Internal Controls: Purpose, Responsibilities & Audit
42 Questions

Questions and Answers

Which of the following best describes the primary purpose of internal controls?

  • To provide absolute assurance that all business risks are eliminated.
  • To guarantee the complete accuracy of financial statements.
  • To detect all instances of fraud perpetrated by management.
  • To provide reasonable assurance regarding the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. (correct)

According to the SEC Chief Accountant Wesley Bricker, what is the main consequence of unaddressed internal control deficiencies?

  • No impact on financial reporting.
  • A potential weakening in the quality of financial reporting. (correct)
  • An improvement in the quality of financial reporting.
  • An increase in operational efficiency.

An entity's internal control is considered a 'process'. Which of the following statements best explains this?

  • Internal control is static and does not require updates.
  • Internal controls must be documented in a procedures manual.
  • Internal control is a series of ongoing actions that occur throughout an entity's operations. (correct)
  • Internal control is a one-time action implemented by management.

Which parties within an entity are responsible for effecting internal control?

  • The board of directors, management, and other personnel. (C)

A company's objective is to improve its operational efficiency. Which type of internal control objective does this fall under?

  • Effectiveness and efficiency of operations. (C)

When auditing a public company, what is the auditor's responsibility regarding internal control over financial reporting (ICFR)?

  • To audit and issue an opinion about the effectiveness of the ICFR. (C)

Management has specific responsibilities relating to internal controls. Which of the following best describes those responsibilities?

  • Establishing and maintaining adequate internal control over financial reporting and assessing its effectiveness. (B)

According to auditing standards, what must auditors do regarding fraud risks during an audit?

  • Evaluate whether controls are in place to mitigate the fraud risks. (D)

How does an auditor's assessment of control risk impact the audit procedures performed?

  • It determines the nature, timing, and extent of substantive procedures. (C)

What was the primary goal of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)?

  • To improve financial reporting through internal control and ethics. (C)

Which of the following is NOT one of the five components of internal control according to the COSO framework?

  • Compliance with Laws and Regulations (C)

An audit team encounters significant limitations in the scope of their assessment of internal controls. Which type of opinion is most appropriate in this scenario?

  • Disclaimer of opinion (C)

How many principles are associated with the five components of internal control in the COSO's 2013 integrated framework?

  • 17 (D)

An auditor identifies a significant deficiency in a company's internal controls. What is the auditor's responsibility?

  • To communicate the deficiency to management and those charged with governance. (C)

Which report is issued when one or more material weaknesses are found?

  • Adverse opinion (A)

What is the implication of an unqualified opinion on internal control over financial reporting?

  • No material weaknesses were found. (D)

In the context of reporting on internal controls, what are the available options for auditors?

  • Either a combined report or two separate reports. (D)

If an auditor chooses to issue two separate reports, what characteristics would each report possess?

  • Each report would be separately titled, dated, and signed. (B)

Which of the following best describes the primary role of the control environment within an organization?

  • To establish the ethical tone and culture influencing the control consciousness of its people. (A)

An auditor discovers a weakness in the control environment. What is the MOST likely impact on the audit?

  • The auditor will increase the scope of substantive testing to reduce detection risk. (D)

Which of the following is a primary responsibility of the audit committee?

  • Overseeing the appointment, compensation, and work of the external auditor. (B)

An audit committee member is considered a 'financial expert' if they possess which combination of attributes?

  • Understanding of GAAP, experience preparing or auditing financial statements, and knowledge of internal controls. (D)

Management identifies a new risk related to a significant accounting estimate. According to the principles of risk assessment, what should management do FIRST?

  • Analyze the potential likelihood and impact of the risk. (D)

Which scenario exemplifies a detective control?

  • Performing regular bank reconciliations. (C)

To promote effective internal control, which of the following duties should ideally be segregated?

  • Authorizing transactions and maintaining custody of assets. (B)

A company implements a policy requiring all employees to take a mandatory one-week vacation each year. Which internal control component does this primarily address?

  • Control Activities (D)

Which scenario exemplifies a limitation of internal control due to 'management override'?

  • Senior executives intentionally misrepresent financial results to secure personal bonuses. (A)

Which of the following best describes the concept of 'reasonable assurance' in the context of internal controls?

  • Ensuring that the cost of internal controls does not exceed the expected benefits they provide. (D)

During Phase 1 of an internal control evaluation, what is the primary objective when understanding the client's internal control?

  • Gaining a thorough understanding of the design and implementation of internal controls. (B)

Which approach is recommended for auditors to understand a client's internal control system effectively?

  • Top-down, risk-based approach, beginning with significant accounts and assertions. (B)

What is the main goal when performing a 'walkthrough' in the context of understanding transaction-level controls?

  • To assess the design effectiveness of controls by tracing transactions from origination to completion. (C)

When documenting the understanding of internal control, what is considered the most common method used by audit teams?

  • Preparing a narrative description of the system. (D)

Which of the following is an example of collusion that can undermine internal controls?

  • Two employees working together to override segregation of duties for personal gain. (C)

In the context of internal controls, which of the following represents an entity-level control?

  • Management's review of the company's performance against budget. (C)

Which combination of responsibilities within the revenue cycle would present the highest risk of misstatement due to fraud?

  • Authorizing sales transactions and maintaining custody of the related assets. (C)

An auditor discovers that the same employee is responsible for both authorizing sales transactions and updating customer account balances. What is the auditor's most appropriate course of action?

  • Increase substantive testing of both sales transactions and accounts receivable. (C)

A company's internal audit department performs regular evaluations of its sales transaction controls. Which monitoring activity would provide the most persuasive evidence of effective control operation?

  • Reconciling a sample of sales invoices to shipping documents and customer orders. (C)

Which of the following is not a primary principle related to information and communication within an effective internal control system?

  • Using only electronic documents to maintain a complete audit trail. (D)

Which of the following scenarios represents the greatest deficiency in a company's monitoring activities?

  • Internal audit periodically tests the effectiveness of controls, but findings are not reported to senior management. (B)

A company's IT system automatically posts sales transactions to the general ledger. As part of understanding the information system, what aspect should the auditor focus on most to ensure the reliability of financial reporting?

  • The controls over data input, processing, and output within the IT system. (C)

A company implements a new Enterprise Resource Planning (ERP) system. Which control activity is most important to ensure the integrity of sales data during the migration process?

  • Performing a parallel run, comparing data between the old and new systems. (C)

What is the purpose of segregating the duties of authorizing transactions, recording transactions, and maintaining custody of assets?

  • To prevent employees from having incompatible responsibilities that could allow them to conceal fraud. (A)

Flashcards

Internal Control

A process designed to provide reasonable assurance regarding the achievement of objectives in reliability of financial reporting, effectiveness/efficiency of operations, and compliance with laws/regulations.

Reliability of Financial Reporting

One of the objectives of internal control, ensuring that financial statements are accurate and reliable.

Effectiveness and Efficiency of Operations

An objective of internal control focused on how well a company uses its resources.

Compliance with Applicable Laws and Regulations

An objective of internal control concerning adherence to rules and regulations.

Adequate Internal Controls

Necessary to detect and prevent material errors or fraud in financial reporting.

Control Environment

Sets the 'tone at the top' influencing control consciousness. It's the foundation for all other components.

Audit Committee

A subcommittee of the board providing a buffer between the audit team and management.

Audit Committee Duties

Appoint auditors, resolve disagreements, oversee internal audit, approve non-audit services, oversee fraud hotline, engage legal counsel.

Risk Assessment

Management's process to identify, analyze, and manage risks to achieving objectives.

Control Activities

Policies and procedures ensuring management directives are carried out.

Types of Control Activities

Physical, Separation of duties, Information Processing, Management Review

Preventive Controls

Prevent errors or fraud before they occur.

Detective Controls

Detect errors or fraud after they have occurred.

Management's Responsibility

Management is responsible for establishing and maintaining adequate internal control over financial reporting, as well as assessing and reporting on its effectiveness.

Auditors' ICFR Responsibility

Auditors must audit and give an opinion on the effectiveness of internal control over financial reporting (ICFR) for public companies. They must also evaluate controls for fraud risks and assess control risk.

Audit Procedures

The nature, timing, and extent of substantive audit procedures are determined based on the assessed control risk.

What is COSO?

COSO is a group of professional organizations that aims to improve financial reporting.

Five COSO Components

Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.

What is the Control Environment?

The overall attitude, awareness, and actions of management and those charged with governance concerning internal control and its importance in the entity.

What is Risk Assessment?

The entity's process for identifying and responding to business risks and the results thereof.

What are Control Activities?

The policies and procedures that help ensure management directives are carried out.

Unqualified Opinion (IC)

No material weaknesses found in internal control.

Disclaimer of Opinion (IC)

The audit team can't complete all necessary procedures.

Adverse Opinion (IC)

One or more material weaknesses were found.

Separate Reports (IC)

Auditors can issue a separate report for financial statements and internal control, each titled, dated, and signed.

Combined Report (IC)

Auditors can express one opinion on the financial statements and another on internal control effectiveness in a single document.

Incompatible Responsibilities

Responsibilities that, if combined, allow one person to both commit and conceal errors or fraud.

Separation of Duties

Separating authorization, recording, custody, and reconciliation duties to prevent fraud and errors.

Audit Trail

A record that allows auditors to trace financial data from source documents to financial reports and vice versa.

Quality Information

Ensures information is relevant, reliable, and timely for internal control.

Internal Communication

Communicating necessary information to support the functioning of internal control.

External Communication

Communicating with external parties regarding matters affecting the functioning of internal control.

Ongoing and Separate Evaluations

Evaluating internal control performance on an ongoing or periodic basis.

Reporting Deficiencies

Communicating discovered internal control deficiencies in a timely manner.

Internal Control Limitations

Limitations exist due to human errors, collusion, management override, and cost-benefit considerations.

Cost/Benefit Analysis

Balancing the cost of a control with the expected benefits.

Internal Control Evaluation Phases

Gaining familiarity with the client's controls, assessing risk, and performing tests.

Phase 1: Understand and Document

Understanding, documenting, assessing control risk, and testing controls.

Entity-Level Controls

Controls applicable to the whole organization and financial statements.

Transaction-Level Controls

Controls related to particular types of transactions, balances, and disclosures.

Walkthrough

Following a transaction from start to finish to confirm understanding and design effectiveness.

Documenting Internal Control

Narratives, questionnaires, and flowcharts.

Study Notes

Internal Control

  • A process effected by an entity's board, management, and personnel.
  • The goal is providing assurance about achieving objectives in three categories.
  • These categories include financial reporting reliability, operational effectiveness/efficiency, and compliance with laws/regulations.

Responsibilities for Internal Control

  • Management is responsible for establishing and maintaining internal control over financial reporting.
  • It must assess and report on the effectiveness of internal control over financial reporting.
  • Auditors must audit and provide an opinion about the effectiveness of internal control over financial reporting (ICFR) for public companies.
  • They must also evaluate if controls are in place to mitigate fraud risks, and must assess control risk.
  • Control risk helps determine nature, timing, and extent of substantive audit procedures.

Relationship Between Internal Control Reliance and Audit Procedures

  • Less reliance on internal control (higher control risk) means more effective tests, testing at year-end, and higher sample size.
  • More reliance on IC (lower control risk) allows less effective tests, interim testing, and lower sample size.

Committee of Sponsoring Organizations (COSO)

  • COSO originated from the National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission.
  • The organization looks to improve financial reporting.
  • COSO member representatives include Financial Executives Institute (FEI), American Accounting Association (AAA), Institute of Internal Auditors (IIA).
  • Other member representatives include Institute of Management Accountants (IMA), and American Institute of Certified Public Accountants (AICPA).
  • The COSO website is www.coso.org.

Internal Control Components - COSO

  • The framework features five components.
  • Identifies aspects like control environment (5 principles), risk assessment (4 principles), and control activities (3 principles).
  • Also included are information and communication (2 principles), and monitoring (3 principles).
  • This results in 17 principles associated with the components that affect internal control.

Control Environment

  • Sets "tone at the top" and influences control consciousness.
  • It acts as the foundation for all other components.
  • Auditors need to obtain a detailed understanding and document it.

Principles of Control Environment - according to COSO Framework:

  • Commitment to integrity and ethical values.
  • Board demonstrates independence from management.
  • Management establishes structure and appropriate authorities in pursuit of objectives.
  • Commitment to competent individuals.
  • Individuals held accountable for their internal control responsibilities.

Audit Committee

  • A subcommittee of the board of directors with 3-6 members.
  • Acts as a buffer between the audit team and operating management.
  • All members must be financially literate.
  • At least one member must be a financial expert.

Audit Committee Duties

  • Appoints, compensates, and oversees the public accounting firm for entity's audit.
  • Resolves disagreements between management and audit team.
  • Oversees the entity's internal audit function.
  • Approves any nonaudit services provided by the public accounting firm.
  • Oversees the anonymous fraud hotline.
  • Has authority to engage legal counsel in the event of management fraud.

Risk Assessment

  • Management identifies, analyzes, and manages relevant risks to achieve its objectives.
  • It also sets objectives and identifies success factors.
  • Auditors focus on risk of material misstatement, especially due to fraud.

Principles of Risk Assessment - according to COSO Framework:

  • Organization identifies and assesses changes that could significantly impact the internal control system.
  • Organization considers the potential for fraud, with clear objectives to manage risks.

Control Activities

  • Policies and procedures help ensure management directives are carried out, through physical controls to secure assets, separation of duties, and information processing.
  • Information processing includes approvals, authorizations, verifications, and reconciliations.
  • Management review controls are also used.
  • Includes preventative vs. detective controls.

Principles of Control Activities - according to COSO Framework:

  • The organization deploys control activities through policies establishing expectations and procedures.
  • The organization selects and develops control activities contributing to risk mitigation, and general control activities, using technology.

Separation of Duties

  • Functions should be performed by different people/departments.
  • Four types are: authorization, recording, custody, and reconciliation.
  • Incompatible responsibilities are combinations of responsibilities creating opportunity to create/conceal misstatements.
  • Separating duties makes fraud more difficult, requiring collusion.

Information and Communication

  • Auditors must understand the data systems used in areas related to financial reporting.
  • Auditors can never fully rely on data provided until it has been investigated.
  • Information systems create an "audit trail" of activities.

Principles of Information and Communication - according to COSO Framework:

  • Organization uses relevant, quality information to support effective control.
  • Organization internally communicates control responsibilities and objectives, while communicating with external parties about effective control.

Monitoring

  • A well functioning monitoring system is characterized by these philosophies: ongoing/separate evaluations and reporting deficiencies.
  • Management evaluates the controls, including periodic evaluation by internal auditing, supervisory reviews of controls, and follow-up on customer complaints.

Principles of Monitoring Activities - according to COSO Framework:

  • Organization selects, develops, and performs reviews to ascertain if control components function.
  • Organization communicates control deficiencies to those responsible for action, senior management and the board alike.

Limitations of Internal Control

  • Human error, collusion, and management override.
  • Cost/benefit analysis.
  • Trade off between cost and effectiveness.
  • The concept of reasonable assurance recognizes that the cost of IC should not outweigh related benefits.

Internal Control Evaluation Phases:

  • Phase 1: Understand and document client's internal control.
  • Phase 2: Assess control risk (preliminary).
  • Phase 3: Identify controls to test and perform tests of controls.

Phase 1:

  • Obtain understanding and document it.
  • Documentation can be performed top-down.
  • The top-down manner includes:
    • Identify accounts that are significant, and their related assertions.
    • Determine significance using inherent risk.

Identifying Entity-Level Controls

  • Pervasive to internal control system and reliability of the financial statements.

Identifying Transaction-Level Controls

  • Relate to specific classes of transactions, account balances, and disclosures.
  • Auditors obtain an understanding through walkthroughs, to determine design effectiveness.

Document Internal Control Understanding

  • The audit team must be able to document its understanding of an internal control system.
  • Documentation includes a narrative description (common), questionnaires, or flowcharts.

Key Decision: Deciding Whether to Test Controls

  • Where controls are too ineffective at prevention, auditors test substantive evidence instead.
  • For non-issuers, it may take more time to test the controls.

Phase 2: Assess the Control Risk (Preliminary)

  • Identify internal control activities designed to support financial reporting.
  • Consider cost effectiveness of reliance/testing.
  • Determine if controls are preventative/detective, automated/manual, and how often the control is performed.
  • This phase is often combined with Phase 1.

Phase 3: Identify Controls to Test and Perform Test of Controls

  • Two common approaches are by nature
    • test items from population: Automated R/R analysis for amount owed with credit limit
    • testing sample: audit sampling

Tests of Controls

  • Testing specific controls will reduce substantive testing.
  • A hierarchy of tests exists, with least persuasive being inquiry, and most, reperformance.
  • These tests are followed by Observation of control and review and the test directions do matter.

Evaluating ICFR Effectiveness - phases of engagement

  • Planning, Using a top-down approach, Testing controls, Evaluating deficiencies, Wrapping up and Reporting on internal control

Step 1: Planning the Engagement

  • Significant accounts, locations, and assertions must be identified.
  • Inherent risk should be used to determine nature, timing, and extent of tests.
  • All relevant assertions should be present when evaluating controls.

Step 2: Using a Top-Down Approach

  • Integrates integrity from the financial process.
  • Identifies entity-level controls that are highly impactful.
  • Significant accounts and disclosures should be identified as well as their relevant assertions; a perform assessment is required to maintain.

Step 3: Testing Controls

  • Auditors test and decide controls.
  • Tests of operating effectiveness include inquiry, observation, inspection, etc.
  • If design isn't effective, testing is skipped.

Step 4: Evaluating Identified Deficiencies

  • A deficiency exists when a control design or operation cannot prevent misstatements.
  • Two main groups:
    • Material weaknesses
    • Significant deficiencies

Evaluating Identified - Material Weaknesses

  • A deficiency, or combination of deficiencies, resulting in a reasonable possibility that a misstatement would not be prevented/detected on time.
  • Indicators of possible material weakness: restatement of issued statements, evidence of misstatements, ineffective oversight, and indication of fraud.

Step 5: Wrapping Up

  • Can issue 3 opinions after audit:
    • Unqualified: No weaknesses
    • Disclaimer: team cannot perform
    • Adverse: weaknesses are detected

Step 6: Reporting on Internal Control

  • Reporting has 2 separate report options
  • Report details overall, and then details fairness of financial statements, and internal controls.
  • Or, auditors may include reports of fairness, as well as of internal controls

Description

Explore the primary purpose, responsibilities, and auditing of internal controls. Understand management's role, auditor's responsibilities regarding fraud risks, and the impact of control risk assessment on audit procedures. Learn about improving operational efficiency through internal controls.
