Understanding Internal Controls

Questions and Answers

Which concept supports the auditor's consideration of internal controls?

  • Auditors should disregard internal controls to maintain audit independence.
  • Internally generated evidence is less reliable, regardless of related controls.
  • Effective internal control increases the chance of errors and fraud.
  • An effective internal control system reduces the possibility of error and fraud. (correct)

What is the primary objective of internal control?

  • To provide reasonable assurance about achieving an entity's objectives. (correct)
  • To ensure the complete accuracy of financial reporting.
  • To guarantee absolute assurance of achieving an entity's objectives.
  • To detect all instances of fraud within an organization.

Which of the following best describes the relationship between an entity's objectives and its internal controls?

  • Internal controls directly dictate what an entity's financial objectives should be.
  • Objectives are independent of the internal controls implemented.
  • There is an inverse relationship: strong controls indicate poor objectives.
  • Internal controls are implemented to assure the achievement of an organization's objectives. (correct)

Which statement regarding the limitations of internal control is most accurate?

  • Internal control provides reasonable assurance due to inherent limitations. (B)

Which scenario represents a limitation of internal control due to human error?

  • Staff consistently apply controls incorrectly due to lack of training. (B)

The risk that procedures may become inadequate due to changes in condition and compliance with procedures may deteriorate falls under what limitation?

  • Procedures may become inadequate (A)

What is the primary purpose of corporate governance?

  • To guide organizations in fulfilling long-term obligations to stakeholders. (D)

In the context of corporate governance, what is the role of the Board of Directors?

  • To exercise corporate powers, conduct business, and control properties. (C)

In the context of corporate governance, what is the role of Risk Owners?

  • To execute daily risk management activities to effectively address business risks. (A)

What is the auditor trying to identify when performing risk assessment procedures?

  • Risks of material misstatement (ROMMs). (C)

Which of the following is NOT a component of an entity's system of internal control (CRIME)?

  • Competitive Analysis (C)

What is the difference between direct and indirect controls?

  • Direct controls address risks of material misstatement at the assertion level, while indirect controls support direct controls. (B)

Which of the following best describes the 'control environment' component of internal control?

  • The overall culture of an organization regarding the importance of control. (B)

Which of the following should an auditor obtain from the set of controls, processes, and structures that address elements of the control environment component?

  • An understanding of the ethics of the organization. (D)

What is the definition of 'business risk' in the context of the entity's risk assessment process?

  • Uncertainties that may hinder an entity from achieving its organizational objectives. (A)

Which of the following is an example of a change or risk that could affect the entity's risk assessment process?

  • A new ERP system (D)

What is the overall goal of the entity's process to monitor the system of internal control?

  • To assess the quality of internal control performance over time. (B)

Which activity is one way monitoring can be accomplished?

  • Ongoing monitoring activities (performed by persons within the same line function). (B)

What is the purpose of testing a control?

  • To evaluate the operating effectiveness of controls in preventing or correcting material misstatements. (D)

When would an auditor perform tests of controls?

  • When the auditor expects the controls are operating effectively or when substantive procedures alone are not enough. (D)

Flashcards

Internal control

Process designed, implemented, and maintained to provide reasonable assurance about achieving an entity's objectives.

Internal Control as a Process

Internal control is a continuous action, and a means to an end, designed to achieve entity objectives.

Personnel's Role in Internal Control

Designed and implemented by an entity's personnel, from management to staff, with each member performing respective roles and responsibilities.

Reasonable Assurance

Internal control cannot guarantee the entity will achieve its objectives due to inherent limitations.

Corporate governance

The system of stewardship and control to guide organizations in fulfilling long-term obligations to stakeholders.

Corporate governance

A system of direction, feedback, and control using regulations, ethical guidelines, ensuring ethical behavior, and reconciling long-term satisfaction.

Entity's Risk Assessment Process

The process for identifying and responding to business risks.

Business risk

Uncertainties that may hinder an entity from achieving its organizational objectives.

Monitoring Internal Controls

The process of assessing internal control quality over time including assessing design and operation of controls, and taking corrective action.

Control activities

Actions described in policies and procedures to mitigate risks and ensure objectives are achieved.

Authorization

Affirms that a transaction is valid, representing an actual economic event within policy.

Reconciliations

Compare two or more data elements, with action taken to resolve differences.

Verifications

Compare two or more items or compare an item with a policy followed by action when items don't match.

Physical controls

Provides safeguards to assets and documents.

Tests of Control

An audit procedure designed to evaluate the operating effectiveness of controls in preventing or correcting material misstatements.

Entity-Wide Controls

Operate across the whole organization and affect processes, accounts, and assertions.

Transaction Controls

Operate at a certain level/department and affect specific processes, accounts, and assertions.

Major Deficiency

If a control objective isn't being met, a principle/component isn't functioning or the components aren't operating together.

Auditor Responses to Assessed Risks

Requires the auditor to determine the overall responses to address the identified and assessed risks of material misstatements.

Testing Substantive

Performed when the auditor assesses that the controls are operating effectively (i.e. the auditor intends to rely on the operating effectiveness of controls).

Study Notes

Introduction to Internal Control

  • Auditors need to understand accounting and internal control to plan effective audits.
  • Internal controls impact the reliability of internally generated evidence.
  • Effective internal control lowers the risk of errors and fraud.
  • Evidence of effective internal controls may lead to less extensive audit work, improving efficiency.
  • Understanding internal control helps to identify potential misstatements, consider risk factors, and design audit procedures.

Internal Control Definition

  • Internal control is a process designed, implemented, and maintained to provide reasonable assurance of achieving an entity's objectives.
  • The components of internal control are:
    • Reliability of financial reporting
    • Effectiveness and efficiency of operations
    • Compliance with laws and regulations
  • "Controls" are any aspect of internal control components.
  • The design, implementation, and maintenance of internal control varies with entity size and complexity.

Characteristics of Internal Control

  • Internal control is a process designed to achieve the entity's objectives.
  • It is designed and implemented by the entity's personnel and each member must perform their duties.
  • Management and those charged with governance establish policies and procedures.
  • Staff comply with policies and procedures.
  • Internal control provides reasonable assurance but has limitations due to cost-benefit considerations and potential for management override.
  • There is also the possibility of collusion, inadequate procedures due to changes, human error, and focus on routine transactions.

Internal Control Objectives

  • Internal control is geared toward the entity's objectives, falling into the categories of reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations.
  • Having the ability to generate reliable financial reports assists the entity in having favorable outcomes for each activity performed.
  • Effective and efficient operations compliant with laws and regulations allows the entity to generate revenues, minimize costs, and avoid penalties, enabling it to achieve its overall objectives as a business.

Corporate Governance

  • Business organizations create a system through which decisions are determined, commonly referred to as "corporate governance" or simply "governance".
  • Corporate governance guides organizations in fulfilling obligations to stakeholders, using regulations, standards, and ethical guidelines.
  • It aims to ensure accountability, ethical behavior, customer satisfaction, and long-term success, creating value for shareholders, stakeholders, and the nation.
  • The governing body exercises corporate powers, management implements policies, and risk owners execute risk management activities.

Code of Corporate Governance

  • The Securities and Exchange Commission approved a Code of Corporate Governance for Publicly-Listed Companies (CCG for PLC).
  • It is intended to raise corporate governance standards of Philippine corporations.
  • Principles are high-level statements, recommendations are objective criteria, and explanations provide additional information.

Identifying and Assessing Risks

  • Risk assessment is an audit procedure that enables the auditor to identify and assess risks of material misstatements (ROMMs) by obtaining an understanding of the entity, the applicable financial reporting framework, and the system of internal control.

Understanding the System of Internal Control

  • The system of internal control is composed of five components: Control Environment, Risk assessment, Monitoring, Information and communication, and Control Activities (CRIME).
  • The components may be categorized as direct or indirect.
  • Direct controls address risks of material misstatement, while indirect controls support direct controls.
  • The control environment, risk assessment process, and monitoring are primarily indirect and support other controls; however, some may still be direct.
  • Controls in the information system and communication, and control activities components are generally direct.

Control Environment

  • The control environment sets the tone by influencing control consciousness.
  • Management's responsibilities include creating and maintaining the entity's culture and demonstrating its commitment to integrity and ethical values.
  • Governance demonstrates independence and oversight. Authority and responsibility are assigned and competent individuals are employed.
  • Individuals are held accountable for the objectives of the system of internal control.
  • Management's commitment to integrity and ethical values is understood through inquiries and external sources.
  • Auditors can look at management's communications, code of conduct, and actions.

Evaluating the Control Environment

  • The auditor evaluates whether:
    • Management has created a culture of honesty and ethical behavior.
    • The control environment provides an appropriate foundation.
    • Control deficiencies in the control environment undermine other components.

The Risk Assessment Process

  • An entity's risk assessment process identifies and responds to business risks.
  • Business risk includes uncertainties hindering an entity from achieving organizational objectives.
  • For financial reporting, the risk assessment process identifies risks relevant to financial statements, estimates their significance, assesses their likelihood, and decides upon actions.
  • Risks can arise or change due to operating environment changes, new personnel, new systems, rapid growth, new technology, new business models, corporate restructurings, expanded foreign operations, and new accounting pronouncements.

Understanding and Evaluating Risk Assessments

  • The auditor shall obtain an understanding of the entity's risk assessment process relevant to the preparation of financial statements.
  • This involves understanding the entity's process for identifying business risks, assessing their significance and likelihood, and determining the appropriate responses.
  • The auditor evaluates whether the process is appropriate considering the nature and complexity of the entity, identifies risks, and understands where those risks have been responded to.
  • The auditor should also consider what the implications are on their overall evaluation of the component.

Monitoring the System of Internal Control

  • Monitoring assesses the quality of internal control performance over time by assessing the design and operations of controls on a timely basis and taking necessary corrective actions.
  • It is done to ensure that controls are present and continue to function effectively.
  • Ongoing monitoring activities, separate evaluations, and combinations of both can be used.
  • Monitoring may come from communications from external parties (customers, regulators, external auditors).
  • Supervisory reviews may be either a monitoring activity or information system review.
  • Auditors should understand how an entity undertakes monitoring and the sources of information used.
  • The auditor must also evaluate whether the entity's monitoring system is appropriate to the entity's circumstances.

Information Systems and Communication

  • Information is obtained or generated by management from internal and external sources to support internal control components.
  • Activities, policies, accounting, and supporting records create an information system.
  • Communication involves understanding individual roles and responsibilities, in the form of policy manuals and memoranda.
  • An understanding of the system shall include flows of information, specific accounts, the financial reporting process, and entity resources.
  • It should also include communication between people, management, governance and external parties.

Primary Direct Controls

  • Auditors should obtain an understanding of the entity's business processes, also referred to as transaction cycles.
  • The auditor evaluates whether the information system and communication appropriately support the preparation of financial statements.

Control Activities

  • Control activities are actions that help mitigate risks, and include information processing and general IT controls.
  • Information processing controls are procedures that support an entity's information policies and may be automated or manual.
  • The controls may cover authorizations and approvals, reconciliations of data, verifications, security like physical and logical, and segregation of duties.
  • Segregation of duties is when functions (independent checks, custody of assets, authorization, recording, execution) are performed by different employees.
  • If segregation is not practical, the owner should conduct oversight.
  • Old categories of control activities include performance reviews, authorization, physical controls and information processing.

Identifying Control Activities

  • The auditor shall obtain an understanding of the control activities component by identifying controls that address ROMM.
  • These include addressing significant risks, journal entries, testing operating effectiveness, substantive procedures and professional judgement.
  • The auditor shall evaluate the design and implementation of each control identified.
  • Design involves assessing whether the control effectively addresses the risk of material misstatement.

Implementation of Internal Control System

  • Implementation involves performing audit procedures beyond inquiry of personnel.
  • The auditor determines that the control exists and the entity is using it.
  • When obtaining an understanding, the auditor focuses on design and implementation, not on effectiveness.
  • Effectiveness is evaluated during tests of controls.
  • Procedures to obtain audit evidence about the design and implementation include inquiring of personnel, observing the application of controls, inspecting documents, and tracing transactions.

Documentation of Internal Control System

  • Auditors must document the discussion among the engagement team, key elements of understanding, risk assessment procedures, evaluation of the design, and identified risks.
  • The manner of documentation varies based on nature, size, knowledge of the entity, and auditor's methodology.
  • Common documentation forms include flowcharts, narratives, questionnaires, risk and control matrices, and policy manuals.

Forms and Content

  • Flowcharts describe the flow of activity through a process, and show graphical representations of events.
  • Narratives describe process flows in written form, providing a useful supplement.
  • Effective control questionnaires help simplify and expedite the control evaluation process.
  • Risk and control matrices link controls with objectives and related risks.
  • Policy manuals establish a framework for specific processes and activities.
  • Auditors should focus on documentation, regardless of methods used.
  • Concepts relate to the systems vs areas of internal control, control, entities, and deficiencies.
  • Areas of internal control are classified as administrative (management's authorization) or accounting (safeguarding of assets).
  • The internal system includes all policies and procedures adopted by management.
  • Some controls are designed across the whole organization while others only affect certain areas.

Entity-Wide Controls and Transaction Controls

  • Entity-wide controls operate across the organization and include management override, risk assessment, operations monitoring, reporting controls and management policies.
  • Transaction controls operate at a certain level and include periodic inventory, bank reconciliation, match and review of expenses, and reviews of contracts.

Requirements for Effective Systems

  • The key requirements are that all components and principles must be present and functioning, and must operate in an integrated manner.

Parties Affecting Internal Control

  • The design and implementation are influenced by internal and external parties.
  • Internal parties are part of the system, while external parties contribute through their actions.
  • Internal control deficiencies exist with design or with components if management is unable to prevent fraud.
  • Auditors must respond to assessed risks by detailing nature and level of misstatements to properly plan.
  • The auditor should make a preliminary assessment of the control risk based on evaluation of controls.

Responses to Assessed Risk

  • The auditor must determine how to respond to identified and assessed risks of material misstatements.
  • To plan responses, auditors use their understanding of the entity's system of internal control.
  • Auditors ordinarily assess control risk at a high level when systems are not effective or if evaluation would not be efficient.
  • Assessment should be low when internal controls prevent errors and tests are performed.

Performing Tests of Control

  • Test of control is an audit procedure designed to evaluate the operating effectiveness of controls.
  • The quality of the system impacts how audit procedures are carried out.
  • Those tests should occur when risks of material misstatement at the assertion level include an expectation that controls are operating effectively, or those substantive procedures alone cannot provide sufficient appropriate audit evidence.
  • Tests can include inquiry, observation, inspection, or reperformance.

Recurring Audits

  • The auditor shall establish the continuing relevance of past audit evidence by receiving evidence about changes.
  • That is done by inquiry combined with other procedures, testing controls in the current audit. These controls are tested once every third audit.
  • The audit should determine which risks are significant, by weighing complexity, recent actions and other factors.
  • The auditor should obtain an understanding of the entity's controls relevant to that significant risk.
  • These controls should be tested in the current period.

Reassessing Control Risk

  • The nature of the test for the audit can depend on whether the risks have remained low or were changed to high.

Service Organizations

  • Service organizations are organizations to which businesses outsource specific tasks, such as business unit functions.
  • The user auditor must understand how a user entity uses a service, how the services affect control, the degree of interaction, and the nature of the relationship.
  • Reports on service organization controls are Type 1, on the design and description of controls, and Type 2, on the design, description, and operation of controls.

Documentation Required

  • The auditor should communicate identified deficiencies appropriately.
  • A summary of requirements is listed to determine whether there are high risks, whether the internal control is properly understood, and if so what the basis for the internal control is.
  • Communications must be maintained about internal control and design.
