topic 5 internal control

8/2/2019 Topic 5 Internal Control

1/49

www.theiia.org

Internal Control

Week 3 (1)


2/49

www.theiia.org

Common definition

Internal control comprises the plan oforganisation and all of the coordinatemethods adopted within a business tosafeguard its assets, check the

accuracy and reliability of itsaccounting data, promote operationalefficiency, and encourage adherence to

prescribed managerial policies.


3/49

www.theiia.org

Definition of Internal control

The Committee of Sponsoring Organisations ofthe Treadway Commission (COSO) definesinternal control as:

a process, affected by an entitys board of

directors, management and other personnel,designed to provide reasonable assuranceregarding the achievement of objectives in thefollowing categories

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws and regulations


4/49

www.theiia.org

Compliance with laws and regulations

Efficiency and effectiveness of operations

Reliability of financial reporting

Internal Control Objectives


5/49

www.theiia.org

INTERNAL CONTROLS

Managements Perspective;

Auditors Perspective.

Introduction


6/49

www.theiia.org

INTERNAL CONTROLS

Managements to consider in implementing good

control:

Determine the need of control; Design suitable controls;

Implement these controls;

Check that they have been applied correctly;

Maintain & update controls;

Management Responsibilities


7/49

www.theiia.org

INTERNAL CONTROLS

Assessing those areas that are most at risky;

Defining & undertaking a program for reviewing

the high profile systems that attract the most risk;

Review each of the systems by examining &evaluating the associated systems;

Advising management whether controls are

operating adequately & effectively;

Recommending improvements;

Follow up audit.

Internal Audits Role


8/49

www.theiia.org

The framework


9/49

www.theiia.org

COSO Five Components ofInternal Control

Riskassessment

Controlactivities

Information andcommunication

Monitoring


10/49

www.theiia.org

Control environment

The foundation for all internal control Influencing the control consciousness in

organisation

Control environmental factor

Integrity, Ethical values, Competence oforganisations people

Managements philosophy and operating style

The way management assigns authority andresponsibility, organises and develops its people

Attention and direction provided by BOD


11/49

www.theiia.org

Risk Assessment

Assessment of internal and external risks inachieving organisations objectives

Economic, industry, regulatory and operatingcondition will continually change

Identify and address the specific riskassociated with change


12/49

www.theiia.org

Control activities

All policies and procedures to ensuremanagement directives are carried out

Ensure necessary actions to address risks

Occur at all levels and functions

Eg: approvals, authorisations, verifications,reconciliations, security of assets andsegregation of duties


13/49

www.theiia.org

Information and communication

information must be identified, captured andcommunicated

Includes operational, financial and compliance-relate information

Flowing down, across and up

To be communicated well so people understandtheir roles in the internal control system

Should effectively communicate to externalparties such as customers, suppliers, regulatorsand shareholders


14/49

www.theiia.org

Monitoring

Assess the quality of system performance

Achieved via ongoing monitoring activities andindependent evaluations

Internal control deficiencies should becommunicated to top management


15/49

www.theiia.org

INTERNAL CONTROLS

Integrity & ethical values;

A commitment to competence;

Participation of the board of directors & auditcommittee;

Managements philosophy & operating style;

Organisational structure;

Assignment of authority & responsibility; Human Resource policies & practices.

Factors Affecting ControlEnvironment


16/49

www.theiia.org

INTERNAL CONTROL

Changes in Operating Environment;

New Personnel;

New or revamped information system; Rapid growth;

New technology;

New lines, products or activities;

Corporate restructuring; Foreign operations; &

Accounting pronouncements.

Factors Affecting ClientBusiness Risks


17/49

www.theiia.org

INTERNAL CONTROL

Identify & record all valid transactions;

Describe on a timely basis the transactions in sufficient detail topermit proper classification of transactions for financial reporting;

Measure the value transactions in a manner that permits recording

their proper monetary value in the financial statements;

Determine the time period in which transactions occurred to permit

recording of transactions in the proper accounting period; Properly present the transactions & related disclosures in the financial

statements.

Information & CommunicationSystems


18/49

www.theiia.org

INTERNAL CONTROLS

Performance Review;

Information processing; Physical Controls;

Segregation of Duties.

Control Procedures


19/49

www.theiia.org

INTERNAL CONTROLS

Management override of Internal Control;

Personnel Errors & Mistakes; Collusion.

Limitation of Internal Control


20/49

www.theiia.org

INTERNAL CONTROLS

Overview;

Substantive strategy; Reliance Strategy;

Implementation.

Planning an Audit Strategy


21/49

www.theiia.org

INTERNAL CONTROLS

Validity;

Completeness; Timeliness;

Authorisation;

Valuation;

Classification;

Posting & Summarisation.

Internal Control Objectives


22/49

www.theiia.org

INTERNAL CONTROLS

Procedures Manuals & Organisation Charts;

Narrative descriptions; Internal control questionnaires;

Flowcharts.

Documenting the UnderstandingOf Internal Control


23/49

www.theiia.org

INTERNAL CONTROLS

Audit procedures directed at testing the

operating effectiveness of controls in preventing,or detecting & correcting, material misstatements

at the assertion level are referred as test of

controls.

Test of Controls


24/49

www.theiia.org

INTERNAL CONTROLS

Procedures:

Inquiry of appropriate client personnel;

Inspection of documents, reports, & electronic

media indicating the performance of the policy orprocedure;

Observation of the application of the policies &

procedures;

Reperformance of the application of the policy orprocedure by the auditor.

Test of Controls


25/49

www.theiia.org

INTERNAL CONTROL

Assessing control risk involves evaluating theeffectiveness of an entitys internal controls in

preventing or detecting material misstatements in

the financial statements.

Assessing & Documenting TheLevel of Control Risk


26/49

www.theiia.org

INTERNAL CONTROLS

Last step of decision process;

Directly to detection risk;

Substantive Procedures


27/49

www.theiia.org

INTERNAL CONTROLS

Interim test of controls;

Interim substantive procedures.

Timing of audit procedures


28/49

www.theiia.org

INTERNAL CONTROLS

Authorisation;

Physical access restriction;

Supervision;

Compliance checks;

Procedures manuals;

Recruitment & staff development practices;

Segregation of duties; Organisation structure;

Sequential numbering of documents;

Reconciliations;

Project & procurement management;

Financial systems control; IT security;

Performance management.

Control Mechanism


29/49

www.theiia.org

Obtain and document anunderstanding of internal control.


30/49

www.theiia.org

Four Phases of a Financial

Statement Audit

Phase 1

Obtain anunderstanding ofinternal control:

design andoperation

Phase 2 Assess controlrisk.

Phase 3Design, perform,

and evaluate testsof controls

Phase 4

Decide planned

detection riskand substantive

tests.


31/49

www.theiia.org

Obtain and DocumentUnderstanding of Internal

ControlSAS 55 and PCAOB Standard 2 both require

the auditor to obtain an understandingof internal control for every audit.

Procedures to obtain an understanding:Design of internal controls

Whether placed in operationUses this information as a basis for the

integrated audit.


32/49

www.theiia.org

Methods Used

Narrative

FlowchartInternalcontrol

questionnaire


33/49

www.theiia.org

Narrative

1. The origin of every documentand record in the system

2. All processing that takes place

3. The disposition of every documentand record in the system

4. An indication of the controls relevantto the assessment of control risk


34/49

www.theiia.org

Evaluating Internal Control

OperationUpdate and evaluate auditors previous

experience with the entity.

Make inquiries of auditee personnel.

Examine documents and records.

Observe entity activities and operations.Perform walkthroughs of the accounting system.


35/49

www.theiia.org

Assess control risk by linking key

controls, significant deficiencies,

and material weaknesses to

transaction-related audit

objectives.


36/49

www.theiia.org

Assess Control Risk

Assess whether the financial statementsare auditable.

Determine assessed control risk supportedby the understanding obtained assuming

the controls are being followed.

Use of a control risk matrixto assess control risk


37/49

www.theiia.org

Control Risk Matrix

Auditors use the control risk matrixtoidentify both controls and weaknesses

and to assess control risk.


38/49

www.theiia.org

Control Risk Matrix

Identify transaction-related audit objectives.

Identify existing controls.

Associate controls with transaction-relatedaudit objectives.

Identify and evaluate control deficiencies,significant deficiencies, and material weaknesses


39/49

www.theiia.org

Evaluating Significant

Control Deficiencies

MaterialWeakness

LIKELIHOOD

SIGNIFICANCE

Material

Immaterial

ProbableRemote


40/49

www.theiia.org

Communicate InternalControl Deficiencies and

Related Matters

Management letters

Audit committee communications


41/49

www.theiia.org

Describe the process of designing

and performing tests of controls.


42/49

www.theiia.org

Tests of Controls

The procedures to test effectiveness of controlsin support of a reduced assessed control

risk are called tests ofcontrols.


43/49

www.theiia.org

Procedures for Tests of

Controls1. Make inquiries of client personnel.

2. Examine documents, records, and reports.

3. Observe control-related activities.

4. Reperform client procedures.


44/49

www.theiia.org

Extent of Procedures

Reliance on evidence from prior years audit

Testing less than the entire audit period


45/49

www.theiia.org

Understand Section 404

requirements for auditorreporting on internal control.


46/49

www.theiia.org

Section 404 Reporting on

Internal Control

The auditors opinion on whether managementsassessment of the effectiveness of internalcontrol over financial reporting as of the

end of the fiscal period is fairly stated,in all material respects.

1


47/49

www.theiia.org

Section 404 Reporting on

Internal Control

The auditors opinion on whether the companymaintained, in all material respects, effective

internal control over financial reporting

as of the specified date.

2


48/49

www.theiia.org

Types of Opinions

Unqualified

Adverse

Qualified or disclaimer of opinion


49/49

www.theiia.org

Thank You

topic 5 internal control

Documents