• No results found

AUDITING INTERNAL CONTROL OVER FINANCIAL REPORTING IN CONJUNCTION WITH AN AUDIT OF FINANCIAL STATEMENTS

Answers to Review Questions

7-1 Following are management’s and the auditor’s responsibilities under Section 404 of the Sarbanes-Oxley Act of 2002:

Managements Responsibilities

• Accept responsibility for the effectiveness of the entity’s internal control over financial reporting.

• Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria.

• Support its evaluation with sufficient evidence, including documentation.

• Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.

Auditor’s Responsibilities

• The auditor must audit and report on management’s assertion about the effectiveness of internal control.

• The audit of internal control should be ‘integrated’ with the financial statement audit, and should express an opinion on management’s assertions of internal control over financial reporting.

• The auditor must plan and perform the audit to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control as of the date specified in management’s assessment.

7-2 ‘Likelihood’ refers to the probability that a misstatement will not be prevented or

detected. For a significant deficiency or a material weakness to exist, the likelihood of such an occurrence must be more than remote (e.g. either ‘reasonably possible’ or ‘probable’).

‘Magnitude’ refers to the significance that the control deficiency could have on the financial statements according to the judgment of a reasonable person who considers the possibility of further undetected misstatements. If likelihood is more than remote and if the magnitude of the deficiency is more than inconsequential, then either a significant deficiency or material weakness exists depending on the magnitude of the potential effects of the deficiency on the entity’s financial statements.

7-3 All of the following controls would typically be tested:

• Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.

• Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles.

• Antifraud programs and controls.

• Controls, including IT general controls, on which other controls are dependent.

• Controls over significant non-routine and non-systematic transactions, such as accounts involving judgments and estimates.

• Company level controls, including (1) the control environment and (2) controls over the period-end financial reporting process (e.g. controls over procedures used to enter transaction totals into the general ledger; to initiate, authorize, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements).

7-4 Management should document the design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Documentation should include a description of each control in place, the business processes to which each control relates, and the assertions addressed by each control. Finally, the results of management’s testing and evaluation should be documented.

7-5 The steps in the auditor’s process for an audit of internal control over financial reporting include:

• Plan the engagement.

• Evaluate management’s assessment process.

• Obtain and document an understanding of internal control.

• Evaluate the design effectiveness of internal control.

• Test and evaluate the operating effectiveness of internal control.

• Form an opinion on the effectiveness of internal control.

7-6 The auditor should classify the significant processes and major classes of transactions by transaction type: routine, non-routine, and estimation. For each significant business process, the auditor should:

• Understand the flow of transactions.

• Identify the points within the process at which a misstatement related to each relevant financial statement assertion could arise.

• Identify the controls that management has implemented to address these potential misstatements.

• Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets (AS2,

¶74).

7-7 The period-end financial reporting process controls include procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries in the general ledger; record recurring and nonrecurring adjustments to the annual and quarterly financial statements; and draft annual and quarterly financial statements and related

disclosures.

The auditor’s evaluation of the period-end financial reporting process includes the inputs, procedures performed, and outputs of the processes the company uses to produce its annual and quarterly financial statements. The auditor should also consider the extent of IT

involvement in each period-end financial reporting process element, who participates from management, the number of locations involved, types of adjusting entries, and the nature and extent of the oversight of the process by appropriate parties, including management, the board of directors, and the audit committee.

7-8 Walkthroughs help the auditor to confirm his or her understanding of control design and transaction process flow, to determine whether all points at which misstatements could occur have been identified, to evaluate the effectiveness of the design of controls, and to confirm whether controls have been placed in operation (AS2, ¶79).

7-9 The circumstances that should be regarded as at least significant deficiencies and as strong indicators of a material weakness include:

• Restatement of previously issued financial statements to reflect the correction of a misstatement.

• Identification by the auditor of a material misstatement in financial statements in the current period that was not initially identified by the company’s internal control over financial reporting.

• Oversight of the company’s external financial reporting and internal control over financial reporting by the company’s audit committee is ineffective.

• The internal audit function or the risk assessment function is ineffective at a company for which such a function needs to be effective for the company to have an effective

monitoring or risk assessment component, such as for very large or highly complex companies.

• For complex entities in highly regulated industries, an ineffective regulatory compliance function. This relates solely to those aspects of the ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.

• Identification of fraud of any magnitude on the part of senior management.

• Significant deficiencies that have been communicated to management and the audit committee remain uncorrected after some reasonable period of time.

• An ineffective control environment. (AS2, ¶140)

These circumstances are ‘red flags’ for potential problems in the control environment.

Because the nature of the audit report depends on the significance of such weaknesses, the PCAOB does not want them to be overlooked.

7-10 When evaluating the competence and objectivity of others, the auditor should consider the following factors:

Competence:

• Their educational level and professional experience.

• Their professional certification and continuing education.

• Practices regarding the assignment of individuals to work areas.

• Supervision and review of their activities.

• Quality of the documentation of their work, including any reports or recommendations issued.

• Evaluation of their performance.

Objectivity:

• The organizational status of the individuals responsible for the work of others in testing controls, including—

a. Whether the testing authority reports to an officer of sufficient status to ensure sufficient testing coverage and adequate consideration of, and action on, the findings and

recommendations of the individuals performing the testing.

b. Whether the testing authority has direct access and reports regularly to the board of directors or the audit committee.

c. Whether the board of directors or the audit committee oversees employment decisions related to the testing authority.

• Policies to maintain the individuals’ objectivity about the areas being tested, including—

a. Policies prohibiting individuals from testing controls in areas in which relatives are employed in important or internal control sensitive positions.

b. Policies prohibiting individuals from testing controls in areas to which they were recently assigned or are scheduled to be assigned upon completion of their controls testing

responsibilities. (AS2, ¶119-120)

7-11 AS2 requires that the auditor appropriately document the processes, procedures, judgments, and results relating to the audit of internal control. The auditor’s documentation must include the auditor’s understanding and evaluation of the design of each of the

components of the entity’s internal control over financial reporting. The auditor also documents the process used to determine, and the points at which misstatements could occur within, significant accounts, disclosures, and major classes of transactions. The auditor must justify and document the extent to which he or she relied upon work performed by others. Finally, the auditor must describe the evaluation of any deficiencies discovered as well as any other findings that could result in a modification to the auditor’s report. (AS2, ¶159)

7-12 The auditor’s report contains opinions on two separate items: (1) management’s assessment of the effectiveness of internal control over financial reporting, and (2) the

effectiveness of internal control over financial reporting based on the auditor’s independent audit work. Similar to reports relating to the financial statement audit, the basic options for the

opinions are unqualified, qualified, and adverse.

The auditor’s opinion relating to management’s assessment simply depends on whether the auditor agrees with management’s conclusion regarding the effectiveness of internal control over financial reporting. If the auditor agrees, the opinion on management’s assessment will be unqualified. If the auditor disagrees, the opinion will be adverse.

With respect to the auditor’s opinion on the effectiveness of a client’s internal control, an unqualified opinion signifies that the client’s internal control is designed and operating effectively in all material respects. Significant deficiencies relate to possible financial statement errors that are less than material, and therefore do not require a departure from an unqualified opinion. A qualified opinion is issued under certain circumstances involving limitations on the scope of the auditor’s work; however, serious scope limitations require the auditor to disclaim an opinion. An adverse opinion is required if a material weakness is identified. Figure 7-3 illustrates the types of auditor’s reports and the circumstances leading to each.

7-13 The auditor should take into account all of the following items when deciding which locations or business units to test:

• The relative financial significance of each location or business unit.

• The risk of material misstatement arising from each location or business unit.

• The similarity of business operations and internal control over financial reporting at the various locations or business units.

• The degree of centralization of processes and financial reporting applications.

• The effectiveness of the control environment, particularly management’s direct control over the exercise of authority delegated to others and its ability to effectively supervise activities at the various locations or business units. An ineffective control environment over the locations or business units might constitute a material weakness.

• The nature and amount of transactions executed and related assets at the various locations or business units.

• The potential for material unrecognized obligations to exist at a location or business unit and the degree to which the location or business unit could create an obligation on the part of the company.

• Management’s risk assessment process and analysis for excluding a location or business unit from its assessment of internal control over financial reporting. (AS2, ¶ B10)

7-14 When a significant period of time has elapsed between the time period covered by the tests of controls in the service auditor’s report and the date of management’s assessment, additional procedures should be performed. The auditor should consider the results of relevant procedures performed by management or the auditor, how much time has passed since the service auditor’s report, the significance of the activities of the service organization, whether errors have been identified in the service organization’s processing, and the nature and

significance of any changes in the service organization’s controls. As these factors increase in significance, the need for the auditor to obtain additional evidence increases.

7-15 Generalized audit software (GAS) includes programs that allow the auditor to perform tests on computer files and databases. It was developed so that auditors would be able to conduct similar computer-assisted audit techniques in different IT environments. Custom audit software is generally written by auditors for specific audit tasks. Such programs are necessary when the entity’s computer system is not compatible with the auditor’s GAS or when the auditor wants to conduct some testing that may not be possible with the GAS.

Some functions that can be performed by GAS are: (1) file or database access, (2) selection of transactions that meet certain criteria, (3) arithmetic functions, (4) statistical analyses, and (5) report generation.

Solutions to Problems 7-16

Control 1: Monthly Manual Reconciliation