Internal Control summary

Internal Control summary

 

 

Internal Control summary

CHAPTER 7

Internal Control

 

Highlights of the Chapter

1.             A number of years ago the major accounting organizations commissioned a study to develop a comprehensive set of criteria for evaluating internal control.  This set of criteria is referred to as Internal Control--Integrated Framework, and was developed by the committee of sponsoring organizations (COSO) of the Treadway Commission.   The study defines internal control as:

                A process effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

                   Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations.               

2.             Not all controls are relevant to an audit of financial statements.  Generally, the controls relevant are those that pertain to the reliability of financial reporting.

3.             The Foreign Corrupt Practices Act of 1977 prohibits the making of payments to foreign government officials to obtain business and requires all companies under SEC jurisdiction to maintain an adequate system of internal control.

4.             A company's internal control may be divided into five components: (1) the control environment, (2) risk assessment, (3) the accounting information system, and (4) control activities, and (5) monitoring.

5.             The control environment is the foundation for other components of internal control, and consists of the following factors:

Integrity and ethical values--The behavioral and ethical standards established by management to discourage employees from engaging in improper acts.  These values should be communicated through appropriate means, such as codes of conduct.

               Commitment to competence--Management’s commitment to hiring employees with appropriate levels of education and experience, and providing them with adequate supervision and training.                             
Board of directors or audit committee--An effective board of directors or audit committee is important to ensuring that management is acting in the best interest of the stockholders.

                Management philosophy and operating style--The reliability of financial statements is affected by the philosophy of management toward financial reporting, and management’s attitudes toward taking business risks.

                Organizational structure--An entity’s organizational structure refers to the division of authority, responsibilities, and duties among departments of the organization. The major principle that should be applied in designing a plan of organization is effective segregation of duties among functional departments.

                Human resource policies and procedures--Management’s policies and practices for hiring, training, evaluating, promoting, and compensating employees.

                Assignment of authority and responsibility--Methods of communicating to personnel their level of authority and responsibilities, such as job descriptions. 

6.             An important step in achieving an effective control environment is separation of the accounting function from custody of the related assets. When the accounting and custodial departments are relatively independent, periodic comparisons of the accounting records to the existing assets serves to check the work of both departments.

7.             When the principle of subdivision of duties is applied to a large company, separate and independent departments are necessary for such functions as purchasing, receiving, manufacturing, selling, accounting, and finance. Departments should be organized so that one department has an incentive to monitor another.

8.             It is important for the accounting and finance departments to be adequately separated in a company. The finance department should have custody of the liquid assets and responsibility for financial operations of the company, while the accounting department is responsible for all accounting functions and the design and implementation of internal control.

9.             The second component of internal control is risk assessment, which is management’s process for identifying and responding to business risks faced by the organization.

10.          An effective accounting information system (the third component of internal control) should include methods to achieve the following objectives: (1) identify and record all valid transactions, (2) describe on a timely basis the transactions in sufficient detail to permit proper classification in the financial statements, (3) measure the appropriate value of the transactions, (4) permit recording of transactions in the proper accounting period, and (5) present properly the transactions and related disclosures in the financial statements.

11.          Management establishes other control activities to help ensure that management’s directives are carried out. Major types of control activities that are relevant to the audit of financial statements include:

                Performance reviews--Controls that evaluate the performance of departments or individuals by comparison of actual performance to standards, budgets or forecasts.

                Information processing--Control activities designed to check the accuracy, completeness, and authorization of transactions.  The two broad categories of information processing controls include general control activities  and application control activities.

                Physical controls--Controls that restrict access to assets and records to authorized personnel.

                Segregation of duties--The assignment of responsibilities among personnel so that no one individual is in a position to perpetrate an error or irregularity and prevent the error or irregularity from being detected.  Generally, the functions of authorizing transactions, recording transactions, and maintaining  transactions (custody of assets) should be segregated.  Also, to the extent possible, individuals executing the transactions should be segregated from these functions.

12.          The last component of internal control is monitoring, which involves assessing the quality of  internal control over time.  An important aspect of the monitoring component is the internal audit function.

13.          An important role of the internal auditors is to investigate and appraise internal control and the efficiency with which various units of a business carry out their functions.

14.          Internal auditors are not independent of the employer and, therefore, cannot attest to the fairness of the company's financial statements. In performing their evaluations, however, the internal auditors should be independent of the departments being investigated. If the internal auditors report directly to the audit committee of the board of directors or to a high-level executive, they may achieve a greater degree of independence than if they report to an official of lesser rank.

15.          In addition to evaluating controls, many internal auditing departments conduct operational audits. Operational auditing involves evaluation of the efficiency and effectiveness of an operating department within the business.

16.          Internal control has certain limitations. The extent of the controls is limited by cost considerations; to maintain internal control that would make errors and fraud "impossible" would cost more than the benefits it would provide. Also, controls may be rendered ineffective by collusion or may be overridden by management of the company.

17.          In 2004 the Committee of Sponsoring Organizations (COSO) issued a second framework that goes beyond internal control to focus on how organizations can maximize value for their stakeholders by effectively managing risks and opportunities—the Enterprise Risk Management—Integrated Framework.

17.          When auditing financial statements, auditors consider those controls that are designed to prevent or detect misstatements of the financial statements. 

18.          Recall from chapter 6 that the overall approach that auditors use in a financial statement audit may be viewed as:
a.            Plan the audit.
b.             Obtain an understanding of the client and its environment, including internal control.
c.             Assess the risks of misstatement and design further audit procedures.
d.             Perform further audit procedures.
e.             Complete the audit.
f.             Form an opinion and issue the audit report.

                Internal control is most directly related to steps b. through d.  Related, the second field-work standard states:

                A sufficient understanding of the entity and its environment, including its internal control, is to be obtained to assess the risk of material misstatement of the financial statements, whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.

19.          Recall that the risk of material misstatement consists of inherent risk and control risk.  The auditors use risk assessment procedures to obtain an understanding of internal control, including control risk.  The auditors’ understanding of internal control helps them to assess the risks of material misstatement and to determine the types of further audit procedures that should be performed (tests of controls and substantive procedures).

20.          In determining the extent of the understanding of internal control that is necessary, the auditors should realize that the information is subsequently used to (a) identify types of potential misstatements, (b) consider factors that affect the risk of material misstatement, (c) design tests of controls (when applicable), and (d) design substantive procedures.

21.          In every audit, the auditors must obtain an understanding of the five components of a client’s internal control.  In obtaining this understanding, the auditors will determine whether the controls have been implemented (placed in operation).

22.          In obtaining an understanding of a client's accounting information system and the related control activities, auditors generally find it useful to subdivide the overall system into its major transaction cycles, such as the sales and collection cycle, the purchase or acquisition cycle, the production or conversion cycle, the payroll cycle, and the financing cycle.

23.          Three methods commonly used to record the auditors' understanding of the client's internal control are: questionnaires, written narratives, and flowcharts.

24.          Internal control questionnaires inquire into the existence of controls and provide a space for explanatory comments in the event a yes or no answer is insufficient. The advantages of questionnaires are that they are comprehensive, and "no" answers help the auditors to identify deficiencies (weaknesses) in internal control..

25.          Written narratives usually follow the flow of each major transaction cycle, identifying the employees performing various tasks, documents prepared, records maintained, and the division of duties.

26.          A systems flowchart is a diagram symbolic representation of a system or a series of procedures with each procedure shown in sequence. The advantage of a flowchart over a questionnaire is that a flowchart provides a clearer, more specific, portrayal of the system.

27.          To clarify their understanding of a system, the auditors will normally “walkthrough” one or more of each major type of transaction through the processing steps.  This procedure is required the initial year of an integrated audit performed under Public Company Accounting Oversight Board Standard No. 2.

28.          After obtain an understanding of the client and its environment, including internal control, the auditors assess the risks of material misstatement (the third stage of the audit); the general approach is:

  • Identify risks.
  • Relate the identified risks to what can go wrong at the relevant assertion level.
  • Consider whether the risks are of a magnitude that could result in a material misstatement.
  • Consider the likelihood that the risks could result in a material misstatement.

 
29.          Risks are assessed both at the financial statement level and at the relevant assertion level.  Responses to risks at the financial statement level include:

  • Assigning more experienced staff or those with specialized skills.
  • Providing more supervision and emphasizing the need to maintain professional skepticism.
  • Incorporating additional elements of unpredictability in the selection of further audit procedures.
  • Increasing the overall scope of audit procedures, including the nature, timing, or extent.

                Responses at the relevant assertion level are dictated by other audit evidence available and by the nature of the client’s information system.

30.          After assessing the risks of material misstatement, the auditors consider what can go wrong and design further audit procedures, ordinarily substantive procedures and, when the assessed level of risk presumes that controls operate effectively, tests of controls.

31.          Tests of controls are performed when the assessed level of the risk of misstatement includes a presumption that controls operate effectively.  Test of controls include observation, inquiry, inspection, and reperformance. In some cases, the test will involve the use of audit sampling. In order to use sampling to test a procedure, performance of that procedure must leave some form of evidence of performance, such as a completed document or the signature of the person performing the procedure.

32.          After the auditors have completed their tests of controls, they must determine if they must revise their assessed risks of material misstatement (or control risk) based on the results of those tests.  If the results indicate that controls operated as effectively as had been assumed, no revision is necessary.  However, if results reveal controls are less effective than originally thought, the auditors will revise their assessment and carefully consider the possible misstatements that may exist and design substantive procedures.

33.          CPA firms have added more structure to these audit program decisions by developing decision aids. A decision aid is a check list or standard form that helps ensure that auditors consider all relevant information and/or appropriately combine that information in making a decision. 

34.          In assessing the contribution of the internal audit function to internal control, the auditors obtain an understanding of the internal auditors' work and its relevance to the audit. If the independent auditors conclude that the internal auditors' work is relevant and it would be efficient to consider it, the independent auditors assess the competence and objectivity of the internal audit staff, and evaluate the quality of their work.  In evaluating the objectivity of the internal auditors, the auditors consider the level in the organization to which the director of internal audit reports, consider the policies for assigning internal audit staff to activities, and compare the content of selected reports to related audit findings. Competence is evaluated by examining a sample of the work of auditors, and considering the educational level, professional experience, and professional certifications of the internal audit staff. They also investigate the internal auditors' policies, programs, procedures, working papers, and reports.

35.          Auditors must communicate significant deficiencies and material weaknesses in internal control to the audit committee of the board of directors.  The following definitions apply to both management and auditor reporting on internal control.  The following definitions apply to internal control deficiencies:

Control deficiency—exists when the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis

Significant deficiency—a control deficiency (or a combination of control deficiencies) that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles, such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.

Material weakness—a significant deficiency  (or a combination of significant deficiencies) that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

Observations on definitions:

a.             The deficiencies build on one another in that: a significant deficiencies are control deficiencies and all material weaknesses are significant deficiencies.
b.             The likelihood of a material misstatement for significant deficiencies and material weaknesses is the same—more than remote.
c.             The amount involved differs between significant deficiencies and material weaknesses is the amount involved:

  • Significant deficiency—more than inconsequential.
  • Material weakness—material misstatement.

               
36.          Section 404 of Sarbanes-Oxley Act of 2002 requires management of public companies to acknowledge responsibility for internal control and to assess internal control, and auditors perform integrated audits that report on the effectiveness of management’s internal control over financial reporting.
a.             Section 404a requires management to: accept responsibility for the effectiveness of internal control; evaluate the effectiveness of internal control using suitable control criteria; support the evaluation with sufficient evidence; and provide a report on internal control.

b.             Section 404b requires auditors to attest to, and report on, the assessment made by management.  As implemented by PCAOB Standard No. 2, the auditor’s report provides 2 opinions: (1) the auditors’ opinion on whether management’s assessment of internal controls is appropriate and (2) the auditor’s opinion on whether the company maintained effective internal control over financial reporting (as of the last day of the year).

  • An audit of internal control may be viewed as having the following stages:

 

  • Plan the engagement.
  • Evaluate management’s assessment process.
  • Obtain an understanding of internal control.
  • Test and evaluate design effectiveness of internal control. 
  • Test and evaluate operating effectiveness of internal control.
  • Form an opinion on the effectiveness of internal control.

38.          Tests of controls are performed relating to all major accounts and significant assertions.  The approach is one of identifying the company’s control objectives and risks in each area, and then to identify the controls that satisfy each control objective.  Tests of controls are performed first to consider the design of controls, and then, if the design seems appropriate, to test operating effectiveness. 

39.          Unqualified opinions on internal control may be issued when no material weaknesses in internal control have been identified that exist at year-end and when there have been no restrictions on the scope of the auditor’s work.  One or more material weaknesses in internal control result in an adverse opinion.  Scope limitations may result in either a qualified opinion or a disclaimer of opinion.


Test Yourself on Chapter 7

True or False

For each of the following statements, circle the T or the F to indicate whether the statement is true or false.

T       F        1.         The basic purpose of internal control is to prevent fraud.

T       F        2.         The five components of internal control are risk assessment, control activities, the accounting information and communication system, general controls, and the control environment.

T       F        3.         In performing an audit, the auditors are concerned with those controls that prevent or detect financial statement misstatements.

T       F        4.         The establishment of sales terms is an example of a control.

T       F        5.         Establishing and maintaining internal control is a responsibility of the stockholders of the company.

T       F        6.         The Foreign Corrupt Practices Act applies only to corporations that have foreign operations.

T       F        7.         An employee has incompatible duties if the person is in a position to perpetrate and conceal errors or fraud in the normal course of performing his or her duties.

T       F        8.         For well controlled operations, the same employee that maintains custody of assets should also keep the accounting records for the assets.

T       F        9.         The accounting department should maintain custody of the company's marketable securities.

T       F        10.      Internal auditors normally are responsible for reconciling the company's bank accounts to monitor the controls over cash.

T       F        11.      Internal control is not generally effective at preventing all fraud by top management of the company.

T       F        12.      The internal audit function is an important part of the monitoring component of internal control.

T       F        13.      Auditors are required to test all strengths in an audit client's internal control.

T       F        14.      The controls over a client's sales cycle are part of that client's control environment.

T       F        15.      Internal control should provide management with reasonable assurance that they are achieving the objectives related to effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.

T       F        16.      An advantage of an internal control questionnaire is that weaknesses in internal control are highlighted by the questionnaire.

T       F        17.      Flowcharts are generally a less flexible method of depicting a system of internal control than an internal control questionnaire.

T       F        18.      To be effective, a walk‑through test must involve tracing at least 60 transactions through each cycle.

T       F        19.      A control activity that leaves evidence of compliance is usually tested by inquiry and observation.

T       F        20.      In audits of both public and nonpublic companies significant deficiencies and material weaknesses noted by the auditors must be communicated to management in writing.

T       F        21.      All material weaknesses are also significant deficiencies.

T       F        22.      An audit report under PCAOB Standard No. 2 on internal control includes both an opinion on management’s assessment of internal controls, and the auditor’s opinion on company compliance with the Sarbanes-Oxley Act of 2002.

T.      F.       23.      An audit of internal control includes an opinion on whether the internal control operated effectively during the entire year under audit.

T       F        24.      Both the design of controls and the operating effectiveness of controls is considered in an audit of internal control performed under PCAOB Standard No. 2.

 

Completion

Fill in the necessary words to complete the following statements.

1.             The five components of a client's internal control include the __________ __________,  __________ __________, the _____________ _____________ ____ _____________ _________, ____________ _____________, and ____________.
2.             The Foreign Corrupt Practices Act of 1977 prohibits __________ to foreign officials to obtain business and requires companies to maintain an effective system of __________ __________.
3.             No single employee in a company should have __________ __________, allowing the employee to both perpetrate and conceal errors or fraud in the normal course of performing his or her job.
4.             The two broad categories of information processing controls are _____________ _____________ and _______________ ____________.
5.             Controls that rely on segregation of duties may be circumvented by __________ among employees.
6.             A client's __________ __________ factors include such things as management philosophy and operating style, and organizational structure.
7.             A form of insurance in which an insurance company agrees to reimburse an employer for losses attributable to employee theft is referred to as ____________ _____________.
8.             A "no" answer in an __________ __________ __________ indicates a weakness in the client's internal control.
9.             Auditors are required by professional standards to communicate __________ __________ and  __________ __________ to the audit committee.
10.          One or more __________ _________ in internal control result in a(n) _________ opinion on internal control.

 

Multiple Choice

Choose the best answer for each of the following questions and enter the identifying letter in the space provided.

_____    1.         Before assessing control risk at a level lower than the maximum, the auditor obtains reasonable assurance that controls are in use and operating effectively.  This assurance is most likely obtained in part by:

  • preparing flowcharts.
  • performing substantive procedures.
  • analyzing tests of trends and ratios.
  • inspecting documents.

 

_____    2.         Auditors must communicate internal control significant deficiencies to:

  • the Public Company Accounting Oversight Board.
  • the audit committee.
  • the shareholders.
  • the SEC.

 

_____    3.         A situation in which exists when the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis is referred to as a(n):

  • material weakness in internal control.
  • inherent limitation of internal control.
  • significant deficiency.
  • control deficiency.

 

_____    4.         Which of the following is most likely to provide an auditor with the most assurance about the effectiveness of the operation of internal control?

  • Inquiry of client personnel.
  • Recomputation of account balance amounts.
  • Observation of client personnel applying the control.
  • Confirmation with outside parties.

 

_____    5.         Monitoring is considered:

  • a component of internal control.
  • an element of the control environment.
  • the primary asset safeguarding technique.
  • a portion of the information and communication system.

 

_____    6.         Which of the following is not a control environment factor?

  • Board of directors.
  • Human resource policies.
  • Communication system.
  • Commitment to competence.
  •  

_____    7.         Effective internal control requires organizational independence of departments. Organizational independence would be impaired in which of the following situations?

  • The internal auditors report to the audit committee of the board of directors.
  • The controller reports to the vice president of production.
  • The payroll accounting department reports to the chief accountant.
  • The cashier reports to the treasurer.

 

_____    8.         The purpose of tests of controls is to provide reasonable assurance that the:

  • accounting treatment of transactions and balances is valid and proper.
  • controls are operating effectively.
  • entity has complied with disclosure requirements of generally accepted accounting principles.
  • entity has complied with requirements of quality control.
  •  

_____    9.         Tests of controls are most likely in which of the following situations?

  • When substantive procedures are being used as the only further audit procedures.
  • The cost of tests of controls is likely to exceed the savings brought about by a resulting decrease in the scope of substantive procedures.
  • The assessed level of the risk of misstatement includes a presumption that controls operate effectively.
  • Few transactions have occurred, but for very material amounts.

 

_____    10.      An auditor's flowchart of a client's internal control is a diagrammatic representation which depicts the auditors':

  • understanding of the system.
  • program for tests of controls.
  • documentation of control risk.
  • Planned tests of controls.

 

_____    11.      Which of the following is ordinarily considered a test of a control?

  • Send confirmation letters to financial institutions.
  • Count and list cash on hand.
  • Examine signatures on checks.
  • Obtain or prepare reconciliations of bank accounts as of the balance sheet date.
  •  

_____    12.      Taylor Sales Co. maintains a large full‑time internal audit staff which reports directly to the chief accountant. Audit reports prepared by the internal auditors indicate that internal control is functioning as it should and that the accounting records are reliable. The independent auditor will probably:

  • eliminate tests of controls.
  • increase the depth of the consideration of administrative controls.
  • avoid duplicating the work performed by the internal audit staff.
  • make limited use of the work performed by the internal audit staff.

 

_____    13.      Of the following statements about internal control, which one is not valid?

  • No one person should be responsible for the custodial responsibility and the recording responsibility for an asset.
  • Transactions must be properly authorized before such transactions are processed.
  • Because of the cost benefit relationship, a client may apply controls on a test basis.
  • Control activities reasonably insure that collusion among employees cannot occur.

 

_____    14.      Which of the following statements regarding auditor documentation of the client's internal control is correct?

  • Documentation must include flowcharts.
  • Documentation must include procedural write‑ups.
  • No documentation is necessary although it is desirable.
  • No one particular form of documentation is required, and the extent of documentation may vary.
  •  

_____    15.      When performing an audit of internal control, the period or date on which the opinion relates under PCAOB Standard No. 2 is the:

  • as of date.
  • entire period under audit.
  • last day of significant field work.
  • end of each quarter of the year.
  •  

_____    16.      Under PCAOB Standard No. 2, when a significant deficiency exists, the auditors’ report on internal control is most likely to include an opinion that is:

  • adverse.
  • disclaimer
  • qualified.
  • unqualified.
  •  

 


Exercises

1.            List four control environment factors.

a.            

 

b.            

 

c.            

 

d.            

 

2.            Define each of the following terms.

a.             Internal control questionnaire

b.             Internal control flowchart

c.             Walk‑through of the system

d.             Management letter

 

Source: http://highered.mheducation.com/sites/dl/free/0073010847/296569/ch07_studyguide.doc

Web site to visit: http://highered.mheducation.com

Author of the text: not indicated on the source document of the above text

If you are the author of the text above and you not agree to share your knowledge for teaching, research, scholarship (for fair use as indicated in the United States copyrigh low) please send us an e-mail and we will remove your text quickly. Fair use is a limitation and exception to the exclusive right granted by copyright law to the author of a creative work. In United States copyright law, fair use is a doctrine that permits limited use of copyrighted material without acquiring permission from the rights holders. Examples of fair use include commentary, search engines, criticism, news reporting, research, teaching, library archiving and scholarship. It provides for the legal, unlicensed citation or incorporation of copyrighted material in another author's work under a four-factor balancing test. (source: http://en.wikipedia.org/wiki/Fair_use)

The information of medicine and health contained in the site are of a general nature and purpose which is purely informative and for this reason may not replace in any case, the council of a doctor or a qualified entity legally to the profession.

 

Internal Control summary

 

Internal Control summary

 

The following texts are the property of their respective authors and we thank them for giving us the opportunity to share for free to students, teachers and users of the Web their texts will used only for illustrative educational and scientific purposes only.

All the information in our site are given for nonprofit educational purposes

The information of medicine and health contained in the site are of a general nature and purpose which is purely informative and for this reason may not replace in any case, the council of a doctor or a qualified entity legally to the profession.

 

Internal Control summary

 

www.riassuntini.com

 

Topics

Term of use, cookies e privacy

 

Contacts

Search in the site

Internal Control summary