1. Section 404 Audits of Internal Control and Control Risk Chapter 10

3. Internal Control Objectives 3. Compliance with laws and regulations 2. Efficiency and effectiveness of operations 1. Reliability of financial reporting

8. Sales Transaction-related Audit Objectives Sales Transaction-related Audit Objectives Sales are for shipments to existing customers Transaction-related Audit Objective – General form Recorded transactions exist (occurrence) Existing sales transactions are recorded Existing transactions are recorded (completeness) Transactions are stated correctly (accuracy) Sales for goods shipped are correctly billed

9. Sales Transaction-related Audit Objectives Transactions are correctly classified (classification) Sales transactions are correctly classified Transactions are recorded on correct dates (timing) Sales are recorded on the correct dates Transactions are correctly filed (posting and summarization) Sales transactions are correctly included in the master files Sales Transaction-related Audit Objectives Transaction-related Audit Objective – General form

11. Five Components of Internal Control Risk assessment Control activities Information and communication Monitoring Control Environment

15. Control Activities 1. Adequate separation of duties 2. Proper authorization of transactions and activities 3. Adequate documents and records 4. Physical control over assets and records 5. Independent checks on performance

16. Adequate Separation of Duties Custody of assets Accounting Authorization of transactions The custody of related assets Operational responsibility Record-keeping responsibility IT duties User departments from from from from

19. Physical Control Over Assets and Records The most important type of protective measure for safeguarding assets and records is the use of physical precautions.

20. Independent Checks on Performance The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.

21. Information and Communication The purpose of an accounting information and communication system is to… initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.

22. Monitoring Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance… to determine whether controls are operating as intended and modified when needed.

23. SEC and COSO Focus on Smaller Public Companies The SEC has extended the deadline for small public companies compliance with Section 404 requirements. COSO issued guidance in Internal Control Over Financial Reporting for Smaller Public Companies.

25. Process for Understanding Internal Control and Assessing Control Risk Phase 1 Obtain an understanding of internal control: design and operation Phase 2 Assess control risk Phase 3 Design, perform, and evaluate tests of controls Phase 4 Decide planned detection risk and substantive tests

27. Methods Used Narrative Flowchart Internal control questionnaire

28. Narrative 1. The origin of every document and record in the system 2. All processing that takes place 3. The disposition of every document and record in the system 4. An indication of the controls relevant to the assessment of control risk

31. Assess Control Risk Assess whether the financial statements are auditable. Determine assessed control risk supported by the understanding obtained assuming the controls are being followed. Use of a control risk matrix to assess control risk.

32. Control Risk Matrix Many auditors use the control risk matrix to assist in the control risk assessment process.

34. Evaluating Significant Control Deficiencies Material Weakness LIKELIHOOD SIGNIFICANCE Material Immaterial Probable Remote

38. Tests of Controls The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls .

39. Procedures for Tests of Controls 1. Make inquiries of client personnel 2. Examine documents, records, and reports 3. Observe control-related activities 4. Reperform client procedures

41. Relationship of Assessed Control Risk and Extent of Procedures Inquiry Documentation Observation Reperformance Yes–extensive Yes–with transaction walk-through Yes–with transaction walk-through No Yes–some Yes–using sampling Yes–at multiple times Yes–using sampling Type of procedure High level: Procedures to obtain an understanding Lower level: Tests of controls Assessed Control Risk

42. Decide Planned Detection Risk and Design Substantive Tests The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests. The auditor links the control risk assessments to the balance- related audit objectives.

44. Section 404 Reporting on Internal Control 1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects. 2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.

47. Evaluating, Reporting, and Testing Internal Control for Nonpublic Companies 1. Reporting requirements 2. Extent of required internal controls 4. Assessing control risk 5. Extent of tests of controls needed 3. Extent of understanding needed

48. Differences in Scope of Controls Tested Internal controls over financial reporting Internal controls used to assess control risk below maximum Controls that must be tested in an audit of financial statements Controls that must be tested in an audit of internal controls

49. End of Chapter 10