 • Auditors have to cover the important concepts in the assertions, but otherwise can express them however they choose • …it is easy to see how both sets of assertions cover the same concepts….

  33. PCAOB Assertions: AS 15, Audit Evidence • Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period. • Completeness – All transactions and accounts that should be presented in the financial statements are included. • Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts. • Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date. • Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed.

  34. AICPA and IAASB, 13 Assertions • Classes of Transactions and Events • Occurrence • Completeness • Accuracy • Cutoff • Classification • Account Balances • Existence • Rights and Obligations • Completeness • Valuation and Allocation • Presentation and Disclosure • Occurrence, Rights, Obligations • Completeness • Classification and Understandability • Accuracy and Valuation

  35. Difference between 5 and 13… • The AICPA and IAASB use additional terms: • Accuracy, Cutoff, Classification, Understandability • Explanations to consider: • If an item posted is not accurate – including being posted in the wrong period or to the wrong account --it either did not occur as shown or the balance is incomplete • If a disclosure is not accurate it cannot meet the requirements for the presentation and disclosure assertion • Proper classification is a part of the presentation and disclosure assertion • If an item is not understandable it cannot be properly described under the presentation and disclosure assertion

  36. Reminder: Use of Management Assertions • Auditor identifies • Significant accounts and disclosures • Relevant assertions for those accounts and disclosures • Auditor considers risks that might cause the assertions to be wrong • Auditor looks for ICFR controls in place to prevent or detect any misstatements resulting from the risks • Auditor assesses whether controls are designed so that they can be effective if they operate properly • Audit continues with • Selecting controls to test; considering whether to always rely on controls in financial statement audit • Deciding how controls tests should be performed • Deciding on substantive procedures needed

  37. Time Periods Covered by Audit Procedures • For an audit opinion that ICFR is effective it must be effective at fiscal year end • ICFR must be effective at and for a period of time prior to fiscal year end so that the auditor has confidence in the conclusion • To rely on ICFR in the financial statement audit, the auditor must test ICFR for the entire period of reliance • If ICFR was not effective throughout the entire financial period, this affects the financial statement audit procedures • Even in an integrated audit, the auditor may choose not to rely on ICFR for an account, and consequently only test related controls at fiscal year end

  38. Evidence Related to ICFR • Making inquiries of appropriate management, supervisory, and staff personnel • Inspecting company documents • Observing the application of specific controls • Tracing transactions through the information system relevant to financial reporting • Walkthroughs – a set of procedures performed together; an efficient way to understand ICFR and assess design effectiveness

  39. Walkthroughs • Tracing a transaction from origination until it is reflected in the company’s financial records • Includes inquiry and observation steps • Information from a walkthrough: • Who performs the control? Or, if automated, what system • What is performed and why? What is the management assertion? • When is the activity performed, including how often? • What evidence is produced showing that the control occurred? • How are problems or exceptions investigated and resolved?

  40. Examples of Walkthrough Inquiries • What do you do when you find an error? • What are you looking for to determine if there is an error? • What kinds of errors have you found? • What happens as a result of finding errors? • How are errors resolved? • Have you ever been asked to override the process or controls? If so, what happened and why did it occur?

  41. Audit Documentation • Audit documentation is the written record of the auditor’s work. • Information included in documentation: • Planning and performance of the work • Procedures performed • Evidence obtained • Conclusions reached • Professional judgment is used to decide how extensive audit documentation must be

  42. AS 3 Documentation Requirements • Demonstrate that the engagement complied with the standards of the PCAOB • Support the auditor’s conclusions concerning every relevant financial statement assertion • Nature, timing, extent and results of procedures performed – means: what was done, when, by whom, outcomes, reviewer, date of review • Demonstrate that the underlying accounting records agreed or reconciled with the financial statements

  43. Characteristics that Cause More Documentation • An audit task that is difficult to understand or interpret • An audit task that requires a lot of judgment • An audit task that is very important to the audit • A management assertion that has a lot of risk

  44. Required Documentation of Contradicting Issues • AS 3.8: In addition to the documentation necessary to support the auditor’s final conclusions, audit documentation must include information the auditor has identified relating to significant findings or issues that is inconsistent with or contradicts the auditor’s final conclusions. The relevant records to be retained include, but are not limited to, procedures performed in response to the information, and records, documentation, consultations on, or resolutions of, differences in professional judgment among members of the engagement team or between the engagement team and others consulted.

  45. Documentation of the Company’s ICFR • SEC requires management to have significant documentation to support its conclusions about ICFR • Form of documentation varies depending on company characteristics (size, complexity, etc.) • Management can rely on documents it uses day-to-day or develop specific ICFR documentation • Auditor may use company’s documentation to advance understanding of the company and ICFR assessment

  46. ICFR Documentation Techniques Used • Flowcharts • Process models • Narrative descriptions • Job descriptions • Samples of transaction documents and forms, procedures manuals, organization charts • Questionnaires and checklists

  47. Information in Management’s ICFR Documentation • The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements • Information about how significant transactions are initiated, authorized, recorded, processed, and reported • Information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur • Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties • Controls over the safeguarding of assets • The results of management’s testing and evaluation of ICFR

  48. Entity Level Controls • Pervasive controls; those that exist at the organization or company level, but have an impact on controls at the process, transaction, or application level • Examples • Controls related to the control environment • Controls over management override • The company’s risk assessment process • Centralized processing and controls • Controls over shared service environments • Controls to monitor other controls • Period-end financial reporting process controls • Policies that address significant business control and risk management practices

  49. Three Categories of Entity-Level Controls • 1. Have an important, but indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis • 2. Monitor the effectiveness of other controls; might identify breakdowns in lower-level controls but not at a level of precision that would sufficiently address the risk of material misstatements • 3. Operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions