CHAPTER 10: UNDERSTANDING INTERNAL CONTROLS
Fall 2007

Introduction to Internal Control
- What is it?
- Why is it so important?
- Limitations of Internal Control
- Responsibilities of involved parties
- Components of Internal Control (COSO)

What is Internal Control?
COSO Definition: The processes implemented by the BOD and management to help ensure:
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
- Effectiveness and efficiency of operations.*
* This is not included in the SOX definition of IC.

Why is internal control SO important?
- The businesses we audit rely on numerous reports and analyses to control operations.
- A good system reduces the possibility that errors or fraud will occur.
- We can audit more efficiently and effectively if we rely on the client’s internal controls.
- Professional standards and laws require that the auditors consider it.
- Expectations of f/s users!

Limitations of Internal Controls
- Mistakes in judgment
- Breakdowns
- Collusion
- Management Fraud

Responsibilities Regarding Internal Controls in F/S Audit
- Management: Establish, set tone at top
- BOD and Audit Committee: Oversee
- Internal Auditors: Part of system
- External Auditor:
  1. Review & document understanding
  2. Test controls where they are thought to be reliable
  Determine audit strategy
  Communicate problems to AC of BOD

External Auditor Responsibilities
1. Review & document understanding of system to form preliminary CR assessment.
- Prior experience w/ client
- Inquiry & client documentation
- Walkthroughs
- Understand process flow of transactions
- Confirm design of controls for all I/C components
- Evaluate the design of controls
- Determine if controls were placed in operation

External Auditor Responsibilities
Auditor documentation of Controls
The form and extent of documentation is influenced by the size and complexity of the entity, and the nature of the entity’s IC.
- Questionnaires
- Flowcharts
- Narrative Memos
Will also need to document the results of any testing of the system.

External Auditor Responsibilities
2. Test controls where CR < max.
- Is preliminary CR assessment supported?
- Chapter 11 covers in more detail
Audit procedures:
- Review previous experience with the client
- Inquire of appropriate client personnel
- Inspect documents and records
- Observe entity activities and operations
- CAATs

External Auditor Responsibilities
3. Determine audit strategy
Communicate with audit committee (SAS 112)
- Effective for calendar year 2006 audits
- Terminology to conform with 404
- Significant deficiency
- Material weakness
- Increase reasons for issuing management letters

COSO Components
Control Environment
- Sets tone of organization, influencing control consciousness of its people
- Is part of organizational culture
- Factors include:
  - Management’s philosophy and operating style
  - Integrity and ethical values
  - Competence of employees
  - Authority appropriately delegated
  - BOD and AC governance and monitoring mgmt

Illustration of Poor Control Environments
- Miami childcare
- WorldCom testimony

Risk Assessment Process
Management has a process for considering how their business could be adversely impacted by:
- Business risks
- Fraud risks
- Legal risks
- Technology risks
- Financial reporting risks
Forms the basis for determining control activities.

Control Activities
- Policies and procedures to ensure reliable financial reporting.
- Should link with risk assessment
- Cost benefit: preventive vs. detective (compensating) controls

Control Activities: Categories
- Authorization
- Segregation of Duties
- Information processing
  - Computer general controls
  - Computer application controls
- Controls over financial reporting
- Physical controls
- Performance reviews
- Controls over management discretion in financial reporting

Control Activities: Authorization
- Are transactions approved?
- Ways to approve
  - General policy vs. specific authorization
  - Manual vs. computerized
- Relates primarily to transaction objective of occurrence

Control Activities: Segregation of Duties
Control Activities: Information Processing Controls
General Controls
Relate to the overall system rather than a specific software package.
Examples:
- Physical and password control over IT access
- Backup and processing controls
- Systems development and documentation
- Segregation of duties within IT department (user vs. development)
- Internal hardware controls to detect malfunctioning

Control Activities: Information Processing Controls
Computer Application Controls
Controls within a particular software application that make sure transactions are done right!
Categories of computer application controls:
- Input: “beep” if info is in the wrong format or has the wrong content
- Processing: make sure nothing is lost, duplicated, or calculated wrong, and that no wrong files are used internally
- Output: make sure what went in is what came out, and that only the right folks get the information

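An added example (not part of the original slides) of the three application-control categories above, run over a constructed batch of invoice records. The record layout, the `INV-nnnn` id format, the batch-header control totals and the recipient names are assumptions made for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed sample data: batch header control totals and detail records.
HEADER = {"count": 5, "total": Decimal("1925.00")}
BATCH = [
    {"id": "INV-0001", "amount": "500.00"},
    {"id": "INV-0002", "amount": "250.00"},
    {"id": "INV-0002", "amount": "250.00"},   # duplicate of the previous record
    {"id": "INV-0003", "amount": "-75.00"},   # negative amount
    {"id": "inv4", "amount": "1000.00"},      # wrong id format
]
AUTHORIZED = {"ar_clerk", "controller"}       # hypothetical report recipients
ID_RE = re.compile(r"INV-\d{4}")              # assumed invoice id format

def input_control(rec):
    """Input control: return a rejection reason for bad format or content."""
    if not ID_RE.fullmatch(rec["id"]):
        return "bad id format"
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return "amount not numeric"
    return None if amount > 0 else "amount not positive"

def process(batch, header):
    """Processing control: catch duplicates, then reconcile to header totals."""
    accepted, exceptions, seen = [], [], set()
    for rec in batch:
        reason = input_control(rec)
        if reason is None and rec["id"] in seen:
            reason = "duplicate id"
        if reason:
            exceptions.append((rec["id"], reason))  # goes to an exception report
            continue
        seen.add(rec["id"])
        accepted.append(rec)
    total = sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))
    # What went in (header) must equal what came out (posted count and total).
    reconciled = (len(accepted), total) == (header["count"], header["total"])
    return accepted, exceptions, total, reconciled

def output_control(recipients):
    """Output control: list recipients who are not authorized for the report."""
    return sorted(set(recipients) - AUTHORIZED)
```

A batch that fails reconciliation stays open until every record on the exception list is corrected and resubmitted or explicitly written off the header totals.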
Control Activities: Controls Over the Financial Reporting Process
[Diagram labels: General Journal, Sales Journal, Cash Receipts Journal, Cash Disb Journal, Purchases Journal, G/L, Trial Balance, Spreadsheets or Consolidation Software, F/S]
How is this process controlled?

Control Activities Continued
Physical Controls
- Limit access to assets directly and through documents
- Ex: Lock inventory in warehouse and lock up unused checks or authorizations
Performance Reviews
- Someone who didn’t prepare info periodically looks at details
- Ex: Production mgr reviews payroll details, Dept managers review budget to actual

Control Activities: Controls Over Mgmt Discretion in Financial Reporting
Controls over judgmental areas in accounting
- Selection of GAAP where there is choice
- Disclosures
- Estimates or judgmental application of standards
Tools
- Documentation of logic/support
- Review process
- Disclosure committee
- Accounting & operational members
- Review issues with Audit committee

Information and Communication
Pertinent information identified, captured and communicated in a timely manner.
- IT Systems and Management Reporting
- Transactions Audit Trail
- Documents & Records
- Management communications with employees & customers, suppliers, regulators and owners

Monitoring
- Assessment of a control system’s performance over time
- Combination of ongoing and separate evaluation
- Management and supervisory activities
- Examples:
  - Internal audit department
  - System for customer complaints
  - Whistleblower process to audit committee

Antifraud Programs and Controls