Chapter 7: Auditing Internal Control over Financial Reporting

Consider and audit internal control / COSO Framework

7.1 Management Responsibilities under Section 404
- Requires managements of publicly traded companies to issue a report that accepts responsibility for establishing & maintaining
adequate ICFR and assert whether ICFR is effective as the end of the fiscal year. Managements assessment does not cover the entire
year.
Requirements of ICFR:
1. Accept responsibility for the effectiveness of the entitys ICFR
2. Evaluate the effectiveness of the entitys ICFR using suitable control criteria
3. Support the evaluation with sufficient evidence, including documentation
4. Present a written assessment regarding the effectiveness of the entitys ICFR as of the end of entitys most recent fiscal year
7.2 Auditor Responsibilities under Section 404 & AS5
Section 404: requires auditor to audit managements assertion about effectiveness of ICFR
AS5: states auditor must conduct audits of financial statements & ICFR in an integrated way because each audit provides auditor with
information relevant to the evaluation of the results of the other
The auditors objective in an audit: To express an opinion on the effectiveness of the companys ICFR, while the objective in a
financial statement audit is to express an opinion on whether the financial statements are fairly stated in accordance with generally
accepted accounting principles (GAAP)
-- To form this basis, auditor must plan and perform audit to obtain reasonable assurance
In this case, reasonable assurance recognizes that no system of internal control is perfect and that there is a remote likelihood that
material misstatements will not be prevented or detected on a timely basis, even if controls are, in fact, effective.
7.3 Internal Control over Financial Reporting Defined
- CEO & CFO are responsible for the reliability of ICFR & preparation of the financial statements
(1) Maintenance of records in reasonable detail/accurately/ fairly reflect transactions & dispositions of companys assets
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of f.s. In accordance to gaap, that
receipts & expenditures of company are being made in accordance
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of
companys assets that could have a material effect on f.s.
- Items (1) & (2) relate to controls for initiating, authorizing, recording, processing & reporting significant accounts & disclosures &
related assertions embodied in f.s.
- Items (3) concerns controls over safeguarding of assets
7.4 Internal Control Deficiencies Defined
Control Deficiency: define what constitutes a control deficiency & to define different levels of severity
Control deficiency exists when design of operation of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent or detect misstatements on a timely basis
o
Design efficiency exists when

(1) Control necessary to meet relevant control objective is missing

(2) Existing control isnt properly designed, control of objective isnt met
Operation deficiency exists when properly designed control doesnt operate as designed or when person performing control
doesnt poses necessary authority or qualifications
Material Weakness: deficiency or combination of deficiencies, in ICFR that there is a reasonable possibility that a material
misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis
Significant Deficiency: is a control deficiency, or combination of control deficiencies in ICFR that is less severe than a material
weakness yet important enough to merit attention by those responsible for oversight of the entitys financial reporting
sLikelihood and Magnitude
Remote: identified control issue does not even rise to the level of control deficiency
Look at figure 7.1 on pg. 228
7.5 Managements Assessment Process
Step 1: Identify Financial Reporting Risks and Related Controls
Risk that a misstatement could result in a material misstatement of the financial statements
How management assesses is based on industry
Management identifies controls that are in place to address f.s. Reporting risks
Mgmt. evaluates whether controls in place to address entity-level controls & other elements of ICFR
Mgmt. should consider the effect of information technology general controls
Mgmt. must obtain and doc reasonable evidential support
Step 2: Consider which locations to include in the evaluation
Step 3: Evaluate Evidence about the Operating Effectiveness of ICFR
Considers whether the control is operating as designed and whether the person performing the control possesses the
necessary authority and competence to perform the control effectively
Mgmt. should focus on highest risk of ICFR
Direct test of controls: performed on periodic basis by individuals like auditors with respect to control
Reporting Considerations
No material weakness: conclude entitys ICFR was effective
Material weakness: management must disclose material weakness in its assessment of effectiveness of ICFR on annual basis
o
Nature of material weakness
o
Impact on entitys financial reporting & ICFR
o
Managements current plans, if any, for remediating material weakness
-- Mgmt. assessment process involves: (1) service organizations & (2) safeguarding assets

7.6 Performing an Audit of ICFR

Step 1: Plan the audit of ICFR (7.7)
consider following activities:
o
Role of Risk Assessment and the Risk of Fraud
o
Scaling the audit- size and complexity of the company, its business processes and business units
o
Using work of others- receiving assistance from internal auditors, entity personnel, 3 rd parties
Step 2: Identify controls to test using a top-down, risk based approach (7.8)
1. identify entity level controls
a. Control Environment
i. Mgmts philosophy & operating style promote effective ICFR
ii. Sound integrity & ethical values, particularly of top mgmt. are developed and understood
iii. Board or audit committee understands & exercises oversight responsibility over financial reporting &
internal control
b. Period- End Financial Reporting Process
2. identify significant accounts disclosures & their relevant assertions
3. Understand likely sources of misstatement
a. understand flow of transactions related to relevant assertions
b. identify points within entitys processes at which a misstatement could arise would be material
c. identify controls that mgmt. has implemented to address potential misstatements
d. identify controls that mgmt. has implemented over prevention or timely detection of unauthorized acquisition, use
or disposition of companys assets
** perform walk throughs
4. Select controls to test
Step 3: Test the design and operating effectiveness of selected controls (7.9)
Nature of Testing
Timing of Tests of Controls
Extent of Tests of Controls: nature of the control, frequency of operation, importance of the control
Step 4: Evaluate identified control deficiencies (7.10)
Step 5: Form an opinion on the effectiveness of the ICFR
7.11 Remediation of a Material Weakness
-when an entity determines that it has material weakness, it should take steps to correct it
7.12 Written Representations
- need representation from management
7.13 Auditor Documentation Requirements
- auditors document the processes, procedures, judgments & results relating to the audit of internal control
7.14 Auditor Reporting on ICFR
Other Reporting Issues:
Mgmts report incomplete or improperly presented
Auditor decides to refer to the report of other auditors
Subsequent events

Mgmts report contains additional information