


?
 


McGraw-Hill/Irwin Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved.
 Summary of Internal Control
Definition
A O
, effected by the entity¶s board
of directors, management, and other
personnel, designed to provide
reasonable assurance regarding,
achievement of (the entity¶s) objectives
on:
- Dffectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and
regulations
7-2
 Control Objectives
  In each area of internal control (financial reporting,
operations and compliance)
- Control objectives and
- Subobjectives exist
  Dxample: Area of financial reporting
- Top level objective ± prepare and issue reliable financial information
- Detailed level applied to A/R subobjectives
‡ All goods shipped are accurately billed in the proper period
‡ Invoices are accurately recorded for all authorized shipments and
only for such shipments
‡ Authorized and only authorized sales returns and allowances are
accurately recorded
‡ The continued completeness and accuracy of A/R is ensured
‡ Accounts receivable records are safeguarded
7-3
 Foreign Corrupt Practices Act
  Passed in 1977 in response to American
corporation practice of paying bribes and
kickbacks to officials in foreign countries to
obtain business
  The Act
- Requires an effective system of internal control
- Makes illegal payment of bribes to foreign officials

7-4
 Controls over Financial Reporting
  Preventive
- Aimed at avoiding the occurrence of misstatements in the

financial statements
- Dxample: Segregation of duties

  Detective
- Designed to discover misstatements after they have occurred

- Dxample: Monthly bank reconciliations

  Corrective
- Needed to remedy the situation uncovered by detective controls
- Dxample: Backups of master file
  Controls overlap
- Complementary ± function together
- Redundant ± address same assertion or control objective
- Compensating ± reduces risk existing weakness will result in misstatement

7-5
 Components of Internal
Control

  The Control Dnvironment

  Risk Assessment
  The
Accounting Information and
Communication System
  Control Activities
  Monitoring
7-6
 22

Control Dnvironment Factors

  Integrity and ethical values

  Commitment to competence
  Board of directors or audit committee
  Management philosophy and operating
style
  Organizational structure
  Human resource policies and practices
  Assignment of authority and responsibility

7-7
 2

Risk Assessment--
Assessment--Factors
Factors Indicative of
Increased Financial Reporting Risk
  Changes in the regulatory or operating
environment
  Changes in personnel
  Implementation of a new or modified information
system
  Rapid growth of the organization
  Changes in technology affecting production
processes or information systems
  Introduction of new lines of business, products, or
processes

7-8
 2

Control Activities
  Performance reviews
  Information processing
- General control activities
- Application control activities
  Physical controls
  Segregation of duties
- Segregate authorization, recording and
custody of assets
7-9
0


  

7-10
Objectives of an Accounting System

  Identify and record valid transactions

  Describe on a timely basis the transactions in
sufficient detail to permit proper classification of
transactions
  Measure the value of transactions appropriately
  Determine the time period in which the transactions
occurred to permit recording in the proper period
  Present properly the transactions and related
disclosures in the financial statements

7-11
 Monitoring
  Ongoing monitoring activities
- Regularly performed supervisory and
management activities
- Dxample: Continuous monitoring of
customer complaints
  Separate evaluations
- Performed on nonroutine basis
- Dxample: Periodic audits by internal audit

7-12
Limitations of Internal Control

  Drrors may arise from misunderstandings

of instructions, mistakes of judgment,
fatigue, etc.
  Controls that depend on the segregation
of duties may be circumvented by
collusion
  Management may override the structure
  Compliance may deteriorate over time
7-13
Dnterprise Risk Management (DRM)
  COSO issued a new internal control
framework in 2004 on enterprise risk
management. It does not replace the original
COSO internal control framework.
  It goes beyond internal control to focus on
how organizations can effectively manage
risks and opportunities.
  The auditing standards are still structured
around the original COSO internal control
framework.
7-14
Financial Statement Audits: The
Role of Internal Control
0
 
0


The auditor must obtain a sufficient
G

  of the entity and its
environment, including its   
 
,
to      
 
of the financial statements whether due to
error or fraud, 

   G
  
   G  G


G. [emphasis added]
7-15
Auditors¶ Overall Approach with
Internal Control
  Overall approach of an audit
1. Plan the audit
 


 
  
 
 
   



   


 

 
 
 

 
 
 

5. Complete the audit
6. Form an opinion and issue the audit report
  Steps 2-4 relate most directly to the role of
internal control in financial statement audits

7-16
2. Obtain an understanding of the client and
its environment, including internal control
  The understanding of internal control is used to help the
auditor to
- Identify types of potential misstatements
- Consider factors that affect the risks of material misstatement.
- Design tests of controls (when applicable) and substantive
procedures.
  Auditors must consider all five internal control
components
- Control environment
- Accounting information system
- Risk assessment
- Control activities
- Monitoring
  Also consider areas difficult to control like nonroutine
transactions
7-17
 Obtaining the Understanding
  Procedures include
- Inquiring of entity personnel
- Observing the application of specific controls
- Inspecting documents and reports
- Tracing transactions through the information
system relevant to financial reporting
  May also obtain evidence on operating
effectiveness of various controls

7-18
 Documenting the Understanding
of Internal Control
  Questionnaires
- Typically standardized by firm
  Written Narratives
- Memos that describe flow of transactions
  Flowcharts
- Systems flowcharts
  Walk-through
- Trace one or two transaction through cycle

7-19
7-20
 3. Assess the risks of material
misstatement
General approach
- Identify risks while obtaining an understanding of the
client and its environment, including its internal
control
- Relate the identified risks to what can go wrong at the
relevant assertion level
- Consider whether the risks are of a magnitude that
could result in a material misstatement
- Consider the likelihood that the risks could result in a
material misstatement

7-21
 The nature of transactions
  Consider the nature of the transactions
- Routine transactions²e.g., revenue,
purchases, and cash receipts and
disbursements
- Nonroutine transactions²e.g., taking of

inventory, calculating depreciation expense

- Dstimation transactions²e.g., determining the

allowance for doubtful accounts

  Generally routine transactions have the
strongest controls
7-22
Assessing Risks at the Financial
Statement Level
  Dxamples
- Preparing the period-end financial statements, including the
development of significant accounting estimate and preparation
of the notes
- The selection and application of significant accounting policies

- IT general controls

- The control environment

  Responses to high risks

- Assigning more experience staff or those with specialized skills

- Providing more supervision and emphasizing the need to

maintain professional skepticism
- Incorporating additional elements of unpredictability in the
selection of further audit procedures to be performed
- Increasing the overall scope of audit procedures, including the
nature, timing or extent

7-23
 Assessing Risks at the
Assertion Level
  Dxamples
- Failure to recognize an impairment loss on a
long-lived asset affects only the valuation
assertion
- Inaccurate counting of inventory at year-end
affect the valuation of inventory and the
accuracy of cost of goods sold
  Responses
- Decisions are made here as to the
appropriate combination of tests of controls
and substantive procedures
7-24
 4. Design and Perform audit
procedures ± test of controls (1 of 2)

  Approach:
- Identify controls likely to prevent or detect material
misstatements
- Perform tests of controls to determine whether they
are operating effectively
  Tests of controls address:
- How controls were applied
- The consistency with which controls were applied
- By whom or by what means (e.g., electronically) the
controls were applied

7-25
 4. Perform further audit proce-
proce-
dures²
dures ²tests of controls (2 of 2)
  Tests of controls include:
- ? G of appropriate client personnel
- ?  of documents and reports
- ‰  of the application of controls
- [  of the controls
  Theresults of the tests of controls are
used to determine the nature, timing and
extent of substantive procedures

7-26
Diagram of the
Auditors¶
Consideration
of Internal
Control

7-27
 Other Considerations
  Audit decision aids
- Checklist, standard form or computer program that
helps auditors make a decision by ensuring that they
have all relevant information or by assisting them in
combining the information.
  Use of the work of internal auditors
- Must assess internal audit competence and objectivity
and test work
- Can rely on work of internal audit to reduce amount of
testing done by independent auditors

7-28
 Relationships Among Deficiencies
Deficiency in
Internal Control

Less than Significant Material

Significant Deficiency Weakness

7-29
 Management¶s Report on Internal
Control under Section 404a
  Acknowledgment of responsibility for
internal control
  An assessment of internal control
effectiveness as of the last day of the
company¶s fiscal yearn using suitable
criteria
  Support the evaluation with sufficient
evidence

7-30
 Approach to Audit of Internal
Control under Section 404b
  Plan the engagement
  Use a top-down approach to identify the
controls to test
  Test and evaluate design effectiveness of
internal control
  Test and evaluate operating effectiveness of
internal control
  Form an opinion on effectiveness of internal
control over financial reporting
7-31
 2 

Internal Control in
the Small Company
  Due to lack of employees, internal control is seldom strong in small
businesses
  Specific practices for small businesses
- Record all cash receipts immediately
- Deposit all cash receipts intact daily
- Make all payments by serially numbered checks, with exception of petty
cash disbursements
- Reconcile bank accounts monthly and retain copies
- Use serially numbered invoices, Pos, and receiving reports
- Issue checks to vendors only in payment of approved invoices that have
been matched with purchase orders and receiving reports
- Balance subsidiary ledger with control accounts
- Prepare comparative financial statements monthly to disclose significant
variations in any category of revenue or expense

7-32