
BA 120.1 Auditing Theory
Internal Control and Corporate Governance

Today's Class
Activities July 7, 14, and 21 (Exam)
Class groups
Internal control over financial reporting
    Components of internal control
    Common internal control activities

Corporate governance and audits


    Corporate governance defined
    Responsibilities of audit committees
    Required communications between audit firm and audit committees
    Relationship between corporate governance and audit risk
    Generally accepted auditing and attestation standards

Non-recorded Exercise

Activities: Next 3 sessions


July 7: Internal Control and Corporate Governance
July 14: Overall review for the exam (+ graded recitation)
We will start at 2pm.

July 21: First Long Examination


1:45pm - 4pm (Exam Proper)
4:15pm - 5:15pm (Discussion)

Class Grouping
Expect to have exercises on the second and third part of our course. Group yourselves into 5 (though some groups may only have 4 members). On a piece of paper, submit to me the list of the members in your group, together with your Group Name. The Group name should be Auditing-related, but try to be creative. You have 5 minutes to finish the exercise.

Review: Materiality
Based on PSA 320, A47: The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor's report.

Review: Performance Materiality


A student enrolled in an auditing course. The course contains 60 lectures in total. To qualify for the exam, students have to fulfil the attendance criteria, i.e. a student can be absent from 10 lectures as a whole but not from more than 1 lecture in a week.
Overall Financial Statement Materiality, Planning Materiality, Tolerable Misstatements, and Posting Materiality?
Inverse relationship between materiality and audit risk?

LESSON STRUCTURE
Assessing Client Acceptance and Retention Decisions
PSA 200 Overall Objectives of the Independent Auditor
Understanding the Client
Obtaining Evidence about Controls
Obtaining Substantive Evidence
Wrapping Up the Audit

PSA 315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement

PSA 330 The Auditor's Responses to Assessed Risks

PSA 260 Communication with Those Charged with Governance

PSA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

What is internal control?


PSA 315 (Redrafted), 4c: The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations.

What is internal control?


PSA 315 (Redrafted), A40: Internal control is designed, implemented, and maintained to address identified business risks that threaten the achievement of any of the entity's objectives that concern:
    The reliability of the entity's financial reporting;
    The effectiveness and efficiency of its operations; and
    Its compliance with applicable laws and regulations.
The way in which internal control is designed, implemented and maintained varies with an entity's size and complexity.

Components of internal control


Based on PSA 315, A47:
    The control environment
    The entity's risk assessment process
    The information system, including the related business processes, relevant to financial reporting, and communication
    Control activities
    Monitoring of controls

The Control Environment


Based on PSA 315, A65: Includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity. The control environment sets the tone of an organization, influencing the control consciousness of its people.

The Control Environment - elements


Based on PSA 315, A65:
    Communication and enforcement of integrity and ethical values
    Commitment to competence
    Participation by those charged with governance
    Management's philosophy and operating style
    Organizational structure
    Assignment of authority and responsibility
    Human resources policies and practices
Example Code of Conduct

The Control Environment


A strong control environment is the first, and most important, line of defense against the risks related to the accuracy and completeness of financial statements. However, a strong control environment cannot reduce all the financial reporting risks to zero. Therefore, management must implement specific control activities to minimize misstatements in the financial records.

Risk assessment
Involves identification and analysis of the risks of material misstatement in financial reports.

Risk assessment
Risk can arise or change due to the following circumstances:
    Changes in operating environment
    New personnel
    New or revamped information systems
    Rapid growth
    New technology
    New business models, products, or activities
    Corporate restructurings
    Expanded foreign operations
    New accounting pronouncements

Information and Communication


PSA 315, A77: Information system consists of the procedures and records designed and established to:
    Initiate, record, process and report entity transactions
    Resolve incorrect processing of transactions
    Process and account for system overrides or bypasses to controls
    Transfer information from transaction processing systems to the general ledger
    Capture information relevant to financial reporting for events and conditions other than transactions
    Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized and appropriately reported in the FS.

Information and Communication


Information and communication usually involves a two-way flow:
    From top management to the rest of the organization
    From the bottom up, communicating economic information as well as deviations from the organization's policies (including whistleblower system).

Control activities
Control activities are the policies and procedures that are established to assist organizations in accomplishing objectives and mitigating risks. Control activities involve two elements:
    (a) The design and implementation of the controls including a description of how the control activities operate; and
    (b) The operation of the controls
Sample control register

Preventive vs. Detective Controls


Preventive controls are designed to prevent the occurrence of a misstatement.
    Access controls
    Edit controls

Detective controls provide evidence on whether processing has been effective in preventing errors.
    Reconciliation controls

Control activities
Authorization
Performance reviews
Information processing
Physical controls
Segregation of duties

Monitoring
A process to assess the effectiveness of internal control performance over time. Management accomplishes this through ongoing activities, separate evaluations, or a combination of the two. Internal auditing is often considered a highly effective monitoring control.

IT Controls integrated into Internal Control


General Computer Controls (General-IT controls).
    Planning and controlling the data processing function
    Controlling applications development and changes to programs and/or data files and records
    Controlling access to equipment, data, and programs
    Assuring business continuity such that control failures do not affect data or programs
    Controlling data transmission

Application Controls
    Input controls
    Processing controls
    Output controls

Auditor Evaluation of Internal Controls


In determining control risk, the auditor will assess control risk on a scale from high (weak controls) to low (strong controls).
Refer to Exhibit 5.10 (textbook)
Test of controls
    Design effectiveness
    Operating effectiveness

Substantive tests

What is Corporate Governance?


A process by which the owners and creditors of an organization exert control and require accountability for the resources entrusted to the organization.
PSA 260 has defined two groups who have responsibilities and accountabilities as far as corporate governance is concerned:
    Those charged with governance
    Management

Role of Audit Committees


A standing committee of the board of directors whose purpose is to oversee the accounting and financial reporting processes of the company and the financial statement audits.
Primary responsibilities:
    Provide oversight of the accounting and financial reporting processes and of the financial statement audits;
    Appoint, compensate, and oversee the external auditor, including approving any non-audit services to be provided by the external auditor.
    Ensure that the board establishes a whistleblower program.

Matters to be communicated
The auditor's responsibilities in relation to the financial statement audit;
Planned scope and timing of the audit;
Significant findings from the audit;
Significant deficiencies in the internal control
Auditor independence

Communication process
Auditor shall communicate with those charged with governance the form, timing, and expected general content of the communications.
Forms of Communication
In writing, when:
    Regarding significant findings from the audit, if oral communication would not be adequate
    Disclosing auditor independence for audited listed entities, as stated in paragraph 13 of PSA 260.
    Significant deficiencies in internal control (shall also discuss this with management), as stated in PSA 265.
    Specific legislature or law requires it.

Exercise
Internal Control and Corporate Governance
