ACC 450 Chapter 11
Reasonable Assurance
A company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated.
Section 404(a) of the Sarbanes-Oxley Act requires management of all public companies to issue an internal control report that includes the following:
(1) A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting; (2) An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year
The control activities generally fall into the following five types, which are discussed next:
(1) Adequate separation of duties, (2) Proper authorization of transactions and activities, (3) Adequate documents and records, (4) Physical control over assets and records, (5) Independent checks on performance
Auditor's Controls Over Classes of Transactions
Auditors emphasize internal control over classes of transactions rather than account balances because the accuracy of accounting system outputs (account balances) depends heavily on the accuracy of inputs and processing (transactions). Auditors are primarily concerned with the transaction-related audit objectives discussed in Chapter 6 when assessing internal controls over financial reporting.
Auditor's Controls Over the Reliability of Financial Reporting
Auditors focus primarily on controls related to the first of management's internal control concerns: reliability of financial reporting. Financial statements are not likely to correctly reflect GAAP or IFRS if internal controls over financial reporting are inadequate. Unlike the client, the auditor is less concerned with controls that affect the efficiency and effectiveness of company operations, because such controls may not influence the fair presentation of financial statements. Auditors should not, however, ignore controls affecting internal management information, such as budgets and internal performance reports. These types of information are often important sources used by management to run the business and can be important sources of evidence that help the auditor decide whether the financial statements are fairly presented. If the controls over these internal reports are inadequate, the value of the reports as evidence diminishes.
Commitment to Competence
Competence is the knowledge and skills necessary to accomplish tasks that define an individual's job. Commitment to competence includes management's consideration of the competence levels for specific jobs and how those levels translate into requisite skills and knowledge. If employees are competent and trustworthy, other controls can be absent, and reliable financial statements will still result. Incompetent or dishonest people can reduce the system to a shambles—even if there are numerous controls in place. Honest, efficient people are able to perform at a high level even when there are few other controls to support them. However, even competent and trustworthy people can have shortcomings. For example, they can become bored or dissatisfied, personal problems can disrupt their performance, or their goals may change. Because of the importance of competent, trustworthy personnel in providing effective control, the methods by which persons are hired, evaluated, trained, promoted, and compensated are an important part of internal control.
The COSO internal control components include the following:
(1) Control environment, (2) Risk assessment, (3) Control activities, (4) Information and communication, (5) Monitoring
Management's Operating Effectiveness of Controls
In addition, management must test the operating effectiveness of controls. The testing objective is to determine whether the controls are operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Management's test results, which must also be documented, form the basis for management's assertion at the end of the fiscal year about the controls' operating effectiveness. Management must disclose any material weakness in internal control. Even if only one material weakness is present, management must conclude that the company's internal control over financial reporting is not effective. The SEC requires management to include its report on internal control in its annual Form 10-K report filed with the SEC.
Inherent Limitations
Internal controls can never be completely effective, regardless of the care followed in their design and implementation. Even if management can design an ideal system, its effectiveness depends on the competency and dependability of the people using it.
Accountability
Management and the board of directors are responsible for communicating expectations and holding individuals accountable for internal control duties. The effectiveness of this process depends on the other subcomponents discussed above. For example, management must set the appropriate tone and put in place appropriate structures and reporting lines in order to hold individuals accountable. Incentives should be provided for employees to fulfill their internal control duties.
Management's Design of Internal Control
Management must evaluate whether the controls are designed and put in place to prevent or detect material misstatements in the financial statements. Management's focus is on controls that address risks related to all relevant assertions for all significant accounts, transactions, and disclosures in the financial statements. This includes evaluating how significant transactions are initiated, authorized, recorded, processed, and reported to identify points in the flow of transactions where material misstatements due to error or fraud could occur.
Establishing Internal Control
Management, not the auditor, must establish and maintain the entity's internal controls.
Auditor Responsibilities for Understanding Internal Control
One of the principles in AICPA auditing standards is that the auditor "identifies and assesses risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including the entity's internal control." Auditing standards require the auditor to obtain an understanding of internal control relevant to the audit on every audit engagement. Auditors are primarily concerned about controls over the reliability of financial reporting and controls over classes of transactions.
Board of Director or Audit Committee Participation
The board of directors is essential for effective corporate governance because it has the ultimate responsibility to make sure management implements proper internal control and financial reporting processes. An effective board of directors is independent of management, and its members oversee management's activities. Although the board delegates responsibility for internal control to management, the board must exercise oversight of the design and performance of controls. An active and objective board can reduce the likelihood that management overrides existing controls.
Organizational Structure
The entity's organizational structure defines the existing lines of responsibility and authority. As shown in the COSO cube in Figure 11-2 (p. 347), the organizational structure can consist of the entity level, divisions, operating units, and functions within those units, and controls operate at each of these levels. By understanding the client's organizational structure, the auditor can learn the management and functional elements of the business and perceive how controls are implemented.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework
The internal control framework used by most U.S. companies
Chart of accounts
a listing of all the entity's accounts that classifies transactions into individual balance sheet and income statement accounts
Internal control
a process designed to provide reasonable assurance regarding the achievement of management's objectives in the following categories: (1) reliability of reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations
Collusion
an act of two or more employees who conspire to steal assets or misstate records
Specific authorization
case-by-case approval of transactions not covered by companywide policies
General authorization
companywide policies for the approval of all transactions within stated limits
Entity-level controls
controls that have a pervasive effect on the entity's system of internal control; also referred to as company-level controls
General controls
controls that relate to all parts of the IT function and affect many different software applications
Application controls
controls typically at the business process level that apply to processing transactions, such as the inputting, processing, and outputting of sales or cash receipts
Independent checks
internal control activities designed for the continuous internal verification of other controls
In response, the exchanges will not list any security from a company with an audit committee that
(1) is not comprised solely of independent directors; (2) is not solely responsible for hiring and firing the company's auditors; (3) does not establish procedures for the receipt and treatment of complaints (e.g., "whistleblowing") regarding accounting, internal control, or auditing matters; (4) does not have the ability to engage its own counsel and other advisors; (5) is inadequately funded.
Risk assessment
management's identification and analysis of risks relevant to the preparation of financial statements in accordance with an applicable accounting framework
Monitoring
management's ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating as intended and are modified when needed
Control activities
policies and procedures, in addition to those included in the other four components of internal control, that help ensure that necessary actions are taken to address risks in the achievement of the entity's objectives; they typically include the following five specific control activities: (1) adequate separation of duties, (2) proper authorization of transactions and activities, (3) adequate documents and records, (4) physical control over assets and records, and (5) independent checks on performance
COSO principles
represent the fundamental concepts related to each of the five components of internal control; all principles must be functioning for controls to be effective
Section 404(b) of the Sarbanes-Oxley Act
requires that the auditor report on the effectiveness of internal control over financial reporting.
Separation of duties
separation of the following activities in an organization: (1) custody of assets from accounting, (2) authorization from custody of assets, (3) operational responsibility from record-keeping, and (4) IT duties from outside users of IT
Control environment (Umbrella)
the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity
Those charged with governance
the person(s) with responsibility for overseeing the strategic direction of the entity and its obligations related to the accountability of the entity, including overseeing the financial reporting and disclosure process
Information and communication
the set of manual and/or computerized procedures that initiate, record, process, and report an entity's transactions and maintain accountability for the related assets