Arens Chapter10

Section 404 Audits of Internal
Control and Control Risk
Chapter 10
2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 1

Learning Objective 1
Describe the three primary
objectives of effective
internal control.

Internal Control Objectives
1. Reliability of financial reporting
2. Efficiency and effectiveness of operations
3. Compliance with laws and regulations

Contrast managements
responsibilities for maintaining
and reporting on internal controls
with the auditors responsibilities
for understanding, testing, and
reporting on internal controls.

Management and Auditor
Responsibilities Related
to Internal Control
Managements responsibility
for establishing internal control
Reasonable assurance
Inherent limitations

to Internal Control
Managements Section 404

reporting responsibilities
Design of internal control
Operating effectiveness of controls

to Internal Control
Auditor responsibilities for
understanding internal control
Controls over the reliability

of financial reporting
Control over classes of transactions
Auditor responsibilities for testing

internal control
Sales Transaction-related Audit
Objectives
Transaction-related Audit Sales Transaction-related
Objective General form Audit Objectives
Recorded transactions Sales are for shipments
exist (occurrence) to existing customers
Existing transactions are Existing sales transactions
recorded (completeness) are recorded
Transactions are stated Sales for goods shipped
correctly (accuracy) are correctly billed

Sales Transaction-related Audit
Objectives
Transaction-related Audit Sales Transaction-related
Objective General form Audit Objectives
Transactions are correctly Sales transactions are

filed (posting and correctly included in the
summarization) master files
Transactions are correctly Sales transactions are
classified (classification) correctly classified
Transactions are recorded Sales are recorded on
on correct dates (timing) the correct dates

Explain the five components
of the COSO internal
control framework.

Five Components of Internal
Control
Risk Control Information and

Monitoring
assessment activities communication

The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit

committee participation

The Control Environment
Managements philosophy and operating style
Organizational structure
Human resource policies and practices

Risk Assessment
Identify factors that may increase risk
Estimate the significance of the risk
Assess the likelihood of the risk occurring
Determine actions necessary to manage the risk

Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

Adequate Separation of Duties
Custody of assets from Accounting
Authorization The custody of

from
of transactions related assets
Operational Record-keeping
from
responsibility responsibility
IT duties from User departments

Proper Authorization of
Transactions and Activities
General authorization
Specific authorization

Adequate Documents and
Records
Prenumbered consecutively
Prepared at the time of transaction
Designed for multiple use
Constructed to encourage correct preparation

Physical Control Over Assets
and Records
The most important type of protective
measure for safeguarding assets and
records is the use of physical precautions.

Independent Checks on
Performance
The need for independent checks arises
because internal control tends to change
over time unless there is a mechanism
for frequent review.

Information and Communication
The purpose of an accounting information

and communication system is to
initiate, record, process, and report

the entitys transactions and to maintain
accountability for the related assets.

Monitoring
Monitoring activities deal with managements

ongoing and periodic assessment of the
quality of internal control performance
to determine whether controls are operating

as intended and modified when needed.

SEC and COSO Focus on
Smaller Public Companies
The SEC has extended the deadline for
small public companies compliance
with Section 404 requirements.
COSO issued guidance in Internal Control

Over Financial Reporting for Smaller
Public Companies.

Obtain and document an
understanding of internal control.

Process for Understanding Internal
Control and Assessing Control Risk
Obtain an
understanding of
Phase 1 internal control: design
and operation
Phase 2 Assess control risk
Design, perform, and

Phase 3 evaluate tests of
controls
Decide planned
Phase 4 detection risk and
substantive tests

Obtain and Document Understanding
of Internal Control
Auditing standards require auditors to obtain

an understanding of internal control for every
audit.
Procedures to obtain an understanding:

Design of internal controls
Whether placed in operation
Uses this information as a basis for the
integrated audit

Methods Used
Narrative
Flowchart
Internal
control
questionnaire

Narrative
1. The origin of every document

and record in the system
2. All processing that takes place
3. The disposition of every document
and record in the system
4. An indication of the controls relevant
to the assessment of control risk

Evaluating Internal Control
Operation
Update and evaluate auditors previous
experience with the entity
Make inquiries of client personnel
Examine documents and records
Observe entity activities and operations
Perform walk-throughs of the accounting system

Assess control risk by linking key
controls, significant deficiencies,
and material weaknesses to
transaction-related audit
objectives.

Assess Control Risk
Assess whether the financial statements

are auditable.
Determine assessed control risk supported

by the understanding obtained assuming
the controls are being followed.
Use of a control risk matrix to assess

control risk.

Control Risk Matrix
Many auditors use the control risk matrix

to assist in the control risk assessment
process.

Control Risk Matrix
Identify audit objectives
Identify existing controls
Associate controls with related audit objectives
Identify and evaluate control deficiencies,

significant deficiencies, and material weaknesses

Evaluating Significant Control
Deficiencies
SIGNIFICANCE
Material
Material
Weakness
LIKELIHOOD Remote Probable
Immaterial
Identify Deficiencies and
Weakness
Identify existing controls
Identify the absence of key controls
Consider the possibility of compensating controls
Decide whether there is a significant deficiency

or material weakness
Determine potential misstatements that could result

Communications
Communications to those
charged with governance
Management letters

Describe the process of designing
and performing tests of controls.

Tests of Controls
The procedures to test effectiveness of controls

in support of a reduced assessed control
risk are called tests of controls.

Procedures for Tests of Controls
1. Make inquiries of client personnel
2. Examine documents, records, and reports
3. Observe control-related activities
4. Reperform client procedures

Extent of Procedures
Reliance on evidence from prior years audit
Testing of controls related to significant risks
Testing less than the entire audit period

Relationship of Assessed Control
Risk and Extent of Procedures
Assessed Control Risk
High level:
Type of Procedures to obtain Lower level:
procedure an understanding Tests of controls
Inquiry Yesextensive Yessome
Documentation Yeswith transaction Yesusing sampling
walk-through
Observation Yeswith transaction Yesat multiple times
walk-through
Reperformance No Yesusing sampling

Decide Planned Detection Risk and
Design Substantive Tests
The auditor uses the results of the control risk

assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.
The auditor links the control risk assessments

to the balance-related audit objectives.

Understand Section 404
requirements for auditor
reporting on internal control.

Section 404 Reporting on
Internal Control
1. The auditors opinion on whether the company
maintained, in all material respects, effective
internal control over financial reporting as of
the specified date.

Types of Opinions
Unqualified
Adverse
Qualified or disclaimer of opinion

Describe the differences in
evaluating, reporting, and
testing internal control for
nonpublic companies.

Evaluating, Reporting, and Testing
Internal Control for Nonpublic
Companies
1. Reporting requirements
2. Extent of required internal controls
3. Extent of understanding needed
4. Assessing control risk
5. Extent of tests of controls needed

Differences in Scope of Controls
Tested
Internal controls over financial reporting
Internal controls used to assess

control risk below maximum
Controls that must be tested in Controls that must be tested in

an audit of internal controls an audit of financial statements
End of Chapter 10

Arens Chapter10

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Arens Chapter10

Uploaded by

Copyright:

Available Formats

Section 404 Audits of Internal

Control and Control Risk

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 1

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 2

1. Reliability of financial reporting

2. Efficiency and effectiveness of operations

3. Compliance with laws and regulations

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 3

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 4

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 5

Managements Section 404

Design of internal control

Operating effectiveness of controls

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 6

Controls over the reliability

Control over classes of transactions

Auditor responsibilities for testing

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 8

Transactions are correctly Sales transactions are

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 9

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 10

Risk Control Information and

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 11

Integrity and ethical values

Board of directors or audit

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 12

Managements philosophy and operating style

Human resource policies and practices

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 13

Identify factors that may increase risk

Estimate the significance of the risk

Assess the likelihood of the risk occurring

Determine actions necessary to manage the risk

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 14

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 15

Custody of assets from Accounting

Authorization The custody of

IT duties from User departments

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 16

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 17

Prepared at the time of transaction

Designed for multiple use

Constructed to encourage correct preparation

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 18

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 19

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 20

The purpose of an accounting information

initiate, record, process, and report

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 21

Monitoring activities deal with managements

to determine whether controls are operating

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 22

COSO issued guidance in Internal Control

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 23

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 24

Phase 2 Assess control risk

Design, perform, and

2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 25