606 Understanding Internal Control

Card Set Information
Author: Kshowalter
ID: 95596
Updated: 2011-07-30 10:52:24
Tags: Understanding Internal Control
Description: Understanding Internal Control

The flashcards below were created by user Kshowalter on FreezingBlue Flashcards.


  1. 606 The Understanding of Internal Control

    606.1 SAS No. 109 (AU 314), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, provides guidance to auditors related to consideration of internal control as part of an audit. It also provides guidance about how the entity's use of information technology (IT) affects the auditor's consideration of internal control in planning the audit.
  2. Components of Internal Control

    606.2 SAS No. 109 (AU 314.40)
    requires auditors to obtain an understanding of internal control that
    is sufficient to assess the risk of material misstatement of the
    financial statements due to error or fraud and to design the nature,
    timing, and extent of further audit procedures. SAS No. 109 requires an
    understanding of the five interrelated components of internal control
    defined and described in COSO's Internal Control—Integrated Framework. Those components are as follows:
    a. Control environment (see further discussion beginning at paragraph 606.22).

    b. Risk assessment (see further discussion beginning at paragraph 606.35).

    c. Information and communication (see further discussion beginning at paragraph 606.39).

    d. Monitoring (see further discussion beginning at paragraph 606.58).

    e. Control activities (see further discussion beginning at paragraph 606.71).
  3. 606.3 In assessing the risk of
    material misstatement of the financial statements to develop an overall
    audit strategy, auditors generally focus on obtaining an understanding
    of the control environment, risk assessment, information and
    communication, and monitoring components, typically obtaining an
    understanding of the control environment first. The understanding of
    control activities is not needed until planning the nature, timing, and extent of further audit procedures at the assertion level. As a practical matter, however, auditors often obtain an understanding of control activities while obtaining an understanding of the other control components. As a CIRA's operations and systems become more complex, auditors will most likely need to increase their understanding of the internal control components to obtain the understanding necessary to assess the risk of material misstatement of the financial statements and to plan the nature, timing, and extent of further audit procedures.
  4. Nature of the Auditor's Understanding

    606.4 As indicated in paragraph 606.2, SAS No. 109 (AU 314)
    requires auditors to obtain a sufficient understanding of the five
    components of internal control to assess risk and design the nature,
    timing, and extent of further audit procedures. To obtain that
    understanding, the SAS requires auditors to perform risk assessment procedures to (a) evaluate the design of controls that are relevant to the audit and (b) determine if they have been implemented. A key consideration is whether and how the CIRA's internal control prevents, or detects and corrects, material misstatements in relevant assertions related to transaction classes, account balances, or disclosures.
  5. 606.5 Evaluation of design
    considers whether the control, individually or in combination with other
    controls, is capable of effectively preventing, or detecting and
    correcting, material misstatements. In other words, the auditor considers the effectiveness of the control in achieving its objective. If a control is improperly designed, it may represent a control deficiency that needs to be communicated to management and those charged with governance as more fully described in section 812.
  6. 606.6 The documentation of a
    control procedure, however, does not demonstrate that the control is
    actually operating as intended. The auditor, therefore, should also
    determine if the control, as documented or described, actually exists and the CIRA is using it. In other words, the auditor should use risk assessment procedures to obtain audit evidence that the control has actually been implemented. Generally, the auditor uses procedures such as observation or inspection, combined with inquiries, to verify implementation. Inquiry alone is not sufficient to evaluate the design of a control and determine if it has been implemented.
  7. 606.7 Normally, the auditor's
    understanding of internal control design and implementation is not
    sufficient to serve as testing the operating effectiveness of controls.
    The same types of procedures performed to determine if a control has
    been implemented (e.g., observation, inspection of documents,
    reperformance, and walkthroughs) are also used when testing controls for
    operating effectiveness. However, the extent of the procedures to
    determine implementation may fall short of what is needed to determine
    operating effectiveness because tests of operating effectiveness need to
    provide audit evidence about how controls were applied throughout the
    period under audit and the consistency with which they were applied. However, in some cases, the auditor's procedures may serve both purposes. For example, a walkthrough can serve as a test of controls for operating effectiveness and in some cases, along with other procedures that test operating effectiveness, can provide a valid basis for assessing control risk at less than high. In addition, for an automated control where consistency of application would normally occur assuming the existence of effective IT general controls, the auditor may be able to determine operating effectiveness based on procedures performed to establish that the control has been implemented and the auditor's assessment and testing of the related general controls.
  8. Extent of the Auditor's Understanding

    606.8 As indicated in paragraph 606.2, the overriding requirement regarding the understanding of internal control is that it should be sufficient to assess the risk of material misstatement of the financial statements due to error or fraud and to design the nature, timing, and extent of further audit procedures. Obtaining an understanding that is sufficient to assess the risks of material misstatement requires the auditor to develop a fairly thorough and robust knowledge of the components of internal control. That is primarily because the auditor is required to have, and document, the basis for his or her risk assessment. The auditor is not permitted to simply default to high control risk. In most situations, the auditor's understanding of internal control will be more comprehensive than the understanding of the other aspects of the CIRA and its environment discussed in section 605, and obtaining it will require more time. In addition, for initial audit engagements, the effort and time to gather information on the components of internal control that is sufficient to assess risk will most likely exceed that necessary for engagements in following years.
  9. 606.9 In general terms, the extent
    of the understanding, along with the nature, timing, and extent of the
    associated risk assessment procedures performed to obtain the
    understanding, are affected by factors such as the following:
    • The auditor's prior experience with the client.

    • Materiality and tolerable misstatement.

    • Size of the CIRA.

    • Type of legal entity (corporation, association, etc.) and development (condominium, planned unit development, etc.).

    • Number and nature of operating locations.

    • Degree of diversity of systems within the CIRA, including the use of service organizations.

    • Nature of the CIRA industry.

    • Applicable legal and regulatory requirements.

    • Level of business and financial sophistication of the client.
  10. 606.10 The auditor's understanding of the CIRA and its environment other than internal control as discussed in paragraph 605.7 (as well as preliminary engagement activities discussed in section 601)
    will generally influence the extent of the understanding of internal
    control components. Most of the factors noted in paragraph 606.9
    are determined to a major degree when the auditor performs risk
    assessment procedures to understand the entity and its environment.
    Furthermore, that understanding often results in the identification of risks of material misstatement that further shape the direction, extent, and depth of the auditor's understanding of internal control. (However, the auditor should be aware that additional risks of material misstatement may be identified when obtaining an understanding of internal control and by performing further audit procedures.) The authors recommend that the auditor perform risk assessment procedures related to the understanding of the CIRA and its environment discussed in section 605 before obtaining an understanding of internal control.
  11. 606.11 How Are the Results of the Understanding Used? As noted in paragraph 606.2,
    the understanding of internal control should be sufficient to assess
    the risks of material misstatement and to design the nature, timing, and
    extent of further audit procedures. Specifically, the understanding is
    used to:
    • Identify types of potential misstatements.

    • Consider factors that affect the risks of material misstatement.

    • Design tests of controls, when applicable, and substantive procedures.

    In addition, the auditor should be alert for risks that may be identified during the process of obtaining an understanding of internal controls. Where applicable, identified risks can be documented on “Understanding the Entity and Identifying Risks” (HOA-CX-3.1) or the “Risk Assessment Summary Form” (HOA-CX-7.1).
  12. Effect of Information Technology (IT) on Internal Control

    606.12 SAS No. 109 (AU 314.96) notes that the auditor should consider whether the entity established effective controls that adequately respond to the risks that arise from IT. Such controls include both properly designed and implemented application controls and general controls upon which application controls depend. The AICPA risk assessment guide, Assessing and Responding to Audit Risk in a Financial Statement Audit (paragraph 4.63), notes that the auditor should evaluate the design of IT general controls and determine whether they have been implemented when assessing the risks of material misstatement. Auditors should consider testing general controls when they plan to rely on IT application controls to modify the nature, timing, and extent of substantive tests.
  13. 606.13 In addition to the risks of material misstatement due to error or fraud that IT may introduce, the auditor should be aware that the use of IT may affect the availability of information needed for the audit. Furthermore, in certain situations the auditor may be precluded from using only substantive procedures when the role of IT is significant to the processing of transactions. For example, in highly automated processing with little or no manual intervention where information is initiated, authorized, recorded, processed, or reported electronically, the auditor may determine that detection risk cannot be adequately reduced without testing the operating effectiveness of controls.
  14. 606.14 Considering Whether Specialized IT Skills Are Needed to Understand Internal Control. Auditors should consider whether specialized IT skills are needed to determine the effect of IT on the audit, understand IT controls, or design and perform tests of IT controls or substantive procedures. That determination should be made relatively early in the planning process to assure that the necessary resources are available on a timely basis. The decision to use an IT specialist is a matter of auditor judgment. SAS No. 108 (AU 311.23) states that auditors should consider the following factors in determining whether the audit team should include individuals who possess specialized IT skills:
    • The significance of changes made to existing systems or the implementation of new systems.

    • The extent to which data is shared among systems.

    • The CIRA's use of emerging technologies.

    • The significance of audit evidence that is available only in electronic form.

    • The extent of the CIRA's participation in e-commerce.

    An IT specialist may be either a member of the auditor's firm or an outside professional.
  15. 606.15 However, an IT specialist might not be needed, even for complex computer systems, if one or more of the following conditions exist:
    a. The CIRA uses only purchased software and has no access to the source code.

    b. The CIRA uses a service organization for its computer services and there is a recent service auditor's SAS 70 report on the service organization's internal control.

    c. The auditor believes he or she can identify types of potential misstatements. This will normally be the case when manual control procedures are adequate to prevent or detect material misstatements in computer-processed information.
  16. 606.16 If a CIRA's systems are complex, such as when a
    significant amount of information is electronically initiated, recorded,
    processed, or reported, or when evidence is available only in electronic form,
    specialized skills may be needed. In those cases, either a professional on the
    audit staff who possesses IT skills or an outside professional may be needed.
    An IT specialist may help the auditor by—
    • Inquiring of a CIRA's IT personnel about how data and transactions are initiated, authorized, recorded, processed, and reported and how IT controls are designed.

    • Inspecting systems documentation.

    • Observing the operation of IT controls.

    • Planning and performing tests of IT controls.
  17. 606.17 If the auditor uses
    an IT specialist on the engagement team, the auditor should be knowledgeable
    enough to communicate the audit objectives to the specialist, evaluate whether
    the procedures performed by the specialist meet the auditor's objectives, and
    determine the effects of the procedures on the nature, timing, and extent of
    other planned procedures. That does not mean auditors have to be experts in
    information technology. The auditor's responsibility when using a computer specialist is the same as for other members of the engagement team. To effectively supervise an IT specialist, auditors need a basic understanding of computer applications and controls, especially those most relevant to particular client systems. That understanding can be gained from experience with the client or from attending training classes or seminars. The extent of the understanding will vary with the nature of the entity's IT environment. If the firm uses an outside professional, the guidance in SAS No. 73 (AU 336) should be considered.
  18. Documentation

    606.18 SAS No. 109 requires documentation of the understanding of the CIRA and its environment, including internal control. For internal control, the auditor is required to document the understanding obtained for the five components of internal control. The auditor should also document the sources of the information used and risk assessment procedures that were performed to obtain the understanding.
  19. 606.19 SAS No. 109 permits
    auditors flexibility in the manner of documentation. The form and extent of
    documentation is influenced by factors such as the complexity, size, and nature
    of the CIRA and the use of technology. Where applicable, some auditors have
    supplemented their documented understanding with existing documentation of control systems prepared by the client. Due to the increasing visibility of the importance of controls, some CIRAs have developed or enhanced their internal documentation and evaluation of internal controls. Auditors may consider inquiring of the client about the existence of such documentation along with any supporting evaluation of the effectiveness of controls. In those cases, the auditor may gain additional audit efficiencies and a better understanding of the CIRA's internal control.
  20. 606.20 This Guide provides the following practice aids
    that can be used to document the auditor's understanding of internal control,
    including the evaluation of its design and implementation:
    • “Understanding the Design and Implementation of Internal Control” (HOA-CX-4.1). This form can be used to document the understanding of entity-level controls along with the sources of information used and procedures performed to obtain or update the understanding. The auditor also uses this form to document his or her evaluation of the design and implementation of entity-level controls and to identify and link to the documentation of general controls and significant transaction classes.

    • “Financial Reporting System Documentation Form—Significant Transaction Classes” (HOA-CX-4.2.1). This form can be used to document the understanding of the flow of information through the CIRA's financial reporting system (which includes the accounting system) for significant transaction classes. The auditor can also indicate if the controls are properly designed and implemented and document the sources of information used and procedures performed to obtain or update the understanding.

    • “Financial Reporting System Documentation Form—IT Environment and General Computer Controls” (HOA-CX-4.2.2). This form can be used to document the understanding of the CIRA's IT environment (including consideration of controls at a service organization) and general computer controls, as well as the decision about whether to use an IT specialist. The auditor can also indicate if general controls are properly designed and implemented and document the sources of information used and procedures performed to obtain or update the understanding.

    • “Walkthrough Documentation Table” (HOA-CX-4.3). This form can be used to document the performance of a walkthrough. A walkthrough confirms the understanding of the design and implementation of controls by tracing a transaction through the CIRA's system from its initiation to inclusion in the general ledger and financial statements.

    • “Activity and Entity-level Control Forms” (HOA-CX-5). These forms are optional source lists of control activities and entity-level controls by transaction class (for each audit area) or by objective (for entity-level controls). The forms provide a list of common key controls that are applicable for many CIRAs. The forms can be used as a memory jogger to assist the auditor in identifying and describing the CIRA's controls or as a supplement to narratives or flowcharts to further document the understanding of controls and to indicate which controls are being tested. In addition, Appendix 6A lists common control objectives by transaction class for various audit areas.
  21. 606.21 When a further
    understanding of control activities is needed, the auditor can document this
    understanding using the “Control Activities Forms” at HOA-CX-5. These forms allow the documentation of whether a control activity is properly designed and implemented as well as whether it is operating effectively.
  22. Control Environment

    606.22 The control
    environment sets the tone of the CIRA and influences the control consciousness
    of its people. The control environment is the foundation for all other components of internal control and provides structure and discipline. Among the important elements of the control environment are the attitude, awareness, and actions of management, as well as those charged with governance, concerning internal control. Control environment considerations as discussed in this and the following paragraphs generally are relevant, regardless of whether the CIRA has a managing agent.
  23. 606.23 The control environment includes the following elements:
    • Communication and enforcement of integrity and ethical values.

    • Commitment to competence.

    • Participation of those charged with governance.

    • Management's philosophy and operating style.

    • Organizational structure.

    • Assignment of authority and responsibility.

    • Human resource policies and practices.
  24. 606.24 A CIRA's control
    environment is a significant factor when considering the risks of material
    misstatement due to error or fraud. The integrity of the CIRA's management,
    including managing agent, if any, often plays a significant role in
    establishing a strong control environment. For example, although a CIRA might not have a written code of conduct, it might still have a culture that emphasizes the importance of integrity and ethical behavior. That culture will be instilled through the visibility and direct involvement of the CIRA's management. Obtaining an understanding of the control environment of a small or midsize CIRA need not be a complex process. The term is more formal and imposing than the idea behind it. The control environment is simply the conditions and circumstances that exist within the entity that demonstrate management's attitude about controls and other indicators of management's integrity and motivation.
  25. 606.25 The auditor should
    obtain a sufficient knowledge of the control environment as a result of
    performing risk assessment procedures to understand the attitudes, awareness,
    and actions of management and those charged with governance concerning internal
    control and its importance in achieving reliable financial reporting. The responsibilities assumed by management and those charged with governance related to financial reporting are particularly important. For example, the auditor should identify the members of management, and directors if any, who are expected to understand the CIRA's business transactions and to evaluate whether they are appropriately reflected in the financial statements. The auditor considers both (a) the aspects of the control environment that help ensure the integrity of financial reporting (that is, the key control environment controls) and (b) any control environment weaknesses that could have a pervasive effect on the financial statements.
  26. 606.26 The audit evidence
    for elements of the control environment is often not available in documentary
    form. When it is available, the auditor may inspect documents, for example, a
    written code of conduct, as evidence of how management communicates its views
    of business practices and ethical behavior. While formal documentation may be preferable, it is not always necessary in order for a policy to be in place and operating effectively. This is emphasized in a nonauthoritative AICPA Technical Practice Aid, Obtaining an Understanding of the Control Environment (TIS 8200.08). TIS 8200.08 notes that if an auditor decides to rely on these controls (whether documented or not), they are required to test the controls. For example, in a small CIRA human resource policies may not be formally documented as they would be in a larger CIRA. Even so, policies and practices can still exist and be communicated orally. When documentary evidence is not available, the auditor might observe management's and directors' actions and attitudes.
  27. 606.27 Factors to consider
    for each element of the control environment to understand its design and
    implementation and identify risks are provided at HOA-CX-4.1, “Understanding the Design and Implementation of Internal Control.”
  28. 606.28 Owner/managers are
    common in small commercial businesses, and comparable situations exist in many
    small CIRAs. For example, a small association may, in effect, be controlled by
    a president or chairman of the board who operates much like an owner/manager in
    that he or she is heavily involved in daily operations and designing accounting
    controls. Consideration of management integrity (or of the integrity of the management of the managing agent) is an important factor in deciding whether to accept a CIRA engagement, as explained in section 601. Factors such as management's tendency to take unusual or unnecessary business risks may increase audit risk. In preliminary planning, an auditor needs to reconsider the background information on management integrity along with the knowledge that has been obtained about the client's business, its operations, and its industry.
  29. 606.29 The purpose of the
    auditor's reconsideration is to assess whether the attitude of management or
    the managing agent, if applicable, in the particular circumstances might create
    an increased risk of material misstatement of the financial statements. CIRA management that is dominated by a single individual or small group without compensating controls, because of the ability to dominate activities or override controls, is in a position to execute and conceal improper transactions. (A managing agent may have similar opportunities if the CIRA board of directors does not exercise sufficient control over the managing agent's activities.) Even basically honest management may be motivated in some cases to materially misstate the financial statements, and an auditor needs to recognize those circumstances and consider them in planning, especially when identifying risks of material misstatement of the financial statements due to fraud.
  30. 606.30 Some of the circumstances that increase the risk of
    material misstatement of the financial statements of a small CIRA because of
    their effect on management's (or the managing agent's) attitude are as follows:
    a. A threat to management's personal net worth resulting from a poor or deteriorating financial condition when management has a significant interest in the CIRA.

    b. A significant portion of management's compensation depends on incentives, the value of which is dependent on the CIRA meeting performance targets (for example, budget, cash flow, or other financial or operating goals, such as a percentage of delinquent dues collected).

    c. Managing agents feel they deserve perks such as free landscaping, etc. for the time they have invested in the CIRA.
  31. 606.31 In a smaller CIRA, a
    strong control environment can partially compensate for control deficiencies in
    other areas, including inadequate segregation of duties. The control
    environment is often viewed synonymously with “tone at the top.” Employees of smaller CIRAs often interact with management and typically are influenced by the tone at the top. Consequently, smaller CIRAs often develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example.
  32. 606.32 Due to the role of
    the control environment, the auditor's understanding of this area may influence
    how the auditor approaches obtaining an understanding of other areas of
    internal control, as well as the ultimate assessment of risk at the overall financial statement level. Risk at the overall financial statement level is discussed beginning with paragraph 607.23.
  33. 606.33 All CIRAs should be proactive in reducing fraud
    opportunities by identifying and measuring fraud risks, taking steps to
    mitigate identified risks, and implementing and monitoring appropriate
    preventive and detective controls and other antifraud measures. However, the
    nature and extent of these risk assessment and monitoring activities should be
    commensurate with the size and complexity of the CIRA. It is important for
    management to understand its responsibility for establishing and monitoring the
    CIRA's fraud risk assessment process. That process is likely to be less formal
    and structured in a smaller CIRA than in a larger CIRA, but should include a
    sufficient degree of fraud awareness on the part of the CIRA's president and
    board of directors and appropriate fraud risk management activities with
    oversight from those charged with governance. The fraud risk assessment and
    monitoring process for a typical small to midsize CIRA may include:
    a. Communicating to employees the management's views on business practices and ethical behavior, either orally or by example.

    b. Thoroughly investigating any incidents of alleged fraud, taking appropriate and consistent actions against violators, assessing how relevant controls could be improved, correcting any effects on the financial statements, and reinforcing the CIRA's values and expectations through appropriate communication.

    c. Considering standards of ethical behavior and appropriate business practices in the CIRA's employee training and evaluation procedures.

    d. Identifying fraud risks and taking appropriate action to reduce or eliminate the risks.

    e. Appropriate oversight of the CIRA's fraud risk assessment and monitoring activities by the board of directors or audit committee (if the CIRA has one).
  34. 606.34 Documentation of the Control Environment
    The “Understanding the Design and Implementation of Internal Control” form at HOA-CX-4.1 can be used to document the auditor's understanding of the CIRA's control environment along with sources of information and procedures performed to obtain or update the understanding.
