Internal ControlsLecture 07

By: Kanchan Damithendra

Internal Control-Simple Definition

• Internal control is what we do to see that the things we want to happen will happen …

• And the things we don’t want to happen won’t happen.

Internal Controls Are Common Sense

• What do you worry about going wrong?

• What steps have been taken to assure it doesn’t?

• How do you know things are under control?

Internal Controls are everywhere:

You exercise internal control principles in your personal life when you:

• Lock your house when you leave

• Keep copies of important papers in your safety deposit box

• Balance your checkbook

• Keep your ATM/debit card PIN number separate from your card

• Make travel plans

Responsibility for Internal Control

• Management responsibility• Management has primary responsibility for internal control

• Sarbanes-Oxley Act of 2002 (publicly traded companies)

• Auditor responsibility• Second standard of fieldwork

• PCAOB Auditing Standard No. 5 (AS 5): An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements

5-5

Management’s Responsibility for Internal Control (Sarbanes-Oxley)

• In addition to certifying the company’s financial statements (Section 302),management must also report on the company’s internal control over financialreporting (Section 404).

• Specifically, the company’s annual report must include:• A statement that management is responsible for establishing and maintaining adequate

internal control over financial reporting.

• A statement identifying the framework (usually COSO) management uses to evaluate the effectiveness of the company’s internal control.

• A statement providing management's assessment of the effectiveness of the company’s internal control.

A. Internal Control Defined

• Reliability of financial reporting

• Compliance with applicable laws and regulations

• Effectiveness and efficiency of operations

An entity’s system of internal control consists of policies and procedures designed to provide

management with reasonable assurance that the company achieves its objectives and goals

including:

The Components of Internal Control

A. The Control Environment

B. Risk Assessment

C. Control Activities

D. Information and Communication

E. Monitoring

The internal control framework for most U.S. companies is the Committee of Sponsoring Organizations of the Treadway

Commission (COSO) Internal Control—Integrated Framework, issued in 1992.

A. The Control EnvironmentThe control environment is concerned with the actions, policies, and procedures

that reflect the overall attitude of the client’s top management, directors, and owners of an entity about internal control and its importance.

1. Integrity and ethical values

2. Commitment to competence

3. Board of directors and audit committee

4. Management’s philosophy and operating style

5. Organizational structure

6. Assignment of authority and responsibility

7. Human resource policies and practices

1. Integrity and Ethical Values

Management actions to remove incentives that prompt a person to behave improperly.

Communication of behavioral standards by codes of conduct

and example.

2. Commitment to Competence

Management’s consideration of the competence levels for specific jobs and

how those translate into requisite skills and knowledge.

3. Board of Directors and Audit Committee

Board delegates responsibility for internal control to

management and is charged with regular independent

assessments of management-established internal control.

The major stock exchanges require listed companies to have an audit committee composed

of entirely independent directors who are financially literate.

4. Management’s Philosophy and Operating Style

Management, through its activities, provides clear signals to employees about the importance of internal control. For

example, are sales and earnings targets unrealistic, and are employees encouraged to take aggressive actions to meet

those targets.

5. Organizational Structure

Understanding the client’s organizational structure provides the

auditor with an understanding of how the client’s business

functions and implements controls.

6. Assignment of Authority and Responsibility

Formal methods of communication including:

Top management memoranda concerning

internal control

Organizational operating plans

Employee job descriptions

7. Human Resource Policies and Practices

If employees are honest and trustworthy, other

controls can be absent and reliable financial statements

will still result.

Methods by which persons are hired, trained,

promoted, and compensated are important

elements of internal control.

B. Risk Assessment

Client management’s identification and analysis of risks relevant to the preparation of the financial statements in accordance

with GAAP.

1. Client Management’s Risk Assessment

2. Auditor Risk Assessment

1. Client Management’s Risk Assessment

Client management assesses risk as part of designing and operating internal controls to minimize errors and fraud.

Three steps involve:

i. Identify factors that may increase risk

ii. Determine significance of risk and likelihood of occurrence

iii. Develop specific actions to reduce risk to an acceptable level.

2. Auditor Risk Assessment

The auditor obtains knowledge about management’s risk assessment process by:

Determining how management identifies risks relevant to

financial reporting

Evaluating their significance and likelihood of occurrence

Deciding the actions needed to address the risks.

C. Control Activities

Policies and procedures that client management has established to meet its objectives for financial reporting.

1. Adequate segregation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance

1. Adequate Segregation of Duties

Separation of the functions of authorization, recordkeeping,

and custody.

Separating IT duties from User Departments

2. Proper Authorization of Transactions and Activities

General authorization is permissible for routine events for which there are policies to

follow.

For some transactions specific authorization is needed on a

case-by-case basis.

3. Adequate Documents and Records

Prenumbered consecutive documents so missing items are

noticed

Prepared as near to transaction time as possible

Good design with instructions and appropriate spaces

4. Physical Control Over Assets and Records

Deterrents to prevent physical access.

Access controls to prevent getting into computer system.

Backup and recovery procedures

Incorrect Password

5. Independent Checks on Performance

Personnel are likely to forget or intentionally

fail to follow procedures, or they

may become careless unless someone

observes and evaluates their performance.

D. Information and Communication

Methods used to initiate, record, process, and report an entity’s transactions and to maintain accountability for related assets.

For a small company with active involvement by the owner, a simple computerized accounting system that

involves one honest, competent accountant may provide an adequate accounting system.

A larger company requires a more complex system that includes carefully defined responsibilities and

written procedures.

E. Monitoring

Client management’s ongoing and periodic assessment of the quality of internal control performance to determine whether

controls are operating as intended and modified when needed.

For many companies, especially larger ones, an internal audit department is essential for effective

monitoring.

To maintain internal audit independence, it is imperative that they be independent of operating and

accounting departments; and that they report to a high level of authority, preferably the audit committee

of the board of directors.

III. Process for Understanding Internal Control and Assessing Control Risk

A. Phase 1: Obtain and Document Understanding of Internal Control: Design and Operation

B. Phase 2: Assess Control Risk

C. Phase 3: Design, Perform, and Evaluate Tests of Controls

D. Phase 4: Decide Planned Detection Risk and Substantive Tests

A. Phase 1: Obtain and Document Understanding of Internal Control

Three methods commonly used by auditors to obtain and document their understanding of the design of internal control are narratives, flowcharts, and internal control

questionnaires (see Figure 10-4 on p. 286).

The auditor must also evaluate whether the designed controls are actually placed in operation.

PCAOB Standard 2 requires the auditor to perform at least one walkthrough for each major class of transactions. In a walkthrough, the auditor selects one or a few documents

for the initiation of a transaction type and traces them through the entire accounting process.

B. Phase 2: Assess Control Risk

Two specific assessments must be made to arrive at the

preliminary assessment:

The first assessment is whether the entity is auditable. This is determined by considering the integrity of management and

the adequacy of the accounting records.

Determine assessed control risk supported by the understanding obtained assuming the controls

are being followed.

C. Phase 3: Design, Perform, and Evaluate Tests of Controls

If the results of tests of controls support the design and operating of controls as expected, the auditor uses the

same assessed control risk as the preliminary assessment. Otherwise, assessed control risk must be reconsidered.

If the auditor wants a lower assessed control risk, more extensive tests of controls are applied.

PCAOB Standard 2 requires the auditor to determine whether controls are operating effectively at year end.

The auditor may test at an interim date and later determine if changes have occurred.

D. Phase 4: Decide Planned Detection Risk and Substantive Tests

The greater the control risk (weak

internal controls) the lower the detection risk the auditor can

accept.

To lower detection risk, the auditor performs more

substantive testing.

IV. Communications with the Audit Committee and Management

As part of understanding internal control and assessing control risk, theauditor is required to communicate certain matters to the auditcommittee:Significant deficiencies and material weaknesses must be communicated in writing

to the audit committee as a part of every audit. Timely communication may help management in correcting the problem before their year-end report on internal control.

Less significant internal-control matters and recommendations for operationalimprovements may be communicated through a management letter. Although suchletters are not required by auditing standards, they are often provided as a value-added service of the audit.

Why Controls Don’t Always Work?

• Inadequate knowledge of policies or governing regulations.

• – “I didn’t know that!”

• Inadequate segregation of duties.

• – “We trust ‘A’ who does all of those things.”

• Inappropriate access to assets.

• – Passwords shared, access not removed, cash not secured…

• Form over substance.

• – “You mean I’m supposed to do something besides initial/sign it?”

Weak Internal Controls Increase Risk Through…

• Business Interruption - system breakdowns or catastrophes, excessive re-work to correct for errors.

• Erroneous Management Decisions - based on erroneous, inadequate or misleading information.

• Fraud, Embezzlement and Theft -by management, employees, customers, vendors, or the public-at-large.

• Statutory Sanctions- penalties arising from failure to comply with regulatory requirements, as well as overt violations.

• Excessive Costs/Deficient Revenues - expenses which could have been avoided, as well as loss of revenues to which the organization is entitled.

• Loss, Misuse or Destruction of Assets -unintentional loss of physical assets such as cash, inventory, and equipment.

Effective Implementation• More is not necessarily better

• Controls that do not work together leaving holes

• Cost of duplicated or inefficient controls.

• Controls that do not align with the importance of the risks

• Complex and poorly implemented controls

• Not understood or followed

• Inconsistently applied

• Control effectiveness can degrade over time

• No value for money

• Controls cost money

• Duplication of ineffective controls do not provide benefits