10 - Internal Control and Control Risk
8/17/2019 10 - Internal Control and Control Risk
FAKULTAS EKONOMI UNIVERSITAS INDONESIA
Internal Control and Control Risk
Audit Process Model
Phase II: Planning
Objective: Determine the amount and type of evidence and review required to give the auditor assurance that there is no material misstatement of the financial statements.
Procedures:
(1) Perform audit procedures to understand the entity and its environment, including the entity’s internal controls
(2) Assess the risks of material misstatements of the financial statements
(3) Determine materiality; and
(4) Prepare the planning memorandum and audit program, containing the auditor’s response to the identified risks
Learning Objectives
After studying this chapter, you should be able to:
1. Understand the basic definition of internal control.
2. Discuss why internal controls are important to the auditor.
3. Characterize the differences between general and application IT controls and how to reduce IT risk.
4. Distinguish between the different components of internal control.
5. Describe the elements of the control environment.
6. Evaluate how management’s objectives are related to risk assessment.
7. Explain the effects of information and communication on the internal control system.
8. Distinguish between the major types of control activities.
9. Give examples of major types of control procedures (activities).
10. Identify monitoring controls.
11. Distinguish between hard and soft controls and understand their control objectives.
12. Know what is meant by design of controls.
13. Follow what an auditor does in preliminary planning assessments of internal control risk.
LO 1: Understand the basic definition of internal control.
COSO says Internal Control is
A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
effectiveness and efficiency of operations,
reliability of financial reporting,
compliance with applicable laws and regulations
and safeguarding of assets against unauthorized acquisition, use or disposition.
International Federation of Accountants
Internal Control Definition
Internal control — The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
LO 2: Discuss why internal controls are important to the auditor.
Internal control is geared to the achievement of objectives in one or more separate overlapping categories:
1 effective operations — relating to effective and efficient use of the entity's resources
2 financial reporting — relating to preparation of reliable published financial statements
3 compliance — relating to the entity's compliance with applicable laws and regulations
4 safeguarding of assets
Which of the three categories of management control objectives is the most important to:
• The External Auditors?
• Management?
• Government Auditors?
• Internal Auditors?
• The shareholders?
• Employees?
US SEC rules require that management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body or group that followed due-process procedures, including the broad distribution of the framework for public comment. Two frameworks:
The report of the Committee of Sponsoring Organizations of the Treadway Commission (known as the COSO report)
The Financial Reporting Council, Internal Control Revised Guidance for Directors on the Combined Code, October 2005 (known as the Turnbull Report).
Management control objectives
• Effective Operations: goal safeguarding of assets (cash, accounts receivable, accounting records)
• Financial Reporting: Need for accurate information because management has a responsibility to see that statements are prepared fairly in accordance with accounting standards. Auditor is interested primarily in financial reporting controls (especially controls over transactions).
• Compliance: Companies must comply with many laws and regulations including company law, tax law and environmental protection regulations.
Auditor’s primary control consideration and emphasis
• To understand an entity’s internal control, the auditor will evaluate the design and implementation of a control.
• The auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in classes of transactions, account balances or disclosures.
• The heaviest emphasis by auditors is on controls over classes of transactions rather than account balances or disclosures.
Design and implementation of controls
• To understand the entity’s internal control the auditor will evaluate the design of a control and judge whether it has been implemented.
– He determines if the control is designed to prevent, detect, or correct transactions that misstate the account balances.
– Implementation of a control means that the control exists and that the entity is using it.
Why do you think internal controls are important to a business?
LO 3: Characterize the differences between general and application IT controls and how to reduce IT risk.
Information technology controls - general
General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. For example:
– controls over data center and network operations; system software acquisition, change and maintenance; access security; back-up and recovery; and application system acquisition, development, and maintenance.
IT controls – application controls
Application controls are controls that apply to applications that initiate, record, process, and report transactions (such as MS Office, SAP, QuickBooks), rather than the computer system in general.
Examples are chart of accounts, edit checks of input data, numerical sequence checks, and manual follow-up of exception reports.
IT risks
Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
Unauthorized access to data that may result in destruction of data or improper changes to data.
The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties thereby breaking down segregation of duties.
Unauthorized changes to data in master files.
Unauthorized changes to systems or programs.
Failure to make necessary changes to systems or programs.
Input by people or systems without authorized access.
Potential loss of data or inability to access data as required
LO 4: Distinguish between the different components of internal control.
Components of COSO internal control are
• Control Environment,
• Risk Assessment,
• Control Activities / Control Procedures,
• Information and Communication and
• Monitoring.
Components of Internal Control
LO 5: Describe the elements of the control environment.
Control environment
Control environment—Includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.
Cumulative effect of controls
When analyzing the control environment, the auditor must think about the collective effect of various control environment elements. Strengths in one of the elements might mitigate weaknesses in another element.
For example, an active and independent board of directors may influence the philosophy and operating style of senior management. Alternatively, human resource policies directed toward hiring competent accounting personnel might not mitigate a strong bias by top management to overstate earnings.
Elements contributing to a successful control environment
Communication and enforcement of integrity and ethical values;
Commitment to competence;
Participation by those charged with governance - independence and integrity of the board of directors;
Management's philosophy and operating style - leadership via control by example;
Organizational structure;
Assignment of authority and responsibility; and
Human resource policies and practices.
Integrity and ethical values and commitment to competence
The integrity and ethical values of the people who create, administer, and monitor controls determine their effectiveness.
Management might remove incentives and temptations that prompt personnel to engage in fraudulent or unethical behavior.
A company’s control environment will be more effective if its culture is one in which quality and competence are openly valued.
Participation of those charged with governance
The guidance and oversight responsibilities of an active and involved board of directors who possess an appropriate degree of management, technical, and other expertise is critical to effective internal control.
Because the board must be prepared to question and scrutinize management’s activities, present alternative views and have the courage to act in the face of obvious wrongdoing, it is necessary that the board contain at least a critical mass of independent (non-executive) directors.
Management’s philosophy and operating style and organizational structure
Management’s philosophy and operating style is their attitude about, and approach to, financial reporting, accounting issues, and to taking and managing business risk.
Management philosophy may create significant risk.
Important organizational considerations are clarity of lines of authority and responsibility; the level at which policies are established; adherence to these policies; adequacy of supervision; and appropriateness of organizational structure for the entity.
Assignment of authority and responsibility; Human resource policies and practices
Responsibility and delegation of authority should be clearly assigned. How responsibility is distributed is usually spelled out in formal company policy manuals.
With trustworthy and competent employees, weaknesses in other controls can be compensated and reliable financial statements might still result. Honest, efficient people are able to perform at a high level even when there are few other controls to support them.
LO 6: Evaluate how management’s objectives are related to risk assessment.
Risk assessment
• Management assesses risks as part of designing and operating the internal control system to minimize errors and irregularities.
• Auditors assess risks to decide the evidence needed in the audit.
• If management effectively assesses and responds to risks, the auditor will typically need to accumulate less audit evidence than when management fails to, because control risk is lower.
Identify risks
A technique to identify risks involves identifying and prioritizing high risk activities:
1. identify the essential resources of the business and determine which are most at risk;
2. identify possible liabilities which may arise;
3. review the risks that have arisen in the past;
4. consider any additional risks imposed by new objectives or new external factors; and
5. seek to anticipate change by considering problems and opportunities on a continuing basis.
LO 7: Explain the effects of information and communication on the internal control system.
Information systems, communication, and related business processes
• Every enterprise must capture pertinent information related to both internal and external events and activities in both financial and non-financial forms.
• The information must be identified by management as relevant and then communicated to people who need it in a form and time frame that allows them to do their jobs.
Communication
Not just a matter of reporting, communication occurs in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.
Employees must understand their own role in the internal control system, as well as how individual activities relate to the work of others, and how to report significant information to senior management.
Contents of an Information System
Accounting system
Production system
Personnel system
Systems software
Applications for word-processing, presentations, data bases, etc. and all records and files generated by these applications
Information about external events, activities and conditions
LO 8: Distinguish between the major types of control activities.
Two elements of control procedures
Control procedures may be divided into two elements: a policy establishing what should be done and procedures to effect that policy. Examples are:
– A policy is that a securities dealer retail branch manager must monitor (conduct performance reviews of) customer trades.
– A procedure to effect that policy would be a review of daily reports of customer trade activities with attention given to the nature and volume of securities traded.
LO 9: Give examples of major types of control procedures (activities).
Control activities (control procedures)
Control procedures implement the control policies by specific routine tasks, performed at particular times by designated people, held accountable by adequate supervision and evidence of performance.
Authorization of transactions and activities, General Controls;
Performance reviews;
Information processing: accuracy, adequate documents and records, Application controls;
Physical control over assets and records;
adequate Segregation of duties.
Authorization
• Proper authorization
– Appropriate delegation of authority sets limits on what levels of risk are acceptable
• General Controls
– access to the computer system is limited to people who have a right to the information
– back-up and recovery procedures
– User ID and general system access
Performance reviews
Performance reviews are independent checks on performance by a third party not directly involved in the activity. These control activities include reviews and analyses of actual performance versus budgets and actual performance; relating different sets of data – operating or financial – to one another; comparing internal data with external sources of information; and review of functional or activity performance.
Information processing; adequate documents
• Well-designed documents in a manual system and preformatted input screens in a CIS
• Assets are properly controlled and all transactions correctly recorded
• Document prepared at the time a transaction takes place
• Document simple enough to be clearly understood,
• Document designed for multiple use to minimize the number of different forms
• Document constructed in a manner that encourages correct preparation.
Information processing: application controls
• The chart of accounts
• Use of serial numbers on documents and input transactions
• Checks, tickets, sales invoices, purchase orders, stock certificates and many other business papers
• Systems manuals for computer accounting software should provide sufficient information to make the accounting functions clear
• Passwords that allow only authorized people admittance to the computer software on line
Physical controls
• Physical controls are procedures to ensure the physical security of assets.
• Only individuals who are properly authorized should be allowed access to the company’s assets.
• Direct physical access to assets may be controlled through physical precautions.
Segregation of duties
Segregation of duties entails three fundamental functions which must be separated and adequately supervised:
authorization
recording
custody
LO 10: Identify monitoring controls.
Monitoring of controls
Monitoring is assessing the design of controls and their operation on a timely basis and taking necessary corrective actions.
Ongoing monitoring information comes from several sources: exception reporting on control activities, reports by government regulators, feedback from employees, complaints from customers, and most importantly from internal auditor reports.
Evaluation of monitoring
When evaluating the ongoing monitoring the following issues might be considered:
Periodic comparisons of amounts recorded with the accounting system and with physical assets.
Responsiveness to internal and external auditor recommendations to strengthen internal controls.
Extent to which training seminars, planning sessions and other meetings provide information on effective operation of controls.
Effectiveness of internal audit activities
Extent to which personnel obtain evidence on internal control function
LO 11: Distinguish between hard and soft controls and understand their control objectives.
Hard and soft controls
Management designs and sets in place a set of rules, physical constraints and activities called “internal controls”. Due to the explicit, formal and tangible character of these controls, these controls are generally referred to as hard controls.
Soft controls are the intangible factors in an organization that influence the behavior of managers and employees.
Whereas soft controls are founded in the culture or climate of an organization, the hard-controls are more explicit, formal and visible.
Seven factors influence the way people examine their control activities
1. Clarity for directors, managers and employees as to what constitutes desirable and undesirable behavior
2. Role-modeling among administrators, management or immediate supervisors
3. Achievability of goals, tasks and responsibilities set
4. Commitment in the organization
5. Transparency of behavior
6. Openness to discussion of viewpoints, emotions, dilemmas and transgressions
7. Enforcement of behavior, such as appreciation of desirable behavior, sanctioning of undesirable behavior
LO 12: Know what is meant by design of controls.
Design and implementation of internal control
• Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
• Implementation of a control means that the control exists and that the entity is using it.
• There is little point in assessing the implementation of a control that is not effective, and so the design of a control is considered first. An improperly designed control may represent a significant deficiency in internal control.
LO 13: Follow what an auditor does in preliminary planning assessments of internal control risk.
Methods for obtaining controls audit evidence
Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
(1) Inquiring of entity personnel.
(2) Observing and re-performing the application of a specific control.
(3) Inspecting documents and reports,
(4) Tracing transactions through the information system (referred to as “walkthrough”)
Recap of this session
Recap
• Internal controls and their importance to the audit
• Understand components of internal controls
• Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls
Further readings
Selected materials
Hayes, Wallage, and Gortemaker, “Ch. 7, Internal Control and Control Risk” in Principles of Auditing – an Introduction to International Standards on Auditing, 3rd Edition, 2014