
CHAPTER 6

Internal Control

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 6: Internal Control

LEARNING OBJECTIVES

◼ Identify the objectives, components, and principles of an effective internal control framework.
◼ Know the roles and responsibilities each group in an organization has regarding internal control.
◼ Analyze the limitations of internal control.


DEFINITION OF INTERNAL CONTROL

COSO broadly defines internal control as:

. . . a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. This definition emphasizes that internal control is:
◼ Geared to the achievement of objectives in one or more separate but overlapping categories—operations, reporting, and compliance.
◼ A process consisting of ongoing tasks and activities—a means to an end, not an end in itself.
◼ Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.
◼ Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and board of directors.
◼ Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 1.


THE OBJECTIVES, COMPONENTS, AND PRINCIPLES OF INTERNAL CONTROL

COSO explains, “A direct relationship exists between objectives, which are what an entity strives to achieve, components [and principles], which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube.”*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 5.


THE OBJECTIVES, COMPONENTS, AND PRINCIPLES OF INTERNAL CONTROL

Definitions:
◼ Objectives: Are what an entity desires to achieve.
◼ Components: Represent what is required to achieve objectives.
◼ Entity Structure: Represents the operating units, legal entities, and other structures.


CONTROL OBJECTIVES

The COSO framework sets forth three categories of objectives, which allow organizations to focus on differing aspects of internal control:
◼ Operations Objectives - These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
◼ Reporting Objectives - These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.
◼ Compliance Objectives - These pertain to adherence to laws and regulations to which the entity is subject.*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 2.


INTERNAL CONTROL COMPONENTS

COSO indicates, “Supporting the organization in its efforts to achieve objectives are five components of internal control:
◼ Control Environment
◼ Risk Assessment
◼ Control Activities
◼ Information and Communication
◼ Monitoring Activities

These components are relevant to an entire entity and to the entity level, its subsidiaries, divisions, or any of its individual operating units, functions, or other subsets of the entity.”*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 5.


THE PRINCIPLES OF INTERNAL CONTROL


INTERNAL CONTROL COMPONENTS


CONTROL ENVIRONMENT - PRINCIPLES 1-5

The control environment is the set of standards, processes, and structures that provide
the basis for carrying out internal control across the organization.


CASE STUDY 1: FESTIVAL LTD – CONTROL ENVIRONMENT

Festival Ltd, a diversified manufacturer, has three divisions that operate throughout
Australia. Festival has always allowed its divisions to operate autonomously, with head
office intervention occurring only when planned results were not obtained. Head
office management has high integrity, but the board of directors and audit committee
are not very active. Festival has a policy of hiring very competent people and has an
ethical code of conduct, but there is little monitoring of compliance by
employees. Management is relatively conservative in terms of accounting principles
and practices, but employee compensation packages depend largely on performance.

REQUIRED
Evaluate the strengths and weaknesses of Festival’s control environment.


INTERNAL CONTROL COMPONENTS


RISK ASSESSMENT - PRINCIPLES 6-9

Every entity faces a variety of risks from external and internal sources. Risk is defined as
the possibility that an event will occur and adversely affect the achievement of
objectives.


INTERNAL CONTROL COMPONENTS – RISK ASSESSMENT PROCESS


CASE STUDY 2: SPECTRUM LTD – RISK ASSESSMENT

Spectrum Ltd has had the following changes in its operations recently.
(a) To help achieve budgeted sales for the year, Spectrum is about to introduce bonuses for sales staff.
The bonuses will be an increasing percentage of the gross sales made by each salesperson above
certain monthly targets.
(b) Spectrum plans to close an inefficient factory in country Tasmania before the end of 2018. It is
expected that the redeployment and disposal of the factory assets will not be completed until the end
of the following year. However, Justin is confident that he will be able to determine reasonably
accurate closure provisions.
(c) The chief executive officer (CEO), Geoff Alderton, has just returned from Italy, where he signed a
contract to import a line of clothing that has become the latest fashion fad there. The company has not
previously been engaged in the clothing industry.
(d) Due to Justin’s workload, the company recently employed a treasurer, Alice Campbell. Justin is
excited about the appointment, because in the three months since Alice has been with the company
she has realised a small profit for the company through foreign exchange transactions in US dollars.
REQUIRED
Explain how the above information affects risk assessment.


INTERNAL CONTROL COMPONENTS


CONTROL ACTIVITIES - PRINCIPLES 10-12

Control activities are the actions taken by management, the board, and other parties to mitigate risk and increase the likelihood that established objectives and goals will be achieved.

Segregation of Duties


INTERNAL CONTROL COMPONENTS – CONTROL ACTIVITIES


CASE STUDY 3: CHERRY BLOSSOM CO - CONTROL ACTIVITIES

Cherry Blossom Co maintains perpetual inventory records. Which of the following control activities would contribute to the auditor's confidence that inventory recorded in the financial statements exists?
1. Procedures to identify obsolete and damaged inventory
2. Physical safeguards to protect inventory from theft
3. Sequential numbering of goods dispatched notes
4. Reconciliation of inventory records to results of inventory counts

A. (1) and (2)
B. (2) and (4)
C. (2) and (3)
D. (1) and (3)


INTERNAL CONTROL COMPONENTS


INFORMATION & COMMUNICATION - PRINCIPLES 13-15


INTERNAL CONTROL COMPONENTS – INFORMATION & COMMUNICATION

The internal controls in a computerised environment include both manual procedures and procedures designed into computer programs. Such manual and computer control procedures comprise two types of control:
• Application controls: Manual or automated procedures that typically operate at a business process level. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records. Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data.
• General controls: Policies and procedures that relate to many applications and support the effective function of application controls by helping to ensure the continued proper operation of information systems.


INTERNAL CONTROL COMPONENTS


MONITORING ACTIVITIES - PRINCIPLES 16-17


INTERNAL CONTROL COMPONENTS – MONITORING ACTIVITIES

INTERNAL CONTROL ROLES AND RESPONSIBILITIES

Everyone in an organization has responsibility for internal control:
◼ Board of Directors
◼ Management
◼ Internal Auditors
◼ Other Personnel

There are legitimate reasons for different groups to be interested in different objectives. Likewise, different groups, because of their different perspectives, will perceive the benefits and related costs of internal control very differently, which is valuable to the organization when assessing the adequate design and effective operation of internal control.


INTERNAL CONTROL – MATURITY LEVELS

INHERENT RISK, CONTROLLABLE RISK, AND RESIDUAL RISK

Inherent risk is the gross risk that exists assuming there are no internal controls in place. Acknowledgement of the existence of inherent risk and that certain events or conditions are simply outside of management’s control (external risks) is critical to recognizing the inherent limitations of internal control.

Identifying external and internal risks at an entity and activity (process and transaction) level is fundamental to effective risk assessment. Once key risks have been identified, management can link them to business objectives and the related business processes.

Once entity-level and activity-level risks have been identified, they must be assessed in terms of impact and likelihood. Risk analysis processes vary depending on many factors specific to an organization, but typically they include:
◼ Estimating the impact (or severity) of a risk.
◼ Assessing the likelihood (or frequency) of the risk occurring (probability).
◼ Considering how to manage the risk—that is, assessing what actions to take.

INHERENT RISK, CONTROLLABLE RISK, AND RESIDUAL RISK (CONT’D)

◼ Controls: risk responses management takes to reduce the impact and/or likelihood of threats to objective achievement.
◼ Risk appetite: the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value*
◼ Acceptable variation in performance: the boundaries of acceptable outcomes related to achieving a business objective (both the boundary of exceeding the target and the boundary of trailing the target)**
◼ Controllable risk: that portion of inherent risk that management can directly influence and reduce through day-to-day business activities.
◼ Residual risk: the portion of inherent risk that remains after mitigating all controllable risks

* ERM exposure draft glossary, page 105
** ERM exposure draft glossary, page 19


LIMITATIONS OF INTERNAL CONTROL

While internal control provides reasonable assurance of achieving the entity’s objectives, limitations do exist. Internal control cannot prevent bad judgments or decisions, or external events that can cause an organization to fail to achieve its operational goals. In other words, even an effective system of internal control can experience a failure. Limitations may result from the:
◼ Suitability of objectives established as a precondition to internal control.
◼ Reality that human judgment in decision-making can be faulty and subject to bias.
◼ Breakdowns that can occur because of human failures such as simple errors.
◼ Ability of management to override internal control.
◼ Ability of management, other personnel, and/or third parties to circumvent controls through collusion.
◼ External events beyond the organization’s control.
◼ Segregation of duties

While a well-designed system of internal controls can provide reasonable assurance to management relative to achievement of the organization’s objectives, no system of internal controls can provide absolute assurance for the reasons listed above.*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 9.