Copyright © 2007 Pearson Education Canada 9-1 Chapter 9: Internal Controls and Control Risk

Copyright © 2007 Pearson Education Canada 9-2 Chapter 9 objectives  Explain why the study of internal control is important  List the four components of internal control  Discuss the relationship between the control environment and application controls  Examine how control risk is assessed  Describe the process used to understand, document and test internal controls  Identify internal control reports

Copyright © 2007 Pearson Education Canada 9-3 What is Internal Control?  A process designed and effected by management (or board or employees) in providing reasonable assurance about the achievement of the entity’s objectives (reliable reporting, effectiveness and efficiency, compliance with laws)  See CICA Handbook

Copyright © 2007 Pearson Education Canada 9-4 GAAS and Internal Controls  Why is it mandatory for the auditor to understand the internal control system?  How likely is it that there are NO internal controls at all?

Copyright © 2007 Pearson Education Canada 9-5 Management responsibilities with respect to internal control  Should be cost-effective  Provide reliable accounting and operating data  Safeguard assets and records  Promote operational efficiency  Prevent and detect error, fraud or illegal acts  Ensure compliance with laws and regulations

Copyright © 2007 Pearson Education Canada 9-6 Auditor responsibilities with respect to internal control  Exercise professional skepticism  Document and evaluate internal controls of financial systems  Test controls if reliance intended  Communicate weaknesses that could cause material errors

Copyright © 2007 Pearson Education Canada 9-7 Concepts when studying internal control  Remember, it is management’s responsibility to establish and maintain internal controls: the auditor evaluates and may test these controls  The auditor can provide reasonable, but not absolute assurance  Internal controls have inherent limitations

Copyright © 2007 Pearson Education Canada 9-8 Inherent limitations of internal controls  No such thing as 100% internal controls  Effectiveness depends upon the competency and dependability of individuals (or systems) executing the controls  Most internal controls can be overridden using collusion

Copyright © 2007 Pearson Education Canada 9-9 Four components of internal control

Copyright © 2007 Pearson Education Canada 9-10 The control environment  Actions, policies and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about controls  The essence of an effectively controlled organization lies in the attitude of its management  Control environment (CE) factors are assessed as part of the knowledge of business and are used to develop a client risk profile

Copyright © 2007 Pearson Education Canada 9-11 CE factor: management philosophy and operating style  Management should operate ethically and honestly  Like behaviour should be encouraged among employees, perhaps by means of documented policies such as a code of ethics  Service policies could include a commitment to quality and competence

Copyright © 2007 Pearson Education Canada 9-12 CE factor: board of directors and audit committee  Board should include independent directors  Audit committee should include independent directors  Audit committee should have competence in financial reporting assessment  Board members should participate actively, meet with internal and external auditors

Copyright © 2007 Pearson Education Canada 9-13 CE factor: organizational structure  A structure that is appropriate for planning, directing and controlling operations  Authority and responsibility assignments clear  Information systems steering committee to oversee systems development and management of information systems

Copyright © 2007 Pearson Education Canada 9-14 CE factor: methods of assigning authority and responsibility  Take into account reporting relationships and responsibilities within organizational culture  Organizational goals, ethical and social issues considered  Development and implementation of policies such as job descriptions and codes of conduct

Copyright © 2007 Pearson Education Canada 9-15 CE factor: management control methods  Methods used to implement objectives and policies (many possible examples)  Logical access controls and monitoring for data communications  Monitoring activities of employees  Implementing of effective budgeting systems with follow up of differences

Copyright © 2007 Pearson Education Canada 9-16 CE factor: systems development methodology  Policies and procedures for selecting, development/purchase and maintenance of information systems  Formal methodologies for customized systems  Implementation of systems consistent with organizational objectives

Copyright © 2007 Pearson Education Canada 9-17 CE factor: management reaction to external influences  Monitoring of the external environment, including changes in laws  Ability to respond to changes in the external environment, including changes in business procedures or organizational structures

Copyright © 2007 Pearson Education Canada 9-18 CE factor: human resource policies and practices  Hiring practices to ensure competent and trustworthy employees  Evaluation and compensation processes to help motivate employees to continued competence and honesty

Copyright © 2007 Pearson Education Canada 9-19 Role of internal audit  To help ensure independence, internal audit should report to the audit committee of the board of directors  Can be part of control environment when effective, competent, independent and well-trained  Can contribute to reduced external audit costs

Copyright © 2007 Pearson Education Canada 9-20 Risk assessment  Involves managements identification and analysis of risks relevant to the preparation of financial statements in conformity with GAAP  Management needs to: identify risks, estimate significance, assess likelihood of occurrence, develop action plans to reduce the risk to an acceptable level

Copyright © 2007 Pearson Education Canada 9-21 Control systems include:  General controls: control systems that affect multiple classes of transactions (also called application systems)  Application (or accounting system) controls: can be manual, computer-assisted, or fully automated

Copyright © 2007 Pearson Education Canada 9-22 Impact of inadequate general controls  Organization and management: Cannot rely on automated or combined controls  Systems acquisition, development and maintenance: Cannot rely upon automated or combined controls  Operations and information systems support: May result in going concern issues

Copyright © 2007 Pearson Education Canada 9-23 Accounting (application) system control procedures  Appropriate segregation of duties  Proper authorization of transactions and activities  Adequate documents and records  Adequate safeguards over access to and use of assets and records  Independent verification of performance and the accuracy of recorded amounts

Copyright © 2007 Pearson Education Canada 9-24 Monitoring  Deals with ongoing or periodic assessment of the quality of internal control performance by management  Internal audit department may provide independent evaluation of the quality of the monitoring process

Copyright © 2007 Pearson Education Canada 9-25 Internal control audit process: 1. Obtain understanding  Obtain understanding of design and operation  Methods used to understand and document this process: – Flow charts – Narrative – Internal control questionnaire

Copyright © 2007 Pearson Education Canada 9-26 Knowing the difference between a strength and a weakness  Question 9-17, p. 278  Identifying the absent control when an error or fraud occurred  Which audit objective(s) were not met?  Also be able to identify: Controls to help prevent the problem from occurring

Copyright © 2007 Pearson Education Canada 9-27 Internal control audit process: 2. Assess control risk  Using the audit risk model  Control risk is assessed at one of the following levels: – Maximum (100%) – no reliance, only substantive testing is completed – High – Moderate – Low  Decide whether controls will be tested or not (it may be more efficient to only go substantive)

Copyright © 2007 Pearson Education Canada 9-28 Internal control audit process: 3. Test controls if reliance is intended  Procedures completed to ensure that key controls have been operating: – Inquiry – Inspection – Observation – Reperformance  Procedures must be linked to audit objectives

Copyright © 2007 Pearson Education Canada 9-29 Where controls are functioning:  Identify the errors that are less likely to occur  Link to the related substantive test  Perform less or limited or no substantive procedures in this area  More analytical procedures can be used

Copyright © 2007 Pearson Education Canada 9-30 Identify the potential impact of weaknesses  If a control is not functioning, or does not exist, this is a WEAKNESS: – Need to identify potential monetary error (is the impact MATERIAL?) – Do expanded substantive tests, if necessary – Analytical procedures – No internal controls testing in this area

Copyright © 2007 Pearson Education Canada 9-31 Internal control audit process: 4. Decide PDR and substantive tests  After control testing you are better able to assess planned detection risk (PDR or just DR)  Then substantive tests are designed for each audit objective based on the PDR for that cycle or objective

Copyright © 2007 Pearson Education Canada 9-32 Internal control audit process: 5. Report potentially material weaknesses  Specific wording is required for these weaknesses  Must be reported to management, board and audit committee (GAAS requires)  Other weaknesses (i.e. non-material) would also be included in a management letter