Quiz 7: Auditing Internal Control Over Financial Reporting
Sarbanes-Oxley Act of 2002 The U S government in the year 2002 established the Sarbanes-Oxley Act of 2002. The act provides various standards and regulations for the public company audits. It is also known as the Public Company Accounting Oversight Board (PCAOB). Management's responsibilities under Section 404 of the Sarbanes-Oxley Act of 2002: • To accept responsibility for the effectiveness of the entity's Internal Control over Financial Reporting (ICFR) • To evaluate the effectiveness of the entity's Internal Control over Financial Reporting (ICFR) using suitable control criteria • To support its evaluation with sufficient evidence and documentation • To present a written assessment of the effectiveness of the entity's Internal Control over Financial Reporting (ICFR) as of the end of the entity's most recent fiscal year Auditor's responsibilities under Section 404 of the Sarbanes-Oxley Act of 2002: • The auditor must audit and report on the management's assertion about the effectiveness of internal control. • The audit of internal control should be 'integrated' with the financial statement audit, and should express an opinion on the management's assertions of Internal Control over Financial Reporting (ICFR). • The auditor must plan and perform the audit to obtain reasonable assurance whether the entity maintained, in all material respects, effective internal control as of the date specified in the management's assessment.
The role of likelihood and magnitude in evaluating control deficiencies: Control deficiency in internal control exists when the design or operation of a control system does not allow the management and employee to perform their assigned work in order to protect and prevent the assigned work timely. In judging the significance of control deficiency, the auditor considers the likelihood and magnitude of the material misstatement. Likelihood: Likelihood refers to the probability that a misstatement will not be prevented or detected. Likelihood consists of two categories of misstatement: Remote and Reasonable possible or probable. For a significant deficiency, the likelihood of the occurrence of the misstatement must be more than remote, that is, reasonable possible or probable. Magnitude: Magnitude refers to the significance of misstatement that control deficiency could have on the financial statement according to the judgment of a reasonable person. Magnitude consists of three categories of misstatement: Not material or significant, Not material but significant, Material. If likelihood of misstatement is more than ' remote ' and if the magnitude of the deficiency is more than ' not material or significant' , then there may be a significant control deficiency in the financial statement.
The first element in the management's procedure for assessing the effectiveness of internal control is to determine which control should be tested.The following are the controls that would typically be tested by the management: • Controls that are in conformity with Generally Accepted Accounting Principles (GAAP) like the selection and application of accounting policies • Controls of antifraud programs • Controls on which other controls are dependent like IT general control • Controls over significant non-routine and non-systematic transactions such as accounts involving judgments and estimates • Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures, and related assertions embodied in the financial statements • Entry-level controls like controls over management override, controls over period-end financial reporting process, and controls to monitor the results of operation
There is no answer for this question