Chapter 7: Internal Control
Steps in Internal Control Structure Phase--Non-Public Companies
1. Understand & document components
2. Preliminary assessment of control risk
3. Assess level of control risk using one of two approaches:
- a. Lower assessed level of control risk approach:
-- Tests of controls -> Assess control risk
- b. Primarily substantive test approach
-- Assess control risk at 100%
4. Substantive tests phase
- Determine nature, extent, & timing for Tests of Details for transactions & acct balances
- Conduct Tests of details & analytical procedures
Steps in audit of internal controls - Public company
1. Understand:
- Components of ICS:
-- Control Environment
-- Risk Assessment
-- Information and Communication
-- Control Activities
-- Monitoring
- Document:
-- Questionnaire
-- Flow Chart
-- Narrative
2. Preliminary assessment of control risk - Design effectiveness
3. Tests of controls
4. Assess control risk - Operating effectiveness
5. Substantive test phase
6. Report on internal controls
7. Report on FS
Foreign Corrupt Practices Act
1977
Makes illegal payment of bribes to foreign officials
- Response to American corporate practice of paying bribes and kickbacks to officials in foreign countries to obtain business
- Requires an effective system of internal control
Internal control def
A process ... designed to provide reasonable assurance ... regarding achievement of (the entity's) objectives on:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Management's Responsibility for Internal Control-Public Companies
Accept responsibility for internal control
Assess internal control effectiveness as of the last day of the company's fiscal year
Support the assessment with sufficient evidence
Management's Report on Internal Control under Section 404a
Acknowledgment of responsibility for internal control
An assessment of internal control effectiveness as of the last day of the company's fiscal year using suitable criteria
- Support evaluation with sufficient evidence
Preventative Controls over Financial Reporting
Aimed at avoiding the occurrence of misstatements in the financial statements
Example: Segregation of duties
Approach to Audit of Internal Control under Section 404b
Applies to public companies with a market capitalization of $75 million or more
For those companies, the auditors audit internal control as a part of an integrated audit as follows:
- Plan the engagement
- Use a top-down approach to identify the controls to test
- Test and evaluate design effectiveness of internal control
- Test and evaluate operating effectiveness of internal control
- Form an opinion on effectiveness of internal control over financial reporting
Responses to risk of internal control failure at FS level
Assigning more experienced staff or those with specialized skills
Providing more supervision and emphasizing the need to maintain professional skepticism
Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed
Increasing the overall scope of audit procedures, including the nature, timing or extent
Segregation of Duties Control Activities
Authorization
Recording
Custody
Enterprise Risk Management (ERM)
COSO issued a new internal control framework in 2004 on enterprise risk management
- Does not replace the original COSO internal control framework.
-- Goes beyond internal control to focus on how organizations can effectively manage risks and opportunities.
-- Auditing standards are still structured around the original COSO internal control framework.
Factors Indicative of Increased Financial Reporting Risk (Risk Assessment)
Changes in the regulatory or operating environment
Changes in personnel
Implementation of a new or modified information system
Rapid growth of the organization
Changes in technology affecting production processes or information systems
Introduction of new lines of business, products, or processes
Performance Review Control Activities
Comparison of actual to budget or forecast
Relating different sets of data to one another
Overall reviews
Overlapping Controls over Financial Reporting
Complementary - function together
Redundant - address the same assertion or control objective
Compensating - reduces the risk that an existing weakness will result in misstatement
Significant deficiency def
Control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP. Leads to more than remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.
Responses to risk of internal control failure at assertion level
Decisions are made here as to the appropriate combination of tests of controls and substantive procedures
Control deficiency def
Design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Detective Controls over Financial Reporting
Designed to discover misstatements after they have occurred
Example: Monthly bank reconciliations
Internal Control in the Small Company
Due to lack of employees, internal control is seldom strong in small businesses
Limitations of Internal Control
Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
Controls that depend on the segregation of duties may be circumvented by collusion
Management may override the structure
Compliance may deteriorate over time
Examples of control risk areas assessed at the assertion level
Failure to recognize an impairment loss on a long-lived asset
- Affects only valuation assertion
Inaccurate counting of inventory at year-end
- Affects valuation of inventory and accuracy of cost of goods sold
Information processing Control Activities
General authorization
Specific authorization
Objectives of an Accounting System
Identify and record valid transactions
Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions
Measure the value of transactions appropriately
Determine the time period in which the transactions occurred to permit recording in the proper period
Present properly the transactions and related disclosures in the financial statements
General Approach to Assessing the risks of material misstatement
Identify risks while obtaining an understanding of the client and its environment, including its internal control
Relate the identified risks to what can go wrong at the relevant assertion level
Consider whether the risks are of a magnitude that could result in a material misstatement
Consider the likelihood that the risks could result in a material misstatement
Control Objectives
In each area of internal control (financial reporting, operations and compliance) control objectives & sub objectives exist
The Control Environment
Integrity and Ethical Values
Commitment to Competence
Board of Directors or Audit Committee
Management Philosophy and Operating Style
Organizational Structure
Assignment of Authority and Responsibility
Human Resource Policies and Procedures
Corrective Controls over Financial Reporting
Needed to remedy the situation uncovered by detective controls
Example: Backups of master file
The Auditors' Consideration of Internal Control--Non-Public Companies
Obtain and document an understanding
Test and evaluate the design effectiveness
Determine audit strategy
- Lower assessed level of control risk than for public co's
- Primarily substantive test approach
If necessary, design additional tests of controls for operating effectiveness
- Reassess control risk
-- If necessary, modify planned substantive tests
Monitoring Control Activities
Ongoing monitoring activities
- Regularly performed supervisory and management activities
- Example: Continuous monitoring of customer complaints
Separate evaluations
- Performed on nonroutine basis
- Example: Periodic audits by internal auditor
Control Activities
Performance reviews
Information processing
Physical controls
Segregation of duties
Approach to Audit of Internal Control-Public Company
Plan the engagement
Evaluate management's assessment process
Obtain an understanding of internal control
Test and evaluate design effectiveness of internal control
Test and evaluate operating effectiveness of internal control
Form an opinion on control effectiveness
Examples of control risk areas assessed at the FS level
Preparing period-end financial statements
- Including development of significant accounting estimates and preparation of notes
The selection and application of significant accounting policies
IT general controls
The control environment
Types of documentation for understanding internal control
Questionnaires
- Typically standardized by firm
Written Narratives
- Memos that describe flow of transactions
Flowcharts
- Systems flowcharts
Walk-through
- Trace one or two transactions through cycle
Specific internal control practices for small businesses
Record all cash receipts immediately
Deposit all cash receipts intact daily
Make all payments by serially numbered checks, with exception of petty cash disbursements
Reconcile bank accounts monthly and retain copies
Use serially numbered invoices, PO's, and receiving reports
Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports
Balance subsidiary ledger with control accounts
Prepare comparative financial statements monthly to disclose significant variations in any category of revenue or expense
Types of Transaction Cycles
Revenue (sales and collections) Cycle
Acquisition (purchases and disbursements) Cycle
Conversion (production) Cycle
Payroll Cycle
Financing Cycle
Investing Cycle
Nature of transactions in evaluating controls
Routine transactions—e.g., revenue, purchases, and cash receipts and disbursements
Nonroutine transactions—e.g., taking of inventory, calculating depreciation expense
Estimation transactions—e.g., determining the allowance for doubtful accounts
Generally routine transactions have the strongest controls
Material weakness def
Significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
Components of Internal Control
The Control Environment
Risk Assessment
The Accounting Information and Communication System
Control Activities
Monitoring
Control Objectives Example: Area of financial reporting
Top level objective - prepare and issue reliable financial information
Detailed level applied to A/R sub objectives
- All goods shipped are accurately billed in the proper period
- Invoices are accurately recorded for all authorized shipments and only for such shipments
- Authorized and only authorized sales returns and allowances are accurately recorded
- The continued completeness and accuracy of A/R is ensured
- Accounts receivable records are safeguarded
A System of Internal Control Provides Reasonable Assurance That:
Transactions are executed with the knowledge and authorization of management
Transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets
Access to assets is limited to authorized individuals
Accounting records of assets are compared to existing assets at reasonable intervals and appropriate action is taken with respect to any differences