McGraw-Hill/Irwin ©2007 by the McGraw-Hill Companies, Inc. All rights reserved. 5-1 Chapter 5 Internal Control Evaluation: Assessing Control Risk


Presentation Outline

I. Internal Control Overview

II. The Internal Control Framework

III. Phases of Audit of Internal Control (PCAOB 2) (Publicly Traded Companies)

IV. Reporting Internal Control Weaknesses


I. Internal Control Overview

A. Reason for Internal Control Evaluation Under GAAS (2nd Standard of Fieldwork)

B. Management and Auditor Responsibility

C. Management Report on Internal Controls (Public Company Audits)

D. Auditor Report on Internal Controls (Public Company Audits)

E. Limitations of Internal Controls


A. Reason for Internal Control Evaluation Under GAAS (2nd Standard of Field Work)

Trade-off between tests of controls and substantive testing

**Important**

Understand Exhibit 5.8 on p. 162 of text.


Exhibit 5.10: Bridge Workpaper for Preliminary Assessment of Control Risk


B. Management and Auditor Responsibility

• Management responsibility

– Primary responsibility for internal control

– Sarbanes-Oxley Act of 2002 (publicly traded companies)

• Auditor responsibility

– Second standard of fieldwork

– PCAOB Auditing Standard No. 2 (PCAOB 2): An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements


C. Management Report on Internal Controls (Public Company Audits)

In addition to certifying the company’s financial statements (Section 302), management must also report on the company’s internal control over financial reporting (Section 404).

Specifically, the company’s annual report must include:

• A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting.

• A statement identifying the framework (usually COSO) management uses to evaluate the effectiveness of the company’s internal control.

• A statement providing management's assessment of the effectiveness of the company’s internal control.


D. Auditor Report on Internal Controls (Public Company Audits)

The auditor must attest to management’s assessment of internal control.

Objective: “To form an opinion as to whether management's assessment of the effectiveness of the registrant's internal control over financial reporting is fairly stated in all material respects.”

Auditors must also provide their own opinions on the effectiveness of internal control.

– Not a separate engagement

– Integrated audit of internal control and financial statements


E. Limitations of Internal Controls

• Human error

• Collusion

• Management override

• Cost/benefit analysis

– There is often a trade-off between the cost and the effectiveness of internal controls.

– The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.


II. The Internal Control Framework

A. Entities Comprising COSO

B. The COSO Definition of Internal Control

C. Interrelated Components of Internal Control

D. The Control Environment

E. Risk Assessment

F. Control Activities

G. Information and Communication

H. Monitoring


A. Entities Comprising COSO

Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (Treadway Commission)

• Financial Executives Institute (FEI)

• American Accounting Association (AAA)

• Institute of Internal Auditors (IIA)

• Institute of Management Accountants (IMA)

• American Institute of Certified Public Accountants (AICPA)


B. The COSO Definition of Internal Control

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

(1) Reliability of financial reporting,

(2) Compliance with applicable laws and regulations,

(3) Effectiveness and efficiency of operations.


C. Interrelated Components of Internal Control


D. The Control Environment

• Sets the tone of an organization, influencing the control consciousness of its people.

• It is the foundation for all other components.


D. The Control Environment (Continued)

• Philosophy And Operating Style

• Integrity And Ethical Values

• Organizational Structure

• Commitment To Competence

• Functioning Of Board

• Authority And Responsibility

• Internal Audit

• Human Resources Policies

• External Environment


E. Risk Assessment

• The entity's identification and analysis of relevant risks to achievement of its objectives.

• COSO's Enterprise risk management (ERM) framework (Chapter 4)


F. Control Activities (Procedures)

The policies and procedures that help ensure management directives are carried out.

• Physical controls over the security of assets (see p. 156 of text)

• Segregation of duties (see pp. 154-155 of text)

• Information Processing (see pp. 156-157 of text)

• Performance reviews (see p. 154 of text)


G. Information & Communication

The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.


H. Monitoring

Management’s process that assesses the quality of the internal control's performance over time.

• Internal auditing

• Follow-up of reporting errors


III. Phases of Audit of Internal Control (PCAOB 2) (Publicly Traded Companies)

A. Plan the Audit

B. Evaluate Management’s Process for Assessing Internal Control

C. Obtain an Understanding of Internal Control

D. Evaluate Internal Control Effectiveness

1. Design

2. Operation

E. Form an Opinion About Effectiveness


A. Plan the Audit (PCAOB 2)

Evaluation must be done for all relevant assertions for all significant accounts or disclosures.

Significant accounts, locations, and assertions must be identified.

The key to determining what is included is whether there is more than a remote possibility that a material misstatement could be associated with it.


B. Evaluating Management's Process for Assessing Internal Control (PCAOB 2)

The more extensive and reliable management’s assessment is, the less extensive the auditor’s work needs to be.

Auditor must perform work related to:

– Company-wide anti-fraud programs

– Controls that have a pervasive effect

Auditor must obtain “principal evidence,” but can incorporate work of Internal Auditors and others

– Must assess competence and objectivity

– Limited reliance

Can’t reduce work on control environment


C. Obtain an Understanding of Internal Control (PCAOB 2)

• Must understand that controls have actually been implemented and are operating as designed

• Must perform walkthroughs

– Major classes of transactions

– Routine and unusual transactions


D1. Evaluate Design Effectiveness (PCAOB 2)

• Key Questions

– Will controls be effective if operated as designed?

– Are all necessary controls in place?

• Methods

– Inquiry, observation, walkthroughs

– Specific evaluation of whether the controls are likely to prevent or detect financial misstatements

– Specifically evaluate audit committee


D2. Evaluate Operating Effectiveness (PCAOB 2)

• Timing

– Evaluation as of end of fiscal year

– Can test at interim and update

• Methods

– Inquiries, inspection of documentation, observation, reperformance.

– May use tests by management, internal audit staff and 3rd parties

– Read internal audit reports


E. Form an Opinion About Effectiveness (PCAOB 2)

• Two opinions

– Management’s assessment of internal control effectiveness.

– Actual effectiveness of controls over financial reporting

• Types of opinions

– If no material weaknesses are discovered, issue an unqualified opinion.

– If the auditor cannot perform all procedures, either qualify or disclaim opinion. If opinion cannot be expressed, explain why.

– If any material weaknesses are discovered, issue an adverse opinion.


IV. Reporting Internal Control Weaknesses

A. Forms of Internal Control Weakness

B. Reporting to Audit Committee on Internal Control Related Matters

C. Types of Internal Control Reports Accompanying Financial Statements (PCAOB 2)


A. Forms of Internal Control Weakness (PCAOB 2)

• Internal Control Deficiency

– “An internal control deficiency exists when the design or operation of a control does not allow the company’s management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.”

• Significant deficiency (p. 174 of text)

– More than a remote likelihood of a misstatement of the annual or interim financial statements that is more than inconsequential in amount

• Material weakness (p. 175 of text)

– More than a remote likelihood of a material misstatement

• Significant deficiencies and material misstatements must be communicated in writing to audit committee


B. Reporting to Audit Committee on Internal Control Related Matters

Sarbanes-Oxley requires that the report be in writing.

The auditor may communicate during or after audit.

Communication with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.


C. Types of Internal Control Reports Accompanying Financial Statements (PCAOB 2)

• Separate Report on Internal Control

– Opinions on management’s assertion of internal control effectiveness as well as actual internal control effectiveness

– Opinion on financial statements contained in separate audit report

• Integrated Audit Report and Report on Internal Control

– Includes auditor’s opinions on 1) management’s assertion of internal control effectiveness, 2) internal control effectiveness, and 3) the fairness of the company’s financial statements.


Summary

• Overview of internal control describing its role and evaluation in GAAS and public company audits.

• The COSO Framework

• PCAOB requirements for evaluating internal control for public companies.

• Reporting internal control matters to the audit committee and the public.