Section 404 Audits of Internal Control and Control Risk

Section 404 Audits of
Internal Control and

Control Risk
Chapter 10
2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 1

Learning Objective 1
Describe the three primary

objectives of effective
internal control.

Internal Control Objectives
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with laws and regulations

Contrast managements
responsibilities for maintaining
and reporting on internal controls
with the auditors responsibilities
for understanding, testing, and
reporting on internal controls.
Management and Auditor
Responsibilities Related
to Internal Control
Managements responsibility
for establishing internal control
Reasonable assurance
Inherent limitations

to Internal Control
Managements Section 404
reporting responsibilities
Design of internal control
Operating effectiveness of controls

to Internal Control
Auditor responsibilities for
understanding internal control
Control over classes of transactions
Auditor responsibilities for testing

and reporting on internal control

Sales Transaction-Related Audit
Objectives
Transaction-Related Audit Sales Transaction-Related
Objective General form Audit Objectives
Recorded transactions Sales are for shipments
exist (existence). to existing customers.
Existing transactions are Existing sales transactions
recorded (completeness). are recorded.
Transactions are stated Sales for goods shipped

correctly (accuracy). are correctly billed.

Sales Transaction-Related Audit
Objectives
Transaction-Related Audit Sales Transaction-Related
Objective General form Audit Objectives
Transactions are properly Sales transactions are
classified (classification). properly classified.
Transactions are recorded Sales are recorded on
on correct dates (timing). the correct dates.
Transactions are properly Sales transactions are
filed (posting and properly included in the
summarization). master files.
Explain the five components

of the COSO internal
control framework.

Five Components of Internal
Control
Risk Information and

assessment communication
Control
Monitoring
activities
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit committee participation
Managements philosophy and operating style

The Control Environment
Organizational structure
Assignment of authority and responsibility
Human resources policies and practices

Risk Assessment
Identify factors that may increase risk.
Estimate the significance of the risk.
Assess the likelihood of the risk.
Determine actions necessary to manage the risk.

Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

Adequate Separation of Duties
Custody of assets Accounting
Authorization The custody of

of transactions related assets
Operational Record-keeping
responsibility responsibility
IT duties User departments

Proper Authorization of
Transactions and Activities
General authorization
Specific authorization

Adequate Documents and
Records
Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple use
Constructed to encourage correct preparation

Physical Control over Assets
and Records
The most important type of protective
measure for safeguarding assets and
records is the use of physical precautions.

Independent Checks on
Performance
The need for independent checks arises

because internal control tends to change
over time unless there is a mechanism
for frequent review.

Information and Communication
The purpose of an accounting information

and communication system is to
initiate, record, process, and report

the entitys transactions and to maintain
accountability for the related assets.

Monitoring
Monitoring activities deal with managements

ongoing and periodic assessment of the
quality of internal control performance
to determine whether controls are operating

as intended and modified when needed.

How the Size of the Business
Affects Internal Control
In general the SEC believes that small
businesses should be expected to adhere
to the same internal control standards that
apply to larger public companies.
The SEC has also stated that the burden to

smaller companies can be disproportionate.

Obtain and document an

understanding of internal control.

Four Phases of a Financial
Statement Audit
Obtain an
understanding of Design, perform,
Phase 1 internal control: Phase 3 and evaluate tests
design and of controls
operation
Decide planned
Assess control detection risk
Phase 2 risk. Phase 4 and substantive
tests.

Obtain and Document
Understanding of Internal Control
SAS 55 and PCAOB Standard 2 both require
the auditor to obtain an understanding
of internal control for every audit.
Procedures to obtain an understanding:

Design of internal controls
Whether placed in operation
Uses this information as a basis for the
integrated audit.

Methods Used
Narrative
Flowchart
Internal
control
questionnaire

Narrative
1. The origin of every document
and record in the system
2. All processing that takes place
3. The disposition of every document

and record in the system
4. An indication of the controls relevant

to the assessment of control risk

Evaluating Internal Control
Operation
Update and evaluate auditors previous
experience with the entity.
Make inquiries of client personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.

Assess control risk by linking key

controls, significant deficiencies,
and material weaknesses to
transaction-related audit
objectives.

Assess Control Risk
Assess whether the financial statements

are auditable.
Determine assessed control risk supported

by the understanding obtained assuming
the controls are being followed.
Use of a control risk matrix to assess control risk

Control Risk Matrix
Auditors use the control risk matrix to

identify both controls and weaknesses
and to assess control risk.

Control Risk Matrix
Identify transaction-related audit objectives.
Identify existing controls.
Associate controls with transaction-related

audit objectives.
Identify and evaluate control deficiencies,

significant deficiencies, and material weaknesses

Evaluating Significant Control
Deficiencies
SIGNIFICANCE
Material
Material
Weakness
LIKELIHOOD Remote Probable
Immaterial
Communicate Internal Control
Deficiencies and Related Matters
Audit committee communications
Management letters

Describe the process of designing

and performing tests of controls.

Tests of Controls
The procedures to test effectiveness of controls
in support of a reduced assessed control
risk are called tests of controls.

Procedures for Tests of Controls
1. Make inquiries of client personnel.
2. Examine documents, records, and reports.
3. Observe control-related activities.
4. Reperform client procedures.

Extent of Procedures
Reliance on evidence from prior years audit
Testing less than the entire audit period

Relationship of Assessed Control
Risk and Extent of Procedures
Assessed control risk
High level:
Type of Procedures to obtain Lower level:
procedure an understanding Tests of controls
Inquiry Yesextensive Yessome
Documentation Yeswith transaction Yesusing sampling
walk-through
Observation Yeswith transaction Yesat multiple times
walk-through
Reperformance No Yesusing sampling

Decide Planned Detection Risk
and Design Substantive Tests
The auditor uses the results of the control risk

assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.
The auditor links the control risk assessments

to the balance-related audit objectives.

Understand Section 404

requirements for auditor
reporting on internal control.

Section 404 Reporting on Internal
Control
1
The auditors opinion on whether managements

assessment of the effectiveness of internal
control over financial reporting as of the
end of the fiscal period is fairly stated,
in all material respects.

Section 404 Reporting on Internal
Control
2
The auditors opinion on whether the company

maintained, in all material respects, effective
internal control over financial reporting
as of the specified date.

Types of Opinions
Unqualified
Adverse
Qualified or disclaimer of opinion

Describe the differences in

evaluating, reporting, and
testing internal control for
nonpublic companies.

Evaluating, Reporting, and Testing Internal
Control for Nonpublic Companies
1. Reporting requirements
2. Extent of required internal controls
3. Extent of understanding needed
4. Assessing control risk
5. Extent of tests of controls needed

Differences in Scope of Controls
Tested: Nonpublic Company
Internal controls over financial reporting
Internal controls used to assess

control risk below maximum
Controls that must be tested in Controls that must be tested in

an audit of internal controls an audit of financial statements

End of Chapter 10

Section 404 Audits of Internal Control and Control Risk

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Section 404 Audits of Internal Control and Control Risk

Uploaded by

Copyright:

Available Formats

Section 404 Audits of

Internal Control and

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 1

Describe the three primary

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 2

Reliability of financial reporting

Efficiency and effectiveness of operations

Compliance with laws and regulations

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 3

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 5

Design of internal control

Operating effectiveness of controls

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 6

Control over classes of transactions

Auditor responsibilities for testing

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 7

Transactions are stated Sales for goods shipped

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 8

Explain the five components

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 10

Risk Information and

Integrity and ethical values

Board of directors or audit committee participation

Managements philosophy and operating style

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 12

Assignment of authority and responsibility

Human resources policies and practices

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 13

Identify factors that may increase risk.

Estimate the significance of the risk.

Assess the likelihood of the risk.

Determine actions necessary to manage the risk.

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 14

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 15

Custody of assets Accounting

Authorization The custody of

IT duties User departments

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 16

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 17

Prepared at the time of transaction

Simple enough to ensure understanding

Designed for multiple use

Constructed to encourage correct preparation

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 18

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 19

The need for independent checks arises

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 20

The purpose of an accounting information

initiate, record, process, and report

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 21

Monitoring activities deal with managements

to determine whether controls are operating

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 22

The SEC has also stated that the burden to

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 23

Obtain and document an

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 24

2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder 10 - 25