2010 CMA Part 1 Section D – Internal Controls 1
2010 CMA Part 1 - Section D: Internal Controls
Section D – Internal Controls
• This section is 15% of Part 1
• Five larger categories of topics are included in this section:
– Risk assessment, controls and risk management
– Internal auditing
– Systems controls and security measures
– Internet security
– Contingency planning
Risk Assessment, Controls, and Risk Management
Benefits of Internal Control
• The internal controls of a company are an important part of its overall operations. A strong internal control system will provide many benefits:
– Lower external audit costs,
– Better control over and usage of company assets, and
– More reliable information that may be used for decision making by managers and others in the company.
• A company with weak internal controls is putting itself at risk for employee theft, loss of control over the information relating to operations, and other inefficiencies in operations and decision-making.
Internal Control Definition and Objective
• Internal control is the method or process performed by a company that is designed to provide reasonable assurance that three things will be achieved:
1. Effectiveness and efficiency of operations,
2. Reliability of financial reporting, and
3. Compliance with applicable laws and regulations.
• Objectives #2 and #3, the financial reporting and compliance objectives, are based on standards imposed by external entities (example: SEC). Internal control only provides reasonable assurance, not a guarantee, that these goals will be achieved.
Internal Control Definition and Objective cont’d
• Regarding point #1: an internal control system cannot provide reasonable assurance that operations objectives will be met. It provides only reasonable assurance that management and the board of directors are made aware in a timely manner about the progress towards achieving operational objectives.
• Therefore, internal control can be judged effective if management has reasonable assurance that:
– They understand the extent to which the company’s operations objectives are being achieved;
– Published financial statements are prepared reliably; and
– Applicable laws and regulations are being complied with.
Who is Interested in the IC of a Company?
• There are a number of diverse parties that are interested in the internal control system of a company:
– Investors and potential investors rely on the IC system to be able to evaluate management and the performance of the company.
– External auditors will base the amount of work that they perform in part on the effectiveness of the IC system.
– Legislative and regulatory bodies rely on the IC system to help ensure that the company is operating in compliance with applicable laws and regulations.
– Management uses the information that comes out of the internal systems, so management needs to make certain that the information that they receive is correct.
– Customers may benefit from a strong internal control system because it may reduce the costs of production and therefore also the products’ costs.
Who is Responsible for Internal Control?
• The COSO report, Internal Control – Integrated Framework (1992), defined the responsibility of the group or person listed below to maintain and assess internal controls as follows:
– The board of directors is responsible for overseeing the internal control system, providing governance, guidance and insight.
– The CEO is ultimately responsible for the internal control system and the “tone at the top”.
– Senior managers delegate responsibility for establishment of specific internal control policies and procedures to personnel responsible for each unit’s functions.
Who is Responsible for Internal Control? cont’d
• The COSO report, Internal Control – Integrated Framework (1992), defined the responsibility of the group or persons listed below to maintain and assess internal controls as follows (cont’d):
– Financial officers and their staffs are central to the exercise of control.
– Internal auditors play a monitoring role by evaluating the effectiveness of the internal controls.
– Virtually all employees are involved in internal control:
• they produce information used in the internal control system or carry out activities that put the internal control systems into effect;
• they inform their managers if they become aware of problems in operation or that rules or policies are being violated.
Components of Internal Control
• The COSO report, Internal Control – Integrated Framework, lists five interrelated components that make up internal control:
1. The Control Environment,
2. Risk Assessment,
3. Control Activities,
4. Information and Communication, and
5. Monitoring.
• Note: These elements may be remembered by the mnemonic CRIME, as identified by the bold letters in the list above.
Component #1: Control Environment
• This is the most important element of internal controls because it is the basis on which the other elements are built.
• Factors that influence the scope and effectiveness of the control environment include:
– Integrity and ethical values of the entity’s people
– A commitment to competence
– The attention and direction provided by the board of directors and/or audit committee
– Management’s philosophy and operating style
– The company’s organizational structure
Component #1: Control Environment cont’d
• Factors that influence the scope and effectiveness of the control environment include (cont’d):
– The way management assigns authority and responsibility for operating activities
– Human resource policies and practices
Component #1: Control Environment cont’d
• Internal controls are more likely to function well if management believes that the controls are important and communicates that support to all employees. They set a positive “tone at the top” by:
– Transmitting guidance both verbally and by example, communicating the entity’s values and code of conduct
– Fostering a “control consciousness” by setting formal and clearly communicated policies and procedures
– Specifying the competence level needed for particular jobs and delegating authority accordingly
– Working closely with a board of directors who help ensure the company is operating in the best interest of the shareowners
Component #2: Risk Assessment
• Once the company objectives are defined, risk identification can begin.
– Risks can exist at the entity level or the activity level
– Risks can be both internal and external
• After the company has identified its entity-level and activity-level risks, it should perform a risk analysis:
– To estimate the significance of each risk
– To assess the likelihood or frequency of each risk’s occurring
– To consider how each risk should be managed by assessing what actions need to be taken.
Component #2: Risk Assessment cont’d
• Within the control environment, management is responsible for assessment of the risks that the company faces.
• Risk assessment is the process of identifying, analyzing and managing the risks that have the potential to prevent the organization from achieving its objectives.
– The company’s objectives must be established before the risks to them can be assessed. Objective setting is therefore a key part of the management process of risk assessment.
Component #2: Risk Assessment cont’d
• Once the significance and likelihood of risks have been assessed, the following steps should be taken to manage the identified risks:
– The amount of potential loss from each identified risk should be estimated to the extent possible.
– Consider how each risk should be managed by determining what can be done and analyzing the costs, if any, associated with managing each risk.
– Procedures should be established to ensure that the plans for implementing the risk management are implemented. These procedures are the control activities.
Component #3: Control Activities
• After the risks have been assessed, controls should be designed to limit the risk. To accomplish this, control activities are implemented.
• These activities are the policies that are developed to address the risks of the company, and procedures that ensure the policies will be followed.
• Any control implemented must have a benefit that is greater than the cost of that control.
– Because of this, not all controls are implemented and the control environment cannot provide a guarantee that all risks are eliminated.
Component #3: Control Activities cont’d
• Control activities may be classified by their objective:
– Preventive controls attempt to prevent the mistake or problem from ever occurring in the first place,
– Directive controls attempt to ensure the occurrence of a desirable event,
– Detective controls attempt to find the mistake or problem after it has occurred,
– Corrective controls attempt to fix the problem after it has occurred, and
– Compensating controls attempt to address a weakness in controls in one place by setting up additional controls in a related area.
Component #3: Control Activities cont’d
• Examples of control activities are:
1. Top level reviews
2. Direct functional or activity management
3. Information processing
4. Independent checks
5. Performance indicators
6. Physical controls to safeguard assets
7. Documents and records
8. Authorization
9. Segregation of duties
Component #4: Information and Communication
• Information needs to be obtained and communicated to people to allow them to perform their duties.
– Communication must be ongoing
– Duties and responsibilities need to be communicated to all affected parties so that they are able to communicate significant information upstream
– Reports containing operational, financial, and compliance information must be available for informed decisions
– Some information must be communicated to those outside the organization and must also be available from external sources
Component #4: Information and Communication cont’d
• Some examples of communication that should take place include:
– Information systems must provide reports to appropriate personnel so they can carry out their responsibilities.
– All personnel need to receive clear communication from top management that their internal control responsibilities must be taken seriously. Each person needs to understand his or her role in the internal control system and how the system works.
– People need to know what behavior is expected of them and what behavior is unacceptable.
– Employees need to know that if they report a suspected violation of the company’s code of conduct, they will not get into trouble for it.
Component #4: Information and Communication cont’d
• Some examples of communication that should take place include:
– Communications between management and the Board of Directors are vital. Senior management must inform board members about performance, new developments, major initiatives, potential risks, and other relevant information.
– Appropriate communication is also needed with those who are outside of the organization. Communications from outside parties such as external auditors can provide important information about the functioning of the internal control system.
– Any outsider dealing with the company must be informed that improper actions such as kickbacks or other improper incentives from vendors will not be tolerated.
Component #5: Monitoring
• Monitoring is the process of reviewing the controls over time to make sure that they are still relevant and still functioning as they were intended.
• As technologies change and business operations change, some of the controls that had been relevant may no longer be relevant.
• Monitoring needs to be undertaken on a regular (if not relatively constant) basis.
• Monitoring can be done in two ways:
1. Ongoing monitoring during normal operations
2. Separate evaluations by management with the assistance of the internal audit function
Segregation of Duties
• Duties need to be divided among various employees to reduce the risk of errors or inappropriate activities. No single individual should have enough responsibility to be in a position to both perpetrate and conceal irregularities.
• Note: Different people must always perform the following four functions:
– Authorizing a transaction.
– Recording the transaction, preparing source documents, maintaining journals.
– Keeping physical custody of the related asset.
– The periodic reconciliation of the physical assets to the recorded amounts for those assets.
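The four-function rule above is the kind of check an access review or an identity-governance tool runs over role assignments. The following is an added example, not part of the CMA slide deck or any vendor's product: it takes a constructed table of users and the functions granted to them (authorize, record, custody, reconcile, plus an unrelated duty) and reports every user who holds two or more of the four incompatible functions, as well as any of the four functions nobody performs at all. The user names, the process and the assignments are all made up for illustration.

```python
"""Segregation-of-duties check over a constructed role-assignment table.

Added illustration, not from the CMA slides. It enforces the rule on the slide:
the four functions (authorize, record, custody, reconcile) must be performed by
different people. The assignments below are constructed sample data.
"""
from itertools import combinations

# The four functions the slide says must be held by different people.
INCOMPATIBLE_FUNCTIONS = ("authorize", "record", "custody", "reconcile")

# Constructed sample: user -> set of functions granted for a fixed-asset process.
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorize"},
    "bob": {"record", "custody"},        # conflict: records the asset and holds it
    "carol": {"reconcile"},
    "dave": {"authorize", "reconcile"},  # conflict: approves and then checks own work
    "erin": {"reporting"},               # unrelated duty, no conflict
}


def find_sod_conflicts(assignments):
    """Return a sorted list of (user, function_a, function_b) for every pair of
    incompatible functions held by the same person."""
    conflicts = []
    for user, functions in sorted(assignments.items()):
        # Keep the slide's ordering so output is stable and readable.
        held = [f for f in INCOMPATIBLE_FUNCTIONS if f in functions]
        for a, b in combinations(held, 2):
            conflicts.append((user, a, b))
    return conflicts


def is_segregated(assignments):
    """True when no single person holds two or more of the four functions."""
    return not find_sod_conflicts(assignments)


def uncovered_functions(assignments):
    """Functions no listed user performs. This is a gap rather than a conflict,
    but it means that step (for instance the periodic reconciliation) is not
    being done by anyone."""
    covered = set().union(*assignments.values()) if assignments else set()
    return [f for f in INCOMPATIBLE_FUNCTIONS if f not in covered]


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both '{a}' and '{b}'")
    print("fully segregated:", is_segregated(SAMPLE_ASSIGNMENTS))
    print("functions nobody performs:", uncovered_functions(SAMPLE_ASSIGNMENTS))
```

Running the block on the sample data flags bob (record + custody) and dave (authorize + reconcile); a real review would feed it the role matrix exported from the ERP or identity system and treat each hit as a finding to resolve by reassignment or, where headcount makes that impossible, by a documented compensating control.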
Responsibilities of the Board of Directors
• The board of directors of a company is responsible for ensuring that the company is operated in the best interest of the shareholders.
• The board’s general responsibility is to provide governance, guidance and oversight of the management of the company. Specifics related to internal control include:
– Selecting management
– Defining expectations of management regarding integrity and ethics
– Playing a role in the strategic objective setting and planning
– Investigating issues that they judge important
Responsibilities of the Board of Directors cont’d
• Board members are responsible for questioning and scrutinizing management’s activities. Therefore it is important that the board has members who are independent of the company.
– An independent director has no material relationship with the company. An independent director is not an officer or employee of the company and is not active in the day-to-day management of the company.
• Most boards of directors carry out their duties through committees. Committees are made up of selected board members and are smaller, working groups of directors that are tasked with specific oversight responsibilities. One of the committees whose membership is prescribed by SEC regulations is the audit committee.
The Audit Committee
• Audit committees of the boards of directors were first recommended by the SEC in 1972. Stock exchanges began requiring or at least recommending that listed companies have audit committees. Thereafter responsibilities of audit committees increased over the years and have been formalized by statute.
• The Sarbanes-Oxley Act of 2002 increased audit committees’ responsibilities further. It also increased the qualifications required for members of audit committees and it increased the authority of audit committees.
The Audit Committee cont’d
• The major requirements for audit committees and their members:
– They consist of at least 3 members
– Members must be independent (example: not employed by the company)
– At least one member must have accounting or financial management expertise
– All members must be financially literate (at the time of appointment or shortly thereafter)
– The New York Stock Exchange requires a 5 year “cooling off” period during which former employees of the company or its external auditor are not allowed to serve on the audit committee
The Audit Committee cont’d
• The responsibilities of the Audit Committee include:
– Being an intermediary between management, the external auditor and the internal auditor,
– Nominating an external auditor,
– Discussing the scope of the audits with the internal and external auditors,
– Reviewing the results of the audits,
– Reviewing evaluations of internal controls,
– Reviewing the work of the internal auditors,
– Reviewing the interim and annual financial statements.
Legislative Initiatives on Internal Control
• There are a handful of legislative initiatives regarding internal control issues that we will look at in more detail:
– The Foreign Corrupt Practices Act,
– Sarbanes-Oxley Act, and
– SEC Release 33-8810
The Foreign Corrupt Practices Act
• This Act was passed in response to the discovery in the 1970s that American companies were making large, questionable or illegal payments to foreign governments, officials or politicians.
• This is an amendment to the 1934 Securities Exchange Act.
• There are two main provisions:
– Anti-bribery provisions
– Accounting provisions
Applicability and Responsibility
• The anti-bribery provisions apply to all companies, whether or not they are publicly traded and registered with the SEC.
• The accounting provisions are applicable only to companies that are under the regulation of the SEC.
• The responsibility for compliance with the Act is given to the company as a whole.
– Responsibility is not placed with a specific person or position, but with everyone within the organization.
– However, individuals are personally liable for their actions.
Anti-Bribery Provisions
• It is illegal to offer or authorize corrupt payments to any foreign official, foreign party chief or official, or a candidate for political office in a foreign country.
– It is also illegal to make these payments through another party (an intermediary).
• A corrupt payment is one that intends to cause the recipient to misuse their position in order to direct business to the payer of the corrupt payment.
– A payment is corrupt simply by the fact it is made. Even if the benefits that were expected are not received, the payment was corrupt.
Accounting Provisions
• Management is required to maintain records and books and accounts that represent transactions properly.
• Management must also develop and implement a system of internal controls.
– The logic is that if the company has an effective internal control system, it will be more difficult for corrupt payments to be made.
Penalties of the FCPA
• Fines for making illegal payments are:
– Up to $2 million in fines against the company, and
– Up to $100,000 in fines and 5 years of imprisonment for individuals who make or authorize an illegal transaction.
• Companies can also be prevented from participating in government contracts and have their export license revoked. Shareholders are also able to file lawsuits against the company for illegal payments.
Sarbanes-Oxley Internal Control Provisions
The Sarbanes-Oxley Act was enacted in 2002. Its provisions with respect to internal control are:
• Audit committees are to be responsible for the appointment, compensation and oversight of the registered public accounting firm.
• Audit committees are to have the authority and funding to engage independent counsel and advisors as deemed necessary.
• Auditors are to report directly to the audit committee.
• Members of the audit committee must be truly independent.
Sarbanes-Oxley (cont.)
• It is unlawful for any corporate officer or director, or person acting under their direction, to fraudulently influence, coerce, manipulate or mislead any accountant engaged in preparing an audit, for the purpose of causing the audit report to be materially misleading.
• The company’s annual report filed with the SEC must be accompanied by a statement of management that management is responsible for creating and maintaining adequate internal controls, along with a statement of management’s assessment of the effectiveness of these controls.
Sarbanes-Oxley Internal Control Provisions (cont.)
• There are several main aspects of Sarbanes-Oxley (SOX) that we will now cover in more detail. They include:
1. The Public Company Accounting Oversight Board (PCAOB)
2. SOX Section 302 – Corporate Responsibility for Financial Reports
3. SOX Section 404 – Management Assessment of Internal Controls
4. The PCAOB Auditing Standard 5 and the preferred approach to auditing internal controls
Public Company Accounting Oversight Board
• Title 1 of the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing of public companies that are subject to the securities laws.
• The board:
– Contains 5 board members appointed by the SEC
– Includes only members who are financially literate and must be from the private sector
– Only 2 of the board members can be CPAs.
• The PCAOB has many responsibilities. Its role to provide guidance to auditors on their auditing of internal controls is just one responsibility.
Public Company Accounting Oversight Board cont’d
• The primary responsibilities of the PCAOB include:
– Registering accounting firms that audit public companies.
– Establishing standards related to the preparation of audit reports regarding auditing, quality control, ethics, and independence.
– Conducting inspections of registered public accounting firms for compliance with the Sarbanes-Oxley Act, the rules of the Board, the rules of the SEC, and other professional standards.
– Enforcing compliance with appropriate laws and professional standards relating to audit reports and the obligations of accountants for them.
– Conducting investigations and disciplinary proceedings and imposing appropriate sanctions.
SOX Section 302
• Section 302 relates to the corporate responsibility for financial reports.
• Each annual or quarterly report of a company must include certifications by the CEO and CFO that:
– They have reviewed the report
– The report does not contain any untrue material statement or omit to state any material fact that could make the report misleading
– Based upon their knowledge, the financial statements fairly present in all material respects the financial condition and results of operations of the company
– They understand that they are responsible for internal controls in the company
SOX Section 302 cont’d
• Each annual or quarterly report of a company must include certifications by the CEO and CFO that (cont’d):
– They have disclosed required information to the company’s auditors and audit committee of the board of directors, including:
• Any fraud that involves management or other employees with significant responsibilities in the company’s internal controls
• All deficiencies in the design or operation of the company’s internal controls
– They have disclosed in the report any material changes in the company’s internal controls that have occurred after the report date but prior to its publication
SOX Section 404
• Section 404 relates to the management assessment of internal control.
• Each annual report required by the SEC must contain an assessment by management of the adequacy of the company’s internal control over financial reporting (ICFR for short). This internal control report shall:
– State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
– Contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting as of the fiscal year end
SOX Section 404 cont’d
• The SEC provided interpretative guidance (SEC Release No. 33-8810) to implement Section 404. The guidance is organized around two broad principles:
1. Management should determine whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
2. Management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.
PCAOB Auditing Standard #5
• PCAOB Auditing Standard No. 5 calls for a top-down, risk-based approach to assessing and attesting to internal controls. Important details regarding this approach are:
– A risk-based approach begins by identifying the risks that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
– The auditor should perform procedures such as inquiry, inspection of documents, or walkthroughs (which are a combination of the preceding procedures) to understand and identify the likely sources of potential misstatements.
– A fraud risk assessment should be taken into account during the audit of internal controls.
PCAOB Auditing Standard #5 cont’d
• The steps to follow in a top-down, risk-based auditing approach are:
1. Start with entity level controls
2. Identify entity level controls
3. Identify significant accounts and disclosures and their relevant financial statement assertions
4. Understand the likely sources of misstatement
5. Select controls to test
6. Test design effectiveness and operating effectiveness of the controls
7. Evaluate identified deficiencies
SEC Release 33-8810
• SEC Release 33-8810, the guidance for management in assessing its internal control over financial reporting, also contains information about how a risk-based, top-down approach to assessing internal control over financial reporting should be performed. It reports the following steps to follow:
1. Identify financial reporting risks and controls
2. Evaluate evidence of the operating effectiveness of the internal controls over financial reporting
3. Consider the impact of multiple locations adequately (rely on central controls? review of remote locations, etc.)
4. Evaluate control deficiencies to determine whether they are a material weakness
What Internal Controls Can and Cannot Do
• Internal controls can help an organization get to where it wants to go.
• Internal controls can help an organization achieve its goals and prevent loss of resources.
• Internal controls can ensure reliable financial reporting.
• Internal controls can ensure that the organization complies with laws and regulations.
• Internal controls cannot provide a guarantee. They can provide only reasonable assurance to management and the board of directors regarding achievement of the entity’s objectives.
Internal Auditing
Internal Auditing
• The IIA defines internal auditing as:
“an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
• Internal auditing provides a mechanism for management to monitor the reliability of financial reporting and the company’s control over operations.
Types of Internal Auditing Services
• Internal auditing services fall into three fundamental categories:
1. Operational – reviewing the various functions within the organization in order to appraise the efficiency and economy of operations and the effectiveness with which the functions achieve their objectives.
2. Financial – reviewing the economic activity of the organization as it is measured and reported by accounting methods.
3. Compliance – reviewing both financial and operating controls and transactions to determine whether they conform to laws, standards, regulations and procedures.
Responsibilities of Internal Auditors
• The responsibility of the internal audit function is to review and appraise policies, procedures, plans and records for the purpose of informing and advising management.
• Perhaps more important is what internal audit is not responsible for.
– Internal audit is not responsible for and has no authority over operating activities.
– Internal audit makes no decisions about what should be done – they provide information and advice, and then management makes a decision.
– Internal audit may help with implementation, but management makes the decision.
Internal Auditors and the Internal Control System
• The internal auditors are not responsible for the internal control system (management is responsible for that).
• The internal auditor’s function is to test, examine, review, evaluate and make recommendations about the internal control system.
• In this way, internal auditing assists management in carrying out its monitoring responsibilities.
Organizational Status
• The internal audit function should report to the board of directors through the audit committee.
• The internal auditors need to be perceived as an important part of the company in order to be able to do their job effectively.
– People in the company need to know that the board will listen to what the auditors say and therefore the conclusions of the auditor are important.
• By reporting to a high level the function has organizational independence. This means that they do not have any direct relationships with those they are auditing. The people they are auditing cannot tell them what to do or fire them.
Internal Auditors and External Auditors
• External auditors are focused on one thing – the opinion about the financial statements.
– External auditors are not concerned about the efficiency or effectiveness of operations, just that the financial statements reflect fairly the operations of the company.
• Internal auditors have a wider range of interests and engagements. They compare “what is” in the company with “what should be” and report to management their findings. In addition to their findings, the internal auditor develops and reports recommendations for improvement.
Coordination of Internal and External Auditors
• Some of the work of the internal auditors may be relevant to and used by the external auditor.
• Before using the work of the internal auditors, however, the external auditor must assess the internal auditors’
– Competence (how well they do their job), and
– Objectivity (their organizational independence, or their role within the organization)
Use of the Internal Auditor’s Work
• If the external auditor decides to use some of the work of the internal auditor,
– The external auditor will supervise, manage and review all of the work done by the internal auditors.
– The internal auditors will not assess risk.
– The internal auditors will not draw any conclusions.
– The internal auditor will be more likely to be used in areas that are objective (existence of fixed assets) than subjective (valuation of future cash flows).

Types of Engagements
• Internal auditors perform two basic types of services:
1. Assurance services: performing an objective examination of evidence for the purpose of providing an independent assessment of the governance, risk management, and control processes of the organization.
2. Consulting services: advisory and related client service activities. They are usually performed at the request of the client, and their nature and scope are agreed upon with the client. They are intended to add value and improve an organization's governance, risk management and control processes.

Assurance Services
Assurance services include:
1. Financial audit: analyzes the economic activity as measured and reported by accounting methods. The goal is to determine whether the financial statement assertions can be supported:
• Existence or occurrence
• Completeness
• Rights and obligations
• Valuation or allocation
• Presentation and disclosure
2. Performance (or operational) audit: focuses on the efficiency, effectiveness, and economy of the company's operations and the internal controls over them, judged against the company's own standards.

Assurance Services cont'd
Assurance services include (cont'd):
3. Audit of financial controls: examines two aspects of financial internal controls:
• Controls over financial resources
• Controls over the accounting for financial resources
4. Compliance audit: performed to determine whether an organization is operating in an orderly way, effectively and visibly conforming to specific requirements of its policies, procedures, or standards.
5. System security audit: audits the controls in place over information systems.
6. Due diligence engagement: confirms company records, both financial records and records of property ownership.

Consulting Services
• Examples of consulting services include:
1. Quality audit: evaluating the quality of the product or service being provided.
2. Special engagements: an example of a special engagement is a fraud audit. Fraud audits are performed to discover the presence, scope and means of either misappropriation of assets or fraudulent reporting.
• Consulting services are intended to add value and improve an organization's activities in a specific area without the internal auditor assuming management responsibility.

Consulting Services cont'd
• Per Internal Auditing Standard 2120, the internal auditor should observe the following during a consulting engagement:
– Address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
– Incorporate knowledge of risks gained from consulting engagements into the evaluation of the organization's risk management processes.
– When assisting management in establishing or improving risk management processes, refrain from assuming any management responsibility by actually managing risks.

Which Audit Engagements to Accept
• The beginning of the audit process is to determine which engagements to conduct.
• The chief audit executive decides which engagements to perform based upon risk-based factors such as:
– Length of time since the last audit was performed in this area
– Requests from senior management
– Relation of the proposed engagement to the external audits of financial statements and internal controls
– Changing circumstances in the business, operations, systems or controls
– Potential benefit that could be achieved by the engagement

Audit Planning
• According to Internal Auditing Standard 2201, the internal auditor considers the following in planning the engagement:
– The objectives of the activity being reviewed and the means by which the activity controls its performance;
– The significant risks to the activity, its objectives, resources, and operations, and the means by which the potential impact of risk is kept to an acceptable level;
– The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model;
– The opportunities for making improvements to the activity's risk management and control processes.

Establishing Audit Objectives
• When establishing an audit's objectives, Internal Auditing Standard 2210 states that the auditor must:
– Conduct a preliminary assessment of the risks relevant to the activity under review.
– Consider the probability of significant errors, fraud, noncompliance, and other exposures.
– Ensure that adequate criteria are available to evaluate controls. If the criteria are adequately defined by management, internal auditors must use them in their evaluation. If they are inadequate, internal auditors must work with management to develop appropriate evaluation criteria.
– In consulting engagements, address governance, risk management, and control processes to the extent agreed upon with the client.

Assessing Audit Risk
• Assessing audit risk is an important part of the audit process. Audit risk is the risk that the auditor will conclude that everything is working properly when in fact it is not. It is made up of three components:
– Inherent risk (IR): the risk inherent in what is being audited, i.e., the risk of a problem in the absence of any controls.
– Control risk (CR): the risk that an error is NOT prevented or detected by the internal control system.
– Detection risk (DR): the risk that an error is NOT detected by the auditor's own procedures.
• Audit risk is calculated by multiplying these risks together: AR = IR × CR × DR

Assessing Audit Risk cont'd
• Control risk and detection risk operate inversely to each other.
– If control risk decreases (the internal controls are better), detection risk can be increased (the auditors do less testing) and audit risk remains the same.
– If control risk increases (the internal controls are worse), detection risk must be decreased (the auditors do more testing) for audit risk to remain the same.
• The auditor assesses inherent risk and control risk but can influence only detection risk, through the nature, timing and extent of the audit procedures performed.
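The inverse relationship follows directly from the audit risk model once it is rearranged to solve for the detection risk the auditor can accept. This worked equation is an added illustration with assumed values; it is not from the original slides:

DR = AR / (IR × CR)

With a planned AR = 0.05 and IR = 0.80: if CR = 0.50, then DR = 0.05 / (0.80 × 0.50) = 0.125. If the controls are weaker and CR = 1.00, then DR = 0.05 / (0.80 × 1.00) = 0.0625. Because AR is fixed in advance and IR is a property of the area being audited, any rise in CR must be offset by a proportionally lower DR, which in practice means more substantive testing.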

Understanding Internal Controls in the Planning
• After the engagement objectives are determined and the inherent risks identified, the next step is to obtain an understanding of internal controls.
• The auditor's understanding needs to encompass the five components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring.
• The auditor uses this understanding to:
– Identify the types of potential misstatements that may occur in whatever is being audited;
– Consider factors related to the risk of material misstatement; and
– Design the substantive tests to be performed.

Flowcharting
• Internal control systems may be documented in a flowchart.
– A systems flowchart (or horizontal flowchart) shows departments and functions across the top and documents manual and automated processes. Control points are identified.
– A program flowchart (or vertical flowchart) shows the steps in a process and how they will be executed.
– A data flow diagram is a graphic representation of the flow of data through the system (its sources, processes, data stores and destinations), and can be used to document the internal control system.

The Internal Audit Program
• The audit program is written after the assessment of the relevant internal controls.
• The program should include the objectives of the area to be audited and the controls in place to achieve the area's objectives, which determine the audit objectives.
• It gives details on the procedures to be followed to reach the objectives of the audit: what is to be done and how it will be done.
• It must be written, and must be detailed enough that the auditors know what is to be done.
• It is used to supervise and review the work.
• Standardized audit programs may be used when appropriate.

Audit Evidence
• Evidence is what the auditor gathers to support their conclusions. The evidence should be:
– Sufficient: there must be enough evidence;
– Competent: it must be reliable and the best available;
– Relevant: it must be consistent with the objectives of the audit; and
– Useful: it assists the organization in achieving its goals.
• The most competent, or best, source of evidence is something obtained directly by the auditor. Evidence obtained from the client is the least competent, and evidence from an independent third party is in between.

Audit Evidence cont'd
• Audit evidence is classified according to the legal rules of evidence. These include:
– Direct: acquired directly by the party offering it
– Hearsay: a secondhand account where the witness does not have personal, direct knowledge
– Documentary: any original record, deed, or document
– Opinion: not generally considered useful evidence
– Circumstantial: evidence that is consistent with a particular inference
– Secondary: not the original documentation
– Corroborative: supports other evidence
– Conclusive: indisputable

Auditing Financial Controls
• The Sarbanes-Oxley Act requires management to assess the adequacy of the company's internal controls over financial reporting. Internal auditors can assist in this through an audit of financial controls.
• A financial audit focuses on accounting controls. An operational audit focuses on administrative controls.
– Accounting controls are concerned with the integrity and accuracy of the accounting system and the financial reports it generates.
– Administrative controls are more focused on management's operating objectives.

Auditing Financial Controls cont'd
• Accounting controls are intended to achieve the following characteristics for the financial records:
– Completeness: Are all transactions reflected in or captured by the accounting system?
– Validity: Are only valid transactions recorded?
– Authorization: Are all transactions properly authorized?
– Accuracy: Are the reported numbers accurate representations of the economic transactions that have occurred?

Objectives of an Audit of Controls
• An audit of controls has the following objectives:
1. Determine if controls are in place;
2. Determine if the existing controls are structurally sound;
3. Determine if the controls are designed to achieve a specific management objective, to achieve compliance with predetermined requirements, or to ensure the accuracy and propriety of transactions;
4. Determine whether the controls are being used properly;
5. Determine if the controls are efficiently serving their purpose;
6. Determine whether the controls are effective; and
7. Determine if management is using the output of the control system.

Testing Compliance with Controls
• The auditor investigates the following to test compliance with controls and evaluate their effectiveness:
1. Are procedures being followed?
2. Is the output being used?
3. Is the input into the system valid, accurate, and reasonable?
4. If the system is computerized, is it operating properly?
5. Is the output of the control operation valid?
6. Is the control output achieving management's objective in establishing the control?
7. Is the control system operating as intended?

Testing Compliance with Controls cont'd
• The auditor investigates the following to test compliance with controls and evaluate their effectiveness (cont'd):
8. Does the control system have the following required characteristics?
• Flexibility
• Timeliness
• Accountability
• Cause identification
• Appropriateness
• Placement

Testing Compliance with Controls cont'd
• The procedures the auditor performs to test the operating effectiveness of controls include a mix of tests. Some types of tests produce stronger evidence of the effectiveness of the controls than others.
• The tests an auditor might perform, in order of the evidence they usually produce, from the lowest quality evidence to the highest:
1. Inquiry of appropriate personnel;
2. Observation;
3. Inspection of relevant documentation; and
4. Re-performance of the control.

Control Breakdowns
• If an auditor identifies a deficiency in a control over financial reporting, the auditor should evaluate the severity of the deficiency to determine whether it, either individually or in combination with other deficiencies, represents a material weakness. The severity depends upon:
– Whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement of an account balance or disclosure; and
– The magnitude of the potential misstatement resulting from the deficiency or deficiencies.

Control Breakdowns cont'd
• Risk factors affect whether there is a reasonable possibility that a deficiency or combination of deficiencies will result in a misstatement of an account balance or disclosure. These risk factors include:
– The nature of the financial statement accounts, disclosures, and assertions involved;
– The susceptibility of the related asset or liability to loss or fraud, i.e., how likely it is that something could go wrong;
– The subjectivity, complexity, or extent of judgment required to determine the amount involved;

Control Breakdowns cont'd
• Risk factors affecting whether a deficiency or combination of deficiencies could result in a misstatement (cont'd):
– The interaction or relationship of the control with other controls, including whether they are interdependent or redundant;
– The interaction of the deficiencies, i.e., if there is more than one, whether they could in combination cause a material misstatement; and
– The possible future consequences of the deficiency.

Control Breakdowns cont'd
• If multiple control deficiencies affect the same financial statement balance or disclosure, that increases the likelihood of misstatement and may, in combination, constitute a material weakness (even though each deficiency individually may not be severe).
• Factors that affect the size of a misstatement that might result from a deficiency in controls include:
– The financial statement amounts or total of transactions exposed to the deficiency; and
– The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.

Fraud Audits
• In a financial statement audit, the audit should be planned so that any material misstatement is detected, whatever the cause of the misstatement.
• The auditor is responsible for examining the controls to determine whether they are adequate to prevent or detect fraud, and must also have sufficient knowledge to identify the indicators that fraud may have occurred.
• However, the deterrence of fraud is the responsibility of management, not the auditor.

Fraud Audits, cont'd
• It is preferable (and usually cheaper) to prevent fraud than to discover it after the fact.
• If the auditor detects control weaknesses, additional tests should be performed to identify other indicators of fraud that may be present.
• When fraud is detected, the auditor should immediately report it to the appropriate level of management.

Types of Fraud
• There are three main classifications of fraud:
– Misstatements from fraudulent financial reporting,
– Misappropriation (theft) of company assets, and
– Corruption (bribes, conflicts of interest).
• In the misappropriation of assets, the employee is more likely to be "living beyond their means," because the theft gives them more money than their salary provides.

Factors Contributing to Fraud
• The following items do not indicate that fraud is occurring, but rather that conditions exist in which fraud may occur more easily:
– No segregation of duties;
– Lack of controls such as limiting access to assets, comparing existing assets with recorded assets, and requiring proper authorization for executing transactions;
– Lack of qualified personnel;
– Collusion among employees;
– The existence of high-value, small, liquid assets; and
– Management override of the controls that are in place.

The IIA's Position regarding Fraud
• The Institute of Internal Auditors' (IIA's) position on the deterrence, detection, investigation and reporting of fraud is:
– Deterrence of fraud is the responsibility of management.
– Internal auditors must have sufficient knowledge to identify the indicators that fraud may have occurred.
– If control weaknesses are detected, additional tests should be performed to identify other indicators of fraud that may be present.
– Audit procedures alone will not guarantee that fraud will be detected.
– A fraud that is detected needs to be reported.

Considering Fraud in Audit Planning
• The auditor should develop and plan the audit to obtain reasonable assurance of detecting material fraud or misstatements. However, because the perpetrators of fraud will try to conceal it, it is not possible to guarantee the discovery of material frauds.
• Fraud differs from an error in that fraud is an intentional misstatement while an error is unintentional. The three main types of fraud are:
1. Fraudulent financial reporting
2. Misappropriation of assets
3. Corruption

Internal Audit Reports
• Audit reports may be written or oral. Oral reports are more timely but do not replace written reports. Any oral report should be followed by a written report confirming it.
• All reports should include:
– The purpose,
– The scope of the engagement, and
– The results of the engagement, including recommendations, if applicable.
• Reports might also include summaries, background information, the status of previous audit findings or other comments.

Purpose of the Engagement
• The purpose should include:
– The engagement objectives, described in enough detail that readers know what to expect from the rest of the report.
• Objectives should address the risks, controls and governance processes associated with the activities under review.
• The purpose may also include:
– Why the engagement was performed
– What the expected results were (e.g., cost savings, increased efficiencies, etc.)

Scope of the Engagement
• A description of the work done to achieve the engagement's objectives. The scope should be sufficient to address the agreed-upon objectives.
• The activities reviewed and the time period reviewed
• Any related activities not reviewed
• The nature and extent of the work performed
– Should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties
• The scope should specifically state which areas were not covered that readers might otherwise expect to have been covered.

Results of the Engagement
• Includes observations, conclusions, an opinion if appropriate, recommendations, and action plans from the engagement.
• Observations: audit findings made by comparing what is with what should be.
• An audit finding should include: background, criteria, condition, cause, and effect.
– Background: identifies the people involved, the environment of the operation, the reason why the situation is reportable, etc.
– Criteria: the standards used to judge the operation being audited (the "what should be").
– Condition: the facts determined through observation, questioning, analysis, verification and investigation (the "what is").

Results of the Engagement cont'd
• Audit findings (continued):
– Cause: explains why "what is" differs from "what should be."
– Effect: the consequences of the difference between "what is" and "what should be." To be reportable, an audit finding should have consequences: who or what was hurt, and how badly.
• Conclusions: the internal auditor's evaluations, such as whether a function is operating as intended, whether control criteria are being met, whether objectives are being met, etc.
• Recommendations: for improved performance, acknowledgement of satisfactory performance, and any corrective actions needed.

Summary Reports
• A one- or two-page "executive summary."
– To inform senior management of matters that need prompt or continued attention.
– To inform senior management about significant findings.
• Should include:
– A brief description of the audit,
– Conclusions,
– Summary statements of significant findings, with references to where the detail can be found in the full audit report, and
– A brief description of the actions taken by the client as a result of the audit findings.
• May be issued in addition to the full audit report.

Writing and Distributing the Report
• The report should be:
– Objective,
– Clear,
– Concise (no longer than necessary),
– Timely, and
– Constructive.
• The report should be reviewed with the auditee before it is issued.
• The report should be distributed to everyone who has a direct interest in the area being audited.

Incidents That Should be Reported
• The auditor should report:
– All material facts known to the auditor that, if not reported, could distort the audit report or conceal unlawful acts,
– Any variances between what should have been and what was,
– Any suspected fraud,
– The violation of any law,
– Inconsistent product quality (in a quality audit), and
– Any other reportable condition that management should be informed about.

Auditor Follow-Up
• Unlike the external auditor, the internal auditor should follow up on engagements after they are completed.
• The follow-up is to determine whether the recommendations have been implemented, whether they were implemented in a timely manner, whether they have been effective, and how the department is doing generally.

Computerized Audit Techniques
Use of computers to audit information systems:
• Generalized audit software
• Test data
• Integrated test facility
• Parallel simulation
• Embedded audit routines
• Extended records
• Snapshots
• Tracing
• Mapping
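Parallel simulation, one of the techniques listed above, means the auditor writes an independent program that reprocesses the client's input data and compares the result with what the client's application actually produced; any difference is an exception to investigate. The block below is an added example of that technique and is not from the original slides. The invoice data, the discount codes and the tax rate are constructed for the example and the pricing rules are assumed; they are not taken from any real billing system.

```python
"""Parallel simulation, as an added illustration (not from the original
slides): the auditor writes an independent program that reprocesses the
client's input data and compares the results with what the client's
application actually produced. Differences are exceptions to investigate.
The invoice data, discount codes and tax rate below are constructed for
the example; they are not taken from any real billing system."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Assumed business rules, coded by the auditor from the documented pricing
# policy rather than copied from the client's program.
DISCOUNT = {"NONE": Decimal("0.00"), "VOL10": Decimal("0.10"), "VOL20": Decimal("0.20")}
TAX_RATE = Decimal("0.07")
CENT = Decimal("0.01")


@dataclass(frozen=True)
class Invoice:
    number: str
    qty: int
    unit_price: Decimal
    discount_code: str
    system_total: Decimal  # the total the client's billing system printed


def expected_total(inv):
    """Auditor's re-computation: gross, less discount, plus tax, rounded to the cent."""
    gross = inv.unit_price * inv.qty
    net = gross * (1 - DISCOUNT[inv.discount_code])
    return (net * (1 + TAX_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(invoices, tolerance=CENT):
    """Return (invoice number, system total, expected total) for each invoice
    whose system output differs from the re-computation by more than the
    tolerance. An empty list means the client's output reconciled."""
    exceptions = []
    for inv in invoices:
        expected = expected_total(inv)
        if abs(inv.system_total - expected) > tolerance:
            exceptions.append((inv.number, inv.system_total, expected))
    return exceptions


# Constructed sample output from the client's system. INV-1002 was billed at
# a 20% discount although its code is VOL10; INV-1004 was billed without tax.
SAMPLE = [
    Invoice("INV-1001", 10, Decimal("25.00"), "NONE", Decimal("267.50")),
    Invoice("INV-1002", 4, Decimal("100.00"), "VOL10", Decimal("342.40")),
    Invoice("INV-1003", 3, Decimal("19.99"), "VOL20", Decimal("51.33")),
    Invoice("INV-1004", 1, Decimal("500.00"), "NONE", Decimal("500.00")),
]

if __name__ == "__main__":
    for number, got, expected in parallel_simulation(SAMPLE):
        print(f"{number}: system {got}, auditor {expected}, difference {got - expected}")
```

Running the block reports INV-1002 and INV-1004 as exceptions and passes the other two. The point of the technique is that the auditor's program is written from the documented policy, not from the client's code, so a programming error or an unauthorized program change in the client's system shows up as a difference rather than being reproduced.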

Systems Controls and Security Measures

Systems Controls
• The objectives of controls for an information system are similar to the objectives of overall organizational controls. There are, however, special threats to information systems. Examples:
– Errors can occur in system design
– Data can be stolen over the internet
– Data and programs can be damaged
– Programs can be altered by dishonest employees to divert assets to their own use
– Viruses, Trojan horses, and worms can infect a system, causing a system crash or stolen or damaged data
– Physical facilities can be damaged by natural disasters, illegal activity, or sabotage

Systems Controls cont'd
• Information system internal control guidelines are based upon two documents:
1. The Committee of Sponsoring Organizations (COSO) report, Internal Control – Integrated Framework
2. Control Objectives for Information and related Technology (COBIT), authored by the IT Governance Institute and published by the Information Systems Audit and Control Foundation (ISACF)
• Systems controls are broken down into two categories:
1. General controls
2. Application controls

General Controls
• General controls relate to the environment in which transactions are processed: controls over the development, modification and maintenance of programs, segregation of duties, data security, administrative controls, and provision for disaster recovery.
• The categories of general controls are:
– The organization and operation of the computer facilities, including segregation of duties;
– General operating procedures, including written procedures and manuals;
– Equipment and hardware controls, including backup procedures; and
– Access controls, including both physical access and password access to data and programs.

Application Controls
• Application controls are specific to individual applications. They should be designed to prevent, detect and correct errors in transactions.
• The three main categories are:
– Input controls,
– Processing controls, and
– Output controls.
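The slides name the three categories without showing what the controls look like in practice. The block below is an added example, not from the original slides, that applies all three to a batch of vendor payments: input controls are edit checks on each record (completeness, field format, validity against a master file, sign and limit checks); processing controls reconcile the batch as received against the record count, control total and hash total the submitting department declared; and the output control is the exception report both of them feed. The vendor master file, the payment limit, the declared totals and the batch itself are constructed for the example.

```python
"""Application controls over a batch of vendor payments, as an added
illustration (not from the original slides). Input controls are edit checks
on each record; processing controls reconcile the batch as received against
the control totals the submitting department declared; the output control is
the exception report both feed. The vendor master file, payment limit and
the batch itself are constructed for the example."""
import re
from dataclasses import dataclass
from decimal import Decimal

APPROVED_VENDORS = {"V1001", "V1002", "V1003"}   # assumed vendor master file
PAYMENT_LIMIT = Decimal("10000.00")               # assumed single-payment ceiling
DATE_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$")


@dataclass(frozen=True)
class Payment:
    ref: str
    vendor: str
    amount: Decimal
    date: str
    approved_by: str


def input_controls(p):
    """Edit checks on one record. Returns the names of the checks that failed;
    an empty list means the record is accepted for processing."""
    failures = []
    if not (p.ref and p.vendor and p.approved_by):        # completeness check
        failures.append("completeness")
    if not DATE_RE.match(p.date):                         # field (format) check
        failures.append("date format")
    if p.vendor not in APPROVED_VENDORS:                  # validity check
        failures.append("vendor not on master file")
    if p.amount <= 0:                                     # sign check
        failures.append("non-positive amount")
    elif p.amount > PAYMENT_LIMIT:                        # limit check
        failures.append("exceeds payment limit")
    return failures


def batch_totals(batch):
    """Record count, financial control total, and a hash total over the numeric
    part of the vendor IDs (meaningless as a number, useful only for detecting
    a lost, duplicated or altered record)."""
    return (len(batch),
            sum(p.amount for p in batch),
            sum(int(p.vendor[1:]) for p in batch))


def processing_controls(batch, declared):
    """Compare the batch as received with the totals the submitter declared.
    Returns the names of the totals that do not agree."""
    names = ("record count", "control total", "hash total")
    return [n for n, d, a in zip(names, declared, batch_totals(batch)) if d != a]


def run_batch(batch, declared):
    """Apply the input controls record by record and the batch controls to the
    whole batch, and build the exception report that the output controls use."""
    rejected = {p.ref: input_controls(p) for p in batch}
    rejected = {ref: why for ref, why in rejected.items() if why}
    return {
        "accepted": [p.ref for p in batch if p.ref not in rejected],
        "rejected": rejected,
        "batch_discrepancies": processing_controls(batch, declared),
    }


# Constructed batch. The submitting department declared its totals over the
# batch it sent: 5 records, 20,250.00 in total, vendor hash 14006. In transit
# P-5's amount was transposed from 4,200.00 to 2,400.00.
DECLARED = (5, Decimal("20250.00"), 14006)
BATCH = [
    Payment("P-1", "V1001", Decimal("2500.00"), "2010-03-15", "jdoe"),
    Payment("P-2", "V1002", Decimal("12500.00"), "2010-03-15", "jdoe"),
    Payment("P-3", "V9999", Decimal("300.00"), "2010-03-15", "jdoe"),
    Payment("P-4", "V1003", Decimal("750.00"), "2010-13-01", ""),
    Payment("P-5", "V1001", Decimal("2400.00"), "2010-03-16", "asmith"),
]

if __name__ == "__main__":
    print(run_batch(BATCH, DECLARED))
```

Only P-1 and P-5 pass the edit checks; P-2, P-3 and P-4 are rejected with the reason recorded for the exception report. Note that the transposition on P-5 passes every input control, because 2,400.00 is a perfectly plausible payment: it is caught only by the processing control, since the batch no longer agrees with the declared control total while the record count and hash total still do. That is why both layers are needed and why the output control (someone reviewing and clearing the exception report) completes the cycle.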

System and Program Development and Change
• Having controls in place during the design of the system improves the accuracy, validity, safety and security of the system.
• The stages in system development are:
– Statement of objectives,
– Investigation and feasibility,
– Systems analysis,
– Systems design and development,
– Program coding and testing,
– Systems implementation, and
– Systems evaluation and maintenance.

Internet Security

Internet Security
• A minimum level of internet security includes:
– User account management,
– A firewall,
– Anti-virus protection, and
– Encryption.

Viruses, Trojan Horses and Worms
• A computer virus is a program that attaches itself to a host file or program and replicates itself when that host is executed, damaging the host computer and spreading to others.
• A Trojan horse is a program disguised as something legitimate. It does not replicate itself, though it may still damage the computer by causing the loss or theft of data.
• A worm is similar to a virus, but a worm replicates itself across a network without the use of a host file.

Cybercrime
• The Internet, online communications and e-business are all subject to computer crime, and this threat is growing every day.
• The most serious computer crimes, as defined by the FBI, are:
– Intrusions into the Public Switched Network (the telephone company),
– Major computer network intrusions,
– Network integrity violations,
– Privacy violations,
– Industrial espionage, and
– Pirated computer software.

Cybercrime cont'd
• Other types of computer crime include:
– Copyright infringement, such as the illegal copying of copyrighted material;
– Denial of Service (DoS) attacks, in which a website is flooded with requests so that legitimate users cannot connect to it;
– Theft of credit card numbers from retailers' files;
– Phishing, a scam that uses spam e-mail to deceive consumers into disclosing sensitive personal information; and
– Installation of malware on a computer without the user's knowledge.

Cybercrime cont'd
• Defenses against cybercrime include:
– Firewalls
– Proxy servers
– Anti-sniffer tools
– Switched networks
– Encryption

Firewalls and Encryption
• A firewall is a barrier between the internal network of a company and external networks.
• A firewall prevents unauthorized access to the network and can also record the attempts that were made to access it.
• Encryption is the process of converting readable text into an unreadable form (ciphertext) for transmission or storage, using a key, and converting it back to readable text when it is received by someone who holds the key.
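The two firewall bullets above, prevention of unauthorized access and a record of the attempts, come down to a rule set and a log. The block below is an added example, not from the original slides, of the simplest form of firewall: a stateless packet filter that evaluates its rules in order, lets the first matching rule decide, denies anything that matches no rule, and writes a log line for every blocked attempt. The network addresses, the rule set and the connection attempts are constructed for the example.

```python
"""A minimal stateless packet filter, added to illustrate what the firewall
bullets describe (not from the original slides): a rule set evaluated in
order, first match wins, anything unmatched is denied, and every blocked
attempt is logged. The network addresses, rules and connection attempts
are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, or None for any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Assumed policy: the outside may reach only the public web server, and only
# on web ports; internal hosts may browse out and resolve names; everything
# else, in either direction, falls through to the default deny.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.80/32", 443),
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.80/32", 80),
    Rule("deny", "any", "0.0.0.0/0", "10.0.1.80/32", None),   # no other service on the web server
    Rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
    Rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 80),
    Rule("allow", "udp", "10.0.0.0/8", "10.0.0.53/32", 53),
]


def matches(rule, pkt):
    """True when every field of the rule covers the packet."""
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def decide(pkt, rules=RULES):
    """Return (action, index of the rule that matched); index None means the
    packet matched nothing and fell through to the default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def filter_traffic(packets, rules=RULES):
    """Return the packets let through and a log line for every blocked attempt."""
    allowed, log = [], []
    for pkt in packets:
        action, idx = decide(pkt, rules)
        if action == "allow":
            allowed.append(pkt)
        else:
            reason = f"rule {idx}" if idx is not None else "default deny"
            log.append(f"DENY {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} ({reason})")
    return allowed, log


# Constructed connection attempts: two from the outside to the web server,
# one outside probe of an internal file server, and three from a workstation.
ATTEMPTS = [
    Packet("tcp", "203.0.113.7", "10.0.1.80", 443),
    Packet("tcp", "203.0.113.7", "10.0.1.80", 22),
    Packet("tcp", "203.0.113.7", "10.0.5.20", 445),
    Packet("tcp", "10.0.5.20", "198.51.100.9", 443),
    Packet("udp", "10.0.5.20", "10.0.0.53", 53),
    Packet("tcp", "10.0.5.20", "198.51.100.9", 23),
]

if __name__ == "__main__":
    passed, denied = filter_traffic(ATTEMPTS)
    print(f"{len(passed)} allowed, {len(denied)} denied")
    print("\n".join(denied))
```

Three of the six attempts are allowed (HTTPS to the web server, outbound HTTPS, and DNS) and three are denied: SSH to the web server by the explicit deny rule, the probe of the file server and the outbound telnet by the default deny. Two design points matter for the audit: rule order is part of the policy, because the explicit deny for the web server must come before the broader internal allows, and the default deny at the end is what turns "anything not expressly permitted" into a blocked and logged event rather than an unnoticed one. The log is the evidence an auditor would ask for when testing that the control operates as intended.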

Backup and Contingency Planning
• The company must have plans for the backup and recovery of data.
• The more extreme form of contingency planning is disaster recovery. A disaster recovery plan includes:
– Who will participate in the recovery and what their roles are,
– What hardware, software and facilities should be used, and
– The priority of applications to be processed.
• A hot site is a backup site that has similar equipment already installed and can be used immediately. A cold site is a site where power and space are available, but computer equipment must be obtained and installed there quickly if it is needed.