
Chap 05 - ICS - Internal Control and Control Risk

Chapter 4 discusses internal control systems, outlining their components, responsibilities of management and auditors, and the process for assessing control risk. It emphasizes the importance of a strong control environment, risk assessment, control activities, information and communication, and monitoring. Additionally, it highlights limitations of internal controls and the necessity for auditors to communicate findings to the audit committee.

Uploaded by

Negash adane

Chapter 4

Internal Control and Control Risk


Presentation Outline

I. An Overview of Internal Control
II. The Components of Internal Control
III. Process for Understanding Internal Control and Assessing Control Risk
IV. Communications with the Audit Committee and Management
Internal Control Defined
An entity’s system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals, including:

• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Effectiveness and efficiency of operations
Responsibility for Internal Control
• Management’s responsibility
– Responsibility for establishing and maintaining adequate internal control over financial reporting
– Assess and report on the effectiveness of internal control over financial reporting
• Auditors’ responsibility
– For public companies, must audit and issue an opinion about the effectiveness of the internal control over financial reporting
– For each fraud risk, must evaluate whether controls are in place to mitigate the fraud risk
– Must assess control risk to determine the nature, timing and extent of substantive procedures to be performed

II. The Components of Internal Control

A. The Control Environment
B. Risk Assessment
C. Control Activities
D. Information and Communication
E. Monitoring
A. The Control Environment
The control environment is concerned with the actions, policies, and procedures that reflect the overall attitude of the client’s top management, directors, and owners of an entity about internal control and its importance.

1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
1. Integrity and Ethical Values
• Management actions to remove incentives that prompt a person to behave improperly.
• Communication of behavioral standards by codes of conduct and example.
2. Commitment to Competence
Management’s consideration of the competence levels for specific jobs and how those translate into requisite skills and knowledge.
3. BoD and Audit Committee
• Board delegates responsibility for internal control to management and is charged with regular independent assessments of management-established internal control.
• The major stock exchanges require listed companies to have an audit committee composed of entirely independent directors who are financially literate.
4. Management’s Philosophy and Operating Style
Management, through its activities, provides clear signals to employees about the importance of internal control. For example, are sales and earnings targets unrealistic, and are employees encouraged to take aggressive actions to meet those targets?
5. Organizational Structure
Understanding the client’s organizational structure provides the auditor with an understanding of how the client’s business functions and implements controls.
6. Assignment of Authority and Responsibility
Formal methods of communication including:
• Top management memoranda concerning internal control
• Organizational operating plans
• Employee job descriptions
7. Human Resource Policies and Practices
• If employees are honest and trustworthy, other controls can be absent and reliable financial statements will still result.
• Methods by which persons are hired, trained, promoted, and compensated are important elements of internal control.
B. Risk Assessment
Client management’s identification and analysis of risks relevant to the preparation of the financial statements in accordance with GAAP.

1. Client Management’s Risk Assessment
2. Auditor Risk Assessment
1. Client Management’s Risk Assessment
Client management assesses risk as part of designing and operating internal controls to minimize errors and fraud. This involves three steps:
i. Identify factors that may increase risk
ii. Determine significance of risk and likelihood of occurrence
iii. Develop specific actions to reduce risk to an acceptable level.
2. Auditor Risk Assessment
The auditor obtains knowledge about management’s risk assessment process by:
• Determining how management identifies risks relevant to financial reporting
• Evaluating their significance and likelihood of occurrence
• Deciding the actions needed to address the risks.
C. Control Activities
Policies and procedures that client management has established to meet its objectives for financial reporting.

1. Adequate segregation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
1. Adequate Segregation of Duties
• Separation of the functions of authorization, recordkeeping, and custody.
• Separating IT duties from User Departments
2. Proper Authorization of Transactions and Activities
• General authorization is permissible for routine events for which there are policies to follow.
• For some transactions specific authorization is needed on a case-by-case basis.
3. Adequate Documents and Records
• Pre-numbered consecutive documents so missing items are noticed
• Prepared as near to transaction time as possible
4. Physical Control Over Assets and Records
• Deterrents to prevent physical access.
• Access controls to prevent getting into computer system.
• Backup and recovery procedures
5. Independent Checks on Performance
Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance.
D. Information and Communication
Methods used to initiate, record, process, and report an entity’s transactions and to maintain accountability for related assets.

• For a small company with active involvement by the owner, a simple computerized accounting system that involves one honest, competent accountant may provide an adequate accounting system.
• A larger company requires a more complex system that includes carefully defined responsibilities and written procedures.
E. Monitoring
Client management’s ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and are modified when needed.
• For many companies, especially larger ones, an internal audit department is essential for effective monitoring.
• To maintain internal audit independence, it is imperative that internal auditors be independent of operating and accounting departments and that they report to a high level of authority, preferably the audit committee of the board of directors.
Limitations of Internal Control

• Human error
• Collusion
• Management override
• Cost/benefit analysis
– There is often a trade-off between the cost and the effectiveness of internal controls.
– The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.

[Illustration: Collusion. "Code the missing cash to bad debts."]
III. Process for Understanding Internal Control and Assessing Control Risk
A. Phase 1: Obtain and Document Understanding of Internal Control: Design and Operation
B. Phase 2: Assess Control Risk
C. Phase 3: Design, Perform, and Evaluate Tests of Controls
D. Phase 4: Decide Planned Detection Risk and Substantive Tests
A. Phase 1: Obtain and Document Understanding of Internal Control
• Three methods commonly used by auditors to obtain and document their understanding of the design of internal control are narratives, flowcharts, and internal control questionnaires.
• The auditor must also evaluate whether the designed controls are actually placed in operation.
• Standards require the auditor to perform at least one walkthrough for each major class of transactions. In a walkthrough, the auditor selects one or a few documents for the initiation of a transaction type and traces them through the entire accounting process.
B. Phase 2: Assess Control Risk
Two specific assessments must be made to arrive at the preliminary assessment:
• The first assessment is whether the entity is auditable. This is determined by considering the integrity of management and the adequacy of the accounting records.
• Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.
C. Phase 3: Design, Perform, and Evaluate Tests of Controls
• If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment. Otherwise, assessed control risk must be reconsidered.
• If the auditor wants a lower assessed control risk, more extensive tests of controls are applied.
• Standards require the auditor to determine whether controls are operating effectively at year end. The auditor may test at an interim date and later determine if changes have occurred.
D. Phase 4: Decide Planned Detection Risk and Substantive Tests
• The greater the control risk (weak internal controls) the lower the detection risk the auditor can accept.
• To lower detection risk, the auditor performs more substantive testing.
IV. Communications with the Audit Committee and Management
As part of understanding internal control and assessing control risk, the auditor is required to communicate certain matters to the audit committee:
• Significant deficiencies and material weaknesses must be communicated in writing to the audit committee as a part of every audit. Timely communication may help management in correcting the problem before their year-end report on internal control.
• Less significant internal-control matters and recommendations for operational improvements may be communicated through a management letter. Although such letters are not required by auditing standards, they are often provided as a value-added service of the audit.
