Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.


Management Responsibilities under Section 404

Management must comply with the following requirements in order for the external auditor to complete an audit of ICFR.

1. Accept responsibility for the effectiveness of the entity’s ICFR.

2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.

3. Support the evaluation with sufficient evidence, including documentation.

4. Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year.

LO# 1


Auditor Responsibilities under Section 404 and AS5

The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit of the entity’s ICFR and its financial statements.

LO# 2


ICFR Defined

ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:

1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.

2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets.

LO# 3


Internal Control Deficiencies Defined

[Figure: deficiencies classified by magnitude (material; not material but significant; not material or significant) and likelihood (remote; reasonably possible or probable).]

– Material weakness: report externally to audit committee and to management.

– Significant deficiency: report to audit committee and to management.

– Control deficiency: report to management.

LO# 4


Management’s Assessment Process

Management must follow a top-down, risk-based approach:

1. Identify financial reporting risks and controls.

2. Evaluate evidence about the operating effectiveness of ICFR.

3. Consider which locations to include in the evaluation.

LO# 5


Performing an Audit of ICFR

[Figure 7-2]

LO# 6


Integrating the Audits of Internal Control and Financial Statements

An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control.

[Diagram: tests of internal control; substantive audit procedures]

LO# 6


Planning the Audit of ICFR

The planning process is similar to the process used for the audit of financial statements.

Consider the following:

– Risk assessment and the risk of fraud.

– Scaling the audit.

– Using the work of others.

LO# 7


Using a Top-Down Approach

[Figure 7-3]

LO# 8


Test the Design and Operating Effectiveness of Controls

LO# 9

Evaluate design

Test and evaluate operating effectiveness

– Nature: Inquiry, inspection of documents, observation, and reperformance.

– Timing: Interim vs. “as of” date

– Extent: Consider (1) Nature of the control; (2) Frequency of operation; and (3) Importance of the control.


Evaluate Identified Control Deficiencies

LO# 10


Remediation of a Material Weakness

Remediation is the process of correcting a material weakness in ICFR.

– If a material weakness is corrected before the “as of” date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control; if not, an adverse opinion is still issued.

LO# 11


Written Representations

In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR.

Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.

LO# 12


Auditor Documentation Requirements

The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control.

When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

LO# 13


Types of Reports Relating to the Audit of ICFR

An unqualified opinion signifies that the client’s internal control is designed and operating effectively (no material weaknesses).

A serious scope limitation requires the auditor to disclaim an opinion.

An adverse opinion is required if a material weakness is identified.

LO# 14


Additional Required Communications in an Audit of ICFR

The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.

LO# 15


Advanced Module 1: Use of Service Organizations

Management and the auditor should perform the following procedures with respect to the activities performed by the service organization:

(1) obtain an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization; and

(2) obtain evidence that the controls that are relevant to management’s assessment and the auditor’s opinion are operating effectively.

Sometimes a Type 2 report is issued.

LO# 16


Advanced Module 2: Computer-Assisted Audit Techniques

Computer-assisted audit techniques (CAATs) include:

• Generalized audit software packages.

• Custom audit software.

• Test data.

LO# 18


End of Chapter 7
