Internal Controls - PowerPoint PPT Presentation

About This Presentation
Title:

Internal Controls

Slides: 55
Provided by: aman80

Transcript and Presenter's Notes



1
Chapter 9
  • Internal Controls

2
1. Establishment of Responsibility
  • Assign responsibility to specific individuals
  • Control is more effective when only 1 person is
    responsible for a specific task
  • Assign responsibility for authorization and
    approval of transactions

3
2. Segregation of Duties
  • Responsibility for related activities should be
    assigned to different individuals
  • Having 1 individual responsible for all related
    activities will increase the risk of errors
  • Responsibility for accounting for an asset should
    be separate from the responsibility for physical
    custody of the asset

4
3. Documentation Procedures
  • Documents provide evidence that
    transactions/events have occurred
  • Documents should be pre-numbered
  • Original documents should be provided to the
    accounting dept.
  • Signatures can identify the responsible individual

5
4. Physical Controls
  • Mechanical or electronic controls to safeguard
    assets
  • Safes, locking the warehouse, passwords,
    biometric access, alarms

6
5. Independent Verification
  • Review, comparison, and reconciliation of data
  • Verification should be done
  • Periodically on a random basis
  • By an independent individual
  • And discrepancies/exceptions should be reported
    to management

7
5. Independent Verification
  • Internal verification
  • Independent comparisons of accounting records
  • Internal auditors check the internal controls for
    effectiveness
  • External verification
  • External auditors are independent of the company
    and are hired to report on whether the f/s fairly
    present the financial position and results of the
    operations

8
Other Controls
  • Bonding of employees
  • Insurance protection against misappropriation of
    assets
  • Insurance company will screen employees and the
    insurance company will prosecute all offenders
  • Rotating staff duties/mandatory vacation
  • Deters theft as employees will not be able to
    permanently conceal their actions

9
Internal Controls
  • GAAS
  • Auditor should obtain an understanding of the
    company and its environment including internal
    controls

10
Management's Responsibilities
  • Cost-effective: good controls reduce audit costs
  • Reliable accounting and operating data: use info
    for critical business decisions (current and
    dependable)
  • Safeguard assets and records: prevent them from
    being stolen, misused, destroyed

11
Management's Responsibilities
  • Promote operational efficiency: prevent
    duplication of effort and waste in all aspects of
    the business
  • Prevent and detect error, fraud, illegal acts
  • Ensure compliance with laws and regulations

12
Internal Controls-auditor
  • Consider in context of misstatement of
    transaction
  • Looking to see if internal controls prevent,
    detect or correct material misstatements
  • Controls related to reliability of financial
    reporting
  • Rely on f/s
  • Concern: if controls related to reliability are
    not operating, then can't rely on statements

13
Internal Controls-auditor
  • Concerned if prevents/detects fraud
  • Responsible for discovery of management and
    employee fraud and illegal acts
  • Internal info (budgets/reports) can be used for
    analytical procedures (if rely upon)

14
Auditor's Responsibilities
  • Document and evaluate internal controls
  • Test controls if reliance intended
  • Communicate weaknesses that could cause material
    errors
  • Concerned with classes of transactions as opposed
    to account balances
  • Acct balances are dependent on how transactions
    were recorded

15
3 Internal Control Concepts
  • Management Responsibilities
  • Establish and maintain company's controls and
    prepare f/s; auditor will test controls
  • Reasonable Assurance
  • Internal controls will not provide absolute
    assurance
  • Cost-benefit: may not be able to implement ideal
    situation

16
3 Internal Control Concepts
  • Inherent limitations
  • Not completely effective
  • Consider competency and dependability of people
  • Collusion and management override
  • There is always some control risk (> 0)

17
4 Components of Internal Control
  • Control Environment
  • Attitude of management
  • Policies, procedures, actions that reflect
    attitudes of top management
  • Assessed as part of knowledge of business and
    used to develop a client risk profile

18
1. Control Environment
  • Management Philosophy and operating system
  • Ethically and honestly
  • Encourage behaviour: documented policies such as a
    code of ethics
  • Service policies could include a commitment to
    quality and competence
  • Signals provided to employees

19
1. Control Environment
  • BOD and Audit Committee
  • Board and audit committee should include
    independent directors
  • Audit committee should have competence in
    accounting
  • Board members should participate actively, meet
    with internal and external auditors
  • Active or rubber stamp?

20
1. Control Environment
  • Organizational Structure
  • A structure that is appropriate for planning,
    directing and controlling operations
  • Authority and responsibility assignments clear
  • Understand functional elements of business and
    perceive how control-related policies and
    procedures can be carried out

21
1. Control Environment
  • Methods of Assigning Authority and
    Responsibilities
  • Reporting relationships and responsibilities
    within organizational culture
  • Organizational goals, ethical and social issues
    considered
  • Formal organizational and operating plans such as
    job descriptions and codes of conduct

22
1. Control Environment
  • Management control methods
  • Methods management uses to supervise company's
    activities
  • Logical access controls and monitoring for data
    communications
  • Monitoring activities of employees
  • Implementing of effective budgeting systems with
    follow up of differences

23
1. Control Environment
  • Systems Development Methodology
  • Policies and procedures for selecting,
    development/purchase and maintenance of
    information systems
  • Formal methodologies for customized systems
  • Implementation of systems consistent with
    organizational objectives

24
1. Control Environment
  • Management reaction to external influences
  • Monitoring of the external environment, including
    changes in laws
  • Ability to respond to changes in the external
    environment, including changes in business
    procedures or organizational structures
  • Aware of changes in the economy and technology,
    tax laws

25
1. Control Environment
  • HR policies and practices
  • Honest, efficient people are able to perform at a
    high level even when there are few other controls
  • People can become bored or dissatisfied, personal
    problems may disrupt performance, goals may
    change
  • Good hiring policies, evaluation and compensation
    processes should motivate the staff

26
1. Control Environment
  • Internal Audit
  • Effective, competent, independent, well-trained
    audit committee can greatly enhance the
    operations
  • To ensure independence, internal auditor should
    report directly to the audit committee

27
2. Risk Assessment
  • Management's identification and analysis of risks
    relevant to the preparation of the financial
    statements
  • Risks from internal and external sources
  • Economic, industry, regulatory, and operating
    conditions change; management needs to develop
    ways to identify and deal with risks
  • Risk assessment is an ongoing process

28
2. Risk Assessment
  • Management should identify factors that increase
    risk, estimate the significance of the risk,
    assess the likelihood of the risk occurring and
    develop actions that need to be taken to reduce
    risk to an acceptable level
  • Management assesses risks as part of designing
    and operating internal controls to minimize
    errors and fraud; auditor assesses risk to decide
    on the evidence needed for the audit

29
3. Control Systems
  • 5 components of the Control System
  • Control Environment
  • Company's risk assessment process
  • The information system
  • Control activities
  • Monitoring of controls
  • 3 elements from text
  • General control systems and procedures
  • Accounting system
  • Accounting system control procedures

30
3. Control Systems-General Computer Controls
  • General controls that affect multiple classes of
    transactions
  • Organization and management controls: policies and
    procedures established and segregation of
    incompatible functions
  • Systems acquisition, development, and maintenance
    controls: make sure changes to system are authorized
  • Operations and information systems
    support: systems should be available and used for
    authorized purposes (training, documentation,
    physical security)

31
3. Control Systems-Accounting System
  • The set of manual/computerized procedures that
    collect, record, and process data and report the
    resulting information
  • 6 audit objectives should be addressed
    (Occurrence, Completeness, Accuracy,
    Classification, Timing, Posting/Summarizing)

32
3. Control Systems-Control Procedures
  • Policies and procedures that help ensure that
    necessary actions are taken to address risks

33
3. Control Systems-Segregation of Duties
  • Segregation of custody of assets from accounting
  • If the same person has the asset and can record
    the transaction, there is a risk of using the asset
    for personal gain
  • Segregation of Operational Responsibility from
    recording/data entry
  • If each department could prepare its own records,
    there would be a bias; record keeping has its
    own department

34
3. Control Systems-Segregation of Duties
  • Segregation of systems development/acquisition
    and maintenance from accounting
  • Changing the way info is entered, displayed,
    reported, and posted; don't want programmer to
    make changes and then suppress the info

35
3. Control Systems-Segregation of Duties
  • Segregation of Computer Operations from
    Programming and Accounting
  • Ability to handle output reports, set up access
    rights, take backup copies of data: could steal
    confidential info or give themselves full access
  • Separation from authorization, data entry of
    transactions, or ability to change programs makes
    it harder for personnel to suppress trail of
    their activities

36
3. Control Systems-Segregation of Duties
  • Separation of Reconciliation from Data Entry
  • Reconciliation: comparing info from two or more
    sources or independently verifying the work that
    has been completed by others
  • Review of bank rec can detect unauthorized
    disbursements

37
3. Control Systems-Proper Authorization of
Transactions and Activities
  • Prevent person who authorizes transactions from
    having control over the asset
  • Person should not authorize payment of vendor's
    transaction and also sign the cheque
  • General authorization: management establishes
    policies for organization to follow
  • Specific authorization: individual transactions for
    which management is unwilling to provide general policy

38
3. Control Systems-Adequate Documents and Records
  • Documents/records: physical objects
    (paper/electronic files) on which transactions
    are entered and summarized
  • Prenumbered: account for all
  • Prepared at the time of the transaction
  • Developed for multiple use
  • Internal check to ensure correct preparation

39
3. Control Systems-Chart of Accounts and Systems
Manuals
  • Chart of Accounts
  • Listing of accounts that classifies transactions
    into B/S or I/S
  • Prevent classification error if accurate
  • Systems Manuals
  • Procedures for proper recordkeeping should be
    documented

40
3. Control Systems-adequate safeguards over
access to records/assets
  • Protect assets/records from being stolen,
    damaged, or lost
  • Most important type of protective measures for
    safeguarding assets and records is physical
    controls (locks, access controls, backup/recovery)

41
3. Control Systems-Independent Verification and
Accuracy of Recorded Amts
  • Independent check
  • Personnel may forget or fail to follow
    procedures, careless
  • Independent of the original person preparing the
    data

42
4. Monitoring
  • Ongoing, periodic assessment of quality of
    internal control to ensure controls are operating
    as intended
  • Internal Audit department may provide independent
    evaluations of the quality of the monitoring
    process

43
Internal Control Audit Process
  • Obtain an understanding
  • Extent must be sufficient to plan the audit
  • Obtain info about integrity of management and
    nature of accounting records (enough evidence to
    audit the co)
  • Understanding to determine the potential types of
    misstatements/fraud
  • Design tests

44
Internal Control Audit Process
  • Understand the Control Environment
  • Assess management's and directors' attitude and
    awareness of controls
  • Understand General Controls
  • Obtain info about organization's hardware and
    software, types of systems in use; info will be
    used to plan extent of work

45
Internal Control Audit Process
  • Understanding Accounting System
  • Major classes of transactions
  • How transactions are initiated
  • What accounting records and data files exist
  • How transactions are processed
  • Normally trace one or a few transactions through
    the system
  • Understanding Control Procedures
  • Identify controls for each audit assertion

46
Internal Control Audit Process
  • Procedures to gain understanding
  • Update auditor's previous experience
  • Enquiries of client
  • Read client's manuals
  • Examine documents and records
  • Complete walkthroughs

47
Internal Control Audit Process
  • Narrative: written description
  • Flow charts: diagram
  • Internal Control Questionnaire: series of
    questions
  • Provide details: approvals, documents, reports,
    stages that occur, employees that handle tasks

48
Internal Control Audit Process
  • Assess Control Risk
  • Based on understanding determine if the company
    is auditable
  • Control environment and management integrity
  • Records are deficient, evidence may not be
    available
  • Discuss with client if unable to audit; otherwise
    client acceptance

49
Internal Control Audit Process
  • Determine Control Risk
  • Measure of auditor's expectation that internal
    controls will neither prevent misstatements from
    occurring nor detect or correct them
  • Set at High, Moderate, Low
  • High if can't rely on controls
  • In some cases set control risk at high where it
    actually isn't (more economical to audit
    financial statement balances than to conduct
    tests of controls)
  • Level of control risk is limited to evidence
    provided

50
Internal Control Audit Process
  • Identify controls
  • Key controls: help achieve audit objective
  • Identify weaknesses and determine if possible for
    material misstatement to occur
  • Consider if there are compensating controls to
    offset weaknesses

51
Internal Control Audit Process
  • Tests of control (based on reliance)
  • To rely on controls, need evidence of effectiveness
    throughout period
  • Walkthroughs-to obtain understanding
  • If tests show that not operating effectively then
    need to re-assess control risk

52
General Controls
  • Access controls
  • No access controls: cannot rely on general
    computer controls
  • Program Change Controls
  • If General Computer Controls are poor, then you can
    only rely on manual controls

53
Procedures for Tests of Controls
  • Enquiries
  • Examine documents/records
  • Observation
  • Reperformance

54
Combined Vs. Substantive Testing
  • Combined
  • Rely on controls
  • CR below max, DR medium to high
  • Understand control env, accting system, and
    document
  • Test controls
  • Substantive
  • Can't rely on controls
  • Not cost effective
  • CR high, DR low
  • Understanding control env and accting system
  • No tests of controls