COSO Framework - Components of Internal Control
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Control Activities - 5 categories
Separation of Duties
Proper Authorization
Adequate Documents & Records
Physical Control of Assets
Independent Checks on Performance
Actions, policies, and procedures that reflect the overall attitude of top management, directors, and owners about internal control and its importance.
Name this component of the COSO framework.
Control Environment
Management's identification and analysis of risks relevant to the preparation of financial statements in accordance with appropriate accounting frameworks such as GAAP.
Name this component of the COSO framework.
Risk Assessment
Policies and procedures that management has established to meets its objectives for financial reporting.
Name this component of the COSO framework.
Control Activities
Methods used to initiate, record, process, and report an entity's transactions and maintain accountability for related assets.
Name this component of the COSO framework.
Information and Communication
Management's ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and are modified when needed.
Name this component of the COSO framework.
Monitoring
Name the two types of controls auditors are primarily concerned with.
Controls over the reliability of financial reporting.
Controls over classes of transactions.
Who must establish and maintain the entity's internal controls?
Management
A company should develop internal controls that provide ________ ________ that the financial statements are fairly stated.
Reasonable assurance
What is the inherent limitation of internal controls?
They can never be completely effective.
Section 404 of Sarbanes-Oxley requires management issue an internal control report that includes...
Statement of management's responsibility for internal controls.
Assessment of effectiveness of internal controls.
What framework is used to evaluate the effectiveness of internal controls?
COSO Internal Control Integrated Framework
When management evaluates their internal controls, they look at the _______ of internal controls as well as the operating ______ of controls.
Design
Effectiveness
The SEC requires that management include its report on internal controls in their annual _______
10-K
Auditing standards require an auditor obtain an _________ of internal controls relevant to the audit.
Understanding
Integrity and ethical values, commitment to competence, BoD and audit committee participation, management operating style and philosophy, organizational structure, HR policies, etc. all related to which element of the COSO framework?
Control Environment
Management establishes policies and subordinates are instructed to implement these rules by approving all transactions within the limits set by the policy.
What type of authorization is this?
General authorization
Case-by-case approval of transactions not covered by company-wide policies.
Specific authorization
This document helps classify which accounts should be used for certain classes of transactions.
Chart of Accounts
A chart of accounts is a control that relates best to which component of the COSO framework?
Control Activities (Adequate Documents and Records)
A. Assess control risk.
B. Decide planned detection risk and substantive tests.
C. Obtain and document understanding of internal control design and operation.
D. Design, perform, and evaluate tests of controls.
What is the correct order for understanding
C
A
D
B
Written description of a client's internal controls, including the origin, processing, and disposition of documents and records, and the relevant controls.
Narrative
A diagrammatic representation of the client's documents and records and the sequence in which they are processed.
Flowchart
A series of questions about the controls in each audit area used as a means of indicating to the auditor aspects of internal control that may be inadequate
Internal Control Questionnaire
A methodology used to help the auditor assess control risk by matching key internal controls and internal control deficiencies with transaction-related audit objectives
Control Risk Matrix
A deficiency in the design or operation of controls that does not permit company personnel to prevent or detect and correct misstatements on a timely basis
Control deficiency
A cooperative effort among employees to steal assets or misstate records
Collusion
Controls that are expected to have the greatest effect on meeting the transaction-related audit objectives
Key Controls
An optional letter written by the auditor to a client's management containing the auditor's recommendations for improving any aspect of the client's business
Management Letter
A significant deficiency in internal control that, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected
Material Weakness
Name the three levels of control inadequacies
Control deficiency
Significant deficiency
Material weakness
One or more control deficiencies exist that is less severe than a material weakness, but important enough to merit attention by those responsible for oversight of the company's financial reporting
Significant deficiency
Audit procedures to test the operating effectiveness of controls in support of reduced assessed control risk
Tests of Controls
The tracing of selected transactions through the accounting system to determine that controls are in place
Walkthrough
A control elsewhere in the system that offsets the absence of a key control
Compensating Control
What types of evidence are used when performing tests of control?
Inquiry
Inspection
Observation
Reperformance
First four major parts of audit planning:
Accept client and perform initial audit planning
Understand client's business and industry
Assess client business risk
Perform preliminary analytical procedures
A measure of how willing the auditor is to accept that the financial statements may be materially misstated after the audit is completed and an unqualified opinion has been issued.
Acceptable Audit Risk
Acceptable Audit Risk
How willing the auditor is to accept that the statements may still be materially misstated after an unqualified opinion has been issued.
The risk that they client will fail to achieve its objectives related to (1) reliability of financial reporting, (2) effectiveness and efficiency of operation, and (3) compliance with laws and regulations
Client Business Risk
Client Business Risk
Risk that they client will fail to achieve its objectives
An agreement between the CPA firm and the client as to the terms of the engagement for the conduct of the audit and related services
Engagement Letter
A measure of the auditor's assessment of the likelihood that there are material misstatements in a segment before considering the effectiveness of internal controls.
Inherent Risk
Inherent Risk
Risk before considering internal controls
Displays all items as a percent of a common based, such as sales (e.g. divide everything by sales)
Common-Size Financial Statements
When we perform analytical procedures, with whom do we compare a client's data?
Previous years
Competitors
Industry
Budgets
Auditor expectations
What are the primary purposes of analytical procedures during the planning phase?
Understand the client's business
Indicate areas of concern
What are the secondary purposes of analytical procedures during the planning phase?
Assess going concern
Reduce detailed tests
Maximum amount of materiality we would accept and still issue an unqualified opinion
Preliminary judgement about materiality
Also known as tolerable materiality
Performance materiality
The sum of ______ and projected _____ misstatements must be less than the performance materiality.
Known and likely
A complement to acceptable audit risk; an acceptable audit risk of 2 percent is the same as ___________ of 98 percent
Audit Assurance
A formal model reflecting the relationships between acceptable audit risk (AAR), inherent risk (IR), control risk (CR), and planned detection risk (PDR); PDR = AAR / (IR * CR)
Audit Risk Model
A measure of the auditor's assessment of the risk that a material misstatement could occur in an assertion and not be prevented or detected on a timely basis by the client's internal controls
Control Risk
Control Risk
Risk that misstatements may occur and not be prevented or corrected by internal controls
The risk that the auditor or audit firm will suffer harm because of a client relationship, even though the audit report rendered for the client was correct
Engagement Risk
The magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probably that the judgement of a reasonable person relying on the information would have been changed or influenced by the omi
Materiality
The materiality amounts for segments of the audit, set by the auditor at less than materiality for the financial statements as a whole
Performance Materiality
A measure of the risk that audit evidence for a segment will fail to detect misstatements that could be material, should such misstatements exist; PDR = AAR / (IR * CR)
Planned Detection Risk
Planned Detection Risk
Risk that we fail to detect material misstatements
Engagement Risk
Risk that the firm will suffer harm because of a client relationship
Audit Risk Model
PDR = AAR / (IR * CR)
Acceptable Audit Risk and Planned Detection Risk have a(n) _______ relationship.
Direct
Acceptable Audit Risk and level of audit evidence have a(n) ______ relationship.
Inverse
Inherent Risk and Planned Detection Risk have a(n) ______ relationship.
Inverse
Inherent Risk and level of audit evidence have a(n) ______ relationship.
Direct
Control Risk and Planned Detection Risk have a(n) ______ relationship.
Inverse
Control Risk and level of audit evidence have a(n) ______ relationship.
Direct
The degree to which external users rely on client's financial statements, the likelihood that a client will have financial difficulties after the audit report is issued, and management integrity are all factors that influence which type of risk?
Acceptable Audit Risk
The nature of the business, results of previous audits, initial vs. repeat engagement, related-party transactions, and degree to which judgement is required to record transactions are all factors that influence which type of risk?
Inherent Risk
What are the five types of tests auditors use?
Risk Assessment Procedures
Tests of Controls
Substantive Tests of Transactions
Tests of Details of Balances
Analytical Procedures
Tests of controls and substantive tests of transactions speak to which type of risk?
Control Risk
In which type of further audit procedure are you most likely to use physical examination evidence?
Tests of Details of Balances
in which type of further audit procedure are you most likely to use confirmation evidence?
Tests of Details of Balances
In which type of further audit procedure are you most likely to use observation evidence?
Tests of Controls
Which type of evidence are you most likely to use in all types of further audit procedures?
Inquiries of the Client
List the types of tests according to their relative costs in increasing order.
Analytical Procedures
Risk Assessment Procedures
Tests of Controls
Substantive Tests of Transactions
Tests of Details of Balances
An exception in a test of control indicates a ______ misstatement, whereas an exception in a substantive test indicates an _______ misstatement.
Possible, actual
When are we likely to do more extensive testing of internal controls? When they are deemed effective or ineffective?
Effective
What three types of audit evidence are we most likely to see in the plan / design stage of an audit?
Inspection
Inquiries of the Client
Analytical Procedures
Where are we most likely to see observation audit evidence?
Tests of Controls
Evaluations of financial information through analysis of plausible relationships among financial and nonfinancial data
Analytical Procedures
Combination of tests of controls, substantive tests of transactions, analytical procedures, and tests of details of balances performed in response to risks of material misstatement identified by the auditor's risk assessment procedures
Further Audit Procedures
Audit procedures designed to test for dollar (monetary) misstatements of financial statement balances
Substantive Tests
Audit procedures testing for monetary misstatements to determine whether the six transaction-related audit objectives have been satisfied for each class of transactions
Substantive Tests of Transactions
Audit procedures to test the effectiveness of controls in support of a reduced assessed control risk
Tests of Controls
Audit procedures testing for monetary misstatements to determine whether the eigh balance-related audit objectives have been satisfied for each significant account balance
Tests of Details of Balances
Last four major parts of audit planning:
Set materiality and assess acceptable audit risk and inherent risk, Understand internal control and assess control risk, Gather information to assess fraud, develop overall audit strategy and audit program
Management's objectives in designing and implementing a system of internal controls.
Reliability of financial reporting, efficiency and effectiveness, compliance