Internal Control

COSO’s Framework
Committee of Sponsoring Organizations
• 1992: issued a white paper on internal control
• Since this time, this framework has been incorporated into US auditing standards

Internal control provides reasonable assurance regarding achievement of objectives in the following categories:
• Effective and efficient operations
• Reliable financial reporting
• Compliance with applicable laws and regulations

Internal control is geared to the achievement of objectives in one or more separate but overlapping categories:
1 effective operations — relating to effective and efficient use of the entity's resources
2 financial reporting — relating to preparation of reliable published financial statements
3 compliance — relating to the entity's compliance with applicable laws and regulations
4 safeguarding of assets

Management Control Objectives
• Effective Operations: the goal is safeguarding of assets (cash, accounts receivable, accounting records).
• Financial Reporting: Need for accurate information because management has a responsibility to see that statements are prepared fairly in accordance with accounting standards. The auditor is interested primarily in financial reporting controls (especially controls over transactions).
• Compliance: Companies must comply with many laws and regulations, including company law, tax law and environmental protection regulations.

Components of Internal Control are:
• Control Environment
• Risk Assessment
• Control Activities / Control Procedures
• Information and Communication
• Monitoring
Components of Internal Control (Illustration 7.1)

Control Environment
• Integrity and ethical values
• Commitment to competence
• Participation of board of directors or audit committee
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibilities
• Human resource policies and practices

Risk Assessment
• Changes may occur in the operating environment
• New personnel may become involved
• Information systems may change
• Rapid growth
• New technologies
• New products or services
• Restructuring
• Foreign operations
• New accounting pronouncements

Control Activities (Control Procedures)
There are potentially many control activities, but they generally fall into five categories:
• Performance reviews
• Information processing: proper authorization of transactions and activities, General Controls
• Information: accuracy, adequate documents and records, Application controls
• Physical control over assets and records
• Adequate Segregation of duties

Information Processing
• Proper authorization
– Appropriate delegation of authority sets limits on what levels of risk are acceptable
• Other General Controls
– access to the computer system is limited to people who have a right to the information
– back-up and recovery procedures
– User ID and general system access

Information: Adequate Documents (Application Control)
• Well-designed documents in a manual system and preformatted input screens in a CIS
• Assets are properly controlled and all transactions correctly recorded
• Document prepared at the time a transaction takes place
• Document simple enough to be clearly understood
• Document designed for multiple use to minimize the number of different forms
• Document constructed in a manner that encourages correct preparation
Information: Application Controls
• The chart of accounts
• Use of serial numbers on documents and input transactions
• Checks, tickets, sales invoices, purchase orders, stock certificates and many other business papers
• Systems manuals for computer accounting software should provide sufficient information to make the accounting functions clear
• Passwords that allow only authorized people admittance to the computer software online

Segregation of Duties
Segregation of duties entails three fundamental functions which must be separated and adequately supervised:
• authorization
• recording
• custody

Monitoring
• Assess controls on a timely basis and make modifications when appropriate
• Use internal auditors to review
• Test controls

Under Sarbanes Oxley Act
• CEO and CFO certification
• Internal control report
• Document system so others can review
• SEC will review every 3 years

CEO, CFO Certification
• Explicitly must evaluate and report on effectiveness of internal control
• Disclose to audit committee any material deficiencies in financial controls
• Report any changes in IC
• Report any corrective actions

CEO, CFO Report
• Assess effectiveness within 90 days of filing dates
• Design disclosure controls and procedures
“..are intended to cover a broader range of information than is covered by internal controls related to financial reporting.. They are intended to ensure that an issuer maintains commensurate procedures for gathering, analyzing and disclosing all information that is required to be disclosed…”

Internal Control Report
• A part of annual report
• Management responsible for internal control
• States a conclusion on the effectiveness of IC
• External auditor has to attest to company’s internal control under PCAOB rules