5 components of internal control

8/6/2019 5 Components of Internal Control

1/35

Chapter 10

Section 404 Audits of InternalControl and Control Risk

Internal Control

Internal Control

Risk

.


2/35

Presentation Outline

I. An Overview of Internal Control

II. The Components of Internal ControlIII. Process for Understanding Internal

Control and Assessing Control Risk

IV. Communications with the AuditCommittee and Management


3/35

I. An Overview of Internal

Control

A. Internal Control Defined

B. Reasonable Assurance

C. Section 404 Reporting Requirements forManagement

D. Key Components of Managements

Assessment of Internal ControlE. Auditor Responsibilities for

Understanding Internal Control


4/35

A. Internal Control Defined

Reliability of financial reporting Compliance with applicable laws and regulations

Effectiveness and efficiency of operations

An entitys system of internal control consists of

policies and procedures designed to provide

management with reasonable assurance that thecompany achieves its objectives and goals

including:


5/35

B. Reasonable Assurance

Reasonable assuranceinvolves two

considerations: The cost of the

entitys internalcontrol should not

exceed the expectedbenefits.

Limitations exist inany entitys internal

control.

Code themissing cash

to bad debts.

Collusion


6/35

C. Section 404 Reporting Requirements for

Management

Section 404 of Sarbanes-Oxley requires the management ofpublic companies to issue an internal control report that

includes:

A statement that management is responsible for establishingand maintaining an adequate internal control structure and

procedures for financial reporting.

An assessment of the effectiveness of the internal controlstructure and procedures for financial reporting as of the end

of the companys fiscal year.


7/35

D. Key Components of Managements Assessment

of Internal Control

Management must

evaluate the design of

internal control overfinancial reporting.

Management must test

the operating

effectiveness of those

controls.


8/35

E. Auditor Responsibilities for

Understanding Internal Control

Public and private companies A sufficient understanding of internal

control is to be obtained to plan the audit and to determine the nature,timing, and extent of tests to be performed. (2nd standard offieldwork)

Public companies Section 404 requires effort beyond that statedabove so that the auditor can provide a report on internal controls that

contains the following two opinions: Whether managements assessment of the effectiveness of internal control over

financial reporting as of the end of the fiscal period is fairly stated in all materialrespects.

Whether the company maintained, in all material respects, effective internalcontrol over financial reporting as of the specified date.


9/35

II. The Components of Internal

Control

A. The Control Environment

B. Risk AssessmentC. Control Activities

D. Information and Communication

E. Monitoring

The internal control framework for most U.S. companies is the

Committee of Sponsoring Organizations of the Treadway

Commission (COSO)Internal ControlIntegratedFramework, issued in 1992.


10/35

A. The ControlEnvironment

The control environment is concerned with theactions, policies, and procedures that reflect theoverall attitude of the clients top management,directors, and owners of an entity about internal

control and its importance.

1. Integrity and ethical values

2. Commitment to competence

3. Board of directors and audit committee4. Managements philosophy and operating style

5. Organizational structure

6. Assignment of authority and responsibility

7. Human resource policies and practices


11/35

1. Integrity andE

thical ValuesManagement actions

to remove incentives

that prompt a personto behave improperly.

Communication of

behavioral standards

by codes of conduct

and example.


12/35

2. Commitment to Competence

Managements

consideration of thecompetence levels for

specific jobs and how

those translate into

requisite skills andknowledge.


13/35

3. Board of Directors and Audit

CommitteeBoard delegates responsibility

for internal control to

management and is chargedwith regular independent

assessments of management-

established internal control.

The major stock exchangesrequire listed companies to have

an audit committee composed of

entirely independent directors

who are financially literate.


14/35

4. Managements Philosophy and

Operating Style

Management, through its activities, provides clearsignals to employees about the importance of

internal control. For example, are sales and earningstargets unrealistic, and are employees encouraged to

take aggressive actions to meet those targets.


15/35

5. Organizational Structure

Understanding the

clients organizationalstructure provides the

auditor with an

understanding of how

the clients businessfunctions and

implements controls.


16/35

6. Assignment of Authority and

ResponsibilityFormal methods of

communication including:

Top managementmemoranda concerning

internal control

Organizational operating

plansEmployee job

descriptions


17/35

7. Human Resource Policies and

Practices

If employees are honestand trustworthy, other

controls can be absent andreliable financial

statements will still result.

Methods by which persons

are hired, trained,promoted, andcompensated are important

elements of internalcontrol.


18/35

B. Risk Assessment

Client managements identification and analysis of

risks relevant to the preparation of the financialstatements in accordance with GAAP.

1. Client Managements Risk Assessment

2. Auditor Risk Assessment


19/35

1. Client Managements Risk Assessment

Client management assesses risk as part of designing andoperating internal controls to minimize errors and fraud.

Three steps involve:

i. Identify factors that may increase riskii. Determine significance of risk and likelihood of

occurrence

iii. Develop specific actions to reduce risk to an acceptable

level.


20/35

2

. Auditor Risk AssessmentThe auditor obtains knowledge

about managements risk

assessment process by:

Determining how management

identifies risks relevant to

financial reporting

Evaluating their significance and

likelihood of occurrence

Deciding the actions needed to

address the risks.


21/35

C. Control Activities

Policies and procedures that client management has

established to meet its objectives for financialreporting.

1. Adequate segregation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance


22/35

1. Adequate Segregation of

DutiesSeparation of the

functions of

authorization,recordkeeping, and

custody.

Separating IT duties

from User

Departments


23/35

2. Proper Authorization of

Transactions and ActivitiesGeneral authorization

is permissible for

routine events forwhich there are

policies to follow.

For some transactions

specific authorization

is needed on a case-

by-case basis.


24/35

3. Adequate Documents and

RecordsPrenumbered

consecutive

documents so missingitems are noticed

Prepared as near totransaction time as

possibleGood design with

instructions andappropriate spaces


25/35


26/35

5. Independent Checks on

P

erformance

Personnel are likely toforget or intentionallyfail to follow

procedures, or theymay become careless

unless someoneobserves and evaluates

their performance.


27/35

D. Information and Communication

Methods used to initiate, record, process, and report anentitys transactions and to maintain accountability

for related assets.

For a small company with active involvement by the

owner, a simple computerized accounting system that

involves one honest, competent accountant may

provide an adequate accounting system. A larger company requires a more complex system

that includes carefully defined responsibilities and

written procedures.


28/35

E. Monitoring

Client managements ongoing and periodic assessment

of the quality of internal control performance to

determine whether controls are operating as intended

and modified when needed.

For many companies, especially larger ones, aninternal audit department is essential for effective

monitoring.

To maintain internal audit independence, it isimperative that they be independent of operating andaccounting departments; and that they report to a highlevel of authority, preferably the audit committee of

the board of directors.


29/35


30/35

A. Phase 1: Obtain and Document

Understanding of Internal Control

Three methods commonly used by auditors to obtain anddocument their understanding of the design of internal

control are narratives, flowcharts, and internal controlquestionnaires (see Figure 10-4 on p. 286).

The auditor must also evaluate whether the designedcontrols are actually placed in operation.

PCAOB Standard 2 requires the auditor to perform at leastone walkthrough for each major class of transactions. In a

walkthrough, the auditor selects one or a few documents forthe initiation of a transaction type and traces them through

the entire accounting process.


31/35

B. Phase 2: Assess Control Risk

Two specific assessments must bemade to arrive at the

preliminary assessment:

The first assessment is whetherthe entity is auditable. This isdetermined by considering the

integrity of management and theadequacy of the accounting

records.

Determine assessed control risksupported by the understandingobtained assuming the controls

are being followed.


32/35

C. Phase 3: Design, Perform, andEvaluate

Tests of Controls

If the results of tests of controls support the design and

operating of controls as expected, the auditor uses the

same assessed control risk as the preliminary assessment.Otherwise, assessed control risk must be reconsidered.

If the auditor wants a lower assessed control risk, more

extensive tests of controls are applied.

PCAOB Standard 2 requires the auditor to determine

whether controls are operating effectively at year end.

The auditor may test at an interim date and later determine

if changes have occurred.


33/35

D. Phase 4: Decide Planned

Detection Risk and Substantive Tests

The greater thecontrol risk (weak

internal controls) thelower the detectionrisk the auditor can

accept.

To lower detectionrisk, the auditor

performs moresubstantive testing.


34/35

IV. Communications with the Audit

Committee and Management

As part of understanding internal control and assessingcontrol risk, the auditor is required to communicate

certain matters to the audit committee:

Significant deficiencies and material weaknesses must becommunicated in writing to the audit committee as a part

of every audit. Timely communication may helpmanagement in correcting the problem before their year-

end report on internal control.Less significant internal-control matters and

recommendations for operational improvements may becommunicated through a management letter. Althoughsuch letters are not required by auditing standards, they

are often provided as a value-added service of the audit.


35/35