[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007
Slide 7.1
Internal Control and Control Risk
Principles of Auditing: An Introduction to International Standards on Auditing - Ch. 7
Rick Stephan Hayes, Philip Wallage, and Hans Gortemaker
Slide 7.2
COSO says Internal Control is
A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations, and safeguarding of assets against unauthorized acquisition, use or disposition.
Slide 7.3
International Federation of Accountants Internal Control Definition
Internal control: the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
Slide 7.4
Internal control is geared to the achievement of objectives in one or more separate overlapping categories:
1. effective operations: relating to effective and efficient use of the entity's resources
2. financial reporting: relating to preparation of reliable published financial statements
3. compliance: relating to the entity's compliance with applicable laws and regulations
4. safeguarding of assets
Slide 7.5
Which of the three categories of management control objectives is the most important to:
• The External Auditors?
• Management?
• Government Auditors?
• Internal Auditors?
• The shareholders?
• Employees?
Slide 7.6
US Securities and Exchange Commission rules require that management base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body or group that followed due-process procedures, including the broad distribution of the framework for public comment. Two such frameworks are:
• The report of the Committee of Sponsoring Organizations of the Treadway Commission (known as the COSO report)
• The Financial Reporting Council, Internal Control: Revised Guidance for Directors on the Combined Code, October 2005 (known as the Turnbull Report)
Slide 7.7
Management Control Objectives
• Effective Operations: the goal is safeguarding of assets (cash, accounts receivable, accounting records).
• Financial Reporting: there is a need for accurate information because management has a responsibility to see that statements are prepared fairly in accordance with accounting standards. The auditor is interested primarily in financial reporting controls (especially controls over transactions).
• Compliance: companies must comply with many laws and regulations, including company law, tax law and environmental protection regulations.
Slide 7.8
Auditor's Primary Control Consideration and Emphasis
• To understand an entity's internal control, the auditor will evaluate the design and implementation of a control.
• The auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in classes of transactions, account balances or disclosures.
• The heaviest emphasis by auditors is on controls over classes of transactions rather than account balances or disclosures.
Slide 7.9
Design and Implementation of Controls
• To understand the entity's internal control, the auditor will evaluate the design of a control and judge whether it has been implemented.
• The auditor determines if the control is designed to prevent, detect, or correct transactions that misstate the account balances.
• Implementation of a control means that the control exists and that the entity is using it.
Slide 7.10
Why do you think internal controls are important to a business?
Slide 7.11
Information Technology Controls - General
General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. For example:
– controls over data center and network operations; system software acquisition, change and maintenance; access security; back-up and recovery; and application system acquisition, development, and maintenance.
Slide 7.12
IT Controls – Application controls
Application controls are controls that apply to applications that initiate, record, process, and report transactions (such as MS Office, SAP, QuickBooks), rather than the computer system in general.
Examples are the chart of accounts, edit checks of input data, numerical sequence checks, and manual follow-up of exception reports.
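An added example, not from the slides or the textbook: the application controls just listed (edit checks of input data, a numerical sequence check on serial document numbers, and an exception report for manual follow-up) run over a constructed batch of sales invoices. The chart of accounts, the invoice fields and the accounting period are assumptions.

```python
"""Application controls over a batch of sales invoices: edit checks of input
data, a numerical sequence check, and an exception report for manual follow-up.
Added example; the invoice batch and chart of accounts below are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Constructed chart of accounts: only these revenue accounts may be posted to.
CHART_OF_ACCOUNTS = {"4000": "Sales - products", "4100": "Sales - services"}


@dataclass
class Invoice:
    number: int          # serial document number (pre-numbered form)
    customer: str
    account: str         # general-ledger account code
    amount: float
    invoice_date: date


@dataclass
class ExceptionReport:
    """What a reviewer would follow up manually."""
    edit_failures: list = field(default_factory=list)     # (invoice number, reason)
    missing_numbers: list = field(default_factory=list)   # gaps in the serial sequence
    duplicate_numbers: list = field(default_factory=list)  # numbers used more than once

    def is_clean(self) -> bool:
        return not (self.edit_failures or self.missing_numbers or self.duplicate_numbers)


def edit_check(inv: Invoice, period_start: date, period_end: date) -> list:
    """Input edit checks: account code in the chart of accounts, positive amount,
    customer present, and invoice date inside the accounting period."""
    reasons = []
    if inv.account not in CHART_OF_ACCOUNTS:
        reasons.append("account not in chart of accounts")
    if inv.amount <= 0:
        reasons.append("amount must be positive")
    if not inv.customer.strip():
        reasons.append("customer missing")
    if not (period_start <= inv.invoice_date <= period_end):
        reasons.append("date outside accounting period")
    return reasons


def sequence_check(numbers):
    """Numerical sequence check: every serial number from the lowest to the
    highest in the batch must appear exactly once. Returns (missing, duplicates)."""
    seen = {}
    for n in numbers:
        seen[n] = seen.get(n, 0) + 1
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    lo, hi = min(seen), max(seen)
    missing = [n for n in range(lo, hi + 1) if n not in seen]
    return missing, duplicates


def run_application_controls(batch, period_start, period_end) -> ExceptionReport:
    """Apply edit checks to each invoice and the sequence check to the batch."""
    report = ExceptionReport()
    for inv in batch:
        for reason in edit_check(inv, period_start, period_end):
            report.edit_failures.append((inv.number, reason))
    if batch:  # an empty batch has no sequence to check
        report.missing_numbers, report.duplicate_numbers = sequence_check(
            [inv.number for inv in batch])
    return report


# Constructed sample batch for March 2007: one gap (1003), one duplicate (1005),
# one unknown account code, one negative amount, one out-of-period date.
SAMPLE_BATCH = [
    Invoice(1001, "Acme Ltd", "4000", 1200.00, date(2007, 3, 2)),
    Invoice(1002, "Beta GmbH", "4100", 450.00, date(2007, 3, 5)),
    Invoice(1004, "Gamma SA", "4200", 980.00, date(2007, 3, 9)),
    Invoice(1005, "Delta Inc", "4000", -75.00, date(2007, 3, 12)),
    Invoice(1005, "Delta Inc", "4000", 75.00, date(2007, 3, 12)),
    Invoice(1006, "Epsilon BV", "4100", 310.00, date(2007, 4, 1)),
]


def sample_report() -> ExceptionReport:
    return run_application_controls(SAMPLE_BATCH, date(2007, 3, 1), date(2007, 3, 31))


if __name__ == "__main__":
    r = sample_report()
    for num, reason in r.edit_failures:
        print(f"invoice {num}: {reason}")
    print("missing numbers:", r.missing_numbers)
    print("duplicate numbers:", r.duplicate_numbers)
```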
Slide 7.13
IT Risks
• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
• Unauthorized access to data that may result in destruction of data or improper changes to data.
• The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
• Unauthorized changes to data in master files.
• Unauthorized changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Input by people or systems without authorized access.
• Potential loss of data or inability to access data as required.
Slide 7.14
Components of COSO Internal Control are
• Control Environment,
• Risk Assessment,
• Control Activities / Control Procedures,
• Information and Communication, and
• Monitoring.
Slide 7.15
Components of Internal Control (Illustration 7.1)
Slide 7.16
Control Environment
Control environment: includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity.
Slide 7.17
Cumulative Effect of Controls
When analyzing the control environment, the auditor must think about the collective effect of various control environment elements. Strengths in one of the elements might mitigate weaknesses in another element.
For example, an active and independent board of directors may influence the philosophy and operating style of senior management. Alternatively, human resource policies directed toward hiring competent accounting personnel might not mitigate a strong bias by top management to overstate earnings.
Slide 7.18
Elements Contributing to a Successful Control Environment
• Communication and enforcement of integrity and ethical values;
• Commitment to competence;
• Participation by those charged with governance: independence and integrity of the board of directors;
• Management's philosophy and operating style: leadership via control by example;
• Organizational structure;
• Assignment of authority and responsibility; and
• Human resource policies and practices.
Slide 7.19
Integrity and Ethical Values and Commitment to Competence
The integrity and ethical values of the people who create, administer, and monitor controls determine their effectiveness.
Management might remove incentives and temptations that prompt personnel to engage in fraudulent or unethical behavior.
A company's control environment will be more effective if its culture is one in which quality and competence are openly valued.
Slide 7.20
Participation of Those Charged with Governance
The guidance and oversight responsibilities of an active and involved board of directors who possess an appropriate degree of management, technical, and other expertise are critical to effective internal control.
Because the board must be prepared to question and scrutinize management's activities, present alternative views and have the courage to act in the face of obvious wrongdoing, it is necessary that the board contain at least a critical mass of independent (non-executive) directors.
Slide 7.21
Management's Philosophy and Operating Style and Organizational Structure
Management's philosophy and operating style is their attitude about, and approach to, financial reporting, accounting issues, and taking and managing business risk. Management philosophy may create significant risk.
Important organizational considerations are clarity of lines of authority and responsibility; the level at which policies are established; adherence to these policies; adequacy of supervision; and appropriateness of organizational structure for the entity.
Slide 7.22
Assignment of Authority and Responsibility; Human Resource Policies and Practices
Responsibility and delegation of authority should be clearly assigned. How responsibility is distributed is usually spelled out in formal company policy manuals.
With trustworthy and competent employees, weaknesses in other controls can be compensated and reliable financial statements might still result. Honest, efficient people are able to perform at a high level even when there are few other controls to support them.
Slide 7.23
Risk Assessment
Management assesses risks as part of designing and operating the internal control system to minimize errors and irregularities.
Auditors assess risks to decide the evidence needed in the audit.
If management effectively assesses and responds to risks, the auditor will typically need to accumulate less audit evidence than when management fails to, because control risk is lower.
Slide 7.24
Identify Risks
A technique to identify risks involves identifying and prioritizing high risk activities:
1. identify the essential resources of the business and determine which are most at risk;
2. identify possible liabilities which may arise;
3. review the risks that have arisen in the past;
4. consider any additional risks imposed by new objectives or new external factors; and
5. seek to anticipate change by considering problems and opportunities on a continuing basis.
Slide 7.25
Information Systems, Communication, and Related Business Processes
Every enterprise must capture pertinent information related to both internal and external events and activities in both financial and non-financial forms. The information must be identified by management as relevant and then communicated to people who need it in a form and time frame that allows them to do their jobs.
Slide 7.26
Communication
Not just a matter of reporting, communication occurs in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.
Employees must understand their own role in the internal control system, as well as how individual activities relate to the work of others, and how to report significant information to senior management.
Slide 7.27
Contents of an Information System
• Accounting system
• Production system
• Personnel system
• Systems software
• Applications for word-processing, presentations, databases, etc. and all records and files generated by these applications
• Information about external events, activities and conditions
Slide 7.28
Two Elements of Control Procedures
Control procedures may be divided into two elements: a policy establishing what should be done and procedures to effect that policy. Examples are:
– A policy is that a securities dealer retail branch manager must monitor (conduct performance reviews of) customer trades.
– A procedure to effect that policy would be a review of daily reports of customer trade activities with attention given to the nature and volume of securities traded.
Slide 7.29
Control Activities (Control Procedures)
Control procedures implement the control policies by specific routine tasks, performed at particular times by designated people, held accountable by adequate supervision and evidence of performance.
• Authorization of transactions and activities; General Controls;
• Performance reviews;
• Information processing: accuracy, adequate documents and records; Application controls;
• Physical control over assets and records;
• Adequate segregation of duties.
Slide 7.30
Authorization
• Proper authorization
– Appropriate delegation of authority sets limits on what levels of risk are acceptable
• General Controls
– Access to the computer system is limited to people who have a right to the information
– Back-up and recovery procedures
– User ID and general system access
Slide 7.31
Performance Reviews
Performance reviews are independent checks on performance by a third party not directly involved in the activity. These control activities include reviews and analyses of actual performance versus budgets and actual performance; relating different sets of data (operating or financial) to one another; comparing internal data with external sources of information; and review of functional or activity performance.
Slide 7.32
Information Processing: Adequate Documents
• Well-designed documents in a manual system and preformatted input screens in a CIS
• Assets are properly controlled and all transactions correctly recorded
• Document prepared at the time a transaction takes place
• Document simple enough to be clearly understood
• Document designed for multiple use to minimize the number of different forms
• Document constructed in a manner that encourages correct preparation
Slide 7.33
Information Processing: Application Controls
• The chart of accounts
• Use of serial numbers on documents and input transactions
• Checks, tickets, sales invoices, purchase orders, stock certificates and many other business papers
• Systems manuals for computer accounting software should provide sufficient information to make the accounting functions clear
• Passwords that allow only authorized people admittance to the computer software on line
Slide 7.34
Physical Controls
• Physical controls are procedures to ensure the physical security of assets.
• Only individuals who are properly authorized should be allowed access to the company's assets.
• Direct physical access to assets may be controlled through physical precautions.
Slide 7.35
Segregation of Duties
Segregation of duties entails three fundamental functions which must be separated and adequately supervised:
• authorization
• recording
• custody
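An added example, not from the slides or the textbook, that covers this slide together with the IT risk on slide 7.13 of personnel holding access privileges beyond their assigned duties: a segregation-of-duties review over user role assignments that flags anyone holding two or more of authorization, recording and custody, and any function granted beyond what the person's job needs. The roles, job titles and users are constructed and hypothetical.

```python
"""Segregation-of-duties review over application role assignments.
Added example; the role-to-function mapping, job requirements and user list are
constructed, not taken from the slides."""
from dataclasses import dataclass
from itertools import combinations

# The three fundamental functions that must be kept apart.
AUTHORIZE, RECORD, CUSTODY = "authorization", "recording", "custody"
FUNCTIONS = (AUTHORIZE, RECORD, CUSTODY)

# Constructed: which of the three functions each application role grants.
# An unrestricted administrator role can alter master files and release
# assets, so it is treated as granting both recording and custody.
ROLE_FUNCTIONS = {
    "po_approver": {AUTHORIZE},          # approves purchase orders
    "ap_clerk": {RECORD},                # posts supplier invoices
    "payment_release": {CUSTODY},        # releases bank payments
    "vendor_master_edit": {RECORD},      # changes the vendor master file
    "sysadmin_full": {RECORD, CUSTODY},  # unrestricted application/DB admin
}

# Constructed: the functions each job actually needs. An IT administrator
# operates the system and should hold no business function at all.
JOB_NEEDS = {
    "Purchasing manager": {AUTHORIZE},
    "AP clerk": {RECORD},
    "Treasurer": {CUSTODY},
    "IT administrator": set(),
}


@dataclass(frozen=True)
class User:
    name: str
    job: str
    roles: tuple


def effective_functions(user: User) -> set:
    """Union of the functions granted by all of the user's roles."""
    funcs = set()
    for role in user.roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_conflicts(user: User) -> set:
    """Pairs among authorization/recording/custody held by one person."""
    held = effective_functions(user)
    return {tuple(sorted(p)) for p in combinations(FUNCTIONS, 2) if set(p) <= held}


def excess_privileges(user: User) -> set:
    """Functions granted beyond what the user's job requires (slide 7.13 risk)."""
    return effective_functions(user) - JOB_NEEDS.get(user.job, set())


def review(users) -> list:
    """Exception list of (user, finding type, detail) for manual follow-up."""
    findings = []
    for u in users:
        for pair in sorted(sod_conflicts(u)):
            findings.append((u.name, "SoD conflict", "+".join(pair)))
        for f in sorted(excess_privileges(u)):
            findings.append((u.name, "excess privilege", f))
    return findings


# Constructed users: bob both records invoices and releases payments;
# dave's admin role gives him business functions his job does not need.
SAMPLE_USERS = [
    User("alice", "Purchasing manager", ("po_approver",)),
    User("bob", "AP clerk", ("ap_clerk", "payment_release")),
    User("carol", "Treasurer", ("payment_release",)),
    User("dave", "IT administrator", ("sysadmin_full",)),
]


def sample_findings() -> list:
    return review(SAMPLE_USERS)


if __name__ == "__main__":
    for name, kind, detail in sample_findings():
        print(f"{name}: {kind}: {detail}")
```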
Slide 7.36
Monitoring of Controls
Monitoring is assessing the design of controls and their operation on a timely basis and taking necessary corrective actions.
Ongoing monitoring information comes from several sources: exception reporting on control activities, reports by government regulators, feedback from employees, complaints from customers, and most importantly from internal auditor reports.
Slide 7.37
Evaluation of Monitoring
When evaluating the ongoing monitoring, the following issues might be considered:
• Periodic comparisons of amounts recorded with the accounting system and with physical assets.
• Responsiveness to internal and external auditor recommendations to strengthen internal controls.
• Extent to which training seminars, planning sessions and other meetings provide information on effective operation of controls.
• Effectiveness of internal audit activities.
• Extent to which personnel obtain evidence on internal control function.
Slide 7.38
Hard and Soft Control
Management designs and sets in place a set of rules, physical constraints and activities called "internal controls". Due to the explicit, formal and tangible character of these controls, they are generally referred to as hard controls.
Soft controls are the intangible factors in an organization that influence the behavior of managers and employees.
Whereas soft controls are founded in the culture or climate of an organization, the hard controls are more explicit, formal and visible.
Slide 7.39
Seven factors influence the way people examine their control activities:
1. Clarity for directors, managers and employees as to what constitutes desirable and undesirable behavior
2. Role-modeling among administrators, management or immediate supervisors
3. Achievability of goals, tasks and responsibilities set
4. Commitment in the organization
5. Transparency of behavior
6. Openness to discussion of viewpoints, emotions, dilemmas and transgressions
7. Enforcement of behavior, such as appreciation of desirable behavior and sanctioning of undesirable behavior
Slide 7.40
Design and Implementation of Internal Control
• Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
• Implementation of a control means that the control exists and that the entity is using it.
• There is little point in assessing the implementation of a control that is not effective, and so the design of a control is considered first. An improperly designed control may represent a significant deficiency in internal control.
Slide 7.41
Methods for Obtaining Controls Audit Evidence
Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
(1) Inquiring of entity personnel.
(2) Observing and re-performing the application of a specific control.
(3) Inspecting documents and reports.
(4) Tracing transactions through the information system.
Slide 7.42
Thank You for Your Attention
Any Questions?

More Related Content

PPT
Chapter 1 role of managerial finance
PPT
Ch 8 strategic management
PPT
Ch04 income statement kieso ifrs
PPT
Akuntansi Manajemen Edisi 8 oleh Hansen & Mowen Bab 9
PDF
IAS 28 investasi pada entitas asosiasi dan joint venture
PPTX
8. internal control new
PPT
Understanding financial statements
PDF
TINJAUAN ANALISIS LAPORAN KEUANGAN
Chapter 1 role of managerial finance
Ch 8 strategic management
Ch04 income statement kieso ifrs
Akuntansi Manajemen Edisi 8 oleh Hansen & Mowen Bab 9
IAS 28 investasi pada entitas asosiasi dan joint venture
8. internal control new
Understanding financial statements
TINJAUAN ANALISIS LAPORAN KEUANGAN

What's hot (20)

PPT
Chapter 1 corporate goverance
PPTX
Akuntansi Internasional, BAB II PERKEMBANGAN DAN KLASIFIKASI
PDF
Chapter 15 Quality Costs and Productivity : Measurement, Reporting, and Control
PPTX
2 pelaporan dan analisis keuangan
PDF
International Auditing Standards (ISA)
PDF
Bab 4 - Analisa Laporan Keuangan
PPTX
Materiality
PPTX
Audit Chapter 7
PPTX
Accounting Principles, 12th Edition Ch20
PPTX
Ethics in Accounting
PPT
4. bab iv_kerangka_konseptual_oke
PDF
Auditing Resume Arens
PPT
DOCX
(Pert 3) bab 13 strategi audit dan program audit
PDF
Chapter 9 PPT 4th edition.pdf internal audit
PPT
Akuntansi Manajemen Edisi 8 oleh Hansen & Mowen Bab 12
PDF
Scope, importance of gaap, concepts & conventions
PPT
Client Acceptance
PDF
Solution Manual Advanced Accounting 9th Edition by Baker Chapter 11
PPTX
Kel.10
Chapter 1 corporate goverance
Akuntansi Internasional, BAB II PERKEMBANGAN DAN KLASIFIKASI
Chapter 15 Quality Costs and Productivity : Measurement, Reporting, and Control
2 pelaporan dan analisis keuangan
International Auditing Standards (ISA)
Bab 4 - Analisa Laporan Keuangan
Materiality
Audit Chapter 7
Accounting Principles, 12th Edition Ch20
Ethics in Accounting
4. bab iv_kerangka_konseptual_oke
Auditing Resume Arens
(Pert 3) bab 13 strategi audit dan program audit
Chapter 9 PPT 4th edition.pdf internal audit
Akuntansi Manajemen Edisi 8 oleh Hansen & Mowen Bab 12
Scope, importance of gaap, concepts & conventions
Client Acceptance
Solution Manual Advanced Accounting 9th Edition by Baker Chapter 11
Kel.10
Ad

Similar to Chapter 7 Int Control and Control Risk.ppt (20)

PPT
Risk Assessment For Internal Auditors
PPTX
The Internal Audit Framework
PPTX
Controlling for management and development .pptx
PDF
Internal auditing for “one & all” (second edition)
PDF
Segregation of Duties Solutions
PPTX
Internal audit
PDF
Internal controls maturity and SME corporate governanance
PDF
A Framework For Business Sustainability
PPT
Ais Romney 2006 Slides 06 Control And Ais Part 1
PPT
Ais Romney 2006 Slides 06 Control And Ais
PPT
Ais Romney 2006 Slides 06 Control And Ais
PPT
Ais Romney 2006 Slides 06 Control And Ais Part 1
PPTX
Advanced auditing Chapter Five.Internal control pptx
PPT
Assessing risks and internal controls training
PDF
Professional Judgment Governance 1- Overview
PPTX
COSO Internal Control - Integrated Framework
PPT
Controlling
PPT
Management control-system
DOCX
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
Risk Assessment For Internal Auditors
The Internal Audit Framework
Controlling for management and development .pptx
Internal auditing for “one & all” (second edition)
Segregation of Duties Solutions
Internal audit
Internal controls maturity and SME corporate governanance
A Framework For Business Sustainability
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais Part 1
Advanced auditing Chapter Five.Internal control pptx
Assessing risks and internal controls training
Professional Judgment Governance 1- Overview
COSO Internal Control - Integrated Framework
Controlling
Management control-system
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
Ad

Recently uploaded (20)

PPTX
Policy Incentives for Small scale industries
PPT
Metho of Data Collection.ppt method of data collection
PDF
Entrep Part I entrepreneurship and business
PDF
Financial Sectors and their negative and positive sides
PPTX
Traumatic Spinasjdjjdshjsjsjsjsjsjsjsjsj
PPTX
MRI.kskdjdjdjdjdndjdjdjdjjdhdjdjdjdjdjdj
PPTX
Finance 2_Rural Finance _1234567891011121314151617 .pptx
PDF
Presentasii Perusahaan TW1 - 2021pdf.pdf
PPTX
Kuliah 5 (Design-Economics-and-Cost-Planning).pptx
PDF
Lundin Gold - September 2025.pdf presentation
PPTX
Time Of Supply and POS_under GST_03-09-25.pptx
PPTX
Blogs and Other information - August 2025.pptx
PPTX
project proposal and project writing example
PDF
4.+Naspub_Cicilia+Denasdfasdfsdfsdf+A+(240-253).pdf
PPTX
macro- 01 macroeconomics by sujata ma'am
PPTX
NON - FARM - AREAS - OF - EMPLOYMENT.pptx
PDF
A480111.pdf American Journal of Multidisciplinary Research and Review
DOCX
How does cost management and budgeting affect company’s financial status, A c...
PPTX
ANAN The Accountancy Profession and National Anti-Corruption Strategy -Prof O...
PPTX
Landscape of Agri startups in India with Special Reference to Assam
Policy Incentives for Small scale industries
Metho of Data Collection.ppt method of data collection
Entrep Part I entrepreneurship and business
Financial Sectors and their negative and positive sides
Traumatic Spinasjdjjdshjsjsjsjsjsjsjsjsj
MRI.kskdjdjdjdjdndjdjdjdjjdhdjdjdjdjdjdj
Finance 2_Rural Finance _1234567891011121314151617 .pptx
Presentasii Perusahaan TW1 - 2021pdf.pdf
Kuliah 5 (Design-Economics-and-Cost-Planning).pptx
Lundin Gold - September 2025.pdf presentation
Time Of Supply and POS_under GST_03-09-25.pptx
Blogs and Other information - August 2025.pptx
project proposal and project writing example
4.+Naspub_Cicilia+Denasdfasdfsdfsdf+A+(240-253).pdf
macro- 01 macroeconomics by sujata ma'am
NON - FARM - AREAS - OF - EMPLOYMENT.pptx
A480111.pdf American Journal of Multidisciplinary Research and Review
How does cost management and budgeting affect company’s financial status, A c...
ANAN The Accountancy Profession and National Anti-Corruption Strategy -Prof O...
Landscape of Agri startups in India with Special Reference to Assam

Chapter 7 Int Control and Control Risk.ppt

  • 1. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.1 Internal Control and Control Risk Principles of Auditing: An Introduction to International Standards on Auditing - Ch. 7 Rick Stephan Hayes, Philip Wallage, and Hans Gortemaker
  • 2. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.2 COSO says Internal Control is A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations and safeguarding of assets against unauthorized acquisition, use or disposition.
  • 3. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.3 International Federation of Accountants Internal Control Definition Internal control— The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
  • 4. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.4 Internal control is geared to the achievement of objectives in one or more separate overlapping categories: 1 effective operations — relating to effective and efficient use of the entity's resources 2 financial reporting — relating to preparation of reliable published financial statements 3 compliance — relating to the entity's compliance with applicable laws and regulations 4 safeguarding of assets
  • 5. Slide 7.5 Which of the three categories of management control objectives is the most important to:
      – The External Auditors?
      – Management?
      – Government Auditors?
      – Internal Auditors?
      – The shareholders?
      – Employees?
  • 6. Slide 7.6 US Securities and Exchange Commission rules require that management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body or group that followed due-process procedures, including the broad distribution of the framework for public comment. Two frameworks:
      – The report of the Committee of Sponsoring Organizations of the Treadway Commission (known as the COSO report)
      – The Financial Reporting Council, Internal Control Revised Guidance for Directors on the Combined Code, October 2005 (known as the Turnbull Report)
  • 7. Slide 7.7 Management Control Objectives
      – Effective Operations: the goal is safeguarding of assets (cash, accounts receivable, accounting records).
      – Financial Reporting: there is a need for accurate information, because management has a responsibility to see that statements are prepared fairly in accordance with accounting standards. The auditor is interested primarily in financial reporting controls (especially controls over transactions).
      – Compliance: companies must comply with many laws and regulations, including company law, tax law and environmental protection regulations.
  • 8. Slide 7.8 Auditor's Primary Control Consideration and Emphasis
      – To understand an entity's internal control, the auditor will evaluate the design and implementation of a control.
      – The auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in classes of transactions, account balances or disclosures.
      – The heaviest emphasis by auditors is on controls over classes of transactions rather than account balances or disclosures.
  • 9. Slide 7.9 Design and Implementation of Controls
      – To understand the entity's internal control, the auditor will evaluate the design of a control and judge whether it has been implemented.
      – The auditor determines whether the control is designed to prevent, detect, or correct transactions that misstate the account balances.
      – Implementation of a control means that the control exists and that the entity is using it.
  • 10. Slide 7.10 Why do you think internal controls are important to a business?
  • 11. Slide 7.11 Information Technology Controls – General. General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. For example:
      – controls over data center and network operations;
      – system software acquisition, change and maintenance;
      – access security;
      – back-up and recovery; and
      – application system acquisition, development, and maintenance.
  • 12. Slide 7.12 IT Controls – Application Controls. Application controls are controls that apply to applications that initiate, record, process, and report transactions (such as MS Office, SAP, QuickBooks), rather than the computer system in general. Examples are the chart of accounts, edit checks of input data, numerical sequence checks, and manual follow-up of exception reports.
  • 13. Slide 7.13 IT Risks
      – Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
      – Unauthorized access to data that may result in destruction of data or improper changes to data.
      – The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
      – Unauthorized changes to data in master files.
      – Unauthorized changes to systems or programs.
      – Failure to make necessary changes to systems or programs.
      – Input by people or systems without authorized access.
      – Potential loss of data or inability to access data as required.
  • 14. Slide 7.14 Components of COSO Internal Control are:
      – Control Environment,
      – Risk Assessment,
      – Control Activities / Control Procedures,
      – Information and Communication, and
      – Monitoring.
  • 15. Slide 7.15 Components of Internal Control (Illustration 7.1)
  • 16. Slide 7.16 Control Environment. Control environment: includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity.
  • 17. Slide 7.17 Cumulative Effect of Controls. When analyzing the control environment, the auditor must think about the collective effect of the various control environment elements. Strengths in one of the elements might mitigate weaknesses in another element. For example, an active and independent board of directors may influence the philosophy and operating style of senior management. Alternatively, human resource policies directed toward hiring competent accounting personnel might not mitigate a strong bias by top management to overstate earnings.
  • 18. Slide 7.18 Elements Contributing to a Successful Control Environment
      – Communication and enforcement of integrity and ethical values;
      – Commitment to competence;
      – Participation by those charged with governance: independence and integrity of the board of directors;
      – Management's philosophy and operating style: leadership via control by example;
      – Organizational structure;
      – Assignment of authority and responsibility; and
      – Human resource policies and practices.
  • 19. Slide 7.19 Integrity and Ethical Values and Commitment to Competence. The integrity and ethical values of the people who create, administer, and monitor controls determine their effectiveness. Management might remove incentives and temptations that prompt personnel to engage in fraudulent or unethical behavior. A company's control environment will be more effective if its culture is one in which quality and competence are openly valued.
  • 20. Slide 7.20 Participation of Those Charged with Governance. The guidance and oversight responsibilities of an active and involved board of directors who possess an appropriate degree of management, technical, and other expertise are critical to effective internal control. Because the board must be prepared to question and scrutinize management's activities, present alternative views and have the courage to act in the face of obvious wrongdoing, it is necessary that the board contain at least a critical mass of independent (non-executive) directors.
  • 21. Slide 7.21 Management's Philosophy and Operating Style and Organizational Structure. Management's philosophy and operating style is their attitude about, and approach to, financial reporting, accounting issues, and taking and managing business risk. Management philosophy may create significant risk. Important organizational considerations are clarity of lines of authority and responsibility; the level at which policies are established; adherence to these policies; adequacy of supervision; and appropriateness of the organizational structure for the entity.
  • 22. Slide 7.22 Assignment of Authority and Responsibility; Human Resource Policies and Practices. Responsibility and delegation of authority should be clearly assigned. How responsibility is distributed is usually spelled out in formal company policy manuals. With trustworthy and competent employees, weaknesses in other controls can be compensated for and reliable financial statements might still result. Honest, efficient people are able to perform at a high level even when there are few other controls to support them.
  • 23. Slide 7.23 Risk Assessment. Management assesses risks as part of designing and operating the internal control system to minimize errors and irregularities. Auditors assess risks to decide the evidence needed in the audit. If management effectively assesses and responds to risks, the auditor will typically need to accumulate less audit evidence than when management fails to, because control risk is lower.
  • 24. Slide 7.24 Identify Risks. A technique to identify risks involves identifying and prioritizing high-risk activities:
      1. identify the essential resources of the business and determine which are most at risk;
      2. identify possible liabilities which may arise;
      3. review the risks that have arisen in the past;
      4. consider any additional risks imposed by new objectives or new external factors; and
      5. seek to anticipate change by considering problems and opportunities on a continuing basis.
  • 25. Slide 7.25 Information Systems, Communication, and Related Business Processes. Every enterprise must capture pertinent information related to both internal and external events and activities, in both financial and non-financial forms. The information must be identified by management as relevant and then communicated to the people who need it, in a form and time frame that allows them to do their jobs.
  • 26. Slide 7.26 Communication. Not just a matter of reporting, communication occurs in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. Employees must understand their own role in the internal control system, as well as how individual activities relate to the work of others, and how to report significant information to senior management.
  • 27. Slide 7.27 Contents of an Information System (diagram):
      – Accounting system
      – Production system
      – Personnel system
      – Systems software
      – Applications for word-processing, presentations, databases, etc., and all records and files generated by these applications
      – Information about external events, activities and conditions
  • 28. Slide 7.28 Two Elements of Control Procedures. Control procedures may be divided into two elements: a policy establishing what should be done, and procedures to effect that policy. Examples are:
      – A policy is that a securities dealer retail branch manager must monitor (conduct performance reviews of) customer trades.
      – A procedure to effect that policy would be a review of daily reports of customer trade activities, with attention given to the nature and volume of securities traded.
  • 29. Slide 7.29 Control Activities (Control Procedures). Control procedures implement the control policies by specific routine tasks, performed at particular times by designated people, held accountable by adequate supervision and evidence of performance:
      – Authorization of transactions and activities; General Controls;
      – Performance reviews;
      – Information processing: accuracy, adequate documents and records; Application controls;
      – Physical control over assets and records;
      – Adequate segregation of duties.
  • 30. Slide 7.30 Authorization
      – Proper authorization: appropriate delegation of authority sets limits on what levels of risk are acceptable.
      – General Controls: access to the computer system is limited to people who have a right to the information; back-up and recovery procedures; user ID and general system access.
  • 31. Slide 7.31 Performance Reviews. Performance reviews are independent checks on performance by a third party not directly involved in the activity. These control activities include reviews and analyses of actual performance versus budgets; relating different sets of data (operating or financial) to one another; comparing internal data with external sources of information; and review of functional or activity performance.
  • 32. Slide 7.32 Information Processing: Adequate Documents
      – Well-designed documents in a manual system and preformatted input screens in a CIS.
      – Assets are properly controlled and all transactions correctly recorded.
      – Document prepared at the time a transaction takes place.
      – Document simple enough to be clearly understood.
      – Document designed for multiple use, to minimize the number of different forms.
      – Document constructed in a manner that encourages correct preparation.
  • 33. Slide 7.33 Information Processing: Application Controls
      – The chart of accounts.
      – Use of serial numbers on documents and input transactions.
      – Checks, tickets, sales invoices, purchase orders, stock certificates and many other business papers.
      – Systems manuals for computer accounting software should provide sufficient information to make the accounting functions clear.
      – Passwords that allow only authorized people admittance to the computer software on line.
  • 34. Slide 7.34 Physical Controls
      – Physical controls are procedures to ensure the physical security of assets.
      – Only individuals who are properly authorized should be allowed access to the company's assets.
      – Direct physical access to assets may be controlled through physical precautions.
  • 35. Slide 7.35 Segregation of Duties. Segregation of duties entails three fundamental functions which must be separated and adequately supervised:
      – authorization
      – recording
      – custody
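The application controls of slide 7.12 (edit checks of input data, numerical sequence checks, an exception report for manual follow-up), the authorization limits of slide 7.30 and the segregation of duties of slide 7.35, run over one batch of journal entries. This is an added illustration, not code from the textbook; the record layout, the staff directory, the approval limits, the period end and the sample entries are all constructed.

```python
"""Application controls over a batch of journal entries: edit checks of input
data, an authorization-limit check, a segregation-of-duties check and a
numerical sequence check, with every failure collected into an exception
report for manual follow-up. Added illustration, not code from the textbook;
the record layout, staff directory, approval limits and period end are
constructed assumptions."""
from datetime import date
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (document number, control, description)

# Constructed staff directory (user -> role) and per-role approval limits:
# delegation of authority sets limits on what each role may approve.
STAFF = {"ana": "clerk", "ben": "supervisor", "cai": "controller", "dee": "clerk"}
APPROVAL_LIMITS = {"clerk": 0, "supervisor": 5_000, "controller": 50_000}
PERIOD_END = date(2024, 3, 31)  # constructed accounting period being closed


def edit_checks(entry: Dict, period_end: date) -> List[Finding]:
    """Edit checks of input data: fields present, amount positive, date valid and in period."""
    doc = str(entry.get("doc_no", "?"))
    findings: List[Finding] = []
    for field in ("doc_no", "date", "amount", "recorded_by", "authorized_by", "custody_by"):
        if entry.get(field) in ("", None):
            findings.append((doc, "edit", f"missing field {field}"))
    amt = entry.get("amount")
    if isinstance(amt, bool) or not isinstance(amt, (int, float)) or amt <= 0:
        findings.append((doc, "edit", f"amount must be a positive number, got {amt!r}"))
    try:
        when = date.fromisoformat(str(entry.get("date")))
    except ValueError:
        findings.append((doc, "edit", f"unparseable date {entry.get('date')!r}"))
    else:
        if when > period_end:
            findings.append((doc, "edit", f"date {when} falls after period end {period_end}"))
    return findings


def authorization_check(entry: Dict) -> List[Finding]:
    """Proper authorization: the approver must be known and within the limit of their role."""
    doc = str(entry.get("doc_no", "?"))
    approver = entry.get("authorized_by")
    role = STAFF.get(approver)
    if role is None:
        return [(doc, "authorization", f"approver {approver!r} not in staff directory")]
    amt, limit = entry.get("amount"), APPROVAL_LIMITS[role]
    if isinstance(amt, (int, float)) and not isinstance(amt, bool) and amt > limit:
        return [(doc, "authorization", f"{approver} ({role}) approved {amt} above limit {limit}")]
    return []


def segregation_check(entry: Dict) -> List[Finding]:
    """Segregation of duties: authorization, recording and custody must be different people."""
    doc = str(entry.get("doc_no", "?"))
    duties = {"authorized_by": "authorization", "recorded_by": "recording", "custody_by": "custody"}
    held: Dict[str, List[str]] = {}
    for field, duty in duties.items():
        if entry.get(field) is not None:
            held.setdefault(entry[field], []).append(duty)
    return [(doc, "segregation", f"{person} performed {' + '.join(ds)}")
            for person, ds in held.items() if len(ds) > 1]


def sequence_check(doc_nos: List[int]) -> List[Finding]:
    """Numerical sequence check: a duplicate means a number was re-used, a gap an unrecorded document."""
    findings: List[Finding] = []
    seen = set()
    for n in doc_nos:
        if n in seen:
            findings.append((str(n), "sequence", "duplicate document number"))
        seen.add(n)
    for n in (range(min(seen), max(seen) + 1) if seen else ()):
        if n not in seen:
            findings.append((str(n), "sequence", "document number missing from sequence"))
    return findings


def exception_report(entries: List[Dict], period_end: date) -> List[Finding]:
    """Run every control over the batch; the output is what a supervisor follows up by hand."""
    report: List[Finding] = []
    for entry in entries:
        report += edit_checks(entry, period_end) + authorization_check(entry) + segregation_check(entry)
    report += sequence_check([e["doc_no"] for e in entries if isinstance(e.get("doc_no"), int)])
    return report


# Constructed batch: 1001 is clean; 1002 exceeds the supervisor's limit; the first
# 1003 has one person doing everything; the second 1003 re-uses the number, so
# 1004 is missing; 1005 has a negative amount and is dated after period end.
SAMPLE_ENTRIES = [
    {"doc_no": 1001, "date": "2024-03-01", "amount": 1200.0, "recorded_by": "ana", "authorized_by": "ben", "custody_by": "dee"},
    {"doc_no": 1002, "date": "2024-03-02", "amount": 7500.0, "recorded_by": "ana", "authorized_by": "ben", "custody_by": "dee"},
    {"doc_no": 1003, "date": "2024-03-03", "amount": 300.0, "recorded_by": "ben", "authorized_by": "ben", "custody_by": "ben"},
    {"doc_no": 1003, "date": "2024-03-03", "amount": 300.0, "recorded_by": "dee", "authorized_by": "cai", "custody_by": "ana"},
    {"doc_no": 1005, "date": "2024-04-15", "amount": -40.0, "recorded_by": "ana", "authorized_by": "cai", "custody_by": "dee"},
]

if __name__ == "__main__":
    for doc, control, text in exception_report(SAMPLE_ENTRIES, PERIOD_END):
        print(f"{doc:>6}  {control:<13} {text}")
```

The exception report is only a control once somebody reviews it: the constructed batch yields six findings (one authorization, one segregation, two edit, two sequence), and the clean entry 1001 produces none.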
  • 36. Slide 7.36 Monitoring of Controls. Monitoring is assessing the design of controls and their operation on a timely basis and taking necessary corrective actions. Ongoing monitoring information comes from several sources: exception reporting on control activities, reports by government regulators, feedback from employees, complaints from customers, and, most importantly, internal auditor reports.
  • 37. Slide 7.37 Evaluation of Monitoring. When evaluating ongoing monitoring, the following issues might be considered:
      – Periodic comparisons of amounts recorded in the accounting system with physical assets.
      – Responsiveness to internal and external auditor recommendations to strengthen internal controls.
      – Extent to which training seminars, planning sessions and other meetings provide information on the effective operation of controls.
      – Effectiveness of internal audit activities.
      – Extent to which personnel obtain evidence that internal control is functioning.
  • 38. Slide 7.38 Hard and Soft Control. Management designs and sets in place a set of rules, physical constraints and activities called "internal controls". Due to the explicit, formal and tangible character of these controls, they are generally referred to as hard controls. Soft controls are the intangible factors in an organization that influence the behavior of managers and employees. Whereas soft controls are founded in the culture or climate of an organization, hard controls are more explicit, formal and visible.
  • 39. Slide 7.39 Seven factors influence the way people examine their control activities:
      1. Clarity for directors, managers and employees as to what constitutes desirable and undesirable behavior
      2. Role-modeling among administrators, management or immediate supervisors
      3. Achievability of the goals, tasks and responsibilities set
      4. Commitment in the organization
      5. Transparency of behavior
      6. Openness to discussion of viewpoints, emotions, dilemmas and transgressions
      7. Enforcement of behavior, such as appreciation of desirable behavior and sanctioning of undesirable behavior
  • 40. Slide 7.40 Design and Implementation of Internal Control
      – Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
      – Implementation of a control means that the control exists and that the entity is using it.
      – There is little point in assessing the implementation of a control that is not effective, so the design of a control is considered first. An improperly designed control may represent a significant deficiency in internal control.
  • 41. Slide 7.41 Methods for Obtaining Controls Audit Evidence. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
      (1) Inquiring of entity personnel.
      (2) Observing and re-performing the application of a specific control.
      (3) Inspecting documents and reports.
      (4) Tracing transactions through the information system.
  • 42. Slide 7.42 Thank You for Your Attention. Any Questions?

Editor's Notes

  • #2: Last Updated 13 October 2012 International Auditing and Assurance Standards Board (IAASB). 2012. Handbook of International Quality Control, Auditing Review, Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1 AND Volume 2. International Federation of Accountants. New York ISA 400 Risk Assessments and Internal Control, ISA 401 Auditing in a Computer Information Systems Environment, ISA 402 Audit Considerations Relating to Entities Using Service Organizations, 1008 Risk Assessments and Internal Control CIS Characteristics and Considerations; AU: AU 319 (SAS 55, 78) Consideration of Internal Control in a Financial Statement Audit, AU 325 (SAS 60) The Communication of Internal Control Related Matters Noted in an Audit COSO report on Small Business. Modifications to Chapter 7: COSO report on small business controls. 10% revision
  • #3: Pages 230 - 231. This definition reflects certain fundamental concepts:
      – Internal control is a 'process'. Internal control is not one event or circumstance, but a series of actions that permeate an entity's activities. These actions are pervasive and are inherent in the way management runs the business.
      – Internal control is effected by people. A board of directors, management and other personnel in an entity effect internal control. The people of an organization accomplish it, by what they do and say. People establish the entity's objectives and put control mechanisms in place.
      – Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board that the company's objectives are achieved. The likelihood of achievement is affected by limitations inherent in all internal control systems. These limitations include the realities that human judgment can be faulty, breakdowns may occur because of human failures such as simple error, and controls may be circumvented by collusion [i] of two or more people. Finally, management has the ability to override the internal control system.
      – [i] Collusion is the act of two or more employees to steal assets or misstate records.
  • #4: *Internal control— The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.
  • #5: Page 231
  • #7: 5.  The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting. (Footnote 7) Securities Exchange Act Rules 13a-15(c) and 15d-15(c), 17 C.F.R. §§ 240.13a-15(c) and 240.15d-15(c). SEC rules require management to base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework (also known as control criteria) established by a body or group that followed due-process procedures, including the broad distribution of the framework for public comment. For example, the report of the Committee of Sponsoring Organizations of the Treadway Commission (known as the COSO report) provides such a framework, as does the report published by the Financial Reporting Council, Internal Control Revised Guidance for Directors on the Combined Code, October 2005 (known as the Turnbull Report).
  • #8: Page 233. CLASS QUESTION: Why are financial reporting controls important to the auditor? Financial Reporting: why internal control matters to the auditor is quite obvious. If the auditor is able to assess the quality of accounting and internal control systems and to verify their proper operation throughout the year under audit, the auditor might be able to rely heavily on these systems for sufficient audit evidence. Emphasis by auditors is placed on understanding controls over classes of transactions rather than account balances or disclosures. The reason is that the accuracy of the output of the accounting system (account balances) is dependent upon the accuracy of the inputs and processing (transactions). If, for example, controls are adequate to ensure all billings, cash receipts, charge-offs and returns and allowances are correct, then the ending balance in accounts receivable is likely to be correct. Disclosures are generally dependent on the account balances. Examples of the laws requiring 'proper record-keeping systems' or 'proper accounting records' are the Foreign Corrupt Practices Act of 1977 in the US and the UK Companies Act 1985.
  • #9: Pages 233-234 The auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in classes of transactions, account balances or disclosures. The heaviest emphasis by auditors is on controls over classes of transactions rather than account balances or disclosures. The reason is that the accuracy of the output of the accounting system (account balances) is heavily dependent upon the accuracy of the inputs and processing (transactions). If, for example, controls are adequate to ensure all billings, cash receipts, charge-offs and returns and allowances are correct, the ending balance in accounts receivable is likely to be correct. Disclosures are generally dependent on the account balances *Material—Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements.  *Misstatement—A difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Misstatements can arise from error or fraud. Where the auditor expresses an opinion on whether the financial statements are presented fairly, in all material respects, or give a true and fair view, misstatements also include those adjustments of amounts, classifications, presentation, or disclosures that, in the auditor’s judgment, are necessary for the financial statements to be presented fairly, in all material respects, or to give a true and fair view.  * Classes of transactions are groups of accounting entries in an accounting cycle of transactions such as the revenue cycle, expenditure cycle, production cycle, or personnel cycle or any sub-categories of those cycles.
  • #10: Page 234
  • #12: General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls commonly include controls over data center and network operations; system software acquisition, change and maintenance; access security; back-up and recovery; and application system acquisition, development, and maintenance. A good example of a general control in accounting software is an error message if there is a problem in using the operating system (e.g. “Please insert a CD-ROM in Drive E”).
  • #13: Application controls are controls that apply to applications that initiate, record, process, and report transactions (such as MS Office, SAP, QuickBooks), rather than the computer system in general. In manual systems, general controls are controls over proper authorization of transactions and activities. Examples of application controls are edit checks of input data, numerical sequence checks, and manual follow-up of exception reports. In manual systems applications controls may be referred to as adequate document and record controls.
  • #14: IT risks:
      – Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both. For instance, individuals may inappropriately override such automated processes, by changing the amounts being automatically passed to the general ledger or to the financial reporting system. Furthermore, where IT is used to transfer information automatically, there may be little or no visible evidence of such intervention in the information systems.
      – Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
      – The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties. A frequent problem in audits of small to medium sized businesses is that there is only one IT employee and he has unlimited access to all computer systems hardware and software, all security systems and all back-ups. A response to this risk is to have someone periodically review the security and access logs to monitor the IT employee's activity.
      – Unauthorized changes to data in master files.
      – Unauthorized changes to systems or programs.
      – Failure to make necessary changes to systems or programs.
      – Inappropriate manual intervention.
      – Potential loss of data or inability to access data as required.
      – Management's failure to commit sufficient resources to address IT security risks may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or unauthorized transactions to be processed.
      – Inconsistencies between the entity's IT strategy and its business strategies.
      – Changes in the IT environment.
  • #15: Pages 235 – 236; Illustration 7.2 Components of Internal Control Structure, page 236. Components are based on the COSO framework. PCAOB Audit Standard #5 (PCAOB AS 5) requires that internal control be evaluated against some framework; it suggests COSO or Turnbull.
  • #16: Illustration 7.1 Components of Internal Control – COSO Report, page 232
  • #17: Pages 236 – 245. Handbook Glossary: Control environment—Includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity. The control environment is a component of internal control.
  • #19: Page 237; Illustration 7.4 Factors on Which to Assess Internal Control Environment, page 244; Illustration 7.3 Organizational Chart Segregation Of Duties And Assignment Of Authority And Responsibility, page 241. ISA 315 "Identifying And Assessing The Risks Of Material Misstatement Through Understanding The Entity And Its Environment", A70. Elements of the control environment that may be relevant when obtaining an understanding of the control environment include the following:
      (a) Communication and enforcement of integrity and ethical values – These are essential elements that influence the effectiveness of the design, administration and monitoring of controls.
      (b) Commitment to competence – Matters such as management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
      (c) Participation by those charged with governance – Attributes of those charged with governance such as: their independence from management; their experience and stature; the extent of their involvement and the information they receive, and the scrutiny of activities; the appropriateness of their actions, including the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors.
      (d) Management's philosophy and operating style – Characteristics such as management's approach to taking and managing business risks; attitudes and actions toward financial reporting; attitudes toward information processing and accounting functions and personnel.
      (e) Organizational structure – The framework within which an entity's activities for achieving its objectives are planned, executed, controlled, and reviewed.
      (f) Assignment of authority and responsibility – Matters such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established.
      (g) Human resource policies and practices – Policies and practices that relate to, for example, recruitment, orientation, training, evaluation, counselling, promotion, compensation, and remedial actions.
  • #24: Pages 245 – 247. Illustration 7.5 Risk Assessment Blank Evaluation Tool, page 246. Handbook Glossary: Risk assessment procedures—The audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.
    ISA 315 A79. The entity’s risk assessment process forms the basis for how management determines the risks to be managed. If that process is appropriate to the circumstances, including the nature, size and complexity of the entity, it assists the auditor in identifying risks of material misstatement. Whether the entity’s risk assessment process is appropriate to the circumstances is a matter of judgment.
  • #25: CLASS QUESTION: Can someone give me an example of how they would evaluate the risk of a business using these steps? Pick a business and follow these steps. Page 245.
    ISA 315 A67. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
        • Inquiring of entity personnel.
        • Observing the application of specific controls.
        • Inspecting documents and reports.
        • Tracing transactions through the information system relevant to financial reporting.
    Inquiry alone, however, is not sufficient for such purposes.
  • #28: CLASS QUESTION: What would be risks to inputting this data and what control would you put in place to mitigate that risk?
  • #30: Pages 251 – 255. ISA 315 A88. Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels.
    Proper Authorization of Transactions and Activities. Appropriate delegation of authority sets limits on what levels of risk are acceptable. Authorization may be general or specific. General controls include computer user IDs, passwords, building entry codes and keys, alarm codes, cashier controls, and computer back-up and recovery.
    Performance Reviews. These reviews include reviews of individual performance and of actual performance versus budgets; surprise checks of procedures; periodic comparisons of accounting records and physical assets; and a review of functional or activity performance.
    Information Processing, Adequate Documentation. Documents and records must be accurate and adequate to provide reasonable assurance that all assets are properly controlled and all transactions correctly recorded. Documents are prepared at the time the transaction takes place. Application controls include use of serial numbers on documents and input transactions, systems manuals, personnel manuals, and passwords for special applications software (like personnel or accounting systems).
    Physical Controls. Only individuals who are properly authorized should be allowed access to the company’s assets: doors, locks, security systems, safes, etc.
    Segregation of Duties. Responsibilities for authorizing transactions, recording them and handling the related assets (called ‘custody of assets’) are kept separate.
  • #31: General IT controls assure that access to the computer system is limited to people who have a right to the information. Appropriate delegation of authority sets limits on what levels of risk are acceptable, and these limits determine the discretion of the employees delegated to authorize the main types of business transactions. Authorization may be general or specific. Computer facilities may have several types of controls. Access controls are general or application controls, such as passwords, that allow only authorized people admittance to the computer software online. A very important general control is back-up and recovery procedures, as anyone who has had a system go down without current records being adequately backed up will tell you. Physical controls such as locks on the doors to the computer room and locked cabinets for software and back-up tapes protect the tangible components of a computer system.
  • #32: ISA 315 Appendix I, 9. Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:
        • Performance reviews. These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data – operating or financial – to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and review of functional or activity performance.
  • #33: These records must be adequate to provide good assurance that all assets are properly controlled and all transactions correctly recorded. Well-designed documents in a manual system and preformatted input screens in a computer system should be:
        • pre-numbered consecutively,
        • prepared at the time a transaction takes place,
        • simple enough to be clearly understood,
        • designed for multiple use to minimize the number of different forms, and
        • constructed in a manner that encourages correct preparation.
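Consecutive pre-numbering only gives assurance if someone actually accounts for the sequence. The following is an added example, not code from the textbook or from ISA 315, of the completeness check that pre-numbering enables: given the range of numbers issued and the numbers that ended up in the ledger, it reports gaps (documents issued but never recorded), duplicates (a number used twice) and numbers that were never issued at all. The invoice numbers are constructed for the illustration.

```python
"""Completeness check for pre-numbered documents (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SequenceReport:
    first: int
    last: int
    gaps: tuple[int, ...]          # issued numbers that were never recorded
    duplicates: tuple[int, ...]    # numbers recorded more than once
    out_of_range: tuple[int, ...]  # recorded numbers that were never issued

    @property
    def complete(self) -> bool:
        """True only when every issued number appears exactly once."""
        return not (self.gaps or self.duplicates or self.out_of_range)


def check_sequence(recorded: list[int], issued_first: int, issued_last: int) -> SequenceReport:
    """Compare the numbers actually recorded against the range that was issued."""
    if issued_first > issued_last:
        raise ValueError("issued_first must not exceed issued_last")
    counts = Counter(recorded)
    expected = range(issued_first, issued_last + 1)
    gaps = tuple(n for n in expected if n not in counts)
    duplicates = tuple(sorted(n for n, c in counts.items() if c > 1))
    out_of_range = tuple(sorted(n for n in counts if n < issued_first or n > issued_last))
    return SequenceReport(issued_first, issued_last, gaps, duplicates, out_of_range)


# Constructed sample: invoice book 1001-1010 was issued; the ledger shows these entries.
SAMPLE_LEDGER = [1001, 1002, 1003, 1005, 1006, 1006, 1008, 1009, 1010, 1012]

if __name__ == "__main__":
    report = check_sequence(SAMPLE_LEDGER, 1001, 1010)
    print(f"gaps={report.gaps} duplicates={report.duplicates} "
          f"out_of_range={report.out_of_range} complete={report.complete}")
```

Each category points the reviewer at a different follow-up: a gap asks where the physical document went, a duplicate asks which of the two entries is genuine, and an out-of-range number asks who created a document outside the issued book.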
  • #36: Pages 253 – 255. Illustration 7.7 Overview of Segregation of Duties, page 254. The authorization of a transaction and the handling of the related asset by the same person increase the possibility of defalcation within the organization.
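Notes #30 and #36 both rest on the same rule: authorizing a transaction, recording it and having custody of the related asset should not sit with one person. The code below is an added example, not from the textbook or ISA 315, of how that rule is checked in practice once roles are granted through a system: each role is mapped to the (process, duty) pairs it confers, each user to their roles, and every user who ends up holding two or more of the three duties for the same process is flagged. Role and user names are constructed for the illustration; a real review would export them from the access-control system.

```python
"""Segregation-of-duties conflict check (added example)."""
from __future__ import annotations

from collections import defaultdict

# The three duties the text says must be kept apart.
DUTIES = ("authorize", "record", "custody")

# Constructed role model: role -> set of (process, duty) the role confers.
ROLE_DUTIES: dict[str, set[tuple[str, str]]] = {
    "purchasing_manager": {("payables", "authorize")},
    "ap_clerk": {("payables", "record")},
    "treasury": {("payables", "custody")},           # releases payments
    "warehouse": {("inventory", "custody")},
    "inventory_clerk": {("inventory", "record")},
    # A single role that is already toxic on its own.
    "sysadmin_finance": {("payables", "record"), ("payables", "custody")},
}

# Constructed user assignments.
USER_ROLES: dict[str, list[str]] = {
    "alice": ["purchasing_manager"],
    "bob": ["ap_clerk"],
    "carol": ["treasury"],
    "dave": ["warehouse", "inventory_clerk"],                 # record + custody of inventory
    "erin": ["sysadmin_finance"],                             # conflict through one role
    "frank": ["purchasing_manager", "ap_clerk", "treasury"],  # holds all three on payables
}


def duties_by_process(roles: list[str]) -> dict[str, set[str]]:
    """Collapse a user's roles into the set of duties held per process."""
    held: dict[str, set[str]] = defaultdict(set)
    for role in roles:
        for process, duty in ROLE_DUTIES.get(role, set()):
            if duty not in DUTIES:
                raise ValueError(f"unknown duty {duty!r} in role {role!r}")
            held[process].add(duty)
    return dict(held)


def find_sod_conflicts(user_roles: dict[str, list[str]]) -> dict[str, dict[str, tuple[str, ...]]]:
    """Return {user: {process: duties}} for every user holding 2+ duties on one process.

    Duties are listed in DUTIES order so output is stable for diffing between reviews.
    """
    conflicts: dict[str, dict[str, tuple[str, ...]]] = {}
    for user, roles in sorted(user_roles.items()):
        for process, held in sorted(duties_by_process(roles).items()):
            if len(held) >= 2:
                conflicts.setdefault(user, {})[process] = tuple(d for d in DUTIES if d in held)
    return conflicts


if __name__ == "__main__":
    for user, procs in find_sod_conflicts(USER_ROLES).items():
        for process, duties in procs.items():
            print(f"{user}: {process} -> {' + '.join(duties)}")
```

Two of the three findings come from role combinations that look harmless one at a time, which is why the check works on the collapsed duty set per process rather than on role names.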
  • #37: Pages 256 – 259. Management’s monitoring activities may include using information from communications from external parties such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement. Two more examples of monitoring activities are management’s review of bank reconciliations, and internal auditors’ evaluation of sales personnel’s compliance with the company’s human resource policies.
    ISA 315 Components of Internal Control—Monitoring of Controls (Ref: Para. 22). A98. Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It involves assessing the effectiveness of controls on a timely basis and taking necessary remedial actions. Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities. A99. Management’s monitoring activities may include using information from communications from external parties such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement.
  • #38: Overall Internal Control Evaluation Tool, Illustration 7.8.
  • #40:
    1. Clarity for directors, managers and employees as to what constitutes desirable and undesirable behavior: the clearer the expectations, the better people know what they must do and how to perform the control, and the more likely they are to act on it.
    2. Role-modeling among administrators, management or immediate supervisors: the better the examples given in an organization, the better people behave, while the worse the example, the worse the behavior.
    3. Achievability of goals, tasks and responsibilities set: the better equipped people in an organization are, the better they are able to execute the control activities that are expected from them.
    4. Commitment on the part of directors, managers and employees in the organization: the more the organization treats its people with respect and involves them in the organization, the more these people will try to serve the interests of the organization and reach the internal control objectives.
    5. Transparency of behavior: the better people observe their own and others’ behavior, and its effects, the more they take this into account and the better they are able to control and adjust their behavior to the expectations of others.
    6. Openness to discussion of viewpoints, emotions, dilemmas and transgressions: the lower the bar for people within the organization to talk about moral or ethical issues regarding internal control, the more likely they will be to do this, and the more they will learn from one another.
    7. Enforcement of behavior, such as appreciation or even reward for desirable behavior, sanctioning of undesirable behavior and the extent to which people learn from mistakes, near misses, incidents, and accidents: the better the enforcement, the more people tend towards what will be rewarded and avoid what will be punished.
  • #41: Pages 259 – 261. ISA 315 Nature and Extent of the Understanding of Relevant Controls.
    13. When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel. (Ref: Para. A66–A68)
    A66. Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. There is little point in assessing the implementation of a control that is not effective, and so the design of a control is considered first. An improperly designed control may represent a significant deficiency in internal control.
    A68. Obtaining an understanding of an entity’s controls is not sufficient to test their operating effectiveness, unless there is some automation that provides for the consistent operation of the controls. For example, obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit. However, because of the inherent consistency of IT processing (see paragraph A55), performing audit procedures to determine whether an automated control has been implemented may serve as a test of that control’s operating effectiveness, depending on the auditor’s assessment and testing of controls such as those over program changes. Tests of the operating effectiveness of controls are further described in ISA 330.
  • #42: Page 260. ISA 315 A67. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
        • Inquiring of entity personnel.
        • Observing the application of specific controls.
        • Inspecting documents and reports.
        • Tracing transactions through the information system relevant to financial reporting.
    Inquiry alone, however, is not sufficient for such purposes.
    (1) Inquiring of entity personnel. Inquiries directed toward internal audit personnel may relate to their activities concerning the design and effectiveness of the entity’s internal control. Ordinarily, only inquiring of entity personnel will not be sufficient to evaluate the design of a control or to determine whether a control has been implemented.
    (2) Observing and reperforming the application of a specific control. The auditors may observe the application of the control or reperform the application themselves.
    (3) Inspecting documents and reports, and
    (4) Tracing transactions through the information system relevant to financial reporting.
    [i] IAASB. 2003. International Standard on Auditing 315 (ISA 315). “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”. Para. 55. International Federation of Accountants. New York. October.