chapter 5 internal control over financial reporting
TRANSCRIPT
CHAPTER 5
INTERNAL CONTROL OVER FINANCIAL REPORTING
Comment on the Quality of an Organization’s Internal Controls
The quality of an organization's internal controls affects not only the reliability of its financial reporting, but also its ability to make good decisions and stay in business
Internal control processes must effectively address risks that are present in the industry and in the organization
Auditors gain an understanding of their client's control system in order to
Better understand the client, its risks, and how it manages those risks
Assess control risk and identify types of most likely misstatements
Plan extent of substantive testing needed Report on effectiveness of internal controls (publicly-
held companies)
Define Internal Controls
Internal controls is a process designed to provide reasonable assurance of achieving the following:
Generating reliable financial accounting information
Safeguarding assetsComplying with applicable laws and
regulationsOperating efficiently and effectively
Review the Need for Control
Control is part of corporate governance whereby the owners and creditors of an organization exert control and require accountability for its resources
Governance begins with stockholders, who delegate certain responsibilities to the board of directors and in turn to management
That delegation must occur within a framework of control and accountability
The control system exists to ensure that
Responsibilities are properly identified
Tasks are assigned in accordance with responsibilities and accountability
Who is Interested in an Organization's Control System? Board of directors and the audit
committeeManagementRegulatorsInternal and external auditorsSuppliers and customersInvestors and creditorsCustomers or others using the Web for
commerce
Discuss the Integrated Audit
The Sarbanes-Oxley Act of 2002 requires publicly held companies to report on the effectiveness of their internal controls over financial reporting
The Public Company Accounting Oversight Board requires external auditors to perform an integrated audit of the effectiveness of internal controls and financial reporting
In essence, the auditor must attest to both the financial statements and management's assertions regarding the effectiveness of internal controls over financial reporting
Review the Components of an Internal Control System
An internal control system consists of five components
Control environment: overall attitude, awareness, and actions of significant internal groups to maintain a well-controlled organization (tone at the top)
Risk assessment: process designed to identify and manage risks that may affect its ability to achieve its objectives
Control activities: policies and procedures established by management to help ensure that internal control objectives are achieved and risks mitigated
Information and communication: process of identifying, capturing, and exchanging information in a timely fashion to enable the organization to achieve its objectives
Monitoring: process that assesses the quality of internal controls over time
What are the components of an internal control system?
There is a logical loop to an organization's internal controls, starting with
1. Design of the control environment2. Identification of organizational risks
and controls to minimize those risks3. Design and implementation of controls
and a communication system4. Monitoring of the effectiveness of the
controls to mitigate risk
Discuss Understanding & Assessing the Control Environment
There are a number of factors an auditor should look at when evaluating an organization's control environment:
Management's philosophy and operating style Organizational structure, including assignment of
authority and responsibility Board of directors and audit committee Human resource policies and practices Integrity and ethical values Commitment to competence Compensation and evaluation programs Effectiveness of the internal audit function
Reporting on Internal Control - Management Reports to External Parties
The Sarbanes-Oxley Act of 2002 requires publicly held companies to report on the effectiveness of their internal controls over financial reporting
The report must describe the following: Statement of management's responsibility for
establishing and maintaining effective internal controls over financial reporting
Identify the framework used by management to evaluate internal controls
Assessment of the effectiveness of the company's internal controls
Description of any material deficiencies in internal control Statement that the report has been audited The external auditor must attest to management's report
Reporting on Internal Control - Internal Management Reports
Management often requests reports on the quality of its internal controls in order to ensure the company can achieve its major objectives and is not exposed to unnecessary risks
Management receives reports from three sources:
Ongoing monitoring reports from operationsInternal audit reportsExternal audit reports
Audit Reporting on Internal Control
External auditors of non-public companies must report significant internal control deficiencies to management
Such reports are for management's use
Not intended to be distributed to the public
External auditors of public companies must go beyond the report to management and also report on management's assertion regarding the effectiveness of internal controls over financial reporting
Includes an opinion on the client's internal controls
Included in the company's annual report
Audit Reporting on Internal Control
In performing an audit of controls, the auditor must
Review client documentation including how controls are supposed to work (design)
Review client testing of controls (operations)Determine which controls to test, sample
sizes, and how to judge whether a control is operating effectively
Reach conclusion about the effectiveness of client internal controls over financial reporting
Audit Reporting on Internal Control (continued)
The PCAOB's proposed report on internal controls would include a(n):
Description of internal control, its objectives, and inherent limitations
Definition of material deficiency in internal control
Description of all material deficiencies found
Opinion regarding effectiveness of company's internal controls
Audit Reporting on Internal Control (continued)
According to the Sarbanes-Oxley Act, if an auditor identifies significant or material deficiencies in internal control,
Those deficiencies must be reported to both management and the audit committee
Deficiencies must be reported to the audit committee even if management has addressed the deficiency and implemented new controls
The stated intent of the Sarbanes-Oxley Act is to ensure boards of directors understand they have a responsibility to improve the governance of the organization
Discuss Relationship of Controls to Auditing
Minimum level of control is necessary for an entity to be auditable
The quality of internal controls affects the operating effectiveness and ultimately, the organization's ability to remain a going concern
The quality of internal controls drives the audit approach and amount of testing
Analysis of control deficiencies helps identify the types of likely misstatements
Inadequate controls may place an organization in violation of federal laws
Auditor is required to attest to management's assessment of the effectiveness of internal control over financial reporting for all public companies
Review Accounting Information Systems
Accounting systems capture, record, summarize, and report information
An accounting information system is typically not one big system, but a network of smaller accounting application/subsystem
Each application processes a unique type of transactionExamples: sales, accounts receivable, accounts
payable, cash receipt cash disbursements, payroll, inventory, etc
Each application has its own unique source documents, processes, and controls
The quality of internal control can vary between applications
The auditor develops understanding of how transactions are entered and processed, and the controls for each significant accounting application
Discuss Internal Control & Financial Statement Account Balances
Auditor assesses control risk for each relevant assertion for each important class of transactions and account balance as a basis for planning the audit
Auditor needs to understand and evaluate the internal control design for all important accounting applications
Auditor needs to evaluate the effectiveness of internal control over financial reporting for accounting applications that process material transactions
Auditor has to evaluate controls in systems that Record revenue Deal with significant estimates Process journal entries near the end of the year to close the
books Deal with off-statement financing or related party
transactions Auditor needs to jointly assess organization's
control environment and the specific accounting system controls to evaluate the risk of material deficiency in internal control
To conclude internal controls are effective, auditor must obtain evidence that the control structure is soundly designed AND operating effectively
Discuss Internal Control & Financial Statement Account Balances
Review Assessing the Effectiveness of Control Procedures
Management designs and implements specific control procedures to ensure that the company will achieve its control objectives - and if the control objectives are achieved, the management assertions are likely to be valid, and the account balance and transactions properly recorded
The auditor assesses the organization's control procedures within a framework of control objectives and management assertions
In order to perform this assessment, the auditor must understand the accounting processes within each system, the related accounts, and the risk associated with incorrect processes
With this knowledge, the auditor can identify which management assertions and control objectives are most likely to be violated
From this, the auditor can identify appropriate control procedures that can then be assessed for effectiveness in design and operation
Discuss Overview of Controls Testing - Pervasive Control Activities
Some control procedures are found in almost all accounting systems:
Segregation of incompatible dutiesAuthorization proceduresDocumented transaction trailPhysical controls to limit access to
assetsIndependent reconciliation Competent, trustworthy employees
Comment on Control Effectiveness and Control Risk Assessment
Process for evaluating controls:Phase 1: Obtain an understanding of risks and
internal controlsPhase 2: Make a preliminary assessment of
control risk and decide whether to test operation of control procedures
Phase 3: Test operating effectiveness of controls
Phase 4: Based on the results of testing, determine whether to revise the assessment of control risk and incorporate this revision into the substantive testing
Review Phase One - Obtain an Understanding
Auditor needs to gain understanding of each significant accounting application operates and the control procedures used
The auditor gathers evidence Performing walkthroughs of the accounting system and
processing procedures Making inquires of management, and accounting and
operational employees Taking plant and operational tours Reviewing client documentation including accounting
manuals and program and system descriptions Reviewing prior year audit work papers
The auditor documents his/her understanding using flowcharts, questionnaires, and narratives
Review Phase Two - Make Preliminary Assessment of Control Risk
After gaining an understanding, the auditor makes a preliminary assessment of control risk - this assessment is crucial because it drives the planning for the rest of the audit
The relationship between the assessed level of control risk and the rigor of the subsequent substantive testing is inverse:
If control risk is assessed as high, No reliance is placed on the client's internal controls The amount and rigor of substantive testing must be
increased If control risk is assessed as low
The auditor would like to rely on the client's internal controls
The amount and rigor of substantive testing may not have to be increased
However, the auditor must test the controls to make sure they are operating effectively
Review Phase Three - Perform Tests of Controls
The preliminary assessment of control risk is based on the auditor's understanding of the control system and how it has operated in the past
When control risk is assessed low, and the auditor intends to rely on the client's controls, the auditor may reduce (or not increase) the amount of substantive testing
To ensure that the auditor's reliance on the client's control is warranted, the auditor must test the control to make sure it is operating effectively
Guidance on Sample Size for Testing Controls Testing Controls Across Multiple Locations Dual Purpose Tests Assessing Control Risk as Moderate
Review Phase Four - Update Assessment of Control Risk & Need
for Substantive Testing
If testing indicates the control is not operating effectively, the auditor will revise the preliminary assessment of control risk and incorporate this revision into the subsequent substantive testing