[The following appendix was effective for audits of financial statements for periods beginning on or after June 1, 2001. Earlier application was permissible. It was deleted as a result of the adoption of Auditing Standard No. 5, effective for audits of fiscal years ending on or after November 15, 2007. See PCAOB Release 2007-005A. Show
Return to the current version.] AppendixInternal Control Components.1101. This appendix discusses the five internal control components set forth in paragraph .07 and further described in paragraphs .34 through .57 as they relate to a financial statement audit. Control Environment2. The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. 3. The control environment encompasses the following factors:
Application to Small and Midsized Entities4. Small and midsized entities may implement the control environment factors differently than larger entities. For example, smaller entities might not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Similarly, smaller entities may not have an independent or outside member on their board of directors. Risk Assessment5. An entity's risk assessment for financial reporting purposes is its identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles. For example, risk assessment may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions. 6. Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:
Application to Small and Midsized Entities7. The basic concepts of the risk assessment process should be present in every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small and midsized entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in smaller entities. Management may be able to learn about risks related to these objectives through direct personal involvement with employees and outside parties. Control Activities8. Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities, whether automated or manual, have various objectives and are applied at various organizational and functional levels. 9. Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:
Application to Small and Midsized Entities10. The concepts underlying control activities in small or midsized organizations are likely to be similar to those in larger entities, but the formality with which they operate varies. Further, smaller entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and draw-downs on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control activities. An appropriate segregation of duties often appears to present difficulties in smaller organizations. Even companies that have only a few employees, however, may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible, to use management oversight of the incompatible activities to achieve control objectives. Information and Communication11. An information system consists of infrastructure (physical and hardware components), software, people, procedures (manual and automated), and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology. 12. The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures, whether automated or manual, and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. Transactions may be initiated manually or automatically by programmed procedures. Recording includes identifying and capturing the relevant information for transactions or events. Processing includes functions such as edit and validation, calculation, measurement, valuation, summarization, and reconciliation, whether performed by automated or manual procedures. Reporting relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in monitoring and other functions. The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports. 13. Accordingly, an information system encompasses methods and records that—
14. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on. 15. Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management. Application to Small and Midsized Entities16. Information systems in small or midsized organizations are likely to be less formal than in larger organizations, but their role is just as significant. Smaller entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be less formal and easier to achieve in a small or midsized company than in a larger enterprise due to the smaller organization's size and fewer levels as well as management's greater visibility and availability. Monitoring17. Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. 18. Ongoing monitoring activities are built into the normal recurring activities of an entity and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations. 19. In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity's activities through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control. 20. Monitoring activities may include using information from communications from external parties. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal control from external auditors in performing monitoring activities. Application to Small and Midsized Entities21. Ongoing monitoring activities of small and midsized entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data. What are the five primary activities involved in the acquisition and payment cycle?The acquisition and payment cycle includes processes for identifying products or services to be acquired, purchasing goods and services, receiving the goods, approving payments, and paying for goods and services received.
What is acquisition cycle in auditing?The main activities of the acquisition cycle is: 1) purchase requisition, 2) authorized acquisition of materials, 3) receive of materials, 4) transaction recording in accounting, 5) bill payment authorization, 6) cash disbursement.
What is acquisition and payment cycle?What is the Acquisition and Payment Cycle? The Acquisition and Payment Cycle (also referred to as the PPP Cycle for Purchases, Payables, and Payments) consists mainly of two classes of transactions. The first class is the acquisition class.
What is the primary reason for management's ability to overvalue inventory without rapid detection by auditors?Which of the following is a major factor in management's ability to overvalue inventory without rapid detection by auditors? Complexity in the valuation of inventory.
|