Audit Opinion Formulation Process LO 1: Importance of Internal Control to Financial Statement Audits • The quality of internal control over financial reporting is an important part of an organization’s commitment to good governance • Internal control processes must effectively address risks that are present between an organization and the accomplishment of its objectives • Internal controls are needed because every organization faces significant risks like: – corporate failure – misuse of corporate assets – incorrect or incomplete preparation of financial information LO 2: COSO Framework for Internal Control COSO: A Framework for Internal Control • Internal controls is a process designed to provide reasonable assurance of achieving the following: – Generating reliable financial accounting information – Safeguarding assets – Complying with applicable laws and regulations – Operating efficiently and effectively What are the components of an internal control system? There is a logical loop to an organization’s internal controls, starting with 1. Identification of organizational risks that affect the accomplishment of objectives 2. Design of the control environment 3. Design and implementation of controls activities to prevent or detect errors 4. Communicate the policies effectively through information and communication process 5. Monitoring of the effectiveness of the controls to operate effectively Components of Internal Control • An internal control system consists of five components • Risk assessment: process designed to identify and manage risks that may affect its ability to achieve its objectives • Control environment: overall attitude, awareness, and actions of significant internal groups to maintain a well-controlled organization (tone at the top) • Control activities: policies and procedures established by management to help ensure that internal control objectives are achieved and risks mitigated Components of Internal Control • Information and communication: process of identifying, capturing, and exchanging information in a timely fashion to enable the organization to achieve its objectives • Monitoring: process that assesses the quality of internal controls over time Risk Assessment • Risk assessment involves the identification and analysis of the risks of material misstatement in financial reports • Failure to identify risks, results in deficiencies in the control processes to mitigate the risks • Risk assessment questionnaire is used for identifying the significant risks related to financial reporting and documenting LO 3: Understanding the Control Environment Factors an auditor should look at when evaluating an organization’s control environment: • Integrity and ethical values • Board of directors and audit committee • Management’s philosophy and operating style • Organizational structure, including assignment of authority and responsibility • Commitment to financial reporting competence • Authority and Responsibility • Human resource policies and practices Control Activities • Control activities are policies and procedures implemented across the organization to reduce the risk of financial reporting misstatements • Control activities involve: – The design of the control – The operations of the control • The sources to misstatement includes: – Transaction processing Control Activities – Accounting estimates – Adjusting and closing entries • Organizations use Preventive and Detective controls Information and Communication • Information and communication represent a company’s processes for gathering key financial information to support the achievement of financial reporting objectives • Information must be communicated to the right people • It must also be assured that substantive issues are report to audit committee for investigation Monitoring • Monitoring represents a company’s processes to determine whether internal control over financial reporting is operating effectively • Ongoing monitoring processes are designed to identify control failures • Effective control system rely heavily on monitoring • Internal auditing is a highly effective monitoring control LO 4: Common Control Activities Control activities implemented in almost all accounting systems include: • Segregation of duties • Authorization procedures • Adequately documented transaction trail • Physical controls to safeguard assets • Reconciliation of control accounts with subsidiary ledgers, of transactions recorded with transactions submitted for processing, and of physical counts of assets with recorded assets • Competent, trustworthy employees LO 5: IT Controls Integrated into Internal Control Evaluations • General computer controls are pervasive and affect every computerized system • These controls address the following: – Planning and controlling the data processing function – Controlling applications development and changes to programs and/or data files and records – Controlling access to equipment, data, and programs – Assuring business continuity such that control failures do not affect data or programs – Controlling data transmission IT Controls Integrated into Internal Control Evaluations • Application controls are specific control procedures designed into and around the computer program to ensure that processing objectives are attained • The control procedures include: – Input Controls – Processing Controls – Output Controls • It leads to better data for decisions and increases the organizational success and sustainability LO 6: Management Reports on Internal Control over Financial Reporting • The Sarbanes-Oxley Act of 2002 requires management to implement effective internal controls over financial reporting and to certify that the controls have been implemented properly and are operating effectively • To guide management and auditor, SEC and PCAOB provides definitions of – Material Weakness – Significant Deficiency Material Weakness • Deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis Significant Deficiency • Deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting LO 7: Auditor Evaluation of Internal Controls The steps in the integrated audit process are: 1. Update information about various risks 2. Consider the possibility of account misstatements 3. Complete preliminary analytical procedures 4. Understand the client’s internal controls – Obtain an Understanding of Management’s Risk Assessment Process and the Control Environment Auditor Evaluation of Internal Controls – Obtain an Understanding of Significant Accounts and Disclosures and Their Relevant Assertions Within the Information and Communication System – Obtain an Understanding of the Control Activities in Accounting Processes – Obtain an Understanding of Management’s Monitoring Activities 5. Identify controls to test – Auditor needs to test all the five components of internal control Auditor Evaluation of Internal Controls 6. Make a plan to test the controls and execute that plan – Use “top-down approach” that begins with at financial statement level 7. Consider the results of control testing – It is a part of the process designed to conduct the most efficient audit possible while minimizing overall audit risk 8. Conduct substantive audit tests LO 8: Documenting the Auditor’s Understanding and Assessment of an Organization’s Internal Controls • Documentation should clearly identify each component of the internal control framework • Documentation should show – How each significant control is tested – The sampling approach used and the size of the sample used in testing – The conclusions of the tests, – The individual performing the test – The auditor’s conclusion on the effectiveness of the control – The implications for the audit of related financial account balances