Arens Aas17 PPT 11
Seventeenth Edition
Chapter 11
Internal Control and COSO
Framework
Copyright © 2020, 2017, 2014 by Pearson Education, Inc. All Rights Reserved
Learning Objectives
11.1 Describe the three primary objectives of effective
internal control
11.2 Contrast management’s responsibilities for maintaining
internal control with the auditor’s responsibilities for
evaluating and reporting on internal control
11.3 Explain the five components of the COSO internal
control framework
11.4 Explain how general controls and application controls reduce
information technology risks
11.5 Identify types of information technology systems and
their impact on internal controls
Learning Objective 11.1
Describe the three primary objectives of effective internal control
Internal Control Objectives (1 of 2)
• A system of internal control consists of:
– Policies and procedures designed to provide management
with reasonable assurance that the company achieves its
objectives and goals
Internal Control Objectives (2 of 2)
• Management typically has three broad objectives in
designing an effective internal control system:
– Reliability of reporting
– Efficiency and effectiveness of operations
– Compliance with laws and regulations
Learning Objective 11.2
Contrast management’s responsibilities for maintaining internal
control with the auditor’s responsibilities for evaluating and
reporting on internal control
Management and Auditor
Responsibilities for Internal Control
• Management, not the auditor, must establish and maintain the
entity’s internal controls
• Two key concepts underlie management’s design and
implementation of internal control:
– Reasonable assurance
– Inherent limitations
Management’s Section 404 Reporting
Responsibilities (1 of 2)
• Management of all public companies is to issue an internal
control report that includes the following:
– A statement that management is responsible for establishing
and maintaining an adequate internal control structure and
procedures for financial reporting
– An assessment of the effectiveness of the internal control
structure and procedures for financial reporting as of the
end of the company’s fiscal year
Management’s Section 404 Reporting
Responsibilities (2 of 2)
• Management’s assessment of internal control over financial
reporting consists of two key aspects:
– Management must evaluate the design of internal control over
financial reporting
– Management must test the operating effectiveness of those controls
Auditor Responsibilities for
Understanding Internal Control
• Auditors are required to:
– Obtain an understanding of internal control relevant to the
audit on every audit engagement
– Report on the effectiveness of internal control over financial
reporting, if the client is an accelerated filer
• Auditors are primarily concerned about:
– Controls over the reliability of financial reporting
– Controls over classes of transactions
Figure 11.1 Example Section 404
Management Report on Internal
Control over Financial Reporting
Let’s Discuss (1 of 6)
• Describe the three broad objectives management has when
designing effective internal control.
• Section 404(a) of the Sarbanes–Oxley Act requires management
to issue a report on internal control over financial reporting.
– Identify the specific Section 404(a) reporting requirements
for management.
Let’s Discuss (2 of 6)
• Describe which of the three categories of broad objectives for
internal controls are considered by the auditor in an audit of
both the financial statements and internal control over financial
reporting.
• What two aspects of internal control must the auditor assess
when performing procedures to obtain an understanding of
internal control?
Learning Objective 11.3
Explain the five components of the COSO internal control
framework
COSO Components of Internal
Control (1 of 3)
• Control environment
– Consists of the actions, policies, and procedures that reflect
the overall attitudes of top management, directors, and
owners of an entity about internal control and its importance
to the entity
• Risk assessment
– Involves a process for identifying and analyzing risks that
may prevent the organization from achieving its objectives
COSO Components of Internal
Control (2 of 3)
• Control activities
– Policies and procedures that help ensure that necessary
actions are taken to address risks to the achievement of the
entity’s objectives
• Information and communication
– To initiate, record, process, and report the entity’s
transactions and to maintain accountability for the related
assets
COSO Components of Internal
Control (3 of 3)
• Monitoring
– Deals with ongoing or periodic assessment of the quality of
internal control by management to determine that controls
are operating as intended and that they are modified as
appropriate for changes in conditions
Figure 11.2 COSO Internal Control
Objectives and Components
Figure 11.3 Five Components of
Internal Control
Let’s Discuss (3 of 6)
• What are the five components of internal control in the COSO
internal control framework?
– What is the relationship among these five components?
• How do the COSO principles help an organization assess
whether internal controls are designed and operating
effectively?
Let’s Discuss (4 of 6)
• Frank James, a highly competent employee of Brinkwater Sales
Corporation, had been responsible for accounting-related
matters for two decades. His devotion to the firm and his duties
had always been exceptional, and over the years, he had been
given increased responsibility. Both the president of Brinkwater
and the partner of an independent CPA firm in charge of the
audit were shocked and dismayed to discover that James had
embezzled more than $500,000 over a 10-year period by not
recording billings in the sales journal and subsequently
diverting the cash receipts.
– What major factors permitted the embezzlement to take
place?
Learning Objective 11.4
Explain how general controls and application controls reduce
information technology risks
Internal Controls Specific to
Information Technology
• Technology can strengthen a company’s system of internal
control but can also provide challenges
– To address risks associated with reliance on technology,
organizations often implement specific IT controls
• Auditing standards describe two categories of controls for
IT systems:
– General controls
– Application controls
Figure 11.4 Relationship Between
General and Application Controls
General Controls
• Six categories of general controls have an entity-wide effect
on all IT functions:
– Administration of the IT function
– Separation of IT duties
– Systems development
– Physical and online security
– Backup and contingency planning
– Hardware controls
Application Controls
• Application controls are designed for each software application
• These controls may be manual or automated and include:
– Input controls
– Processing controls
– Output controls
Table 11.2 Categories of General and
Application Controls (1 of 2)
Control Type Category of Control Example of Control
Table 11.2 Categories of General and
Application Controls (2 of 2)
Control Type Category of Control Example of Control
Figure 11.5 Segregation of IT Duties
Learning Objective 11.5
Identify types of information technology systems and their impact
on internal controls
Impact of IT Infrastructure on Internal
Control (1 of 3)
• The accounting function’s use of complex IT networks,
databases, the Internet, cloud computing, and centralized IT
functions is now commonplace
• The types of internal controls will vary based on the type and
complexity of the IT system
Impact of IT Infrastructure on Internal
Control (2 of 3)
• Types of information technology systems include:
– Local area networks (LANs)
– Wide area networks (WANs)
– Database management systems
– Enterprise resource planning (ERP) systems
Impact of IT Infrastructure on Internal
Control (3 of 3)
• Companies use firewalls, encryption techniques, and digital
signatures to limit risks and to increase IT security
• Many companies outsource some or all of their IT needs to an
independent organization rather than maintain an internal IT
center
Let’s Discuss (5 of 6)
• Distinguish general controls from application controls and give
two examples of each.
• Identify the typical duties within an IT function and describe
how those duties should be segregated among IT personnel.
Let’s Discuss (6 of 6)
• Explain how the effectiveness of general controls impacts the
effectiveness of automated application controls.
• Compare the risks associated with network systems and
database systems to those associated with centralized IT
functions.