sameh el lithy, cma, cia - مصطفى الطواشي · pdf file1 internal controls (15%...

1 Internal Controls (15% - Level A) Part 1 Financial Planning, Performance and Control © Sameh El lithy, CMA, CIA. U.9&10.CMA, Part 1 PREPARED BY Sameh El lithy, CMA, CIA.

Upload: dangtruc

Post on 26-Mar-2018


Internal Controls

(15% - Level A)

Part 1 Financial Planning, Performance and Control


PREPARED BY

Sameh El lithy, CMA, CIA .


Internal Controls (15% - Level C)

1. Risk assessment, controls, and risk management
   A. Internal control structure and management philosophy
   B. Internal control policies for safeguarding and assurance
   C. Internal control risk
   D. Implications of the Sarbanes-Oxley Act of 2002
   E. U.S. Foreign Corrupt Practices Act internal control requirements
   F. COSO Internal Control Framework

2. Internal auditing
   A. Responsibility and authority of the internal audit function
   B. Types of audits conducted by internal auditors

3. Systems controls and security measures
   A. General accounting system controls
   B. Application and transaction controls
   C. Network controls
   D. Flowcharting to assess controls
   E. Backup controls
   F. Disaster recovery procedures


In the Past

1980s

Treadway Commission

It is important to realize that before the publication of Internal Control – Integrated Framework, there had been no common agreement on what internal control was or what it consisted of. Therefore, entities had no standard to consult for determining whether their own internal control systems were effective. This lack of guidance had contributed to a good deal of confusion surrounding this important topic.

The events of the early 1980s also led to a private sector initiative, sponsored by five organizations, to identify the causes of fraudulent financial reporting and make recommendations to reduce its incidence. These five sponsoring organizations were known as COSO, or Committee of Sponsoring Organizations. COSO sponsored the Treadway Commission, or the National Commission on Fraudulent Financial Reporting (AICPA, IMA, IIA, AAA, FEI).

1985

The commission issued its report in 1987, called Report of the National Commission on Fraudulent Financial Reporting. The 1987 report of the Treadway Commission placed responsibility for prevention and earlier detection of fraudulent financial reporting on the entity that prepares the financial reports. The commission’s recommendations focused primarily on the public company.

1992

As a result of this recommendation, a task force was appointed by the Treadway Commission to develop practical, broadly accepted guidelines for establishing internal control and evaluating its effectiveness. The results of this task force’s work were published in a document titled Internal Control – Integrated Framework. The document was published in September 1992. This document has provided the framework for the internal control function in all organizations today.


• IMA Definition of IC
  The whole system of controls (financial and otherwise) established by management
  A. to carry on the business of the enterprise in an orderly and efficient manner,
  B. to ensure adherence to management policies, safeguard the assets, and
  C. ensure as far as possible the completeness and accuracy of the records.

• AICPA Definition of IC
  Internal control is a process -- effected by an entity’s board of directors, management, and other personnel -- designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  A. Reliability of financial reporting,
  B. Effectiveness and efficiency of operations, and
  C. Compliance with applicable laws and regulations.

• Sawyer’s Definition (The Father Of IA)
  The employment of all the means devised in an enterprise to promote, direct, restrain, govern, and check upon its various activities for the purpose of seeing that enterprise objectives are met. These means of control include, but are not limited to, form of organization, policies, systems, procedures, instructions, standards, committees, charts of accounts, forecasts, budgets, schedules, reports, records, checklists, methods, devices, and internal auditing.


Internal Control

• The internal controls of a company are an important part of its overall operations. A strong internal control system will provide many benefits to a company including:
  • Lower external audit costs,
  • Better control over the assets of the company, and
  • Reliable information for use in decision-making.

• A company with weak internal controls is putting itself at risk for employee theft, loss of control over the information relating to operations, and other inefficiencies in operations and decision-making that can damage its business.

• As a process, internal control is a means to an end, not an end in itself. Internal control can provide reasonable assurance but is not a guarantee. People, not policy manuals or forms, carry out internal control.


• The concept of internal control is based on two major premises: responsibility and reasonable assurance.

• The first premise, responsibility, has to do with management and the board of directors being responsible for establishing and maintaining the internal control process.
  • While specific responsibilities for controls may be delegated to subordinates, final responsibility remains with management and the board of directors.
  • External auditors, internal auditors, and other parties may be concerned directly with an organization's internal control process, but the ultimate responsibility for the control remains with management and the board of directors.

• The second premise, reasonable assurance, has to do with the relative costs and benefits of controls. Prudent management should not spend more on controls than the benefits to be received from the controls. Management must exercise its judgment to attain reasonable assurance that its control objectives are being met.


Major 5 Components of Internal Control

1. Control Environment
2. Risk assessment
3. Control activities
4. Information and communication,
5. Monitoring.

The mnemonic: CRIME (as identified by the bold letters in the list above – though not in the correct order in the above list).


1 - CONTROL ENVIRONMENT

Establishes the foundation for an internal control system by providing discipline and structure.


• The control environment factors set the tone of an organization, influencing the control consciousness of its people. The seven control environment factors, which you may remember using the mnemonic IC HAMBO, are
  • I - Integrity and ethical values
  • C - Commitment to competence
  • H - Human resource policies and practices
  • A - Assignment of authority and responsibility
  • M - Management’s philosophy and operating style
  • B - Board of directors or audit committee participation
  • O - Organizational structure


• The control environment reflects the “tone at the top.” Thus, it encompasses the attitudes and actions of the board of directors and managers regarding the significance of control. It provides the discipline and structure for the achievement of the objectives of internal control by influencing the control consciousness of the people within the organization.

• Top management must set the right tone, by:
  • Identifying, understanding and assessing the factors that could lead to fraudulent financial reporting;
  • Maintaining internal controls that provide reasonable assurance that fraudulent financial reporting will be prevented or detected early;
  • Developing and enforcing effective, written codes of corporate conduct;
  • Having the company’s audit committee review annually the program established by management to monitor compliance with the code.


• Organizations with effective control environments set a positive “tone at the top.”
  • They transmit guidance both verbally and by example, communicating the entity’s values, standards and code of conduct; and they follow up on violations.
    • There are mechanisms to encourage employee reporting of suspected violations, and disciplinary actions are taken when employees fail to report them.
  • They foster a “control consciousness” by setting formal and clearly communicated policies and procedures that are to be followed at all times, without exception, and which result in shared values and teamwork.
  • They specify the competence level needed for particular jobs; hire and retain competent people; and assign authority and responsibility appropriately.

• The board of directors is responsible for setting corporate policy and for seeing that the company is operated in the best interest of shareholders.
  • The attention and direction provided by the directors are critical.
  • The board consists of both inside and outside directors who have adequate expertise and who are active and involved. Independence from management is critical, so that if necessary, difficult and probing questions will be raised.


• Integrity and ethical values. Control effectiveness is limited by the integrity and ethical values of the people who design, implement, and monitor controls.
  • Integrity and ethical values are essential because they affect all aspects of control.
  • Ethical behavior results from the entity’s standards, the way they are transmitted, and how they are reinforced.
  • Hence, management should
    • remove incentives for dishonest, illegal, or unethical behavior.
    • communicate entity values and behavioral standards by means of policy statements and codes of conduct and by setting an example.


• Board of directors or audit committee participation.
  • Control consciousness is in large part a function of certain attributes of the board or audit committee:
    • degree of independence from management, their experience and prestige, the commitment to oversight of activities, the propriety of their actions, the extent to which significant issues are discussed with management, and their relationship with internal and external auditors.
  • To be effective, the audit committee must maintain communication with an organization's internal audit function as well as with the organization's external auditors (i.e., public accountants).


• Commitment to competence.
  • Competence consists of the knowledge and abilities necessary by members of the organization to complete tasks.
  • Thus, management should consider the competence required for particular tasks and how that relates to necessary knowledge and abilities.
  • Competence in employees is essential to the proper functioning of any process of internal control.
  • In the final analysis, it is the quality and competence of the employees that ensure the ability to carry out the control process. No control process can function adequately without competent employees.


• Management philosophy and operating style.
  • Philosophy and operating style embrace such characteristics as the attitude toward business risk; and the attitude and actions with respect to financial reporting, such as whether accounting estimates and the selection of accounting principles are appropriate; and attitudes toward activities of the information system, the accounting function, and employees.
  • Effective control in an organization begins with and ultimately rests with management philosophy. If management believes that controls are important, then it will see to it that effective control policies and procedures are implemented.


• Organizational structure. This framework should allow the organization to achieve its objectives by planning, executing, controlling, and monitoring appropriate activities.
  • Key areas of authority and responsibility as well as appropriate lines of reporting are reflected in a relevant organizational structure.
  • The structure should be suited to the entity’s needs and be reflective of its size and activities.

• Assignment of authority and responsibility. This element of the control environment pertains not only to authority and responsibility for operations but also to determination of reporting relationships and authorization of transactions.
  • Other relevant concerns are the propriety of business practices, the qualifications of key employees, and the resources needed to execute duties.
  • Assignment of authority and responsibility also encompasses efforts to ensure that employees know organizational objectives, how their interrelated activities contribute to achieving the objectives, and how and for what they will be accountable.


• Personnel policies and practices. This element concerns, among other things, hiring, training, evaluating, promoting, and compensating employees.
  • Thus, hiring standards that emphasize education, prior experience, past achievements, and evidence of integrity and ethical behavior display a commitment to employing people who are competent and trustworthy.
  • Training policies should impart to employees a knowledge of their roles and responsibilities and expectations about their conduct and performance.
  • Promotions based on periodic performance appraisals should reflect a commitment to rewarding merit.

• In the final analysis, personnel are the key components in any control system.

• In addition to properly selecting and adequately training employees, proper supervision is necessary to ensure that duties are being carried out as assigned. Supervision becomes very important in a small firm or in other situations where segregation of duties is not possible.

• Job Rotation and Forced Vacations
  • Job rotation and forced vacations allow employees to check or verify the operations of other employees by performing their duties for a period of time. Several advantages may be gained by these techniques.


• A board of directors consists of inside members (such as officers and employees) and outside members.

• It is the governing authority of a corporation and is therefore responsible for establishing overall corporate policy.

• Thus, the directors have a fiduciary duty to the organization and its shareholders.

• They must exercise reasonable care in the performance of their duties, which entails being informed about and conversant with pertinent corporate information, attending meetings, analyzing corporate financial statements, etc.

• Directors typically
  • Select and remove officers
  • Determine the capital structure
  • Add, amend, or repeal bylaws
  • Initiate fundamental changes, e.g., mergers or spinoffs, which must be approved by the shareholders
  • Declare dividends
  • Set the compensation of officers and management


• An audit committee is a subcommittee made up of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to assure that the directors are exercising due care. The role of an audit committee or an equivalent body in strengthening the position of both internal and external auditing is now widely recognized.

• The following are some of its Characteristics and Responsibilities
  • The appropriate governing authority should develop and approve a written charter describing the audit committee’s duties and responsibilities.
  • Reports to shareholders or other stakeholders should include a letter from the chair of the audit committee describing its responsibilities and activities.
  • The audit committee should have necessary resources available.
  • The audit committee should oversee the regulatory reporting process, monitor compliance with codes of conduct, review the independence of the independent public accountant.

• An audit committee composed of nonmanagement directors promotes the independence of internal as well as external auditors, especially when it selects the external audit firm and the chief audit executive (the person in the organization with responsibility for oversight of internal auditing activities). Thus, a strong audit committee insulates the auditors from influences that may compromise their independence and objectivity.

• An audit committee may also serve as a mediator of disputes between the auditors and management.


• Audit Committee Functions
  • Selecting an external auditor and reviewing the audit fee and the engagement letter
  • Reviewing the external auditor’s overall audit plan
  • Reviewing preliminary annual and interim financial statements
  • Reviewing results of engagements performed by external auditors
  • Approving the charter of the internal audit activity
  • Reviewing and approving the internal audit activity’s plans and resource requirements and receiving a summary of the IAA’s work schedule, staffing plan, and financial budget
  • Directly communicating with the chief audit executive who regularly attends and participates in meetings
  • Reviewing evaluations of risk management, control, and governance processes reported by the internal auditors
  • Reviewing policies on unethical and illegal procedures
  • Reviewing financial statements to be transmitted to regulatory agencies
  • Reviewing observations of organizational personnel
  • Participating in the selection of accounting policies
  • Reviewing the impact of new or proposed legislation or governmental regulations
  • Reviewing the external auditor’s management letter


• External auditors have recognized the importance of reporting to audit committees.

• Among the matters that may be communicated are
  • internal-control-related matters,
  • significant accounting policies,
  • management judgments and accounting estimates,
  • significant audit adjustments,
  • disagreements with management, and difficulties encountered during the audit.
  • Fraud involving senior management or fraud that materially misstates the financial statements should be reported directly to the audit committee.
  • The auditors also should be assured that the audit committee is adequately informed about other illegal acts coming to their attention.

• The control consciousness of the entity is improved if the audit committee is independent, composed of experienced and respected people, extensively involved in scrutinizing entity activities, willing to raise and pursue difficult questions with management, and in close communication with the internal and external auditors.


2 - Risk Assessment

Involves the identification and analysis by management of relevant risks to achieving predetermined objectives, forming a basis for determining how those risks should be managed.


• Within the control environment, management is responsible for the assessment of risk.
  • All systems of internal control involve tradeoffs between cost and benefit. For this reason, no system of internal control can be said to be “100% effective.”
  • Organizations accept the fact that risk can only be mitigated, not eliminated.

• A risk is anything that endangers the achievement of an objective. The questions should always be asked: What could go wrong here? What assets do we need to protect?

• Risk assessment is the process of identifying, analyzing and managing the risks that have the potential to prevent the organization from achieving its objectives. Assessment of risk involves determining the dollar value of assets that are exposed to loss (consequences), as well as the probability that a loss will occur (likelihood).
  • Accordingly, the expected value of a loss due to a risk exposure may be calculated if monetary estimates of potential losses and their probabilities can be made. This expected value is the maximum that should be spent on controls designed to minimize the risk.

• Therefore, the company’s objectives must be established before the risks to them can be assessed. The risk assessment forms the basis for determining how the risks should be managed.


Types of Risks

• External risks include
  • changes in technology,
  • changes in the market in which an entity operates,
  • new legislation bringing new requirements,
  • natural disasters,
  • economic changes,
  • a failure of a key supplier, or
  • being sued, defrauded, or robbed.

• Internal risks include
  • employee embezzlement accompanied by falsification of records to conceal the theft,
  • lack of compliance with government regulations, or
  • other illegal acts by employees, such as taking a bribe
  • disruption in computer systems,
  • poor management decisions,
  • errors or accidents.
  • Changes in management responsibilities can affect control activities; and an ineffective board or audit committee may leave openings for fraudulent actions on the part of anyone inside the organization.


Components of Audit Risk

• The AICPA’s audit risk model for the account balance or class of transactions level describes the components of audit risk, which is the risk that an auditor may unwittingly fail to modify his/her opinion on materially misstated financial statements. These components are defined as follows:
  • Inherent risk (IR)
  • Control risk (CR)
  • Detection risk (DR)
  • Total audit risk (AR) = IR × CR × DR


• Inherent risk (IR) is the susceptibility of a financial statement assertion to material misstatement in the absence of related controls.
  • This risk is greater for some assertions than for others, e.g., cash has a greater inherent risk than property, plant, and equipment.

• Control risk (CR) is the risk that a possible material misstatement of an assertion will not be prevented or detected by the related controls in a timely manner.
  • This risk depends on the effectiveness of the design and operation of those controls.
  • However, control risk cannot be eliminated because of the inherent limitations of internal control,
    • for example, the possibility of simple error or mistake due to faulty human judgment, the ability of management to override internal control inappropriately, the potential for circumventing internal control as a result of collusion by two or more people, or an unfavorable relationship of the cost of control to its benefits.

• Detection risk (DR) is the risk that a material misstatement of an assertion will not be detected by the auditor,
  • for example, because the auditor merely sampled the account balance or class of transactions, selected an inappropriate audit procedure, misapplied an audit procedure, or misinterpreted the audit results.
  • The level of detection risk is the only one of the three subject to the auditor’s direct control.


3 - Control Procedures

Control procedures are implemented to manage or limit risk in accordance with the entity’s risk assessments whenever risk exposures exist that threaten loss of assets or misstatements of accounting or management information.


• Control procedures (control activities) are designed and placed in operation to ensure that management’s directives are executed.
  • Hence, they should include the requisite steps to respond to the risks that threaten the attainment of organizational objectives.
  • For this purpose, controls should be suitably designed to prevent or detect unfavorable conditions arising from particular risk exposures.
  • They should also be placed in operation and operate effectively. If controls are not always in force, then, no matter how effective their design, they cannot operate effectively.

• Control activities can be viewed from
  • Time of control
    • Detective, Preventive, Directive, Corrective.
  • Control and achieving the main objective (FOCS)
    • Reliability of financial reporting
    • Efficiency and effectiveness of operations
    • Compliance with applicable laws and regulations
    • Safeguarding of assets


• Controls can be classified according to the function they are intended to perform; for example,
  • Detective, to discover the occurrence of an unwanted event,
  • Preventive, to avoid the occurrence of an unwanted event
  • Directive, to ensure the occurrence of a desirable event
  • Corrective, to correct an occurrence of an undesirable event

• A control activity can also be compensating, to compensate for what appears to be a weakness in controls


• Preventive, to avoid the occurrence of an unwanted event
  • Preventive: segregation of duties, suitable authorization of transactions, checking creditworthiness of customers before goods are shipped.

• Preventive controls are usually more cost beneficial than detective or corrective controls.

• In general, preventive controls are more important than detective controls because the benefits typically outweigh the costs.

• Preventive controls dependent upon functions or people performing their roles effectively may include:
  • Separation of duties, which is covered in more detail later in this section.
  • Supervisory review, such as a supervisor approving a purchase transaction.
  • Dual control, such as two signers on every check.


• Detective, to detect the occurrence of an unwanted event
  • Detective: bank reconciliations, checking for missing document numbers in prenumbered documents, performance reporting with variances.

• Detective controls are intended to back up preventive controls by detecting errors after they have occurred. Reconciliation of bank statements is an example of a detective control over cash assets. Detective controls complement preventive controls and are essential components of a well-designed control system. In some cases, detective controls may be less costly than preventive controls because random transactions, rather than every transaction, can be examined.


• Directive, to ensure the occurrence of a desirable event
  • Directive: for example, managers of a construction company instructing project managers to hire local workers in order to create a favorable image in the communities in which it operates.

• While the focus of preventive, detective, and corrective controls is on the prevention, detection, and correction of negative results, directive controls are designed to produce positive results. For example, a firm may have a policy to use local vendors as often as possible. Directive controls may be intended to create a favorable image for the company in the community.

• Corrective, to correct an occurrence of an undesirable event.
  • Corrective: procedures put in place to remedy problems discovered by detective controls, such as steps taken to identify the cause of the problem, to correct errors arising from the problem, and to modify the processing system to minimize future occurrences of the problem.


• Compensating controls
  Compensating controls are designed to compensate for shortcomings elsewhere in the control structure.

• Compensating controls replace the normal controls, such as segregation of duties, when the latter cannot feasibly be implemented.
  • Compensating controls may include redundancy.
  • For example, a bank reconciliation process performed by a party who is independent of accounts payable can compensate for a number of flaws in the controls over these types of transactions.


• Control and achieving the main objective of internal control (FOCS)
  • Reliability of financial reporting
  • Efficiency and effectiveness of operations
  • Compliance with applicable laws and regulations
  • Safeguarding of assets


• Reliability of financial reporting
  • Management has legal and professional responsibility to ensure that information in financial statements is fairly represented and prepared in accordance with generally accepted accounting principles (GAAP). Examples of controls for reliability of financial reporting include control procedures for budgeting, internal performance reports, accounting classes to which transactions are posted, and control over account balances.
  • These controls have importance not only for financial reporting but also for ensuring that management decisions are based upon accurate information.


• Safeguarding Assets
  • The objective of safeguarding assets requires that access be limited to authorized personnel.
  • Access includes both direct physical access and indirect access through the preparation or processing of documents that authorize the use or disposition of assets.

• Examples of controls to safeguard assets:
  • The various means of segregation of duties.
  • The use of cash registers, establishment of a lockbox system for collecting cash receipts from customers, e.g., direct deposit in a bank, intact deposit of daily receipts, and custody of cash by the treasury function.
  • Controls to prevent improper granting of credit, approval of credit memos by persons other than sales agents, and approval of write-offs of uncollectibles by a person independent of the credit manager or the accounts receivable function.


• Use of sequentially pre-numbered forms accounted for by an independent third party to permit detection of unrecorded and unauthorized transactions;
• Requiring proper documentation, that is, purchase order, supplier’s invoice, and receiving report, before authorization of payment for goods received; and cancelation of vouchers and supporting documents to prevent duplicate payments.
• Preparation of payroll from time cards approved by line supervisors; distribution of paychecks by the treasury function, not line supervisors; and custody of unclaimed checks by an independent party.
• Custody of securities by the treasury function, the presence of at least two authorized persons when the safe deposit box is opened, recording and reconciliation of identifying information about securities, and registration in the name of the owner.
• Controls over excess use of materials in production; custody of inventories by the storekeeper, with proper documentation of transfers; and perpetual inventory records.
• Restriction of access to property, plant, and equipment and periodic inspections by internal auditing.
• The controls over computer processing.
• Physical measures taken to protect assets from natural disasters (e.g., floods, wind damage, or earthquakes).


• Reconciliation of recorded accountability with assets. The purpose of comparing recorded accountability with assets is to determine whether the actual assets agree with the recorded accountability.
  • Typical examples of this comparison include cash and securities counts, bank reconciliations, and physical inventories.
  • A comparison revealing that the assets do not agree with the recorded accountability provides evidence of unrecorded or improperly recorded transactions.
  • The converse, however, does not necessarily follow. For example, agreement of a cash count with the recorded balance does not provide evidence that all cash received has been properly recorded.

• When assets are susceptible to loss through errors or fraud, the comparison with recorded accountability should be made independently. An independent reconciliation or check, performed by someone other than the person responsible for the initial preparation, increases the likelihood that the control will be effective because, in the absence of collusion, the same person will not be in the position to perpetrate and conceal an error or fraud in the course of his/her normal duties.
  • The frequency of such comparisons for the purpose of safeguarding assets depends on the nature and amount of the assets involved and the cost of making the comparison.
  • For example, it may be reasonable to count cash daily, but not reasonable to take a physical inventory at that interval. However, a daily inventory of products in the custody of route salesmen, for example, may be necessary as a means of determining their accountability for sales. Similarly, the value and vulnerability of some products may make frequent complete inventories worthwhile.


• Note: Different people must always perform the following four functions:
  • Authorizing a transaction.
  • Recording the transaction, preparing source documents, maintaining journals.
  • The periodic reconciliation of the physical assets to the recorded amounts for those assets.
  • Keeping physical custody of the related asset.

• Be aware, however, that segregation of duties does not guarantee that fraud will not occur.
  • Two or more employees could collude with one another to commit fraud, covering for one another and, presumably, sharing the proceeds.
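
The four-function rule above can be checked both on access rights (a preventive check) and on the audit trail of what was actually done (a detective check). The following is an added example, not part of the original slides; the function labels, the per-cycle scoping of conflicts, the people and the transaction ids are constructed assumptions.

```python
from collections import defaultdict

# The four functions the slide says must be performed by different people.
FUNCTIONS = ("authorize", "record", "custody", "reconcile")


def conflicting_entitlements(assignments):
    """Preventive check on access rights.

    assignments: iterable of (person, cycle, function).
    Returns {(person, cycle): [functions]} for every person who holds two
    or more of the four functions within the same cycle (assumption: duties
    held in different cycles do not conflict).
    """
    held = defaultdict(set)
    for person, cycle, function in assignments:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function: {function!r}")
        held[(person, cycle)].add(function)
    return {key: sorted(funcs) for key, funcs in held.items() if len(funcs) > 1}


def violations_in_log(events):
    """Detective check on the audit trail.

    events: iterable of (transaction_id, function, person).
    Returns [(transaction_id, person, [functions])] for each person who
    performed more than one function on the same transaction.
    """
    acted = defaultdict(lambda: defaultdict(set))
    for txn, function, person in events:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function: {function!r}")
        acted[txn][person].add(function)
    found = []
    for txn in sorted(acted):
        for person in sorted(acted[txn]):
            funcs = acted[txn][person]
            if len(funcs) > 1:
                found.append((txn, person, sorted(funcs)))
    return found


# Constructed sample data (not from the slides).
ASSIGNMENTS = [
    ("amal", "sales", "authorize"),
    ("badr", "sales", "custody"),
    ("chen", "sales", "record"),
    ("dina", "sales", "reconcile"),
    ("badr", "sales", "record"),    # custody + recording in one cycle
    ("amal", "payroll", "record"),  # different cycle, not flagged
]

EVENTS = [
    # SO-1: four different people, passes both checks. Collusion among
    # them would still be invisible here, as the slide warns.
    ("SO-1", "authorize", "amal"), ("SO-1", "custody", "badr"),
    ("SO-1", "record", "chen"), ("SO-1", "reconcile", "dina"),
    # SO-2: badr uses the conflicting rights found in ASSIGNMENTS.
    ("SO-2", "authorize", "amal"), ("SO-2", "custody", "badr"),
    ("SO-2", "record", "badr"), ("SO-2", "reconcile", "dina"),
    # SO-3: amal reconciles without holding that right on paper, so only
    # the log check catches it (the control was designed but not in force).
    ("SO-3", "authorize", "amal"), ("SO-3", "custody", "badr"),
    ("SO-3", "record", "chen"), ("SO-3", "reconcile", "amal"),
]

if __name__ == "__main__":
    print(conflicting_entitlements(ASSIGNMENTS))
    print(violations_in_log(EVENTS))
```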


• Establishing and maintaining internal control is an important management responsibility.

• In establishing specific internal controls, some of the specific objectives management may wish to consider include the following:
  • Transactions are executed in accordance with management’s general or specific authorization.
  • Transactions are recorded as necessary to
    • Permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements
  • Custody of assets is permitted only in accordance with management’s authorization.
  • The recorded accountability for assets is reconciled with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.


• Segregation of Authorization from Recording of Transactions
  Segregation of authorization of transactions from recording of transactions reduces opportunities for errors and irregularities by establishing independent accountability for authorization functions. If each function in an organization kept its own records, there would be no accountability. There would be no basis for an independent reconciliation and analysis of a function's activities because there would be no assurances that all transactions have been recorded. In order to ensure unbiased information, record-keeping functions are usually centralized in a separate function headed by the controller.

• For example, in a sales order application, the sales manager authorizes credit sales. A copy of the sales order form is sent to the warehouse to authorize the shipment of goods. If notice of the shipment is subsequently sent only to the sales manager, then the sales manager is accountable for his or her own performance. The sales manager is thus in a position to perpetrate errors and irregularities in the normal course of his or her duties. Perhaps he or she has authorized a shipment to a relative or friend. When notice of the shipment is received, the sales manager simply may destroy it or ignore it rather than forward it to billing for collection.


• Segregation of Authorization from Custody of Assets
  Segregation of authorization of transactions from custody of assets reduces opportunities for errors and irregularities by establishing independent accountability for the use (custody) of assets. Authorization of activities is communicated to those who have custody of assets and simultaneously communicated to the record-keeping function (i.e., accounting). Those charged with the custody of assets subsequently communicate the results of activity (i.e., transactions) to the record-keeping function. Reconciliation of these data with the authorizations that were received from an independent function provides accountability for both the authorization and the subsequent use of assets.

• For example, in a sales order application, the sales manager authorizes credit sales. A copy of the sales order form is sent to the warehouse to authorize the shipment of goods. Another copy of the sales order form is sent to accounting. Notice of the shipment is subsequently sent to accounting. Reconciliation of shipment data with the authorizations that were received from an independent function provides accountability for both the authorization and the subsequent use of assets. Notice of shipment without a matching authorization indicates unauthorized shipments. Notice of authorization without subsequent shipment indicates ineffectiveness or inefficiency in completing sales transactions.
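
The reconciliation that accounting performs in this sales example, together with the earlier detective control of checking for missing numbers in prenumbered documents, can be sketched as follows. This is an added example, not part of the original slides; the record layouts and sample data are constructed, and the over-shipment check generalizes the slide's two cases to quantities.

```python
from collections import defaultdict
from typing import NamedTuple


class SalesOrder(NamedTuple):
    """Accounting's copy of a sales order authorized by the sales manager."""
    order_no: int  # prenumbered form
    qty: int       # quantity authorized for shipment


class ShippingNotice(NamedTuple):
    """Notice of shipment sent by the warehouse to accounting."""
    notice_no: int  # prenumbered form
    order_no: int   # sales order the warehouse says it shipped against
    qty: int


def missing_numbers(numbers):
    """Gaps in a prenumbered sequence between the lowest and highest seen."""
    seen = set(numbers)
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def reconcile(orders, notices):
    """Compare shipping notices with the authorizations on file."""
    authorized = {o.order_no: o.qty for o in orders}
    shipped = defaultdict(int)
    unauthorized = []
    for n in notices:
        if n.order_no in authorized:
            shipped[n.order_no] += n.qty
        else:
            # Shipment without a matching authorization.
            unauthorized.append(n.notice_no)
    return {
        "unauthorized_shipments": sorted(unauthorized),
        # Authorization without subsequent shipment.
        "not_shipped": sorted(o for o in authorized if shipped[o] == 0),
        # More shipped than was authorized (added generalization).
        "over_shipped": sorted(
            o for o, qty in authorized.items() if shipped[o] > qty
        ),
        # Forms that never reached accounting.
        "missing_order_numbers": missing_numbers(authorized),
        "missing_notice_numbers": missing_numbers(
            n.notice_no for n in notices
        ),
    }


# Constructed sample data (not from the slides).
ORDERS = [
    SalesOrder(1001, 10),
    SalesOrder(1002, 5),
    SalesOrder(1004, 8),
    SalesOrder(1005, 3),
]
NOTICES = [
    ShippingNotice(501, 1001, 10),
    ShippingNotice(502, 1002, 4),
    ShippingNotice(503, 1002, 3),  # 4 + 3 exceeds the 5 authorized
    ShippingNotice(505, 1003, 6),  # order 1003 is not on file
    ShippingNotice(506, 1005, 3),
]

if __name__ == "__main__":
    for finding, items in reconcile(ORDERS, NOTICES).items():
        print(f"{finding}: {items}")
```

In the sample, the missing order number and the unauthorized shipment point at the same form (1003), which is the kind of lead an independent reconciler would follow up.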


• Segregation of Recording Transactions from Custody of Assets
  Segregation of recording transactions from custody of assets reduces opportunities for errors and irregularities by establishing independent accountability for the use of assets. Authorization of activities is communicated to those who have custody of assets and simultaneously communicated to the record-keeping function (i.e., accounting). Those charged with the custody of assets subsequently communicate the results of activity (i.e., transactions) to the record-keeping function. Reconciliation of these data with the authorizations that were received from an independent function provides accountability for both the authorization and the subsequent use of assets.

• If there is no segregation of duties between recording transactions and custody of assets, then those charged with the custody of assets are accountable for their own performance. There would be no basis for an independent reconciliation and analysis of a function's activities because there would be no assurances that all transactions have been recorded. The persons charged with the custody of assets are in a position to perpetrate errors and irregularities in the normal course of their duties by omitting records or falsifying entries into the records. In the preceding sales example, goods may be shipped by those who have custody of assets without authorization and without recording the shipment because there is no independent accountability for shipments.


Examples of segregation of duties include separating the functions in
• Purchases-Payables Cycle
• Payroll Cycle
• Production Cycle
• Sales-Receivables Cycle


• In the purchases-payables cycle:
  • separating the functions of the initiation of a purchase, receipt and checking in of the merchandise, authorization to pay the vendor, custody of the merchandise, record keeping for the merchandise, and verification that the amounts of the merchandise on hand match the amounts in the books.

• One person authorizes issuance of purchase orders, while a different person is responsible for recording receipt of inventory.
  • (Without such segregation, one person could issue a purchase order to a fictitious vendor using a rented post office box, then prepare a fictitious receiving record and mail an invoice to the company using a post office box personally rented for that purpose, resulting in the company’s paying for something it never ordered or received.)

• In the payroll cycle:
  • separating the functions of authorization of pay rates and deductions, hiring and termination of employees, payroll preparation, check distribution, and reconciliation of checks cut and cleared to the payroll register and HR records.


• In the production cycle:
  • separating the functions of planning production and inventory levels, inventory custody, inventory recording, cost accounting, and reconciliation of materials requisitions to production reports.

• In the sales-receivables cycle:
  • separating the functions of authorization of customer credit levels, authorization of a sale to a customer, custody of product, custody of cash, record keeping, and reconciliation of accounts receivable records to cash receipts.

• One person has authority to adjust accounts receivable, while a different person posts payments on customer accounts.
  • (Without segregation here, one person could divert cash receipts and then falsify the account balances of the customers who paid the cash in order to conceal the diversion.)

• One person has custody of cash receipts, while a different person has the authority to authorize account write-offs.
  • (Without segregation, one person could authorize a false write-off while diverting the collection on the account.)

• One person is responsible for preparing the bank deposit, while a different person reconciles the checking account.
  • (Without segregation, one person could divert cash receipts and cover the activity by creating “reconciling items” in the account reconciliation.)


• Compliance with applicable laws and regulations

• Organizations are required to follow many laws and regulations; these are imposed upon the organization from the outside. The firm establishes internal controls in the form of policies, plans, and procedures to ensure planned, systematic, and orderly operation.
  • Failure to comply with such controls jeopardizes the firm's compliance with the associated laws and regulations.


4. Information & Communication

Supports all other control components by communicating control responsibilities to employees; provides information in a form and time frame that allow people to carry out their duties.


• The fourth component includes the accounting system, consisting of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of the related assets and liabilities. To be effective, the information and communication system must accomplish the following goals for transactions:
  (1) Identify and record all valid transactions
  (2) Describe on a timely basis
  (3) Measure the value properly
  (4) Record in the proper time period
  (5) Properly present and disclose
  (6) Communicate responsibilities to employees.

• Relevant information must be identified, captured and communicated in a manner that enables people to carry out their responsibilities. This means reports must contain the information that management needs and they must be available in a timely manner.
  • Communication must be ongoing, both within and between various levels and activities of the organization. All staff must understand their roles in the internal control system and be able to communicate significant information upstream.

• Reports containing operational, financial and compliance information that are needed for informed decisions – both internally generated and external information – must be available.

• Supervisors must communicate duties and responsibilities to the employees that report to them, and employees must alert management to potential problems.

• Information must be communicated to those outside the organization, such as vendors, and must also be available from external sources.

• The systems must provide a way to communicate important information to the very top of the organization, when appropriate.


5. Monitoring

Covers the oversight of internal controls by management or other parties outside the process; or the application of independent methodologies, such as customized procedures or standard checklists, by employees within a process.


• Monitoring assesses the quality of internal control performance over time. Monitoring activities may be ongoing, separate evaluations, or a combination thereof.
  • Ongoing monitoring activities are often designed into recurring activities such as sales and purchases.
  • Separate evaluations are often performed by internal auditors or other personnel and often include communication of information about strengths and weaknesses and recommendations for improving internal control. Monitoring activities may also be performed by external parties (e.g., customers implicitly corroborate billing data by paying invoices).

• Finally, management must monitor the entire system. Monitoring assesses the quality of the internal control system’s performance over time. Management must also revisit previously identified problems to make sure they have been corrected.


• Monitoring can be done in two ways:
  1. through ongoing monitoring during normal operations, and
  2. separate evaluations by management with the assistance of the internal audit function.
  If monitoring is done regularly during normal operations, it lessens the need for separate evaluations.

• If operating reports are used to manage ongoing operations, exceptions to anticipated results will be recognized quickly.

• Monitoring should be done on a regular basis.

• When deficiencies in internal control are discovered, they should be reported immediately to top management and, for very significant matters, to the board of directors. Appropriate remedial action should be taken, and the results of the remedial action should be monitored.

• An internal audit function is common in large organizations to monitor and evaluate controls on an ongoing basis. The expanded span of control and the growth in the volume of transactions associated with large organizations were factors in the emergence of the internal audit function.


Controls cannot give Absolute Assurance

• Fraud differs from error because it is intentional. It typically involves pressures or incentives to engage in wrongdoing and a perceived opportunity to do so.
  • Examples are fraudulent financial reporting and misappropriation of assets.

• Internal controls are designed to, among other things, prevent fraud.
  • However, because of the concealment aspects of fraudulent activity (e.g., collusion or falsification of documents), the controls cannot give absolute assurance that material fraud will be prevented or detected.


• Section 102 of the FCPA requires all companies who are subject to the Securities Exchange Act of 1934 to

  A. Make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

  B. Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that

    1. Transactions are executed in accordance with management's general or specific authorization;

    2. Transactions are recorded as necessary (i) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements and (ii) to maintain accountability for assets;

    3. Access to assets is permitted only in accordance with management's general or specific authorization;

    4. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

• Making it illegal for individuals or business entities to make payments to foreign officials to secure business.


Sarbanes-Oxley Act

• The proper design and operation of an organization’s system of internal controls is the responsibility of management. Section 404 of the Sarbanes-Oxley Act of 2002 requires publicly traded companies to issue a report stating that

  1. Management takes responsibility for establishing and maintaining the firm’s system of internal controls, and

  2. The system has been functioning effectively over the reporting period.


What Internal Control Can and Cannot Do

It is important that we remember what can be expected of internal control and what internal control cannot do.


• What Internal Control Can Do
  • Internal control can help an organization get where it wants to go, avoiding pitfalls and surprises along the way.
  • It can help an organization achieve its performance and profitability goals and prevent loss of resources.
  • It can help ensure reliable financial reporting.
  • It can help ensure that the organization complies with laws and regulations.

• What Internal Control Cannot Do
  • The COSO report warns against promoting internal control as a guarantee that the entity will achieve its financial reporting, operational, and compliance objectives.
  • Internal control has limitations including simple human error or faulty judgments; and controls can be circumvented through collusion, well-planned fraud, and management override.
  • No matter how well designed and operated, internal control can provide only reasonable assurance to management and the board of directors regarding achievement of the entity’s objectives.
  • Controls must be evaluated in terms of the cost-benefit relationship, so as to avoid excessive controls that result in increased bureaucracy and reduced productivity.


Who Is Responsible for Internal Control?

Some people believe that the internal audit function has primary responsibility for establishing and maintaining the internal control system. But the COSO report corrected that belief. It advanced corporate governance by delineating the responsibility of each group or person listed below to maintain and assess internal controls as follows:


• Responsibility for establishing and maintaining the Internal Control system

• The board of directors is responsible for overseeing the internal control system, providing governance, guidance and insight.

• The CEO is ultimately responsible for the “tone at the top.” The CEO should provide leadership and direction to the senior managers and review the way they are controlling the business.

• Senior managers delegate responsibility for establishment of specific internal control policies and procedures to personnel responsible for each unit’s functions.

• Financial and accounting officers and staff are central to the exercise of control, as their activities cut across as well as up and down the organization. However, all management personnel are involved, especially in controlling their own units’ activities.

• Internal auditors evaluate the effectiveness of the control systems and contribute to their ongoing effectiveness, but they do not have the primary responsibility for establishing or maintaining it.

• External parties such as independent auditors often provide information useful to effective internal control.


Internal Controls (15% - Level A)

1. Internal auditing (Main Subtopics, U11)
   a. Responsibility and authority of the internal audit function
   b. Types of audits conducted by internal auditors
   c. Internal audit assistance provided to management

• The candidate should be able to:
   A. define the internal audit function and identify its functions
   B. demonstrate an understanding of the scope of internal auditing
   C. identify incidents that internal auditors should report to management or the Board of Directors
   D. define a compliance audit and identify its objectives
   E. define an operational audit and identify its objectives


• Internal Auditing

• The primary purpose of an internal audit is the appraisal of the design of, effectiveness of, and adherence to internal control policies and procedures and the assessment of the firm's quality of performance. The internal auditor ensures that any risk to the business is addressed and verifies that the firm's goals and objectives are met efficiently and effectively.

• The Institute of Internal Auditors, the U.S. professional organization of internal auditors, has defined internal auditing as: “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”


• Responsibility and Authority of the Internal Audit Function

• The IIA practice standards include five categories for guidance:

1. Responsibility and scope of work
2. Independence
3. Professional proficiency
4. Performance of audit work, and
5. Management of the internal auditing department.


• Responsibility and scope of work

• An effective internal audit function provides to management and the audit committee a means of monitoring the reliability of financial reporting and the organization’s control over operations.

• This monitoring of control over operations includes the effectiveness and efficiency of operations as well as its compliance with applicable laws and regulations.

• The internal audit function should encompass every part of the organization’s operations, and to this end it should have unlimited access to the company’s documents, records or properties.

• As we saw in the previous section on Internal Control, a company’s management – and the board of directors – is responsible for the organization’s internal control. Internal auditors are utilized to monitor the performance of the organization’s internal control systems.

The overall scope of work for the internal auditor is broader than that of the external auditor.


• Thus, internal auditing has developed in order to assist management in carrying out its monitoring responsibilities in an effective and efficient manner. The objective of internal audit is to promote effective control at a reasonable cost. Internal auditors’ responsibilities with respect to the internal control system include:

  • Testing individuals’ compliance with controls to determine whether policies and procedures established by management are being followed, i.e., the quality of performance in carrying out assigned responsibilities.

  • Evaluation of the adequacy and effectiveness of the control system in a systematic and thorough manner.

  • Examination and evaluation of the reliability and integrity of financial and operating information and the means used to identify, measure, classify and report the information.

  • Reviewing systems that impact operations and reports to determine whether the organization is in compliance with policies, plans, procedures, and regulations.

  • Examination and evaluation of the effective and efficient use of an entity’s resources.

  • Reviewing the means used to safeguard assets and verifying the existence of those assets as appropriate.

  • Furnishing analyses, appraisals, recommendations, counsel and information concerning activities reviewed to the management of the organization in order to assist them in the effective discharge of their responsibilities.


• Independence

• The internal auditor must remain independent of operations in order to maintain objectivity throughout the audit process. The auditor should also remain independent of decision-making processes and undue influence by management. The board of directors should be the primary audience for the internal auditor.

• For the internal audit department to accomplish these responsibilities, it must have the necessary level of organizational status. This means it must have adequate authority and freedom to carry out the activities that need to be accomplished.

• The internal audit function should report to the board of directors through the audit committee. Also, the internal auditors need to be supported by both the audit committee and the board in order to make sure that those who are audited are cooperative with the internal auditors. The support of the board and audit committee will demonstrate that the work is viewed as important for the organization.

• Along with the correct level of organizational status, the internal audit department must have organizational independence.

  • This means that the internal audit function should not have any direct relationships with the various departments it will be auditing. Reporting directly to the board of directors achieves this organizational independence.


The Difference Between Internal Auditors and External Auditors

• External, independent auditors perform financial audits. Their responsibility is to issue an opinion on the accuracy and fairness of management’s assertions regarding the financial statements.

• The external auditor focuses on the financial accounting system and activities that have direct, material effect upon the financial statements.

• A CPA firm that is nominated by the board of directors does the external auditing.

  • The auditors are not employees of the company. External auditors, along with company management, have legal responsibility to issue financial statements that do not contain serious errors or mistakes.

  • This legal responsibility was increased with the Sarbanes-Oxley Act of 2002.

• The responsibility of internal auditors, on the other hand, is to compare “what is” with “what should be” and report to management their findings, along with suggestions and recommendations for improvement.

• Internal auditors are employees of the organization they audit. They are not referred to as “independent auditors,” because that term is reserved for external auditors. Despite this, internal auditors must maintain a degree of independence from the activities they audit, in order to preserve their objectivity.

• Despite the fact that internal auditors are distinct from external auditors, internal auditors do have responsibility to assist the external auditors in the external audit of the organization’s financial statements.


• Coordination of Work Between Internal and External Auditors

• Costs of the external audit can be greatly reduced if the external auditor can use the work already done by internal auditors or performed by internal auditors to assist during the external audit.

• However, external auditors must base their justification for reliance on work by internal auditors upon the internal auditors’ competence and the internal auditors’ objectivity.

• If internal auditors are competent, skilled in auditing techniques and have a broad perspective of controls, they can assist the external auditors with the financial audit of the organization. Competent internal auditors can eliminate the need for some of the work that might otherwise be done by the external auditors.

• Work done by internal auditors to test internal financial controls can be valuable to external auditors, subject to the following guidelines:

1. The internal auditors are not to direct the external audit of the organization’s financial statements.
2. Before relying on the work of internal auditors, the external auditors must review and test the work performed by the internal auditors.
3. In the assessment of audit risk and in the performance of the audit, the external auditors will make all of the final decisions and conclusions.
4. The work of the internal and external auditors should be coordinated so as to reduce the amount of duplicate work that is done by both parties.
5. Because the internal auditors are a related party to the company, the external auditor will supervise any work done by the internal auditor as part of the external audit.


• Professional proficiency

• The technical proficiency and educational background of an internal auditor should be appropriate for the types of audits performed. In large firms, the audit department may have many members, some of whom perform specialized types of audits, such as information systems audits.

• Proficiency refers to the ability of the internal auditor to apply knowledge to situations likely to be encountered, and to deal with them without extensive recourse to technical research and assistance. Proficiency in accounting principles and techniques is only required of auditors who work extensively with financial records and reports.

• Internal audit activity should collectively possess (or obtain) the knowledge, skills, and other competencies needed to perform its responsibilities.

• If certain knowledge, skills, or other competencies required to perform all or part of an engagement are lacking, the CAE should seek external advice and assistance.


• The Authority and Responsibility of Internal Auditors

• The CAE and staff of the internal audit activity are authorized to:

  • Have unrestricted access to all functions, records, property, and personnel.

  • Have full and free access to the audit committee.

  • Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.

  • Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization.

• Unless otherwise directed, the CAE and staff of the internal auditing activity are not authorized to:

  • Perform any operational duties for the organization or its affiliates.

  • Initiate or approve accounting transactions external to the internal auditing activity.

  • Direct the activities of any organization employee not employed by the internal auditing activity, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.


• The Authority and Responsibility of Internal Auditors

• The responsibility of the internal auditor is to review and appraise policies, procedures, plans and records for the purpose of informing and advising management.

• Internal auditors do not have any authority or responsibility over operating activities.

  • If they did, it would impair any independence and objectivity they may have in working in these areas.

  • It is important that internal auditors remain detached from the items that they are auditing or reviewing so that they will be able to carry out their duties to management. Therefore, after a person joins internal audit, that person should not audit the area he came from for a reasonable amount of time. The IIA recommends this reasonable time to be a minimum of one year.

• The responsibility of internal audit ends with the making of recommendations. Auditors should have no authority over or responsibility for the activities they audit. It is the responsibility of the board or management to implement the recommendations brought to them by the internal auditors.


• Performance of audit work

• Audit work should include:

1. Planning the audit.
2. Examining and evaluating information & documentation of the audit work.
3. Communicating results.
4. Following up to determine that appropriate action is taken on reported audit findings.

• Management of the internal auditing department

• The director of internal auditing should manage the auditing department, including establishing the following controls:

  • Statement of purpose, authority, and responsibility for the internal auditing department
  • Plans to carry out the department's responsibilities
  • Written policies and procedures to guide the audit staff
  • Program for selecting and developing the human resources of the audit department
  • Coordination of internal and external audit efforts
  • A quality assurance program to evaluate the operation of the internal auditing department


• Reporting Audit Results

• Potential audiences for the audit report include divisional and operational managers as well as top management and the board of directors. The internal auditor should inform management of all problems. Because of the possible use of the internal audit report by external auditors, legal counsel may need to be consulted before highly sensitive information is included in a written audit report. In addition, according to IIA Guideline 430.02, "The internal auditor should discuss conclusions and recommendations at appropriate levels of management before issuing final written reports." Such discussions minimize misunderstandings.

• The auditor's report identifies conditions as findings, or issues to address or recognize. One audit report may include several specific findings, and each finding, which may be positive or negative, should be documented on a separate summary findings sheet. Negative findings are called exceptions. Findings are performance or actions as measured against the firm's policies, procedures, standards, or external laws and regulations and against risks such as inadequate safeguarding of company assets.

• Each summary findings sheet should report the condition; the policy, legal criteria, or expectation; the effect of the condition; the cause of the condition; and recommendations that offer alternatives relative to the specific control objective.


• A recommendation does not necessarily represent a solution for the condition. The auditor can make four types of recommendations:

  • Make no changes.
  • Modify internal control policies and/or procedures.
  • Add insurance for potential risks discovered during the audit.
  • Adjust the required rate of return on an activity to match the associated risk.

• An internal auditor may report a number of findings to management. General findings may include such items as inadequate control procedures, lack of adherence to control procedures (e.g., disorganized records), inadequate safeguarding of assets, inefficient allocation of resources, etc.

• Each general finding should be supported by specific findings. For example, an internal auditor conducting a compliance audit might provide managers with a report indicating which employees failed to have their timecards up-to-date. An internal auditor conducting an audit of the physical security of assets might report anyone whose sensitive files were found unlocked during an after-hours check. Or a software audit might result in a report of computers on which unlicensed software had been loaded.


• Types of Audits Conducted by Internal Auditors

• Internal audits are conducted for a number of reasons, including financial control, assurance of compliance with regulations, and assessment of internal control policies and procedures. An internal auditor could conduct one or more of several types of audits: financial, operational, performance, electronic data processing, contract, compliance, and special investigations (such as fraud).

• Internal auditors have concentrated less on financial audits and more on operational audits. Over half of the average internal auditor's time is spent on operational audits. Compliance audits are another key type of audit.

• According to Sawyer, internal auditing services may be classified in three categories:

  • Financial. The analysis of the economic activity of an entity as measured and reported by accounting methods.

  • Compliance. The review of both financial and operating controls and transactions to see how well they conform with established laws, standards, regulations, and procedures.

  • Operational. The comprehensive review of the varied functions within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.


• Financial audit

• A financial audit is an audit of the firm's financial statements. The objective of a financial audit is to determine whether the overall financial statements fairly represent the firm's operations and financial condition. The internal auditor may conduct an audit of financial reports for a department or a segment of a department. The audience for a financial audit is the board of directors and senior management. The direction of a financial audit conducted by an internal auditor is forward-looking, in contrast to the external audit, which is backward-looking.

• Audit of financial statements – to evaluate the assertions made by management on the organization’s financial statements and to issue an opinion on the fairness of the statements. Those assertions are:

  • Existence or occurrence (the information represents actual transactions and events);
  • Completeness (no material financial information has been omitted);
  • Rights and obligations (all material rights and obligations with respect to assets, liabilities and equity accounts have been disclosed);
  • Valuation or allocation (the numbers reported on the financial statements are materially correct);
  • Presentation and disclosure (the format, organization and classification of accounts on the financial statements and disclosures in the accounts, footnotes and accounting policies conform to generally accepted accounting principles).


• Audit of financial controls – examining two aspects of financial internal controls:

1. controls over financial resources; and
2. controls over the accounting for financial resources.

• Internal auditors are concerned with the accountability of the assets. At all times someone should be responsible for them and there should be periodic checks of the existence and condition of those assets. Protection is needed against risks such as fire, flood and other natural disasters.

• Financial audits are normally conducted by external auditors; however, they are also part of the internal audit universe. Coordination with the external auditor is preferably made in these audits to minimize duplicate efforts and ensure optimum audit coverage using the organization's scarce resources.

• 2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. This should include:

  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations.
  • Safeguarding of assets.
  • Compliance with laws, regulations, and contracts.


• The CAE's core role is to ensure that the audit committee receives needed support and assurance services. A prime objective of the audit committee is to oversee financial reporting. Thus, the IAA is usually requested to form an opinion on the adequacy and effectiveness of internal control over financial reporting and the reliability of financial reports.

• The external auditor would most likely detect an unreported disposal of a fixed asset due to the audit objective.

• Internal auditors are often requested to coordinate their work with that of the external auditors.

  • For example, external auditors would keep the work of attesting to the fairness of presentation of cash position in the balance sheet.

  • Shared audit work between these auditors would be evaluating the system of controls over cash collections and similar transactions, evaluating the adequacy of the organization's overall system of internal controls, and reviewing the system established to ensure compliance with policies and procedures that could have a significant impact on operations.


• Operational audit

• An operational audit is technically a nonfinancial audit. The scope of the operational audit exceeds that of a financial statement audit.

• Operational audit – examining and evaluating systems of internal control, overall company operations and the quality of performance in carrying out assigned responsibilities. In order to assess these items, a company must have a standard level of behavior or output, or something that is to be achieved. Auditors will then compare the results of the operations with these standards. The focus of an operational audit is on the three Es – efficiency, effectiveness and economy.

  • The main techniques for the auditor in an operational audit are financial analysis, the observation of departmental activities and questionnaire interviews of employees.

  • In addition, as part of an operational audit, the internal auditor will make recommendations about how to improve the process or operation.

• The operational audit is a tool for regularly and systematically appraising the effectiveness of the firm against corporate and industry standards and applicable laws and regulations. The objectives are to ensure the board of directors and senior management that the firm's goals and objectives are being carried out and to identify conditions that can be improved.


• In an operational audit, the auditor has the responsibility of discovering operating problems, informing the board of directors and management of the problems, and recommending realistic courses of action for resolving the problems. Internal auditors will evaluate the adequacy and effectiveness of the controls that are in place in relation to operating information, as well as financial records and information, which is the focus of the financial statement audit.

  • Though external auditors are concerned with operations as they affect the financial audit, the internal auditors are going to be more involved in this and will also look at those areas that do not affect the financial statements themselves. This will include controls related to policies, procedures and decision-making.

• An operational audit is thus a thorough examination of a department, division, function, etc. Its purpose is to appraise managerial organization, performance, and techniques.

  • It attempts to determine the extent to which organizational objectives have been achieved.

  • It is a control technique that provides management with a method for evaluating the effectiveness of operating procedures and internal controls.

  • The report resulting from an operational audit consists primarily of specifying where problems exist or emphasizing the absence of problems.

  • The internal auditor compares a department’s operations with company policies and procedures, industry averages, and departmental trends.


• Compliance audit – determining to what degree an organization is operating in an orderly way, effectively and visibly conforming to certain specific requirements of its policies, procedures, standards, or laws and governmental regulations. Compliance auditing is more objective than other internal auditing applications. To perform a compliance audit, the auditor must know exactly what policies, procedures, standards, etc., are required.

• In a compliance audit, the internal auditor is not interested only in the compliance or lack of compliance, but in case of noncompliance, he will also determine the cause of the noncompliance, the cost of the noncompliance and what needs to be done in order to be in compliance.

• The causes of noncompliance may be faulty procedures, changes in the conditions related to the regulation, or perhaps simply mistakes and lack of review or supervision.

• Compliance audits can be initiated by management or may be required by law or regulation.

A strong commitment by management to comply is a positive factor in reducing the risk of noncompliance.

Other Types of Audits

• Performance audit
• Fraud audit
• Control Self Assessment
• Environmental Audits
• Quality audit

• Performance audit – evaluating efficiency and effectiveness. These audits require that performance criteria be established as goals against which performance can be evaluated.

• This is another way in which the work of the internal auditor is different from the work of the external auditor. The internal auditor is concerned with the way and manner in which assets are used, and not only the result of the usage. The auditor should review the standards and be sure that they are being met. In cases where they are not being met, the internal auditor needs to report the inefficiency so that it may be corrected.

• Fraud audit. Fraud audits are performed for the purpose of discovering the presence, scope and means of either misappropriation of assets or fraudulent reporting. The objective of a fraud audit is to uncover what has been intentionally covered up, and thus a fraud audit is more detailed than other types of audits.

• If wrongdoing is suspected as a result of a routine internal audit and if management decides to perform a fraud audit in response, several departments, such as a fraud investigation or security department, may be involved in the audit along with the internal auditor. The internal auditor will work with them as part of a team.

• Additionally, external auditors or other parties outside the organization may be called in to assist, and the internal auditor will work cooperatively with them, as well.

• Control Self-Assessment (CSA), or Control/Risk Self-Assessment, is the examination and assessment process of the system of internal control.

• Traditional auditing techniques address hard controls (e.g., authorization, accurate and timely recording of transactions, limit controls, segregation of duties). They do not address the soft controls.

• CSA techniques address the soft controls (e.g., risk assessment, the achievement of business objectives and goals, and the attitude of people toward control) as well as the hard controls.

• Traditional auditing techniques create an atmosphere of hostility and mistrust and an attitude of "us against them."

• CSA techniques create an atmosphere of partnership and an attitude of "us against us."

• CSA is not suitable for situations such as finding fraud, compliance reviews (e.g., regulatory audits), or when participants have conflicting objectives, as in third-party contracts.

• CSA is a collaboration between managers and internal auditors to evaluate control. Programs vary but share key features. A formal, documented process allows those directly involved to participate in
1. identifying risks and exposures,
2. assessing relevant controls,
3. developing plans, and
4. estimating the probability of achieving objectives.

• Outcomes of CSA may include
1. training in assessment of the entity's objectives-risks-controls infrastructure,
2. recognition of "soft" controls,
3. willingness of work teams to take "ownership" of control,
4. greater monitoring and improvement,
5. greater internal auditor knowledge of CSA,
6. better internal auditor allocation of scarce resources to audits of control, and
7. reinforcement of management's responsibility for control.

• Environmental Audits

• Compliance audit is a site-specific, detailed audit of on-going operations, past practices, and/or planned future operations to test for compliance with environmental laws.

• Environmental management system audit ascertains that the systems are operating properly to curtail any future environmental risk.

• Transactional audit is an audit to assess the potential risk/liability of a real property as a result of environmental contamination. (Also referred to as Acquisition and Divestiture Audits, Property Transfer Site Assessments, Property Transfer Evaluations, and/or Due Diligence Audits.)

• Pollution prevention audit refers to the elimination of the pollution at source.

• Environmental liability accrual audit is the process of recognizing, quantifying, and reporting liability accruals for environmental issues.

• Product audit is the audit of a product to ensure that it is in compliance with current environmental requirements.

• Due diligence audit engagements refer to very limited and specific audits of specific areas of third parties that the organization has an interest in.

• For example, a bank granting a loan to an organization in return for a pledge over its inventories or accounts receivable may perform a due diligence audit to ensure their existence and valuation.

• Due diligence audit assignments are also performed to assist in management decision making when joint ventures, mergers, or other similar transactions are involved.

• These audits are the minimum managerial requirements to ensure that all applicable laws and regulations are met and that risks and exposures are minimized.

• For example, due diligence audits are a risk management tool for banks, land buyers, and lending agencies when a buyer is purchasing land or accepting it as a gift. Here the buyer wants to minimize the potential legal liability resulting from the land acquisition.

• Due diligence audits are a team-based effort with internal auditors, external auditors, lawyers, engineers, IT staff, and other specialists.

• Quality audit engagements refer to audits of a function or unit in the internal audit universe to ensure it is meeting defined quality standards.

• If there are no defined standards, the auditor should coordinate with management and the related department to establish such standards.

• In organizations where a quality assurance department and/or quality team performs regular audits, the internal auditor could coordinate with such department. Further, the department itself would be part of the internal audit universe.

Internal Audit Assistance Provided to Management

• To assist management, the internal audit function provides analyses, appraisals, recommendations, counsel, and information concerning activities reviewed.

• Operating management

• Operating management, such as department heads or supervisors, is accountable for the effectiveness and efficiency of operations. Audit reports aid operating management in this regard by identifying areas needing improvement and stimulating action in the appropriate direction. In addition, the results of an internal audit may provide objective support to the operations manager for issues that will require the support of upper management to address and improve. Due to the nature of the auditing process, the auditor may bring to the production manager's attention activities or practices of which he or she has not yet become aware. Expectations of the internal audit, as well as lessons learned from previous internal audits, may ultimately serve to promote more disciplined operations.

• Board of directors and senior management

• Audit reports serve to identify for the board of directors and senior management the changing level and types of risks that management needs to address. An internal audit report can provide senior management with details about operations as well as controls that are not included in other reports. This may be due to the nature or scope of the audit or the independence and objectivity of the internal auditor.

• Internal Audit Reports

• Communications by internal auditors to management may be formal or informal, oral or written, as is appropriate.

• Pronouncements of The Institute of Internal Auditors require communications to include the purpose, scope, and results of the engagement and, if appropriate, an opinion.

Auditor Follow-Up

• IIA Standards require that internal auditors follow up on the actions taken by the company regarding any deficiencies found.

• The auditor should determine that either corrective action has been taken, or management has assumed the risk of not taking corrective action.

• In following up, the auditor should receive all of the responses from the auditees to the audit, evaluate if those replies are adequate and then be certain that actions are actually taken to correct the problems.

• In order to ensure that the actions have been taken, the auditor may need to do additional testing after the correction has been put into place.

• The auditor is the best person to carry out this necessary step because he is more familiar with the situation and the potential risks. He should also be more impartial or objective than the manager who has to make the changes.


End


IMA Q

3. An operational audit
a. determines whether the overall financial statements fairly represent the firm's operations and financial condition.
b. appraises the effectiveness of the business against corporate and industry standards.
c. verifies that capital assets are accurately tracked.
d. verifies that the company is following all applicable laws and regulations.

4. Which of the following are objectives of internal controls?
I. Reliability of financial reports
II. Guarantees against fraud
III. Effectiveness of operations
IV. Efficiency of operations
V. Compliance with applicable laws and regulations
a. I, III, IV, and V only
b. I, III, and V only
c. I, II, III, IV, and V
d. I, II, and IV only

6. Which of the following has the most effect on the control environment?
a. Whether controls are changed on a regular basis
b. Size of the company
c. Management philosophy and operating style
d. Organizational structure

7. Which of the following is true regarding the board of directors?
a. The board of directors must act in the best interest of the shareholders.
b. The board of directors must establish an audit committee to oversee all internal controls.
c. The board of directors must act in the best interest of management.
d. The board of directors must act in the best interest of the employees.

14. Which of the following incidents should the auditor report to management or the board of directors?
a. Several employees have been observed coming in late or leaving early.
b. Control procedures require that the same person not enter and ship a transaction, but both have been observed being done by the same person.
c. An error of $0.05 was found in the data entry of one transaction.
d. Compensation for the customer service manager is higher than for the internal auditor.

15. Which of the following are required under the Foreign Corrupt Practices Act?
I. A firm must design internal control procedures.
II. A firm must have an internal audit department.
III. Transactions must be executed with management's authorization.
IV. Access to assets must be authorized.
a. I and III only
b. I, III, and IV only
c. I, II, III, and IV

16. Which of the following might an internal auditor provide as a result of an audit?
I. Appraisal of performance
II. Recommendations for changes
III. Advice to management on improving controls
IV. Recommendations to management on changes to their compensation.
a. I and II only
b. III and IV only
c. I, II, III, and IV
d. I, II, and III only

18. Which of the following is a reason for independent checks?
a. To ensure that management appears compliant with external audit standards
b. To ensure that mistakes can be corrected within the fiscal year they are made
c. To assess an employee and determine whether he or she is following control procedures
d. To detect and correct errors and misappropriation of assets

21. Which of the following statements is true?
a. Control procedures can completely make up for careless employees.
b. Higher-paid employees tend to follow control procedures more carefully and consistently.
c. Control procedures are ineffective if employees are not all highly educated and trained.
d. Hiring, promoting, and training competent personnel are integral to an efficient control environment.

23. A compliance audit verifies
a. whether internal control policies and procedures are adequate for safeguarding assets.
b. that the company is following all applicable laws and regulations.
c. that transactions are accurately recorded and financial information is fairly reported.
d. whether employees are wearing appropriate attire.

24. Which of the following could a compliance audit verify?
I. Compliance with GAAP
II. Compliance with employment laws
III. Compliance with OSHA laws
IV. Compliance with tax laws
a. II, III, and IV only
b. I and II only
c. I, II, III, and IV

25. Which of the following is not a function of an internal auditor?
a. Verifying that management compensation is reasonable
b. Verifying that laws and regulations are followed
c. Verifying that the computer system controls are effective
d. Verifying that transactions are correctly recorded

27. Which of the following are within the scope of work for the internal auditor?
I. Review reliability and integrity of financial and operating information.
II. Review established controls to ensure compliance with policies, procedures, regulations, contracts, and laws.
III. Review methods for safeguarding assets.
IV. Appraise the efficiency with which resources are employed.
V. Review operations to ascertain whether results are consistent with the firm's goals.
a. I, II, III, IV, and V
b. I, II, III, and IV only
c. I, II, IV, and V only
d. I, II, and IV only

31. Which of the following statements is false?
a. Internal controls can be most effective if they are supported by word and example of management.
b. The auditor will examine internal controls to determine control risk.
c. Thorough and well documented internal controls can guarantee that fraud cannot be committed.
d. Thorough and well-documented internal controls can result in fewer misstatements of information.

32. Which of the following is NOT an internal control?
a. Pre-numbered forms
b. Requirements for accurate recording of vacations
c. Required dress code
d. Employee pay records

33. Which of the following is true of control risk?
a. Control risk is an assessment of the likelihood that misstatements exceeding an acceptable level will not be detected by an internal audit.
b. Control risk is measured in combination with safeguarding risk to determine overall risk.
c. Control risk is dependent on detection risk.
d. Control risk is an assessment of the likelihood that misstatements exceeding an acceptable level will not be detected or prevented by internal controls.

35. Inherent risk is the risk
a. that measures the effectiveness of a firm's internal controls.
b. that internal controls will not be followed.
c. that the business will naturally experience, regardless of internal controls.
d. that an internal audit will not uncover incidents where controls have not been followed.

36. Which of the following is an example of segregation of duties?
a. The president of a small company is able to access payroll records and adjust entries.
b. The shipping manager can access the order-entry computer software and enter an order.
c. A clerk in the order department does not have access to the products and therefore cannot ship products to customers.
d. The person who takes the order from a customer enters the order into the system and supervises the shipment of the product.

37. The internal audit function is
a. required by the Foreign Corrupt Practices Act.
b. a part of the accounting department and reports directly to the operations manager.
c. independent of operations and responsible for reviewing the reliability and integrity of financial and operating information.
d. responsible for ensuring that all information on financial statements is accurate and true.

39. Detection risk is the risk
a. that an internal audit will not uncover incidents where controls have not been followed.
b. that internal controls will not be followed.
c. that measures the effectiveness of a firm's internal controls.
d. that the business will naturally experience, regardless of internal controls.


IMA A

The correct answer is: appraises the effectiveness of the business against corporate and industry standards.
The operational audit is technically a non-financial audit. The purpose of an operational audit is to evaluate the organization and efficiency of the firm or one of its subdivisions. Operational audits are designed to examine and evaluate systems of internal control and overall company operations.

The correct answer is: I, III, IV, and V only
Internal controls cannot guarantee that fraud will not be perpetrated.

The correct answer is: Management philosophy and operating style
Management's philosophy and operating style send signals to employees about the importance of establishing and following internal controls. The size of the company, the frequency with which controls are changed, and the organizational structure by themselves do not impact the control environment as much as management's philosophy.

The correct answer is: The board of directors must act in the best interest of the shareholders.
The board of directors' primary responsibility is to act in the best interest of the shareholders. It is not required to establish an audit committee.

The correct answer is: Control procedures require that the same person not enter and ship a transaction, but both have been observed being done by the same person.
The auditor must report findings that include inadequate control procedures, lack of adherence to control procedures, inefficient allocation of resources, etc. The auditor is not responsible for reporting on personnel behavior that does not affect accuracy of data reporting or safeguarding of assets, and the auditor has no concern with levels of employee compensation.

The correct answer is: I, III, and IV only
The Foreign Corrupt Practices Act (FCPA) does not require a firm to have an internal audit department.

The correct answer is: I, II, and III only
The internal audit function reports primarily to the board of directors but also provides analyses, appraisals, recommendations, counsel, and information concerning activities reviewed to assist management. The audit report does not deal with levels of employee compensation.

The correct answer is: To detect and correct errors and misappropriation of assets
Independent checks are a preventive measure. They try to catch mistakes before they become integrated into the financial system, thus providing a higher level of assurance of financial integrity.

The correct answer is: Hiring, promoting, and training competent personnel are integral to an efficient control environment.
Hiring, promoting, and training competent personnel are integral to an efficient control environment. However, control procedures will not be ineffective without this, and adherence to control procedures does not necessarily follow with higher levels of education or pay.

The correct answer is: that the company is following all applicable laws and regulations.
The compliance audit verifies that the company has complied with all applicable laws and regulations.

The correct answer is: I, II, III, and IV
The auditor could verify compliance with any law or regulation.

The correct answer is: Verifying that management compensation is reasonable
The auditor is not responsible for judging the reasonableness of executive compensation, only for verifying that it is recorded and reported accurately.

Page 126: Sameh El lithy, CMA, CIA - مصطفى الطواشي · PDF file1 Internal Controls (15% -Level A) Part 1 Financial Planning, Performance and Control ©Sameh El lithy, CMA, CIA. U.9&10.CMA,

126

�The correct answer is: I, II, III, IV, and VAll of these items are within the scope of the internal auditor's job.


The correct answer is: Thorough and well documented internal controls can guarantee that fraud cannot be committed. Internal controls are not a guarantee against fraud.


The correct answer is: Required dress code. All of the choices except required dress code are internal controls.


The correct answer is: Control risk is an assessment of the likelihood that misstatements exceeding an acceptable level will not be detected or prevented by internal controls. Control risk is an assessment of the effectiveness of a firm's internal controls in preventing or detecting misstatements.


The correct answer is: that the business will naturally experience, regardless of internal controls. Inherent risk is the normal risk of the business, such as the risk of droughts for farmers or the risk of a recession.


The correct answer is: A clerk in the order department does not have access to the products and therefore cannot ship products to customers. One of the purposes of segregation of duties is to safeguard assets. If the same person can enter an order and then ship it, he or she may be able to steal product by shipping to him or herself or an accomplice.


The correct answer is: independent of operations and responsible for reviewing the reliability and integrity of financial and operating information. The internal auditing department should remain independent of company operations, so that it can remain objective. The internal auditor cannot assure that all information is accurate. The Foreign Corrupt Practices Act (FCPA) does not require a firm to have an internal audit department.


The correct answer is: that an internal audit will not uncover incidents where controls have not been followed. Detection risk can also be planned detection risk and is a measure of the risk that audit evidence will fail to detect misstatements exceeding an acceptable audit risk.
