Internal control policies, processes, and procedures are established by management to achieve reliability of financial reporting, efficiency and effectiveness of operations, compliance with laws and regulations, and safeguarding of assets. Key aspects of internal control include the control environment set by top management's attitudes towards internal control, integrity and ethical values, commitment to competence, participation of the board of directors or audit committee, internal audit functions, and organizational structure and accountability. An effective system of internal control helps ensure an organization operates smoothly and achieves its objectives.
Assess Internal Controls
Internal Control
• What is Internal Control?
• What is the purpose of internal control (I/C)?
• Audit Risk model (AR): CR x IR x DR
• Control risk!

What is (purpose) Internal control?
• Internal controls are policies, processes and procedures set by management to achieve the following:
1. Reliability of financial reporting
2. Efficiency and effectiveness of operation
3. Compliance with laws and regulations (materially affecting financial reporting).
4. Safeguarding of assets

Reliability of Financial Reporting
Assurance that financial statements provide a true and fair view of the organization's financial position, crucial for stakeholders, including investors, creditors, regulators, and the general public, to make informed decisions.
How to achieve?

Reliability of Financial Reporting
a. Accuracy: Information in financial statements should be free from material misstatements and errors.
b. Completeness: All relevant financial information should be disclosed to present a comprehensive view of the organization's financial situation.
c. Neutrality: Financial reporting should be free from bias or any attempts to manipulate information to favor certain interests (investors vs. creditors).
d. Transparency: Disclosures should be clear, comprehensive, and understandable, providing sufficient information for users to make informed decisions.
e. Consistency: Accounting policies and practices should be applied consistently from one reporting period to another, facilitating comparability.

Efficiency and effectiveness of operation
• Efficiency: Internal controls can help an organization achieve its goals using the least amount of resources possible.
• Efficient processes reduce waste, prevent errors, and save time. For instance, automation of certain processes such as data entry, invoicing, and reconciliation can reduce manual errors and save employee time, thus improving operational efficiency.
• Effectiveness: Effectiveness refers to the ability of the organization to meet its objectives.
• Internal controls can help ensure that the business operations are effective in achieving the intended results.
• The efficiency and effectiveness of operations are typically measured through financial performance metrics like revenue, cost control, and profitability, as well as non-financial metrics such as customer satisfaction, market share, and operational quality.

Compliance with Laws and Regulations
• It ensures that a business operates within the legal framework, thereby minimizing the risk of lawsuits, penalties, and damage to its reputation.
• Internal control mechanisms focused on compliance can take many forms, and their precise nature will depend on the company's industry, the countries in which it operates, and the specific laws and regulations it must adhere to.
• Training, monitoring systems, reporting mechanism, compliance officer/department

Safeguarding of Assets
• Involves procedures and measures designed to prevent theft, fraud, misuse, or damage to a company's assets.
• Assets include not only tangible assets like cash, inventory, equipment, and property, but also intangible assets such as intellectual property, trade secrets, and company reputation.
1. Physical Controls: This involves physical security measures to protect tangible assets. For example, cash may be stored in a safe, and warehouses may have security cameras or guards. For valuable equipment, access may be restricted to authorized personnel only.
2. Authorization Controls: Important transactions that could affect the company's assets should require approval from a higher-level manager or from multiple individuals. For example, large purchases might need to be approved by a senior manager.

Examples of Safeguarding of Assets
3. Inventory Controls: Regular inventory counts and reconciliations can help ensure that the recorded inventory matches the actual physical inventory, thereby identifying theft or loss in a timely manner.
4. Document Controls: Document controls include timely and accurate recording of transactions and proper document retention. For example, all sales transactions should be promptly recorded, and the invoices should be kept for a specific period of time for future reference or audits.
5. Access Controls: For digital assets, access controls are crucial. This includes things like passwords, two-factor authentication, and limiting access to sensitive information to only those who need it. Network and system security measures are also important to prevent cyber theft or damage.
6. Auditing: Regular internal or external audits can help identify any deficiencies in the asset protection controls and suggest ways to improve them. Audits also act as a deterrent to internal fraud.
7. Insurance: Although not strictly an internal control, insurance can be considered part of a company's overall strategy to safeguard its assets. Insurance coverage can provide financial compensation if assets are lost, stolen, or damaged.

Internal Control: Control Environment
• Prior Session: Internal Control

Control Environment
Actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
How can we learn about their attitude?
1. Management Philosophy and Operating Style
2. Integrity and Ethical Values
3. Commitment to Competence
4. Board of Directors or Audit Committee Participation
5. Internal Audit function
6. Organizational Structure/Accountability

Management Philosophy and Operating Style (1 of 6)
• Serve as the most apparent indicators to the workforce about the significance of internal control.
• It essentially reflects the attitudes, behaviors, and actions of the organization's leadership, and it plays a crucial role in setting the tone for the internal control climate.
• Key questions to consider might include:
• Is the management setting unrealistic sales or profit targets?
• Are employees being urged to adopt aggressive strategies to achieve these goals?
• Gaining insight into the management's philosophy can provide auditors with a better understanding of the organization's stance towards internal controls.

Integrity and Ethical Values (2 of 6)
Integrity and ethical values can greatly influence how internal controls are perceived and practiced within the company.
• Several important aspects to consider include:
• Is there a well-understood and enforced stance against fraudulent financial reporting, irrespective of the level at which it occurs or its form?
• Are individuals held accountable, either through dismissal or disciplinary action, if they participate in such behavior?
• Do board members and senior executives consistently demonstrate a high standard of integrity and ethical behavior? Their actions can significantly impact the overall ethical climate within the organization.
10/80/10
• Is there a written code of conduct available for employees? And beyond just its existence, is it actively reinforced through training, communication from leadership, and requirements for regular written statements of compliance from key personnel? In other words, is the code a living document or something that was created, filed, and forgotten?

Commitment to Competence (3 of 6)
• Relates to the knowledge and skills needed to effectively perform tasks that define a person's role within the organization.
• Important factors to consider include:
• Does management prioritize competence when hiring, or is favoritism towards friends and relatives prevalent?
• This could potentially compromise the quality and integrity of the workforce, as well as the overall effectiveness of internal control.
• It's crucial to remember that the presence of incompetent or dishonest individuals can drastically undermine the effectiveness of any internal control system.
• On the other hand, honest and efficient employees can maintain high performance levels even in the absence of substantial support from other control mechanisms.
• However, elements like boredom, dissatisfaction, or personal issues can still disrupt their performance.
• What policies are in place regarding the hiring, evaluation, promotion, and compensation of competent, trustworthy individuals?
• A well-defined and robust policy in these areas can contribute significantly to maintaining a competent workforce and a strong control environment.

Participation of Board of Directors or Audit Committee (4 of 6)
• The participation of the Board of Directors (BOD) or Audit Committee plays a pivotal role in shaping the control environment of an organization.
• Considerations include:
• Does the organization have an Audit Committee in place to provide assistance and oversight?
• Is the Audit Committee genuinely functioning independently from management?
• Is there open and ongoing communication between the Audit Committee and both internal and external auditors?
• Does the committee have the responsibility for hiring the external auditor?
• Does the Audit Committee authorize non-audit services, ensuring there is no conflict of interest that may compromise the independence of the audit function?
• Do the members of the Audit Committee have a diverse range of expertise, including both operational and financial control knowledge?
• Is the Audit Committee responsible for overseeing the creation of, and compliance with, ethical standards within the organization? Their oversight can be critical in promoting an ethical corporate culture.

Internal Audit Function (5 of 6)
• Its effectiveness often relies on the support of top management, the audit committee, and the board of directors.
• Key aspects to evaluate include:
• Is there substantial backing from top management, the audit committee, and the board of directors for the internal auditing function? This support is essential for the effective operation of internal audits.
• Has the written scope of the internal audit's responsibilities been evaluated by the audit committee for adequacy? This evaluation ensures that the internal audit covers all necessary areas.
• Is the organizational relationship between the internal auditing department and senior executives appropriate? Is there a high turnover rate that may indicate instability or misalignment in this relationship?
• Are audit reports addressing relevant subjects, distributed to the appropriate individuals, and acted upon promptly? The timeliness and relevance of audit reports are crucial for maintaining an effective

Organizational Structure/Accountability (6 of 6)
• The organizational structure, comprising the entity level, divisions, operating units, and their functions, all have their own controls.
• By grasping this structure, auditors can comprehend the business's managerial and functional aspects and see how controls are enacted.
• Management and the board are tasked with setting expectations and ensuring accountability for internal controls.
• This process's success relies on creating suitable structures and reporting lines, and incentivizing employees to meet their control responsibilities.

Internal Control: Risk Assessment
• Prior Session: Internal Control

Risk Assessment
• Risks, both internal and external, are events posing a threat to (stopping you from) the achievement of goals, particularly those related to financial statement preparation.
• How the company assesses its own risk. Not how we assess the risk of the company.
• Risk assessment involves identifying, assessing, and strategizing on handling these events.
• It considers the event's probability of occurrence, potential impact, prevention or mitigation strategies, and whether management is actively identifying risks.

Why perform Risk Assessment?
Why do we need to discuss risk assessment? What's the relevancy for us?
Determining Audit Approach: It guides the auditor in determining the nature, timing, and extent of further audit procedures. Higher risk areas may require more extensive testing. If management effectively mitigates risks, auditors usually need to collect less evidence than when management doesn't address these risks properly. Some companies might be riskier than others.

What is the role of Auditor?
The auditor gains insight into management's risk assessment process by understanding: how management identifies relevant financial reporting risks, evaluates their significance and probability of occurrence, and plans risk mitigation actions.

Factors that could increase risk
• Rapid growth of the organization. Management is not up to the challenge. Marketing budgeting from sampling went from $800 to $800,000 vs WAWA Quality and supply chain!
• Changes in technology affecting production processes or information systems. NYT, Kodak, Polaroid, Borders Book
• Changes in the regulatory (SOX) or operating environment.
• New accounting pronouncements (revenue recognition).
• Changes in key personnel. New one might not be familiar or know what they are doing!
• Implementation of a new or modified information system. Debugging and testing is not fully completed
• Introduction of new lines of business, products, or processes.

Internal Control: Risk Assessment
• Prior Session: Internal Control

Management and Auditor's Responsibilities of Internal Control
• Prior Session: Internal control (purpose)
• It's the management's responsibility, not the auditor's (important), to establish and maintain internal controls and prepare financial statements (memorize this!)

Management Role
• Management is responsible for establishing and maintaining a sufficient internal control structure
• Management should design internal controls that offer reasonable assurance (highest), but not absolute, assurance of fair financial statements.
• Management must weigh the costs and benefits of these controls, which aim to minimize the chance of significant misstatements slipping through undetected or uncorrected.

Inherent Limitations of Internal Controls
• No matter how well-designed, internal controls are not foolproof due to human factors.
• Even the best system's effectiveness hinges on users' competency and reliability.
• For instance, even with a meticulously crafted inventory counting procedure, errors can occur: if employees misunderstand instructions, act carelessly, manipulate results for personal gain or to inflate earnings, or conspire in fraudulent actions like theft - a practice known as collusion.

Public companies must issue an internal control report. This report includes the following components:
1. A statement acknowledging management's responsibility for establishing and maintaining a sufficient internal control structure and procedures for financial reporting.
2. An assessment of the effectiveness of the internal control structure and procedures for financial reporting, conducted at the end of the fiscal year.
In addition, management is required to specify the framework used to evaluate internal control effectiveness. The most common framework in the U.S. is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control.

The assessment of internal control over financial reporting involves two crucial aspects:
1. Evaluating the design of internal control and
2. Testing the operating effectiveness of these controls.

Design of Internal Control
• Management is responsible for assessing whether the controls are designed and implemented to prevent or detect significant errors in the financial statements.
• They concentrate on controls that address risks associated with all relevant aspects of the financial statements, such as significant accounts, transactions, and disclosures.
• This evaluation includes examining the initiation, authorization, recording, processing, and reporting of significant transactions to identify potential points where errors or fraudulent misstatements could arise.

Example of Design of Internal Control
• Suppose a retail store wants to ensure the accuracy of its inventory records to prevent financial misstatements.
• To achieve this, management sets up internal controls.
• One control they implement is regular physical counts of the store's inventory.
• These counts help ensure that the quantity of items in stock matches what the records indicate.
• Additionally, they establish a control for the authorization of inventory purchases. All purchases must be approved by a designated manager, reducing the risk of unauthorized or fraudulent purchases being recorded.
• By having these controls in place, management aims to minimize the possibility of errors or fraud that could affect the accuracy of the store's financial statements, specifically those related to inventory.

Operating Effectiveness of Internal Control
• Management is required to test (not only design!) the effectiveness of controls.
• This involves verifying if the controls are operating as intended and if the person responsible for each control has the required authority and qualifications.
• The test results, documented by management, serve as the foundation for their assertion about the controls' effectiveness by the end of the fiscal year.
• In case there is any “material significant weakness” (of them) in internal control, management must disclose it ineffective

Sample Report
• UB company is responsible for establishing and maintaining adequate internal control over financial reporting. UB’s internal control system was designed to provide reasonable assurance to the company's management and board of directors regarding the preparation and fair presentation of published financial statements.
• UB management assessed the effectiveness of the company's internal control over financial reporting as of December 31st, 20X1. In making this assessment, it used the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control -- Integrated Framework.
• Based on our assessment, we believe that, as of December 31st, 20X1, the company's internal control over financial reporting is effective based on those criteria.
• UB’s independent auditors have issued an audit report on our assessment of the company's internal control over financial reporting. This report appears on the following page XX.

Auditor’s Responsibility
• One key principle in auditing standards is for the auditor to identify and assess risks of material misstatement, whether caused by fraud or error.
• This is done by understanding the entity and its environment, including its internal control.
• Auditing standards mandate that auditors must understand the relevant internal control on every audit engagement.
• Their primary focus lies on controls ensuring the reliability of financial reporting and controls over classes of transactions.

Controls Over the Reliability of Financial Reporting
• Auditors prioritize controls related to the reliability of financial reporting, as this impacts the accuracy of GAAP in the financial statements.
• Efficiency and operational controls are of lesser concern to auditors since they may not directly influence the fair presentation of financial statements.
• Nevertheless, auditors do consider controls over internal management information, such as budgets and performance reports, as they can serve as important evidence to assess the fairness of financial statements.
• Inadequate controls over these internal reports can reduce their value as evidence for the auditor's assessment.

Controls Over Classes of Transactions
• Auditors focus more on internal control over classes of transactions rather than account balances.
• The accuracy of account balances heavily relies on the accuracy of inputs and processing of transactions.
• For instance, errors in billing customers for sales, units shipped, or unit selling prices can lead to misstatements in both sales and accounts receivable.
• However, with effective controls in place for billings, cash receipts, sales returns and allowances, and write-offs, the ending balance in accounts receivable is likely to be accurate.

Controls Over Classes of Transactions
• While auditors primarily focus on transaction-related controls, they must also understand controls over ending account balances and related disclosures.
• Transaction-related audit objectives usually don't impact balance-related objectives like realizable value and rights and obligations, nor do they significantly influence related disclosure objectives.
• The auditor evaluates separately whether management has implemented internal control for each of these account balance and disclosure objectives.
• Mandates the auditor to provide a report on the effectiveness of internal control over financial reporting.
• In order to form an opinion on these controls, the auditor understands and conducts tests on controls for all significant account balances, transaction categories, and disclosures, along with their related assertions in the financial statements.

Multiple Choice Question
• Which of the following is the auditor's primary concern regarding the management’s assertions about the implementation of internal controls?
A- compliance with applicable laws and regulations
B- efficiency of operations
C- reliability of financial reporting
D- effectiveness of operations

Internal Control: Information and Communication

Information System (Accounting)
• In the context of an internal control system, information can range from operational and financial data, internal as well as external, that is necessary for the day-to-day operation of the business.
• Quality information systems produce reports that are timely, current, accurate, and accessible.
• An Accounting Information System (AIS) should be established to appropriately initiate, document, process, and disclose an entity's transactions.
• Purchase order:
• Proper authorization by someone
• Used only preapproved vendors
• Process the order
• Issue a report (A/P)
• Payment

Multiple Elements of AIS
• An AIS comprises numerous elements, including categories like sales, sales returns, cash receipts, acquisitions, among others.
• For each type of transaction, the accounting system is required to satisfy all relevant management assertions associated with these transactions.
• The system should identify and accurately document all valid transactions, ensuring that all shipments are correctly recorded (emphasizing completeness and accuracy).
• For financial reporting purposes, it should present transactions in the appropriate period (applying the cutoff principle).
• It should generate reports that accurately reflect the current impact of transactions (in terms of classification).
• Moreover, the AIS must be capable of recognizing instances when encountered risks exceed the company's risk tolerance, such as sales to customers who are over 90 days past due on payments.

Communication
• Communication is the continual, iterative process of providing, sharing, and obtaining necessary information
• It involves both downward and upward communication flows, ensuring that information is distributed throughout the organization, including communication with external parties like customers, suppliers, and regulators.
• Effective communication should ensure that all employees understand their roles, responsibilities, and how their individual activities relate to the work of others.
• They should also receive a clear message from senior management that internal control responsibilities must be taken seriously.

Example
• New policy that all production line issues must be reported immediately to management to prevent potential losses or delays.
1. Downward Communication: The new policy is communicated to all relevant employees through several channels. These might include a company-wide meeting, emails, a post on the company's internal website, and trainings for those directly affected. In these communications, the management clearly explains the reasoning behind the policy, what exactly is required from employees, and the potential consequences of not following the policy.
2. Upward Communication: The company sets up a dedicated hotline and an online form where employees can report any production line issues. They also encourage feedback about the new policy and any potential problems that might arise from its implementation. This allows employees on the production line to communicate quickly and effectively

Internal Control: Monitoring

Control Activities
• Protocols, policies, procedures and guidelines exist to help manage and mitigate risks that could prevent a company from reaching its goals.
• This can involve a range of control activities (applicable to various cycles and more specific), which may be either manual or integrated into automated, computer-based systems.
• Typically, these activities can be categorized into five main types:
1. Segregation of duties (responsibilities): 4 types of SoDs
2. Appropriate approval (authorization) of operations and tasks
3. Comprehensive (adequate) documentation and record-keeping
4. Physical control over assets
5. Independent audits of performance

Monitoring
• Activities involve regular evaluations of internal control quality by management to ascertain that controls function as planned and are adjusted as necessary due to changing circumstances.
• But, what are the sources of these activities?
1. Internal controls: staff who are independent of both the operating and accounting, internal auditor reports.
2. Exceptions reporting on control activities: Sales exceeding the limit. Adding of new vendor. Monitoring tools
3. Budget review: variance analysis
4. Reports by regulators: Bank regulatory agencies or quality control ISO 8000, 9000 etc.
5. Feedback from operating personnel: important
6. Complaints from customers about billing charges and product quality: Yelp! Travelocity, Website reviews, google review, BBB etc.

Multiple Choice Question From Farhat
• Which of the following are the two key concepts underlying management’s design and implementation of internal control?
A) Reasonable assurance and inherent limitations
B) Materiality and absolute assurance
C) Management override of controls and absolute assurance
D) Materiality and collusion

Internal Control: Information and Communication