Chapter 10

Section 404 Audits of Internal

Control and Control Risk
Internal Control

Risk

Internal Control

Presentation Outline
I. An Overview of Internal Control
II. The Components of Internal Control
III. Process for Understanding Internal
Control and Assessing Control Risk
IV. Communications with the Audit
Committee and Management

I. An Overview of Internal
Control
A. Internal Control Defined
B. Reasonable Assurance
C. Section 404 Reporting Requirements for
Management
D. Key Components of Managements
Assessment of Internal Control
E. Auditor Responsibilities for
Understanding Internal Control

A. Internal Control Defined

An entitys system of internal control consists of
policies and procedures designed to provide
management with reasonable assurance that the
company achieves its objectives and goals
including:
Reliability of financial reporting
Compliance with applicable laws and regulations
Effectiveness and efficiency of operations

B. Reasonable Assurance
Code the
missing cash
to bad debts.

Collusion

Reasonable assurance
involves two
considerations:
The cost of the entitys
internal control should
not exceed the
expected benefits.
Limitations exist in
any entitys internal
control.

C. Section 404 Reporting Requirements for

Management

Section 404 of Sarbanes-Oxley requires the management of

public companies to issue an internal control report that
includes:
A statement that management is responsible for establishing
and maintaining an adequate internal control structure and
procedures for financial reporting.
An assessment of the effectiveness of the internal control
structure and procedures for financial reporting as of the end
of the companys fiscal year.

D. Key Components of Managements Assessment

of Internal Control
Management must
evaluate the design of
internal control over
financial reporting.
Management must test
the operating
effectiveness of those
controls.

E. Auditor Responsibilities for

Understanding Internal Control
Public and private companies A sufficient understanding of internal
control is to be obtained to plan the audit and to determine the nature,
timing, and extent of tests to be performed. (2nd standard of
fieldwork)
Public companies Section 404 requires effort beyond that stated
above so that the auditor can provide a report on internal controls that
contains the following two opinions:
Whether managements assessment of the effectiveness of internal control over
financial reporting as of the end of the fiscal period is fairly stated in all material
respects.
Whether the company maintained, in all material respects, effective internal
control over financial reporting as of the specified date.

II. The Components of Internal

Control
The internal control framework for most U.S. companies is the
Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Internal ControlIntegrated
Framework, issued in 1992.

A. The Control Environment

B. Risk Assessment
C. Control Activities
D. Information and Communication
E. Monitoring

A. The Control Environment

The control environment is concerned with the
actions, policies, and procedures that reflect the
overall attitude of the clients top management,
directors, and owners of an entity about internal
control and its importance.
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Managements philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices

1. Integrity and Ethical Values

Management actions
to remove incentives
that prompt a person
to behave improperly.
Communication of
behavioral standards
by codes of conduct
and example.

2. Commitment to Competence
Managements
consideration of the
competence levels for
specific jobs and how
those translate into
requisite skills and
knowledge.

3. Board of Directors and Audit

Committee
Board delegates responsibility
for internal control to
management and is charged
with regular independent
assessments of managementestablished internal control.
The major stock exchanges
require listed companies to have
an audit committee composed of
entirely independent directors
who are financially literate.

4. Managements Philosophy and

Operating Style

Management, through its activities, provides clear

signals to employees about the importance of internal
control. For example, are sales and earnings targets
unrealistic, and are employees encouraged to take
aggressive actions to meet those targets.

5. Organizational Structure
Understanding the
clients organizational
structure provides the
auditor with an
understanding of how
the clients business
functions and
implements controls.

6. Assignment of Authority and

Responsibility
Formal methods of
communication including:
Top management
memoranda concerning
internal control
Organizational operating
plans
Employee job descriptions

Em
pl
De J oy
sc ob ee
ri p
tio
ns

7. Human Resource Policies and

Practices
If employees are honest
and trustworthy, other
controls can be absent and
reliable financial
statements will still result.
Methods by which persons
are hired, trained,
promoted, and
compensated are important
elements of internal
control.

B. Risk Assessment

Client managements identification and analysis of

risks relevant to the preparation of the financial
statements in accordance with GAAP.
1. Client Managements Risk Assessment
2. Auditor Risk Assessment

1. Client Managements Risk Assessment

Client management assesses risk as part of designing and

operating internal controls to minimize errors and fraud.
Three steps involve:
i. Identify factors that may increase risk
ii. Determine significance of risk and likelihood of
occurrence
iii. Develop specific actions to reduce risk to an acceptable
level.

2. Auditor Risk Assessment

The auditor obtains knowledge
about managements risk
assessment process by:
Determining how management
identifies risks relevant to
financial reporting
Evaluating their significance and
likelihood of occurrence
Deciding the actions needed to
address the risks.

C. Control Activities

Policies and procedures that client management has

established to meet its objectives for financial
reporting.
1. Adequate segregation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

1. Adequate Segregation of
Duties
Separation of the
functions of
authorization,
recordkeeping, and
custody.
Separating IT duties
from User
Departments

2. Proper Authorization of
Transactions and Activities
General authorization
is permissible for
routine events for
which there are
policies to follow.
For some transactions
specific authorization
is needed on a caseby-case basis.

3. Adequate Documents and

Records
Prenumbered
consecutive documents
so missing items are
noticed
Prepared as near to
transaction time as
possible
Good design with
instructions and
appropriate spaces

4. Physical Control Over Assets

and Records
Deterrents to prevent
physical access.
Access controls to
prevent getting into
computer system.
Backup and recovery
procedures

Incorrect
Password

5. Independent Checks on
Performance

Personnel are likely to

forget or intentionally
fail to follow
procedures, or they
may become careless
unless someone
observes and evaluates
their performance.

D. Information and Communication

Methods used to initiate, record, process, and report an
entitys transactions and to maintain accountability
for related assets.
For a small company with active involvement by the
owner, a simple computerized accounting system that
involves one honest, competent accountant may
provide an adequate accounting system.
A larger company requires a more complex system
that includes carefully defined responsibilities and
written procedures.

E. Monitoring
Client managements ongoing and periodic assessment
of the quality of internal control performance to
determine whether controls are operating as intended
and modified when needed.
For many companies, especially larger ones, an
internal audit department is essential for effective
monitoring.
To maintain internal audit independence, it is
imperative that they be independent of operating and
accounting departments; and that they report to a high
level of authority, preferably the audit committee of
the board of directors.

III. Process for Understanding Internal

Control and Assessing Control Risk
A. Phase 1: Obtain and Document
Understanding of Internal Control: Design
and Operation
B. Phase 2: Assess Control Risk
C. Phase 3: Design, Perform, and Evaluate
Tests of Controls
D. Phase 4: Decide Planned Detection Risk
and Substantive Tests

A. Phase 1: Obtain and Document

Understanding of Internal Control
Three methods commonly used by auditors to obtain and
document their understanding of the design of internal
control are narratives, flowcharts, and internal control
questionnaires (see Figure 10-4 on p. 286).
The auditor must also evaluate whether the designed
controls are actually placed in operation.
PCAOB Standard 2 requires the auditor to perform at least
one walkthrough for each major class of transactions. In a
walkthrough, the auditor selects one or a few documents for
the initiation of a transaction type and traces them through
the entire accounting process.

B. Phase 2: Assess Control Risk

Two specific assessments must be
made to arrive at the
preliminary assessment:
The first assessment is whether
the entity is auditable. This is
determined by considering the
integrity of management and the
adequacy of the accounting
records.
Determine assessed control risk
supported by the understanding
obtained assuming the controls
are being followed.

C. Phase 3: Design, Perform, and Evaluate

Tests of Controls

If the results of tests of controls support the design and

operating of controls as expected, the auditor uses the
same assessed control risk as the preliminary assessment.
Otherwise, assessed control risk must be reconsidered.
If the auditor wants a lower assessed control risk, more
extensive tests of controls are applied.
PCAOB Standard 2 requires the auditor to determine
whether controls are operating effectively at year end.
The auditor may test at an interim date and later determine
if changes have occurred.

D. Phase 4: Decide Planned

Detection Risk and Substantive Tests
The greater the
control risk (weak
internal controls) the
lower the detection
risk the auditor can
accept.
To lower detection
risk, the auditor
performs more
substantive testing.

IV. Communications with the Audit

Committee and Management
As part of understanding internal control and assessing
control risk, the auditor is required to communicate
certain matters to the audit committee:
Significant deficiencies and material weaknesses must be
communicated in writing to the audit committee as a part
of every audit. Timely communication may help
management in correcting the problem before their yearend report on internal control.
Less significant internal-control matters and
recommendations for operational improvements may be
communicated through a management letter. Although
such letters are not required by auditing standards, they
are often provided as a value-added service of the audit.

Summary
1.
2.
3.
4.

Internal control defined

Management and auditor responsibilities
The most prevalent internal control framework
Phases of understanding and assessing control
risk
5. Communication of internal control matters
Risk