Lesson 3: Internal Control System

35 Terms

1. Internal Control Objectives

  1. Strategic, high-level goals that support the mission of the entity

  2. Reliability of financial reporting

  3. Efficiency and effectiveness of operations

  4. Compliance with laws and regulations

2. Management Responsibilities for Internal Control

Responsible for the design and implementation of an effective system of internal control over financial reporting. Constrained by the cost of implementing good control procedures. A system of internal control is created based on the assumption of employees’ good faith; that is, employees are assumed to perform their duties honestly and to the best of their abilities. Canadian public companies listed on US stock exchanges or Canadian subsidiaries of such companies must comply with US regulations. These companies are required to issue an internal control report stating that management is responsible for establishing and maintaining adequate internal controls and procedures. The report also contains an assessment of the internal controls for the fiscal year. In Canada, management is required to report on the effectiveness of internal controls.

3. Auditor Responsibilities for Internal Control

Required to obtain a sufficient understanding of the internal controls to plan the audit. The auditor is concerned with maintaining reliable systems because this is the area that has a direct impact on financial statements. The auditor relies on internal controls to help establish whether the financial statements are fairly stated. However, for smaller clients, the auditor’s understanding of internal controls may be limited to determining whether the client is auditable, assessing management attitude, and examining the controls associated with the accounting system. The components of the internal control system relevant to the auditor are those that affect the assessment of control risk, that is, the policies and procedures that pertain to the organization’s ability to process reliable financial information. The auditor also has the responsibility for evaluating factors that help to determine if there is an increased likelihood of management fraud. If auditors encounter conditions that cause them to suspect fraud, they must increase their testing in these areas to determine if fraud has actually occurred.

4. Internal Control Components

  1. Control Environment

  2. Risk Assessment

  3. Monitoring

  4. Information and communication

  5. Control Activities

5. Control Environment

Comprises policies, actions, and procedures that reflect the overall attitudes of the owners, board of directors, and senior management. CAS 315 of the CPA Canada Handbook – Assurance lists the following five elements (COSO principles) that enhance or diminish internal control:

  • How management’s responsibilities are carried out

  • When those charged with governance are separate from management, how those charged with governance demonstrate independence from management and exercise oversight of the entity’s system of internal control

  • How the entity assigns authority and responsibility in pursuit of its objectives

  • How the entity attracts, develops, and retains competent individuals in alignment with its objectives

  • How the entity holds individuals accountable for their responsibilities in pursuit of the objectives of the entity’s system of internal control

6. Risk Assessment

Management must be aware of risks that exist at all levels of the organization. Management is responsible for the identification and analysis of risk to achieve the entity’s objectives and must come up with a plan of action that will reduce these risks to an acceptable level. There are four underlying principles related to the risk assessment:

  1. Specifies relevant objectives with sufficient clarity to enable identification of risks

  2. Identifies and assesses risks

  3. Considers the potential for fraud in assessing risk

  4. Identifies and assesses significant changes that could affect internal control

7. Monitoring

Control systems must be monitored on an ongoing basis to ensure they are working and meeting their objectives, following these two principles:

  1. Selects, develops, and performs ongoing and separate evaluations

  2. Evaluates and communicates deficiencies

8. Information and Communication

A company’s information and communication systems are what allow the company to maintain the accounting records. These systems will ensure that the company’s historical data is reflected in the accounting records.

To understand the design of these systems, the auditor must explore the following three principles:

  1. How the entity obtains or generates relevant, quality information

  2. What the internal communication process is

  3. What the external communication process is

9. Control Activities

Control activities are policies and procedures that help ensure the necessary actions are taken to address risks to the achievement of the entity’s objectives. Typical control activities are performed within business processes and over the technology environment, so they may be manual or automated in nature.

There are three principles relating to control activities:

  1. Selects and develops control activities

  2. Selects and develops general controls over technology

  3. Deploys policies and procedures

10. Selects and Develops Control Activities

  • Authorization and approval

  • Documents and records

  • Physical or logical controls

  • Segregation of Duties

11. Selects and Develops General Controls Over Technology

Organizations often implement specific IT controls to address risks associated with reliance on technology. In this textbook, “general controls over technology” refers to the general controls and application controls over information technology systems.

12. Deploys Policies and Procedures

Management deploys control activities through policies that establish what is expected and procedures that put those policies into action. The design of control activities should combine preventive and detective controls.

13. Preventive Controls

Prevent the occurrence of errors and fraud. Examples include the use of preprinted forms, computer edit checks of a customer’s credit limit, hiring competent and adequately educated employees, and implementing appropriate physical safeguards over inventories.

14. Detective Controls

Detect errors and fraud as they occur. Examples include computer edit checks on data entry, supervisory review of completed work, having a second cheque signatory, and periodic inventory counts. Some controls can be both preventive and detective.

15. General Control

Often apply to all software applications. Effective ____________ will reduce the following four major risks in the information technology environment:

  1. Unauthorized change to application software

  2. System crash

  3. Unauthorized master file update

  4. Unauthorized processing

16. General Controls Categories

  1. IT Governance

  2. Separation of IT Duties

  3. System development and changes

  4. Physical and online security

  5. Backup and contingency planning

  6. Hardware controls

17. IT Governance

Represents control activities over the IT control environment. They may include:

  • Establish an IT governance strategy subcommittee to provide oversight of IT risk management and control activities

  • Establish clear reporting lines and appropriate authorities and responsibilities for Chief Information Officer (CIO) (e.g., CIO reports to the board of directors)

  • Review IT strategies regularly to ensure that IT resources (employees, applications, hardware) are allocated to support the overall organizational objectives.

18. Separation of IT Duties

A good system of internal control will attempt to segregate the following six functions:

  1. Recording transactions.

  2. Authorizing transactions.

  3. Access to assets.

  4. Computer operations.

  5. Reconciliation.

  6. Systems development.

Within a company's computer operations, the following functions should be segregated to reduce the possibility of creating a "super-user":

  • systems analysis (designing the system)

  • programming (writing programs)

  • computer operations (operating programs)

  • librarian (maintaining security over software)

  • data control group (monitoring completeness of data)

The extent of separation of duties depends on the size of the organization. In small companies, it is not feasible or economical to segregate the duties as listed. Hence, audit evidence requires modification.

19. Recording Transactions

Record keeping should be maintained as a separate responsibility in the accounting department to ensure unbiased information.

20. Authorizing Transactions

Personnel who handle assets should not have authorizing privileges.

21. Access to Assets

Employees who have access to assets should not have access to the accounting records for those assets.

22. Computer Operations

Personnel in operations should not have the authority or ability to make changes to programs.

23. Reconciliation

The work completed by others should be verified independently.

24. Systems Development

Acquisition and maintenance activities should be monitored to ensure that only authorized programs and systems are implemented.

25. System Development and Changes

An organization needs to follow a natural system (software) development lifecycle in order to convert management needs into an IT system or application and to maintain that system. Management needs to organize and manage resources so that the system development process is completed within the defined scope, quality, time, and cost constraints. Some example controls for a simple system development lifecycle are given below.

  • Development Phase

  • Testing Phase

  • Production Phase

26. Development Phase

  • Both IT and non-IT personnel must be involved in the development team to identify and analyze the key users' business requirements and determine whether to build the software in-house or to buy an external package.

  • The system development process must be monitored and measured regularly to identify variances from the plan (including the budget) so that corrective action can be taken when necessary.

27. Testing Phase

Pilot or parallel testing must be carried out by quality assurance staff and users to demonstrate that the developed system conforms to the business requirements as intended.

28. Production Phase

A change management process should be in place to schedule, coordinate, and implement the new software (e.g., manage communication to obtain buy-in from all stakeholders, resolve the problems identified in the testing phase, and provide adequate training and support to gain the acceptance of the end users).

29. Physical and Online Security

Some security controls were introduced above under physical and logical controls. In addition, larger organizations often have backup and disaster recovery plans (DRPs), such as on-site generators, off-site storage or cloud services, and a regular backup schedule for financial data, to ensure continuous operations in the event of failure of part or all of their information systems (e.g., power failure, fire, or water damage).

30. Backup and Contingency Planning

A written backup and disaster recovery plan (DRP) should be prepared to address the risk mitigation strategies for serious disasters such as power failure, fire, excessive heat or humidity, water damage, or even sabotage.

31. Hardware Controls

Hardware controls are built into computer equipment by manufacturers to detect and report equipment failure (e.g., error messages for memory failure or hard drive failure on the monitor).

32. Application Controls

  1. Input Controls

  2. Processing Controls

  3. Output Controls

33. Input Controls

Designed to ensure that the data entered into an application is authorized, accurate and complete.

Examples include:

  • Input screens with preformatted prompts

  • Pull-down menu lists of available software options

  • Data validation checks (e.g., exception reporting, such as an error report listing vendor numbers that do not match the vendor master file)

  • Data edit checks to ensure valid, accurate, and complete data entry (e.g., the system may refuse to process an invoice that doesn’t have a valid customer code number)

34. Processing Controls

Programmed into software to prevent, detect, and correct processing errors and to ensure that data input into the system are accurately and completely processed. According to CAS 315, the auditor often uses system-generated reports, such as a trade receivables aging report or an inventory valuation report, as audit evidence. To ensure the accuracy and completeness of such reports, the auditor may decide to test the operating effectiveness of the controls over the preparation and maintenance of the reports, as well as the controls over inappropriate or unauthorized changes to the data in the reports. In other cases, the auditor may plan to directly test the inputs and outputs of such reports rather than the controls.

35. Output Controls

Output controls ensure that computer-generated data are valid, accurate, complete, and distributed only to authorized people. Examples include:

  • Reconcile output totals (computer-generated report) to input totals (source data)

  • Compare individual data items (a sample of transactions) to the input source information

  • Verify dates and timing of processing to identify any out-of-sequence processing

  • Distribute reports to only those authorized