Chapter 07 Internal Control Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Summary of Internal Control Definition A process, effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity’s) objectives relating to: Operations Reporting, and Compliance Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 2 2
Control Objectives In each area of internal control (reporting, operations and compliance) Control objectives and Sub objectives exist Example: Area of reporting Top level objective – prepare and issue reliable financial information Detailed level applied to A/R sub objectives All goods shipped are accurately billed in the proper period Invoices are accurately recorded for all authorized shipments and only for such shipments Authorized and only authorized sales returns and allowances are accurately recorded The continued completeness and accuracy of A/R is ensured Accounts receivable records are safeguarded Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Foreign Corrupt Practices Act Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business The Act Requires an effective system of internal control Makes illegal payment of bribes to foreign officials Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Controls over Financial Reporting Preventive Aimed at avoiding the occurrence of misstatements in the financial statements Example: Segregation of duties Detective Designed to discover misstatements after they have occurred Example: Monthly bank reconciliations Corrective Needed to remedy the situation uncovered by detective controls Example: Backups of master file Controls overlap Complementary – function together Redundant – address same assertion or control objective Compensating – reduces risk existing weakness will result in misstatement Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Components of Internal Control The Control Environment Risk Assessment Control Activities Information System Relevant to Financial Reporting and Communication Monitoring Activities Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 3 3
Control Environment Factors Commitment to integrity and ethical values. Board of directors demonstrates independence from management and exercises oversight of internal control. Establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities. Commitment to attract, develop, and retain competent employees. Holding employees accountable for internal control responsibilities. Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 4 4
Risk Assessment Clearly specify objectives to allow the identification and assessment of risks related to those objectives. Identify and analyze risks to the achievement of its objectives to determine how they may be managed. Consider potential fraud relating to the achievement of objectives. Identify and assess changes that could impact internal control. Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 5 5
Control Activities Performance reviews Transaction control activities Physical controls Segregation of duties Segregate authorization, recording and custody of assets Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6 7
Segregation of Duties Figure 7.2 Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Objectives of an Accounting System Identify and record valid transactions Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions Measure the value of transactions appropriately Determine the time period in which the transactions occurred to permit recording in the proper period Present properly the transactions and related disclosures in the financial statements Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6
Monitoring Ongoing monitoring activities Separate evaluations Regularly performed supervisory and management activities Example: Continuous monitoring of customer complaints Separate evaluations Performed on nonroutine basis Example: Periodic audits by internal audit Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 8
Limitations of Internal Control Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc. Controls that depend on the segregation of duties may be circumvented by collusion Management may override the structure Compliance may deteriorate over time Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 7 9
Enterprise Risk Management (ERM) COSO issued a new internal control framework in 2004 on enterprise risk management. It does not replace the original COSO internal control framework. It goes beyond internal control to focus on how organizations can effectively manage risks and opportunities. The auditing standards are still structured around the original COSO internal control framework. Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Auditors’ Overall Approach with Internal Control Overall approach of an audit 1. Plan the audit 2. Obtain an understanding of the client and its environment, including internal control 3. Assess the risks of material misstatement and design further audit procedures 4. Perform further audit procedures 5. Complete the audit 6. Form an opinion and issue the audit report Steps 2-4 relate most directly to the role of internal control in financial statement audits Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
2. Obtain an understanding of the client and its environment, including internal control The understanding of internal control is used to help the auditor to Identify types of potential misstatements Consider factors that affect the risks of material misstatement. Design tests of controls (when applicable) and substantive procedures. Auditors must consider all five internal control components Control environment Accounting information system Risk assessment Control activities Monitoring Also consider areas difficult to control like non-routine transactions Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Obtaining the Understanding Procedures include Inquiring of entity personnel Observing the application of specific controls Inspecting documents and reports Tracing transactions through the information system relevant to financial reporting May also obtain evidence on operating effectiveness of various controls Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Documenting the Understanding of Internal Control Questionnaires Typically standardized by firm Written Narratives Memos that describe flow of transactions Flowcharts Systems flowcharts Walk-through Trace one or two transaction through cycle Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 11
Cash Receipts Flowchart Figure 7.6 Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
3. Assess the risks of material misstatement General approach Identify risks while obtaining an understanding of the client and its environment, including its internal control Relate the identified risks to what can go wrong at the relevant assertion level Consider whether the risks are of a magnitude that could result in a material misstatement Consider the likelihood that the risks could result in a material misstatement Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
The nature of transactions Consider the nature of the transactions Routine transactions—e.g., revenue, purchases, and cash receipts and disbursements Non-routine transactions—e.g., taking of inventory, calculating depreciation expense Estimation transactions—e.g., determining the allowance for doubtful accounts Generally routine transactions have the strongest controls Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Assessing Risks at the Financial Statement Level Examples Preparing the period-end financial statements, including the development of significant accounting estimate and preparation of the notes The selection and application of significant accounting policies IT general controls The control environment Responses to high risks Assigning more experience staff or those with specialized skills Providing more supervision and emphasizing the need to maintain professional skepticism Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed Increasing the overall scope of audit procedures, including the nature, timing or extent Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Assessing Risks at the Assertion Level Examples Failure to recognize an impairment loss on a long-lived asset affects only the valuation assertion Inaccurate counting of inventory at year-end affect the valuation of inventory and the accuracy of cost of goods sold Responses Decisions are made here as to the appropriate combination of tests of controls and substantive procedures Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
4. Perform Further Audit Procedures – Test of Controls (1/2) Approach: Identify controls likely to prevent or detect material misstatements Perform tests of controls to determine whether they are operating effectively Tests of controls address: How controls were applied The consistency with which controls were applied By whom or by what means (e.g., electronically) the controls were applied Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
4. Perform Further Audit Procedures – Test of Controls (2/2) Tests of controls include: Inquiries of appropriate client personnel Inspection of documents and reports Observation of the application of controls Reperformance of the controls The results of the tests of controls are used to determine the nature, timing and extent of substantive procedures Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Diagram of the Auditors’ Consideration of Internal Control Figure 7.7 Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Use of the Work of Internal Auditors Work of Internal Auditors may be used in two ways: Obtaining audit evidence by using the internal auditors’ work performed as a part of their normal responsibilities, and Using internal auditors to provide direct assistance on the external audit. Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Service Organizations 1/3 Computer service organizations provide processing services to customers who decide not to invest in their own processing of particular data Examples: Outsource processing of payroll or Internet sales. Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Service Organizations 2/3 Auditor should obtain understanding of the outsourced function by following one or more of: Contacting service organization to obtain information. Visiting service organization an performing necessary procedures. Obtaining a report from service organization Terms Service auditor—provides examination of service organization’s controls. User Auditor—Uses that report. Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Service Organizations 3/3 Types of Service Auditor Reports Type 1—Management’s description of the system and the suitability of the design of controls Type 2—Attributes of 1, plus assurance on the operating effectiveness of controls A Type 2 report may provide the user auditor with a basis for assessing control risk below the maximum. Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Relationships Among Deficiencies Deficiency in Internal Control Less than Significant Significant Deficiency Material Weakness Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Management’s Report on Internal Control under Section 404a Acknowledgment of responsibility for internal control An assessment of internal control effectiveness as of the last day of the company’s fiscal yearn using suitable criteria Support the evaluation with sufficient evidence Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Approach to Audit of Internal Control under Section 404b This section applies to public companies with a market capitalization of $75 million or more. For those companies, the auditors audit internal control as a part of an integrated audit as follows: Plan the engagement Use a top-down approach to identify the controls to test Test and evaluate design effectiveness of internal control Test and evaluate operating effectiveness of internal control Form an opinion on effectiveness of internal control over financial reporting Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Internal Control in the Small Company Due to lack of employees, internal control is seldom strong in small businesses Specific practices for small businesses Record all cash receipts immediately Deposit all cash receipts intact daily Make all payments by serially numbered checks, with exception of petty cash disbursements Reconcile bank accounts monthly and retain copies Use serially numbered invoices, Pos, and receiving reports Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports Balance subsidiary ledger with control accounts Prepare comparative financial statements monthly to disclose significant variations in any category of revenue or expense Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.