CHAPTER 9 UNDERSTANDING INTERNAL CONTROLS Winter 2004
• Introduction to Internal Control
• What is it
• What are the auditors’ responsibilities
• Components of Internal Control (COSO)
• Obtaining an Understanding of Internal Control
• Documenting the Understanding
What is Internal Control?
COSO Definition: The processes implemented by the BOD and management to help ensure:
• Effectiveness and efficiency of operations.*
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
* This is not included in the SOX definition of IC.
Why is internal control SO important?
KPMG Fraud Survey: Large and Midsize Companies 2003 report
• Interviewed executives from 459 public companies with revenues > $250 million
• Types of fraud
• How fraud was caught
Why is internal control SO important?
• The businesses we audit rely on numerous reports and analyses to control operations. These controls are often IT related.
• A good system reduces the possibility that errors or irregularities will occur.
• The audit is more efficient and effective if the auditor can rely on the client’s system of internal control.
• Professional standards and laws require that the auditors consider it.
GAAS on Internal Control
• Identify types of potential misstatements
• Consider factors that affect the risk of material misstatement
• Design substantive tests to provide reasonable assurance of detecting misstatements related to specific assertions
• Could decide to not rely on controls and assess CR at maximum, but you must understand why control risk is assessed at the maximum
• There may be times when substantive tests alone do not reduce control risk to a sufficiently low level.
Internal Control & SOX for Public Companies
• Requires auditors to attest to Certification of Disclosure and Management’s Internal Controls and Procedures (Rule 404)
• Internal control framework to follow is COSO
• Provides assistance on:
  • Internal control over financial reporting.
• One material weakness = adverse report on internal controls
Roles and Responsibilities (COSO)
• Management: establish effective IC
• BOD and audit committee: governance and oversight responsibilities of mgmt
• Internal auditors: periodically examine and evaluate the adequacy of an entity’s IC and make recommendations
• Other entity personnel: “blow whistle”
• Independent auditors: any significant IC deficiencies discovered are communicated to mgmt and BOD with recommendations for improvement. For public companies, must attest to management’s assertion about IC
• Legislators and regulators: establish minimum statutory and regulatory requirements
Limitations of Internal Control
No matter how well designed and operated, an I/C can provide only reasonable assurance regarding achievement of an entity’s control objectives because of:
1. Mistakes in judgment.
2. Breakdowns.
3. Collusion.
4. Management override.
5. Cost versus benefits.
Components of Internal Control
The COSO report identifies 5 interrelated components of internal control, which are:
1. Control environment
2. Risk assessment
3. Information and communication
4. Control activities
5. Monitoring
Control Environment
Sets the tone of an organization, influencing the control consciousness of its people.
• Management philosophy & operating style
• Organizational structure
• Integrity and ethical values
• Board of directors and audit committee
• Assignment of authority & responsibility
• Human resource policies and practices
• Commitment to competence
• External influences
• Information technology
Risk Assessment
An entity’s identification and analysis of risks that could affect whether the financial statements are fairly presented in conformity with GAAP.
[Diagram: Business Risk, Inherent Risk, Fraud Risk, Internal Controls]
Information and Communication
Ensures pertinent information is identified, captured and communicated throughout the organization in a timely manner. Requires the system to:
• Identify and record only valid transactions occurring in the current period (existence or occurrence).
• Identify and record all valid transactions occurring in the current period (completeness).
• Ensure recorded assets and liabilities are the result of transactions that produced entity rights to, or obligations for, those items (rights & obligations).
• Appropriately measure the value of transactions for recording at their proper monetary value in the f/s (valuation or allocation assertion).
• Capture sufficient detail of all transactions to permit their proper presentation in the f/s, incl. proper classification and required disclosure (presentation and disclosure assertion).
Information and Communication
[Diagram: Authorize, Execute, Record; Risk of Misstatement; Consideration]
Control Activities
• Authorization
• Segregation of Duties
• Information Processing Controls
  • General Controls
  • Application Controls
  • Controls over the Financial Reporting Process
• Physical Controls
• Performance Reviews
• Controls over Management’s Discretion in Financial Reporting
Control Activity - Authorization
• Every transaction needs appropriate general or specific authorization of commitment of resources as transactions are initiated.
Information Processing Controls
Computer General Controls
• Organization & operation controls (prior slide)
• Systems development & documentation controls
  • Users, accounting & IA should be involved in design
  • Testing is a joint effort between users & IT
  • Proper approval before placing into use
  • Changes properly approved and tested
• Hardware and system software controls
• Access controls: prevent unauthorized use of:
  • IT equipment
  • Data files
  • Programs
Information Processing Controls
Computer General Controls, continued
• Data and procedural controls
  • Receiving and screening all data to be processed
  • Accounting for all input data
  • Following up on processing errors
  • Verifying the proper distribution of output
  • Adequate back-up and safeguarding procedures
Information Processing Controls
Application Controls
• Input (computer editing) controls
  • Missing data check
  • Check digit
  • Valid character check
  • Valid sign check
  • Limit or reasonableness test
  • Valid code check
• Processing controls
  • Control totals
  • Before & after report
  • File identification labels
  • Sequence tests
  • Limit & reasonableness tests
  • Processing tracing data
• Output controls
  • Reconciliation of totals
  • Comparison to source documents
  • Visual scanning
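The input edit checks and processing controls named on this slide, run over a small constructed batch so the failures are visible. This is an added example, not material from the lecture; the record layout, the valid-code table, the 50,000 amount limit and the batch header values are assumptions made for illustration.

```python
"""Application controls over a transaction batch: input edit checks per record,
then sequence test and control totals for the batch as a whole (added example)."""
from dataclasses import dataclass

@dataclass
class Record:
    seq: int        # batch sequence number
    account: str    # account number whose last digit is a mod-10 (Luhn) check digit
    amount: float   # transaction amount; the assumed batch sign convention is non-negative
    code: str       # transaction code, looked up against the valid-code table

VALID_CODES = {"SAL", "REC", "DSB"}  # assumed code table
LIMIT = 50_000.0                     # assumed reasonableness ceiling per transaction

def check_digit_ok(account: str) -> bool:
    """Mod-10 check digit: from the right, double every second digit (minus 9 if > 9)."""
    if not account.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec: Record) -> list:
    """Input (computer editing) controls; returns the names of the checks that failed."""
    errs = []
    if not rec.account or not rec.code:
        errs.append("missing data")
    if not check_digit_ok(rec.account):
        errs.append("check digit")
    if rec.code not in VALID_CODES:
        errs.append("valid code")
    if rec.amount < 0:
        errs.append("valid sign")
    if abs(rec.amount) > LIMIT:
        errs.append("limit")
    return errs

def process_batch(records, header_count, header_total):
    """Processing controls: sequence test plus record-count and amount control totals,
    compared against the batch header before any record is posted."""
    sequence_ok = [r.seq for r in records] == list(range(1, len(records) + 1))
    totals_ok = (len(records) == header_count
                 and abs(sum(r.amount for r in records) - header_total) < 0.005)
    rejected = {r.seq: e for r in records if (e := edit_checks(r))}
    return {"sequence_ok": sequence_ok, "totals_ok": totals_ok, "rejected": rejected}

# Constructed batch; its header claims 4 records totalling 76450.00
BATCH = [Record(1, "79927398713", 1200.00, "SAL"),
         Record(2, "79927398710", 300.00, "REC"),    # bad check digit
         Record(3, "79927398713", -50.00, "DSB"),    # wrong sign
         Record(5, "79927398713", 75000.00, "XXX")]  # unknown code, over limit, sequence gap
```

Note that the control totals agree with the header even though three of the four records fail edit checks: totals only prove the batch arrived intact, which is why the slide lists them alongside, not instead of, the per-record edits.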
Information Processing Controls
[Diagram: data flow among the SQL accounting database, spreadsheets and the financial statements; the database is labelled “Strong Controls”, the spreadsheets and financial statements “Weak or No Controls”]
Physical Controls
• Important issue of physical security
• Limit direct physical access to assets
  • Lock boxes, fireproof safes, locked storerooms
• Limit indirect physical access through the preparation or processing of documents that allow access to assets
Performance Reviews
• Management review and analysis of:
  • Reports that summarize the detail of account balances
    • aged trial balance
    • report of cash disbursements by department
    • reports of sales and gross margins by customer or region
  • Actual performance vs. budget or forecast
  • Balanced scorecard type measures with ability to drill down to department level
    • Financial, customer, business process, innovation
Monitoring
Assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions, including reporting all deficiencies to higher authorities within the organization. This should occur through:
• Ongoing activities and
• Separate periodic evaluations.
Responsibilities:
• Management & Acct Officers
• Board of Directors
Purpose of Understanding Internal Control
The understanding of internal control should be used to:
• Identify types of potential misstatements
• Consider factors that affect the risk of material misstatement
• Determine where controls should be tested. For public companies, necessary to attest to management’s assertions about the effectiveness of their internal controls.
• Design substantive tests to provide reasonable assurance of detecting misstatements related to specific assertions, taking into account what relevant tests of controls are being performed, if any.
Understanding and Testing Internal Control
1. Understand the design of policies and procedures related to each component of internal control.
2. Determine whether the policies and procedures are operating as you expected, where you are attesting to or relying on controls.
• Reviewing previous experience with the client
• Inquiring of appropriate management, supervisory, and staff personnel
• Inspecting documents and records
• Observing entity activities and operations
This often will take the form of a “walk through” of the system.
How Much Depth of Understanding Do You Need???
• Minimum Understanding
  • Control environment
  • Risk assessment
  • Information and communication
  • Control activities (may need very little knowledge when a primarily substantive approach is followed).
  • Monitoring
Depth: Control Environment
• Obtain sufficient knowledge to understand the attitude and actions of management and the BOD concerning the control environment.
• Consider both the substance of the control environment and its collective effect on other aspects of internal control.
Depth: Risk Assessment
• Determine how management:
  • identifies risks relevant to fair presentation in the financial statements,
  • the care with which it assesses the significance of those risks, and
  • how it decides on control activities to address those risks.
[Diagram: Business Risk, Inherent Risk, Fraud Risk, Internal Controls]
Depth: Control Activities
Level of understanding is directly related to the preliminary audit strategy.
• If the auditor is planning a primarily substantive approach, the auditor may not need additional knowledge of control activities in order to assess control risk.
• If the auditor plans to use a lower assessed level of control risk approach or is attesting to management’s IC, the auditor will need to obtain a significant understanding of control activities.
Depth: Information and Communication Systems
Need to understand the transaction trail. This includes understanding:
• Transaction classes significant to the f/s.
• How transactions are initiated
• The accounting records, supporting documents, and specific accounts in the f/s involved in the processing and reporting of transactions.
• The accounting processing involved from initiating a transaction to its inclusion in the f/s, including electronic means used to transmit, process, maintain, and access information.
  • Cash receipts or disbursements
• The financial reporting process used to prepare financial statements, estimates and disclosures
Depth: Monitoring
• It is important to understand the types of activities used by the entity, top management, accounting management, and internal auditors to monitor the effectiveness of internal control.
• Knowledge should also be obtained about how corrective actions are initiated.
Documenting the Understanding
Documenting the understanding of internal control is required in all audits.
• The form and extent of documentation is influenced by the size and complexity of the entity, and the nature of the entity’s IC.
• There are 4 forms of documentation commonly used by auditors:
  • Questionnaires
  • Decision tables
  • Flowcharts
  • Narrative memos
• Will also need to document the results of any testing of the system.