
Auditing and Assurance Services

Seventeenth Edition

Chapter 11
Internal Control and COSO Framework

Copyright © 2020, 2017, 2014 by Pearson Education, Inc. All Rights Reserved
Learning Objectives
11.1 Describe the three primary objectives of effective internal control
11.2 Contrast management’s responsibilities for maintaining internal control with the auditor’s responsibilities for evaluating and reporting on internal control
11.3 Explain the five components of the COSO internal control framework
11.4 Explain how general controls and application controls reduce information technology risks
11.5 Identify types of information technology systems and their impact on internal controls

Learning Objective 11.1
Describe the three primary objectives of effective internal control

Internal Control Objectives (1 of 2)
• A system of internal control consists of:
– Policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals

Internal Control Objectives (2 of 2)
• Management typically has three broad objectives in designing an effective internal control system:
– Reliability of reporting
– Efficiency and effectiveness of operations
– Compliance with laws and regulations

Learning Objective 11.2
Contrast management’s responsibilities for maintaining internal control with the auditor’s responsibilities for evaluating and reporting on internal control

Management and Auditor Responsibilities for Internal Control
• Management, not the auditor, must establish and maintain the entity’s internal controls
• Two key concepts underlie management’s design and implementation of internal control:
– Reasonable assurance
– Inherent limitations

Management’s Section 404 Reporting Responsibilities (1 of 2)
• Management of all public companies is to issue an internal control report that includes the following:
– A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting
– An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company’s fiscal year

Management’s Section 404 Reporting Responsibilities (2 of 2)
• Management’s assessment of internal control over financial reporting consists of two key aspects:
– Management must
▪ Evaluate the design of internal control over financial reporting
▪ Test the operating effectiveness of those controls

Auditor Responsibilities for Understanding Internal Control
• Auditors are required to:
– Obtain an understanding of internal control relevant to the audit on every audit engagement
– Report on the effectiveness of internal control over financial reporting, if the client is an accelerated filer
• Auditors are primarily concerned about:
– Controls over the reliability of financial reporting
– Controls over classes of transactions

Figure 11.1 Example Section 404 Management Report on Internal Control over Financial Reporting

Let’s Discuss (1 of 6)
• Describe the three broad objectives management has when designing effective internal control.
• Section 404(a) of the Sarbanes–Oxley Act requires management to issue a report on internal control over financial reporting.
– Identify the specific Section 404(a) reporting requirements for management.

Let’s Discuss (2 of 6)
• Describe which of the three categories of broad objectives for internal controls are considered by the auditor in an audit of both the financial statements and internal control over financial reporting.
• What two aspects of internal control must the auditor assess when performing procedures to obtain an understanding of internal control?

Learning Objective 11.3
Explain the five components of the COSO internal control framework

COSO Components of Internal Control (1 of 3)
• Control environment
– Consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity
• Risk assessment
– Involves a process for identifying and analyzing risks that may prevent the organization from achieving its objectives

COSO Components of Internal Control (2 of 3)
• Control activities
– Policies and procedures that help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives
• Information and communication
– To initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets

COSO Components of Internal Control (3 of 3)
• Monitoring
– Deals with ongoing or periodic assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions

Figure 11.2 COSO Internal Control Objectives and Components

© 2013, COSO. All rights reserved. Used by permission.

Figure 11.3 Five Components of Internal Control

Let’s Discuss (3 of 6)
• What are the five components of internal control in the COSO internal control framework?
– What is the relationship among these five components?
• How do the COSO principles help an organization assess whether internal controls are designed and operating effectively?

Let’s Discuss (4 of 6)
• Frank James, a highly competent employee of Brinkwater Sales Corporation, had been responsible for accounting-related matters for two decades. His devotion to the firm and his duties had always been exceptional, and over the years, he had been given increased responsibility. Both the president of Brinkwater and the partner of an independent CPA firm in charge of the audit were shocked and dismayed to discover that James had embezzled more than $500,000 over a 10-year period by not recording billings in the sales journal and subsequently diverting the cash receipts.
– What major factors permitted the embezzlement to take place?

Learning Objective 11.4
Explain how general controls and application controls reduce information technology risks

Internal Controls Specific to Information Technology
• Technology can strengthen a company’s system of internal control but can also provide challenges
– To address risks associated with reliance on technology, organizations often implement specific IT controls
• Auditing standards describe two categories of controls for IT systems:
– General controls
– Application controls

Figure 11.4 Relationship Between General and Application Controls

General Controls
• There are six categories of general controls that have an entity-wide effect on all IT functions:
– Administration of the IT function
– Separation of IT duties
– Systems development
– Physical and online security
– Backup and contingency planning
– Hardware controls

Application Controls
• Application controls are designed for each software application
• These controls may be manual or automated and include:
– Input controls
– Processing controls
– Output controls

Table 11.2 Categories of General and Application Controls (1 of 2)
Columns: Control Type; Category of Control; Example of Control
• General controls
– Administration of the IT function: Chief information officer or IT manager reports to senior management and board.
– Separation of IT duties: Responsibilities for programming, operations, and data control are separated.
– Systems development: Teams of users, systems analysts, and programmers develop and thoroughly test software.
– Physical and online security: Access to hardware is restricted, passwords and user IDs limit access to software and data files, and encryption and firewalls protect data and programs from external parties.
– Backup and contingency planning: Written backup plans are prepared and tested regularly throughout the year.
– Hardware controls: Memory failure or hard-drive failure causes error messages on the monitor.

Table 11.2 Categories of General and Application Controls (2 of 2)
Columns: Control Type; Category of Control; Example of Control
• Application controls
– Input controls: Preformatted screens prompt data input personnel for information to be entered.
– Processing controls: Reasonableness tests review unit-selling prices used to process a sale.
– Output controls: The sales department does postprocessing review of sales transactions.
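Added example (not from the textbook or its publisher): a small Python sketch of the three application-control categories in Table 11.2 applied to a batch of sales transactions, where the input control mimics a preformatted entry screen, the processing control is a reasonableness test on unit selling price, and the output control is an exception report for postprocessing review. The master price list, the 10% tolerance, the INV- invoice format and the sample batch are all constructed assumptions.

```python
# Constructed master price list (assumed authorized unit selling prices); TOLERANCE is an assumed threshold
PRICE_LIST = {"SKU-100": 25.00, "SKU-200": 80.00}
TOLERANCE = 0.10  # prices more than 10% off the list price are flagged for review
REQUIRED = ("invoice_no", "sku", "quantity", "unit_price")

def input_control(record):
    """Input control: mimic a preformatted screen by rejecting missing or malformed fields."""
    errors = [f"missing {f}" for f in REQUIRED if record.get(f) in ("", None)]
    if errors:
        return errors
    if not str(record["invoice_no"]).startswith("INV-"):
        errors.append("invoice_no must be formatted INV-nnnn")
    if not isinstance(record["quantity"], int) or record["quantity"] <= 0:
        errors.append("quantity must be a positive integer")
    if not isinstance(record["unit_price"], (int, float)) or record["unit_price"] <= 0:
        errors.append("unit_price must be a positive number")
    if record["sku"] not in PRICE_LIST:
        errors.append("sku not on master price list")
    return errors

def processing_control(record):
    """Processing control: reasonableness test of the unit selling price against the list price."""
    list_price = PRICE_LIST[record["sku"]]
    deviation = abs(record["unit_price"] - list_price) / list_price
    if deviation > TOLERANCE:
        return [f"unit_price {record['unit_price']:.2f} deviates {deviation:.0%} "
                f"from list price {list_price:.2f}"]
    return []

def process_sales(records):
    """Output control: post clean sales and build an exception report for postprocessing review."""
    posted, exceptions = [], []
    for rec in records:
        for stage, control in (("input", input_control), ("processing", processing_control)):
            errs = control(rec)
            if errs:
                exceptions.append({"invoice_no": rec.get("invoice_no"), "stage": stage, "errors": errs})
                break
        else:  # no control raised an exception, so the sale is posted
            posted.append(rec)
    return {"posted": posted, "exceptions": exceptions}

# Constructed sample batch: one clean sale, one malformed entry, one price outside tolerance
SAMPLE_BATCH = [
    {"invoice_no": "INV-0001", "sku": "SKU-100", "quantity": 4, "unit_price": 25.00},
    {"invoice_no": "1002", "sku": "SKU-200", "quantity": 0, "unit_price": 80.00},
    {"invoice_no": "INV-0003", "sku": "SKU-200", "quantity": 1, "unit_price": 8.00},
]
```

Calling process_sales(SAMPLE_BATCH) posts only INV-0001; the other two land in the exception report with the stage that caught them, which is the list the sales department would review.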

Figure 11.5 Segregation of IT Duties

Learning Objective 11.5
Identify types of information technology systems and their impact on internal controls

Impact of IT Infrastructure on Internal Control (1 of 3)
• The accounting function’s use of complex IT networks, databases, the Internet, cloud computing, and centralized IT functions is now commonplace
• The types of internal controls will vary based on the type and complexity of the IT system

Impact of IT Infrastructure on Internal Control (2 of 3)
• Types of information technology systems include:
– Local area networks (LANs)
– Wide area networks (WANs)
– Database management systems
– Enterprise resource planning (ERP) systems

Impact of IT Infrastructure on Internal Control (3 of 3)
• Companies use firewalls, encryption techniques, and digital signatures to limit risks and to increase IT security
• Many companies outsource some or all of their IT needs to an independent organization rather than maintain an internal IT center

Let’s Discuss (5 of 6)
• Distinguish general controls from application controls and give two examples of each.
• Identify the typical duties within an IT function and describe how those duties should be segregated among IT personnel.

Let’s Discuss (6 of 6)
• Explain how the effectiveness of general controls impacts the effectiveness of automated application controls.
• Compare the risks associated with network systems and database systems to those associated with centralized IT functions.

Copyright

This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.
