Chapter 7 (Internal Control)

McGraw-Hill/Irwin
Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved.
Summary of Internal Control
Definition
A process, effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of (the entity’s) objectives on:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Control Objectives
• In each area of internal control (financial reporting, operations and compliance), control objectives and subobjectives exist
• Example: Area of financial reporting
  • Top level objective – prepare and issue reliable financial information
  • Detailed level applied to A/R subobjectives
    • All goods shipped are accurately billed in the proper period
    • Invoices are accurately recorded for all authorized shipments and only for such shipments
    • Authorized and only authorized sales returns and allowances are accurately recorded
    • The continued completeness and accuracy of A/R is ensured
    • Accounts receivable records are safeguarded

Foreign Corrupt Practices Act
• Passed in 1977 in response to American corporations’ practice of paying bribes and kickbacks to officials in foreign countries to obtain business
• The Act
  • Requires an effective system of internal control
  • Makes payment of bribes to foreign officials illegal

Controls over Financial Reporting
• Preventive
  • Aimed at avoiding the occurrence of misstatements in the financial statements
  • Example: Segregation of duties
• Detective
  • Designed to discover misstatements after they have occurred
  • Example: Monthly bank reconciliations
• Corrective
  • Needed to remedy the situation uncovered by detective controls
  • Example: Backups of master file
• Controls overlap
  • Complementary – function together
  • Redundant – address the same assertion or control objective
  • Compensating – reduce the risk that an existing weakness will result in misstatement

Components of Internal Control
• The Control Environment
• Risk Assessment
• The Accounting Information and Communication System
• Control Activities
• Monitoring

Control Environment Factors
• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee
• Management philosophy and operating style
• Organizational structure
• Human resource policies and practices
• Assignment of authority and responsibility

Risk Assessment--Factors Indicative of Increased Financial Reporting Risk
• Changes in the regulatory or operating environment
• Changes in personnel
• Implementation of a new or modified information system
• Rapid growth of the organization
• Changes in technology affecting production processes or information systems
• Introduction of new lines of business, products, or processes

Control Activities
• Performance reviews
• Information processing
  • General control activities
  • Application control activities
• Physical controls
• Segregation of duties
  • Segregate authorization, recording and custody of assets

Segregation of Duties

Objectives of an Accounting System
• Identify and record valid transactions
• Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions
• Measure the value of transactions appropriately
• Determine the time period in which the transactions occurred to permit recording in the proper period
• Present properly the transactions and related disclosures in the financial statements

Monitoring
• Ongoing monitoring activities
  • Regularly performed supervisory and management activities
  • Example: Continuous monitoring of customer complaints
• Separate evaluations
  • Performed on a nonroutine basis
  • Example: Periodic audits by internal audit

Limitations of Internal Control
• Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
• Controls that depend on the segregation of duties may be circumvented by collusion
• Management may override the structure
• Compliance may deteriorate over time

Enterprise Risk Management (ERM)
• COSO issued a new internal control framework in 2004 on enterprise risk management. It does not replace the original COSO internal control framework.
• It goes beyond internal control to focus on how organizations can effectively manage risks and opportunities.
• The auditing standards are still structured around the original COSO internal control framework.

Financial Statement Audits: The Role of Internal Control
Second Field Work Standard
The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. [emphasis added]

Auditors’ Overall Approach with Internal Control
Overall approach of an audit
1. Plan the audit
2. Obtain an understanding of the client and its environment, including internal control
3. Assess the risks of material misstatement and design further audit procedures
4. Perform further audit procedures
5. Complete the audit
6. Form an opinion and issue the audit report
Steps 2-4 relate most directly to the role of internal control in financial statement audits

2. Obtain an understanding of the client and its environment, including internal control
• The understanding of internal control is used to help the auditor to
  • Identify types of potential misstatements
  • Consider factors that affect the risks of material misstatement.
  • Design tests of controls (when applicable) and substantive procedures.
• Auditors must consider all five internal control components
  • Control environment
  • Accounting information system
  • Risk assessment
  • Control activities
  • Monitoring
• Also consider areas difficult to control like nonroutine transactions

Obtaining the Understanding
• Procedures include
  • Inquiring of entity personnel
  • Observing the application of specific controls
  • Inspecting documents and reports
  • Tracing transactions through the information system relevant to financial reporting
• May also obtain evidence on operating effectiveness of various controls

Documenting the Understanding of Internal Control
• Questionnaires
  • Typically standardized by firm
• Written Narratives
  • Memos that describe flow of transactions
• Flowcharts
  • Systems flowcharts
• Walk-through
  • Trace one or two transactions through cycle

3. Assess the risks of material misstatement
General approach
• Identify risks while obtaining an understanding of the client and its environment, including its internal control
• Relate the identified risks to what can go wrong at the relevant assertion level
• Consider whether the risks are of a magnitude that could result in a material misstatement
• Consider the likelihood that the risks could result in a material misstatement

The nature of transactions
• Consider the nature of the transactions
  • Routine transactions—e.g., revenue, purchases, and cash receipts and disbursements
  • Nonroutine transactions—e.g., taking of inventory, calculating depreciation expense
  • Estimation transactions—e.g., determining the allowance for doubtful accounts
• Generally routine transactions have the strongest controls

Assessing Risks at the Financial Statement Level
• Examples
  • Preparing the period-end financial statements, including the development of significant accounting estimates and preparation of the notes
  • The selection and application of significant accounting policies
  • IT general controls
  • The control environment
• Responses to high risks
  • Assigning more experienced staff or those with specialized skills
  • Providing more supervision and emphasizing the need to maintain professional skepticism
  • Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed
  • Increasing the overall scope of audit procedures, including the nature, timing or extent

Assessing Risks at the Assertion Level
• Examples
  • Failure to recognize an impairment loss on a long-lived asset affects only the valuation assertion
  • Inaccurate counting of inventory at year-end affects the valuation of inventory and the accuracy of cost of goods sold
• Responses
  • Decisions are made here as to the appropriate combination of tests of controls and substantive procedures

4. Design and Perform audit procedures – test of controls (1 of 2)
• Approach:
  • Identify controls likely to prevent or detect material misstatements
  • Perform tests of controls to determine whether they are operating effectively
• Tests of controls address:
  • How controls were applied
  • The consistency with which controls were applied
  • By whom or by what means (e.g., electronically) the controls were applied

4. Perform further audit procedures—tests of controls (2 of 2)
• Tests of controls include:
  • Inquiries of appropriate client personnel
  • Inspection of documents and reports
  • Observation of the application of controls
  • Reperformance of the controls
• The results of the tests of controls are used to determine the nature, timing and extent of substantive procedures

Diagram of the Auditors’ Consideration of Internal Control

Other Considerations
• Audit decision aids
  • Checklist, standard form or computer program that helps auditors make a decision by ensuring that they have all relevant information or by assisting them in combining the information.
• Use of the work of internal auditors
  • Must assess internal audit competence and objectivity and test work
  • Can rely on work of internal audit to reduce amount of testing done by independent auditors

Relationships Among Deficiencies
• Deficiency in Internal Control
  • Less than Significant
  • Significant Deficiency
  • Material Weakness

Management’s Report on Internal Control under Section 404a
• Acknowledgment of responsibility for internal control
• An assessment of internal control effectiveness as of the last day of the company’s fiscal year using suitable criteria
• Support the evaluation with sufficient evidence

Approach to Audit of Internal Control under Section 404b
• Plan the engagement
• Use a top-down approach to identify the controls to test
• Test and evaluate design effectiveness of internal control
• Test and evaluate operating effectiveness of internal control
• Form an opinion on effectiveness of internal control over financial reporting

Internal Control in the Small Company
• Due to lack of employees, internal control is seldom strong in small businesses
• Specific practices for small businesses
  • Record all cash receipts immediately
  • Deposit all cash receipts intact daily
  • Make all payments by serially numbered checks, with the exception of petty cash disbursements
  • Reconcile bank accounts monthly and retain copies
  • Use serially numbered invoices, POs, and receiving reports
  • Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports
  • Balance subsidiary ledger with control accounts
  • Prepare comparative financial statements monthly to disclose significant variations in any category of revenue or expense