1 chapter 9 the study of internal control and assessment of control risk

1

CHAPTER 9The Study of

Internal Control and Assessment of

Control Risk

2

What is What is internal internal controlcontrol??

Internal control is a process designed toprovide reasonable assurance regardingthe achievement of management’s ob-jectives regarding:

3

- reliability of financial reporting- operational effectiveness and efficiency- compliance with laws and regulations

Internal control is a process designed toprovide reasonable assurance regardingthe achievement of management’s ob-jectives regarding:

The Foreign Corrupt PracticesAct requires “proper recordkeeping

systems” of SEC companies; i.e., reliable financial statements and ac-

counting records.

4

performpreliminaryanalytical

procedures

Steps in audit planningSteps in audit planning

preplan

understandinternal control

and assesscontrol risk

setmateriality, and

assess acceptableaudit risk andinherent risk

obtainbackgroundinformation

obtain information about client’s legal obligations

5

performpreliminaryanalytical

procedures

Steps in audit planningSteps in audit planning

preplan

Why is an understanding of internal control important?

setmateriality, and

assess acceptableaudit risk andinherent risk

understandinternal control

and assesscontrol risk

obtainbackgroundinformation

obtain information about client’s legal obligations

6

Second Fieldwork Standard:A sufficient understanding of internalcontrol is to be obtained to plan the audit and to determine the nature, tim-ing, and extent of tests to be performed.

Why is anunderstanding

of internalcontrol

important?

7

Audit Risk has 3 components Audit Risk has 3 components which combine to make the which combine to make the audit risk modelaudit risk model: (AU 312): (AU 312)

= x xaudit risk

inherent risk

control risk

detection risk

therisk that material

misstatements will not be prevented ordetected by

internal controls

8

- internal control is the client’s responsibility and should be designed to help the client attain goals- internal control should provide reasonable but not absolute assurance; cost/benefit must be considered- internal control has inherent limita- tions (e.g., misunderstandings, mis- takes, fatigue, carelessness, collusion, management override)

Key Internal Control ConceptsKey Internal Control Concepts

9

What are the components of What are the components of internal control?internal control?

10

the controlenvironment


11

The control environment is theactions, policies, and procedures thatreflect management’s attitude regard-

ing controls and their importance.

All these controls are unnecessary!

12

Factors related to the Control Environment:Factors related to the Control Environment:

- integrity and ethical values

Does man-agement com-municate com-

pany values andbehavioral stan-

dards to personnelthrough policy state-ments, codes of con-

duct, and by example?

Does managementremove or reduce

incentives or temp-tations that mightprompt personnelto engage in dis-honest, illegal,

or unethicalacts?

13


- commitment to competence

Does management consider com-petence levels for specific jobs

and how those levels translate into requisite skills and knowledge?

14


- board of directors or audit committee The audit committee maintains communication between the Board of Directors and internal and external auditors. The committee is composed of outside members of the board. SEC companies are required to have an audit committee.

BOARD OFDIRECTORS

auditcommittee

internalauditors

externalauditors

15


- management’s philosophy and operating style

16


- management’s philosophy and operating style Consider the following: - their approach to taking and monitoring business risk

17

Factors related to the Control Environment:Factors related to the Control Environment:- management’s philosophy and operating style Consider the following: - their attitude and actions toward financial reporting

18


- management’s philosophy and operating style Consider the following: - their emphasis on meeting financial and operating goals

...our bonusesare based on net income.We all want fat bonuses!

What can we do?

19


- organizational structure The auditor should consider lines of responsibility and authority.

20

What are theformal methods that

management uses to communicateinternal controls to

employees?

Factors related to the Control Environment:Factors related to the Control Environment:- assignment of authority and responsibility

EmployeeHandbook

CompanyPolicies

JobDescription

Memo:

21


- human resource policies and practices Management should ensure that competent, trustworthy, motivated personnel are employed to meet client goals and objectives.

Employees are the critical com-ponent of effective internal control.

22

With competent, trustworthy, motivated per-sonnel, even a poorly designed system ofinternal control may function adequately.

Employees are the critical com-ponent of effective internal control.

23

Without such personnel, even a well-designed system will probably fail.

With competent, trustworthy, motivated per-sonnel, even a poorly designed system ofinternal control may function adequately.

24

Risk assessment for financial reportingis management’s identification and anal-ysis of risks relevant to financial state-

ment preparation in conformity with GAAP.

riskassessment


25

controlactivities

Control activities are policies and pro-cedures, in addition to those related to

other components, established to enablethe entity to address risks in the achievement of their objectives.

26

1. Adequate separation of duties - separate custody of assets from accounting

Mr. Controller

Categories of Control ActivitiesCategories of Control Activities

27

1. Adequate separation of duties - separate custody of assets from authorization of transactions

As custodian ofthe corporate auto fleet, I hearby authorize retire- ment of auto #43 because of obso- lescence.

#43

joe


28

1. Adequate separation of duties - separate operational responsibility from record keeping responsibility


Example: Ace company has two plants; one inGreat Britain and one in the U.S.A. Manage-ment is deciding whether the plant controllersshould report directly to the plant managersor the corporate vice president of finance.

29

plantcontroller

V.P.-production

V.P.- finance

plant manager

plantcontroller

plant manager

plantcontroller

V.P.-production

V.P.- finance

plant manager

plantcontroller

plant manager

plantcontroller

plant manager

Which arrangement creates a potential conflict of interest?

30

plantcontroller

V.P.-production

V.P.- finance

plant manager

plantcontroller

plant manager

Which arrangement creates a potential conflict of interest?

If the plant controller reports directly to theplant manager, a potential conflict of interestexists. In an effort to make that plant’s resultsappear favorable, the plant manager may at-

tempt to influence the plant controller.

31

1. Adequate separation of duties - separate duties within EDP


32

What kind of company typically has What kind of company typically has difficulty accomplishing adequate difficulty accomplishing adequate

segregation of duties?segregation of duties?

33

What kind of company typically has What kind of company typically has difficulty accomplishing adequate difficulty accomplishing adequate

segregation of duties?segregation of duties?

Small companies frequently have diffi-culty with segregation of duties because

of fewer employees.

34

Collusion is the defeat of adequate sep-aration of duties wherein employees

cooperate to perpetrate fraud.

...we’re agreed.We’ll be rich be-yond our wildest

dreams!

What is collusioncollusion??

35

What is the most effective way to What is the most effective way to preventprevent collusion? collusion?

36

hire competent, trustworthy,motivatedpersonnel

What is the most effective way to What is the most effective way to preventprevent collusion? collusion?

37

Competent, untrustworthy, motivatedpersonnel oftenknow how to conceal theirfraud.

Why is collusion particularly Why is collusion particularly troublesome for auditors?troublesome for auditors?

38

1. Adequate separation of duties2. Proper authorization of transactions and activities


39

1. Adequate separation of duties2. Proper authorization of transactions and activities - general authorization - management establishes authorization policies


accountspayablepolicies &procedures

cashreceiptspolicies &procedures

humanresourcespolicies &procedures

40

I’m thepresident and

I want to approveevery cashpayment!

Categories of Control ActivitiesCategories of Control Activities1. Adequate separation of duties2. Proper authorization of transactions and activities - specific authorization - management makes authorizations on a case-by- case basis.

41

1. Adequate separation of duties2. Proper authorization of transactions and activities3. Adequate documents and records should provide reasonable assurance that all assets are properly controlled and all transactions are correctly recorded.


42

DocumentDocumentGuidelinesGuidelinesDocumentsshould be:prenumbered and accountedfor

PURCHASE ORDER 32494 Date: Vendor: 234 Reynolda Rd. Winston-Salem, NC27109 Purchasing agent: Quantity Description Price

WAIT FORESTU N I V E R S I T Y

total cost of order

Est. shipment date: Terms of sale (including discounts and freight costs): Carrier:

Internal Use Only: (routing instructions)1.PO made in purchasing 3. receiving notes ship2.Copies to vendor, receiv. 4. acctg. reconciles

U N I V E R S I T Y

43

DocumentDocumentGuidelinesGuidelinesDocumentsshould be:preparedduring or soon after therelated transaction



total cost of order



U N I V E R S I T Y

44

DocumentDocumentGuidelinesGuidelinesDocumentsshould be:understand-able andcorrectlydesigned(includingrouting andauthorization)



total cost of order



U N I V E R S I T Y

45

DocumentDocumentGuidelinesGuidelines

Documentsshould be:designedformultiplepurposes

bc



total cost of order



U N I V E R S I T Y

a

46

2. Proper authorization of transactions and activities3. Adequate documents and records4. Physical control over assets and records - locking rooms, fenced areas, fireproof safes, safe deposit boxes, security guards, backup files


47

2. Proper authorization of transactions and activities3. Adequate documents and records4. Physical control over assets and records5. Independent checks on performance - those reviewing performance should be independent of those performing a task


48

5. Independent checks on performance


Separation of duties is the leastexpensive method of performing

independent checks.

49

informationand

communication


50

The accounting information andThe accounting information andcommunication system should becommunication system should be

designed to satisfy audit objectives.designed to satisfy audit objectives.

informationand

communication

51

- existence - the system should ensure that recorded transactions exist - no fictitious transactions


designed to satisfy audit objectives:designed to satisfy audit objectives:

52

- existence- completeness - the system should ensure that all existing transactions are recorded



53

How do the How do the existenceexistence and and completenesscompletenessobjectives differ?objectives differ?



- existence- completeness

54


Existence con-cerns the existence offictitious data; i.e., overstatement.

55


Existence con-cerns the existence offictitious data; i.e., overstatement.

Completeness concerns omission of information; i.e., under-

statement.

56

- existence- completeness- accuracy - the system should ensure that recorded transactions are stated at the correct amounts



57

- existence- completeness- accuracy- classification - the system should ensure that transactions are properly classified, possibly through use of a chart of accounts.



58

- existence- completeness- accuracy- classification- timing - the system should ensure that transactions are recorded on the correct dates. Generally, transactions should be recorded during or shortly after their occurrence.



59

- existence- completeness- accuracy- classification- timing- posting and summarization -the system should ensure that transactions are included in the accounting records and accurately summarized.



60

monitoring


61

monitoring

Monitoring activities deal with Monitoring activities deal with ongoing or periodic assessmentongoing or periodic assessment

of internal control.of internal control.

62

Internal auditing departmentsInternal auditing departments frequently perform monitoring frequently perform monitoring

activities.activities.

63

monitoringcontrol

activities

riskassessment

the controlenvironment

information andcommunication


64

ControlExamina-

tionOverview Obtain an understanding

of internal control.

HOW?HOW?

65

ControlExamina-

tionOverview

- review prior year workpapers- interview prior year auditors- interview client personnel- study client policies and procedures- study client documents, records, information and communication system

Obtain an understandingof internal control.

66

ControlExamina-

tionOverview

- narratives- flowcharts- internal control questionnaires

What is aninternal controlquestionnaire?

How do auditors document their under-

standing of internalcontrol?

67

Internal Control QuestionnaireInternal Control Questionnaire

What are theadvantages provided by

an IC questionnaire?

- a series of questions about internal controls and their application to groups of accounts and cycles- generally, a “no” answer indicates an internal control weakness

68

What are theadvantages provided by



- can be designed to cover most aspects of internal control - is relatively applicable from one en- gagement to another- when complete, can be quickly re- viewed for weaknesses

69


- concentrates on pieces of internal control rather than the system as a whole- has questionable reliability; oral client responses should be supported by other evidence- may be too standardized for some clients, especially smaller clients

What are thedisadvantages of using


70

Arefinancial statements

auditable?

ControlExamina-

tionOverview

- management lacks integrity- significantly deficient accounting records or internal controls

When would theWhen would theanswer be answer be NONO??

71

ControlExamina-

tionOverview

Assess control risk, basedon understanding.

72

ControlExamina-

tionOverview

Assess the cost/benefit offurther enhancing under-

standing of internal control.

73

ControlExamina-

tionOverview

high medium low

Assesscontrol

risk.

74

ControlExamina-

tionOverview

- high: poor controls indicate a very risky situation

high medium low

Assesscontrol

risk.

75

ControlExamina-

tionOverview

- high: poor controls indicate a very risky situation- medium: mix of effective and in- effective controls indicate a moderate level of risk

high medium low

Assesscontrol

risk.

76

ControlExamina-

tionOverview

- medium: mix of effective and in- effective controls indicate a moderate level of risk- low: effective controls indicate a low level of risk

high medium low

Assesscontrol

risk.

77

ControlExamina-

tionOverview

Perform tests of controls.

78

ControlExamina-

tionOverview

Decidewhether the initial

internal control assessmentwas appropriate.

79

ControlExamina-

tionOverview

Based on appropriatelevel of detection risk,

perform substantive tests.

80

What are What are reportable conditionsreportable conditions??

Reportable conditions are signifi-cant internal control deficiencieswhich adversely affect financial

data (AU 325).

81

AU 325requires the auditor to com-

municate (oral or written)with the audit committeeregarding the reportable

conditions.

Reportable conditions are signifi-cant internal control deficiencieswhich adversely affect financial

data (AU 325).