
Concept – Internal Control

The purpose of this article is to provide an overview of internal control, with particular
emphasis on topics relevant to Part C of the F1/FAB syllabus. The article will focus on
the following learning objectives, as set out in section C6 of the study guide:

a) Explain internal control and internal check
b) Explain the importance of internal financial controls in an organisation
c) Describe the responsibilities of management for internal financial control.

The article will also describe the roles of internal audit and internal audit testing,
relevant to section C2(e) and (f) of the study guide.

Definition and purposes of internal control

The Turnbull Report, first published in 1999, defined internal control and its scope as
follows:

‘The policies, processes, tasks, behaviours and other aspects of an organisation that
taken together:

• Facilitate effective operation by enabling it to respond in an appropriate manner to
significant business, operational, financial, compliance and other risks to achieve its
objectives. This includes safeguarding of assets and ensuring that liabilities are
identified and managed.

• Ensure the quality of internal and external reporting, which in turn requires the
maintenance of proper records and processes that generate a flow of timely, relevant
and reliable information from both internal and external sources.

• Ensure compliance with applicable laws and regulations and also with internal policies.’

Turnbull’s explanation focuses on the positive role that internal control has to play in an
organisation. Facilitating efficient operations implies improvement, and, properly
applied, internal control processes add value to an organisation by considering
outcomes against original plans and then proposing ways in which they might be
addressed.

At the same time, Turnbull also conceded that there is no such thing as a perfect
internal control system, as all organisations operate in a dynamic environment: just as
some risks recede into insignificance, new risks will emerge, some of which will be
difficult or impossible to anticipate. The purpose of any control system should therefore
be to provide reasonable assurance that the organisation can meet its objectives.

Objectives of internal control

Internal control should have the following objectives:

Efficient conduct of business:
Controls should be in place to ensure that processes flow smoothly and operations are
free from disruptions. This mitigates the risk of inefficiencies and threats to the
creation of value in the organisation.

Safeguarding assets:
Controls should be in place to ensure that assets are deployed for their proper
purposes, and are not vulnerable to misuse or theft. A comprehensive approach to this
objective should consider all assets, including both tangible and intangible assets.

Preventing and detecting fraud and other unlawful acts:
Even small businesses with simple organisation structures may fall victim to these
violations, but as organisations increase in size and complexity, the nature of fraudulent
practices becomes more diverse, and controls must be capable of addressing these.

Completeness and accuracy of financial records:
An organisation cannot produce accurate financial statements if its financial records are
unreliable. Systems should be capable of recording transactions so that the nature of
business transacted is properly reflected in the financial accounts.

Timely preparation of financial statements:
Organisations should be able to fulfil their legal obligations to submit their accounts
accurately and on time. They also have a duty to their shareholders to produce
meaningful statements. Internal controls may also be applied to management
accounting processes, which are necessary for effective strategic planning, decision
taking and monitoring of organisational performance.

Responsibilities for internal control

In many smaller, unincorporated businesses such as sole traders and unlimited
partnerships, the responsibility for internal controls often lies with the owners
themselves. In most cases, the owners are fully engaged in the business itself, and if
employees are engaged, it is usually within the capability of the owners to remain fully
aware of transactions and the overall state of the business.

As organisations grow, the need for internal controls increases, as the degree of
specialisation increases and it becomes impossible to remain fully aware of what is
going on in every part of the business.

In a limited company, the board of directors is responsible for ensuring that
appropriate internal controls are in place. Their accountability is to the shareholders, as
the directors act as their agents. In turn, the directors may consider it prudent to
establish a dedicated internal control function. The point at which this decision is taken
will depend on the extent to which the benefits of such a function will outweigh the costs.

The directors must pay due attention to the control environment. If internal controls
are to be effective, it is necessary to create an appropriate culture and embed a
commitment to robust controls throughout the organisation.

Generic control categories

Controls can be categorised in many different ways. Figure 1 describes five categories
that are often used.

Figure 1: Categories of controls

Internal controls can be:

Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of circumstances.
These are widely used to prevent breaches of laws or policy, as well as to minimise
risks relating to health and safety. Voluntary controls are applied according to the
judgement of the organisation and its managers.

Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or judgement of
risks in given circumstances. Non-discretionary controls must be applied.

Manual or automated:
Manual controls are applied by the individual employee whereas automated controls are
programmed into the systems of the organisation. Some systems combine the two: for
example, when deciding whether a customer should be permitted a number of days’ credit
for payment, there could be an automated ‘accept’ above a specified credit rating, an
automated ‘decline’ below a specified credit rating, and an intermediate range in which
a manager may be able to override the automated system.

General controls or application controls:
This classification of controls applies specifically to information systems. General
controls help to ensure the reliability of data generated by systems, helping to ascertain
whether systems operate as intended and output is reliable. Application controls are
automated and designed to ensure the complete and accurate recording of data from
input to output.

Common control procedures

Physical controls:
These controls include restrictions on access to buildings, specified office or factory
areas or equipment, such as turnstiles at the entrance to the premises, swipe cards and
passwords. They also include physical restraints, such as fixing non-current assets to
prevent removal.

Authorisation and approval limits:
Many employees must adhere to authorisation limits, and these will usually be specified
in the terms of employment. For example, a junior manager may be permitted to book
business flights up to the value of $500, but for tickets costing more than this, the
purchase may have to be approved by someone more senior.

Segregation of duties:
To minimise the risk of errors and fraud, duties associated with cash handling are often
segregated. For example, in the post room of a company that receives cash by post, the
employee recording the cash will be a different person to the one who opens the post.
Segregation is also relevant to other functions. At executive level, it is now best practice
to segregate the roles of chairman and chief executive officer, and as an independent
assurance function, internal audit should be totally segregated from the finance
department, with a reporting line direct to the board of directors or the audit committee.
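The authorisation limits, segregation of duties and the combined automated/manual credit decision described above can all be implemented as application controls that run over the transaction record. The following is an added example, not code from the article or from ACCA: it checks a constructed purchase ledger for breaches of an approver's limit and for one person holding more than one role in the same transaction, and it implements the three-band credit decision with an intermediate range referred to a manager. The $500 junior-manager limit is the article's figure; every other limit, name, rating threshold and transaction is an assumption made for illustration.

```python
from dataclasses import dataclass

# Approval limits per grade. The $500 junior-manager figure is the article's
# example; the other grades and limits are constructed assumptions.
APPROVAL_LIMITS = {
    "junior_manager": 500.0,
    "senior_manager": 5_000.0,
    "director": float("inf"),
}


@dataclass(frozen=True)
class Transaction:
    ref: str             # constructed purchase reference, e.g. "PO-001"
    amount: float        # value in USD
    requested_by: str    # employee who raised the request
    approved_by: str     # employee who authorised it
    approver_grade: str  # key into APPROVAL_LIMITS
    recorded_by: str     # employee who posted it to the ledger


def within_authorisation_limit(tx: Transaction) -> bool:
    """Authorisation limit control: the approver's grade must cover the amount.
    An unknown grade carries no authority at all."""
    return tx.amount <= APPROVAL_LIMITS.get(tx.approver_grade, 0.0)


def duties_segregated(tx: Transaction) -> bool:
    """Segregation of duties: requesting, approving and recording the same
    transaction must each be done by a different person."""
    return len({tx.requested_by, tx.approved_by, tx.recorded_by}) == 3


def credit_decision(rating: int, accept_from: int = 700, decline_below: int = 550) -> str:
    """Combined automated/manual control: automatic 'accept' at or above one
    rating, automatic 'decline' below another, and an intermediate band
    returned as 'refer' so a manager can decide whether to override.
    The thresholds are constructed defaults."""
    if rating >= accept_from:
        return "accept"
    if rating < decline_below:
        return "decline"
    return "refer"


def review_ledger(transactions):
    """Run both application controls over every transaction and return
    (reference, finding) pairs for follow-up by management or internal audit."""
    findings = []
    for tx in transactions:
        if not within_authorisation_limit(tx):
            findings.append((tx.ref, "amount exceeds approver's authorisation limit"))
        if not duties_segregated(tx):
            findings.append((tx.ref, "segregation of duties breached"))
    return findings


# Constructed sample ledger: one clean entry and three control breaches.
SAMPLE_LEDGER = [
    Transaction("PO-001", 420.0, "alice", "bob", "junior_manager", "carol"),
    Transaction("PO-002", 1_250.0, "alice", "bob", "junior_manager", "carol"),  # over $500 limit
    Transaction("PO-003", 300.0, "dave", "dave", "junior_manager", "erin"),     # requester approved own request
    Transaction("PO-004", 9_900.0, "alice", "frank", "director", "frank"),      # approver also recorded
]

if __name__ == "__main__":
    for ref, finding in review_ledger(SAMPLE_LEDGER):
        print(f"{ref}: {finding}")
    for rating in (720, 600, 500):
        print(f"rating {rating}: {credit_decision(rating)}")
```

The review function deliberately reports every breach rather than stopping at the first, so the output reads as an exception list that a manager or internal auditor can work through; the `refer` outcome in the credit decision is where the manual override the article describes would be recorded.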

Management controls:
These controls are operated by managers themselves. An example is variance analysis,
through which a manager may be required as part of their job to consider differences
between planned outcomes and actual performance. Performance management of
subordinates is also an integral part of many managerial positions. Further down the
chain of command, supervision controls are exercised in respect of day-to-day
transactions. Organisation controls operate according to the configuration of the
organisation chart and line/staff responsibilities.

Arithmetic and accounting controls:
These controls are in place to ensure accurate recording and processing of
transactions. Procedures here include reconciliations and trial balances.

Human resources controls:
Controls are implemented for all aspects of human resources management. Examples
include qualifications verification, references and criminal record checks on recruits,
competence attestations for staff in roles that require them, and checks on the
effectiveness of training.

Internal check

Internal check is a system through which the accounting procedures of an organisation
are so laid out that the accounts procedures are not under the absolute and
independent control of any person. The work of one employee is complementary to that
of another, enabling a continuous audit of the business to be made.

The essential elements of an internal check are:

• checks are implemented on day-to-day transactions
• checks operate continuously as a part of the system
• the work of each person is complementary to the work of another.

By allocating duties in this way, no one person has exclusive control over any
transaction.

Internal audit
Definition and purposes of internal audit:
Internal audit may be defined as an independent appraisal function established within
an organisation to examine and evaluate its activities as a service to the organisation.

Internal audit supports management in the effective discharge of their responsibilities.
To this end, internal audit furnishes management with analyses, appraisals,
recommendations, counsel and information concerning the activities reviewed.

Objectives of internal audit

The formal objectives of internal audit may include some or all of the following:

• review of accounting and internal control systems
• examination of financial and operating information
• review of the ‘three E’s’ (economy, efficiency and effectiveness)
• review of compliance with laws and regulations
• review of arrangements for the safeguarding of assets
• review of implementation of corporate goals and objectives
• identification of significant risks to the organisation, and monitoring risk management
policy and risk management strategies
• special investigations as required.

Why is internal audit necessary?

The importance of internal audit was highlighted by the Turnbull Report. It states that
listed public companies that do not have an internal audit function should review the
need to have such a function at least annually. Turnbull goes on to state that listed
public companies that do have an internal audit function should review the scope,
authority and resources of this function at least annually.

Turnbull suggests that the need for the internal audit function will depend on several
factors. These include:

• the scale, diversity and complexity of the organisation’s activities
• the number of employees – the need for an internal audit function increases as the
number of employees increases, or if employee interrelationships become more
complex
• where the benefits of such a function will outweigh the costs of implementation and
operation
• when changes occur over time in the organisation’s structures, reporting processes or
underlying information systems
• the nature of risks, changes to risks and emerging risks
• problems and issues arising with internal control systems, both actual and perceived
• the occurrence of an increasing number of unexplained or unacceptable events.

Internal audit and internal control

Internal audit is an internal but independent assurance function. While internal
auditors are usually employees of the organisation, they should operate independently
of management so that their analyses, judgements and reports are free from bias or
undue influence. The head of internal audit should report to the board of directors, or to
the audit committee. Some organisations reinforce independence by outsourcing the
internal audit function to professional external firms.

Internal audit testing is the internal assessment of internal controls and as such is a
management control to ensure compliance and conformity of internal controls to pre-
determined standards.

Key risks:
Internal audit reviews and reports on internal controls in relation to key risks affecting
the organisation. The objective here should be to test the extent to which the controls
will control the risk if it crystallises. The conclusions of these reports should enable
management to reconsider the controls and modify or redesign them if appropriate.

Financial and operating information:
Internal audit may examine this information in order to ensure it is accurate, fit for
purpose and timely. Tests may be applied to determine whether information is correctly
measured and therefore suitable as a basis for informing management and external
stakeholders.

Compliance:
Increasingly, organisations have to implement performance standards in relation to
compliance. This may be to satisfy the demands of external regulators, or to operate to
pre-determined internal standards. Internal audit should review operations for
compliance with such standards. In this respect, the work of internal auditors is
broadening, as organisations increasingly pursue compliance not only with industry
standards for products and service provision, but also with criteria relevant to
environmental standards.

Types of audit

In the course of their duties, internal auditors may carry out various types of audit.
These include the following:

Operational audits may be concerned with the efficiency of the organisation’s
activities. They consider performance relative to pre-determined criteria.

Systems audits are used to test and evaluate controls as described in the last section.
They test whether the controls can be relied upon to ensure that resources are allocated
and managed effectively. They also test whether the information provided by the
organisation’s systems is accurate. Compliance tests verify whether internal controls
are being applied in a proper manner. Substantive tests verify the accuracy of figures,
and can be used to identify errors and omissions.

A transactions or probity audit is concerned with detecting fraud and other types of
criminal or unlawful behaviour. However, it can also be extended to matters relating to
fairness of dealings, impartiality, accountability and transparency, sometimes
considered to be within the scope of social audit. Generally, social audit may be
concerned with any matters relating to governance.

Internal Control [Questions and Answers]

A client’s internal control is a process designed to provide reasonable, but not absolute, assurance
that the following entity objectives will be achieved: reliable financial reporting, effective and
efficient operations, compliance with laws and regulations. A client’s internal control consists of five
interrelated components: control environment, risk assessment, control activities, information and
communication systems support, monitoring. This post provides a brief overview about internal
control, its interrelated core components, its relationship to the auditors and IT people in “questions
and answers” form. Enjoy!

Question: What Is the Control Environment?

Answer: The control environment, which is the foundation for the other components of internal
control, provides discipline and structure by setting the tone of an organization and influencing
control consciousness. Factors to consider in assessing the client’s control environment include:

• Integrity and ethical values, including (1) management’s actions to eliminate or mitigate
incentives and temptations on the part of personnel to commit dishonest, illegal, or unethical
acts, (2) policy statements, and (3) codes of conduct

• Commitment to competence, including management’s consideration of competence levels for
specific tasks and how those levels translate into necessary skills and knowledge

• Board of directors or audit committee participation, including interaction with internal and
external (independent) auditors

• Management’s philosophy and operating style, such as management’s attitude and actions
regarding financial reporting, as well as management’s approach to taking and monitoring risks

• The entity’s organizational structure

• Assignment of authority and responsibility, including fulfilling job responsibilities

• Human resource policies and practices, including those relating to hiring, orientation, training,
evaluating, counseling, promoting, and compensating employees

Question: What Is Meant By Risk Assessment?

Answer: An entity’s risk assessment for financial reporting purposes is its identification, analysis, and
management of risks pertaining to financial statement preparation. Accordingly, risk assessment may
consider the possibility of executed transactions that remain unrecorded.

The following internal and external events and circumstances may be relevant to the risk of preparing
financial statements that are not in conformity with generally accepted accounting principles [or
another comprehensive basis of accounting]:

• Changes in operating environment, including competitive pressures

• New personnel that have a different perspective on internal control

• Rapid growth that can result in a breakdown in controls

• New technology in information systems and production processes

• New lines, products, or activities

• Corporate restructuring that might result in changes in supervision and segregation of job
functions

• Foreign operations

• Accounting pronouncements requiring adoption of new accounting principles

Question: What Control Activities Are Applicable to a Financial Statement Audit?

Answer: Control activities are the policies and procedures management has implemented in order to
ensure that directives are carried out. Control activities that may be relevant to a financial statement
audit may be classified into the following categories:

• Performance reviews, including comparisons of actual performance with budgets, forecasts, and
prior period results.

• Information processing. Controls relating to information processing are generally designed to
verify accuracy, completeness, and authorization of transactions. Specifically, controls may be
classified as general controls or application controls. General controls might include controls
over data center operations, systems software acquisition and maintenance, and access
security; application controls apply to the processing of individual applications and are designed
to ensure that transactions that are recorded are valid, authorized, and complete.

• Physical controls, which involve adequate safeguards over the access to assets and records,
include authorization for access to computer programs and files and periodic counting and
comparison with amounts shown on control records.

• Segregation of duties, which is designed to reduce opportunities that allow any person to be in a
position to both perpetrate and conceal errors or fraud in the normal course of his or her duties,
involves assigning different people the responsibilities of authorizing transactions, recording
transactions, and maintaining custody of assets.

Question: What knowledge about the “information and communication systems support” component
should an auditor obtain?

Answer: The auditor should obtain sufficient knowledge about the information system relevant to
financial reporting. The information system generally consists of the methods and records established
to record, process, summarize, and report entity transactions and to maintain accountability of related
assets, liabilities, and equity. Communication involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting.

Question: What is Meant by Monitoring?

Answer: Monitoring is management’s process of assessing the quality of internal control performance
over time. Accordingly, management must assess the design and operation of controls on a timely
basis and take necessary corrective actions.

Monitoring may involve: (1) separate evaluations, (2) the use of internal auditors, and (3) the use of
communications from outside parties (e.g., complaints from customers and regulator comments).

Question: Is There a Relationship Between Internal Control Objectives and Components?

Answer: There is a direct relationship between objectives and components. This results from the fact
that objectives are what an entity strives to achieve, while components are what an entity needs to
achieve the objectives. It is also important to remember that internal control is relevant not only to the
entire entity, but also to an entity’s operating units and business functions.

Question: What Objectives and Controls are Relevant to a Financial Statement Audit?

Answer: In general, the auditor should consider the controls that pertain to the entity’s objective of
preparing financial statements for external use that are presented fairly in conformity with generally
accepted accounting principles (GAAP) or some other comprehensive basis of accounting other than
GAAP (OCBOA).

The controls relating to operations and compliance objectives may be relevant to a financial
statement audit if they pertain to data the auditor evaluates or uses. For example, the auditor may
consider the controls relevant to nonfinancial data (such as production statistics) used in analytical
procedures.

Caution: Not all of the objectives and related controls are relevant to a financial statement audit.
Furthermore, an understanding of internal control relevant to each operating unit and business function
may not be essential.

Question: What is the auditor’s primary consideration with respect to the components of internal
control?

Answer: The auditor’s primary consideration is whether a specific control affects the financial
statement assertions rather than its classification into any particular component. Although the five
components are applicable to every audit, they should be considered in the context of the following:

• Entity size

• Organization and ownership characteristics

• Nature of the entity’s business

• Diversity and complexity of operations

• Methods of transmitting, processing, maintaining, and accessing information

• Applicable legal and regulatory requirements

Question: How does information technology (IT) affect internal control?

Answer:

• An entity’s use of IT may affect any of the five interrelated components of internal control.

• Controls in systems that use IT consist of a combination of automated controls (e.g., controls
embedded in computer programs) and manual controls.

Question: What are the potential benefits of IT to internal control?

Answer: IT provides potential benefits of effectiveness and efficiency for internal control because it
enables the entity to:

• Consistently apply predefined rules and perform complex calculations in processing large
volumes of transactions or data.

• Enhance the timeliness, availability, and accuracy of information.

• Facilitate the additional analysis of information.

• Enhance the ability to monitor the performance of the entity’s activities and its policies and
procedures.

• Reduce the risk that controls will be circumvented.

• Enhance the ability to achieve effective segregation of duties by implementing security controls
in applications, databases, and operating systems.

Question: What risks does IT pose to internal control?

Answer: IT poses specific risks to internal control, including:

• Reliance on inaccurate systems or programs

• Unauthorized access to data that may result in destruction of data or improper alterations to
data

• Unauthorized changes to master files

• Unauthorized changes to systems or programs

• Failure to make necessary changes to systems or programs

• Inappropriate manual intervention

• Potential loss of data

Note: The extent and nature of these risks to internal control depend on the nature and characteristics
of the entity’s information system.

Question: To what extent must I consider the client’s internal control?

Answer: The practitioner must obtain a sufficient understanding of internal control to enable the
proper planning of the audit. Whether controls have been placed in operations is of prime
importance. Operating effectiveness is not to be judged by the practitioner. The understanding of the
internal control should: (1) provide a basis for identifying types of potential misstatements, (2) enable
the assessment of the risk that such misstatements will occur, and (3) enable the auditor to design
substantive tests.

Question: What are the procedures used to obtain an understanding of internal control?

Answer: Ordinarily, a combination of the following procedures is used in obtaining a sufficient
understanding of internal control:

• Previous experience with the client

• Inquiry of appropriate client personnel

• Observation of client activities

• Reference to prior year working papers

• Inspection of client-prepared descriptions, such as organization charts and accounting manuals.

Question: How should I document my understanding of internal control?

Answer: The auditor must exercise professional judgment in determining the methods and extent of
documentation. The most frequently used methods of documentation are:

• Flowcharts

• Questionnaires

• Narrative memos (written descriptions)

Question: What is meant by assessing control risk?

Answer: The assessment of control risk is a process of evaluating the effectiveness of a client’s
internal controls in preventing or detecting material misstatements in the financial statements.

Question: How do I assess control risk?

Answer: If the auditor concludes, based on his or her understanding of internal control, that controls are
likely to be ineffective or that evaluation of their effectiveness would be inefficient, then the auditor
may assess control risk at the maximum level for some or all financial statement assertions.

If specific controls are likely to prevent or detect material misstatements and the auditor performs tests
of controls in order to evaluate the effectiveness of the controls identified, then assessment of control
risk below the maximum level is permissible.

Question: What are tests of controls?

Answer: SAS 55 defines tests of controls as tests directed toward the design or operation of an
internal control to assess its effectiveness in preventing or detecting material misstatements in a
financial statement assertion. Inquiry of company personnel, inspection of client documents and
records, observation of client activities, and re-performance of controls represent some of the
procedures used in performing tests of controls.

In performing tests of controls, the auditor seeks answers to the following questions:

• Who performed the control?

• When was the control performed?

• How was the control performed?

• Was the control consistently applied?

Question: What is the relationship between the assessed level of control risk and substantive testing?

Answer: Since the auditor’s determination of the nature, extent, and timing of substantive tests is dependent
on detection risk, the assessed level of control risk must be considered in conjunction with inherent
risk (see SAS 47). There is an inverse relationship between detection risk and the assurances to be.

Internal Control: Test Your Knowledge

BY JAMES SCHAEFER, CPA, DBA AND JOY V. PELUCHETTE, DBA

March 1, 2010

Today many companies recognize the desirability as well as the requirement to have an effective system
of internal control. Yet, designing and implementing a cost-effective system of internal control is a
daunting, if not overwhelming, task.

One way to overcome resistance to internal control is to educate stakeholders at every level of the
organization about its advantages.

Try the following quiz to test your knowledge of internal control and consider using it as a teaching tool for
others in your organization.

1. Houston Helpers, a faith-based group that offers help to people in need, has hired Janet Wells, a local
CPA, to train its professional staff in the basics of internal control. As Wells begins her presentation, a
participant interrupts by saying, “We are not like other organizations. How can we talk about common
elements of internal control when we are a faith-based service provider?”

a. The participant is correct; there are no generally accepted frameworks for internal control.
b. The participant is incorrect; there are generally accepted frameworks for internal control, regardless of
industry.

2. Internal control is a process designed to provide reasonable assurance regarding the achievement of
which objective?

a. Effectiveness and efficiency of operations
b. Reliability of financial reporting
c. Compliance with applicable laws and regulations
d. All of the above

3. CS Inc. has asked you to join its board of directors. Before agreeing to do so, you realize that it is
important that you understand the company’s approach to Enterprise Risk Management (ERM). Which of
the following is NOT true about ERM?

a. ERM is a bottom-up view of the key risks facing the organization.
b. ERM links growth, risk and return.
c. ERM aligns risk appetite and strategy.
d. ERM identifies and manages cross-enterprise risk.

4. The directors of Evans Corp. are reevaluating their “tone at the top.” They realize the phrase “tone at
the top” is used to describe the example set by directors, officers and executives through their statements
and daily actions. The board members also realize written policies need to reinforce the tone, but are
unsure how to integrate written policies into the “tone at the top.” If you were advising the board, what
would you tell them is the cornerstone of these policies?

a. A comprehensive code of conduct
b. A conflict-of-interest policy
c. Organization communications
d. Protection of the organization’s assets

5. Your employer has asked you to develop controls to help prevent duplicate payments. Which of the
following steps would NOT be appropriate in developing such a policy?

a. Create a form for updates to the master vendor file, which should be completed by the person
requesting the change and signed off by someone at a higher level.
b. Purge inactive vendors.
c. Periodically run reports showing the daily changes to the master vendor file.
d. Prohibit the sharing of passwords for the master vendor file.

6. As part of a training exercise for a corporate controller’s staff, Jeri Lee breaks the group into teams and
asks each team to gain (and document) their understanding of a potential acquisition’s system of internal
control. When she returns to check on their progress, she discovers that one team is working on
integrating the use of narratives, flowcharts and internal control questionnaires. What should Lee tell this
team about using all three approaches simultaneously?

a. The team is correct in using all three approaches simultaneously.
b. The team only needs to use one approach.
c. Combining the use of narratives and flowcharts together is inefficient.
d. Combining the use of flowcharts and internal control questions together is ineffective.
e. b and c

COSO FRAMEWORK

The COSO framework consists of five elements of control: the control environment, risk assessment,
control activities, information and communication, and monitoring. The remaining questions refer to these
elements.

7. The owner of Austin Marina has approached the managing partner of a CPA firm about conducting a
first-time independent audit. While discussing the nature and scope of the audit, the owner of Austin
Marina asks if it is really necessary for the auditor to gain an understanding of Austin Marina’s system of
internal control. Which of the following responses would NOT be correct?
a. The auditor needs to gain an understanding of the client’s internal control in order to assess risk.
b. An understanding of internal control is necessary to support the audit opinion.
c. Audit standards do not require the auditor to gain an understanding of the client’s system of internal
control since risk can be assessed by other means.
d. Independent auditors can no longer assess control risk at a maximum without having support for that
assessment.

8. Risks relevant to financial reporting include which of the following?

a. External events
b. Internal events
c. Circumstances that might affect reliable financial reporting
d. All of the above

9. Control activities can be defined as:

a. A means to an end
b. Authorized procedures
c. The particular category in which a control is placed
d. The actions of people to help ensure that management directives necessary to address risks are
carried out

10. Evans & Co. has been struggling to implement the monitoring component of the COSO Internal
Control—Integrated Framework. Which of the following is NOT correct in how the company can implement
the monitoring component?

a. Monitoring can be an ongoing process.
b. Monitoring can be conducted as a separate evaluation.
c. An adequate internal audit staff can reduce external audit costs.
d. The independent auditor can serve as part of the control environment.

ANSWERS

1. (b) While the staff at Houston Helpers may not be aware of it, there are frameworks available to
evaluate the effectiveness of internal control in any type of organization. The industry standard used by
most U.S. companies is Internal Control—Integrated Framework, which was issued in 1992 by the
Committee of Sponsoring Organizations (COSO), and is a blueprint for organizations to assess and
enhance internal control systems. COSO was formed in 1985. The sponsoring organizations are the
American Accounting Association, the AICPA, Financial Executives International, the Institute of
Management Accountants, and the Institute of Internal Auditors.

2. (d) Effectiveness relates to the ability of the entity to accomplish its goals. Efficiency is concerned with
maximizing the best use of resources. Reliability of financial reporting includes the accuracy of financial
statement balances and adequate and complete disclosure. Compliance with applicable laws and
regulations refers to all laws and regulations that apply to the entity.

3. (a) ERM provides “a process that provides a robust and holistic top-down view of key risks facing the
organization.” (Effective Enterprise Risk Oversight: The Role of the Board of Directors, COSO, 2009).
Thus ERM is significantly different from the more traditional risk management approaches. Board
members need to understand the entity’s strategy for managing risks to ensure that day-to-day operations
are aligned with stakeholder expectations. The other answers are true.

4. (a) “The code of conduct should be a source of guidance on daily behavior and set the minimum
standards for that behavior,” according to the AICPA On-Site Training course Financial Fraud, Forensics,
and the CPA. The “tone at the top” applies to everyone as they carry out their business and personal
responsibilities. The other answers (a conflict-of-interest policy, organization communications, and
protection of the organization’s assets) are normally considered for inclusion in the code of conduct.

5. (b) Accounts payable expert Mary Schaeffer recommends that inactive vendors be deactivated, not
purged. This allows vendor activity to be researched if needed. The other steps are appropriate. Using
forms for updates to the master vendor file allows accountability for changes. Schaeffer also recommends
executive review of reports, which show daily changes to the master vendor file. Passwords to the master
vendor file should never be shared. For more information, see “Fight Fraud and Duplicate Payments”
(Dec. 4, 2008), by Mary Schaeffer, available at tinyurl.com/yfc7jog.
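As an added illustration, not part of the quiz or of Schaeffer's article, the following Python models the master vendor file controls from answer 5: an update form that must be signed off by a different, higher-level person, deactivation instead of purging, and a daily change report for executive review. The vendor record, grade levels and names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Vendor:
    vendor_id: str
    bank_account: str
    active: bool = True  # inactive vendors are flagged, never purged (answer 5b)


@dataclass
class ChangeRequest:  # the update form: requester plus higher-level sign-off (5a)
    vendor_id: str
    field_name: str
    new_value: object
    requested_by: str
    requester_level: int  # hypothetical grade: 1 = clerk, 3 = controller
    approved_by: str
    approver_level: int


class VendorMaster:
    def __init__(self) -> None:
        self.vendors: dict[str, Vendor] = {}
        self.change_log: list[tuple] = []  # (date, request, old value) of applied changes
        self.rejected: list[tuple] = []    # failed sign-off attempts, kept for review

    def apply_change(self, req: ChangeRequest, today: date) -> bool:
        # No self sign-off, and the approver must outrank the requester.
        if req.approved_by == req.requested_by or req.approver_level <= req.requester_level:
            self.rejected.append((today, req))
            return False
        v = self.vendors[req.vendor_id]
        old = getattr(v, req.field_name)  # AttributeError for an unknown field
        setattr(v, req.field_name, req.new_value)
        self.change_log.append((today, req, old))
        return True

    def daily_change_report(self, day: date) -> list[tuple]:
        return [e for e in self.change_log if e[0] == day]  # for executive review (5c)


def run_demo() -> dict:
    vm = VendorMaster()
    vm.vendors["V001"] = Vendor("V001", "12345678")  # constructed sample vendor
    day = date(2024, 1, 15)
    vm.apply_change(ChangeRequest("V001", "bank_account", "87654321", "clerk", 1, "controller", 3), day)
    vm.apply_change(ChangeRequest("V001", "active", False, "clerk", 1, "controller", 3), day)
    vm.apply_change(ChangeRequest("V001", "bank_account", "1", "clerk", 1, "clerk", 1), day)  # self sign-off
    vm.apply_change(ChangeRequest("V001", "bank_account", "1", "clerk", 1, "peer", 1), day)  # same level
    v = vm.vendors["V001"]
    return {"bank_account": v.bank_account, "active": v.active, "still_on_file": "V001" in vm.vendors,
            "rejected": len(vm.rejected), "report_rows": len(vm.daily_change_report(day))}
```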

6. (e) A narrative is a written description of a system of internal control. A flowchart is a diagram of the
documents and their sequential flow within an organization. A narrative and a flowchart present the same
information. While one well-executed approach can be sufficient to gaining an understanding of internal
control, a flowchart and an internal control questionnaire can be used together effectively, as the internal
control questionnaire offers checklists that include the many types of controls available.

7. (c) Current audit standards require the independent auditor to obtain an understanding of the entity and
its environment, including internal control. Moreover, the auditor is required to evaluate the design of
controls and whether or not they have been implemented. Also, the auditor must document significant
processes and their basis for assessing control risk.

8. (d) Risk assessment is the process of identifying and analyzing relevant risks in order to manage and
mitigate the risks. External and internal events, as well as any other circumstance that could affect
reliable financial reporting should play a part in risk assessment.

9. (d) The COSO definition of control activities recognizes that internal control is affected by people at
every level of the organization. Control activities are more than a means to an end, and are not limited to
authorized procedures. Control activities are often in overlapping categories.

10. (d) Management is responsible for establishing and maintaining the entity’s internal control, and an
independent auditor cannot perform management functions. Monitoring can be an ongoing process or be
conducted as a separate evaluation. For many larger entities, internal audit departments are essential for
effective monitoring. In fact, AU section 322 addresses the effect of internal auditors on the external
auditor’s evidence accumulation, provided the internal audit function is performed by staff independent of
both the operating and accounting departments and reports either to top management or the audit
committee.

SCORING

An effective system of internal control is one of the best ways to prevent the fraudulent misstatement of
financial statements. If you answered all 10 questions correctly, you are an internal control guru. If you
answered eight or nine questions correctly, your knowledge of internal control is competent.

If you answered seven or fewer questions correctly, you may want to build on your internal control skills.
Fortunately, no one needs to “reinvent the wheel” when implementing or upgrading a system of internal
controls. The resources listed on the previous page will help you stay competent in internal control.
