Term
|
Definition
internal control over financial reporting |
|
|
Term
management requirements under SOX with regard to ICFR |
|
Definition
- must issue a report accepting responsibility for establishing and maintaining adequate ICFR
- assert whether ICFR is effective as of the end of the fiscal year
|
|
|
Term
who sets the regulation for whether ICFR is adequate? |
|
Definition
the SEC and PCAOB (not SOX) |
|
|
Term
4 things management (public companies) must comply with regarding ICFR |
|
Definition
- Accept responsibility for the effectiveness of the entity's ICFR
- Evaluate the effectiveness of the entity's ICFR using suitable control criteria
- Support the evaluation with sufficient evidence, including documentation
- Present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the entity's most recent fiscal year
|
|
|
Term
the auditor's objective in an audit of ICFR |
|
Definition
"to express an opinion on the effectiveness of the company's internal control over financial reporting" (AS5) |
|
|
Term
|
Definition
exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis |
|
|
Term
|
Definition
exists when (1) a control necessary to meet the relevant control objective is missing; or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met |
|
|
Term
|
Definition
exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively |
|
|
Term
|
Definition
a deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis |
|
|
Term
|
Definition
a control deficiency, or combination of control deficiencies, in ICFR that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting |
|
|
Term
two dimensions of a control deficiency |
|
Definition
likelihood
- remote
- reasonably possible/probable
magnitude
- material
- not material but significant
- not material or significant
|
|
|
Term
purposes of tests of controls in the audit of (1) financial statements and (2) ICFR |
|
Definition
- (1) to assess control risk, which in turn affects the nature, timing, and extent of the substantive tests
- (2) to provide evidence on the effectiveness of the entity's controls over financial reporting as of the end of the period
|
|
|
Term
5 steps in the audit of ICFR |
|
Definition
- Plan the audit of ICFR
- Identify controls to test using a top-down, risk-based approach
- Test the design and operating effectiveness of selected controls
- Evaluate identified control deficiencies
- Form an opinion on the effectiveness of ICFR
|
|
|
Term
4 factors to consider when planning an audit of ICFR |
|
Definition
- the role of risk assessment and the risk of fraud
- scaling the audit
- using the work of others
- materiality
|
|
|
Term
5 controls that might address the risk of fraud and management override |
|
Definition
controls . . .
- over significant, unusual transactions, particularly those that result in late or unusual journal entries
- over journal entries and adjustments made in the period-end financial reporting process
- over related-party transactions
- related to significant management estimates
- that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results
|
|
|
Term
4 Steps in the Top-Down, Risk-Based Approach to the Audit of ICFR |
|
Definition
- Identify entity-level controls
- Identify significant accounts and disclosures
- Understand likely sources of misstatement
- Select controls to test
|
|
|
Term
3 control environment assessments that an auditor should make |
|
Definition
Whether . . .
- Management's philosophy and operating style promote effective ICFR
- Sound integrity and ethical values, particularly of top management, are developed and understood
- The Board or audit committee understands and exercises oversight responsibility over financial reporting and internal control
|
|
|
Term
9 risk factors that the auditor uses when identifying significant accounts and disclosures |
|
Definition
- Size and composition of the account
- Susceptibility to misstatement due to errors or fraud
- Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure
- Nature of the account or disclosure
- Accounting and reporting complexities associated with the account or disclosure
- Exposure to losses in the account
- Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure
- Existence of related-party transactions in the account
- Changes from the prior period in account or disclosure characteristics
|
|
|
Term
4 steps to follow to understand the likely sources of potential misstatements |
|
Definition
- Understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorized, processed, and recorded
- Identify the points within the entity's processes at which a misstatement--including a misstatement due to fraud--could arise that, individually or in combination with other misstatements, would be material
- Identify the controls that management has implemented to address these potential misstatements
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could result in a material misstatement of the financial statements
|
|
|
Term
What is the best way to identify sources of misstatements? |
|
Definition
|
|
Term
4 factors commonly considered when identifying controls to test |
|
Definition
- Points at which errors or fraud could occur
- The nature of the controls implemented by management
- The significance of each control in achieving the objectives of the control criteria and whether more than one control achieves a particular objective or whether more than one control is necessary to achieve a particular objective
- The risk that the controls might not be operating effectively
|
|
|
Term
6 factors that affect whether the control might not be operating effectively |
|
Definition
- Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness
- Whether there have been changes in the design of controls
- The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or IT general controls)
- Whether there have been changes in key personnel who perform the control or monitor its performance
- Whether the control relies on performance by an individual or is automated
- The complexity of the control
|
|
|