Control Testing and Control Risk


CONTROL TESTING AND CONTROL RISK


INTERNAL CONTROL - Definition

Internal control is defined by the Committee of
Sponsoring Organizations of the Treadway
Commission (the COSO Commission) as
a process, effected by an entity’s board of directors,
management, and other personnel, designed to
provide reasonable assurance regarding the
achievement of objectives in the following categories:
(a) reporting, (b) operations, and (c) compliance.
INTERNAL CONTROL - Objectives

Operations Objectives
related to the effectiveness and efficiency of the
entity’s operations, including operational and
financial performance goals, and safeguarding assets
against loss.
INTERNAL CONTROL - Objectives

Reporting Objectives
related to internal and external financial and non-
financial reporting to stakeholders, which would
encompass reliability, timeliness, transparency, or
other terms as established by regulators, standard
setters, or the entity’s policies.
INTERNAL CONTROL - Objectives

Compliance Objectives
related to adhering to laws and regulations that the
entity must follow.
Major Components of Internal Control

Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Major Components of Internal Control
Control Environment
“The control environment is the set of standards,
processes, and structures that provide the basis for
carrying out internal control across the organization.
The board of directors and senior management
establish the tone at the top regarding the importance
of internal control and expected standards of
conduct.”
Control Environment – Five Principles

1. The organization demonstrates a commitment to
integrity and ethical values.
2. The board of directors demonstrates independence
from management and exercises oversight of the
development and performance of internal control.
3. Management establishes, with board oversight,
structures, reporting lines, and appropriate authorities
and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to
attract, develop, and retain competent individuals in
alignment with objectives.
5. The organization holds individuals accountable for
their internal control responsibilities in the pursuit of
objectives.
Control Environment – Seven Factors

I—Integrity and ethical values
C—Commitment to competence
H—Human resource policies and practices
A—Assignment of authority and responsibility
M—Management’s philosophy and operating style
B—Board of directors or audit committee participation
O—Organizational structure
Risk Assessment
“Risk assessment involves a dynamic and iterative
process for identifying and analyzing risks to
achieving the entity’s objectives, forming a basis for
determining how risks should be managed.
Management considers possible changes in the
external environment and within its own business
model that may impede its ability to achieve its
objectives.”
Risk Assessment
For financial reporting purposes an entity’s risk
assessment is its identification, analysis, and
management of risks relevant to the preparation of
financial statements following GAAP (or some other
comprehensive basis).
Risk Assessment
The following are considered risks that may affect an entity’s
ability to properly record, process, summarize, and report
financial data:
(1) Changes in the operating environment (e.g., increased
competition)
(2) New personnel
(3) New information systems
(4) Rapid growth
(5) New technology
(6) New lines, products, or activities
(7) Corporate restructuring
(8) Foreign operations
(9) Accounting pronouncements
Control Activities
“Control activities are the actions established by the
policies and procedures to help ensure that management
directives to mitigate risks to the achievement of
objectives are carried out. Control activities are
performed at all levels of the entity, at various stages
within business processes, and over the technology
environment.
They may be preventive or detective in nature and may
encompass a range of manual and automated activities
such as authorizations and approvals, verifications,
reconciliations, and business performance reviews.
Segregation of duties is typically built into the selection
and development of control activities. Where
segregation of duties is not practical, management
selects and develops alternative control activities.”
Control Activities
Those policies and procedures include
P—Performance reviews (reviews of actual
performance against budgets, forecasts, one another,
etc.)
I—Information processing (controls that check
accuracy, completeness, and authorization of
transactions)
P—Physical controls (activities that assure the physical
security of assets and records)
S—Segregation of duties (separate authorization,
recordkeeping, and custody)
Information and Communication
“Information is necessary for the entity to carry out
internal control responsibilities in support of
achievement of its objectives. Communication occurs
both internally and externally and provides the
organization with the information needed to carry out
day-to-day internal control activities. Communication
enables personnel to understand internal control
responsibilities and their importance to the achievement
of objectives.”
Information and Communication
To be effective, the information and communication
system should accomplish the following goals for
transactions:
(1) Identify and record all valid transactions
(2) Describe on a timely basis
(3) Measure the value properly
(4) Record in the proper time period
(5) Properly present and disclose
(6) Communicate responsibilities to employees
Monitoring
“Ongoing evaluations, separate evaluations, or some
combination of the two are used to ascertain whether
each of the five components of internal control,
including controls to effect the principles within each
component, are present and functioning. Findings are
evaluated and deficiencies are communicated in a
timely manner, with serious matters reported to senior
management and to the board.”
Limitations of Internal Control
Internal control provides reasonable, but not absolute,
assurance that specific entity objectives will be
achieved. Even the best internal control may break
down due to
(1) Human judgment in decision making can be faulty
(2) Breakdowns can occur because of human failures
such as simple errors or mistakes
(3) Controls, whether manual or automated, can be
circumvented by collusion
(4) Management has the ability to override internal
control
(5) Cost constraints (the cost of internal control should
not exceed the benefits expected to be
derived)
(6) Custom, culture, and the corporate governance
system may inhibit fraud, but they are not absolute
deterrents
The Auditor’s Consideration of Internal Control

After planning the audit, auditors
A. Obtain an understanding of the entity and its
environment, including its internal control
B. Assess the risks of material misstatement and design
further audit procedures
C. Perform further audit procedures, including test of
controls and substantive tests
The Auditor’s Consideration of Internal Control

Internal control is a part of each of the three stages.
Auditors obtain an understanding of internal control to
aid them in their assessment of the risks of material
misstatement and to design further audit procedures.
Tests of controls, performed to determine whether
controls operate effectively, are further audit
procedures.
The Auditor’s Consideration of Internal Control

Obtain an understanding of the entity and its
environment, including its internal control
As part of the auditor’s risk assessment procedures, the
auditor uses procedures to obtain an understanding,
which involve gathering evidence about the design of
internal controls and whether they have been
implemented, and then uses that information as a basis
for the integrated audit.
The Auditor’s Consideration of Internal Control

Obtain An Understanding Of The Entity And Its
Environment, Including Its Internal Control
Auditors commonly use three types of documents to
obtain and document their understanding of the design
of internal control: narratives, flowcharts, and
internal control questionnaires.
The Auditor’s Consideration of Internal Control

NARRATIVES
A narrative is a written description of a client’s
internal controls. A proper narrative of an accounting
system and related controls describes four things:
1. The origin of every document and record in the
system. For example, the description should state
where customer orders come from and how sales
invoices are generated.
2. All processing that takes place. For example, if
sales amounts are determined by a computer program
that multiplies quantities shipped by standard prices
contained in price master files, that process should be
described.
3. The disposition of every document and record in
the system. The filing of documents, sending them to
customers, or destroying them should be described.

4. An indication of the controls relevant to the
assessment of control risk. These typically include
separation of duties (such as separating recording cash
from handling cash), authorizations and approvals
(such as credit approvals), and internal verification
(such as comparison of unit selling prices to sales
contracts).
The Auditor’s Consideration of Internal Control

FLOWCHART
An internal control flowchart is a diagram of the
client’s documents and their sequential flow in the
organization. An adequate flowchart includes the same
four characteristics identified for narratives.
The Auditor’s Consideration of Internal Control

FLOWCHART
Flowcharts have two advantages over narratives:
typically they are easier to read and easier to update. It
is unusual to use both a narrative and a flowchart to
describe the same system because both present the
same information.
The Auditor’s Consideration of Internal Control

INTERNAL CONTROL QUESTIONNAIRE
An internal control questionnaire asks a series of
questions about the controls in each audit area as a
means of identifying internal control deficiencies. Most
questionnaires require a “yes” or a “no” response, with
“no” responses indicating potential internal control
deficiencies.
The Auditor’s Consideration of Internal Control

Assess the risks of material misstatement and design
further audit procedures
After obtaining an understanding of internal control,
the auditor makes a preliminary assessment of control
risk as part of the auditor’s overall assessment of the
risk of material misstatement. This assessment is a
measure of the auditor’s expectation that internal
controls will prevent material misstatements from
occurring or detect and correct them if they have
occurred.
Communication of Internal Control–Related
Matters.
The Auditor’s Consideration of Internal Control

Perform further audit procedures, including test of
controls and substantive tests
Assessing control risk requires the auditor to consider
both the design and operation of controls to evaluate
whether they will likely be effective in meeting related
audit objectives.
The Auditor’s Consideration of Internal Control

Perform further audit procedures, including test of
controls and substantive tests
The procedures to test effectiveness of controls in
support of a reduced assessed control risk are called
tests of controls.
The Auditor’s Consideration of Internal Control

Perform further audit procedures, including test of
controls and substantive tests
Approaches include
a. Inquiries of appropriate personnel
b. Inspection of documents and reports
c. Observation of the application of controls
d. Reperformance of the control by the auditor (when
evaluating operation)
Evaluating the Results of Tests of Controls.

Based on the results of the tests of controls the auditor
will determine whether it is necessary to modify
substantive procedures. If tests of control reveal that the
system operates as expected, there will generally be no
need to change the scope of planned substantive
procedures.
SECTION 404 AUDITS OF
INTERNAL CONTROL AND
CONTROL RISK
SECTION 404 REPORTING ON INTERNAL
CONTROL

Based on the auditor’s assessment and testing of
internal control, the auditor is required to prepare an
audit report on internal control over financial
reporting for accelerated filer public companies
subject to Section 404(b) reporting requirements.
SECTION 404 REPORTING ON INTERNAL
CONTROL

The scope of the auditor’s report on internal control is
limited to obtaining reasonable assurance that
material weaknesses in internal control are identified.
Thus, the audit is not designed to detect deficiencies
in internal control that individually, or in the
aggregate, are less severe than a material weakness.
SECTION 404 REPORTING ON INTERNAL
CONTROL - Example
Summary of Understanding Internal Control and
Assessing Control Risk
END
