8 INTERNAL CONTROL AND COSO
c. Based upon the case facts, do you agree with the auditors’ statement regarding their inability to detect frauds involving collusion between client management and
LEARNING OBJECTIVES
After studying this chapter, you should be able to:
1 Describe the four primary objectives of effective internal control.
2 Contrast management’s responsibilities for maintaining controls with the auditor’s
responsibilities for evaluating and reporting on internal control.
3 Explain the five components of the COSO internal control framework and the 17
principles of effective control.
4 Understand the important risks and controls in small businesses.
Keeping his trades hidden required constant vigilance. Kerviel needed to continue to delete
and re-enter fake trades to avoid detection. As a result, he regularly skipped holidays and rarely
took vacation. “It is one of the rules of controls: a trader who doesn’t take holidays is a trader who
doesn’t want his books to be seen by others,” Kerviel stated to investigators.
Finally, a fictitious trade made in the name of a German brokerage house triggered an alarm in
Société Générale’s systems. Under repeated questioning, Kerviel revealed that his bets had over
50 billion euros at risk for the bank. By the time the French bank unwound the bets, it had lost
4.9 billion euros (US$7.4 billion), nearly destroying the 145-year-old bank.
At Kerviel’s June 2010 trial, one of the bank’s former executives admitted that the bank failed
by creating an environment where there was “too much trust.” And, his former boss commented, “If
you’re not looking for anything, you don’t find anything.”
Sources: Adapted from Nicola Clark and Katrin Behnhold, “A Société Générale trader remains a mystery as his criminal
trial ends,” The New York Times, June 25, 2010. David Gauthier-Villars and Carrick Mollenkamp, “Portrait emerges of
rogue trader at French bank,” The Wall Street Journal, February 2–3, 2008, p. A1.
Collusion—a cooperative effort among employees or management to defraud a

THE RESPONSIBILITIES OF MANAGEMENT AND THE AUDITOR
Management and the auditor have different responsibilities for internal controls. Management, not the auditor, must establish and maintain the entity’s internal controls. Also, in the case of public companies, management is required to publicly report on the operating effectiveness of internal controls over financial reporting. In the United States, auditors of large public companies are required to provide an audit opinion on management’s report of the effectiveness of internal controls over financial reporting. However, auditors of companies solely listed on Canadian securities exchanges are not required to issue an audit report on the operating effectiveness of internal controls. Two key concepts underlie management’s design and implementation of controls—reasonable assurance and inherent limitations.
Reasonable Assurance
A company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated. Management develops internal controls after considering both the costs and benefits of the controls. Reasonable assurance is a high level of assurance that allows only a low likelihood that material misstatements will not be prevented or detected on a timely basis by internal control.
Inherent Limitations
Internal controls cannot be regarded as completely effective, regardless of the care followed in their design and implementation. Even if systems personnel could develop, design, and program an ideal system, the effectiveness of the system would also depend on the competence and dependability of the people using it. For example, assume that a procedure for counting inventory is carefully developed and requires two employees to count independently. If neither of the employees understands the instructions or if both are careless in doing the counts, the count of inventory is likely to be incorrect. Even if the count is right, management might override the procedure and instruct an employee to increase the count of quantities in order to improve reported earnings. Similarly, the employees might decide to overstate the counts intentionally to cover up a theft of inventory by one or both of them. This collaborative effort among employees to defraud is called collusion.
Management’s Reporting Responsibilities
For public companies in Canada, management is required to publicly report on the operating effectiveness of internal controls over financial reporting. The internal control framework used by most public companies is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework. The COSO framework is the internal control equivalent to generally accepted accounting policies (GAAP). In other words, it is the framework that is used to assess the effectiveness of internal control over financial reporting. Management’s assessment of internal control over financial reporting consists of two key aspects. First, management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls.
Auditor’s Responsibilities
Auditors are responsible for understanding the entity’s internal controls where they
are relevant to the audit, in order to achieve the auditors’ objective of identifying
the risks of material misstatement at the financial statement and assertion level.
Obtaining this understanding of internal control applies to all audits, even when
an auditor does not intend to place reliance on internal controls.
Figure: The five COSO components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring—applied to specified financial reporting objectives.
Table 8-1 COSO Components of Internal Control and Principles for Effective Control

Control environment
Description: The set of standards, processes, and structures that provide the basis for internal control across the entity. The board of directors and management establish the overall tone regarding internal control and its importance. The control environment has a pervasive impact on the overall system of control.
Principles for effective control:
1. Demonstrates commitment to integrity and ethical values.
2. Board of directors demonstrates independence from management and exercises oversight responsibility.
3. Management, with board oversight, establishes structure, authority, and responsibility.
4. The organization demonstrates commitment to competence.
5. The organization establishes and enforces accountability.

Risk assessment
Description: The process of identification and analysis of risks relevant to the preparation of financial statements in conformity with an applicable financial reporting framework.
Principles for effective control:
6. Specifies relevant objectives with sufficient clarity to enable identification of risks.
7. Identifies and assesses risks.
8. Considers the potential for fraud in assessing risk.
9. Identifies and assesses significant changes that could impact internal control.

Control activities
Description: Actions established by policies and procedures to help ensure that management’s directives to mitigate risks to achieve its objectives are met. Control activities are performed at all levels of the entity.
Principles for effective control:
10. Selects and develops control activities.
11. Selects and develops general controls over technology.
12. Deploys policies and procedures.

Information and communication
Description: Information is necessary to carry out internal control responsibilities. Communication is the continued, iterative process of providing, sharing, and obtaining necessary information to design, implement, and conduct internal control and to assess its effectiveness.
Principles for effective control:
13. Obtains or generates relevant, quality information.
14. Communicates internally.
15. Communicates externally.

Monitoring
Description: The activities used to ascertain whether the five components of internal control to address the principles are present and functioning.
Principles for effective control:
16. Selects, develops, and performs ongoing and separate evaluations.
17. Evaluates and communicates deficiencies.
Control Environment
Control environment—the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about control and its importance to the entity.
The control environment is the foundation of effective internal control. It addresses governance and management functions, as well as the attitudes, awareness, and actions of those charged with governance and management concerning internal control and its importance. Controls at this level are generally pervasive in nature. Although they will not directly prevent or detect and correct a material misstatement, they provide the discipline and structure for all other components. If top management
believes control is important, others in the organization will sense that and respond
by conscientiously observing the policies and procedures established. However, if it
is clear to members of the organization that control is not an important concern to top
management and is given “lip service” rather than meaningful support, it is almost
certain that control objectives will not be effectively achieved. Or, as in the case of
Société Générale (in our opening vignette), if management fails in its monitoring role
by placing too much trust in the system or the people operating the controls, then the
risk for fraud and error is high.
CONCEPT CHECK
C8-1 Which of the five categories of COSO internal controls is most important? Justify
your response.
C8-2 What are entity-level controls and why are they so important?
AUDITING IN ACTION 8-1
Material Weaknesses at Penn West Petroleum—The Importance of Corporate Culture
In 2014, Penn West Petroleum, one of the largest conventional oil and natural gas producers in Canada, announced the results of an independent internal review conducted by forensic accountants hired by the audit committee, which arose from certain accounting practices that came to the attention of the new CFO (chief financial officer). In determining why the accounting practices were undetected, the audit committee identified the following material weaknesses in the internal control over financial reporting:
• Control environment. Management concluded that the former senior accounting management did not adequately establish and enforce a strong culture of compliance and controls. There was a lack of awareness or unwillingness of some staff with knowledge of improper practices to use the company’s whistleblowing hotline or to take other actions that could have brought to light the improper accounting practices much sooner. Management concluded that this material weakness was a factor that contributed to the other weaknesses that were discovered.
• Lack of appropriate review of journal entries. The company had journal entry policies requiring that the person creating an entry be unable to approve the entry and that each entry include appropriate documentation; however, those policies were not followed.
• Management override. Senior accounting management overrode the company’s accounting processes and recorded incorrect amounts in the financial statements.
Lynn Turner, former chief accountant of the SEC, in commenting on the weaknesses, noted: “It reflects very poorly on the governance of the company, the integrity of management, and on the ability of the company itself to generate reliable data on which to base investment decisions.”
As a result of these material weaknesses, the company had to restate the first quarter of 2014, along with the 2013 and 2012 audited consolidated financial statements. The restatement did not mean “The sky is falling”—the company was onside with all of its debt covenants, its borrowing base had not been affected, and neither had the value of its reserves changed. Further, the senior accounting personnel responsible for the misstatements were no longer with the company and Penn West had taken several remedial actions to rectify the material weaknesses. However, the inappropriate adjustments boosted cash flow and netbacks (a measure of profitability per barrel of oil), two key metrics that influence stock price.
Following the announcement of the restatements, the share price dropped significantly and several class action lawsuits were filed. In the end, Penn West and the investors settled on a $53 million payout.
Sources: Claudia Cattaneo, “Rocked by accounting scandal, Penn West has now turned the corner, CEO says,” Financial Post, November 2014. Penn West press release, CNW Newswire, September 18, 2014, accessed April 6, 2015, at http://business.financialpost.com/commodities/energy/rocked-by-accounting-scandal-penn-west-has-now-turned-the-corner-ceo-says. Daniel Healing, “Settlement revealed to be $53 million in Penn West accounting scandal,” Calgary Herald, February 17, 2016. David Milstead, “Penn West, WorldCom: The warning signs we may have missed,” The Globe and Mail, August 8, 2014. Crystal Schlick, “Yedlin: Penn West tries to move forward with release of audit,” Calgary Herald, September 27, 2014.
Risk Assessment
Risk assessment—management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with an applicable financial reporting framework.
Risk assessment involves a process for identifying and analyzing risks that might prevent the organization from achieving its objectives. There are four underlying principles related to risk assessment: the organization should have clear objectives in order to be able to identify and assess the risks relating to its objectives; it should determine how the risks should be managed; the organization should consider the potential for fraudulent behaviour; and it should monitor changes that could impact internal controls. Specific risks related to information technology (IT) should be considered, as these risks can lead to substantial losses. If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors.
Risk assessment specifically related to financial reporting involves management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with an applicable financial reporting framework. For example, if a company frequently sells products at a price below inventory cost because of rapid technology changes, it is essential for the company to incorporate adequate controls to address the risk of overstating inventory. Once management identifies a risk, it estimates the significance of that risk, assesses the likelihood of the risk occurring, and develops specific actions that need to be taken to reduce the risk to an acceptable level.
Management’s risk assessment differs from but is closely related to the auditor’s
risk assessment discussed in Chapter 7. While management assesses risks as a part of
designing and operating internal controls to minimize errors and fraud, auditors
assess risks to decide the evidence needed in the audit. If management effectively
assesses and responds to risks, the auditor will typically choose to accumulate less
evidence than when management fails to identify or respond to significant risks.
Control Activities
Control activities—policies and procedures that help ensure the necessary actions to address risks in the achievement of the entity’s objectives.
Control activities are the actions established by the policies and procedures to help ensure that management directives to mitigate risks are carried out. Control activities are performed at all levels of the entity, at various stages within business processes,
Figure: Four kinds of control activity—authorization (“STOP! Without authorization you can’t proceed.”), documentation, segregation of duties, and review (“Are there any errors?”).
General authorization—companywide policies for the approval of all transactions within stated limits.
Specific authorization—case-by-case approval of transactions not covered by companywide policies.
Independent checks—internal
authorizes those sales based on its comparison of customer credit limits to the master file and posts all approved sales in the sales cycle journals. Therefore, the computer plays a significant role in the authorization and record keeping of sales transactions. To compensate for these potential overlaps of duties, it is important for companies to separate major IT-related functions from key user department functions. In this example, responsibility for designing and controlling accounting software programs that contain the sales authorization and posting controls should be under the authority of IT, whereas the ability to update information in the master file of customer credit limits should reside in the company’s credit department outside the IT function.
Application controls—controls typically at the business process level that apply to processing transactions, such as the inputting, processing, and outputting of sales or cash receipts.
Input controls—controls designed by an organization to ensure that the information to be processed by the computer is authorized, accurate, and complete.
Independent Checks of Performance, Recorded Data, and Actual Results The need for careful and continuous review of the other controls, often referred to as independent checks on performance or internal verification, arises because internal control tends to change over time unless there is a mechanism for frequent review. Computerized accounting systems can be designed so that many internal verification procedures can be automated as part of the system, such as separate addition of subsidiary files for agreement with general ledger totals.
In the case of manual reviews, an essential characteristic of the persons performing internal verification procedures is independence from the individuals originally responsible for preparing the data. The least expensive means of internal verification is the separation of duties in the manner previously discussed. For example, when the bank reconciliation is performed by a person independent of the accounting records and handling of cash, there is an opportunity for verification without incurring significant additional costs.
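The separations described above (the credit department, not IT, changes customer credit limits; the person who creates a journal entry cannot approve it, the policy Penn West had on paper in Auditing in Action 8-1) can be enforced in software rather than left to procedure. The following Python example is added here and is not code from the textbook; the roles, users, permission names and sample entries are constructed assumptions. It also records every denied attempt, because a log of blocked override attempts is what a reviewer or internal auditor later examines:

```python
"""Segregation-of-duties checks for a small accounting workflow.

Added illustration, not code from the textbook. The roles, permissions,
users and journal entries below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed role model: which permission each role carries. Note that the IT
# developer who maintains the program holds no right to change credit limits.
ROLE_PERMISSIONS = {
    "accounting_clerk":   {"journal.create"},
    "accounting_manager": {"journal.create", "journal.approve"},
    "credit_analyst":     {"credit_limit.update"},
    "it_developer":       {"program.change"},
}

# Constructed users; a real system reads this from its identity directory.
USERS = {"alice": "accounting_clerk", "bob": "accounting_manager",
         "carol": "credit_analyst", "dave": "it_developer"}


class SegregationError(Exception):
    """Raised when an action would violate a control; the attempt is also logged."""


@dataclass
class JournalEntry:
    entry_id: str
    amount: float
    created_by: str
    documentation: str              # supporting reference, e.g. an invoice number
    approved_by: Optional[str] = None


@dataclass
class ControlLog:
    denied: list = field(default_factory=list)   # (user, action, reason) tuples


def has_permission(user: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(USERS.get(user, ""), set())


def deny(log: ControlLog, user: str, action: str, reason: str) -> None:
    """Record the blocked attempt, then refuse it."""
    log.denied.append((user, action, reason))
    raise SegregationError(f"{user}: {action} denied ({reason})")


def create_entry(log: ControlLog, entry_id: str, amount: float,
                 created_by: str, documentation: str) -> JournalEntry:
    if not has_permission(created_by, "journal.create"):
        deny(log, created_by, "journal.create", "no create permission")
    return JournalEntry(entry_id, amount, created_by, documentation)


def approve_entry(log: ControlLog, entry: JournalEntry, approver: str) -> JournalEntry:
    """Maker-checker: the approver needs the permission, must not be the
    creator, and the entry must carry documentation."""
    if not has_permission(approver, "journal.approve"):
        deny(log, approver, "journal.approve", "no approve permission")
    if approver == entry.created_by:
        deny(log, approver, "journal.approve", "creator cannot approve own entry")
    if not entry.documentation.strip():
        deny(log, approver, "journal.approve", "entry lacks documentation")
    entry.approved_by = approver
    return entry


def update_credit_limit(log: ControlLog, master: dict, user: str,
                        customer: str, new_limit: float) -> dict:
    """Only the credit department may change the customer master file."""
    if not has_permission(user, "credit_limit.update"):
        deny(log, user, "credit_limit.update", "outside credit department")
    master[customer] = new_limit
    return master


def demo() -> dict:
    """Run the scenarios and return what happened, for inspection or testing."""
    log, outcomes = ControlLog(), {}
    entry = create_entry(log, "JE-1", 5000.0, "alice", "INV-1001")
    approve_entry(log, entry, "bob")                    # clerk creates, manager approves
    outcomes["clerk_creates_manager_approves"] = entry.approved_by
    own = create_entry(log, "JE-2", 250000.0, "bob", "memo")
    try:
        approve_entry(log, own, "bob")                  # manager tries to approve own entry
    except SegregationError:
        outcomes["manager_approves_own"] = "denied"
    master = {"CUST-7": 10000.0}
    try:
        update_credit_limit(log, master, "dave", "CUST-7", 999999.0)   # IT staff
    except SegregationError:
        outcomes["it_updates_credit_limit"] = "denied"
    update_credit_limit(log, master, "carol", "CUST-7", 15000.0)       # credit analyst
    outcomes["credit_limit_after"] = master["CUST-7"]
    outcomes["denials_logged"] = len(log.denied)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in approve_entry is deliberately three separate tests so that the log says which control was breached; a single combined condition would tell the reviewer only that something was refused.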
In addition to reviews that involve verification, controls that involve periodic performance reviews serve as an important means of highlighting unexpected variations that should be investigated and, if necessary, corrected. Effective reviews involve relating different sets of data (operating, financial, internal, and external) to one another. These types of reviews are very helpful in highlighting both potential errors and fraud.
For IT systems that group similar transactions together into batches, the use of financial batch totals, hash totals, and record count totals helps increase the accuracy and completeness of input. Batch input controls are described in Table 8-3. For example, the comparison of a record count calculated before data entry of the number of vendor invoices to be entered and the number of vendor invoices processed by the system would help determine if any invoices were omitted or entered more than once during data entry.
Processing controls—controls designed to ensure that data input into the system are accurately and completely processed.
Processing controls prevent and detect errors while transaction data are processed. General controls, especially controls related to systems development and security, provide essential control for minimizing processing errors. Specific application processing controls are often programmed into software to prevent, detect, and correct processing errors. Examples of processing controls are illustrated in Table 8-4.
Output controls—controls designed to ensure that computer-generated data are valid, accurate, complete, and distributed only to authorized people.
Output controls focus on detecting errors after processing is completed, rather than on preventing errors. The most important output control is review of the data for reasonableness by someone knowledgeable about the output. Users can often identify errors because they know the approximate correct amounts. Several common controls for detecting errors in outputs include the following:
• Reconcile computer-produced output to manual control totals.
• Compare the number of units processed to the number of units submitted for processing.
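The batch input controls described above (record count, financial total, hash total) and the output control of reconciling processed output to manual control totals are the same comparison seen from both ends. The Python example below is added here and is not code from the textbook or from any vendor’s system; the vendor numbers and invoice amounts are constructed. It computes the three totals over a batch before data entry, recomputes them from what the system processed, and reports which totals disagree, so it shows which kind of keying error each total is able to catch:

```python
"""Batch input controls: record count, financial total and hash total.

Added illustration; not code from the textbook. The invoices, vendor numbers
and amounts below are constructed sample data.
"""
from decimal import Decimal
from typing import Iterable, List, NamedTuple


class Invoice(NamedTuple):
    vendor_no: int
    invoice_no: str
    amount: Decimal


class BatchTotals(NamedTuple):
    record_count: int          # number of records: catches omissions and duplicates
    financial_total: Decimal   # sum of amounts: catches mis-keyed amounts
    hash_total: int            # sum of vendor numbers: meaningless as a figure, but it
                               # catches a wrong vendor entered with the right amount


def compute_totals(invoices: Iterable[Invoice]) -> BatchTotals:
    """Compute the three control totals over a batch of vendor invoices."""
    batch = list(invoices)
    return BatchTotals(
        record_count=len(batch),
        financial_total=sum((inv.amount for inv in batch), Decimal("0.00")),
        hash_total=sum(inv.vendor_no for inv in batch),
    )


def reconcile(expected: BatchTotals, actual: BatchTotals) -> List[str]:
    """Return the names of the control totals that disagree.

    An empty list means the batch the system processed agrees with the totals
    the clerk computed from the source documents before data entry.
    """
    return [name for name in BatchTotals._fields
            if getattr(expected, name) != getattr(actual, name)]


# Constructed batch of four vendor invoices, as listed from the source documents.
SOURCE_BATCH = [
    Invoice(1017, "A-551", Decimal("1200.00")),
    Invoice(2040, "B-102", Decimal("845.50")),
    Invoice(1017, "A-552", Decimal("310.25")),
    Invoice(3311, "C-009", Decimal("2999.99")),
]
CONTROL_TOTALS = compute_totals(SOURCE_BATCH)   # computed before data entry


def check_entered(entered: Iterable[Invoice]) -> List[str]:
    """Compare what the system processed against the pre-entry control totals."""
    return reconcile(CONTROL_TOTALS, compute_totals(entered))


# Four data-entry failure modes; each returns the totals that flag it.
def scenario_omitted() -> List[str]:
    return check_entered(SOURCE_BATCH[:3])                    # last invoice never keyed


def scenario_duplicated() -> List[str]:
    return check_entered(SOURCE_BATCH + [SOURCE_BATCH[1]])    # one invoice keyed twice


def scenario_mis_keyed_amount() -> List[str]:
    wrong = SOURCE_BATCH[1]._replace(amount=Decimal("854.50"))  # 845.50 transposed
    return check_entered([SOURCE_BATCH[0], wrong] + SOURCE_BATCH[2:])


def scenario_wrong_vendor() -> List[str]:
    wrong = SOURCE_BATCH[1]._replace(vendor_no=2400)            # 2040 transposed
    return check_entered([SOURCE_BATCH[0], wrong] + SOURCE_BATCH[2:])


if __name__ == "__main__":
    print("control totals:", CONTROL_TOTALS)
    for name, scenario in [("omitted", scenario_omitted),
                           ("duplicated", scenario_duplicated),
                           ("mis-keyed amount", scenario_mis_keyed_amount),
                           ("wrong vendor", scenario_wrong_vendor)]:
        print(f"{name:18s} flagged by: {scenario() or 'nothing'}")
```

Amounts are Decimal rather than float so that the financial total is exact to the cent; a float sum could disagree with the clerk’s adding-machine tape by a rounding artefact and raise a false exception. The hash total is the only one of the three that reacts to a transposed vendor number with an unchanged amount, which is why all three are kept.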
CONCEPT CHECK
C8-3 What are control activities? Explain their role in the financial reporting process.
Figure: Application controls (cash receipts application controls, sales application controls, payroll application controls, and other cycle application controls) resting on the general controls over IT systems.
GENERAL CONTROLS
IT Infrastructure: Servers, networks, internet, Wi-Fi, operating system (O/S) and application software, and data interface
Outsourced IT: Use of cloud off-site service providers, software as a service (SaaS), backup and storage
Personal Computing: Business use of mobile devices and laptops; use of spreadsheet files
IT Governance: How the IT function is organized and managed
Source: John White, “How to use COSO to assess IT controls,” Journal of Accountancy, May 1, 2014.
Database management systems—hardware and software systems that allow clients to establish and maintain databases shared by multiple applications.
secure data storage.
Regarding communications with public networks, the organization should have a firewall. A firewall is a system of hardware and software that monitors and controls the flow of e-commerce communications by channelling all network connections through controls that verify external users, grant access to authorized users, deny access to unauthorized users, and direct authorized users to requested programs or data. Firewalls are becoming increasingly sophisticated as the frequency and severity of cyberattacks grow (as highlighted in Auditing in Action 8-3). The firewall should have the following characteristics:
• Hides the structure of the network;
• Provides an audit trail of communication with public parties;
• Generates alarms when suspicious activity is suspected; and
• Defends itself and/or the organization’s network against attack.
Firewall—a system of hardware and software that monitors and controls the flow of e-commerce communications by channelling all network connections through a control gateway.
Backup—copies of systems and data that can be used to bring a failed system back online.
Disaster recovery plan (DRP)—planning for potential information technology disruptions. The purpose of the DRP is to enable the business to continue operations in event of failure of information systems.
Backup and disaster recovery planning enables the organization to continue operations in the event of failure of part or all of its information systems. Something as simple as a hard drive crash can cause enormous problems if a company has not given careful thought to contingency procedures. Power failures, fire, excessive heat or humidity, water damage, or even sabotage can have serious consequences for businesses using IT. To prevent data loss during power outages, many companies rely on battery backups or on-site generators. For more serious disasters, organizations need detailed backup and contingency plans such as off-site storage of critical software and data files or outsourcing to firms that specialize in
Backup and contingency plans should also identify alternative hardware that can be used to process company data. Companies with small IT systems can purchase replacement computers in an emergency and reprocess their accounting records by using backup copies of software and data files. Larger companies often contract with IT data centres that specialize in providing access to off-site computers and data storage and other IT services for use in the event of an IT disaster.
CONCEPT CHECK
C8-4 What are general controls? Explain how they are similar to entity-level controls.
Information and Communication
Accounting information and communication systems—entity systems that are used to initiate, record, process, and report the entity’s transactions, events, and conditions and to maintain accountability for the related assets.
The purpose of an entity’s accounting information and communication systems is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets. The system includes the entity’s business processes as well as the accounting system (accounting software, electronic spreadsheets, and the policies and procedures to prepare periodic financial reports and period-end financial statements).
Figure 8-5 summarizes the inputs, processes, and outputs of the accounting information system.
Figure 8-5 The Accounting Information System
Source: This chart is an extract from Guide to Using International Standards on Auditing in the Audits of Small and Medium-Sized Entities of the Small and Medium Practices (SMP) Committee published by the International Federation of Accountants (IFAC) in 2010. Reproduced with permission of IFAC. All rights reserved. Contact Permissions@ifac.org for permission to reproduce, store or transmit, or to make other similar uses of these extracts.
As Figure 8-5 highlights, controls over the accounting systems are distinct from the business processes, and include controls over the following: (1) the transfer of business process information to the general ledger; (2) the capture of relevant events/conditions, such as amortization, valuation of inventory and accounts receivable, and other estimates that are not transaction based; (3) journal entries; and (4) the accumulation and summation of other information that must be disclosed in the financial statements. As mentioned in our earlier discussion of control activities, an important control is the chart of accounts, which lists and classifies transactions into individual balance sheet and income statement accounts.
CONCEPT CHECK
C8-5 What are the accounting information and communication controls? How are they distinct
from business process controls?
Monitoring
Monitoring—management’s ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating as intended and modified when needed.
Monitoring activities deal with ongoing or periodic assessment of the quality of internal control performance to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring also requires that deficiencies in internal control are reported and appropriate remedial action is taken.
Principle 16: Selects, Develops, and Performs Ongoing and Separate Evaluations
Monitoring should include evaluation built into business/financial reporting and performed on a real-time basis (ongoing), as well as separate periodic evaluations. Information for assessment and modification comes from a variety of sources, including studies of existing internal controls, internal auditor reports, exception reporting on control activities, reports by regulators (such as, in the case of financial institutions, the Office of the Superintendent of Financial Institutions), feedback from operating personnel, and complaints from customers about billing charges.
For many companies, especially larger ones, a competent internal audit department is essential for effective monitoring of internal controls, and the department often performs the periodic reviews. For an internal audit function to be effective, it is important that the internal audit staff be independent of both the operating and accounting departments, and that it report directly to a high level of authority within the organization, usually the audit committee of the board of directors.
CONCEPT CHECK
C8-6 How is management’s risk assessment relevant to the audit?
C8-7 What is the role of monitoring to support internal controls?
UNDERSTANDING CONTROLS OF SMALL BUSINESSES
LO 4 Understand the important risks and controls in small businesses.
Regardless of the size of the organization, the auditor is required to obtain an understanding of internal controls. However, the size of a company does have a significant effect on the nature of internal control activities and the specific monitoring controls. It is often difficult for a small business to establish adequate separation of duties. Further, the entity is unlikely to have in-house expertise in systems and would place more reliance on software and hardware suppliers for system support and maintenance. Passwords may be in use but in simple form (for example, accounting personnel may have a single password that allows access to all systems and functions). Note that this would be a significant control deficiency.
While it is difficult for a small company to formalize all its policies, it is certainly possible for a small company to implement some practical controls, such as a culture that values ethics; competent, trustworthy personnel with clear lines of authority; proper procedures for authorization, execution, and recording of transactions; adequate documents, records, and reports; physical controls over assets and records; and, to a limited degree, checks on performance.
A major control available in a small company is the knowledge and concern of the top operating person, who is frequently an owner–manager. Having knowledge about and a personal interest in the organization and a close relationship with personnel (often called “executive controls”), the owner–manager can carefully evaluate the competence of the employees and the effectiveness of the overall systems. An important owner–manager control is monitoring revenues and expenditures against an established budget and other important performance indicators. Internal control can also be significantly strengthened if the owner conscientiously performs such duties as signing all cheques after carefully reviewing supporting documents, reviewing bank reconciliations, examining accounts receivable statements sent to customers, approving credit, examining all correspondence from customers and vendors, and approving the write-off of bad debts.
CONCEPT CHECK
C8-8 What is the key internal control risk at a small business, and how can a small
business owner deal with it?
SUMMARY
This chapter focused on internal controls, including internal controls related to computer-based information systems, and the COSO framework. We use this framework as a basis for discussing the auditor’s responsibilities related to internal controls in the next chapter. To rely on a client’s internal controls to reduce planned audit evidence for audits of financial statements, the auditor must first obtain an understanding of each of the five components of internal control. Knowledge about the design of the client’s control environment, risk assessment, control activities, information and communication, and monitoring activities, and the auditors’ evaluation of whether internal control components are effective lays the foundation of the auditor’s assessment of control risk at the financial statement level and at the assertion level.