Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

Similar documents
Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining)

29 th Regional Conference of WIRC

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

Implementation Tool for Auditors

Institute of Chartered Accountants of India. Standards on Auditing

CAAS 104 Cost Audit and Assurance Standard on Knowledge of Business, its Processes and the Business Environment

Internal financial controls

Cost Auditing Standard Cost Auditing Standard on Knowledge of Business, its Processes and the Business Environment

SA 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL

IAASB Main Agenda (December 2008) Page Agenda Item

Community Bankers Conference

Audit Training-of-Trainers Workshop, November 2014, Vienna Components of internal control within organization

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Mapping of Original ISA 315 to New ISA 315 s Standards and Application Material (AM) Agenda Item 2-C

SA 402(REVISED) AUDIT CONSIDERATIONS RELATING TO AN ENTITY USING

Auditing Standards and Practices Council

ISA 240 (Redrafted), The Auditor s Responsibilities Relating to Fraud in an Audit of Financial Statements

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

SRI LANKA AUDITING STANDARD 315 (REVISED)

(Effective for audits of financial statements for periods ending on or after December 15, 2013) CONTENTS

International Standard on Auditing (UK) 315 (Revised June 2016)

RELEVANT TO ACCA QUALIFICATION PAPERS F8 (INT), P7 (INT) AND FOUNDATION LEVEL PAPER FAU (INT)

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

An Overview of the 2013 COSO Framework. August 2013

International Standard on Auditing (Ireland) 315

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Chapter 06. Audit Planning, Understanding the Client, Assessing Risks, and Responding. McGraw-Hill/Irwin

IAASB Main Agenda (March 2005) Page Agenda Item 12-C

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

How well you are prepared to deal with IFC

International Standard on Auditing (Ireland) 402 Audit Considerations Relating to an Entity using a Service Organisation

PART 6 - INTERNAL CONTROL

Evaluating Internal Controls

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

The Auditor s Responses to Assessed Risks

Internal Controls Over Financial Reporting (ICoFR) Overview and Practical Aspects

Road to Self Governance

IAASB Main Agenda (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

IAASB Main Agenda (September 2004) Page Agenda Item PROPOSED REVISED INTERNATIONAL STANDARD ON AUDITING 540

6 Assessment of risk Introduction General risk assessment Specific risk assessment Reliability factors 50 6.

Introductions. An Overview of the COSO 2013 Framework. Christian Peo Sharon Todd. An Overview of the 2013 COSO Framework.

US U.S. AAM vs. DTTL AAM A Refresher Deloitte Touche Tohmatsu

Auditing Standards and Practices Council

Audit Practice Introduced by HKSA (HKSA 315 and 330) 1 February 2008

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a

Chapter 7. Auditing Internal Control over Financial Reporting. Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

REGISTERED CANDIDATE AUDITOR (RCA) TECHNICAL COMPETENCE REQUIREMENTS

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

COSO Updates and Expectations. IIA San Diego Chapter January 8, 2014

Responsibilities of auditors while undertaking IFC reporting role of documentation

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

13-A. Fraud Phase II Issues Paper

[RELEASE NOS ; ; FR-77; File No. S ]

and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

THE AUDITOR S RESPONSES TO ASSESSED RISKS SRI LANKA AUDITING STANDARD 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS

Internal Audit Policy and Procedures Internal Audit Charter

G13 - ITGCs Role in Internal Control over Financial Reporting William J. Powers

IAASB Main Agenda (December 2004) Page Agenda Item

Chapter 18. Integrated Audits of Public Companies. McGraw-Hill/Irwin. Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

INTERNATIONAL STANDARD ON AUDITING (NEW ZEALAND) 315 (Revised)

SECTION A CASE QUESTIONS (Total: 50 marks)

Your committee: Evaluates the "tone at the top" and the company's culture, understanding their relevance to financial reporting and compliance

Anti-Fraud Programs and Control Policy

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a AUDITING THEORY AUDIT PLANNING

REPORTING REQUIREMENTS UNDER IFC

Seminar Internal Control Identification and Filtering

STAFF QUESTIONS AND ANSWERS

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

Navigating the PCAOB s and SEC s internal control expectations A discussion. June 2015

INTERNAL FINANCIAL CONTROLS COMPLIANCE REPORTING APPLICABILITY SCOPE OPINION FRAMEWORK ACTION. Strictly for private circulation

Report on Inspection of KPMG AG Wirtschaftspruefungsgesellschaft (Headquartered in Berlin, Federal Republic of Germany)

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks

COSO What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions

Auditing and Assurance Standards Council

Auditing and Assurance Standards Council

IAASB CAG Public Session (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

SEMINAR ON INTERNAL FINANCIAL CONTROLS. Oct 31, 2015 at ISACA Pune Chapter Nov 1, 2015 at Pune Branch of WIRC of ICAI

Entity level controls Design/implementation 530 Page 1 of 9

Audit Workshop Part 2 12 December 2009

Audit Practice Introduced by HKSA (HKSA 300, 315 and 330) 10 July 2008

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors)

SRI LANKA AUDITING STANDARD 600 SPECIAL CONSIDERATIONS AUDITS OF GROUP FINANCIAL STATEMENTS (INCLUDING THE WORK OF COMPONENT AUDITORS) CONTENTS

International Standards for the Professional Practice of Internal Auditing (Standards)

Internal Control Over Financial Reporting (ICFR) Unique Approach, Superior Results

Chapter 8. Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting. Prepared by Richard J.

How to Maximize Your Internal Controls Program. June 15, 2017 Atlanta, GA

DECISION. mb a5 EFSA Internal Control Framework. Internal Control Framework of the European Food Safety Authority. Decision No.

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Scope of this SA Effective Date Objective Definitions Sufficient Appropriate Audit Evidence... 6

Chapter 6 Field Work Standards for Performance Audits

A Discussion About Internal Controls February 2016

Presentation on Standard on Cost Auditing Knowledge of Business, its Processes and the Business Environment (SCA 104)

Overview of Auditing Standards Recap and Update 6 July 2011

Statement on February 2014 Auditing Standards 128. Using the Work of Internal Auditors

Master Document Audit Program. Version 9.6, dated November 2017 B-1 Planning Considerations. Purpose and Scope

Agreeing the Terms of Audit Engagements

Transcription:

Internal controls over Financial Reporting Key concepts Presentation by Jayesh Gandhi at WIRC Page 1 ICFR Key Concepts WIRC 28 May 2016

Agenda Scope and requirements Overview of internal controls as per SA 315 Planning and Approach for ICFR Audit Design effectiveness Operative effectiveness Exceptions and deficiencies Material weakness Page 2 ICFR Key Concepts WIRC 28 May 2016

Internal financial controls Internal controls V/s Internal financial controls SA 315 Internal control the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity s objectives with regard to : reliability of financial reporting, effectiveness and efficiency of operations; safeguarding of assets, and compliance with applicable laws and regulations. Page 3 ICFR Key Concepts WIRC 28 May 2016

Internal financial controls Sec134(5)(e) of the Act Internal financial control the policies and procedures adopted by the company for ensuring: the orderly and efficient conduct of its business including adherence to company s policies; the safeguarding of its assets; the prevention and detection of frauds and errors; the accuracy and completeness of the accounting records and the timely preparation of reliable financial information. Section 143(3)(i)of the Act requires the auditors report to state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls applicable to all companies irrespective of nature and size. Page 4 ICFR Key Concepts WIRC 28 May 2016

ICFR - defined Internal financial controls over financial reporting shall mean Reliability of financial statements + Financial Statements (in accordance with GAAP) + Maintenance of financial records (Detail / Accuracy & Fair) + Transactions are authorized and as per GAAP + Safeguarding of the assets + Internal financial controls over financial reporting (ICFR) Page 5 ICFR Key Concepts WIRC 28 May 2016

Auditor s objective Express an opinion on the effectiveness of the company's internal financial controls over financial reporting Carried out along with an audit of the financial statements Auditor must plan and perform the audit to obtain sufficient appropriate evidence to obtain reasonable assurance about whether material weakness exists as of the balance sheet date To note Significant deficiency or material weakness in internal financial controls over financial reporting may exist even when financial statements are not materially misstated. Page 6 ICFR Key Concepts WIRC 28 May 2016

Scope for Reporting on Internal Financial Controls Significantly larger and wider than the reporting on internal controls under CARO 2015 Reporting on internal financial controls will not be applicable with respect to interim financial statements Applies to consolidated financial statements - Reporting on the adequacy and operating effectiveness of internal financial controls over financial reporting would apply for the respective components only if it is a company under the Companies Act. Should report if the company has adequate internal control systems in place and whether they were operating effectively as at the balance sheet date. NOTE: While forming the opinion on internal financial controls, the auditor should test the same during the financial year under audit and not just as at the balance sheet date Page 7 ICFR Key Concepts WIRC 28 May 2016

Components of Internal controls SA 315 According to Guidance note, Criteria can be established by the Company for ICFR by considering the essential components of internal control as stated in SA 315. Internal control operating at the entity level versus operating at the transaction or process level for each of the five components: Component Entity level Transaction/Process level Control environment Risk assessment Monitoring Information and communication Control activities Page 8 ICFR Key Concepts WIRC 28 May 2016

Control environment The control environment encompasses the following elements: Integrity, ethical values and behaviour of key executives The enforcement of integrity and ethical values include management s actions to: - Remove or reduce incentives, pressures and opportunities; - Being alert to behaviour that may indicate management s motivations and intentions - Communicate ethical values Management s commitment to competence Participation in governance and oversight by those charged with governance Organizational structure and assignment of authority and responsibility Management s control consciousness and operating style HR policies and practices Page 9 ICFR Key Concepts WIRC 28 May 2016

Control environment The auditor must evaluate the control environment at the company. As part of evaluating the control environment, the auditor should assess: - Whether management's philosophy and operating style promote effective internal financial controls over financial reporting; - Whether sound integrity and ethical values, particularly of top management, are developed and understood; and - Whether the board or audit committee understands and exercises oversight responsibility over financial reporting and internal control. Page 10 ICFR Key Concepts WIRC 28 May 2016

Risk assessment We obtain an understanding of whether the entity has a process for: Identifying business risks relevant to financial reporting Estimating the significance of the risks Assessing the likelihood of their occurrence Determining actions to address those risks If the entity has not established a risk assessment process, or has an ad hoc process: Inquire of management whether business risks relevant to financial reporting objectives have been identified and how they have been addressed Evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances Determine whether the absence of a documented risk assessment process represents a significant deficiency in internal financial control Page 11 ICFR Key Concepts WIRC 28 May 2016

Monitoring Understand the activities, implemented by management and overseen by those charged with governance, that monitor the ongoing effectiveness of controls. Inquire of management about the sources of information it uses in monitoring activities and how management becomes satisfied about the integrity of that information. Monitoring is a process of: Assessing the effectiveness of the performance of internal controls over time Determining whether controls are operating as intended Determining that internal control systems are modified as appropriate for changes in conditions Page 12 ICFR Key Concepts WIRC 28 May 2016

Information system and communication Obtain an understanding of the information system, including the related business processes, relevant to financial reporting, Understand how the entity communicates financial reporting roles and responsibilities and any matters that are significant to financial reporting, including: Communications between management and those charged with governance External communications, such as those with regulatory authorities In understanding an entity s communication process, consider Duties and control responsibilities Communication channels Accounting policies and changes to processes Adequacy of communication Timely follow-up action Monitoring and compliance requirements Ethical standards and policies Page 13 ICFR Key Concepts WIRC 28 May 2016

Control activities Control activities relevant to an audit may be categorised as policies and procedures relating to: Performance reviews Information processing Physical controls -- physical security for adequate safeguard of assets and records including access to computer programs and data files. Segregation of duties Emphasise on identifying and obtaining an understanding of control activities that address the areas where the auditor considers that risks of material misstatement are likely to be higher. Page 14 ICFR Key Concepts WIRC 28 May 2016

Understanding of the components of internal control To obtain an understanding of the components of internal control at the entity level and related elements we: Inquire of management and of others within the entity who, in our judgment, may have information that is likely to help in identifying risks of material misstatement Observe processes and controls in operation Inspect documents and reports Page 15 ICFR Key Concepts WIRC 28 May 2016

Limitation of internal control system Internal control systems are subject to certain inherent limitations, such as: Management's consideration of cost of an internal control to its expected benefits Do not tend to be directed at transactions of unusual nature Circumvention of internal controls through collusion with employees or with parties outside the entity. Abuse of responsibility, for example, a member of management overriding an internal control. Manipulations by management Page 16 ICFR Key Concepts WIRC 28 May 2016

Combining the audits What is a combined (integrated) audit In a combined audit, the auditor expresses opinion on the following aspects: a. Opinion on internal control over financial reporting, which requires evaluating and opining on the adequacy and effectiveness of the entity s system of internal financial controls; and b. Opinion on the financial statements Should design procedures for testing of controls to accomplish the objectives of both audits simultaneously. Page 17 ICFR Key Concepts WIRC 28 May 2016

Planning the IFC Audit Following considerations may impact the procedures planned in the combined audit: Matters affecting the industry in which the company operates and complexity of the company's operations Matters relating to the company's business, including its organisation, operating characteristics, and capital structure; The extent of recent changes, if any, in the company, its operations, or its internal financial controls over financial reporting; Control deficiencies previously communicated to the audit committee or management; Legal or regulatory matters of which the company is aware; Page 18 ICFR Key Concepts WIRC 28 May 2016

Assess and Manage Risk Manage Audit Engagement route map Planning Start Identify significant account balances/ disclosure Items Identify & understand significant flows of transactions Identify risk of Material misstatements Identify controls which address risk of material misstatements Identify significant account balances/ disclosure Items Design & implementation Assess the design of controls Asses the Implementation of controls Appropriate design & Implementation of controls? Assess audit impact and plan other suitable procedures Plan operative effectiveness testing Operating effectiveness Plan nature, timing and extent of testing operative effectiveness Perform operating effectiveness testing Assess findings and conclude on operating effectiveness Form opinion on IFC Reporting Assess impact on audit opinion Form audit opinion on Financial Statements End Source: Guidance note on Audit of ICFR issued by ICAI Page 19 ICFR Key Concepts WIRC 28 May 2016

Reporting on IFC Using Top Down approach Use a top-down approach in identifying and understanding the controls that are relevant to the audit. Entity level controls (ELC), provide the tone at the top of the organization, and as a result directly or in-directly impact all underlying controls. Benefits from leveraging effective ELC s: Reduce the extent of reliance on transaction level controls Better define and communicate the expectations of management across the organization through leveraging on experienced personnel, Increase the effectiveness of internal controls Reduce redundancy in controls performed across the organization at different levels Page 20 ICFR Key Concepts WIRC 28 May 2016 Direct entity level controls monitor specific business and financial risks, and operate at the

Testing of entity-level controls Entity-level controls include: Controls related to the control environment; Controls over management override; The Company's risk assessment process; Centralised processing and controls Controls to monitor results of operations; Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; Controls over the period-end financial reporting process; Controls over recording of unusual transactions; and Policies that address significant business control and risk management practices Page 21 ICFR Key Concepts WIRC 28 May 2016

Design Assessment Start with ELC and IT General controls Focus on Segregation of Duties + Functional MIS Review strength of IT general controls Prepare documentation templates Flowchart / Narratives / IPE Document process and application controls Identify What can go Wrong (WCGW) - Risks Prepare Risk & Control matrix with control description, owner, frequency, control evidence etc Perform & document walkthroughs Update process maps with risks, controls references Identity controls into Manual, Automated, IT dependent, Preventive/ Detective Page 22 ICFR Key Concepts WIRC 28 May 2016 Identify design gaps

IT General Controls The IT General Controls protect data integrity and are a significant component of an organization s IFC Importance of ITGCs Improve the consistency of control operation (i.e. automated processes vs. manual) Improve the security (confidentiality, integrity and availability) of corporate information Reduce the extent of testing and reliance on manual transaction-level controls Improve reliability of manual controls dependent on IT information Page 23 ICFR Key Concepts WIRC 28 May 2016

Key worksteps Adequacy and operating effectiveness Key work-steps/considerations for Gap identification: Identify Design gaps ICFR Prioritize gaps - carry them forward to SOCD and evaluate Key work-steps/considerations for controls testing: Decide Testing methodology Testing Sampling - Align TOC approach with IFC approach (Possible impact on audit strategy controls v/s substantive) Prepare test plans and test scripts Test controls Prioritize testing gaps to carry them forward to SOCD and evaluate Page 24 ICFR Key Concepts WIRC 28 May 2016

Assessment Evaluate severity of each control deficiency Communication to management and those charged with Governance of all material weaknesses and significant deficiencies (determined individually or collectively) identified during the audit. Inquire about subsequent events Auditor must obtain management representation letter If the BoD / management report contains elements which are incomplete / improperly presented, auditor should follow requirements of SA 720. Issue report, containing material weaknesses, after obtaining approvals Page 25 ICFR Key Concepts WIRC 28 May 2016

Key aspects -- Understanding and confirming the process Significant class of transactions (SCOT) is a class of transactions that materially affects a significant account and its relevant assertions, includes significant routine, non-routine and estimation transactions from initiation, recording, processing, correcting as necessary, and reporting to the financial statements. Understand the following elements of the critical path of SCOTs: Major input and output sources Relevant transaction data and master data, documentation and records Significant processing procedures, including how IT applications support the processing The entity s policies and procedures related to authorization, segregation of duties, safeguarding of assets, monitoring of processes and information processing Page 26 ICFR Key Concepts WIRC 28 May 2016

Key Aspects -- Understanding and confirming the process In an integrated audit, we identify and test the design and operating effectiveness for all SCOTs (Routine, Non-routine and Estimation SCOTs) Maintain documentation of our understanding and evaluation of the critical path of SCOTs and the relevant controls within the SCOTs Example Understanding of critical path of Purchase to Pay SCOT should be adequately documented with process models, flowcharts, procedural manuals available with the entity, and adequate documentation of results of our inquiries regarding risk assessment, job descriptions, segregation of duties, safeguard of assets, monitoring of IT application etc To understand the SCOTs, use a combination of inquiry, observation and Page 27 ICFR Key Concepts WIRC 28 May 2016

Key Aspects Performing walkthrough Performing walkthroughs helps achieve the following objectives on selection of control: Understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorised, processed, and recorded; Verify points identified within the company's processes at which a misstatement including a misstatement due to fraud could arise that, individually or in combination with other misstatements, would be material; Identify the controls that management has implemented to address these potential misstatements; and Identify the controls that management has implemented over the prevention or timely detection of unauthorised acquisition, use, or disposition of the company's assets that could result in a material misstatement of the financial statements. Page 28 ICFR Key Concepts WIRC 28 May 2016 Assess whether management has designed appropriate segregation of duties.

Key Aspects Performing walkthrough Walkthrough encompasses, confirming our understanding: of the routine and non-routine SCOTs every period, by selecting one transaction and tracing that transaction along its critical path. of the whole critical path of initiation, recording, processing and reporting in the general ledger, of the journal entries that post transactions into the general ledger from subledgers. of how wrongly processed information is corrected. Perform walkthrough for integrated audit involves: inquiry of appropriate personnel, Walkthroughs observation that include of the company's these procedures operations, ordinarily and are sufficient to evaluate design effectiveness. inspection of relevant documentation. Page 29 ICFR Key Concepts WIRC 28 May 2016

How ineffective ITGCs affect audit If control exception is identified,: Make specific inquiries and investigate the nature and cause of the exception Determine whether the exception is systematic or random Evaluate the effect of the exception on our planned audit procedures and other areas of the audit If support conclusion through substantive procedures is achieved, there are no further implications for the financial statement audit (one can rely on ITGCs) Ineffective ITGC conclusions will require a higher level of senior team member involvement to develop an appropriate response Page 30 ICFR Key Concepts WIRC 28 May 2016

ITGC exceptions and deficiencies If ITGCs are not effective, then it is generally necessary to test the automated control at or near the balance-sheet date in support of the opinion on internal financial controls. When, through testing, auditors identify an ineffective ITGC, one should consider it as an ITGC deficiency and include it on the Summary of control deficiencies (SOCD) for further evaluation, even though one has identified and test compensating controls For the ICFR opinion (assuming ITGC deficiencies are not remediated), one need to evaluate the effect of the ITGC deficiency on a control by control basis Some controls may be unaffected For some controls one may identify compensating controls (e.g., SCOT controls) Page 31 ICFR Key Concepts WIRC 28 May 2016

Evaluating ITGC deficiencies Illustrative decision tree for ITGC Deficiencies: 1. Are there complementary or redundant ITGCs that were tested and evaluated that achieve the same control objective Yes 5. Does additional evaluation result in a judgment that the ITGC deficiency is a significant deficiency? No OR 2. Are there control deficiencies at the application level that are related to or caused by the ITGC deficiency? No Would a prudent official conclude that the ITGC deficiency is a significant deficiency? No Deficiency Yes 3. Are the control deficiencies at the application level related to or caused by the ITGC deficiency classified as only a deficiency? Yes No 4. Are the control deficiencies at the application level related to or caused by the ITGC deficiency classified as a significant deficiency? Yes Yes Significant deficiency No Material weakness Page 32 ICFR Key Concepts WIRC 28 May 2016

Evaluating ITGC deficiencies The classification of an ITGC deficiency considers many factors, including but not limited to, the following: The nature and significance of the deficiency The pervasiveness of the deficiency to applications and data The complexity of the company s IT environment and the likelihood that the deficiency could adversely affect application and IT-dependent manual controls The relative proximity of the deficient ITGC to applications and data Whether an ITGC deficiency relates to applications or data for accounts or disclosures that are susceptible to loss or fraud The cause and frequency of known or detected exceptions in the operating effectiveness of an ITGC. An indication of increased risk evidenced by a history of misstatements relating to applications affected by the ITGC deficiency If the ITGC conclusion is ineffective, one needs to include both the ITGC deficiency, as well as all controls within the SCOT that rely on the ITGCs, as deficiencies in the Page 33 ICFR Key Concepts WIRC 28 May 2016

IT Consideration in less complex IT environments Characteristics of less complex IT environments: Computer systems centralised and limited interfaces between systems. Access to systems managed by a limited number of personnel. Software - Uses off-the-shelf packaged software without programming modification. Management tends to rely primarily on manual controls over transaction processing. End-user computing - The company is relatively more dependent on spreadsheets and other user-developed applications Audit Approach in a less complex environment, Identify IT related risks by understanding the software being used Understand how software is installed and used by the company. Page 34 ICFR Key Concepts WIRC 28 May 2016

IT Consideration in smaller entities May use off-the-shelf accounting / business processes. Hence the audit focus: For ITGC, the testing of those controls that are important to the effective operation of the selected application controls; No need to perform all manage change primary control procedures for those IT applications if we are able to confirm that changes have not occurred on the application controls built into the off-the-shelf software that management relies on to achieve its control objectives Directly testing the underlying data used in ITDM controls cannot be used to support our opinion on internal control over financial reporting Evaluate and test controls that assess the completeness and accuracy of the related data or reports used to perform ITDM or application control Page 35 ICFR Key Concepts WIRC 28 May 2016

Information Produced by the Entity (IPE) What is Information Produced by the Entity? Information Produced by the Entity (IPE) are Data generated or processed through an IT application and/or end user computing solution, be it in electronic or printed form, used to support audit procedures. Specifically, it includes Data and reports used by management in the performance of controls; Data and reports used in substantive procedures; Other data and reports provided by the entity Some common IPEs are system-generated aging reports, expense amortization reports, Fixed asset system-generated reports used to calculate depreciation/amortization etc Substantive procedures cannot be used to support opinion Performing substantive on internal testing involves control over agreeing financial information reporting. to and from source documents to test the completeness and accuracy of the IPE, and testing the clerical accuracy, computations and relevant categorizations. Page 36 ICFR Key Concepts WIRC 28 May 2016

Types of control deficiencies Control Deficiency Exists when the design or operation of a control does not allow management or employees to prevent or detect and correct misstatements on a timely basis Design Deficiency A control necessary to meet the control objective is missing or an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met Operation Deficiency A properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority, capabilities, competence, or objectivity to perform the control effectively Page 37 ICFR Key Concepts WIRC 28 May 2016

Potential sources of control deficiencies Walkthroughs: Segregation of incompatible duties, safeguarding of assets Understanding and evaluating entity-level controls IT general controls Internal audit reports Tests of controls: Auditors testing Management, internal audit and third-party testing Understanding of management s assessment Corrected and/or uncorrected errors/misstatements identified through substantive procedures Reclassifications identified Page 38 ICFR Key Concepts WIRC 28 May 2016 Understanding/testing the FSCP

Significant deficiency and Material weakness Definition of significant deficiency A deficiency (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit attention of the audit committee or those charged with governance Definition of material weakness A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the entity s annual financial statements will not be prevented or detected on a timely basis Evaluate the severity of each control deficiency to determine whether individually or in the aggregate it is a material weakness Page 39 ICFR Key Concepts WIRC 28 May 2016

Severity of a deficiency Whether there is a reasonable possibility that the controls will fail to prevent or detect a misstatement of an account balance or disclosure The magnitude of the potential misstatement resulting from the deficiency or deficiencies Severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement Page 40 ICFR Key Concepts WIRC 28 May 2016

Thank You Page 41 ICFR Key Concepts WIRC 28 May 2016

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback