Acfn 723: Advanced Auditing

Addis Ababa University

College of Business and Economics
Department of Accounting & Finance

• Module Title: Advanced Auditing

• Module Code: ACFN 723
• Credit Value: 2 Cr hours [4.5 ECTS]
• Instructor: Dr. P. Laxmikantham

Acfn 723: Advanced Auditing/PLK

 Chapter 6

Auditing Internal Control over

Financial Reporting

Acfn 723: Advanced Auditing/PLK

 Chapter 6 - Contents

Auditing Internal Control over Financial Reporting

(ISA 240)
• Management responsibility
• Auditor responsibility
• Internal control over financial reporting
• Internal control deficiencies
• Evaluating identified control deficiencies
• Remediation of material weakness

Acfn 723: Advanced Auditing/PLK

Management Responsibilities

ISA 240, The Auditor's Responsibilities Relating to

Fraud in an Audit of Financial Statements
Section 404 of the Sarbanes-Oxley Act:
Requires managements of publicly traded
companies to issue a report that accepts
responsibility for establishing and maintaining
‘adequate’ internal control over financial reporting
(ICFR) and
Assert whether ICFR is effective as of the end of the
fiscal year.

Acfn 723: Advanced Auditing/PLK

Management Responsibilities
Management must comply with the following
requirements in order for the external auditor to
complete an audit of ICFR.
1. Accepts responsibility for the effectiveness of the
entity’s ICFR.
2. Evaluate the effectiveness of the entity’s ICFR using
suitable control criteria.
3. Support the evaluation with sufficient evidence,
including documentation.
4. Present a written assessment of the effectiveness of
the entity’s ICFR ‘as of’ the end of the entity’s most
recent fiscal year.

Acfn 723: Advanced Auditing/PLK

 Auditor Responsibilities
under Section 404 and AS5

The entity’s independent auditor must

audit and report on the effectiveness of
ICFR. The auditor is required to conduct
an integrated audit of the entity’s ICFR
and its financial statements.

Acfn 723: Advanced Auditing/PLK

 ICFR Defined
ICFR is defined as a process designed to provide
reasonable assurance regarding the reliability of
financial reporting and the preparation of financial
statements in accordance with GAAP.
Controls include procedures that:
1. Pertain to the maintenance of records that accurately and
fairly reflect the transactions and dispositions of the assets
of the company.
2. Provide reasonable assurance that transactions are properly
authorized and recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or
disposition of the company’s assets.
Acfn 723: Advanced Auditing/PLK
Internal Control Deficiencies
Defined
A control deficiency exists when the design or
operation of a control does not allow management
or employees, in the normal course of performing
their assigned functions, to prevent or detect
misstatements on a timely basis.
A significant deficiency is a deficiency, or a
combination of deficiencies, in internal control over
financial reporting that is less severe than a
material weakness, yet important enough to merit
attention by those responsible for oversight of the
company's financial reporting.

Acfn 723: Advanced Auditing/PLK

Internal Control Deficiencies
Defined
A control deficiency may be serious enough that it is to be
considered not only a significant deficiency but also a
material weakness in the system of internal control.
A material weakness is a deficiency, or a combination of
deficiencies, in ICFR, such that there is a reasonable
possibility that a material misstatement of the annual or
interim financial statements will not be prevented or
detected on a timely basis.
As illustrated on the next slide, the auditor must consider
two dimensions of the control deficiency:
likelihood (reasonably possible); and
magnitude (material, significant, or insignificant).

Acfn 723: Advanced Auditing/PLK

Internal Control Deficiencies
Defined
The Relationship of Likelihood and Magnitude in Determining the Materiality of a
Control Deficiency

Acfn 723: Advanced Auditing/PLK

Management’s Assessment
Process

Management must follow a top-down, risk-based

approach:
1. Identify financial reporting risks and controls.
2. Consider which locations to include in the evaluation.
3. Evaluate evidence about the operating effectiveness of
ICFR.

Acfn 723: Advanced Auditing/PLK

Framework Used by Management to
Conduct Its Assessment

Most entities use the framework developed by COSO.

This framework identifies three primary objectives of
internal control:
(1) reliable financial reporting;
(2) efficiency and effectiveness of operations; and
(3) compliance with laws and regulations.

Acfn 723: Advanced Auditing/PLK

Identify Entity-Level Controls

Examples of Entity-Level Controls

Acfn 723: Advanced Auditing/PLK

 Management’s
Documentation
Management must develop sufficient
documentation to support its assessment of
the effectiveness of internal control.
This documentation may take many forms,
such as paper, electronic files or other media.
It also includes policy manuals, process
models, flowcharts, job descriptions,
documents and forms.

Acfn 723: Advanced Auditing/PLK

Integrating the Audits of Internal
Control and Financial Statements
An integrated audit is composed of the audits of
internal control and the financial statements. The
control testing impacts the planned substantive
procedures. Also, the results of the substantive
procedures are considered in the evaluation of
internal control.

Tests of Substantive
internal audit
control procedures

Acfn 723: Advanced Auditing/PLK

Performing an Audit of ICFR

Steps in the Audit of

ICFR

Acfn 723: Advanced Auditing/PLK

Planning the Audit of ICFR

• The planning process is similar to the process

used for the audit of financial statements.

• Consider the following:

- Role of risk assessment and the risk of
fraud.
- Scaling the audit.
- Using the work of others.

Acfn 723: Advanced Auditing/PLK

 Special Consideration:
Using the Work of Others
A major consideration for the external auditor is how much
work is to be performed by others. In determining the extent
to which the auditor may use the work of others, the auditor
should:
(1) evaluate the nature of the controls subjected to the work
of others,
(2) evaluate the competence and objectivity of the
individuals who performed the work, and
(3) test some of the work performed by others to evaluate
the quality and effectiveness of their work.

As the risk associated with the control being tested

increases, the external auditor should do more of the work.

Acfn 723: Advanced Auditing/PLK

Using a Top-Down Approach

Top-Down,
Risk-Based
Approach to
the Audit of
ICFR

Acfn 723: Advanced Auditing/PLK

 Identifying Significant
Accounts
• Size and composition of the account.
• Susceptibility to misstatement due to errors
or fraud.
• Volume of activity, complexity, and
homogeneity of the individual transactions
processed through the account or reflected in
the disclosure.
• Nature of the account or disclosure.
• Accounting and reporting complexities
associated with the account or disclosure.
Acfn 723: Advanced Auditing/PLK
Identifying Significant
Accounts
• Exposure to losses in the account.
• Possibility of significant contingent
liabilities arising from the activities
reflected in the account or disclosure.
• Existence of related-party transactions in
the account.
• Changes from the prior period in account
or disclosure characteristics.

Acfn 723: Advanced Auditing/PLK

Sources of Misstatement

• Understand the flow of transactions related to the

relevant assertions.
• Identify the points within the entity’s processes at
which a misstatement could arise that would be
material.
• Identify the controls that management has
implemented to address these potential
misstatements.
• Identify the controls that management has
implemented over the prevention or timely detection
of unauthorized acquisition, use, or disposition of the
company’s assets that could result in a material
misstatement of the financial statements.

Acfn 723: Advanced Auditing/PLK

 Select Controls to Test
Factors Commonly Considered When Identifying Controls to
Test

Acfn 723: Advanced Auditing/PLK

Evaluate Identified Control
Deficiencies
The auditor must consider the likelihood and
magnitude of the control deficiency.

Risk Factors that Affect Whether There Is a Reasonable Possibility that a Control Deficiency
(or a Combination of Control Deficiencies) Will Result in a Misstatement of an Account
Balance or Disclosure

Acfn 723: Advanced Auditing/PLK

Evaluate Identified Control
Deficiencies
If a deficiency, or combination of deficiencies, prevents
the auditor from having reasonable assurance that
transactions are recorded properly, then the auditor
should treat the deficiency as an indicator of a material
weakness.
Indicators of Material Weaknesses

Acfn 723: Advanced Auditing/PLK

Remediation of a Material
Weakness

• Remediation is the process of correcting

a material weakness in the ICFR
- If a material weakness is corrected before
the 'as of’ date, there must be sufficient
time for both management and the auditor
to test the operating effectiveness of the
control – if not, an adverse opinion is still
issued.

Acfn 723: Advanced Auditing/PLK

Written Representations

In addition to the management representations

obtained as part of a financial statement audit, the
auditor also obtains written representations from
management related to the audit of ICFR.

Failure to obtain written

representations from
management, including
management’s refusal to
furnish them, constitutes a
limitation on the scope of the
audit sufficient to preclude
an unqualified opinion.
Acfn 723: Advanced Auditing/PLK
Auditor Documentation
Requirements
The auditor must properly document the processes,
procedures, judgements, and results relating to the
audit of internal control.

When an entity has effective

ICFR, the auditor should be
able to perform sufficient
testing of controls to assess
control risk for all relevant
assertions at a low level.

Acfn 723: Advanced Auditing/PLK

Auditor Documentation
Requirements
The auditor’s documentation of the process, procedures,
judgements and results relating to the audit of ICFR
should include:
1. Auditor’s understanding and evaluation of the design of
ICFR;
2. The process used to determine the points at which
material misstatements could occur;
3. The extent to which the auditor relied upon the work of
others; and
4. The evaluation of any deficiencies discovered or other
findings which could result in a report modification.

Acfn 723: Advanced Auditing/PLK

Types of Reports Relating to
the Audit of ICFR

An unqualified opinion signifies that the entity’s

internal control is designed and operating effectively
(no material weaknesses).

A serious (more than minor) scope limitation requires

the auditor to disclaim an opinion.

An adverse opinion is required if a material weakness

is identified.

Acfn 723: Advanced Auditing/PLK

Additional Required Communications
in an Audit of ICFR

The auditor must communicate in writing to

management and the audit committee all significant
deficiencies and material weaknesses identified
during the audit (AS5).
This communication should be made prior to the
issuance of the auditor’s report on ICFR.
In addition, the auditor should communicate to
management, in writing, all control deficiencies
identified during the audit and inform the audit
committee when such a communication has been
made.
Acfn 723: Advanced Auditing/PLK
Use of Service Organizations

Many companies use a service organization to

process transactions.
If the service organization's services make up part
of a company’s information system, then they are
considered part of the information and
communication component of the company’s
internal control over financial report.
Thus, both management and the auditor must
consider the activities of the service organization.
Acfn 723: Advanced Auditing/PLK
Use of Service Organizations

Management and the auditor should perform the

following procedures with respect to the activities
performed by the service organization:
(1) obtain an understanding of the nature and
significance of the services provided by the
service organization and their effect of the
user entity’s internal control relevant to the
audit, sufficient to identify and assess the
risks of material misstatement; and
(2) design and perform audit procedures
responsive to those risks.

Acfn 723: Advanced Auditing/PLK

Safeguarding of Assets

Safeguarding of assets is defined as

policies and procedures that ‘provide
reasonable assurance regarding prevention
or timely detection of unauthorized
acquisition, use or disposition of the
company’s assets that could have a
material effect on the financial statements.’

Acfn 723: Advanced Auditing/PLK