Chapter 3: Internal Control over Financial Reporting: Management’s Responsibilities and Internal Control by COSO

Importance to the External Auditors

Importance of Internal Control Over Financial Reporting
Internal Control
- helps mitigate the risks of not achieving its objectives.
- The external auditor is most interested in the objective of reliable financial reporting.
- Management needs to:
a) Identify the risks to their organization of not achieving reliable financial reporting.
b) Implement controls to provide reasonable assurance that material misstatements do not occur in the financial statements.
Internal Control over Financial Reporting
- provides many benefits to organizations, including providing confidence regarding the reliability of their financial information and helping reduce unpleasant surprises.
Effective internal control
- improves the quality of information, thereby allowing for more informed decisions by internal and external users of the financial information.

Importance of Internal Control to External Audit
Professional auditing standards
- require the auditor to identify and assess a client’s risks of material misstatement.
- This assessment is based on an understanding of the organization and its environment, including its internal control over financial reporting.
- The auditor needs to understand a company’s internal controls in order to anticipate the types of material misstatements that may occur and then develop appropriate audit procedures to determine whether those misstatements exist in the financial statements.
Integrated Audit
- includes providing an opinion on the effectiveness of the client’s internal control over financial reporting in addition to the opinion on the financial statements.
Effective Internal Control
- requires that all five components be implemented and operate effectively.
- Controls need to:
(1) be effectively designed and implemented,
(2) operate effectively; procedures are consistent with the design of the controls.

Internal Control (COSO definition)
- a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Important elements:
● A process consisting of ongoing tasks and activities.
● Effected by people and is not just about policy manuals, systems, and forms. People at every level of the organization impact internal control.
● Able to provide reasonable assurance, but not absolute assurance, regarding the achievement of objectives. Limitations of internal control preclude absolute assurance. These limitations include faulty human judgment, breakdowns because of mistakes, circumventing controls by collusion of multiple people, and management’s ability to override controls.
● Geared toward the achievement of multiple objectives. The definition highlights that internal control provides reasonable assurance regarding three categories of objectives. However, the external auditor is primarily interested in the objective related to the reliability of financial reporting.

Five Components of Internal Control by COSO
1. Risk Assessment
- involves the process for identifying and assessing the risks that may affect an organization from achieving its objectives.
- needs to be conducted before an organization can determine other necessary controls.
2. Control Environment
- is the set of standards, processes and structures that provides the basis for carrying out internal control across the organization.
- includes the tone at the top regarding the importance of internal control and the expected standards of conduct.
- has a pervasive impact on the overall system of internal control.
3. Control Activities
- are the actions that have been established by policies and procedures.
- help ensure that management’s directives regarding internal control are carried out.
- Occur at all levels within the organization.
4. Information and Communication
- recognizes that information is necessary for an organization to carry out its internal control responsibilities.
- Information: internal and external.
- Communication: the process of providing, sharing, and obtaining necessary information.
5. Monitoring
- is necessary to determine whether the controls and all components are present and continuing to function effectively.

COSO 2013: 5 Components and 17 Principles

Entity-Wide Controls
- components of internal control operate across an entity
- affect multiple processes, transactions, accounts, and assertions. Including:
● Controls related to the control environment
● Controls over management override
● The organization’s risk assessment process
● Centralized processing and controls, including shared service environments
● Controls to monitor results of operations
● Controls to monitor other controls, including activities of the internal audit function, the
audit committee, and self-assessment programs
● Controls over the period-end financial reporting process
● Policies that address significant business control and risk management

Transaction Controls
- control activities typically affect only certain processes, transactions, accounts, and
assertions.
- not expected to have a pervasive effect. Including:
● Segregation of duties over cash receipts and recording
● Authorization procedures for purchasing
● Adequately documented transaction trail for all sales transactions
● Physical controls to safeguard assets such as inventory
● Reconciliations of bank accounts

Components and Principles of Internal Control

1. COSO Component: Control Environment
Control Environment
- the foundation for all other components of internal control.
- starts with the leadership of the organization and is often referred to as the “tone at the top” or the “internal control culture.”
a) Commitment to Integrity and Ethical Values (COSO Principle 1)
- demonstrated through the tone set by the board and management throughout the organization.
b) The Board of Directors Exercises Oversight Responsibility (COSO Principle 2)
- Members of the board of directors are the elected representatives of shareholders.
- Compensation committee
  - should review and approve the compensation of the organization’s CEO and other top officers, and oversee the organization’s benefit plans.
- Audit committee
  - is expected to exercise objective oversight for the development and performance of internal control.
c) Management Establishes Structure, Authority, and Responsibility (COSO Principle 3)
- has an appropriate structure and clearly defined lines of responsibility and authority.
- Internal control responsibilities:
1. The board of directors retains authority over significant decisions and reviews management’s assignments.
2. Senior management establishes directives, guidance, and controls to help employees understand and carry out their internal control responsibilities.
3. Management guides and facilitates senior management’s directives.
4. Personnel understand internal control requirements relative to their position in the organization.
5. Outsourced service providers adhere to management’s definition of the scope of authority and responsibility for all non-employees engaged.
d) The Organization Demonstrates Commitment to Competence (COSO Principle 4)
- needs to attract, develop, and retain competent individuals.
Competence
- is the knowledge and skills necessary to accomplish tasks that define the individual’s job.
e) The Organization Enforces Accountability (COSO Principle 5)
Accountability mechanisms
- include establishing and evaluating performance measures and providing appropriate incentives and rewards.
- be sensitive to and address pressures: avoid excessive pressures.

2. COSO Component: Risk Assessment
Risk
- is the possibility that an event will adversely affect the organization’s achievement of its objectives.
- comes from internal sources and external sources.
Risk Assessment
- process for identifying and assessing the risks.
- requires considering how changes in either the external environment or within the organization’s business model may impact the controls necessary to mitigate risk.
a) Specifies Relevant Objectives (COSO Principle 6)
- Objective: Reliable financial reporting is important for accessing capital markets, being awarded sales contracts, and dealing with vendors, suppliers, and other third parties.
- Financial reporting objectives should be consistent with the accounting principles that are suitable for the organization.
- Broad reporting objectives should be cascaded down to various business units.
- Consider the level of materiality when specifying objectives.
b) Identifies and Analyzes Risk (COSO Principle 7)
- Risk identification should include both internal and external factors.
- Identified risks should be analyzed to include an estimate of the potential significance of the risks and consideration of how each risk should be managed.
c) Assesses Fraud Risk (COSO Principle 8)
- Fraud risks
  - risks related to misappropriation of assets and fraudulent financial reporting.
- Assessment of fraud risk
  - considers ways that fraud could occur, fraud risk factors that impact financial reporting, and the incentives, opportunities and rationalization of fraud, which together form the fraud triangle.
d) Identifies and Analyzes Significant Change (COSO Principle 9)
- needs to consider changes in management and other personnel and their respective attitudes and philosophies on the system of internal control.
- needs a process for identifying and assessing changes in internal and external factors that can affect its ability to produce reliable financial reports.

3. COSO Component: Control Activities
Control Activities
- are the actions that are established through policies and procedures that help ensure that management’s directives regarding controls are accomplished.
a) Selects and Develops Control Activities (COSO Principle 10)
- select and develop control activities that are specific to the risks identified during risk assessment.
Transaction controls
- (also referred to as Application Controls) represent an important type of control activities.
- are control activities implemented to mitigate transaction processing risk, and they affect certain processes, transactions, accounts, and assertions.
- aim to give reasonable assurance that the information processing is complete, accurate, and valid.
Types of Transactions that are significant in Financial Reporting
1. Business Processes
- Include verification, reconciliations, control accounts, and authorization and approvals.
2. Accounting Estimates
- subject to significant management judgment.
- need to provide reasonable assurance that the data are accurate, the estimates are faithful to the data, and the underlying estimation model reflects current economic conditions and has proven to provide reasonable estimates in the past.
3. Adjusting, Closing and other unusual entries
- there should be reference to underlying supporting data with a well-developed transaction trail.
Transaction Trail
- includes the documents and records that allow a user (or auditor) to trace a transaction from its origination through to its final disposition, or vice versa.
Preventive Controls
- are designed to prevent the occurrence of a misstatement.
- Most cost efficient.
Detective Controls
- are designed to discover errors that occurred during processing.
Input Controls
- are designed to ensure that authorized transactions are correct and complete, and that only authorized transactions can be input.
Types of Input Control
1. Input validation tests
- are often referred to as edit tests because they are control tests built into an application to examine or edit input data for obvious errors.
2. Self-checking digits
- are a type of input validation test that has been developed to test for transposition errors associated with identification numbers.
Process Controls
- are designed to provide reasonable assurance that the correct program is used for processing, all transactions are processed, and the transactions update appropriate files.
Output Controls
- are designed to provide reasonable assurance that all data are completely processed, and that output is distributed only to authorized recipients.
Other Important Control Activities
1. Segregation of duties
- an important control activity that is designed to protect against the risk that an individual could both perpetrate and cover up a fraud.
- requires that at least two employees be involved such that one does not have both (a) the authority and ability to process transactions and (b) custodial responsibilities.
2. Physical controls
- are necessary to protect and safeguard assets from accidental or intentional destruction and theft.
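As an added illustration (not part of the original notes), the following Python models the input validation tests and self-checking digits described above: an edit test that rejects a transaction record whose identification number has transposed digits, an unknown account, a non-numeric amount or an invalid date. The weighted modulus-11 check digit (ISBN-10 style), the chart of accounts, the amount limit and the sample batch are all constructed assumptions.

```python
# Added example (not from the original notes): an edit test that applies a
# self-checking digit. The weighted modulus-11 scheme (ISBN-10 style), the
# chart of accounts, the amount limit and the sample batch are constructed.
from datetime import date

def check_digit(body: str) -> str:
    """Weighted mod-11 check digit. Weights run from len(body)+1 down to 2, so
    each position has a distinct weight; because 11 is prime, a single wrong
    digit or a transposition of two digits always changes the result."""
    if not body.isdigit():
        raise ValueError("identification number body must be numeric")
    total = sum(int(d) * w for d, w in zip(body, range(len(body) + 1, 1, -1)))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)

def make_id(body: str) -> str:
    """Append the check digit to a numeric body to form an identification number."""
    return body + check_digit(body)

def id_is_valid(idnum: str) -> bool:
    """Self-checking digit test: recompute and compare the trailing character."""
    if len(idnum) < 2 or not idnum[:-1].isdigit():
        return False
    return check_digit(idnum[:-1]) == idnum[-1].upper()

# Constructed chart of accounts and limit used by the validity and limit tests.
CHART_OF_ACCOUNTS = {"1100": "Cash", "1200": "Accounts receivable", "4000": "Sales"}
MAX_LINE_AMOUNT = 250_000.00

def edit_tests(rec: dict) -> list[str]:
    """Return the input-validation failures for one transaction record."""
    errors = []
    if not id_is_valid(rec.get("customer_id", "")):
        errors.append("customer_id fails self-checking digit")
    if rec.get("account") not in CHART_OF_ACCOUNTS:
        errors.append("account not in chart of accounts")
    try:
        amount = float(rec.get("amount", ""))
        if amount <= 0 or amount > MAX_LINE_AMOUNT:
            errors.append("amount outside permitted range")
    except ValueError:
        errors.append("amount is not numeric")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("date is not a valid YYYY-MM-DD value")
    return errors

def rejected_records(batch: list[dict]) -> dict[int, list[str]]:
    """Map the index of each failing record in the batch to its list of errors."""
    return {i: errs for i, rec in enumerate(batch) if (errs := edit_tests(rec))}

# Constructed sample batch: a clean record, the same customer id with two adjacent
# digits transposed (caught by the check digit), and a record with bad values.
GOOD_ID = make_id("4823915")                                        # "48239151"
SWAPPED_ID = GOOD_ID[:2] + GOOD_ID[3] + GOOD_ID[2] + GOOD_ID[4:]    # "48329151"
SAMPLE_BATCH = [
    {"customer_id": GOOD_ID, "account": "4000", "amount": "1250.00", "date": "2024-03-31"},
    {"customer_id": SWAPPED_ID, "account": "4000", "amount": "1250.00", "date": "2024-03-31"},
    {"customer_id": GOOD_ID, "account": "9999", "amount": "12,50", "date": "2024-02-30"},
]

if __name__ == "__main__":
    for i, errs in rejected_records(SAMPLE_BATCH).items():
        print(f"record {i} rejected: {'; '.join(errs)}")
```

Only the first record passes every edit test; the transposed identification number in the second record fails on input, which is exactly the error class a self-checking digit exists to catch.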

b) Selects and Develops General Controls Over Technology (COSO Principle 11)
General Computer Controls
- referred to as information technology general controls.
- are pervasive control activities that affect multiple types of information technology systems, from mainframe computers, to desktop computers, to laptop computers, to the mobile devices that you use to organize your everyday life.
Coverage
1. Technology infrastructure
- provides the support for information technology to effectively function.
- Includes communication network, computing resources and electricity.
2. Security Management
- includes control activities that limit access to technologies.
3. Technology Acquisition, Development and Maintenance
- technology may be developed in-house or acquired through outsourcing or packaged software.
c) Deploys through Policies and Procedures (COSO Principle 12)
- needs to have policies that outline what is expected and procedures that put the policies into action.

4. COSO Component: Information and Communication
- the process of identifying, capturing, and exchanging information in a timely fashion to enable accomplishment of the organization’s objectives.
Communication
- is the process of providing, sharing, and obtaining information.
Information
- is communicated internally throughout the organization.
a) Uses Relevant Information (COSO Principle 13)
- needs to identify and obtain relevant internal and external information to support its internal control and achieve its objective of reliable financial reporting.
b) Communicates Internally (COSO Principle 14)
- internal communication of information occurs throughout the organization, including up, down, and across the organization.
Whistleblower Function
- a special line of communication is needed for anonymous or confidential communications, particularly when an employee is concerned that something is inappropriate in the company’s operations.
c) Communicates Externally (COSO Principle 15)
- a need for two-way communication with parties external to the organization, including shareholders, business partners, customers, and regulators.

5. COSO Component: Monitoring
Monitoring
- is defined as a process that provides feedback on the effectiveness of each of the five components of internal control.
- requires that identified deficiencies in internal control be communicated to appropriate personnel and follow-up action be taken.
a) Conducts Ongoing and/or Separate Evaluations (COSO Principle 16)
Ongoing evaluations
- are procedures built into the normal recurring activities of an entity.
Separate evaluations
- are conducted periodically, typically by objective management personnel, internal auditors, or external consultants.
b) Evaluates and Communicates Deficiencies (COSO Principle 17)
- deficiencies need to be communicated to appropriate personnel so that appropriate corrective action can be taken.
- an organization needs to implement a system to track whether deficiencies are corrected on a timely basis.

Management’s Responsibilities Related to Internal Control over Financial Reporting
Management
- first line of defense.
- responsible for designing, implementing, and maintaining effective internal control over financial reporting.
- Public Companies: responsibility to provide users with a report on the effectiveness of the organization’s internal control based on the requirements in the Sarbanes-Oxley Act of 2002.
Sarbanes-Oxley Act of 2002
- Public Company: to annually report on the design and operating effectiveness of the organization’s controls.
U.S. Securities and Exchange Commission (SEC)
- provided guidelines to assist management in its evaluation of the effectiveness of internal controls over financial reporting.
- requires suitable criteria to be used as the benchmark in assessing internal control effectiveness.
- Public Report: management’s annual assessment of internal control effectiveness.
Documentation of Internal Control
- should provide clarity and communicate standards and expectations related to internal control.
- is also useful in training new personnel or serving as a reference tool for all employees.
- provides evidence that the controls are operating, enables proper monitoring activities, and supports reporting on internal control effectiveness.
- External auditor: uses this to obtain an understanding of the client’s internal control system.
- Nature and Extent: should be sufficient to support the design and operating effectiveness of controls.
Management’s Report
● Provides a statement that management is responsible for internal control
● Includes a definition of internal control
● Discusses the limitations of internal control
● Identifies the criteria (COSO) used in assessing internal control
● Concludes as to the effectiveness of internal control at a point in time (year-end)
● References the report on internal control provided by the company’s external auditors

Guideline for Developing Reliable Documentation


● Prenumbered paper or computer-generated documents facilitate the control of, and
accountability for, transactions and are crucial to the completeness assertion.
● Timely preparation improves the credibility and accountability of documents and
decreases the rate of errors on all documents.
● Authorization of a transaction should be clearly evident in the records.
● A transaction trail should exist such that a user (or auditor) could trace a transaction
from its origination through to its final disposition, or vice versa. A transaction trail serves
many purposes, including providing information in order to respond to customer inquiries
and identify and correct errors.

Evaluating Internal Control Over Financial Reporting

Reporting on Internal Control Over Financial Reporting
- management evaluates its internal control over financial reporting in order to report on its design and operating effectiveness.
- encourages a risk-based approach to evaluation.
1. Identify the significant risks to reliable financial reporting (significant accounts).
2. Substantial judgment required by accounting personnel in valuing the inventory suggests that valuation is a particularly relevant assertion.
3. Focus on the design and operating effectiveness of the controls intended to mitigate the risks to reliable financial reporting, and conduct a walkthrough.
4. Gather evidence through various procedures on whether the controls are operating effectively.
5. Test the procedures.
6. Evaluate identified control deficiencies and provide the management report as part of the filings with the SEC.

Assessing Internal Control Deficiencies

Control deficiency
- a shortcoming in internal controls such that the objective of reliable financial reporting may not be achieved.
Deficiency in design
- a control necessary to meet the control objective is missing, or an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
Deficiency in operation
- a properly designed control does not operate as designed, or the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Categories of Deficiencies
1. Material weakness
- a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.
- Management cannot conclude that its internal control over financial reporting is effective.
- could lead to a material misstatement.
- 1 or more material misstatements: issue a report that internal control is not effective.
- Can include deficiencies in other components of internal control, including the control environment, risk assessment, information and communication, and monitoring.
2. Significant Deficiency
- is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the organization’s financial reporting.
- is important enough that it should be brought to the attention of management and the audit committee, but it does not need to be reported to external users.
- not included in management’s report on internal control effectiveness.
