
ACCT 3109 – Auditing

Internal Control Over Financial Reporting: Responsibilities of Management and the External Auditor

Chapter 3

Fall Semester, 2021/22


Dr. Sammy Fung

Importance of Internal Control Over Financial
Reporting
● Internal control helps an organization mitigate the risks of
not achieving its objectives.
● Examples of objectives include
  ● Achieving profitability
  ● Ensuring efficient operations
  ● Manufacturing high-quality products
  ● Providing high-quality services
  ● Adhering to governmental and regulatory requirements
  ● Conducting operations and employee relations in a socially
    responsible manner
  ● Providing users with reliable financial information

Internal Control Defined
● Process, effected by an entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and
compliance

Components of Internal Control
● Control environment
● Risk assessment
● Control activities
● Information and communication
● Monitoring

Entity-Wide Controls and Transaction Controls
● Controls related to the control environment
● Controls over management override
● The organization’s risk assessment process
● Centralized processing and controls, including shared
service environments
● Controls to monitor results of operations
● Controls to monitor other controls, including activities of
the internal audit function, the audit committee, and self-
assessment programs
● Controls over the period-end financial reporting process
● Policies that address significant business control and risk
management practices

Transaction Controls
● Common examples
  ● Segregation of duties over cash receipts and recording
  ● Authorization procedures for purchasing
  ● Adequately documented transaction trail for all sales
    transactions
  ● Physical controls to safeguard assets such as inventory
  ● Reconciliations of bank accounts

Check Your Basic Knowledge—True/False
3-5 The purpose of internal control is to provide absolute
assurance that an organization will achieve its objective of
reliable financial reporting. (T/F)
3-6 Organizations use the GAAP framework of internal control
as a benchmark when assessing the effectiveness of
internal control over financial reporting. (T/F)

Check Your Basic Knowledge (3-7)
3-7 What are the components of internal control per COSO’s
Internal Control–Integrated Framework?
a. Organizational structure, management philosophy,
planning, risk assessment, and control activities.
b. Control environment, risk assessment, control activities,
information and communication, and monitoring.
c. Risk assessment, control structure, backup facilities,
responsibility accounting, and natural laws.
d. Legal environment of the firm, management philosophy,
organizational structure, control activities, and control
assessment.

Control Environment
● Foundation for all other components of internal control
● Leadership culture of the organization—tone at the top
● Importance of internal control and expected standards of
conduct
● Reinforced throughout the organization
● Strong control environment
● Important line of defense against the risks related to financial
statement reliability
● Deficiencies in the control environment
● Associated with many financial frauds

Control Environment—COSO Principles
● Commitment to Integrity and Ethical Values (Principle 1)
● The Board of Directors Exercises Oversight Responsibility
(Principle 2)
● Management Establishes Structure, Authority, and
Responsibility (Principle 3)
● The Organization Demonstrates Commitment to
Competence (Principle 4)
● The Organization Enforces Accountability (Principle 5)

Check Your Basic Knowledge—True/False
3-9 The control environment component of internal control is a
pervasive or entity-wide control because it affects multiple
processes and multiple types of transactions. (T/F)
3-10 The control environment is seen as the foundation for all
other components of internal control. (T/F)

Check Your Basic Knowledge (3-11)
3-11 Which of the following principles would not be considered
a principle of an organization’s control environment?
a. Independence and competence of the board.
b. Competence of accounting personnel.
c. Structures, reporting lines, and authorities and
responsibilities.
d. Commitment to integrity and ethical values.
e. They would all be considered principles of the control
environment.

Risk Assessment
● Risk is the possibility that an event will adversely affect
the organization’s achievement of its objectives.
● Risk comes from both internal and external sources.
● Examples of internal risks
  ● Changes in management responsibilities
  ● Changes in information technology
  ● Poorly conceived business model
● Examples of external risks
  ● Economic recessions
  ● Increases in competition
  ● Development of substitute products or services
  ● Changes in regulation

Risk Assessment—COSO Principles
● Management Specifies Relevant Objectives (Principle 6)
● The Organization Identifies and Analyzes Risk (Principle 7)
● The Organization Assesses Fraud Risk (Principle 8)
● The Organization Identifies and Analyzes Significant
Change (Principle 9)

Check Your Basic Knowledge—True/False
3-13 Only organizations in high-risk industries face a risk that
they will not achieve their objective of reliable financial
reporting. (T/F)
3-14 An organization’s risk assessment process should identify
risks to reliable financial reporting from both internal and
external sources. (T/F)

Check Your Basic Knowledge (3-15)
3-15 Which of the following statements is false regarding the
risk assessment component of internal control?
a. Risk assessment includes assessing fraud risk.
b. Risk assessment includes assessing internal and external
sources of risk.
c. Risk assessment includes the identification and analysis
of significant changes.
d. Economic changes would not be considered a risk that
needs to be analyzed as part of the risk assessment
process.

Control Activities
● Actions established through policies and procedures that
help ensure that management’s directives regarding
controls are accomplished
● Performed within processes (e.g., segregation of duties
required in processing cash receipt transactions) and over
the technology environment
● Preventive or detective
● Manual or automated

Control Activities—COSO Principles
● The Organization Selects and Develops Control Activities
(COSO Principle 10)
● Management Selects and Develops General Controls Over
Technology (COSO Principle 11)
● The Organization Deploys Control Activities Through
Policies and Procedures (COSO Principle 12)

Exhibit 3.5

Check Your Basic Knowledge (3-19)
3-19 Which of the following scenarios provides the best example
of segregation of duties?
a. Employees perform multiple jobs, and have access to
related records.
b. The internal audit function performs an independent
test of transactions throughout the year and reports any
errors to departmental managers.
c. The person responsible for reconciling the bank account
is responsible for cash disbursements but not for cash
receipts.
d. The payroll department cannot add employees to the
payroll or change pay rates without the explicit
authorization of the Human Resources Department.

Check Your Basic Knowledge (3-20)
3-20 Which of the following statements about application
controls is true?
a. Organizations can have manual application controls or
automated application controls, but not a combination
of the two.
b. Application controls are intended to mitigate risks
associated with data input, data processing, and data
output.
c. Application controls are a part of the monitoring
component of internal control.
d. Self-checking digits are an output control.

Information and Communication
● Refers to the process of identifying, capturing, and
exchanging information in a timely fashion to enable
accomplishment of the organization’s objectives
● Includes the organization’s accounting system and
methods for recording and reporting on transactions, as
well as other communications such as key policies, code
of conduct, and strategies

Information and Communication—COSO Principles
● The Organization Uses Relevant Information (Principle 13)
● The Organization Communicates Internally (Principle 14)
● The Organization Communicates Externally (Principle 15)

Check Your Basic Knowledge (3-23)
3-23 Which of the following is an effective implementation of the
information and communication component of COSO’s Internal
Control–Integrated Framework?
a. The organization has one-way communication with parties
external to the organization.
b. The organization has a whistleblower function that allows
parties internal and external to the organization to
communicate concerns about possible inappropriate actions
in the organization’s operations.
c. The organization has a robust process for assessing risks
internal and external to the organization.
d. The organization builds in edit checks to determine whether
all purchases are made from authorized vendors.
e. All of the above.

Monitoring
● Monitoring is a process that provides feedback on the
effectiveness of each of the five components of internal
control.
● Management selects a mix of ongoing evaluations,
separate evaluations, or some combination of the two to
accomplish monitoring.
● Monitoring requires that identified deficiencies in internal
control are communicated to appropriate personnel and
follow-up action be taken.

Monitoring—COSO Principles
● The Organization Conducts Ongoing and/or Separate
Evaluations (Principle 16)
● Management Evaluates and Communicates Deficiencies
(Principle 17)

Check Your Basic Knowledge (3-27)
3-27 Which of the following is not an effective implementation
of the monitoring component of COSO’s Internal Control–
Integrated Framework?
a. Internal audit periodically works to improve internal controls.
b. Management reviews current economic performance against
expectations and investigates to determine causes of
significant deviations from the expectations.
c. The organization implements software that captures all
instances in which the underlying program identifies
processed transactions that exceed company-authorized
limits.
d. The organization builds in edit checks to determine whether
all purchases are made from authorized vendors, and flags
those that are not.

Management’s Responsibilities for Internal Control
Over Financial Reporting
● Management Documentation of Internal Control
● Management Reporting on Internal Control Over
Financial Reporting
● Evaluating Internal Control Over Financial Reporting

Evaluating Internal Control Over Financial Reporting
● SEC’s guidance for management
  ● Encourages a risk-based approach to evaluation
● Steps in management’s evaluation
  ● Identify financial reporting risks and controls implemented to
    mitigate those risks
  ● Evaluate the operating effectiveness of internal control over
    financial reporting
  ● Provide report on effectiveness of internal control over
    financial reporting

Exhibit 3.10

Exhibit 3.11

Check Your Basic Knowledge (3-31)
3-31 Which of the following statements is false regarding
management’s documentation of internal control over
financial reporting?
a. Management needs to maintain sufficient and appropriate
documentation of the internal controls they have designed and
implemented to achieve the objective of reliable financial
reporting.
b. Internal control documentation is useful in training new
personnel or serving as a reference tool for all employees.
c. Management only needs to maintain documentation if the
company’s auditors will be providing an opinion on internal
control effectiveness.
d. Documentation provides evidence that the controls are
operating.

Check Your Basic Knowledge (3-32)
3-32 Which of the following is not included in management’s
report on internal control?
a. A statement that management is responsible for internal
control.
b. A definition of internal control.
c. A discussion of the limitations of internal control.
d. The criteria used in assessing internal control.
e. A description of the work that the internal auditors
performed.

Assessing Deficiencies in Internal Control Over
Financial Reporting
● Control deficiency
  ● Shortcoming in internal controls such that the objective of reliable
    financial reporting may not be achieved
  ● Design deficiency: a control necessary to meet the control objective is missing
  ● Operation deficiency: a properly designed control does not operate as designed
● Significant deficiency
  ● A deficiency, or a combination of deficiencies, in internal control over
    financial reporting that is less severe than a material weakness, yet
    important enough to merit attention by those responsible for
    oversight of the company’s financial reporting
  ● Need not be reported to external users
  ● Not included in management’s report on internal control effectiveness
● Material weakness
  ● A deficiency, or a combination of deficiencies, in internal control over financial
    reporting, such that there is a reasonable possibility that a material misstatement of
    the company’s annual or interim financial statements will not be prevented or
    detected on a timely basis

Exhibit 3.12

Exhibit 3.13

Check Your Basic Knowledge (3-35)
3-35 Assume that an organization sells software. The sales contracts with the
customers often have nonstandard terms that impact the timing of revenue
recognition. Thus, there is a risk that revenue may be recorded
inappropriately. To mitigate that risk, the organization has implemented a
policy that requires all nonstandard contracts greater than $1 million to be
reviewed on a timely basis by an experienced and competent revenue
accountant for appropriate accounting, prior to the recording of revenue.
Management has classified this deficiency as a material weakness. Which of
the following best describes the conclusion made by management?
a. There is more than a remote possibility that a material misstatement
could occur.
b. The likelihood of misstatement is reasonably possible.
c. There is more than a remote possibility that a misstatement could occur.
d. There is a reasonable possibility that a material misstatement could
occur.
e. There is a reasonable possibility that a misstatement could occur.

Check Your Basic Knowledge (3-36)
3-36 Which of the following scenarios represents a control
deficiency?
a. A missing control that is required for achieving
objectives.
b. A control that operates as designed.
c. A control that provides reasonable, but not absolute
assurance, about the reliability of financial reporting.
d. An immaterial individual misstatement in internal.

Importance of Internal Control to the External Audit
● The auditor needs to understand a client’s internal
controls in order to:
  ● Anticipate the types of material misstatements that may occur
  ● Develop appropriate audit procedures to determine whether
    those misstatements exist in the financial statements
● Ineffective internal controls
  ● If a client has ineffective internal controls, the auditor will plan
    the audit with this in mind.
● Auditors of large public companies
  ● Auditor performs an integrated audit

Application: Assessing Control Design Effectiveness,
Implementation, and Operating Effectiveness
● Management assessment of controls
● Control deficiencies
● Segregation of duties
● Required approval
● Auditor assessment of controls

Check Your Basic Knowledge—True/False
3-37 The auditor needs to understand a client’s internal controls
in order to anticipate the types of material misstatements
that may occur in the financial statements and then
develop sufficient appropriate audit procedures to
determine whether those misstatements exist in the
financial statements. (T/F)
3-38 While understanding a client’s internal control over
financial reporting may help the external auditor plan the
audit, the external auditor is not required to obtain this
understanding for all audit engagements. (T/F)

Check Your Basic Knowledge (3-39)
3-39 Which of the following is a reason that the auditor obtains
an understanding of the client’s internal control over
financial reporting?
a. This understanding is required by professional auditing
standards.
b. Understanding of internal control is needed to properly plan the
audit.
c. This understanding helps an auditor assess a client’s risk of
material misstatement.
d. All of the above are reasons why the auditor obtains an
understanding of the client’s internal control over financial
reporting.
