Internal Control 4 Flashcards
IC report for FS Audit
Nonissuer/Non public
AU-C 265
Objective is to Communicate to those in charge with governance and management deficiencies in IC that in the auditor’s judgment, are sufficiently important to merit attention
- communication should be no later than 60 days after the report release date
- Test only the control you rely on
- Limited use statement
- No opinion - Disclaimer
- No need to communicate control deficiency to those charge with governance
- Definition of Material weakness
- Written report of NO material Weakness identified
- NO Written report of NO Significant deficiency identified
Attestation Engagement
IC - Nonissuer / Non public
AICPA -SSAE 15
Under Attestation Engagement - the auditor is engaged to examine the internal control as of a specified date or for a period of time
- Test ALL controls
- Opinion - Management’s assertion is fairly stated
- Inherent Limitation that IC may not prevent/detect and correct misstatement
- Do not project IC in the future
- General Distribution
- No need to communicate control deficiency to those charge with governance
PCOAB - IC report
Issuer/ Public
PCAOB – AS 15
Integrated with Audit FS
The auditor is engaged to AUDIT the internal control in accordance with standards of PCAOB as of a specified date
- Test ALL controls
- Opinion – Mgt maintained effective IC over financial reporting
- Inherent Limitation that IC may not prevent/detect and correct misstatement
- Do not project IC in the future
- General Distribution
- No need to communicate control deficiency to those charge with audit committee
which disagreements between the auditor and management have to be communicated by the auditor to those charged with governance
the professional standards require that disagreements that should be communicated include those relating
- to estimates,
- the scope of the audit,
- application of accounting principles,
- the wording of the audit report, and
- other matters.
When using a service auditor’s report, the user auditor should:
a. Make inquiries concerning service auditor’s professional reputation
b. If necessary, supplement understanding of service auditor’s procedures by discussing them with the service auditor
c. make NO reference to the report of the service auditor in his/her audit report
When the service organization performs data processing service to an audit client, its controls interact wiht the audit client’s internal control
In such circumstances three approaches are possible for the user auditor:
(1) test the user organization’s controls over activites of the service organization,
(2) use the service auditor’s report on the service organization’s internal contol policies, and
(3) perform tests of controls at the service organization
Personnel and Payroll Controls
(1) Segregate:
- Timekeeping
- Payroll preparation
- Personnel
- Paycheck distribution
(2) Time clocks used where possible
(3)Job time tickets reconciled to time clock cards
(4)Time clock cards approved by supervisors (overtime and regular hours)
(5)Treasurer signs paychecks
(6) Unclaimed paychecks controlled by someone otherwise independent of the payroll function (locked up and eventually destroyed if not claimed). In cases in which employees are paid cash (as opposed to checks) unclaimed pay should be deposited into a special bank account.
(7) Personnel department promptly sends termination notices to the payroll department.
Company-level controls
- The auditors begin by considering company-level controls, because these controls have a pervasive impact on controls at the process, transaction, or application level.
- Company-level controls include:
- Controls within the control environment, including tone at the top, assignment of authority and responsibility, consistent policies and procedures, and company-wide programs such as codes of conduct and fraud prevention
- Management’s risk assessment process
- Centralized processing and controls
- Controls to monitor results of operations
- Controls to monitor other controls, such as internal audit, the audit committee and self-assessment programs
- The period-end financial reporting process is always considered significant and includes: the consolidation procedures, use of spreadsheets, journal entries, significant nonroutine, nonsystematic transactions, and selection and application of accounting policies
- Drafting of the financial statements and disclosures
- Board of director approved policies that address business control and risk management
Standard control for cash disbursements
(1) Pre-numbered checks with a mechanical check protector used
(2)Two signatures on large check amounts
(3) Checks signed only with appropriate support (purchase order, receiving report, vendor’s invoice). Treasurer signs checks and mails them
(4) Support for checks canceled after payment
(5) Voided checks mutilated, retained, and accounted for
(6) Bank reconciliations prepared by individual independent of cash disbursements recordkeeping
(7) Physical control of unused checks
Example of significant deficiency
A deficiency in any one of the following controls would at least be a significant deficiency:
• Controls over the selection and application of accounting principles that are in conformity with generally accepted accounting principles
• Antifraud programs and controls
• Controls over nonroutine and nonsystematic transactions
• Controls over the period-end financial reporting process
Walk-throughs
• A walk-through involves literally tracing a transaction from its origination through the company’s information systems until it is reflected in the financial reports.
• Walk-throughs provide the auditor with evidence to
1. Confirm the understanding of the flow of transactions and the design of controls
2. Evaluate the effectiveness of the design of controls
3. Confirm whether controls have been implemented
Performing a walkthrough is an efficient way of:
Performing a walkthrough is an efficient way of:
- understanding the flow of transactions in the entity, including how the transactions are initiated, authorized, processed, and recorded,
- verifying that the auditor has identified the points within the entity’s processes at which a material misstatement could arise (including misstatements due to fraud),
- identifying the controls that management has implemented to address potential misstatements, and
- identifying the controls that management has implemented to prevent or timely detect unauthorized acquisition, use, or disposition of company assets that could result in a material misstatement of the financial statements.
Assessing control risk below the maximum level shows ….
Assessing control risk below the maximum level because this assessment shows reliance on the internal control structure
