Five Components of Internal Control

beansproutscompleteSoftware and s/w Development

Dec 13, 2013 (3 years and 8 months ago)


Chapter 10

Section 404 Audits of Internal Control and Control Risk


Presentation Outline

I. An Overview of Internal Control
II. The Components of Internal Control
III. Process for Understanding Internal Control and Assessing Control Risk
IV. Communications with the Audit Committee and Management



I. An Overview of Internal Control

A. Internal Control Defined
B. Reasonable Assurance
C. Section 404 Reporting Requirements for Management
D. Key Components of Management’s Assessment of Internal Control
E. Auditor Responsibilities for Understanding Internal Control

A. Internal Control Defined

An entity’s system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals, including:

- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Effectiveness and efficiency of operations

B. Reasonable Assurance

Reasonable assurance involves two considerations:

- The cost of the entity’s internal control should not exceed the expected benefits.
- Limitations exist in any entity’s internal control.

[Illustration of collusion: "Code the missing cash to bad debts."]

C. Section 404 Reporting Requirements for Management

Section 404 of Sarbanes-Oxley requires the management of public companies to issue an internal control report that includes:

- A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
- An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company’s fiscal year.


D. Key Components of Management’s Assessment of Internal Control

- Management must evaluate the design of internal control over financial reporting.
- Management must test the operating effectiveness of those controls.

E. Auditor Responsibilities for Understanding Internal Control

- Public and private companies: A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed. (2nd standard of fieldwork)
- Public companies: Section 404 requires effort beyond that stated above so that the auditor can provide a report on internal controls that contains the following two opinions:
  - Whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated in all material respects.
  - Whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.


II. The Components of Internal Control

A. The Control Environment
B. Risk Assessment
C. Control Activities
D. Information and Communication
E. Monitoring

The internal control framework for most U.S. companies is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework, issued in 1992.

A. The Control Environment

The control environment is concerned with the actions, policies, and procedures that reflect the overall attitude of the client’s top management, directors, and owners of an entity about internal control and its importance.

1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices

1. Integrity and Ethical Values

- Management actions to remove incentives that prompt a person to behave improperly.
- Communication of behavioral standards by codes of conduct and example.

2. Commitment to Competence

Management’s consideration of the competence levels for specific jobs and how those translate into requisite skills and knowledge.

3. Board of Directors and Audit Committee

- Board delegates responsibility for internal control to management and is charged with regular independent assessments of management-established internal control.
- The major stock exchanges require listed companies to have an audit committee composed of entirely independent directors who are financially literate.

4. Management’s Philosophy and Operating Style

Management, through its activities, provides clear signals to employees about the importance of internal control. For example, are sales and earnings targets unrealistic, and are employees encouraged to take aggressive actions to meet those targets?

5. Organizational Structure

Understanding the client’s organizational structure provides the auditor with an understanding of how the client’s business functions and implements controls.

6. Assignment of Authority and Responsibility

Formal methods of communication including:

- Top management memoranda concerning internal control
- Organizational operating plans
- Employee job descriptions

7. Human Resource Policies and Practices

- If employees are honest and trustworthy, other controls can be absent and reliable financial statements will still result.
- Methods by which persons are hired, trained, promoted, and compensated are important elements of internal control.

B. Risk Assessment

Client management’s identification and analysis of risks relevant to the preparation of the financial statements in accordance with GAAP.

1. Client Management’s Risk Assessment
2. Auditor Risk Assessment


1. Client Management’s Risk Assessment

Client management assesses risk as part of designing and operating internal controls to minimize errors and fraud. Three steps involve:

i. Identify factors that may increase risk
ii. Determine significance of risk and likelihood of occurrence
iii. Develop specific actions to reduce risk to an acceptable level.

2. Auditor Risk Assessment

The auditor obtains knowledge about management’s risk assessment process by:

- Determining how management identifies risks relevant to financial reporting
- Evaluating their significance and likelihood of occurrence
- Deciding the actions needed to address the risks.

C. Control Activities

Policies and procedures that client management has established to meet its objectives for financial reporting.

1. Adequate segregation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance


1. Adequate Segregation of Duties

- Separation of the functions of authorization, recordkeeping, and custody.
- Separating IT duties from User Departments

2. Proper Authorization of Transactions and Activities

- General authorization is permissible for routine events for which there are policies to follow.
- For some transactions specific authorization is needed on a case-by-case basis.

3. Adequate Documents and Records

- Prenumbered consecutive documents so missing items are noticed
- Prepared as near to transaction time as possible
- Good design with instructions and appropriate spaces

4. Physical Control Over Assets and Records

- Deterrents to prevent physical access.
- Access controls to prevent getting into computer system.
- Backup and recovery procedures

[Illustration: "Incorrect Password"]

5. Independent Checks on Performance

Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance.


D. Information and Communication

Methods used to initiate, record, process, and report an entity’s transactions and to maintain accountability for related assets.

- For a small company with active involvement by the owner, a simple computerized accounting system that involves one honest, competent accountant may provide an adequate accounting system.
- A larger company requires a more complex system that includes carefully defined responsibilities and written procedures.

E. Monitoring

Client management’s ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and modified when needed.

- For many companies, especially larger ones, an internal audit department is essential for effective monitoring.
- To maintain internal audit independence, it is imperative that internal auditors be independent of operating and accounting departments, and that they report to a high level of authority, preferably the audit committee of the board of directors.

III. Process for Understanding Internal Control and Assessing Control Risk

A. Phase 1: Obtain and Document Understanding of Internal Control: Design and Operation
B. Phase 2: Assess Control Risk
C. Phase 3: Design, Perform, and Evaluate Tests of Controls
D. Phase 4: Decide Planned Detection Risk and Substantive Tests


A. Phase 1: Obtain and Document Understanding of Internal Control

- Three methods commonly used by auditors to obtain and document their understanding of the design of internal control are narratives, flowcharts, and internal control questionnaires (see Figure 10-4 on p. 286).
- The auditor must also evaluate whether the designed controls are actually placed in operation.
- PCAOB Standard 2 requires the auditor to perform at least one walkthrough for each major class of transactions. In a walkthrough, the auditor selects one or a few documents for the initiation of a transaction type and traces them through the entire accounting process.

B. Phase 2: Assess Control Risk

Two specific assessments must be made to arrive at the preliminary assessment:

- The first assessment is whether the entity is auditable. This is determined by considering the integrity of management and the adequacy of the accounting records.
- Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.

C. Phase 3: Design, Perform, and Evaluate Tests of Controls

- If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment. Otherwise, assessed control risk must be reconsidered.
- If the auditor wants a lower assessed control risk, more extensive tests of controls are applied.
- PCAOB Standard 2 requires the auditor to determine whether controls are operating effectively at year end. The auditor may test at an interim date and later determine if changes have occurred.

D. Phase 4: Decide Planned Detection Risk and Substantive Tests

- The greater the control risk (weak internal controls) the lower the detection risk the auditor can accept.
- To lower detection risk, the auditor performs more substantive testing.

IV. Communications with the Audit Committee and Management

As part of understanding internal control and assessing control risk, the auditor is required to communicate certain matters to the audit committee:

- Significant deficiencies and material weaknesses must be communicated in writing to the audit committee as a part of every audit. Timely communication may help management in correcting the problem before their year-end report on internal control.
- Less significant internal-control matters and recommendations for operational improvements may be communicated through a management letter. Although such letters are not required by auditing standards, they are often provided as a value-added service of the audit.

Summary

1. Internal control defined
2. Management and auditor responsibilities
3. The most prevalent internal control framework
4. Phases of understanding and assessing control risk
5. Communication of internal control matters
