
Lecture 8

Internal Control & Control risk

Adapted from 2014 Pearson Education


Learning Objectives

• Internal control objectives
• Management & auditor responsibilities for internal control
• COSO components of internal control
• Obtain & document understanding of internal control
• Assess control risk
• Test of controls

Internal Control Objectives

Management has three broad objectives in designing an effective internal control system:

• Reliability of financial reporting
• Compliance with laws and regulations
• Efficiency/effectiveness of operations

Contrast management’s responsibilities for maintaining and reporting on internal controls with the auditor’s responsibilities for understanding, testing, and reporting on internal control.

Management’s Responsibilities for Establishing Internal Control

• Management must establish and maintain the entity’s internal controls
• Management’s design and implementation of internal controls is based on two key underlying concepts:
  • Reasonable assurance
  • Inherent limitations

Management’s Assessment of Internal Controls

• Management must evaluate the design of internal controls over financial reporting.
• Management must also test the operating effectiveness of those controls.

Auditor Responsibilities for Understanding Internal Control

• Must assess control risk in every audit
• Primarily concerned about controls over:
  • reliability of financial reporting
  • classes of transactions

Auditor Responsibilities for Reporting on Internal Control

• Obtains understanding of controls
• Performs tests of controls:
  • significant account balances
  • classes of transactions
  • disclosures and related financial statement assertions

Five Components of Internal Control

FIGURE 11-3 Five Components of Internal Control: Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring

The five underlying principles related to the control environment include a commitment to integrity and ethical values; an independent board of directors that is responsible for oversight of internal controls; establishing appropriate structures and reporting lines; a commitment to attracting, developing, and retaining competent personnel; and holding individuals accountable for internal control responsibilities. To understand and assess the control environment, auditors should consider these important control subcomponents.

Integrity and Ethical Values: Integrity and ethical values are the product of the entity’s ethical and behavioral standards, as well as how they are communicated and reinforced in practice. They include management’s actions to remove or reduce incentives and

The Control Environment

• Integrity and ethical values
• Board of directors or audit committee participation
• Organizational structure
• Commitment to competence
• Accountability

Risk Assessment

• Identify factors that may increase risk
• Estimate the significance of the risk
• Assess the likelihood of the risk occurring
• Determine actions necessary to manage the risk

Control Activities

• Adequate separation of duties
• Proper authorization of transactions and activities
• Adequate documents and records
• Physical control over assets and records
• Independent checks on performance

Adequate Separation of Duties

• Custody of assets from accounting
• Authorization of transactions from the custody of related assets
• Operational responsibility from record-keeping responsibility
• IT duties from user departments

Proper Authorization of Transactions and Activities

Transaction approval policies:

• General authorization
• Specific authorization

Adequate Documents and Records

• Prenumbered consecutively
• Prepared at the time of transaction
• Designed for multiple use
• Constructed to encourage correct preparation

Physical Control Over Assets & Records

The most important type of protective measure for safeguarding assets and records is the use of physical precautions.

Independent Checks on Performance

The need for independent checks arises because internal control tends to change over time, unless there is frequent review.

Information and Communication

The purpose of an accounting information and communication system:

• Initiate, record, process, and report transactions
• Maintain accountability for related assets

Monitoring

Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance… to determine whether controls are operating as intended and modified when needed.

Lec 10: Part 2

Process for Understanding Internal Control and Assessing Control Risk

required for an audit of only the financial statements. Figure 12-1 provides an overview of the process of understanding internal control and assessing control risk. The figure shows that there are four steps in the process. Each of these four steps is discussed in this chapter.

FIGURE 12-1 Process for Understanding Internal Control and Assessing Control Risk

Step 1: Obtain and document understanding of internal control design and operation
Step 2: Assess control risk
Step 3: Design, perform, and evaluate tests of controls
Step 4: Decide planned detection risk and substantive tests

Obtain and Document Understanding of Internal Control

Auditing standards require auditors to obtain an understanding of internal control for every audit.

Procedures to obtain an understanding:

• Inspection
• Inquiry of entity personnel
• Observation of employees
• Reperformance

Understanding design of internal control

• Narrative
• Flowchart
• Internal control questionnaire

Narrative

• The origin of every document and record in the system
• All processing that takes place
• The disposition of every document and record in the system
• An indication of the controls relevant to the assessment of control risk

Flowchart & Internal control questionnaire

• Flowchart is a diagram of the client’s documents and their sequential flow in the organization
• Flowchart provides overview of the system
• Questionnaire is a checklist of specific internal controls

Evaluating Internal Control Operation

• Update and evaluate auditor’s previous experience with the entity
• Make inquiries of client personnel
• Examine documents and records
• Observe entity activities and operations
• Perform walk-throughs of the accounting system

Assess Control Risk

• Assess whether the financial statements are auditable.
• Determine assessed control risk supported by the understanding obtained.
• Use a control risk matrix to assess control risk.

Control Risk Matrix

Many auditors use the control risk matrix to assist in the control risk assessment process at the transaction level.

• Identify audit objectives
• Identify existing controls
• Associate controls with related audit objectives
• Identify and evaluate
  • control deficiencies
  • significant deficiencies
  • and material weaknesses

5. Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements.

FIGURE 12-4 Evaluating Significant Control Deficiencies (axes: SIGNIFICANCE, Immaterial to Material; LIKELIHOOD, Remote to Reasonably Possible; labeled region: Material Weakness)

Source: Michael Ramos, “Section 404 Compliance in the Annual Report,” Journal of Accountancy, October 2004, pp. 43–48. Copyright by American Institute of CPAs. All rights reserved. Used with permission.

Identify Deficiencies and Material Weaknesses

• Identify existing controls
• Identify the absence of key controls
• Consider the possibility of compensating controls
• Decide whether there is a significant deficiency or material weakness
• Determine potential misstatements that could result

Tests of Controls

• The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.

Procedures for Tests of Controls

• Inquire of client personnel
• Examine documents, records, reports
• Reperform client procedures
• Observe control-related activities

Extent of Procedures

• Reliance on evidence from prior year’s audit
• Testing of controls related to significant risks
• Testing less than the entire audit period

Relationship of Assessed Control Risk and Extent of Procedures

TABLE 12-1 Relationship of Assessed Control Risk and Extent of Procedures

| Type of Procedure | Assessed Control Risk, High Level: Procedures to Obtain an Understanding | Assessed Control Risk, Lower Level: Tests of Controls* |
|---|---|---|
| Inquiry | Yes—extensive | Yes—some |
| Inspection | Yes—with transaction walkthrough | Yes—using sampling |
| Observation | Yes—with transaction walkthrough | Yes—at multiple times |
| Reperformance | No | Yes—using sampling or audit software |

*Note: In an integrated audit for a public company, the auditor will likely combine procedures to obtain an understanding with tests of controls and perform them simultaneously.

The determination of the appropriate sample size for tests of controls is an important audit decision. That topic is covered in Chapter 15.

Understanding Internal Controls in Outsourced Systems When clients use a ser-


Decide Planned Detection Risk and Design Substantive Tests

[Diagram labels: Control risk assessment process; Tests of controls; results; Control risk assessments; Balance related audit objectives; Planned detection risk; Related substantive tests]

Reporting on Internal Control

• Communications to those charged with governance
• Management letters
