Internal Control
LEARNING OBJECTIVES
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 6: Internal Control
Definitions:
◼ Objectives: What an entity desires to achieve.
◼ Components: What is required to achieve objectives.
◼ Entity Structure: Represents the operating units, legal entities and other structures
CONTROL OBJECTIVES
The COSO framework sets forth three categories of objectives, which allow
organizations to focus on differing aspects of internal control:
Operations Objectives - These pertain to effectiveness and efficiency
of the entity’s operations, including operational and financial
performance goals, and safeguarding assets against loss.
Reporting Objectives - These pertain to internal and external financial
and non-financial reporting and may encompass reliability, timeliness,
transparency, or other terms as set forth by regulators, standard setters,
or the entity’s policies.
Compliance Objectives - These pertain to adherence to laws and
regulations to which the entity is subject.*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 2.
These components are relevant to an entire entity and to the entity level, its
subsidiaries, divisions, or any of its individual operating units, functions, or
other subsets of the entity.”*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 5.
The control environment is the set of standards, processes, and structures that provide
the basis for carrying out internal control across the organization.
Festival Ltd, a diversified manufacturer, has three divisions that operate throughout
Australia. Festival has always allowed its divisions to operate autonomously, with head
office intervention occurring only when planned results were not obtained. Head
office management has high integrity, but the board of directors and audit committee
are not very active. Festival has a policy of hiring very competent people and has an
ethical code of conduct, but there is little monitoring of compliance by
employees. Management is relatively conservative in terms of accounting principles
and practices, but employee compensation packages depend largely on performance.
REQUIRED
Evaluate the strengths and weaknesses of Festival’s control environment.
Every entity faces a variety of risks from external and internal sources. Risk is defined as
the possibility that an event will occur and adversely affect the achievement of
objectives.
Spectrum Ltd has had the following changes in its operations recently.
(a) To help achieve budgeted sales for the year, Spectrum is about to introduce bonuses for sales staff.
The bonuses will be an increasing percentage of the gross sales made by each salesperson above
certain monthly targets.
(b) Spectrum plans to close an inefficient factory in country Tasmania before the end of 2018. It is
expected that the redeployment and disposal of the factory assets will not be completed until the end
of the following year. However, Justin is confident that he will be able to determine reasonably
accurate closure provisions.
(c) The chief executive officer (CEO), Geoff Alderton, has just returned from Italy, where he signed a
contract to import a line of clothing that has become the latest fashion fad there. The company has not
previously been engaged in the clothing industry.
(d) Due to Justin’s workload, the company recently employed a treasurer, Alice Campbell. Justin is
excited about the appointment, because in the three months since Alice has been with the company
she has realised a small profit for the company through foreign exchange transactions in US dollars.
REQUIRED
Explain how the above information affects risk assessment.
Control activities are the actions taken by management, the board, and other parties to
mitigate risk and increase the likelihood that established objectives and goals will be achieved.
Segregation of Duties
• General controls: Policies and procedures that relate to many applications and
support the effective function of application controls by helping to ensure the
continued proper operation of information systems.
INTERNAL CONTROL ROLES
AND RESPONSIBILITIES
INHERENT RISK, CONTROLLABLE RISK,
AND RESIDUAL RISK
Inherent risk is the gross risk that exists assuming there are no internal controls in place.
Acknowledgement of the existence of inherent risk and that certain events or conditions are simply
outside of management’s control (external risks) is critical to recognizing the inherent limitations of
internal control.
Identifying external and internal risks at an entity and activity (process and transaction) level is
fundamental to effective risk assessment. Once key risks have been identified, management can link
them to business objectives and the related business processes.
Once entity-level and activity-level risks have been identified, they must be assessed in terms of
impact and likelihood. Risk analysis processes vary depending on many factors specific to an
organization, but typically they include:
Estimating the impact (or severity) of a risk.
Assessing the likelihood (or frequency) of the risk occurring (probability).
Considering how to manage the risk—that is, assessing what actions to take.
INHERENT RISK, CONTROLLABLE RISK,
AND RESIDUAL RISK (CONT’D)
Controls: risk responses management takes to reduce the impact and/or likelihood of
threats to objective achievement.
Risk appetite: the types and amount of risk, on a broad level, an organization is
willing to accept in pursuit of value*
Acceptable variation in performance: the boundaries of acceptable outcomes related
to achieving a business objective (both the boundary of exceeding the target and the
boundary of trailing the target)**
Controllable risk: that portion of inherent risk that management can directly influence
and reduce through day-to-day business activities.
Residual risk: the portion of inherent risk that remains after mitigating all controllable
risks
While internal control provides reasonable assurance of achieving the entity’s objectives, limitations do
exist. Internal control cannot prevent bad judgments or decisions, or external events that can cause an
organization to fail to achieve its operational goals. In other words, even an effective system of internal
control can experience a failure. Limitations may result from the:
Suitability of objectives established as a precondition to internal control.
Reality that human judgment in decision-making can be faulty and subject to bias.
Breakdowns that can occur because of human failures such as simple errors.
Ability of management to override internal control.
Ability of management, other personnel, and/or third parties to circumvent controls through
collusion.
External events beyond the organization’s control.
Segregation of duties
While a well-designed system of internal controls can provide reasonable assurance to management
relative to achievement of the organization’s objectives, no system of internal controls can provide
absolute assurance for the reasons listed above.*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 9.