copyright: internal auditing: assurance and advisory services, by the institute of internal auditors...

Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A.

1

Chapter 6

Internal Control


2

Chapter 6 OutlineI. Frameworks of Internal Control

II. Definitions of Internal Control

III. Components of Internal Control

IV. Roles and Responsibilities in Control

a. Inside Organization

b. Internal Audit Function

V. Limitations of Internal Controls

VI. Types of Controls

VII. Application of Controls

VIII. Overview of Evaluating Controls (CH12-15)


3

Exhibit 6-1

2100 – Nature of Work

The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.


4

2130 – Control

The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.


5

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

Achievement of the organization’s strategic objectives; Reliability and integrity of financial and operational information; Effectiveness and efficiency of operations and programs; Safeguarding of assets; and Compliance with laws, regulations, policies, procedures, and contracts.


6


7

I. Internal Control Frameworks A framework is a body of guiding principles that

form a template against which organizations can evaluate a multitude of business practices.

Blueprint of Knowledge and Guidance Specific to the practice of internal auditing,

various frameworks are used to assess the design and operating effectiveness of internal controls.


8

Exhibit 6-2


9


10


11

Internal Control FrameworksThere are currently only 3 comprehensive internal control frameworks recognized globally by management, independent outside accountants/auditors, and internal audit professionals:

1. Internal Control – Integrated Framework, issued by COSO in 1992

2. Guidance on Control (CoCo), published in 1995 by the Canadian Institute of Chartered Accountants

3. Internal Control: Revised Guide for Directors on the Combined Code (Turnbull Report), published by the Financial Reporting Council in 1999 and updated in 2005.


12


13

Exhibit 6-3


15


16

SOX Act of 2002 In the US, the SOX Act of 2002 put responsibility for the design,

maintenance, and effective operation of internal control squarely on the shoulders of senior management, specifically the CEO and

CFO. To comply with this legislation, the SEC requires the CEO and CFO

of publicly traded companies to produce opinion on the adequate design and effective operations of the internal control over financial reporting (ICFR) as part of the annual filing of financial statements with the SEC, as well as report any substantial changes in ICFR on a quarterly basis, if any.

The SEC recommends that companies use the COSO framework in their evaluation. This is known as Section 404 of SOX.

Summary of Section 404 Issuers are required to publish information in

their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.

The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.

17


18

Exhibit 6-4


19

II. What is Internal Control? Internal Control is a process, effected by an

entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations reliability of financial reporting compliance with applicable laws and regulations


20

Control Control has long been a component of the

“unique” franchise of internal auditing. The emergence of broad management control

frameworks such as COSO and CoCo has elevated the internal auditor’s focus from financial and compliance-oriented controls to management controls and governance processes that address broad organizational risks.


21

III. Components of Internal Control: ERM Cube (2004); COSO Pyramid (1992)

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information & Communication

5. Monitoring


22

Exhibit 6-6


23

Exhibit 6-7


24

The 20 (now 17) basic principles of the COSO framework are listed in Exhibit 6-6 (6-10)and correspond to the five components of the COSO framework (Exhibit 6-7)


25

Exhibit 6-10

1. Control Environment


26


27

Control Environment

Control Environment: sets the tone of an organization, influencing the control consciousness of its people

Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors


28

Control Environment Effectively controlled entities establish

appropriate policies and procedures, often including a written code of conduct, which foster shared values and team work in the pursuit of the entity’s objectives.

2. Risk Assessment


29


30

Risk Assessment Risk Assessment: the identification and analysis

of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed

There must first be objectives, established in a strategy-setting environment, before management can identify risks (event identification) that might impede the achievement of the objectives and take necessary actions to manage those risks (risk response)


31

Risk Assessment Objective setting is not an internal control but it is

a prerequisite to and enabler of internal control By setting objectives at the entity and activity

(process) levels, an entity can identify critical success factors – key things that must go right if goals are to be attained


32

Risk Assessment There are three broad categories of objectives:

1. Operations objectives – these pertain to effectiveness and efficiency of operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management’s choices about structure and performance.

2. Financial reporting objectives – these pertain to the preparation of reliable published financial statements, including prevention of fraudulent public financial reporting. They are driven primarily by external requirements.

3. Compliance objectives – these pertain to adherence to laws and regulations to which the entity is subject. They tend to be similar across all entities in some cases and across an industry in others.

3. Control Activities


33


34

Control Activities Control Activities: occur throughout the organization, at all

levels and in all functions Can be divided into 3 categories based on the nature of the

entity’s objectives to which they relate: operations, financial reporting, or compliance.

Although controls relate solely to one area, there is often overlap. Thus, operations controls also can help ensure reliable financial

reporting, financial reporting controls can serve to effect compliance, and so on.

The particular category in which a control is placed is not as important as the role it plays in achieving a particular activity’s objectives.

4. Info and Communication and 5. Monitoring

35


36

Information and CommunicationInformation and Communication: Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication must occur in a broader sense, flowing down, across, and up the organization. All personnel must understand their own role in the internal control system, as well as how individual activities relate to the work of others. hey must have a means of communicating significant information upstream.


37

Information and Communication There also needs to be effective communication with

external parties such as customers, suppliers, regulators and shareholders.

Information is only useful when communicated appropriately.

This interdependency is why COSO combines information and communication into one component.

Communication takes the form of policy manuals, memos, bulletin board notices, and videotaped messages. Tone of voice and body language also convey information.


38

Monitoring Monitoring: A process that assesses the

quality of the system’s performance over time.

This is accomplished through ongoing monitoring activities separate (periodic) evaluations or a combination of the two


39

Monitoring Ongoing monitoring occurs in the course of operations.

It includes regular management and supervisory activities, and other actions personnel take in performing their duties.

The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.

Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board of directors.

Exhibit 6-9 - Deficiency (also called audit observation) is defined as a condition within an internal control system worthy of attention.


40

IV. Internal Control Roles and Responsibilities:

Management: The CEO is ultimately responsible and should assume ownership of the system.

More than any other individual, the CEO sets the tone at the top that affects integrity and ethics and other factors of a positive control environment.

In a large company, the CEO fulfills this duty by providing leadership and direction to senior managers and reviewing the way they’re controlling the business.

Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit’s functions.


41

Internal Control Roles and Responsibilities:

Board of Directors: Effective board members are objective, capable, and inquisitive. They have knowledge of the entity’s activities and environment and commit the time necessary to fulfill their board responsibilities.

Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management that intentionally misrepresents results to cover its tracks.

A strong active board is best able to identify and correct such a problem.


42


Internal Auditors: Internal auditors play a significant role in verifying that management has an adequate system of internal controls.

Management performs the primary assessment, testing and certification of the system of internal controls and then IA independently validates management’s results.


43


Other Personnel: Internal control is, to some degree, the responsibility of everyone in an organization and should be an explicit or implicit part of everyone’s job description.

External auditors contribute directly through the financial

statement audit and indirectly by providing information useful to management and the board in carrying out their responsibilities.

In many cases, outside vendors are used to perform elements of the internal control system. In these cases, ownership or accountability for the outsourced elements remains with internal management.


44

Limitations of Internal Controls: Internal controls can provide only reasonable

assurance to management and the BOD regarding achievement of an entity’s objectives.

The likelihood of achievement is affected by limitations inherent in all internal control systems including: Faulty human- judgment in decision-making and

human errors such as simple mistakes


45

Limitations of Internal Controls:

Controls can be circumvented by the collusion of two or more people and management has the ability to override the control system.

Another limiting factor is the need to consider controls’ relative costs and benefits.


46

Risk A key to understanding the concepts of inherent limitations and

reasonable assurance lies in understanding the linkage and interdependency of the business objectives and the risks that directly or indirectly affect an organization’s ability to achieve its business objectives.

An organization’s ability to achieve established business objectives is affected by both internal and external risk factors.

The combination of internal and external risk factors in their pure, uncontrolled state is referred to as inherent risk


47

Risk After the entity has identified entitywide and activity

risks, a risk analysis needs to be performed Estimating the significance of a risk (severity or

impact) Assessing the likelihood (or frequency) of the risk

occurring (probability) Considering how the risk should be managed – that is,

an assessment of what actions need to be taken (control activities)


48

Risk A risk that does not have a significant effect and has a

low likelihood of occurrence generally does not warrant serious concern.

A significant risk with a high likelihood of occurrence usually demands considerable attention.

Circumstances in-between require difficult judgments; thus, it is important that the analysis be rational and careful.


49

Risk The specific action management chooses to take to

reduce the significance or likelihood of a risk depends largely on the risk appetite established by an organization’s management and BOD.

COSO’s ERM Integrated Framework defines risk appetite as “ the broad-based amount of risk a company is willing to accept in pursuit of its mission or vision”.

A company needs to ensure it has neither excessive risk nor excessive control. Exhibit 6-10


50

Risk Controllable risk is that portion of inherent risk

specifically related to risk factors internal to an organization.

Said another way, controllable risk is the risk that management can directly influence and that can be reduced or managed through day-to-day business operations.


51

Risk The portion of inherent risk that remains after

mitigating controllable risk is defined as residual risk.

If residual risk is less than the established risk appetite, then the system of internal controls is operating at an acceptable level and within an organization’s defined risk appetite.


52

Risk If residual risk exceeds the organization’s established risk appetite,

it is necessary to re-evaluate the system of internal controls to determine if additional cost effective control activities can be implemented to further reduce residual risk to an acceptable level.

If not, management must consider other options such as sharing or transferring a portion of the uncontrolled risk to a willing independent third party through insurance or outsourcing.

If the uncontrolled risk cannot be transferred or shared, management can either accept the higher level of risk and adjust their risk appetite accordingly or discontinue the activity.


53

Viewing Internal Control From Different Perspectives

Management: views internal control from the broad perspective of the entire organization. Its responsibility is to develop the entity’s objectives and strategies, and to direct its human and material resources to achieve the objectives.

Internal Auditors: examine and evaluate the planning, organizing, and directing processes to determine whether reasonable assurance exists that goals and objectives will be achieved. All of an entity’s systems, processes, operations, functions and activities are included within this view of internal control.


54

Viewing Internal Control From Different Perspectives

Independent Auditors: focus on those aspects of control that support or affect the entity’s external financial reporting.

Other External Parties: include legislators and regulatory agencies. Their view of control generally relate to the types of activities monitored and may encompass achievement of the entity’s goals and objectives, reporting requirement, use of resources in compliance with laws and regulations, and safeguarding resources against waste, loss and misuse.


55

Types of Control Activities: Many commonly recognized control activities that are present in a

well-designed system of internal controls include:• segregation of duties performance reviews and follow-up authorization (approvals) IT access control activities Documentation (rigorous and comprehensive) Physical access control activities IT application (input, processing, output) control activities Independent verifications and reconciliations


56

Entitywide and Process-level Control Activities

All control activities are designed to mitigate risk either at the enterprise level or at the operational level within an organization.

Entitywide control activities are very broadly focused and often

deal with the organizational environment or atmosphere.

Process level control activities are more detailed in their focus than entitywide control activities and reduce risk relative to a group of operational level activities (tasks).


57

Key Control Activities and Secondary Control Activities:

A key control activity is a control activity designed to reduce risk associated with a critical business objective.

Failure to implement adequately designed and effectively operating key controls can result in the failure of the organization not only to achieve critical business objectives but to survive.

A secondary control activity is one that is designed to either reduce risk associated with business objectives that are not critical to the organization’s survival or success, or serve as a backup to a key control.

Secondary control activities are typically a subset of compensating or complementary control activities.


58


Compensating control activities are redundant controls designed to supplement key controls that are either ineffective or cannot fully mitigate a risk by themselves to an acceptable level within the risk appetite

A complementary control is not directly related to the risk it mitigates and is not enough to fully mitigate the risk by itself, but when taken together with other control activities that are in place, does contribute to the overall effective mitigation of risk


59


A detective control is one that is designed to discover undesirable events that have already occurred.

A preventive control is a control designed to deter unintended events from occurring in the first place.

It is much more difficult and costly to design a preventive control activity that is both economical and efficient. As a result most organizations use a combination of preventive and detective controls.

A directive control is a control that gives explicit direction regarding what actions need to take place to cause or encourage a desirable event to occur.

A corrective control is one in which detected omissions and errors are corrected.


60

Information Systems Control Activities: Two broad groupings of information systems control

activities can be used. 1. General computing controls (a type of entitywide

control) apply to many if not all application systems and help ensure their continued, proper operation.

2. Application controls include computerized steps within the application software and related manual procedures to control the processing of various types of transactions.


61

Evaluating the System of Internal Controls: Three key considerations in reaching an evaluation of the overall

effectiveness of the organization’s risk management and control activities are:

1. Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered?

2. If so, were corrections or improvements made after the discoveries?

3. Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk (or operating effectiveness)?


62

VIII. Evaluating the System of Internal Controls:

A control maturity model is a tool that an organization uses to assess the sophistication of its system of internal controls

DQs


63


64

What is residual risk?a. Impact of riskb. Risk that is under controlc. Risk that is not managedd. Underlying risk in the environment


65

Appropriate internal control for a multinational corporation’s branch office that has a department responsible for the transfer of money requires that:a. The individual who initiates wire transfers does not reconcile the bank statement.b. The branch manager receives all wire transfersc. Foreign currency rates be computed separately by two different employees

d. Corporate management approves the hiring of monetary transfer unit employees


66

All of the following are entitywide control activities EXCEPT:a. assignment of authority and responsibilityb. consistent policies and proceduresc. transaction approvald. management’s risk assessment process


67

The requirement that purchases be made from suppliers on an approved vendor list is an example of a :a. preventive controlb. detective controlc. corrective controld. monitoring control


68

Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing risk management, control, and governance processes?1. to help determine the nature, timing, and extent of tests necessary to

achieve engagement objectives2. to ensure that weaknesses in the internal control system are

corrected.3. to provide reasonable assurance that the processes will enable the

organization’s objectives and goals to be met efficiently and economically.

4. to determine whether the processes ensure that the accounting records are correct and the financial statements are fairly presented.


69

Discussion Question 1 (pg. 6-31): An audit report contains the following observations:

a. A service department’s location is not well suited to allow adequate service to other units.

b. Employees hired for sensitive positions are not subjected to background checks.

c. Managers do not have access to reports that profile overall performance in relation to other benchmarked organizations.

d. Management has not taken corrective action to resolve past engagement observations related to inventory controls.

Which two of these observations are most likely to indicate the existence of control weaknesses over safeguarding of assets? Why?


70

Discussion Question 2 (page 6-31) To meet waste discharge standards, a factory implements

a control system designed to prevent the release of wastewater that does not meet those standards. One of the controls requires chemical analysis of the water, prior to discharge, for components specified in the permit. Is this an appropriate control? Why or why not?


71

Discussion Question 3 An organization has a goal to prevent the ordering of

inventory quantities in excess of its needs. One individual in the organization wants to design a control that requires a review of all purchase requisitions by a supervisory in the user department prior to submitting them to the purchasing department. Another individual wants to institute a policy requiring agreement of the receiving report and packing slip before storage of new inventory receipts. Which of these controls is (are) relevant in achieving the stated goal?


72

WB 3.14 COSO Components of Internal Control Exercise:

For each control issue described below, select the component or components of the COSO framework that best characterize the issue

Control Issue #1: Within a contracting process, levels of authorization are not defined for contracts at specified dollar values.

___ Control ___ Risk Assess- ___ Control ___ Information & ___ Monitoring Environment ment Activities Communication Control Issue #2: Employees providing customer support for a new product are not

sure how to handle certain transactions.___ Control ___ Risk Assess- ___ Control ___ Information & ___ Monitoring

Environment ment Activities Communication


73

WB 3.14 COSO Components of Internal Control Exercise:

Control Issue #3: Management encourages employees who are staffing a customer “help” line to describe certain calls in a particular way even when the calls do not fit that description.___ Control ___ Risk Assess- ___ Control ___ Information & ___ Monitoring Environment ment Activities Communication

Control Issue #4: A particular system is essential to operations, but data from that system is not covered by the disaster-recovery plan for the organization.___ Control ___ Risk Assess- ___ Control ___ Information & ___ Monitoring Environment ment Activities Communication

Control Issue #5: Reports on the volume of certain types of transactions are not reviewed by the appropriate level of management.___ Control ___ Risk Assess- ___ Control ___ Information & ___ Monitoring Environment ment Activities Communication


74

Exhibit CS2-4Compliance and Ethics

Program Maturity Attributes


75

Maturity Levels with Maturity Attributes World Class The compliance and ethics program

is considered “worldclass,” based on benchmarking and continuous improvement; many aspects of the program are highly automated and self-updating,thus creating a competitive advantage; extensive use of real-time monitoring and executive dashboards.


76

Maturity Levels with Maturity Attributes Mature KPIs and monitoring techniques are

employed to measure success; greater reliance on prevention versus detection of compliance violations and ethical misconduct; strong self-assessment of operating effectiveness; assignments of responsibilities and accountabilities exist and are well understood.


77

Maturity Levels with Maturity Attributes Defined Compliance and ethics requirements are

well defined and documented, thus there is consistency even in times of change; overall compliance and ethics awareness exists; gaps are detected and remediated timely; performance monitoring is informal, placing great reliance on the diligence of people and independent audits.


78

Maturity Levels with Maturity Attributes Repeatable Compliance and ethics practices are

established with some policy structure; formal requirements are still lacking; some clarity on roles, responsibilities, and authorities, but not on accountability; increased discipline and guidelines support repeatability; high reliance on existing personnel creates exposure to change.


79

Maturity Levels with Maturity Attributes Initial Compliance and ethics practices are

fragmented and ad hoc; generally managed in silos and reactive; lack of formal policies and procedures; dependent on the “heroics” of individuals to ensure compliance and sound ethical conduct; greater potential for violations; higher costs due to inefficiencies; not sustainable.


80

The PCAOB (Public Company Accounting Oversight Board) was created to establish guidelines that independent outside auditors must adhere to in order to company with SOX reporting requirements.

In 2007, the PCAOB issued Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements


81

MYTH FACT

Internal control starts with a strong set of policies and procedures.

Internal control starts with a strong control environment.

Internal control – that’s why we have internal auditors. Management is the owner of internal control.

Internal control is a finance thing. We do what the controller’s office tells us to do.

Internal control is integral to every aspect of the business.

Internal controls are essentially negative, like a list of “thou shalt nots”.

Internal control makes the right things happen the first time, and every time.

Internal controls are a necessary evil. They take time away from our core activities – making products, making sales, and serving customers.

Internal controls should be built into, not onto, business processes.

With downsizing and empowerment, we have to give up a certain amount of control.

With downsizing and empowerment, we need different forms of control.

If controls are strong enough, we can be sure there will be no fraud, and financial statements will be accurate.

Internal controls provide reasonable, but not absolute assurance that the organization’s objectives will be achieved.

From IIA’s Tone at the Top newsletter, November 2003


82

Exhibit 6-5


83

Exhibit 6-8


84

Exhibit 6-9


85

Exhibit 6-11


86

Exhibit 6-1210 OPPORTUNITIES FOR THE INTERNAL AUDIT DEPARTMENT TO PROVIDE INSIGHT ON EFFECTIVE INTERNAL CONTROL

1. Help the organization develop a comprehensive framework for assessing the adequate design and effective operation of internal control.

2. Help management establish a logical structure for analyzing, documenting, and assessing the organization’s design and operation of internal control.

3. Help the organization develop a process for identifying, evaluating, and remediating internal control deficiencies.

4. Provide independent assurance on the adequate design and effective operation of internal control.

5. Act decisively when potentially significant or material internal control changes or deficiencies are identified.

6. Assist in postmortem analysis when internal control deficiencies occurs.7. Inform management of potential breakdowns in internal control that present increased risk to

the organization.8. Assist management in developing a culture of ethical behavior (“tone at the top”) and low

tolerance of ineffective internal control.9. Stay abreast and inform management of emerging issues, regulations, and laws related to the

effectiveness of internal control.10. Provide internal control awareness training throughout the organization.


87

Add slides as desired

copyright: internal auditing: assurance and advisory services, by the institute of internal auditors...

Documents

internal auditing

internal audit activity

advisory services

maitland avenue

altamonte springs

effectiveness of controls

efficiency of operations

organizations governance