Chapter 5 Risk Assessment: Internal Control Evaluation


“If everything seems under control, you're just not going fast enough.” -- Mario Andretti, Race car driver

McGraw-Hill/Irwin. Copyright © 2008 by The McGraw-Hill Companies, Inc. All rights reserved.

Responsibility for Internal Control
- Management responsibility
  - Management has primary responsibility for internal control
  - Sarbanes-Oxley Act of 2002 (publicly traded companies)
- Auditor responsibility
  - Second standard of fieldwork
  - PCAOB Auditing Standard No. 5 (AS 5): An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements

Management’s Responsibility for Internal Control (Sarbanes-Oxley)
In addition to certifying the company’s financial statements (Section 302), management must also report on the company’s internal control over financial reporting (Section 404). Specifically, the company’s annual report must include:
- A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting.
- A statement identifying the framework (usually COSO) management uses to evaluate the effectiveness of the company’s internal control.
- A statement providing management's assessment of the effectiveness of the company’s internal control.

AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
- Auditors must provide their opinion on the effectiveness of client’s internal control.
- Not a separate engagement
- Integrated audit of internal control and financial statements

COSO
- Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (Treadway Commission)
- FEI, AAA, IIA, IMA, AICPA

Why Assess Control Risk?
- Determine nature, timing, and extent of audit procedures.
- Trade-off between testing of controls and substantive procedures.
- Note: Control testing required for public companies (AS 5), but not for private companies and not-for-profit organizations.

Exhibit 5.2 Trade-off Between Tests of Controls and Substantive Testing

Internal Control – An Integrated Framework (COSO)
Internal Control: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
(1) Reliability of financial reporting,
(2) Compliance with applicable laws and regulations,
(3) Effectiveness and efficiency of operations.

Exhibit 5.3 Internal Control—Integrated Framework

Exhibit 5.4 Interrelated Components of Internal Control

Control Environment
Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components.

Control Environment
- Philosophy and operating style
- Integrity and ethical values
- Organizational structure
- Commitment to competence
- Functioning of board
- Authority and responsibility
- Internal audit
- Human resources policies
- External environment

Risk Assessment
The entity's identification and analysis of relevant risks to achievement of its objectives.
- COSO's Enterprise risk management (ERM) framework

Control Procedures
The policies and procedures that help ensure management directives are carried out.
- Physical controls over the security of assets
- Segregation of duties
- Information Processing
- Approvals and authorization
- Verifications and reconciliations
- Performance reviews

Exhibit 5.5 Separation of Duties

Information Processing Controls
- Information technology general controls (ITGC)
  - Physical security
  - Hardware controls
  - Segregation of IT duties
  - Documentation
  - Back-up procedures
- Information technology application controls (ITAC)
  - Input controls
  - Processing controls
  - Output controls
  - Spreadsheet controls

Information and Communication
The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.

Monitoring
Management’s process that assesses the quality of the internal control's performance over time.
- Internal auditing
- Follow-up of reporting errors

General Phases of Internal Control Evaluation
- Phase 1: Understand and document
  - Understand the client’s internal control
  - Document the understanding of internal control
    - Internal Control questionnaire
    - Narrative
    - Accounting and control system flowcharts
- Phase 2: Assess control risk (Preliminary)
- Phase 3: Testing and reassessment
  - Perform test of controls audit procedures
  - Re-assess control risk

Exhibit 5.10 Payroll System Flowchart

Exhibit 5.11 Bridge Workpaper

Exhibit 5.12 Assertions about Class Transactions and Events for the Period: Payroll Cycle

Exhibit 5.13 Dual Direction Test of Payroll Controls

AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements (for Publicly Traded Companies)
Phases of the engagement:
- Plan the engagement
- Use a top-down approach to gain an understanding
  - Identify entity-level controls
  - Walkthroughs
- Testing internal control effectiveness
  - Design effectiveness
  - Operating effectiveness
- Evaluating control deficiencies
  - Deficiencies
  - Significant deficiencies
  - Material weaknesses
- Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
- Reporting on internal control

Step 1: Plan the Audit
- Consider knowledge of industry
- Consider knowledge of business
- Consider extent of changes in operations
- Consider extent of changes in internal control

Evaluation must be done for all relevant assertions for all significant accounts or disclosures. Thus, significant accounts, locations, and assertions must be identified. The key to determining whether an account, location, or assertion is significant is whether there is a more-than-reasonable possibility that a material misstatement could be associated with it.

Just as control risk is used to determine the nature, timing, and extent of substantive procedures, inherent risk is used to determine the nature, timing, and extent of tests of controls.

Step 2: Use a top-down approach to gain an understanding
- Identify entity-level controls
- Perform walkthroughs
- Auditor must perform work related to:
  - Company-wide anti-fraud programs
  - Controls that have a pervasive effect
- Auditor must obtain “principal evidence,” but can incorporate work of internal auditors and others
  - Must assess competence and objectivity
  - Limited reliance
  - Can’t reduce work on control environment

Exhibit 5.8 Entity-Level Controls
- Controls related to the control environment.
- Controls related to management override.
- Centralized processing and controls including shared service environments.
- Controls to monitor results of operations.
- Controls to monitor other controls.
- Management’s risk assessment.
- Period-end financial reporting process
- Policies that address significant business control and risk management practices

Test Controls: Design Effectiveness
Design effectiveness determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements. After an understanding of internal controls is gained through inquiry, inspection, and observation, the controls are evaluated for the possibility that the controls would not prevent or detect a misstatement.

Test Controls: Operating Effectiveness
Operating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. A sample of transactions is examined using inquiry, observation, inspection, and reperformance. Tests of controls are not performed if design is not effective.

Step 4a: Evaluate control deficiencies
Whether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the entity’s management or employees to detect or prevent misstatements in a timely fashion. A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control’s objective. An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained). More serious internal control deficiencies can be categorized into one of two groups, significant deficiencies or material weaknesses, depending on their severity.

Step 4b: Identify significant deficiencies
Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the organization’s ability to initiate, record, process, and report financial data in the financial statements. While not material, they are important enough to bring to the attention of those charged with governance (usually the audit committee).
- Absence of appropriate separation of duties.
- Absence of appropriate reviews and approvals of transactions.
- Evidence of failure of control procedures.

Step 4c: Identify Material Weaknesses
A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
- Restatement of previously issued financial statements to reflect the correction of a misstatement.
- Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client’s internal controls.
- Ineffective oversight of financial reporting process by entity’s audit committee.
- Indication of fraud (either material or immaterial) by senior management.

Summary of Internal Control Deficiencies
Three categories:
- Internal control deficiency
- Significant deficiency
- Material weaknesses

The difference between a significant deficiency and a material weakness is the (1) likelihood and (2) materiality that a potential (or actual) misstatement would not be detected on a timely basis.

Step 5: Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
Auditors can issue one of three types of opinions on internal control over financial reporting:
- Unqualified. No material weaknesses found.
- Disclaimer of opinion. The audit team cannot perform all of the procedures considered necessary.
- Adverse opinion. One or more material weaknesses found.

Step 6: Reports on Internal Control
- Separate report on internal control
  - Opinion on financial statements contained in separate audit report
  - Extra paragraph added to report on internal control referencing opinion on financial statements.
- Integrated audit report and report on internal control
  - Includes auditor’s opinions on 1) internal control effectiveness, and 2) the fairness of the company’s financial statements.

Reporting to Audit Committee on Internal Control Related Matters
- Sarbanes-Oxley requires that the report be in writing.
- The auditor may communicate during or after audit.
- Communication with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.

Limitations of Internal Control
- Human error
- Collusion
- Management override
- Cost/benefit analysis
  - There is often a trade-off between the cost and the effectiveness of internal controls.
  - The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.