7-1

Chapter Seven
Auditing Internal Control
over Financial Reporting
in Conjunction with
an Audit of Financial Statements

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-2

Management Responsibilities under

Section 404

Section 404 of the Sarbanes-Oxley Act requires

managements of publicly traded companies to issue
an internal control report that explicitly accepts
responsibility for establishing and maintaining
“adequate” internal control over financial reporting.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-3

Management Responsibilities under

Section 404
Management must comply with the following in order
for its public accounting firm to complete an audit of
internal control over financial reporting.
1. Accepts responsibility for the effectiveness of the entity’s
internal control over financial reporting.
2. Evaluate the effectiveness of the entity’s internal control
over financial reporting using suitable control criteria.
3. Support its evaluation with sufficient evidence, including
documentation.
4. Present a written assessment of the effectiveness of the
entity’s internal control over financial reporting as of the
end of the entity’s most recent fiscal year.
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-4

Auditor Responsibilities under Section

404
The entity’s independent auditor must audit and report
on management’s assertion about the effectiveness of
internal control. The auditor is required to conduct an
“integrated audit “ of the entity’s internal control over
financial reporting and its financial statements.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-5

Internal Control over Financial Reporting

Defined

Internal control over financial reporting is defined as a

process designed to provide reasonable assurance
regarding the reliability of financial reporting and the
preparation of financial statements in accordance with
GAAP. Controls include procedures that:
1. Pertain to the maintenance of records that fairly reflect the
transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are
recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use or
disposition of the company’s assets.
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-6

Internal Control Deficiencies Defined

M Material Material
A weakness
G
N Significant
I Consequential deficiency
T
U
D Insignificant deficiency
E Inconsequential
Remote More than remote

LIKELIHOOD
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-7

Management’s Assessment Process

Management must:
1. Design and implement an effective system of internal
control. This process involves determining whether a
necessary control is missing or an existing control is not
properly designed.
2. Develop an ongoing assessment process for the internal
controls in place. Management must assess the likelihood
that failure of a control could result in a misstatement.
3. Management must decide which business units to include in
the assessment process.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-8

Management’s Documentation

Management must develop sufficient

documentation to support its assessment of the
effectiveness of internal control. This
documentation may take many forms, such as
paper, electronic files, or other media. It also
includes policy manuals, job descriptions,
flowcharts, and process models.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-9

Framework Used by Management to

Conduct Its Assessment

Most entities use the framework developed by COSO.

This framework identifies three primary objectives of
internal control: (1) reliable financial reporting;
(2) efficiency and effectiveness of operations;
and (3) compliance with laws and regulations.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-10

Performing an Audit of Internal Control

over Financial Reporting
Plan the engagement.

Evaluate management’s
assessment process.

The auditor typically obtains his or her understanding of

management’s assessment process through inquiry of
management and others.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-11

Performing an Audit of Internal Control

over Financial Reporting
Plan the engagement.

Evaluate management’s
assessment process.

Obtain and document an

understanding of internal control.

As part of gaining this understanding the auditor must:

1. Understand and assess
company-level controls.
2. Evaluate the effectiveness of
the audit committee.
3. Identify significant accounts.
4. Identify relevant financial
statement assertions.
McGraw-Hill/Irwin
5. Identify significant processes
and major classes of
transactions.
6. Understand the period-end
financial reporting process.
7. Perform walkthroughs.
8. Identify controls to test.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-12

Performing an Audit of Internal Control

over Financial Reporting
Plan the engagement.

Evaluate the management’s

assessment process.

Obtain and document an

understanding of internal control.

Evaluate the design effectiveness

of internal control.

Controls are effectively designed when they prevent or

detect errors or fraud that could result in material
misstatements in the financial statements.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-13

Performing an Audit of Internal Control

over Financial Reporting
Plan the engagement.

Evaluate the management’s

assessment process.

Obtain and document an

understanding of internal control.

Evaluate the design effectiveness

of internal control.

Test and evaluate the operating

effectiveness of internal control.
In testing the effectiveness of controls, the auditor needs to
consider the nature, timing, and extent of testing.
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-14

Performing an Audit of Internal Control

over Financial Reporting
The auditor should Plan the engagement.
evaluate all evidence
Evaluate the management’s
before forming an opinion
assessment process.
on internal control,
including (1) the adequacy Obtain and document an
of management’s understanding of internal control.
assessment, (2) the results
of the auditor’s evaluation, Evaluate the design effectiveness
(3) the negative results of of internal control.
substantive procedures
performed, (4) any control Test and evaluate the operating
deficiencies. effectiveness of internal control.

Form an opinion of the

effectiveness of internal control.
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-15

Written Representations
In addition to the management representations obtained
as part of a financial statement audit, the auditor also
obtains written representations from management related
to the audit of internal control over financial reporting.

Failure to obtain written

representations from
management, including
management’s refusal to
furnish them, constitutes a
limitation on the scope of the
audit sufficient to preclude an
unqualified opinion.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-16

Auditor Documentation Requirements

The auditor must properly document the processes,
procedures, judgments, and results relating to the audit
of internal control.

When an entity has effective

internal control over financial
reporting, the auditor should
be able to perform sufficient
testing of controls to assess
control risk for all relevant
assertions at a low level.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-17

Reporting on Internal Control

Sarbanes-Oxley requires management’s description of
internal control to include:
1. A statement of management’s responsibility for establishing and
maintaining adequate internal control.
2. A statement identifying the framework used by management to
conduct the required assessment of the effectiveness of the
company’s internal control.
3. An assessment of the effectiveness of the company’s internal
control as of the end of the most recent fiscal year, including an
explicit statement as to whether internal control is effective.
4. A statement that the public account firm that audited the
financial statements included in the annual report has issued an
attestation report on management’s assessment of internal
control.
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-18

The Auditor’s Report on Internal Control

over Financial Reporting

Once the auditor has completed the audit of internal

control, he or she must issue an appropriate report to
accompany management’s assessment, published in the
company’s annual report.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-19

Types of Reports Relating to the Audit of

Internal Control

The auditor’s report contains opinions on two separate

items: (1) management’s assessment of the
effectiveness of internal control over financial reporting,
and (2) the effectiveness of internal control over financial
reporting based on the auditor’s independent audit work.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-20

Types of Reports Relating to the Audit of

Internal Control
An unqualified opinion A serious scope
signifies that the client’s limitation requires the
internal control is auditor to disclaim an
designed and operating opinion.
effectively.

Opinion

A qualified opinion is
issued when there is a An adverse opinion is
limitation on the scope required if a material
of the auditor’s work. weakness is identified.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-21

Types of Reports Relating to the Audit of

Internal Control
Report Modification Based on Control Deficiencies
Likelihood of Type of
Misstatement Audit Report
Inconsequential
deficiency
Unqualified
opinion
Significant
deficiency

Material Adverse
weakness opinion

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-22

Types of Reports Relating to the Audit of

Internal Control
Report Modification Based on Scope Limitation
Reason for Type of
Scope Limitation Audit Report
Minor Unqualified
effect opinion

Management imposed/ Qualified

more than minor effect opinion

Disclaim
Sever
opinion or
limitation
withdraw

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-23

Elements of the Auditor’s Report

1. A title that includes the word “independent.”
2. An identification of management’s conclusion about the effectiveness of
the company’s internal control over financial reporting.
3. A definition of internal control over financial reporting.
4. A statement that the auditor planned and performed the audit to obtain
reasonable assurance about whether effective internal control is
maintained.
5. A statement that an audit includes obtaining an understanding of internal
control, valuating management’s assessment of testing the design and
effectiveness of internal control and any other procedures.
6. A paragraph stating that internal control may not prevent or detect
misstatements because of inherent limitations.
7. The auditor’s opinion on whether management’s assessment of the
effectiveness of internal control is fairly stated.
8. The auditor’s opinion on whether the company maintained effective
internal control.
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-24

Integrating the Audits of Internal Control

and Financial Statements

An integrated audit is composed of the audits of internal

control and the financial statements. The control testing
impacts the planned substantive procedures. Also, the
results of the substantive procedures are considered in
the evaluation of internal control.

Tests of Substantive
internal audit
control procedures

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-25

Effect of the Audit of Internal Control on

the Financial Statement Audit

If the auditor performs an integrated audit, he or she

will have access to a large amount of information
about the client’s controls. This information can make
the financial statement audit more efficient and result
in reduced substantive procedures.
Regardless of the level of control risk
in connection with the audit of the
financial statements, auditing
standards require the auditor to
perform some substantive
procedures for all significant accounts
and disclosures.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-26

Effect of the Financial Statement Audit on

the Audit of Internal Control

The effectiveness of the audit of internal controls should

lead the auditor to determine the implications of these
findings on the financial statement audit. The auditor’s
evaluation should include:
1. Misstatements detected.
2. The auditor’s risk evaluations in connection with the
selection and application of substantive procedures,
especially those related to fraud.
3. Findings with respect to illegal acts and related party
transactions.
4. Indications of management bias in making accounting
estimates and in selecting accounting principles.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-27

Special Considerations for an Audit of

Internal Control

Using the work Service

of others. organizations.

Special consideration
by management
and the auditor

Multilocations Safeguarding
and business assets.
units.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-28

Using the Work of Others

In determining the extent to which the auditor may use

the work of others, the auditor should:
o Evaluate the nature of the controls
subjected to the work of others.
o Evaluate the competence and
objectivity of the individuals who
performed the work.
oTest some of the work performed by
others to evaluate the quality and
effectiveness of their work.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-29

Testing Multilocation
Total number of units = 150
Is unit individually
important?
Evaluate documents and test
15 Yes
No 135 controls over significant accounts at
each location.
Are there specific significant
risks?
5 Yes Evaluate documents and test
No 130
controls over specific risks.
Are there units that are not
important even when
aggregated?
60 Yes
No 70 No further action required.
Evaluate documents and test
Are there documented company-level controls over group.
company-level controls over Yes
this group? Some testing of controls at
No individual locations.
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-30

Safeguarding of Assets
Safeguarding of assets is defined as policies
and procedures that “provide reasonable
assurance regarding prevention or timely
detection of unauthorized acquisition, use or
disposition of the company’s assets that could
have a material effect on the financial
statements.”

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-31

Computer-Assisted Audit Techniques

Computer-assisted audit techniques include:

o Generalized audit software packages.
o Custom audit software.
o Test data.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-32

Generalized Audit Software

Function Description
Reads and extracts data from a
File or data access client's computer files or databases
for further audit testing.
Select from files or databases
Selection operators transactions that meet certain
criteria.
Perform a variety of arithmetic
calculations (addition, subtraction,
Arithmetic functions
and so on) on transactions, files, and
databases.
Provide functions supporting various
Statistical analyses
types of audit sampling.

Prepares various types of documents

Report generation
and reports.
McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-33

Custom Audit Software

Custom audit software is generally written by auditors

for specific audit tasks. It may be required when the
client’s computer system is not compatible with the
auditor’s generalized audit software.

Custom software:
(1)Is expensive to develop.
(2)Requires extended development
time.
(3)Is limited in scope of functions.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-34

Test Data

This is data developed by the auditor to test the

application controls in the client’s computer programs.
The technique can be used to check (1) data validation
controls and error detection routines, (2) processing
logic controls, (3) arithmetic calculations, and (4) the
inclusion of transactions in records, files, and reports.

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
 7-35

End of Chapter 7

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.