2 Responsibility for Internal Control
- Management responsibility
  - Management has primary responsibility for internal control
  - Sarbanes-Oxley Act of 2002 (publicly traded companies)
- Auditor responsibility
  - Second standard of fieldwork
  - PCAOB Auditing Standard No. 5 (AS 5): An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
3 Management’s Responsibility for Internal Control (Sarbanes-Oxley)
In addition to certifying the company’s financial statements (Section 302), management must also report on the company’s internal control over financial reporting (Section 404).
Specifically, the company’s annual report must include:
- A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting.
- A statement identifying the framework (usually COSO) management uses to evaluate the effectiveness of the company’s internal control.
- A statement providing management's assessment of the effectiveness of the company’s internal control.
4 AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
- Auditors must provide their opinion on the effectiveness of client’s internal control.
- Not a separate engagement
- Integrated audit of internal control and financial statements
5 COSO
- Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (Treadway Commission)
- FEI, AAA, IIA, IMA, AICPA
6 Why Assess Control Risk?
- Determine nature, timing, and extent of audit procedures.
- Trade-off between testing of controls and substantive procedures.
- Note: Control testing required for public companies (AS 5), but not for private companies and not-for-profit organizations.
7 Exhibit Trade-off Between Tests of Controls and Substantive Testing
8 Internal Control – An Integrated Framework (COSO)
Internal Control: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
(1) Reliability of financial reporting,
(2) Compliance with applicable laws and regulations,
(3) Effectiveness and efficiency of operations.
10 Exhibit 5.4 Interrelated Components of Internal Control
11 Control Environment
- Sets the tone of an organization, influencing the control consciousness of its people.
- It is the foundation for all other components.
12 Control Environment
- Philosophy and operating style
- Integrity and ethical values
- Organizational structure
- Commitment to competence
- Functioning of board
- Authority and responsibility
- Internal audit
- Human resources policies
- External environment
13 Risk Assessment
- The entity's identification and analysis of relevant risks to achievement of its objectives.
- COSO's Enterprise risk management (ERM) framework
14 Control Procedures
The policies and procedures that help ensure management directives are carried out.
- Physical controls over the security of assets
- Segregation of duties
- Information processing
- Approvals and authorization
- Verifications and reconciliations
- Performance reviews
16 Information Processing Controls
- Information technology general controls (ITGC)
  - Physical security
  - Hardware controls
  - Segregation of IT duties
  - Documentation
  - Back-up procedures
- Information technology application controls (ITAC)
  - Input controls
  - Processing controls
  - Output controls
  - Spreadsheet controls
17 Information and Communication
The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.
18 Monitoring
Management’s process that assesses the quality of the internal control's performance over time.
- Internal auditing
- Follow-up of reporting errors
19 General Phases of Internal Control Evaluation
- Phase 1: Understand and document
  - Understand the client’s internal control
  - Document the understanding of internal control
    - Internal control questionnaire
    - Narrative
    - Accounting and control system flowcharts
- Phase 2: Assess control risk (preliminary)
- Phase 3: Testing and reassessment
  - Perform test of controls audit procedures
  - Re-assess control risk
22 Exhibit 5.12 Assertions about Class Transactions and Events for the Period: Payroll Cycle
23 Exhibit 5.13 Dual Direction Test of Payroll Controls
24 AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements (for Publicly Traded Companies)
Phases of the engagement:
- Plan the engagement
- Use a top-down approach to gain an understanding
  - Identify entity-level controls
  - Walkthroughs
- Testing internal control effectiveness
  - Design effectiveness
  - Operating effectiveness
- Evaluating control deficiencies
  - Deficiencies
  - Significant deficiencies
  - Material weaknesses
- Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
- Reporting on internal control
25 Step 1: Plan the Audit
- Consider knowledge of industry
- Consider knowledge of business
- Consider extent of changes in operations
- Consider extent of changes in internal control
- Evaluation must be done for all relevant assertions for all significant accounts or disclosures. Thus, significant accounts, locations, and assertions must be identified.
- The key to determining whether an account, location, or assertion is significant is whether there is a more-than-reasonable possibility that a material misstatement could be associated with it.
- Just as control risk is used to determine the nature, timing, and extent of substantive procedures, inherent risk is used to determine the nature, timing, and extent of tests of controls.
26 Step 2: Use a top-down approach to gain an understanding
- Identify entity-level controls
- Perform walkthroughs
- Auditor must perform work related to:
  - Company-wide anti-fraud programs
  - Controls that have a pervasive effect
- Auditor must obtain “principal evidence,” but can incorporate work of internal auditors and others
  - Must assess competence and objectivity
  - Limited reliance
  - Can’t reduce work on control environment
27 Exhibit 5.8 Entity-Level Controls
- Controls related to the control environment.
- Controls related to management override.
- Centralized processing and controls including shared service environments.
- Controls to monitor results of operations.
- Controls to monitor other controls.
- Management’s risk assessment.
- Period-end financial reporting process.
- Policies that address significant business control and risk management practices.
28 Test Controls: Design Effectiveness
- Design effectiveness determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements.
- After an understanding of internal controls is gained through inquiry, inspection, and observation, the controls are evaluated for the possibility that the controls would not prevent or detect a misstatement.
29 Test Controls: Operating Effectiveness
- Operating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
- A sample of transactions is examined using inquiry, observation, inspection, and reperformance.
- Tests of controls are not performed if design is not effective.
30 Step 4a: Evaluate control deficiencies
- Whether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the entity’s management or employees to detect or prevent misstatements in a timely fashion.
- A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control’s objective.
- An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained).
- More serious internal control deficiencies can be categorized into one of two groups, significant deficiencies or material weaknesses, depending on their severity.
31 Step 4b: Identify significant deficiencies
Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the organization’s ability to initiate, record, process, and report financial data in the financial statements.
While not material, they are important enough to bring to the attention of those charged with governance (usually the audit committee).
- Absence of appropriate separation of duties.
- Absence of appropriate reviews and approvals of transactions.
- Evidence of failure of control procedures.
32 Step 4c: Identify Material Weaknesses
A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
- Restatement of previously issued financial statements to reflect the correction of a misstatement.
- Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client’s internal controls.
- Ineffective oversight of financial reporting process by entity’s audit committee.
- Indication of fraud (either material or immaterial) by senior management.
33 Summary of Internal Control Deficiencies
- Three categories
  - Internal control deficiency
  - Significant deficiency
  - Material weaknesses
- The difference between a significant deficiency and a material weakness is the (1) likelihood and (2) materiality that a potential (or actual) misstatement would not be detected on a timely basis.
34 Step 5: Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
Auditors can issue one of three types of opinions on internal control over financial reporting:
- Unqualified. No material weaknesses found.
- Disclaimer of opinion. The audit team cannot perform all of the procedures considered necessary.
- Adverse opinion. One or more material weaknesses found.
35 Step 6: Reports on Internal Control
- Separate report on internal control
  - Opinion on financial statements contained in separate audit report
  - Extra paragraph added to report on internal control referencing opinion on financial statements.
- Integrated audit report and report on internal control
  - Includes auditor’s opinions on 1) internal control effectiveness, and 2) the fairness of the company’s financial statements.
36 Reporting to Audit Committee on Internal Control Related Matters
- Sarbanes-Oxley requires that the report be in writing.
- The auditor may communicate during or after the audit.
- Communication with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.
37 Limitations of Internal Control
- Human error
- Collusion
- Management override
- Cost/benefit analysis
  - There is often a trade-off between the cost and the effectiveness of internal controls.
  - The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.