Chapter 7

Auditing Internal Control over Financial Reporting

© McGraw-Hill Education 2014


Management Responsibilities
under Section 404

Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue a report that accepts responsibility for establishing and maintaining ‘adequate’ internal control over financial reporting (ICFR) and assert whether ICFR is effective as of the end of the fiscal year.


Management Responsibilities
under Section 404
Management must comply with the following requirements in order for the external auditor to complete an audit of ICFR.
1. Accept responsibility for the effectiveness of the entity’s ICFR.
2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.
3. Support the evaluation with sufficient evidence, including documentation.
4. Present a written assessment of the effectiveness of the entity’s ICFR ‘as of’ the end of the entity’s most recent fiscal year.


Auditor Responsibilities
under Section 404 and AS5

The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit of the entity’s ICFR and its financial statements.


ICFR Defined
ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP.
Controls include procedures that:
1. Pertain to the maintenance of records that accurately and fairly reflect the transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are properly authorized and recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets.

Internal Control Deficiencies
Defined
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.


Internal Control Deficiencies
Defined
A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control.

A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.

As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency:
• likelihood (reasonably possible); and
• magnitude (material, significant, or insignificant).


Internal Control Deficiencies
Defined
Figure 7–1 The Relationship of Likelihood and Magnitude in Determining the Materiality of a Control Deficiency


Management’s Assessment
Process

Management must follow a top-down, risk-based approach:
1. Identify financial reporting risks and controls.
2. Consider which locations to include in the evaluation.
3. Evaluate evidence about the operating effectiveness of ICFR.


Framework Used by Management to
Conduct Its Assessment

Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations.


Identify Entity-Level Controls

Table 7–1 Examples of Entity-Level Controls



Management’s
Documentation
Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files or other media. It also includes policy manuals, process models, flowcharts, job descriptions, documents and forms.


Integrating the Audits of Internal
Control and Financial Statements
An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control.

[Diagram: Tests of internal control; Substantive audit procedures]


Performing an Audit of ICFR

Figure 7–2 Steps in the Audit of ICFR


Planning the Audit of ICFR

• The planning process is similar to the process used for the audit of financial statements.
• Consider the following:
  - Role of risk assessment and the risk of fraud.
  - Scaling the audit.
  - Using the work of others.


Special Consideration:
Using the Work of Others
A major consideration for the external auditor is how much work is to be performed by others. In determining the extent to which the auditor may use the work of others, the auditor should:
(1) evaluate the nature of the controls subjected to the work of others,
(2) evaluate the competence and objectivity of the individuals who performed the work, and
(3) test some of the work performed by others to evaluate the quality and effectiveness of their work.

As the risk associated with the control being tested increases, the external auditor should do more of the work.


Using a Top-Down Approach

Figure 7–3 Top-Down, Risk-Based Approach to the Audit of ICFR


Identifying Significant
Accounts
• Size and composition of the account.
• Susceptibility to misstatement due to errors or fraud.
• Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure.
• Nature of the account or disclosure.
• Accounting and reporting complexities associated with the account or disclosure.

Identifying Significant
Accounts
• Exposure to losses in the account.
• Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure.
• Existence of related-party transactions in the account.
• Changes from the prior period in account or disclosure characteristics.


Sources of Misstatement

• Understand the flow of transactions related to the relevant assertions.
• Identify the points within the entity’s processes at which a misstatement could arise that would be material.
• Identify the controls that management has implemented to address these potential misstatements.
• Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement of the financial statements.


Select Controls to Test
Table 7–4 Factors Commonly Considered When Identifying Controls to Test


Test the Design and Operating
Effectiveness of Controls
• Evaluate design
• Test and evaluate operating effectiveness
  - Nature: Inquiry, inspection of documents, observation and reperformance.
  - Timing: Interim vs. ‘as of’ date.
  - Extent: Consider:
    (1) Nature of the control;
    (2) Frequency of operation; and
    (3) Importance of the control.

Evaluate Identified Control
Deficiencies
As discussed previously, the auditor must consider the likelihood and magnitude of the control deficiency.

Table 7–6 Risk Factors that Affect Whether There Is a Reasonable Possibility that a Control Deficiency (or a Combination of Control Deficiencies) Will Result in a Misstatement of an Account Balance or Disclosure


Evaluate Identified Control
Deficiencies
If a deficiency, or combination of deficiencies, prevents the auditor from having reasonable assurance that transactions are recorded properly, then the auditor should treat the deficiency as an indicator of a material weakness.

Table 7–7 Indicators of Material Weaknesses


Remediation of a Material
Weakness

• Remediation is the process of correcting a material weakness in the ICFR.
  - If a material weakness is corrected before the ‘as of’ date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control – if not, an adverse opinion is still issued.


Written Representations

In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR.

Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.

Auditor Documentation
Requirements
The auditor must properly document the processes, procedures, judgements, and results relating to the audit of internal control.

When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.


Auditor Documentation
Requirements
The auditor’s documentation of the process, procedures, judgements and results relating to the audit of ICFR should include:
1. Auditor’s understanding and evaluation of the design of ICFR;
2. The process used to determine the points at which material misstatements could occur;
3. The extent to which the auditor relied upon the work of others; and
4. The evaluation of any deficiencies discovered or other findings which could result in a report modification.


Types of Reports Relating to
the Audit of ICFR

An unqualified opinion signifies that the entity’s internal control is designed and operating effectively (no material weaknesses).

A serious (more than minor) scope limitation requires the auditor to disclaim an opinion.

An adverse opinion is required if a material weakness is identified.


Types of Reports Relating to
the Audit of ICFR
Report Modification Based on Control Deficiencies

Likelihood/Magnitude of Misstatement    Type of Audit Report
Control deficiency                      Unqualified opinion
Significant deficiency                  Unqualified opinion
Material weakness                       Adverse opinion


Types of Reports Relating to
the Audit of Internal Control
Report Modification Based on Scope Limitation

Seriousness of Scope Limitation    Type of Audit Report
Minor effect                       Unqualified opinion
Severe limitation                  Disclaim opinion or withdraw


Other Reporting Issues
1. Management’s report is incomplete or improperly presented.
2. The auditor decides to refer to the report of other auditors.
3. A significant subsequent event has occurred.
4. There is other information contained in management’s report on internal control.
5. There is a remediated material weakness at an interim date.


Additional Required Communications
in an Audit of ICFR

The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.


Use of Service Organizations

Many companies use a service organization to process transactions. If the service organization's services make up part of a company’s information system, then they are considered part of the information and communication component of the company’s internal control over financial reporting. Thus, both management and the auditor must consider the activities of the service organization.


Use of Service Organizations

Management and the auditor should perform the following procedures with respect to the activities performed by the service organization:
(1) obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement; and
(2) design and perform audit procedures responsive to those risks.


Safeguarding of Assets

Safeguarding of assets is defined as policies and procedures that ‘provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.’
