System of Internal Control
Policies and procedures designed and implemented by management to mitigate risk and provide reasonable assurance that the entity’s objectives can be met
Policies
Statements of what should or should not be done within an entity to effect control
Procedures
Actions to implement policies
What are the four broad objectives of management’s design of systems of internal control?
Strategic, high-level goals that support the mission of the entity
Reliability of financial reporting
Efficiency and effectiveness of operation
Compliance with laws and regulations
Management’s Responsibility for Internal Control
must establish and maintain the entity’s internal controls.
Management’s Responsibility for Internal Control if public
Management is required to publicly report on the operating effectiveness of internal controls over financial reporting. This is done on a quarterly basis.
Effective systems of control over financial reporting
Entity-level controls, Information technology controls, Business process controls
Entity-level controls
Controls that have a pervasive effect on the achievement of the organization’s objectives for internal control (Reasonable assurance)
Information technology controls
Controls that relate to many operating systems, applications, and databases supporting the operation of information systems, and form the foundation of the information technology control environment.
Business process controls
Controls that are embedded within a specific key financial business process
Purpose of internal controls
Provide reasonable assurance (not absolute) that the financial statements are fairly stated.
Inherent Limitations of Internal Controls
Internal controls cannot be completely effective, regardless of the care followed in their design and implementation
Management override (FRAUD)
The ability of management and/or those charged with governance to manipulate accounting records and prepare misleading and/or fraudulent financial statements by overriding controls, even where the controls might otherwise appear to be operating effectively
Collusion (STEALING)
A cooperative effort among employees or management to defraud a business of cash, inventory, or other assets.
Auditors’ Responsibilities for Internal Control
Responsible for understanding, identifying, and evaluating the entity’s internal controls relevant to the audit to achieve their objective of identifying the risks of material misstatement at the financial statement and assertion level.
Obtaining this understanding of internal control applies to all audits, even when an auditor does not intend to place reliance on internal controls
Direct controls
Controls that are precise enough to address RMM at the assertion level
Indirect Controls
Controls that are not sufficiently precise to prevent, detect, or correct misstatements at the assertion level but which support direct controls and therefore have an indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis
Components of Internal Control (CRIME)
Control Activities
Risk assessment
Information and Communication
Monitoring
Control Environment
Control Environment
The foundation of effective internal control. It addresses governance and management functions as well as the attitudes, awareness, and actions of those charged with governance and management concerning internal control and its importance.
Demonstrate commitment to integrity and ethical values.
Control environment component
BoD demonstrates independence from management and exercises oversight responsibility.
Control environment component
Management, with board oversight, establishes structure, authority, and responsibility
Control environment component
The organization demonstrates a commitment to competence
Control environment components
The organization establishes and enforces accountability
Control environment components
Risk assessment
Management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with applicable financial reporting framework
Specifies relevant objectives with sufficient clarity to enable the identification of risks
Risk assessment procedures
Identifies and assesses risks
Risk assessment procedures
Considers the potential for fraud in assessing risk
Risk assessment procedures
Identifies and assesses significant changes that could impact internal control
Risk assessment procedures
Monitoring
Management’s ongoing periodic assessment of the quality of internal control performance to determine that controls are operating as intended and modified when needed.
How can monitoring be effective?
internal audit staff must be independent of both the operating and accounting departments, and report directly to a high level of authority within the organization.
Selects, develops and performs ongoing and separate evaluations
Principles for monitoring
Evaluate and communicate deficiencies
Principles for monitoring
Information and communication
Accounting information systems and communication are used to initiate, record, process and report the entity’s transactions, events and conditions and to maintain accountability for the related assets.
Includes entity’s business processes as well as the accounting system
Accounting systems controls are distinct from business processes and include controls over
Transfer of business process information to GL
Capture of relevant events/conditions that are not transaction-based (e.g., amortization, valuation)
Journal entries
Accumulation and summary of other information that needs to be disclosed in financial statements
Obtains or generates relevant, quality information
Principles for Information and Communication
Communicates internally
Principles for Information and Communication
Communicates externally
Principles for Information and Communication
Relevant and Quality Information Controls should be developed and implemented related to:
Completeness and accuracy of data
Capture of data at the necessary frequency
Provision of information when needed
Protection of sensitive data
Retention of data to comply with relevant business, audit, and regulatory needs
Internal communication
Communication within the organization includes both formal and informal communication, such as policy manuals, newsletters, job descriptions, and training.
The organization’s messaging should reinforce that internal control responsibility must be taken seriously and critical information should be disseminated quickly
External Communication
The organization should have in place processes to communicate relevant and timely information to external parties including shareholders, members, partners, owners, regulators, customers, financial analysts, and any other relevant stakeholder.
Control activities
Policies and procedures that help ensure the necessary actions to address risks in the achievement of the entity’s objectives.
Manual controls
Application controls are done by people. Effectiveness depends on competence and care given by people doing them
Automated Controls
Application controls are done by computer. Performed within the IT application, and have embedded checks on data validity, accuracy, and completeness
Selects and develops control activities
Principles for control activities
Selects and develops general controls over technology
Principles for control activities
Deploys policies and procedures
Principles for control activities
Preventive controls
Controls designed to avoid errors or irregularities
Detective controls
Controls that identify errors or irregularities after they have occurred so corrective action can be taken
Business process Controls
The set of manual and/or computerized procedures that collect, record, and process data and report the resulting output; also known as an “application system”
Typical controls of the business processes would include
Proper authorization of transactions and activities
Adequate documents and records
Physical and logical control over assets and records
Adequate segregation of duties (ARRC)
Independent checks of performance, recorded data, and actual results
Proper authorization of transactions and activities
Every transaction should be properly authorized if controls are to be satisfactory
Adequate documents and records
Paper or electronic files on which transactions are entered and summarized
Prenumbered or automatically numbered consecutively to facilitate control over missing records, and to aid in locating records when they are needed.
Designed to minimize errors
Physical and logical control over assets and records
A protective measure for safeguarding physical assets and access to electronic records
Adequate segregation of duties (ARRC)
Authorization
Reconciliation
Recording/data entry
Custody of assets
Independent checks of performance, recorded data, and actual results
Internal control tends to change over time unless there is a mechanism for frequent review
Computerized accounting systems can be designed so that many internal verification procedures can be automated as part of the system, such as the separate addition of subsidiary files for agreement to general ledger totals.