4.1 Meaning and Nature of an internal control system
• Contrasting Management’s & Auditor’s Responsibility
for Internal Control System
– Management’s Responsibility
• Primary responsibility to establish and maintain control
system
• To publicly report on the operating effectiveness of those
controls (Sarbanes-Oxley Act of 2002)
– Auditor’s Responsibility
• To understand and test internal control over financial reporting (second standard of field work).
• To annually issue an audit report on the operating
effectiveness of those controls
4.2 Internal Control and Internal Audit
Internal control and internal audit are related but not the same.
Internal controls are policies and procedures designed to control all of an entity’s functions. They are built into operations.
4.3-4.5 Basic internal control structure
Control Environment
1. Control environment (CE)
– The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
– It sets the tone of an organization and influences the control consciousness of the staff.
– It is the foundation for all other components of internal control.
– It has a pervasive influence on all the decisions and activities of an organization.
• How do auditors understand and assess the control environment of an entity? They consider important factors (elements of the CE).
• Factors considered in assessing the control environment:
– Integrity and ethical values: the auditor's assessment includes whether the entity has ethical and behavioral standards. If it has, are these standards communicated to employees? Are they enforced? What is management’s reaction to unethical behavior? Does it encourage or discourage illegal practices and unethical behaviors?
– Commitment to competence: this is related to the human resource policy of the organization. E.g. is management committed to better results by assigning the right person to the job? Is management committed to continuous improvement of the staff’s knowledge and skill, to develop the human capital in the entity?
– The functioning of the BOD and audit committee
• Auditors collect information about the composition of the BOD and the audit committee and their independence from management, since this provides insight into the effectiveness of the governance of the organization.
• If the audit committee is composed of individuals with knowledge of financial reporting issues, they will be able to effectively evaluate the internal control system, the internal audit functions and the financial statements prepared by management; thus, the likelihood that material misstatement exists in the financial statements will be low.
– Management’s philosophy and operating style
• Management, through its activities, provides clear signals to employees about the importance of internal control. If management is the type that overrides internal controls, employees will do the same, so the risk that misstatements exist will be high.
– Organizational structure
• The entity’s organizational structure shows the lines of responsibility and authority; it gives insight into how controls are implemented.
– Human resource policies and practices
• The most important aspect of internal control is personnel.
• If the human resource policy of an organization enables the company to attract and retain competent and trustworthy employees, reliable financial statements will still result even with minimum control. In this case, the risk that the financial statements will be misstated will be low.
• On the other hand, incompetent or dishonest people can damage the system
even if there are numerous controls in place. In such cases, the risk of
misstatement will be high.
• However, honest and efficient people who are able to perform at a high level
even when there are few other controls to support them, may also make an
error when they are dissatisfied or due to other personal problems.
• In general, the human resource policy is an integral part of the internal control system of the organization. By assessing its strength/weakness, auditors can obtain information about the strength/weakness of the internal control system of the organization.
• Thus, a control conscious environment is an environment that
– supports ethical values and business practices,
– conveys an attitude of honesty and accountability at all levels.
2. Risk assessment
Risks are internal & external events (economic conditions,
staffing changes, new systems, regulatory changes, natural
disasters, etc.) that threaten the accomplishment of objectives.
Risk assessment is management’s process of identifying,
evaluating, and deciding how to manage these events… What is
the likelihood of the event occurring? What would be the impact if
it were to occur? What can we do to prevent or reduce the risk?
• Risk assessment for financial reporting is management’s
identification and analysis of risks relevant to the preparation of
financial statements in conformity with appropriate accounting
standards.
• Factors that may lead to increased risk include:
– Failure to meet prior objectives, Poor quality of personnel,
Complexity of core business processes, Introduction of new
information technologies, Economic downturns, and Entrance
of new competitors
– Once management identifies a risk, it estimates the significance
of that risk (it evaluates as high, medium, low), assesses the
likelihood of the risk occurring, and develops specific actions
that need to be taken to reduce the risk to an acceptable level. It
is clear that management addresses the high category risk
..Basic internal control structure
authorization is about the decision on the policies & procedures, but approval is about implementation of the authorized policies & procedures.
3. Control activities – five categories
3. Adequate documents and records
• The occurrence of transactions should be adequately documented. This means documents should be:
• Pre-numbered, to identify whether there are missing documents;
• Prepared at the time a transaction takes place, or as soon as possible thereafter, to minimize timing errors;
• Designed for multiple use, when possible, to minimize the number of different forms (one form can be designed so that it provides several related pieces of information);
• Constructed in a manner that encourages correct preparation (e.g. a well-designed chart of accounts ensures accurate classification of accounts).
4. Physical control over assets and records
• To maintain adequate internal control, assets and records must be protected.
• If assets are left unprotected, they can be stolen.
• If records are not adequately protected, they can be stolen, damaged, altered, or
lost, which can seriously disrupt the accounting process and business operations.
• When a company is highly computerized, its computer equipment, programs, and
data files must be protected. The data files are the records of the company and, if
damaged, could be costly or even impossible to reconstruct.
• The most important type of protective measure for safeguarding assets and records
is the use of physical precautions.
Note: management should:
• Secure and restrict access to equipment, cash, inventory, confidential information, etc.; this is essential to reduce the risk of loss or unauthorized use.
• Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization.
• If such protections are adequate, the level of risk of misstatement of the financial statements will be minimized.
5. Independent checks on performance
• This last category of control activities is the careful and continuous review of the other four; it is called independent checks or internal verification (e.g. it can be achieved through strict application of separation of duties (the least costly method), or by having an internal audit department that performs independent review).
• What justifies the need for internal verification?
– Internal controls tend to change over time, unless there is frequent review.
– Personnel are likely to forget or intentionally fail to follow procedures, or they
may become careless unless someone observes and evaluates their
performance.
– Regardless of the quality of the controls, personnel can make errors or commit
fraud.
Control activities can be summarized as directive, preventive, detective and corrective controls.
• Directive controls: these are designed to establish outcomes (e.g. laws, policies, procedures, manuals).
• Preventive controls: these are measures that occur before a transaction or action is performed, to prevent a risk from occurring (e.g. training, pre-authorization, physical control over assets, system access control, etc.).
• Detective controls: these are measures that occur after a transaction or action is performed, to detect misdeeds or something that has gone wrong (e.g. reviews and comparisons, reconciliations, physical counts of inventories and post audits).
• Corrective controls: these are controls designed to correct errors that have been discovered, i.e. controls that restore the system or process to the state prior to a harmful event (e.g. restoring from a backup after it is known that someone has improperly altered the payment data on the computer).
• As a general rule, preventive controls are better than detective controls; any good system of internal control should have a good mixture of both.
• However, it is not advisable to rely excessively on preventive controls alone and ignore detective controls because, once preventive controls are compromised, there is no way of detecting the illegal act that has occurred.
• Controls can also be categorized as Soft Controls and Hard Controls
• Soft Controls include tone at the top, performance evaluations, and
training programs
• Hard controls include segregation of duties, reviews and approvals and
reconciliations
4. Information and Communication
It refers to the identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities.
Adequate internal control requires an entity to maintain an information system:
– That allows the flow of information across organizations
– That clearly communicates employees' duties and responsibilities