Chapter 7

Auditing Internal Control over Financial Reporting

Where we are

• Introduction• Audit basics– Risk– Materiality– Evidence– Documentation

• Audit Phases– Planning– Internal controls in a financial statement audit– Internal controls in an integrated audit

What we’ll cover

• Difference between internal control in financial statement audit and internal control in integrated audit

• Management’s responsibilities• Auditor’s responsibilities• Steps in auditing internal controls

Different approaches of evaluating internal controls

Financial statement audits• Audits of non-public entities• Regulated by AICPA• No requirements of management• Auditors are required to

understand internal controls• Auditors may choose to rely upon

controls. If so, they must test controls.

• Auditors communicate control weaknesses to board of directors.

Integrated audits• Audits of public corporations• Regulated by PCAOB• Management has some

responsibilities• Auditors are required to

understand internal controls• Auditors are required to audit

internal controls, including testing.

• Auditors issue report on internal controls.

Management’s responsibilities

• Accept responsibility for controls• Evaluate effectiveness of internal controls

using COSO– Entity-level– Application controls– Risk-based

• Document internal controls• Report on internal controls

Management’s report

Auditor’s responsibilities• Risk assessment and fraud risk• Scaling the audit• Using work of others• Materiality

Controls over • unusual transactions• adjusting entries• related-party

transactions• Management estimates

• Entity level controls

• Identify significant assertions

• Understand sources of misstatement

• Select controls to test

• Control environment• Year-end process

Controls and tests• Controls

– Authorization– Documents– Records– Segregation of duties– Independent checks– Safeguard assets

• Tests– Walkthrough– Inquiry

• How control is done• When is it done (frequency)• What happens if there is an exception (detective control)• Who performs the control

– Observe– Inspect documents– Re-perform

Example – movie theater

Theater Theater

Planning• Risk assessment• Scaling• Work of others• MaterialityIdentify controls• Entity level controls• Assertions

(transactions)• Occurrence• Completeness• Authorization• Accuracy• Cutoff• Classification

• Understand sources of misstatement

• Select controls to test

Assertion Source of Misstatement Control

Tests

Walkthrough transaction All recorded sales occurred False sales recorded Monthly reconciliation of register

reports to sales journal entries Monthly reconciliation of sales journal entries to deposits of cash

Inquire what happens if exceptions are found Re-perform sample of reconciliations

All sales events recorded Customers do not pay for entry Clerk does not record sale

Tickets disbursed to customers and collected

Observe process

All sales authorized Low risk of misstatement Sales recorded accurately Sales entered into register at

incorrect amount Register total entered incorrectly into journal

Clerk selects ticket type rather than entering amount Monthly reconciliation of register reports to sales journal entries

Observe register use Re-perform sample of reconciliations

Sales recorded in the correct fiscal period

Sales recorded in subsequent period Sales recorded in prior period

Sales recorded every night Vouch from journal to register report 2 days before and after FYE

Sales recorded in the correct account

NA

Cash balances exist Cash balance not reported correctly

Monthly bank reconciliation Bank confirmations

Cash balances owned by client Low risk of misstatement All cash balances are reported Low risk of misstatement Cash accurately valued Low risk of misstatement AR balances exist Insignificant account AR owned by client Insignificant account All AR reported Insignificant account AR valued correctly Insignificant account

Practice

• Problem 7-34

Types of deficiencies

Evaluate deficiencies• Risk factors that a control deficiency will result in a

misstatement (likelihood):– Nature of assertions involved– Susceptibility of balance to fraud– Amount of judgment required to determine amount involved– Relationship with other controls– Possible consequences of the deficiency

• Factors that affect whether the misstatement may be material:– The amounts exposed to the deficiency– The volume of activity exposed to the deficiency

Practice

• 7-35• 7-36

Remediation of deficiencies

• Clients may fix weaknesses-- Must be fixed by “as of” date- Must be testable before “as of” date

Reporting on internal control

Adverse Opinion

Includes• Definition of material weakness• Description of particular weakness• Opinion

Would it be possible to give an adverse opinion on internal controls and an unqualified opinion on the financial statements?

Report of Independent Registered Public Accounting Firm To the Board of Directors and Shareholders of American International Group, Inc.:

In our opinion, the consolidated financial statements listed in the accompanying index present fairly, in all material respects, the financial position of American International Group, Inc. and its subsidiaries (AIG) at December 31, 2007 and 2006, and the results of their operations and their cash flows for each of the three years in the period ended December 31, 2007 in conformity with accounting principles generally accepted in the United States of America. In addition, in our opinion, the financial statement schedules listed in the accompanying index present fairly, in all material respects, the information set forth therein when read in conjunction with the related consolidated financial statements. Also in our opinion, AIG did not maintain, in all material respects, effective internal control over financial reporting as of December 31, 2007, based on criteria established in Internal Control — Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) because a material weakness in internal control over financial reporting related to the AIGFP super senior credit default swap portfolio valuation process and oversight thereof existed as of that date. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. The material weakness referred to above is described in Management’s Report on Internal Control Over Financial Reporting appearing under Item 9A. We considered this material weakness in determining the nature, timing, and extent of audit tests applied in our audit of the 2007 consolidated financial statements, and our opinion regarding the effectiveness of AIG’s internal control over financial reporting does not affect our opinion on those consolidated financial statements. AIG’s management is responsible for these financial statements and financial statement schedules, for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting, included in management’s report referred to above. Our responsibility is to express opinions on these financial statements, on the financial statement schedules, and on AIG’s internal control over financial reporting based on our integrated audits. We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement and whether effective internal control over financial reporting was maintained in all material respects. Our audits of the financial statements included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, and evaluating the overall financial statement presentation. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions. A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

PricewaterhouseCoopers LLP New York, New York February 28, 2008

CommunicationsFrom manager to auditorManagement is responsible for ICMgt has evaluated ICMgt did not rely on work of auditorMgt has disclosed all weaknessAny material fraudResolution of weaknessesChanges in IC

From auditor to company

All material weaknesses and significant deficiencies to both management and the board

Control deficiencies to management

Practice

• 7-37• 7-38• 7-39• 7-43

Computer – Assisted audit techniques

• Generalized audit software– File and database access– Selection of data– Statistical analysis

• Custom audit software• Test date

Chapter summary

• Difference between internal control in financial statement audit and internal control in integrated audit

• Management’s responsibilities• Auditor’s responsibilities• Steps in auditing internal controls

Review questions

• 7-1• 7-2• 7-6• 7-14