1
MODERN AUDITING 7th Edition
William C. Boynton, California Polytechnic State University at San Luis Obispo
Raymond N. Johnson, Portland State University
Walter G. Kell, University of Michigan
Developed by: Gregory K. Lowry, MBA, CPA, Saint Paul’s College
John Wiley & Sons, Inc.
2
CHAPTER 9 UNDERSTANDING INTERNAL CONTROL
Introduction to Internal Control
Components of Internal Control
Obtaining an Understanding of Internal Control
Documenting the Understanding
3
Importance of Internal Control
A 1947 publication by the AICPA entitled Internal Control cited the following factors as contributing to the expanding recognition of the significance of internal control:
1. The scope and size of the business entity has become so complex and widespread that management must rely on numerous reports and analyses to effectively control operations.
2. The check and review inherent in a good system of internal control affords protection against human weaknesses and reduces the possibility that errors or irregularities will occur.
3. It is impracticable for auditors to make audits of most companies within economic fee limitations without relying on the client’s system of internal control.
4
Importance of Internal Control
The Foreign Corrupt Practices Act (FCPA) was passed in Under this Act, management and directors of Chapter 9 companies subject to reporting requirements of the Securities Exchange Act of 1934, whether or not they operate outside the U.S., are required to comply with antibribery and accounting standards provisions. 10 years later, the National Commission on Fraudulent Financial Reporting (Treadway Commission) reemphasized the importance of internal control in reducing the incidence of fraudulent financial reporting. Finally, following up the last recommendation of the Treadway Commission, in 1992 the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued a report entitled Internal Control — Integrated Framework.
5
Definition and Components
The COSO defines internal control as follows:
Internal Control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Reliability of financial reporting.
2. Compliance with applicable laws and regulations.
3. Effectiveness and efficiency of operations.
6
Definition and Components
To provide a structure for considering the many possible controls related to the achievement of an entity’s objectives, the COSO report identifies 5 interrelated components of internal control, which are:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
7
Entity Objectives and Related Internal Control Relevant to an Audit
Other objectives and related controls may also be relevant if they pertain to data the auditor uses in applying audit procedures. Examples include objectives and related controls that pertain to:
1. Nonfinancial data used in analytical procedures, such as the number of employees, the entity’s manufacturing capacity and volume of goods manufactured, and other production and marketing statistics.
2. Certain financial data developed primarily for internal purposes, such as budgets and performance data, used by the auditor to obtain evidence about the amounts reported in the financial statements.
8
Limitations of an Entity’s Internal Control
AU , Consideration of Internal Control in a Financial Statement Audit, identifies the following inherent limitations that explain why internal control, no matter how well designed and operated, can provide only reasonable assurance regarding achievement of an entity’s control objectives.
1. Mistakes in judgment.
2. Breakdowns.
3. Collusion.
4. Management override.
5. Cost versus benefits.
9
Roles and Responsibilities
The COSO report concludes that everyone in an organization has some responsibility for, and is actually a part of, the organization’s internal control. Several responsible parties and their roles are as follows:
1. Management. It is management’s responsibility to establish effective internal control.
2. Board of directors and audit committee. Board members, as part of their general governance and oversight responsibilities, should determine that management meets its responsibilities for establishing and maintaining internal control.
10
Roles and Responsibilities
3. Internal auditors. Internal auditors should periodically examine and evaluate the adequacy of an entity’s internal control and make recommendations for improvements, but they do not have primary responsibility for establishing and maintaining internal control.
4. Other entity personnel. All other personnel who provide information to, or use information provided by, systems that include internal control should understand that they have a responsibility to communicate to a higher level in the organization any problems with noncompliance with controls, or illegal acts, of which they become aware.
11
Roles and Responsibilities
5. Independent auditors. As a result of procedures in an audit of financial statements, an external auditor may discover deficiencies in internal control that he or she communicates to management, the audit committee, or the board, together with recommendations for improvement.
6. Other external parties. Legislators and regulators establish minimum statutory and regulatory requirements for the establishment of internal controls by certain entities.
12
Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. Numerous factors comprise the control environment in an entity. Among these are the following (AU ):
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
13
Risk Assessment
Risk assessment for financial reporting purposes is an entity’s identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles (AU ).
14
Risk Assessment
Management’s risk assessment should also include special consideration of the risks that can arise from changed circumstances described in AU :
1. Changes in operating environment
2. New personnel
3. New or revamped information systems
4. Rapid growth
5. New technology
6. New lines, products, or activities
7. Corporate restructurings
8. Foreign operations
9. Accounting pronouncements
15
Information and Communication
The information and communication system relevant to financial reporting objectives, which includes the accounting system, consists of the methods and records established to identify, assemble, analyze, classify, record, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets and liabilities. Communication involves providing a clear understanding of individual roles and responsibilities pertaining to internal control over financial reporting (AU ).
16
Information and Communication
Transactions consist of exchanges of assets and services between an entity and outside parties, as well as the transfer or use of assets and services within an entity. An effective accounting system should:
1. Identify and record only the valid transactions of the entity that occurred in the current period (existence or occurrence assertion).
2. Identify and record all valid transactions of the entity that occurred in the current period (completeness assertion).
3. Ensure that recorded assets and liabilities are the result of transactions that produced entity rights to, or obligations for, those items (rights and obligations assertion).
17
Information and Communication
4. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements (valuation or allocation assertion).
5. Capture sufficient detail of all transactions to permit their proper presentation in the financial statements, including proper classification and required disclosure (presentation and disclosure assertion).
18
Control Activities
Control activities are those policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities have various objectives and are applied at various organizational and functional levels (AU ).
19
Traditional Segregation of Duties Figure 9-1
20
IT Functions Requiring Segregation Figure 9-2
21
Reconstruction of Data Files Figure 9-3
22
Monitoring
Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions (AU ).
1. Monitoring can occur through ongoing activities.
2. Monitoring can also occur through separate periodic evaluations.
3. Management and the audit committee should be conscious of IT risks and monitor the performance of internal control in the IT environment.
23
Monitoring
4. Accounting officers should be conscious of IT risks and monitor these risks on an ongoing basis.
5. The audit committee might charge internal audit with periodic reviews of IT risks and controls.
6. Management may receive information from regulators, such as bank examiners, and external auditors about weaknesses and recommended improvements.
24
Applications of Components to Small and Midsize Entities
AU identifies the following factors to be considered in deciding on how to implement each of the 5 components:
1. The entity’s size
2. Its organization and ownership characteristics
3. The nature of its business
4. The diversity and complexity of its operation
5. Its methods of processing data
6. Its applicable legal and regulatory requirements
25
Components of Internal Control Figure 9-4
30
Obtaining an Understanding of Internal Control
The auditor’s methodology for meeting the second standard of fieldwork involves 3 major activities:
1. Obtaining a sufficient understanding of the components of internal control to plan the audit.
2. Assessing control risk for each significant assertion contained in the account balance, transaction class, and disclosure components of the financial statements.
3. Designing substantive tests for each significant financial statement assertion.
31
Obtaining an Understanding of Internal Control
Obtaining an understanding involves performing procedures to:
1. Understand the design of policies and procedures related to each component of internal control.
2. Determine whether the policies and procedures have been placed in operation.
32
Obtaining an Understanding of Internal Control
AU indicates that the understanding of internal control should be used to:
1. Identify types of potential misstatements.
2. Consider factors that affect the risk of material misstatement.
3. Design substantive tests to provide reasonable assurance of detecting the misstatements related to specific assertions.
33
Procedures to Obtain an Understanding
AU suggests that the procedures to obtain an understanding consist of:
1. Reviewing previous experience with the client
2. Inquiring of appropriate management, supervisory, and staff personnel
3. Inspecting documents and records
4. Observing entity activities and operations
34
Documenting the Understanding
Documenting the understanding of internal control is required in all audits. AU states that the form and extent of documentation is influenced by the size and complexity of the entity, and the nature of the entity’s internal control. There are 4 forms of documentation commonly used by auditors.
35
Questionnaires
A questionnaire consists of a series of questions about internal control that the auditor considers necessary to prevent material misstatements in the financial statements.
36
Flowcharts
A flowchart is a schematic diagram using standardized symbols, interconnecting flow lines, and annotations that portray the steps involved in processing information through the accounting system.
37
Decision Tables
A decision table is a matrix used to document the logic of a computer program. Decision tables usually have 3 key components:
1. conditions related to accounting transactions,
2. actions taken by the computer program,
3. decision rules that are used with like conditions with subsequent actions.
38
Narrative Memoranda
A narrative memorandum consists of written comments concerning the auditor’s consideration of internal controls.
39
Information Technology and Internal Control Appendix 9A
The auditor should be familiar with the following components of an IT system:
1. Hardware
2. Software
3. Data organization and processing methods
40
Batch Entry/Batch Processing Figure 9A-2
41
On-Line Entry/Batch Processing Figure 9A-3
42
Benefits and Risks of IT Systems
In order to understand internal control in a computer environment, it is important to understand the benefits and risks of IT systems. The major benefits of IT systems over manual systems include the following:
1. IT systems can provide greater consistency in processing than manual systems because they uniformly subject all transactions to the same controls.
2. More timely computer-generated accounting reports may provide management with more effective means of analyzing, supervising, and reviewing the operations of the company.
43
Benefits and Risks of IT Systems
Important risks of IT systems over manual systems include the following:
1. The IT system may produce a transaction trail that is available for audit for only a short period of time.
2. There is often less documentary evidence of the performance of control procedures in computer systems.
3. Files and records in IT systems are usually in machine-sensible form and cannot be read without a computer.
4. The decrease of human involvement in computer processing can obscure errors that might be observed in manual systems.
44
Benefits and Risks of IT Systems
5. IT systems may be more vulnerable to physical disaster, unauthorized manipulation, and mechanical malfunction than information in manual systems.
6. Various functions may be concentrated in IT systems, with a corresponding reduction in the traditional segregation of duties followed in manual systems.
7. Changes in the system are often more difficult to implement and control in IT systems than in manual systems.
45
Overview of Computer Controls Figure 9A-5
46
Comprehensive Flowcharting Illustration Appendix 9B
Most auditors prepare flowcharts for each material class of transactions. Most flowcharts include:
1. The flow of transactions from initiating the transactions to their summarization in the general ledger.
2. The key functions included in the flowchart.
3. The documentary audit trail.
4. Key reports produced by the accounting system.
5. Computer programs and files where information is stored.
47
System Flowchart — Cash Receipts Transactions Figure 9B-2
48
CHAPTER 9 UNDERSTANDING INTERNAL CONTROL
49
Copyright Copyright 2001 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.