Importance to the External Auditors
Importance of Internal Control Over Financial Reporting
Internal Control
- help mitigate the risks of not achieving its objectives.
- External auditor is most interested in the objective of reliable financial reporting
- Management needs to:
a) Identify the risks to their organization of not achieving reliable financial reporting.
b) Implement controls to provide reasonable assurance that material misstatements do not occur in the financial statements.
Internal Control over Financial Reporting
- provides many benefits to organizations, including providing confidence regarding the reliability of their financial information and helping reduce unpleasant surprises.
Effective internal control
- improves the quality of information, thereby allowing for more informed decisions by internal and external users of the financial information.
Importance of Internal Control to External Audit
Professional auditing standards
- require the auditor to identify and assess a client’s risks of material misstatement
- This assessment is based on an understanding of the organization and its environment, including its internal control over financial reporting.
- The auditor needs to understand a company’s internal controls in order to anticipate the types of material misstatements that may occur and then develop appropriate audit procedures to determine whether those misstatements exist in the financial statements.
Integrated Audit
- includes providing an opinion on the effectiveness of the client’s internal control over financial reporting in addition to the opinion on the financial statements.
Internal Control (definition)
- a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Important elements:
● A process consisting of ongoing tasks and activities.
● Effected by people and is not just about policy manuals, systems, and forms. People at every level of the organization impact internal control.
● Able to provide reasonable assurance, but not absolute assurance, regarding the achievement of objectives. Limitations of internal control preclude absolute assurance. These limitations include faulty human judgment, breakdowns because of mistakes, circumventing controls by collusion of multiple people, and management ability to override controls.
● Geared toward the achievement of multiple objectives. The definition highlights that internal control provides reasonable assurance regarding three categories of objectives. However, the external auditor is primarily interested in the objective related to the reliability of financial reporting.
Five Components of Internal Control by COSO
1. Risk Assessment
- involves the process for identifying and assessing the risks that may affect an organization from achieving its objectives.
- needs to be conducted before an organization can determine other necessary controls.
2. Control Environment
- is the set of standards, processes and structures that provides the basis for carrying out internal control across the organization.
- includes the tone at the top regarding the importance of internal control and the expected standards of conduct.
- has a pervasive impact on the overall system of internal control.
3. Control Activities
- are the actions that have been established by policies and procedures.
- help ensure that management’s directives regarding internal control are carried out.
- Occur at all levels within the organization.
4. Information and Communication
- recognizes that information is necessary for an organization to carry out its internal
control responsibilities.
- Information: internal and external
- Communication - process of providing, sharing, and obtaining necessary information.
5. Monitoring
- is necessary to determine whether the controls and all components are present and
continuing to function effectively.
COSO 2013: 5 Components and 17 Principles
Effective Internal Control
- requires that all five components be implemented and operate effectively.
- need to:
(1) be effectively designed and implemented,
(2) operate effectively; procedures are consistent with the design of the controls
Entity-Wide Controls
- components of internal control operate across an entity
- affect multiple processes, transactions, accounts, and assertions. Including:
● Controls related to the control environment
● Controls over management override
● The organization’s risk assessment process
● Centralized processing and controls, including shared service environments
● Controls to monitor results of operations
● Controls to monitor other controls, including activities of the internal audit function, the
audit committee, and self-assessment programs
● Controls over the period-end financial reporting process
● Policies that address significant business control and risk management
Transaction Controls
- control activities typically affect only certain processes, transactions, accounts, and
assertions.
- not expected to have a pervasive effect. Including:
● Segregation of duties over cash receipts and recording
● Authorization procedures for purchasing
● Adequately documented transaction trail for all sales transactions
● Physical controls to safeguard assets such as inventory
● Reconciliations of bank accounts
e) The Organization Enforces Accountability (COSO Principle 5)
3. COSO Component: Control Activities
Control Activities
- are the actions that are established through policies and procedures that help ensure that management’s directives regarding controls are accomplished.
a) Selects and Develops Control Activities (COSO Principle 10)
- select and develop control activities that are specific to the risks they identify during risk assessment.
Transaction controls
- (also referred to as Application Controls) represent an important type of control activities.
- are control activities implemented to mitigate transaction processing risk, and they affect certain processes, transactions, accounts, and assertions.
- wants reasonable assurance that the information processing is complete, accurate, and valid.
Types of Transactions that are significant in Financial Report
1. Business Processes
- Include verification, reconciliations, control accounts, and authorization and approvals.
2. Accounting Estimates
- subject to significant management judgment.
- need to provide reasonable assurance that the data are accurate, the estimates are faithful to the data, and the underlying estimation model reflects current economic conditions and has proven to provide reasonable estimates in the past.
3. Adjusting, Closing and other unusual entries
- there should be reference to underlying supporting data with a well-developed transaction trail
Transaction Trail
- includes the documents and records that allow a user (or auditor) to trace a transaction from its origination through to its final disposition, or vice versa.
Preventive Controls
- are designed to prevent the occurrence of a misstatement.
- Most cost efficient
Detective Controls
- are designed to discover errors that occurred during processing.
Input Controls
- are designed to ensure that authorized transactions are correct and complete, and that only authorized transactions can be input.
Types of Input Control
1. Input validation tests
- are often referred to as edit tests because they are control tests built into an application to examine or edit input data for obvious errors.
2. Self-checking digits
- are a type of input validation test that have been developed to test for transposition errors associated with identification numbers.
Process Controls
- are designed to provide reasonable assurance that the correct program is used for processing, all transactions are processed, and the transactions update appropriate files.
Output Controls
- are designed to provide reasonable assurance that all data are completely processed, and that output is distributed only to authorized recipients.
Other Important Control Activities
1. Segregation of duties
- an important control activity that is designed to protect against the risk that an individual could both perpetrate and cover up a fraud.
- requires that at least two employees be involved such that one does not have (a) the authority and ability to process transactions and (b) custodial responsibilities.
2. Physical controls
- are necessary to protect and safeguard assets from accidental or intentional destruction and theft.
b) Selects and Develops General Controls Over Technology (COSO Principle 11)
General Computer Controls
- referred to as information technology general controls
- are pervasive control activities that affect multiple types of information technology systems, from mainframe computers, to desktop computers, to laptop computers, to the mobile devices that you use to organize your everyday life.
Coverage
1. Technology infrastructure
- provides the support for information technology to effectively function.
- Includes communication network, computing resources and electricity.
2. Security Management
- includes control activities that limit access to technologies.
3. Technology Acquisition, Development and Maintenance
- may be developed in-house or acquired through outsourcing a packaged software.
c) Deploys through Policies and Procedures (COSO Principle 12)
- needs to have policies that outline what is expected and procedures that put the policies into action.
Whistleblower Function
- a special line of communication is needed for anonymous or confidential communications, particularly when an employee is concerned that something is inappropriate in the company’s operations.
c) Communicates Externally (COSO Principle 15)
- a need for two-way communication with parties external to the organization, including shareholders, business partners, customers, and regulators.
5. COSO Component: Monitoring
Monitoring
- is defined as a process that provides feedback on the effectiveness of each of the five components of internal control.
- requires that identified deficiencies in internal control be communicated to appropriate personnel and follow-up action be taken.
a) Conducts Ongoing and/or Separate Evaluations (COSO Principle 16)
Ongoing evaluations
- are procedures built into the normal recurring activities of an entity.
Separate evaluations
- are conducted periodically, typically by objective management personnel, internal auditors, or external consultants.
b) Evaluates and Communicates Deficiencies (COSO Principle 17)
- the need to be communicated to appropriate personnel so that appropriate corrective action can be taken.
- the need for an organization to implement a system to track whether deficiencies are corrected on a timely basis.
Management’s Responsibilities Related to Internal Control over Financial Reporting
Management
- first line of defense
- responsible for designing, implementing, and maintaining effective internal control over financial reporting.
- Public Companies: responsibility to provide users with a report on the effectiveness of the organization’s internal control based on the requirements in Sarbanes-Oxley Act of 2002.
Documentation of Internal Control
- should provide clarity and communicate standards and expectations related to internal control.
- is also useful in training new personnel or serving as a reference tool for all employees.
- provides evidence that the controls are operating, enables proper monitoring activities, and supports reporting on internal control effectiveness.
- External auditor: use this to obtain an understanding of the client’s internal control system
Nature and Extent: should be sufficient to support the design and operating effectiveness of controls.
Sarbanes-Oxley Act of 2002
- Public Company: to annually report on the design and operating effectiveness of the organization’s controls.
U.S. Securities and Exchange Commission (SEC)
- provided guidelines to assist management in its evaluation of the effectiveness of internal controls over financial reporting.
- require suitable criteria to be used as the benchmark in assessing internal control effectiveness.
- Public Report: management’s annual assessment of internal control effectiveness
Management’s Report
● Provides a statement that management is responsible for internal control
● Includes a definition of internal control
● Discusses the limitations of internal control
● Identifies the criteria (COSO) used in assessing internal control
● Concludes as to the effectiveness of internal control at a point in time (year-end)
● References the report on internal control provided by the company’s external auditors
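
The self-checking digit input control described under Types of Input Control, as an added example that is not part of the original notes. It uses the Luhn algorithm as one concrete check-digit scheme (an assumption, since the notes name none) on constructed identifiers, and also reports which adjacent transpositions the edit test would miss.

```python
# Added example: Luhn is assumed as the check-digit scheme; IDs are constructed.

def luhn_check_digit(payload: str) -> str:
    """Return the check digit to append to a numeric payload."""
    if not (payload.isascii() and payload.isdigit()):
        raise ValueError("payload must contain ASCII digits only")
    total = 0
    # Walk right to left; the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid(identifier: str) -> bool:
    """Edit test: reject non-numeric input or a wrong check digit."""
    if len(identifier) < 2 or not (identifier.isascii() and identifier.isdigit()):
        return False
    return luhn_check_digit(identifier[:-1]) == identifier[-1]


def undetected_transpositions(identifier: str) -> list[int]:
    """Positions i where swapping digits i and i+1 still passes the edit test."""
    missed = []
    for i in range(len(identifier) - 1):
        a, b = identifier[i], identifier[i + 1]
        if a == b:
            continue  # swapping equal digits is not an error
        swapped = identifier[:i] + b + a + identifier[i + 2:]
        if is_valid(swapped):
            missed.append(i)
    return missed


# Constructed identifiers: payload plus computed check digit.
ACCOUNT_A = "7992739871" + luhn_check_digit("7992739871")
ACCOUNT_B = "120934" + luhn_check_digit("120934")  # contains an adjacent 0 and 9

if __name__ == "__main__":
    for acct in (ACCOUNT_A, ACCOUNT_B):
        print(acct, is_valid(acct), undetected_transpositions(acct))
```

The second identifier shows the scheme's known gap: swapping an adjacent 0 and 9 leaves the check digit unchanged, so a self-checking digit is a preventive input control for most transposition errors, not all of them.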