Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Management Responsibilities under Section 404 Management must comply with the following requirements in order for the external auditor to complete an audit of ICFR. 1. Accept responsibility for the effectiveness of the entity s ICFR. LO# 1 2. Evaluate the effectiveness of the entity s ICFR using suitable control criteria. 3. Support the evaluation with sufficient evidence, including documentation. 4. Present a written assessment regarding the effectiveness of the entity s ICFR as of the end of the entity s most recent fiscal year. 7-2
Auditor Responsibilities under Section 404 and AS5 The entity s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit of the entity s ICFR and its financial statements. LO# 2 7-3
LO# 3 ICFR Defined ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that: 1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company. 2. Provide reasonable assurance that transactions are recorded in accordance with GAAP. 3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company s assets. 7-4
Internal Control Deficiencies LO# 4 M A G N I T U D E Material Not material but significant Not material or significant Defined Material weakness Significant deficiency Control deficiency Report externally to audit committee and to management Report to audit committee and to management Report to management Remote Reasonably possible or probable L I K E L I H O O D 7-5
LO# 5 Management s Assessment Process Management must follow a top-down, risk-based approach: 1. Identify financial reporting risks and controls. 2. Evaluate evidence about the operating effectiveness of ICFR. 3. Consider which locations to include in the evaluation. 7-6
LO# 6 Performing an Audit of ICFR Figure 7-2 7-7
Integrating the Audits of Internal Control and Financial Statements LO# 6 An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control. Tests of internal control Substantive audit procedures 7-8
LO# 7 Planning the Audit of ICFR The planning process is similar to the process used for the audit of financial statements. Consider the following: Risk assessment and the risk of fraud. Scaling the audit. Using the work of others. 7-9
LO# 8 Using a Top-Down Approach Figure 7-3 7-10
Test the Design and Operating Effectiveness of Controls LO# 9 Evaluate design Test and evaluate operating effectiveness Nature: Inquiry, Inspection of documents, observation, and reperformance. Timing: Interim vs. as of date Extent: Consider (1) Nature of the control; (2) Frequency of operation; and (3) Importance of the control. 7-11
LO# 10 Evaluate Identified Control Deficiencies 7-12
Remediation of a Material Weakness LO# 11 Remediation is the process of correcting a material weakness in the ICFR If a material weakness is corrected before the as of date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control if not, an adverse opinion is still issued. 7-13
LO# 12 Written Representations In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR. Failure to obtain written representations from management, including management s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion. 7-14
Auditor Documentation LO# 13 Requirements The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control. When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level. 7-15
Types of Reports Relating to the Audit of ICFR LO# 14 An unqualified opinion signifies that the client s internal control is designed and operating effectively (no material weaknesses). A serious scope limitation requires the auditor to disclaim an opinion. An adverse opinion is required if a material weakness is identified. 7-16
LO# 15 Additional Required Communications in an Audit of ICFR The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made. 7-17
Advanced Module 1: Use of Service Organizations LO# 16 Management and the auditor should perform the following procedures with respect to the activities performed by the service organization: (1) obtain an understanding of the controls at the service organization that are relevant to the entity s internal control and the controls at the user organization over the activities of the service organization; and (2) obtain evidence that the controls that are relevant to management s assessment and the auditor s opinion are operating effectively. Sometimes a Type 2 report is issued 7-18
LO# 18 Advanced Module 2: Computer-Assisted Audit Techniques Computer-assisted audit techniques (CAATs) include: Generalized audit software packages. Custom audit software. Test data. 7-19
End of Chapter 7 7-20