7/27/2019 Assurance Internal Control

1/6

F I N A N C I A L R E P O R T I N G P L A I N E N G L I S H G U I D E

Understanding Internal Control

7/27/2019 Assurance Internal Control

2/6

The Plain English Guide

WHAT IS INTERNAL CONTROL?

series of publications is written for owners, governing boards, and

management of businesses and other organizations. The objective of these publications is to explain, in

non-technical terms, important business and financial reporting matters that auditors need to

communicate to their clients.

Since the Enron scandal, auditors, regulators and financial statement users have placed a renewed emphasis on

evaluating financial accounting control. Business owners are being called upon to understand and explain their

companys internal control, and, in some cases, to attest to its reliability. The purpose of this publication is to

help you better understand

The key elements of internal control,

The auditors responsibilities with regard to internal control testing, and

How to improve internal control at your organization.

Internal control is a process, an interconnected web of policies, procedures, attitudes and actions that worktogether to achieve a desired result. Businesses, not-for-profit organizations, state and local governments and

other organizations often produce financial statements for outside users. These organizations all seek to produce

reliable financial reports, and that requires a reliable system of internal control.

7/27/2019 Assurance Internal Control

3/6

Identifying What Can Go Wrong

Good internal control begins with an assessment of the risks facing the organization. You first need to ask what

can go wrong? in capturing, processing and reporting financial information, and then design controls and

procedures to prevent what can go wrong from going wrong.

Implementing Controls to Manage Risk

Control activities are designed to address the specific risks that management has identified. For example, if you

are a business owner concerned about fraudulent cash disbursements, then your business needs to design and

implement control procedures that address this risk.

Monitoring Control Performance

Management should supervise the performance of the control activities it puts in place. Business owners and

those responsible for preparing reliable financial information should monitor the performance of the system as awhole and be alert for signs that the systems may not be functioning well. If management becomes aware of

control weaknesses, it should take prompt corrective action.

Communicating Information

Information must be effectively communicated throughout the organization. For example, the person responsible

for preparing a report or performing an important control procedure must have a clear understanding of their

responsibilities. If an error in processing financial information is found, it needs to be promptly communicated

to the person who can correct it.

Implementing a Reliable Financial Information System

Business owners, management and employees use the information generated from the companys system to

perform their job functions and make important decisions. Accordingly, all organizations must have a reliable

system to ensure that the information is

Accurate

Complete, and

Timely

Establishing an Effective Control Environment

Management must establish a proper tone at the top, one that consistently reinforces the organizations

commitment to complete, transparent, and accurate financial reporting. The control environment is comprised of

a variety of attitudes, policies, procedures and the conduct of its employees, which range from the organizations

personnel policies to how management responds to reports of potential unethical business practices. The control

environment is the foundation of the organizations internal control. Without a solid foundation, all other

control components are quickly rendered ineffective.

COMPONENTS OF INTERNAL CONTROL

7/27/2019 Assurance Internal Control

4/6

Internal Control Isnt Just for the Accounting Department

The components of internal control span many aspects of an entitys operations and involve individuals outside

the accounting department. For example

The entitys hiring, training, and promotion policies are an important element of the control environment,

helping to ensure that key procedures are performed by qualified personnel.

Operations personnel may observe non-financial inaccuracies in the information they use to run the business.

Reporting these inaccuracies is critical for management to effectively monitor control performance.

Sales personnel may negotiate special terms with certain customers, and these terms should be communicated

to others within the organization so that a sale can be authorized and properly accounted for.

The scope of internal control is very broad. In implementing and maintaining their control system, management

should consider how the entire organization is managed, and how the various elements of control work togetherto prevent or detect and correct errors in the information system.

Managements Responsibilities

A business owner, the governing board, and management share the ultimate responsibility for establishing and

maintaining internal control. Certain internal control functions can be outsourced or delegated, but not the

responsibility for internal control. An annual financial statement audit cannot be the first line of defense in

finding and correcting errors in the information used every day to manage the organization.

As part of a financial statement audit, your organizations auditors evaluate some of the entitys internal controls.

When evaluating internal control design as part of the audit of a non-public entity, the auditors primary

objectives are to obtain an understanding of control that will enable him or her to

Identify the types of misstatements that could occur in the capture, processing and reporting of important

information

Assess the likelihood that these misstatements could occur and, if they did, their magnitude, and

Based on that assessment, the design of further audit tests

How Auditors Achieve Their Internal Control Objectives

Auditors evaluate the design of each component of internal control. Typically, the auditor gathers information

about entity-wide controls that affect the entire organization. For example, the auditor assesses characteristics

of the control environment to determine whether it provides an appropriate level of control consciousness within

AUDITORS AND INTERNAL CONTROL

IMPLEMENTING AND MAINTAINING INTERNAL CONTROL

7/27/2019 Assurance Internal Control

5/6

the organization and supports the effective functioning of other control activities. Auditors also evaluate other

entity-wide control elements such as communication and the preparation of the financial statements.

After evaluating the design of entity-wide controls, the auditor then focuses attention on the more specific

controls related to significant classes of transactions, material accounts, and those areas that seem most

vulnerable to fraud. At this more specific, activity-level, auditors perform a what can go wrong analysis to

determine what control activities the organization should have in place. They then determine which controls the

organization actually has implemented to identify potential gaps in internal control design.

Audit Procedures Related to Internal Control

Inquiries of management and company personnel constitute a significant portion of the procedures auditors

typically perform to gather information about the design of internal controls. However, auditors also corroborate

the responses they receive by performing additional procedures, such as reading related documentation,

observing the performance of control activities, or performing walkthroughs of the entitys information

processing and related controls.

The auditors evaluation of internal control allows the auditor to identify some, but not necessarily all,

deficiencies that may exist in the design of an organizations internal control. The auditor may also decide to

test the operation of certain internal controls. There may have been problems in the way a control procedure

was performed during the year, but the nature of the auditors work is such that these deficiencies in control

operation probably will not be detected as part of the financial statement audit.

Evaluating the Severity of a Control Deficiency

When an auditor identifies a gap in the design of internal control, he or she must evaluate the significance of

that gap by determining whether it is a material weakness (severe), a significant deficiency (less severe), or

inconsequential.

To make this determination, auditors will assess

The likelihood that a misstatement to the financial statements could exist as a result of the control deficiency,

and

The magnitude of the misstatement that would occur.

In general, as the likelihood and magnitude of the misstatement increases, the relative severity of the control

deficiency also rises.

Determining the relative significance of a control deficiency requires professional judgment.

Written Communication of Internal Control Deficiencies

Auditors must communicate in writing all identified material weaknesses and significant deficiencies in internal

control identified. In many instances, the auditor will communicate these matters in a letter at the conclusion

of the engagement; however the auditor also may communicate the existence of control deficiencies as they are

identified.

IDENTIFICATION AND COMMUNICATION OF INTERNAL CONTROL DEFICIENCIES

7/27/2019 Assurance Internal Control

6/6

How Management Contributes to Internal Control Effectiveness

In order to establish and maintain internal control, management should be actively involved in matters

such as

Identifying and assessing what can go wrong in preparing reliable financial information. (See table below).

Determining how best to mitigate or control these risks, based on the magnitude and likelihood of the threat.

Monitoring others in the performance of their control functions.

Setting an appropriate tone at the top for employees to follow by displaying the proper attitude toward

financial reporting and internal control matters.

Exercising proper oversight of the financial reporting process.

Remember that internal control is not a one-size fits all proposition. Your organizations internal control shouldbe designed to fit your organizations particular circumstances, including its people, its information system and

its organizational structure.

Seven Questions

Management Should Ask

About Internal Control

A key step in establishing

a reliable system of

internal control is to

identify and respond to

the risks relating to

financial reporting. This

process should begin by

asking the question what

can go wrong in the

capture, processing and

reporting of information.

WHAT CAN GO WRONG?

Here are seven questions management should askabout each class of transactions that is significant tothe companys operations (for example, sales, payroll,

or cash disbursements).

Are the transactions that have been captured validand properly authorized transactions?

Have all valid transactions been captured?

Have transactions been recorded at their properamounts?

Have the transactions been captured in the properaccounting period?

Have individual transactions been properly

summarized?

Have the transactions been classified properly foraccounting purposes? That is, if an expense is amarketing expense, are there controls in place tomake sure it has been classified as a marketingexpense?

Have all summarized transactions been postedcorrectly to the accounting records?

WHAT YOU CAN DO TO IMPROVE YOUR ORGANIZATIONS INTERNAL CONTROL