Internal Control

Internal Control
COSO’s Framework
Committee of Sponsoring
Organizations
• In 1992, issued a white paper on
internal control
• Since this time, this framework
has been incorporated into US
auditing standards
Internal control that provides
reasonable assurance regarding
achievement of objectives in the
following categories.
• Effective and efficient operations
• Reliable financial reporting
• Compliance with applicable laws
and regulations
Internal control is geared to the achievement of
objectives in one or more separate but overlapping
categories:
1 effective operations — relating to effective
and efficient use of the entity's resources
2 financial reporting — relating to preparation of
reliable published financial statements
3 compliance — relating to the entity's
compliance with applicable laws and
regulations
4 safeguarding of assets
Management Control Objectives
• Effective Operations: the goal is safeguarding
of assets (cash, accounts receivable,
accounting records).
• Financial Reporting: need for accurate
information because management has a
responsibility to see that statements are
prepared fairly in accordance with
accounting standards. The auditor is
interested primarily in financial reporting
controls (especially controls over
transactions).
• Compliance: companies must comply
with many laws and regulations
including company law, tax law and
environmental protection regulations.
Components of Internal Control are
• Control Environment,
• Risk Assessment,
• Control Activities / Control
Procedures,
• Information and
Communication and
• Monitoring.
Illustration 7.1: Components of Internal Control
Control Environment
• Integrity and ethical values
• Commitment to competence
• Participation of board of directors or
audit committee
• Management’s philosophy and
operating style
• Organizational structure
• Assignment of authority and
responsibilities
• Human resource policies and practices
Risk Assessment
• Changes may occur in the operating
environment
• New personnel may become involved
• Information systems may change
• Rapid growth
• New technologies
• New products or services
• Restructuring
• Foreign operations
• New accounting pronouncements
Control Activities (Control Procedures)
There are potentially many control activities,
but they generally fall into five categories:
• Performance reviews;
• Information processing: proper authorization
of transactions and activities, General
Controls;
• Information: accuracy, adequate documents
and records, Application controls;
• Physical control over assets and records;
• Adequate segregation of duties.
Information Processing
• Proper authorization
– Appropriate delegation of
authority sets limits on what
levels of risk are acceptable
• Other General Controls
– access to the computer system is
limited to people who have a right
to the information
– back-up and recovery procedures
– User ID and general system
access
Information: Adequate Documents (Application
Control)
• Well-designed documents in a manual
system and preformatted input screens
in a CIS
• Assets are properly controlled and all
transactions correctly recorded
• Document prepared at the time a
transaction takes place
• Document simple enough to be clearly
understood
• Document designed for multiple use to
minimize the number of different forms
• Document constructed in a manner that
encourages correct preparation.
Information: Application Controls
• The chart of accounts
• Use of serial numbers on documents
and input transactions
• Checks, tickets, sales invoices,
purchase orders, stock certificates and
many other business papers
• Systems manuals for computer
accounting software should provide
sufficient information to make the
accounting functions clear
• Passwords that allow only authorized
people admittance to the computer
software on line
Segregation of Duties
Segregation of duties entails three
fundamental functions which must be
separated and adequately supervised:
• authorization
• recording
• custody
Monitoring
Assess controls on a timely basis
and make modifications when
appropriate.
Use internal auditors to review
Test controls
Under the Sarbanes-Oxley Act
• CEO and CFO certification
• Internal control report
• Document system so others can
review
• SEC will review every 3 years
CEO, CFO Certification
• Explicitly must evaluate and report
on effectiveness of internal control
• Disclose to audit committee any
material deficiencies in financial
controls
• Report any changes in IC
• Report any corrective actions
CEO, CFO Report
• Assess effectiveness within 90
days of filing dates
• Design disclosure controls and
procedures
“... are intended to cover a broader range of
information than is covered by internal
controls related to financial reporting...
They are intended to ensure that an
issuer maintains commensurate
procedures for gathering, analyzing and
disclosing all information that is required
to be disclosed…”
Internal Control Report
• A part of annual report
• Management responsible for
internal control
• States a conclusion on the
effectiveness of IC
• External auditor has to attest to
company’s internal control under
PCAOB rules