What is Internal Control?
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) compliance with applicable laws and regulations, (3) effectiveness and efficiency of operations, and (4) safeguarding of assets.
Control is part of corporate governance
• Governance begins with stockholders.
• Needs to occur within a framework of control and accountability.
Control is almost as important to shareholders as are the financial results.
Good control makes good business sense.
Who is interested in an organization’s control system?
• The board of directors and the audit committee of the board.
• Management.
• Regulators.
• Auditors, both internal and external.
• Suppliers and customers.
• Investors and lenders.
• Customers or others using the Web for commerce.
Internal Reports to Management
• Ongoing monitoring reports from operations.
• Internal audit reports.
• External audit reports.
External Reports by Management
Regulatory Required Reports
E-Commerce Reports
Audit Committee Reports
A Framework for Understanding and Evaluating Internal Controls
Components of an Internal Control System
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
Understanding and Assessing the Control Environment
• Sets the tone of an organization.
• Management’s philosophy and operating style.
• Organizational structure, including the assignment of authority and responsibility.
• Board of directors and the audit committee.
• Human resource policies and practices.
• Integrity and ethical values.
• Commitment to competence.
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
• Minimum level of control necessary.
• Overall quality of controls can impact ability to remain a going concern.
• Quality of control will significantly affect both audit approach and amount of testing.
• Analysis of control risk helpful in identifying types of likely misstatements.
• Inadequate controls may place organizations in violation of federal laws.
• Auditor may need to issue a formal report.
Understanding and Evaluating Accounting Information Systems
Internal Control and Financial Statement Account Balances
• Auditor needs to evaluate internal control.
• Auditor needs to evaluate internal control only for accounting systems that result in material account balances.
• Need to assess both overall control structure and specific control procedures.
• To reduce control risk, there must be evidence that the control structure is soundly designed and efficient.
Assessing the Effectiveness of Control Procedures
Non-Transaction-Based Systems
Transaction-Based Systems
Pervasive Control Activities
• Segregation of duties
• Authorization procedures
• Adequate documentation
• Physical controls
• Reconciliation
• Competent, trustworthy employees.
Phase 1: Obtain an understanding of risks and controls.
Phase 2: Preliminary assessment of control risk.
Phase 3: Test controls for effectiveness.
Phase 4: Reconsider and revise assessment if necessary.
Phase One: Obtain an Understanding
• Walk-Throughs
• Inquiries
• Plant and Operational Tours
• Client-Prepared Documentation
• Prior-Year Working Papers
Phase Two: Make Preliminary Assessment of Control Risk
Crucial, because it drives the planning for the rest of the audit.
High control risk means more testing.
Low control risk means less testing.
Control risk can vary across subsystems.
Phase Three: Perform Test of Controls
The preliminary assessment is based on an understanding of the system as it has operated in the past and how it is designed to operate.
Things change, so the auditor must test the system.
Phase Four: Update Assessment of Control Risk and Need for Substantive Testing
Work in gaining an understanding is not an end in itself.
The amount of risk determines the amount, timing and extent of evidence needed.