Internal Control Chapter 7 covers two distinct, but related topics:

Presentation transcript:

Internal Control
Chapter 7 covers two distinct, but related topics:
1. What are Internal Controls and Internal Control System or Structure?
2. How does client’s ICS affect the auditor’s work?

Internal Control System Definition
A process...designed to provide reasonable assurance regarding achievement of (the entity’s) objectives in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
Source: Committee of Sponsoring Organizations
What is COSO? This is its 2nd, broader definition. AICPA accepted it with SAS 78.
Why was it formed? Fraudulent F.S. Reason: FCPA, SEC requires
Which of the ICS objectives are of most concern to the CPA? Nos. 2 and 3.
What are the primary elements of the financial reporting process?
1. Recording Transactions
2. Processing Transactions
3. Summarizing Transactions
4. Reporting Financial Position and Results

Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
The 5 components of an ICS.

Control Environment (Internal)
- Integrity and ethical values
- Commitment to competence
- Board of directors or audit committee
- Management philosophy and operating style
- Organizational structure
- Human resource policies and practices
- Assignment of authority and responsibility
These factors probably have the greatest impact on the effectiveness of internal controls since they set the atmosphere and motivation to apply internal controls. These are basically the same categories as the high client risk factors we saw in chapter 6 for fraud from SAS 82/99.

Control Environment (External)
- Reviews by Governmental Agencies: OSHA, FDA, IRS, GAO, EPA, DCAA, Bank Examiners, Bd of Equalization, State Franchise Tax Bd
- Reviews by Non-Governmental Agencies: ISO, Industry Associations
As we saw in the video, outside reviewers can reduce the risk of misstatements by, in essence, auditing/evaluating certain aspects of financial data in the F.S. plus compliance with laws and regulations. In essence, these are an “external” part of a client’s ICS.

Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
We are talking about risk assessment done by the client.

Client Risk Assessment
A client must constantly reassess its ICS because of:
- Changes in regulatory or operating environment
- Changes in key personnel
- Implementation of new/modified information system
- Rapid growth of the organization
- Changes in technology affecting production processes or information systems
- Introduction of new lines of business, products, or processes
COSO added this component in its last report. COSO realized that an organization must assess its risks before it could design an effective ICS, AND it must also constantly re-assess since its control environment (the 1st component) changes.
How many of these did we see in the video?
1. Changed products and production
2. Increased competition
3. FDA delays
4. New facility
5. IPO - regulatory environment
6. New Accounts Receivable billing system

Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
In its latest definition, COSO added the Info & communication system. Why? Anyone heard of ERP systems? More and more manufacturing, engineering and financial systems are integrated. So, the accounting dept. may not input or control all financial transaction recording. Hercules MRP II example of inflated average unit costing for transfers.

Primary Objectives of Accounting & Information Systems
- Identify & record all, but only, valid transactions
- Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions
- Measure the value of transactions appropriately
- Determine time period in which the transactions occurred to permit recording in the proper period
- Present properly the transactions and related disclosures in the financial statements
Includes all accounting records such as journal vouchers, journals, ledgers and chart of accounts (why?) and accounting policies and procedures.

Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
Control activities are things people, machines or software programs do to screen or double-check, to ensure that the objectives on the previous slide on ICS objectives are achieved.

Types of Control Activities
- Performance Reviews (Usually Detection) (Reconcile, Analyze & Approve)
- IT General & Application Controls (Ch 8)
- Physical Security Controls
- Segregation of Duties
  - Recording Transactions
  - Authorizing Transactions
  - Custody of Related Asset
Performance reviews can also include various analyses such as:
- Standard cost variance analyses
- Actual vs Budget analysis
- Capital Budget tracking
- Cash Flow Projection and tracking (video)
- Bd of Directors’ Reviews (video)
Question: Can we do some of these on a sampling basis? Of course. It just probably reduces the overall effectiveness because of sampling error (Chapter 9).

Components of Internal Control
- The Control Environment
- Risk Assessment
- The Accounting Information and Communication System
- Control Activities
- Monitoring
Also a new component in COSO’s latest list.

Monitoring
Monitoring ICS Effectiveness & Compliance
- Ongoing Monitoring Activities (Management review & follow-up)
- Separate Evaluations (Internal Audits or Self Compliance)
- Public Companies: SOX Section 404 Monitoring and Assessment
Basically periodic evaluations of ICS adequacy (design) and effectiveness/compliance.

Monitoring Internal Controls
Do Public Companies do More?
- Section 404 of Sarbanes-Oxley requires at least quarterly monitoring & assessment of financial reporting internal control effectiveness.
- Comment required on any material change during a fiscal quarter.
- CFO normally leads, generally with Internal Audit involvement.

Limitations of Even A Good (Well Designed) ICS
- Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
- Controls that depend on the segregation of duties may be circumvented by collusion.
- Management may override the structure.
- Compliance may deteriorate over time.
Even the best designed ICS cannot be 100% effective 100% of the time for these main reasons. Also, ICS design could be limited by cost considerations. Why spend $1 million to protect just $100,000? How about giving a purchasing buyer total authority for small-dollar purchases? If the total dollars of these purchases are material in total, the client could establish internal controls to detect errors or fraud after the fact, i.e., Boeing’s automated analyses and management follow-up. Use of sampling in performing control activities relates to design.

Auditor’s Basic Requirements Regarding Client’s Internal Controls
- Obtain an understanding and
- Document the understanding
Where does this requirement come from? GAAS 2nd Field Work Standard as part of the assessment of the risk of material misstatement. Mandatory for all F.S. audits, even if perceived as insignificant.
Why do we need to have an understanding?
- Be able to assess CR (risk of misstatements not caught by internal controls)
- To plan appropriate audit tests as to:
  - Nature (type of tests)
  - Timing (when done)
  - Extent (scope as to accounts, number of balances or transactions and disclosures)

Documenting Internal Control
- ICQ covers most common internal controls, so it requires no planning time. ICQ easy to ID strengths & weaknesses (yes/no). ICQ may not ensure auditor actually understands. Sample ICQ on class web site.
- Narrative ensures thorough understanding, but may be incomplete since auditor may not think of all possible controls. Time consuming to draft.
- Flowchart can be easy to spot weaknesses, but only for the experienced. Usually get from client, but 99% of the time it’s outdated.

Sources of ICS Information
- Client Policies & Procedures
- Client Inquiry
- Inspection of Documents
- Observations

The Auditors’ Consideration of Client’s Internal Controls
- Obtain an understanding
- Document the understanding
- Determine planned (initial) assessed level of control risk
You estimate control risk based on your understanding and desire to rely on certain controls.

Assessing Control Risk
Rarely, except in text or other theoretical writings, will you see anything but the qualitative assessments. Why? Assessment is very subjective because we are not there all the time. We must draw inferences about compliance and effectiveness.
What do the percentages represent? Risk that the internal controls will not prevent a material misstatement from getting to the F.S. or that it will not be timely detected.
Can CR ever be zero? No - see slide on limitations.

Assessing Control Risk
At the F.S. Statement/Overall Level
- Preparation of F.S., incl. estimates & disclosures
- Selection of Significant Accounting Policies
- The Control Environment
- General IT Controls (chapter 8)
At the Assertion/Account Level
- Relates to specific assertions about specific accounts. (Transactions)
Risks at the financial statement level are those that relate to the overall financial statements and potentially affect many individual assertions. Risks such as these potentially affect many relevant assertions in that they cannot effectively be isolated. Because of these characteristics of financial statement level risks, an overall response by the auditor is often required. This response might include:
- Assigning more experienced staff or those with specialized skills.
- Providing more supervision and emphasizing the need to maintain professional skepticism.
- Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed.
- Increasing the overall scope of audit procedures, including the nature, timing, or extent.

To Test or Not to Test Controls
We Test Controls When We Expect That:
- We Will Be Able to Rely on the Client’s Internal Controls to Set Control Risk Below Maximum AND
- Estimated Time Spent to Test Controls Will Be < the Reduction in Substantive Testing Time IF We Find the Controls to be Operating Effectively.
So - It will be beneficial to the auditor.
Therefore: Only two reasons not to test controls:
1. Controls appear so weak that any reliance is unlikely.
2. It would be more efficient to do the audit using a “substantive” approach if time to test controls is equal to or exceeds any savings in reduced substantive testing if tests revealed reliance could be placed.
Because of these options, testing for just the F.S. audit is usually INSUFFICIENT to support the integrated report on internal controls under Sarbanes-Oxley.

The Auditors’ Consideration of Client’s Internal Controls
- Obtain an understanding
- Document the understanding
- Determine planned assessed level of control risk
- Design additional tests of control (Testing procedures include: review of documents, observations, questioning client employees, re-performing the controls, review of error detection & correction reports.)
To set CR at less than maximum, you must test the controls. Before you can place reliance on internal controls you must test that they (1) are effective and (2) are actually in operation (implemented).
Assessing effectiveness: Errors/fraud found? F/U & correction done on exception reports? Performed by designated person? Consistently applied?
Why ADDITIONAL? You may have done some tests of controls to gain understanding.

Relying on Previous Tests of Controls
- Auditors should obtain evidence of changes in internal controls/business processes since the last audit and must test any changed controls/processes for which reliance is desired.
- For controls/processes that haven’t changed, reliance can be placed on testing for operating effectiveness in prior years’ audits if the control is tested every 3rd year, unless the control relates to a significant risk.

The Auditors’ Consideration of Client’s Internal Controls
- Obtain an understanding
- Document the understanding
- Determine planned assessed level of control risk
- Design additional tests of control
- Perform test of controls likely to prevent or detect material misstatements and Reassess control risk
Tests of Controls: Key is if control is placed in operation AND is operating effectively. Must also consider frequency of effective performance. Automated controls generally more consistently performed.
Why re-assess? Once you’ve confirmed effectiveness or lack thereof. As we’ll see in chapter 9, usually we are willing to accept something less than 100%, unless control activity is very important and there is no compensating control.

The Auditors’ Consideration of Client’s Internal Controls
- Obtain an understanding
- Document the understanding
- Determine planned assessed level of control risk
- Design additional tests of control
- Test Controls and Reassess control risk
- Design nature, timing and extent of substantive tests
After assessing IR and now CR, we set what DR we can live with based on the overall audit risk that we are willing to take. We establish DR by the nature, timing and extent of our substantive tests of F.S. balances and/or the transactions behind the balances and F.S. disclosures.

Documentation Requirements
- Understanding of Internal Controls
- Assessed Level of Control Risk and the Combined Level of the Risk of Material Misstatements (IR + CR)
- Basis for the Risk Assessment
- Auditor’s Response to the Risks and Link to Audit Procedures Performed
- Use of Prior Years’ Tests of Controls
Basis for setting CR at max is one of the following:
1. Controls appear very weak so reliance is deemed unlikely and controls are NOT tested.
2. Time to test controls equals or exceeds potential time savings in reduced substantive testing IF controls found to be performed and effective. So, no testing of controls performed.
3. Controls appear somewhat strong in design, but testing of controls shows that controls are either not performed or not effective.

ICS in a Small Client
- Adequate segregation of duties impossible.
- Owner may have to be more active. But, this could foster fraudulent F.S.
- Therefore, we usually apply the “substantive” rather than the “reliance” audit approach.
Relate these concepts to what we saw in the Dermaceutics video.

IA as Part of the ICS
Some of their work may “overlap” what the CPA would do. We may be able to (1) rely on their work to reduce our work, just like any other part of the client’s ICS, or (2) use their auditors to perform work on the F.S. audit.
To rely, we must assess:
1. Objectivity
2. Competency
3. Quality
Source: SAS 128
Objectivity: Look at organizational placement. Is IA free to report findings without fear?
Competency: The 1st GAAS general standard. Has the IA Dept adopted IIA’s professional standards?
Quality: Does IA’s work show a quality job? Test some of their work by repeating tests or do additional tests and compare results.

Communicating ICS Weaknesses
Report to Mgmt and Those Charged with Governance (Board of Directors)
Must Communicate:
- Significant Deficiencies
- Material Weaknesses
- Previously Reported, But Not Remediated
- Potential Effects of the Deficiencies/Weaknesses
In Writing & Within 60 Days of Release Date of Audit Report on Financial Statements
Basically we report all significant weaknesses in the client’s ICS and categorize the really bad ones as “material”. See next slide. We should also communicate other deficiencies we believe warrant management’s attention.
How do we convince client to correct or strengthen? Tell them how it impacts the CPA’s audit scope. Didn’t Max explain it sort of this way regarding the billing price problem?

Classifying ICS Weaknesses
- A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.
- A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
- A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.
Source: AU 325 with SAS 115 (eff. 2009) and 99
Auditor to use the “prudent officials, having knowledge of the same facts and circumstances” rule. From SAS 115 – made definition less precise for a significant deficiency – eff 2009.

Classifying ICS Weaknesses (cont’d)
Indicators of material weaknesses include:
- Identification of fraud, whether or not material, on the part of senior management;
- Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud;
- Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control; and
- Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance
Source: AU 325 with SAS 115

Classifying ICS Weaknesses (cont’d)
Level: Generally Accepted Meaning
- Probable: The future event or events are likely to occur (probability is > 50%).
- Reasonably Possible: The chance of the future event or events occurring is more than remote, but less than likely (probability is 20% to 50%).
- Remote: The chance of the future event or events occurring is slight (probability is < 20%).
Classification of deficiencies must consider both probability of such deficiency causing a misstatement & the significance or materiality of the occurrence on the F.S.

Classifying ICS Weaknesses (cont’d)
- Material: A misstatement which would alter a reasonable person's decision making.
- More than Inconsequential: When a reasonable person would not reach a conclusion regarding a particular misstatement that the misstatement is inconsequential, then that misstatement is more than inconsequential.
- Inconsequential: When a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. (Generally, less than 20% of overall financial statement materiality threshold.)

Summary
Why do we consider a client’s ICS?
1. Assess Control Risk
2. To plan the audit (nature, timing & extent of tests)
What must we do before we set Control Risk below maximum? Test the controls we want to rely on.
Why Wouldn’t We Test Controls?
1. Appear Very Weak - Reliance Unlikely
2. Time to Test > Savings in Reduced Sub. Tests
Refer to Figure 7.7 in text where the auditor’s consideration of internal controls is summarized in a flowchart.