Internal Control

You might also like

Download as pdf or txt
Download as pdf or txt
You are on page 1of 6

1 A Framework for Control

• The quality of an organisation’s internal controls affects not only the reliability of its financial
reporting, but also its ability to make good decisions and stay in business.
• Internal control processes must effectively address risks that are present in the industry and
in the organisation
2 A Framework for Control (cont.)
• Auditors gain an understanding of their client’s control system in order to
– better understand the client, its risks, and how it manages those risks
– assess control risk and identify types of most likely misstatements
– plan extent of substantive testing needed
– in some instances to report on effectiveness of internal controls (businesses in Australia
needing to report in the US).

3 Internal Control
• Internal control is a process designed to provide reasonable assurance of:
– generating reliable financial accounting information
– safeguarding assets
– complying with applicable laws and regulations
– operating efficiently and effectively.
4 The Need for Control
• Control is part of corporate governance whereby the owners and creditors of an
organisation exert control and require accountability for its resources.
• Governance begins with stockholders, who delegate certain responsibilities to the board of
directors and in turn to management.
• That delegation must occur within a framework of control and accountability. The control
system exists to ensure that:
– responsibilities are properly identified
– tasks are assigned in accordance with responsibilities and accountability.
5 Who Is Interested in an Organisation’s Control Structure?
• Board of directors and the audit committee
• Management
• Regulators
• Internal and external auditors
• Suppliers and customers
• Equity and debt investors
• Customers or others using the web for commerce
6 Components of an Internal Control System
• Control environment: overall attitude, awareness and actions of significant internal groups
to maintain a well-controlled organisation (tone at the top)
• Risk assessment: process designed to identify and manage risks that may affect the
organisation’s ability to achieve its objectives

1
organisation’s ability to achieve its objectives
7 Components of an Internal Control System (cont.)
• Control activities: policies and procedures established by management to help ensure that
internal control objectives are achieved and risks mitigated
• Information and communication: the process of identifying, capturing and exchanging
information in a timely fashion to enable the organisation to achieve its objectives
• Monitoring: a process that assesses the quality of internal controls over time

8 Framework for
Internal Controls

9 Components of an Internal Control System (cont.)


• There is a logical loop to an organisation’s internal controls, starting with:
1 design of the control environment
2 identification of organisational risks and controls to minimise those risks
3 design and implementation of controls and a communication system
4 monitoring of the effectiveness of the controls to mitigate risk
5 return to design (managing internal control is an ongoing activity).
10 Understanding the Control Environment
• There are a number of factors an auditor should look at when evaluating an organisation’s
control environment:
– management’s philosophy and operating style
– organisational structure, including assignment of authority and responsibility
– board of directors and audit committee
– human resource policies and practices
– integrity and ethical values
– commitment to competence
– compensation and evaluation programs
– effectiveness of the internal audit function.
11 Internal Reports to Management
• Management often requests reports on the quality of its internal controls in order to ensure
the company can achieve its major objectives and is not exposed to unnecessary risks
• Management receives reports from three sources:
– ongoing monitoring reports from operations
– internal audit reports
– external audit reports.
12 Reporting on Internal Control (cont.)
• In performing an audit of controls, the auditor must:
– review client documentation, including the way controls are supposed to work (design)
– review client testing of controls (operations)

2
– review client testing of controls (operations)
– determine which controls to test, sample sizes and how to judge whether a control is
operating effectively
– reach a conclusion about the effectiveness of client internal controls over financial
reporting.
13 Reporting on Internal
Control (cont.)
• Matters that an auditor might report on could include:
– a description of the internal control, its objectives and its inherent limitations
– a definition of material deficiency in
internal control
– a description of all material deficiencies found
– an opinion regarding the effectiveness of the company’s internal controlsl.
14 Relationship of Controls
to Auditing
• A minimum level of control is necessary for an entity to be auditable
• The quality of internal controls affects the organisation’s operating effectiveness and
ultimately its ability to remain a going concern.
• The quality of internal controls drives the audit approach and amount of testing.
15 Relationship of Controls
to Auditing (cont.)
• Analysis of control deficiencies helps identify the types of likely misstatements.
• Inadequate controls may place an organisation in violation of federal laws.
• The auditor is required to attest to management’s assessment of the effectiveness of
internal controls over financial reporting for all public companies.

16 Accounting Information Systems
• Accounting systems capture, record, summarise and report information.
• An accounting information system is typically not one big system, but a network of smaller
accounting applications/subsystems.
• Each application processes unique types of transactions:
– sales
– accounts receivable
– accounts payable
– cash receipts
– cash disbursements
– payroll
– inventory, etc.
17 Accounting Information Systems
• Each application has its own unique source documents, processes and controls.
• The quality of internal controls can vary between applications.
• The auditor develops an understanding of:

3
• The auditor develops an understanding of:
– how transactions are entered and processed
– the controls for each significant accounting application.
18 Internal Control & Financial Statement Account Balances
• Auditors assess control risk for each relevant assertion for each important class of
transactions and account balance as a basis for planning the audit.
• Auditors need to understand and evaluate the internal control design for all important
accounting applications.
• Auditors need to evaluate the effectiveness of internal control over financial reporting for
accounting applications that process material transactions.
19 Internal Control &
Financial Statement
Account Balances (cont.)
• Auditors must evaluate controls in systems that:
– record revenue
– deal with significant estimates
– process journal entries near the end of the year to close the books
– deal with off-statement financing or related party transactions.
20 Internal Control &
Financial Statement
Account Balances (cont.)
• Auditors must jointly assess the organisation’s control environment and the specific
accounting system controls to evaluate the risk of material deficiency in internal control.
• To conclude internal controls are effective, auditors must obtain evidence that the control
structure is soundly designed and operating effectively.

21 Assessing the Effectiveness of Control Procedures
• Management designs and implements specific control procedures to ensure that the
company will achieve its control objectives – and if the control objectives are achieved, the
management assertions are likely to be valid and the account balance and transactions
properly recorded.
• The auditor assesses the organisation’s control procedures within a framework of control
objectives and management assertions.

22 Assessing the Effectiveness of Control Procedures (cont.)
• In order to perform this assessment, the auditor must understand the accounting processes
within each system, the related accounts and the risk associated with incorrect processes.
• With this knowledge, the auditor can identify which management assertions and control
objectives are most likely to be violated.
• From this, the auditor can identify appropriate control procedures that can then be assessed
for effectiveness in design and operation.
23 Overview of Controls Testing: Pervasive Control Activities

4
• Some control procedures are found in almost all accounting systems:
– segregation of incompatible duties
– authorisation procedures
– documented transaction trail
– physical controls to limit access to assets
– independent reconciliation
– competent, trustworthy employees.
24 Control Effectiveness and Control Risk Assessment
• Process for evaluating controls:
Phase 1 Obtain an understanding of risks and internal controls
Phase 2 Make a preliminary assessment of control risk and decide whether to test
operation of control procedures
Phase 3 Test operating effectiveness of controls
Phase 4 Based on the results of testing, determine whether to revise the assessment of
control risk and incorporate this revision into the substantive testing.
25 Phase 1: Obtain an Understanding
• Auditors must gain an understanding of how each significant accounting application
operates and the control procedures used. Auditors can gather evidence through:
– walk-throughs of the accounting system and processing procedures
– inquiring of management, and accounting and operational employees
– taking plant and operational tours
– reviewing documentation, including accounting manuals and program and system
descriptions
– reviewing prior year audit work papers
• Auditors document understanding using flowcharts, questionnaires and narratives.
26 Phase 2: Make a
Preliminary Assessment of
Control Risk and Effectiveness
• After gaining an understanding, the auditor makes a preliminary assessment of control risk.
This assessment is crucial because it drives the planning for the rest of the audit.
• The relationship between the assessed level of control risk and the rigour of the subsequent
substantive testing is inverse.
27 Phase 2: Make a Preliminary Assessment of Control Risk and Effectiveness (cont.)
• If control risk is assessed as high:
– no reliance is placed on the client’s internal controls
– the amount and rigour of substantive testing must be increased.
• If control risk is assessed as low:
– the auditor would like to rely on the client’s internal controls
– the amount and rigour of substantive testing may not have to be increased. However, the
auditor must test the controls to make sure they are operating effectively.
28 Phase 3: Perform Test

5
Phase 3: Perform Test
of Controls
• The preliminary assessment of control risk is based on the auditor’s understanding of the
control system and how it has operated in the past.
• When control risk is assessed as low, and the auditor intends to rely on the client’s controls,
the auditor may reduce (or not increase) the amount of substantive testing.
• To ensure that the auditor’s reliance on the client’s control is warranted, the auditor must
test the control to make sure it is operating effectively.
29 Phase 3: Perform Test of Controls (cont.)
• Guidance on sample size for testing controls
• Testing controls across multiple locations
• Dual purpose tests
• Assessing control risk as moderate
30 Phase 4: Update Assessment of Control Risk & Need for Substantive Testing
• If testing indicates the control is not operating effectively, the auditor will revise the
preliminary assessment of control risk and incorporate this revision into the subsequent
substantive testing.

You might also like