Internal Controls Lecture 07 By: Kanchan Damithendra
Internal ControlsLecture 07
By: Kanchan Damithendra
Internal Control-Simple Definition
• Internal control is what we do to see that the things we want to happen will happen …
• And the things we don’t want to happen won’t happen.
Internal Controls Are Common Sense
• What do you worry about going wrong?
• What steps have been taken to assure it doesn’t?
• How do you know things are under control?
Internal Controls are everywhere:
You exercise internal control principles in your personal life when you:
• Lock your house when you leave
• Keep copies of important papers in your safety deposit box
• Balance your checkbook
• Keep your ATM/debit card PIN number separate from your card
• Make travel plans
Responsibility for Internal Control
• Management responsibility• Management has primary responsibility for internal control
• Sarbanes-Oxley Act of 2002 (publicly traded companies)
• Auditor responsibility• Second standard of fieldwork
• PCAOB Auditing Standard No. 5 (AS 5): An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
5-5
Management’s Responsibility for Internal Control (Sarbanes-Oxley)
• In addition to certifying the company’s financial statements (Section 302),management must also report on the company’s internal control over financialreporting (Section 404).
• Specifically, the company’s annual report must include:• A statement that management is responsible for establishing and maintaining adequate
internal control over financial reporting.
• A statement identifying the framework (usually COSO) management uses to evaluate the effectiveness of the company’s internal control.
• A statement providing management's assessment of the effectiveness of the company’s internal control.
A. Internal Control Defined
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Effectiveness and efficiency of operations
An entity’s system of internal control consists of policies and procedures designed to provide
management with reasonable assurance that the company achieves its objectives and goals
including:
The Components of Internal Control
A. The Control Environment
B. Risk Assessment
C. Control Activities
D. Information and Communication
E. Monitoring
The internal control framework for most U.S. companies is the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Internal Control—Integrated Framework, issued in 1992.
A. The Control EnvironmentThe control environment is concerned with the actions, policies, and procedures
that reflect the overall attitude of the client’s top management, directors, and owners of an entity about internal control and its importance.
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
1. Integrity and Ethical Values
Management actions to remove incentives that prompt a person to behave improperly.
Communication of behavioral standards by codes of conduct
and example.
2. Commitment to Competence
Management’s consideration of the competence levels for specific jobs and
how those translate into requisite skills and knowledge.
3. Board of Directors and Audit Committee
Board delegates responsibility for internal control to
management and is charged with regular independent
assessments of management-established internal control.
The major stock exchanges require listed companies to have an audit committee composed
of entirely independent directors who are financially literate.
4. Management’s Philosophy and Operating Style
Management, through its activities, provides clear signals to employees about the importance of internal control. For
example, are sales and earnings targets unrealistic, and are employees encouraged to take aggressive actions to meet
those targets.
5. Organizational Structure
Understanding the client’s organizational structure provides the
auditor with an understanding of how the client’s business
functions and implements controls.
6. Assignment of Authority and Responsibility
Formal methods of communication including:
Top management memoranda concerning
internal control
Organizational operating plans
Employee job descriptions
7. Human Resource Policies and Practices
If employees are honest and trustworthy, other
controls can be absent and reliable financial statements
will still result.
Methods by which persons are hired, trained,
promoted, and compensated are important
elements of internal control.
B. Risk Assessment
Client management’s identification and analysis of risks relevant to the preparation of the financial statements in accordance
with GAAP.
1. Client Management’s Risk Assessment
2. Auditor Risk Assessment
1. Client Management’s Risk Assessment
Client management assesses risk as part of designing and operating internal controls to minimize errors and fraud.
Three steps involve:
i. Identify factors that may increase risk
ii. Determine significance of risk and likelihood of occurrence
iii. Develop specific actions to reduce risk to an acceptable level.
2. Auditor Risk Assessment
The auditor obtains knowledge about management’s risk assessment process by:
Determining how management identifies risks relevant to
financial reporting
Evaluating their significance and likelihood of occurrence
Deciding the actions needed to address the risks.
C. Control Activities
Policies and procedures that client management has established to meet its objectives for financial reporting.
1. Adequate segregation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
1. Adequate Segregation of Duties
Separation of the functions of authorization, recordkeeping,
and custody.
Separating IT duties from User Departments
2. Proper Authorization of Transactions and Activities
General authorization is permissible for routine events for which there are policies to
follow.
For some transactions specific authorization is needed on a
case-by-case basis.
3. Adequate Documents and Records
Prenumbered consecutive documents so missing items are
noticed
Prepared as near to transaction time as possible
Good design with instructions and appropriate spaces
4. Physical Control Over Assets and Records
Deterrents to prevent physical access.
Access controls to prevent getting into computer system.
Backup and recovery procedures
Incorrect Password
5. Independent Checks on Performance
Personnel are likely to forget or intentionally
fail to follow procedures, or they
may become careless unless someone
observes and evaluates their performance.
D. Information and Communication
Methods used to initiate, record, process, and report an entity’s transactions and to maintain accountability for related assets.
For a small company with active involvement by the owner, a simple computerized accounting system that
involves one honest, competent accountant may provide an adequate accounting system.
A larger company requires a more complex system that includes carefully defined responsibilities and
written procedures.
E. Monitoring
Client management’s ongoing and periodic assessment of the quality of internal control performance to determine whether
controls are operating as intended and modified when needed.
For many companies, especially larger ones, an internal audit department is essential for effective
monitoring.
To maintain internal audit independence, it is imperative that they be independent of operating and
accounting departments; and that they report to a high level of authority, preferably the audit committee
of the board of directors.
III. Process for Understanding Internal Control and Assessing Control Risk
A. Phase 1: Obtain and Document Understanding of Internal Control: Design and Operation
B. Phase 2: Assess Control Risk
C. Phase 3: Design, Perform, and Evaluate Tests of Controls
D. Phase 4: Decide Planned Detection Risk and Substantive Tests
A. Phase 1: Obtain and Document Understanding of Internal Control
Three methods commonly used by auditors to obtain and document their understanding of the design of internal control are narratives, flowcharts, and internal control
questionnaires (see Figure 10-4 on p. 286).
The auditor must also evaluate whether the designed controls are actually placed in operation.
PCAOB Standard 2 requires the auditor to perform at least one walkthrough for each major class of transactions. In a walkthrough, the auditor selects one or a few documents
for the initiation of a transaction type and traces them through the entire accounting process.
B. Phase 2: Assess Control Risk
Two specific assessments must be made to arrive at the
preliminary assessment:
The first assessment is whether the entity is auditable. This is determined by considering the integrity of management and
the adequacy of the accounting records.
Determine assessed control risk supported by the understanding obtained assuming the controls
are being followed.
C. Phase 3: Design, Perform, and Evaluate Tests of Controls
If the results of tests of controls support the design and operating of controls as expected, the auditor uses the
same assessed control risk as the preliminary assessment. Otherwise, assessed control risk must be reconsidered.
If the auditor wants a lower assessed control risk, more extensive tests of controls are applied.
PCAOB Standard 2 requires the auditor to determine whether controls are operating effectively at year end.
The auditor may test at an interim date and later determine if changes have occurred.
D. Phase 4: Decide Planned Detection Risk and Substantive Tests
The greater the control risk (weak
internal controls) the lower the detection risk the auditor can
accept.
To lower detection risk, the auditor performs more
substantive testing.
IV. Communications with the Audit Committee and Management
As part of understanding internal control and assessing control risk, theauditor is required to communicate certain matters to the auditcommittee:Significant deficiencies and material weaknesses must be communicated in writing
to the audit committee as a part of every audit. Timely communication may help management in correcting the problem before their year-end report on internal control.
Less significant internal-control matters and recommendations for operationalimprovements may be communicated through a management letter. Although suchletters are not required by auditing standards, they are often provided as a value-added service of the audit.
Why Controls Don’t Always Work?
• Inadequate knowledge of policies or governing regulations.
• – “I didn’t know that!”
• Inadequate segregation of duties.
• – “We trust ‘A’ who does all of those things.”
• Inappropriate access to assets.
• – Passwords shared, access not removed, cash not secured…
• Form over substance.
• – “You mean I’m supposed to do something besides initial/sign it?”
Weak Internal Controls Increase Risk Through…
• Business Interruption - system breakdowns or catastrophes, excessive re-work to correct for errors.
• Erroneous Management Decisions - based on erroneous, inadequate or misleading information.
• Fraud, Embezzlement and Theft -by management, employees, customers, vendors, or the public-at-large.
• Statutory Sanctions- penalties arising from failure to comply with regulatory requirements, as well as overt violations.
• Excessive Costs/Deficient Revenues - expenses which could have been avoided, as well as loss of revenues to which the organization is entitled.
• Loss, Misuse or Destruction of Assets -unintentional loss of physical assets such as cash, inventory, and equipment.
Effective Implementation• More is not necessarily better
• Controls that do not work together leaving holes
• Cost of duplicated or inefficient controls.
• Controls that do not align with the importance of the risks
• Complex and poorly implemented controls
• Not understood or followed
• Inconsistently applied
• Control effectiveness can degrade over time
• No value for money
• Controls cost money
• Duplication of ineffective controls do not provide benefits