Assurance Internal Control
Transcript of Assurance Internal Control
-
7/27/2019 Assurance Internal Control
1/6
F I N A N C I A L R E P O R T I N G P L A I N E N G L I S H G U I D E
Understanding Internal Control
-
7/27/2019 Assurance Internal Control
2/6
The Plain English Guide
WHAT IS INTERNAL CONTROL?
series of publications is written for owners, governing boards, and
management of businesses and other organizations. The objective of these publications is to explain, in
non-technical terms, important business and financial reporting matters that auditors need to
communicate to their clients.
Since the Enron scandal, auditors, regulators and financial statement users have placed a renewed emphasis on
evaluating financial accounting control. Business owners are being called upon to understand and explain their
companys internal control, and, in some cases, to attest to its reliability. The purpose of this publication is to
help you better understand
The key elements of internal control,
The auditors responsibilities with regard to internal control testing, and
How to improve internal control at your organization.
Internal control is a process, an interconnected web of policies, procedures, attitudes and actions that worktogether to achieve a desired result. Businesses, not-for-profit organizations, state and local governments and
other organizations often produce financial statements for outside users. These organizations all seek to produce
reliable financial reports, and that requires a reliable system of internal control.
-
7/27/2019 Assurance Internal Control
3/6
Identifying What Can Go Wrong
Good internal control begins with an assessment of the risks facing the organization. You first need to ask what
can go wrong? in capturing, processing and reporting financial information, and then design controls and
procedures to prevent what can go wrong from going wrong.
Implementing Controls to Manage Risk
Control activities are designed to address the specific risks that management has identified. For example, if you
are a business owner concerned about fraudulent cash disbursements, then your business needs to design and
implement control procedures that address this risk.
Monitoring Control Performance
Management should supervise the performance of the control activities it puts in place. Business owners and
those responsible for preparing reliable financial information should monitor the performance of the system as awhole and be alert for signs that the systems may not be functioning well. If management becomes aware of
control weaknesses, it should take prompt corrective action.
Communicating Information
Information must be effectively communicated throughout the organization. For example, the person responsible
for preparing a report or performing an important control procedure must have a clear understanding of their
responsibilities. If an error in processing financial information is found, it needs to be promptly communicated
to the person who can correct it.
Implementing a Reliable Financial Information System
Business owners, management and employees use the information generated from the companys system to
perform their job functions and make important decisions. Accordingly, all organizations must have a reliable
system to ensure that the information is
Accurate
Complete, and
Timely
Establishing an Effective Control Environment
Management must establish a proper tone at the top, one that consistently reinforces the organizations
commitment to complete, transparent, and accurate financial reporting. The control environment is comprised of
a variety of attitudes, policies, procedures and the conduct of its employees, which range from the organizations
personnel policies to how management responds to reports of potential unethical business practices. The control
environment is the foundation of the organizations internal control. Without a solid foundation, all other
control components are quickly rendered ineffective.
COMPONENTS OF INTERNAL CONTROL
-
7/27/2019 Assurance Internal Control
4/6
Internal Control Isnt Just for the Accounting Department
The components of internal control span many aspects of an entitys operations and involve individuals outside
the accounting department. For example
The entitys hiring, training, and promotion policies are an important element of the control environment,
helping to ensure that key procedures are performed by qualified personnel.
Operations personnel may observe non-financial inaccuracies in the information they use to run the business.
Reporting these inaccuracies is critical for management to effectively monitor control performance.
Sales personnel may negotiate special terms with certain customers, and these terms should be communicated
to others within the organization so that a sale can be authorized and properly accounted for.
The scope of internal control is very broad. In implementing and maintaining their control system, management
should consider how the entire organization is managed, and how the various elements of control work togetherto prevent or detect and correct errors in the information system.
Managements Responsibilities
A business owner, the governing board, and management share the ultimate responsibility for establishing and
maintaining internal control. Certain internal control functions can be outsourced or delegated, but not the
responsibility for internal control. An annual financial statement audit cannot be the first line of defense in
finding and correcting errors in the information used every day to manage the organization.
As part of a financial statement audit, your organizations auditors evaluate some of the entitys internal controls.
When evaluating internal control design as part of the audit of a non-public entity, the auditors primary
objectives are to obtain an understanding of control that will enable him or her to
Identify the types of misstatements that could occur in the capture, processing and reporting of important
information
Assess the likelihood that these misstatements could occur and, if they did, their magnitude, and
Based on that assessment, the design of further audit tests
How Auditors Achieve Their Internal Control Objectives
Auditors evaluate the design of each component of internal control. Typically, the auditor gathers information
about entity-wide controls that affect the entire organization. For example, the auditor assesses characteristics
of the control environment to determine whether it provides an appropriate level of control consciousness within
AUDITORS AND INTERNAL CONTROL
IMPLEMENTING AND MAINTAINING INTERNAL CONTROL
-
7/27/2019 Assurance Internal Control
5/6
the organization and supports the effective functioning of other control activities. Auditors also evaluate other
entity-wide control elements such as communication and the preparation of the financial statements.
After evaluating the design of entity-wide controls, the auditor then focuses attention on the more specific
controls related to significant classes of transactions, material accounts, and those areas that seem most
vulnerable to fraud. At this more specific, activity-level, auditors perform a what can go wrong analysis to
determine what control activities the organization should have in place. They then determine which controls the
organization actually has implemented to identify potential gaps in internal control design.
Audit Procedures Related to Internal Control
Inquiries of management and company personnel constitute a significant portion of the procedures auditors
typically perform to gather information about the design of internal controls. However, auditors also corroborate
the responses they receive by performing additional procedures, such as reading related documentation,
observing the performance of control activities, or performing walkthroughs of the entitys information
processing and related controls.
The auditors evaluation of internal control allows the auditor to identify some, but not necessarily all,
deficiencies that may exist in the design of an organizations internal control. The auditor may also decide to
test the operation of certain internal controls. There may have been problems in the way a control procedure
was performed during the year, but the nature of the auditors work is such that these deficiencies in control
operation probably will not be detected as part of the financial statement audit.
Evaluating the Severity of a Control Deficiency
When an auditor identifies a gap in the design of internal control, he or she must evaluate the significance of
that gap by determining whether it is a material weakness (severe), a significant deficiency (less severe), or
inconsequential.
To make this determination, auditors will assess
The likelihood that a misstatement to the financial statements could exist as a result of the control deficiency,
and
The magnitude of the misstatement that would occur.
In general, as the likelihood and magnitude of the misstatement increases, the relative severity of the control
deficiency also rises.
Determining the relative significance of a control deficiency requires professional judgment.
Written Communication of Internal Control Deficiencies
Auditors must communicate in writing all identified material weaknesses and significant deficiencies in internal
control identified. In many instances, the auditor will communicate these matters in a letter at the conclusion
of the engagement; however the auditor also may communicate the existence of control deficiencies as they are
identified.
IDENTIFICATION AND COMMUNICATION OF INTERNAL CONTROL DEFICIENCIES
-
7/27/2019 Assurance Internal Control
6/6
How Management Contributes to Internal Control Effectiveness
In order to establish and maintain internal control, management should be actively involved in matters
such as
Identifying and assessing what can go wrong in preparing reliable financial information. (See table below).
Determining how best to mitigate or control these risks, based on the magnitude and likelihood of the threat.
Monitoring others in the performance of their control functions.
Setting an appropriate tone at the top for employees to follow by displaying the proper attitude toward
financial reporting and internal control matters.
Exercising proper oversight of the financial reporting process.
Remember that internal control is not a one-size fits all proposition. Your organizations internal control shouldbe designed to fit your organizations particular circumstances, including its people, its information system and
its organizational structure.
Seven Questions
Management Should Ask
About Internal Control
A key step in establishing
a reliable system of
internal control is to
identify and respond to
the risks relating to
financial reporting. This
process should begin by
asking the question what
can go wrong in the
capture, processing and
reporting of information.
WHAT CAN GO WRONG?
Here are seven questions management should askabout each class of transactions that is significant tothe companys operations (for example, sales, payroll,
or cash disbursements).
Are the transactions that have been captured validand properly authorized transactions?
Have all valid transactions been captured?
Have transactions been recorded at their properamounts?
Have the transactions been captured in the properaccounting period?
Have individual transactions been properly
summarized?
Have the transactions been classified properly foraccounting purposes? That is, if an expense is amarketing expense, are there controls in place tomake sure it has been classified as a marketingexpense?
Have all summarized transactions been postedcorrectly to the accounting records?
WHAT YOU CAN DO TO IMPROVE YOUR ORGANIZATIONS INTERNAL CONTROL