Presentation on theme: "Internal Control Chapter 7 covers two distinct, but related topics:"— Presentation transcript:
Slide 1: Internal Control
Chapter 7 covers two distinct, but related topics:
1. What are Internal Controls and Internal Control System or Structure?
2. How does client’s ICS affect the auditor’s work?
Slide 2: Internal Control System Definition
A process...designed to provide reasonable assurance regarding achievement of (the entity’s) objectives in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
Source: Committee of Sponsoring Organizations
What is COSO? This is its 2nd, broader definition. AICPA Accepted with SAS 78.
Why was it formed? Fraudulent F.S.
Reason: FCPA, SEC requires
Which of the ICS objectives are of most concern to the CPA? - Nos. 2 and 3
What are the primary elements of the financial reporting process?
1. Recording Transactions
2. Processing Transactions
3. Summarizing Transactions
4. Reporting Financial Position and Results
Slide 3: Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
The 5 components of an ICS.
Slide 4: Control Environment (Internal)
- Integrity and ethical values
- Commitment to competence
- Board of directors or audit committee
- Management philosophy and operating style
- Organizational structure
- Human resource policies and practices
- Assignment of authority and responsibility
These factors probably have the greatest impact on the effectiveness of internal controls since they set the atmosphere and motivation to apply internal controls.
These are basically the same categories as the high client risk factors we saw in chapter 6 for fraud from SAS 82/99.
Slide 5: Control Environment (External)
Reviews by Governmental Agencies:
OSHA, FDA, IRS, GAO, EPA, DCAA, Bank Examiners, Bd of Equalization, State Franchise Tax Bd
Reviews by Non-Governmental Agencies:
ISO, Industry Associations
As we saw in the video, outside reviewers can reduce risk of misstatements by, in essence, auditing/evaluating certain aspects of financial data in the F.S. plus compliance with laws and regulations.
In essence, these are an “external” part of a client’s ICS.
Slide 6: Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
We are talking about risk assessment done by the client.
Slide 7: Client Risk Assessment
Clients must constantly reassess their ICS because of:
- Changes in regulatory or operating environment
- Changes in key personnel
- Implementation of new/modified information system
- Rapid growth of the organization
- Changes in technology affecting production processes or information systems
- Introduction of new lines of business, products, or processes
COSO added this component in its last report.
COSO realized that an organization must assess its risks before it could design an effective ICS AND it must also constantly re-assess since its control environment (the 1st component) changes.
How many of these did we see in the video?
1. Changed products and production
2. Increased competition
3. FDA delays
4. New facility
5. IPO - regulatory environment
6. New Accounts Receivable billing system
Slide 8: Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
In its latest definition, COSO added Info & communication system - Why?
Anyone heard of ERP Systems?
More and more manufacturing, engineering and financial systems are integrated. So, accounting dept. may not input or control all financial transaction recording. Hercules MRP II example of inflated average unit costing for transfers.
Slide 9: Primary Objectives of Accounting & Information Systems
- Identify & record all, but only, valid transactions
- Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions
- Measure the value of transactions appropriately
- Determine time period in which the transactions occurred to permit recording in the proper period
- Present properly the transactions and related disclosures in the financial statements
Includes all accounting records such as journal vouchers, journals, ledgers and chart of accounts (why?) and accounting policies and procedures.
Slide 10: Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
Control activities are things people, machines or software programs do to screen or double-check, to ensure the objectives on a previous slide on ICS objectives are achieved.
Slide 11: Types of Control Activities
- Performance Reviews (Usually Detection) (Reconcile, Analyze & Approve)
- IT General & Application Controls (Ch 8)
- Physical Security Controls
- Segregation of Duties
  - Recording Transactions
  - Authorizing Transactions
  - Custody of Related Asset
Performance reviews can also include various analyses such as:
- Standard cost variance analyses
- Actual vs Budget analysis
- Capital Budget tracking
- Cash Flow Projection and tracking (video)
- Bd of Directors’ Reviews (video)
Question: Can we do some of these on a sampling basis? Of course. It just probably reduces the overall effectiveness because of sampling error (Chapter 9).
Slide 12: Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
Also a new component in COSO’s latest list.
Slide 13: Monitoring
Monitoring ICS Effectiveness & Compliance
- Ongoing Monitoring Activities (Management review & follow-up)
- Separate Evaluations (Internal Audits or Self Compliance)
- Public Companies: SOX Section 404 Monitoring and Assessment
Basically periodic evaluations of ICS adequacy (design) and effectiveness/compliance.
Slide 14: Monitoring Internal Controls
Do Public Companies do More?
Section 404 of Sarbanes-Oxley requires at least quarterly monitoring & assessment of financial reporting internal control effectiveness. Comment required on any material change during a fiscal quarter.
CFO normally leads, generally with Internal Audit involvement.
Slide 15: Limitations of Even A Good (Well Designed) ICS
- Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
- Controls that depend on the segregation of duties may be circumvented by collusion.
- Management may override the structure
- Compliance may deteriorate over time
Even the best designed ICS cannot be 100% effective 100% of the time for these main reasons.
Also, ICS design could be limited by cost considerations. Why spend $1 million to protect just $100,000? How about purchasing buyer total authority for small dollar purchases? If total dollars of these purchases are material in total, client could establish internal controls to detect errors or fraud after the fact, i.e., Boeing’s automated analyses and management follow-up.
Use of Sampling in performing control activities relates to design.
Slide 16: Auditor’s Basic Requirements Regarding Client’s Internal Controls
- Obtain an understanding and
- Document the understanding
Where does this requirement come from?
- GAAS 2nd Field Work Standard as part of the assessment of the risk of material misstatement.
- Mandatory for all F.S. audits, even if perceived as insignificant
Why do we need to have an understanding?
- Be able to assess CR (risk of misstatements not caught by internal controls)
- To plan appropriate audit tests as to:
  - Nature (type of tests)
  - Timing (when done)
  - Extent (scope as to accounts, number of balances or transactions and disclosures)
Slide 17: Documenting Internal Control
- ICQ covers most common internal controls, so it requires no planning time.
- ICQ easy to ID strengths & weaknesses (yes/no).
- ICQ may not ensure auditor actually understands.
- Sample ICQ on class web site
- Narrative ensures thorough understanding, but may be incomplete since auditor may not think of all possible controls. Time consuming to draft.
- Flowchart can be easy to spot weaknesses, but only for the experienced. Usually get from client, but 99% of the time it’s outdated.
Slide 18: Sources of ICS Information
- Client Policies & Procedures
- Client Inquiry
- Inspection of Documents
- Observations
Slide 19: The Auditors’ Consideration of Client’s Internal Controls
- Obtain an understanding
- Document the understanding
- Determine planned (initial) assessed level of control risk
You estimate control risk based on your understanding and desire to rely on certain controls.
Slide 20: Assessing Control Risk
Rarely, except in text or other theoretical writings, will you see anything but the qualitative assessments. Why?
Assessment is very subjective because we are not there all the time. We must draw inferences about compliance and effectiveness.
What do the percentages represent?
Risk that the internal controls will not prevent a material misstatement from getting to the F.S. or that it will not be timely detected.
Can CR ever be zero? No - see slide on limitations.
Slide 21: Assessing Control Risk
At the F.S. Statement/Overall Level
- Preparation of F.S., incl. estimates & disclosures
- Selection of Significant Accounting Policies
- The Control Environment
- General IT Controls (chapter 8)
At the Assertion/Account Level
- Relates to specific assertions about specific accounts. (Transactions)
Risks at the financial statement level are those that relate to the overall financial statements and potentially affect many individual assertions.
Risks such as these potentially affect many relevant assertions in that they cannot effectively be isolated.
Because of these characteristics of financial statement level risks, an overall response by the auditor is often required. This response might include:
- Assigning more experienced staff or those with specialized skills.
- Providing more supervision and emphasizing the need to maintain professional skepticism.
- Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed.
- Increasing the overall scope of audit procedures, including the nature, timing, or extent.
Slide 22: To Test or Not to Test Controls
We Test Controls When We Expect That:
- We Will Be Able to Rely on the Client’s Internal Controls to Set Control Risk Below Maximum
AND
- Estimated Time Spent to Test Controls Will Be < the Reduction in Substantive Testing Time IF We Find the Controls to be Operating Effectively.
So - It will be beneficial to the auditor.
Therefore: Only two reasons not to test controls:
1. Controls appear so weak that any reliance is unlikely.
2. It would be more efficient to do the audit using a “substantive” approach if time to test controls is equal to or exceeds any savings in reduced substantive testing if tests revealed reliance could be placed.
Because of these options, testing for just the F.S. audit is usually INSUFFICIENT to support the integrated report on internal controls under Sarbanes-Oxley.
Slide 23: The Auditors’ Consideration of Client’s Internal Controls
- Obtain an understanding
- Document the understanding
- Determine planned assessed level of control risk
- Design additional tests of control
(Testing procedures include: review of documents, observations, questioning client employees, re-performing the controls, review of error detection & correction reports.)
To set CR at less than maximum, you must test the controls.
Before you can place reliance on internal controls you must test that they (1) are effective and (2) are actually in operation (implemented).
Assessing effectiveness:
- Errors/fraud found?
- F/U & correction done on exception reports?
- Performed by designated person?
- Consistently applied?
Why ADDITIONAL? You may have done some tests of controls to gain understanding.
Slide 24: Relying on Previous Tests of Controls
Auditors should obtain evidence of changes in internal controls/business processes since the last audit and must test any changed controls/processes for which reliance is desired.
For controls/processes that haven’t changed, reliance can be placed on testing for operating effectiveness in prior years’ audits if the control is tested every 3rd year, unless the control relates to a significant risk.
Slide 25: The Auditors’ Consideration of Client’s Internal Controls
- Obtain an understanding
- Document the understanding
- Determine planned assessed level of control risk
- Design additional tests of control
- Perform test of controls likely to prevent or detect material misstatements and Reassess control risk
Tests of Controls:
- Key is if control is placed in operation AND is operating effectively.
- Must also consider frequency of effective performance.
- Automated controls generally more consistently performed.
Why re-assess? Once you’ve confirmed effectiveness or lack thereof.
As we’ll see in chapter 9, usually we are willing to accept something less than 100%, unless control activity is very important and there is no compensating control.
Slide 26: The Auditors’ Consideration of Client’s Internal Controls
- Obtain an understanding
- Document the understanding
- Determine planned assessed level of control risk
- Design additional tests of control
- Test Controls and Reassess control risk
- Design nature, timing and extent of substantive tests
After assessing IR and now CR, we set what DR we can live with based on our overall audit risk that we are willing to take.
We establish DR by the nature, timing and extent of our substantive tests of F.S. balances and/or the transactions behind the balances and F.S. disclosures.
Slide 27: Documentation Requirements
- Understanding of Internal Controls
- Assessed Level of Control Risk and the Combined Level of the Risk of Material Misstatements (IR + CR)
- Basis for the Risk Assessment
- Auditor’s Response to the Risks and Link to Audit Procedures Performed
- Use of Prior Years’ Tests of Controls
Basis for setting CR at max is one of the following:
1. Controls appear very weak so reliance is deemed unlikely and controls are NOT tested.
2. Time to test controls equals or exceeds potential time savings in reduced substantive testing IF controls found to be performed and effective. So, no testing of controls performed.
3. Controls appear somewhat strong in design, but testing of controls shows that controls are either not performed or not effective.
Slide 28: ICS in a Small Client
- Adequate segregation of duties impossible. Owner may have to be more active.
- But, this could foster fraudulent F.S.
- Therefore, we usually apply the “substantive” rather than the “reliance” audit approach.
Relate these concepts to what we saw in the Dermaceutics video.
Slide 29: IA as Part of the ICS
Some of their work may “overlap” what CPA would do.
We may be able to rely on (1) their work to reduce our work, just like any other part of client’s ICS, or (2) use of their auditors to perform on the F.S. audit.
To rely, we must assess:
1. Objectivity
2. Competency
3. Quality
Source: SAS 128
Objectivity: Look at organizational placement. Is IA free to report findings without fear?
Competency: The 1st GAAS general standard. Has the IA Dept adopted IIA’s professional standards?
Quality: Does IA’s work show a quality job? Test some of their work by repeating tests or do additional tests and compare results.
Slide 30: Communicating ICS Weaknesses
Report to Mgmt and Those Charged with Governance (Board of Directors)
Must Communicate:
- Significant Deficiencies
- Material Weaknesses
- Previously Reported, But Not Remediated
- Potential Effects of the Deficiencies/Weaknesses
In Writing & Within 60 Days of Release Date of Audit Report on Financial Statements
Basically we report all significant weaknesses in the client’s ICS and categorize the really bad ones as “material”. See next slide.
We should also communicate other deficiencies we believe warrant management’s attention.
How do we convince client to correct or strengthen?
Tell them how it impacts the CPA’s audit scope. Didn’t Max explain it sort of this way regarding the billing price problem?
Slide 31: Classifying ICS Weaknesses
- A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.
- A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
- A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.
Source: AU 325 with SAS 115 (eff. 2009) and 99
Auditor to use the “prudent officials, having knowledge of the same facts and circumstances” rule.
From SAS 115 – made definition less precise for a significant deficiency – eff 2009.
Slide 32: Classifying ICS Weaknesses (cont’d)
Indicators of material weaknesses include:
- Identification of fraud, whether or not material, on the part of senior management;
- Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud;
- Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control; and
- Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance
Source: AU 325 with SAS 115
Slide 33: Classifying ICS Weaknesses (cont’d)
Level: Generally Accepted Meaning
- Probable: The future event or events are likely to occur (probability is > 50%).
- Reasonably Possible: The chance of the future event or events occurring is more than remote, but less than likely (probability is 20% to 50%).
- Remote: The chance of the future event or events occurring is slight (probability is < 20%).
Classification of deficiencies must consider both probability of such deficiency causing a misstatement & the significance or materiality of the occurrence on the F.S.
Slide 34: Classifying ICS Weaknesses (cont’d)
- Material: A misstatement which would alter a reasonable person's decision making.
- More than Inconsequential: When a reasonable person would not reach a conclusion regarding a particular misstatement that the misstatement is inconsequential, then that misstatement is more than inconsequential.
- Inconsequential: When a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. (Generally, less than 20% of overall financial statement materiality threshold.)
Slide 35: Summary
Why do we consider a client’s ICS?
1. Assess Control Risk
2. To plan the audit (nature, timing & extent of tests)
What must we do before we set Control Risk below maximum?
Test the controls we want to rely on.
Why Wouldn’t We Test Controls?
1. Appear Very Weak - Reliance Unlikely
2. Time to Test > Savings in Reduced Sub. Tests
Refer to Figure 7.7 in text where the auditor’s consideration of internal controls is summarized in a flowchart.