
AUDITING

CHAPTER 8
Internal Control
By
David N. Ricchiute
TOPICS

COSO framework of internal control


Auditor's consideration of internal control
Audit of internal control mandated by
Sarbanes-Oxley

2 GBW 8th ed., Ch. 8


INTRODUCTION
Auditor responsible for considering internal
control in audit program design
Audit planning
What is assessed level of control risk?
Based on control risk assessment, can auditor relax
nature, extent, timing of substantive tests?
Sarbanes-Oxley Act requires auditor to audit
internal control
To comply with Act & SEC's rules



COSO FRAMEWORK
COSO provides guidance for auditor's
consideration of internal control
A framework to assess internal controls
Common definition for internal controls
Applies to financial reporting & other
management objectives
Sarbanes-Oxley Act applies only to
financial reporting



INTERNAL CONTROL:
COSO Definition

A process, effected by an entity's board of
directors, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in
the following categories:
Effectiveness & efficiency of operations
Reliability of financial reporting
Compliance with applicable laws & regulations
COSO, 1992, p. 9



CONCEPTS OF COSO
DEFINITION
Internal control is a process
Internal control accomplished by people
at all levels
Internal control is means to achieve
entity's objectives
Internal controls provide reasonable,
not absolute, assurance



INTERNAL CONTROL
OBJECTIVES
Operations objectives
Market share, ROI, product/service
diversification
Financial reporting objectives
Producing reliable financial statements
Compliance objectives
Compliance with laws, regulations



SEC & PCAOB
Control Over Financial Reporting

Sarbanes-Oxley Act Section 404


Management to certify internal control over
financial reporting is effective
Auditor to issue opinion on management's
certification



INTERNAL CONTROL OVER
FINANCIAL REPORTING
SEC, PCAOB definition Section 404
A process designed by, or under supervision of
principal executive & principal financial
officers . . . To provide reasonable assurance
regarding reliability of financial reporting,
preparation financial statements in
accordance with GAAP

SEC, Final Rule. Washington, D. C.: SEC, 2003.



INTERNAL CONTROL
Policies & Procedures
Maintain records in reasonable detail
To accurately, fairly reflect transactions, dispositions
of assets
Provide reasonable assurance that
Transactions recorded as necessary to prepare
financial statements in accord with GAAP
Receipts, expenditures in accord with
management's, directors' authorization
Unauthorized acquisition, use of assets having
material effect on financial statements will be
prevented, detected in timely manner



COSO COMPONENTS OF
INTERNAL CONTROL
Control environment
Risk assessment
Control activities
Information & communications support
Monitoring

COSO & adopted by SAS 94



CONTROL ENVIRONMENT
Management's & board of directors'
attitude, awareness, & actions
regarding internal control
Captures importance of control in
management's operating style
Tone at the top



ELEMENTS OF CONTROL
ENVIRONMENT
Attitude & awareness
Integrity: Codes of conduct
Commitment: Committed to quality
Directors, audit committee: Board independent of management
Management philosophy: Attitude about false records
Organization structure: Proper flow information
Authority: Responsibilities defined
HR policies, procedures: Policies training, promotion, etc.

RISK ASSESSMENT
Management's responsibility to identify
risks for
Financial reporting
Operations
Compliance
Management's responsibility to take
action to manage risks



MANAGING RISKS IN
CHANGE
Change agents
Operating environment: Divestiture
New personnel: Organization culture
New information system: Time constraints for redesign
Rapid growth: Back orders
New technology: Production delays
New products, services: Unfamiliar risks
Corporate restructuring: Staff reductions, inadequate supervision
Foreign operations: Local customs, culture



CONTROL ACTIVITIES
Policies & procedures to provide
reasonable assurance that objectives
are met
Authorization, execution of transactions
Segregation of duties
Design & use of documents & records
Access to assets & records



CONTROL ACTIVITIES
Categories

Preventive controls
Intended to prevent misstatement
Detective controls
Detect misstatements that have occurred



CONTROL ACTIVITIES
Authorization
All transactions should be authorized
by responsible personnel acting
within scope of prescribed authority,
responsibility
Specific authorization
Required for each transaction
Typically unusual transactions
General authorization
Policies, procedures for typical transactions



SEGREGATION OF DUTIES
Optimum segregation of duties exists when
collusion is necessary to circumvent controls
Separate functions for
Management (authorization)
Custody (transaction execution)
Accounting (recording transactions)
Monitoring (independent checks on performance)



DESIGN, USE DOCUMENTS
& RECORDS
Evidence of executed transactions
Represent an audit trail
Impact efficiency
Designed for multiple use
Prenumbered consecutively
Easy to complete



ACCESS TO ASSETS &
RECORDS
Access limited to authorized personnel
by
Locks for physical protection
Limits on employee access online
Codes to authorize access



INFORMATION,
COMMUNICATION: Defined

System identifies, captures, communicates
external & internal information in form &
timeframe to discharge responsibilities
Includes accounting system



INFORMATION,
COMMUNICATION: Sources
External
Market share, regulatory requirements,
complaints
Internal
Identify valid transactions
Record proper time period
Sufficient detail to classify, measure,
present in financial statements



INFORMATION,
COMMUNICATION: Accounting
Methods, records, to identify valid
transactions
Transactions recorded in proper period
Describe transactions on timely basis,
sufficient detail to properly
Classify
Measure
Summarize
Disclose



TRANSACTION CYCLES
Defined

Accounting system organized &
processes information in cycles
Financing
Expenditure & disbursement
Conversion
Revenue & receipt



TRANSACTION CYCLES
Examples
Cycles
Financing: Capital funds received, used, invested
Expenditure/disbursement: Goods, services acquired from vendors, employees & paid
Conversion: Resources used, held, transformed
Revenue/receipt: Resources distributed to outsiders; payment received

MONITORING

Continuous or periodic evaluation


Resolution of discrepancies
To ensure reliability



RESTATEMENT, FRAUD, &
INTERNAL CONTROL
Section 13(b)(2)(B) of 1934 Securities Exchange
Act requires issuers to devise, maintain
system of internal accounting controls
sufficient to provide reasonable assurances
that transactions are recorded as necessary to
permit preparation of financial statements in
accord with GAAP.

Internal control is a matter of law


ASSESSING CONTROL
RISK
A sufficient understanding of internal
control is to be obtained to plan the audit
& determine the nature, timing, and
extent of tests to be performed. (2nd GAAS
fieldwork)
Obtain understanding
Assess control risk
Determine nature, timing, extent of substantive
tests

ASSESSING V. AUDITING
COSO INTERNAL CONTROLS
Assessing controls:
Obtain understanding
Assess control risk for assertions about balances & transactions
Determine nature, extent, timing of substantive tests

Auditing Section 404:
Evaluate effectiveness
Form opinion on internal control over financial reporting
Obtain understanding



OBTAIN UNDERSTANDING
Audit Committee Effectiveness

Final authority over financial reporting


Challenge CEO, CFO over financial
reporting
Seek advice of independent auditor
Engages independent counsel when
necessary



OBTAIN UNDERSTANDING
Auditor's Evaluation

Auditor evaluates audit committee
effectiveness by considering
Nominating process & independence
Clarity of responsibilities
Level management cooperation
Committee involvement with auditor &
internal auditing
Time devoted to audit, internal controls

OBTAIN UNDERSTANDING
Information Technology

Personal computers & local area networks


Database management systems
End-user computing
Telecommunications
Service bureaus
Internet technology
Software for information systems
Operating & applications software



OBTAIN UNDERSTANDING
IT & Section 404 Documentation

For information technology, did
management
Document & test controls related to
financial reporting?
Evaluate effectiveness, likelihood of failure?
Communicate findings to auditor?
Reach assessment that documentation
supports?



OBTAIN UNDERSTANDING
Document System

To demonstrate compliance with
requirement to understand & evaluate
client's system
Internal control questionnaire
Flowchart
Narrative memorandum



OBTAIN UNDERSTANDING
Identify Transactions Cycles

To identify cycles
Review account components for
homogeneity
Identify representative cycles
Flowchart each cycle
Trace representative transactions through
each cycle
Revise flowcharts if necessary



OBTAIN UNDERSTANDING
Perform Transaction Walkthroughs

Required by Section 404 of Sarbanes-Oxley
Act
Trace wide range of transactions, common,
uncommon, from each cycle through system
from
Authorization to
Execution to
Recording to
Summarization



OBTAIN UNDERSTANDING
Auditor Responsibilities

In transactions walkthroughs, auditor
must
Understand controls over end-of-period
financial reporting
Especially for effects on earnings



EVALUATE CONTROL
EFFECTIVENESS: Reliability
When documenting controls
Identify controls to be relied upon
Test controls
If acceptable, assess control risk below maximum
Identify controls not suitable to justify
reliance
Do not test these controls
Assess control risk at maximum
Plan audit to rely heavily on substantive tests



EVALUATE CONTROL
EFFECTIVENESS: Risk
Assess Control Risk
Consider errors, frauds that could
occur
Identify relevant control activities to
prevent, detect errors, frauds
Perform tests of controls on control
activities that may prevent, detect errors,
frauds



EVALUATE CONTROL
EFFECTIVENESS: Tests of Controls

Testing design of controls


Whether policy, procedure suitably
designed to prevent, detect material
misstatements
Testing operations of controls
Were control activities performed?
How were they performed?
By whom were they performed?

EVALUATE CONTROL
EFFECTIVENESS: General Controls

Computer assisted tests


Organization, operation controls
Systems development & documentation
controls
Hardware controls
Access controls
Data & procedural controls



GENERAL CONTROL
EFFECTIVENESS: Operation

Organization & operation


Segregate computer department & users
Provide general authorization over
execution of transactions
Segregate functions within the computer
department



GENERAL CONTROL
EFFECTIVENESS: Documentation
Development & documentation
Participation by users, accounting personnel,
internal auditors in system design
Review, approval of system specifications
Joint system testing by user, computer
personnel
Approval new applications, changes
Control over master, transaction files
Procedures to create, maintain documentation

GENERAL CONTROL
EFFECTIVENESS: Hardware

Hardware controls
Controls built into computers by
manufacturers



GENERAL CONTROL
EFFECTIVENESS: Access Controls

Limit access to authorized personnel for


Hardware
Software
Data files
Software support documentation



GENERAL CONTROL
EFFECTIVENESS: Data

Data & procedural controls


Written procedures, authorization manuals
Control groups



EVALUATE CONTROL
EFFECTIVENESS

Computer-Assisted Tests of Application
Controls
Input controls
Processing controls
Output controls



APPLICATION CONTROL
EFFECTIVENESS: Input
Input controls
Input authorization, approval
Code verification
Data conversion
Data movement
Occurrence correction



APPLICATION CONTROL
EFFECTIVENESS: Processing

Processing controls
Control totals
File labels
Limit (reasonableness) tests



APPLICATION CONTROL
EFFECTIVENESS: Output

Output controls
Control totals comparisons
Output distribution



COMPUTER-ASSISTED TESTS
OF CONTROLS: Types
Test data: uses client software to process
data with valid & invalid transactions
Base Case System Evaluation (BCSE):
develops test data to test expected conditions
Integrated test facility: tests whether client
actually uses software by running live and
fictitious data simultaneously
Parallel simulation: processing client data
with auditor's software



COMPUTER-ASSISTED TESTS
OF CONTROLS: Types (cont.)

Embedded audit modules: selects client
data for subsequent testing & analysis
SCARFs: logs created from embedded audit
modules that collect transaction information
Audit hooks & tagging: transaction records
tagged & traced through critical control points
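
Added example (not part of the original slides or the textbook): the test data technique described above, run against the input and processing controls listed earlier (authorization, code verification, limit test, control totals). The posting routine, account codes, threshold and test deck are hypothetical and constructed for illustration; in practice the deck is processed by the client's own software.

```python
from decimal import Decimal

# Hypothetical stand-in for the client's posting program (assumption: real
# test data would be run through the client's own software, not this stub).
VALID_ACCOUNTS = {"1000", "2000", "4000"}   # constructed chart of accounts
LIMIT = Decimal("10000.00")                  # constructed limit-test threshold

def client_post(batch):
    """Apply input/processing controls; return (posted, rejected, control_total)."""
    posted, rejected = [], []
    for txn in batch:
        amount = Decimal(txn["amount"])
        if not txn.get("approved_by"):
            rejected.append((txn["id"], "no authorization"))
        elif txn["account"] not in VALID_ACCOUNTS:
            rejected.append((txn["id"], "invalid account code"))
        elif amount <= 0 or amount > LIMIT:
            rejected.append((txn["id"], "limit test failed"))
        else:
            posted.append(txn)
    total = sum((Decimal(t["amount"]) for t in posted), Decimal("0"))
    return posted, rejected, total

# Constructed auditor test deck: each record carries the outcome the
# auditor expects if the control is operating.
TEST_DECK = [
    {"id": "T1", "account": "1000", "amount": "250.00", "approved_by": "mgr1", "expect": "post"},
    {"id": "T2", "account": "9999", "amount": "100.00", "approved_by": "mgr1", "expect": "reject"},
    {"id": "T3", "account": "2000", "amount": "10000.01", "approved_by": "mgr1", "expect": "reject"},
    {"id": "T4", "account": "4000", "amount": "75.50", "approved_by": "", "expect": "reject"},
    {"id": "T5", "account": "4000", "amount": "10000.00", "approved_by": "mgr2", "expect": "post"},
]

def run_test_data(deck, post=client_post):
    """Compare actual results with expectations; return control exceptions."""
    posted, rejected, total = post(deck)
    posted_ids = {t["id"] for t in posted}
    exceptions = [t["id"] for t in deck
                  if (t["expect"] == "post") != (t["id"] in posted_ids)]
    # Control total: auditor's independently computed total of expected postings.
    expected_total = sum((Decimal(t["amount"]) for t in deck if t["expect"] == "post"), Decimal("0"))
    if total != expected_total:
        exceptions.append("control total mismatch")
    return {"exceptions": exceptions, "rejected": rejected, "control_total": total}

if __name__ == "__main__":
    print(run_test_data(TEST_DECK))
```

An empty exceptions list supports assessing control risk below maximum for these controls; any listed transaction id or a control total mismatch is a control exception to follow up.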



CONTROL DEFICIENCIES,
MATERIAL WEAKNESSES
Deficiencies do not allow
management, employees to
prevent, detect misstatements in
normal course of business
Material weakness is a significant
deficiency more than remotely
likely to cause a material
misstatement that will not be
prevented, detected



NATURE, TIMING, EXTENT
Audit risk strategy
Determine acceptable detection risk
Design nature, timing, extent of
substantive tests



NATURE, TIMING, EXTENT
& SUBSTANTIVE TESTS
Level of Detection Risk: Lower v. Higher
Nature
Lower: Use more persuasive tests (confirmation)
Higher: Use less persuasive tests (documentation)
Timing
Lower: Test at balance sheet date
Higher: Test at interim dates
Extent
Lower: Test more (increase sample size)
Higher: Test less (decrease sample size)

AUDITOR'S OPINION ON
INTERNAL CONTROLS
Auditor evaluates
Reports by internal auditors
Significant deficiencies
Results of test of controls
Results of substantive test of details
To issue an opinion on controls
