McGraw-Hill/Irwin - Binus Repository

Chapter 6
Internal Control Evaluation:
Assessing Control Risk
McGraw-Hill/Irwin
©2002 by The McGraw-Hill Companies, Inc. All rights reserved.
INTERNAL CONTROL -- AN
INTEGRATED FRAMEWORK (COSO)
Internal Control
A process, effected by an entity's board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives in the following categories:
(1) Reliability of financial reporting,
(2) Compliance with applicable laws and regulations,
(3) Effectiveness and efficiency of operations.
Internal Control—Integrated Framework (COSO)
INTERNAL CONTROL -- AN
INTEGRATED FRAMEWORK (COSO)
COMPONENTS OF INTERNAL CONTROL
• CONTROL ENVIRONMENT
• RISK ASSESSMENT
• CONTROL ACTIVITIES
• INFORMATION & COMMUNICATION
• MONITORING
CONTROL ENVIRONMENT
• Sets the tone of an organization, influencing the control consciousness of its people.
• It is the foundation for all other components.
RISK ASSESSMENT
• The entity's identification and analysis of relevant risks to achievement of its objectives.
CONTROL ACTIVITIES
• The policies and procedures that help ensure management directives are carried out.
– Information Processing
• Approvals and authorization
• Verifications and reconciliations
– Physical controls over the security of assets
– Segregation of duties
– Performance reviews
INFORMATION & COMMUNICATION
• The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.
MONITORING
• The process that assesses the quality of the internal control's performance over time.
Responsibility for Internal Control
• Management responsibility
– Foreign Corrupt Practices Act
• Auditor responsibility
– Second standard of fieldwork
Reasons for Internal Control Evaluation
• Planning the substantive audit program
• Communicating internal control deficiencies
– Reportable conditions are matters the auditors believe should be communicated to the client’s audit committee because they represent significant deficiencies in the design or application of the internal controls that could adversely affect the organization’s ability to record, process, summarize, and report financial data in the financial statements.
• Report of material weaknesses
– Material weaknesses are reportable conditions in which the design or operation of internal controls does not reduce to a relatively low level the risk that material errors or frauds may occur and may not be detected within a timely period by employees in the course of performing their normal assigned functions.
Reporting on Internal Control Related Matters Noted in an Audit
• Report, preferably in writing; if not, document reporting via memoranda in working papers.
• The auditor may communicate during or after audit.
• A previously communicated reportable condition that has not been corrected ordinarily should be communicated again if there has been major turnover in upper-level management and the Board of Directors.
Example Report of Reportable Conditions

In planning and performing our audit of the financial statements of the ABC Corporation for the year ended December 31, 20XX, we considered its internal control structure in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on the internal control structure. However, we noted certain matters involving internal control and its operation that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control structure that, in our judgment, could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

[Include paragraphs to describe the reportable conditions noted.]

This report is intended solely for the information and use of the audit committee (board of directors, board of trustees, or owners in owner-managed enterprises), management, and others within the organization (or specified regulatory agency or other specified third party).
Required Communication with Audit Committees
• The auditor should communicate the following issues to the Audit Committee:
– The Auditor's Responsibility Under Generally Accepted Auditing Standards
– Significant Accounting Policies
– Management Judgments and Accounting Estimates
– Significant Audit Adjustments
– Other Information in Documents Containing Audited Financial Statements
– Disagreements With Management
– Consultation With Other Accountants
– Major Issues Discussed With Management Prior to Retention
– Difficulties Encountered in Performing the Audit
– Reportable Conditions and MATERIAL WEAKNESSES
Required Communication with Audit Committees (Continued)
• The communications may be oral or written.
• When the auditor communicates in writing, the report should indicate that it is intended solely for the use of the audit committee or the board of directors and, if appropriate, management.
• If information is communicated orally, the auditor should DOCUMENT the communication by appropriate memoranda or notations in the working papers.
• Communication with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.
PHASES OF A CONTROL EVALUATION
• Phase 1: Understand and Document
– Understand the Client’s Internal Control
– Document the Internal Control understanding
• Internal Control questionnaire
• Narrative
• Accounting and Control System Flowcharts
• Phase 2: Assess Control Risk (Preliminary)
• Phase 3: Testing and Reassessment
– Perform Test of Controls Audit Procedures
– Re-Assess Control Risk
Phases of Internal Control Evaluation
Limitations of Internal Controls
• Collusion
• Management override
• Cost/benefit analysis
Cost-Benefit Analysis
• There is often a trade-off between the cost and the effectiveness of internal controls.
• The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.