True / False: If the auditor does not rely on internal controls, then the auditor doesn't need to obtain an understanding of the internal controls
False
What are the 3 objectives of every entity?
Effectiveness and efficiency of operations
Compliance with applicable laws and regulations
Reliability of financial reporting
At which stage of the audit process must the auditor obtain an understanding of the entity's internal control: (1) engagement letter, (2) assessment of risk, (3) planning of the audit, (4) execution of the audit, (5) forming the opinion, (6) reporting on the opinion
Planning of the Audit
What are the 5 components of internal control, with a brief description of each?
C-R-I-M-E
(1) Control environment = overall tone of the organization, management's participation
(2) Risk assessment by management for lying, stealing, cheating
(3) Information and Communications systems = recording transactions and communicating responsibilities
(4) Monitoring = assessing the performance of internal control over time
(5) Existing control policies and procedures
True / False: The auditor is required to understand each element of the 5 components of internal control as it relates to financial reporting.
True
What types of items are included in the control environment?
Management's "tone at the top"
Written policy statements
Written codes of conduct
Management's actions to reduce occurrence of unethical acts, including willingness to raise difficult questions
Management's reaction to violations
Commitment to competence
Organizational structure
HR policies
What types of management behavior might indicate increased risk regarding the control environment?
Mgmt is consumed with meeting the budget (pressure)
Mgmt is dominated by one person (opportunity for mgmt override)
Mgmt compensation is contingent on the entity's financial performance (rationalization)
What situations may increase the risk that an entity cannot prepare and fairly present GAAP-based FS?
(don't need to know them all)
Change in the regulatory or operating environment
New or modified information systems
Rapid expansion of operations
Incorporation of new technology
New business models, products, processes, segments
Corporate restructuring
New personnel
Foreign operations
Define the internal control communication system
Written procedures, oral instruction, and modeling by management that
provide an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
What is the purpose of monitoring for internal control?
Evaluate the quality of performance over time and
take necessary corrective actions.
Which existing control activities are relevant to an audit?
P-A-I-D T-I-P-S
Prenumbered documents
Authorization of transactions before commitment of resources
Detective Examples: periodic counting and comparison of actual vs recorded assets, review of logs.
Which 3 duties should always be segregated?
A-R-C
Authorization
Recording or record keeping
Custody of related assets
True / False: The auditor is responsible to review all internal controls.
False
The auditor is responsible for all internal controls related to the prevention, detection or correction of material misstatements
What must be determined when evaluating the design of an internal control?
Whether it is capable, individually or in combination with other controls, of preventing, detecting, or correcting material misstatements.
What must be determined when evaluating the implementation of an internal control?
Does the control exist, and is it being used?
** Does the user know about the control?
** Does the user have knowledge of how the procedure should be performed?
What procedures can be used to obtain evidence about the design and implementation of internal controls?
Inquiry of personnel
Observation of the application of controls
Reperformance of the procedure
Inspection of documents and reports created using the procedure
Performing a walk-through
True / False: Inquiry of (talking to) entity personnel regarding the existence of and knowledge about internal controls provides sufficient evidence of design and implementation.
False
Observation, inspection or walk-throughs must also be performed
What is the purpose of a walk-thru?
To trace transactions relevant to financial reporting through the accounting system from inception through to presentation in the FS
What are the two methods of walk-thru?
(1) trace a single transaction from inception to reporting on the FS, OR
(2) Identify the key steps from inception to reporting on the FS for a class of transactions, then perform risk assessment procedures for each step, such as testing a specific transaction (but not the same transaction) at each step.
What 4 methods may be used to document the auditor's understanding of the internal control?
F-I-N-D
Flowchart
Internal control questionnaire or checklist
Narrative summary (hard to see weaknesses)
Documentation provided by the client, such as their procedure manual
Which symbols are used in a flowchart for the following: (1) document or report, (2) computer process, (3) keyed entry, (4) tape file, (5) disk file, (6) display, (7) manual process, (8) decision, (9) data such as journal or general ledger, (10) on-page connector, (11) off-page connector, (12) paper file
(1) rectangle with French-curve bottom
(2) rectangle
(3) rectangle with angled top
(4) filled Q
(5) cylinder
(6) rectangle with (L) side arrow and (R) side curve
(7) trapezoid
(8) diamond
(9) parallelogram
(10) circle
(11) broad down arrow
(12) inverted triangle
True / False: A well designed and implemented internal control system will provide absolute assurance that financial reporting will be accurate.
False
It will only provide reasonable assurance.
What are the 3 inherent limitations of internal control, regardless of how well designed and implemented?
Management override of internal control
Human error
Deliberate circumvention by collusion of 2+ people
When are manual controls superior to automated controls?
When the transactions require judgment or discretion, such as
** large, unusual or nonrecurring transactions
** potential misstatements are difficult to define or predict
** frequent changes in circumstances occur
When are automated controls superior to manual controls?
With high volume or recurring transactions
When control activities can be adequately designed for automation
What is the difference between an IT general vs application control?
General Controls: Relate to many applications, or the proper operation of the information system.
Application Controls: apply to the input, processing and output of individual transactions.
What types of controls are considered general controls, and what are a few examples?
Control over data center and network operations
System software acquisition
System maintenance
Access security
Examples: passwords, change management procedures, backup or recovery, administrative rights to the network
What types of controls are considered application controls, and what are a few examples?
Administrative rights to a program
Checking mathematical accuracy of records
Maintaining and reviewing account & trial balances
Automated checks of input data
Creation of exception reports and manual follow-up of such
True / False: Everyone must have a system of internal control based on a standardized framework.
True for issuers via SOX; not required for nonissuers
COSO is the common standardized framework (C-R-I-M-E)
Just to remember: If the IT system constantly updates and doesn't retain previous records, the auditor may not be able to retrieve earlier evidence, and it negatively impacts the NET (nature, extent and timing) of the audit
The IT system could make it impossible to resolve the detection risk through substantive testing alone; therefore, the auditor must test the control system as well.
When it comes to an IT system, which roles (employee jobs) should be segregated, including not having supervisory authority?
C-O-P-A-L
Control group
Operators
Programmers
Analysts (system)
Librarian
What is meant by an internal control's substance over form?
The internal control exists (form), but the control must be operating effectively, including management's enforcement of their use (substance).
In which situation are services performed by another organization not considered to be part of the client's information system?
If the services provided are limited to executing transactions that are specifically authorized by the client.