CHAPTER 8 Internal Control By David N. Ricchiute TOPICS
COSO framework of internal control
Auditors consideration of internal control Audit of internal control mandated by Sarbanes-Oxley
2 GBW 8th ed., Ch. 8
INTRODUCTION Auditor responsible for considering internal control in audit program design Audit planning What is assessed level of control risk? Based on control risk assessment, can auditor relax nature, extent, timing of substantive tests? Sarbanes-Oxley Act requires auditor to audit internal control To comply with Act & SECs rules
3 GBW 8th ed., Ch. 8
COSO FRAMEWORK COSO provides guidance for auditors consideration of internal control A framework to assess internal controls Common definition for internal controls Applies to financial reporting & other management objectives Sarbanes-Oxley Act applies only to financial reporting
4 GBW 8th ed., Ch. 8
INTERNAL CONTROL: COSO Definition
A process, effected by an entitys board of
directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness & efficiency of operations Reliability of financial reporting Compliance with applicable laws & regulations COSO, 1992, p. 9
5 GBW 8th ed., Ch. 8
CONCEPTS OF COSO DEFINITION Internal control is a process Internal control accomplished by people at all levels Internal control is means to achieve entitys objectives Internal controls provide reasonable, not absolute, assurance
Management to certify internal control over financial reporting is effective Auditor to issue opinion on managements certification
8 GBW 8th ed., Ch. 8
INTERNAL CONTROL OVER FINANCIAL REPORTING SEC, PCAOB definition Section 404 A process designed by, or under supervision of principal executive & principal financial officers . . . To provide reasonable assurance regarding reliability of financial reporting, preparation financial statements in accordance with GAAP
SEC, Final Rule. Washington, D. C.: SEC, 2003.
9 GBW 8th ed., Ch. 8
INTERNAL CONTROL Policies & Procedures Maintain records in reasonable detail To accurately, fairly reflect transactions, dispositions of assets Provide reasonable assurance that Transactions recorded as necessary to prepare financial statements in accord with GAAP Receipts, expenditures in accord with managements, directors authorization Unauthorized acquisition, use of assets having material effect on financial statements will be prevented, detected in timely manner
10 GBW 8th ed., Ch. 8
COSO COMPONENTS OF INTERNAL CONTROL Control environment Risk assessment Control activities Information & communications support Monitoring
COSO & adopted by SAS 94
11 GBW 8th ed., Ch. 8
CONTROL ENVIRONMENT Managements & board of directors attitude, awareness, & actions regarding internal control Captures importance of control in managements operating style Tone at the top
12 GBW 8th ed., Ch. 8
ELEMENTS OF CONTROL ENVIRONMENT Attitude & awareness Integrity Codes of conduct Commitment Committed to quality Directors, audit Board independent of committee management Management Attitude about false philosophy records Organization structure Proper flow information Authority Responsibilities defined HR policies, procedures Policies training, 13 promotion, GBW 8th ed., Ch. 8 etc. RISK ASSESSMENT Managements responsibility to identify risks for Financial reporting Operations Compliance Managements responsibility to take action to manage risks
14 GBW 8th ed., Ch. 8
MANAGING RISKS IN CHANGE Change agents Operating environment Divestiture New personnel Organization culture New information system Time constraints for redesign Rapid growth Back orders New technology Production delays New products, services Unfamiliar risks Corporate restructuring Staff reductions, inadequate Foreign operations supervision Local customs, culture
15 GBW 8th ed., Ch. 8
CONTROL ACTIVITIES Policies & procedures to provide reasonable assurance that objectives are met Authorization, execution of transactions Segregation of duties Design & use of documents & records Access to assets & records
16 GBW 8th ed., Ch. 8
CONTROL ACTIVITIES Categories
Preventive controls Intended to prevent misstatement Detective controls Detect misstatements that have occurred
17 GBW 8th ed., Ch. 8
CONTROL ACTIVITIES Authorization All transactions should be authorized by responsible personnel acting within scope of prescribed authority, responsibility Specific authorization Required for each transaction Typically unusual transactions General authorization Policies, procedures for typical transactions
18 GBW 8th ed., Ch. 8
SEGREGATION OF DUTIES Optimum segregation of duties exists when collusion is necessary to circumvent controls Separate functions for Management (authorization) Custody (transaction execution) Accounting (recording transactions) Monitoring (independent checks on performance
19 GBW 8th ed., Ch. 8
DESIGN, USE DOCUMENTS & RECORDS Evidence of executed transactions Represent an audit trail Impact efficiency Designed for multiple use Prenumbered consecutively Easy to complete
20 GBW 8th ed., Ch. 8
ACCESS TO ASSETS & RECORDS Access limited to authorized personnel by Locks for physical protection Limits on employee access online Codes to authorize access
21 GBW 8th ed., Ch. 8
INFORMATION, COMMUNICATION: Defined
System identifies, captures, communicates
external & internal information in form & timeframe to discharge responsibilities Includes accounting system
22 GBW 8th ed., Ch. 8
INFORMATION, COMMUNICATION: Sources External Market share, regulatory requirements, complaints Internal Identify valid transactions Record proper time period Sufficient detail to classify, measure, present in financial statements
23 GBW 8th ed., Ch. 8
INFORMATION, COMMUNICATION: Accounting Methods, records, to identify valid transactions Transactions recorded in proper period Describe transactions on timely basis, sufficient detail to properly Classify Measure Summarize Disclose
24 GBW 8th ed., Ch. 8
TRANSATION CYCLES Defined
Accounting system organized &
processes information in cycles Financing Expenditure & disbursement Conversion Revenue & receipt
25 GBW 8th ed., Ch. 8
TRANSATION CYCLES Examples Cycles Financing Capital funds received, used, invested Expenditure/ Goods, services acquired from vendors, disbursement employees & paid Resources used, held, Conversion transformed Resources distributed Revenue/receipt to outsiders; payment 26 received GBW 8th ed., Ch. 8 MONITORING
Continuous or periodic evaluation
Resolution of discrepancies To ensure reliability
27 GBW 8th ed., Ch. 8
RESTATEMENT, FRAUD, & INTERNAL CONTROL Section 13(b)(2)(B) of 1934 Securities Exchange Act requires issuers to devise, maintain system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accord with GAAP.
Internal control is a matter of law
28 GBW 8th ed., Ch. 8 ASSESSING CONTROL RISK A sufficient understanding of internal control is to be obtained to plan the audit & determine the nature, timing, and extent of tests to be performed. (2nd GAAS fieldwork) Obtain understanding Assess control risk Determine nature, timing, extent of substantive tests 29 GBW 8th ed., Ch. 8 ASSESSING V. AUDITING COSO INTERNAL CONTROLS Assessing controls Auditing Section 404 Obtain understanding Evaluate Assess control risk for effectiveness assertions about Form opinion on balances & transactions internal control over Determine nature, financial reporting extent, timing of Obtain understanding substantive tests
Challenge CEO, CFO over financial reporting Seek advice of independent auditor Engages independent counsel when necessary
31 GBW 8th ed., Ch. 8
OBTAIN UNDERSTANDING Auditors Evaluation
Auditor evaluates audit committee
effectiveness by considering Nominating process & independence Clarity of responsibilities Level management cooperation Committee involvement with auditor & internal auditing Time devoted to audit, internal controls 32 GBW 8th ed., Ch. 8 OBTAIN UNDERSTANDING Information Technology
Personal computers & local area networks
Database management systems End-user computing Telecommunications Service bureaus Internet technology Software for information systems Operating & applications software
33 GBW 8th ed., Ch. 8
OBTAIN UNDERSTANDING IT & Section 404 Documentation
For information technology, did
management Document & test controls related to financial reporting? Evaluate effectiveness, likelihood of failure? Communicate findings to auditor? Reach assessment that documentation supports?
34 GBW 8th ed., Ch. 8
OBTAIN UNDERSTANDING Document System
To demonstrate compliance with
requirement to understand & evaluate clients system Internal control questionnaire Flowchart Narrative memorandum
35 GBW 8th ed., Ch. 8
OBTAIN UNDERSTANDING Identify Transactions Cycles
To identify cycles Review account components for homogeneity Identify representative cycles Flowchart each cycle Trace representative transactions through each cycle Revise flowcharts if necessary
Act Trace wide range of transactions, common, uncommon, from each cycle through system from Authorization to Execution to Recording to Summarization
37 GBW 8th ed., Ch. 8
OBTAIN UNDERSTANDING Auditor Responsibilities
In transactions walkthroughs, auditor
must Understand controls over end-of-period financial reporting Especially for effects on earnings
38 GBW 8th ed., Ch. 8
EVALUATE CONTROL EFFECTIVENESS: Reliability When documenting controls Identify controls to be relied upon Test controls If acceptable, assess control risk below maximum Identify controls not suitable to justify reliance Do not test these controls Assess control risk at maximum Plan audit to rely heavily on substantive tests
39 GBW 8th ed., Ch. 8
EVALUATE CONTROL EFFECTIVENESS: Risk Assess Control Risk Consider errors, frauds that could
occur Identify relevant control activities to
prevent, detect errors, frauds
Perform tests of controls on control
activities that may prevent, detect errors,
frauds
40 GBW 8th ed., Ch. 8
EVALUATE CONTROL EFFECTIVENESS: Tests of Controls
Testing design of controls
Whether policy, procedure suitably designed to prevent, detect material misstatements Testing operations of controls Were control activities performed? How were they performed? By whom were they performed? 41 GBW 8th ed., Ch. 8 EVALUATE CONTROL EFFECTIVENESS: General Controls
Computer assisted tests
Organization, operation controls Systems development & documentation controls Hardware controls Access controls Data & procedural controls
42 GBW 8th ed., Ch. 8
GENERAL CONTROL EFFECTIVENESS: Operation
Organization & operation
Segregate computer department & users Provide general authorization over execution of transactions Segregate functions within the computer department
43 GBW 8th ed., Ch. 8
GENERAL CONTROL EFFECTIVENESS: Documentation Development & documentation Participation by users, accounting personnel, internal auditors in system design Review, approval of system specifications Joint system testing by user, computer personnel Approval new applications, changes Control over master, transaction files Procedures to create, maintain documentation 44 GBW 8th ed., Ch. 8 GENERAL CONTROL EFFECTIVENESS: Hardware
Hardware controls Controls built into computers by manufacturers
45 GBW 8th ed., Ch. 8
GENERAL CONTROL EFFECTIVENESS: Access Controls
Limit access to authorized personnel for
Hardware Software Data files Software support documentation
46 GBW 8th ed., Ch. 8
GENERAL CONTROL EFFECTIVENESS: Data
Data & procedural controls
Written procedures, authorization manuals Control groups
APPLICATION CONTROL EFFECTIVENESS: Input Input controls Input authorization, approval Code verification Data conversion Data movement Occurrence correction
49 GBW 8th ed., Ch. 8
APPLICATION CONTROL EFFECTIVENESS: Processing
Processing controls Control totals File labels Limit (reasonableness) tests
50 GBW 8th ed., Ch. 8
APPLICATION CONTROL EFFECTIVENESS: Output
Output controls Control totals comparisons Output distribution
51 GBW 8th ed., Ch. 8
COMPUTER-ASSISTED TESTS OF CONTROLS: Types Test data: uses client software to process data with valid & invalid transactions Base Case System Evaluation (BCSE): develops test data to text expected conditions Integrated test facility: tests whether client actually uses software by running live and fictitious data simultaneously Parallel simulation: processing client data with auditors software
52 GBW 8th ed., Ch. 8
COMPUTER-ASSISTED TESTS OF CONTROLS: Types (cont.)
Embedded audit modules: selects client
data for subsequent testing & analysis SCARFs: logs created from embedded audit modules that collect transaction information Audit hooks & tagging: transaction records tagged & traced through critical control points
53 GBW 8th ed., Ch. 8
CONTROL DEFICIENCIES, MATERIAL WEAKNESSES Deficiencies do not allow management, employees to prevent, detect misstatements in normal course of business Material weakness is a significant deficiency more than remotely likely to cause a material misstatement that will not be prevented, detected
NATURE, TIMING, EXTENT & SUBSTANTIVE TESTS Level of Detection Risk Effect Lower Higher Nature Use more Use less persuasive persuasive tests tests (confirmation) (documentation) Timing Test at balance Test at interim sheet date dates Extent Test more (increase Test less (decrease sample size) sample size) 56 GBW 8th ed., Ch. 8 AUDITORS OPINION ON INTERNAL CONTROLS Auditor evaluates Reports by internal auditors Significant deficiencies Results of test of controls Results of substantive test of details To issue an opinion on controls
