8/2/2019 Topic 5 Internal Control
1/49
www.theiia.org
Internal Control
Week 3 (1)
Common definition
Internal control comprises the plan of organisation and all of the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.
Definition of Internal control
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) defines internal control as:
a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Compliance with laws and regulations
Efficiency and effectiveness of operations
Reliability of financial reporting
Internal Control Objectives
INTERNAL CONTROLS
Management's Perspective;
Auditor's Perspective.
Introduction
INTERNAL CONTROLS
For management to consider in implementing good control:
Determine the need for control;
Design suitable controls;
Implement these controls;
Check that they have been applied correctly;
Maintain & update controls;
Management Responsibilities
INTERNAL CONTROLS
Assessing those areas that are most at risk;
Defining & undertaking a program for reviewing the high profile systems that attract the most risk;
Review each of the systems by examining & evaluating the associated systems;
Advising management whether controls are operating adequately & effectively;
Recommending improvements;
Follow up audit.
Internal Audit's Role
The framework
COSO Five Components of Internal Control
Risk assessment
Control activities
Information and communication
Monitoring
Control environment
The foundation for all internal control
Influencing the control consciousness in organisation
Control environment factors:
Integrity, ethical values, competence of organisation's people
Management's philosophy and operating style
The way management assigns authority and responsibility, organises and develops its people
Attention and direction provided by BOD
Risk Assessment
Assessment of internal and external risks in achieving organisation's objectives
Economic, industry, regulatory and operating conditions will continually change
Identify and address the specific risk associated with change
Control activities
All policies and procedures to ensure management directives are carried out
Ensure necessary actions to address risks
Occur at all levels and functions
E.g.: approvals, authorisations, verifications, reconciliations, security of assets and segregation of duties
Information and communication
Information must be identified, captured and communicated
Includes operational, financial and compliance-related information
Flowing down, across and up
To be communicated well so people understand their roles in the internal control system
Should effectively communicate to external parties such as customers, suppliers, regulators and shareholders
Monitoring
Assess the quality of system performance
Achieved via ongoing monitoring activities and independent evaluations
Internal control deficiencies should be communicated to top management
INTERNAL CONTROLS
Integrity & ethical values;
A commitment to competence;
Participation of the board of directors & audit committee;
Management's philosophy & operating style;
Organisational structure;
Assignment of authority & responsibility;
Human Resource policies & practices.
Factors Affecting Control Environment
INTERNAL CONTROL
Changes in Operating Environment;
New Personnel;
New or revamped information system;
Rapid growth;
New technology;
New lines, products or activities;
Corporate restructuring;
Foreign operations; &
Accounting pronouncements.
Factors Affecting Client Business Risks
INTERNAL CONTROL
Identify & record all valid transactions;
Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting;
Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements;
Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period;
Properly present the transactions & related disclosures in the financial statements.
Information & Communication Systems
INTERNAL CONTROLS
Performance Review;
Information processing;
Physical Controls;
Segregation of Duties.
Control Procedures
INTERNAL CONTROLS
Management override of Internal Control;
Personnel Errors & Mistakes;
Collusion.
Limitation of Internal Control
INTERNAL CONTROLS
Overview;
Substantive strategy;
Reliance Strategy;
Implementation.
Planning an Audit Strategy
INTERNAL CONTROLS
Validity;
Completeness;
Timeliness;
Authorisation;
Valuation;
Classification;
Posting & Summarisation.
Internal Control Objectives
INTERNAL CONTROLS
Procedures Manuals & Organisation Charts;
Narrative descriptions;
Internal control questionnaires;
Flowcharts.
Documenting the Understanding Of Internal Control
INTERNAL CONTROLS
Audit procedures directed at testing the operating effectiveness of controls in preventing, or detecting & correcting, material misstatements at the assertion level are referred to as tests of controls.
Test of Controls
INTERNAL CONTROLS
Procedures:
Inquiry of appropriate client personnel;
Inspection of documents, reports, & electronic media indicating the performance of the policy or procedure;
Observation of the application of the policies & procedures;
Reperformance of the application of the policy or procedure by the auditor.
Test of Controls
INTERNAL CONTROL
Assessing control risk involves evaluating the effectiveness of an entity's internal controls in preventing or detecting material misstatements in the financial statements.
Assessing & Documenting The Level of Control Risk
INTERNAL CONTROLS
Last step of decision process;
Directly to detection risk;
Substantive Procedures
INTERNAL CONTROLS
Interim test of controls;
Interim substantive procedures.
Timing of audit procedures
INTERNAL CONTROLS
Authorisation;
Physical access restriction;
Supervision;
Compliance checks;
Procedures manuals;
Recruitment & staff development practices;
Segregation of duties;
Organisation structure;
Sequential numbering of documents;
Reconciliations;
Project & procurement management;
Financial systems control;
IT security;
Performance management.
Control Mechanism
Obtain and document an understanding of internal control.
Four Phases of a Financial Statement Audit
Phase 1: Obtain an understanding of internal control: design and operation.
Phase 2: Assess control risk.
Phase 3: Design, perform, and evaluate tests of controls.
Phase 4: Decide planned detection risk and substantive tests.
Obtain and Document Understanding of Internal Control
SAS 55 and PCAOB Standard 2 both require the auditor to obtain an understanding of internal control for every audit.
Procedures to obtain an understanding:
Design of internal controls
Whether placed in operation
Uses this information as a basis for the integrated audit.
Methods Used
Narrative
Flowchart
Internal control questionnaire
Narrative
1. The origin of every document and record in the system
2. All processing that takes place
3. The disposition of every document and record in the system
4. An indication of the controls relevant to the assessment of control risk
Evaluating Internal Control Operation
Update and evaluate auditor's previous experience with the entity.
Make inquiries of auditee personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.
Assess control risk by linking key controls, significant deficiencies, and material weaknesses to transaction-related audit objectives.
Assess Control Risk
Assess whether the financial statements are auditable.
Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.
Use of a control risk matrix to assess control risk
Control Risk Matrix
Auditors use the control risk matrix to identify both controls and weaknesses and to assess control risk.
Control Risk Matrix
Identify transaction-related audit objectives.
Identify existing controls.
Associate controls with transaction-related audit objectives.
Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses
Evaluating Significant Control Deficiencies
[Figure: matrix with axes LIKELIHOOD (Probable, Remote) and SIGNIFICANCE (Material, Immaterial); one region labelled Material Weakness]
Communicate Internal Control Deficiencies and Related Matters
Management letters
Audit committee communications
Describe the process of designing
and performing tests of controls.
Tests of Controls
The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
Procedures for Tests of Controls
1. Make inquiries of client personnel.
2. Examine documents, records, and reports.
3. Observe control-related activities.
4. Reperform client procedures.
Extent of Procedures
Reliance on evidence from prior year's audit
Testing less than the entire audit period
Understand Section 404 requirements for auditor reporting on internal control.
Section 404 Reporting on Internal Control
1. The auditor's opinion on whether management's assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects.
Section 404 Reporting on Internal Control
2. The auditor's opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.
Types of Opinions
Unqualified
Adverse
Qualified or disclaimer of opinion