
Summary of Internal Control Definition

A process, effected by the entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding achievement of (the
entity’s) objectives on:

– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
Control Objectives
• In each area of internal control (financial reporting,
operations and compliance)
– Control objectives and
– Sub objectives exist
• Example: Area of financial reporting
– Top level objective – prepare and issue reliable financial information
– Detailed level applied to A/R sub objectives
• All goods shipped are accurately billed in the proper period
• Invoices are accurately recorded for all authorized shipments and
only for such shipments
• Authorized and only authorized sales returns and allowances are
accurately recorded
• The continued completeness and accuracy of A/R is ensured
• Accounts receivable records are safeguarded
Foreign Corrupt Practices Act
• Passed in 1977 in response to American corporation
practice of paying bribes and kickbacks to officials in
foreign countries to obtain business

• The Act
– Requires an effective system of internal control
– Makes illegal payment of bribes to foreign officials
Controls over Financial Reporting
• Preventive
– Aimed at avoiding the occurrence of misstatements in the
financial statements
– Example: Segregation of duties
• Detective
– Designed to discover misstatements after they have occurred
– Example: Monthly bank reconciliations
• Corrective
– Needed to remedy the situation uncovered by detective controls
– Example: Backups of master file
• Controls overlap
– Complementary – function together
– Redundant – address same assertion or control objective
– Compensating – reduces the risk that an existing weakness will result in misstatement
Components of Internal Control
• The Control Environment
• Risk Assessment
• The Accounting Information and
Communication System
• Control Activities
• Monitoring
Control Environment Factors
• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee
• Management philosophy and operating style
• Organizational structure
• Human resource policies and practices
• Assignment of authority and responsibility
Risk Assessment--Factors Indicative of Increased
Financial Reporting Risk
• Changes in the regulatory or operating
environment
• Changes in personnel
• Implementation of a new or modified information
system
• Rapid growth of the organization
• Changes in technology affecting production
processes or information systems
• Introduction of new lines of business, products,
or processes
Control Activities
• Performance reviews
• Information processing
– General control activities
– Application control activities
• Physical controls
• Segregation of duties
– Segregate authorization, recording and
custody of assets
Segregation of Duties
Objectives of an Accounting System
• Identify and record valid transactions
• Describe on a timely basis the transactions in
sufficient detail to permit proper classification of
transactions
• Measure the value of transactions appropriately
• Determine the time period in which the transactions
occurred to permit recording in the proper period
• Present properly the transactions and related
disclosures in the financial statements
Monitoring
• Ongoing monitoring activities
– Regularly performed supervisory and
management activities
– Example: Continuous monitoring of
customer complaints
• Separate evaluations
– Performed on nonroutine basis
– Example: Periodic audits by internal
audit
Limitations of Internal Control
• Errors may arise from
misunderstandings of instructions,
mistakes of judgment, fatigue, etc.
• Controls that depend on the
segregation of duties may be
circumvented by collusion
• Management may override the
structure
• Compliance may deteriorate over time
Enterprise Risk Management (ERM)
• COSO issued a new internal control
framework in 2004 on enterprise risk
management. It does not replace the
original COSO internal control framework.
• It goes beyond internal control to focus on
how organizations can effectively manage
risks and opportunities.
• The auditing standards are still structured
around the original COSO internal control
framework.
Auditors’ Overall Approach with
Internal Control
• Overall approach of an audit
1. Plan the audit
2. Obtain an understanding of the client and its
environment, including internal control
3. Assess the risks of material misstatement and design
further audit procedures
4. Perform further audit procedures
5. Complete the audit
6. Form an opinion and issue the audit report
• Steps 2-4 relate most directly to the role of
internal control in financial statement audits
2. Obtain an understanding of the client and its
environment, including internal control
• The understanding of internal control is used to help the
auditor to
– Identify types of potential misstatements
– Consider factors that affect the risks of material misstatement.
– Design tests of controls (when applicable) and substantive
procedures.
• Auditors must consider all five internal control
components
– Control environment
– Accounting information system
– Risk assessment
– Control activities
– Monitoring
• Also consider areas difficult to control like nonroutine
transactions
Obtaining the Understanding
• Procedures include
– Inquiring of entity personnel
– Observing the application of specific
controls
– Inspecting documents and reports
– Tracing transactions through the
information system relevant to financial
reporting
• May also obtain evidence on
operating effectiveness of various
Documenting the Understanding of
Internal Control
• Questionnaires
– Typically standardized by firm
• Written Narratives
– Memos that describe flow of transactions
• Flowcharts
– Systems flowcharts
• Walk-through
– Trace one or two transactions through cycle
3. Assess the risks of material
misstatement

• General approach
– Identify risks while obtaining an understanding of the
client and its environment, including its internal control
– Relate the identified risks to what can go wrong at the
relevant assertion level
– Consider whether the risks are of a magnitude that
could result in a material misstatement
– Consider the likelihood that the risks could result in a
material misstatement
The nature of transactions
• Consider the nature of the transactions
– Routine transactions—e.g., revenue,
purchases, and cash receipts and
disbursements
– Nonroutine transactions—e.g., taking of
inventory, calculating depreciation expense
– Estimation transactions—e.g., determining the
allowance for doubtful accounts
• Generally routine transactions have the
strongest controls
Assessing Risks at the Financial
Statement Level
• Examples
– Preparing the period-end financial statements, including the
development of significant accounting estimates and preparation
of the notes
– The selection and application of significant accounting policies
– IT general controls
– The control environment
• Responses to high risks
– Assigning more experienced staff or those with specialized skills
– Providing more supervision and emphasizing the need to
maintain professional skepticism
– Incorporating additional elements of unpredictability in the
selection of further audit procedures to be performed
– Increasing the overall scope of audit procedures, including the
nature, timing or extent
Assessing Risks at the Assertion Level
• Examples
– Failure to recognize an impairment loss on a
long-lived asset affects only the valuation
assertion
– Inaccurate counting of inventory at year-end
affects the valuation of inventory and the
accuracy of cost of goods sold
• Responses
– Decisions are made here as to the
appropriate combination of tests of controls
and substantive procedures
4. Perform Further Audit Procedures – Test
of Controls (1/2)
• Approach:
– Identify controls likely to prevent or detect material
misstatements
– Perform tests of controls to determine whether they
are operating effectively
• Tests of controls address:
– How controls were applied
– The consistency with which controls were applied
– By whom or by what means (e.g., electronically)
the controls were applied
4. Perform Further Audit Procedures – Test of
Controls (1/2)
• Tests of controls include:
– Inquiries of appropriate client personnel
– Inspection of documents and reports
– Observation of the application of controls
– Reperformance of the controls
• The results of the tests of controls are
used to determine the nature, timing and
extent of substantive procedures
Diagram of the Auditors’ Consideration of Internal Control
Other Considerations
• Audit decision aids
– Checklist, standard form or computer program that
helps auditors make a decision by ensuring that they
have all relevant information or by assisting them in
combining the information.
• Use of the work of internal auditors
– Must assess internal audit competence and
objectivity and test work
– Can rely on work of internal audit to reduce amount of
testing done by independent auditors
Relationships Among Deficiencies
[Diagram: Deficiency in Internal Control; Less than Significant; Significant Deficiency; Material Weakness]
Management’s Report on Internal
Control under Section 404a
• Acknowledgment of responsibility for internal control
• An assessment of internal control effectiveness as of the last day of
the company’s fiscal year using suitable criteria
• Support the evaluation with sufficient evidence
Approach to Audit of Internal Control under
Section 404b
• This section applies to public companies with a
market capitalization of $75 million or more. For
those companies, the auditors audit internal
control as a part of an integrated audit as
follows:
– Plan the engagement
– Use a top-down approach to identify the controls to
test
– Test and evaluate design effectiveness of internal
control
– Test and evaluate operating effectiveness of internal
control
– Form an opinion on effectiveness of internal control
Internal Control in
the Small Company
• Due to lack of employees, internal control is seldom strong in small
businesses
• Specific practices for small businesses
– Record all cash receipts immediately
– Deposit all cash receipts intact daily
– Make all payments by serially numbered checks, with exception of
petty cash disbursements
– Reconcile bank accounts monthly and retain copies
– Use serially numbered invoices, POs, and receiving reports
– Issue checks to vendors only in payment of approved invoices that
have been matched with purchase orders and receiving reports
– Balance subsidiary ledger with control accounts
– Prepare comparative financial statements monthly to disclose
significant variations in any category of revenue or expense
Thank you
