11. The organization selects and develops general control activities over technology
to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to
support the functioning of internal control.
14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of
internal control.
15. The organization communicates with external parties regarding matters affecting
the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present
and functioning.
17. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including
senior management and the board of directors, as appropriate.
Internal control is always relevant to the nature, size and complexity of a reporting entity.
Smaller entities will ordinarily have more informal controls that are carried out by one or
a few persons. While the basic components of internal control should be present in
small- and medium-size entities, the 17 principles will ordinarily be subjectively included
in an entity's design and operation of internal controls.
Generally, internal controls over financial reporting include those that are designed to
make sure financial data is recorded, processed, summarized and reported consistent with
management's representations (assertions) in financial statements. Management of an
entity has the primary responsibility for internal control. An auditor's responsibilities
include the evaluation of whether the five components are designed and operating
effectively, given the nature, size and complexity of the entity.
Management's Control Objectives
An entity's internal control system provides the machinery used by management to
accomplish these basic objectives:
internal control is that the cost of operation of a control activity should result in benefits
appropriate for the nature, size and complexity of the organization.
While properly prepared and monitored budgets can significantly improve a small
entity's internal controls, their use should provide benefits commensurate with the cost of
preparation and monitoring. Like the design and operation of internal control procedures,
benefits must be measured in terms of the relative costs of implementation and
maintenance.
The Importance of a Code of Conduct:
While smaller entities don't normally have a written code of conduct, larger organizations
are establishing these codes. Publicly held companies, issuers under the Sarbanes-Oxley Act, are required to establish and communicate codes of conduct. Other privately held companies, non-issuers, are also creating codes of conduct as part of their control
environment.
Whether written or communicated informally, a code of conduct defines behavior
expectations for both management and other employees. While such codes do not
prevent inappropriate behavior or fraud, they do provide employees with legal and ethical
standards that will influence their performance and commitment to the entity's system of
internal control.
An entity's code of conduct will ordinarily include these sections:
Use of company assets and resources for business and not personal use
Use of telephones, email and the internet
Avoiding actual and potential conflicts of interest
Protecting the company's confidential information
Maintaining complete and accurate accounting records
Investigating and reporting any accounting, auditing and disclosure concerns
Retaining and disposing of records and documents
Prohibiting discrimination and harassment
Prohibiting use of alcohol and illegal drugs
Complying with laws, rules and regulations
Protecting intellectual property and using copyrighted materials
Giving and receiving gifts, meals, services and entertainment
Understanding disciplinary actions for code violations
Reporting concerns and code violations
The Entity's Risk Assessment Process:
Risks at the entity level may come from external factors such as changes in technology,
customers' needs, competition, regulations or laws and the economy. At the entity level,
risks also arise from internal factors such as information systems failures, personnel
practices affecting the quality of employees, access to assets and the susceptibility of an
entity's operations to fraud.
At the activity level, risk assessment involves business operations and financial reporting.
Analyzing operational reports, financial and non-financial data and observations of
employees' activities may bring risks to management's attention.
Control Activities:
Control activities that are established in response to perceived risks relate to
management's representations (assertions) in the entity's financial statements. The
assertions from section AU-C 315 of the Auditing Standards Board Clarified Auditing
Standards can be synthesized and organized in this way:
Completeness
Occurrence and cut-off
Valuation and accuracy
Existence
Rights
Obligations
Disclosure and Presentation
An entity's financial reporting and internal control systems should result in financial
statement classifications that are appropriate and reasonable.
Key or Entity-Level Controls
Key controls are those elements of the five components of internal control that have a
pervasive effect upon the accomplishment of management's control objectives. For
smaller entities, key controls are normally performed at the entity level, although some
may exist at the activity level. Illustrated in the accompanying Small Audits Internal
Control Questionnaire (SAICQ), these controls may be informal and ordinarily carried
out by one or a few persons such as an owner/manager. The design and operation of
these key controls can prevent material misstatements due to error or fraud from
occurring and going undetected. When these circumstances exist, even a small entity can
have a good internal control system!
Components of key controls for both large and small entities are:
Activity-Level Controls
The COSO Report states that control activities are the policies and procedures established
to help ensure that management directives are carried out and that management's
objectives are accomplished. The key controls described above are primary to
accomplishing these objectives. Absent the design of key controls, or when key controls
are designed but not operating, activity-level controls may be necessary to prevent
misstatements from occurring and going undetected.
These controls may be applied through features in an accounting software system, by
personnel while performing accounting procedures or by the design of documents or data.
The SAICQ mentioned above also illustrates the activity-level controls for the financial
statement classifications of a small entity. If key controls are not designed or operating,
certain activity-level controls may prevent errors from occurring and going undetected.
Information and Communication:
Comprising the nature of internal information produced and distributed by an entity, this
component is intended to enable management and others to operate, manage and control
the entity's business. It is also intended to provide employees an understanding of
financial reporting and safeguarding controls and their operations. For larger entities,
communication may take the form of policy and procedure manuals, instructional memos
and oral communications. For smaller entities, communication will often be verbal, face
to face and directed by the owner or a manager.
Communications may also involve outside parties such as auditors, customers and
vendors. These communications may provide information that can lead to identifying
deficiencies in internal control.
Monitoring:
The monitoring component is intended to cause management to assess the design and
operating effectiveness of the entity's system of internal control on a short and long-range
basis. Monitoring can be performed on an on-going basis or be performed on separate
occasions.
Monitoring is the evaluation of the effectiveness of other internal control components and
how well management's and other employees' duties are being performed. Monitoring in
small entities normally consists of the day-to-day observations of an owner or manager.
Special Issues for Small Entities
As discussed above, the owner or manager of a small entity is that entity's control
environment. If he or she has good character, is committed to performing key controls
and is diligent in carrying out day-to-day responsibilities, it is possible for a small entity
Information for preparing flowcharts is usually based on the knowledge of the top
financial authority of an entity. Additional information may be obtained by interviewing
persons responsible for procedures, making inquiries of each person responsible for
document preparation and tracing all documents through the processing procedures. The
accompanying Flowcharting Guide can facilitate the flowchart drafting process, whether
in hardcopy or electronic format.
The overall objective of flowchart preparation is to produce a complete and
understandable flowchart. Here are some basic rules:
Leave two to three inches on the left of the page open for comments.
Begin at the upper-left corner and draw down and/or to the right.
Show the source and use of every document.
Use keys within symbols for footnotes or drop-down boxes to describe
documents.
Use a separate memo or drop-down box on the flowchart to explain any
information that is not self-explanatory.
The flowchart should be divided into columns to separate people or departments
with specific areas of responsibility.
Use directional arrows only if the information flow contradicts a normal pattern.
Avoid cross lines of data-flow.
tailored to the nature, size and complexity of an entity and the objectives
of its management will facilitate the identification of what could go
wrong.
b. Documentation of internal control policies and procedures will also vary
with the nature, size and complexity of an entity. Smaller entities
normally have informally designed and communicated internal controls.
In other words, there normally are no policies and procedures manuals,
systems flowcharts, organization charts and job descriptions. With fewer
people and levels of management, more frequent contact by an owner or
manager enables communication of the informal policies and procedures.
c. Some documentation of accounting and internal control procedures is
ordinarily necessary to demonstrate transaction processes are occurring
and being recorded properly. Determining that all shipments are billed,
that billings only occur after shipments are made and that bank accounts
are being reconciled are examples of such procedures. Key controls
performed by owners or managers of small entities should include periodic
inspections of records sufficient to determine transactions are being
recorded properly.
INTERNAL CONTROLS AND FRAUD PREVENTION
Much has been written about forensic accounting and fraud. There are three major
categories of fraud that commonly affect entities:
1. Misrepresentations in financial reporting. These include intentional
misstatements of amounts or disclosures in financial statements that are intended
to mislead users of the statements.
2. Misappropriation of assets. Theft of an entity's assets by employees or others is
the most common form of misappropriation. Financial records are usually altered
to conceal a theft of assets.
3. External frauds. Persons outside an entity are normally responsible for external
frauds, although there may be collusion with certain employees. Financial gain is
the normal motivation.
For small entities, misappropriation of assets is the most common type of fraud. The
fraud triangle contains three factors that indicate circumstances that can cause a person
to misappropriate assets and misstate records to conceal the theft:
1. Incentives or pressures to commit fraud. Reasons to commit frauds may
include financial pressures such as a spouse out of work, a divorce or separation
or the failure of a personal business.
2. Opportunities to commit fraud. Ineffective internal controls, the opportunities
and likelihood for management personnel to override internal controls, and
decentralized operations and accounting are examples of circumstances that create
opportunities to commit fraud.
PREVENTIVE CONTROLS
CASH:
1. No segregation of duties among office
employees,
records.
ACCOUNTS RECEIVABLE:
1. No segregation of duties. All office personnel
receives
receivable records.
1. Same as above.
INVENTORY:
1. No documents or records are maintained to
control
inventory items (precast concrete blocks).
occur.
2. Yard is open during the day while employees are working but often no one is present in the yard. It is locked at night.
2. Sales could be missed because of insufficient quantities on hand.
Employees attend a training meeting
FIXED ASSETS:
1. No detailed sub-ledger maintained.
2. No numerical control of fixed assets is in
place.
use.
fictitious vendors
raw materials.
reconciliations.
4. No accounts payable sub-ledger is maintained.
REVENUES:
See cash section.
Unrecorded sales.
EXPENSES:
See cash section and accounts payable section.
Payroll--manager hires and fires. No double-checks
on payroll computations.
OTHER:
CONCLUSION
Important issues to remember that influence the design of internal control systems for
smaller entities include:
Internal control and fraud prevention are the responsibilities of management.
Internal control systems are always relevant to the nature, size and complexity of
an entity.
Key controls designed and operated by owners or managers of small entities are
the primary methods of preventing and detecting errors and fraud.
Internal control procedures should provide reasonable assurance that errors or
fraud will not occur and go undetected.
The benefits of internal control procedures should outweigh their costs.
The design process includes understanding accounting systems and existing
internal controls, identifying what could go wrong and designing cost-beneficial
control activities and anti-fraud programs that are likely to prevent and detect
errors and fraud.
INSTRUCTIONS
The Questionnaire should be utilized while making inquiries of client personnel
regarding internal control. Internal control documentation time can be minimized by
completing a systems walk-through procedure and preparing flowchart or memorandum
documentation as this Questionnaire is completed.
The Questionnaire contains space for yes, no or N/A responses to key controls and
activity-level controls generally applicable to a small business or organization. Yes
responses indicate that the control procedure has been at least informally designed and
is operating effectively. No responses indicate the control procedure has not been
designed or, if designed, is not operating effectively. N/A responses indicate the
control procedure is not applicable to a client's internal control system. The Personnel
column should be used to identify persons performing the control activities.
Key controls, a part of entity-level controls, should drive the control risk assessment
process. Key controls can mitigate most deficiencies in activity-level controls,
particularly for smaller entities. For a small business or organization, key controls are
normally performed by the owner/manager (O/M), a member of the entity's board of
directors, a volunteer or paid consultant.
If key controls have not been designed, or are not operating effectively, the auditor should
consider the activity-level controls to provide the assessment of control risk for relevant
assertions.
RELEVANT ASSERTIONS
When completing this Questionnaire, the auditor should primarily consider these relevant
assertions:
Financial Statement Classification
Cash
Existence/Occurrence; Completeness;
Cutoff
Accounts Receivable
Inventories
Existence/Occurrence; Valuation;
Completeness; Accuracy; Cutoff
Fixed Assets
Accounts Payable
Completeness; Cutoff
Revenues
Existence/Occurrence; Valuation;
Completeness; Cutoff
Payroll
Existence/Occurrence; Completeness;
Accuracy
Expenses
Existence/Occurrence; Completeness;
Cutoff: Classification
YES
NO
N/A
PERSONNEL
ACCOUNTS RECEIVABLE:
INVENTORIES:
FIXED ASSETS:
ACCOUNTS PAYABLE:
SALES/REVENUE:
PAYROLL:
EXPENSES:
OTHER:
INSTRUCTIONS
Client Inquiries
The SAICQ and the flowcharts resulting from this Guide should be used while making
inquiries of appropriate client personnel. While a flowchart is being prepared, or after it
is prepared if it is more convenient, a systems walk-through procedure should be
performed to determine that information on the flowcharts is accurate. Documents
examined and procedures performed during the walk-through may be recorded on the
flowcharts or described in an accompanying memorandum. Control deficiencies should
be documented in the last section of the SAICQ.
Flowchart and/or Memoranda
Memoranda may be prepared for documenting the accounting and internal control
procedures in lieu of flowcharts at the option of the audit engagement leader. The author
recommends using flowcharts since they are usually more effective for identifying
control deficiencies and they often take less time to carry forward, to discuss with client
personnel and to update. Memoranda may be used to supplement the flowcharts to
enhance explanations of accounting system procedures, internal control activities or other
information as the auditor considers necessary.
Key Controls: The Heart of Error and Fraud Prevention
Key controls, a part of entity-level controls, should drive the control risk assessment
process and should be clearly indicated on the flowcharts. Key controls can mitigate
most deficiencies in activity-level controls, particularly for smaller entities. For a small
business or organization, key controls are normally performed by the owner/manager
(O/M), a member of the entity's board of directors, a volunteer or a paid consultant. Key
controls are presented first in each section of the SAICQ.
Financial Statement Assertions
When control risk is evaluated at the financial statement classification level, the auditor
should primarily consider relevant assertions described in the SAICQ. Flowcharts
should, therefore, focus primarily on controls that affect the relevant assertions in each
financial statement classification. All controls that are operating, however, should be
evidenced on the flowchart to provide an accurate evaluation of control risk.
Flowchart Preparation
Flowcharts may be prepared using manual templates or flowcharting software. The
hardcopies or the electronic copies may be carried forward with changes reflected in
different color pencils or software fonts. All accounting systems software applications,
procedures, documents and data, and all internal controls, should be reflected on the
flowcharts.
Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
ACCOUNTS RECEIVABLE
The flowchart should contain documentation of:
All types of sales on account including customer written orders received by mail,
phone or email, sales orders from sales representatives, C.O.D., consignment, etc.
Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
FIXED ASSETS
The flowchart should contain documentation of:
Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
Can fixed assets acquisitions or disposals be made and not approved or recorded?
Are capitalization limits in place?
Does accounting personnel understand when to capitalize additions or repairs to
fixed assets (when the life or capacity is increased)?
ACCOUNTS PAYABLE
The flowchart should contain documentation of:
Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
SALES:
The flowchart should contain documentation of:
Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
PAYROLL
The flowchart should contain documentation of:
Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
All modules of the general ledger software, data entry personnel, source
documents and all related accounting system and internal control procedures.
Controls over general journal entries, bank reconciliations and financial statement
preparation.
Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
Can journal entries or unusual transactions be posted to the general ledger without
approval of a supervisor?
Are there effective administrative controls such as regular vacations, cross-training, bonding insurance, timely financial statement preparation and budget
utilization?
Is internal control affected by busy or slack periods, illnesses, vacations, etc.?