INTERNAL CONTROL - NOTES 1
1. Definition of Internal Control
Internal Control is a process designed by management of an entity to provide
reasonable assurance that an entity achieves its objectives in the following categories:
• Reliability of financial reporting
• Effectiveness and efficiency of operations,
• Compliance with applicable laws and regulations.
2. Major components
1. Control Environment – factors that set the tone of an organization and influence
the consciousness of its people. There are seven factors (ICHAMBO).
I – Integrity and ethical values
C – Commitment to competence
H – Human resource policies and practices
A – Assignment of authority and responsibility
M – Management’s philosophy and operating style
B – Board of Trustees’ or audit committee participation
O – Organizational structure
2. Risk Assessment – risks that may affect an entity’s ability to properly record,
process, summarize and report financial data due to:
Changes in the operating environment (e.g., increased competition)
New personnel
New Information systems
Rapid growth
New technology
New lines, products, or activities
Corporate restructuring
Foreign operations
Accounting pronouncements
3. Control Activities – various policies and procedures that help ensure that
necessary actions are taken to address risks affecting the achievement of an
entity’s objectives. (PIPS):
P – Performance reviews (reviews of actual against budgets, forecasts)
I – Information processing (checks for accuracy, completeness,
authorization)
P – Physical controls (physical security)
S – Segregation of duties
4. Information and Communication – methods and records established to record,
process, summarize, and report transactions and to maintain accountability of
related assets and liabilities. Must accomplish the following objectives:
1 – Identify and record all valid transactions
2 – Describe on a timely basis
3 – Measure the value properly
4 – Record in the proper time period
5 – Properly present and disclose
6 – Communicate responsibilities to employees
5. Monitoring – assessment of the quality of internal control performance over time
3. Auditor’s Required Understanding to Plan an Audit
(1) Overall Internal Control – obtain knowledge about the design and whether
controls have been placed for an operation; the understanding should be
adequate to allow the auditor to:
a. Identify types of potential misstatements
b. Consider factors affecting risk of material misstatements
c. Design effective substantive tests
(2) Control environment – obtain sufficient knowledge to understand
management’s and the board of directors’:
a. Attitudes;
b. Awareness; and
c. Actions
(3) Risk assessment – obtain an understanding of how management:
a. Identifies risks
b. Estimates the significance of the risks
c. Assesses the likelihood of occurrence
(4) Control Activities – obtain additional understanding as necessary to plan an
audit. Ordinarily, an understanding of control activities related to each
account or to every assertion is not necessary.
(5) Information and Communication – obtain understanding of:
a. Major transaction classes
b. How transactions are initiated
c. Available accounting records and support
d. Manner of processing of transactions
e. Reporting process used to prepare statements
f. Means entity uses to communicate reporting roles and responsibilities
(6) Monitoring – obtain sufficient understanding of major types of monitoring
activities
4. Documentation of an Understanding of the Internal Control
The size and complexity of the entity, as well as the nature of the entity’s internal control,
influence the auditor’s understanding of the internal control. Typical forms of
documentation are memoranda, questionnaires, and flowcharts. The more complex the
internal control and the more extensive the procedures performed by the auditor, the more
extensive should be the documentation.
Method: Questionnaire
Advantages:
• Easy to complete
• Comprehensive list of questions makes it unlikely that important portions of
the Internal Control will be overlooked
• Weaknesses become obvious (unable to provide reasonable response)
Disadvantages:
• May be answered without adequate consideration
• Standardized questionnaires may not fit client adequately

Method: Memorandum
Advantages:
• Tailor-made to fit specific engagement
• Requires a detailed analysis of the operations and thus enables the auditor to
understand the function
Disadvantages:
• May become very long and time-consuming
• Weaknesses in the structure are not always obvious
• Auditor may overlook important portions of the Internal Control

Method: Flowchart
Advantages:
• Graphic presentations of the structure
• Important portions of the Internal Control will not be overlooked
• Good for electronic systems
Disadvantages:
• Preparation is time-consuming
• Weaknesses in the structure not obvious (especially to inexperienced auditor)
5. Assessed level of control risk
After obtaining an understanding of the Internal Control necessary to plan an audit, an
assessed level of control risk is established. This level of control risk is established either
at the maximum level or below the maximum level. If the auditor believes the assessed
level should be at the maximum level, no tests of controls will be performed. It will be
more cost-effective to perform extensive substantive testing than to perform tests of
controls. However, whenever controls appear to be effective, the planned level of control
risk may be established below the maximum level and tests of controls are performed in
order to decrease the substantive testing. There are three instances when tests of controls
will not be performed:
• Controls are believed to be ineffective and control risk assessed at
maximum
• Controls are believed to be effective, but testing them is not cost efficient
and therefore control risk is assessed at maximum level
• Controls are believed to be effective and evidence already obtained is
adequate to support planned assessed level of control risk which is below
maximum level