Chapter 07 – Auditing Internal Control over Financial Reporting
CHAPTER 7
AUDITING INTERNAL CONTROL OVER FINANCIAL
REPORTING
Answers to Review Questions
7-1 Following are management’s and the auditor’s responsibilities under Section 404 of the
Sarbanes-Oxley Act of 2002:
Management’s Responsibilities
Accept responsibility for the effectiveness of the entity’s ICFR.
Evaluate the effectiveness of the entity’s ICFR using suitable control criteria.
The audit of internal control should be “integrated” with the financial statement audit,
and should express an opinion on the effectiveness of the entity’s ICFR.
7-2 “Likelihood” refers to the probability that a misstatement will not be prevented or
detected. For a significant deficiency or a material weakness to exist, the likelihood of
such an occurrence must be either “reasonably possible” or “probable.”
“Magnitude” refers to the significance that the control deficiency could have on the
financial statements according to the judgment of a prudent official who considers the
7-3 All of the following controls would typically be tested (see Table 7-2):
Entity-level controls (see Table 7-1).
Controls over initiating, authorizing, recording, processing, and reporting significant
7-4 Management and the auditor make similar decisions when deciding which locations or business
units to include for testing. Thus, the choice of which locations to include in the
assessment of internal control is based on the presence of entity-level controls and the
financial reporting risk at each individual location or business unit. Willis & Adams
provides the following flowchart as part of its Policy Statement on Identifying Significant
Business Units or Locations (see the policy statement for more details):
[Figure: Multi-location Testing Consideration Flowchart]
Decision boxes (each with a Yes branch and a No branch):
Is the location or business unit individually important?
Are there specific significant risks?
Are there locations or business units that are not important even when aggregated with others?
Are there documented company-level controls over this group?
Action boxes:
Evaluate documentation and test significant controls at each location or business unit.
Evaluate and test controls over specific risks.
No further action required for such units.
Evaluate documentation and test company-level controls over this group.
Some testing of controls at individual locations or business units is required.
7-5 The SEC allows considerable flexibility to management in how it should document its
assessment. Reasonable support would include the basis for management’s assessment,
such as documentation of the methods and procedures it utilizes to gather and evaluate
evidence. Such documentation would include the design of the controls management has
placed in operation to adequately address identified financial reporting risks, including
the entity-level and other pervasive elements necessary for effective ICFR. Management
7-6 The steps in the auditor’s process for an audit of ICFR include (see Figure 7-2):
Plan the audit of ICFR.
Identify controls to test using a top-down, risk-based approach.
7-7 (Refer to Table 3-2). The following factors can be used to judge the objectivity of the
internal audit function:
Whether the organizational status of the IAF, including the function’s authority and
accountability, supports the ability of the function to be free from bias, conflict of
Whether the internal auditors are members of relevant professional bodies and their
memberships obligate their compliance with relevant professional standards relating
to objectivity or whether their internal policies achieve the same objectives.
The competence of the internal audit function can be determined by assessing the following
factors:
Whether the IAF is adequately and appropriately resourced relative to the size of the
entity and the nature of its operations.
auditing. (e.g., the internal auditors’ possession of a relevant professional designation
and experience).
Whether the internal auditors possess the required knowledge relating to the entity’s
financial reporting and the applicable financial reporting framework and whether the
7-8 The steps in the top-down, risk-based approach to obtaining an understanding of ICFR
include:
Identify entity-level controls. Because these controls have a pervasive effect on
ICFR, the auditor needs a thorough understanding of entity-level controls. The two
major categories of controls included here are: (1) the control environment and (2) the
period-end financial reporting process.
Identify significant accounts and disclosures and their relevant assertions. To
complete this step, the auditor evaluates risk factors related to the financial statement
accounts and disclosures. The risk factors include:
Size and composition of the account.
Changes from the prior period in account or disclosure characteristics (AS5, 29).
Understand likely sources of misstatement. In order to complete this step, the auditor
needs to do the following:
Understand the flow of transactions related to the relevant assertions.
Identify the points within the entity’s processes at which a misstatement,
including a misstatement due to fraud, could arise that, individually or in
identifying controls to test.
7-9 The period-end financial reporting process controls include procedures used to enter
transaction totals into the general ledger; initiate, authorize, record, and process journal
entries in the general ledger; record recurring and nonrecurring adjustments to the annual
and quarterly financial statements; and draft annual and quarterly financial statements
and related disclosures.
The auditor’s evaluation of the period-end financial reporting process includes the inputs,
management, the board of directors, and the audit committee.
7-10 Walkthroughs help the auditor to confirm his or her understanding of control design and
transaction process flow, to determine whether all points at which misstatements could
occur have been identified, to evaluate the effectiveness of the design of controls, and to
7-11 The circumstances that should be regarded as indicators of a material weakness include
(see Table 7-7):
Identification of fraud, whether or not material, on the part of senior management.
Restatement of previously issued financial statements to reflect the correction of a
material misstatement.
Identification by the auditor of a material misstatement of financial statements in the
7-12 Remediation is when an entity determines that it has a material weakness and takes steps
to correct it. If management corrects a material weakness before the “as of” date, and
7-13 AS5 requires that the auditor appropriately document the processes, procedures,
judgments, and results relating to the audit of internal control. The auditor’s
each of the components of the entity’s ICFR. The auditor also documents the process used
other findings that could result in a modification to the auditor’s report.
7-14 The auditor’s unqualified opinion on the effectiveness of an entity’s internal control
signifies that the entity’s internal control is designed and operating effectively in all
material respects. Significant deficiencies relate to possible financial statement errors that
are less than material, and therefore do not require a departure from an unqualified
7-15 The auditor will issue an adverse opinion on the effectiveness of internal control if a
material weakness is identified.
7-16 If the scope of the auditor’s work is limited, the auditor may disclaim an opinion,
depending on the severity of the limitation and whether or not management intentionally
7-17 When a significant period of time has elapsed between the time period covered by the
tests of controls in the service auditor’s report and the date of management’s assessment,
additional procedures should be performed. The auditor should consider the results of
relevant procedures performed by management or the auditor, how much time has passed
7-18 Generalized audit software (GAS) includes programs that allow the auditor to perform
tests on computer files and databases. GAS enables auditors to conduct similar computer-
assisted audit techniques in different IT environments. Custom audit software is generally
Answers to Multiple-Choice Questions
d
7-27
c
b
7-28
a
c
7-29
c
c
7-30
a
c
7-31
c
b
7-32
a
d
7-33
d
d
Solutions to Problems
7-34
Control 1: Monthly Manual Reconciliation
Nature, Timing, and Extent of Procedures
Objective of the Test: To determine whether misstatements in accounts receivable
(existence, valuation, and completeness) would be detected on a timely basis.
Test the company’s reconciliation control by selecting a sample of reconciliations based
upon the number of accounts, the dollar value of the accounts, and the volume of
transactions affecting the account. Perform the following tests on the reconciliation
process:
a. Make inquiries of personnel performing the control. Ask the employee performing the
reconciliation the following questions:
What documentation describes the account reconciliation process?
How long have you been performing the reconciliation work?
What is the reconciliation process for resolving reconciling items?
Who performs this function when you are ill or on vacation?
b. Observe the employee performing the control. For nonrecurring reconciling items,
observe whether each item included a clear explanation as to its nature, the action that
had been taken to resolve it, and whether it had been resolved on a timely basis.
c. Reperform the control for two months by inspecting the reconciliations and
reperforming the reconciliation procedures. Scan through the file of all reconciliations
prepared during the year and note whether they had been performed on a timely basis.
d. Make inquiries of company personnel and determine that the reconciliation procedures
have not changed from interim to year-end.
Control 2: Daily Manual Preventive Control
Nature, Timing, and Extent of Procedures
Objective of the Test: To determine whether misstatements in cash (existence) and
accounts payable (existence, valuation, and completeness) would be prevented on a timely basis.
Test the control that a cash disbursement is made only after matching the invoice with the
receiving report and purchase order.
Select 25 disbursements (voucher packages) from the cash disbursement registers from
January through September. Perform the following procedures:
a. Examine the invoice to see if it includes the signature or initials of the accounts payable
of one transaction in December.
Control 3: Programmed Preventive Control and Weekly Information Technology-
Dependent Manual Detective Control
Nature, Timing, and Extent of Procedures
Objective of the Test: To determine whether misstatements in cash (existence) and
accounts payable/inventory (existence, valuation, and completeness) would be prevented or
detected on a timely basis.
Test the programmed application control of matching the receiving report, purchase order,
and invoice as well as the review and follow-up control over unmatched items. To test the
programmed application control, perform the following procedures:
a. Identify, through discussion with company personnel, the software used to process
receipts and purchase invoices.
b. Determine, through further discussion with company personnel, that they do not modify the core
d. Identify, through discussions with the entity and review of the supplier’s
documentation, the names, file sizes (in bytes), and locations of the executable files
reference numbers) and unmatched items (for example, receipts, orders or invoices)
are listed on the exception report.
f. Determine whether the programmed control is operating effectively by performing a
walkthrough in the month of July.
Test the detect control and follow-up on the Unmatched Items Report by performing the
following procedures in the month of July for the period January to July:
a. Make inquiries of the employee who follows up on the weekly unmatched items
reports and determine why items appear on it.
b. Observe the performance of the control.