1 CHAPTER 9 UNDERSTANDING INTERNAL CONTROLS (Winter 2004)
- Introduction to internal control: what it is and what the auditors' responsibilities are
- Components of internal control (COSO)
- Obtaining an understanding of internal control
- Documenting the understanding
2 What is Internal Control?
COSO definition: the processes implemented by the board of directors and management to help ensure:
- Effectiveness and efficiency of operations.*
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
* Not included in the SOX definition of internal control, which covers internal control over financial reporting only.
This sets up three types of controls:
- Operating controls (effectiveness and efficiency). Other objectives and related controls may also be relevant if they pertain to data the auditor uses in applying audit procedures. Examples: nonfinancial data used in analytical procedures, such as the number of employees, the entity's manufacturing capacity and volume of goods manufactured, and other production and marketing statistics.
- Financial reporting controls, including (1) reliable financial statements, (2) security over assets and records, and (3) no bribes. Certain financial data developed primarily for internal purposes, such as budgets and performance data, may be used by the auditor to obtain evidence about the amounts reported in the financial statements.
- Compliance controls: fraud and direct-effect illegal acts.
3 Why is internal control SO important?
KPMG Fraud Survey 2003 (large and midsize companies): interviewed executives from 459 public companies with revenues > $250 million.
- Types of fraud
- How fraud was caught
(Talk about the survey handout.)
4 Why is internal control SO important?
- The businesses we audit rely on numerous reports and analyses to control operations. These controls are often IT related.
- A good system reduces the possibility that errors or irregularities will occur.
- The audit is more efficient and effective if the auditor can rely on the client's system of internal control.
- Professional standards and laws require that the auditors consider it.
5 GAAS on Internal Control
Use the understanding of internal control to:
- Identify types of potential misstatements.
- Consider factors that affect the risk of material misstatement.
- Design substantive tests to provide reasonable assurance of detecting misstatements related to specific assertions.
The auditor could decide not to rely on controls and assess control risk (CR) at the maximum, but must still understand the controls well enough to explain why control risk is assessed at the maximum.
There may be times when substantive tests alone cannot reduce detection risk (and so audit risk) to an acceptably low level, for example when significant information is initiated, recorded, processed and reported only electronically; in those cases controls must be tested.
Second standard of fieldwork: obtain a sufficient understanding of internal control to plan the audit.
6 Internal Control & SOX for Public Companies
- Section 404 requires management to assess, and the auditors to attest to, internal control over financial reporting; Section 302 covers management's certification of disclosures and disclosure controls and procedures.
- The internal control framework to follow is COSO.
- Provides guidance on internal control over financial reporting.
- One material weakness = adverse report on internal controls.
7 Roles and Responsibilities (COSO)
- Management: establish effective internal control.
- Board of directors and audit committee: governance and oversight of management.
- Internal auditors: periodically examine and evaluate the adequacy of an entity's internal control and make recommendations.
- Other entity personnel: do not have primary responsibility, but if they become aware of noncompliance with controls or illegal acts they should communicate to a higher level in the organization ("blow the whistle").
- Independent auditors: communicate any significant internal control deficiencies discovered to management and the board with recommendations for improvement. For public companies, must attest to management's assertion about internal control.
- Legislators and regulators: establish minimum statutory and regulatory requirements.
8 Limitations of Internal Control
No matter how well designed and operated, internal control can provide only reasonable assurance regarding achievement of an entity's control objectives because of:
1. Mistakes in judgment
2. Breakdowns
3. Collusion
4. Management override
5. Cost versus benefits
9 Components of Internal Control
The COSO report identifies 5 interrelated components of internal control:
1. Control environment: sets the tone; the foundation for all other controls.
2. Risk assessment: the company understands the risks to its business (e.g., natural and computer disasters).
3. Information and communication: the system provides information that is timely and relevant.
4. Control activities: the actual controls.
5. Monitoring: proper oversight of the system.
This is an overview; each component is covered in more detail later.
10 Control Environment
Sets the tone of an organization, influencing the control consciousness of its people.
- Management philosophy and operating style: does management take undue risks, manipulate net income to "improve performance", or pressure employees?
- Organizational structure: balance authority and responsibility; have an appropriate internal audit department.
- Integrity and ethical values: do they seem to be present? Is there a code of conduct?
- Board of directors and audit committee: for SEC registrants the audit committee must consist entirely of outside (independent) directors, is responsible for overseeing internal control, and must be knowledgeable.
- Assignment of authority and responsibility: job descriptions, training, policy and procedure manuals, background checks.
- Human resource policies and practices: hiring, training, evaluation, compensation and promotion designed to minimize internal control risks.
- Commitment to competence: see above.
- External influences: heighten management awareness of the importance of internal control (FASB, SEC, regulated industries such as insurance, banking and utilities).
- Information technology:
  - Involvement of management in setting policies for developing, modifying and using computer programs and data.
  - Form of organization structure of data processing.
  - Methods of assigning authority and responsibility over computer systems documentation, including procedures for authorizing transactions and approving system changes.
11 Risk Assessment
An entity's identification and analysis of the risks that could affect whether the financial statements are fairly presented in conformity with GAAP.
[Figure: business risk, inherent risk and fraud risk feeding into internal controls]
12 Information and Communication
Ensures pertinent information is identified, captured and communicated throughout the organization in a timely manner. Requires the system to:
- Identify and record only valid transactions occurring in the current period (existence or occurrence assertion).
- Identify and record all valid transactions occurring in the current period (completeness assertion).
- Ensure recorded assets and liabilities are the result of transactions that produced entity rights to, or obligations for, those items (rights and obligations assertion).
- Appropriately measure the value of transactions so they are recorded at their proper monetary value in the financial statements (valuation or allocation assertion).
- Capture sufficient detail of all transactions to permit their proper presentation in the financial statements, including proper classification and required disclosure (presentation and disclosure assertion).
13 Information and Communication
[Figure: the authorize, execute and record steps of a transaction, with the risk of misstatement considered at each step]
14 Control Activities
Necessary to ensure that the information system is working. Types:
- Authorization
- Segregation of duties
- Information processing controls: general controls, application controls, and controls over the financial reporting process
- Physical controls
- Performance reviews
- Controls over management's discretion in financial reporting
15 Control Activity: Authorization
- Every transaction needs appropriate general or specific authorization of the commitment of resources as the transaction is initiated.
- Critical to the existence (occurrence) assertion: is it something that SHOULD be recorded?
- Authorization needs to occur at the time the transaction is INITIATED.
16 Control Activity: Segregation of Duties (Figure 9-1)
Three incompatible functions should be performed by different people:
- Executing (authorizing) transactions
- Custody of assets
- Recordkeeping (maintaining recorded accountability)
DO NOT WANT SOMEONE TO BE IN A POSITION TO BOTH PERPETRATE AND CONCEAL AN IRREGULARITY.
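The segregation-of-duties rule above is easy to state and easy to violate in an access-control system. The following added example (not from the slides) flags users whose combined application roles give them two or more of the authorize / custody / record functions; the role names, the mapping of roles to functions and the user assignments are hypothetical and constructed for illustration.

```python
# Added example: segregation-of-duties conflict check over a constructed list
# of user-to-role assignments. The roles, the role-to-function mapping and the
# users are hypothetical; only the three incompatible functions come from the text.
from itertools import combinations

AUTHORIZE, CUSTODY, RECORD = "authorize", "custody", "record"

# Any two of the three functions held by one person is a conflict: that person
# can both perpetrate an irregularity and conceal it.
INCOMPATIBLE = {frozenset(pair)
                for pair in combinations((AUTHORIZE, CUSTODY, RECORD), 2)}

# Hypothetical application roles and the control function each one confers.
ROLE_FUNCTION = {
    "AP_INVOICE_APPROVER": AUTHORIZE,   # approves vendor invoices
    "AP_PAYMENT_RELEASE":  CUSTODY,     # releases cash to vendors
    "GL_JOURNAL_POSTER":   RECORD,      # posts to the general ledger
    "AP_CLERK_ENTRY":      RECORD,      # keys invoices into the subledger
    "AR_CASH_RECEIPTS":    CUSTODY,     # handles incoming cash
    "READ_ONLY_REPORTS":   None,        # no control-relevant function
}

# Constructed sample of user -> roles assignments.
ASSIGNMENTS = {
    "alice": ["AP_INVOICE_APPROVER", "READ_ONLY_REPORTS"],
    "bob":   ["AP_PAYMENT_RELEASE", "GL_JOURNAL_POSTER"],            # custody + record
    "carol": ["AP_CLERK_ENTRY", "GL_JOURNAL_POSTER"],                # two record roles: fine
    "dave":  ["AP_INVOICE_APPROVER", "AP_PAYMENT_RELEASE", "AP_CLERK_ENTRY"],
}

def functions_held(roles, role_function=ROLE_FUNCTION):
    """Set of control functions conferred by a user's roles (unknown roles ignored)."""
    return {role_function[r] for r in roles if role_function.get(r)}

def sod_conflicts(assignments, role_function=ROLE_FUNCTION):
    """Return {user: sorted list of (function, function) pairs that conflict}.
    Users with no conflicting pair are omitted."""
    findings = {}
    for user, roles in assignments.items():
        held = functions_held(roles, role_function)
        pairs = sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= held)
        if pairs:
            findings[user] = pairs
    return findings

if __name__ == "__main__":
    for user, pairs in sod_conflicts(ASSIGNMENTS).items():
        print(f"{user}: {pairs}")
```

Run against the constructed assignments, bob is flagged for custody plus recordkeeping, dave for all three pairs, while carol (two recordkeeping roles) and alice are clean. In practice the role-to-function mapping is the part that needs auditor judgment; the check itself is mechanical and should be re-run whenever role assignments change.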
18 Information Processing Controls: Computer General Controls
- Organization and operation controls (prior slide).
- Systems development and documentation controls:
  - Users, accounting and internal audit should be involved in design.
  - Testing is a joint effort between users and IT.
  - Proper approval before placing a system into use.
  - Changes properly approved and tested.
- Hardware and system software controls.
- Access controls: prevent unauthorized use of IT equipment, data files and programs.
19 Information Processing Controls: Computer General Controls (continued)
- Data and procedural controls:
  - Receiving and screening all data to be processed
  - Accounting for all input data
  - Following up on processing errors
  - Verifying the proper distribution of output
  - Adequate backup and safeguarding procedures
20 Information Processing Controls: Application Controls
- Input (computer editing) controls: missing data check, check digit, valid character check, valid sign check, limit or reasonableness test, valid code check.
- Processing controls: control totals, before-and-after report, file identification labels, sequence tests, limit and reasonableness tests, processing tracing data.
- Output controls: reconciliation of totals, comparison to source documents, visual scanning.
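The input edit checks, the sequence test and the control totals listed above, shown as an added example that is not part of the original slides. It assumes a record layout of sequence number, 8-digit vendor number carrying a mod-10 (Luhn) check digit, department code and amount; a reasonableness ceiling of 10,000; a valid-code table of three department codes; and a constructed batch whose header amount total was keyed with a digit transposition, so the control totals catch what the per-record edits cannot.

```python
# Added example: application controls run over a constructed batch of
# disbursement records. Field layout, Luhn check digit on vendor numbers, the
# 10,000 limit and the department code table are all assumptions for illustration.
import re

VALID_DEPT_CODES = {"100", "200", "300"}   # assumed valid-code table
AMOUNT_LIMIT = 10_000.00                   # assumed reasonableness ceiling

def luhn_ok(number: str) -> bool:
    """Check digit test: assumes vendor numbers end in a mod-10 (Luhn) check digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec: dict) -> list:
    """Input (computer editing) controls for one record; returns the list of failures."""
    errors = [f"missing {f}" for f in ("seq", "vendor", "dept", "amount")
              if rec.get(f) in (None, "")]                     # missing data check
    if errors:
        return errors
    if not re.fullmatch(r"\d{8}", rec["vendor"]):              # valid character check
        errors.append("vendor not 8 digits")
    elif not luhn_ok(rec["vendor"]):                            # check digit
        errors.append("vendor check digit failed")
    if rec["dept"] not in VALID_DEPT_CODES:                     # valid code check
        errors.append(f"invalid dept {rec['dept']}")
    if rec["amount"] <= 0:                                      # valid sign check
        errors.append("amount not positive")
    elif rec["amount"] > AMOUNT_LIMIT:                          # limit / reasonableness test
        errors.append(f"amount {rec['amount']} exceeds limit")
    return errors

def process_batch(header: dict, records: list) -> dict:
    """Processing controls: reject records that fail edits, run the sequence test,
    and compare control totals computed over ALL input against the batch header."""
    rejected = {}
    for idx, rec in enumerate(records):
        errs = edit_checks(rec)
        if errs:
            rejected[idx] = errs
    # Sequence test: each sequence number must be exactly the previous one + 1.
    seq_errors, prev = [], None
    for rec in records:
        seq = rec.get("seq")
        if seq is None:
            continue
        if prev is not None and seq != prev + 1:
            seq_errors.append((prev, seq))
        prev = seq
    # Control totals account for every input record, accepted or rejected:
    # a record count, a financial total and a hash total of vendor numbers.
    computed = {
        "record_count": len(records),
        "amount_total": round(sum(r.get("amount") or 0.0 for r in records), 2),
        "vendor_hash_total": sum(int(r["vendor"]) for r in records
                                 if str(r.get("vendor", "")).isdigit()),
    }
    mismatches = {k: (header.get(k), v) for k, v in computed.items()
                  if header.get(k) != v}
    return {"rejected": rejected, "sequence_errors": seq_errors,
            "control_total_mismatch": mismatches}

# Constructed batch. The header amount total 12,891.50 is a transposition of the
# true 12,819.50; vendor 12345670 has a bad check digit; seq 4 is missing.
HEADER = {"record_count": 5, "amount_total": 12891.50, "vendor_hash_total": 44691358}
RECORDS = [
    {"seq": 1, "vendor": "12345674", "dept": "100", "amount":   250.00},  # clean
    {"seq": 2, "vendor": "12345670", "dept": "200", "amount":    99.50},  # check digit
    {"seq": 3, "vendor": "20000014", "dept": "999", "amount": 12500.00},  # code, limit
    {"seq": 5, "vendor": "2000001X", "dept": "300", "amount":   -40.00},  # chars, sign, gap
    {"seq": 6, "vendor": "",         "dept": "100", "amount":    10.00},  # missing data
]

if __name__ == "__main__":
    for key, value in process_batch(HEADER, RECORDS).items():
        print(f"{key}: {value}")
```

The point of computing the totals over the whole batch rather than over accepted records only is the "accounting for all input data" control from the previous slide: a record that fails an edit must still be accounted for, otherwise a dropped or duplicated record is invisible to the reconciliation. The transposed header total is not caught by any per-record edit but shows up immediately as a control-total mismatch.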
21 Information Processing Controls
[Figure: spreadsheets, accounting database, SQL queries and the financial statements, with each stage labelled as having strong controls or weak/no controls]
22 Physical Controls
The important issue is physical security:
- Limit direct physical access to assets: lock boxes, fireproof safes, locked storerooms.
- Limit indirect physical access through the preparation or processing of documents that allow access to assets.
23 Performance Reviews
Management review and analysis of:
- Reports that summarize the detail of account balances: aged trial balance, report of cash disbursements by department, reports of sales and gross margins by customer or region.
- Actual performance vs. budget or forecast.
- Balanced scorecard type measures (financial, customer, business process, innovation) with the ability to drill down to department level.
25 Monitoring
Assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions, including reporting all deficiencies to higher authorities within the organization. This should occur through:
- Ongoing activities, and
- Separate periodic evaluations.
Responsibilities:
- Management and accounting officers: be conscious of IT risks and monitor the performance of internal controls; address weaknesses and recommendations from regulators and external auditors.
- Board of directors / audit committee: have internal audit perform periodic reviews of IT risks and controls.
26 Purpose of Understanding Internal Control
The understanding of internal control should be used to:
- Identify types of potential misstatements.
- Consider factors that affect the risk of material misstatement.
- Determine where controls should be tested. For public companies, this is necessary to attest to management's assertions about the effectiveness of their internal controls.
- Design substantive tests to provide reasonable assurance of detecting misstatements related to specific assertions, taking into account what relevant tests of controls, if any, are being performed.
27 Understanding and Testing Internal Control
1. Understand the design of policies and procedures related to each component of internal control.
2. Determine whether the policies and procedures are operating as expected, where you are attesting to or relying on controls.
Procedures used:
- Reviewing previous experience with the client
- Inquiring of appropriate management, supervisory and staff personnel
- Inspecting documents and records
- Observing entity activities and operations
This often takes the form of a "walk-through" of the system.
28 How Much Depth of Understanding Do You Need?
Minimum understanding of each component:
- Control environment
- Risk assessment
- Information and communication
- Control activities (may need very little knowledge when a primarily substantive approach is followed)
- Monitoring
29 Depth: Control Environment
- Obtain sufficient knowledge to understand the attitude and actions of management and the board of directors concerning the control environment.
- Consider both the substance of the control environment and its collective effect on the other aspects of internal control.
30 Depth: Risk Assessment
Determine:
- how management identifies risks relevant to fair presentation in the financial statements,
- the care with which it assesses the significance of those risks, and
- how it decides on control activities to address those risks.
[Figure: business risk, inherent risk and fraud risk feeding into internal controls]
31 Depth: Control Activities
- The level of understanding is directly related to the preliminary audit strategy.
- If the auditor plans a primarily substantive approach, the auditor may not need additional knowledge of control activities in order to assess control risk.
- If the auditor plans to use a lower assessed level of control risk approach, or is attesting to management's internal control, a significant understanding of control activities is needed.
32 Depth: Information and Communication Systems
Need to understand the transaction trail. This includes understanding:
- Transaction classes significant to the financial statements (e.g., cash receipts or disbursements).
- How transactions are initiated.
- The accounting records, supporting documents and specific accounts in the financial statements involved in the processing and reporting of transactions.
- The accounting processing involved from initiating a transaction to its inclusion in the financial statements, including electronic means used to transmit, process, maintain and access information.
- The financial reporting process used to prepare financial statements, estimates and disclosures.
Remember,
33 Depth: Monitoring
- Understand the types of activities used by the entity, top management, accounting management and internal auditors to monitor the effectiveness of internal control.
- Also obtain knowledge about how corrective actions are initiated.
34 Documenting the Understanding
- Documenting the understanding of internal control is required in all audits.
- The form and extent of documentation is influenced by the size and complexity of the entity and the nature of the entity's internal control.
- Four forms of documentation are commonly used by auditors: questionnaires, decision tables, flowcharts and narrative memos.
- The results of any testing of the system must also be documented.
A questionnaire consists of a series of questions about the internal controls that the auditor considers necessary to prevent material misstatements in the financial statements (a "checklist").
A decision table is a matrix used to document the logic of a computer program. Decision tables usually have three key components:
1. conditions related to accounting transactions,
2. actions taken by the computer program, and
3. decision rules that link each combination of conditions to the actions to be taken.
A flowchart is a schematic diagram using standardized symbols, interconnecting flow lines and annotations that portray the steps involved in processing information through the accounting system. It is sometimes accompanied by a narrative memorandum describing the controls.
A narrative memorandum consists of written comments concerning the auditor's consideration of internal controls.
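A decision table is only useful as documentation if it is complete: every combination of conditions must map to exactly one action. The added example below (not from the slides) encodes a hypothetical credit-hold table with the three components just described, applies it to constructed orders, and audits the table for gaps (a combination no rule covers) and overlaps (a combination two rules claim). The conditions, thresholds, customer list and orders are assumptions for illustration.

```python
# Added example: a decision table as conditions, decision rules and actions,
# with a completeness audit. The credit-hold logic, the limit, the approved
# customer list and the sample orders are hypothetical.
from itertools import product

CREDIT_LIMIT = 5_000.00                    # assumed credit limit
APPROVED_CUSTOMERS = {"C001", "C002"}      # assumed approved list

# Conditions: (label, predicate over an order). Each evaluates to Y or N.
CONDITIONS = [
    ("customer on approved list",     lambda o: o["customer"] in APPROVED_CUSTOMERS),
    ("order within credit limit",     lambda o: o["amount"] <= CREDIT_LIMIT),
    ("customer has past-due balance", lambda o: o["past_due"] > 0),
]

# Decision rules: one column each. "-" means the condition does not matter.
RULES = [
    (("Y", "Y", "N"), "approve"),
    (("Y", "Y", "Y"), "hold for credit review"),
    (("Y", "N", "-"), "hold for credit review"),
    (("N", "-", "-"), "reject"),
]

def condition_outcomes(order):
    """Evaluate every condition for one order, giving a tuple of Y/N entries."""
    return tuple("Y" if test(order) else "N" for _, test in CONDITIONS)

def matching_rules(outcomes):
    """Indexes of the rules whose entries match the observed outcomes."""
    return [i for i, (entries, _) in enumerate(RULES)
            if all(e == "-" or e == o for e, o in zip(entries, outcomes))]

def decide(order):
    """Apply the table to an order; exactly one rule must fire."""
    hits = matching_rules(condition_outcomes(order))
    if len(hits) != 1:
        raise ValueError(f"table gap or ambiguity for {order}: rules {hits}")
    return RULES[hits[0]][1]

def audit_table():
    """Return (gaps, overlaps): combinations of outcomes no rule covers, and
    combinations more than one rule covers. Both lists are empty for a sound table."""
    gaps, overlaps = [], []
    for outcomes in product("YN", repeat=len(CONDITIONS)):
        hits = matching_rules(outcomes)
        if not hits:
            gaps.append(outcomes)
        elif len(hits) > 1:
            overlaps.append((outcomes, hits))
    return gaps, overlaps

# Constructed sample orders, one per action path.
ORDERS = [
    {"customer": "C001", "amount": 1200.00, "past_due":  0.0},   # approve
    {"customer": "C002", "amount": 7500.00, "past_due":  0.0},   # hold: over limit
    {"customer": "C001", "amount":  300.00, "past_due": 80.0},   # hold: past due
    {"customer": "C999", "amount":  100.00, "past_due":  0.0},   # reject
]

if __name__ == "__main__":
    print("gaps, overlaps:", audit_table())
    for order in ORDERS:
        print(condition_outcomes(order), "->", decide(order))
```

When an auditor documents program logic this way, `audit_table()` is the check worth keeping: a table that documents the code but leaves a combination of conditions unmapped is exactly where an unexpected transaction falls through, and the audit enumerates every combination rather than relying on the sample orders that happen to be on hand.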