Chapter 5 Internal Control over Financial Reporting Copyright © 2010 South-Western/Cengage...


Chapter 5

Internal Control over Financial Reporting

Copyright © 2010 South-Western/Cengage Learning

Audit Opinion Formulation Process

LO 1 - Importance of Internal Control to Financial Statement Audits

• The quality of internal control over financial reporting is an important part of an organization’s commitment to good governance

• Internal control processes must effectively address risks that are present between an organization and the accomplishment of its objectives

• Internal controls are needed because every organization faces significant risks like:
– corporate failure
– misuse of corporate assets
– incorrect or incomplete preparation of financial information

LO 2 – COSO Framework for Internal Control

COSO: A Framework for Internal Control

• Internal control is a process designed to provide reasonable assurance of achieving the following:
– Generating reliable financial accounting information
– Safeguarding assets
– Complying with applicable laws and regulations
– Operating efficiently and effectively

What are the components of an internal control system?

There is a logical loop to an organization's internal controls, starting with

1. Identification of organizational risks that affect the accomplishment of objectives
2. Design of the control environment
3. Design and implementation of control activities to prevent or detect errors
4. Communicate the policies effectively through the information and communication process
5. Monitoring of the effectiveness of the controls to operate effectively

Components of Internal Control

• An internal control system consists of five components

• Risk assessment: process designed to identify and manage risks that may affect its ability to achieve its objectives

• Control environment: overall attitude, awareness, and actions of significant internal groups to maintain a well-controlled organization (tone at the top)

• Control activities: policies and procedures established by management to help ensure that internal control objectives are achieved and risks mitigated

• Information and communication: process of identifying, capturing, and exchanging information in a timely fashion to enable the organization to achieve its objectives

• Monitoring: process that assesses the quality of internal controls over time

Risk Assessment

• Risk assessment involves the identification and analysis of the risks of material misstatement in financial reports.

• Failure to identify risks results in deficiencies in the control processes to mitigate the risks

• Risk assessment questionnaire is used for identifying the significant risks related to financial reporting and documenting

LO 3 - Understanding the Control Environment

Factors an auditor should look at when evaluating an organization's control environment:

• Integrity and ethical values
• Board of directors and audit committee
• Management's philosophy and operating style
• Organizational structure, including assignment of authority and responsibility
• Commitment to financial reporting competence
• Authority and Responsibility
• Human resource policies and practices

Control Activities

• Control activities are policies and procedures implemented across the organization to reduce the risk of financial reporting misstatements

• Control activities involve:
– The design of the control
– The operations of the control

• The sources of misstatement include:
– Transaction processing
– Accounting estimates
– Adjusting and closing entries

• Organizations use Preventive and Detective controls

Information and Communication

• Information and communication represent a company’s processes for gathering key financial information to support the achievement of financial reporting objectives

• Information must be communicated to the right people

• It must also be assured that substantive issues are reported to the audit committee for investigation

Monitoring

• Monitoring represents a company’s processes to determine whether internal control over financial reporting is operating effectively

• Ongoing monitoring processes are designed to identify control failures

• Effective control systems rely heavily on monitoring

• Internal auditing is a highly effective monitoring control

LO 4 - Common Control Activities

Control activities implemented in almost all accounting systems include:

• Segregation of duties
• Authorization procedures
• Adequately documented transaction trail
• Physical controls to safeguard assets
• Reconciliation of control accounts with subsidiary ledgers, of transactions recorded with transactions submitted for processing, and of physical counts of assets with recorded assets

• Competent, trustworthy employees

LO 5 - IT Controls Integrated into Internal Control Evaluations

• General computer controls are pervasive and affect every computerized system

• These controls address the following:

– Planning and controlling the data processing function

– Controlling applications development and changes to programs and/or data files and records

– Controlling access to equipment, data, and programs

– Assuring business continuity such that control failures do not affect data or programs

– Controlling data transmission

IT Controls Integrated into Internal Control Evaluations

• Application controls are specific control procedures designed into and around the computer program to ensure that processing objectives are attained

• The control procedures include:
– Input Controls
– Processing Controls
– Output Controls

• It leads to better data for decisions and increases the organizational success and sustainability

LO 6 - Auditor Evaluation of Internal Controls

The steps in the integrated audit process are:

1. Update information about various risks
2. Consider the possibility of account misstatements
3. Complete preliminary analytical procedures
4. Understand the client’s internal controls

• Obtain an Understanding of Management’s Risk Assessment Process and the Control Environment

• Obtain an Understanding of Significant Accounts and Disclosures and Their Relevant Assertions Within the Information and Communication System

• Obtain an Understanding of the Control Activities in Accounting Processes

• Obtain an Understanding of Management’s Monitoring Activities

5. Identify controls to test

• Auditor needs to test all the five components of internal control

6. Make a plan to test the controls and execute that plan

• Use a “top-down approach” that begins at the financial statement level

7. Consider the results of control testing

• It is a part of the process designed to conduct the most efficient audit possible while minimizing overall audit risk

8. Conduct substantive audit tests

LO 7 - Documenting the Auditor’s Understanding and Assessment of an Organization’s Internal Controls

• Documentation should clearly identify each component of the internal control framework

• Documentation should show
– How each significant control is tested,
– The sampling approach used and the size of the sample used in testing,
– The conclusions of the tests,
– The individual performing the test,
– The auditor’s conclusion on the effectiveness of the control, and
– The implications for the audit of related financial account balances.

LO 8 - Management Reports on Internal Control over Financial Reporting

• The Sarbanes-Oxley Act of 2002 requires management to implement effective internal controls over financial reporting and to certify that the controls have been implemented properly and are operating effectively

• To guide management and the auditor, the SEC and PCAOB provide definitions of
– Material Weakness
– Significant Deficiency

Material Weakness

Deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis

Significant Deficiency

Deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting