6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk

6-2 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. INTERNAL CONTROL -- AN INTEGRATED FRAMEWORK (COSO) Internal Control A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) Reliability of financial reporting, (2) Compliance with applicable laws and regulations, (3) Effectiveness and efficiency of operations.

6-3 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Internal Control—Integrated Framework (COS0)

6-4 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. INTERNAL CONTROL -- AN INTEGRATED FRAMEWORK (COSO) COMPONENTS OF INTERNAL CONTROL CONTROL ENVIRONMENT RISK ASSESSMENT CONTROL ACTIVITIES INFORMATION & COMMUNICATION MONITORING

6-5 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. CONTROL ENVIRONMENT Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components.

6-6 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. RISK ASSESSMENT The entity's identification and analysis of relevant risks to achievement of its objectives.

6-7 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. CONTROL ACTIVITIES The policies and procedures that help ensure management directives are carried out. –Information Processing Approvals and authorization Verifications and reconciliations –Physical controls over the security of assets –Segregation of duties –Performance reviews

6-8 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. INFORMATION & COMMUNICATION The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.

6-9 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. MONITORING The process that assesses the quality of the internal control's performance over time.

6-10 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Responsibility for Internal Control Management responsibility –Foreign Corrupt Practices Act Auditor responsibility –Second standard of fieldwork

6-11 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Reasons for Internal Control Evaluation Planning the substantive audit program Communicating internal control deficiencies –Reportable conditions are matters the auditors believe should be communicated to the client’s audit committee because they represent significant deficiencies in the design or application of the internal controls that could adversely affect the organization’s ability to record, process, summarize, and report financial data in the financial statements. Report of material weaknesses –Material weaknesses are reportable conditions in which the design or operation of internal controls does not reduce to a relatively low level the risk that material errors or frauds may occur and may not be detected within a timely period by employees in the course of performing their normal assigned functions.

6-12 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Reporting on Internal Control Related Matters Noted in an Audit Report, preferably in writing; if not, document reporting via memoranda in working papers. The auditor may communicate during or after audit. A previously communicated reportable condition that has not been corrected ordinarily should be communicated again if there has been major turnover in upper-level management and the Board of Directors.

6-13 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Example Report of Reportable Conditions In planning and performing our audit of the financial statements of the ABC Corporation for the year ended December 31, 20XX, we considered its internal control structure in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on the internal control structure. However, we noted certain matters involving internal control and its operation that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control structure that, in our judgment, could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. [Include paragraphs to describe the reportable conditions noted.] This report is intended solely for the information and use of the audit committee (board of directors, board of trustees, or owners in owner ‑ managed enterprises), management, and others within the organization (or specified regulatory agency or other specified third party).

6-14 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Required Communication with Audit Committees The auditor should communicate the following issues to the Audit Committee: –The Auditor's Responsibility Under Generally Accepted Auditing Standards –Significant Accounting Policies –Management Judgments and Accounting Estimates –Significant Audit Adjustments –Other Information in Documents Containing Audited Financial Statements –Disagreements With Management –Consultation With Other Accountants –Major Issues Discussed With Management Prior to Retention –Difficulties Encountered in Performing the Audit –Reportable Conditions and MATERIAL WEAKNESSES

6-15 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Required Communication with Audit Committees (Continued) The communications may be oral or written. When the auditor communicates in writing, the report should indicate that it is intended solely for the use of the audit committee or the board of directors and, if appropriate, management. If information is communicated orally, the auditor should DOCUMENT the communication by appropriate memoranda or notations in the working papers. Communications with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.

6-16 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. PHASES OF A CONTROL EVALUATION Phase 1: Understand and Document –Understand the Client’s Internal Control –Document the Internal Control understanding Internal Control questionnaire Narrative Accounting and Control System Flowcharts Phase 2: Assess Control Risk (Preliminary) Phase 3: Testing and Reassessment –Perform Test of Controls Audit Procedures –Re-Assess Control Risk

6-17 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Phases of Internal Control Evaluation

6-18 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Limitations of Internal Controls Collusion Management override Cost/benefit analysis

6-19 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Cost-Benefit Analysis There is often a trade-off between the cost and the effectiveness of internal controls. The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.