Lecture: Auditing and assurance services (Second international edition), Chapter 7: Auditing internal control over financial reporting


Document information

In this chapter, the learning objectives are: understand management's responsibilities for reporting on internal control under Section 404 of the Sarbanes-Oxley Act, understand the auditor's responsibilities for reporting on internal control under Section 404 of the Sarbanes-Oxley Act, know the definition of internal control over financial reporting (ICFR),...

Chapter Seven: Auditing Internal Control over Financial Reporting
© The McGraw-Hill Companies 2010 McGraw-Hill/Irwin

Management Responsibilities under Section 404

Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining ‘adequate’ internal control over financial reporting (ICFR).

Management must comply with the following in order for its public accounting firm to complete an audit of ICFR:
  • Accept responsibility for the effectiveness of the entity’s ICFR
  • Evaluate the effectiveness of the entity’s ICFR using suitable control criteria
  • Support its evaluation with sufficient evidence, including documentation
  • Present a written assessment of the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year

Auditor Responsibilities under Section 404 and AS5

The entity’s independent auditor must audit and report on the effectiveness of ICFR. The auditor is required to conduct an integrated audit of the entity’s ICFR and its financial statements.

ICFR Defined

ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:
  • Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company
  • Provide reasonable assurance that transactions are recorded in accordance with GAAP
  • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets

Internal Control Deficiencies Defined

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control.

A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.

As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (reasonably possible) and magnitude (material, consequential, or inconsequential).

[Figure: classification of control deficiencies. Vertical axis, magnitude: material; not material but significant; not material or significant. Horizontal axis, likelihood: remote; reasonably possible or probable. Regions labelled: material weakness, significant deficiency, control deficiency.]

Management’s Assessment Process

Management must follow a top-down, risk-based approach:
  1. Identify financial reporting risks and controls
  2. Evaluate evidence about the operating effectiveness of ICFR
  3. Consider which locations to include in the evaluation

Framework Used by Management to Conduct Its Assessment

Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations.

Test the Design and Operating Effectiveness of Controls

Evaluate design.

Test and evaluate operating effectiveness:
  • Nature: Inquiry, inspection of documents, observation, and reperformance
  • Timing: Interim vs ‘as of’ date
  • Extent: Consider (1) nature of the control; (2) frequency of operation; (3) importance of the control

Evaluate Identified Control Deficiencies

Remediation of a Material Weakness

Remediation is the process of correcting a material weakness in the ICFR.
  • If a material weakness is corrected before the ‘as of’ date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control; if not, an adverse opinion is still issued

Written Representations

In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of ICFR. Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.

Auditor Documentation Requirements

The auditor must properly document the processes, procedures, judgements, and results relating to the audit of internal control. When an entity has effective ICFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

The auditor’s documentation of the process, procedures, judgements and results relating to the audit of ICFR should include:
  • Auditor’s understanding and evaluation of the design of ICFR;
  • The process used to determine the points at which material misstatements could occur;
  • The extent to which the auditor relied upon the work of others; and
  • The evaluation of any deficiencies discovered or other findings which could result in a report modification

Types of Reports Relating to the Audit of ICFR

  • An unqualified opinion signifies that the client’s internal control is designed and operating effectively
  • A serious scope limitation requires the auditor to disclaim an opinion
  • An adverse opinion is required if a material weakness is identified

Report Modification Based on Control Deficiencies
  • Likelihood/Magnitude of Misstatement: Control deficiency; Significant deficiency; Material weakness
  • Type of Audit Report: Unqualified opinion; Adverse opinion

Report Modification Based on Scope Limitation (Seriousness of Scope Limitation: Type of Audit Report)
  • Minor effect: Unqualified opinion
  • Severe limitation: Disclaim opinion or withdraw

Other Reporting Issues

  • Management’s report is incomplete or improperly presented
  • The auditor decides to refer to the report of other auditors
  • A significant subsequent event has occurred
  • There is other information contained in management’s report on internal control
  • There is a remediated material weakness at an interim date

Additional Required Communications in an Audit of ICFR

The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5). This communication should be made prior to the issuance of the auditor’s report on ICFR. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.

Advanced Module: Use of Service Organisations

Many companies use a service organisation to process transactions. If the service organisation’s services make up part of a company’s information system, then they are considered part of the information and communication component of the company’s internal control over financial reporting. Thus, both management and the auditor must consider the activities of the service organisation.

Management and the auditor should perform the following procedures with respect to the activities performed by the service organisation:
  (1) obtain an understanding of the controls at the service organisation that are relevant to the entity’s internal control and the controls at the user organisation over the activities of the service organisation; and
  (2) obtain evidence that the controls which are relevant to management’s assessment and the auditor’s opinion are operating effectively

Sometimes a SAS 70 report is issued.

Advanced Module: Safeguarding of Assets

Safeguarding of assets is defined as policies and procedures that ‘provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.’

End of Chapter

Date posted: 15/05/2017, 08:06

Table of contents

  • Slide 1

  • Management Responsibilities under Section 404

  • Slide 3

  • Auditor Responsibilities under Section 404 and AS5

  • ICFR Defined

  • Internal Control Deficiencies Defined

  • Slide 7

  • Slide 8

  • Management’s Assessment Process

  • Framework Used by Management to Conduct Its Assessment

  • Identify Entity-Level Controls

  • Management’s Documentation

  • Performing an Audit of ICFR

  • Integrating the Audits of Internal Control and Financial Statements

  • Effect of the Audit of Internal Control on the Financial Statement Audit

  • Effect of the Financial Statement Audit on the Audit of Internal Control

  • Planning the Audit of ICFR

  • Special Consideration: Using the Work of Others

  • Using a Top-Down Approach

  • Identifying Significant Accounts
