6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk

McGraw-Hill/Irwin

©2002 by The McGraw-Hill Companies, Inc. All rights reserved.

6-1

Chapter 6Chapter 6

Internal Control Evaluation: Assessing Control Risk

McGraw-Hill/Irwin


6-2INTERNAL CONTROL -- AN INTERNAL CONTROL -- AN INTEGRATED FRAMEWORK (COSO)INTEGRATED FRAMEWORK (COSO)

Internal Control

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

(1) Reliability of financial reporting,

(2) Compliance with applicable laws and regulations,

(3) Effectiveness and efficiency of operations.

McGraw-Hill/Irwin


6-3

Internal Control—Integrated Framework (COS0)

McGraw-Hill/Irwin


6-4INTERNAL CONTROL -- ANINTERNAL CONTROL -- ANINTEGRATED FRAMEWORK (COSOINTEGRATED FRAMEWORK (COSO))

COMPONENTS OF INTERNAL CONTROL• CONTROL ENVIRONMENT• RISK ASSESSMENT• CONTROL ACTIVITIES• INFORMATION & COMMUNICATION• MONITORING

McGraw-Hill/Irwin


6-5

CONTROL ENVIRONMENTCONTROL ENVIRONMENT

• Sets the tone of an organization, influencing the control consciousness of its people.

• It is the foundation for all other components.

McGraw-Hill/Irwin


6-6

RISK ASSESSMENTRISK ASSESSMENT

• The entity's identification and analysis of relevant risks to achievement of its objectives.

McGraw-Hill/Irwin


6-7

CONTROL ACTIVITIESCONTROL ACTIVITIES

• The policies and procedures that help ensure management directives are carried out.– Information Processing

• Approvals and authorization

• Verifications and reconciliations– Physical controls over the security of assets– Segregation of duties– Performance reviews

McGraw-Hill/Irwin


6-8INFORMATION & INFORMATION & COMMUNICATIONCOMMUNICATION

• The identification, capture, and exchange of information in the form and time frame that enables people to carry out their responsibilities.

McGraw-Hill/Irwin


6-9

MONITORINGMONITORING

• The process that assesses the quality of the internal control's performance over time.

McGraw-Hill/Irwin


6-10

Responsibility for Internal ControlResponsibility for Internal Control

• Management responsibility– Foreign Corrupt Practices Act

• Auditor responsibility– Second standard of fieldwork

McGraw-Hill/Irwin


6-11Reasons for Internal Control EvaluationReasons for Internal Control Evaluation

• Planning the substantive audit program• Communicating internal control deficiencies

– Reportable conditions are matters the auditors believe should be communicated to the client’s audit committee because they represent significant deficiencies in the design or application of the internal controls that could adversely affect the organization’s ability to record, process, summarize, and report financial data in the financial statements.

• Report of material weaknesses– Material weaknesses are reportable conditions in which the

design or operation of internal controls does not reduce to a relatively low level the risk that material errors or frauds may occur and may not be detected within a timely period by employees in the course of performing their normal assigned functions.

McGraw-Hill/Irwin


6-12Reporting on Internal Control Related Matters Noted in an

Audit• Report, preferably in writing; if not, document

reporting via memoranda in working papers.• The auditor may communicate during or after

audit.• A previously communicated reportable

condition that has not been corrected ordinarily should be communicated again if there has been major turnover in upper-level management and the Board of Directors.

McGraw-Hill/Irwin


6-13Example Report of Reportable

Conditions In planning and performing our audit of the financial statements of the

ABC Corporation for the year ended December 31, 20XX, we considered its internal control structure in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on the internal control structure. However, we noted certain matters involving internal control and its operation that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control structure that, in our judgment, could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

[Include paragraphs to describe the reportable conditions noted.]

This report is intended solely for the information and use of the audit committee (board of directors, board of trustees, or owners in owner‑managed enterprises), management, and others within the organization (or specified regulatory agency or other specified third party).

McGraw-Hill/Irwin


6-14

Required Communication Required Communication with Audit Committeeswith Audit Committees

• The auditor should communicate the following issues to the Audit Committee:– The Auditor's Responsibility Under Generally Accepted

Auditing Standards– Significant Accounting Policies– Management Judgments and Accounting Estimates– Significant Audit Adjustments– Other Information in Documents Containing Audited

Financial Statements– Disagreements With Management– Consultation With Other Accountants– Major Issues Discussed With Management Prior to Retention– Difficulties Encountered in Performing the Audit– Reportable Conditions and MATERIAL WEAKNESSES

McGraw-Hill/Irwin


6-15Required Communication Required Communication

with Audit Committees with Audit Committees (Continued)(Continued)

• The communications may be oral or written.• When the auditor communicates in writing, the report

should indicate that it is intended solely for the use of the audit committee or the board of directors and, if appropriate, management.

• If information is communicated orally, the auditor should DOCUMENT the communication by appropriate memoranda or notations in the working papers.

• Communications with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.

McGraw-Hill/Irwin


6-16PHASES OF A CONTROL EVALUATIONPHASES OF A CONTROL EVALUATION

• Phase 1: Understand and Document– Understand the Client’s Internal Control

– Document the Internal Control understanding• Internal Control questionnaire

• Narrative

• Accounting and Control System Flowcharts

• Phase 2: Assess Control Risk (Preliminary)• Phase 3: Testing and Reassessment

– Perform Test of Controls Audit Procedures

– Re-Assess Control Risk

McGraw-Hill/Irwin


6-17

Phases of Internal Control Evaluation

McGraw-Hill/Irwin


6-18

Limitations of Internal ControlsLimitations of Internal Controls

• Collusion

• Management override

• Cost/benefit analysis

McGraw-Hill/Irwin


6-19

Cost-Benefit AnalysisCost-Benefit Analysis

• There is often a trade-off between the cost and the effectiveness of internal controls.

• The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.