CHAPTER 9 UNDERSTANDING INTERNAL CONTROLS Winter 2004

1 CHAPTER 9 UNDERSTANDING INTERNAL CONTROLS Winter 2004
Introduction to Internal Control
- What is it
- What are the auditors’ responsibilities
Components of Internal Control (COSO)
Obtaining an Understanding of Internal Control
Documenting the Understanding

2 What is Internal Control?
COSO Definition: The processes implemented by the BOD and management to help ensure:
- Effectiveness and efficiency of operations.*
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
* This is not included in the SOX definition of IC

This sets up that there are 3 types of controls:
- Effectiveness: operating controls. Other objectives and related controls may also be relevant if they pertain to data the auditor uses in applying audit procedures. Examples: nonfinancial data used in analytical procedures, such as the number of employees, the entity’s manufacturing capacity and volume of goods manufactured, and other production and marketing statistics.
- Reliability of financial controls, including (1) reliable f/s, (2) security over assets and records and (3) no bribes! Certain financial data developed primarily for internal purposes, such as budgets and performance data, used by the auditor to obtain evidence about the amounts reported in the financial statements.
- Compliance controls: Fraud and Direct Effect Illegal Acts

3 Why is internal control SO important?
KPMG Fraud Survey: Large and Midsize Companies 2003 report
- Interviewed executives from 459 public companies with revenues > $250 million
- Types of fraud
- How fraud was caught
(Talk about survey handout)

4 Why is internal control SO important?
- The businesses we audit rely on numerous reports and analyses to control operations. These controls are often IT related.
- A good system reduces the possibility that errors or irregularities will occur.
- We can audit more efficiently and effectively if we rely on the client’s system of internal control.
- Professional standards and laws require that the auditors consider it.

5 GAAS on Internal Control
- Identify types of potential misstatements
- Consider factors that affect the risk of material misstatement
- Design substantive tests to provide reasonable assurance of detecting misstatements related to specific assertions
You could decide to not rely on controls and assess CR (control risk) at the maximum, but you must understand why control risk is assessed at the maximum. There may be times when substantive tests alone do not reduce control risk to a sufficiently low level.
Second standard of fieldwork: gain a sufficient understanding of internal control.

6 Internal Control & SOX for Public Companies
- Requires auditors to attest to Certification of Disclosure and Management’s Internal Controls and Procedures (Rule 404)
- Internal control framework to follow is COSO. Provides assistance on: internal control over financial reporting.
- One material weakness = adverse report on internal controls

7 Roles and Responsibilities (COSO)
- Management: establish effective IC
- BOD and audit committee: governance and oversight responsibilities of mgmt
- Internal auditors: periodically examine and evaluate the adequacy of an entity’s IC and make recommendations
- Other entity personnel: “blow whistle”
- Independent auditors: any significant IC deficiencies discovered, communicate to mgt and BOD with recommendations for improvement. For public companies, must attest to management’s assertion about IC
- Legislators and regulators: establish minimum statutory and regulatory requirements

Other entity personnel: do not have primary responsibility, but if they become aware of non-compliance with controls or illegal acts, communicate to a higher level in the organization.

8 Limitations of Internal Control
No matter how well designed and operated, an I/C can provide only reasonable assurance regarding achievement of an entity’s control objectives because of:
1. Mistakes in judgment.
2. Breakdowns.
3. Collusion.
4. Management override.
5. Cost versus benefits.

9 Components of Internal Control
The COSO report identifies 5 interrelated components of internal control, which are:
1. Control environment
2. Risk assessment
3. Information and communication
4. Control activities
5. Monitoring

This is an overview. We’ll go over each in much more detail later.
- Control environment: sets tone, is the foundation for controls
- Risk assessment: company understands risks to business. Ex: natural and computer disasters, etc.
- Control activities: actual controls
- Info and comm: system provides info that is timely and relevant
- Monitoring: properly oversee system

10 Control Environment
Sets the tone of an organization, influencing the control consciousness of its people.
- Management philosophy & operating style
- Organizational structure
- Integrity and ethical values
- Board of directors and audit committee
- Assignment of authority & responsibility
- Human resource policies and practices
- Commitment to competence
- External influences
- Information technology

- Management philosophy & operating style: Take undue risks? Manipulate NI to “improve performance”? Pressure employees?
- Organizational structure: Balance authority and responsibility, have appropriate IA dept
- Integrity and ethical values: Do they seem to be present? Code of conduct?
- Board of directors and audit committee: SEC Co’s must all be o/s directors and responsible for IC. Must be knowledgeable.
- Assignment of authority & responsibility: Job descriptions, training, policy and procedure manual, background checks
- Human resource policies and practices: Hiring, training, evaluation, compensate and promote to minimize IC risks
- Commitment to competence: See above
- External influences: Heighten management awareness of IC importance. FASB, SEC, regulated industries (insurance, banking, utilities)
- Technology:
  - Involvement of management in setting policies for developing, modifying, and using computer programs and data.
  - Form of organization structure of data processing
  - Methods of assigning authority and responsibility over computer systems documentation, including procedures for authorizing transactions and approving system changes.

11 Risk Assessment
An entity’s identification and analysis of risks that could affect whether the financial statements are fairly presented in conformity with GAAP.
(Diagram labels: Business Risk, Inherent Risk, Fraud Risk, Internal Controls)

12 Information and Communication
Ensures pertinent information is identified, captured and communicated throughout the organization in a timely manner. Requires the system to:
- Identify and record only valid transactions occurring in the current period (existence or occurrence).
- Identify and record all valid transactions occurring in the current period (completeness).
- Ensure recorded assets and liabilities are the result of transactions that produced entity rights to, or obligations for, those items (rights & obligations).
- Appropriately measure the value for recording their proper monetary value in the f/s (valuation or allocation assertion).
- Capture sufficient detail of all transactions to permit their proper presentation in the f/s, incl. proper classification and required disclosure (presentation and disclosure assertion).

13 Information and Communication
(Diagram labels: Authorize, Execute, Record; Risk of Misstatement; Consideration)

14 Control Activities
- Authorization
- Segregation of Duties
- Information Processing Controls
  - General Controls
  - Application Controls
  - Controls over the Financial Reporting Process
- Physical Controls
- Performance Reviews
- Controls over Management’s Discretion in Financial Reporting

Necessary to ensure that the information system is working.

15 Control Activity - Authorization
Every transaction needs appropriate general or specific authorization of commitment of resources as transactions are initiated. This is critical to the existence assertion: is it something that SHOULD be recorded? Authorization needs to occur at the time the transaction is INITIATED!

16 Control Activity – Segregation of Duties (Figure 9-1)
- Execute = Authorization
- Custody
- Recordkeeping = maintain recorded accountability
DO NOT WANT SOMEONE TO BE IN POSITION TO PERPETRATE AND CONCEAL AN IRREGULARITY.
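The slide's rule (no one person should hold authorization, custody and recordkeeping for the same transaction cycle) is what an identity or access reviewer checks against a role catalogue. The following is an added example, not part of the deck: a small segregation-of-duties conflict check that collapses each user's roles into the duties they effectively hold per process, then flags anyone holding two or more of the three duties in one process. The duty names come from the slide; the roles, users and processes (purchasing, payroll) are constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check over a user/role grant table.

Added example for the slide above; it is not the deck's material. The duty
names come from the slide; the roles, users and processes are constructed."""
from itertools import combinations

# The three duties the slide says must be kept apart within one transaction cycle.
DUTIES = ("authorize", "custody", "record")

# Constructed role catalogue: role -> set of (process, duty) grants.
ROLE_GRANTS = {
    "purchasing_manager": {("purchasing", "authorize")},
    "ap_clerk":           {("purchasing", "record"), ("payroll", "record")},
    "treasury":           {("purchasing", "custody"), ("payroll", "custody")},
    "payroll_admin":      {("payroll", "authorize"), ("payroll", "record")},  # conflict inside one role
    "read_only_auditor":  set(),
}

def effective_duties(roles):
    """Collapse a user's roles into {process: {duties}} so conflicts spread across
    several roles, or hidden inside one role, are evaluated on the same footing."""
    duties = {}
    for role in roles:
        for process, duty in ROLE_GRANTS.get(role, ()):
            duties.setdefault(process, set()).add(duty)
    return duties

def sod_conflicts(user_roles):
    """Return {user: [(process, duty_a, duty_b), ...]} for every user holding two or
    more of authorize/custody/record in the same process, i.e. someone who could
    both perpetrate and conceal an irregularity."""
    findings = {}
    for user, roles in user_roles.items():
        for process, held in effective_duties(roles).items():
            pairs = [(process, a, b) for a, b in combinations(DUTIES, 2)
                     if a in held and b in held]
            if pairs:
                findings.setdefault(user, []).extend(pairs)
    return findings

def would_conflict(user_roles, user, new_role):
    """Preventive use: evaluate a proposed role grant before it is made."""
    trial = dict(user_roles)
    trial[user] = list(user_roles.get(user, [])) + [new_role]
    return sod_conflicts(trial).get(user, [])

# Constructed user/role assignments for the access review.
USER_ROLES = {
    "alice": ["purchasing_manager"],
    "bob":   ["ap_clerk", "treasury"],    # record + custody, across two roles
    "carol": ["payroll_admin"],           # authorize + record, inside one role
    "dave":  ["read_only_auditor"],
}

if __name__ == "__main__":
    for user, pairs in sorted(sod_conflicts(USER_ROLES).items()):
        for process, a, b in pairs:
            print(f"{user}: holds {a} and {b} in {process}")
    print("alice + ap_clerk:", would_conflict(USER_ROLES, "alice", "ap_clerk"))
```

Running it flags bob (custody and recordkeeping in both cycles, acquired through two separately harmless-looking roles) and carol (authorization and recordkeeping bundled into a single role), while `would_conflict` shows the same check used preventively at grant time rather than only in a periodic review.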

17 IT Functions Requiring Segregation Figure 9-2

18 Information Processing Controls
Computer General Controls
- Organization & operation controls (prior slide)
- Systems development & documentation controls
  - Users, accounting & IA should be involved in design
  - Testing: joint effort between users & IT
  - Proper approval before placing into use
  - Changes properly approved and tested
- Hardware and system software controls
- Access controls: prevent unauthorized use of IT equipment, data files, programs

19 Information Processing Controls
Computer General Controls continued
- Data and procedural controls
  - Receiving and screening all data to be processed
  - Accounting for all input data
  - Following up on processing errors
  - Verifying the proper distribution of output
  - Adequate back-up and safeguarding procedures

20 Information Processing Controls
Application Controls
- Input (computer editing) controls
  - Missing data check
  - Valid character check
  - Limit or reasonableness test
  - Check digit
  - Valid sign check
  - Valid code check
- Processing controls
  - Control totals
  - File identification labels
  - Limit & reasonableness tests
  - Before & after report
  - Sequence tests
  - Processing tracing data
- Output controls
  - Reconciliation of totals
  - Comparison to source documents
  - Visual scanning
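Most of the application controls listed on this slide are a few lines of code each once the record layout is fixed. The following is an added example, not from the deck: a batch validator for constructed cash-disbursement records that runs the input edit checks (missing data, valid character, check digit, valid sign, limit/reasonableness, valid code), a sequence test over pre-numbered documents, and before/after control totals that are reconciled against a batch header and against the posted output. The record layout, the department code table, the 10,000 limit and the choice of a mod-10 (Luhn) check digit for account numbers are assumptions made for the example.

```python
"""Application controls from the slide, run over a constructed batch of cash
disbursements. Added example, not the deck's material: the record layout, the
department code table, the 10,000 reasonableness limit and the use of a mod-10
(Luhn) check digit on account numbers are all assumptions made for the example."""
from __future__ import annotations
from dataclasses import dataclass

VALID_DEPARTMENTS = {"100", "200", "300"}   # constructed valid-code table
AMOUNT_LIMIT = 10_000.00                     # constructed reasonableness limit

@dataclass
class Disbursement:
    doc_no: int        # pre-numbered document, used by the sequence test
    vendor_code: str   # alphanumeric only
    account_no: str    # digits; rightmost digit is the mod-10 check digit
    dept: str
    amount: float

def check_digit_ok(number: str) -> bool:
    """Check digit test: mod-10 (Luhn) over all digits, including the check digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec: Disbursement) -> list[str]:
    """Input (computer editing) controls; returns the names of the checks that failed."""
    failed = []
    if not (rec.vendor_code and rec.account_no and rec.dept):
        failed.append("missing data")
    if not rec.vendor_code.isalnum():
        failed.append("valid character")
    if not check_digit_ok(rec.account_no):
        failed.append("check digit")
    if rec.amount <= 0:
        failed.append("valid sign")
    if rec.amount > AMOUNT_LIMIT:
        failed.append("limit/reasonableness")
    if rec.dept not in VALID_DEPARTMENTS:
        failed.append("valid code")
    return failed

def sequence_test(batch: list[Disbursement]) -> list[int]:
    """Processing control: document numbers missing from the batch's range."""
    nums = {r.doc_no for r in batch}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums] if nums else []

def control_totals(batch: list[Disbursement]) -> dict:
    """Record count, amount total and a hash total of document numbers."""
    return {"count": len(batch),
            "amount": round(sum(r.amount for r in batch), 2),
            "hash": sum(r.doc_no for r in batch)}

def process_batch(batch: list[Disbursement], header: dict):
    """Post the records that pass the edit checks and reconcile before/after totals,
    so a record dropped or altered during processing shows up as a difference."""
    before = control_totals(batch)
    report = {"header_agrees": before == header,          # keyed batch vs. clerk's header
              "sequence_gaps": sequence_test(batch),
              "rejected": {}}
    posted = []
    for rec in batch:
        failed = edit_checks(rec)
        if failed:
            report["rejected"][rec.doc_no] = failed
        else:
            posted.append(rec)
    after = control_totals(posted)
    rejected_amount = round(sum(r.amount for r in batch if r.doc_no in report["rejected"]), 2)
    # Output control: posted total + rejected total must add back to the input total.
    report["reconciles"] = round(after["amount"] + rejected_amount, 2) == before["amount"]
    return posted, report

# Constructed sample batch: one clean record and three with deliberate defects.
SAMPLE_BATCH = [
    Disbursement(1001, "ACME01", "79927398713", "100", 250.00),     # passes every check
    Disbursement(1002, "ACME01", "79927398714", "100", 100.00),     # bad check digit
    Disbursement(1004, "BAD-01", "79927398713", "999", 15000.00),   # hyphen, over limit, bad dept
    Disbursement(1005, "ACME02", "79927398713", "200", -20.00),     # negative amount
]
# Constructed batch header totals, as a clerk would compute them before keying.
SAMPLE_HEADER = {"count": 4, "amount": 15330.00, "hash": 4012}

def run_sample():
    return process_batch(SAMPLE_BATCH, SAMPLE_HEADER)

if __name__ == "__main__":
    posted, report = run_sample()
    print("posted:", [r.doc_no for r in posted])
    print("report:", report)
```

On the sample batch only document 1001 posts; the report names the failed check for each rejected record, shows the gap at 1003 from the sequence test, and confirms that the header totals agree with what was keyed and that posted plus rejected amounts reconcile to the input total. The hash total over document numbers is the control that catches a substituted record whose amount happens to match.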

21 Information Processing Controls
(Diagram of the reporting data flow; labels: Spreadsheets, Accounting Database, SQL, Financial Statements; control strength annotations: Strong Controls, Weak or No Controls, Weak or No Controls)

22 Physical Controls
Important issue of physical security
- Limit direct physical access to assets: lock boxes, fireproof safes, locked storerooms
- Limit indirect physical access through the preparation or processing of documents that allow access to assets

23 Performance Reviews
Management review and analysis of:
- Reports that summarize the detail of account balances
  - aged trial balance
  - report of cash disbursements by department
  - reports of sales and gross margins by customer or region
- Actual performance vs. budget or forecast
- Balanced scorecard type measures with ability to drill down to department level: financial, customer, business process, innovation

25 Monitoring
Assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions, including reporting all deficiencies to higher authorities within the organization. This should occur through:
- Ongoing activities and
- Separate periodic evaluations.
Responsibilities: Management & Acct Officers; Board of Directors

- Management and Accounting Officers: Be conscious of IT risks and monitor performance of internal controls. Address weaknesses and recommendations from regulators and external auditors.
- Audit committee: Have internal audit do periodic reviews of IT risks and controls.

26 Purpose of Understanding Internal Control
The understanding of internal control should be used to:
- Identify types of potential misstatements
- Consider factors that affect the risk of material misstatement
- Determine where controls should be tested. For public companies, necessary to attest to management’s assertions about the effectiveness of their internal controls.
- Design substantive tests to provide reasonable assurance of detecting misstatements related to specific assertions, taking into account what relevant tests of controls are being performed, if any.

27 Understanding and Testing Internal Control
1. Understand the design of policies and procedures related to each component of internal control.
2. Determine whether the policies and procedures are operating as you expected, where you are attesting to or relying on controls.
- Reviewing previous experience with the client
- Inquiring of appropriate management, supervisory, and staff personnel
- Inspecting documents and records
- Observing entity activities and operations
This often will take the form of a “walk through” of the system.

28 How Much Depth of Understanding Do You Need???
Minimum Understanding
- Control environment
- Risk assessment
- Information and communication
- Control activities (may need very little knowledge when a primarily substantive approach is followed).
- Monitoring

29 Depth: Control Environment
Obtain sufficient knowledge to understand the attitude and actions of management and the BOD concerning the control environment. Consider both the substance of control environment and the collective effect on other aspects of internal control.

30 Depth: Risk Assessment
Determine how management:
- identifies risks relevant to fair presentation in the financial statements,
- the care with which it assesses the significance of those risks, and
- how it decides on control activities to address those risks.
(Diagram labels: Business Risk, Inherent Risk, Fraud Risk, Internal Controls)

31 Depth: Control Activities
Level of understanding is directly related to preliminary audit strategy. If the auditor is planning a primarily substantive approach, the auditor may not need additional knowledge of control activities in order to assess control risk. If the auditor plans to use a lower assessed level of control risk approach or is attesting to management’s IC, the auditor will need to obtain a significant understanding of control activities.

32 Depth: Information and Communication Systems
Need to understand the transaction trail. This includes understanding:
- Transaction classes significant to the f/s.
- How transactions are initiated.
- The accounting records, supporting documents, and specific accounts in the f/s involved in the processing and reporting of transactions.
- The accounting processing involved from initiating a transaction to its inclusion in the f/s, including electronic means used to transmit, process, maintain, and access information.
- Cash receipts or disbursements.
- The financial reporting process used to prepare financial statements, estimates and disclosures.
Remember,

33 Depth: Monitoring It is important to understand the types of activities used by the entity, top management, accounting management, and internal auditors to monitor the effectiveness of internal control. Knowledge should also be obtained about how corrective actions are initiated.

34 Documenting the Understanding
Documenting the understanding of internal control is required in all audits. The form and extent of documentation is influenced by the size and complexity of the entity, and the nature of the entity’s IC. There are 4 forms of documentation commonly used by auditors:
- Questionnaires
- Decision Tables
- Flowcharts
- Narrative Memos
Will also need to document the results of any testing of the system.

- A questionnaire consists of a series of questions about internal control that the auditor considers necessary to prevent material misstatements in the financial statements. (“checklist”)
- A decision table is a matrix used to document the logic of a computer program. Decision tables usually have 3 key components: 1. conditions related to accounting transactions, 2. actions taken by the computer program, 3. decision rules that link conditions with subsequent actions.
- A flowchart is a schematic diagram using standardized symbols, interconnecting flow lines, and annotations that portray the steps involved in processing information through the accounting system. Sometimes narrative memoranda are used with it to describe the controls.
- A narrative memorandum consists of written comments concerning the auditor’s consideration of internal controls.

