2. Where we are
• Introduction
• Audit basics
– Risk
– Materiality
– Evidence
– Documentation
• Audit Phases
– Planning
– Internal controls in a financial statement audit
– Internal controls in an integrated audit
3. What we’ll cover
• Difference between internal control in
financial statement audit and internal control
in integrated audit
• Management’s responsibilities
• Auditor’s responsibilities
• Steps in auditing internal controls
4. Different approaches of evaluating internal controls
Financial statement audits
• Audits of non-public entities
• Regulated by AICPA
• No requirements of management
• Auditors are required to understand internal controls
• Auditors may choose to rely upon controls. If so, they must test controls.
• Auditors communicate control weaknesses to board of directors.
Integrated audits
• Audits of public corporations
• Regulated by PCAOB
• Management has some responsibilities
• Auditors are required to understand internal controls
• Auditors are required to audit internal controls, including control testing.
• Auditors issue report on internal controls.
5. Management’s responsibilities
• Accept responsibility for controls
• Evaluate effectiveness of internal controls
using COSO
– Entity-level
– Application controls
– Risk-based
• Document internal controls
• Report on internal controls
7. Auditor’s responsibilities
• Risk assessment and fraud risk
• Scaling the audit
• Using work of others
• Materiality
• Entity level controls
– Control environment
– Year-end process
• Identify significant assertions
• Understand sources of misstatement
• Select controls to test
Controls over
• unusual transactions
• adjusting entries
• related-party transactions
• Management estimates
8. Controls and tests
• Controls
– Authorization
– Documents
– Records
– Segregation of duties
– Independent checks
– Safeguard assets
• Tests
– Walkthrough
– Inquiry
• How control is done
• When is it done (frequency)
• What happens if there is an exception (detective control)
• Who performs the control
– Observe
– Inspect documents
– Re-perform
9. Example – movie theater
Planning
• Risk assessment
• Scaling
• Work of others
• Materiality
Identify controls
• Entity level controls
• Assertions (transactions)
– Occurrence
– Completeness
– Authorization
– Accuracy
– Cutoff
– Classification
• Understand sources of misstatement
• Select controls to test
10. Assertion, Source of Misstatement, Control, Tests
• All recorded sales occurred
– Source of misstatement: False sales recorded
– Control: Monthly reconciliation of register reports to sales journal entries; monthly reconciliation of sales journal entries to deposits of cash
– Tests: Walkthrough transaction; inquire what happens if exceptions are found; re-perform sample of reconciliations
• All sales events recorded
– Source of misstatement: Customers do not pay for entry; clerk does not record sale
– Control: Tickets disbursed to customers and collected
– Tests: Observe process
• All sales authorized
– Low risk of misstatement
• Sales recorded accurately
– Source of misstatement: Sales entered into register at incorrect amount; register total entered incorrectly into journal
– Control: Clerk selects ticket type rather than entering amount; monthly reconciliation of register reports to sales journal entries
– Tests: Observe register use; re-perform sample of reconciliations
• Sales recorded in the correct fiscal period
– Source of misstatement: Sales recorded in subsequent period; sales recorded in prior period
– Control: Sales recorded every night
– Tests: Vouch from journal to register report 2 days before and after FYE
• Sales recorded in the correct account
– NA
• Cash balances exist
– Source of misstatement: Cash balance not reported correctly
– Control: Monthly bank reconciliation
– Tests: Bank confirmations
• Cash balances owned by client
– Low risk of misstatement
• All cash balances are reported
– Low risk of misstatement
• Cash accurately valued
– Low risk of misstatement
• AR balances exist
– Insignificant account
• AR owned by client
– Insignificant account
• All AR reported
– Insignificant account
• AR valued correctly
– Insignificant account
13. Evaluate deficiencies
• Risk factors that a control deficiency will result in a
misstatement (likelihood):
– Nature of assertions involved
– Susceptibility of balance to fraud
– Amount of judgment required to determine amount
involved
– Relationship with other controls
– Possible consequences of the deficiency
• Factors that affect whether the misstatement may be
material:
– The amounts exposed to the deficiency
– The volume of activity exposed to the deficiency
18. Adverse Opinion
Includes
• Definition of material weakness
• Description of particular weakness
• Opinion
Would it be possible to give an adverse opinion on internal controls and an unqualified opinion on the financial statements?
19. Report of Independent Registered Public Accounting Firm
To the Board of Directors and Shareholders of American International Group, Inc.:
In our opinion, the consolidated financial statements listed in the accompanying index present fairly, in all material respects, the financial
position of American International Group, Inc. and its subsidiaries (AIG) at December 31, 2007 and 2006, and the results of their operations
and their cash flows for each of the three years in the period ended December 31, 2007 in conformity with accounting principles generally
accepted in the United States of America. In addition, in our opinion, the financial statement schedules listed in the accompanying index
present fairly, in all material respects, the information set forth therein when read in conjunction with the related consolidated financial
statements. Also in our opinion, AIG did not maintain, in all material respects, effective internal control over financial reporting as of
December 31, 2007, based on criteria established in Internal Control — Integrated Framework issued by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) because a material weakness in internal control over financial reporting related to the
AIGFP super senior credit default swap portfolio valuation process and oversight thereof existed as of that date. A material weakness is a
deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a
material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. The material
weakness referred to above is described in Management’s Report on Internal Control Over Financial Reporting appearing under Item 9A.
We considered this material weakness in determining the nature, timing, and extent of audit tests applied in our audit of the 2007
consolidated financial statements, and our opinion regarding the effectiveness of AIG’s internal control over financial reporting does not
affect our opinion on those consolidated financial statements. AIG’s management is responsible for these financial statements and financial
statement schedules, for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal
control over financial reporting, included in management’s report referred to above. Our responsibility is to express opinions on these
financial statements, on the financial statement schedules, and on AIG’s internal control over financial reporting based on our integrated
audits. We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those
standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of
material misstatement and whether effective internal control over financial reporting was maintained in all material respects. Our audits of
the financial statements included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements,
assessing the accounting principles used and significant estimates made by management, and evaluating the overall financial statement
presentation. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial
reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal
control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the
circumstances. We believe that our audits provide a reasonable basis for our opinions.
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the
reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted
accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (i) pertain to the
maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the
company; (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (iii) provide reasonable assurance regarding prevention
or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the
financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements.
Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because
of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
PricewaterhouseCoopers LLP
New York, New York
February 28, 2008
20. Communications
From manager to auditor
Management is responsible for IC
Mgt has evaluated IC
Mgt did not rely on work of auditor
Mgt has disclosed all weaknesses
Any material fraud
Resolution of weaknesses
Changes in IC
From auditor to company
All material weaknesses and significant deficiencies to both
management and the board
Control deficiencies to management
22. Computer – Assisted audit techniques
• Generalized audit software
– File and database access
– Selection of data
– Statistical analysis
• Custom audit software
• Test data
23. Chapter summary
• Difference between internal control in
financial statement audit and internal control
in integrated audit
• Management’s responsibilities
• Auditor’s responsibilities
• Steps in auditing internal controls
Sources of misstatement: identify controls at locations of sources, do walkthroughs, find exceptions during walkthrough
Testing: Nature, timing, and extent (nature of the control (manual more), frequency of operation, importance of control)