Chapter 07 Internal Control McGraw-Hill/Irwin Copyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
Dec 28, 2015
Chapter 07
Internal Control
McGraw-Hill/Irwin Copyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
Summary of Internal Control DefinitionSummary of Internal Control Definition
A process, effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity’s) objectives on:
Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and
regulations
7-2
Foreign Corrupt Practices ActForeign Corrupt Practices Act
Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business
The Act Requires an effective system of internal control Makes illegal payment of bribes to foreign officials
7-3
Components of Internal Control Components of Internal Control
The Control Environment
Risk Assessment
The Accounting Information and Communication System
Control Activities
Monitoring
7-4
Control Environment FactorsControl Environment Factors Integrity and ethical values Commitment to competence Board of directors or audit committee Management philosophy and operating
style Organizational structure Human resource policies and practices Assignment of authority and responsibility
7-5
Risk Assessment--Factors Indicative of Risk Assessment--Factors Indicative of Increased Financial Reporting RiskIncreased Financial Reporting Risk
Changes in the regulatory or operating environment Changes in personnel Implementation of a new or modified information
system Rapid growth of the organization Changes in technology affecting production
processes or information systems Introduction of new lines of business, products, or
processes
7-6
Control ActivitiesControl Activities
Performance reviews
Information processing General control activities
Application control activities
Physical controls
Segregation of duties Segregate authorization, recording and
custody of assets
7-7
Objectives of an Accounting SystemObjectives of an Accounting System
Identify and record valid transactions Describe on a timely basis the transactions in
sufficient detail to permit proper classification of transactions
Measure the value of transactions appropriately Determine the time period in which the transactions
occurred to permit recording in the proper period Present properly the transactions and related
disclosures in the financial statements
7-8
MonitoringMonitoring
Ongoing monitoring activities Regularly performed supervisory and
management activities Example: Continuous monitoring of
customer complaints Separate evaluations
Performed on nonroutine basis Example: Periodic audits by internal audit
7-9
Limitations of Internal ControlLimitations of Internal Control
Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
Controls that depend on the segregation of duties may be circumvented by collusion
Management may override the structure
Compliance may deteriorate over time
7-10
Auditors’ Overall Approach with Auditors’ Overall Approach with Internal Control Internal Control
Overall approach of an audit1. Plan the audit
2. Obtain an understanding of the client and its environment, including internal control
3. Assess the risks of material misstatement and design further audit procedures
4. Perform further audit procedures
5. Complete the audit
6. Form an opinion and issue the audit report
Steps 2-4 relate most directly to the role of internal control in financial statement audits
7-11
2. Obtain an understanding of the client and its 2. Obtain an understanding of the client and its environment, including internal controlenvironment, including internal control
The understanding of internal control is used to help the auditor to
Identify types of potential misstatements Consider factors that affect the risks of material misstatement. Design tests of controls (when applicable) and substantive
procedures. Auditors must consider all five internal control
components Control environment Accounting information system Risk assessment Control activities Monitoring
Also consider areas difficult to control like non-routine transactions
7-12
3. Assess the risks of material 3. Assess the risks of material misstatementmisstatement
General approach Identify risks while obtaining an understanding of the
client and its environment, including its internal control Relate the identified risks to what can go wrong at the
relevant assertion level Consider whether the risks are of a magnitude that
could result in a material misstatement Consider the likelihood that the risks could result in a
material misstatement
7-13
4. Perform Further Audit Procedures – 4. Perform Further Audit Procedures – Test of ControlsTest of Controls
Approach: Identify controls likely to prevent or detect material
misstatements Perform tests of controls to determine whether they
are operating effectively
Tests of controls address: How controls were applied The consistency with which controls were applied By whom or by what means (e.g., electronically) the
controls were applied
7-14
Consideration of the Work of Internal Consideration of the Work of Internal Auditors Auditors
Using the work of internal auditors CPA can rely on work of internal audit to reduce
amount of testing CPA must assess internal audit competence and
objectivity If intent is to rely upon work of internal audit, test that
work
Obtaining direct assistance of internal auditors
Can obtain assistance in performing procedures, but CPA remains responsible for the audit.
7-15
Service Organizations Service Organizations 1/21/2
Computer service organizations provide processing services to customers who decide not to invest in their own processing of particular data
Examples: Outsource processing of payroll or Internet sales.
7-16
Service Organizations Service Organizations 2/22/2
Types of Service Auditor Reports Type 1—Management’s description of the
system and the suitability of the design of controls
Type 2—Attributes of 1, plus assurance on the operating effectiveness of controls
• A Type 2 report may provide the user auditor with a basis for assessing control risk below the maximum.
7-17
Relationships Among DeficienciesRelationships Among Deficiencies
Deficiency in
Internal Control
Less than Significant Material
Significant Deficiency Weakness
7-18
Management’s Report on Internal Control Management’s Report on Internal Control under Section 404aunder Section 404a
Acknowledgment of responsibility for internal control
An assessment of internal control effectiveness as of the last day of the company’s fiscal yearn using suitable criteria
Support the evaluation with sufficient evidence
7-19
Approach to Audit of Internal Control Approach to Audit of Internal Control under Section 404bunder Section 404b
This section applies to public companies with a market capitalization of $75 million or more. For those companies, the auditors audit internal control as a part of an integrated audit as follows:
Plan the engagement Use a top-down approach to identify the controls to test Test and evaluate design effectiveness of internal control Test and evaluate operating effectiveness of internal
control Form an opinion on effectiveness of internal control over
financial reporting
7-20