Download - 5 Components of Internal Control
-
8/6/2019 5 Components of Internal Control
1/35
Chapter 10
Section 404 Audits of InternalControl and Control Risk
Internal Control
Internal Control
Risk
.
-
8/6/2019 5 Components of Internal Control
2/35
Presentation Outline
I. An Overview of Internal Control
II. The Components of Internal ControlIII. Process for Understanding Internal
Control and Assessing Control Risk
IV. Communications with the AuditCommittee and Management
-
8/6/2019 5 Components of Internal Control
3/35
I. An Overview of Internal
Control
A. Internal Control Defined
B. Reasonable Assurance
C. Section 404 Reporting Requirements forManagement
D. Key Components of Managements
Assessment of Internal ControlE. Auditor Responsibilities for
Understanding Internal Control
-
8/6/2019 5 Components of Internal Control
4/35
A. Internal Control Defined
Reliability of financial reporting Compliance with applicable laws and regulations
Effectiveness and efficiency of operations
An entitys system of internal control consists of
policies and procedures designed to provide
management with reasonable assurance that thecompany achieves its objectives and goals
including:
-
8/6/2019 5 Components of Internal Control
5/35
B. Reasonable Assurance
Reasonable assuranceinvolves two
considerations: The cost of the
entitys internalcontrol should not
exceed the expectedbenefits.
Limitations exist inany entitys internal
control.
Code themissing cash
to bad debts.
Collusion
-
8/6/2019 5 Components of Internal Control
6/35
C. Section 404 Reporting Requirements for
Management
Section 404 of Sarbanes-Oxley requires the management ofpublic companies to issue an internal control report that
includes:
A statement that management is responsible for establishingand maintaining an adequate internal control structure and
procedures for financial reporting.
An assessment of the effectiveness of the internal controlstructure and procedures for financial reporting as of the end
of the companys fiscal year.
-
8/6/2019 5 Components of Internal Control
7/35
D. Key Components of Managements Assessment
of Internal Control
Management must
evaluate the design of
internal control overfinancial reporting.
Management must test
the operating
effectiveness of those
controls.
-
8/6/2019 5 Components of Internal Control
8/35
E. Auditor Responsibilities for
Understanding Internal Control
Public and private companies A sufficient understanding of internal
control is to be obtained to plan the audit and to determine the nature,timing, and extent of tests to be performed. (2nd standard offieldwork)
Public companies Section 404 requires effort beyond that statedabove so that the auditor can provide a report on internal controls that
contains the following two opinions: Whether managements assessment of the effectiveness of internal control over
financial reporting as of the end of the fiscal period is fairly stated in all materialrespects.
Whether the company maintained, in all material respects, effective internalcontrol over financial reporting as of the specified date.
-
8/6/2019 5 Components of Internal Control
9/35
II. The Components of Internal
Control
A. The Control Environment
B. Risk AssessmentC. Control Activities
D. Information and Communication
E. Monitoring
The internal control framework for most U.S. companies is the
Committee of Sponsoring Organizations of the Treadway
Commission (COSO)Internal ControlIntegratedFramework, issued in 1992.
-
8/6/2019 5 Components of Internal Control
10/35
A. The ControlEnvironment
The control environment is concerned with theactions, policies, and procedures that reflect theoverall attitude of the clients top management,directors, and owners of an entity about internal
control and its importance.
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee4. Managements philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
-
8/6/2019 5 Components of Internal Control
11/35
1. Integrity andE
thical ValuesManagement actions
to remove incentives
that prompt a personto behave improperly.
Communication of
behavioral standards
by codes of conduct
and example.
-
8/6/2019 5 Components of Internal Control
12/35
2. Commitment to Competence
Managements
consideration of thecompetence levels for
specific jobs and how
those translate into
requisite skills andknowledge.
-
8/6/2019 5 Components of Internal Control
13/35
3. Board of Directors and Audit
CommitteeBoard delegates responsibility
for internal control to
management and is chargedwith regular independent
assessments of management-
established internal control.
The major stock exchangesrequire listed companies to have
an audit committee composed of
entirely independent directors
who are financially literate.
-
8/6/2019 5 Components of Internal Control
14/35
4. Managements Philosophy and
Operating Style
Management, through its activities, provides clearsignals to employees about the importance of
internal control. For example, are sales and earningstargets unrealistic, and are employees encouraged to
take aggressive actions to meet those targets.
-
8/6/2019 5 Components of Internal Control
15/35
5. Organizational Structure
Understanding the
clients organizationalstructure provides the
auditor with an
understanding of how
the clients businessfunctions and
implements controls.
-
8/6/2019 5 Components of Internal Control
16/35
6. Assignment of Authority and
ResponsibilityFormal methods of
communication including:
Top managementmemoranda concerning
internal control
Organizational operating
plansEmployee job
descriptions
-
8/6/2019 5 Components of Internal Control
17/35
7. Human Resource Policies and
Practices
If employees are honestand trustworthy, other
controls can be absent andreliable financial
statements will still result.
Methods by which persons
are hired, trained,promoted, andcompensated are important
elements of internalcontrol.
-
8/6/2019 5 Components of Internal Control
18/35
B. Risk Assessment
Client managements identification and analysis of
risks relevant to the preparation of the financialstatements in accordance with GAAP.
1. Client Managements Risk Assessment
2. Auditor Risk Assessment
-
8/6/2019 5 Components of Internal Control
19/35
1. Client Managements Risk Assessment
Client management assesses risk as part of designing andoperating internal controls to minimize errors and fraud.
Three steps involve:
i. Identify factors that may increase riskii. Determine significance of risk and likelihood of
occurrence
iii. Develop specific actions to reduce risk to an acceptable
level.
-
8/6/2019 5 Components of Internal Control
20/35
2
. Auditor Risk AssessmentThe auditor obtains knowledge
about managements risk
assessment process by:
Determining how management
identifies risks relevant to
financial reporting
Evaluating their significance and
likelihood of occurrence
Deciding the actions needed to
address the risks.
-
8/6/2019 5 Components of Internal Control
21/35
C. Control Activities
Policies and procedures that client management has
established to meet its objectives for financialreporting.
1. Adequate segregation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
-
8/6/2019 5 Components of Internal Control
22/35
1. Adequate Segregation of
DutiesSeparation of the
functions of
authorization,recordkeeping, and
custody.
Separating IT duties
from User
Departments
-
8/6/2019 5 Components of Internal Control
23/35
2. Proper Authorization of
Transactions and ActivitiesGeneral authorization
is permissible for
routine events forwhich there are
policies to follow.
For some transactions
specific authorization
is needed on a case-
by-case basis.
-
8/6/2019 5 Components of Internal Control
24/35
3. Adequate Documents and
RecordsPrenumbered
consecutive
documents so missingitems are noticed
Prepared as near totransaction time as
possibleGood design with
instructions andappropriate spaces
-
8/6/2019 5 Components of Internal Control
25/35
-
8/6/2019 5 Components of Internal Control
26/35
5. Independent Checks on
P
erformance
Personnel are likely toforget or intentionallyfail to follow
procedures, or theymay become careless
unless someoneobserves and evaluates
their performance.
-
8/6/2019 5 Components of Internal Control
27/35
D. Information and Communication
Methods used to initiate, record, process, and report anentitys transactions and to maintain accountability
for related assets.
For a small company with active involvement by the
owner, a simple computerized accounting system that
involves one honest, competent accountant may
provide an adequate accounting system. A larger company requires a more complex system
that includes carefully defined responsibilities and
written procedures.
-
8/6/2019 5 Components of Internal Control
28/35
E. Monitoring
Client managements ongoing and periodic assessment
of the quality of internal control performance to
determine whether controls are operating as intended
and modified when needed.
For many companies, especially larger ones, aninternal audit department is essential for effective
monitoring.
To maintain internal audit independence, it isimperative that they be independent of operating andaccounting departments; and that they report to a highlevel of authority, preferably the audit committee of
the board of directors.
-
8/6/2019 5 Components of Internal Control
29/35
-
8/6/2019 5 Components of Internal Control
30/35
A. Phase 1: Obtain and Document
Understanding of Internal Control
Three methods commonly used by auditors to obtain anddocument their understanding of the design of internal
control are narratives, flowcharts, and internal controlquestionnaires (see Figure 10-4 on p. 286).
The auditor must also evaluate whether the designedcontrols are actually placed in operation.
PCAOB Standard 2 requires the auditor to perform at leastone walkthrough for each major class of transactions. In a
walkthrough, the auditor selects one or a few documents forthe initiation of a transaction type and traces them through
the entire accounting process.
-
8/6/2019 5 Components of Internal Control
31/35
B. Phase 2: Assess Control Risk
Two specific assessments must bemade to arrive at the
preliminary assessment:
The first assessment is whetherthe entity is auditable. This isdetermined by considering the
integrity of management and theadequacy of the accounting
records.
Determine assessed control risksupported by the understandingobtained assuming the controls
are being followed.
-
8/6/2019 5 Components of Internal Control
32/35
C. Phase 3: Design, Perform, andEvaluate
Tests of Controls
If the results of tests of controls support the design and
operating of controls as expected, the auditor uses the
same assessed control risk as the preliminary assessment.Otherwise, assessed control risk must be reconsidered.
If the auditor wants a lower assessed control risk, more
extensive tests of controls are applied.
PCAOB Standard 2 requires the auditor to determine
whether controls are operating effectively at year end.
The auditor may test at an interim date and later determine
if changes have occurred.
-
8/6/2019 5 Components of Internal Control
33/35
D. Phase 4: Decide Planned
Detection Risk and Substantive Tests
The greater thecontrol risk (weak
internal controls) thelower the detectionrisk the auditor can
accept.
To lower detectionrisk, the auditor
performs moresubstantive testing.
-
8/6/2019 5 Components of Internal Control
34/35
IV. Communications with the Audit
Committee and Management
As part of understanding internal control and assessingcontrol risk, the auditor is required to communicate
certain matters to the audit committee:
Significant deficiencies and material weaknesses must becommunicated in writing to the audit committee as a part
of every audit. Timely communication may helpmanagement in correcting the problem before their year-
end report on internal control.Less significant internal-control matters and
recommendations for operational improvements may becommunicated through a management letter. Althoughsuch letters are not required by auditing standards, they
are often provided as a value-added service of the audit.
-
8/6/2019 5 Components of Internal Control
35/35