auditing
what is the second step of the audit process
Obtain an understanding of the client and its environment, including internal control.
control
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established goals and objectives will be achieved.
control process
The policies, procedures, and activities designed and operated to manage risks to be within the level of an organization’s risk tolerance.
preventative control
are aimed at avoiding the occurrence of misstatements in the financial statements
detective controls
are designed to discover misstatements after they have occurred
corrective control
When detective controls discover a misstatement, these types are ordinarily needed to remedy the situation.
directive control
are instructions that establish desired outcomes and guide how to perform tasks. They are broad in nature and can include policies, procedures, and guidelines
complementary controls
function together with each other to achieve the same control objective.
redundant controls
are duplicate controls that address the same control objective.
compensating controls
reduce the risk that an existing or potential control weakness will result in a misstatement
entity-level controls
Apply to the entire organization and are designed to ensure that organizational objectives are achieved and to mitigate entity-wide risks.
process-level controls
are designed to achieve process objectives and address process risks.
transaction level controls
are designed to achieve transaction objectives and address risks specific to transactions
active/manual controls
People-based controls dependent on the intervention of humans for their proper operation. More suitable for large, unusual, or nonrecurring transactions.
passive/automated controls
System-based controls executed whenever needed with no human intervention. More suitable for high-volume transactions that require additional calculations, circumstances that require a high degree of accuracy, and/or situations with routine errors that can be predicted and corrected.
IT controls
general + application
general control
apply to all computerized systems or applications. They include a mixture of software, hardware, and manual procedures that shape an overall control environment.
application controls
in contrast, are specific controls that differ with each computerized application.
key controls
The essential procedures that directly mitigate significant risks, prevent fraud, and are vital for ensuring accuracy and reliability. They must operate effectively to reduce a significant risk to an acceptable level.
secondary controls
Supplementary controls that assist and support the key controls. They help maintain process efficiency but are not critical for risk mitigation. They also provide additional oversight for less significant issues.
level controls
entity level
process level
transaction level
essential controls
key
secondary
function controls
preventive.
Detective.
Directive.
Corrective.
Compensating.
Complementary
Redundant
level of human interaction
active/manual
passive/automated
foreign corrupt practices act of 1977
A United States federal law that prohibits U.S. entities from bribing foreign government officials to benefit their business interests.
It requires all corporations under the jurisdiction of the SEC to maintain a system of internal control that will provide reasonable assurance
4 requirements that will provide reasonable assurance
1. Transactions are executed with the knowledge and authorization of management.
2. Transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets.
3. Access to assets is limited to authorized individuals.
4. Accounting records of assets are compared to existing assets at reasonable intervals and appropriate action taken with respect to any differences.
COSO
committee of sponsoring organizations
COSO organizations
AICPA
AAA
IMA
…
…
COSO objectives
operations
reporting
compliance
COSO broadly defines internal control as:
a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
5 components of internal control
Control environment.
Risk assessment.
Control activities.
Information & communication.
Monitoring activities.
components of internal control must be
present, functioning, operating
operations objectives
These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss
reporting objectives
These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.
compliance objectives
These pertain to adherence to laws and regulations to which the entity is subject
to conduct an internal audit, the auditor needs to understand…
how objectives, risks, and controls relate to one another
inherent risk
The combination of internal and external risk factors in their pure, uncontrolled state, or, the gross risk that exists, assuming there are no internal controls in place
residual risk
The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk)
controls
risk responses management takes to reduce the impact and/or likelihood of threats to objective achievement.
risk appetite
the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value
acceptable variation in performance
the boundaries of acceptable outcomes related to achieving a business objective (both the boundary of exceeding the target and the boundary of trailing the target); think: the tolerance
controllable risk
that portion of inherent risk that management can directly influence and reduce through day-to-day business activities.
residual risk
the portion of inherent risk that remains after mitigating all controllable risks
6 limitations of internal control
Suitability of objectives established as a precondition to internal control.
Reality that human judgment in decision-making can be faulty and subject to bias.
Breakdowns that can occur because of human failures such as simple errors.
Ability of management to override internal control.
Ability of management, other personnel, and/or third parties to circumvent controls through collusion.
External events beyond the organization’s control.