Definition Duty mgt (CEO) Board Internal auditor Employee External person
Components of Internal control-ISA315 Control environment Risk assessment Information and communication Control activities Monitoring
Control Environment Organizational Structure Commitment to Competence Participation by those charged with governance Management’s Philosophy and Operating Style Integrity and Ethical Values Assignment of Authority and Responsibility Human Resources Policies and Practices
Entity’s risk assessment process -- Identifying BR relevant to financial reporting objectives -- Estimating the significance of the risk -- Assessing the likelihood of their occurrence -- Deciding upon actions to address those risks
Information and communication Relevant to F/R objectives Including the F/R system, consists of procedures and records established to initiate, record, process, and report entity transaction/events/condition and to maintain accountability for related assets, liabilities and equity.
Method and record Identify and record all valid transactions. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period. Present properly the transactions and related disclosures in the financial statements.
Control activities — SOAP MAPS -- Segregation of duty -- Org. structure -- Authorization and approval -- Physical -- Mgt -- Arithmetic and accuracy -- Personnel -- Supervision
Monitoring of controls Internal audit function
Small companies-the problem of control Override controls Segregation of duties
Inherent Limitation ---cost-benefits -applied to systematic transaction ---faulty judgments ---simple error or mistake ---circumvented by the collusion of two or more people ---abuse of authority and override by mgt
Why IC interests mgt -- Stop things going missing and make some sense of how the business is doing. IC is the process designed and effected by those charged with governance, mgt, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives; it is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.
Why IC interests the external auditor Reduce the amount of substantive testing of transactions and balances — relate to assertion
Importance of Control Risk -- Lower Control Risk -- Less audit work/Evidence
Why IC interests the internal auditor -- Key objective of internal auditor is to review the org.’s system of IC and to provide assurance that the corp. gov. requirements are being met. To assure that -- the controls in place -- Operating effectively
Process of Understanding Internal Control and Assessing Control Risk -- Obtain Understanding: Design and Operation -- Assess Preliminary CR -- Further Assess CR -- Decide DR, Substantive Tests -- Tests of Controls
Procedures to Gain an Understanding -- Narrative notes -- Org. chart -- ICQs / Checklist -- Flowcharts -- Examining -- Inspecting -- Interview/inquiry -- Tracing/walk-through -- Observing
Evaluating the IC system – CR: Assess whether controls exist (Weak IC) -- a. No controls: CR = Max -- b. Not cost-effective: CR = Max -- Extensive substantive test
Evaluating the IC sys: Yes, controls exist (Strong IC) -- 1. Perform tests of controls -- 2. Revise CR -- 3. Reduced substantive test
Auditing in a CIS environment -- The overall objective of an audit in a CIS environment does not change. -- The CIS is likely to have an effect on IR and CR. -- The use of IT affects the way that control activities are implemented. -- The auditor should consider whether specialized skills are needed in the audit (use the work of an expert).
Classification of controls General controls Application controls --programmed controls --manual controls
general control Programmed application control Manual application control Transactions Relate to all computer application Relate to specific computer application
General controls — ISA 315: Policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. -- data center and network operation -- sys software acquisition, change and maintenance -- access security (operational control) -- application sys acquisition, development and maintenance
Application control Manual or automated procedures that typically operate at a business process level Designed to ensure the integrity of the accounting records Relate to specific control procedures used to initiate, record, process and report transaction or other financial data. Ensure transactions occurred are authorized, completely and accurately recorded and processed timely
Application controls Control over input Control over processing Controls over output Master file control
Further examples of selected controls Manual controls -- physical controls -- back-up disks -- data filing -- documentation -- staff training -- proofing Programmed controls -- passwords -- date/time stamps -- prompts -- check digits -- Batch totals and hash totals -- Reasonableness checks -- Existence checks -- Dependency checks