
Lecture Auditing and assurance services (Second international edition) Chapter 7 Auditing internal control over financial reporting


Chapter Seven

Auditing Internal
Control over
Financial Reporting

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Management Responsibilities under
Section 404
Section 404 of the Sarbanes-Oxley Act requires
managements of publicly traded companies to
issue an internal control report that explicitly
accepts responsibility for establishing and
maintaining ‘adequate’ internal control over
financial reporting (ICFR).



Management Responsibilities under
Section 404
Management must comply with the following in
order for its public accounting firm to complete an
audit of ICFR.
1. Accept responsibility for the effectiveness of the
entity’s ICFR.
2. Evaluate the effectiveness of the entity’s ICFR using
suitable control criteria.
3. Support its evaluation with sufficient evidence,
including documentation.
4. Present a written assessment of the effectiveness of
the entity’s ICFR as of the end of the entity’s most
recent fiscal year.


Auditor Responsibilities under Section
404 and AS5
The entity’s independent auditor must audit and
report on the effectiveness of ICFR. The auditor is
required to conduct an integrated audit of the
entity’s ICFR and its financial statements.



ICFR Defined
ICFR is defined as a process designed to provide
reasonable assurance regarding the reliability of
financial reporting and the preparation of financial
statements in accordance with GAAP. Controls include
procedures that:
1. Pertain to the maintenance of records that fairly reflect the
transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are
recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or
disposition of the company’s assets.


Internal Control Deficiencies Defined
A control deficiency exists when the design or
operation of a control does not allow management
or employees, in the normal course of performing
their assigned functions, to prevent or detect
misstatements on a timely basis.

A significant deficiency is a deficiency, or a
combination of deficiencies, in internal control over
financial reporting that is less severe than a
material weakness, yet important enough to merit
attention by those responsible for oversight of the
company's financial reporting.


Internal Control Deficiencies Defined
A control deficiency may be serious enough that it is to be
considered not only a significant deficiency but also a
material weakness in the system of internal control. A
material weakness is a deficiency, or a combination of
deficiencies, in ICFR, such that there is a reasonable
possibility that a material misstatement of the annual or
interim financial statements will not be prevented or
detected on a timely basis.
As illustrated on the next slide, the auditor must consider
two dimensions of the control deficiency: likelihood
(reasonably possible) and magnitude (material,
consequential, or inconsequential).


Internal Control Deficiencies Defined
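[Figure: control deficiencies classified by magnitude (vertical axis: material; not material but significant; not material or significant) and likelihood (horizontal axis: remote; reasonably possible or probable), with regions labelled material weakness, significant deficiency, and control deficiency.]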


Management’s Assessment Process

Management must follow a top-down, risk-based
approach:
1. Identify financial reporting risks and controls.
2. Evaluate evidence about the operating effectiveness
of ICFR.
3. Consider which locations to include in the evaluation.



Framework Used by Management to
Conduct Its Assessment
Most entities use the framework developed by COSO.
This framework identifies three primary objectives of
internal control: (1) reliable financial reporting;
(2) efficiency and effectiveness of operations;
and (3) compliance with laws and regulations.



Identify Entity-Level Controls



Management’s Documentation
Management must develop sufficient
documentation to support its assessment of
the effectiveness of internal control. This
documentation may take many forms, such as
paper, electronic files, or other media. It also
includes policy manuals, job descriptions,
flowcharts, and process models.



Performing an Audit of ICFR




Integrating the Audits of Internal
Control and Financial Statements
An integrated audit is composed of the audits of
internal control and the financial statements. The
control testing impacts the planned substantive
procedures. Also, the results of the substantive
procedures are considered in the evaluation of
internal control.

[Figure: Tests of internal control; Substantive audit procedures]


Effect of the Audit of Internal Control on
the Financial Statement Audit
When the auditor performs an integrated audit, he or
she will have access to a large amount of information
about the client’s controls. This information can make
the financial statement audit more efficient and result
in reduced substantive procedures.

Regardless of the level of control risk in connection
with the audit of the financial statements, auditing
standards require the auditor to perform some
substantive procedures for all significant accounts
and disclosures.



Effect of the Financial Statement Audit
on the Audit of Internal Control
The effectiveness of the audit of internal controls
should lead the auditor to determine the implications
of these findings on the financial statement audit. The
auditor’s evaluation should include:
1. Misstatements detected.
2. The auditor’s risk evaluations in connection with the
selection and application of substantive procedures,
especially those related to fraud.
3. Findings with respect to illegal acts and related-party
transactions.
4. Indications of management bias in making accounting
estimates and in selecting accounting principles.



Planning the Audit of ICFR

The planning process is similar to the process
used for the audit of financial statements.
Consider the following:
• Risk assessment and the risk of fraud.
• Scaling the audit.
• Using the work of others.
• Materiality.



Special Consideration:
Using the Work of Others
A major consideration for the external auditor is how
much work is to be performed by others. In determining
the extent to which the auditor may use the work of
others, the auditor should:
(1) evaluate the nature of the controls subjected to the
work of others,
(2) evaluate the competence and objectivity of the
individuals who performed the work, and
(3) test some of the work performed by others to evaluate
the quality and effectiveness of their work.
As the risk associated with the control being tested
increases, the external auditor should do more of the
work.



Using a Top-Down Approach



Identifying Significant Accounts
Size and composition of the account;
Susceptibility to misstatement due to errors
or fraud;
Volume of activity, complexity, and
homogeneity of the individual transactions
processed through the account or reflected in
the disclosure;
Nature of the account or disclosure;
Accounting and reporting complexities
associated with the account or disclosure.


Identifying Significant Accounts
Exposure to losses in the account;
Possibility of significant contingent liabilities
arising from the activities reflected in the
account or disclosure;
Existence of related-party transactions in the
account; and
Changes from the prior period in account or
disclosure characteristics.



Sources of Misstatement
Understand the flow of transactions related to the
relevant assertions, including initiation,
authorization, processing, and recording;
Identify the points within the entity’s processes at
which a misstatement could arise that would be
material;
Identify the controls that management has
implemented to address these potential
misstatements; and
Identify the controls that management has
implemented over the prevention or timely detection
of unauthorized acquisition, use, or disposition of
the company’s assets that could result in a material
misstatement of the financial statements.


Select Controls to Test




Test the Design and Operating
Effectiveness of Controls
Evaluate design
Test and evaluate operating effectiveness
• Nature: Inquiry, Inspection of documents,
observation, and reperformance
• Timing: Interim vs. ‘as of’ date
• Extent: Consider:
(1) Nature of the control;
(2) Frequency of operation;
(3) Importance of the control.


Evaluate Identified Control Deficiencies
