Chapter 5
Internal Control Evaluation: Assessing Control Risk

McGraw-Hill/Irwin ©2007 by the McGraw-Hill Companies, Inc. All rights reserved.

Presentation Outline
I. Internal Control Overview
II. The Internal Control Framework
III. Phases of Audit of Internal Control (PCAOB 2) (Publicly Traded Companies)
IV. Reporting Internal Control Weaknesses

I. Internal Control Overview
A. Reason for Internal Control Evaluation Under GAAS (2nd Standard of Fieldwork)
B. Management and Auditor Responsibility
C. Management Report on Internal Controls (Public Company Audits)
D. Auditor Report on Internal Controls (Public Company Audits)
E. Limitations of Internal Controls

A. Reason for Internal Control Evaluation Under GAAS (2nd Standard of Fieldwork)
• Trade-off between tests of controls and substantive testing
• **Important** Understand Exhibit 5.8 on p. 162 of text.

Exhibit 5.10 Bridge Workpaper for Preliminary Assessment of Control Risk

B. Management and Auditor Responsibility
• Management responsibility
  – Primary responsibility for internal control
  – Sarbanes-Oxley Act of 2002 (publicly traded companies)
• Auditor responsibility
  – Second standard of fieldwork
  – PCAOB Auditing Standard No. 2 (PCAOB 2): An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements

C. Management Report on Internal Controls (Public Company Audits)
In addition to certifying the company’s financial statements (Section 302), management must also report on the company’s internal control over financial reporting (Section 404).
Specifically, the company’s annual report must include:
• A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting.
• A statement identifying the framework (usually COSO) management uses to evaluate the effectiveness of the company’s internal control.
• A statement providing management's assessment of the effectiveness of the company’s internal control.

D. Auditor Report on Internal Controls (Public Company Audits)
• The auditor must attest to management’s assessment of internal control.
  – Objective: “To form an opinion as to whether management's assessment of the effectiveness of the registrant's internal control over financial reporting is fairly stated in all material respects.”
• Auditors must also provide their own opinions on the effectiveness of internal control.
• Not a separate engagement
  – Integrated audit of internal control and financial statements

E. Limitations of Internal Controls
• Human error
• Collusion
• Management override
• Cost/benefit analysis
  – There is often a trade-off between the cost and the effectiveness of internal controls.
  – The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.

II. The Internal Control Framework
A. Entities Comprising COSO
B. The COSO Definition of Internal Control
C. Interrelated Components of Internal Control
D. The Control Environment
E. Risk Assessment
F. Control Activities
G. Information and Communication
H. Monitoring

A. Entities Comprising COSO
Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (Treadway Commission)
• Financial Executives Institute (FEI)
• American Accounting Association (AAA)
• Institute of Internal Auditors (IIA)
• Institute of Management Accountants (IMA)
• American Institute of Certified Public Accountants (AICPA)

B. The COSO Definition of Internal Control
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
(1) Reliability of financial reporting,
(2) Compliance with applicable laws and regulations,
(3) Effectiveness and efficiency of operations.

C. Interrelated Components of Internal Control

D. The Control Environment
• Sets the tone of an organization, influencing the control consciousness of its people.
• It is the foundation for all other components.

D. The Control Environment (Continued)
• Philosophy And Operating Style
• Integrity And Ethical Values
• Organizational Structure
• Commitment To Competence
• Functioning Of Board
• Authority And Responsibility
• Internal Audit
• Human Resources Policies
• External Environment

E. Risk Assessment
• The entity's identification and analysis of relevant risks to achievement of its objectives.
• COSO's Enterprise risk management (ERM) framework (Chapter 4)

F. Control Activities (Procedures)
The policies and procedures that help ensure management directives are carried out.
• Physical controls over the security of assets (see p. 156 of text)
• Segregation of duties (see pp. 154-155 of text)
• Information Processing (see pp. 156-157 of text)
• Performance reviews (see p. 154 of text)

G. Information & Communication
The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.

H. Monitoring
Management’s process that assesses the quality of the internal control's performance over time.
• Internal auditing
• Follow-up of reporting errors

III. Phases of Audit of Internal Control (PCAOB 2) (Publicly Traded Companies)
A. Plan the Audit
B. Evaluate Management’s Process for Assessing Internal Control
C. Obtain an Understanding of Internal Control
D. Evaluate Internal Control Effectiveness
   1. Design
   2. Operation
E. Form an Opinion About Effectiveness

A. Plan the Audit (PCAOB 2)
• Evaluation must be done for all relevant assertions for all significant accounts or disclosures.
• Significant accounts, locations, and assertions must be identified.
• The key to determining what is included is whether there is more than a remote possibility that a material misstatement could be associated with it.

B. Evaluating Management's Process for Assessing Internal Control (PCAOB 2)
• The more extensive and reliable management’s assessment is, the less extensive the auditor’s work needs to be.
• Auditor must perform work related to:
  – Company-wide anti-fraud programs
  – Controls that have a pervasive effect
• Auditor must obtain “principal evidence,” but can incorporate work of Internal Auditors and others
  – Must assess competence and objectivity
  – Limited reliance
  – Can’t reduce work on control environment

C. Obtain an Understanding of Internal Control (PCAOB 2)
• Must understand that controls have actually been implemented and are operating as designed
• Must perform walkthroughs
  – Major classes of transactions
  – Routine and unusual transactions

D1. Evaluate Design Effectiveness (PCAOB 2)
• Key Questions
  – Will controls be effective if operated as designed?
  – Are all necessary controls in place?
• Methods
  – Inquiry, observation, walkthroughs
  – Specific evaluation of whether the controls are likely to prevent or detect financial misstatements
  – Specifically evaluate audit committee

D2. Evaluate Operating Effectiveness (PCAOB 2)
• Timing
  – Evaluation as of end of fiscal year
  – Can test at interim and update
• Methods
  – Inquiries, inspection of documentation, observation, reperformance.
  – May use tests by management, internal audit staff and 3rd parties
  – Read internal audit reports

E. Form an Opinion About Effectiveness (PCAOB 2)
• Two opinions
  – Management’s assessment of internal control effectiveness.
  – Actual effectiveness of controls over financial reporting
• Types of opinions
  – If no material weaknesses are discovered, issue an unqualified opinion.
  – If the auditor cannot perform all procedures, either qualify or disclaim opinion. If opinion cannot be expressed, explain why.
  – If any material weaknesses are discovered, issue an adverse opinion.

IV. Reporting Internal Control Weaknesses
A. Forms of Internal Control Weakness
B. Reporting to Audit Committee on Internal Control Related Matters
C. Types of Internal Control Reports Accompanying Financial Statements (PCAOB 2)

A. Forms of Internal Control Weakness (PCAOB 2)
• Internal Control Deficiency
  – “An internal control deficiency exists when the design or operation of a control does not allow the company’s management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.”
• Significant deficiency (p. 174 of text)
  – More than a remote likelihood of a misstatement of the annual or interim financial statements that is more than inconsequential in amount
• Material weakness (p. 175 of text)
  – More than a remote likelihood of a material misstatement
• Significant deficiencies and material misstatements must be communicated in writing to audit committee

B. Reporting to Audit Committee on Internal Control Related Matters
• Sarbanes-Oxley requires that the report be in writing.
• The auditor may communicate during or after audit.
• Communication with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.

C. Types of Internal Control Reports Accompanying Financial Statements (PCAOB 2)
• Separate Report on Internal Control
  – Opinions on management’s assertion of internal control effectiveness as well as actual internal control effectiveness
  – Opinion on financial statements contained in separate audit report
• Integrated Audit Report and Report on Internal Control
  – Includes auditor’s opinions on 1) management’s assertion of internal control effectiveness, 2) internal control effectiveness, and 3) the fairness of the company’s financial statements.

Summary
• Overview of internal control describing its role and evaluation in GAAS and public company audits.
• The COSO Framework
• PCAOB requirements for evaluating internal control for public companies.
• Reporting internal control matters to the audit committee and the public.