AUDITING CHAPTER 8 Internal Control By David N. Ricchiute
TOPICS
- COSO framework of internal control
- Auditor’s consideration of internal control
- Audit of internal control mandated by Sarbanes-Oxley
GBW 8th ed., Ch. 8
INTRODUCTION
- Auditor responsible for considering internal control in audit program design
  - Audit planning
    - What is assessed level of control risk?
    - Based on control risk assessment, can auditor relax nature, extent, timing of substantive tests?
- Sarbanes-Oxley Act requires auditor to audit internal control
  - To comply with Act & SEC’s rules
COSO FRAMEWORK
- COSO provides guidance for auditor’s consideration of internal control
  - A framework to assess internal controls
  - Common definition for internal controls
  - Applies to financial reporting & other management objectives
- Sarbanes-Oxley Act applies only to financial reporting
INTERNAL CONTROL: COSO Definition
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness & efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws & regulations
COSO, 1992, p. 9
CONCEPTS OF COSO DEFINITION
- Internal control is a process
- Internal control accomplished by people at all levels
- Internal control is means to achieve entity’s objectives
- Internal controls provide reasonable, not absolute, assurance
INTERNAL CONTROL OBJECTIVES
- Operations objectives
  - Market share, ROI, product/service diversification
- Financial reporting objectives
  - Producing reliable financial statements
- Compliance objectives
  - Compliance with laws, regulations
SEC & PCAOB Control Over Financial Reporting
- Sarbanes-Oxley Act Section 404
  - Management to certify internal control over financial reporting is effective
  - Auditor to issue opinion on management’s certification
INTERNAL CONTROL OVER FINANCIAL REPORTING
SEC, PCAOB definition, Section 404
- A process designed by, or under supervision of, principal executive & principal financial officers...
- To provide reasonable assurance regarding reliability of financial reporting, preparation of financial statements in accordance with GAAP
SEC, Final Rule. Washington, D.C.: SEC, 2003.
INTERNAL CONTROL: Policies & Procedures
- Maintain records in reasonable detail
  - To accurately, fairly reflect transactions, dispositions of assets
- Provide reasonable assurance that
  - Transactions recorded as necessary to prepare financial statements in accord with GAAP
  - Receipts, expenditures in accord with management’s, directors’ authorization
  - Unauthorized acquisition, use of assets having material effect on financial statements will be prevented, detected in timely manner
COSO COMPONENTS OF INTERNAL CONTROL
- Control environment
- Risk assessment
- Control activities
- Information & communications support
- Monitoring
COSO & adopted by SAS 94
CONTROL ENVIRONMENT
- Management’s & board of directors’ attitude, awareness, & actions regarding internal control
- Captures importance of control in management’s operating style
- “Tone at the top”
ELEMENTS OF CONTROL ENVIRONMENT
Attitude & awareness
- Integrity: Codes of conduct
- Commitment: Committed to quality
- Directors, audit committee: Board independent of management
- Management philosophy: Attitude about false records
- Organization structure: Proper flow information
- Authority: Responsibilities defined
- HR policies, procedures: Policies training, promotion, etc.
RISK ASSESSMENT
- Management’s responsibility to identify risks for
  - Financial reporting
  - Operations
  - Compliance
- Management’s responsibility to take action to manage risks
MANAGING RISKS IN CHANGE
Change agents
- Operating environment: Divestiture
- New personnel: Organization culture
- New information system: Time constraints for redesign
- Rapid growth: Back orders
- New technology: Production delays
- New products, services: Unfamiliar risks
- Corporate restructuring: Staff reductions, inadequate supervision
- Foreign operations: Local customs, culture
CONTROL ACTIVITIES
- Policies & procedures to provide reasonable assurance that objectives are met
  - Authorization, execution of transactions
  - Segregation of duties
  - Design & use of documents & records
  - Access to assets & records
CONTROL ACTIVITIES: Categories
- Preventive controls
  - Intended to prevent misstatement
- Detective controls
  - Detect misstatements that have occurred
CONTROL ACTIVITIES: Authorization
- All transactions should be authorized by responsible personnel acting within scope of prescribed authority, responsibility
  - Specific authorization
    - Required for each transaction
    - Typically unusual transactions
  - General authorization
    - Policies, procedures for typical transactions
SEGREGATION OF DUTIES
- Optimum segregation of duties exists when collusion is necessary to circumvent controls
- Separate functions for
  - Management (authorization)
  - Custody (transaction execution)
  - Accounting (recording transactions)
  - Monitoring (independent checks on performance)
DESIGN, USE DOCUMENTS & RECORDS
- Evidence of executed transactions
  - Represent an audit trail
- Impact efficiency
  - Designed for multiple use
  - Prenumbered consecutively
  - Easy to complete
ACCESS TO ASSETS & RECORDS
- Access limited to authorized personnel by
  - Locks for physical protection
  - Limits on employee access online
  - Codes to authorize access
INFORMATION, COMMUNICATION: Defined
- System identifies, captures, communicates external & internal information in form & timeframe to discharge responsibilities
- Includes accounting system
INFORMATION, COMMUNICATION: Sources
- External
  - Market share, regulatory requirements, complaints
- Internal
  - Identify valid transactions
  - Record proper time period
  - Sufficient detail to classify, measure, present in financial statements
INFORMATION, COMMUNICATION: Accounting
- Methods, records, to identify valid transactions
- Transactions recorded in proper period
- Describe transactions on timely basis, sufficient detail to properly
  - Classify
  - Measure
  - Summarize
  - Disclose
TRANSACTION CYCLES: Defined
- Accounting system organizes & processes information in cycles
  - Financing
  - Expenditure & disbursement
  - Conversion
  - Revenue & receipt
TRANSACTION CYCLES: Examples
Cycles
- Financing: Capital funds received, used, invested
- Expenditure/disbursement: Goods, services acquired from vendors, employees & paid
- Conversion: Resources used, held, transformed
- Revenue/receipt: Resources distributed to outsiders; payment received
MONITORING
- Continuous or periodic evaluation
- Resolution of discrepancies
- To ensure reliability
RESTATEMENT, FRAUD, & INTERNAL CONTROL
- Section 13(b)(2)(B) of 1934 Securities Exchange Act requires issuers to devise, maintain system of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accord with GAAP.
- Internal control is a matter of law
ASSESSING CONTROL RISK
A sufficient understanding of internal control is to be obtained to plan the audit & determine the nature, timing, and extent of tests to be performed. (2nd GAAS fieldwork)
- Obtain understanding
- Assess control risk
- Determine nature, timing, extent of substantive tests
ASSESSING V. AUDITING COSO INTERNAL CONTROLS
Assessing controls | Auditing Section 404
Obtain understanding | Evaluate effectiveness
Assess control risk for assertions about balances & transactions | Form opinion on internal control over financial reporting
Determine nature, extent, timing of substantive tests | Obtain understanding
OBTAIN UNDERSTANDING: Audit Committee Effectiveness
- Final authority over financial reporting
  - Challenge CEO, CFO over financial reporting
  - Seek advice of independent auditor
  - Engages independent counsel when necessary
OBTAIN UNDERSTANDING: Auditor’s Evaluation
- Auditor evaluates audit committee effectiveness by considering
  - Nominating process & independence
  - Clarity of responsibilities
  - Level management cooperation
  - Committee involvement with auditor & internal auditing
  - Time devoted to audit, internal controls
OBTAIN UNDERSTANDING: Information Technology
- Personal computers & local area networks
- Database management systems
- End-user computing
- Telecommunications
- Service bureaus
- Internet technology
- Software for information systems
  - Operating & applications software
OBTAIN UNDERSTANDING: IT & “Section 404 Documentation”
- For information technology, did management
  - Document & test controls related to financial reporting?
  - Evaluate effectiveness, likelihood of failure?
  - Communicate findings to auditor?
  - Reach assessment that documentation supports?
OBTAIN UNDERSTANDING: Document System
- To demonstrate compliance with requirement to understand & evaluate client’s system
  - Internal control questionnaire
  - Flowchart
  - Narrative memorandum
OBTAIN UNDERSTANDING: Identify Transactions Cycles
- To identify cycles
  - Review account components for homogeneity
  - Identify representative cycles
  - Flowchart each cycle
  - Trace representative transactions through each cycle
  - Revise flowcharts if necessary
OBTAIN UNDERSTANDING: Perform Transaction Walkthroughs
- Required by Section 404 of Sarbanes-Oxley Act
- Trace wide range of transactions, common, uncommon, from each cycle through system from
  - Authorization to
  - Execution to
  - Recording to
  - Summarization
OBTAIN UNDERSTANDING: Auditor Responsibilities
- In transactions walkthroughs, auditor must
  - Understand controls over end-of-period financial reporting
    - Especially for effects on earnings
EVALUATE CONTROL EFFECTIVENESS: Reliability
- When documenting controls
  - Identify controls to be relied upon
    - Test controls
    - If acceptable, assess control risk below maximum
  - Identify controls not suitable to justify reliance
    - Do not test these controls
    - Assess control risk at maximum
    - Plan audit to rely heavily on substantive tests
EVALUATE CONTROL EFFECTIVENESS: Risk
- Assess Control Risk
  - Consider errors, frauds that could occur
  - Identify relevant control activities to prevent, detect errors, frauds
  - Perform tests of controls on control activities that may prevent, detect errors, frauds
EVALUATE CONTROL EFFECTIVENESS: Tests of Controls
- Testing design of controls
  - Whether policy, procedure suitably designed to prevent, detect material misstatements
- Testing operations of controls
  - Were control activities performed?
  - How were they performed?
  - By whom were they performed?
EVALUATE CONTROL EFFECTIVENESS: General Controls
- Computer assisted tests
  - Organization, operation controls
  - Systems development & documentation controls
  - Hardware controls
  - Access controls
  - Data & procedural controls
GENERAL CONTROL EFFECTIVENESS: Operation
- Organization & operation
  - Segregate computer department & users
  - Provide general authorization over execution of transactions
  - Segregate functions within the computer department
GENERAL CONTROL EFFECTIVENESS: Documentation
- Development & documentation
  - Participation by users, accounting personnel, internal auditors in system design
  - Review, approval of system specifications
  - Joint system testing by user, computer personnel
  - Approval new applications, changes
  - Control over master, transaction files
  - Procedures to create, maintain documentation
GENERAL CONTROL EFFECTIVENESS: Hardware controls
- Controls built into computers by manufacturers
GENERAL CONTROL EFFECTIVENESS: Access Controls
- Limit access to authorized personnel for
  - Hardware
  - Software
  - Data files
  - Software support documentation
GENERAL CONTROL EFFECTIVENESS: Data & procedural controls
- Written procedures, authorization manuals
- Control groups
EVALUATE CONTROL EFFECTIVENESS: Computer-Assisted Tests of Application Controls
- Input controls
- Processing controls
- Output controls
APPLICATION CONTROL EFFECTIVENESS: Input controls
- Input authorization, approval
- Code verification
- Data conversion
- Data movement
- Occurrence correction
APPLICATION CONTROL EFFECTIVENESS: Processing controls
- Control totals
- File labels
- Limit (reasonableness) tests
APPLICATION CONTROL EFFECTIVENESS: Output controls
- Control totals comparisons
- Output distribution
COMPUTER-ASSISTED TESTS OF CONTROLS: Types
- Test data: uses client software to process data with valid & invalid transactions
- Base Case System Evaluation (BCSE): develops test data to test expected conditions
- Integrated test facility: tests whether client actually uses software by running live and fictitious data simultaneously
- Parallel simulation: processing client data with auditor’s software
COMPUTER-ASSISTED TESTS OF CONTROLS: Types (cont.)
- Embedded audit modules: selects client data for subsequent testing & analysis
  - SCARFs: logs created from embedded audit modules that collect transaction information
- Audit hooks & tagging: transaction records tagged & traced through critical control points
CONTROL DEFICIENCIES, MATERIAL WEAKNESSES
- Deficiencies do not allow management, employees to prevent, detect misstatements in normal course of business
- Material weakness is a significant deficiency more than remotely likely to cause a material misstatement that will not be prevented, detected
NATURE, TIMING, EXTENT
- Audit risk strategy
  - Determine acceptable detection risk
  - Design nature, timing, extent of substantive tests
NATURE, TIMING, EXTENT & SUBSTANTIVE TESTS
Effect | Level of Detection Risk: Lower | Level of Detection Risk: Higher
Nature | Use more persuasive tests (confirmation) | Use less persuasive tests (documentation)
Timing | Test at balance sheet date | Test at interim dates
Extent | Test more (increase sample size) | Test less (decrease sample size)
AUDITOR’S OPINION ON INTERNAL CONTROLS
- Auditor evaluates
  - Reports by internal auditors
  - Significant deficiencies
  - Results of test of controls
  - Results of substantive test of details
- To issue an opinion on controls