internal control chapter 7 mcgraw-hill/irwin copyright © 2010 by the mcgraw-hill companies, inc....
TRANSCRIPT
Internal Control
Chapter 7
McGraw-Hill/Irwin Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved.
7-2
Summary of Internal Control Summary of Internal Control DefinitionDefinition
A process, effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity’s) objectives on: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and
regulations
7-3
Control ObjectivesControl Objectives
In each area of internal control (financial reporting, operations and compliance)
Control objectives and Subobjectives exist
Example: Area of financial reporting Top level objective – prepare and issue reliable financial information Detailed level applied to A/R subobjectives
• All goods shipped are accurately billed in the proper period
• Invoices are accurately recorded for all authorized shipments and only for such shipments
• Authorized and only authorized sales returns and allowances are accurately recorded
• The continued completeness and accuracy of A/R is ensured
• Accounts receivable records are safeguarded
7-4
Foreign Corrupt Practices ActForeign Corrupt Practices Act
Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business
The Act Requires an effective system of internal control Makes illegal payment of bribes to foreign officials
7-5
Controls over Financial ReportingControls over Financial Reporting Preventive
Aimed at avoiding the occurrence of misstatements in the financial statements
Example: Segregation of duties Detective
Designed to discover misstatements after they have occurred Example: Monthly bank reconciliations
Corrective Needed to remedy the situation uncovered by detective controls Example: Backups of master file
Controls overlap Complementary – function together Redundant – address same assertion or control objective Compensating – reduces risk existing weakness will result in misstatement
7-6
Components of Internal Components of Internal Control Control
The Control Environment
Risk Assessment
The Accounting Information and Communication System
Control Activities
Monitoring
7-7
7-7
Control Environment FactorsControl Environment Factors
Integrity and ethical values Commitment to competence Board of directors or audit committee Management philosophy and operating
style Organizational structure Human resource policies and practices Assignment of authority and responsibility
7-8
7-8
Risk Assessment--Factors Indicative of Risk Assessment--Factors Indicative of Increased Financial Reporting RiskIncreased Financial Reporting Risk
Changes in the regulatory or operating environment
Changes in personnel Implementation of a new or modified information
system Rapid growth of the organization Changes in technology affecting production
processes or information systems Introduction of new lines of business, products, or
processes
7-9
7-9
Control ActivitiesControl Activities Performance reviews
Information processing General control activities
Application control activities
Physical controls
Segregation of duties Segregate authorization, recording and
custody of assets
7-10
Segregation of Duties
7-11
Objectives of an Accounting SystemObjectives of an Accounting System
Identify and record valid transactions Describe on a timely basis the transactions in
sufficient detail to permit proper classification of transactions
Measure the value of transactions appropriately Determine the time period in which the transactions
occurred to permit recording in the proper period Present properly the transactions and related
disclosures in the financial statements
7-12
MonitoringMonitoring Ongoing monitoring activities
Regularly performed supervisory and management activities
Example: Continuous monitoring of customer complaints
Separate evaluations Performed on nonroutine basis Example: Periodic audits by internal audit
7-13
Limitations of Internal ControlLimitations of Internal Control
Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
Controls that depend on the segregation of duties may be circumvented by collusion
Management may override the structure
Compliance may deteriorate over time
7-14
Enterprise Risk Management (ERM)Enterprise Risk Management (ERM)
COSO issued a new internal control framework in 2004 on enterprise risk management. It does not replace the original COSO internal control framework.
It goes beyond internal control to focus on how organizations can effectively manage risks and opportunities.
The auditing standards are still structured around the original COSO internal control framework.
7-15
Financial Statement Audits: The Financial Statement Audits: The Role of Internal ControlRole of Internal Control
Second Field Work Standard
The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. [emphasis added]
7-16
Auditors’ Overall Approach with Auditors’ Overall Approach with Internal Control Internal Control
Overall approach of an audit1. Plan the audit
2. Obtain an understanding of the client and its environment, including internal control
3. Assess the risks of material misstatement and design further audit procedures
4. Perform further audit procedures
5. Complete the audit
6. Form an opinion and issue the audit report
Steps 2-4 relate most directly to the role of internal control in financial statement audits
7-17
2. Obtain an understanding of the client and 2. Obtain an understanding of the client and its environment, including internal controlits environment, including internal control
The understanding of internal control is used to help the auditor to
Identify types of potential misstatements Consider factors that affect the risks of material misstatement. Design tests of controls (when applicable) and substantive
procedures. Auditors must consider all five internal control
components Control environment Accounting information system Risk assessment Control activities Monitoring
Also consider areas difficult to control like nonroutine transactions
7-18
Obtaining the UnderstandingObtaining the Understanding
Procedures include Inquiring of entity personnel Observing the application of specific controls Inspecting documents and reports Tracing transactions through the information
system relevant to financial reporting May also obtain evidence on operating
effectiveness of various controls
7-19
Documenting the Understanding Documenting the Understanding of Internal Controlof Internal Control
Questionnaires Typically standardized by firm
Written Narratives Memos that describe flow of transactions
Flowcharts Systems flowcharts
Walk-through Trace one or two transaction through cycle
7-20
7-21
3. Assess the risks of material 3. Assess the risks of material misstatementmisstatement
General approach Identify risks while obtaining an understanding of the
client and its environment, including its internal control Relate the identified risks to what can go wrong at the
relevant assertion level Consider whether the risks are of a magnitude that
could result in a material misstatement Consider the likelihood that the risks could result in a
material misstatement
7-22
The nature of transactionsThe nature of transactions Consider the nature of the transactions
Routine transactions—e.g., revenue, purchases, and cash receipts and disbursements
Nonroutine transactions—e.g., taking of inventory, calculating depreciation expense
Estimation transactions—e.g., determining the allowance for doubtful accounts
Generally routine transactions have the strongest controls
7-23
Assessing Risks at the Financial Assessing Risks at the Financial Statement LevelStatement Level
Examples Preparing the period-end financial statements, including the
development of significant accounting estimate and preparation of the notes
The selection and application of significant accounting policies IT general controls The control environment
Responses to high risks Assigning more experience staff or those with specialized skills Providing more supervision and emphasizing the need to
maintain professional skepticism Incorporating additional elements of unpredictability in the
selection of further audit procedures to be performed Increasing the overall scope of audit procedures, including the
nature, timing or extent
7-24
Assessing Risks at the Assessing Risks at the Assertion LevelAssertion Level
Examples Failure to recognize an impairment loss on a
long-lived asset affects only the valuation assertion
Inaccurate counting of inventory at year-end affect the valuation of inventory and the accuracy of cost of goods sold
Responses Decisions are made here as to the appropriate
combination of tests of controls and substantive procedures
7-25
4. Design and Perform audit 4. Design and Perform audit procedures – test of controls (1 of 2)procedures – test of controls (1 of 2)
Approach: Identify controls likely to prevent or detect material
misstatements Perform tests of controls to determine whether they
are operating effectively
Tests of controls address: How controls were applied The consistency with which controls were applied By whom or by what means (e.g., electronically) the
controls were applied
7-26
4. Perform further audit proce-dures4. Perform further audit proce-dures—tests of controls (2 of 2)—tests of controls (2 of 2)
Tests of controls include: Inquiries of appropriate client personnel Inspection of documents and reports Observation of the application of controls Reperformance of the controls
The results of the tests of controls are used to determine the nature, timing and extent of substantive procedures
7-27
Diagram of the Diagram of the Auditors’ Auditors’
Consideration Consideration of Internal of Internal Control Control
7-28
Other ConsiderationsOther Considerations
Audit decision aids Checklist, standard form or computer program that
helps auditors make a decision by ensuring that they have all relevant information or by assisting them in combining the information.
Use of the work of internal auditors Must assess internal audit competence and objectivity
and test work Can rely on work of internal audit to reduce amount of
testing done by independent auditors
7-29
Relationships Among DeficienciesRelationships Among Deficiencies
Deficiency in
Internal Control
Less than Significant Material
Significant Deficiency Weakness
7-30
Management’s Report on Internal Management’s Report on Internal Control under Section 404aControl under Section 404a
Acknowledgment of responsibility for internal control
An assessment of internal control effectiveness as of the last day of the company’s fiscal yearn using suitable criteria
Support the evaluation with sufficient evidence
7-31
Approach to Audit of Internal Approach to Audit of Internal Control under Section 404bControl under Section 404b
Plan the engagement Use a top-down approach to identify the
controls to test Test and evaluate design effectiveness of
internal control Test and evaluate operating effectiveness of
internal control Form an opinion on effectiveness of internal
control over financial reporting
7-32
Internal Control in Internal Control in the Small Companythe Small Company
Due to lack of employees, internal control is seldom strong in small businesses
Specific practices for small businesses Record all cash receipts immediately Deposit all cash receipts intact daily Make all payments by serially numbered checks, with exception of petty
cash disbursements Reconcile bank accounts monthly and retain copies Use serially numbered invoices, Pos, and receiving reports Issue checks to vendors only in payment of approved invoices that have
been matched with purchase orders and receiving reports Balance subsidiary ledger with control accounts Prepare comparative financial statements monthly to disclose significant
variations in any category of revenue or expense
7-32