Chapter 7: Internal Control
Advantages of ERM
-Aligning the organization's risk tolerance and strategy -Enhancing risk response decisions by focusing on the best technique for managing each risk -Reducing operational surprises and losses -Identifying multiple and cross-enterprise risks -Seizing opportunities -Improving deployment of capital
Committee of Sponsoring Organizations commissioned a study to:
-Establish a common definition of internal control -Provide a standard against which businesses can assess their control systems and determine how to improve them
Written narratives of IC
-describe the flow of transaction cycles, identifying the employees performing tasks, the documents prepared, and the division of duties
Material weakness
-reasonable possibility that a material misstatement will not be prevented or detected on a timely basis
Walk-through
-tracing one or two transactions through each step in the cycle
Violations of the FCPA can result in...
-fines of up to $1 million -imprisonment
PCAOB standards for audits of IC
1) describe the integrated audit 2) set out specific requirements for the audit of IC
Entity-level risks vs. transaction risks
Entity-level: may arise from external or internal factors. Transaction-level: found within the company; generally relate directly to financial statement assertions
Are separate evaluations monitoring activities that occur on a routine basis?
NO; nonroutine
Risk tolerance
acceptable level of variation in performance relative to the achievement of objectives
No individual should perform more than one of the functions of ____________ transactions, ____________ them, and ______________ ___________ over assets
authorizing, recording, and maintaining custody
t or f; the accounting department records financial transactions and handles financial assets
false; doesn't handle the assets
t or f; in smaller organizations, auditors will focus less on substantive procedures
false; they will focus more on them
Audit procedures to test effectiveness of IC
inquiries, inspection, observation, reperformance
A well-designed organization structure provides a basis for...
planning, directing, and controlling operations
Internal control used to be considered mainly as the steps taken by a business to...
prevent fraud
Should auditors focus on substance or form of controls
substance
Are the design of a control and the implementation of a control two separate operations?
yes
When auditors communicate significant **and** material weaknesses to mgmt, is it required to be in writing?
yes
Categories of risk responses
-Avoidance, reduction, sharing (reducing likelihood by transferring the risk; ex: insurance), and acceptance (when the risk is consistent with risk tolerance)
Corp Gov's relationship to internal control
-Broader than internal control; focuses on ethical treatment of stakeholders, compliance with laws, regulations, and customary business practices, and effective risk management -**the control environment is significant to corporate governance**
Corrective control
-Needed to remedy material misstatements -ex: backup copies of key transactions and master files
Establishing accountability for assets
-One party holds custody of the assets and another maintains an independent record; one of these parties may be an outside party or an electronic device -Accounting records should be maintained independently of custody of the related assets and should be reconciled with the assets at reasonable intervals
Basic principles of control activities
-Select control activities that mitigate the risks to the achievement of objectives to an acceptable level -Select general control activities over technology to support organizational objectives -Deploy control activities through policies that establish what is expected
Service organizations and what auditors should do
-contact the service organization through the user entity to obtain information -visit the service organization and perform procedures on its controls -obtain a service auditor's report on the service organization
How can the owner of a small business mitigate misstatements
1) reading daily cash register totals 2) reconciling monthly 3) signing all checks and cancelling the supporting documents 4) approving all journal entries 5) critically reviewing comparative monthly statements of revenue and expense
Risk assessment includes an expectation of the operating effectiveness of controls when:
1) substantive procedures alone do not provide sufficient appropriate audit evidence, or 2) auditors wish to reduce the scope of substantive procedures through tests of controls
Which type of report from service organizations (type 1 or type 2) should be provided when the user auditor's risk assessment includes an expectation that controls at the service org are operating effectively?
Type 2
The anti-bribery policies in the FCPA require all corporations under the SEC (regardless of whether they operate internationally) to maintain an internal control system that:
provides reasonable assurance that: -transactions are executed with the knowledge and authorization of management -transactions are recorded to permit preparation of reliable statements and to maintain accountability for assets -access to assets is limited to authorized people -accounting records of assets are compared to existing assets at reasonable intervals and action is taken on differences
Both AICPA and IAS require tests of controls to be performed at least every ________ audit, while PCAOB requires it every __________ audit
third; annual
t or f; an AIS should include a chart of accounts with a detailed description of the purpose of each account
true
t or f; in the 3 areas of internal control (reporting, operations, and compliance) COSO states that a series of control objectives and subobjectives exist
true
t or f; public companies are required to provide reports on internal control by both mgmt and auditors
true
Control activities
-Policies and procedures that help mitigate the risk that the organization's objectives are not met
Monitoring of Controls: basic principles and definition
-Process to assess the quality of IC over time -Principles: --perform ongoing and separate evaluations to determine that the components of IC are present and functioning --evaluate and communicate IC deficiencies in a timely manner to those responsible for taking corrective action
Section 404 of Sarbanes Oxley
-Section 404(a): requires each annual report to include a report in which 1) management acknowledges its responsibility for establishing and maintaining IC and 2) provides an assessment of IC effectiveness as of the end of the most recent fiscal year (the as-of date)
-Section 404(b): requires the company's auditors to attest to and report on IC (companies with over $75,000,000 market capitalization)
Evaluating internal auditors
-Should assess the **competence and objectivity** of the internal audit function, and whether the auditors apply a **systematic and disciplined** approach to performing the work -consider whether the function is appropriately staffed, whether its staff are adequately trained, and its policies
"Top-down" approach
-Starts at the financial statements and entity-level controls, then links them to significant accounts, relevant assertions, and major classes of transactions
2 types of reports the AICPA says that service auditors may provide
-Type 1: report on management's description of a service org's system and the suitability of the design of its controls -Type 2: report on management's description of a service org's system and the suitability of the design **and operating effectiveness of its controls**
Preventive controls
-aimed at avoiding the occurrence of misstatements -ex: segregation of duties, requiring approval of period-ending journal entries -operate at the individual transaction level
National Commission on Fraudulent Financial Reporting
-aka the Treadway Commission -studied the causal factors associated with fraudulent financial reporting -recommendations made: --stressed the importance of a competent audit committee and an active internal audit function in preventing fraud --called on the sponsoring organizations to work together to integrate internal control criteria
Basic principles of control environment
-commitment to integrity and ethical values -board of directors demonstrates independence from management and exercises effective oversight of internal control -effective structure, including reporting lines, authorities, and responsibilities -commitment to attract, develop, and retain competent employees -holding employees accountable for their IC responsibilities
Factors to consider when determining whether a risk deserves special attention
-complexity of calculations -risk of fraud -selection and application of accounting principles -internal and external circumstances giving rise to business risk -recent developments in the industry or economy
Which component of IC is considered the foundation for the other components?
-control environment
Management letter
-deficiencies communicated to management -valuable reference document for management -minimizes the auditor's legal liability in the event of fraud
Significant deficiency definition
-deficiency in IC over financial reporting that is **less** severe than a material weakness, yet important enough to merit attention
Detective controls
-designed to discover misstatements after they have occurred -ex: policy requiring the preparation of monthly bank reconciliations -operate at the transaction level or at a higher level
Systems flowchart
-divided into vertical columns representing departments -usually starts in the upper left-hand corner -Adv: provides a clearer, more specific portrayal of the client's system; updating it is easy -Disadv: IC weaknesses are not identified as prominently as in questionnaires
Incompatible duties
-duties that allow an individual to both perpetrate and conceal errors or fraud
Assessing risk involves...
-evaluating the likelihood of occurrence and the potential impact -considering the velocity (speed) of occurrence and the duration of the risk's impact
Enterprise Risk Management
-extends beyond IC to focus on how the organization can maximize value for stakeholders by effectively managing all risks and opportunities
t or f; in an integrated audit, auditors have the option to test controls for a significant account
-false; all significant accounts should have tests of controls
2 categories of transaction-level controls
-general control activities (ex: restricting access to technology to authorized people only) -application controls
Tests of control address...
-how controls were applied, the consistency with which controls were applied, and by whom or what means the controls were applied
An AIS should include methods and records that:
-identify and record valid transactions -describe the transactions on a timely basis in enough detail to permit proper classification -measure the value of transactions so that their monetary value is recorded properly in the financial statements -determine the time period in which transactions occurred so they are recorded in the right period -present the transactions properly
Fidelity bonds
-insurance in which a bonding company agrees to reimburse an employer for losses attributable to theft or embezzlement by bonded employees
Transaction control activities - types
-major types: authorizations/approvals, verifications, physical controls, controls over standing data, reconciliations, and supervisory controls
Differences between the auditor's risk assessment and management's risk assessment
-management's risk assessment is broader, extending into operations and compliance and covering internal control more broadly
Decision aids for audit plan modification
-minimum audit sample sizes -a checklist, standard form, or computer program that assists the auditor
Who is the reconciliation process often performed by?
-operations control group
Compensation committee of a company
-oversees policies and procedures for management compensation to ensure that it is aligned with the strategic objectives and risk appetite of the organization
Types of control activities
-performance reviews, transaction processing controls, physical controls, and segregation of duties
Foreign Corrupt Practices Act
-payments to foreign officials for the purpose of securing business are specifically prohibited for all American businesses by the anti-bribery provisions of the act
Compensating Control
-reduces the risk that an existing or potential control weakness will result in a misstatement -ex: a small business may not be able to segregate duties, so the owner may carefully review the accounting records to compensate for the weakness
Opinion on internal control under PCAOB
-that the company maintained, in all material respects, effective internal control over financial reporting
AIS definition
-the methods and records established to record, process, summarize, and report an entity's transactions and to maintain accountability for assets, liabilities, and equity
When there is a low degree of interaction between the user entity's controls and those at the service organization, that may mean...
-the user entity's controls may be adequate to ensure that material errors or fraud are detected; when they are adequate, auditors need only test the client's controls
Difference between knowing a control has been implemented and obtaining evidence on its operating effectiveness
-to perform an audit, auditors are required to determine that major controls have been implemented -they are **not** required to evaluate operating effectiveness
Finance department
-under the direction of the treasurer -responsible for financial operations and custody of liquid assets -activities include: planning future cash requirements, establishing customer credit policies, and arranging to meet the short- and long-term financing needs of the business
Auditor's responsibility with IC
-understanding IC (design and implementation), assessing risks, and designing further audit procedures
Internal Control Questionnaire
-used by auditors to document their understanding of IC -usually has a separate section for each transaction cycle -may distinguish between minor and major weaknesses -Disadv: lack of flexibility
AIS: basic principles
-uses relevant information to support the functioning of the other IC components -communicates internally the information necessary to support the functioning of the other components -communicates with external parties regarding matters affecting the functioning of the components
Deficiency in IC definition
-when the design or operation of a control does not allow management, in the normal course of their assigned functions, to prevent or detect material misstatements on a timely basis
Sets of suitable criteria for integrated audits
1) COSO for the IC audit 2) the applicable financial statement framework for the financial statement audit
ERM Framework components
1) Internal environment 2) Objective setting 3) Event identification (positive, neg, or both) 4) Risk assessment 5) Risk Response 6) Control activities 7) Info and communication 8) Monitoring
Which of the auditor's 6 steps in approaching a financial statement audit are most directly related to IC?
1) Plan the audit **2) Obtain an understanding of the client and its environment** **3) Assess risks of misstatement and design further procedures** **4) Perform further audit procedures** 5) Complete the audit 6) Form an opinion and issue the audit report
5 Stages of IC audit
1) Plan the engagement 2) Use a top-down approach to identify controls 3) Test the design effectiveness of IC 4) Test the operating effectiveness of IC 5) Form an opinion on the effectiveness of IC over financial reporting
The organizational structure of an entity should separate responsibilities for:
1) authorization of transactions 2) record-keeping for transactions 3) custody of assets 4) execution of transactions, which should be segregated from the above 3 responsibilities
Five components of internal control
1) control environment 2) risk assessment process 3) control activities 4) information system relevant to financial reporting, and communication 5) monitoring activities
External auditors may use the work of internal auditors by:
1) obtaining audit evidence by using work the internal auditors performed as part of their normal responsibilities 2) using internal auditors to provide direct assistance on the external audit
Practices to improve IC in small businesses
1) record all cash receipts immediately --for over-the-counter collections, use registers easily visible to customers and record register readings daily --prepare a list of all mail remittances immediately upon opening the mail, and retain this list for comparison with bank deposits and cash receipt entries
2) deposit cash receipts daily
3) make payments by serially numbered checks
4) reconcile bank accounts monthly and keep the reconciliations on file
5) use serially numbered sales invoices, purchase orders, and receiving reports
6) issue checks to vendors only in payment of approved invoices that have been matched to purchase orders
7) balance subsidiary ledgers with control accounts; mail statements monthly
8) prepare comparative financial statements monthly
COSO's definition of internal control
A process, effected by an entity's board of directors and management, designed to provide **reasonable assurance** regarding the achievement of objectives relating to operations, reporting, and compliance
Major difference between control objectives and assertions
control objectives are broader; they relate not only to financial reporting but also to operations and compliance
General vs. specific authorization
General: criteria for accepting a certain type of transaction (ex: credit policies for new customers; the credit department can then approve transactions that meet them). Specific: transactions are authorized on an individual basis
If auditors wish to assess control risk at a level below the maximum, they should...
obtain evidence of the operating effectiveness of those controls
What are the 3 ways that controls over financial reporting are often classified?
preventive, detective, and corrective
Emphasis for tests of controls should be on...
the operating effectiveness of controls directly related to relevant assertions