Chapter 10Section 404 Audits of Internal Controland Control Risk Review Questions10-1Management typically has three broad objectives in designing an effective internal control system.1. Reliability of Financial Reporting Management is responsible for preparing financial statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements such as GAAP. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities.2. Efficiency and Effectiveness of Operations Controls within an organization are meant to encourage efficient and effective use of its resources to optimize the companys goals. An important objective of these controls is accurate financial and non-financial information about the entitys operations for decision making.3. Compliance with Laws and Regulations Section 404 of the Sarbanes-Oxley Act requires all public companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and fraud. 10-2Management designs systems of internal control to accomplish three categories of objectives: financial reporting, operations, and compliance with laws and regulations. The auditors focus in both the audit of financial statements and the audit of internal controls is on those controls related to the reliability of financial reporting plus those controls related to operations and to compliance with laws and regulations objectives that could materially affect financial reporting. 10-3Section 404 requires management of all public companies to issue an internal control report that includes the following: A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting and An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the companys fiscal year.10-4Managements assessment of internal control over financial reporting consists of two key components. First, management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls. When evaluating the design of internal control over financial reporting, management evaluates whether the controls are designed to prevent or detect material misstatements in the financial statements. When testing the operating effectiveness of those controls, the objective is to determine whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.10-5There are eight parts of the planning phase of audits: accept client and perform initial planning, understand the clients business and industry, assess client business risk, perform preliminary analytical procedures, set materiality and assess acceptable audit risk and inherent risk, understand internal control and assess control risk, gather information to assess fraud risks, and develop an overall audit plan and audit program. Understanding internal control and assessing control risk is therefore part six of planning. Only gathering information to assess fraud risk and developing an overall audit plan and audit program follow understanding internal control and assessing control risk.10-6The second GAAS field work standard states “The auditor must obtain a sufficient understanding of the entity and its environment, including its internal controls, to assess the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures.” The auditor obtains the understanding of internal control to assess control risk in every audit and that responsibility is the same for audits of both public and nonpublic companies. Auditors are primarily concerned about controls related to the reliability of financial reporting and controls over classes of transactions.10-7Section 404 requires that the auditor attest to and issue a report on managements assessment of internal control over financial reporting. To express an opinion on internal controls, the auditor obtains an understanding of and performs tests of controls related to all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements. PCAOB Standard 2 r