
Internal Control and Risk Assessment Guide

Chapter 5 of Basic Auditing (English slides)

Uploaded by

pham.t.bich.ngoc
Copyright
© All Rights Reserved

INTERNAL CONTROL AND CONTROL RISK
CHAPTER 5
INTERNAL CONTROL
• According to COSO (the Committee of Sponsoring Organizations of the Treadway Commission) 2013:
• “INTERNAL CONTROL IS A PROCESS, EFFECTED BY AN ENTITY’S BOARD OF DIRECTORS, MANAGEMENT, AND OTHER PERSONNEL, DESIGNED TO PROVIDE REASONABLE ASSURANCE REGARDING THE ACHIEVEMENT OF OBJECTIVES RELATING TO OPERATIONS, REPORTING, AND COMPLIANCE”
B. REASONABLE ASSURANCE
Reasonable assurance involves two considerations:
1. The cost of the entity’s internal control should not exceed the expected benefits.
2. Limitations exist in any entity’s internal control.
[Illustration labeled “Collusion”, with the caption “Code the missing cash to bad debts.”]
OBJECTIVES OF INTERNAL CONTROL
• Operations objectives – related to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting objectives – related to internal and external financial and non-financial reporting to stakeholders, which would encompass reliability, timeliness, transparency, or other terms as established by regulators, standard setters, or the entity’s policies.
• Compliance objectives – related to adhering to laws and regulations that the entity must follow.
MANAGEMENT’S RESPONSIBILITY FOR ESTABLISHING INTERNAL CONTROL
Section 404 of Sarbanes-Oxley requires the management of public companies to issue an internal control report that includes:
• A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
• An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company’s fiscal year.
AUDITOR RESPONSIBILITIES FOR UNDERSTANDING INTERNAL CONTROL
• Public and private companies – A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed. (2nd standard of fieldwork)
THE COMPONENTS OF INTERNAL CONTROL
A. Control environment
B. Risk assessment
C. Control activities
D. Information and communication
E. Monitoring
CONTROL ENVIRONMENT
• “The control environment is the set of standards, processes, and
structures that provide the basis for carrying out internal control
across the organization.
• The board of directors and senior management establish the tone
at the top regarding the importance of internal control and
expected standards of conduct.”
CONTROL ENVIRONMENT
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
1. INTEGRITY AND ETHICAL VALUES
• Management actions to remove incentives that prompt a person to behave improperly.
• Communication of behavioral standards by codes of conduct and example.
2. COMMITMENT TO COMPETENCE
Management’s consideration of the competence levels for specific jobs and how those translate into requisite skills and knowledge.
3. BOARD OF DIRECTORS AND AUDIT COMMITTEE
• Board delegates responsibility for internal control to management and is charged with regular independent assessments of management-established internal control.
• The major stock exchanges require listed companies to have an audit committee composed of entirely independent directors who are financially literate.
4. MANAGEMENT’S PHILOSOPHY AND OPERATING STYLE
Management, through its activities, provides clear signals to employees about the importance of internal control.
For example, sales and earnings targets are unrealistic, and employees are encouraged to take aggressive actions to meet those targets.
5. ORGANIZATIONAL STRUCTURE
Understanding the client’s organizational structure provides the auditor with an understanding of how the client’s business functions and implements controls.
6. ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY
Formal methods of communication including:
• Top management memoranda concerning internal control
• Organizational operating plans
• Employee job descriptions
7. HUMAN RESOURCE POLICIES AND PRACTICES
• If employees are honest and trustworthy, other controls can be absent and reliable financial statements will still result.
• Methods by which persons are hired, trained, promoted, and compensated are important elements of internal control.
B. RISK ASSESSMENT
Client management’s identification and analysis of risks relevant to the preparation of the financial statements in accordance with GAAP.
1. Client management’s risk assessment
2. Auditor risk assessment
1. CLIENT MANAGEMENT’S RISK ASSESSMENT
Client management assesses risk as part of designing and operating internal controls to minimize errors and fraud. Three steps are involved:
i. Identify factors that may increase risk.
ii. Determine significance of risk and likelihood of occurrence.
iii. Develop specific actions to reduce risk to an acceptable level.
2. AUDITOR RISK ASSESSMENT
The auditor obtains knowledge about management’s risk assessment process by:
• Determining how management identifies risks relevant to financial reporting
• Evaluating their significance and likelihood of occurrence
• Deciding the actions needed to address the risks.
C. CONTROL ACTIVITIES
Policies and procedures that client management has established to meet its objectives for financial reporting.
1. Adequate segregation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
1. ADEQUATE SEGREGATION OF DUTIES
• Separation of the functions of authorization, recordkeeping, and custody.
• Separating IT duties from user departments.
2. PROPER AUTHORIZATION OF TRANSACTIONS AND ACTIVITIES
• General authorization is permissible for routine events for which there are policies to follow.
• For some transactions specific authorization is needed on a case-by-case basis.
3. ADEQUATE DOCUMENTS AND RECORDS
• Prenumbered consecutive documents so missing items are noticed
• Prepared as near to transaction time as possible
• Good design with instructions and appropriate spaces
4. PHYSICAL CONTROL OVER ASSETS AND RECORDS
• Deterrents to prevent physical access.
• Access controls to prevent getting into computer system.
• Backup and recovery procedures
[Illustration: “Incorrect Password”]
5. INDEPENDENT CHECKS ON PERFORMANCE
Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance.
D. INFORMATION AND COMMUNICATION
Methods used to initiate, record, process, and report an entity’s transactions and to maintain accountability for related assets.
• For a small company with active involvement by the owner, a simple computerized accounting system that involves one honest, competent accountant may provide an adequate accounting system.
• A larger company requires a more complex system that includes carefully defined responsibilities and written procedures.
E. MONITORING
Client management’s ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and modified when needed.
• For many companies, especially larger ones, an internal audit department is essential for effective monitoring.
• To maintain internal audit independence, it is imperative that they be independent of operating and accounting departments; and that they report to a high level of authority, preferably the audit committee of the board of directors.
PROCESS FOR UNDERSTANDING INTERNAL CONTROL AND ASSESSING CONTROL RISK
A. Phase 1: obtain and document understanding of internal control: design and operation
B. Phase 2: assess control risk
C. Phase 3: design, perform, and evaluate tests of controls
D. Phase 4: decide planned detection risk and substantive tests
A. PHASE 1: OBTAIN AND DOCUMENT UNDERSTANDING OF INTERNAL CONTROL
Three methods commonly used by auditors to obtain and document their understanding of the design of internal control are narratives, flowcharts, and internal control questionnaires.
The auditor must also evaluate whether the designed controls are actually placed in operation. Usually, auditors are required to perform at least one walkthrough for each major class of transactions. In a walkthrough, the auditor selects one or a few documents for the initiation of a transaction type and traces them through the entire accounting process.
B. PHASE 2: ASSESS CONTROL RISK
Two specific assessments must be made to arrive at the preliminary assessment:
• The first assessment is whether the entity is auditable. This is determined by considering the integrity of management and the adequacy of the accounting records.
• Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.
C. PHASE 3: DESIGN, PERFORM, AND EVALUATE TESTS OF CONTROLS
• If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment. Otherwise, assessed control risk must be reconsidered.
• If the auditor wants a lower assessed control risk, more extensive tests of controls are applied.
• The auditor is required to determine whether controls are operating effectively at year end. The auditor may test at an interim date and later determine if changes have occurred.
D. PHASE 4: DECIDE PLANNED DETECTION RISK AND SUBSTANTIVE TESTS
• The greater the control risk (weak internal controls) the lower the detection risk the auditor can accept.
• To lower detection risk, the auditor performs more substantive testing.
IV. COMMUNICATIONS WITH THE AUDIT COMMITTEE AND MANAGEMENT
As part of understanding internal control and assessing control risk, the auditor is required to communicate certain matters to the audit committee:
• Significant deficiencies and material weaknesses must be communicated in writing to the audit committee as a part of every audit. Timely communication may help management in correcting the problem before their year-end report on internal control.
• Less significant internal-control matters and recommendations for operational improvements may be communicated through a management letter. Although such letters are not required by auditing standards, they are often provided as a value-added service of the audit.
