ACG 4671 Internal Auditing

Presentation Transcript


  1. ACG 4671 Internal Auditing

  2. CHAPTER 5 Internal Control

  3. Internal Controls
     • Definition and Legal Requirements
     • Internal and External Auditor Responsibilities
     • IC Key Concepts and Fundamentals
     • COSO Framework

  4. Definition
     • Internal control is the most important and fundamental concept for an Internal Auditor
     • Internal control defined per COSO:
       • “Processes, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
         • Financial reporting reliability
         • Operating efficiency and effectiveness
         • Compliance with applicable laws and standards”

  5. Definition
     • SOX (2002) requires the CEO and CFO of publicly traded companies to opine on:
       • The adequate design and effective operation of internal control over financial reporting as part of the annual filing
       • Report any substantial changes in internal control over financial reporting on a quarterly basis
     • IC frameworks
       • The SEC does not specify a particular IC framework but notes three suitable frameworks:
         • COSO Internal Control Framework
         • CICA Guidance on Assessing Control (CoCo)
         • ICAEW Turnbull Report

  6. Section 404 Certification
     • Management’s assertion “includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis.”
     • Management Representations
       • Declare responsibility for establishing and maintaining internal controls over financial reporting
       • Identify and disclose the framework used to evaluate the effectiveness of internal control
       • Assess the effectiveness of internal controls as of the end of the period
       • State that an auditor issued an attestation report on management’s assessment
     • Actions
       • Document processes & internal controls (process/activity, risk, controls, responsibility)
       • Management evaluation of effectiveness (audits & self-assessments)

  7. Section 404 Assessment
     • Compliance with COSO control standards (or other accepted standards)
     • Clear documentation of internal controls as well as the testing processes
     • Evidence that management evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls
     • Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls

  8. Section 404 Assessment
     • Management’s assessment must be based on procedures sufficient both to evaluate design and to test operating effectiveness
     • Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment (both design and testing) of effectiveness

  9. Auditor Responsibility
     • A control deficiency … “exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis”.
     • A deficiency in design exists when:
       • A control necessary to meet the control objective is missing, OR
       • An existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met

  10. Auditor Responsibility
     • Control deficiency (cont.)
     • A deficiency in operation exists when:
       • A properly designed control does not operate as designed, OR
       • The person performing the control does not possess the necessary authority or qualifications to perform the control effectively

  11. Auditor Responsibility
     • A significant deficiency … “is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.”

  12. Auditor Responsibility
     • A material weakness … “a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.”

  13. Fundamentals
     • Internal Controls
       • Protect assets
       • Ensure records are accurate
       • Promote operational efficiency
       • Encourage adherence to policies, rules, regulations, and laws

  14. Fundamentals
     • Control Objectives are:
       • Desired goals or conditions for a specific event cycle or process which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur
       • Conditions which we want the system of internal control to satisfy
       • Measurable and observable
       • Important to the audit process
       • Typically categorized by a principal business process/activity or technology

  15. Fundamentals
     • Control Objective Example: The company only pays bills for goods actually ordered and received.
     • Control Activity Example: Accounts payable clerks perform a three-way match of original purchase orders, goods receipt information, and invoices received prior to payment to vendors.
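The three-way match above, written out as a preventive control in code. This is an added example, not part of the slides; the record layouts, the 2% price tolerance and the sample purchase order, receipt and invoices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
PRICE_TOLERANCE = 0.02  # assumed: 2% unit-price variance tolerated before the match fails

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    unit_price: float

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_number: str
    vendor: str
    qty_billed: int
    unit_price: float

def three_way_match(inv, purchase_orders, received, already_billed):
    """Return a list of exceptions; an empty list means PO, goods receipt and invoice agree."""
    po = purchase_orders.get(inv.po_number)
    if po is None:  # invoice for goods that were never ordered
        return [f"no purchase order {inv.po_number} on file"]
    issues = []
    if po.vendor != inv.vendor:
        issues.append(f"vendor {inv.vendor} does not match PO vendor {po.vendor}")
    billed_total = already_billed.get(inv.po_number, 0) + inv.qty_billed  # cumulative billing on this PO
    qty_received = received.get(inv.po_number, 0)
    if billed_total > qty_received:
        issues.append(f"billed {billed_total} units but only {qty_received} received")
    if abs(inv.unit_price - po.unit_price) > PRICE_TOLERANCE * po.unit_price:
        issues.append(f"unit price {inv.unit_price} outside tolerance of PO price {po.unit_price}")
    return issues

def review_invoices(invoices, purchase_orders, received):
    """Apply the match to a batch; returns {invoice_id: [exceptions]} (empty list = release for payment)."""
    already_billed, results = {}, {}
    for inv in invoices:
        results[inv.invoice_id] = three_way_match(inv, purchase_orders, received, already_billed)
        if not results[inv.invoice_id]:  # only cleared invoices consume the PO's received quantity
            already_billed[inv.po_number] = already_billed.get(inv.po_number, 0) + inv.qty_billed
    return results

# Constructed sample data (not from the slides): one PO, a partial goods receipt, three invoices.
PURCHASE_ORDERS = {"PO-100": PurchaseOrder("PO-100", "Acme Supply", 10.00)}
RECEIVED = {"PO-100": 30}  # goods receipt records: 30 units received against PO-100 so far
INVOICES = [
    Invoice("INV-1", "PO-100", "Acme Supply", 30, 10.10),  # within tolerance: release
    Invoice("INV-2", "PO-100", "Acme Supply", 20, 10.00),  # goods not yet received: hold
    Invoice("INV-3", "PO-999", "Acme Supply", 5, 10.00),   # no PO on file: hold
]
```

Each non-empty exception list is the evidence an auditor would expect to see retained for a held invoice.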

  16. Fundamentals
     • Control Classifications
       • Directive – designed to give explicit direction regarding what actions need to take place to cause or encourage a desirable event
       • Preventative – built to prevent an error or undetected event from occurring
       • Detective – designed to alert management of errors or problems shortly after they occur
       • Corrective – used with detective controls to recover from the consequences of undesired events

  17. Fundamentals
     • Control Classifications
       • Entity Level – very broadly focused; deal with the organizational environment or atmosphere
       • Process Level – more detailed in focus; should reduce risk relative to a group or variety of operational-level activities or transactions within an organization
       • Key Controls – a control activity designed to reduce risk associated with a critical business objective
       • Secondary Controls – designed either to reduce risk associated with business objectives that are not critical or to serve as a back-up to key controls

  18. Fundamentals
     • Control Classifications (cont.)
       • Compensating Controls – redundant controls designed to supplement key controls that are either ineffective or cannot fully mitigate a risk or group of risks by themselves
       • Complementary Controls – not directly related to the risk they mitigate and not sufficient to fully mitigate that risk alone, but when taken together with the other control activities in place, they do contribute to risk reduction

  19. COSO Framework
     • COSO Internal Control

  20. Control Environment
     Description:
     • Sets the tone of an organization by establishing attitude standardization
     • The foundation for all other components of internal control, providing discipline and structure
     • Factors include the integrity, ethical values and competence of the corporation’s people, management philosophy and operating style

  21. Control Environment
     Components:
     • Integrity and Ethical Values
       • “Tone at the Top”, Strong Code of Conduct
     • Board of Directors and Audit Committee
       • Set the “Tone at the Top”
     • Commitment to Competence
       • Adequate and appropriate skills and training
     • Organizational Structure
       • Reporting relationships
     • Human Resources Policies and Practices
       • Staffing, Training, Evaluation, Disciplinary Actions

  22. Risk Assessment
     Description:
     • Recall that risk is “the possibility of loss”; risk can be divided into risk (downside) or opportunity (upside), and may be internal, external or both. Organizations/divisions/business units/subsidiaries/etc. must manage risk, on an ongoing basis, to achieve organizational objectives.

  23. Risk Assessment
     • Risk Assessment Process:
       • Estimate the significance of the risk
       • Assess the likelihood or frequency of the risk occurring
       • Consider how the risk should be managed and assess what actions must be taken
     • Types of Risks
       • Organizational risks from external factors
       • Organizational risks from internal factors
       • Specific activity-level risks

  24. Control Activities
     Description:
     • The policies and procedures that help ensure that management directives are carried out
     • Help ensure that the necessary actions are taken to address risks during the achievement of company objectives
     • Also ensure that control activities occur throughout the organization, at all levels and in all functions
     • Include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties

  25. Control Activities
     • Policies and procedures to ensure actions addressing risks are carried out
     • Types of Control Activities (small subset):
       • Top-level reviews
         • MBO/performance appraisal
       • Direct functional or activity management
         • Supervision
       • Information processing
         • Secure from outsider/insider manipulation
       • Physical controls over assets and records
         • Locks and restricted accesses
       • Adequate documents and records
         • Pre-numbered forms
       • Performance indicators
         • Variance (DMQV)
       • Segregation of duties
         • Initiation, recording, and custody are separate
       • Proper authorization of transactions and activities
         • General and specific authorization
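The segregation-of-duties and authorization bullets above, turned into two checks: a preventive one over role assignments (no one person holds initiation, recording and custody together) and a detective one over a transaction log (no self-approved payments). This is an added example, not from the slides; the duty names, the role-to-duty mapping, the "authorize" duty and the sample users and payments are assumptions constructed for illustration.

```python
# Duties that must not sit with one person (slide 25: initiation, recording and custody
# are separate); the initiate/authorize pair is an added assumption for the approval step.
CONFLICTING_DUTIES = {
    frozenset({"initiate", "record"}),
    frozenset({"initiate", "custody"}),
    frozenset({"record", "custody"}),
    frozenset({"initiate", "authorize"}),
}

# Assumed mapping from application roles to the duty each role lets its holder perform.
ROLE_DUTIES = {
    "purchaser": {"initiate"},
    "ap_clerk": {"record"},
    "treasury": {"custody"},
    "ap_manager": {"authorize"},
}

def sod_violations(user_roles):
    """Preventive check: {user: [conflicting duty pairs]} for users whose roles combine to a conflict."""
    findings = {}
    for user, roles in user_roles.items():
        duties = set().union(*(ROLE_DUTIES.get(role, set()) for role in roles))
        clashes = sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= duties)
        if clashes:
            findings[user] = clashes
    return findings

def self_approved(transactions):
    """Detective check: ids of payments where the initiator also authorized the transaction."""
    return [t["id"] for t in transactions if t["initiated_by"] == t["authorized_by"]]

# Constructed sample data (not from the slides).
USER_ROLES = {
    "alice": {"purchaser"},
    "bob": {"ap_clerk", "treasury"},  # records payments and holds custody of the bank token: conflict
    "carol": {"ap_manager"},
}
TRANSACTIONS = [
    {"id": "PAY-1", "initiated_by": "alice", "authorized_by": "carol"},
    {"id": "PAY-2", "initiated_by": "carol", "authorized_by": "carol"},  # self-approved: flag for review
]
```

Running the first check when roles are granted, and the second over the period's payments, gives the evidence that the control both exists in design and operated.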

  26. Information & Communication
     Description:
     • Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities
     • Information systems produce reports containing financial-related information that make it possible to control the reliability of financial reporting

  27. Information & Communication
     • I&C spans all levels of the organization and facilitates the creation and sharing of knowledge and awareness
     • Information can be generated automatically, obtained manually, or reside conceptually
     • Information systems can be formal or informal
     • Communication methods vary, including bulletin boards, mass emails, webcasts, meetings, procedural manuals, etc.

  28. Monitoring
     Description:
     • Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
     • Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

  29. Monitoring
     • Ongoing Monitoring Activities (examples):
       • Normal management functions
       • External communication
       • Supervisory activities
       • Physical inventories
     • Periodic Internal Control Evaluations
       • Self-assessments
       • Benchmarking
     • Reporting Internal Control Deficiencies (to whom):
       • Individual responsible for the function
       • Individual in a position to correct, AND
       • One level of management above the responsible individual

  30. Fundamentals
     • Why don’t Internal Controls always work?
       • Inadequate knowledge of policies and procedures by employees
       • Lack of segregation of duties due to trust in employees
       • Inappropriate access to assets
       • Form over substance
       • Control override
       • Inherent limitations
