Internal Control - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

Internal Control

Description:

Title: Internal Control Author: Ray Whittington Last modified by: Harry Created Date: 6/17/1995 11:31:02 PM Document presentation format: On-screen Show (4:3) – PowerPoint PPT presentation

Number of Views:2383
Avg rating:3.0/5.0
Slides: 36
Provided by: RayWhit7
Category:

less

Transcript and Presenter's Notes

Title: Internal Control


1
Internal Control
2
Internal Control System Definition
  • A process...designed to provide reasonable
    assurance regarding, achievement of (the
    entitys) objectives in the following categories
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
  • Source Committee of Sponsoring Organizations

3
Components of Internal Control
  • The Control Environment
  • Risk Assessment
  • The Accounting Information and Communication
    System
  • Control Activities
  • Monitoring

4
Control Environment(Internal)
  • Integrity and ethical values
  • Commitment to competence
  • Board of directors or audit committee
  • Management philosophy and operating style
  • Organizational structure
  • Human resource policies and practices
  • Assignment of authority and responsibility

5
Control Environment (External)
  • Reviews by Governmental Agencies
  • OSHA, FDA, IRS, GAO, EPA, DCAA, Bank Examiners,
    Bd of Equalization, State Franchise Tax Bd
  • Reviews by Non-Governmental Agencies
  • ISO, Industry Associations

6
Components of Internal Control
  • The Control Environment
  • Risk Assessment
  • The Accounting Information and Communication
    System
  • Control Activities
  • Monitoring

7
Client Risk Assessment
  • Clients must constantly reassess its ICS because
    of
  • Changes in regulatory or operating environment
  • Changes in key personnel
  • Implementation of new/modified information system
  • Rapid growth of the organization
  • Changes in technology affecting production
    processes or information systems
  • Introduction of new lines of business, products,
    or processes

8
Components of Internal Control
  • The Control Environment
  • Risk Assessment
  • The Accounting Information and Communication
    System
  • Control Activities
  • Monitoring

9
Primary Objectives of Accounting Information
Systems
  • Identify record all, but only, valid
    transactions
  • Describe on a timely basis the transactions in
    sufficient detail to permit proper classification
    of transactions
  • Measure the value of transactions appropriately
  • Determine time period in which the transactions
    occurred to permit recording in the proper period
  • Present properly the transactions and related
    disclosures in the financial statements

10
Components of Internal Control
  • The Control Environment
  • Risk Assessment
  • The Accounting Information and Communication
    System
  • Control Activities
  • Monitoring

11
Types of Control Activities
  • Performance Reviews (Usually Detection)
    (Reconcile, Analyze Approve)
  • IT General Application Controls (Ch 8)
  • Physical Security Controls
  • Segregation of Duties
  • Recording Transactions
  • Authorizing Transactions
  • Custody of Related Asset

12
Components of Internal Control
  • The Control Environment
  • Risk Assessment
  • The Accounting Information and Communication
    System
  • Control Activities
  • Monitoring

13
Monitoring
  • Monitoring ICS Effectiveness Compliance
  • Ongoing Monitoring Activities
  • (Management review follow-up)
  • Separate Evaluations
  • (Internal Audits or Self Compliance)
  • Public Companies SOX Section 404 Monitoring and
    Assessment

14
Monitoring Internal ControlsDo Public Companies
do More?
  • Section 404 of Sarbanes-Oxley requires at least
    quarterly monitoring assessment of financial
    reporting internal control effectiveness. Comment
    required on any material change during a fiscal
    quarter.
  • CFO normally leads, generally with Internal Audit
    involvement.

15
Limitations of Even A Good (Well Designed) ICS
  • Errors may arise from misunderstandings of
    instructions, mistakes of judgment, fatigue, etc.
  • Controls that depend on the segregation of duties
    may be circumvented by collusion.
  • Management may override the structure
  • Compliance may deteriorate over time

16
Auditors Basic Requirements Regarding Clients
Internal Controls
  • Obtain an understanding and
  • Document the understanding

17
Documenting Internal Control
18
Sources of ICS Information
  • Client Policies Procedures
  • Client Inquiry
  • Inspection of Documents
  • Observations

19
The Auditors Consideration of Clients
Internal Controls
  • Obtain an understanding
  • Document the understanding
  • Determine planned (initial) assessed level of
    control risk

20
Assessing Control Risk
21
Assessing Control Risk
  • At the F.S. Statement/Overall Level
  • Preparation of F.S., incl. estimates
    disclosures
  • Selection of Significant Accounting Policies
  • The Control Environment
  • General IT Controls (chapter 8)
  • At the Assertion/Account Level
  • Relates to specific assertions about specific
    accounts. (Transactions)

22
To Test or Not to Test Controls
  • We Test Controls When We Expect That
  • We Will Be Able Rely on the Clients Internal
    Controls to Set Control Risk Below Maximum
  • AND
  • Estimated Time Spent to Test Controls Will Be lt
    the Reduction in Substantive Testing Time IF We
    Find the Controls to be Operating Effectively.

23
The Auditors Consideration of Clients Internal
Controls
  • Obtain an understanding
  • Document the understanding
  • Determine planned assessed level of control risk
  • Design additional tests of control
  • (Testing procedures include review of documents,
    observations, questioning client employees,
    re-performing the controls, review of error
    detection correction reports.)

24
Relying on PreviousTests of Controls
  • Auditors should obtain evidence of changes in
    internal controls/business processes since the
    last audit and must test any changed
    controls/processes for which reliance is desired.
  • For controls/process that havent changed,
    reliance can be placed on testing for operating
    effectiveness in prior years audits if the
    control tested every 3rd year.

25
The Auditors Consideration of Clients Internal
Controls
  • Obtain an understanding
  • Document the understanding
  • Determine planned assessed level of control risk
  • Design additional tests of control
  • Perform test of controls likely to prevent or
    detect material misstatements and Reassess
    control risk

26
The Auditors Consideration of Clients Internal
Controls
  • Obtain an understanding
  • Document the understanding
  • Determine planned assessed level of control risk
  • Design additional tests of control
  • Test Controls and Reassess control risk
  • Design nature, timing and extent of substantive
    tests

27
Documentation Requirements
  • Understanding of Internal Controls
  • Assessed Level of Control Risk and the Combined
    Level of the Risk of Material Misstatements (IR
    CR)
  • Basis for the Risk Assessment
  • Auditors Response to the Risks and Link to Audit
    Procedures Performed
  • Use of Prior Years Tests of Controls

28
ICS in a Small Client
  • Adequate segregation of duties impossible.
  • Owner may have to be more active.
  • But, this could foster fraudulent F.S.
  • Therefore, we usually apply the substantive
    rather than the reliance audit approach.

29
IA as Part of the ICS
  • Some of their work may overlap what CPA would
    do.
  • We may be able to rely on (1) their work to
    reduce our work, just like any other part of
    clients ICS, or (2) use of their auditors to
    perform on the F.S. audit.
  • To rely, we must assess
  • 1. Objectivity
  • 2. Competency
  • 3. Quality
  • Source SAS 128

30
Communicating ICS Weaknesses
  • Report to Mgmt and Those Charged with Governance
    (Board of Directors)
  • Must Communicate
  • Significant Deficiencies
  • Material Weaknesses
  • Previously Reported, But Not Remediated
  • Potential Effects of the Deficiencies/Weaknesses
  • In Writing Within 60 Days of Release Date of
    Audit Report on Financial Statements

31
Classifying ICS Weaknesses
  • A deficiency in internal control exists when the
    design or operation of a control does not allow
    management or employees, in the normal course of
    performing their assigned functions, to prevent,
    or detect and correct misstatements on a timely
    basis.
  • A significant deficiency is a deficiency, or a
    combination of deficiencies, in internal control
    that is less severe than a material weakness, yet
    important enough to merit attention by those
    charged with governance.
  • A material weakness is a deficiency, or
    combination of deficiencies, in internal control,
    such that there is a reasonable possibility that
    a material misstatement of the entitys financial
    statements will not be prevented, or detected and
    corrected on a timely basis.
  • Source AU 325 with SAS 115 (eff. 2009) and 99

32
Classifying ICS Weaknesses (cont)
  • Indicators of material weaknesses include
  • Identification of fraud, whether or not material,
    on the part of senior management
  • Restatement of previously issued financial
    statements to reflect the correction of a
    material misstatement due to error or fraud
  • Identification by the auditor of a material
    misstatement of the financial statements under
    audit in circumstances that indicate that the
    misstatement would not have been detected by the
    entitys internal control and
  • Ineffective oversight of the entitys financial
    reporting and internal control by those charged
    with governance
  • Source AU 325 with SAS 115

33
Classifying ICS Weaknesses (cont)
Level Generally Accepted Meaning
Probable The future event or events are likely to occur (probability is gt 50).
Reasonably Possible The chance of the future event or events occurring is more than remote, but less than likely (probability is 20 to 50).
Remote The chance of the future event or events occurring is slight (probability is lt 20).

34
Classifying ICS Weaknesses (cont)
Material A misstatement which would alter a reasonable person's decision making.
More than Inconse-quential When a reasonable person would not reach a conclusion regarding a particular misstatement that the misstatement is inconsequential, then that misstatement is more than inconsequential.
Inconse-quential When a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. (Generally, less than 20 of overall financial statement materiality threshold.)

35
Summary
  • Why do we consider a clients ICS?
  • 1. Assess Control Risk
  • 2. To plan the audit
  • (nature, timing extent of tests)
  • What must we do before we set Control Risk below
    maximum?
  • Test the controls we want to rely on.
  • Why Wouldnt We Test Controls?
  • 1. Appear Very Weak - Reliance Unlikely
  • 2. Time to Test gt Savings in Reduced Sub. Tests
Write a Comment
User Comments (0)
About PowerShow.com