The document discusses the five components of an internal control system according to CAS 315: control environment, risk assessment, control activities, information and communication, and monitoring activities. It describes the objectives and responsibilities for internal controls of both management and auditors. Management is responsible for designing and implementing controls, while auditors must obtain an understanding of internal controls to identify risks of material misstatement. The five components provide a framework for management to mitigate risks and help ensure reliable financial reporting and compliance.
In this chapter we cover the primary objectives of internal control and explain reporting. We then discuss the five components of the internal control system, as well as the role of IT, and the factors auditors consider to develop an understanding of the IT environment.

1. Internal Control Objectives
A system of internal control consists of policies and procedures designed and implemented by management to mitigate risk and to provide reasonable assurance that the entity can achieve its objectives and goals. Policies can be written or implied through actions and decisions. Procedures are actions to implement policies. Management designs the system of internal control to accomplish the following four broad objectives:
   1) Strategic, high-level goals that support the mission of the entity
   2) Reliability of financial reporting
   3) Efficiency and effectiveness of operations
   4) Compliance with laws and regulations

2. Management Responsibility for Internal Control
Management and the auditor have different responsibilities for internal controls over financial reporting. Management, not the auditor, must establish and maintain the entity’s internal control. the operating effectiveness of internal control over financial reporting. The design and implementation of an effective system of control over financial reporting involves controls at three levels:
   1) Entity
   2) Information technology
   3) Business process
Two key concepts underlie management’s design and implementation of controls: reasonable assurance and inherent limitations.

3. Auditor's Responsibilities for Internal Control
Provides an overview of the process of obtaining an understanding of the entity’s system of internal control as explained in CAS 315. Auditors are responsible for understanding, identifying, and evaluating those internal controls that are relevant to the audit. As in the inherent risk assessment, the objective is to identify the risks of material misstatement (RMM) at the financial statement and assertion level.
Relevant controls: given that management’s internal control objectives encompass more than financial reporting, not all controls are relevant to the audit.
Direct and indirect controls: direct controls directly address risks to the integrity of information (that transactions are complete, accurate, and valid). Indirect controls are controls that are not sufficiently precise to prevent, detect, or correct misstatements at the assertion level but which support direct controls.
Understanding controls and identifying RMM: the final output of understanding internal control is identifying RMM at the financial statement level and the assertion level.

4. COSO Components of Internal Control
A system of internal control as defined by CAS 315 encompasses five interrelated components:

1) Control environment
The control environment is the foundation of effective internal control. If top management believes control is important, others in the organization will sense that and respond by conscientiously observing the policies and procedures established. If management or those charged with governance fail in their monitoring role by placing too much trust in the system or the people operating the controls, then the risk of fraud and error is high.
   a) Integrity and ethical values
   b) Board of directors oversight responsibility
   c) Structure, authority and responsibility
   d) Commitment to competence
   e) Accountability

2) Risk assessment
Risk assessment involves a process of identifying and analyzing risks that might prevent the organization from achieving its objectives. There are four underlying principles: the organization should be able to identify and assess the risks relating to its objectives, it should determine how the risks related to information technology (IT) should be addressed, it should consider the potential for fraudulent behavior, and it should monitor changes that could impact internal controls.
Once management identifies a risk, it estimates the significance of the risk, assesses the likelihood of the risk occurring, and develops specific actions that need to be taken to reduce the risk to an acceptable level.
   a) Relevant objectives and risk assessment. In order to ensure that the organization meets its objective of reliable external financial reporting, management should consider whether its reporting objectives are consistent with the relevant financial reporting framework and appropriate in the circumstances.
   b) Fraud risk assessment. The assessment should consider the various ways that financial reporting fraud could occur. Such factors could include the following:
      - Management bias in selection of accounting policies
      - Degree of estimates and judgments in external reporting
      - Fraud schemes and scenarios common to the industry in which the organization operates
      - Geographic regions
      - Incentives that may motivate fraudulent behavior
      - Nature of technology and management’s ability to manipulate information
      - Unusual or complex transactions subject to significant management influence
      - Vulnerability to management override and potential schemes to circumvent controls
   c) Significant changes. Change creates risk; therefore, management should implement processes that enable it to identify and evaluate changes in the external and internal environment that could significantly impact the system of internal control.

3) Monitoring activities
Monitoring activities deal with ongoing or periodic assessment of the quality of internal control performance to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring also requires that deficiencies in internal control are reported and appropriate remedial action is taken.
   a) Perform ongoing and separate evaluations. Monitoring should include evaluations built into business/financial reporting and performed on a real-time basis (ongoing), as well as separate periodic evaluations.
   b) Evaluate and communicate deficiencies. Internal control deficiencies need to be reported in a timely manner to those responsible for taking corrective action, senior management, and the board of directors (or the audit committee).

4) Information system and communication
The purpose of an entity’s accounting information system and communication is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets. Controls over the accounting systems are distinct from the business processes and include controls over the following:
      - The transfer of business process information to the general ledger
      - The capture of relevant events/conditions, such as amortization, valuation of inventory and accounts receivable, and other estimates that are not transaction based
      - Journal entries
      - The accumulation and summation of other information that must be disclosed in the financial statements
As mentioned in our earlier discussion of control activities, an important control is the chart of accounts, which lists and classifies transactions into individual balance sheet and income statement accounts.
   a) Relevant and quality information
   b) Effective internal and external communications

5) Control activities
Control activities are the policies and procedures that help ensure the necessary actions are taken to address risks in the achievement of the entity’s objectives. They are the controls that ensure the proper application of the policies in all the other components of the entity’s system of internal control, and they include indirect and direct controls. The organization should have in place a process that maps controls to address each risk related to the relevant financial statement assertion. Some key points to consider when determining if all risks are addressed:
      - Are all relevant business processes, information technology, and locations where control activities are needed (including outsourced service providers and other business partners) considered?
      - Are control activities related to the integrity of information sent to and received from outsourced service providers considered?
      - Are the controls performed by outsourced service providers adequate?
Preventive controls are designed to stop errors or fraud from occurring (e.g., supervisor review of journal entry/purchase order or automated input edit controls). Detective controls identify errors or irregularities after they have occurred so corrective action can be taken (e.g., reconciliations, validation of results).
A business process is a structured set of activities designed to produce specified output. An individual business process, also called an application system, can have different types of control activities. An example of a business process or application system would be a sales system, which processes sales transactions initiated by media such as the internet, telephone, or a purchase order form received in the mail.
   1. Proper authorization and approval
   2. Adequate documents and records
   3. Physical and logical control over assets and records
   4. Adequate segregation of duties
   5. Independent checks of performance, recorded data, and actual results

5. Internal Controls Specific to Information Technology
The system of internal control contains manual and automated controls, and each component of the system of internal control may use information technology (IT) to some extent. Technology can strengthen a company’s system of internal control but can also present challenges. To address risks associated with reliance on technology, organizations often implement specific IT controls.

1) General controls
General controls apply to all aspects of the IT function, including IT administration; separation of IT duties; systems development; physical and online security over access to hardware, software, and related data; backup and contingency planning in the event of unexpected emergencies; and hardware controls. General computer controls can be manual (such as IT budgets and contracts with service providers) or automated (embedded in the computer programs).
   a) IT governance
   b) Separation of IT duties
   c) System development and change
   d) Physical and online security
   e) Hardware controls

2) Application controls
Application controls are controls typically at the business process level that apply to processing transactions, such as the inputting, processing, and outputting of sales or cash receipts. Application controls can be manual or automated controls.
Input controls are designed to ensure that the information entered into the computer is authorized, accurate, and complete.
Processing controls prevent and detect errors while transaction data are processed. General controls, especially controls related to systems development and security, provide essential control for minimizing processing errors.
Output controls focus on detecting errors after processing is completed, rather than on preventing errors.

6. Impact of Information Technology on the System of Internal Control
The organization’s use of IT, which includes the degree to which an organization is automated as well as its IT applications, infrastructure, and processes, has a significant impact on the way in which the entity’s system of internal control is designed and implemented. Below we focus on how the complexity of the IT system can vary according to (1) the type of IT applications and data management systems, (2) the complexity of the infrastructure, and (3) the degree to which the organization relies upon third-party hosting or outsourcing.

7. Impact of Emerging Technologies on Internal Control
Technology has always been changing and evolving. Today’s emerging technologies will impact how an organization obtains or generates and uses relevant, quality information to support an effective internal control system. In this section, we will briefly cover three different emerging technologies that are expected to have a significant impact on organizations’ business models, processes, and system of internal control.
   1) Internet of things and peripheral devices
   2) Smart contracts and blockchain
   3) Machine learning and artificial intelligence

8. Understanding Controls of Small Businesses
The auditor is required to obtain an understanding of internal controls. However, the size of a company does have a significant effect on the nature of internal control activities and the specific monitoring controls. It is often difficult for a small business to establish adequate separation of duties. Further, the entity is unlikely to have in-house expertise in systems and would place more reliance on software and hardware suppliers for system support and maintenance.