“If everything seems under control, you're just not going fast enough.”
-- Mario Andretti, Race car driver
McGraw-Hill/Irwin Copyright © 2008 by The McGraw-Hill Companies, Inc. All rights reserved.
5-3
Chapter 5 Objectives
• Distinguish between management’s and auditors’ responsibilities
regarding an entity’s internal control.
• Define and describe internal control.
• Define and describe the five basic components of internal control and
specify some of their characteristics.
• Explain the phases of an evaluation of control and risk assessment
and the documentation and extent of audit work required.
• Describe additional responsibilities for management and auditors of
public companies required by Sarbanes-Oxley and Auditing Standard
No. 5.
• List the major components of the auditors’ report on internal control
over financial reporting.
• Describe situations in which the auditors’ report on internal control
over financial reporting would be modified.
• Explain the communication of internal control deficiencies to those
charged with governance such as the audit committee and other key
management personnel.
• Explain the limitations of all internal control systems.
5-4
• Management responsibility
– Management has primary responsibility for internal
control
– Sarbanes-Oxley Act of 2002 (publicly traded
companies)
• Auditor responsibility
– Second standard of fieldwork
– PCAOB Auditing Standard No. 5 (AS 5): An Audit of
Internal Control over Financial Reporting That Is
Integrated with an Audit of Financial Statements
5-5
Management’s Responsibility for Internal
Control (Sarbanes-Oxley)
• In addition to certifying the company’s financial
statements (Section 302), management must also report
on the company’s internal control over financial
reporting (Section 404).
• Specifically, the company’s annual report must include:
– A statement that management is responsible for establishing and
maintaining adequate internal control over financial reporting.
– A statement identifying the framework (usually COSO)
management uses to evaluate the effectiveness of the company’s
internal control.
– A statement providing management's assessment of the
effectiveness of the company’s internal control.
5-6
AS 5: An Audit of Internal Control over Financial Reporting
That Is Integrated with an Audit of Financial Statements
COSO
Control Environment
Risk Assessment
• The entity's
identification and
analysis of relevant
risks to achievement
of its objectives.
• COSO's Enterprise
risk management
(ERM) framework
5-16
Control Procedures
Monitoring
• Three categories
– Internal control deficiency
– Significant deficiency
– Material weaknesses
• The difference between a significant deficiency
and a material weakness is the (1) likelihood and
(2) materiality that a potential (or actual)
misstatement would not be detected on a timely
basis.
5-36
Step 5: Wrapping up:
Forming an opinion on the effectiveness of
internal control over financial reporting
• Human error
• Collusion
• Management override
• Cost/benefit analysis
– There is often a trade-off between the cost and the
effectiveness of internal controls.
– The concept of reasonable assurance recognizes that
the cost of an entity’s internal control should not
exceed the benefits that are expected to be derived.