CH. 5: Internal Control

Internal Control

A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following 3 categories: reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Limitations to Internal Controls

1) Human Error
2) Deliberate Circumvention
3) Management Override
4) Collusion

Cost-Benefit Relationship of Internal Control

At some point, the cost of protecting exceeds the benefit of the internal control activity

Management's Responsibilities for internal control

1) Control Environment
2) Assessing Risks to control
3) Information and Communication channels
4) Designing and implementing control activities
5) Monitoring control activities

Reasons for Auditing Internal Control

1) Required by SOX
2) To determine if management has implemented a working control for each risk identified in the planning stage
3) To assess the Risk of Material Misstatement (RMM) at the assertion level

Control Risk Relationship to Sample Size

High CR = Large Sample Size
Low CR = Small Sample Size

Detection Risk Relationship to Sample Size

High DR = Small Sample Size
Low DR = Large Sample Size

The 5 Components of the COSO Framework

1) Control Environment
2) Risk Assessment
3) Information & Communication
4) Monitoring
5) Control Activities

Control Environment Factors

1) Integrity & ethical values
2) Board of directors
3) Management's philosophy and operating style
4) Organizational structure
5) Financial reporting competencies
6) Authority & responsibility
7) Human resources

Risk Assessment

Done by management. Not the auditor's responsibility. Management identifies risks, considers their likelihood, and considers how to manage them.

Purpose of Control Activities

To eliminate, mitigate, or compensate for the risks to management objectives that have been identified

Principles related to Control Activities

1) Information technology
2) Level of integration with their risk assessment process
3) Selection and development of control activities
4) Policies and procedures

Types of Control Activities

1) Performance Reviews
2) Separation of Duties
3) Physical Controls
4) Information-processing Controls

Control Activity: Performance Reviews

If done frequently, gives management more opportunities to detect errors in the records

Control Activity: Separation of Duties

1) Authorization to execute transactions
2) Recording transactions
3) Custody of assets involved in the transactions
4) Periodic reconciliation of existing assets to recorded amounts

Control Activity: Physical Controls

Physical access to assets and important records, documents, and blank forms should be limited to authorized personnel

Control Activity: Information-processing

Essential to the effectiveness of the internal control system. Ex: Purchase orders have to be authorized by purchasing dept before purchase is made

Information and Communication

Information systems should produce a trail of activities from data identification to reports that auditors can follow for occurrence and completeness assertions

Principles of Monitoring

1) Ongoing and separate evaluations
2) Reporting deficiencies

Procedure to Assess Control Risk

1) Understand and Document the Client's Internal Control
2) Assess the Control Risk (Preliminary)
3) Identify Controls to Test and Perform Tests of Controls

Steps to Understand Client's Internal Control

1) Identify significant accounts (based on their inherent risk) and disclosures
2) Examine entity-level controls (CRIME)
3) Identify and examine transaction-level controls using a walkthrough

Purpose of Understanding Client's Internal Control

To evaluate design effectiveness (whether controls, if operating effectively, would prevent or detect errors or fraud)

What happens if the audit team assesses CR at 1?

More extensive and effective substantive procedures are required to lower the RMM

Assessing CR - Preliminary

Audit team should document internal control strengths and weaknesses in a bridge work paper (which connects control evaluation to subsequent audit procedures)

Tests of controls should only be performed on...

Control strengths

If a control doesn't operate effectively...

The auditor should assess a higher level of CR and do substantive testing

Which controls should be tested?

Controls with CR below 1

4 methods for testing controls

1) Inquiry
2) Observation
3) Document Examination
4) Reperformance

Main Assertions tested with Tests of Controls

Occurrence & Completeness

Traits of Good Controls

1) Relate to an assertion
2) Material
3) Cost-benefit
4) Well-designed
5) Consistent
6) Maintained
7) Data Reliability
8) Testable