Chapter 9: Internal Controls and Control Risk

Copyright © 2007 Pearson Education Canada

Chapter 9 objectives
• Explain why the study of internal control is important
• List the four components of internal control
• Discuss the relationship between the control environment and application controls
• Examine how control risk is assessed
• Describe the process used to understand, document and test internal controls
• Identify internal control reports

What is Internal Control?
• A process designed and effected by management (or board or employees) in providing reasonable assurance about the achievement of the entity’s objectives (reliable reporting, effectiveness and efficiency, compliance with laws)
• See CICA Handbook 5141.042

GAAS and Internal Controls
• Why is it mandatory for the auditor to understand the internal control system?
• How likely is it that there are NO internal controls at all?

Management responsibilities with respect to internal control
• Should be cost-effective
• Provide reliable accounting and operating data
• Safeguard assets and records
• Promote operational efficiency
• Prevent and detect error, fraud or illegal acts
• Ensure compliance with laws and regulations


Auditor responsibilities with respect to internal control
• Exercise professional skepticism
• Document and evaluate internal controls of financial systems
• Test controls if reliance intended
• Communicate weaknesses that could cause material errors

Concepts when studying internal control
• Remember, it is management’s responsibility to establish and maintain internal controls: the auditor evaluates and may test these controls
• The auditor can provide reasonable, but not absolute assurance
• Internal controls have inherent limitations

Inherent limitations of internal controls
• No such thing as 100% internal controls
• Effectiveness depends upon the competency and dependability of individuals (or systems) executing the controls
• Most internal controls can be overridden using collusion

Four components of internal control


The control environment
• Actions, policies and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about controls
• The essence of an effectively controlled organization lies in the attitude of its management
• Control environment (CE) factors are assessed as part of the knowledge of business and are used to develop a client risk profile

CE factor: management philosophy and operating style
• Management should operate ethically and honestly
• Like behaviour should be encouraged among employees, perhaps by means of documented policies such as a code of ethics
• Service policies could include a commitment to quality and competence

CE factor: board of directors and audit committee
• Board should include independent directors
• Audit committee should include independent directors
• Audit committee should have competence in financial reporting assessment
• Board members should participate actively, meet with internal and external auditors

CE factor: organizational structure
• A structure that is appropriate for planning, directing and controlling operations
• Authority and responsibility assignments clear
• Information systems steering committee to oversee systems development and management of information systems

CE factor: methods of assigning authority and responsibility
• Take into account reporting relationships and responsibilities within organizational culture
• Organizational goals, ethical and social issues considered
• Development and implementation of policies such as job descriptions and codes of conduct

CE factor: management control methods
• Methods used to implement objectives and policies (many possible examples)
• Logical access controls and monitoring for data communications
• Monitoring activities of employees
• Implementation of effective budgeting systems with follow-up of differences

CE factor: systems development methodology
• Policies and procedures for selection, development/purchase and maintenance of information systems
• Formal methodologies for customized systems
• Implementation of systems consistent with organizational objectives

CE factor: management reaction to external influences
• Monitoring of the external environment, including changes in laws
• Ability to respond to changes in the external environment, including changes in business procedures or organizational structures


CE factor: human resource policies and practices
• Hiring practices to ensure competent and trustworthy employees
• Evaluation and compensation processes to help motivate employees to continued competence and honesty


Role of internal audit
• To help ensure independence, internal audit should report to the audit committee of the board of directors
• Can be part of control environment when effective, competent, independent and well-trained
• Can contribute to reduced external audit costs

Risk assessment
• Involves management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with GAAP
• Management needs to: identify risks, estimate significance, assess likelihood of occurrence, develop action plans to reduce the risk to an acceptable level

Control systems include:
• General controls: control systems that affect multiple classes of transactions (also called application systems)
• Application (or accounting system) controls: can be manual, computer-assisted, or fully automated

Impact of inadequate general controls
• Organization and management: Cannot rely on automated or combined controls
• Systems acquisition, development and maintenance: Cannot rely upon automated or combined controls
• Operations and information systems support: May result in going concern issues

Accounting (application) system control procedures
• Appropriate segregation of duties
• Proper authorization of transactions and activities
• Adequate documents and records
• Adequate safeguards over access to and use of assets and records
• Independent verification of performance and the accuracy of recorded amounts

Monitoring
• Deals with ongoing or periodic assessment of the quality of internal control performance by management
• Internal audit department may provide independent evaluation of the quality of the monitoring process


Internal control audit process: 1. Obtain understanding
• Obtain understanding of design and operation
• Methods used to understand and document this process:
  – Flow charts
  – Narrative
  – Internal control questionnaire

Knowing the difference between a strength and a weakness
• Question 9-17, p. 278
• Identifying the absent control when an error or fraud occurred
• Which audit objective(s) were not met?
• Also be able to identify: Controls to help prevent the problem from occurring


Internal control audit process: 2. Assess control risk
• Using the audit risk model
• Control risk is assessed at one of the following levels:
  – Maximum (100%) – no reliance, only substantive testing is completed
  – High
  – Moderate
  – Low
• Decide whether controls will be tested or not (it may be more efficient to only go substantive)

Internal control audit process: 3. Test controls if reliance is intended
• Procedures completed to ensure that key controls have been operating:
  – Inquiry
  – Inspection
  – Observation
  – Reperformance
• Procedures must be linked to audit objectives

Where controls are functioning:
• Identify the errors that are less likely to occur
• Link to the related substantive test
• Perform less or limited or no substantive procedures in this area
• More analytical procedures can be used


Identify the potential impact of weaknesses
• If a control is not functioning, or does not exist, this is a WEAKNESS:
  – Need to identify potential monetary error (is the impact MATERIAL?)
  – Do expanded substantive tests, if necessary
  – Analytical procedures
  – No internal controls testing in this area


Internal control audit process: 4. Decide PDR and substantive tests
• After control testing you are better able to assess planned detection risk (PDR or just DR)
• Then substantive tests are designed for each audit objective based on the PDR for that cycle or objective


Internal control audit process: 5. Report potentially material weaknesses
• Specific wording is required for these weaknesses
• Must be reported to management, board and audit committee (GAAS requires)
• Other weaknesses (i.e. non-material) would also be included in a management letter
