McGraw-Hill/Irwin ©2005 by the McGraw-Hill Companies, Inc. All rights reserved. 5-1 Chapter 5 Internal Control Evaluation: Assessing Control Risk “If everything seems under control, you're just not going fast enough.” -- Mario Andretti, Race car driver



Chapter 5 Objectives

1. Distinguish between management’s and auditors’ responsibilities for a company’s internal control.
2. Define internal control.
3. Describe the five basic components of internal control and some of their characteristics.
4. Describe the phases of an evaluation of control and risk assessment.
5. Explain the communication of internal control deficiencies.
6. Explain the limitations of a company’s internal control.
7. Understand auditors’ responsibilities for evaluating internal controls under GAAS and PCAOB #2.


Responsibility for Internal Control

• Management responsibility
– Foreign Corrupt Practices Act
– Sarbanes-Oxley Act of 2002
• Auditor responsibility
– Second standard of fieldwork
– PCAOB #2


Exhibit 5-1: Trade-off Between Testing of Controls and Substantive Testing

[Figure labels: Substantive Testing; Testing of Controls; More Effective; More Efficient; Year-end; Interim]


Internal Control – An Integrated Framework (COSO)

Internal Control

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

(1) Reliability of financial reporting,

(2) Compliance with applicable laws and regulations,

(3) Effectiveness and efficiency of operations.


Exhibit 5-2: Internal Control—Integrated Framework


Internal Control – An Integrated Framework (COSO)

Components of internal control
• Control environment
• Risk assessment
• Control activities
• Information & communication
• Monitoring


Exhibit 5-3: Interrelated components of Internal Control

[Figure labels: Monitoring; Risk Assessment; Control Procedures; Control Environment; Information and Communication]


Control Environment

• Sets the tone of an organization, influencing the control consciousness of its people.

• It is the foundation for all other components.


CONTROL ENVIRONMENT

• MANAGEMENT'S PHILOSOPHY AND STYLE

• INTEGRITY AND ETHICAL VALUES

• PROVIDING AND COMMUNICATING MORAL GUIDANCE

• COMMITMENT TO COMPETENCE

• THE ENTITY'S ORGANIZATION STRUCTURE


CONTROL ENVIRONMENT (CONT.)

• THE FUNCTIONING OF THE BOARD OF DIRECTORS AND ITS COMMITTEES, PARTICULARLY THE AUDIT COMMITTEE

• METHODS OF ASSIGNING AUTHORITY AND RESPONSIBILITY (ACCOUNTABILITY)

• PERSONNEL POLICIES AND PRACTICES

• EXTERNAL INFLUENCES


PERSONNEL POLICIES AND PRACTICES

• RECRUITING AND HIRING
• ORIENTATION
• TRAINING
• COUNSELING
• RECOGNITION
• PROMOTION
• ADEQUATE PAY
• JOB ROTATION
• REQUIRED VACATIONS
• BONDING


Risk Assessment

• The entity's identification and analysis of relevant risks to achievement of its objectives.

• COSO's Enterprise Risk Management (ERM) framework


Exhibit 5-4: Enterprise Risk Management Framework

[Figure labels: Internal Environment; Monitoring; Information and Communication; Risk Response; Risk Assessment; Objective Setting; Event Identification; Control Procedures]


Control Procedures

• The policies and procedures that help ensure management directives are carried out.
– Physical controls over the security of assets
– Segregation of duties
– Information Processing
  • General Controls
  • Application Controls
– Performance reviews


Exhibit 5-5: Segregation of Duties

[Figure labels: Authorization; Custody; Recording; Reconciliation]


GENERAL CONTROLS

• ORGANIZATION

• PROCEDURES FOR CHANGES

• HARDWARE CONTROLS

• ACCESS CONTROLS

• CONTINGENCY PLANS


APPLICATIONS CONTROLS

• INPUT CONTROLS
• PROCESSING CONTROLS
• OUTPUT CONTROLS


Information & Communication

• The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.


Information and Communication

• Data identification

• Data description and entry

• Transaction measurement and processing

• Report production and distribution


Monitoring

• The process that assesses the quality of the internal control's performance over time.


Phases of a Control Evaluation

• Phase 1: Understand and Document
– Understand the Client’s Internal Control
– Document the Internal Control understanding
  • Internal Control questionnaire
  • Narrative
  • Accounting and Control System Flowcharts
• Phase 2: Assess Control Risk (Preliminary)
• Phase 3: Testing and Reassessment
– Perform Test of Controls Audit Procedures
– Re-Assess Control Risk


Exhibit 5-8: Phases of Internal Control Evaluation


Exhibit 5-10: Example Flowchart: Credit Approval and Sales Processing and Shipment


Limitations of Internal Controls

• Human error
• Collusion
• Management override
• Cost/benefit analysis

– There is often a trade-off between the cost and the effectiveness of internal controls.

– The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.


Exhibit 5-7: Internal Controls Maturity Framework

• Unreliable: Unpredictable environment where controls are not designed or in place.
• Informal: Controls are designed and in place but are not adequately documented.
• Standardized: Controls are designed, in place, and are adequately documented.
• Monitored: Standardized controls with periodic testing for effective design and operation with reporting to management.
• Optimized: Integrated internal controls with real-time monitoring by management and continuous improvement.

Source: PricewaterhouseCoopers, The Sarbanes-Oxley Act of 2002: Strategies for Meeting New Internal Control Reporting Challenges: A White Paper.


PCAOB Internal Control Standard

• Auditor Attests To Management’s Assessment
• Not A Separate Engagement
– Integrated Audit Of Internal Control And Financial Statements

• Objective—“to Form An Opinion As To Whether Management's Assessment Of The Effectiveness Of The Registrant's Internal Control Over Financial Reporting Is Fairly Stated in All Material Respects.”


Audit Of Internal Control--steps

• Planning The Audit
• Evaluating The Management’s Process For Assessing IC
• Obtaining An Understanding Of IC
• Evaluating Effectiveness
– Design
– Operation

• Forming An Opinion About Effectiveness


Evaluating Management's Assessment

• The More Extensive And Reliable Management’s Assessment Is, The Less Extensive The Auditor’s Work Needs To Be.

• Can Incorporate Work Of IA And Others
– Must Assess Competence And Objectivity
– Limited Reliance
– Can’t Reduce Work on Control Environment
• Auditor Must Perform Work Related To
– Company-wide Anti-fraud Programs
– Controls That Have A Pervasive Effect
– Auditor Must Obtain “Principal Evidence”


Planning The Audit

• Knowledge Of Industry

• Knowledge Of Business

• Extent Of Changes In Operations

• Extent Of Changes In IC


Obtain Understanding

• Must Understand That Controls Have Actually Been Implemented And Are Operating As Designed

• Must Perform Walkthroughs
– Major classes of transactions
– Routine And Unusual Transactions
• Identify Significant Accounts Processes
• Identify Relevant Assertions


Evaluating Effectiveness

• Design Effectiveness

– Will Controls Be Effective If Operated As Designed?

– Are All Necessary Controls In Place?

– Inquiry, Observation, Walkthroughs

– Specific Evaluation Of Whether The Controls Are Likely To Prevent Or Detect Financial Misstatements

– Specifically evaluate Audit Committee

– Can Use SAS 70 Report for Service Organizations


Evaluating Effectiveness

• Testing Operating Effectiveness
– Evaluation As Of End Of Fiscal Year
– Can Test At Different Times And Update
– Inquiries, Inspection Of Documentation, Observation, Reperformance.
– May Use Tests By Management, IAs And 3rd Parties
– Read IA Reports


Evaluating Results And Forming An Opinion

• “An Internal Control Deficiency Exists When The Design Or Operation Of A Control Does Not Allow The Company’s Management Or Employees, In The Normal Course Of Performing Their Assigned Functions, To Prevent Or Detect Misstatements On A Timely Basis.”


Evaluating Results And Forming An Opinion

• Significant Deficiency—more Than A Remote Likelihood Of A Misstatement Of The Annual Or Interim Financial Statements That Is More Than Inconsequential In Amount

• Material Weakness—more Than A Remote Likelihood Of A Material Misstatement

• Material Weakness = Adverse Opinion

• Significant Deficiencies And Material Misstatements Must Be Communicated In Writing To Audit Committee


Evaluating Results And Forming An Opinion

• Inadequate Documentation Is A Deficiency
– Design Of Controls
– Objectives Of Controls
– Qualifications Of People
– Process Used To Assess Effectiveness

• Nature And Results Of Tests


Significant Deficiencies

• Ineffective Control Environment

• Ineffective Oversight By Audit Committee.

• Material Misstatement Not Identified or Prevented By Internal Controls.

• Significant Uncorrected Deficiencies


Report

• Two Opinions
– Management’s Assessment
– Effectiveness Of Controls Over Financial Reporting
• No Material Weaknesses—Unqualified Opinion.
• Cannot Perform All Procedures—Qualify Or Disclaim Opinion
• If Opinion Cannot Be Expressed—Explain Why
• Management Certifies Responsibility Quarterly

– Auditor Performs Limited Procedures.


Reporting on Internal Control Related Matters Noted in an Audit

• Sarbanes-Oxley requires that the report be in writing.

• The auditor may communicate during or after audit.

• Communications with management are not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.


Example Report of Significant Deficiencies

In planning and performing our audit of the financial statements of Apollo Shoes, Inc. for the year ended December 31, 2004, we considered its internal control in order to determine our audit procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on the internal control system. Our consideration of internal control would not necessarily disclose all deficiencies in internal control that might be significant deficiencies. However, we noted a certain matter involving the internal control and its operation that we consider to be a significant deficiency under standards established by the American Institute of Certified Public Accountants. A significant deficiency involves a matter coming to our attention relating to a weakness in the design or operation of the internal control that, in our judgment, could adversely affect the company’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements.

[Include paragraphs to describe the significant deficiencies noted.]

This report is intended solely for the information and use of the board of directors and its audit committee and is not intended to be and should not be used by anyone other than these specified parties.