Chapters 11 & 12: Internal Controls & the COSO Framework

- Slides: 29
 
	+ Chapters 11 & 12: Internal Controls & the COSO Framework
		- Assessing Control Risk and Reporting on Internal Controls
 
	+ Four Phases of an Audit Phase III Phase IV • Plan + Design Audit Approach • Perform Tests of Controls • Perform Analytical Procedures • Perform Tests of Details of Balances • Complete the Audit and Issue An Audit Report
 
	+ Planning the Audit + Designing an Audit Approach
		- Accept Client & Initial Audit Planning
		- Understand the Business & Industry
		- Perform Prelim Analytics
		- Set Materiality
		- Identify Significant Risks due to Fraud or Error
		- Assess Inherent Risk
		- Understand Internal Control + Assess CR
		- Develop Overall Plan
 
	+ Determining the Planned Audit Approach
		- Audit Evidence from Audit Procedures
			+ Evidence from substantive procedures
			+ Evidence from tests of operation of controls
 
	+ Determining the Planned Audit Approach
		- [Figure: audit evidence diagram. Labels: Audit Evidence; Inherent Risk of Error; Controls (control risk); Risk of Misstatement; Evidence from substantive procedures; Evidence from tests of operation of controls.]
		- At the assertion level (significant accounts and disclosures)
 
	+ Internal Control – Defined
		- A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
			+ Reliability of financial reporting
			+ Effectiveness and efficiency of operations
			+ Compliance with applicable laws and regulations
 
	+ Audits – Post SOX 404
		- Management’s Responsibility: TO IMPLEMENT AND ASSESS EFFECTIVENESS OF INTERNAL CONTROLS
			+ Accept responsibility
			+ Evaluate effectiveness of IC over financial reporting
			+ Support with documentation
			+ Present written assessment as of fiscal year end
			+ Report to accompany the F/S
		- Auditor’s Responsibility: AUDIT INTERNAL CONTROLS (provides more assurance than a F/S audit on its own)
			+ F/S – to express opinion and provide reasonable assurance on the financial statements
			+ Search for material misstatements
			+ IC – to express opinion on the effectiveness of IC over financial reporting
			+ Search for material control weaknesses
 
	+ Audits – Post SOX 404
		- Regulatory Base:
			+ SOX 404
			+ PCAOB AS 5 - An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements
		- The audit of IC has to be approved by audit committee.
		- Auditors can use the work of others (internal auditors).
		- Auditors can obtain evidence on IC operating effectiveness at any point of time but have to update them before issuing the report.
		- Auditors MUST include transactions testing throughout the year.
 
	+ Internal Controls – 5 Components (COSO Framework)
		- Monitoring
		- Control Activities
		- Risk Assessment
		- Information and Communication Systems
		- Control Environment
 
	+ …More on Information and Communication Systems
		- Qualitative Characteristics of Information:
			+ RELEVANCE: 1. Predictive value 2. Feedback value 3. Timeliness
			+ RELIABILITY: 1. Verifiability 2. Representational faithfulness 3. Neutral
 
	+ …More on Risk Assessment
 
	+ …More on Control Activities
		- The set of policies and procedures designed and performed to address/manage risks related to internal control objectives.
		- Types of control activities:
			+ Segregation of duties
				- Access vs. Authorization vs. Accounting
				- Design vs. Operations vs. Data Control
			+ Physical controls – to protect assets and information
			+ Proper authorization of transactions (general vs. specific)
			+ Adequate documents and records
			+ Independent checks on performance
			+ Information processing controls – focus on control objectives
				- General controls – to maintain security, data center operation
				- Application controls – authorization, validity of data
				- Input, Processing, and Output controls
 
	+ Limitations of Internal Control
		- Cost/benefit restrictions (small companies, SOX 404)
		- Insufficient independence to provide assurance to external parties
		- Poor judgment
		- Breakdowns
		- Collusion (can override even segregation of duties)
		- Management override
 
	+ Audit of IC Process – Performing the Audit
		- Auditors:
			+ Should evaluate management’s assessment process.
			+ Obtain understanding of IC.
				- Much more extensive for audit of IC than F/S audit.
			+ Test both operating and design effectiveness of IC.
				- Design effectiveness – are the controls designed effectively (are they even in place).
				- Operating effectiveness – how well are controls working (are controls operating as designed to catch error/fraud). (If operated properly can they catch error/fraud)
 
	+ Audit of IC Process – Performing the Audit
		- Nature of Testing of Controls
			+ Design Effectiveness
				- Inquiry
				- Observation
				- Inspection of documents
				- Narratives, Flowcharts, IC Questionnaires, and Walkthroughs
			+ Operating Effectiveness
				- Inquiry of Appropriate Personnel
				- Inspection of Documents
				- Observation of Operations
				- Reperformance of Application of Control
 
	+ Assessing & Testing Controls – Summary
		- Assess Whether the Financial Statements are Auditable
			+ Integrity of Management
			+ Adequacy of Accounting Records
		- Primary Assessment of Control Risk
		- Starting Point is Entity-Level Controls (aka Control Environment)
		- Identify Audit Objectives (covering Assertions)
		- Identify Existing Controls
			+ Key Controls
			+ Compensating Controls
			+ Control Matrix
		- Test Controls
		- Identify Deficiencies
		- Communicate to Management
 
	+ Audit of Internal Controls
		- Purpose?
			+ to find MATERIAL CONTROL WEAKNESSES
		- What is a control deficiency?
			+ deficiency in controls such that they do not prevent/detect misstatements
			+ Could be design or operating deficiency
		- How do we know when a deficiency becomes a material weakness?
 
	+ What is a Material Weakness?
		- [Figure: chart with MAGNITUDE on the vertical axis (Inconsequential, Consequential) and LIKELIHOOD on the horizontal axis (Remote, More than remote); labelled regions: Control deficiency, Significant deficiency, Material weakness.]
 
	+ Likelihood of Control Deficiency
		- Remote. The chance of the future event or events occurring is slight.
		- Reasonably Possible. The chance of the future event or events occurring is more than remote but less than likely.
		- Probable. The future event or events are likely to occur.
		- Anything more than remote is considered DEFICIENCY
 
	+ Magnitude of Control Deficiency
		- Inconsequential. A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.
		- Consequential. A misstatement which is more than inconsequential but less than material will not be prevented or detected by IC.
		- Material misstatement will not be prevented or detected by IC.
 
	+ Control Deficiencies
		- Significant Deficiency
			+ One or more control deficiencies exist that result in more than remote likelihood that a misstatement that is more than inconsequential will not be prevented or detected.
		- Material Weakness
			+ One or more significant deficiencies exist that result in more than a remote likelihood that internal controls will not prevent or detect a material misstatement.
 
	+ Internal Control Reporting
		- The auditor’s report could contain opinions on two separate items:
			+ (1) management’s report on the effectiveness of internal control over financial reporting.
				- Management’s report is incomplete or inappropriate
					+ REPORT INCLUDES EXPLANATORY PARAGRAPH
				- Management’s report does not include existing material weakness
					+ ADVERSE REPORT
			+ (2) the effectiveness of internal control over financial reporting based on the auditor’s independent audit work.
 
	+ Public Reporting: Report Modification Based on Control Deficiencies
		- Control deficiencies: Inconsequential deficiency; Significant deficiency; Material weakness
		- Type of Audit Report: Unqualified opinion; Adverse opinion
 
	+ Public Reporting: Report Modification Based on Scope Limitation
		- Reason for Scope Limitation: Type of Audit Report
			+ Minor effect: Unqualified opinion
			+ Management imposed/more than minor effect: Qualified opinion
			+ Severe limitation: Disclaimer opinion or withdraw
 
	+ Additional Communication on IC Audit
		- The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS 5).
		- This communication should be made prior to the issuance of the auditor’s report on internal control over financial reporting.
		- In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.
 
	+ For Thursday
		- Read NFM case.
		- Bring laptops to class and/or be prepared to begin group work.
