Auditing - Evaluation of Internal Controls · i Auditing - Evaluation of Internal Controls...

i Auditing - Evaluation of Internal Controls Presented by And Publication Date: June 16, 2020


Auditing - Evaluation of

Internal Controls

Presented by

And

Publication Date: June 16, 2020

Copyright Notice

Copyright 2020 by CPE365.

All rights reserved. No part of this work may be used, reproduced, or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without prior agreement and written permission from CPE365.

The contents of this program are subject to revision without notice due to the continued evolution of auditing standards.

This program is presented as is, without warranty of any kind, including but not limited to implied warranties of the workbook's quality, performance, merchantability, or fitness for any particular purpose. CPE365 shall not be liable to the purchaser or any other entity with respect to liability, loss, or damage caused directly or indirectly by using this program.

All brand names, trademarks, and registered trademarks are the property of their respective holders.

CPE365

5098 Foothills Blvd.

Suite 3101

Roseville, CA 95747

Table of Contents

Introduction

Course Objectives

Internal Controls

Effects of Internal Auditor on Controls

AU 322.9 Competence of the Internal Auditors

AU 322.10 Objectivity of the Internal Auditors

AU 322.11

Audit Committee

Internal Controls Vary by Organization

Reliability of Financial Reporting

Efficiency of Operations

Compliance with Laws and Regulations

Example of Section 404 Management Report on Internal Control over Financial Reporting

AU Section 110.03

Reasonable Assurance

AU Section 110.02

Auditing Standard No. 5

Inherent Limitations

Internal Control Design

Effectiveness of Internal Controls

Standards for Financial Audits

Reliability of Financial Reporting Controls

Classes of Transactions Controls

Auditor Responsibilities for Testing Internal Control

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

Internal Control Components

Control Environment

Organizational Ethical Values and Integrity

Commitment to Competence

Obtaining Written Representations

Management Operating Style and Practices

Organizational Structure

Human Resource Policies and Practices

Risk Assessment

Audit Risk

.27

.28

.29

.30

.31

.32

.33

Control Activities

Segregation of duties

Separation of the Custody of Assets from Accounting

Separation of the Authorization of Transactions from the Custody of Related Assets

Separation of Operational Responsibility from Record-Keeping Responsibility

Separation of IT Duties from User Departments

Transaction Authorization

Adequate Documents and Records

Physical Control Over Assets and Records

Independent Checks on Performance

Information and Communication

Monitoring

Understanding and Evaluation of Internal Accounting Controls

.04

Internal Control Questionnaires

Update and Evaluate Auditor's Previous Experience with the Entity

Make Inquiries of Client Staff

Examine Documents and Records

Observe Activities and Daily Operations

Narratives

Flowcharts

Walk-through

Assess Control Risk

Identify Audit Objectives

Identify Existing Controls

Communications to Those Charged With Governance

Management Letters

Test of Controls

Purpose of Tests of Controls

Make inquiries of appropriate client personnel.

Examine documents, records, and reports.

Observe control-related activities.

Reperform client procedures.

Extent of Procedures

Tests of Controls and Procedures to Obtain an Understanding

Decide Planned Detection Risk and Design Substantive Tests

Reporting on Internal Controls

Section 404 Reporting Requirements

Audit Report on Internal Control Example

Evaluation of Internal Controls

Glossary

Index

Introduction

Internal controls are required to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. This course will describe the importance of internal controls and the purpose of the audit committee. This course will review the goals for internal controls and discuss the internal control framework used by most companies based in the United States. This course will describe the interrelated components for an effective internal control system. This course will discuss the importance of identifying audit risk. Finally, this course will discuss the difference between control deficiency, significant deficiency, and material weakness.

Course Objectives

At the end of this course, students will be able to:

• Identify the purpose of internal controls.

• Identify the purpose of an audit committee.

• Recognize the goals for internal controls.

• Recognize the internal control framework used by most companies based in the United States.

• Identify the interrelated components for an effective internal control system.

• Recognize the purpose of identifying audit risk.

• Recognize the difference between control deficiency, significant deficiency, and material weakness.

Internal Controls

Internal control, as defined for accounting and auditing, is a process to provide reasonable assurance regarding the achievement of management's objectives for the following:

(1) reliability of financial reporting,

(2) effectiveness and efficiency of operations, and

(3) compliance with applicable laws and regulations.

Investopedia defines internal controls as:

“[T]he mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. Besides complying with laws and regulations, and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.”

- This definition provided by Investopedia

Effects of Internal Auditor on Controls

Auditors should understand the functioning of the internal audit department for the entity they are auditing. The auditor should examine the charter and mission statement of the internal audit department as well as its objectives. Auditors must determine that the internal audit function applies a systematic and disciplined approach, including quality control, when it performs internal audits. The auditor should verify that the company has an effective internal audit department. The auditor should also verify that the controls of the company are strong.

One of the requirements of the auditor is to assess the competence of the internal auditor. The assessment should take into account the following factors:

• Education,

• Experience,

• Professional certifications, and

• Quality of work.

AU 322 states that when assessing the internal auditors' competence, the auditor should obtain or update information from prior years about such factors as:

• Educational level and professional experience of internal auditors.

• Professional certification and continuing education.

• Practices regarding assignment of internal auditors.

• Supervision and review of internal auditors' activities.

• Quality of working-paper documentation, reports, and recommendations.

• Evaluation of internal auditors' performance.

AU 322.9 Competence of the Internal Auditors

When assessing the internal auditors' competence, the auditor should obtain or update information from prior years about such factors as—

▪ Educational level and professional experience of internal auditors.

▪ Professional certification and continuing education.

▪ Audit policies, programs, and procedures.

▪ Practices regarding assignment of internal auditors.

▪ Supervision and review of internal auditors' activities.

▪ Quality of working-paper documentation, reports, and recommendations.

▪ Evaluation of internal auditors' performance.

AU 322.10 Objectivity of the Internal Auditors

When assessing the internal auditors' objectivity, the auditor should obtain or update information from prior years about such factors as—

▪ The organizational status of the internal auditor responsible for the internal audit function, including—

o Whether the internal auditor reports to an officer of sufficient status to ensure broad audit coverage and adequate consideration of, and action on, the findings and recommendations of the internal auditors.

o Whether the internal auditor has direct access and reports regularly to the board of directors, the audit committee, or the owner-manager.

o Whether the board of directors, the audit committee, or the owner-manager oversees employment decisions related to the internal auditor.

▪ Policies to maintain internal auditors' objectivity about the areas audited, including—

o Policies prohibiting internal auditors from auditing areas where relatives are employed in important or audit-sensitive positions.

o Policies prohibiting internal auditors from auditing areas where they were recently assigned or are scheduled to be assigned on completion of responsibilities in the internal audit function.

Note - Internal auditors can assist in the audit work itself with proper supervision and good controls. The work of the internal auditor can reduce the amount of testing of controls but can never eliminate it completely (subordinate judgment). However, internal auditors will usually not be allowed to perform audit procedures in high-risk areas.

AU 322 states that in assessing competence and objectivity, the auditor usually considers the following types of information:

• Information obtained from previous experience with the internal audit function,

• Information from discussions with management personnel, and

• Information from recent quality reviews of the internal audit function's activities.

The auditor may also use professional internal auditing standards as criteria in making the assessment. If the auditor determines that the internal auditors are sufficiently competent and objective, the auditor should then consider how the internal auditors' work may affect the audit.

AU 322.11

In assessing competence and objectivity, the auditor usually considers information obtained from previous experience with the internal audit function, from discussions with management personnel, and from a recent external quality review, if performed, of the internal audit function's activities. The auditor may also use professional internal auditing standards fn 4 as criteria in making the assessment. The auditor also considers the need to test the effectiveness of the factors described in paragraphs .09 and .10. The extent of such testing will vary in light of the intended effect of the internal auditors' work on the audit. If the auditor determines that the internal auditors are sufficiently competent and objective, the auditor should then consider how the internal auditors' work may affect the audit.

Audit Committee

An audit committee is typically created to assist the board in its oversight of the organization’s management. Usually, the board creates an audit committee that is charged with oversight responsibility for financial reporting. One of the primary responsibilities of the audit committee is any required communication with both external and internal auditors. The auditor should be able to discuss any problems related to the audit, any reportable conditions, problems with GAAP and GAAS, and any of the other items deemed necessary by the auditor.

It is important for the audit committee to be separate from management. An audit committee that is separate from management allows the auditors and the directors to discuss matters such as management integrity or to evaluate actions taken by management. In addition, the independence of the audit committee from management and the audit committee’s knowledge of financial reporting issues are important factors in its ability to effectively evaluate internal controls and financial statements prepared by management.

Internal Controls Vary by Organization

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. This means that internal controls result from the policies and procedures designed by management to provide reasonable assurance that the organization achieves its goals and objectives. These policies and procedures are called ‘controls.’ All of the organization’s controls are referred to as ‘internal controls.’

The organization’s management typically has three broad objectives for good internal controls, which are in line with what management strives to achieve:

1. Reporting - reliability of financial reporting.

2. Operations - being effective and efficient in the operations of the company and safeguarding assets of the company.

3. Compliance - following the applicable laws and regulations.

The management body of any corporation has both a legal and professional responsibility to ensure that all pertinent information is fairly presented in accordance with the reporting requirements of all applicable accounting frameworks (GAAP for U.S.-based companies and IFRS for international companies). At the end of the day, the primary objective of effective internal control over a company’s financial reporting is to fulfill these financial reporting responsibilities.

Reliability of Financial Reporting

Reliability of financial reporting is extremely important because management is ultimately responsible for preparing financial statements for all interested parties, including investors, creditors, and other individuals or organizations. Management has both a legal and professional obligation to ensure that financial information is fairly presented in accordance with the reporting requirements of accounting frameworks such as Generally Accepted Accounting Principles (GAAP) and International Financial Reporting Standards (IFRS). The objective of effective internal control over financial reporting is to comply with these financial reporting responsibilities.

Efficiency of Operations

Controls within a company encourage the efficient and effective use of its resources to both correctly prioritize and optimize the company's larger goals. An important objective of these controls is accurate financial and non-financial information about the company's operations for decision making. If accurate financial and non-financial information concerning the company’s operations cannot be found, it will be impossible to make effective and efficient use of all of the company’s available resources.

Compliance with Laws and Regulations

Section 404 of the Sarbanes-Oxley Act requires the management of all publicly traded companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404 of the Sarbanes-Oxley Act, public, non-public, and not-for-profit organizations are required to follow various laws and regulations to ensure that their business dealings are legitimate and that their workers are being treated fairly. Some are closely related to accounting, such as income tax regulations. Others are indirectly related to accounting, such as civil rights and labor laws.

Management is responsible for designing systems for internal control to accomplish all three objectives. The auditor’s focus in both the audit of financial statements and the audit of internal controls is on the controls over the reliability of financial reporting. In addition, the auditor’s focus includes the controls over operations and compliance with laws and regulations that could materially affect the company’s financial reporting and accuracy.

These components work in conjunction with one another to establish the foundation for solid internal controls within the company through directed leadership, shared values, and a workplace culture that emphasizes accountability for control as both a management and employee priority. The various risks facing the company are identified and assessed routinely at all levels and within all functions within the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks that might undermine the established internal controls. Information critical to identifying risks and meeting larger business objectives is communicated through established channels up to management, down to employees, and laterally across the company’s divisions and branches. When a company’s system of internal controls is implemented correctly, the entire system of internal control is monitored continuously for discrepancies and problems are addressed in a timely manner.

There are differing responsibilities for internal controls between management and the auditor. The management of the organization is responsible for establishing and maintaining the internal controls for the organization. The management of a public organization is also responsible for complying with the reporting requirements of Section 404 of the Sarbanes-Oxley Act on the operating effectiveness of their internal controls. The auditor has their own responsibilities. The auditor’s responsibilities include understanding the organization’s internal controls and testing the organization’s internal controls over financial reporting. In addition, the Securities and Exchange Commission (SEC) requires the auditors of publicly traded companies to issue annual audit reports pertaining to the operating effectiveness of the organization’s internal controls.

Example of Section 404 Management Report on Internal Control over Financial Reporting

The management of ABC Corporation is responsible for establishing and maintaining adequate internal control over financial reporting. ABC Corporation’s internal control system was designed to provide reasonable assurance to the company's management and board of directors regarding the preparation and fair presentation of published financial statements. ABC Corporation’s management assessed the effectiveness of the company's internal control over financial reporting as of December 31, 20XX. In making this assessment, it used the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control - Integrated Framework. Based on our assessment, we believe that, as of December 31, 20XX, the company's internal control over financial reporting is effective based on those criteria. ABC Corporation's independent auditors have issued an audit report on our assessment of the company's internal control over financial reporting.

It is important to emphasize that the management of the organization is responsible for establishing and maintaining the organization’s internal controls and ensuring that they are effective. This is also in line with the fact that the management of the organization is responsible for the preparation of financial statements. Financial statements must be prepared in accordance with applicable accounting rules and standards such as Generally Accepted Accounting Principles (GAAP) and International Financial Reporting Standards (IFRS). There are two requirements that the organization’s management must apply when creating and implementing internal controls, which are reasonable assurance and inherent limitations. This is defined in AU Section 110.03 – Responsibilities and Functions of the Independent Auditor.

AU Section 110.03

Responsibilities and Functions of the Independent Auditor

The financial statements are management's responsibility. The auditor's responsibility is to express an opinion on the financial statements. Management is responsible for adopting sound accounting policies and for establishing and maintaining internal control that will, among other things, initiate, record, process, and report transactions (as well as events and conditions) consistent with management's assertions embodied in the financial statements. The entity's transactions and the related assets, liabilities, and equity are within the direct knowledge and control of management. The auditor's knowledge of these matters and internal control is limited to that acquired through the audit. Thus, the fair presentation of financial statements in conformity with generally accepted accounting principles is an implicit and integral part of management's responsibility. The independent auditor may make suggestions about the form or content of the financial statements or draft them, in whole or in part, based on information from management during the performance of the audit. However, the auditor's responsibility for the financial statements he or she has audited is confined to the expression of his or her opinion on them. [Revised, April 1989, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards Nos. 53 through 62. As amended, effective for audits of financial statements for periods beginning on or after January 1, 1997, by Statement on Auditing Standards No. 78. Paragraph renumbered by the issuance of Statement on Auditing Standards No. 82, February 1997. Revised, April 2002, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]


Reasonable Assurance

All organizations are required to develop internal controls that are meant to provide reasonable, but not absolute, assurance that the company’s financial statements are fairly stated. As stated earlier, the organization’s internal controls are developed and overseen by the company’s management body. They do this after weighing both the costs and benefits of the proposed internal controls that are considered. The concept that management wants to achieve is known as reasonable assurance, which recognizes that no one internal control or combination of internal controls is completely foolproof. Implementing reasonable assurance ensures that there is only a remote possibility that material misstatements will occur. However, if any material misstatements remain undetected, even with the use of internal controls, they will be detected and corrected on a timely basis by the organization’s monitoring and other internal controls.

Accountants, auditors, and regulators all acknowledge that it is impossible to assert with absolute certainty that an event will or will not occur, or even whether or not an event has already occurred. This type of absolute certainty is also known as “absolute assurance.” Auditors are unable to obtain absolute assurance not because they fail to use sufficient care when conducting their engagements, but because there are limitations essential to the process of conducting a business audit that render an auditor unable to provide a guarantee of absolute assurance. All accountants, auditors, and regulators acknowledge that there is always some form of judgment that must be exercised when rendering an opinion during an audit. It is also common knowledge that those judgments are not always 100 percent accurate.

The website “Accounting Tools” defines reasonable assurance using the following definition:

“Reasonable assurance is a high level of assurance regarding material misstatements, but not an absolute one. Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. To achieve reasonable assurance, the auditor needs to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. This means that there is some uncertainty arising from the use of sampling, since it is possible that a material misstatement will be missed.”

The most important word to recognize from this definition is the word “reasonable.” An auditor is not required to provide absolute assurance, but only reasonable assurance that no material misstatements are occurring within a company. Absolutes are simply not practical or reasonable to expect when conducting any type of audit. This is mainly because of factors such as the necessary use of professional judgment, the use of testing, the inherent limitations in all internal controls, and the fact that audit evidence is generally persuasive rather than conclusive.

Many skeptics and critics complain that relying on “reasonable assurance” leaves too much room for variances in audit reports. However, accounting and audit practitioners alike acknowledge that an audit conducted in accordance with Generally Accepted Auditing Standards (GAAS) provides reasonable assurance, but not “absolute” assurance, that the resulting financial statements are free of material misstatements.

Because of the inherent limitations of any internal control structure, it may be impossible to provide absolute assurance that the objectives of a company’s internal controls are satisfied. Reasonable assurance, which recognizes that the cost of an entity's internal control structure should not exceed the benefits that are expected to be derived through its implementation, may be enough.

The audit profession has made significant efforts to educate the public and close the expectation gap between the level of assurance that financial statement readers presume an audit report can deliver and the level of assurance that it actually delivers. Auditing standards have been updated to provide more explicit guidance. In addition, regulators today provide more active oversight and dispense more disciplinary measures for issuing erroneous reports than in the past. This is forward progress in this area, and the progress is expected to continue.

Therefore, when an auditor is performing an audit of financial statements, one of the high-level objectives of the auditor is to obtain reasonable assurance as to whether a client’s financial statements are free from material misstatement. This will allow the auditor to express an opinion on whether the financial statements are presented fairly, in all material respects, and in accordance with the applicable financial reporting frameworks such as generally accepted accounting principles (GAAP) or IFRS.

It is the responsibility of the auditor to use reasonable assurance so that the audited financial statements provide an accurate view of an organization's financial position. This requires the auditor to be reasonably certain that audited financial statements are free from material misstatements. To do this, the concept of reasonable assurance is applied both to the issuance of financial statements and to the assessment of the organization’s internal controls.

In the Responsibilities and Functions of the Independent Auditor, adopted by the Public Company Accounting Oversight Board, the relevant standard in the United States is Audit Section 110.02, which states:

“The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement …”. The full text reads as follows:

AU Section 110.02

The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by errors or fraud, that are not material to the financial statements are detected. [Paragraph added, effective for audits of financial statements for periods ending on or after December 15, 1997, by Statement on Auditing Standards No. 82.]

In addition, Auditing Standard No. 5, pertaining to An Audit of Internal Control Over Financial Reporting, says that:

“Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assessment.” The full text reads as follows:

Auditing Standard No. 5

An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

Introduction

1. This standard establishes requirements and provides direction that applies when an auditor is engaged to perform an audit of management's assessment of the effectiveness of internal control over financial reporting ("the audit of internal control over financial reporting") that is integrated with an audit of the financial statements.

2. Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective.

3. The auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting. Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assessment. A material weakness in internal control over financial reporting may exist even when financial statements are not materially misstated.

4. The general standards are applicable to an audit of internal control over financial reporting. Those standards require technical training and proficiency as an auditor, independence, and the exercise of due professional care, including professional skepticism. This standard establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting.

5. The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting.

Ultimately, reasonable assurance must come from the judgment of a trained practitioner or regulator. Reasonable assurance is the assurance from the trained practitioner or regulator that the audit risk will be limited to a low level based on their professional judgment. Both internal and external auditors should be prepared to express opinions on the adequacy of the organization’s internal control, as well as the management of risk and governance processes. Finally, based on this information, they should express an opinion on the resulting financial statements.


Inherent Limitations

Internal controls can never be 100 percent effective no matter how carefully they were designed and implemented. There are always factors that prevent the best system from being 100 percent effective. The system’s effectiveness will always depend on the competency and dependability of the people using it. These are called inherent limitations. As a result, the system of controls does not provide absolute assurance that the control objectives of an organization will be realized. The inherent limitations in any system reduce the level of assurance in the system. As a result of these limitations, the auditor is expected to provide reasonable assurance, which is a high level of assurance: reasonably high, but short of absolute or 100 percent assurance.

• Inherent limitations of an accounting system:

o Use of judgement in establishing estimates for reporting purposes: In reporting many important financial quantities, management relies on estimation, and this opens the door to inaccuracies. Depreciation expense for the year is a perfect example: the estimate can be either more or less than the real depreciation. As there is almost no way to quantify the devaluation of an asset, accountants can only estimate it.

o Human error: Humans must enter the data that the accounting system processes, and humans can make mistakes that would then be represented in the financial information. Although several checks can be devised to fight these errors, they cannot be completely eliminated. One reason is cost-benefit issues; after all, even a system that eliminated human errors would be too slow to be any good.

o Absence of clear instructions on accounting treatment: There are many instances where events and the resulting transactions occur for which accounting standards do not provide clear instructions regarding accounting treatment. This may lead to confusion and puts management in a position to use its judgment to decide on the best available reporting alternative.

o Room for more than one possible interpretation of the requirements or more than one possible treatment: This also adds to the confusion on the part of management and the auditor, and the two may have differing opinions. Most often the standards themselves give this option to those preparing financial statements.

o Degree of uncertainty and complexity of the transactions involved: Auditors conduct audits on a sampling basis. The greater the complexity, the greater the risk, and the use of sampling techniques prevents the auditor from reaching conclusions that provide absolute assurance, because the auditor has not tested each and every item in the population.

o Negative effects of subjective decisions or bias on the part of the management or employees of the entity.

o Existence of fraud committed by the entity’s management or employees, which conceals important financial information.


Careless and inattentive employees are the cause of faults in most systems. For example, one employee responsible for verifying inventory may count incorrectly or purposely misstate the count to cover up theft. The system does not improve with two employees counting if the second employee has the same reliability issues as the first employee. The inventory count is still likely to be wrong. Even if the count is correct, management might record different inventory numbers to improve reported earnings.

Section 404 of the Sarbanes-Oxley Act requires the management of all public companies to issue an internal control report that includes the following:

1. A requirement that management is responsible for establishing and maintaining an adequate internal control structure and adequate procedures for the financial reporting for the organization.

2. A requirement that there must be an assessment of the effectiveness of the internal control structure and an assessment of the procedures for financial reporting at the end of the company's fiscal year.

Management is also required to identify the framework that is used to evaluate the effectiveness of internal control. The internal control framework used by most companies based in the United States is the COSO Internal Control - Integrated Framework. COSO is an abbreviation for the Committee of Sponsoring Organizations of the Treadway Commission. The COSO Internal Control - Integrated Framework is recognized as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control.

Management’s assessment of internal control over financial reporting consists of two assessments. First, management must “evaluate the design” of the internal controls that are being used over financial reporting. Second, management must “test the operating effectiveness” of the internal controls that are being used for financial reporting.

Internal Control Design

Auditing Standard No. 5 - An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements states that:

“A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's internal control over financial reporting and the amount of audit attention that should be devoted to that area. In addition, the risk that a company's internal control over financial reporting will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error.”

Internal control is the general responsibility of all members in an organization. However, management holds ultimate responsibility for establishing and maintaining an effective internal control structure. As a result, it is the responsibility of the organization’s management to evaluate whether the internal controls that are being used are designed and put in place to prevent or detect material misstatements in the financial statements. Management’s attention must be focused on controls that address risks related to all significant accounting and disclosures in the financial statements. This means evaluating how all significant transactions are initiated, authorized, recorded, processed, and reported in order to identify any points in the flow of transactions where material misstatements due to error or fraud could possibly occur.

Effectiveness of Internal Controls

The goals for an effective internal control structure are to implement practices and procedures to:

• Protect the assets of the organization against theft and waste.

• Ensure compliance with company policies and federal law.

• Evaluate the performance of all personnel to promote efficient operations.

• Ensure accurate and reliable operating data and accounting reports.

Since the purpose of internal control is to ensure the efficient operations of an organization, the only way to know if the internal controls are effective is to test them. Once again, it is the responsibility of the organization’s management to test the effectiveness of the internal controls being used. The objective of the internal control testing is to determine whether the controls are operating as designed and whether the person performing the control possesses the necessary qualifications and authority in the organization to perform the control effectively. The internal control test results must be documented in order to form the basis for management's assertion regarding the effectiveness of the internal controls being used. If the testing identifies any material weaknesses, management must disclose them. If one material weakness is identified, management must conclude that the organization's internal control over financial reporting is “not effective”.

The SEC requires management of all publicly traded companies to include its report on internal control in its annual Form 10-K report that must be filed with the SEC.

The auditor must obtain an understanding of the internal control in order to assess control risk in every audit. Therefore, auditors must be concerned about all controls over the reliability of financial reporting and the controls over classes of transactions. In fact, the GAAS Yellow Book requires that auditors report on internal controls and compliance with provisions of the law. The full text reads as follows:


Standards for Financial Audits

Reporting on Internal Control; Compliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements; and Instances of Fraud

Requirements: Reporting on Internal Control; Compliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements; and Instances of Fraud

6.39 Auditors should report on internal control and compliance with provisions of laws, regulations, contracts, or grant agreements regardless of whether they identify internal control deficiencies or instances of noncompliance.

6.40 When providing an opinion or a disclaimer on financial statements, auditors should report as findings any significant deficiencies or material weaknesses in internal control over financial reporting that the auditors identified based on the engagement work performed.

6.41 Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect

a. noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the financial statements or other financial data significant to the audit objectives or

b. fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives.

6.42 Auditors should include either in the same or in separate report(s) a description of the scope of the auditors’ testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements.

6.43 If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity’s internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates.


Reliability of Financial Reporting Controls

Financial statements are not likely to accurately reflect GAAP or IFRS if internal controls over financial reporting are inadequate. In many cases, a client is more interested in controls that are effective for the company’s operations. However, the auditor is only interested in controls that result in the fair presentation of financial statements. Auditors have the responsibility for discovering material fraudulent financial reporting and misappropriation of assets (commonly known as fraud), as well as any other illegal acts. Auditors must be concerned with a client's internal control over the safeguarding of assets and compliance with laws and regulations if they affect the fairness of the financial statements. Internal controls, if properly designed and implemented, can be effective in preventing and detecting fraud.

It is important for auditors to pay attention to the controls affecting internal management information, such as budgets and internal performance reports. These types of information are often important sources of information that are used by management to run the business. They can also be important sources of evidence to help the auditor decide whether the financial statements are fairly presented. If the controls over these internal reports are inadequate, the value of this information is diminished.

Classes of Transactions Controls

An emphasis for auditors is internal control over classes of transactions rather than account balances because the accuracy of account balances (known as the outputs of the accounting system) depends heavily on the accuracy of the inputs and processing (known as the transactions of the accounting system). For example, sales and accounts receivable will be misstated if products sold, units shipped, or unit selling prices are incorrect in the billing system. However, if the internal controls are adequate, the ending balance in accounts receivable is likely to be correct. This is because the internal controls would ensure that all facets related to billing, such as cash receipts, sales returns and allowances, and write-off transactions, are correct.

Because of the emphasis on classes of transactions, auditors can focus on transaction-related audit objectives when assessing internal controls over financial reporting. It is important for the auditor to gain an understanding of controls that impact ending account balances and presentation and disclosure objectives. For example, transaction-related audit objectives typically have no effect on two balance-related audit objectives: realizable value and rights and obligations. They also are unlikely to have an effect on the four presentation and disclosure objectives. The auditor is likely to evaluate separately whether management has implemented internal control for each of these two account balance objectives and the four presentation and disclosure objectives.


Auditor Responsibilities for Testing Internal Control

Section 404 of the Sarbanes-Oxley Act requires that the auditor report on the effectiveness of internal control over financial reporting. As a result of the federal financial reform legislation passed by Congress in 2010, only large public companies are required to obtain an audit report on internal control over financial reporting. To express an opinion on these controls, the auditor obtains an understanding of and performs tests of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements.

Internal Control Components

An “effective” internal control system has five interrelated components. These five components work to support the achievement of an entity’s mission, strategies and related business objectives. The five internal control components include the following:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communications
5. Monitoring

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.


Control Environment

The control environment, also known as the "internal control environment", is a term that is used in financial audit, internal audit, and risk management. This term is used to express or identify the following characteristics about an organization: management style, corporate culture, organizational values, management philosophy and operating style, the organizational structure, and human resources policies and procedures. Management is responsible for setting the tone for the organization, so the control environment is essentially an assessment of management’s influence over the entire organization. In order to understand the control environment and to be able to assess it, an auditor must evaluate all control elements including:

• The organization’s ethical values
• Commitment to competence
• Board of Directors and audit committee participation
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and procedures

Therefore, the control environment consists of the actions, policies, and procedures which reflect the overall attitudes of the managers, directors, and business owners regarding internal control. It also includes their attitudes regarding the importance of internal controls to the entity. Overall, the control environment sets the tone for the organization and is crucial for the other four components. Without an effective control environment, the other four controls are unlikely to result in effective internal control for the organization, regardless of their implementation. Finally, it is important for the auditor to concentrate on the substance of controls rather than their form because controls may be established but not acted upon.

Organizational Ethical Values and Integrity

Ethical values are the combined product of the organization’s written policy statements and unwritten codes of conduct or ethical standards. They also include the standards that are directly enforced and communicated to all workers in the organization. This includes standards that are indirectly enforced or encouraged through management’s use of rewards and incentives, which may promote workers engaging in illegal, dishonest, or unethical actions. Integrity is how employees adhere to the written policies and unwritten spirit of the organizational values.

Commitment to Competence

Competence is defined as: “the ability to do something successfully or efficiently.” For auditors, competence is the knowledge and skills necessary to accomplish the tasks required to complete the audit engagement. Achieving competence requires continuous training for all auditors and a commitment to keep knowledge current. Commitment to competence is a term that assesses management’s commitment to the competence levels for specific jobs and how those levels translate into the skills and knowledge required to successfully perform job tasks.

Board of Directors or Audit Committee Participation

The board of directors performs the duty of providing effective corporate governance for the business entity. The board of directors has the responsibility to make sure management implements proper internal control and financial reporting processes. An effective board of directors is independent of management, and its members actively monitor both business activities and management’s activities. The board passes the responsibility for internal control to management. It is the board’s job to regularly assess the controls that management has implemented. In addition, an active and objective board can reduce the likelihood that management ignores or fails to implement existing controls.

Typically, the board creates an audit committee that is charged with oversight responsibility for financial reporting to assist the board in its oversight. The audit committee is responsible for maintaining ongoing communication with both external and internal auditors. This includes all communications with the approved auditor as well as the practitioner performing nonaudit services for public companies. This arrangement allows the auditors and directors to discuss matters that might relate to such things as management integrity or the appropriateness of actions taken by management.

The audit committee’s independence from management and knowledge of financial reporting issues are important factors for its ability to effectively evaluate internal controls and financial statements prepared by management. The Sarbanes-Oxley Act directed the SEC to require the national stock exchanges (NYSE and NASDAQ) to strengthen audit committee requirements for public companies listing securities on the exchanges. In response, the exchanges will not list any security from a company with an audit committee that:

1. Is not comprised solely of independent directors;
2. Is not solely responsible for hiring and firing the company’s auditors;
3. Does not establish procedures for the receipt and treatment of complaints regarding accounting, internal control or auditing matters;
4. Does not have the ability to engage its own counsel and other advisors; and
5. Is inadequately funded.

Similar provisions exist outside the United States. One such provision is the 8th Directive, which is defined by the European Commission. The European Commission’s 8th Directive requires that each public-interest entity must have an audit committee with at least one member who is independent and who has competence in accounting or auditing. In the United States, the PCAOB Standard 5 requires the auditor to evaluate the effectiveness of the audit committee’s oversight of the company’s external financial reporting and internal control over financial reporting.

Even though it is not required, many privately held companies also create an audit committee. For these companies, governance is typically provided by the business owner, partners, or a management committee with accounting, finance, or budget experience. Any individual or individuals responsible for overseeing the strategic direction of the business entity and its financial accountability, including financial reporting and disclosure, are designated as "those charged with governance" by auditing standards.

Management Operating Style and Practices

Management’s implicit and explicit actions send clear signals to employees about the importance of internal control. These traits are typically established from the culture of the organization. The operating style of the management of a business entity will reflect how they view topics such as risk taking or rule following. For example, some organizations are created as a start-up and continue to operate that way. The management of these organizations may have needed to take considerable risks during the start-up phase to survive. As a result, the management may continue to take significant risks. In addition, risk takers tend to be poor rule followers. Finally, the management of these organizations may set unrealistically aggressive sales and earnings targets. This may require employees to take aggressive actions to meet those targets. Understanding these and similar aspects of management’s philosophy and operating style gives the auditor a sense of management’s attitude about internal control.

Organizational Structure

Companies are structured with a defined organizational structure. Each organizational structure has its own style and organizational culture that will have a direct impact on how work is performed. Auditors should be aware of the organizational structure and the corresponding culture that exists in each type of organizational structure. This will provide an indication of the level of autonomy and authority given to the management.

Obtaining Written Representations

79. If the auditor concludes that the oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee is ineffective, the auditor must communicate that conclusion in writing to the board of directors.

The entity’s organizational structure usually defines the existing lines of responsibility and authority within the organization. Some organizations are top-down and some are distributed. By understanding the client’s organizational structure, the auditor can learn the management and functional elements of the business and perceive how controls are implemented.

Human Resource Policies and Practices

In most cases, the most important aspect of internal control is the employees of the business, which is defined by human resource policies and practices. Business entities that hire competent and trustworthy employees will not require extensive controls. This is because competent and trustworthy employees will do the right thing, resulting in reliable financial statements. Incompetent or dishonest employees require extensive controls to keep the system accurate. Competent and trustworthy employees are able to perform at a high level even when there are few other controls to support them. However, it should be mentioned that competent and trustworthy people can have shortcomings. For example, honest employees can get into financial trouble, or they can become bored or dissatisfied with their pay. This may result in dishonest behavior. Competent and trustworthy employees are critical in providing effective control for the organization. This means that the methods by which employees are hired, evaluated, trained, promoted, and compensated are an important part of internal control.

After obtaining information about each of the control elements, the auditor must use this understanding as a basis for assessing internal controls. It starts with management’s attitude about the importance of implementing strong controls.

Risk Assessment

The second internal control component is risk assessment. Risk assessment is defined as the entity's identification and analysis of relevant risks to achievement of its objectives and forming a basis for determining how the risks should be managed. This would include the following:

• Company-wide objectives,
• Process-level objectives,
• Risk identification and analysis, and
• Managing change.

Risk assessment for financial reporting is the identification and analysis of risks that are relevant to the preparation of financial statements in conformity with appropriate accounting standards. For example, if a company sells its merchandise below inventory cost because of rapid technology changes, it is essential for the company to incorporate adequate controls to address the risk of overstating inventory. In addition, the following are examples of factors that may lead to increased risk:

• Failure to meet prior business objectives,
• Low quality of company personnel,
• Geographic dispersion of company operations,
• Complexity of core business processes,
• New technologies,
• Economic downturns, and
• New competitors entering significant markets.

Once management identifies significant risks, it must estimate the significance of the identified risks, assess the likelihood of the risks occurring, and develop specific actions to be taken in order to reduce the risks to an acceptable level. The auditor seeks to understand how management considers risks. There is a difference between the entity's assessment process and the auditor's risk assessment considerations. The entity is to identify, analyze and manage risk that affects the internal control objectives. The auditor assesses inherent and control risks to evaluate the likelihood that material misstatements could occur in the financial statements.

Although the two are closely related, it is important to recognize that management's risk assessment differs from the auditor's risk assessment. Management assesses risks as a part of designing and operating internal controls to minimize errors and fraud. Auditors only assess risks in order to evaluate the evidence needed in an audit. If management effectively identifies and responds to those identified risks, the auditor will need less evidence than when management fails to identify or respond to significant risks. Auditors typically learn about management's risk assessment process by using questionnaires and holding discussions with management. The auditor’s objective is to determine how management is identifying risks that are relevant to financial reporting. In addition, the auditor must learn how management evaluates the significance and likelihood of the identified risks occurring and what its plan is for addressing the risks.

Audit Risk

The next step is for the auditor to make an assessment of the audit risk. Audit risk is the risk that the financial statements are materially misstated and the auditor fails to detect such a misstatement or appropriately modify the auditor's opinion. Risk assessment evaluates the risks of material misstatement (RMM) for financial statements. RMM is the combination of inherent risk and control risk. Audit risk is the product of three risks.

1. Inherent risk: the susceptibility of an assertion to a material misstatement, assuming that there are no internal controls. Inherent risk is greater for some assertions and related account balances, classes of transactions, and disclosures than for others.

2. Control risk: the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the client's internal control. Control risk is a function of the effectiveness of the design and operation of the client's internal control.

3. Detection risk: the risk that the auditor will not detect such misstatements in an account or disclosure item.

Inherent risk and control risk are called the risk of material misstatement.

.27 At the account-balance or class-of-transactions level, audit risk consists of (a) the risk (consisting of inherent risk and control risk) that the balance or class and related assertions contain misstatements (whether caused by error or fraud) that could be material to the financial statements when aggregated with misstatements in other balances or classes and (b) the risk (detection risk) that the auditor will not detect such misstatements. The discussion that follows describes audit risk in terms of three component risks. fn 12 The way the auditor considers these component risks and combines them involves professional judgment and depends on the audit approach.

a. Inherent risk is the susceptibility of an assertion to a material misstatement, assuming that there are no related controls. The risk of such misstatement is greater for some assertions and related balances or classes than for others. For example, complex calculations are more likely to be misstated than simple calculations. Cash is more susceptible to theft than an inventory of coal. Accounts consisting of amounts derived from accounting estimates pose greater risks than do accounts consisting of relatively routine, factual data. External factors also influence inherent risk. For example, technological developments might make a particular product obsolete, thereby causing inventory to be more susceptible to overstatement. In addition to those factors that are peculiar to a specific assertion for an account balance or a class of transactions, factors that relate to several or all of the balances or classes may influence the inherent risk related to an assertion for a specific balance or class. These latter factors include, for example, a lack of sufficient working capital to continue operations or a declining industry characterized by a large number of business failures.

b. Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control. That risk is a function of the effectiveness of the design and operation of internal control in achieving the entity's objectives relevant to preparation of the entity's financial statements. Some control risk will always exist because of the inherent limitations of internal control.

c. Detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion. Detection risk is a function of the effectiveness of an auditing procedure and of its application by the auditor. It arises partly from uncertainties that exist when the auditor does not examine 100 percent of an account balance or a class of transactions and partly because of other uncertainties that exist even if he or she were to examine 100 percent of the balance or class. Such other uncertainties arise because an auditor might select an inappropriate auditing procedure, misapply an appropriate procedure, or misinterpret the audit results. These other uncertainties can be reduced to a negligible level through adequate planning and supervision and conduct of a firm's audit practice in accordance with appropriate quality control standards.

.28 Inherent risk and control risk differ from detection risk in that they exist independently of the audit of financial statements, whereas detection risk relates to the auditor's procedures and can be changed at his or her discretion. Detection risk should bear an inverse relationship to inherent and control risk. The less the inherent and control risk the auditor believes exists, the greater the detection risk that can be accepted. Conversely, the greater the inherent and control risk the auditor believes exists, the less the detection risk that can be accepted. These components of audit risk may be assessed in quantitative terms such as percentages or in nonquantitative terms that range, for example, from a minimum to a maximum. [Paragraph renumbered by the issuance of Statement on Auditing Standards No. 82, February 1997.]

.29 When the auditor assesses inherent risk for an assertion related to an account balance or a class of transactions, he or she evaluates numerous factors that involve professional judgment. In doing so, the auditor considers not only factors peculiar to the related assertion, but also, other factors pervasive to the financial statements taken as a whole that may also influence inherent risk related to the assertion. If an auditor concludes that the effort required to assess inherent risk for an assertion would exceed the potential reduction in the extent of auditing procedures derived from such an assessment, the auditor should assess inherent risk as being at the maximum when designing auditing procedures. [Paragraph renumbered by the issuance of Statement on Auditing Standards No. 82, February 1997.]

.30 The auditor also uses professional judgment in assessing control risk for an assertion related to the account balance or class of transactions. The auditor's assessment of control risk is based on the sufficiency of evidential matter obtained to support the effectiveness of internal control in preventing or detecting misstatements in financial statement assertions. If the auditor believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or believes that evaluating their effectiveness would be inefficient, he or she would assess control risk for that assertion at the maximum. [Paragraph renumbered by the issuance of Statement on Auditing Standards No. 82, February 1997.]

.31 The auditor might make separate or combined assessments of inherent risk and control risk. If the auditor considers inherent risk or control risk, separately or in combination, to be less than the maximum, he or she should have an appropriate basis for these assessments. This basis may be obtained, for example, through the use of questionnaires, checklists, instructions, or similar generalized materials and, in the case of control risk, the understanding of internal control and the performance of suitable tests of controls. However, professional judgment is required in interpreting, adapting, or expanding such generalized material as appropriate in the circumstances. [Paragraph renumbered by the issuance of Statement on Auditing Standards No. 82, February 1997.]

.32 The detection risk that the auditor can accept in the design of auditing procedures is based on the level to which he or she seeks to restrict audit risk related to the account balance or class of transactions and on the assessment of inherent and control risks. As the auditor's assessment of inherent risk and control risk decreases, the detection risk that can be accepted increases. It is not appropriate, however, for an auditor to rely completely on assessments of inherent risk and control risk to the exclusion of performing substantive tests of account balances and classes of transactions where misstatements could exist that might be material when aggregated with misstatements in other balances or classes. [Paragraph renumbered by the issuance of Statement on Auditing Standards No. 82, February 1997.]

.33 An audit of financial statements is a cumulative process; as the auditor performs planned auditing procedures, the evidence obtained may cause him or her to modify the nature, timing, and extent of other planned procedures. As a result of performing auditing procedures or from other sources during the audit, information may come to the auditor's attention that differs significantly from the information on which the audit plan was based. For example, the extent of misstatements detected may alter the judgment about the levels of inherent and control risks, and other information obtained about the financial statements may alter the preliminary judgment about materiality. In such cases, the auditor may need to re-evaluate the auditing procedures he or she plans to apply, based on the revised consideration of audit risk and materiality for all or certain of the account balances or classes of transactions and related assertions. [Paragraph renumbered and amended, effective for audits of financial statements for periods ending on or after December 15, 1997, by Statement on Auditing Standards No. 82.]

Control Activities

The third internal control component is control activities. Control activities are the policies and procedures that help ensure that management directives are carried out.

AU 319 states that control activities are those policies and procedures, in addition to the control environment and accounting system, that management has established to provide reasonable assurance that specific entity objectives will be achieved. Control activities have various objectives and are applied at various organizational and data processing levels. They may also be integrated into specific components of the control environment and the accounting system. Generally, they may be categorized as procedures that pertain to:

1. Segregation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance

Segregation of duties

Segregation of duties is a technique that reduces the opportunities to both conduct illegal actions and conceal irregularities. This basic technique assigns different employees the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. Segregation of duties makes it difficult for any employee to commit fraud without being detected by other employees in the course of their jobs. This technique can also be useful for detecting mistakes.

There are four techniques that can be used to separate duties in order to prevent fraud and errors. The following techniques are beneficial for auditors:

• Separation of the Custody of Assets from Accounting.

• Separation of the Authorization of Transactions from the Custody of Related Assets.

• Separation of Operational Responsibility from Record-Keeping Responsibility.

• Separation of IT Duties from User Departments.

Separation of the Custody of Assets from Accounting

To protect company assets from internal embezzlement, any employee who has either permanent or even temporary custody of an asset should not account for that asset. Allowing one employee to perform both functions increases the risk of that person disposing of the asset for personal gain and falsifying records to cover up the theft. For example, if an employee receives cash and is also responsible for recording the entries for daily cash receipts and sales, that employee could pocket some of the cash received and falsify the customer's account by failing to record the entry for that day or by recording a lower amount to the account.

Separation of the Authorization of Transactions from the Custody of Related Assets

Another technique to implement is to prevent employees who authorize transactions from having control over the related asset. This will also reduce the likelihood of internal embezzlement. This means that the same employee should not authorize the payment of a vendor's invoice and also approve the disbursement of funds to pay the bill.

Separation of Operational Responsibility from Record-Keeping Responsibility

A technique that should be used to ensure unbiased information is for the record-keeping duties to be the responsibility of a separate department that reports directly to the controller. This can prevent records from being altered to indicate false business results for the company or a single division.

Separation of IT Duties from User Departments

As the level of complexity of IT systems increases, the separation of authorization, record keeping, and custody must not become blurred. For example, sales reps may enter customer orders online. The sales application authorizes those sales based on a comparison of customer credit limits to the master file and posts all approved sales in the sales cycle journals. As a result, the sales application plays a significant role in the authorization and record keeping of sales transactions. To control for potential overlaps and to prevent false orders from being processed, it is important for companies to separate major IT-related functions from key user department functions.

It is important for all companies to think about and implement controls between the sales and accounting software programs or apps. The sales authorization and posting controls should be under the authority of the IT department, whereas the ability to update information in the master file of customer credit limits should reside in the company's credit department, outside the IT function.
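The four separations described above can be tested mechanically against an activity log. The following is an added example, not part of the original course material; the log layout, employee and department names, and function names are assumptions constructed for illustration.

```python
"""Segregation-of-duties review over a constructed activity log (illustrative)."""
from collections import defaultdict
from itertools import combinations

# The three duties the text says must be assigned to different employees.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Constructed sample rows: (transaction, employee, department, duty, asset class)
ACTIVITY_LOG = [
    ("CR-1001", "alice", "cashier", CUSTODY, "cash_receipt"),
    ("CR-1001", "bob", "accounting", RECORD, "cash_receipt"),
    ("CR-1002", "carol", "cashier", CUSTODY, "cash_receipt"),
    ("CR-1002", "carol", "cashier", RECORD, "cash_receipt"),
    ("CR-1003", "bob", "accounting", CUSTODY, "cash_receipt"),
    ("AP-2001", "dave", "purchasing", AUTHORIZE, "vendor_payment"),
    ("AP-2001", "dave", "purchasing", CUSTODY, "vendor_payment"),
    ("AP-2002", "erin", "purchasing", AUTHORIZE, "vendor_payment"),
    ("AP-2002", "frank", "treasury", CUSTODY, "vendor_payment"),
    ("MF-3001", "grace", "it", RECORD, "credit_limit_master"),
    ("MF-3002", "heidi", "credit", RECORD, "credit_limit_master"),
]

# Assumed policy taken from the text: the credit department, not IT,
# maintains the master file of customer credit limits.
MASTER_FILE_OWNERS = {"credit_limit_master": "credit"}


def duty_conflicts(log):
    """Transactions in which one employee performed two incompatible duties."""
    duties = defaultdict(set)  # (transaction, employee) -> duties performed
    for txn, employee, _dept, duty, _asset in log:
        duties[(txn, employee)].add(duty)
    findings = []
    for (txn, employee), held in duties.items():
        for pair in combinations(sorted(held), 2):
            findings.append((txn, employee, pair))
    return sorted(findings)


def role_conflicts(log):
    """Employees who hold incompatible duties over one asset class across the
    whole log, even if never within the same transaction."""
    duties = defaultdict(set)  # (employee, asset class) -> duties performed
    for _txn, employee, _dept, duty, asset in log:
        duties[(employee, asset)].add(duty)
    return {key: tuple(sorted(held))
            for key, held in sorted(duties.items()) if len(held) > 1}


def master_file_violations(log, owners=MASTER_FILE_OWNERS):
    """Master-file changes made by a department other than the designated owner."""
    return [(txn, employee, dept)
            for txn, employee, dept, _duty, asset in log
            if asset in owners and dept != owners[asset]]


if __name__ == "__main__":
    for finding in duty_conflicts(ACTIVITY_LOG):
        print("same-transaction conflict:", finding)
    for key, held in role_conflicts(ACTIVITY_LOG).items():
        print("role-level conflict:", key, held)
    for finding in master_file_violations(ACTIVITY_LOG):
        print("master file changed outside owner department:", finding)
```

The role-level check flags "bob", who never combines duties in a single transaction but records cash receipts in one and holds custody in another, a weakness the per-transaction check alone would miss.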

Transaction Authorization

All transactions must be properly authorized if internal controls are to be sufficient. This prevents any employee from acquiring or expending assets at will. Transaction authorization can be either general or specific. Under general authorization, management establishes policies, and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy. General authorization decisions might include the publishing of fixed price lists for specific products that are regularly purchased, credit limits for customers looking to receive credit, or fixed reorder points for replenishing inventory items. Specific authorization typically applies to specific individual transactions. For these transactions, a control should be established to authorize each transaction.

The distinction between authorization and approval is also important. Authorization is a policy decision for either a general class of transactions or specific transactions. Approval is the implementation of management's general authorization decisions. An example of a general authorization is management setting a policy authorizing the ordering of inventory when less than a two-week supply is on hand. When a department orders inventory to replenish items that have been sold, the employee responsible for maintaining these records approves the order to indicate that the criteria of the authorization policy have been met. In broader cases, an inventory app approves the transactions by comparing quantities of inventory on hand to a master file of reorder levels and automatically submits purchase orders to authorized suppliers in the vendor master file. In this case, the inventory application is performing the approval function using preauthorized information contained in the master files.

Adequate Documents and Records

It is important to implement controls requiring adequate documents and records. This requirement helps to ensure the proper recording of transactions and events, for example by monitoring the use of prenumbered shipping documents.

Documents and records are the transaction records that are entered and summarized. They include such diverse items as sales invoices, purchase orders, subsidiary records, sales journals, and employee time cards. Many of these documents and records are maintained in electronic form, such as in a database, rather than in paper formats. Adequate documents are essential for correct recording of transactions and for the control of assets. A simple example is when the receiving department completes an electronic receiving report when inventory is received. In this example, the accounts payable application will verify the quantity and description on the vendor's invoice by comparing it with the information on the receiving report.

The following principles are recommended for the proper design and use of documents and records:

• Documents should be prenumbered with consecutive numbers to facilitate internal control over missing documents and records and to aid in locating them when they are needed at a later date. It should be noted that prenumbered documents and records are important for the completeness of transaction-related audit objectives.

• Documents should be prepared at the time the transaction takes place, or soon thereafter, to minimize timing errors.

• Documents should be designed for multiple uses, when possible, to minimize the number of different forms that are being used for business operations. For example, a properly designed electronic shipping record can be the basis for releasing goods from storage to the shipping department and for informing the billing department of the quantity of goods to bill to the customer and the appropriate billing date.

• Documents should be constructed in a manner that encourages correct preparation. This can be done by providing internal checks within the form or record. For example, the application screen may prompt the employee completing the form to enter critical information before the record is electronically routed for authorizations and approvals. Similarly, screen controls can validate the information entered. For example, an error may be displayed when an invalid general ledger account number is entered, and the entry may be automatically rejected when the account number does not match the chart of accounts master file.

The chart of accounts is a control that is closely related to documents and records. The chart of accounts classifies transactions into individual balance sheet and income statement accounts. The chart of accounts is helpful in preventing classification errors if it accurately describes which type of transactions should be in each account.
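The document controls described in this section (prenumbered sequences, screen validation against the chart of accounts, and the invoice-to-receiving-report comparison) can be written as automated checks. This is an added example, not part of the original course material; the field names, account numbers, and document numbers are constructed assumptions.

```python
"""Document-and-record controls run over constructed sample data (illustrative)."""

# Constructed chart of accounts master file: account number -> description.
CHART_OF_ACCOUNTS = {
    "1000": "Cash",
    "1200": "Accounts receivable",
    "1400": "Inventory",
    "2000": "Accounts payable",
}

# Constructed receiving reports: report number -> {item description: quantity}.
RECEIVING_REPORTS = {
    "RR-77": {"steel bracket": 100, "hex bolt M8": 500},
}


def sequence_exceptions(numbers, first, last):
    """Return (missing, duplicated) numbers for a prenumbered document range.

    The issued range must be supplied: inferring it from the documents on hand
    would hide a missing first or last document.
    """
    seen, duplicated = set(), set()
    for number in numbers:
        if number in seen:
            duplicated.add(number)
        seen.add(number)
    missing = [n for n in range(first, last + 1) if n not in seen]
    return missing, sorted(duplicated)


def validate_journal_line(line, chart=CHART_OF_ACCOUNTS):
    """Return rejection reasons; an empty list means the record may be routed."""
    errors = []
    for field in ("account", "amount", "document_no"):
        if line.get(field) in (None, ""):
            errors.append(f"missing {field}")
    account = line.get("account")
    if account not in (None, "") and account not in chart:
        errors.append(f"account {account} not in chart of accounts")
    return errors


def match_invoice(invoice, receiving_reports=RECEIVING_REPORTS):
    """Compare quantity and description on a vendor invoice to its receiving report."""
    report_no = invoice["receiving_report_no"]
    received = receiving_reports.get(report_no)
    if received is None:
        return [f"receiving report {report_no} not found"]
    exceptions = []
    for description, billed in invoice["lines"].items():
        if description not in received:
            exceptions.append(f"{description}: billed but not on receiving report")
        elif billed != received[description]:
            exceptions.append(
                f"{description}: billed {billed}, received {received[description]}")
    return exceptions


if __name__ == "__main__":
    print(sequence_exceptions([5001, 5002, 5004, 5004, 5006], 5001, 5007))
    print(validate_journal_line({"account": "1450", "amount": 250.0, "document_no": None}))
    print(match_invoice({"invoice_no": "V-902", "receiving_report_no": "RR-77",
                         "lines": {"steel bracket": 120, "hinge": 10}}))
```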

Physical Control Over Assets and Records

In order to maintain adequate internal controls, assets and records must be protected. If assets are left unprotected, they can be stolen or manipulated. Unprotected records can be stolen, damaged, or altered. Stolen, damaged, or altered accounting records can seriously disrupt the accounting process and business operations.

Companies that are highly automated may be placing their systems, applications, and data at risk if they are not protected. Application data files, if damaged, could be costly to recover or even impossible to reconstruct. The most important type of protective measure for safeguarding assets and records is the use of multiple backup technologies. This would include local backups as well as cloud-based backups. Finally, local security technologies such as fireproof safes and safety deposit vaults for the protection of assets such as currency and securities are other important physical safeguards.

Independent Checks on Performance

Lastly, it is important to carefully and continuously review the four independent checks or internal verifications.

The need for independent checks arises because internal controls tend to change over time. These changes are only identified by periodic reviews. Employees may be likely to neglect required procedures or intentionally fail to follow procedures. It is also possible for employees to become careless unless someone with authority observes and verifies their performance. Regardless of the quantity or quality of the internal controls, employees can make errors or commit fraud.

Employees that are responsible for performing internal verification procedures must be independent of those originally responsible for preparing the data. The least expensive means of internal verification is the separation of duties. For example, when the employee performing bank reconciliation is independent from the employee updating accounting records and handling of cash, there is an opportunity for verification without incurring significant additional costs.

Accounting systems can be implemented so that many internal verification procedures can be automated. For example, the computer can prevent processing payment on a vendor invoice if there is no matching purchase order number or receiving report number for that invoice included in the system. Auditing standards require the auditor to obtain an understanding of the process that employees follow to reconcile detail records supporting a significant account balance to the general ledger. These procedures can help the auditor design and perform audit procedures. However, before planning the confirmation procedures the auditor needs to understand the design and implementation of internal controls that company employees use to reconcile the accounts receivable master file to the related general ledger account balance. This is why it is important to have the following:

1. Physical controls over assets and records.

2. Independent checks on performance.

It is also required for management to monitor these requirements.
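The screen validation and automated invoice matching described above, as an added example that is not part of the original course material: a Python sketch of both application controls. The account numbers, document numbers, record layouts and function names are constructed for illustration, and the check that the receiving report refers to the same purchase order goes one step beyond the text.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed chart of accounts master file (account number -> description).
CHART_OF_ACCOUNTS = {
    "1000": "Cash",
    "1200": "Accounts receivable",
    "2000": "Accounts payable",
    "5000": "Cost of goods sold",
}

# Constructed purchasing records, keyed by document number.
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "V-17"},
    "PO-1002": {"vendor": "V-23"},
}
RECEIVING_REPORTS = {
    "RR-0440": {"po_number": "PO-1001"},
    "RR-0441": {"po_number": "PO-1002"},
}


@dataclass(frozen=True)
class VendorInvoice:
    invoice_number: str
    vendor: str
    amount: Decimal
    gl_account: str
    po_number: str
    receiving_report: str


def validate_gl_account(account):
    """Screen control: the account is mandatory and must exist in the master file."""
    if not account or not account.strip():
        return ["general ledger account is required"]
    if account not in CHART_OF_ACCOUNTS:
        return [f"account {account!r} is not in the chart of accounts"]
    return []


def check_invoice(inv):
    """Return the list of control exceptions; an empty list means no exception."""
    exceptions = validate_gl_account(inv.gl_account)
    po = PURCHASE_ORDERS.get(inv.po_number)
    rr = RECEIVING_REPORTS.get(inv.receiving_report)
    if po is None:
        exceptions.append(f"no purchase order {inv.po_number!r} on file")
    if rr is None:
        exceptions.append(f"no receiving report {inv.receiving_report!r} on file")
    # Added assumption: the receiving report must belong to the invoiced order.
    if po is not None and rr is not None and rr["po_number"] != inv.po_number:
        exceptions.append(
            f"receiving report {inv.receiving_report!r} was issued for a "
            "different purchase order"
        )
    return exceptions


def release_for_payment(inv):
    """Preventive control: hold the payment unless every check passes.

    The exception list is kept so it can feed an exception report that an
    independent reviewer follows up on.
    """
    exceptions = check_invoice(inv)
    return {
        "invoice": inv.invoice_number,
        "status": "HOLD" if exceptions else "RELEASED",
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    sample = [
        VendorInvoice("INV-1", "V-17", Decimal("2500.00"), "5000", "PO-1001", "RR-0440"),
        VendorInvoice("INV-2", "V-17", Decimal("10.00"), "9999", "PO-9999", "RR-0440"),
        VendorInvoice("INV-3", "V-17", Decimal("75.00"), "5000", "PO-1001", "RR-0441"),
    ]
    for invoice in sample:
        print(release_for_payment(invoice))
```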

Information and Communication

The fourth internal control component is information and communication. Information and communication is defined as the identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities. The auditor should obtain knowledge of the means that are used by the business entity to communicate such information.

The purpose of an entity's accounting information and communication system is to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets. An accounting information and communication system has several subcomponents. The accounting information and communication system subcomponents typically include classes of transactions such as sales, sales returns, cash receipts, etc. For each class of transactions, the accounting system must satisfy all of the six transaction-related audit objectives. For example, the sales accounting system should be designed to ensure that all shipments of goods are correctly recorded as sales and are reflected in the financial statements in the proper period. The system must also avoid duplicate recording of sales and recording a sale if a shipment did not occur. To understand the design of the accounting information system, the auditor must identify the following:

(1) the major classes of transactions of the entity;

(2) how those transactions are initiated and recorded;

(3) what accounting records exist and their nature;

(4) how the system captures other events that are significant to the financial statements, such as declines in asset values; and

(5) the nature and details of the financial reporting process followed, including procedures to enter transactions and adjustments in the general ledger.


Monitoring

The fifth internal control component is monitoring. Monitoring is a process that assesses the quality of internal performance over time. The purpose is to see if the controls are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring includes the use of internal auditors.

Monitoring activities deal with ongoing or periodic assessment of the quality of internal controls by management to determine that controls are operating as intended. Monitoring activities should also verify that internal controls are appropriately adjusted, modified, or changed for all changes in conditions. The information being assessed comes from a variety of sources, including existing internal controls, internal auditor reports, exception reporting on control activities, reports by regulators, feedback from operating personnel, and complaints from customers about billing charges.

For many larger business entities, an internal audit department is essential for effective monitoring of the operating performance of internal controls. To be effective, the internal audit function must be performed by employees that are independent of both the operating and accounting departments. These employees should report directly to a high level of authority within the organization. This could be either upper management or the audit committee. In addition to its role in monitoring an entity's internal control, a competent internal audit department can reduce external audit costs by providing direct assistance to the external auditor.

PCAOB Standard 5 defines the extent that auditors can leverage the work completed by internal auditors when reporting on internal control under Section 404. Auditing standards provide guidance to help the external auditor obtain evidence that supports the competence, integrity, and objectivity of internal auditors. This guidance allows the external auditor to rely on the internal auditor's work in a number of ways.

Overall, the five internal control components represent what is needed to achieve the objectives. Internal control is applicable to business units and the functions of each business unit. The five components of internal control should be considered in the context of the following:

1. The entity's size.

2. The entity's organization and ownership characteristics.

3. The nature of the entity's business.

4. The diversity and complexity of the entity's operations.

5. The entity's methods of transmitting, processing, maintaining, and accessing information.

6. Applicable legal and regulatory requirements.


When internal controls are working effectively, the end result will be excellent financial statements. However, there are inherent limitations within all systems and limiting factors for the effectiveness of internal controls including:

1. Management can override any control system.

2. Controls can be circumvented by employees (collusion).

3. Human error caused by misunderstanding instructions, fatigue, carelessness.

4. Need by management to balance the cost/benefit principle.

5. The best controls in the world are not always absolute deterrents to fraud.

Management is responsible for establishing and maintaining an effective internal controls system. They alone must establish a functional system of internal controls. In fact, the Foreign Corrupt Practices Act of 1977 requires public companies to have a good system and makes management legally liable.


Understanding and Evaluation of Internal Accounting Controls

Auditing standards require auditors to obtain and document their understanding of internal control for every audit. This understanding is necessary for both the audit of internal controls over financial reporting and the audit of financial statements. The level of understanding of internal control and the extent of testing required for the audit of internal control exceed what is required for an audit of only the financial statements. Therefore, when auditors first focus on the understanding and testing of internal control for the audit of internal controls, they will have met the requirements for assessing internal control for the financial statement audit.

Section 404 requires management to document the processes being used for assessing the effectiveness of the company's internal control over financial reporting. Management must document the design of controls to include all five control components. Management must also document the results of its testing and evaluation of all controls being implemented. The types of information gathered by management to assess and document internal control effectiveness can take many forms including:

• Policy manuals,

• Flowcharts,

• Narratives,

• Documents, and

• Questionnaires

Management's documentation is a primary source of information for the auditor for gaining an understanding of internal controls. As part of the auditor's risk assessment procedures, the auditor uses procedures to obtain the required understanding. This will typically involve gathering evidence about the design of internal controls and an assessment on whether they have been implemented. This information is then used as a basis for the audit.

The auditor typically uses the following types of evidence to obtain an understanding of the design and implementation of controls:

• Documentation,

• Q&A of business personnel involved with implementing controls,

• Observation of the employees performing control processes, and

• Tracing a single transaction or a few transactions through the accounting system from start to finish.

Auditors commonly use three types of documents to acquire knowledge of controls and document their understanding of the design of internal control:

• Narratives,

• Flowcharts, and

• Internal control questionnaires.


Section 404 requires management to assess and document the design effectiveness of internal control over financial reporting. As a result, management should already have prepared documentation to share with the auditor. Narratives, flowcharts, and internal control questionnaires are used separately by the auditor to establish their understanding and to document the internal control that is in use.

The first step is for the auditor to obtain an understanding of the system. The purpose of understanding is to make a preliminary evaluation about the dependability of the system when creating their plan. Once again, the techniques that are used to gain an understanding of the system include:

1. Internal control questionnaires

2. Narratives

3. Flowcharts

4. Walk-through

AU 311 states that the procedures that an auditor may consider in planning the audit usually involve a review of their own records relating to the entity and discussion with employees of the firm. Their discussion may also extend to other personnel of the entity. This may include consultants, specialists, and internal auditors.


.04 Procedures that an auditor may consider in planning the audit usually involve review of his records relating to the entity and discussion with other firm personnel and personnel of the entity. Examples of those procedures include:

a. Reviewing correspondence files, prior year's working papers, permanent files, financial statements, and auditor's reports.

b. Discussing matters that may affect the audit with firm personnel responsible for non-audit services to the entity.

c. Inquiring about current business developments affecting the entity.

d. Reading the current year's interim financial statements.

e. Discussing the type, scope, and timing of the audit with management of the entity, the board of directors, or its audit committee.

f. Considering the effects of applicable accounting and auditing pronouncements, particularly new ones.

g. Coordinating the assistance of entity personnel in data preparation.

h. Determining the extent of involvement, if any, of consultants, specialists, and internal auditors.

i. Establishing the timing of the audit work.

j. Establishing and coordinating staffing requirements.

The auditor may wish to prepare a memorandum setting forth the preliminary audit plan, particularly for large and complex entities.


Internal Control Questionnaires

An internal control questionnaire asks a series of questions about the controls in each audit area as a means of identifying internal control deficiencies. Internal control questionnaires are designed to answer questions about the system with a yes or no answer. A yes response should indicate a good control point, and a no response indicates a potential internal control deficiency. Questionnaires are a tool that allows auditors to obtain information concerning each audit area quickly. Questionnaires have many advantages, but they also have two main disadvantages: they cannot provide an overview of the system, and they are not appropriate for smaller audits. Questionnaires are typically designed to incorporate the six transaction-related audit objectives.

The use of questionnaires and flowcharts together is useful for understanding the client's internal control design and identifying internal controls and deficiencies. Flowcharts provide an overview of the system, while questionnaires act as checklists for the different types of internal controls that should exist. In addition to understanding the design of the internal controls, the auditor must also evaluate whether the designed controls are implemented. In practice, the understanding of the design and of the implementation are often obtained simultaneously. The following methods are commonly used:

Update and Evaluate Auditor's Previous Experience with the Entity

Many times the audit of a company is performed annually by the same CPA firm. After the first year's audit, the auditor starts the next year’s audit with a great deal of information from prior years about the internal controls that are being used. Past information is especially useful to determine whether controls are still operating and whether any controls that were deficient have been improved.

Make Inquiries of Client Staff

Auditors should ask management, supervisors, and staff to provide an explanation of their duties. Careful questioning of selected staff will help auditors evaluate whether employees understand their duties and are actually following the procedures that are described in the control documentation.

Examine Documents and Records

The five components of internal control involve the creation of documents and records. By examining completed documents, records, and electronic files, the auditor can evaluate whether the procedures defined in flowcharts and narratives have been implemented.


Observe Activities and Daily Operations

Observing staff members carrying out their normal accounting and control activities, including the preparation of documents and records, improves the auditor’s understanding and knowledge of the controls that have been implemented.

Narratives

Narratives are a written statement of the flow of documents through a system. A narrative is the written description of a client's internal controls. A proper narrative of an accounting system and related controls describes the following items:

1. The origin of every document and record in the system. The origin should state where customer orders come from and how sales invoices are generated.

2. All processing that occurs. This should include a description of the pricing process that is implemented.

3. The state and flow of every document and record in the system. This should describe the filing of documents, how they are sent to customers, and their destruction.

4. An indication of the controls relevant to the assessment of control risk. These typically include separation of duties, authorizations and approvals, and internal verification for accuracy.

Flowcharts

Flowcharts are a pictorial representation of the narratives using symbols. An internal control flowchart is a diagram of the client's documents and their sequential flow in the organization. An adequate flowchart includes the same four characteristics identified for narratives including:

1. The origin of every document and record in the system. The origin should state where customer orders come from and how sales invoices are generated.

2. All processing that occurs. This should include a description of the pricing process that is implemented.

3. The state and flow of every document and record in the system. This should describe the filing of documents, how they are sent to customers, and their destruction.

4. An indication of the controls relevant to the assessment of control risk. These typically include separation of duties, authorizations and approvals, and internal verification for accuracy.

Well-prepared flowcharts are advantageous primarily because they provide a concise overview of the client's system, which helps auditors identify controls and deficiencies in the client's system. Flowcharts are usually easier to read and easier to update than narratives. It is unusual to use both a narrative and a flowchart to describe the same system because both present the same information.


The flowchart will present a visual diagram that depicts the flow of documents and controls within the internal control system. A flowchart uses symbols to represent different functions and it should be read top to bottom and flow left to right.

The major symbols used in program flowcharting are shown below:

Start / Stop: Any start or stop point in the program

Input/Output: Any function of an input or output device

Processing: Operation or operations to be performed

Decision: A choice is to be made from two or more options (yes/no; greater than; less than/equal)

Connector: An entry to or exit from a point on the same page

Off-page Connector: An entry to or exit from a different page

Document or Hardcopy printouts

Manual Operation: Any non-machine operations in the system

Online Storage

Offline Storage

The rule for direction of flow is always down and to the right unless an arrow indicates otherwise.

Walk-through

A walk-through is an activity where the auditor walks a single transaction or a number of transactions through the accounting system while talking to the actual people involved in that system. In a walk-through, the auditor typically selects a few documents of a specific transaction type to be tested and traces them from initiation through the entire accounting process. At each stage of processing, the auditor makes inquiries, observes activities, and examines all completed documents and records from the process. Walk-throughs combine observation, documentation, and inquiry in order to assure that the controls designed by management have been implemented and are working as intended.


Assess Control Risk

The auditor obtains an understanding of the design and implementation of the internal controls in order to make a preliminary assessment of control risk. This is done as part of the auditor's overall assessment of the risk of material misstatements. The auditor uses this preliminary assessment of control risk to plan the audit for each material class of transactions. However, in some instances the auditor may learn that the control deficiencies are significant, which may mean that the client's financial statements may not be auditable. As a result, the auditor must first decide whether the entity is auditable before making a preliminary assessment of control risk for each material class of transactions.

The two primary factors that determine auditability are:

• The integrity of management, and

• The adequacy of accounting records.

Management integrity is extremely important. Most auditors will not accept the engagement if management lacks integrity.

The accounting records are one of the most important sources of audit evidence for most audit objectives. If the accounting records are deficient, necessary audit evidence may not be available for the auditor. For example, if the audit client has not kept duplicate sales invoices and vendors' invoices, it is usually impractical to do an audit.

In complex IT environments, most of the transaction information is available only in electronic form without an available audit trail of documents and records. In these cases, the client is still auditable; however, auditors must assess whether they have the necessary skills or time to gather evidence that is only available in electronic form. In some cases, a programmer, a consultant or another IT specialist with adequate IT training and experience may need to be involved.

After obtaining an understanding of internal control, the auditor first makes a preliminary assessment of control risk as part of the auditor's overall assessment of the risk of material misstatement. This assessment is a measure of the auditor's expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred.

The starting point for most auditors is the assessment of entity-level controls. It is important to recognize that entity-level controls have an impact on most major types of transactions in each transaction cycle. For example, management may have failed to implement a process to identify, assess, or manage key risks. This can have the potential to undermine controls for most of the transaction-related audit objectives. As a result, auditors must assess entity-level controls before assessing transaction-specific controls.

Once the auditor determines that entity-level controls exist, are designed correctly, and operating, they can make a preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle. For example, in the sales and collection cycle, the types of transactions usually involve sales, sales returns and allowances, cash receipts, and the provision for and write-off of uncollectible accounts. The auditor should also make a preliminary assessment for controls affecting audit objectives for balance sheet accounts and presentations and disclosures in each cycle.

Many auditors use a control risk matrix to assist in the control risk assessment process at the transaction level. The purpose of a control risk matrix is to provide a convenient way to organize the job of assessing control risk for each audit objective. Auditors use a similar control risk matrix format to assess control risk for balance-related and presentation and disclosure-related audit objectives.

Identify Audit Objectives

The first step in the assessment is to identify the audit objectives for classes of transactions, account balances, and presentation and disclosure where the assessment applies. This is typically applied for classes of transactions by focusing on the specific transaction-related audit objectives. These are stated in general form and applied to each major type of transaction for the business entity. This means that the auditor makes an assessment of the occurrence objective for sales and a separate assessment of the completeness objective.

Identify Existing Controls

The next step in this process is for the auditor to use the information gleaned when understanding internal controls to identify the controls that contribute to accomplishing transaction-related audit objectives. One way for the auditor to do this is to identify controls to satisfy each objective. It is common for the auditor to use their knowledge of the client's system to identify controls that are likely to prevent errors or fraud in the occurrence transaction-related audit objective. The same approach can be used for all of the other audit objectives. It is also helpful for the auditor to use the five control activities as reminders of controls, such as by asking the following questions:

• Is there adequate separation of duties and how is it being achieved?

• Are transactions properly authorized and what is the authorization method being used?

• Are prenumbered documents properly accounted for?

• Are key master files properly restricted from unauthorized access?

The auditor should identify and include only those controls that are expected to have the greatest effect on achieving the transaction-related audit objectives, which are called key controls. The reason for including only key controls is that they will be sufficient to achieve the transaction-related audit objectives and also provide audit efficiency.


A risk control matrix can be used to identify controls. The body of the matrix is used to show how each control contributes to the accomplishment of one or more transaction-related audit objectives. A similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives. Auditors must evaluate whether key controls are absent in the design of internal control over financial reporting as a part of evaluating control risk and the likelihood of financial statement misstatements.

Auditing standards define three levels of the absence of internal controls:

1. Control deficiency. A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis in the normal course of performing their assigned functions. A design deficiency exists if a necessary control is missing or not properly designed. An operation deficiency exists if a well-designed control does not operate as designed or if the individual performing the control is insufficiently qualified or authorized.

2. Significant deficiency. A significant deficiency exists if one or more control deficiencies exist that are less severe than a material weakness, but important enough to merit attention by those responsible for oversight of the company's financial reporting.

3. Material weakness. A material weakness exists if a significant deficiency, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis.

To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated according to these two factors:

1. The likelihood of occurring, and

2. The significance or impact if they occur.

If there is more than a reasonable possibility that a material misstatement could result from the significant deficiency or deficiencies, then it is considered a material weakness.

The following five-step approach can be used to identify deficiencies, significant deficiencies, and material weaknesses:

1. Identify existing controls. This is required because deficiencies and material weaknesses represent the absence of adequate controls. As a result, the auditor must first know which controls exist.

2. Identify the absence of key controls. Internal control questionnaires, flowcharts, and walkthroughs are useful tools to identify where controls are lacking and can help to identify when the likelihood of misstatement is increased. It is also useful to examine the control risk matrix to look for objectives where there are no or only a few controls to prevent or detect misstatements.

3. Consider the possibility of compensating controls. A compensating control is another control elsewhere in the system that offsets the absence of a key control. When a compensating control is established, there is no longer a significant deficiency or material weakness.

4. Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses.


5. Determine potential misstatements that could result. This final step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements.

Each significant deficiency or material weakness can apply to one or more related audit objectives. As a result, the auditor must associate significant deficiencies and material weaknesses with related audit objectives. After this is done, the auditor must assess control risk for each related audit objective.

After controls, significant deficiencies, and material weaknesses are identified and associated with transaction-related audit objectives, the auditor can assess control risk for transaction-related audit objectives. This is the critical decision in the evaluation of internal control. The auditor uses all of the information discussed previously to make a subjective control risk assessment for each objective. There are different ways to express this assessment. Some auditors use a subjective expression such as high, moderate, or low. Others may prefer to use numerical probabilities such as 1.0, 0.5, or 0.1.
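The control risk matrix and the steps for finding absent key controls and compensating controls, as an added example that is not part of the original course material. The controls and deficiencies are constructed sample data for a sales transaction class; the text names only the occurrence and completeness objectives, so the other four objective names are an assumption taken from common auditing usage, and the high/moderate/low rule is an illustrative starting point for the auditor's judgement, not a rule from the standards.

```python
# Assumption: the six transaction-related audit objectives as commonly listed.
OBJECTIVES = [
    "occurrence", "completeness", "accuracy",
    "posting and summarization", "classification", "timing",
]

# Constructed key controls: id -> (description, objectives the control supports).
KEY_CONTROLS = {
    "C1": ("Credit is approved before shipment", ["occurrence"]),
    "C2": ("Shipping documents are prenumbered and accounted for",
           ["completeness", "timing"]),
    "C3": ("Invoice prices come from an approved price list", ["accuracy"]),
    "C4": ("Account numbers are validated against the chart of accounts",
           ["classification"]),
    "C5": ("Sales invoices are supported by shipping documents", ["occurrence"]),
}

# Constructed deficiencies; a named compensating control offsets the deficiency.
DEFICIENCIES = [
    {"id": "D1",
     "description": "Receivables master file is not reconciled to the general ledger",
     "objectives": ["posting and summarization"],
     "compensating_control": None},
    {"id": "D2",
     "description": "Invoice quantities are not independently checked",
     "objectives": ["accuracy"],
     "compensating_control": "Monthly statements are sent to customers"},
]


def build_matrix(controls):
    """Body of the matrix: objective -> ids of the key controls supporting it."""
    matrix = {objective: [] for objective in OBJECTIVES}
    for control_id, (_description, objectives) in controls.items():
        for objective in objectives:
            if objective not in matrix:
                raise ValueError(f"unknown audit objective: {objective!r}")
            matrix[objective].append(control_id)
    return matrix


def uncovered_objectives(matrix):
    """Step 2: objectives for which no key control exists."""
    return [objective for objective in OBJECTIVES if not matrix[objective]]


def open_deficiencies(deficiencies):
    """Step 3: drop deficiencies that are offset by a compensating control."""
    return [d for d in deficiencies if not d["compensating_control"]]


def assess_control_risk(controls, deficiencies):
    """Preliminary assessment per objective (illustrative rule, see lead-in)."""
    matrix = build_matrix(controls)
    open_by_objective = {objective: [] for objective in OBJECTIVES}
    for deficiency in open_deficiencies(deficiencies):
        for objective in deficiency["objectives"]:
            open_by_objective[objective].append(deficiency["id"])

    assessment = {}
    for objective in OBJECTIVES:
        count = len(matrix[objective])
        if count == 0 or open_by_objective[objective]:
            risk = "high"        # no key control, or an uncompensated deficiency
        elif count == 1:
            risk = "moderate"    # only one control supports the objective
        else:
            risk = "low"
        assessment[objective] = {
            "controls": matrix[objective],
            "deficiencies": open_by_objective[objective],
            "risk": risk,
        }
    return assessment


if __name__ == "__main__":
    for objective, row in assess_control_risk(KEY_CONTROLS, DEFICIENCIES).items():
        print(f"{objective:26} {row['risk']:9} controls={row['controls']} "
              f"deficiencies={row['deficiencies']}")
```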

The control risk matrix is a useful tool for making the assessment. This assessment is not the final one. Before making the final assessment at the end of the integrated audit, the auditor will test controls and perform substantive tests. These procedures can either support the preliminary assessment or cause the auditor to make changes. In some cases, management can correct deficiencies and material weaknesses before the auditor performs significant testing. This would result in a reduction in control risk.

After a preliminary assessment of control risk is made for sales and cash receipts, the auditor can complete the three control risk rows of the evidence-planning worksheet. If tests of controls results do not support the preliminary assessment of control risk, the auditor must modify the worksheet later. Alternatively, the auditor can wait until tests of controls are done to complete the three control risk rows of the worksheet.

As part of understanding internal control and assessing control risk, the auditor is required to communicate certain matters to those charged with governance. This information and other recommendations about controls are also often communicated to management.

Communications to Those Charged With Governance

The auditor is required to communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence. The communication is usually addressed to the audit committee and to management. Timely communications may provide management an opportunity to address control deficiencies before management's report on internal control must be issued. In some cases, deficiencies can be corrected sufficiently early such that both management and the auditor can conclude that controls are operating effectively as of the balance sheet date. Communication letters must be issued no later than 60 days following the audit report release.


Management Letters

In addition to significant internal control-related matters, auditors often identify less significant internal control-related issues. These letters may also present management with opportunities to make operational improvements, which should also be communicated to the client. The form of communication is often a separate letter for that purpose, called a management letter. Although management letters are not required by auditing standards, auditors generally prepare them as a value-added service of the audit.

Test of Controls

When evaluating internal controls, the auditor makes a preliminary evaluation of controls after gaining an understanding of the system that is being used. If the auditor feels that the system is weak and cannot be relied upon, the auditor will then gather more substantive evidence. If the auditor believes that the system is dependable, the auditor must test the controls to determine if, in fact, they are working the way management says they are working. The auditor must design, perform and evaluate tests of controls. Not testing the system is subordinating judgment to management.

Purpose of Tests of Controls

Assessing control risk requires the auditor to consider both the design and operation of controls to evaluate whether they will likely be effective in meeting related audit objectives. During the learning and understanding phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementation by using procedures to obtain an understanding. In most cases, the auditor will not have gathered enough evidence to reduce assessed control risk to a sufficiently low level. The auditor must therefore obtain additional evidence about the operating effectiveness of controls throughout all, or at least most, of the period under audit. The procedures to test effectiveness of controls in support of a reduced assessed control risk are called ‘tests of controls’.

If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment. If, on the other hand, the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reevaluated. When the controls do not operate effectively, the auditor uses a higher assessed control risk. The only alternative is when compensating controls are implemented. The auditor must also consider the impact of those controls that are not operating effectively on the auditor's report on internal control.

The auditor is likely to use four types of procedures to support the operating effectiveness of internal controls. Management's testing of internal control will likely include the same types of procedures. The four types of procedures include the following:


1. Make inquiries of appropriate client personnel.

2. Examine documents, records, and reports.

3. Observe control-related activities.

4. Reperform client procedures.

Make inquiries of appropriate client personnel.

Although inquiry of employees is not a highly reliable source of evidence about the effective operation of controls, it is still useful for obtaining pertinent information.

Examine documents, records, and reports.

Many controls produce a clear trail of documentary evidence. This evidence can be used to test controls. An example of this is when a customer order is received and that order is used to create a customer sales order. This particular customer sales order was approved for credit. The customer order is attached to the sales order as authorization for further processing. The auditor can test the control by examining the documents to make sure that they are complete and properly matched. The documents can also be checked to verify that the required signatures or initials are present.

Observe control-related activities.

Some controls do not leave an evidence trail, which means that it is not possible to examine, at a later date, evidence that the control was executed. The separation of duties relies on specific employees performing specific tasks, and there is typically no documentation of the separate performance. For controls that leave no documentary evidence, the auditor generally observes the controls being applied at various points during the year.

Reperform client procedures.

There are also control-related activities where there are related documents and records, but their content is insufficient for the auditor's purpose of assessing whether controls are operating effectively. For example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is documented on the sales invoices. In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. To test this particular scenario, the auditor can reperform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure is operating as intended.


Extent of Procedures

The extent to which tests of controls are applied depends on the preliminary assessed control risk. If the auditor wants a lower assessed control risk, more extensive tests of controls are applied. This means both in terms of the number of controls tested and the extent of the tests for each control. If the auditor wants to use a low assessed control risk, a larger sample size for documentation, observation, and reperformance procedures should be applied. The extent of testing also depends on the frequency of the operation of the controls, and whether it is manual or automated.

When auditors plan to use evidence about the operating effectiveness of internal control obtained in prior audits, auditing standards require tests of the controls' effectiveness at least every third year. If auditors determine that a key control has been changed since it was last tested, they should test it in the current year. When there are a number of controls tested in prior audits that have not been changed, auditing standards require auditors to test some of those controls each year to ensure there is a rotation of controls testing throughout the three-year period.

Significant risks are those risks that the auditor believes require special audit consideration. When the auditor's risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below one hundred percent. The greater the risk, the more audit evidence the auditor should obtain that verifies that controls are operating effectively.

Management's report on internal control deals with the effectiveness of internal controls as of the end of the fiscal year. PCAOB Standard 5 requires the auditor to perform tests of controls that are adequate to determine whether controls are operating effectively at year-end. The timing of the auditor's tests of controls will depend on the nature of the controls and when the company uses them. For controls that are applied throughout the accounting period, it is usually practical to test them at an interim date. The auditor will then determine later if changes in controls occurred in the period not tested and decide the implication of any change. Controls dealing with financial statement preparation occur only quarterly or at year-end and must also be tested at quarter and year-end.

Tests of Controls and Procedures to Obtain an Understanding

There is a significant overlap between tests of controls and procedures to obtain an understanding. Both require inquiry, documentation, and observation by the auditor. There are two primary differences in the application of these common procedures.

1. In obtaining an understanding of internal controls, the procedures to obtain an understanding are applied to all controls identified during that phase. Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding.


2. Procedures to obtain an understanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are performed on larger samples of transactions (the exact amount to be determined by the auditor), and often, observations are made at more than one point in time.

For key controls, tests of controls other than reperformance are essentially an extension of procedures to obtain an understanding. The auditor’s plan to obtain a low assessed control risk will likely combine both types of procedures and perform them simultaneously. One option is to perform the audit procedures separately. This means that minimum procedures to obtain an understanding of design and operation are performed first. Next, additional tests of controls are performed. An alternative is to combine both and do them simultaneously. The same amount of evidence is accumulated in the second approach, but more efficiently. Finally, deciding on the appropriate sample size for tests of controls is an important audit decision.

Decide Planned Detection Risk and Design Substantive Tests

At this point, the auditor should have assessed control risk for each related audit objective and supported the control risk assessments with tests of controls. The completion of these activities is sufficient for the audit of internal control over financial reporting, even though the report will not be finalized until the auditor completes the audit of financial statements.

The auditor should use the control risk assessment and results of tests of controls to determine planned detection risk and related substantive tests for the audit of financial statements. The auditor does this by linking the control risk assessments to the balance-related audit objectives for the accounts affected by the major transaction types and to the four presentation and disclosure audit objectives. The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model.

Reporting on Internal Controls

The auditor is required to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit. An auditor must evaluate identified control deficiencies and determine whether those deficiencies, individually or in the aggregate, are significant deficiencies or material weaknesses. The communication is best made by the report release date, but no later than 60 days following the report release date. The report may identify a control deficiency, a significant deficiency, or a combination.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. A material weakness is a significant deficiency, or combination of control deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

The communication should do the following:

1. State that the purpose of the audit was to express an opinion on the statements but not to express an opinion on internal control.

2. State that the auditor is not expressing an opinion on the effectiveness of internal control.

3. Include the definition of the two terms above.

4. Identify the matters considered to be weaknesses.

5. State that this communication is intended solely for the information and use of management.

If the auditor is asked to provide a written communication when there are no material weaknesses, the auditor may do so but is not permitted to state that there are no significant deficiencies identified during the audit. The reason for not making that statement is that the auditor has not performed an audit of the internal control system and therefore cannot make such a statement.

Opinion Based Upon an Audit of the Internal Control System

The auditor may issue a report on internal control based upon an audit of the entire internal control system. If issued, the report should indicate the following:

1. Describe the scope of the engagement.

2. Include the date to which the opinion relates: either as of a point in time or for the period ended.

3. Indicate that establishment and maintenance of the system is the responsibility of management.

4. Briefly explain the broad objectives and inherent limitations of the system.

5. Provide an opinion on whether the system meets the objectives of internal control.

6. Be dated the date of completion of the audit.


Section 404 Reporting Requirements

Based on the auditor's assessment and testing of internal control, the auditor is required to prepare an audit report on internal control over financial reporting for accelerated filer public companies subject to Section 404(b) reporting requirements. The auditor may issue separate or combined audit reports on the financial statements and on internal control over financial reporting. The scope of the auditor's report on internal control is limited to obtaining reasonable assurance that material weaknesses in internal control are identified. Thus, the audit is not designed to detect deficiencies in internal control that individually, or in the aggregate, are less severe than a material weakness.

Unqualified Opinion – The auditor will issue an unqualified opinion on internal control over financial reporting when two conditions exist:

• There are no identified material weaknesses.

• There have been no restrictions on the scope of the auditor's work.

Adverse Opinion – The auditor will issue an adverse opinion when one or more material weaknesses exist. In these cases, the auditor must express an adverse opinion on the effectiveness of internal control. The most common cause of an adverse opinion in the auditor's report on internal control is when management identified a material weakness in its report.

Qualified or Disclaimer of Opinion – A scope limitation requires the auditor to express a qualified opinion or a disclaimer of opinion on internal control over financial reporting. This type of opinion is issued when the auditor is unable to determine if there are material weaknesses, due to a restriction on the scope of the audit of internal control over financial reporting or other circumstances where the auditor is unable to obtain sufficient appropriate evidence. Because the audit of the financial statements and the audit of internal control over financial reporting are integrated, the auditor must consider the results of audit procedures performed to issue the audit report on the financial statements when issuing the audit report on internal control.

When issuing the report, the following four responses to the findings of the audit are likely:

1. Because there is a material error in the financial statements, the auditor should consider whether the misstatement indicates the existence of a material weakness. Determining if the misstatement is in fact a material weakness or a significant deficiency involves judgment and depends on the nature and size of the misstatement.

2. The auditor can issue an unqualified opinion on the financial statements if the client adjusts the statements to correct the misstatement prior to issuance.

3. Management is likely to change its report on internal control to assert that the controls are not operating effectively.

4. The auditor must issue an adverse opinion on internal control over financial reporting if the deficiency is considered a material weakness.


The following are examples for the definition of material weakness and opinion paragraphs from an auditor's separate report on internal control when the auditor expresses an adverse opinion on the effectiveness of internal control over financial reporting because of the existence of a material weakness. If the material weakness has not been included in management's assessment, the report should note that a material weakness has been identified but not included in management's assessment.

Definition of material weakness

A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s interim or annual financial statements will not be prevented or detected on a timely basis.

Opinion paragraph

In our opinion, because of the effect of the material weakness described above on the achievement of the objectives of the control criteria, <Company Name> has not maintained effective internal control over financial reporting as of December 31, 20XX, based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).


Audit Report on Internal Control Example

To the Board of Directors and Shareholders of ABC Company

We have audited ABC Company's internal control over financial reporting as of December 31, 20XX, based on criteria established in Internal Control — Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). ABC Company's management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting included in the accompanying Management's Annual Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the effectiveness of the company's internal control over financial reporting based on our audit.

A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

We conducted our audit in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, evaluating management's assessment, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies and procedures may deteriorate.

In our opinion, ABC Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on criteria established in Internal Control — Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Auditor Signature

City and State or Country

Date


Evaluation of Internal Controls

[Flowchart. Box labels, in order: Determine audit risk; Engagement planning (primarily in the office); Understanding of the system (designed by management and placed into operation); Preliminary evaluation: good (below max CR) or bad (max CR); Test of controls (effectiveness, IC works); Final evaluation: good (below max CR) or bad (max); Gather less evidence (DR) or gather more evidence (DR); Issue the report.]


Glossary

Assessment of control risk—a measure of the auditor's expectation that internal controls will neither prevent material misstatements from occurring nor detect and correct them if they have occurred; control risk is assessed for each transaction-related audit objective in a cycle or class of transactions

Chart of accounts—a listing of all the entity's accounts, which classifies transactions into individual balance sheet and income statement accounts

Compensating control—a control elsewhere in the system that offsets the absence of a key control

Collusion—a cooperative effort among employees to steal assets or misstate records

Control activities—policies and procedures, in addition to those included in the other four components of internal control, that help ensure that necessary actions are taken to address risks in the achievement of the entity's objectives; they typically include the following five specific control activities: (1) adequate separation of duties, (2) proper authorization of transactions and activities, (3) adequate documents and records, (4) physical control over assets and records, and (5) independent checks on performance

Control deficiency—a deficiency in the design or operation of controls that does not permit company personnel to prevent or detect misstatements on a timely basis

Control environment—the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity

Control risk matrix—a methodology used to help the auditor assess control risk by matching key internal controls and internal control deficiencies with transaction-related audit objectives

Entity-level controls—controls that have a pervasive effect on the entity's system of internal control; also referred to as company-level controls

Flowchart—a diagrammatic representation of the client's documents and records and the sequence in which they are processed

General authorization—companywide policies for the approval of all transactions within stated limits

Independent checks—internal control activities designed for the continuous internal verification of other controls

Information and communication—the set of manual and/or computerized procedures that initiates, records, processes, and reports an entity's transactions and maintains accountability for the related assets


Internal control—a process designed to provide reasonable assurance regarding the achievement of management's objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations

Internal control questionnaire—a series of questions about the controls in each audit area used as a means of indicating to the auditor aspects of internal control that may be inadequate

Key controls—controls that are expected to have the greatest effect on meeting the transaction-related audit objectives

Management letter—an optional letter written by the auditor to a client's management containing the auditor's recommendations for improving any aspect of the client's business

Material weakness—a significant deficiency in internal control that, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected

Monitoring—management's ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating as intended and are modified when needed

Narrative—a written description of a client's internal controls, including the origin, processing, and disposition of documents and records, and the relevant control procedures

Procedures to obtain an understanding—procedures used by the auditor to gather evidence about the design and implementation of specific controls

Risk assessment—management's identification and analysis of risks relevant to the preparation of financial statements in accordance with an applicable accounting framework

Separation of duties—separation of the following activities in an organization: (1) custody of assets from accounting, (2) authorization from custody of assets, (3) operational responsibility from record keeping, and (4) IT duties from outside users of IT

Significant deficiency—one or more control deficiencies that are less severe than a material weakness, but important enough to merit attention by those responsible for oversight of the company's financial reporting

Significant risks—risks the auditor believes require special audit consideration; the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit if control risk is to be assessed below the maximum


Specific authorization—case-by-case approval of transactions not covered by companywide policies

Tests of controls—audit procedures to test the operating effectiveness of controls in support of reduced assessed control risk

Those charged with governance—the person(s) with responsibility for overseeing the strategic direction of the entity and its obligations related to the accountability of the entity, including overseeing the financial reporting and disclosure process

Walkthrough—the tracing of selected transactions through the accounting system to determine that controls are in place
