[Diagram: Audit report, Conclusion, Evidence, Procedures, Planning]
Audit planning
Understanding the entity and its environment
Risk assessment
Materiality
Preliminary analytics
Audit procedures
Tests of control
Substantive procedures
Substantive Analytics
Substantive Tests of detail
Audit approach
[Diagram labels: Planning; Weak, Strong; Tests of control; Substantive procedures; Extensive, Reduced]
INTERNAL CONTROLS
What is internal control?
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Common day questions – Internal Control
[Diagram: components of internal control: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
1. Control environment
Foundation for all other components of internal control.
Pervasive influence on all the decisions and activities of an organization.
Effective organizations set a positive “tone at the top”.
Factors include the integrity, ethical values and competence of employees, and management’s philosophy & operating style.
Examples of soft controls:
Management philosophy
Organizational structure
Communication
Competency of employees
2. Risk assessment
Risks are internal & external events (economic conditions, staffing changes, new systems, regulatory changes, natural disasters, etc.) that threaten the accomplishment of objectives.
Risk assessment is the process of identifying, evaluating, and deciding how to manage these events… What is the likelihood of the event occurring? What would be the impact if it were to occur? What can we do to prevent or reduce the risk?
3. Control activities
Tools (policies, procedures, processes) designed and implemented to help ensure that management directives are carried out.
Help prevent or reduce the risks that can impede the accomplishment of objectives.
Occur throughout the organization, at all levels, and in all functions.
Include training, approvals, authorizations, verifications, reconciliations, security of assets, reviews of operating performance, and segregation of duties.
Types of Controls
Preventative
Detective
4. Information & Communication
Pertinent information must be captured, identified and communicated on a timely basis.
Effective information and communication systems enable the organization’s people to exchange the information needed to conduct, manage, and control its operations.
5. Monitoring
Internal control systems must be monitored to assess their effectiveness… Are they operating as intended?
Ongoing monitoring is necessary to react dynamically to changing conditions… Have controls become outdated, redundant, or obsolete?
Monitoring occurs in the course of everyday operations; it includes regular management & supervisory activities and other actions personnel take in performing their duties.
Periodic testing can be done by the process owner, internal audit and external audit.
Key control activities
1. Segregation of duties
2. Documentation
3. Authorization and approvals
4. Security of assets
5. Reconciliation and review
1. Segregation of duties
Divide responsibilities between different employees so one individual doesn’t control all aspects of a transaction.
Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.
2. Documentation
Document & preserve evidence to substantiate:
Critical decisions and significant
Develop yourself!!!
Payroll system
Inventory System
Cash system
IT related controls
Employees with access to computer systems have an established need for the access.
Passwords are secure and not shared.
Procedures are in place to prevent unauthorized use or transmission of information.
Access to the system is removed in a timely manner for terminated or transferred faculty and staff.
Computers located in heavily traveled public areas have a screen saver with password activation invoked.
Each computer software package is licensed for the current user.
Computer files are backed up on a regular basis. Backup data is stored in a location away from the originals.
The department has sufficient technical support for ongoing operations to keep downtime minimal.
The department has adequate resumption procedures for its automated systems that are considered critical or vital to its daily operations.
Why may controls be ineffective?
Human error may result in incomplete or inaccurate processing.
It may not always be cost effective to design controls for everything in an organization.
Controls may be in place but may be overridden by management.
Collusion may result in a breach of segregation of duties.