Auditing A RiskBased Approach To Conducting A Quality
Auditing A Risk-Based Approach To Conducting A Quality Audit 10 th edition Karla M. Johnstone | Audrey A. Gramling | Larry E. Rittenberg CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: RESPONSIBILITIES OF MANAGEMENT AND THE EXTERNAL AUDITORS Copyright © 2016 South-Western/Cengage Learning
LEARNING OBJECTIVES 1. 2. 3. 4. Articulate the importance of internal control over financial reporting for organizations Define internal control as presented in COSO’s 2013 Internal Control, Integrated Framework and identify the components of internal control Describe the control environment component of internal control, list its principles, and provide examples of each principle Describe the risk assessment component of internal control, list its principles, and provide examples of each principle Copyright © 2016 South-Western/Cengage Learning 3 -2
LEARNING OBJECTIVES 5. 6. 7. Describe the control activities component of internal control, list its principles, and provide examples of each principle Describe the information and communication component of internal control, list its principles, and provide examples of each principle Describe the monitoring component of internal control, list its principles, and provide examples of each principle Copyright © 2016 South-Western/Cengage Learning 3 -3
LEARNING OBJECTIVES 8. 9. 10. Identify management’s responsibilities related to internal control over financial reporting Distinguish between material weaknesses, significant deficiencies, and control deficiencies in internal control over financial reporting Articulate the importance of internal control over financial reporting for the external audit and apply the concepts related to management’s and the auditor’s assessments of internal control effectiveness Copyright © 2016 South-Western/Cengage Learning 3 -4
THE AUDIT OPINION FORMULATION PROCESS Copyright © 2016 South-Western/Cengage Learning 3 -5
LEARNING OBJECTIVE 1 ARTICULATE THE IMPORTANCE OF INTERNAL CONTROL OVER FINANCIAL REPORTING FOR ORGANIZATIONS Copyright © 2016 South-Western/Cengage Learning
IMPORTANCE OF INTERNAL CONTROL OVER FINANCIAL REPORTING • Internal control helps: • Mitigate risks of not achieving organizational objectives • Provide assurance regarding reliability of financial information • Reduce occurrence of unforeseen circumstances • Improve quality of information Copyright © 2016 South-Western/Cengage Learning 3 -7
LEARNING OBJECTIVE 2 DEFINE INTERNAL CONTROL AS PRESENTED IN COSO’S 2013 INTERNAL CONTROL, INTEGRATED FRAMEWORK AND IDENTIFY THE COMPONENTS OF INTERNAL CONTROL Copyright © 2016 South-Western/Cengage Learning
INTERNAL CONTROL - INTEGRATED FRAMEWORK • COSO defines internal control as a process: • Effected by an entity’s board of directors, management, and other personnel • Designed to provide reasonable assurance regarding achievement of objectives relating to operations, reporting, and compliance • Effective internal control needs to: • Be effectively designed and implemented • Operate effectively Copyright © 2016 South-Western/Cengage Learning 3 -9
EXHIBIT 3. 1 - COSO FRAMEWORK FOR INTERNAL CONTROL Copyright © 2016 South-Western/Cengage Learning 3 -10
COMPONENTS OF INTERNAL CONTROL • Control environment • Set of standards, processes, and structures that provides the basis for carrying out internal control across the organization • Includes the tone at the top regarding importance of: • Internal control • Expected standards of conduct • Risk assessment: Process for identifying and assessing risks that may affect organizations from achieving objectives Copyright © 2016 South-Western/Cengage Learning 3 -11
COMPONENTS OF INTERNAL CONTROL • Control activities: Actions established by policies and procedures • Help ensure that management’s directives regarding internal control are carried out • Information and communication • Information from internal and external sources • Communication is the process of providing, sharing, and obtaining necessary information • Monitoring: Helps determine whether the controls are present and continuing to function effectively Copyright © 2016 South-Western/Cengage Learning 3 -12
LEARNING OBJECTIVE 3 DESCRIBE THE CONTROL ENVIRONMENT COMPONENT OF INTERNAL CONTROL, LIST ITS PRINCIPLES, AND PROVIDE EXAMPLES OF EACH PRINCIPLE Copyright © 2016 South-Western/Cengage Learning
COSO COMPONENT: CONTROL ENVIRONMENT • Foundation for all other components of internal control • A strong control environment protects against risks related to reliability of financial statements • Examples of control environment deficiencies • Low level of control consciousness within an organization • Audit committee not having independent members • Absence of an ethics policy within an organization Copyright © 2016 South-Western/Cengage Learning 3 -14
COSO COMPONENT: CONTROL ENVIRONMENT PRINCIPLES 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. . 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Copyright © 2016 South-Western/Cengage Learning 3 -15
LEARNING OBJECTIVE 4 DESCRIBE THE RISK ASSESSMENT COMPONENT OF INTERNAL CONTROL, LIST ITS PRINCIPLES, AND PROVIDE EXAMPLES OF EACH PRINCIPLE Copyright © 2016 South-Western/Cengage Learning
COSO COMPONENT - RISK ASSESSMENT Internal sources of risk External sources of risks • Changes in management responsibilities • Changes in internal information technology • Poorly conceived business model • Economic recessions decrease product or service demand • Increase in competition • Changes in regulation that make the business model unsustainable • Changes in the reliability of source goods that reduce profitability Copyright © 2016 South-Western/Cengage Learning 3 -17
COSO COMPONENT - RISK ASSESSMENT PRINCIPLES 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control. Copyright © 2016 South-Western/Cengage Learning 3 -18
LEARNING OBJECTIVE 5 DESCRIBE THE CONTROL ACTIVITIES COMPONENT OF INTERNAL CONTROL, LIST ITS PRINCIPLES, AND PROVIDE EXAMPLES OF EACH PRINCIPLE Copyright © 2016 South-Western/Cengage Learning
COSO COMPONENT: CONTROL ACTIVITIES • Ensure that management’s directives regarding controls are accomplished • Performed within processes • May be preventive or detective • May be manual or automated Copyright © 2016 South-Western/Cengage Learning 3 -20
COSO COMPONENT: CONTROL ACTIVITIES PRINCIPLES 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action. Copyright © 2016 South-Western/Cengage Learning 3 -21
TRANSACTION PROCESSING • Business Process Transactions • Control activities include verifications, reconciliations, authorizations and approvals • Accounting Estimates • Control activities should provide reasonable assurance that: • The data are accurate • The estimates are faithful to the data • The underlying estimation model reflects current economic conditions and has proven to provide reasonable estimates in the past Copyright © 2016 South-Western/Cengage Learning 3 -22
TRANSACTION PROCESSING • Adjusting, Closing, and Other Unusual Entries • Control activities include: • Documented support for all entries • Reference to underlying supporting data with a welldeveloped transaction trail • Transaction trail: Records that allow auditors to trace transactions from origination through final disposition, or vice versa • Review by CFO or controller Copyright © 2016 South-Western/Cengage Learning 3 -23
AUTOMATED AND MANUAL TRANSACTION CONTROLS • Input Controls: Designed to ensure that authorized transactions are correct and complete, and that only authorized transactions can be input • Processing controls: Designed to ensure that: • Correct program used for processing • All transactions are processed • Transactions update appropriate files • Output controls: Designed to ensure that: • All data are completely processed • Output is distributed only to authorized recipients Copyright © 2016 South-Western/Cengage Learning 3 -24
OTHER IMPORTANT CONTROL ACTIVITIES • Segregation of duties: Protect against risk that individuals may collude to conceal a fraud • Requires that a minimum of two employees be involved such that one does not have: • Authority and ability to process transactions • Custodial responsibilities • Physical controls over assets: Protect and safeguard assets from accidental or intentional destruction and theft Copyright © 2016 South-Western/Cengage Learning 3 -25
LEARNING OBJECTIVE 6 DESCRIBE THE INFORMATION AND COMMUNICATION COMPONENT OF INTERNAL CONTROL, LIST ITS PRINCIPLES, AND PROVIDE EXAMPLES OF EACH PRINCIPLE Copyright © 2016 South-Western/Cengage Learning
COSO COMPONENT - INFORMATION AND COMMUNICATION • Process of identifying, capturing, and exchanging information in a timely fashion to enable accomplishment of the organization’s objectives • Information • Required by an organization from internal and external sources to carry out its internal control responsibilities • Communication • Process of providing, sharing, and obtaining information internally • Requires two-way communication with external parties Copyright © 2016 South-Western/Cengage Learning 3 -27
COSO COMPONENT - INFORMATION AND COMMUNICATION PRINCIPLES 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. The organization communicates with external parties regarding matters affecting the functioning of internal control. Copyright © 2016 South-Western/Cengage Learning 3 -28
LEARNING OBJECTIVE 7 DESCRIBE THE MONITORING COMPONENT OF INTERNAL CONTROL, LIST ITS PRINCIPLES, AND PROVIDE EXAMPLES OF EACH PRINCIPLE Copyright © 2016 South-Western/Cengage Learning
COSO COMPONENT - MONITORING • Process that provides feedback on effectiveness of each of the five components of internal control • Managers select either of the following or a combination of both • Mix of ongoing evaluations • Separate evaluations • Requires that identified deficiencies in internal control be communicated to the personnel concerned with follow-up action taken Copyright © 2016 South-Western/Cengage Learning 3 -30
COSO COMPONENT – MONITORING PRINCIPLES 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Copyright © 2016 South-Western/Cengage Learning 3 -31
LEARNING OBJECTIVE 8 IDENTIFY MANAGEMENT’S RESPONSIBILITIES RELATED TO INTERNAL CONTROL OVER FINANCIAL REPORTING Copyright © 2016 South-Western/Cengage Learning
MANAGEMENT RESPONSIBILITES • Design, implement, maintain internal control to mitigate risks of material misstatements in the financial statements • Document internal control • Test effectiveness of internal control • Annually report on the design and operating effectiveness of controls Copyright © 2016 South-Western/Cengage Learning 3 -33
EXHIBIT 3. 6 - STEPS IN MANAGEMENT’S EVALUATION OF INTERNAL CONTROL OVER FINANCIAL REPORTING Copyright © 2016 South-Western/Cengage Learning 3 -34
LEARNING OBJECTIVE 9 DISTINGUISH BETWEEN MATERIAL WEAKNESSES, SIGNIFICANT DEFICIENCIES, AND CONTROL DEFICIENCIES IN INTERNAL CONTROL OVER FINANCIAL REPORTING Copyright © 2016 South-Western/Cengage Learning
ASSESSING INTERNAL CONTROL DEFICIENCIES • Control deficiency: Shortcoming in internal controls such that objective of reliable financial reporting may not be achieved • Could be in design or operation • Significant deficiency: A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting Copyright © 2016 South-Western/Cengage Learning 3 -36
ASSESSING INTERNAL CONTROL DEFICIENCIES • Material weakness • A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis Copyright © 2016 South-Western/Cengage Learning 3 -37
INDICATORS OF A MATERIAL WEAKNESS Identification of fraud, whether or not material, on the part of senior management Multiple control deficiencies affecting the same financial statement account Significant deficiencies from the previous management report that the organization has not remediated Restatement of previously issued financial statements to reflect the correction of a material misstatement Copyright © 2016 South-Western/Cengage Learning 3 -38
LEARNING OBJECTIVE 10 ARTICULATE THE IMPORTANCE OF INTERNAL CONTROL OVER FINANCIAL REPORTING FOR THE EXTERNAL AUDIT AND APPLY THE CONCEPTS RELATED TO MANAGEMENT’S AND THE AUDITOR’S ASSESSMENTS OF INTERNAL CONTROL EFFECTIVENESS Copyright © 2016 South-Western/Cengage Learning
IMPORTANCE OF INTERNAL CONTROL FOR THE EXTERNAL AUDIT • Auditors are required to identify and assess risks of material misstatement due to fraud or error • The auditor needs to understand the company’s internal controls to determine appropriate audit procedures • Integrated audit: Occurs when an auditor provides an opinion on: • The effectiveness of the client’s internal control over financial reporting and • The financial statements Copyright © 2016 South-Western/Cengage Learning 3 -40
- Slides: 40