Internal Control - Rohan Chambers' Home Page

CHAPTER 5
INTERNAL CONTROL OVER FINANCIAL REPORTING

Define Internal Controls - COSO

Internal control is a process designed to provide reasonable assurance of achieving the following:
• Generating reliable financial accounting information
• Safeguarding assets
• Complying with applicable laws and regulations
• Operating efficiently and effectively

The Need for Control

• Control is part of corporate governance whereby the owners and creditors of an organization exert control and require accountability for its resources
• Governance begins with stockholders, who delegate certain responsibilities to the board of directors and in turn to management
• That delegation must occur within a framework of control and accountability
• The control system exists to ensure that
    • Responsibilities are properly identified
    • Tasks are assigned in accordance with responsibilities and accountability

The Integrated Audit

• The Sarbanes-Oxley Act of 2002 requires publicly held companies to report on the effectiveness of their internal controls over financial reporting
• The Public Company Accounting Oversight Board requires external auditors to perform an integrated audit of the effectiveness of internal controls and financial reporting
• In essence, the auditor must attest to both the financial statements and management's assertions regarding the effectiveness of internal controls over financial reporting

LO2 - The components of an internal control system

An internal control system consists of five components:
1. Control environment: overall attitude, awareness, and actions of significant internal groups to maintain a well-controlled organization (tone at the top)
2. Risk assessment: process designed to identify and manage risks that may affect its ability to achieve its objectives
3. Control activities: policies and procedures established by management to help ensure that internal control objectives are achieved and risks mitigated
4. Information and communication: process of identifying, capturing, and exchanging information in a timely fashion to enable the organization to achieve its objectives
5. Monitoring: process that assesses the quality of internal controls over time

Internal Control Components

[Figure: Monitoring; Information & Communication; Control Activities; Risk Assessment; Control Environment]

LO4 - Understanding & Assessing the Control Environment – The most pervasive of them all

There are a number of factors an auditor should look at when evaluating an organization's control environment:
• Management's philosophy and operating style
• Organizational structure, including assignment of authority and responsibility
• Board of directors and audit committee
• Human resource policies and practices
• Integrity and ethical values
• Commitment to competence
• Compensation and evaluation programs
• Effectiveness of the internal audit function

LO6 - Audit Reporting on Internal Control

• External auditors of non-public companies must report to management significant internal control deficiencies in the design or operation of internal controls that are identified in the normal course of a financial audit.
    • Such reports are for management's use and are not intended to be distributed to the public
• External auditors of public companies must go beyond the report to management and also report on management's assertion regarding the effectiveness of internal controls over financial reporting
    • Includes an opinion on the client's internal controls
    • Included in the company's annual report

LO7 - Audit Reporting on Internal Control (continued)

The PCAOB's proposed report on internal controls would include a(n):
• Description of internal control, its objectives, and inherent limitations
• Definition of material deficiency in internal control
• Description of all material deficiencies found
• Opinion regarding effectiveness of company's internal controls

Audit Reporting on Internal Control (continued)

• According to the Sarbanes-Oxley Act, if an auditor identifies significant or material deficiencies in internal control,
    • Those deficiencies must be reported to both management and the audit committee
    • Deficiencies must be reported to the audit committee even if management has addressed the deficiency and implemented new controls
• The stated intent of the Sarbanes-Oxley Act is to ensure boards of directors understand they have a responsibility to improve the governance of the organization

CHAPTER 5 - b
INTERNAL CONTROL OVER FINANCIAL REPORTING

Account Balance Assertions & Related Objectives

• Presentation & Disclosure – an item is disclosed, classified, and described in accordance with the applicable financial reporting framework
• Existence – an asset or a liability exists at a given date
• Rights and obligations – an asset or a liability pertains to the entity at a given date
• Completeness – there are no unrecorded assets, liabilities, transactions or events, or undisclosed items
• Valuation – an asset or liability is recorded at an appropriate carrying value

Transaction Assertions & Related Control Objectives

• Occurrence – Recorded transactions and events have occurred and pertain to the entity
• Completeness – All transactions and events that should have been recorded have been recorded
• Accuracy – Amounts and other data have been recorded accurately
• Cutoff – Transactions and events have been recorded in the correct accounting period
• Classification – Transactions and events have been recorded in the proper accounts

Overview of Controls Testing – Pervasive Control Activities (types of)

Some control procedures are found in almost all accounting systems:
a) Segregation of duties
b) Authorization procedures
c) Documented transaction trail
d) Physical controls to limit access to assets
e) Independent reconciliation
f) Competent, trustworthy employees

(a) Segregation of Duties

Very fundamental, should always separate:
• Authorization
• Record keeping
• Custody (Physical)

(b) Authorization Procedures

These ensure that only authorized
• Transactions take place
• Activities take place
• Access to records is permitted

(c) Documentation

Documentation must be such that a proper audit trail exists
• This will obviously be more difficult in a computerized environment, but still can be achieved.

(d) Physical Controls to Assets

• Security locks
• Fences
• Keys
• Passwords, etc.
• Vaults, safes

(e) Reconciliation

Comparisons must always be done between
• What was submitted and what was processed
• What physically exists and what is recorded
• Internal records and external records

(f) Competent & Trustworthy employees

These employees help to make controls work

Overview of Controls Testing – Integrated Audit (per PCAOB) vs. Normal Audit

Compare Exhibit 5.11 and Exhibit 5.12 on pages 168 & 169

Control Effectiveness and Control Risk Assessment

Process for evaluating controls:
1. Obtain an understanding of risks and internal controls
2. Make a preliminary assessment of control risk and decide whether to test operation of control procedures
3. Test operating effectiveness of controls
4. Based on the results of testing, determine whether to revise the assessment of control risk and incorporate this revision into the substantive testing

1. Obtain an Understanding

The auditor needs to gain an understanding of how each significant accounting application operates and the control procedures used
The auditor gathers evidence by
• Performing walkthroughs of the accounting system and processing procedures, and documenting them via narrative memo and/or flowchart
• Making inquiries of management, and accounting and operational employees
• Taking plant and operational tours
• Reviewing client documentation including accounting manuals and program and system descriptions
• Reviewing prior year audit work papers and then focusing on changes
The auditor documents his/her understanding using flowcharts (Visio), questionnaires, and narratives (see pages 176 & 177)

2. Make Preliminary Assessment of Control Risk

After gaining an understanding, the auditor makes a preliminary assessment of control risk - this assessment is crucial because it drives the planning for the rest of the audit
The relationship between the assessed level of control risk and the rigor of the subsequent substantive testing is inverse:
• If control risk is assessed as high,
    • No reliance is placed on the client's internal controls
    • The amount and rigor of substantive testing must be increased
• If control risk is assessed as low
    • The auditor would like to rely on the client's internal controls
    • The amount and rigor of substantive testing may not have to be increased
    • However, the auditor must test the controls to make sure they are operating effectively (and document it)

3. Perform Tests of Controls

• The preliminary assessment of control risk is based on the auditor's understanding of the control system and how it has operated in the past
• When control risk is assessed low, and the auditor intends to rely on the client's controls, the auditor may reduce (or not increase) the amount of substantive testing
• To ensure that the auditor's reliance on the client's control is warranted, the auditor must test the control to make sure it is operating effectively
    • Guidance on Sample Size for Testing Controls (Ch 9)
    • Testing Controls Across Multiple Locations
    • Dual Purpose Tests (transaction & substantive)
    • Assessing Control Risk as Moderate (see next slide)

4. Update Assessment of Control Risk & Need for Substantive Testing

If testing indicates the control is not operating effectively, the auditor will revise the preliminary assessment of control risk and incorporate this revision into the subsequent substantive testing