Term
mgmt. must report on ____ in addition to certifying F/S's. |
|
Definition
|
|
Term
Internal control report should include: (think R-E-F) |
|
Definition
-mgmt's responsibility for internal control
-identification of framework (usually COSO)
-Mgmt's assessment of effectiveness |
|
|
Term
|
Definition
auditor must provide opinion on effectiveness of internal control (integrated w/ F/S's-same CPA firm must do both F/S & I/C opinions) |
|
|
Term
|
Definition
Committee of Sponsoring Organizations (of the National Commission of Fraudulent Financial Reporting) |
|
|
Term
|
Definition
process, effected by entity's BOD, mgmt, and others, designed to provide REASONABLE assurance regarding the achievement of objectives in certain categories |
|
|
Term
Internal Control (achievement of objectives in three categories, what are they?)--> think R-E-C |
|
Definition
1)reliability of Fin. reporting (auditor concern)
2)Compliance w/laws and regulations
3)Effectiveness & efficiency of oper. |
|
|
Term
what are the 5 components of Internal Control (COSO) --> think R-I-C-C-M |
|
Definition
1)Risk
2)Information & communication
3)Control environment
4)Control activities (most time spent here)
5)Monitoring |
|
|
Term
Control Environment is composed of: think PIC-A-HOF |
|
Definition
-philosophy & operating style (mgmt. attitude)
-Integrity & ethical values (tone at the top)
-Organ. structure (organ. chart)
-Authority & responsibility (no conflict of interest)
-Functioning of board (independent & experience)
-Commitment to competence (qual. ppl in right positions)
-HR policies (recruitment, training, discipline) |
|
|
Term
the more ___ identified, the ____ the auditor's job |
|
Definition
|
|
Term
Risk Assessment (client's risk assessment) |
|
Definition
the entity's identification & analysis of relevant risks to achievement of its objectives; COSO's ERM framework |
|
|
Term
|
Definition
policies & procedures that ensure mgmt. directives are carried out |
|
|
Term
Control activities include: (P-I-S-P-PD) |
|
Definition
-phys. controls over security of assets
-segregation of duties
-information processing
-performance reviews (budgets)
-preventative vs. detective controls (all have preventative aspect) |
|
|
Term
activities within INFORMATION PROCESSING (a control activity) |
|
Definition
-approvals and authorization
-verification and reconciliations |
|
|
Term
segregation of duties by itself does NOT... |
|
Definition
make an account safe; concept should be applied |
|
|
Term
what are the 3 components of segregation of duties (C-A-R) |
|
Definition
-Custody
-Authorization
-Recording |
|
|
Term
|
Definition
mgmt's process that assesses the quality of the internal control's performance over time |
|
|
Term
Ways to MONITOR Internal Control performance over time...(I-F) |
|
Definition
Internal audit (#1 way)
Follow-up of reporting errors
-->issuer and non-issuer have to understand and document I/C's |
|
|
Term
what are the phases of the I/C engagement? (P-U-T-E-W-R) |
|
Definition
1)Plan the engagement (planning analy.)
2)Use top-down approach
3)Test internal control effectiveness (Design & Operating effectiveness)
4)Evaluating control deficiencies
5)Wrapping up (forming opinion on I/C over financial reporting)
6)report on internal control |
|
|
Term
what are the two types of testing for internal control effectiveness? |
|
Definition
Design & Operating effectiveness |
|
|
Term
What are the 3 Control deficiencies that need to be evaluated? (S-M-D) |
|
Definition
-Deficiencies (I/C def)
-Significant deficiencies
-Material weaknesses |
|
|
Term
Step 1: Plan the Engagement (what to do) C-C-I |
|
Definition
-consider knowledge of industry & business
-consider changes in operations & internal control
-Identify all relevant assertions for all sign. accounts or disclosures |
|
|
Term
what does "significant" mean in terms of accounts and disclosures |
|
Definition
a more-than-reasonable possibility that a material misstatement could be associated with it |
|
|
Term
Step 2: Use a top-down approach (I-P-A-A) |
|
Definition
-identify entity-level controls
-perform walkthroughs--> take transaction from cradle to grave
-Auditor must perform work related to:
(a)company-wide anti-fraud programs (code of ethics, hotline)
(b)controls w/ a pervasive effect
-Auditor must obtain "principal evidence" but can include work of internal auditors and others |
|
|
Term
"principal evidence" and the work of internal auditors and others (auditor must...) |
|
Definition
-must assess competence & objectivity
-limited reliance on others' work (not an elimination of work)
-possibly reduce work on 4 components, but CAN'T reduce work on CONTROL environment (impacts everything) |
|
|
Term
Entity-level controls can... |
|
Definition
possibly help us reduce our control testing top to down if done very well |
|
|
Term
List entity level controls |
|
Definition
-Controls related to control environment
-" " related to mgmt. override
-Centralized processing & controls including shared service environments
-" " to monitor results of operations
-" " to monitor other controls (best clue towards an entity-level control)
-mgmt. risk assessment
-Period-end financial reporting process
-Policies that address sign. business control and risk mgmt. practices |
|
|
Term
what does using a top-down approach mean? |
|
Definition
-understand the flow of transactions by performing WALKTHROUGHS
-Identify the likely sources of potential misstatements by asking yourself "what could go wrong?"
-Determine if there are controls to "cover" the potential misstatements (what could go wrong) |
|
|
Term
what are the test controls that address the risk of misstatement to each relevant assertion? |
|
Definition
DESIGN effectiveness
OPERATING effectiveness
-->if design eff. fails, you don't need to test operating effectiveness |
|
|
Term
|
Definition
(often accomplished in walkthrough); determines whether the controls over fin. reporting, IF OPERATING EFFECTIVELY, would be expected to prevent or detect errors or fraud that could result in a material misstatement; may be a sample of only 1 |
|
|
Term
|
Definition
whether the control is OPERATING AS DESIGNED and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively |
|
|
Term
internal control deficiencies |
|
Definition
(whether result of a design or oper. deficiency) exists when design or operation of a control does not allow the entity's mgmt. or employees to detect or prevent misstatements in a timely fashion |
|
|
Term
what are the two groups of "more serious" control deficiencies? |
|
Definition
1) Significant deficiencies (middle)
2) Material Weaknesses (the Worst) |
|
|
Term
|
Definition
defined as conditions, or combinations of conditions, that could adversely affect the organization's ability to initiate, record, process, and report financial data in the F/S's- not material but important enough to bring to those charged w/gov. (audit comm.) |
|
|
Term
KNOW the 3 significant deficiencies |
|
Definition
-absence of appropriate seg. of duties
-absence of appr. reviews & approvals of transactions
-evidence of failure of control procedures |
|
|
Term
|
Definition
in I/C, is defined as a def. or combo. of deficiencies that results in a REASONABLE POSSIBILITY that a MATERIAL MISSTATEMENT would not be prevented or detected on a timely basis (everyone sees it) |
|
|
Term
know 4 MATERIAL WEAKNESSES |
|
Definition
1)restatement of prev. issued F/S's to reflect the correction of a misstatement
2)Evidence of mat. misstatements (caught by audit team) that were not prevented or detected by client's I/C's
3)Ineffective oversight of fin. reporting process by entity's audit comm.
4)Indication of fraud (either mat. or immaterial) by senior mgmt. |
|
|
Term
what are 3 categories of I/C deficiencies |
|
Definition
Internal control def.
Sign. def.
Material weaknesses |
|
|
Term
What is the diff. b/t sign def. & material weakness? |
|
Definition
the (1)LIKELIHOOD and (2)MATERIALITY that a potential (or actual) misstatement would not be detected on a timely basis |
|
|
Term
|
Definition
forming an opinion on the effectiveness of internal control over fin. reporting |
|
|
Term
what are the 3 opinions for I/C reporting? |
|
Definition
1)Unqualified (NO mat. weakn. found)
2)Disclaimer of opinion (cannot perform all necessary procedures)
3)Adverse opinion (one or more mat. weaknesses found) |
|
|
Term
Sign. def. will still result in a _____ opinion. |
|
Definition
|
|
Term
|
Definition
1)separate report on I/C
2)Integrated audit report on I/C |
|
|
Term
separate report on I/C (characteristics) |
|
Definition
-opinion on F/S's separate
-Extra paragraph added to report on I/C that references F/S opinion |
|
|
Term
Integrated audit report on I/C (characteristics) |
|
Definition
Includes auditor's opinions on 1)I/C effectiveness, and 2)the fairness of the company's F/S's |
|
|
Term
Reporting to Audit Comm. on I/C related matters (3 guidelines) |
|
Definition
-report MUST be in writing (SOX)
-May communicate during or after audit
-Comm. w/mgmt not req. but comm. is not prohibited |
|
|
Term
what are the LIMITATIONS on I/C? |
|
Definition
-Human error
-Collusion
-Mgmt. override
-Cost benefit analysis |
|
|
Term
cost benefit analysis of I/C |
|
Definition
-often trade-off b/t cost and effectiveness of controls
-concept of reasonable assurance recognizes this trade-off b/t cost & benefits expected |
|
|
Term
WHY do we assess CONTROL risk? |
|
Definition
-determine nature, timing, and extent of audit procedures
-trade-off b/t testing of controls and substantive procedures |
|
|