What is Management’s Responsibility over Internal Controls? (ACE)
Accurate and reliable financial reporting
Compliance with Laws and Regulations
Effectiveness of operations
SAS 109 (AU314) What are 5 components of Internal Controls? (CRIME)
- Control Activities - act. vs budgets, IT systems processing
- Risk Assessment - internal and external factors
- Information and communication - info systems & comm but establishing duties
- Monitoring - mgmt must monitor
- Control Environment (chopper)
What are the risk assesment procedures to assess RMM related to IC? (during the understanding control stage)
- Analytics
- Inquiries of management/staff
- Inspections of documents
- Observe application of controls
Key is auditor is trying to understand what controls have been implemented, not if it is operating effectively (during the understanding stage)
What are the 4 procedures of testing controls?
- Reperformance
- Inspection
- Inquiry
- Observation
Why should we reasess RMM to determine Detection Risk?
After testing controls, if operating effectively, then detection risk is lower, then you can do less substantive testing.
What does SOX require of management?
- Section 302: require officers responsible for maintaining effective IC and to disclose all known deficiencys to auditors and audit committee
- Officers required to report any fraud (material or not) regarinding an EE with roles in internal controls
What are inherent limitations of IC? (COCO)
- Collusion
- Override by Mangement
- Competence - cant prevent human mistakes
- Obsolescence - good controls can cease due to changes within the Company
What is reasonable assurance over IC?
if management can create perfect IC, it wouldnt do so because it is not cost effective.
SAS 99 (AU 316) What does this require?
Requires auditors to respond to management override of controls.
What is the acrenim ARC for in employee responsbiity over IC?
Authorization, Records and Custody. No one person should have two of the ARCs
What is a control deficiency?
when design of control does not allow management or EE in normal course of performing their assigned functions, to prevent or detect or correct mistatements on timely basis
What is significant deficiency?
deficieny or combination of, in IC that is less severe than material weakness, yet important enough to merit attention by those charged with governance
What is material weakness?
deficiency or combo of, in IC such that reasonablne/probable possibility that a material mistatement of entity FS will not be prevented/detected/corrected on timely basis.
What is SSAE15 - Attestation Engagement to Examine IC?
- It is considered an integrated audit and snould be done with FS audit.
- Scope under AICPA
- All deficiencies must be communicated in writing
- Auditor not required to search for controls less severe than material weakness, but if identifieid, should be communicated.
- Report is for General Distributions
Public Company - Internal Control Over Financial Reporting (ICFR)? AS5 & SSAE#10
- Existence of one or more material weakness warrants an “ADVERSE OPINION”. Unqualified opinon if no material weakness and scope limitation.
- Scope Limitation requires auditor to disclaim opinion or withdraw from engagement
- Key difference between non-issues report is that “correct” is not part of deficiency definition
- All deficiency must be communicated in writing to MGMT
Public Company - What are indications of Material Weaknesses?
- ineffective oversight by those charged with governance
- Restatement of PY FS due to material mistatements
- Material mistatements that would not have been detected by Company’s IC, but were identified by Auditors
- Fraud by senior mgmt, material or immaterial
For IC reports - what is the key difference between public and non public?
- Public under PCAOB. Non public under AICPA.
- Public expresses an opinon (unqualified/averse) at the end. NP no opinion.
- Public, all decifiecies must be written. NP, only SD and MW in writing.
What is PCAOB AS4?
Engagement which firm auditor is engaged to report on whether previously identified material weakness exist or still exist at a point of time.
What is FCPA?
FCPA makes payment of bribes to foreign officials illegal and requires publicly held companies to maintain systems of control sufficient to provide assurance IC objective are met.
If control risk is high due to ineffective controls in place, what can compensate by increase ?
Auditor must increase extent of anayltics (not detection risk).
