ACG 4671 Internal Auditing.

CHAPTER 5 Internal Control

Internal Controls
- Definition and Legal Requirements
- Internal and External Auditor Responsibilities
- IC Key Concepts and Fundamentals
- COSO Framework

Definition
Internal control is the most important and fundamental concept for an Internal Auditor.
Internal control defined per COSO: “Processes, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Financial reporting reliability
- Operating efficiency and effectiveness
- Compliance with applicable laws and standards”

Definition
SOX (2002) requires the CEO and CFO of publicly traded companies to opine on:
- The adequate design and effective operation of internal control over financial reporting as part of the annual filing
- Report any substantial changes in internal control over financial reporting on a quarterly basis
IC frameworks
The SEC does not specify a particular IC framework but notes three suitable frameworks:
- COSO Internal Control Framework
- CICA Guidance on Assessing Control (CoCo)
- ICAEW Turnbull Report

Section 404 Certification
Management’s Assertions
“includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis.”
Management Representations
- Declare responsibility for establishing and maintaining internal controls over financial reporting
- Identify and disclose framework used to evaluate effectiveness of internal control
- Assess effectiveness of internal controls as of the end of the period
- State an auditor issued an attestation report on management’s assessment
Actions
- Document processes & internal controls (process/activity, risk, controls, responsibility)
- Management evaluation of effectiveness (audits & self-assessments)

Section 404 Assessment
- Compliance with COSO control standards (or other accepted standards)
- Clear documentation of internal controls as well as the testing processes
- Evidence that management evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls
- Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls

Section 404 Assessment
- Management’s assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness
- Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment (both design and testing) of effectiveness

Auditor Responsibility
A control deficiency … “exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis”.
A deficiency in design exists when:
- A control necessary to meet the control objective is missing, OR
- An existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met

Auditor Responsibility
Control deficiency (cont.)
A deficiency in operation exists when:
- A properly designed control does not operate as designed, OR
- The person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Auditor Responsibility
A significant deficiency … “is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.”

Auditor Responsibility
A material weakness … “a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.”

Fundamentals
Internal Controls:
- Protect assets
- Ensure records are accurate
- Promote operational efficiency
- Encourage adherence to policies, rules, regulations, and laws.

Fundamentals
Control Objectives are:
- Desired goals or conditions for a specific event cycle or process which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur.
- Conditions which we want the system of internal control to satisfy.
- Measurable and observable.
- Important to the audit process.
- Typically categorized by a principal business process/activity or technology.

Fundamentals
Control Objective Example: The company only pays bills for goods actually ordered and received.
Control Activity Example: Accounts payable clerks perform a three-way match of original purchase orders, goods receipt information, and invoices received prior to payment to vendors.

Fundamentals
Control Classifications
- Directive – designed to give explicit direction regarding what actions need to take place to cause or encourage a desirable event
- Preventative – built to prevent an error or undetected event from occurring
- Detective – designed to alert management of errors or problems shortly after they occur
- Corrective – used with detective controls to recover from the consequences of undesired events

Fundamentals
Control Classifications
- Entity Level – very broadly focused; deal with the organizational environment or atmosphere
- Process Level – more detailed in focus; should reduce risk relative to a group or variety of operational level activities or transactions within an organization
- Key Controls – control activities designed to reduce risk associated with a critical business objective
- Secondary Controls – designed to either reduce risk associated with business objectives that are not critical or serve as a back-up to key controls

Fundamentals
Control Classifications (cont.)
- Compensating Controls – redundant controls designed to supplement key controls that are either ineffective or cannot fully mitigate a risk or group of risks by themselves
- Complementary Controls – not directly related to the risk they mitigate, and not enough to fully mitigate the risk by themselves, but when taken together with other control activities that are in place, they contribute to risk reduction.

COSO Framework COSO Internal Control

Control Environment
Description: Sets the tone of an organization by establishing attitude standardization. The foundation for all other components of internal control, providing discipline and structure. Factors include the integrity, ethical values and competence of the corporation’s people, management philosophy and operating style.

Control Environment
Components:
- Integrity and Ethical Values: “Tone at the Top”, Strong Code of Conduct
- Board of Directors and Audit Committee: Set the “Tone at the Top”
- Commitment to Competence: Adequate and appropriate skills and training
- Organizational Structure: Reporting relationships
- Human Resources Policies and Practices: Staffing, Training, Evaluation, Disciplinary Actions

Risk Assessment
Description: Recall that risk is “the possibility of loss”; risk can be divided into risk (downside) or opportunity (upside); and may be internal, external or both. Organizations/divisions/business units/subsidiaries/etc. must manage risk, on an ongoing basis, to achieve organizational objectives.

Risk Assessment
Risk Assessment Process:
- Estimate the significance of the risk
- Assess the likelihood or frequency of the risk occurring
- Consider how the risk should be managed and assess what actions must be taken
Types of Risks:
- Organizational risks from external factors
- Organizational risks from internal factors
- Specific activity-level risks

Control Activities
Description: The policies and procedures that help ensure that management directives are carried out. Help ensure that the necessary actions are taken to address risks during the achievement of company objectives. Also ensure that control activities occur throughout the organization, at all levels and in all functions. Include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

Control Activities
Policies and procedures to ensure actions addressing risks are carried out
Types of Control Activities (small subset):
- Top-level reviews: MBO/performance appraisal
- Direct functional or activity management: Supervision
- Information processing: Secure from outsider/insider manipulation
- Physical controls over assets and records: Locks and restricted access
- Adequate documents and records: Pre-numbered forms
- Performance indicators: Variance (DMQV)
- Segregation of duties: Initiation, recording, and custody are separate
- Proper authorization of transactions and activities: General and specific authorization

Information & Communication
Description: Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing financial related information that make it possible to control the reliability of financial reporting.

Information & Communication
- I&C spans all levels of the organization and facilitates creation and sharing of knowledge and awareness
- Information can be generated automatically, obtained manually, or reside conceptually
- Information systems can be formal or informal
- Communication methods vary, including bulletin boards, mass emails, webcasts, meetings, procedural manuals, etc.

Monitoring
Description: Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

Monitoring
Ongoing Monitoring Activities (examples):
- Normal management functions
- External communication
- Supervisory activities
- Physical inventories
Periodic Internal Control Evaluations:
- Self-assessments
- Benchmarking
Reporting Internal Control Deficiencies:
- Individual responsible for function
- Individual in position to correct, AND
- One level of management above responsible individual

Fundamentals
Why don’t Internal Controls always work?
- Inadequate knowledge of policies and procedures by employees.
- Lack of segregation of duties due to trust in employees.
- Inappropriate access to assets.
- Form over substance.
- Control override.
- Inherent limitations.