What is the main goal of evaluating internal control in auditing?
To determine whether a client’s internal control system is properly designed and operating effectively so auditors can rely on it to prevent or detect material misstatements.
Why are internal controls important?
They ensure reliable financial reporting.
Promote operational efficiency and effectiveness.
Help ensure compliance with laws and regulations.
What triggered increased attention to internal controls by regulators?
The SEC’s enforcement actions against companies with unaddressed material weaknesses (e.g., Lifeway Foods, Digital Turbine, CytoDyn, Grupo Simec).
What law emphasizes management and auditor responsibility for internal controls?
The Sarbanes–Oxley Act of 2002 (SOX), specifically Section 404, which requires management to assess internal controls and auditors to evaluate their effectiveness.
Why does the SEC consider internal control so important?
Because weak controls can lead to financial reporting failures and investor harm. Properly functioning controls help ensure reliable, transparent reporting.
What does “internal control” mean according to COSO?
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:
1⃣ Reliability of financial reporting
2⃣ Effectiveness and efficiency of operations
3⃣ Compliance with applicable laws and regulations
What is the key word in the definition of internal control?
“Process” — internal control is continuous, dynamic, and embedded in daily operations.
Who developed the COSO Framework?
The Committee of Sponsoring Organizations (COSO), made up of:
The Financial Executives Institute
The American Accounting Association
The Institute of Internal Auditors
The Institute of Management Accountants
The American Institute of CPAs (AICPA)
Why is COSO important to auditors?
It provides the benchmark used by auditors worldwide to evaluate internal control effectiveness.
What are the three management objectives of internal control per COSO?
1⃣ Financial Reporting Objective — Ensures accuracy and reliability of financial data.
2⃣ Operations Objective — Promotes efficiency and proper asset use.
3⃣ Compliance Objective — Ensures adherence to laws and regulations.
Which of these three objectives is most important to external auditors?
The Financial Reporting Objective, since it directly affects the reliability of audited financial statements.
Does internal control guarantee prevention of all errors and fraud?
No. It provides reasonable assurance, not absolute assurance.
Why can’t internal control provide absolute assurance?
Because humans are involved — mistakes, judgment errors, or intentional override can still occur.
What are common limitations of internal control systems?
Human error (carelessness, fatigue, or poor judgment).
Management override (executives bypass controls using authority).
Collusion (two or more employees working together to override controls).
Cost–benefit constraints (too expensive to implement perfect controls).
What is meant by “reasonable assurance”?
Controls should be effective enough to reduce risk to an acceptable level, but not so costly that the cost exceeds the benefit.
Why is cost–benefit important in internal control design?
Because implementing perfect control systems may be too expensive or inefficient — management must balance risk reduction with practicality.
Why is internal control described as a process?
It’s ongoing — helping management achieve objectives daily, not a one-time procedure.
Why do auditors care about management’s internal control system?
Because it helps determine how much substantive testing the auditor must perform — strong controls reduce audit effort; weak controls increase it.
What is COSO and its purpose?
A joint committee that created the framework for assessing internal control effectiveness.
What are the three management objectives of internal control?
Financial reporting, operations, and compliance (financial reporting is most important to auditors).
What is “reasonable assurance,” and what are key limitations of internal control?
Assurance that controls reduce risk to acceptable levels, limited by human error, override, collusion, and cost constraints.
Who is responsible for establishing and maintaining a company’s internal control system?
Management — they must design, implement, and monitor the system to ensure accurate financial reporting and safeguarding of assets.
What specific tasks fall under management’s internal control responsibilities?
Assessing risks that could impact financial reporting.
Establishing and documenting control policies and procedures.
Ensuring transactions are properly authorized and accurately recorded.
Protecting assets (including physical and digital).
Maintaining an effective control environment (ethical tone, supervision, and accountability).
Preparing documentation showing the system is designed and operating effectively.
Why is management documentation important?
It provides evidence that controls were considered and decisions properly made, and it enables auditors to evaluate whether internal controls can be relied upon.
What are auditors required to do regarding internal controls?
Gain an understanding of the client’s internal control system.
Document that understanding.
Assess control risk as part of evaluating the risk of material misstatement (RMM).
What is control risk?
The probability that a client’s controls will fail to prevent or detect material misstatements due to errors or fraud.
What are the two components of RMM (Risk of Material Misstatement)?
Inherent Risk – likelihood of misstatement before considering controls.
Control Risk – likelihood that misstatements won’t be prevented or detected by controls.
How do auditors express control risk assessments?
Using qualitative terms like high, moderate, or low, based on their professional judgment and evidence.
What does a high control risk mean for the auditor’s work?
Auditors cannot rely on controls.
Must perform more substantive tests (e.g., detailed transaction testing).
Conduct testing at year-end.
Use larger sample sizes.
What does a low control risk mean for the auditor’s work?
Auditors can rely on controls.
Perform less extensive tests.
May test at interim periods.
Use smaller sample sizes.
What does Exhibit 5.1 (“Relationship between Internal Control Reliance and Audit Procedures”) summarize?
It shows how control risk impacts the nature, timing, and extent of audit testing.
| | Less Reliance on Internal Control (High Control Risk) | More Reliance on Internal Control (Low Control Risk) |
|---|---|---|
| Nature | More effective, detailed tests | Fewer, less detailed tests (more analytical) |
| Timing | Testing at year-end | Testing can be done at interim |
| Extent | Larger sample sizes | Smaller sample sizes |
What happens if auditors assess control risk as high?
They will rely primarily on substantive testing, not on internal controls.
What happens if auditors assess control risk as low?
They will rely more on the client’s controls and perform less substantive testing.
What’s the purpose of assessing control risk early in the audit?
It helps auditors plan audit procedures efficiently and determine how much testing is required.
What is the overall relationship between control risk and detection risk?
They are inversely related — when control risk is high, auditors must lower detection risk by doing more testing.
What additional evaluation must auditors perform when assessing control risk?
They must consider whether control activities address identified fraud risks (e.g., revenue recognition, journal entries).
Why focus on journal entries and adjustments?
Many major frauds (e.g., WorldCom, Waste Management, Dell) involved manipulated journal entries made near year-end.
What are management’s vs. auditors’ responsibilities?
Management designs and maintains controls;
Auditors evaluate and assess their effectiveness.
Define control risk and explain its role.
Risk that client controls fail to detect/prevent misstatement; helps plan audit procedures.
What’s the purpose of evaluating a client’s internal control?
To determine whether controls can be relied upon to reduce substantive testing.
How does control risk affect the nature, timing, and extent of testing?
High control risk = more testing;
Low control risk = less testing, smaller samples, interim timing.
What is the definition of internal control under COSO?
Internal control is a management process designed to achieve:
1⃣ Effectiveness and efficiency of operations,
2⃣ Reliable financial reporting, and
3⃣ Compliance with laws and regulations.
What are the five basic components of internal control?
1⃣ Control Environment
2⃣ Risk Assessment
3⃣ Control Activities
4⃣ Information and Communication
5⃣ Monitoring
What is the control environment?
The foundation for all other components of internal control. It sets the tone at the top and influences the control consciousness of employees throughout the organization.
What are key elements of the control environment?
Integrity and ethical values – Management’s commitment to honesty and fairness.
Board of directors’ oversight – Understanding responsibilities and independence.
Management’s philosophy and operating style – Attitude toward risk, controls, and reporting accuracy.
Organizational structure – Clear authority lines and responsibilities.
Financial reporting competencies – Qualified, trained financial staff.
Authority and responsibility – Proper delegation and accountability.
Human resources – Effective hiring, training, and evaluation practices.
Why is the control environment critical?
Because it has a “pervasive effect” on the reliability of financial reporting — a weak tone at the top undermines all other controls.
What happened in the Hertz case?
Hertz overstated income by $235 million (2012–2014) due to pressure from management to meet unrealistic financial targets.
What caused the failure?
A poor control environment — the CEO fostered a “pressure-cooker” culture, overriding accounting policies to manipulate results.
What’s the key lesson?
Ethical tone and accountability from top management are essential to prevent control failures and financial fraud.
What is the role of an audit committee in internal control?
A subcommittee of the board that oversees the audit process and helps maintain auditor independence.
What are key duties of the audit committee?
Appointing, compensating, and overseeing auditors.
Resolving disputes between management and auditors.
Overseeing internal audit.
Ensuring non-audit services don’t impair independence.
Providing a confidential way for employees to report wrongdoing.
Who must serve on the audit committee?
Members must be financially literate,
At least one must be a financial expert,
All must be independent of company management.
What does “risk assessment” mean in internal control?
The process management uses to identify and analyze business risks that could prevent the organization from achieving objectives.
What framework do companies often use for risk assessment?
Enterprise Risk Management (ERM) — a COSO framework used to identify, manage, and monitor business risks.
What are examples of risks management might assess?
Changes in regulations or technology.
Cybersecurity threats.
Fraud risks.
Financial reporting risks (errors or misstatements).
What is the auditor’s role in risk assessment?
To understand management’s process and determine whether it effectively identifies risks of material misstatement.
What are control activities?
The policies and procedures designed to ensure management directives are carried out to prevent or detect misstatements.
What types of control activities exist?
Manual controls (performed by people).
Automated controls (performed by systems).
Preventive controls (stop errors before they occur).
Detective controls (identify errors after they occur).
Exhibit 5.3 — Revenue Account Example
| Relevant Assertion | What Could Go Wrong? | Control Activity |
|---|---|---|
| Occurrence | Sales recorded before goods shipped | Match invoices to shipping documents before recording |
| Valuation | Sales to customers unable to pay | Perform credit checks for new customers |
| Completeness | Goods shipped but revenue not recorded | Match shipping documents to sales invoices |
What are IT control activities?
Controls that ensure accuracy and completeness of data processed in computerized systems.
What are examples of system-generated reports and related controls (Exhibit 5.4)?
| Report | Control Activity |
|---|---|
| Accounts Receivable Aging Report | Reviewed monthly by CFO to evaluate collectability. |
| Three-Way Match Exception Report | Matches vendor invoice, purchase order, and receiving report to detect discrepancies. |
| New-Hires Report | Reviewed quarterly by payroll manager to ensure all new employees are included. |
What happened in this case?
Nine companies lost almost $100 million to cybercriminals who sent fake vendor emails to executives, tricking them into wiring money.
What internal control weakness caused the loss?
Poor cybersecurity and email verification controls (failure to confirm vendor identity).
What’s the lesson for auditors?
Weak IT controls — especially over authorization and verification — can lead to major financial losses.
What are physical security controls?
Measures to prevent unauthorized access to assets or records (e.g., locked inventory rooms, passwords, surveillance). They protect both physical and digital assets from theft, misuse, or alteration.
What is separation of duties?
Dividing responsibilities so no single person can control all aspects of a transaction (reduces opportunity for fraud).
What are the four key functions that should be separated (Exhibit 5.5)?
1⃣ Authorization – Approving transactions.
2⃣ Recording – Entering transactions in the books.
3⃣ Custody – Holding the physical or digital assets.
4⃣ Reconciliation – Comparing records to detect discrepancies.
Why is segregation of duties important in computerized systems?
To prevent one person from both entering and approving transactions, often done via access controls and passwords.
What is a manual control?
A control performed by humans (e.g., supervisor review, signature approvals).
What is an automated control?
A control fully executed by computer systems without manual intervention.
How can technology strengthen or weaken controls?
Automation increases consistency and efficiency but can amplify risks if poorly designed or monitored.
What does the information and communication component involve?
Ensuring that data and information systems provide timely, reliable, and relevant information to management and employees.
What is meant by the “audit trail”?
A visible path that links source documents to final reports, allowing auditors to trace transactions forward (completeness) and backward (occurrence).
What does Exhibit 5.6 illustrate?
The occurrence and completeness direction of a sales transaction flow:
Sales Order → Sales Authorization → Shipping Documents → Sales Invoice → Financial Statements
Why is this component critical?
Without accurate and transparent communication systems, even strong control activities may fail to prevent or detect misstatements.
What are the five COSO components?
Control environment, risk assessment, control activities, information & communication, monitoring.
What is the control environment?
Tone at the top; foundation of internal control.
What is an audit committee and its purpose?
Oversees the audit process; ensures independence and accountability.
What is risk assessment in internal control?
Management’s process to identify and mitigate business risks.
What are control activities?
Policies and procedures ensuring management’s directives are followed.
Difference between preventive and detective controls?
Preventive = stop errors; Detective = find errors afterward.
What is a management review control?
Ongoing supervision/review to ensure policies are followed.
What is a system-generated report?
Automated reports supporting internal control (e.g., AR aging).
What is a physical security control?
Protects physical/digital assets from unauthorized access.
Why separate duties among different departments?
Prevent fraud or concealment of misstatements.
What is the objective of evaluating internal control?
To determine the extent to which auditors can rely on the client’s internal controls to reduce substantive testing and to assess control risk as part of the overall risk of material misstatement (RMM).
What are the three phases of the internal control evaluation process?
1⃣ Understand and document the client’s internal control system.
2⃣ Assess control risk for each relevant assertion.
3⃣ Identify controls to test and perform tests of controls.
Phase 1: Understand and Document the Client’s Internal Control
What is the purpose of this first phase?
To gain an understanding of how the client’s internal controls are designed and implemented, and to identify areas where material misstatements could occur.
What are relevant assertions in this process?
Assertions that have a reasonable possibility of material misstatement, such as existence, completeness, valuation, and presentation.
What are entity-level controls?
Controls that are pervasive across the organization and relate to the overall financial statement reliability (e.g., management integrity, board oversight, risk assessment).
What are transaction-level controls?
Controls that relate to specific accounts or classes of transactions (e.g., payroll, cash disbursements, sales).
Exhibit 5.8 — Examples of Entity-Level Controls
| Type | Assessment Focus |
|---|---|
| Controls related to control environment | Integrity, ethics, management’s attitude toward controls. |
| Controls related to management override | Whether management enforces segregation of duties and limits override authority. |
| Centralized processing and shared service centers | Whether systems ensure consistent control application. |
| Controls monitoring results of operations | Whether management reviews results for unusual trends. |
| Period-end financial reporting process | Whether financial close procedures are formalized and reviewed. |
| Policies affecting significant business control areas | Whether documentation and updates are reviewed and approved. |
What is a walkthrough?
Tracing one transaction through the entire accounting system — from initiation to inclusion in the financial statements — to observe how controls are applied.
What does a walkthrough help auditors evaluate?
Design effectiveness — whether controls are properly designed to prevent/detect misstatements.
Operating effectiveness — whether controls are functioning as designed and performed by qualified personnel.
What three main tools do auditors use to document their understanding of internal controls?
1⃣ Narrative memo
2⃣ Flowchart
3⃣ Internal control questionnaire
What is a narrative memo?
A written description of control processes, personnel responsibilities, and transaction flows.
What are its pros and cons?
✅ Useful for small, less complex entities.
❌ Time-consuming for large clients with complex processes.
What is a flowchart used for in auditing?
To graphically show how transactions are initiated, authorized, recorded, and reported, and where controls exist.
Why are flowcharts useful?
Easy to visualize segregation of duties.
Highlight points where misstatements could occur.
Simplify communication among audit team members.
What is an internal control questionnaire (ICQ)?
A checklist of yes/no questions about control procedures in specific areas (e.g., payroll, cash, inventory).