
Assess Internal Controls

Internal control policies, processes, and procedures are established by management to achieve reliability of financial reporting, efficiency and effectiveness of operations, compliance with laws and regulations, and safeguarding of assets. Key aspects of internal control include the control environment set by top management's attitudes towards internal control, integrity and ethical values, commitment to competence, participation of the board of directors or audit committee, internal audit functions, and organizational structure and accountability. An effective system of internal control helps ensure an organization operates smoothly and achieves its objectives.

Uploaded by

shirleysimasiku

Internal Control

• What is Internal Control?


• What is the purpose of internal control (I/C)?
• Audit Risk model (AR): CR x IR x DR
• Control risk!
What is (purpose) Internal control?
• Internal controls are policies, processes and procedures set by management to
achieve the following:
1. Reliability of financial reporting
2. Efficiency and effectiveness of operation
3. Compliance with laws and regulations (materially affecting financial reporting).
4. Safeguarding of assets
Reliability of Financial Reporting
Assurance that financial statements provide a true and fair view of the organization's
financial position, crucial for stakeholders including:
investors,
creditors,
regulators, and
the general public,
to make informed decisions.
How to achieve?
Reliability of Financial Reporting
a. Accuracy:
Information in financial statements should be free from material
misstatements and errors.
b. Completeness:
All relevant financial information should be disclosed to present a
comprehensive view of the organization's financial situation.
c. Neutrality:
Financial reporting should be free from bias or any attempts to
manipulate information to favor certain interests (investors vs. creditors).
d. Transparency:
Disclosures should be clear, comprehensive, and understandable,
providing sufficient information for users to make informed decisions.
e. Consistency:
Accounting policies and practices should be applied consistently from
one reporting period to another, facilitating comparability.
Efficiency and effectiveness of operation
• Efficiency: Internal controls can help an organization achieve its goals using the least amount
of resources possible.
• Efficient processes reduce waste, prevent errors, and save time. For instance,
automation of certain processes such as data entry, invoicing, and reconciliation can
reduce manual errors and save employee time, thus improving operational efficiency.
• Effectiveness: Effectiveness refers to the ability of the organization to meet its objectives.
• Internal controls can help ensure that the business operations are effective in achieving the intended
results.
• The efficiency and effectiveness of operations are typically measured through financial
performance metrics like revenue, cost control, and profitability, as well as non-financial
metrics such as customer satisfaction, market share, and operational quality.
Compliance with Laws and Regulations
• It ensures that a business operates within the legal framework, thereby minimizing the risk of
  • lawsuits,
  • penalties, and
  • damage to its reputation.
• Internal control mechanisms focused on compliance can take many forms, and their precise
nature will depend on the company's industry, the countries in which it operates, and the
specific laws and regulations it must adhere to.
• Training, monitoring systems, reporting mechanisms, compliance officer/department
Safeguarding of Assets
• Involves procedures and measures designed to prevent theft, fraud, misuse, or
damage to a company's assets.
• Assets include not only tangible assets like cash, inventory, equipment, and property, but also
intangible assets such as intellectual property, trade secrets, and company reputation.
1. Physical Controls: This involves physical security measures to protect tangible assets.
For example, cash may be stored in a safe, and warehouses may have security cameras or guards.
For valuable equipment, access may be restricted to authorized personnel only.
2. Authorization Controls: Important transactions that could affect the company's
assets should require approval from a higher-level manager or from multiple
individuals.
For example, large purchases might need to be approved by a senior manager.
Examples of Safeguarding of Assets
3. Inventory Controls: Regular inventory counts and reconciliations can help ensure that the
recorded inventory matches the actual physical inventory, thereby identifying theft or loss in a
timely manner.
4. Document Controls: Document controls include timely and accurate recording of transactions
and proper document retention.
For example, all sales transactions should be promptly recorded, and the invoices should be kept for a
specific period of time for future reference or audits.
5. Access Controls: For digital assets, access controls are crucial. This includes things like
passwords, two-factor authentication, and limiting access to sensitive information to only those
who need it. Network and system security measures are also important to prevent cyber theft or
damage.
6. Auditing: Regular internal or external audits can help identify any deficiencies in the asset
protection controls and suggest ways to improve them.
Audits also act as a deterrent to internal fraud.
7. Insurance: Although not strictly an internal control, insurance can be considered part of a
company's overall strategy to safeguard its assets. Insurance coverage can provide financial
compensation if assets are lost, stolen, or damaged.
Internal Control: Control Environment
• Prior Session: Internal Control
Control Environment
Actions, policies, and procedures that reflect the overall attitudes of top
management, directors, and owners of an entity about internal control and
its importance to the entity.
How can we learn about their attitude?
1. Management Philosophy and Operating Style
2. Integrity and Ethical Values
3. Commitment to Competence
4. Board of Directors or Audit Committee Participation
5. Internal Audit function
6. Organizational Structure/Accountability
Management Philosophy and Operating Style (1 of 6)
• Serve as the most apparent indicators to the workforce
about the significance of internal control.
• It essentially reflects the attitudes, behaviors, and
actions of the organization's leadership, and it plays a
crucial role in setting the tone for the internal control
climate.
• Key questions to consider might include:
• Is the management setting unrealistic sales or profit
targets?
• Are employees being urged to adopt aggressive
strategies to achieve these goals?
• Gaining insight into the management's philosophy can
provide auditors with a better understanding of the
organization's stance towards internal controls.
Integrity and Ethical Values (2 of 6)
Integrity and ethical values can greatly influence how internal controls are
perceived and practiced within the company.
• Several important aspects to consider include:
  • Is there a well-understood and enforced stance against fraudulent financial reporting, irrespective of the level at which it occurs or its form?
  • Are individuals held accountable, either through dismissal or disciplinary action, if they participate in such behavior?
  • Do board members and senior executives consistently demonstrate a high standard of integrity and ethical behavior?
    • Their actions can significantly impact the overall ethical climate within the organization. 10/80/10
  • Is there a written code of conduct available for employees?
    • And beyond just its existence, is it actively reinforced through training, communication from leadership, and requirements for regular written statements of compliance from key personnel?
    • In other words, is the code a living document or something that was created, filed, and forgotten?
Commitment to Competence (3 of 6)
• Relates to the knowledge and skills needed to effectively perform tasks that
define a person's role within the organization.
• Important factors to consider include:
• Does management prioritize competence when hiring, or is favoritism
towards friends and relatives prevalent?
• This could potentially compromise the quality and integrity of the workforce, as well
as the overall effectiveness of internal control.
• It's crucial to remember that the presence of incompetent or dishonest individuals can
drastically undermine the effectiveness of any internal control system.
• On the other hand, honest and efficient employees can maintain high performance
levels even in the absence of substantial support from other control mechanisms.
• However, elements like boredom, dissatisfaction, or personal issues can still disrupt
their performance.
• What policies are in place regarding the hiring, evaluation, promotion, and
compensation of competent, trustworthy individuals?
• A well-defined and robust policy in these areas can contribute significantly to
maintaining a competent workforce and a strong control environment.
Participation of Board of Directors or Audit Committee (4 of 6)
• The participation of the Board of Directors (BOD) or Audit Committee
plays a pivotal role in shaping the control environment of an organization.
• Considerations include:
  • Does the organization have an Audit Committee in place to provide assistance and oversight?
  • Is the Audit Committee genuinely functioning independently from management?
  • Is there open and ongoing communication between the Audit Committee and both internal and external auditors? Does the committee have the responsibility for hiring the external auditor?
  • Does the Audit Committee authorize non-audit services, ensuring there is no conflict of interest that may compromise the independence of the audit function?
  • Do the members of the Audit Committee have a diverse range of expertise, including both operational and financial control knowledge?
  • Is the Audit Committee responsible for overseeing the creation of, and compliance with, ethical standards within the organization? Their oversight can be critical in promoting an ethical corporate culture.
Internal Audit Function (5 of 6)
• Its effectiveness often relies on the support of top
management, the audit committee, and the board of directors.
• Key aspects to evaluate include:
  • Is there substantial backing from top management, the audit committee, and the board of directors for the internal auditing function?
    • This support is essential for the effective operation of internal audits.
  • Has the written scope of the internal audit's responsibilities been evaluated by the audit committee for adequacy?
    • This evaluation ensures that the internal audit covers all necessary areas.
  • Is the organizational relationship between the internal auditing department and senior executives appropriate?
    • Is there a high turnover rate that may indicate instability or misalignment in this relationship?
  • Are audit reports addressing relevant subjects, distributed to the appropriate individuals, and acted upon promptly? The timeliness and relevance of audit reports are crucial for maintaining an effective
Organizational Structure/Accountability (6 of 6)
• The organizational structure, comprising the entity level,
divisions, operating units, and their functions, all have their
own controls.
• By grasping this structure, auditors can comprehend the business's
managerial and functional aspects and see how controls are
enacted.
• Management and the board are tasked with setting
expectations and ensuring accountability for internal controls.
• This process's success relies on creating suitable structures and
reporting lines, and incentivizing employees to meet their control
responsibilities.
Internal Control: Risk Assessment
• Prior Session: Internal Control
Risk Assessment
• Risks:
• Risks, both internal and external, are events that pose a threat to
(stop you from) the achievement of goals, particularly those
related to financial statement preparation.
• How the company assesses its own risk, not how we assess the
risk of the company.
• Risk assessment involves identifying, assessing, and
strategizing on handling these events.
• It considers the event's probability of occurrence,
potential impact, prevention or mitigation strategies, and
whether management is actively identifying risks.
Why perform Risk Assessment?
• Why do we need to discuss risk assessment?
• What’s the relevancy for us?
• Determining Audit Approach: It guides the auditor in determining the nature, timing, and extent of further audit procedures.
  • Higher risk areas may require more extensive testing.
  • If management effectively mitigates risks, auditors usually need to collect less evidence than when management doesn't address these risks properly.
  • Some companies might be riskier than others.
What is the role of Auditor?
The auditor gains insight into management's
risk assessment process by understanding:
• how management identifies relevant financial reporting risks,
• evaluates their significance and probability of occurrence, and
• plans risk mitigation actions.
Factors that could increase risk
• Rapid growth of the organization. Management is not up to the challenge.
  • Marketing budgeting from sampling went from $800 to $800,000 vs WAWA → Quality and supply chain!
• Changes in technology affecting production processes or information systems. NYT, Kodak, Polaroid, Borders Books
• Changes in the regulatory (SOX) or operating environment.
• New accounting pronouncements (revenue recognition).
• Changes in key personnel.
  • New ones might not be familiar or know what they are doing!
• Implementation of a new or modified information system.
  • Debugging and testing are not fully completed
• Introduction of new lines of business, products, or processes.
Internal Control: Risk Assessment
• Prior Session: Internal Control
Management and Auditor’s Responsibilities
of Internal Control
• Prior Session: Internal control
(purpose)
• It's the management's
responsibility, not the auditor’s
(important), to establish and
maintain internal controls and
prepare financial statements
(memorize this!)
Management Role
• Management is responsible for establishing and maintaining a sufficient
internal control structure
• Management should design internal controls that offer reasonable
(highest), but not absolute, assurance of fair financial statements.
• Management must weigh the costs and benefits of these controls, which aim
to minimize the chance of significant misstatements slipping through
undetected or uncorrected.
Inherent Limitations of Internal Controls
• No matter how well-designed, internal controls are not
foolproof due to human factors.
• Even the best system's effectiveness hinges on users'
competency and reliability.
• For instance, even with a meticulously crafted inventory
counting procedure, errors can occur:
  • if employees misunderstand instructions,
  • act carelessly,
  • manipulate results for personal gain or to inflate earnings, or
  • conspire in fraudulent actions like theft - a practice known as collusion.
Public companies must issue an internal control report. This report includes the following components:
1. A statement acknowledging management's responsibility for establishing and maintaining a sufficient
internal control structure and procedures for financial reporting.
2. An assessment of the effectiveness of the internal control structure and procedures for financial
reporting, conducted at the end of the fiscal year.
In addition, management is required to specify the framework used to evaluate internal control effectiveness.
The most common framework in the U.S. is the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Internal Control.
The assessment of internal control over financial reporting involves two crucial aspects:
1. Evaluating the design of internal control and
2. Testing the operating effectiveness of these controls.
Design of Internal Control
• Management is responsible for assessing whether the controls are
designed and implemented to prevent or detect significant errors in the
financial statements.
• They concentrate on controls that address risks associated with all
relevant aspects of the financial statements, such as:
  • significant accounts,
  • transactions, and
  • disclosures
• This evaluation includes examining the initiation, authorization,
recording, processing, and reporting of significant transactions to identify
potential points where errors or fraudulent misstatements could arise.
Example of Design of Internal Control
• Suppose a retail store wants to ensure the accuracy of its inventory records to
prevent financial misstatements.
• To achieve this, management sets up internal controls.
• One control they implement is regular physical counts of the store's inventory.
• These counts help ensure that the quantity of items in stock matches what the
records indicate.
• Additionally, they establish a control for the authorization of inventory
purchases. All purchases must be approved by a designated manager, reducing
the risk of unauthorized or fraudulent purchases being recorded.
• By having these controls in place, management aims to minimize the possibility
of errors or fraud that could affect the accuracy of the store's financial
statements, specifically those related to inventory.
Operating Effectiveness of Internal Control
• Management is required to test (not only design!) the effectiveness of
controls.
• This involves verifying if the controls are operating as intended and if
the person responsible for each control has the required authority and
qualifications.
• The test results, documented by management, serve as the foundation
for their assertion about the controls' effectiveness by the end of the
fiscal year.
• In case there is any “material significant weakness” (of them) in internal
control, management must disclose it as ineffective
Sample Report
• UB Company is responsible for establishing and maintaining adequate internal
control over financial reporting. UB’s internal control system was designed to
provide reasonable assurance to the company's management and board of directors
regarding the preparation and fair presentation of published financial statements.
• UB management assessed the effectiveness of the company's internal control over
financial reporting as of December 31st, 20X1. In making this assessment, it used
the criteria set forth by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) in Internal Control -- Integrated Framework.
• Based on our assessment, we believe that, as of December 31st, 20X1, the
company's internal control over financial reporting is effective based on those
criteria.
• UB’s independent auditors have issued an audit report on our assessment of the
company's internal control over financial reporting. This report appears on the
following page XX.
Auditor’s Responsibility
• One key principle in auditing standards is for the auditor to identify and
assess risks of material misstatement, whether caused by fraud or error.
• This is done by understanding the entity and its environment, including
its internal control.
• Auditing standards mandate that auditors must understand the relevant
internal control on every audit engagement.
• Their primary focus lies on controls ensuring the reliability of financial
reporting and controls over classes of transactions.
Controls Over the Reliability of Financial
Reporting
• Auditors prioritize controls related to the reliability of financial reporting,
as this impacts the accuracy of GAAP in the financial statements.
• Efficiency and operational controls are of lesser concern to auditors since
they may not directly influence the fair presentation of financial
statements.
• Nevertheless, auditors do consider controls over internal management
information, such as budgets and performance reports, as they can serve
as important evidence to assess the fairness of financial statements.
• Inadequate controls over these internal reports can reduce their value as
evidence for the auditor's assessment.
Controls Over Classes of Transactions
• Auditors focus more on internal control over classes of transactions
rather than account balances.
• The accuracy of account balances heavily relies on the accuracy of inputs and
processing of transactions.
• For instance, errors in billing customers for sales, units shipped, or unit
selling prices can lead to misstatements in both sales and accounts
receivable.
• However, with effective controls in place for billings, cash receipts, sales
returns and allowances, and write-offs, the ending balance in accounts
receivable is likely to be accurate.
Controls Over Classes of Transactions
• While auditors primarily focus on transaction-related controls, they must
also understand controls over ending account balances and related
disclosures.
• Transaction-related audit objectives usually don't impact balance-related
objectives like realizable value and rights and obligations, nor do they
significantly influence related disclosure objectives.
• The auditor evaluates separately whether management has implemented
internal control for each of these account balance and disclosure
objectives.
• Mandates the auditor to provide a
report on the effectiveness of internal
control over financial reporting.
• In order to form an opinion on these
controls, the auditor understands and
conducts tests on controls for all
significant account balances,
transaction categories, and disclosures,
along with their related assertions in
the financial statements.
Multiple Choice Question
• Which of the following is the auditor's primary concern regarding the
management’s assertions about the implementation of internal
controls?
A- compliance with applicable laws and regulations
B- efficiency of operations
C- reliability of financial reporting
D- effectiveness of operations
Internal Control: Information and Communication
Information System (Accounting)
• In the context of an internal control system, information can range
from operational and financial data, internal as well as external,
that is necessary for the day-to-day operation of the business.
• Quality information systems produce reports that are timely,
current, accurate, and accessible.
• An Accounting Information System (AIS) should be established to
appropriately initiate, document, process, and disclose an entity's
transactions.
• Purchase order:
  • Proper authorization by someone
  • Use only preapproved vendors
  • Process the order
  • Issue a report (A/P)
  • Payment
Multiple Elements of AIS
• An AIS comprises numerous elements, including categories
like sales, sales returns, cash receipts, acquisitions, among
others.
• For each type of transaction, the accounting system is
required to satisfy all relevant management assertions
associated with these transactions.
• The system should identify and accurately document all valid
transactions, ensuring that all shipments are correctly recorded
(emphasizing completeness and accuracy).
• For financial reporting purposes, it should present transactions in
the appropriate period (applying the cutoff principle).
• It should generate reports that accurately reflect the current
impact of transactions (in terms of classification).
• Moreover, the AIS must be capable of recognizing instances when
encountered risks exceed the company's risk tolerance, such as
sales to customers who are over 90 days past due on payments.
Communication
• Communication is the continual, iterative process of
providing, sharing, and obtaining necessary information
• It involves both downward and upward communication
flows, ensuring that information is distributed throughout
the organization, including communication with external
parties like customers, suppliers, and regulators.
• Effective communication should ensure that all employees
understand their roles, responsibilities, and how their
individual activities relate to the work of others.
• They should also receive a clear message from senior
management that internal control responsibilities must be
taken seriously.
Example
• New policy that all production line issues must be reported immediately to
management to prevent potential losses or delays.
1. Downward Communication: The new policy is communicated to all relevant
employees through several channels.
These might include a company-wide meeting, emails, a post on the company's internal
website, and trainings for those directly affected.
In these communications, the management clearly explains the reasoning behind the
policy, what exactly is required from employees, and the potential consequences of not
following the policy.
2. Upward Communication: The company sets up a dedicated hotline and an
online form where employees can report any production line issues.
They also encourage feedback about the new policy and any potential problems that
might arise from its implementation.
This allows employees on the production line to communicate quickly and effectively
Internal Control: Monitoring
Control Activities
• Protocols, policies, procedures and guidelines exist to help
manage and mitigate risks that could prevent a company
from reaching its goals.
• This can involve a range of control activities (applicable to
various cycles and more specific), which may be either
manual or integrated into automated, computer-based
systems.
• Typically, these activities can be categorized into five main
types:
• 1. Segregation of duties (responsibilities) 4 types of SoDs
• 2. Appropriate approval (authorization) of operations and tasks
• 3. Comprehensive (adequate) documentation and record-keeping
• 4. Physical control over assets
• 5. Independent audits of performance
Monitoring
• Activities involve regular evaluations of internal
control quality by management to ascertain that
controls function as planned and are adjusted as
necessary due to changing circumstances.
• But, what are the sources of these activities?
1. Internal controls: staff who are independent of
both the operating and accounting, internal
auditor reports.
2. Exceptions reporting on control activities:
  • Sales exceeding the limit.
  • Adding of a new vendor.
Monitoring tools
3. Budget review: variance analysis
4. Reports by regulators: Bank regulatory agencies or
quality control ISO 8000, 9000 etc.
5. Feedback from operating personnel: important
6. Complaints from customers about billing charges and
product quality:
  • Yelp!
  • Travelocity,
  • Website reviews,
  • Google reviews,
  • BBB etc.
Multiple Choice Question From Farhat

• Which of the following are the two key concepts
underlying management’s design and implementation
of internal control?
A) Reasonable assurance and inherent limitations
B) Materiality and absolute assurance
C) Management override of controls and absolute
assurance
D) Materiality and collusion
Internal Control: Information and Communication
