Question

Assume you are auditing the company that you chose for your term project. List two aspects of a client's “control environment” which you might find that would give you a favorable view of that client's control environment, and explain why they would make you think positively. . (Obviously, you didn't actually do this audit, so you don't have actual knowledge of their control environment. I am asking you to discuss and explain things you might find, that would give you comfort.)

Answer 1

Auditors are specifically expected to understand controls that address “significant” risks. These are identified and assessed for risks of material misstatement that, in the auditor’s professional judgment, require special audit consideration. Examples include control activities

1) relevant to the risk of fraud or

2) over journal entries (such as nonrecurring, unusual transactions or adjustments).

Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity, and nature of operations. The AICPA advises auditors to consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.

The updated COSO framework outlines five components of internal controls that are required under the Sarbanes-Oxley Act’s Section 404 provisions:

1. Control environment. A set of standards, processes and structures is needed to provide the basis for carrying out internal controls across the organization.
2. Risk assessment. This dynamic, iterative process identifies stumbling blocks to the achievement of the company’s strategic objectives and forms the basis for determining how risks will be managed.
3. Control activities. Policies and procedures are necessary to help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
4. Information and communication. Relevant and quality information supports the internal control process. Management needs to continually obtain and share this information with people inside and outside of the company.
5. Monitoring. Management should routinely evaluate whether each of the five components of internal controls is present and functioning.