Chapter 7 Internal Control

1
Chapter 7Internal Control
If everything seems under control, you're just
not going fast enough.
Mario Andretti, Race Car
Driver
2
Internal Control

• Process effected by an entitys board of
  directors, management, and other personnel,
  designed to provide reasonable assurance of
  achievement of objectives in the following
  categories
• Reliability of Financial Reporting
• Effectiveness and Efficiency of Operations
• Compliance with Applicable Laws and Regulations
• Safeguarding of Assets

3
Parties Interested in Organization's Control
System

• Board of Directors and Audit Committee
• Management
• Regulators
• Internal and External Auditors
• Suppliers and Customers
• Investors and Creditors
• Customers or others using the Web for commerce

4
Control Objectives

• In each area of internal control (financial
  reporting, operations and compliance)
• Control objectives and
• Subobjectives exist
• Example Area of Financial Reporting
• Top Level Objective prepare and issue reliable
  financial information
• Detailed Level Applied --- A/R subobjectives
• All goods shipped are accurately billed in the
  proper period
• Invoices are accurately recorded for all
  authorized shipments and only for such shipments
• Authorized and only authorized sales returns and
  allowances are accurately recorded
• The continued completeness and accuracy of A/R is
  ensured
• Accounts receivable records are safeguarded

5
Controls over Financial Reporting

• Preventive
• Aimed at avoiding the occurrence of misstatements
  in the financial statements
• Example Segregation of Duties
• Detective
• Designed to discover misstatements after they
  have occurred
• Example Monthly Bank Reconciliations
• Corrective
• Needed to remedy the situation uncovered by
  detective controls
• Example Backups of Master File
• Controls Overlap
• Complementary function together
• Redundant address same assertion or control
  objective
• Compensating reduces risk existing weakness
  will result in misstatement

6
Managements Responsibility for Internal Control
(Sarbanes-Oxley)

• Certify Companys Financial Statements (Section
  302)
• Report on Companys Internal Control over
  Financial Reporting (Section 404)
• Companys annual report must include a statement
  
• Management is responsible for establishing and
  maintaining adequate internal control over
  financial reporting
• Identifying the framework (usually COSO)
  management uses to evaluate the effectiveness of
  the companys internal control.
• Providing management's assessment of the
  effectiveness of the companys internal control.

7
Auditor Reasons for Sufficiently Understanding
Internal Control
SAS 55 (as amended by SAS 78 and 594 plus AU319)
requires the auditor to obtain an understanding
of internal control for every audit.
Minimum audit planning matters

• Auditability
• Potential Material
• Misstatements
• Detection Risk
• Design of Tests

8
Limitations of Internal Control

• Errors from Misunderstandings of Instructions,
  Mistakes of Judgment, Fatigue, etc.
• Management Override
• Circumvented by Collusion
• Compliance Deteriorates
• Cost/Benefit Analysis

9
Five Components of Internal Control
Control Environment
Risk Assessment
Information and Communication
Control Activities
Monitoring
10
Interrelatedness of Components of Internal Control
Control Environment
Risk Assessment
Control Procedures
Information and Communication
Monitoring
11
Obtain an Understanding of Internal
Control
Identify types of potential misstatements
Pinpoint the factors that affect the risk of
material misstatement
Design tests of controls and substantive
procedures
12
Control Environment Factors

• Integrity and Ethical Values
• Board of Directors, and Audit Committee
• Effectiveness of Internal Audit Function
• Managements Philosophy and Operating Style
• Assignment of Authority and Responsibility
• Commitment to Competence
• Human Resource Policies and Practices
• Organizational Structure

13
Entitys Risk Assessment Process
Risk assessment process should consider external
and internal events and circumstances that may
arise and adversely affect the entitys ability
to initiate, record, process and report financial
data consistent with the assertions of management
in the financial statements.
14
Control Activities
Policies and procedures that help ensure that
managements directives are carried out. Control
procedures relevant to the audit include
Performance Reviews
Information Processing
Physical Controls
Segregation of Duties
15
Pervasive Control Activities

• Segregation of Incompatible Duties
• Authorization Policies
• Documented Transaction Trail
• Physical Controls to Safeguard Assets
• Reconciliations
• Competent, Trustworthy Employees

16
Segregation of Duties
Authorization
Reconciliation
Custody
Recording
17
Adequate Separationof Duties
18
Segregation of Duties
19
Proper Authorization of Transactions and
Activities
General Authorization
Specific Authorization
20
Adequate Documentsand Records
Prenumbered Consecutively
Prepared at Time of Transaction
Simple Enough to Ensure Understanding
Designed for Multiple Uses
Constructed to Encourage Correct Preparation
21
Physical Control overAssets and Records
Physical Precautions
Controls Related to IT Equipment, Programs, and
Data Files
22
Objectives of an Accounting System

• Identify and record valid transactions
• Describe on a timely basis the transactions in
  sufficient detail to permit proper classification
  of transactions
• Measure the value of transactions appropriately
• Determine the time period in which the
  transactions occurred to permit recording in the
  proper period
• Present properly the transactions and related
  disclosures in the financial statements

23
Monitoring
Managements process that assesses the quality of
the internal control's performance over time.

• Ongoing Monitoring Activities
• Separate Evaluations

24
Effect of Entity Size on Internal Control
While the basic concepts of the five components
should be present in all entities, they are
likely to be less formal in a small or midsize
entity than in a large entity.
25
Internal Control in the Small Company
7-25

• Due to lack of employees, internal control is
  seldom strong in small businesses
• Specific Practices for Small Businesses
• Record all cash receipts immediately
• Deposit all cash receipts intact daily
• Make all payments by serially numbered checks,
  with exception of petty cash disbursements
• Reconcile bank accounts monthly and retain copies
• Use serially numbered invoices, POS, and
  receiving reports
• Issue checks to vendors only in payment of
  approved invoices that have been matched with
  purchase orders and receiving reports
• Balance subsidiary ledger with control accounts
• Prepare comparative financial statements monthly
  to disclose significant variations in any
  category of revenue or expense

26
Understanding Internal Controland Assessing
Control Risk
Obtain Understanding of Internal Control Design
and Operation
27
Trade-off Between Testing of Controls and
Substantive Testing
More Effective
More Efficient
Substantive Testing
Substantive Testing
Testing of Controls
Year-end
Interim
28
Auditors Overall Approach with Internal Control

• Overall approach of an audit
• 1. Plan the audit
• 2. Obtain an understanding of the client and its
  environment, including internal control
• 3. Assess the risks of material misstatement and
  design further audit procedures
• 4. Perform further audit procedures
• 5. Complete the audit
• 6. Form an opinion and issue the audit report
• Steps 2-4 relate most directly to the role of
  internal control in financial statement audits

29
Phase Two - Understanding of Internal Control

• Performing Walkthroughs
• Inquires of Management, Accounting and
  Operational Employees
• Taking Plant and Operational Tours
• Client Prepared Documentation including
  accounting manuals and program and system
  descriptions
• Prior Year Audit Work Papers

30
Documenting the Understanding of Internal
Control
Procedure Manuals and Organizational Charts
Narrative Description
Internal Control Questionnaires
Flowcharts
31
Narrative

• Origin of every document and record
• in the system

2. All processing that takes place
3. Disposition of every document and record
in the system
4. Indication controls relevant to assessment
of control risk
32
Flowcharting Symbols
33
Payroll System Flowchart
34
Bridge Workpaper
35
Phase Three Assess Risks of Material
Misstatement

• General Approach
• Identify risks while obtaining an understanding
  of the client and its environment, including its
  internal control
• Relate the identified risks to what can go wrong
  at the relevant assertion level
• Consider whether the risks are of a magnitude
  that could result in a material misstatement
• Consider the likelihood that the risks could
  result in a material misstatement

36
Nature of Transactions

• Routine transactionse.g., revenue, purchases,
  and cash receipts and disbursements
• Nonroutine transactionse.g., taking of
  inventory, calculating depreciation expense
• Estimation transactionse.g., determining the
  allowance for doubtful accounts
• Generally routine transactions have the strongest
  controls

37
Assessing Risks Financial Statement Level

• Responses to High Risks
• Assigning more experience staff or those with
  specialized skills
• Providing more supervision and emphasizing the
  need to maintain professional skepticism
• Incorporating additional elements of
  unpredictability in the selection of further
  audit procedures to be performed
• Increasing the overall scope of audit procedures,
  including the nature, timing or extent

38
Assessing Risks Assertion Level

• Examples
• Failure to recognize an impairment loss on a
  long-lived asset affects only the valuation
  assertion
• Inaccurate counting of inventory at year-end
  affect the valuation of inventory and the
  accuracy of cost of goods sold
• Responses
• Decisions are made here as to the appropriate
  combination of tests of controls and substantive
  procedures

39
Results of Preliminary Assessment of Control Risk

• Relationship of assessed level of Control Risk
  and subsequent Substantive Testing is Inverse
• Control Risk High
• No reliance placed on the client's internal
  controls
• Amount and rigor of substantive testing must be
  increased
• Control Risk Low
• Auditors rely on the client's internal controls
• Amount and rigor of substantive testing not
  increased
• Auditor must test the controls to make sure they
  are operating effectively

40
Assessed Control Risk High

• Review material entries in closing process
• Review material adjusting entries
• Review all changes to significant estimates
• Review all internal audit reports
• Discuss implications with audit committee

41
Tests of Controls..
. Procedures to test effectiveness of controls
in support of a reduced assessed control risk
42
Phase 4 Design and Perform Audit Procedures
Test of Controls (1 of 2)

• Approach
• Identify controls likely to prevent or detect
  material misstatements
• Perform tests of controls to determine whether
  they are operating effectively
• Tests of Controls Address
• How controls were applied
• The consistency with which controls were applied
• By whom or by what means (e.g., electronically)
  the controls were applied

43
Audit Procedures Perform Tests of Controls (2 of
2)

• Tests of Controls Include
• Inquiries of appropriate client personnel
• Inspection of documents and reports
• Observation of the application of controls
• Reperformance of the controls
• Results of the tests used to determine the
  nature, timing and extent of substantive
  procedures

44
Dual Direction Test of Payroll Controls
45
Update Assessment of Control Risk Need for
Substantive Testing

• If testing indicates the control is not operating
  effectively, the auditor will revise the
  preliminary assessment of control risk and
  incorporate this revision into subsequent
  substantive testing

46
Timing of Audit Procedures
47
Interim Audit Procedures
48
AS 5 An Audit of Internal Control over Financial
Reporting That Is Integrated with an Audit of
Financial Statements (for Publicly Traded
Companies)

• Phases of the Engagement
• Plan the Engagement
• Use a Top-Down Approach to Gain an Understanding
• Identify entity-level controls
• Walkthroughs
• Testing Internal Control Effectiveness
• Design effectiveness
• Operating effectiveness
• Evaluating Control Deficiencies
• Deficiencies
• Significant deficiencies
• Material weaknesses
• Wrapping up Forming an opinion on the
  effectiveness of internal control over financial
  reporting
• Reporting on Internal Control
• Review for subsequent changes

49
Communication of Internal Control-Related Matters
Reportable Conditions
Material Weakness
50
Examples of Reportable Conditions
51
Relationships Among Deficiencies

• Deficiency in
• Internal Control
• Less than Significant Material
• Significant Deficiency Weakness

52
Managements Report on Internal Control under
Section 404a

• Acknowledgment of responsibility for internal
  control
• An assessment of internal control effectiveness
  as of the last day of the companys fiscal yearn
  using suitable criteria
• Support the evaluation with sufficient evidence

53
Reporting to Audit Committee on Internal Control
Related Matters

• Sarbanes-Oxley requires the report be in writing.
  
• Auditor may communicate during or after audit.
• Communications with management is not required
  however, communications with management or other
  individuals within the entity who may, in the
  auditor's judgment, benefit from the
  communications are not precluded.

54
Control Risk Matrix
Identify transaction-related audit objectives.
Identify existing controls.
Associate controls with transaction-related audit
objectives.
Identify and evaluate control deficiencies, signif
icant deficiencies, and material weaknesses
55
Evaluating Significant Control Deficiencies
Material Weakness
56
Auditors Consideration of Internal Control ---
Summary

• Obtain an understanding
• Document the understanding
• Determine planned assessed level of control risk
• Design additional tests of control
• Reassess control risk
• If necessary, modify planned substantive tests

57
END of CHAPTER 7