Chapter 5
Internal Control Evaluation:
Assessing Control Risk
McGraw-Hill/Irwin
©2007 by the McGraw-Hill Companies, Inc. All rights reserved.
Presentation Outline
I. Internal Control Overview
II. The Internal Control Framework
III. Phases of Audit of Internal Control (PCAOB 2)
(Publicly Traded Companies)
IV. Reporting Internal Control Weaknesses
I. Internal Control Overview
A. Reason for Internal Control Evaluation
Under GAAS (2nd Standard of Fieldwork)
B. Management and Auditor Responsibility
C. Management Report on Internal Controls
(Public Company Audits)
D. Auditor Report on Internal Controls
(Public Company Audits)
E. Limitations of Internal Controls
A. Reason for Internal Control Evaluation Under GAAS (2nd Standard of Field Work)
Trade-off between tests of controls and substantive testing
**Important** Understand Exhibit 5.8 on p. 162 of text.
Exhibit 5.10: Bridge Workpaper for Preliminary Assessment of Control Risk
B. Management and Auditor Responsibility
Management responsibility
• Primary responsibility for internal control
• Sarbanes-Oxley Act of 2002 (publicly traded companies)
Auditor responsibility
• Second standard of fieldwork
• PCAOB Auditing Standard No. 2 (PCAOB 2): An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements
C. Management Report on Internal Controls (Public Company Audits)
• In addition to certifying the company’s financial statements (Section 302), management must also report on the company’s internal control over financial reporting (Section 404).
• Specifically, the company’s annual report must include:
– A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting.
– A statement identifying the framework (usually COSO) management uses to evaluate the effectiveness of the company’s internal control.
– A statement providing management's assessment of the effectiveness of the company’s internal control.
D. Auditor Report on Internal Controls (Public Company Audits)
The auditor must attest to management’s assessment of internal control.
• Objective: “To form an opinion as to whether management's assessment of the effectiveness of the registrant's internal control over financial reporting is fairly stated in all material respects.”
Auditors must also provide their own opinions on the effectiveness of internal control.
Not a separate engagement
• Integrated audit of internal control and financial statements
E. Limitations of Internal Controls
• Human error
• Collusion
• Management override
• Cost/benefit analysis
– There is often a trade-off between the cost and the effectiveness of internal controls.
– The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.
II. The Internal Control Framework
A. Entities Comprising COSO
B. The COSO Definition of Internal Control
C. Interrelated Components of Internal Control
D. The Control Environment
E. Risk Assessment
F. Control Activities
G. Information and Communication
H. Monitoring
A. Entities Comprising COSO
Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (Treadway Commission)
Financial Executives Institute (FEI)
American Accounting Association (AAA)
Institute of Internal Auditors (IIA)
Institute of Management Accountants (IMA)
American Institute of Certified Public Accountants (AICPA)
B. The COSO Definition of Internal Control
A process, effected by an entity's board of
directors, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories:
(1) Reliability of financial reporting,
(2) Compliance with applicable laws and
regulations,
(3) Effectiveness and efficiency of operations.
C. Interrelated Components of Internal Control
D. The Control Environment
• Sets the tone of an organization, influencing the control consciousness of its people.
• It is the foundation for all other components.
D. The Control Environment (Continued)
• Philosophy And Operating Style
• Integrity And Ethical Values
• Organizational Structure
• Commitment To Competence
• Functioning Of Board
• Authority And Responsibility
• Internal Audit
• Human Resources Policies
• External Environment
E. Risk Assessment
• The entity's identification and analysis of relevant risks to achievement of its objectives.
• COSO's Enterprise risk management (ERM) framework (Chapter 4)
F. Control Activities (Procedures)
The policies and procedures that help ensure management directives are carried out.
Physical controls over the security of assets (see p. 156 of text)
Segregation of duties (see pp. 154-155 of text)
Information Processing (see pp. 156-157 of text)
Performance reviews (see p. 154 of text)
G. Information & Communication
The identification, capture, and exchange of
information in the form and time frame that
enables people to carry out their
responsibilities.
H. Monitoring
Management’s process that assesses the quality of the internal control's performance over time.
Internal auditing
Follow-up of reporting errors
III. Phases of Audit of Internal Control (PCAOB 2)
(Publicly Traded Companies)
A. Plan the Audit
B. Evaluate Management’s Process for Assessing
Internal Control
C. Obtain an Understanding of Internal Control
D. Evaluate Internal Control Effectiveness
1. Design
2. Operation
E. Form an Opinion About Effectiveness
A. Plan the Audit (PCAOB 2)
Evaluation must be done for all relevant assertions for all significant accounts or disclosures.
Significant accounts, locations, and assertions must be identified.
The key to determining what is included is whether there is more than a remote possibility that a material misstatement could be associated with it.
B. Evaluating Management's Process for Assessing Internal Control (PCAOB 2)
• The more extensive and reliable management’s assessment is, the less extensive the auditor’s work needs to be.
• Auditor must perform work related to:
– Company-wide anti-fraud programs
– Controls that have a pervasive effect
• Auditor must obtain “principal evidence,” but can incorporate work of Internal Auditors and others
• Must assess competence and objectivity
• Limited reliance
• Can’t reduce work on control environment
C. Obtain an Understanding of Internal Control (PCAOB 2)
Must understand that controls have actually been implemented and are operating as designed
Must perform walkthroughs
Major classes of transactions
Routine and unusual transactions
D1. Evaluate Design Effectiveness (PCAOB 2)
Key Questions
• Will controls be effective if operated as designed?
• Are all necessary controls in place?
Methods
• Inquiry, observation, walkthroughs
• Specific evaluation of whether the controls are likely to prevent or detect financial misstatements
• Specifically evaluate audit committee
D2. Evaluate Operating Effectiveness (PCAOB 2)
Timing
• Evaluation as of end of fiscal year
• Can test at interim and update
Methods
• Inquiries, inspection of documentation, observation, reperformance.
• May use tests by management, internal audit staff and 3rd parties
• Read internal audit reports
E. Form an Opinion About Effectiveness (PCAOB 2)
• Two opinions
– Management’s assessment of internal control effectiveness.
– Actual effectiveness of controls over financial reporting
• Types of opinions
– If no material weaknesses are discovered, issue an unqualified opinion.
– If the auditor cannot perform all procedures, either qualify or disclaim opinion. If opinion cannot be expressed, explain why.
– If any material weaknesses are discovered, issue an adverse opinion.
IV. Reporting Internal Control Weaknesses
A. Forms of Internal Control Weakness
B. Reporting to Audit Committee on Internal Control Related Matters
C. Types of Internal Control Reports Accompanying Financial Statements (PCAOB 2)
A. Forms of Internal Control Weakness (PCAOB 2)
• Internal Control Deficiency
– “An internal control deficiency exists when the design or operation of a control does not allow the company’s management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.”
• Significant deficiency (p. 174 of text)
– More than a remote likelihood of a misstatement of the annual or interim financial statements that is more than inconsequential in amount
• Material weakness (p. 175 of text)
– More than a remote likelihood of a material misstatement
• Significant deficiencies and material misstatements must be communicated in writing to audit committee
B. Reporting to Audit Committee on Internal Control Related Matters
Sarbanes-Oxley requires that the report be in writing.
The auditor may communicate during or after audit.
Communications with management are not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.
C. Types of Internal Control Reports Accompanying Financial Statements (PCAOB 2)
Separate Report on Internal Control
– Opinions on management’s assertion of internal control effectiveness as well as actual internal control effectiveness
– Opinion on financial statements contained in separate audit report
Integrated Audit Report and Report on Internal Control
– Includes auditor’s opinions on 1) management’s assertion of internal control effectiveness, 2) internal control effectiveness, and 3) the fairness of the company’s financial statements.
Summary
Overview of internal control describing its role and evaluation in GAAS and public company audits.
The COSO Framework
PCAOB requirements for evaluating internal control for public companies.
Reporting internal control matters to the audit committee and the public.