internal control basics

7/30/2019 Internal Control Basics

1/19

Internal Control Basic

Concepts


2/19

2

Why do stores use cash

registers?

To safeguard assets

To insure accuracy and

reliability of accountingdata

To provide efficiency inoperations

To encourage adherenceto prescribed policies &procedures


3/19

3

Why Consider Internal

Controls?

The second standard of fieldwork:

A sufficient understanding of the internal

control structure is to be obtained to plan theaudit and to determine the nature, timing ,and extent of tests to be performed.

To ensure that the companys objectivesare being met.


4/19

4

Internal Control Basics

The Auditing Standards Board (ASB) hasdefined the internal control structure as

the policies and procedures establishedto provide reasonable assurance thatspecific entity objectives will be achieved.

SAS No. 55 and No. 78 relate to theinternal control structure.


5/19

5


Recently, the Information Systems Auditand Control Foundation (ISACF)

developed the Control Objectives forInformation and related Technology(COBIT)

Business aspects

IT resources

IT processes


6/19

6


The Committee of Sponsoring Organizations (COSO)defines internal control as the process implementedby the board of directors, management, and those

under their direction to provide reasonableassurance that control objectives are achieved withregard to the following:

1. Effectiveness and efficiency of operations

2. Reliability of financial reporting

3. Compliance with applicable laws and regulations


7/19

7

COSO Integrated

Framework


8/19

8

Internal Control Components

Control Environment - The collective effect ofvarious factors on establishing, enhancing, or mitigating theeffectiveness of specific policies and procedures.

Integrity and Ethical Values

Managements Philosophy and Operating Style

Organizational Structure

The Board of Directors and the Audit Committee

Methods of Assigning Authority and Responsibility

Human Resources Policies and Practices

External Influences


9/19

9


Risk Assessment - This is the entitys identificationand analysis of relevant risks to achievement of itsobjectives, forming a basis for determining how the risksshould be managed.

Identify Threats

Estimate Risk

Estimate ExposureIdentify Controls

Estimate Costs and Benefits


10/19

10


Control Activities - Policies and procedures inaddition to the control environment and risk

assessment that provide reasonable assurance thatentity objectives will be achieved.

S egregation of duties

C omparisons and compliance monitoring

A dequate documents and records

L imited access to and use of assets and records

P roper authorization of transactions and activities


11/19

11


Classifications

Preventive, Detective, Corrective

General and ApplicationInput, Processing, and Output


12/19

12


Information and Communication - This areadeals with the identification, capture, and exchange ofinformation in a form and time frame that enable people tocarry out their responsibilities.

Identify and record all valid transactions (existence &completeness)

Properly classify transactions (presentation)

Record transactions at their proper monetary value(valuation)

Record transactions in the proper accounting period(allocation)

Properly present transactions and related disclosures inthe financial statements. (presentation & disclosure)


13/19

13


Monitoring - The process that assesses thequality of the internal control performance over

time.Effective supervision

Responsibility accounting

Internal auditing


14/19

14

Document Your

Understanding

Narrative

Flowchart

Questionnaire


15/19

15

Internal Control Risk

Rt = IR x CR x DR

SAS No. 47 requires the auditor to assescontrol risk. Maximum control risk is

100%


16/19

16

Assessing Control Risk

Start with the assertions

Existence or Occurrence

CompletenessRights and Obligations

Valuation or Allocation

Presentation and Disclosure


17/19

17

Assessing Control Risk

Match the documented control procedureswith the assertions

Three considerations:Are there adequate controls in place?

Are the controls in place designed adequately?

Are the controls in place operating effectively?


18/19

18

Tests of Controls

Inquiry

Inspection

Observation

Re-performance


19/19

19

Additional Issues

SAS No. 55 requires documentation of theassessed level of control risk

SAS No. 60 requires the auditor tocommunicate any reportable conditions tothe audit committee

internal control basics

Documents