Two of the most important elements of internal control that candidates need to
understand are the segregation of duties and the components of internal control.
Corporate governance is also concerned with the ‘agency problem’. The agency problem arises
because the owners of a corporation (the shareholders) and its managers (the shareholders’
agents) are different people.
Corporate governance specifies the distribution of rights and responsibilities among the
various parties with conflicting priorities and concerns, in an effort to mitigate the ‘agency
problem’ and bring the goals of the agents into line with the goals of the shareholders,
for example by tying managers’ bonuses to increases in the share price.
Corporate governance does not exist as a set of distinct and separate processes and
structures. It is interconnected with the company’s internal control and enterprise risk
management.
The internal audit activity serves as the “eyes and ears” of management and the audit
committee and thus has an important role in the governance function of the organization.
A corporation is ordinarily treated as a legal person with rights and obligations separate from
those of its owners and managers.
Corporations are governed by shareholders (owners), who elect a board of directors and
approve fundamental changes in the corporate structure.
Directors establish corporate policies, adopt bylaws, and elect or appoint corporate officers,
who carry out the policies in the day-to-day management of the organization.
Incorporation may be in any state. Articles of incorporation must be filed with the secretary
of state or another designated official. The articles must state:
The corporation’s name (which must differ from the name of any corporation authorized to do
business in the state)
The number of authorized shares of stock
The street address of the corporation’s initial registered office
The name of the registered agent at that office
The name and address of each incorporator
Bylaws govern the internal structure and operation of the corporation
Initial bylaws are adopted by the incorporators or the board
They may contain any provision for managing the business and regulating the
entity’s affairs that does not conflict with the law or the articles
Governance has two major components:
Strategic direction – the board is the source of the organization’s overall direction
Oversight – the board holds ultimate responsibility for oversight
The board’s audit committee is responsible for promoting the independence of the external and
internal auditors and for making sure they are not unduly influenced by management.
Management performs the day-to-day management function and also the risk management function,
by evaluating and monitoring risks and, if needed, by creating a risk committee.
Audit approaches:
Substantive procedures (bottom-up): a bottom-up approach is not risk based and
views all controls equally; it therefore tests a large number of controls instead of
focusing on high-risk controls, processes, and transactions.
Balance sheet approach: substantive procedures are performed on balance sheet
accounts, with only limited procedures applied.
Systems-based: auditors assess the effectiveness of the internal controls and then
perform substantive procedures primarily on the accounts that are least likely to meet
the system’s objectives.
Risk-based (top-down): the audit concentrates on the appropriate financial statement
assertions based on the auditor’s assessment of the risk of material misstatement. Auditors
identify the key day-to-day risks faced by the business, consider the effect these risks could
have on the financial statements, and plan their audit procedures accordingly.
Audit opinions: an external auditor may express four types of opinion in audit
reports on financial statements (unmodified/unqualified, qualified, adverse, and a disclaimer
of opinion).
Every organization faces risks, that is, unforeseen obstacles to the pursuit of its objectives.
Risks take many forms and can originate from inside or outside the organization.
All systems of internal control involve tradeoffs between cost and benefit. For this reason,
no system of internal control can be said to be “100% effective.” Organizations accept the
fact that risk can only be mitigated, not eliminated.
Risk management is the ongoing process of designing and operating internal controls that
mitigate the risks identified in the organization’s risk assessment.
Risk can be quantified as a combination of two factors: the severity of consequences and the
likelihood of occurrence. The expected value of a loss due to a risk exposure can thus be
stated numerically as the product of the two factors.
In the audit risk model, audit risk is defined as the risk that an auditor may express an
inappropriate opinion on materially misstated financial statements. The model may be
adapted to the system of internal control as follows:
1) Inherent risk (IR) is the susceptibility of one of the company’s objectives to obstacles
arising from the nature of the objective, assuming no related internal controls. For example,
a uranium mine is inherently riskier than a shopping mall.
2) Control risk (CR) is the risk that the controls put in place will fail to prevent an obstacle
from interfering with the achievement of the objective. For example, a policy requiring two
approvals for expenditures over a certain dollar amount could be bypassed by collusion.
3) Detection risk (DR) is the risk that an obstacle to an objective will not be detected before
a loss has occurred. For example, an embezzlement that continues for a year before
detection is much costlier than one that is discovered after 1 month.
4) Total audit risk (TR) may thus be stated as follows: TR = IR × CR × DR
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in
1985 to guide efforts to articulate and improve accounting controls.
The COSO Internal Control Framework helps companies visualize three dimensions of internal
control. The three dimensions of internal control are:
3 – Where to have internal controls (different parts of the organization require different
controls, so companies should consider appropriate controls at each level of the
organization)
Flowcharting symbols represent process end points (terminators) and connectors, processes,
and inputs and outputs. Flowcharts may be vertical (top to bottom) or horizontal (a system
flowchart, showing activities and documents flowing back and forth between departments).
PCAOB approach:
One of the requirements of the Sarbanes-Oxley Act is that the annual financial
statement audit also address the firm’s system of internal control over financial
reporting.
The PCAOB standard “An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements” provides guidance when these two audits
are integrated.
The standard requires the external auditor to express an opinion on both the system of internal
control over financial reporting and the fair presentation of the financial statements.
The auditor should use a top-down (risk-based) approach to audit internal control
over financial reporting. Under the top-down approach, the auditor begins at the
financial statement level, focusing on entity-level controls, and then works down to
significant accounts and disclosures and their relevant assertions.
Auditors have to focus on the existence of material weaknesses in internal control.
Internal Control – System Controls and Security Measures
An evaluation and reward system that encourages compliance with the control system
Types of controls
Primary controls:
Preventive control – stops problems before they occur, e.g., storing petty cash in a safe
Detective control – alerts after a problem has occurred, e.g., installing an alarm
Corrective control – corrects the negative effect of a problem, e.g., isolating and removing a virus
Directive control – encourages or causes the occurrence of a desirable event
Secondary controls:
Compensatory (mitigative) control – reduces risk when a primary control has not worked
Complementary control – works together with other controls to reduce risk
Time-based:
Feedback – control applied after an activity is complete, to improve future performance, e.g., inspection of
completed goods
Concurrent – ongoing control while the activity is in progress
Feedforward – anticipates and prevents problems, e.g., a long-term perspective,
organizational policies and procedures
Control activities should address the three objectives of information security:
Availability
Confidentiality
Integrity
Effective system development requires setting priorities, which is achieved through a steering
committee composed of both IT and end-user functions.
Controls apply during the development, design, and implementation of a system. Only
programmers should be allowed to perform programming duties (neither systems analysts nor
operators).
Operators should not have custody of files; only the librarian should.
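As an added illustration, not from the original notes, the two duty rules above can be encoded as a segregation-of-duties check run against role assignments. The role names, the incompatible-pair matrix beyond the two rules stated above, and the sample user list are assumptions constructed for this example:

```python
# Added example: segregation-of-duties (SoD) check for IT roles.
# Encodes the rules above (programming only by programmers; file custody
# only with the librarian) plus an assumed matrix of incompatible role
# pairs. The user assignments are constructed sample data, not real.
from itertools import combinations

# Role pairs one person must not hold together. Assumed matrix: the
# programmer/operator and operator/librarian rows follow from the rules above.
INCOMPATIBLE_ROLES = {
    frozenset({"programmer", "operator"}),         # writes code and runs it in production
    frozenset({"systems_analyst", "programmer"}),  # designs and codes the same system
    frozenset({"operator", "librarian"}),          # runs jobs and has custody of the files
    frozenset({"programmer", "librarian"}),        # changes programs and controls the library
}

# Duties reserved to a single role (from the rules above).
EXCLUSIVE_DUTIES = {
    "programming": "programmer",
    "file_custody": "librarian",
}

# Constructed sample: user -> roles held and duties actually exercised.
SAMPLE_USERS = {
    "alice": {"roles": {"programmer"}, "duties": {"programming"}},
    "bob":   {"roles": {"operator", "librarian"}, "duties": {"file_custody"}},
    "carol": {"roles": {"systems_analyst"}, "duties": {"programming"}},
    "dave":  {"roles": {"operator"}, "duties": set()},
}


def sod_violations(users):
    """Return sorted (user, finding) pairs for every SoD conflict.

    Two kinds of finding are produced: a user holding two incompatible
    roles, and a user exercising a duty reserved to a role they do not hold.
    """
    findings = []
    for user, info in users.items():
        roles = set(info["roles"])
        # Every pair of roles the user holds is checked against the matrix.
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in INCOMPATIBLE_ROLES:
                findings.append((user, f"incompatible roles: {a} + {b}"))
        # A duty exercised without its owning role is a violation even if
        # the user's role set itself contains no incompatible pair.
        for duty in sorted(info["duties"]):
            owner = EXCLUSIVE_DUTIES.get(duty)
            if owner is not None and owner not in roles:
                findings.append((user, f"{duty} performed without {owner} role"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in sod_violations(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

On the sample data the check flags bob (operator who also holds the librarian role, so he has custody of the files he processes) and carol (a systems analyst doing programming). Where a small team cannot separate the roles, each finding is the trigger for a compensating control of the kind listed earlier, such as independent review of program changes.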
Physical controls:
Access controls: passwords and ID numbers, system access logs, encryption, call-back
procedures, automatic log-off, biometric technology
Environmental controls: the facility should have proper cooling and heating systems and a fire
suppression system
Logical controls:
Processing controls – ensure that all data submitted for processing is processed and that only
approved data is processed, by means of validation, arithmetic checks, and sequence checks
Output controls – assurance that processing was complete and accurate; an audit trail and
an error listing should be produced and reviewed
Auditing around the computer – checking data manually and comparing the result with the
computer-processed result
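As an added example (not code from the original notes), the processing and output controls above can be run over a small constructed batch of journal entries: validation of each field, an arithmetic check of the batch against the submitter’s control totals (the same independent recomputation an auditor performs when auditing around the computer), a sequence check on document numbers, and an output stage that produces an error listing and an audit trail. The record layout, the control-total fields, the valid account range and the sample batch are all assumptions made for this illustration:

```python
# Added example: batch processing and output controls over constructed data.
# Processing controls: field validation, arithmetic check against control
# totals, sequence check on document numbers. Output controls: error listing
# and audit trail. Layout, control totals and the sample batch are assumptions.
from datetime import date

VALID_ACCOUNTS = range(3000, 4000)   # assumed chart-of-accounts range

# Constructed batch header: control totals prepared by the submitting
# department before the batch was sent for processing.
BATCH_HEADER = {"batch_id": "B-1001", "record_count": 5,
                "amount_total": 1470.00, "account_hash_total": 15000}

# Constructed detail records (the hash total above was miskeyed: it should be 15005).
BATCH_RECORDS = [
    {"doc_no": 2001, "account": 3001, "amount": 250.00, "date": "2024-03-01"},
    {"doc_no": 2002, "account": 3002, "amount": 120.50, "date": "2024-03-01"},
    {"doc_no": 2003, "account": 3003, "amount": -40.00, "date": "2024-03-01"},  # negative amount
    {"doc_no": 2005, "account": 3004, "amount": 999.50, "date": "2024-03-02"},  # doc 2004 missing
    {"doc_no": 2005, "account": 2995, "amount": 140.00, "date": "2024-02-30"},  # duplicate, bad account, bad date
]


def validate_record(rec):
    """Validation check: return the list of field errors for one record."""
    errors = []
    if rec["account"] not in VALID_ACCOUNTS:
        errors.append("account out of range")
    if rec["amount"] <= 0:
        errors.append("amount must be positive")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("invalid date")
    return errors


def arithmetic_check(header, records):
    """Arithmetic check: recompute the control totals independently of the
    submitter and report every total that disagrees with the header."""
    computed = {
        "record_count": len(records),
        "amount_total": round(sum(r["amount"] for r in records), 2),
        "account_hash_total": sum(r["account"] for r in records),
    }
    return [f"{k}: header {header[k]}, computed {computed[k]}"
            for k in computed if computed[k] != header[k]]


def sequence_check(records):
    """Sequence check: document numbers must be ascending and contiguous.
    Returns (index, message, reject) triples. A gap is reported against the
    record that follows it but does not reject that record; duplicates and
    out-of-order numbers do reject the record carrying them."""
    findings, seen, expected = [], set(), None
    for idx, r in enumerate(records):
        n = r["doc_no"]
        if n in seen:
            findings.append((idx, f"duplicate document number {n}", True))
        elif expected is not None and n > expected:
            findings.append((idx, f"gap before {n}: expected {expected}", False))
        elif expected is not None and n < expected:
            findings.append((idx, f"out of order: {n} after {expected - 1}", True))
        seen.add(n)
        expected = n + 1 if expected is None else max(expected, n) + 1
    return findings


def process_batch(header, records):
    """Run the processing controls, post clean records, and return the output
    control artefacts: status, posted records, error listing and audit trail."""
    batch = header["batch_id"]
    error_listing, audit_trail, posted, rejected = [], [], [], {}
    total_errors = arithmetic_check(header, records)
    error_listing += [f"{batch}: control total mismatch, {e}" for e in total_errors]
    for idx, msg, reject in sequence_check(records):
        error_listing.append(f"{batch} record {idx + 1}: sequence check, {msg}")
        if reject:
            rejected.setdefault(idx, []).append(msg)
    for idx, r in enumerate(records):
        for msg in validate_record(r):
            error_listing.append(f"{batch} record {idx + 1}: validation, {msg}")
            rejected.setdefault(idx, []).append(msg)
    if total_errors:
        # Totals disagree: records were lost, added or altered between the
        # submitter and the system, so the whole batch is held, not partly posted.
        audit_trail.append(f"{batch} HELD: control totals disagree, nothing posted")
        return {"status": "HELD", "posted": [], "error_listing": error_listing,
                "audit_trail": audit_trail}
    for idx, r in enumerate(records):
        if idx in rejected:
            audit_trail.append(f"{batch} record {idx + 1} doc {r['doc_no']} REJECTED: "
                               + "; ".join(rejected[idx]))
        else:
            posted.append(r)
            audit_trail.append(f"{batch} record {idx + 1} doc {r['doc_no']} POSTED "
                               f"{r['amount']:.2f} to account {r['account']}")
    audit_trail.append(f"{batch} COMPLETE: {len(posted)} posted, {len(rejected)} rejected")
    return {"status": "POSTED", "posted": posted, "error_listing": error_listing,
            "audit_trail": audit_trail}


if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH_RECORDS)
    print(result["status"])
    print(*result["error_listing"], sep="\n")
    print(*result["audit_trail"], sep="\n")
```

The sample batch is built so that the checks are complementary rather than redundant: the amount total agrees with the header even though one record is negative, so the arithmetic check alone would not catch it, while the miskeyed hash total holds the whole batch until the submitter corrects it. Once the header is corrected, the individual validation and sequence findings reject only the records that carry them and the rest post, with every decision recorded in the audit trail and the error listing returned for review.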
Storage controls:
Cloud computing – lower infrastructure cost is its advantage; reduced control over data and
infrastructure is its disadvantage
Firewalls :