Kế toán, kiểm toán - Chapter 05: Risk assessment: internal control evaluation

Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/IrwinChapter 05Risk Assessment: Internal Control Evaluation“Bernie doesn’t want you to use the words “internal controls” in any more of your audit reportsit aggravates him. ”-- Cynthia Cooper referring to advice given her by a colleague on how to best deal with Bernie Ebbers, the then CEO of WorldCom right before she uncovered an $11 Billion dollar fraud that Ebbers directed.5-2Learning ObjectivesDefine and describe internal control and explain the limitations of all internal control systems.Distinguish between the responsibilities of management and auditors regarding an entity’s internal control.Define and describe the five basic components of internal control and specify some of their characteristics. Explain the process the audit team uses to assess control risk, understand its impact on the risk of material misstatement, and, ultimately, to know how it affects the nature, timing, and extent of substantive testing to be performed on the audit. 5-3Learning Objectives (cont.)Describe additional responsibilities for management and auditors of public companies required by Sarbanes-Oxley and Auditing Standard No. 5. List the major components of the auditors’ report on internal control over financial reporting. Describe situations in which the auditors’ report on internal control over financial reporting would be modified. Explain the communication of internal control deficiencies to those charged with governance such as the audit committee and other key management personnel. 5-4Internal Control Defined Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:Reliability of financial reportingEffectiveness and efficiency of operationsCompliance with applicable laws and regulations5-5Limitations of Internal ControlHuman errorCollusionManagement overrideCost/benefit analysisThere is often a trade-off between the cost and the effectiveness of internal controls.The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.5-6Responsibility for Internal ControlManagement’s responsibilityResponsibility for establishing and maintaining adequate internal control over financial reportingAssess and report on the effectiveness of internal control over financial reportingAuditors’ responsibilityFor public companies, must audit and issue an opinion about the effectiveness of the internal control over financial reportingFor each fraud risk, must evaluate whether controls are in place to mitigate the fraud riskMust assess control risk to determine the nature, timing and extent of substantive procedures to be performed5-7Internal Control Components (COSO)Control EnvironmentRisk AssessmentControl ActivitiesMonitoringInformation and Communication5-8Control EnvironmentSets the “tone at the top” of an organization, influencing the control consciousness of its people. It is the foundation for all other components.As a result, an auditor must obtain a detailed understanding of the control environment and document that understanding. 5-9Control Environment—General PrinciplesIntegrity and ethical valuesBoard of directorsManagement’s philosophy and operating styleOrganizational StructureFinancial reporting competenciesAuthority and responsibilityHuman resources5-10Audit Committee3-6 “outside” members of Board.Provides a buffer between the audit team and operating management.Members must be “financially literate.”One “financial expert”5-11Audit Committee DutiesAppointment, compensation, and oversight of the public accounting firm conducting the entity’s audit.Resolution of disagreements between management and the audit team.Oversight of the entity’s internal audit function.Approval of nonaudit services provided by the public accounting firm performing the audit engagement.5-12Risk AssessmentManagement’s identification and analysis of relevant risks to achievement of its objectives.Quite possibly using COSO's Enterprise risk management (ERM) framework5-13Auditor Focus – Risk AssessmentShould examine management’s process for:Assessing risks relevant to financial reporting objectives, including fraud riskAssessing the likelihood and significance of risk of misstatements due to fraudDeciding about actions to address these risks5-14Control ActivitiesThe policies and procedures that help ensure management directives are carried out.Physical controls over the security of assetsSeparation of dutiesInformation ProcessingApprovals and authorizationVerifications and reconciliationsPerformance reviewsPreventive controls vs. detective controls5-15Why Separate Duties??Combining duties allows a single person to create and conceal errors and frauds.Segregating duties forces people to commit fraud through collusion—a much harder task!5-16Information and CommunicationThe identification, capture, and exchange of information in the form that enables people to carry out their responsibilitiesMust understand the information systems that are relevant to financial reportingInformation systems produces a trail of activities from data identification to financial reports. This is known as the “audit trail”5-17MonitoringManagement’s process that assesses the quality of the internal control's performance over time.Periodic evaluation by internal auditingSupervisory review of controlsFollow-up of reporting errorsFollow up of customer complaintsAudit committee inquiries5-18Internal Control EvaluationPhase 1: Understand and documentUnderstand the client’s internal control Document the understanding of internal controlInternal Control questionnaireNarrativeAccounting and control system flowchartsPhase 2: Assess control risk (Preliminary)Consider cost effectiveness of reliance/testing.Phase 3: Identify Controls to Test and Perform Test of Controls Perform test of controls audit proceduresRe-assess control risk5-19Why Assess Control Risk?Determine nature, timing, and extent of audit procedures.There is a trade-off between testing of controls and substantive procedures.At least some substantive procedures are required.Control testing is required for public companies (in accordance with PCOAB AS 5), but remains an auditor judgment for other audits.5-20Documenting Internal Control UnderstandingAn auditor must document their understanding of internal control on every audit. Can be documented with:QuestionnairesNarrativesFlowcharts5-21Should Test of Controls Be Completed?An auditor may choose not to test controls for one of two reasons:Internal control system is too ineffective in preventing or detecting misstatements to rely upon to justify reductions in substantive testingIt may take more time to test controls than it would to just perform more substantive testing to provide evidence needed to conclude about a financial statement assertionFor public company audits, an auditor MUST test controls5-22Tests of ControlsAfter identifying specific control activities that can be relied on to reduce substantive testing for a financial statement assertion, must test the controlProcedures used from the least persuasive to the most persuasive form of evidence:InquiryObservationInspectionReperformanceDirection of test does matter5-23AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements (Public Companies)Phases of the engagementPlanning the engagementUse a top-down approachIdentify entity-level controlsWalkthroughsTesting controlsDesign effectivenessOperating effectivenessEvaluating identified deficienciesDeficienciesSignificant deficienciesMaterial weaknesses Wrapping upUnqualified opinionDisclaimer of opinionAdverse opinionReporting on internal control5-24Step 1: Planning the engagementConsider knowledge of industryConsider knowledge of businessConsider extent of changes in operationsConsider extent of changes in internal controlEvaluate controls for all relevant assertions for all significant accounts or disclosures. 5-25Step 2: Using a top-down approachIdentify entity-level controlsPerform walkthroughsAuditor must perform work related to:Company-wide anti-fraud programsControls that have a pervasive effect Auditor but can incorporate work of internal auditors and othersMust obtain “principal evidence” for opinion on their ownMust assess competence and objectivityLimited relianceCan’t reduce work on control environment5-26Step 3a: Testing Controls: Design EffectivenessDesign effectiveness determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements. After an understanding of internal controls is gained through inquiry, inspection, and observation, the controls are evaluated for the possibility that the controls would not prevent or detect a misstatement.5-27Step 3b: Testing Controls: Operating EffectivenessOperating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. A sample of transactions is examined using inquiry, observation, inspection, and reperformance. Tests of controls would not be performed if design is not evaluated as effective.5-28Step 4a: Evaluate identified deficienciesWhether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the entity’s management or employees to detect or prevent misstatements in a timely fashion. A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control’s objective. An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained). More serious internal control deficiencies can be categorized into one of two groups, significant deficiencies or material weaknesses, depending on their severity.5-29Step 4b: Identify significant deficienciesSignificant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the organization’s ability to initiate, record, process, and report financial data in the financial statements. While not material, they are important enough to bring to the attention of those charged with governance (usually the audit committee). Absence of appropriate separation of duties.Absence of appropriate reviews and approvals of transactions.Evidence of failure of control procedures.5-30Step 4c: Identify Material WeaknessesA material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.Indicators of possible material weaknessRestatement of previously issued financial statements to reflect the correction of a misstatement.Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client’s internal controls.Ineffective oversight of financial reporting process by entity’s audit committee.Indication of fraud (either material or immaterial) by senior management.5-31Step 5: Wrapping up Auditors can issue one of three types of opinions on internal control over financial reporting:Unqualified. No material weaknesses found.Disclaimer of opinion. The audit team cannot perform all of the procedures considered necessary.Adverse opinion. One or more material weaknesses found.Evaluate management’s report on the effectiveness of internal control.5-32Step 6: Reporting on Internal ControlCan be a separate report on internal control Opinion on financial statements contained in separate audit report Extra paragraph added to report on internal control referencing opinion on financial statements.Or an integrated audit report and report on internal control and the financial statements Includes auditor’s opinions on 1) internal control effectiveness, and 2) the fairness of the company’s financial statements.5-33Auditor’s Report On Internal Control Over Financial Reporting (ICFR)Title—include the word independentResponsibility of auditors and managementIn accordance with PCAOB standardsDefinition of internal control over ICFRInherent limitationsOpinionReference to opinion on financial statementsDate of report5-34Modifications to the Auditors’ Standard Report on Internal ControlMaterial weaknesses in the entity’s internal control over financial reportingEffect of an adverse opinion on internal control on the auditor’s opinion on the financial statementsRestriction on the scope of the engagement5-35Reporting to Audit Committee on Internal Control Related MattersSignificant deficiencies and material weaknessesSarbanes-Oxley requires that the report be in writing. The auditor may communicate during or after audit.5-36