
Chapter 7: Auditing Internal Control over Financial Reporting

Consider and audit internal control / COSO Framework
7.1 Management Responsibilities under Section 404
- Requires management of publicly traded companies to issue a report that accepts responsibility for establishing & maintaining
adequate ICFR and asserts whether ICFR is effective as of the end of the fiscal year. Management’s assessment does not cover the entire
Requirements of ICFR:
1. Accept responsibility for the effectiveness of the entity’s ICFR
2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria
3. Support the evaluation with sufficient evidence, including documentation
4. Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of entity’s most recent fiscal year
7.2 Auditor Responsibilities under Section 404 & AS5
Section 404: requires auditor to audit management’s assertion about effectiveness of ICFR
AS5: states auditor must conduct audits of financial statements & ICFR in an integrated way because each audit provides auditor with
information relevant to the evaluation of the results of the other
The auditor’s objective in an audit: “To express an opinion on the effectiveness of the company’s ICFR,” while the objective in a
financial statement audit is to express an opinion on whether the financial statements are fairly stated in accordance with generally
accepted accounting principles (GAAP)
-- To form this basis, auditor must plan and perform audit to obtain reasonable assurance
In this case, reasonable assurance recognizes that no system of internal control is perfect and that there is a remote likelihood that
material misstatements will not be prevented or detected on a timely basis, even if controls are, in fact, effective.
7.3 Internal Control over Financial Reporting Defined
- CEO & CFO are responsible for the reliability of ICFR & preparation of the financial statements
(1) Maintenance of records that, in reasonable detail, accurately & fairly reflect transactions & dispositions of company’s assets
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of f.s. in accordance with GAAP, that
receipts & expenditures of company are being made in accordance
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of
company’s assets that could have a material effect on f.s.
- Items (1) & (2) relate to controls for initiating, authorizing, recording, processing & reporting significant accounts & disclosures &
related assertions embodied in f.s.
- Item (3) concerns controls over safeguarding of assets
7.4 Internal Control Deficiencies Defined
Control Deficiency: define what constitutes a control deficiency & to define different levels of severity
Control deficiency exists when design or operation of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent or detect misstatements on a timely basis
Design deficiency exists when
(1) Control necessary to meet relevant control objective is missing
(2) Existing control isn’t properly designed, so the control objective isn’t met
Operation deficiency exists when properly designed control doesn’t operate as designed or when person performing control
doesn’t possess necessary authority or qualifications
Material Weakness: deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material
misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis
Significant Deficiency: a control deficiency, or combination of control deficiencies, in ICFR that is less severe than a material
weakness yet important enough to merit attention by those responsible for oversight of the entity’s financial reporting
Likelihood and Magnitude
“Remote”: identified control issue does not even rise to the level of control deficiency
Look at figure 7.1 on pg. 228
7.5 Management’s Assessment Process
Step 1: Identify Financial Reporting Risks and Related Controls
Risk that a misstatement could result in a material misstatement of the financial statements
How management assesses is based on industry
Management identifies controls that are in place to address f.s. reporting risks
Mgmt. evaluates whether controls are in place to address entity-level controls & other elements of ICFR
Mgmt. should consider the effect of information technology general controls
Mgmt. must obtain and document reasonable evidential support
Step 2: Consider which locations to include in the evaluation
Step 3: Evaluate Evidence about the Operating Effectiveness of ICFR
Considers whether the control is operating as designed and whether the person performing the control possesses the
necessary authority and competence to perform the control effectively
Mgmt. should focus on highest risk of ICFR
Direct test of controls: performed on periodic basis by individuals like auditors with respect to control
Reporting Considerations
No material weakness: conclude entity’s ICFR was effective
Material weakness: management must disclose material weakness in its assessment of effectiveness of ICFR on annual basis
Nature of material weakness
Impact on entity’s financial reporting & ICFR
Management’s current plans, if any, for remediating material weakness
-- Mgmt. assessment process involves: (1) service organizations & (2) safeguarding assets

7.6 Performing an Audit of ICFR
Step 1: Plan the audit of ICFR (7.7)
consider following activities:
o Role of Risk Assessment and the Risk of Fraud
o Scaling the audit - size and complexity of the company, its business processes and business units
o Using work of others - receiving assistance from internal auditors, entity personnel, 3rd parties
Step 2: Identify controls to test using a top-down, risk based approach (7.8)
1. identify entity level controls
a. Control Environment
i. Sound integrity & ethical values, particularly of top mgmt., are developed and understood
ii. Mgmt’s philosophy & operating style promote effective ICFR
iii. Board or audit committee understands & exercises oversight responsibility over financial reporting & internal control
b. Period-End Financial Reporting Process
2. identify significant accounts disclosures & their relevant assertions
3. Understand likely sources of misstatement
a. understand flow of transactions related to relevant assertions
b. identify points within entity’s processes at which a misstatement could arise that would be material
c. identify controls that mgmt. has implemented to address potential misstatements
d. identify controls that mgmt. has implemented over prevention or timely detection of unauthorized acquisition, use or disposition of company’s assets
** perform walk throughs
4. Select controls to test
Step 3: Test the design and operating effectiveness of selected controls (7.9)
Nature of Testing
Timing of Tests of Controls
Extent of Tests of Controls: nature of the control, frequency of operation, importance of the control
Step 4: Evaluate identified control deficiencies (7.10)
Step 5: Form an opinion on the effectiveness of the ICFR
7.11 Remediation of a Material Weakness
- when an entity determines that it has material weakness, it should take steps to correct it
7.12 Written Representations
- need representation from management
7.13 Auditor Documentation Requirements
- auditors document the processes, procedures, judgments & results relating to the audit of internal control
7.14 Auditor Reporting on ICFR
Other Reporting Issues:
Mgmt’s report incomplete or improperly presented
Auditor decides to refer to the report of other auditors
Subsequent events
Mgmt’s report contains additional information