10 - Internal Control and Control Risk


Transcript of 10 - Internal Control and Control Risk

  • 8/17/2019 10 - Internal Control and Control Risk


    FAKULTAS EKONOMI UNIVERSITAS INDONESIA

    Internal Control and Control Risk

    Audit Process Model

    Phase II: Planning

    Objective: Determine the amount and type of evidence and review required to give the auditor assurance that there is no material misstatement of the financial statements.

    Procedures:

    (1) Perform audit procedures to understand the entity and its environment, including the entity’s internal controls;

    (2) Assess the risks of material misstatements of the financial statements;

    (3) Determine materiality; and

    (4) Prepare the planning memorandum and audit program, containing the auditor’s response to the identified risks.


    Learning Objectives

    After studying this chapter, you should be able to:

    1. Understand the basic definition of internal control.

    2. Discuss why internal controls are important to the auditor.

    3. Characterize the differences between general and application IT controls and how to reduce IT risk.

    4. Distinguish between the different components of internal control.

    5. Describe the elements of the control environment.

    6. Evaluate how management’s objectives are related to risk assessment.

    7. Explain the effects of information and communication on the internal control system.


    Learning Objectives

    After studying this chapter, you should be able to:

    8. Distinguish between the major types of control activities.

    9. Give examples of major types of control procedures (activities).

    10. Identify monitoring controls.

    11. Distinguish between hard and soft controls and understand their control objectives.

    12. Know what is meant by design of controls.

    13. Follow what an auditor does in preliminary planning assessments of internal control risk.


    FAKULTAS EKONOMIUNIVERSITAS INDONESIA

    LO 1: Understand the basic definition of internal control.

    COSO says Internal Control is

    A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    • effectiveness and efficiency of operations,

    • reliability of financial reporting,

    • compliance with applicable laws and regulations, and

    • safeguarding of assets against unauthorized acquisition, use or disposition.


    International Federation of Accountants

    Internal Control Definition

    Internal control — The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.


    LO 2: Discuss why internal controls are important to the auditor.


    Internal control is geared to the achievement of objectives in one or more separate overlapping categories:

    1. effective operations — relating to effective and efficient use of the entity's resources

    2. financial reporting — relating to preparation of reliable published financial statements

    3. compliance — relating to the entity's compliance with applicable laws and regulations

    4. safeguarding of assets


    Which of the three categories of management control objectives is the most important to:

    • The External Auditors?

    • Management?

    • Government Auditors?

    • Internal Auditors?

    • The shareholders?

    • Employees?


    US SEC rules require that management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body or group that followed due-process procedures, including the broad distribution of the framework for public comment. Two frameworks:

    • The report of the Committee of Sponsoring Organizations of the Treadway Commission (known as the COSO report)

    • The Financial Reporting Council, Internal Control Revised Guidance for Directors on the Combined Code, October 2005 (known as the Turnbull Report).


    Management control objectives

    • Effective Operations – goal: safeguarding of assets (cash, accounts receivable, accounting records)

    • Financial Reporting – Need for accurate information because management has a responsibility to see that statements are prepared fairly in accordance with accounting standards. The auditor is interested primarily in financial reporting controls (especially controls over transactions).

    • Compliance – Companies must comply with many laws and regulations including company law, tax law and environmental protection regulations.


    Auditor’s primary control consideration and emphasis

    • To understand an entity’s internal control, the auditor will evaluate the design and implementation of a control.

    • The auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in classes of transactions, account balances or disclosures.

    • The heaviest emphasis by auditors is on controls over classes of transactions rather than account balances or disclosures.


    Design and implementation of controls

    • To understand the entity’s internal control the auditor will evaluate the design of a control and judge whether it has been implemented.

      – He determines if the control is designed to prevent, detect, or correct transactions that misstate the account balances.

      – Implementation of a control means that the control exists and that the entity is using it.


    Why do you think internal controls are important to a business?


    LO 3: Characterize the differences between general and application IT controls and how to reduce IT risk.


    Information technology controls – general

    General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. For example:

    – controls over data center and network operations; system software acquisition, change and maintenance; access security; back-up and recovery; and application system acquisition, development, and maintenance.


    IT controls – application controls

    Application controls are controls that apply to applications that initiate, record, process, and report transactions (such as MS Office, SAP, QuickBooks), rather than the computer system in general.

    Examples are chart of accounts, edit checks of input data, numerical sequence checks, and manual follow-up of exception reports.
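    As an added example (not part of the lecture slides), the three application controls just named, edit checks of input data, a numerical sequence check and an exception report for manual follow-up, run over a constructed batch of sales invoices; the chart of accounts, field names and sample values are assumptions:

```python
from datetime import date

# Constructed chart of accounts (assumption): only these codes may be posted to.
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Accounts receivable", "4000": "Sales revenue"}

# Constructed sample batch (not from the lecture): document 1003 is entered twice,
# 1005 is missing, 1004 uses an unknown account, 1006 is negative and unapproved.
SAMPLE_BATCH = [
    {"doc_no": 1001, "date": "2019-08-01", "account": "4000", "amount": 250.00, "approver": "alice"},
    {"doc_no": 1002, "date": "2019-08-01", "account": "4000", "amount": 90.50, "approver": "alice"},
    {"doc_no": 1003, "date": "2019-08-02", "account": "4000", "amount": 120.00, "approver": "bob"},
    {"doc_no": 1003, "date": "2019-08-02", "account": "4000", "amount": 120.00, "approver": "bob"},
    {"doc_no": 1004, "date": "2019-08-02", "account": "9999", "amount": 75.00, "approver": "bob"},
    {"doc_no": 1006, "date": "2019-08-31", "account": "1200", "amount": -40.00, "approver": ""},
]


def edit_checks(rec):
    """Field-level edit checks on one input record; returns the findings for it."""
    findings = []
    try:
        date.fromisoformat(str(rec.get("date") or ""))
    except ValueError:
        findings.append("invalid date")
    if rec.get("account") not in CHART_OF_ACCOUNTS:
        findings.append("account code not in chart of accounts")
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or isinstance(amount, bool) or amount <= 0:
        findings.append("amount must be a positive number")
    if not rec.get("approver"):
        findings.append("missing approver (no evidence of authorization)")
    return findings


def sequence_check(doc_numbers):
    """Numerical sequence check: returns (duplicated numbers, missing numbers)."""
    seen, duplicates = set(), set()
    for n in doc_numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    expected = set(range(min(seen), max(seen) + 1)) if seen else set()
    return sorted(duplicates), sorted(expected - seen)


def exception_report(batch):
    """Exception report for manual follow-up: list of (doc_no, finding) tuples."""
    report = []
    for rec in batch:
        for finding in edit_checks(rec):
            report.append((rec.get("doc_no"), finding))
    dups, gaps = sequence_check([r["doc_no"] for r in batch])
    report.extend((n, "duplicate document number") for n in dups)
    report.extend((n, "document number missing from sequence") for n in gaps)
    return report


if __name__ == "__main__":
    for doc_no, finding in exception_report(SAMPLE_BATCH):
        print(f"{doc_no}: {finding}")
```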


    IT risks

    • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.

    • Unauthorized access to data that may result in destruction of data or improper changes to data.

    • The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.

    • Unauthorized changes to data in master files.

    • Unauthorized changes to systems or programs.

    • Failure to make necessary changes to systems or programs.

    • Input by people or systems without authorized access.

    • Potential loss of data or inability to access data as required.


    LO 4: Distinguish between the different components of internal control.


    Components of COSO internal control are

    • Control Environment,

    • Risk Assessment,

    • Control Activities / Control Procedures,

    • Information and Communication, and

    • Monitoring.


    Components of Internal Control (figure)


    LO 5: Describe the elements of the control environment.

    Control environment

    Control environment — Includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.


    Cumulative effect of controls

    When analyzing the control environment, the auditor must think about the collective effect of various control environment elements. Strengths in one of the elements might mitigate weaknesses in another element.

    For example, an active and independent board of directors may influence the philosophy and operating style of senior management. Alternatively, human resource policies directed toward hiring competent accounting personnel might not mitigate a strong bias by top management to overstate earnings.


    Elements contributing to a successful control environment

    • Communication and enforcement of integrity and ethical values;

    • Commitment to competence;

    • Participation by those charged with governance – independence and integrity of the board of directors;

    • Management's philosophy and operating style – leadership via control by example;

    • Organizational structure;

    • Assignment of authority and responsibility; and

    • Human resource policies and practices.


    Integrity and ethical values and commitment to competence

    The integrity and ethical values of the people who create, administer, and monitor controls determine their effectiveness.

    Management might remove incentives and temptations that prompt personnel to engage in fraudulent or unethical behavior.

    A company’s control environment will be more effective if its culture is one in which quality and competence are openly valued.


    Participation of those charged with governance

    The guidance and oversight responsibilities of an active and involved board of directors who possess an appropriate degree of management, technical, and other expertise are critical to effective internal control.

    Because the board must be prepared to question and scrutinize management’s activities, present alternative views and have the courage to act in the face of obvious wrongdoing, it is necessary that the board contain at least a critical mass of independent (non-executive) directors.


    Management’s philosophy and operating style and organizational structure

    Management’s philosophy and operating style is their attitude about, and approach to, financial reporting, accounting issues, and to taking and managing business risk.

    Management philosophy may create significant risk.

    Important organizational considerations are clarity of lines of authority and responsibility; the level at which policies are established; adherence to these policies; adequacy of supervision; and appropriateness of organizational structure for the entity.


    Assignment of authority and responsibility; Human resource policies and practices

    Responsibility and delegation of authority should be clearly assigned. How responsibility is distributed is usually spelled out in formal company policy manuals.

    With trustworthy and competent employees, weaknesses in other controls can be compensated and reliable financial statements might still result. Honest, efficient people are able to perform at a high level even when there are few other controls to support them.


    LO 6: Evaluate how management’s objectives are related to risk assessment.

    Risk assessment

    • Management assesses risks as part of designing and operating the internal control system to minimize errors and irregularities.

    • Auditors assess risks to decide the evidence needed in the audit.

    • If management effectively assesses and responds to risks, the auditor will typically need to accumulate less audit evidence than when management fails to, because control risk is lower.


    Identify risks

    A technique to identify risks involves identifying and prioritizing high risk activities:

    1. identify the essential resources of the business and determine which are most at risk;

    2. identify possible liabilities which may arise;

    3. review the risks that have arisen in the past;

    4. consider any additional risks imposed by new objectives or new external factors; and

    5. seek to anticipate change by considering problems and opportunities on a continuing basis.


    LO 7: Explain the effects of information and communication on the internal control system.


    Information systems, communication, and related business processes

    • Every enterprise must capture pertinent information related to both internal and external events and activities in both financial and non-financial forms.

    • The information must be identified by management as relevant and then communicated to people who need it in a form and time frame that allows them to do their jobs.


    Communication

    Not just a matter of reporting, communication occurs in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.

    Employees must understand their own role in the internal control system, as well as how individual activities relate to the work of others, and how to report significant information to senior management.


    Contents of an Information System

    • Accounting system

    • Production system

    • Personnel system

    • Systems software

    • Applications for word-processing, presentations, data bases, etc. and all records and files generated by these applications

    • Information about external events, activities and conditions


    LO 8: Distinguish between the major types of control activities.


    Two elements of control procedures

    Control procedures may be divided into two elements: a policy establishing what should be done and procedures to effect that policy. Examples are:

    – A policy is that a securities dealer retail branch manager must monitor (conduct performance reviews of) customer trades.

    – A procedure to effect that policy would be a review of daily reports of customer trade activities with attention given to the nature and volume of securities traded.


    LO 9: Give examples of major types of control procedures (activities).


    Control activities (control procedures)

    Control procedures implement the control policies by specific routine tasks, performed at particular times by designated people, held accountable by adequate supervision and evidence of performance.

    • Authorization of transactions and activities, General Controls;

    • Performance reviews;

    • Information processing: accuracy, adequate documents and records, Application controls;

    • Physical control over assets and records;

    • adequate Segregation of duties.


    Authorization

    • Proper authorization – Appropriate delegation of authority sets limits on what levels of risk are acceptable

    • General Controls

      – access to the computer system is limited to people who have a right to the information

      – back-up and recovery procedures

      – User ID and general system access


    Performance reviews

    Performance reviews are independent checks on performance by a third party not directly involved in the activity. These control activities include reviews and analyses of actual performance versus budgets and actual performance; relating different sets of data – operating or financial – to one another; comparing internal data with external sources of information; and review of functional or activity performance.


    Information processing; adequate documents

    • Well-designed documents in a manual system and preformatted input screens in a CIS

    • Assets are properly controlled and all transactions correctly recorded

    • Document prepared at the time a transaction takes place

    • Document simple enough to be clearly understood

    • Document designed for multiple use to minimize the number of different forms

    • Document constructed in a manner that encourages correct preparation.


    Information processing: application controls

    • The chart of accounts

    • Use of serial numbers on documents and input transactions

    • Checks, tickets, sales invoices, purchase orders, stock certificates and many other business papers

    • Systems manuals for computer accounting software should provide sufficient information to make the accounting functions clear

    • Passwords that allow only authorized people admittance to the computer software on line


    Physical controls

    • Physical controls are procedures to ensure the physical security of assets.

    • Only individuals who are properly authorized should be allowed access to the company’s assets.

    • Direct physical access to assets may be controlled through physical precautions.


    Segregation of duties

    Segregation of duties entails three fundamental functions which must be separated and adequately supervised:

    • authorization

    • recording

    • custody
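    As an added example (not from the lecture), a defender-side check of the three functions above over a constructed access matrix and transaction log; it also covers the IT risk listed earlier of personnel holding access privileges beyond their assigned duties. The user names, process names and dict layout are assumptions.

```python
from itertools import combinations

# The three functions the lecture says must be separated.
FUNCTIONS = ("authorization", "recording", "custody")

# Constructed access matrix (assumption): process -> user -> functions granted in
# the system. dave and erin each hold two functions in one process.
ROLE_MATRIX = {
    "purchases": {
        "alice": {"authorization"},
        "bob": {"recording"},
        "carol": {"custody"},
        "dave": {"authorization", "custody"},
    },
    "payroll": {
        "erin": {"recording", "custody"},
        "frank": {"authorization"},
    },
}

# Constructed duty assignments (assumption): what each user is supposed to do.
ASSIGNED_DUTIES = {
    "purchases": {"alice": {"authorization"}, "bob": {"recording"},
                  "carol": {"custody"}, "dave": {"authorization"}},
    "payroll": {"erin": {"recording"}, "frank": {"authorization"}},
}

# Constructed transaction log (assumption): who performed each function.
TRANSACTIONS = [
    {"id": "P-1", "process": "purchases", "authorization": "alice", "recording": "bob", "custody": "carol"},
    {"id": "P-2", "process": "purchases", "authorization": "dave", "recording": "bob", "custody": "dave"},
    {"id": "R-1", "process": "payroll", "authorization": "frank", "recording": "erin", "custody": "erin"},
]


def role_conflicts(matrix):
    """Design check: users granted two or more of the three functions in one process."""
    conflicts = []
    for process, users in matrix.items():
        for user, granted in users.items():
            held = tuple(f for f in FUNCTIONS if f in granted)
            if len(held) > 1:
                conflicts.append((process, user, held))
    return conflicts


def excess_privileges(matrix, assigned):
    """Least-privilege check: functions granted beyond the user's assigned duties."""
    findings = []
    for process, users in matrix.items():
        for user, granted in users.items():
            extra = granted - assigned.get(process, {}).get(user, set())
            if extra:
                findings.append((process, user, sorted(extra)))
    return findings


def transaction_conflicts(transactions):
    """Operating check: transactions where one person performed two functions."""
    conflicts = []
    for tx in transactions:
        for f1, f2 in combinations(FUNCTIONS, 2):
            if tx[f1] == tx[f2]:
                conflicts.append((tx["id"], tx[f1], (f1, f2)))
    return conflicts


if __name__ == "__main__":
    print("role conflicts:", role_conflicts(ROLE_MATRIX))
    print("excess privileges:", excess_privileges(ROLE_MATRIX, ASSIGNED_DUTIES))
    print("transaction conflicts:", transaction_conflicts(TRANSACTIONS))
```

    The design check and the least-privilege check look at granted access; the transaction check looks at what actually happened, which is how an auditor would test that the separation operates and not only that it is designed.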


    LO 10: Identify monitoring controls.


    Monitoring of controls

    Monitoring is assessing the design of controls and their operation on a timely basis and taking necessary corrective actions.

    Ongoing monitoring information comes from several sources: exception reporting on control activities, reports by government regulators, feedback from employees, complaints from customers, and most importantly from internal auditor reports.


    Evaluation of monitoring

    When evaluating the ongoing monitoring the following issues might be considered:

    • Periodic comparisons of amounts recorded with the accounting system and with physical assets.

    • Responsiveness to internal and external auditor recommendations to strengthen internal controls.

    • Extent to which training seminars, planning sessions and other meetings provide information on effective operation of controls.

    • Effectiveness of internal audit activities.

    • Extent to which personnel obtain evidence on internal control function.


    LO 11: Distinguish between hard and soft controls and understand their control objectives.

    Hard and soft controls

    Management designs and sets in place a set of rules, physical constraints and activities called “internal controls”. Due to the explicit, formal and tangible character of these controls, they are generally referred to as hard controls. Soft controls are the intangible factors in an organization that influence the behavior of managers and employees.

    Whereas soft controls are founded in the culture or climate of an organization, the hard controls are more explicit, formal and visible.


    Seven factors influence the way people examine their control activities

    1. Clarity for directors, managers and employees as to what constitutes desirable and undesirable behavior

    2. Role-modeling among administrators, management or immediate supervisors

    3. Achievability of goals, tasks and responsibilities set

    4. Commitment in the organization

    5. Transparency of behavior

    6. Openness to discussion of viewpoints, emotions, dilemmas and transgressions

    7. Enforcement of behavior, such as appreciation of desirable behavior and sanctioning of undesirable behavior


    LO 12: Know what is meant by design of controls.


    Design and implementation of internal control

    • Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.

    • Implementation of a control means that the control exists and that the entity is using it.

    • There is little point in assessing the implementation of a control that is not effective, and so the design of a control is considered first. An improperly designed control may represent a significant deficiency in internal control.


    LO 13: Follow what an auditor does in preliminary planning assessments of internal control risk.


    Methods for obtaining controls audit evidence

    Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:

    (1) Inquiring of entity personnel.

    (2) Observing and re-performing the application of a specific control.

    (3) Inspecting documents and reports.

    (4) Tracing transactions through the information system (referred to as “walkthrough”).


    Recap of this session


    Recap

    • Internal controls and their importance to the audit

    • Understand the components of internal controls

    • Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls


    Further readings


    Selected materials

    Hayes, Wallage, and Gortemaker, “Ch. 7, Internal Control and Control Risk” in Principles of Auditing – an Introduction to International Standards on Auditing, 3rd Edition, 2014
