Consideration of Internal Control
Red Sirug
CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
INTERNAL CONTROL – the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives

Essential Concepts of Internal Control:
Internal control is:
1. Process – a means of achieving the entity's objectives
2. Effected by:
   a. Those charged with governance: ensure the integrity of accounting and financial reporting systems through oversight of management
   b. Management: design, implement and maintain internal control
   c. Staff personnel: perform their respective functions
3. Provides reasonable assurance about the achievement of an entity’s objectives – internal control is designed to prevent, or detect and correct, problems to help in achieving the entity’s objectives
   Inherent limitations of internal control system: Even a well designed and effective internal control system cannot eliminate material misstatements, whether due to fraud or error.
   Examples of inherent limitations of internal control:
   1. Management overriding the internal control.
   2. Circumvention of internal controls through collusion among employees.
   3. Cost-benefit considerations (concept of reasonable assurance) – the costs of a control to be established should not exceed its expected benefits.
   4. Most controls tend to be directed at routine transactions rather than non-routine transactions.
   5. Human error (such as due to carelessness, distraction, mistakes of judgment, the misunderstanding of instructions, or errors in the design or use of automated controls).
   6. The possibility that procedures may become inadequate due to changes in conditions, and compliance with procedures may deteriorate.
   7. Segregation of duties may be difficult to achieve in a smaller entity.
4. Helps to achieve the entity's objectives
   Objectives represent what an entity strives to achieve.
   Categories of entity's objectives:
   1. Financial reporting objective – this objective relates to reliability of financial reporting
   2. Operational objective – this objective is intended to enhance effectiveness and efficiency of operations
   3. Compliance objective – this objective relates to the entity’s compliance with applicable laws and regulations

Benefits of Strong Internal Control:
   - Reliability of financial information for decision-making purposes
   - Enhances the effectiveness and efficiency of operations
   - Assurance of compliance with applicable laws and regulations
   - Protection of assets and important documents and records
   - Reduced cost of an external audit – because the auditor may rely on the effectiveness of internal control

Classification of Internal Control:
1. According to objectives:
   a. Financial reporting controls – controls to achieve the reliability of financial reporting objective
   b. Operational effectiveness controls – controls to achieve the operational effectiveness objective
   c. Compliance controls – controls to achieve the compliance objective
   Relationship between the entity’s objectives and internal control: There is a direct relationship between the entity’s objectives and the internal control it implements to provide reasonable assurance about their achievement.
2. According to functions:
   a. Preventive controls – controls that deter problems before they arise (for example, segregation of incompatible employee functions/duties and control of physical access to assets, facilities and information)
   b. Detective controls – controls that discover or detect problems as they arise (for example, preparing bank reconciliations and preparing a monthly trial balance)
   c. Corrective controls – controls that remedy problems discovered by detective controls (for example, maintaining backup copies of transaction and master files)
AT – Considering the Entity’s Internal Control
Components of Internal Control:
Obtaining understanding of internal control means obtaining understanding of the five interrelated and essential components or aspects of internal control, as follows:
1. Control environment – it includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity. It sets the tone of an organization, influencing the control consciousness of its people. It is a set of characteristics that define good control working relationships in an entity. It is the foundation for effective internal control, for it provides an appropriate foundation for the other components of internal control.
   Elements of control environment:
   1. Communication and enforcement of integrity and ethical values – These influence the effectiveness of the design, administration and monitoring of controls.
   2. Commitment to competence – Management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
   3. Participation by those charged with governance (BOD and audit committee)
   4. Management’s philosophy and operating style – Management’s approach to taking and managing business risks, attitudes and actions toward financial reporting, and attitudes toward information processing and accounting functions and personnel.
   5. Organizational structure – The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled and reviewed.
   6. Assignment of authority and responsibility – How authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. Appropriate methods of assigning responsibility must be implemented to avoid incompatible functions and to minimize the possibility of errors because of too much workload assigned to an employee.
   7. Personnel or human resource policies and procedures – Policies and practices that relate to recruitment/hiring, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions.
Considering the control environment: The auditor shall obtain understanding of the control environment and evaluate:
   a. Whether management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior
   b. Whether the strengths in the control environment provide a foundation for the other components of internal control
   c. Whether other components of internal control are not undermined by control environment weaknesses
2. Entity’s risk assessment process – the entity’s own process of identification, analysis, and management of risks relevant to the preparation and fair presentation of financial statements
Considering the entity’s risk assessment process: The auditor shall obtain understanding of whether the entity has a process for:
   a. Identifying business risks relevant to financial reporting objectives
   b. Estimating the significance of the risks
   c. Assessing the likelihood of their occurrence
   d. Deciding about actions to address those risks
3. Information system (including the related business processes, relevant financial reporting and communication) – information and communication systems support the identification, capture, and exchange of information in a timely and useful manner.
   The information system relevant to financial reporting objectives, which includes the accounting system, consists of the methods and records established to record, process, summarize, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity.
   Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Communication may take such forms as policy manuals and financial reporting manuals. Open communication channels help ensure that exceptions are reported and acted on.
Considering the information system: The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:
   a. The classes of transactions in the entity’s operations that are significant to the financial statements;
   b. The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;
   c. The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger.
   d. The records may be in either manual or electronic form;
   e. How the information system captures events and conditions, other than transactions, that are significant to the financial statements;
   f. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures; and
   g. Controls surrounding journal entries, including non-standard journal entries used to record nonrecurring, unusual transactions or adjustments.
4. Control activities – the policies and procedures that help ensure management’s directives are carried out and that necessary steps to address risks are taken. Control activities address risks that, if not mitigated, would threaten the achievement of the entity’s objectives.
   Examples of specific control activities include those relating to:
   - Authorization
   - Performance reviews
   - Information processing
   - Physical controls
   - Segregation of duties
Considering the control activities: The auditor shall obtain understanding of control activities relevant to the audit. Control activities relevant to the audit are those that the auditor judges it necessary to understand in order to:
   a. Assess the risks of material misstatement at the assertion level, and
   b. Design further audit procedures responsive to the assessed risks.
An audit does not require an understanding of all the control activities. In understanding the entity’s control activities, the auditor shall obtain understanding of how the entity has responded to risks arising from IT.
Examples of specific control activities that may be relevant to an audit:
1. Prenumbering of documents – helps to assure that:
   a. All transactions are recorded (completeness).
   b. No transactions are recorded more than once (existence).
2. Authorization of transactions – authorization should occur before commitment of resources
3. Independent checks to maintain asset accountability – independent checks involve the verification of work previously performed by others, such as:
   - Review of bank reconciliations
   - Comparison of subsidiary records to control accounts
   - Comparison of physical counts of inventory to perpetual records
4. Documentation – provides evidence of the underlying transactions and is a basis for establishing responsibility for the execution and recording of transactions
5. Performance reviews – includes review and analyses of the following:
   a. Actual performance versus budgets, forecasts, and prior period performance
   b. Relationship between different sets of data to one another, together with analyses of the relationships and investigative and corrective actions (for example, the management of a sports team might use attendance data to ascertain the reasonableness of ticket sales).
   c. Comparison between internal data and external sources of information, and
   d. Functional or activity performance (for example, sales reports, receivable reports, etc., may be used to analyze performance and to identify errors).
6. Information processing controls – ensure that transactions are valid, properly authorized, and completely and accurately recorded
   a. Application controls – controls which apply to the processing of individual applications
      Examples of application controls:
      - Checking the arithmetical accuracy of records
      - Maintaining and reviewing accounts and trial balance
      - Automated controls such as edit checks of input data and numerical sequence checks
      - Manual follow-up of exception reports
      - Controls surrounding receivables
      - Controls surrounding payroll
   b. General controls – controls that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls apply to information processing throughout the company.
      Examples of general controls:
      - Program change controls
      - Controls that restrict access to programs or data
      - Controls over the implementation of new releases of packaged software applications
      - Controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail
      - Controls over data center and network operations
7. Physical controls – physical controls for safeguarding assets involve security devices and limited access to programs and to restricted areas, including computer facilities
   a. Physical segregation and security of assets, including adequate safeguards such as secured facilities over access to assets and records.
      Examples of physical controls:
      - Protective or security devices
      - Bonded or independent custodians
      - Physical security of assets:
        Cash – placed in cash boxes, vault or safe deposit boxes
        Cash – deposited in a bank
        Inventory – placed in a warehouse
        PPE items – tagged with non-movable labels
   b. Authorization for access to computer programs and data files (for example, requiring a password prior to access)
   c. Authorized access to assets and records (such as through the use of computer access codes, prenumbered forms, and required signatures on documents for the removal or disposition of assets)
   d. Required signatures on documents for the removal or disposition of assets
   e. Periodic counting and comparison with amounts shown on control records
      Examples: Comparing the results of cash, security and inventory counts with accounting records; reconciliations
   f. The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation.
8. Segregation of duties – involves ensuring that individuals do not perform incompatible duties. Duties should be segregated such that the work of one individual provides a crosscheck on the work of another individual. A proper segregation of duties (or incompatible functions) requires that one person should not be responsible for all phases of a transaction. This means that different employees should be assigned to the following functions:
   - Authorizing transactions
   - Recording transactions – recordkeeping
   - Maintaining custody of assets involved in the transactions
   For example, the responsibilities of the treasury department include handling of cash and custody of securities but do not include data processing. Segregation of duties is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.
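As an added worked example (not part of these notes), the two detective checks described above, the prenumbering check from item 1 (gaps point to unrecorded documents, completeness; duplicates point to documents recorded more than once, existence) and the segregation-of-duties check from item 8 (one person holding two or more of the authorize, record and custody functions), run in Python over a constructed journal; the employee names, document numbers and field names are made up for illustration.

```python
"""Detective checks a reviewer can run over a transaction journal."""
from collections import Counter, defaultdict

# Constructed sample journal (not real data): one row per prenumbered document,
# recording who authorized it, who recorded it and who holds the related asset.
JOURNAL = [
    {"doc_no": 1001, "authorized_by": "alice", "recorded_by": "bob",  "custodian": "carol"},
    {"doc_no": 1002, "authorized_by": "alice", "recorded_by": "bob",  "custodian": "carol"},
    {"doc_no": 1004, "authorized_by": "dave",  "recorded_by": "dave", "custodian": "dave"},
    {"doc_no": 1005, "authorized_by": "alice", "recorded_by": "erin", "custodian": "carol"},
    {"doc_no": 1005, "authorized_by": "alice", "recorded_by": "erin", "custodian": "carol"},
    {"doc_no": 1007, "authorized_by": "erin",  "recorded_by": "erin", "custodian": "carol"},
]

# The three functions the notes say must sit with different employees.
INCOMPATIBLE_FUNCTIONS = ("authorized_by", "recorded_by", "custodian")


def sequence_check(entries):
    """Prenumbering control.

    Returns the document numbers missing from the observed range (candidates
    for unrecorded transactions, the completeness assertion) and the numbers
    that appear more than once (candidates for double recording, existence).
    """
    counts = Counter(e["doc_no"] for e in entries)
    if not counts:
        return {"gaps": [], "duplicates": []}
    lo, hi = min(counts), max(counts)
    gaps = [n for n in range(lo, hi + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return {"gaps": gaps, "duplicates": duplicates}


def segregation_check(entries):
    """Segregation-of-duties control.

    Returns one finding per (document, person) where that person performed
    two or more of the incompatible functions on the same document, i.e. is
    positioned to both perpetrate and conceal an error or fraud.
    """
    findings = []
    for e in entries:
        held = defaultdict(list)          # person -> functions they performed
        for field in INCOMPATIBLE_FUNCTIONS:
            held[e[field]].append(field)
        for person, functions in held.items():
            if len(functions) > 1:
                findings.append((e["doc_no"], person, tuple(functions)))
    return findings


if __name__ == "__main__":
    print("sequence:", sequence_check(JOURNAL))
    for doc_no, person, functions in segregation_check(JOURNAL):
        print(f"doc {doc_no}: {person} performed {', '.join(functions)}")
```

Each finding is a lead for the auditor to follow up (inspect the missing or duplicated documents, confirm the role assignment), not a conclusion in itself.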
5. Monitoring – the process to assess the effectiveness (or quality) of internal control performance over time
   Management’s monitoring of controls includes:
   - Assessing the effectiveness of controls on a timely basis and taking necessary corrective actions
   - Monitoring of controls through ongoing activities
   - Using information from communications from external parties, such as customer complaints and regulator comments, that may indicate problems or highlight areas in need of improvement
Considering the monitoring of controls: The auditor shall obtain understanding of:
   a. The major activities that the entity uses to monitor control over financial reporting, including those related to those activities relevant to the audit
   b. How the entity initiates corrective actions to its controls
   c. Sources of the information used in the entity’s monitoring activities
   d. The basis upon which management considers the information to be sufficiently reliable for the purpose

CONSIDERING INTERNAL CONTROL
Internal control is relevant to the entire entity, and each of the five components of internal control may affect any of the three entity objectives, but not all of an entity's objectives and related controls are relevant to the audit. The auditor shall obtain an understanding of internal control relevant to the audit. Generally, those controls that pertain to the financial reporting objective are most relevant to the audit. Thus, the auditor shall consider and understand financial reporting controls. The auditor need not assess all controls related to financial reporting, but rather applies professional judgment in determining which controls to assess.

Purpose of Understanding of Internal Control:
Primary purpose: To provide a basis for planning the audit to determine the nature, timing, and extent of further audit procedures. Specifically, such understanding is used by the auditor in:
   1. Identifying types of potential misstatements
   2. Identifying factors that affect the risks of material misstatements, and
   3. Designing the nature, timing, and extent of further audit procedures
Secondary purpose: To provide a basis for constructive suggestions to management about improvements in internal control

Steps in Considering Internal Control:
1. The auditor shall obtain an understanding of internal control relevant to the audit – involves performing procedures to evaluate the design of relevant controls and determine whether they have been implemented (placed in operation). This procedure includes understanding of the five interrelated components of internal control to evaluate the design and determine if the control has been implemented.
   a. Evaluate the design of relevant controls – involves determining whether those controls, individually or in combination with other controls, are capable of effectively preventing or detecting and correcting material misstatements. The design refers to the capability of a control to prevent or detect and correct material misstatements.
      Major emphasis in the design of effective control:
      a. Assets are properly protected
      b. Incompatible duties are segregated
      c. Transactions are authorized
      An improperly designed control may represent a material weakness in the entity’s internal control.
   b. Determine whether the controls have been implemented – involves determining whether the control is placed in operation; implementation of a control means that the control exists and is being used by the entity
      Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls:
      - Inquiry of entity personnel (inquiry alone is not sufficient to obtain audit evidence about the design and implementation of relevant controls)
      - Observing the application of specific controls
      - Inspecting documents and records
      - Performing a “walk-through” test – tracing a transaction through the information system relevant to financial reporting, from initial recording to presentation in the financial statements
2. Perform preliminary assessment of control risk – assessing the level of control risk (such as high, medium or low) based on understanding of internal control (the design of controls and whether they have been implemented)
   The ultimate purpose of assessing control risk at the assertion level for each material account balance or class of transactions is to contribute to the auditor's evaluation of the risk that material misstatements exist in the financial statements. The assessment of control risk is the process of evaluating the effectiveness of an entity’s internal control in preventing or detecting and correcting material misstatements. Control risk is assessed in terms of financial statement assertions.
   a. Maximum level: Control risk is assessed at high/maximum level if:
      - Controls are poorly designed, or
      - Properly designed controls have not been implemented, or
      - It is inefficient to rely on internal control (inefficient to perform tests of controls) – for example, it is inefficient to obtain evidence to justify the assessment of control risk at less than high level
      Auditor’s response if control risk is assessed at a high/maximum level:
      - Auditor will not perform tests of controls
      - Auditor will primarily rely on substantive tests
   b. Less than high/maximum level: Control risk is assessed at less than high/maximum level if controls are properly designed and have been implemented; the auditor should perform tests of operating effectiveness of relevant controls. The PSA requires the auditor to document the basis or the evidence to justify the assessment of control risk at less than high/maximum level.
3. Perform tests of controls if preliminary assessment of control risk is below high/maximum level (performed when the auditor intends to rely on the internal control)
   Tests of controls are audit procedures designed to evaluate the operating effectiveness of internal controls that are likely to detect or prevent material misstatements, in support of a reduced assessed level of control risk. In other words, tests of controls are performed to confirm that the controls tested are working effectively in order to substantiate the reduced assessed level of control risk.
   When to perform tests of controls:
   a. When the auditor intends to rely on the operating effectiveness of relevant controls in determining the nature, timing and extent of substantive procedures; or
      Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion.
   b. When substantive procedures alone cannot provide sufficient appropriate evidence at the assertion level
   Unlike substantive tests of details, tests of controls are not a required audit procedure. The greater the reliance the auditor plans to place on internal control, the more extensive the tests of those controls that need to be performed.
   Tests of controls generally consist of one (or a combination) of the following evidence gathering techniques:
   a. Inquiry
   b. Observation
   c. Inspection
   d. Reperformance of a control by the auditor
   Results of tests of controls:
   a. Results do not confirm effectiveness of controls – the auditor should revise the preliminary assessment of control risk from less than high to high level. In addition, the auditor shall also make the necessary revision to the overall audit strategy, audit plan and preliminary audit program. In this case, the auditor’s general approach to the audit would be to use the substantive approach (an approach whose emphasis is on substantive procedures).
   b. Results confirm effectiveness of controls – the auditor relies on the entity’s internal control and decreases substantive testing. In this case, the auditor’s general approach to the audit would be the reliance or combined approach (an approach that uses both tests of controls and substantive procedures).
Required Documentation:
1. Document the understanding of accounting and internal control systems
   - Form of documentation may vary
   - One form or a combination of forms of documentation may be used at the same time
   Forms of documentation:
   1. Internal control questionnaire – consists of a list of questions on internal control to be answered by a "Yes" or "No" response. A negative response is designed to draw attention to a possible weakness in internal control. Written explanations are required for "No" answers.
   2. Flowcharts – pictorial/symbolic diagram depicting the operation of a program/system or the sequential flow of authority, processes, transactions and documents. The use of standard symbols makes flowcharts easy to understand.
      a. Systems flowcharts – used to evaluate internal control because they show the origin of each document in the system, its subsequent processing, and its final disposition
      b. IT flowcharts – used in evaluating the internal control in an automated/computerized accounting environment. The auditor can use these flowcharts to evaluate both the flow of the program and the internal controls related to the IT function in general.
   3. Internal control checklists – a detailed listing of ideal control measures (the auditor tickmarks the controls adopted by the client)
   4. Narrative memoranda – a written version of a flowchart. It is a description of the auditor's understanding of the system of internal control. Note that flowcharts are more appropriate for documenting complex control structures, while written narratives are more appropriate for less complex structures.
   5. Decision trees or tables –
      a. Decision trees – are graphic illustrations that depict the logic of an operation or process. They generally employ questions with "Yes" or "No" answers, which direct the user to the next relevant questions.
      b. Decision tables – are graphic illustrations that depict the logical relationships of a system in table form.
      Both approaches document the auditor's understanding of a process.
2. Document the assessed level of control risk
   If the control risk is assessed at a high level, the auditor should document his conclusion that control risk is at a high level.
   If the control risk is assessed at less than high level, the auditor should document:
   a. His conclusion that control risk is at less than high level, and
   b. The basis for that assessment – results of tests of controls confirming the assessment of control risk at below high/maximum level
Effect of Information Technology on Internal Control:
Effect on Internal Control
An entity's use of information technology may affect any of the five components of internal control:
   a. Management's failure to appropriately address IT risks may negatively impact the control
   b. The use of IT may enhance an entity's risk assessment by providing more timely information.
   c. Many information and communication systems make extensive use of IT, and the way in which IT is used often affects an entity's internal control.
   d. Much of the information used in monitoring is provided by IT, and therefore, the accuracy of the IT system is crucial.
   e. The use of IT may affect the way in which existing control activities are implemented. Also, the effectiveness of user controls may depend upon the accuracy of information provided to the user by IT systems.
Manual vs. Automated Controls
   a. Manual controls may be more appropriate than automated controls in situations where judgment and discretion are required, such as circumstances in which misstatements are difficult to define, anticipate, or predict.
   b. Manual controls, however, may pose additional risks because they can be more easily ignored or overridden, they are subject to human error, and they are less consistent than automated controls.
Testing Automated Controls
   a. In testing automated controls, the auditor needs to identify and test not just specific application controls but the relevant general controls on which the application controls depend. (Application controls and general controls are covered above.)
   b. In a manual system, manual controls such as approvals, reviews, and reconciliations are used. In an automated system using information technology, both manual and automated controls may be used; however, even manual controls may be dependent to some extent on the effective functioning of IT.
IT Benefits
IT is used by an entity to improve the efficiency and effectiveness of its internal control. The auditor should consider the effect of such benefits as part of assessing internal control. Benefits may include:
   a. The ability to process large volumes of transactions and data accurately and consistently.
   b. Improved timeliness and availability of information.
   c. Facilitation of data analysis and performance monitoring.
   d. Reduction in the risk that controls will be circumvented.
   e. Enhanced segregation of duties through effective implementation of security controls.
IT Risks
The use of IT may also create additional internal control risks. The auditor must evaluate the entity's use of IT to determine whether and to what extent the following risks exist:
   a. Potential reliance on inaccurate systems.
   b. Unauthorized access to data, which may result in loss of data and/or data inaccuracies.
   c. Unauthorized changes to data, systems, or programs.
   d. Failure to make required changes or updates to systems or programs.