chapter 5 risk assessment: internal control evaluation
DESCRIPTION
TRANSCRIPT
Chapter 5
Risk Assessment: Internal Control Evaluation
“If everything seems under control, you're just not going fast enough.”-- Mario Andretti, Race car driver
McGraw-Hill/Irwin
Copyright © 2008 by The McGraw-Hill Companies, Inc. All rights reserved.
Responsibility for Internal Control
• Management responsibility– Management has primary responsibility for internal
control– Sarbanes-Oxley Act of 2002 (publicly traded
companies)• Auditor responsibility
– Second standard of fieldwork– PCAOB Auditing Standard No. 5 (AS 5): An Audit of
Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
5-2
Management’s Responsibility for Internal Control (Sarbanes-Oxley)
• In addition to certifying the company’s financial statements (Section 302), management must also report on the company’s internal control over financial reporting (Section 404).
• Specifically, the company’s annual report must include: • A statement that management is responsible for establishing and
maintaining adequate internal control over financial reporting.• A statement identifying the framework (usually COSO)
management uses to evaluate the effectiveness of the company’s internal control.
• A statement providing management's assessment of the effectiveness of the company’s internal control.
5-3
AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
• Auditors must provide their opinion on the effectiveness of client’s internal control.
• Not a separate engagement– Integrated audit of internal control and financial
statements
5-4
COSO
• Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (Treadway Commission)
• FEI, AAA, IIA, IMA, AICPA
5-5
Why Assess Control Risk?
• Determine nature, timing, and extent of audit procedures.
• Trade-off between testing of controls and substantive procedures.
• Note: Control testing required for public companies (AS 5), but not for private companies and not-for-profit organizations.
5-6
Exhibit 5.2 Trade-off Between Tests of Controls and Substantive Testing
5-7
Internal Control – An Integrated Framework (COSO)
Internal ControlA process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
(1) Reliability of financial reporting, (2) Compliance with applicable laws and regulations, (3) Effectiveness and efficiency of operations.
5-8
Exhibit 5.3Internal Control—Integrated Framework
5-9
Exhibit 5.4Interrelated Components of Internal Control
5-10
Control Environment
• Sets the tone of an organization, influencing the control consciousness of its people.
• It is the foundation for all other components.
5-11
Control Environment
• Philosophy And operating style
• Integrity And ethical values
• Organizational structure
• Commitment to competence
• Functioning of board• Authority and
responsibility• Internal audit• Human resources
policies• External environment
5-12
Risk Assessment
• The entity's identification and analysis of relevant risks to achievement of its objectives.
• COSO's Enterprise risk management (ERM) framework
5-13
Control Procedures
• The policies and procedures that help ensure management directives are carried out.– Physical controls over the security of assets– Segregation of duties– Information Processing
• Approvals and authorization• Verifications and reconciliations
– Performance reviews
5-14
Exhibit 5.5Separation of Duties
5-15
Information Processing Controls
• Information technology general controls (ITGC)– Physical security– Hardware controls– Segregation of IT duties– Documentation– Back-up procedures
• Information technology application controls (ITAC)– Input controls– Processing controls– Output controls
• Spreadsheet controls
5-16
Information and Communication
• The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.
5-17
Monitoring
• Management’s process that assesses the quality of the internal control's performance over time.– Internal auditing– Follow-up of reporting errors
5-18
General Phases of Internal Control Evaluation
• Phase 1: Understand and document– Understand the client’s internal control– Document the understanding of internal control
• Internal Control questionnaire• Narrative• Accounting and control system flowcharts
• Phase 2: Assess control risk (Preliminary)• Phase 3: Testing and reassessment
– Perform test of controls audit procedures– Re-assess control risk
5-19
Exhibit 5.10Payroll System Flowchart
5-20
Exhibit 5.11Bridge Workpaper
5-21
Exhibit 5.12Assertions about Class Transactions and Events for the Period: Payroll Cycle
5-22
Exhibit 5.13Dual Direction Test of Payroll Controls
5-23
AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements (for Publicly Traded Companies)Phases of the engagement
1. Plan the engagement2. Use a top-down approach to gain an understanding
a) Identify entity-level controlsb) Walkthroughs
3. Testing internal control effectivenessa) Design effectivenessb) Operating effectiveness
4. Evaluating control deficienciesa) Deficienciesb) Significant deficienciesc) Material weaknesses
5. Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
6. Reporting on internal control
5-24
Step 1: Plan the Audit
• Consider knowledge of industry• Consider knowledge of business• Consider extent of changes in operations• Consider extent of changes in internal control• Evaluation must be done for all relevant assertions for all
significant accounts or disclosures. Thus, significant accounts, locations, and assertions must be identified.
• The key to determining whether an account, location, or assertion is significant is whether there is a more-than-reasonable possibility that a material misstatement could be associated with it. – Just as control risk is used to determine the nature,
timing, and extent of substantive procedures, inherent risk is used to determine the nature, timing, and extent of tests of controls.
5-25
Step 2: Use a top-down approach to gain an understanding
• Identify entity-level controls• Perform walkthroughs• Auditor must perform work related to:
• Company-wide anti-fraud programs• Controls that have a pervasive effect
• Auditor must obtain “principal evidence,” but can incorporate work of internal auditors and others– Must assess competence and objectivity– Limited reliance– Can’t reduce work on control environment
5-26
Exhibit 5.8Entity-Level Controls
• Controls related to the control environment.• Controls related to management override.• Centralized processing and controls including
shared service environments.• Controls to monitor results of operations.• Controls to monitor other controls.• Management’s risk assessment.• Period-end financial reporting process• Policies that address significant business control
and risk management practices
5-27
Test Controls: Design Effectiveness
• Design effectiveness determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements.
• After an understanding of internal controls is gained through inquiry, inspection, and observation, the controls are evaluated for the possibility that the controls would not prevent or detect a misstatement.
5-28
Test Controls: Operating Effectiveness
• Operating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
• A sample of transactions is examined using inquiry, observation, inspection, and reperformance.
• Tests of controls are not performed if design is not effective.
5-29
Step 4a: Evaluate control deficiencies
• Whether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the entity’s management or employees to detect or prevent misstatements in a timely fashion.
– A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control’s objective.
– An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained).
• More serious internal control deficiencies can be categorized into one of two groups, significant deficiencies or material weaknesses, depending on their severity.
5-30
Step 4b: Identify significant deficiencies
• Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the organization’s ability to initiate, record, process, and report financial data in the financial statements.
• While not material, they are important enough to bring to the attention of those charged with governance (usually the audit committee).
– Absence of appropriate separation of duties.– Absence of appropriate reviews and approvals of
transactions.– Evidence of failure of control procedures.
5-31
Step 4c: Identify Material Weaknesses
• A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
– Restatement of previously issued financial statements to reflect the correction of a misstatement.
– Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client’s internal controls.
– Ineffective oversight of financial reporting process by entity’s audit committee.
– Indication of fraud (either material or immaterial) by senior management.
5-32
Summary of Internal Control Deficiencies
• Three categories– Internal control deficiency– Significant deficiency– Material weaknesses
• The difference between a significant deficiency and a material weakness is the (1) likelihood and (2) materiality that a potential (or actual) misstatement would not be detected on a timely basis.
5-33
Step 5: Wrapping up: Forming an opinion on the effectiveness of internal control over financial reporting
• Auditors can issue one of three types of opinions on internal control over financial reporting:
– Unqualified. No material weaknesses found.– Disclaimer of opinion. The audit team cannot
perform all of the procedures considered necessary.– Adverse opinion. One or more material weaknesses
found.
5-34
Step 6: Reports on Internal Control• Separate report on internal control
– Opinion on financial statements contained in separate audit report
– Extra paragraph added to report on internal control referencing opinion on financial statements.
• Integrated audit report and report on internal control – Includes auditor’s opinions on 1) internal control
effectiveness, and 2) the fairness of the company’s financial statements.
5-35
Reporting to Audit Committee on Internal Control Related Matters
• Sarbanes-Oxley requires that the report be in writing.
• The auditor may communicate during or after audit.
• Communications with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.
5-36
Limitations of Internal Control
• Human error• Collusion• Management override• Cost/benefit analysis
– There is often a trade-off between the cost and the effectiveness of internal controls.
– The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.
5-37