1 CHAPTER 5 INTERNAL CONTROL OVER FINANCIAL REPORTING.


1

CHAPTER 5

INTERNAL CONTROL OVER FINANCIAL REPORTING

2

Define Internal Controls - COSO

Internal control is a process designed to provide reasonable assurance of achieving the following:

- Generating reliable financial accounting information
- Safeguarding assets
- Complying with applicable laws and regulations
- Operating efficiently and effectively

3

The Need for Control

- Control is part of corporate governance whereby the owners and creditors of an organization exert control and require accountability for its resources
- Governance begins with stockholders, who delegate certain responsibilities to the board of directors and in turn to management
- That delegation must occur within a framework of control and accountability
- The control system exists to ensure that:
  - Responsibilities are properly identified
  - Tasks are assigned in accordance with responsibilities and accountability

4

The Integrated Audit

- The Sarbanes-Oxley Act of 2002 requires publicly held companies to report on the effectiveness of their internal controls over financial reporting
- The Public Company Accounting Oversight Board requires external auditors to perform an integrated audit of the effectiveness of internal controls and financial reporting
- In essence, the auditor must attest to both the financial statements and management's assertions regarding the effectiveness of internal controls over financial reporting

5

LO2 - The components of an internal control system

An internal control system consists of five components

1. Control environment: overall attitude, awareness, and actions of significant internal groups to maintain a well-controlled organization (tone at the top)

2. Risk assessment: process designed to identify and manage risks that may affect its ability to achieve its objectives

3. Control activities: policies and procedures established by management to help ensure that internal control objectives are achieved and risks mitigated

4. Information and communication: process of identifying, capturing, and exchanging information in a timely fashion to enable the organization to achieve its objectives

5. Monitoring: process that assesses the quality of internal controls over time

6

Internal Control Components (diagram): Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring

7

LO4 - Understanding & Assessing the Control Environment – The most pervasive of them all

There are a number of factors an auditor should look at when evaluating an organization's control environment:

- Management's philosophy and operating style
- Organizational structure, including assignment of authority and responsibility
- Board of directors and audit committee
- Human resource policies and practices
- Integrity and ethical values
- Commitment to competence
- Compensation and evaluation programs
- Effectiveness of the internal audit function

8

LO6 - Audit Reporting on Internal Control

External auditors of non-public companies must report to management significant internal control deficiencies in the design or operation of internal controls that are identified in the normal course of a financial audit.

Such reports are for management's use and are not intended to be distributed to the public

External auditors of public companies must go beyond the report to management and also report on management's assertion regarding the effectiveness of internal controls over financial reporting

- Includes an opinion on the client's internal controls
- Included in the company's annual report

9

LO7 - Audit Reporting on Internal Control (continued)

The PCAOB's proposed report on internal controls would include a(n):

- Description of internal control, its objectives, and inherent limitations
- Definition of material deficiency in internal control
- Description of all material deficiencies found
- Opinion regarding effectiveness of company's internal controls

10

Audit Reporting on Internal Control (continued)

According to the Sarbanes-Oxley Act, if an auditor identifies significant or material deficiencies in internal control:

- Those deficiencies must be reported to both management and the audit committee
- Deficiencies must be reported to the audit committee even if management has addressed the deficiency and implemented new controls

The stated intent of the Sarbanes-Oxley Act is to ensure boards of directors understand they have a responsibility to improve the governance of the organization

11

CHAPTER 5 - b

INTERNAL CONTROL OVER FINANCIAL REPORTING

12

Account Balance Assertions & Related Objectives

- Presentation & Disclosure - an item is disclosed, classified, and described in accordance with the applicable financial reporting framework
- Existence - an asset or a liability exists at a given date
- Rights and obligations - an asset or a liability pertains to the entity at a given date
- Completeness - there are no unrecorded assets, liabilities, transactions or events, or undisclosed items
- Valuation - an asset or liability is recorded at an appropriate carrying value

13

Transaction Assertions & Related Control Objectives

- Occurrence – Recorded transactions and events have occurred and pertain to the entity
- Completeness – All transactions and events that should have been recorded have been recorded
- Accuracy – Amounts and other data have been recorded accurately
- Cutoff – Transactions and events have been recorded in the correct accounting period
- Classification – Transactions and events have been recorded in the proper accounts

14

Overview of Controls Testing - Pervasive Control Activities (types of)

Some control procedures are found in almost all accounting systems:

a) Segregation of duties
b) Authorization procedures
c) Documented transaction trail
d) Physical controls to limit access to assets
e) Independent reconciliation
f) Competent, trustworthy employees

15

(a) Segregation of Duties

Very fundamental, should always separate:

- Authorization
- Record keeping
- Custody (Physical)

16

(b) Authorization Procedures

These ensure that only authorized:

- Transactions take place
- Activities take place
- Access to records is permitted

17

(c) Documentation

- Documentation must be such that a proper audit trail exists
- This will obviously be more difficult in a computerized environment, but still can be achieved.

18

(d) Physical Controls to Assets

- Security locks
- Fences
- Keys
- Passwords, etc.
- Vaults, safes

19

(e) Reconciliation

Comparisons must always be done between:

- What was submitted and what was processed
- What physically exists and what is recorded
- Internal records and external records

20

(f) Competent & Trustworthy Employees

These employees help to make controls work

21

Overview of Controls Testing – Integrated Audit (per PCAOB) vs. Normal Audit

Compare Exhibit 5.11 and Exhibit 5.12 on pages 168 & 169

22

Control Effectiveness and Control Risk Assessment

Process for evaluating controls:

1. Obtain an understanding of risks and internal controls

2. Make a preliminary assessment of control risk and decide whether to test operation of control procedures

3. Test operating effectiveness of controls

4. Based on the results of testing, determine whether to revise the assessment of control risk and incorporate this revision into the substantive testing

23

1. Obtain an Understanding

The auditor needs to gain an understanding of how each significant accounting application operates and the control procedures used

The auditor gathers evidence by:

- Performing walkthroughs of the accounting system and processing procedures and documenting them via narrative memo and/or flowchart
- Making inquiries of management, and accounting and operational employees
- Taking plant and operational tours
- Reviewing client documentation including accounting manuals and program and system descriptions
- Reviewing prior year audit work papers and then focusing on changes

The auditor documents his/her understanding using flowcharts (Visio), questionnaires, and narratives (see pages 176 & 177)

24

2. Make Preliminary Assessment of Control Risk

After gaining an understanding, the auditor makes a preliminary assessment of control risk - this assessment is crucial because it drives the planning for the rest of the audit

The relationship between the assessed level of control risk and the rigor of the subsequent substantive testing is inverse:

- If control risk is assessed as high:
  - No reliance is placed on the client's internal controls
  - The amount and rigor of substantive testing must be increased
- If control risk is assessed as low:
  - The auditor would like to rely on the client's internal controls
  - The amount and rigor of substantive testing may not have to be increased
  - However, the auditor must test the controls to make sure they are operating effectively (and document it)

25

3. Perform Tests of Controls

- The preliminary assessment of control risk is based on the auditor's understanding of the control system and how it has operated in the past
- When control risk is assessed low, and the auditor intends to rely on the client's controls, the auditor may reduce (or not increase) the amount of substantive testing
- To ensure that the auditor's reliance on the client's control is warranted, the auditor must test the control to make sure it is operating effectively
  - Guidance on Sample Size for Testing Controls (Ch 9)
  - Testing Controls Across Multiple Locations
  - Dual Purpose Tests (transaction & substantive)
  - Assessing Control Risk as Moderate (see next slide)

26

4. Update Assessment of Control Risk & Need for Substantive Testing

If testing indicates the control is not operating effectively, the auditor will revise the preliminary assessment of control risk and incorporate this revision into the subsequent substantive testing