Ch. 3: Internal Controls (AUDIT)

Internal Controls (Definition 1)

Overall system of components that work together

• Process that management uses to make GAAP financial statements

Internal Controls (Definition 2)

A process effected by an entity’s BOD and management, designed to provide reasonable assurance regarding achievement of objectives relating to operations, reporting, compliance

• Objective= Operations, reporting, and compliance

COSO

Standards used to create internal controls

• 5 Components:

  • Control Environment

  • Risk Assessment

  • (Existing) Control Activities

  • Information and Communication

  • Monitoring Activities 

Control Environment 

Management must set a prosperous tone for employees to take controls seriously 

• Tone at the top 

• Management’s attitudes and actions; control awareness

Risk Assessment

Management’s identification of risk

• How well does management manage their risk?

• What things are most likely to go wrong?

1. External Risk:  Technology, customer demand

2. Internal Risk: Embezzlement, computer downtime 

Existing Control Activities

Existing policies and procedures that helps make sure objectives are achieved by placing actual controls and activities

Segregation of Duties

Authorizing, recording, and physical assets should be seperate

• Delegation of power= Equal powers

Authorization Procedures

Controls so that only authorized transactions occur

Documentation

Provide evidence of authorization and provide accountability

Reconciliation

Submitted transactions are processed, G/L amounts match subsystem records, physical count match recorded amounts

• Make sure account matches economic transactions

Information and Communication

Ways to record transactions 

• How does management make capture data and make sure all employees know data 

• Capture data and gets released 

Monitoring Activities 

Assessment of internal control performance 

• Inspecting/ checking on people

  • Examples:

    • Bank reconciliations

    • Internal audit 

Entity-Wide Controls (Entitiy-Level Controls)

Operate across entire entity; control can help at overall entity level

• Level control can operate at

• Very pervasive  as it affects processes, transactions, accounts, and assertions

  • Example: Mission statement

Transaction Control

Specific control procedure to mitigate risk related to very specific occurrences

• No entity-wide effect

• Level control can operate atCollusion

  • Very specific individual transactions

Collusion

Deliberate circumvention by 2 or more peopler

• Limitation of internal control

Scooping

Looking for financial statement impact/ “material misstatement”

• Identify significant accounts based on materiality

• Identify relevant assertions for significant accounts

Walkthrough

Tracing the processing of a transaction from its beginning to its recoding in the general ledger

• Part of understanding control process

Test of Design

Look at process/ control and see if it would work

• Inquiry: Ask people what they are doing

• Inspection: Look/ check on things 

Test of Operating Effectiveness

Look at objective and see if people are suppose to be doing what they are told

Dual Purpose Test

Test controls and assertions at same time

Corroborative Inquiry

Obtain same information from two different people

Deficiency 

Exists when design or the operation of a control does not allow management or employees to prevent, detect, or correct misstatements on a timely basis

1. Deficiency in design

2. Deficiency in operation

• Lowest severity: Base-Level

  • No need for auditor to report to anyone

Material Weakness

Deficiency, or combination of deficiencies, in internal control, that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, detected, or corrected on timely basis

• So bad that financial statements are most likely misstated 

• Highest Deficiency 

  • Controls are Ineffective

Significant Deficiency 

Deficiency/ combination of deficiencies, in internal control that is less severe than a material weakness, but important enough to merit attention by those charged with governance (Audit committee)

• Audit committee and operations knows about it 

  • Loss= IRRELEVANT…. All about what they could have loss

• World does NOT know 

  • Controls aren’t perfect, but generally effective

Compensating Control

Control that can prevent a significant deficiency to becoming material weakness deficiency

• Helps mitigate controls