2010 CMA Part 1 Section D – Internal Controls

New CMA Part 1 Section D

Page 1: 2010 CMA Part 1 - Section D Internal Controls

Page 2: Section D – Internal Controls
• This section is 15% of Part 1
• Five larger categories of topics are included in this section:
– Risk assessment, controls and risk management
– Internal auditing
– Systems controls and security measures
– Internet security
– Contingency planning

Page 3: Risk Assessment, Controls, and Risk Management

Page 4: Benefits of Internal Control
• The internal controls of a company are an important part of its overall operations. A strong internal control system will provide many benefits:
– Lower external audit costs,
– Better control over and usage of company assets, and
– More reliable information that may be used for decision making by managers and others in the company.
• A company with weak internal controls is putting itself at risk for employee theft, loss of control over the information relating to operations, and other inefficiencies in operations and decision-making.

Page 5: Internal Control Definition and Objective
• Internal control is the method or process performed by a company that is designed to provide reasonable assurance that three things will be achieved:
1. Effectiveness and efficiency of operations,
2. Reliability of financial reporting, and
3. Compliance with applicable laws and regulations.
• Objectives #2 and #3, the financial reporting and compliance objectives, are based on standards imposed by external entities (example: SEC). Internal control only provides reasonable assurance, not a guarantee, that these goals will be achieved.

Page 6: Internal Control Definition and Objective Cont’d
• Regarding point #1: an internal control system cannot provide reasonable assurance that operations objectives will be met. It provides only reasonable assurance that management and the board of directors are made aware in a timely manner of the progress towards achieving operational objectives.
• Therefore, internal control can be judged effective if management has reasonable assurance that:
– They understand the extent to which the company’s operations objectives are being achieved;
– Published financial statements are prepared reliably;
– Applicable laws and regulations are being complied with.

Page 7: Who is Interested in the IC of a Company?
• There are a number of diverse parties that are interested in the internal control system of a company:
– Investors and potential investors rely on the IC system to be able to evaluate management and the performance of the company.
– External auditors will base the amount of work that they perform in part on the effectiveness of the IC system.
– Legislative and regulatory bodies rely on the IC system to help ensure that the company is operating in compliance with applicable laws and regulations.
– Management uses the information that comes out of the internal systems, so management needs to make certain that the information it receives is correct.
– Customers may benefit from a strong internal control system because it may reduce the costs of production and therefore also the products’ costs.

Page 8: Who is Responsible for Internal Control?
• The COSO report, Internal Control – Integrated Framework (1992), defined the responsibility of the groups or persons listed below to maintain and assess internal controls as follows:
– The board of directors is responsible for overseeing the internal control system, providing governance, guidance and insight.
– The CEO is ultimately responsible for the internal control system and the “tone at the top”.
– Senior managers delegate responsibility for establishment of specific internal control policies and procedures to personnel responsible for each unit’s functions.

Page 9: Who is Responsible for Internal Control? Cont’d
• The COSO report, Internal Control – Integrated Framework (1992), defined the responsibility of the groups or persons listed below to maintain and assess internal controls as follows (cont’d):
– Financial officers and their staffs are central to the exercise of control.
– Internal auditors play a monitoring role by evaluating the effectiveness of the internal controls.
– Virtually all employees are involved in internal control:
• they produce information used in the internal control system or carry out activities that put the internal control system into effect;
• they inform their managers if they become aware of problems in operation or that rules or policies are being violated.

Page 10: Components of Internal Control
• The COSO report, Internal Control – Integrated Framework, lists five interrelated components that make up internal control:
1. The Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
• Note: These elements may be remembered by the mnemonic CRIME, as identified by the bold letters in the list above.

Page 11: Component #1: Control Environment
• This is the most important element of internal controls because it is the basis on which the other elements are built.
• Factors that influence the scope and effectiveness of the control environment include:
– Integrity and ethical values of the entity’s people
– A commitment to competence
– The attention and direction provided by the board of directors and/or audit committee
– Management’s philosophy and operating style
– The company’s organizational structure

Page 12: Component #1: Control Environment cont’d
• Factors that influence the scope and effectiveness of the control environment include (cont’d):
– The way management assigns authority and responsibility for operating activities
– Human resource policies and practices

Page 13: Component #1: Control Environment cont’d
• Internal controls are more likely to function well if management believes that the controls are important and communicates that support to all employees. They set a positive “tone at the top” by:
– transmitting guidance both verbally and by example, communicating the entity’s values and code of conduct;
– fostering a “control consciousness” by setting formal and clearly communicated policies and procedures;
– specifying the competence level needed for particular jobs and delegating authority accordingly;
– working closely with a board of directors who help ensure the company is operating in the best interest of the shareowners.

Page 14: Component #2: Risk Assessment
• Once the company objectives are defined, risk identification can begin.
– Risks can exist at the entity level or the activity level
– Risks can be both internal and external
• After the company has identified its entity-level and activity-level risks, it should perform a risk analysis:
– To estimate the significance of each risk
– To assess the likelihood or frequency of each risk’s occurring
– To consider how each risk should be managed by assessing what actions need to be taken.

Page 15: Component #2: Risk Assessment cont’d
• Within the control environment, management is responsible for assessment of the risks that the company faces.
• Risk assessment is the process of identifying, analyzing and managing the risks that have the potential to prevent the organization from achieving its objectives.
– The company’s objectives must be established before the risks to them can be assessed. Objective setting is therefore a key part of the management process of risk assessment.

Page 16: Component #2: Risk Assessment cont’d
• Once the significance and likelihood of risks have been assessed, the following steps should be taken to manage the identified risks:
– The amount of potential loss from each identified risk should be estimated to the extent possible.
– Consider how each risk should be managed by determining what can be done and analyzing the costs, if any, associated with managing each risk.
– Procedures should be established to ensure that the risk management plans are actually carried out. These procedures are the control activities.

Page 17: Component #3: Control Activities
• After the risks have been assessed, controls should be designed to limit the risk. To accomplish this, control activities are implemented.
• These activities are the policies that are developed to address the risks of the company, and the procedures that ensure the policies will be followed.
• Any control implemented must have a benefit that is greater than the cost of that control.
– Because of this, not all controls are implemented, and the control environment cannot provide a guarantee that all risks are eliminated.

Page 18: Component #3: Control Activities cont’d
• Control activities may be classified by their objective:
– Preventive controls attempt to prevent the mistake or problem from ever occurring in the first place.
– Directive controls attempt to ensure the occurrence of a desirable event.
– Detective controls attempt to find the mistake or problem after it has occurred.
– Corrective controls attempt to fix the problem after it has occurred.
– Compensating controls attempt to address a weakness in controls in one place by setting up additional controls in a related area.

Page 19: Component #3: Control Activities cont’d
• Examples of control activities are:
1. Top-level reviews
2. Direct functional or activity management
3. Information processing
4. Independent checks
5. Performance indicators
6. Physical controls to safeguard assets
7. Documents and records
8. Authorization
9. Segregation of duties

Page 20: Component #4: Information and Communication
• Information needs to be obtained and communicated to people to allow them to perform their duties.
– Communication must be ongoing
– Duties and responsibilities need to be communicated to all affected parties so that they are able to communicate significant information upstream
– Reports containing operational, financial, and compliance information must be available for informed decisions
– Some information must be communicated to those outside the organization and must also be available from external sources

Page 21: Component #4: Information and Communication cont’d
• Some examples of communication that should take place include:
– Information systems must provide reports to appropriate personnel so they can carry out their responsibilities.
– All personnel need to receive clear communication from top management that their internal control responsibilities must be taken seriously. Each person needs to understand his or her role in the internal control system and how the system works.
– People need to know what behavior is expected of them and what behavior is unacceptable.
– Employees need to know that if they report a suspected violation of the company’s code of conduct, they will not get into trouble for it.

Page 22: Component #4: Information and Communication cont’d
• Some examples of communication that should take place include:
– Communications between management and the Board of Directors are vital. Senior management must inform board members about performance, new developments, major initiatives, potential risks, and other relevant information.
– Appropriate communication is also needed with those who are outside of the organization. Communications from outside parties such as external auditors can provide important information about the functioning of the internal control system.
– Any outsider dealing with the company must be informed that improper actions such as kickbacks or other improper incentives from vendors will not be tolerated.

Page 23: Component #5: Monitoring
• Monitoring is the process of reviewing the controls over time to make sure that they are still relevant and still functioning as they were intended.
• As technologies change and business operations change, some of the controls that had been relevant may no longer be relevant.
• Monitoring needs to be undertaken on a regular (if not relatively constant) basis.
• Monitoring can be done in two ways:
1. Ongoing monitoring during normal operations
2. Separate evaluations by management with the assistance of the internal audit function

Page 24: Segregation of Duties
• Duties need to be divided among various employees to reduce the risk of errors or inappropriate activities. No single individual should have enough responsibility to be in a position to both perpetrate and conceal irregularities.
• Note: Different people must always perform the following four functions:
– Authorizing a transaction.
– Recording the transaction, preparing source documents, maintaining journals.
– Keeping physical custody of the related asset.
– The periodic reconciliation of the physical assets to the recorded amounts for those assets.
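The following is an added example, not part of the slides or of any CMA study material, showing how the four-function rule above can be checked mechanically. It uses two of the control types from the Control Activities slides: a preventive check that flags any person whose entitlements (roles) span more than one of the four functions before access is granted, and a detective check that reads a log of who actually performed each function on a transaction and flags anyone who performed two or more. The roles, user names, transaction ids and log records are constructed sample data and the role-to-function mapping is a hypothetical one.

```python
"""Segregation-of-duties (SoD) conflict checks over constructed sample data."""
from collections import defaultdict

# The four functions the slide says must be performed by different people.
SOD_FUNCTIONS = ("authorize", "record", "custody", "reconcile")

# Hypothetical role -> set of SoD functions that role grants (constructed).
ROLE_FUNCTIONS = {
    "ap_approver": {"authorize"},
    "ap_clerk": {"record"},
    "warehouse": {"custody"},
    "controller": {"reconcile"},
    "ap_admin": {"authorize", "record"},   # a single role that spans two functions
}

# Constructed sample: person -> roles assigned to that person.
USER_ROLES = {
    "alice": {"ap_approver"},
    "bob": {"ap_clerk"},
    "carol": {"warehouse", "controller"},  # custody + reconcile through two roles
    "dave": {"ap_admin"},                  # authorize + record through one role
}

# Constructed activity log: (transaction_id, function, person who performed it).
ACTIVITY_LOG = [
    ("PO-1001", "authorize", "alice"),
    ("PO-1001", "record", "bob"),
    ("PO-1001", "custody", "carol"),
    ("PO-1001", "reconcile", "erin"),
    ("PO-1002", "authorize", "alice"),
    ("PO-1002", "record", "alice"),     # alice both authorized and recorded
    ("PO-1002", "custody", "carol"),
    ("PO-1002", "reconcile", "carol"),  # carol both held custody and reconciled
]


def user_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Return the set of SoD functions a user can perform through all of their roles."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs & set(SOD_FUNCTIONS)


def entitlement_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Preventive check: users whose entitlements cover two or more of the four functions.

    Returns {user: (sorted functions)} so it can be applied when roles are provisioned,
    before any transaction happens.
    """
    conflicts = {}
    for user in sorted(user_roles):
        funcs = user_functions(user, user_roles, role_functions)
        if len(funcs) > 1:
            conflicts[user] = tuple(sorted(funcs))
    return conflicts


def transaction_conflicts(log=ACTIVITY_LOG):
    """Detective check: within one transaction, one person performed two or more functions.

    Returns a list of (transaction_id, person, (sorted functions)) for review.
    """
    performed = defaultdict(lambda: defaultdict(set))
    for txn, func, person in log:
        if func in SOD_FUNCTIONS:
            performed[txn][person].add(func)
    conflicts = []
    for txn in sorted(performed):
        for person, funcs in sorted(performed[txn].items()):
            if len(funcs) > 1:
                conflicts.append((txn, person, tuple(sorted(funcs))))
    return conflicts


if __name__ == "__main__":
    for user, funcs in entitlement_conflicts().items():
        print(f"entitlement conflict: {user} can {' + '.join(funcs)}")
    for txn, person, funcs in transaction_conflicts():
        print(f"transaction conflict: {txn}: {person} performed {' + '.join(funcs)}")
```

The entitlement check is the cheaper control because it stops the conflict at provisioning time; the log-based check is still needed because a person may acquire a second function through an emergency or shared account that the role model does not record, which is exactly the "perpetrate and conceal" situation the slide warns about.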

Page 25: Responsibilities of the Board of Directors
• The board of directors of a company is responsible for ensuring that the company is operated in the best interest of the shareholders.
• The board’s general responsibility is to provide governance, guidance and oversight of the management of the company. Specifics related to internal control include:
– Selecting management
– Defining expectations of management regarding integrity and ethics
– Playing a role in the strategic objective setting and planning
– Investigating issues that they judge important

Page 26: Responsibilities of the Board of Directors cont’d
• Board members are responsible for questioning and scrutinizing management’s activities. Therefore it is important that the board has members who are independent of the company.
– An independent director has no material relationship with the company. An independent director is not an officer or employee of the company and is not active in the day-to-day management of the company.
• Most boards of directors carry out their duties through committees. Committees are made up of selected board members and are smaller working groups of directors that are tasked with specific oversight responsibilities. One of the committees whose membership is prescribed by SEC regulations is the audit committee.

Page 27: The Audit Committee
• Audit committees of boards of directors were first recommended by the SEC in 1972. Stock exchanges began requiring, or at least recommending, that listed companies have audit committees. Thereafter the responsibilities of audit committees increased over the years and have been formalized by statute.
• The Sarbanes-Oxley Act of 2002 increased audit committees’ responsibilities further. It also increased the qualifications required for members of audit committees and it increased the authority of audit committees.

Page 28: The Audit Committee cont’d
• The major requirements for audit committees and their members:
– They consist of at least 3 members
– Members must be independent (example: not employed by the company)
– At least one member must have accounting or financial management expertise
– All members must be financially literate (at the time of appointment or shortly thereafter)
– The New York Stock Exchange requires a 5-year “cooling off” period during which former employees of the company or its external auditor are not allowed to serve on the audit committee

Page 29: The Audit Committee cont’d
• The responsibilities of the Audit Committee include:
– Being an intermediary between management, the external auditor and the internal auditor,
– Nominating an external auditor,
– Discussing the scope of the audits with the internal and external auditors,
– Reviewing the results of the audits,
– Reviewing evaluations of internal controls,
– Reviewing the work of the internal auditors,
– Reviewing the interim and annual financial statements.

Page 30: Legislative Initiatives on Internal Control
• There are a handful of legislative initiatives regarding internal control issues that we will look at in more detail:
– The Foreign Corrupt Practices Act
– Sarbanes-Oxley Act
– SEC Release 33-8810

Page 31: The Foreign Corrupt Practices Act
• This Act was passed in response to the discovery in the 1970s that American companies were making large, questionable or illegal payments to foreign governments, officials or politicians.
• This is an amendment to the 1934 Securities Exchange Act.
• There are two main provisions:
– Anti-bribery provisions
– Accounting provisions

Page 32: Applicability and Responsibility
• The anti-bribery provisions apply to all companies, whether or not they are publicly traded and registered with the SEC.
• The accounting provisions are applicable only to companies that are under the regulation of the SEC.
• The responsibility for compliance with the Act is given to the company as a whole.
– Responsibility is not placed with a specific person or position, but with everyone within the organization.
– However, individuals are personally liable for their actions.

Page 33: Anti-Bribery Provisions
• It is illegal to offer or authorize corrupt payments to any foreign official, foreign party chief or official, or a candidate for political office in a foreign country.
– It is also illegal to make these payments through another party (an intermediary).
• A corrupt payment is one that intends to cause the recipient to misuse their position in order to direct business to the payer of the corrupt payment.
– A payment is corrupt simply by the fact that it is made. Even if the benefits that were expected are not received, the payment was corrupt.

Page 34: Accounting Provisions
• Management is required to maintain records, books and accounts that represent transactions properly.
• Management must also develop and implement a system of internal controls.
– The logic is that if the company has an effective internal control system, it will be more difficult for corrupt payments to be made.

Page 35: Penalties of the FCPA
• Fines for making illegal payments are:
– Up to $2 million in fines against the company, and
– Up to $100,000 in fines and 5 years of imprisonment for individuals who make or authorize an illegal transaction.
• Companies can also be prevented from participating in government contracts and have their export license revoked. Shareholders are also able to file lawsuits against the company for illegal payments.

Page 36: Sarbanes-Oxley Internal Control Provisions
The Sarbanes-Oxley Act was enacted in 2002. Its provisions with respect to internal control are:
• Audit committees are to be responsible for the appointment, compensation and oversight of the registered public accounting firm.
• Audit committees are to have the authority and funding to engage independent counsel and advisors as deemed necessary.
• Auditors are to report directly to the audit committee.
• Members of the audit committee must be truly independent.

Page 37: Sarbanes-Oxley (cont.)
• It is unlawful for any corporate officer or director, or person acting under their direction, to fraudulently influence, coerce, manipulate or mislead any accountant engaged in preparing an audit, for the purpose of causing the audit report to be materially misleading.
• The company’s annual report filed with the SEC must be accompanied by a statement of management that management is responsible for creating and maintaining adequate internal controls, along with a statement of management’s assessment of the effectiveness of these controls.

Page 38: Sarbanes-Oxley Internal Control Provisions (cont.)
• There are several main aspects of Sarbanes-Oxley (SOX) that we will now cover in more detail. They include:
1. The Public Company Accounting Oversight Board (PCAOB)
2. SOX Section 302 – Corporate Responsibility for Financial Reports
3. SOX Section 404 – Management Assessment of Internal Controls
4. PCAOB Auditing Standard 5 and the preferred approach to auditing internal controls

Page 39: Public Company Accounting Oversight Board
• Title 1 of the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing of public companies that are subject to the securities laws.
• The board:
– Contains 5 board members appointed by the SEC
– Includes only members who are financially literate and must be from the private sector
– Only 2 of the board members can be CPAs.
• The PCAOB has many responsibilities. Its role of providing guidance to auditors on their auditing of internal controls is just one responsibility.

Page 40: Public Company Accounting Oversight Board Cont’d
• The primary responsibilities of the PCAOB include:
– Registering accounting firms that audit public companies.
– Establishing standards related to the preparation of audit reports regarding auditing, quality control, ethics, and independence.
– Conducting inspections of registered public accounting firms for compliance with the Sarbanes-Oxley Act, the rules of the Board, the rules of the SEC, and other professional standards.
– Enforcing compliance with appropriate laws and professional standards relating to audit reports and the obligations of accountants for them.
– Conducting investigations and disciplinary proceedings and imposing appropriate sanctions.

Page 41: SOX Section 302
• Section 302 relates to the corporate responsibility for financial reports.
• Each annual or quarterly report of a company must include certifications by the CEO and CFO that:
– They have reviewed the report
– The report does not contain any untrue statement of a material fact or omit to state any material fact that could make the report misleading
– Based upon their knowledge, the financial statements fairly present in all material respects the financial condition and results of operations of the company
– They understand that they are responsible for internal controls in the company

Page 42: SOX Section 302 cont’d
• Each annual or quarterly report of a company must include certifications by the CEO and CFO that (cont’d):
– They have disclosed required information to the company’s auditors and the audit committee of the board of directors, including:
• Any fraud that involves management or other employees with significant responsibilities in the company’s internal controls
• All deficiencies in the design or operation of the company’s internal controls
– They have disclosed in the report any material changes in the company’s internal controls that have occurred after the report date but prior to its publication

Page 43: SOX Section 404
• Section 404 relates to the management assessment of internal control.
• Each annual report required by the SEC must contain an assessment by management of the adequacy of the company’s internal control over financial reporting (ICFR for short). This internal control report shall:
– State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
– Contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting as of the fiscal year-end

Page 44: SOX Section 404 cont’d
• The SEC provided interpretive guidance (SEC Release No. 33-8810) to implement Section 404. The guidance is organized around two broad principles:
1. Management should determine whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
2. Management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.

Page 45: PCAOB Auditing Standard #5
• PCAOB Auditing Standard No. 5 calls for a top-down, risk-based approach to assessing and attesting to internal controls. Important details regarding this approach are:
– A risk-based approach begins by identifying the risks that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
– The auditor should perform procedures such as inquiry, inspection of documents, or walkthroughs (a combination of the preceding procedures) to understand and identify the likely sources of potential misstatements.
– A fraud risk assessment should be taken into account during the audit of internal controls.

Page 46: PCAOB Auditing Standard #5 cont’d
• The steps to follow in a top-down, risk-based auditing approach are:
1. Start with entity-level controls
2. Identify entity-level controls
3. Identify significant accounts and disclosures and their relevant financial statement assertions
4. Understand the likely sources of misstatement
5. Select controls to test
6. Test design effectiveness and operating effectiveness of the controls
7. Evaluate identified deficiencies

Page 47: SEC Release 33-8810
• SEC Release 33-8810, the guidance for management in assessing its internal control over financial reporting, also contains information about how a risk-based, top-down approach to assessing internal control over financial reporting should be performed. It reports the following steps to follow:
1. Identify financial reporting risks and controls
2. Evaluate evidence of the operating effectiveness of the internal controls over financial reporting
3. Consider the impact of multiple locations adequately (rely on central controls? review of remote locations, etc.)
4. Evaluate control deficiencies to determine whether they are a material weakness

Page 48: What Internal Controls Can and Cannot Do
• Internal controls can help an organization get to where it wants to go.
• Internal controls can help an organization achieve its goals and prevent loss of resources.
• Internal controls can ensure reliable financial reporting.
• Internal controls can ensure that the organization complies with laws and regulations.
• Internal controls cannot provide a guarantee. They can provide only reasonable assurance to management and the board of directors regarding achievement of the entity’s objectives.

Page 49: Internal Auditing

Page 50: Internal Auditing
• The IIA defines internal auditing as: “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
• Internal auditing provides a mechanism for management to monitor the reliability of financial reporting and the company’s control over operations.

Page 51: Types of Internal Auditing Services
• Internal auditing services fall into three fundamental categories:
1. Operational – reviewing the various functions within the organization in order to appraise the efficiency and economy of operations and the effectiveness with which the functions achieve their objectives.
2. Financial – reviewing the economic activity of the organization as it is measured and reported by accounting methods.
3. Compliance – reviewing both financial and operating controls and transactions to determine whether they conform to laws, standards, regulations and procedures.

Page 52: Responsibilities of Internal Auditors
• The responsibility of the internal audit function is to review and appraise policies, procedures, plans and records for the purpose of informing and advising management.
• Perhaps more important is what internal audit is not responsible for.
– Internal audit is not responsible for and has no authority over operating activities.
– Internal audit makes no decisions about what should be done; they provide information and advice, and then management makes a decision.
– Internal audit may help with implementation, but management makes the decision.

Page 53: Internal Auditors and the Internal Control System
• The internal auditors are not responsible for the internal control system (management is responsible for that).
• The internal auditor’s function is to test, examine, review, evaluate and make recommendations about the internal control system.
• In this way, internal auditing assists management in carrying out its monitoring responsibilities.

Page 54: New CMA Part 1 Section D

Organizational Status

• The internal audit function should report to the board of directors through the audit committee.
• The internal auditors need to be perceived as an important part of the company in order to be able to do their job effectively.
  – People in the company need to know that the board will listen to what the auditors say and therefore the conclusions of the auditor are important.
• By reporting to a high level the function has organizational independence. This means that they do not have any direct relationships with those they are auditing. The people they are auditing cannot tell them what to do or fire them.

Page 55: New CMA Part 1 Section D

Internal Auditors and External Auditors

• External auditors are focused on one thing – the opinion about the financial statements.
  – External auditors are not concerned about the efficiency or effectiveness of operations, just that the financial statements reflect fairly the operations of the company.
• Internal auditors have a wider range of interests and engagements. They compare “what is” in the company with “what should be” and report to management their findings. In addition to their findings, the internal auditor develops and reports recommendations for improvement.

Page 56: New CMA Part 1 Section D

Coordination of Internal and External Auditors

• Some of the work of the internal auditors may be relevant to and used by the external auditor.
• Before using the work of the internal auditors, however, the external auditor must assess the internal auditors’
  – Competence (how well they do their job), and
  – Objectivity (their organizational independence, or their role within the organization).

Page 57: New CMA Part 1 Section D

Use of the Internal Auditor’s Work

• If the external auditor decides to use some of the work of the internal auditor,
  – The external auditor will supervise, manage and review all of the work done by the internal auditors.
  – The internal auditors will not assess risk.
  – The internal auditors will not draw any conclusions.
  – The internal auditor will be more likely to be used in areas that are objective (existence of fixed assets) than subjective (valuation of future cash flows).

Page 58: New CMA Part 1 Section D

Types of Engagements

• Internal auditors perform two basic types of services:
  1. Assurance services: performing an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
  2. Consulting services: advisory and other related client service activities. They are usually performed at the request of the client, and their nature and scope are agreed upon with the client. They are intended to add value and improve an organization’s governance, risk management and control processes.

Page 59: New CMA Part 1 Section D

Assurance Services

Assurance services include:
1. Financial audit: analyze the economic activity as measured and reported by accounting methods. The goal is to determine whether financial assertions can be proven:
   • Existence or occurrence
   • Completeness
   • Rights and obligations
   • Valuation or allocation
   • Presentation and disclosure
2. Performance (or operational) audit: it focuses on the efficiency, effectiveness, and economy of the company’s internal control system based upon the company standards.

Page 60: New CMA Part 1 Section D

Assurance Services cont’d

Assurance services include (cont’d):
3. Audit of financial controls: involves examining two aspects of financial internal controls:
   • Controls over financial resources
   • Controls over the accounting for financial resources
4. Compliance audit: performed in order to determine whether an organization is operating in an orderly way, effectively and visibly conforming to certain specific requirements of its policies, procedures, or standards.
5. System security audit: auditing the controls in place for information systems.
6. Due diligence engagement: to confirm company records, both financial and those of property ownership.

Page 61: New CMA Part 1 Section D

Consulting Services

• Examples of consulting services include:
  1. Quality audit: evaluating the quality of the product or service being provided.
  2. Special engagements: an example of a special engagement is a fraud audit. Fraud audits are performed for the purpose of discovering the presence, scope and means of either misappropriation of assets or fraudulent reporting.
• Consulting services are intended to add value and improve an organization’s activities in a specific area without assuming management responsibility.

Page 62: New CMA Part 1 Section D

Consulting Services cont’d

• Per Internal Auditing Standard No. 2120, the internal auditor should follow these standards during a consulting engagement:
  – Address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
  – Incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
  – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

Page 63: New CMA Part 1 Section D

Which Audit Engagements to Accept

• The beginning of the audit process is to determine which engagements to conduct.
• The chief audit executive makes the decisions regarding which engagements to perform based upon risk-based factors such as:
  – Length of time since the last audit was performed in this area
  – Requests from senior management
  – Relation of the proposed engagement to the external audits of financial statements and internal controls
  – Changing circumstances in the business, operations, systems or controls
  – Potential benefit that could be achieved by the engagement

Page 64: New CMA Part 1 Section D

Audit Planning

• According to Internal Auditing Standard 2201, the internal auditor considers the following in planning the engagement:
  – The objectives of the activity being reviewed and the means by which the activity controls its performance;
  – The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
  – The adequacy and effectiveness of the activity’s risk management and control processes compared to a relevant control framework or model;
  – The opportunities for making improvements to the activity’s risk management and control processes.

Page 65: New CMA Part 1 Section D

Establishing Audit Objectives

• When establishing an audit’s objectives, Internal Auditing Standard 2210 states that the auditor must:
  – Conduct a preliminary assessment of the risks relevant to the activity under review.
  – Consider the probability of significant errors, fraud, noncompliance, and other exposures.
  – Ensure that adequate criteria are available to evaluate controls. If they are adequately defined by management, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.
  – Address governance, risk management, and control processes to the extent agreed upon with the client during consulting engagements.

Page 66: New CMA Part 1 Section D

Assessing Audit Risk

• Assessing audit risk is an important part of the audit process. Audit risk is the risk that the auditor will conclude that everything is working properly when, in fact, it is not working correctly. It is made up of three components:
  – Inherent risk (IR) – the risk that exists in what is being audited: the risk of a problem in the absence of controls.
  – Control risk (CR) – the risk that a mistake is NOT prevented or detected by the internal control system.
  – Detection risk (DR) – the risk that the mistake is NOT detected by the auditor.
• The audit risk is calculated by multiplying these risks together: AR = IR × CR × DR

Page 67: New CMA Part 1 Section D

Assessing Audit Risk cont’d

• Control risk and detection risk operate inversely to each other.
  – If control risk decreases (the internal controls are better), the detection risk can be increased (auditors do less testing) and the audit risk will remain the same.
  – If control risk increases (the internal controls are worse), the detection risk can be decreased (auditors do more testing) and the audit risk will remain the same.
• The auditor assesses inherent and control risk, but is able to influence only detection risk.

Page 68: New CMA Part 1 Section D

Understanding Internal Controls in the Planning

• After the engagement objectives are determined and the inherent risks identified, the next step is the understanding of internal controls.
• The auditor’s understanding needs to encompass the 5 components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring.
• The auditor will use this understanding to:
  – Identify types of potential misstatements that may occur in whatever is being audited
  – Consider factors related to risk of material misstatement
  – Design the substantive tests to be performed

Page 69: New CMA Part 1 Section D

Flowcharting

• Internal control systems may be documented in a flowchart.
  – A systems flowchart (or horizontal flowchart) shows departments and functions across the top and documents manual and automated processes. Control points are identified.
  – A program flowchart (or vertical flowchart) shows the steps in the process and how they will be executed.
  – A data flow diagram is a graphic representation of the internal control system.

Page 70: New CMA Part 1 Section D

The Internal Audit Program

• The audit program is written after the assessment of the relevant internal controls.
• The program should include the objectives of the area to be audited and the controls in place to achieve the area’s objectives, which determine the audit objectives.
• It gives details on the procedures to be followed to reach the objectives of the audit: what is to be done and how it will be done.
• It must be written and must be detailed enough so that the auditors know what is to be done.
• It is used to supervise and review the work.
• Standardized audit programs may be used when appropriate.

Page 71: New CMA Part 1 Section D

Audit Evidence

• Evidence is what the auditor gathers to be able to support their conclusion. The evidence should be:
  – Sufficient – there must be enough evidence
  – Competent – it must be reliable and the best available
  – Relevant – must be consistent with the objectives of the audit
  – Useful – assists the organization to achieve its goals
• The most competent, or best, source of evidence is something obtained by the auditor directly. Evidence from the client is the worst, and evidence from a third party is in the middle.

Page 72: New CMA Part 1 Section D

Audit Evidence cont’d

• Audit evidence is classified according to legal rules of evidence. These include:
  – Direct – acquired directly by the party offering it
  – Hearsay – secondhand account where the witness does not have personal direct knowledge
  – Documentary – any original record, deed, or document
  – Opinion – not generally considered useful evidence
  – Circumstantial – evidence that is consistent with a particular inference
  – Secondary – not the original documentation
  – Corroborative – supports other evidence
  – Conclusive – it is indisputable

Page 73: New CMA Part 1 Section D

Auditing Financial Controls

• The Sarbanes-Oxley Act requires management to assess the adequacy of the company’s internal controls over financial reporting. Internal auditors can assist in this through an audit of financial controls.
• A financial audit focuses on accounting controls. An operational audit focuses on administrative controls.
  – Accounting controls are concerned with the integrity and accuracy of the accounting system and the financial reports being generated.
  – Administrative controls are more focused on management’s operating objectives.

Page 74: New CMA Part 1 Section D

Auditing Financial Controls cont’d

• Accounting controls are intended to achieve the following characteristics for the financial records:
  – Completeness: Are all of the transactions reflected in or captured by the accounting system?
  – Validity: Are only valid transactions recorded?
  – Authorization: Are all transactions properly authorized?
  – Accuracy: Are reported numbers accurate representations of the economic transactions that have occurred?

Page 75: New CMA Part 1 Section D

Objectives of an Audit of Controls

• An audit of controls has the following objectives:
  1. Determine if controls are in place
  2. Determine if the existing controls are structurally sound
  3. Determine if the controls are designed to achieve a specific management objective, to achieve compliance with predetermined requirements, or to ensure accuracy and propriety of transactions
  4. Determine whether the controls are being used properly
  5. Determine if the controls are efficiently serving their purpose
  6. Determine whether the controls are effective
  7. Determine if management is using the output of the control system

Page 76: New CMA Part 1 Section D

Testing Compliance with Controls

• The auditor investigates the following to test compliance with controls and evaluate their effectiveness:
  1. Are procedures being followed?
  2. Is the output being used?
  3. Is the input into the system valid, accurate, and reasonable?
  4. If the system is computerized, is it operating properly?
  5. Is the output of the control operation valid?
  6. Is the control output achieving management’s objective in establishing the control?
  7. Is the control system operating as intended?

Page 77: New CMA Part 1 Section D

Testing Compliance with Controls cont’d

• The auditor investigates the following to test compliance with controls and evaluate their effectiveness (cont’d):
  8. Does the control system have the following required characteristics?
     • Flexibility
     • Timeliness
     • Accountability
     • Cause identification
     • Appropriateness
     • Placement

Page 78: New CMA Part 1 Section D

Testing Compliance with Controls cont’d

• Procedures the auditor performs to test operating effectiveness of controls include a mix of tests. Some types of tests produce greater evidence of the effectiveness of the controls than other tests.
• Here are the tests that an auditor might perform in order of the evidence they would usually produce, from the lowest quality evidence to the highest quality evidence:
  1. Inquiry of appropriate personnel;
  2. Observation;
  3. Inspection of relevant documentation; and
  4. Re-performance of a control.

Page 79: New CMA Part 1 Section D

Control Breakdowns

• If an auditor identifies a deficiency in a control over financial reporting, the auditor should evaluate the severity of the deficiency to determine whether the deficiency, either individually or in combination with other deficiencies, represents a material weakness. The severity depends upon:
  – Whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement of an account balance or disclosure; and
  – The magnitude of the potential misstatement resulting from the deficiency or deficiencies.

Page 80: New CMA Part 1 Section D

Control Breakdowns cont’d

• Risk factors affect whether there is a reasonable possibility that a deficiency or combination of deficiencies will result in a misstatement of an account balance or disclosure. These risk factors include:
  – The nature of the financial statement accounts, disclosures, and assertions involved;
  – The susceptibility of the related asset or liability to loss or fraud, or how likely it is that something could go wrong;
  – The subjectivity, complexity, or extent of judgment required to determine the amount involved;

Page 81: New CMA Part 1 Section D

Control Breakdowns cont’d

• Risk factors affect whether there is a reasonable possibility that a deficiency or combination of deficiencies will result in a misstatement of an account balance or disclosure. These risk factors include (cont’d):
  – The interaction or relationship of the control with other controls, including if they are interdependent or redundant;
  – The interaction of the deficiencies, i.e., if there is more than one, could they in combination cause a material misstatement;
  – The possible future consequences of the deficiency.

Page 82: New CMA Part 1 Section D

Control Breakdowns cont’d

• If multiple control deficiencies affect the same financial statement balance or disclosure, that increases the likelihood of misstatement and may, in combination, constitute a material weakness (though each deficiency individually may not be severe).
• Factors that affect the size of a misstatement that might result from a deficiency in controls include:
  – The financial statement amounts or total of transactions exposed to the deficiency; and
  – The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.

Page 83: New CMA Part 1 Section D

Fraud Audits

• In a financial statement audit, the audit should be prepared so that any material misstatement is detected, no matter what the cause of the misstatement.
• The auditor is responsible for examining the controls to determine if they are adequate to prevent or detect fraud and must also have sufficient knowledge to be able to identify the indicators that fraud may have occurred.
• However, the deterrence of fraud is the responsibility of management, not the auditor.

Page 84: New CMA Part 1 Section D

Fraud Audits cont’d

• It is preferable (and usually cheaper) to prevent fraud than it is to discover it after the fact.
• If the auditor detects control weaknesses, additional tests should be performed to identify other factors of fraud that may be present.
• When fraud is detected, the auditor should immediately report it to the appropriate level of management.

Page 85: New CMA Part 1 Section D

Types of Fraud

• There are three main classifications of fraud:
  – Misstatements from fraudulent financial reporting,
  – Misappropriation (theft) of company assets, and
  – Corruption (bribes, conflicts of interest).
• In the misappropriation of assets, the employee is more likely to be ‘living beyond their means’ because they have more money than their salary as a result of the theft.

Page 86: New CMA Part 1 Section D

Factors Contributing to Fraud

• The following items do not indicate that fraud is occurring, but rather that conditions exist in which fraud may occur more easily.
  – No segregation of duties;
  – Lack of controls such as limiting access to assets, comparing existing assets with recorded assets, and requiring proper authorization for executing transactions;
  – Lack of qualified personnel;
  – Collusion among employees;
  – The existence of high-value, small, liquid assets; and
  – Management override of controls that are in place.

Page 87: New CMA Part 1 Section D

The IIA’s Position regarding Fraud

• The Institute of Internal Auditors’ (IIA’s) position on deterrence, detection, investigation and reporting of fraud is:
  – Deterrence of fraud is the responsibility of management.
  – Internal auditors must have sufficient knowledge to be able to identify the indicators that fraud may have occurred.
  – If control weaknesses are detected, additional tests should be performed to identify other factors of fraud that may be present.
  – Audit procedures alone will not guarantee that fraud will be detected.
  – A fraud that is detected needs to be reported.

Page 88: New CMA Part 1 Section D

Considering Fraud in Audit Planning

• The auditor should develop and plan the audit with a reasonable assurance of detecting material fraud or misstatements. However, because the perpetrators of fraud will try to conceal it, it is not possible to guarantee discovery of material frauds.
• Fraud is different from an error in that fraud is an intentional misstatement while an error is unintentional. The three main types of fraud are:
  1. Fraudulent financial reporting
  2. Misappropriation of assets
  3. Corruption

Page 89: New CMA Part 1 Section D

Internal Audit Reports

• Audit reports may be written or oral. Oral reports are more timely but do not replace written reports. Any oral reports should be followed with a written report confirming the oral report.
• All reports should include:
  – The purpose,
  – The scope of the engagement, and
  – The results of the engagement, including recommendations, if applicable.
• Reports might include summaries, background information, status of previous audit findings or other comments.

Page 90: New CMA Part 1 Section D

Purpose of the Engagement

• The purpose should include:
  – The engagement objectives – should be described in enough detail so readers know what to expect from the rest of the report.
    • Objectives should address the risks, controls and governance processes associated with the activities under review.
• The purpose may also include:
  – Why the engagement was performed
  – What the expected results were (i.e., cost savings, increased efficiencies, etc.)

Page 91: New CMA Part 1 Section D

Scope of the Engagement

• Description of the work done to achieve the engagement’s objectives. The scope should be sufficient to address the agreed-upon objectives.
• Activities reviewed and time period reviewed
• Any related activities not reviewed
• The nature and extent of the work performed
  – Should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties
• The scope should specifically state what areas were not covered that readers might expect to be covered unless told differently.

Page 92: New CMA Part 1 Section D

Results of the Engagement

• Includes observations, conclusions, an opinion if appropriate, recommendations, and action plans from the engagement.
• Observations – audit findings made by comparing what is with what should be.
• An audit finding should include: background, criteria, condition, cause, and effect.
  • Background – Identify people involved, environment of the operation, reason why the situation is reportable, etc.
  • Criteria – The standards used to judge the operation being audited. (The “what should be.”)
  • Condition – The facts determined through observation, questioning, analysis, verification and investigation. (The “what is.”)

Page 93: New CMA Part 1 Section D

Results of the Engagement cont’d

• Audit findings (continued)
  – Cause – Explains the reason why “what is” is different from “what should be.”
  – Effect – The consequences of the difference between “what is” and “what should be.” To be reportable, an audit finding should have consequences – who or what was hurt, and how badly.
• Conclusions – the internal auditor’s evaluations such as whether a function is operating as intended, if control criteria are being met, if objectives are being met, etc.
• Recommendations – for improved performance, acknowledgement of satisfactory performance, any corrective actions needed.

Page 94: New CMA Part 1 Section D

Summary Reports

• One or two page “executive summary.”
  – To inform senior management of matters that need prompt or continued attention.
  – To inform senior management about significant findings.
• Should include:
  • Brief description of the audit,
  • Conclusions,
  • Summary statements of significant findings with references to where the detail can be found in the full audit report, and
  • Brief description of actions taken by the client as a result of the audit findings.
• May be issued in addition to the full audit report.

Page 95: New CMA Part 1 Section D

Writing and Distributing the Report

• The report should be:
  – Objective,
  – Clear,
  – Concise (no longer than necessary),
  – Timely, and
  – Constructive.
• The report should be reviewed with the auditee before it is issued.
• The report should be distributed to everyone who has a direct interest in the area being audited.

Page 96: New CMA Part 1 Section D

Incidents That Should Be Reported

• The auditor should report:
  – All material facts that they know that, if not reported, could cause the audit report to be distorted or conceal unlawful acts,
  – Any variances between what should have been and what was,
  – Any suspected fraud,
  – The violation of any law,
  – Inconsistent product quality (in a quality audit), and
  – Any other reportable condition that management should be informed about.

Page 97: New CMA Part 1 Section D

Auditor Follow-Up

• Unlike the external auditor, the internal auditor should follow up on engagements after they are completed.
• The follow-up is to determine whether the recommendations have been implemented, whether they were timely, whether they have been effective, and just how the department is doing.

Page 98: New CMA Part 1 Section D

Computerized Audit Techniques

Use of computers to audit information systems:
• Generalized audit software
• Test data
• Integrated test facility
• Parallel simulation
• Embedded audit routines
• Extended records
• Snapshots
• Tracing
• Mapping

Page 99: New CMA Part 1 Section D


Systems Controls and Security Measures

Page 100: New CMA Part 1 Section D

Systems Controls

• The objectives of controls for an information system are similar to the objectives of overall organizational controls. There are, however, special threats to information systems. Examples:
  – Errors can occur in system design
  – Data can be stolen over the internet
  – Data and programs can be damaged
  – Programs can be altered by dishonest employees to divert assets to their own use
  – Viruses, trojan horses, and worms can infect a system, causing a system crash or stolen or damaged data
  – Physical facilities can be damaged by natural disasters, illegal activity, or sabotage

Page 101: New CMA Part 1 Section D

Systems Controls cont’d

• Information system internal control guidelines are based upon two documents:
  1. The report of the Committee of Sponsoring Organizations (COSO), Internal Control – Integrated Framework
  2. Control Objectives for Information and related Technology (COBIT), authored by the IT Governance Institute and published by the Information Systems Audit and Control Foundation (ISACF).
• Systems controls are broken down into two categories:
  1. General controls
  2. Application controls

Page 102: New CMA Part 1 Section D

General Controls

• General controls relate to the environment where transactions are processed.
• Controls over development, modification and maintenance of programs, segregation of duties, data security, administrative controls, provision for disaster recovery.
• The categories of general controls are:
  – The organization and operation of the computer facilities, including segregation of duties;
  – General operating procedures, including written procedures and manuals;
  – Equipment and hardware controls, including backup procedures;
  – Access controls, including both physical access and password access to data and programs.

Page 103: New CMA Part 1 Section D

Application Controls

• Application controls are specific to individual applications. They should be designed to prevent, detect and correct errors in transactions.
• The three main categories are:
  – Input controls,
  – Processing controls, and
  – Output controls.

Page 104: New CMA Part 1 Section D

System and Program Development and Change

• By having controls in place during the design of the system, the accuracy, validity, safety and security of the system are improved.
• The stages in system development are:
  – Statement of objectives,
  – Investigation and feasibility,
  – Systems analysis,
  – Systems design and development,
  – Program coding and testing,
  – Systems implementation, and
  – Systems evaluation and maintenance.

Page 105: New CMA Part 1 Section D


Internet Security

Page 106: New CMA Part 1 Section D

Internet Security

• A minimum level of internet security includes:
  – User account management,
  – A firewall,
  – Anti-virus protection, and
  – Encryption.

Page 107: New CMA Part 1 Section D

Viruses, Trojan Horses and Worms

• A computer virus is a program that executes itself and replicates itself, damaging the host computer and others.
• A Trojan horse does not replicate itself, though it may still damage the computer by causing the loss of data, or theft of data.
• A worm is similar to a virus, but a worm replicates itself without the use of a host file.

Page 108: New CMA Part 1 Section D

Cybercrime

• The Internet, online communications and e-business are all subject to computer crime and this threat is growing every day.
• The most serious computer crimes, as defined by the FBI, are:
  – Intrusions of the Public Switched Network (the telephone company),
  – Major computer network intrusions,
  – Network integrity violations,
  – Privacy violations,
  – Industrial espionage, and
  – Pirated computer software.

Page 109: New CMA Part 1 Section D

Cybercrime cont’d

• Other types of computer crime include:
  – Copyright infringement such as the illegal copying of copyrighted material,
  – Denial of Service (DoS) attacks in which a website is accessed repeatedly so that other, legitimate users cannot connect to it,
  – Theft of credit card numbers from retailers’ files,
  – Phishing, a high-tech scam that uses spam e-mail to deceive consumers into disclosing sensitive personal information, and
  – Installation of malware on a computer without the user’s knowledge.

Page 110: New CMA Part 1 Section D

Cybercrime cont’d

• Defenses against cybercrime include:
  – Firewalls
  – Proxy servers
  – Antisniffer tools
  – Switched networks
  – Encryption

Page 111: New CMA Part 1 Section D

Firewalls and Encryption

• A firewall is a barrier between the internal network of a company and external networks.
• A firewall prevents unauthorized access to the network and can also record attempts that were made to access the network.
• Encryption is the method of converting text into a code for transmission and then converting it back to text when received.

Page 112: New CMA Part 1 Section D

Backup and Contingency Planning

• The company must have plans for the backup and recovery of data.
• The more extreme form of contingency planning is disaster recovery. A disaster recovery plan includes:
  – Who will participate in the recovery and what their roles are,
  – What hardware, software and facilities should be used, and
  – The priority of applications to be processed.
• A hot site is a backup site that has similar equipment and is able to be used immediately. A cold site is a site where power and space are available, but it requires getting computer equipment installed there quickly if needed.