OVERVIEW OF INTERNAL CONTROL Expected” Learning Outcomes After Studying the chapter, you should be able to... 1. Explain what internal Control is, 2: Describe the nature and Purpose of internal control. 3. Define internal control Syste: 4. Explain the elements of internal control, namely, ¢ . Control environment ¢ Entity’s risk assessment Process ¢ Information system ¢ Control actions ¢ Monitoring of controlsCHAPTER 13 OVERVIEW OF INTERNAL CONTROL NATURE AND PURPOSE OF INTERNAL CONTROL Internal control is the process designed and effected by those charged with governance, management and other Personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives. Those objectives fall into three categories: + Reliability of the entity’s financial reporting + Effectiveness and efficiency of operations + Compliance with applicable laws and regulations Whether an entity achieves its objectives relating to financial reporting and compliance is determined by activities within the entity's control. However, ‘hieving its objectives relating to operations will depend not only on ateements decisions but also on competitor's actions and other factors outside entity, INTERNAL CONTROL SYSTEM DEFINED h sl contr ol system means all the policies and procedures (internal controls) Ahiective ofehe Management of an entity to assist in achieving management's ness, hichadi as far as practicable, the orderly and efficient conduct of its , the ing adherence to management policies, the safeguarding of “mpletenes veMtion and detection of fraud’ and error, the accuracy and ness _ 2 , Tana inf ate accounting records, and the timely preparation of reliable ion.198 Chapter 13 ELEMENTS / COMPONENTS OF INTERNAL CONTROL Internal control structures vary significantly from one company to’ the next Factors such as size of the business, nature of operations, the geographical dispersion of its activities, and objectives of the organization affect the specific control features of an organization. However, certain elements or features must be present to have a satisfactory system of control in almost any large scale organization. 7 The internal control system extends beyond these matters which relate directly to the functions of the accounting system and consists of the following components in. accordance with the COSO’s updated Internal Control — Integrated Framework. a. -the control environment; b. the entity's risk assessment process; c. the information system, including the related business processes, relevant to financial reporting, and communication; d. control activities; monitoring of controls. - A. Control Environment The control environment which means the overall attitude, awareness ee actions of directors and management regarding the internal control SY and its importance in the entity. The control environment has an effect a 1 effectiveness of the specific control procedures. A strong reative environment, for example, one with tight budgetary controls and an oy internal audit function, can significantly complement specific ip Procedures. However, a strong environment does not, by itself, ensure ol d t . sont effectiveness of the internal control system. Factors reflected in the © environment include: . The function of the board of directors and its committees; : Management's philosophy and operating style; ae lise q rity ‘The entity's organizational structure and methods of assigning auth and responsibi agement! : fiom Mensusgicats ‘control system including the internal audit fune Policies and procedures and segregation of duties.Overview Of Internal Control 199 The environment in which internal control Operates has an im on the , wi pact on effectiveness of the specific control procedures. Several factors comprise ‘i control environment, including: e 1. Communication and Enforcement of Integrity and Ethical Values Integrity and ethical values are essential elements of the internal control environment. They affect the design, administration, and monitoring of other components of internal control. An entity's ethical and behavioral standards and the manner in which it communicates and reinforces them determine the entity's integrity and ethical behavior. Integrity and ethical values include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements, a code of conduct, and management's example of appropriate behavior. 2. Commitment to Competence Competence is the knowledge and skills necessary to accomplish tasks that define an employee's job. Commitment to competence méans that management considers the competence fevels for particular jobs in determining the skills and knowledge required of each employee and that ithires employees competent to perform the tasks. Participation by those Charged with Governance An entity's control consciousness is influenced significantly by those charged with governance. Attributes of those charged with governance Include independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the ePrepriateness of theiactions, the information they receive, the mia a racy difficult questions are raised and pursued with aa ee eat interaction with internal and external auditors. The ead in responsibilities of those charged with, governance 1s reson the benef a ratice and other regulations or guidance produced shee hi a those charged with governance. Other responsibilities ve Peron tt Severance include oversight of the design and ee ia Rectivg OF whistle blower procedures and the process for revie NESs of the entity's internal control.200 Chapter 13 4, Management's Philosophy and Operating Style This refers to management's attitude towards (a) ee Rhee (b) financial reporting, (c) meeting budget, profit and other established goals which all have impact on the reliability of the financial statements, . Management's approach to taking and monitoring business risks, its conservative or aggressive selection from alternative accounting principles, its conscientiousness and conservatism in developing accounting estimates, and its attitude toward information processing and the accounting function and personnel are factors that affect the control environment. 5. Organizational Structure The responsibilities and authorities of the various personnel within the organization should be established in such a manner as to (1) assist the entity in meeting its goals and objectives and (2) ensure that transactions are processed, recorded, summarized and reported in an accurate and timely manner. Organizational structure provides the overall framework for planning, directing and controlling operations. . Assignment of Authority and Responsibility Personnel within an organization need to have a clear understanding of their responsibilities and the rules and regulations that govern their actions. Management may develop job descriptions, computer system documentation, It may also establish policies regarding acceptable siness practice, conflicts of interest and code of | conduct. Human Resources Policies and Procedures Perha i apa ie be an meee lament of an internal accounting conto) and procedures. Person pe and execute the established Po Feasonably ensure th Be Policies should be adopted by the client d Tetained. Policies wah ne capable and honest persons are hired aM Supervision should Fd Tespect to employee selection, training, 4! selection of aioe ¢ adopted and implemented . by, the client. assure that driis'og 6 and honest Personnel does not automatically Personnel policies oy vreetlarities will not occur, However, adequate this Section, cnhanee Oa with the design concepts suggested earlier eS, Ince i a ay Procedures Will be fallowt likelihood that the client's policies ™Overview of Internal Control 204 . Entity's Risk Assessment Process Risk assessment is the "identification, analysis, and management of risks pertaining to the preparation of financial statements". For example vsk assessment may focus on how the entity considers the possibility of transactions not being recorded or identifies and assesses significant estimates recorded in the financial statements. ‘An entity's risk assessment process ‘is its process for identifying and responding to business risks and the results thereof. For financial reporting purposes, the entity's risk assessment process includes how management identifies risks relevant to the preparation of financial statements that are presented fairly, in all material respects in accordance with the entity's applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. For example, the entity's risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes: significant estimates recorded in the financial statements, Risks relevant to reliable financial reporting also relate to specific events or transactions. Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their securrence, and how they should be managed. Management may initiate Plans, programs, or actions to’address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise OF change due to circumstances such as the following: . or * Changes in operating environment. Changes n the eae es operating environment can result in changes in competitive P and significantly different risks. . yn OF * New personnel, New personnel may have @ different focus 07° Understanding of internal control. iy pid change! ighics at i ignificant and amped information systems. Signi icant and ca 2 i‘ the risk relating to intern in ji . In information systems can change Control, =”F 202 Chapter 13 igni } ion of operations id growth. Significant and rapid expansion of ca peered and increase the risk of a breakdown in controls. « New technology. Incorporating new technologies into production processes or information systems may change the risk associated with internal control. © New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control. © Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control. © Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may.affect internal control, for example, additional or changed risks from foreign currency transactions. e New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements. The basic concepts of the entity's risk assessment process are relevant to every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small entities than in larger ones. All entities should have established financial reporting objectives, but they may. be recognized implicitly rather than explicitly in small entities. Management may be aware of risks related to these objectives without the use of a formal process but through direct personal involvement with employees and outside parties. Considerations Specific to Smaller Entities any nal entities are carried out entirely by the engagement partner (who “ed ES Sole practitioner). In such situations, it is the engagement partner we ng personally conducted the planning of the audit, would be responsible considering the Susceptibility of the entity's financial statements to we misstatement due to fraud and error.Overview of Internal Control 203 Information System, including the Business Processes, Relevant to Financial Reporting and Communication ‘An information system consists of infrastructure (physical and hardware components), software, people, Procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of IT. ’ 4 The Information System, Including Related Business Processes, Relevant to Financial Reporting The information system relevant to financial reporting objectives, which includes the accounting system, ‘consists of the procedures. and records designed and established to: . * Initiate, record, process, and report entity transactions (as well.as events and conditions) and to maintain accountability for the related assets, liabilities, and equity; , - * Resolve incorrect Processing of transactions, for example, automated Suspense files and procedures followed to clear Suspense items out on a timely basis; j Process and account for system overrides or bypasses to controls; i le information from transaction Processing systems to the general edger; Capture information relevant to financial reporting for events and entitions other than transactions, such as the depreciation and ‘ortization of assets and changes in the. recoverability of accounts receivables: and information required to be disclosed by the applicable financial and ae framework is accumulated, recorded, processed, summarized Priately reported in the financial statements. J Mal Entries ‘sure Teportin, An Entity’; F i - we th in poem 'ypically includes the use of standard journal Shera JOumal cnitieg on a recurring basis to record transactions. Examples Page BEL, OF to . {0 record Sales, purchases, and cash disbursements in the "eeieg et Such cord 2ccounting estimates that are periodically made by a 8S changes in the estimate of uncollectible accounts >»204 Chapter 13 = : 2 i f includes the use of non-standard ar entity's fine i cael transactions or adjustments, scans at soc entries include consolidating adjustments and entries for a illizes combination or disposal or nonrecurring ee et as the impairment of an asset. In manual general ledger systems, Tae ee Journal entries may be identified through inspection of ledgers, journals, and supporting documentation. When automated procedures are used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may therefore be more easily identified through the use of computer- assisted audit techniques. Related Business Processes An entity's business processes are the activities designed to: ¢ Develop, purchase, produce, sell and distribute an entity's products and services; © Ensure compliance with laws and regulations; and ¢ Record information, including accounting and financial reporting information. Business processes result in the transactions that are recorded, processed and reported by the information system. Obtaining an understanding of the entity's business. processes, which include how transactions are originated, assists the auditor obtain an understanding of the entity's information system relevant to financial reporting in a manner that is appropriate to the entity's circumstances. Accordingly, an information System encompasses methods and records that: Identify and record all valid transactions. * Describe on a timely basis the transactions in sufficient detail to permit Proper classification of transactions for financial reporting. f A or the value of transactions in a manner that permits recording Proper monetary value in the financial statements. * Determi i ede i it heaneeee meting, Period in which transactions occurred to per™ 8 Of transactions in the Proper accounting period. * Present pro; | - . i cial statements, Perly the transactions and related disclosures in the finanOverview of Internal Control 205 Communication involves providing an understanding of individual rote responsibilities pertaining to internal control over financial reporting, It inches the extent to which personnel understand how their activities in the finan ial reporting information system relate to the work of others and the sicaattoe reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on. Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda..Communication also can be made electronically, orally, and through the actions of management. Application to Small Entities Information systems and related business processes relevant to financial reporting in small entities are likely to be less formal than in larger entities but their role is just as significant. Small entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be less formal and easier to achieve in a small entity than in a larger entity due to the small entity's size and fewer levels as well as management's greater visibility and availability. D. Control Activities : : Control activities ‘are the policies and procedures that help ensure that Management directives are carried out, for example, that necessary actions ate taken to address risks that threaten the achievement of the entity’s objectives. Control activities, whether within IT or manual systems, have lake objectives and are applied at various organizational and functions eels, * 7 T ; 7 he major categories of control procedures are: . Performance Review . nronmation Processing Controls ) Proper authorization of transactions and activities Segregation of duties ‘dequate documents and records afeguards over access to assets; and Cc: ndependent checks on performance sical controls :206 Chapter 13 A brief discussion of these control procedures follows: A. Performance Review In a performance review management uses accounting and Operating data to assess performance, and it then takes corrective action, Such reviews include: * comparing actual performance (or operating results) with budgets, forecasts, prior period performance, or competitors’ data or tracking major initiatives such as cost-containment or Cost-reduction programs to measure the extent to which targets are being met. investigating’ performance indicators based on operating or financial data, such as quantity or purchase price variances or the percentage of returns to total orders. reviewing functional or activity performance, such as relating the performance of a manager responsible for a bank's consumer loans with some standard, such as economic statistics or targets, Personnel at various performance reviews, managers for the sole pl levels in’ an organization may’ make Performance reviews may be used by urpose of making operating decisions. For example, managers may analyze performance data and base Operating decisions on them because the data are consistent with their expectations. This type of review improves the reliability of the data. However, when ‘managers follow up on unexpected results determined by a financial Teporting system, performance reviews become a useful Control over financial reporting. - Information Processing Controls information Processing controls a designed to require authorization of curacy and Completeness oj eos Ss re policies and procedie transactions and to oe ae dale f transacti ing. Con acti e on processing, affect Co be classified according to the scons of the system ey eran 2 pea Controls are control activities that prevent oF oe Bularities for al] accounting systems, General cont’? affect all tr =o as ©s and apply to information processing ® ‘aNsaction cycl Center, hard es ‘ware and systems Software acquisition and maintenanOverview of Internal Control 207 and backup and Tecovery procedures, Application controls are controls that pertain to the Processing of a Specific type of transaction, such a payroll, or sales and collections, These controls. help ensure that transactions Occurred, are authorized, and are completely and accurately recorded and processed. Examples of application controls include checking the arithmetical records, maintaining and reviewing accounts and tri center and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development, and maintenance. These controls apply to mainframe, miniframe, and end-user environments. Examples of such general IT-controls are Program change controls, controls that Internal controls relating to the accounti ing system are concerned with achieving objectives such as: es * Transactions are executed in accordance with management's 8eneral or specific authorization. All transactions and other events are Promptly recorded in the correct amount, in the appropriate accounts and in the Proper accounting period so as to permit preparation of financial Statements in accordance with an identified financial Teporting framework. Access to assets and records is permitted only in accordance with Management's authori tion. Recordeg &Ssets are compared with the existing assets at Teasonable i : intervals and Appropriate action is taken « "8arding any differences,208 Chapver 13 i tions may be ivitic the processing of transact Scie © fellows ay athe! ‘authorization, (2) design and use of vas dune and records, and (3) independent checks on performance. 1, Proper authorization of transactions and activities AS suggested earlier, authorization for the execution of transactions flows from the stockholders to management and its subordinates. Before a transaction is entered into with another Party, certain conditions must usually be met. As Part of the documents -and comparing them with company policy, the auditor may be Teasonably satisfied that a business ‘transaction Was authorized and executed in a manner consistent with company policy. " 2._ Segregation of duties An important element in designing an internal accounting control system that safe reliability of the accounting records is t of. Fesponsibilities, No would allow that 3. Adequate documents nd rec, The use of ade, ny i quate docume, e compa! 10 obtain reaso nts and records allow th nable assurance i tions have been recorded, that all valid transa ‘ords 4, Access 10 assets Th i ' ; of es of a client can be Protected by the establish , inventories al @PPropriate policies. For ssa le ies be kept in 4 Storeroom, or nes2 Overview of Internal Control 209 in a safe deposit box. Appropriate ae eee ee so that only authorized Persons Siete, to company resources. Safeguarding of assets is ne than establishing physical barriers, A client should design ies nal accounting control system so that documents ior the movement of assets into an Organization or out of an organization are adequately controlled, . Independent checks on ‘Performance to the balances in the general ledger a Count of inventory ane ‘ccount. Examples are the id the Prepar "conciliation, ration of monthly bank Physical Controls Controls that ncompass: * including adequate Ver access to assets th amounts shown inves ao > Comparing the Tesults of "Y counts wi accounting Tecords), vel itended (0 prevent theft of ind therefo, e fain ! nancial statement 8Ssets ary hi ere pen S On circumstances Plible to Misappropriation,210 Chapter 13 The concepts underlying control activities in small entities are likely to be similar to those in larger entities, but the formalit with which they operate varies. Further, small entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and drawdown’s on lines of credit can Provide strong control over those activities, lessening or removing the need for more detailed control activities. An appropriate segregation of duties often appears to present difficulties in small entities. Even companies that have only a few employees, however, may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible; to use management oversight of the incompatible activities to.achieve control objectives. E. Monitoring of Controls Monitoring, the final component of intemal control, is the process that an entity uses to assess the quality of internal contro! over time. Monitering involves assessing the design and operation of controls on a timely basis Le taking corrective action as necessary. Management monitors controls e consider whether they are operating as intended and to modify ps appropriate for changes in conditions. In many entities, internal au a evaluate the design and operation of intemal control and So for information about strengths and weaknesses and recommendation‘ improving internal control. ‘ nal Some monitoring activities may include communications tom ain parties. For example, customers implicitly corroborate sales data iors an their bills or raising questions. Also, bank regulators, other Frevtiveness of Outside auditors may communicate about the design or effe internal control. nications Monitoring activities may include using information from cas i nee from external parties that may indicate problems are nie te y payin of improvement. Customers implicitly corroborate billing repulat0”s of their invoices or complaining about their charges. In addition! function! 5 bY communicate with the entity concerning matters that affect dl exarni io internal control, for example, communications concerning munic® “der com! bank regulatory agencies, Also, management may considerOverview of Internal Control 211 relating to internal control from external auditors in performing, monitoring activities. Application to Small Entities Ongoing monitoring activities of small entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data leading to corrective action to the control. REVIEW QUESTIONS AND EXERCISES Questions 7 |. For each of the following statements, determine whether it is True or False: a. Effective internal control allows for more informed decisions by internal and external users of the financial information. 6. While understanding a client’s internal contro! over financial Teporting may help the external auditor plan the audit, the external auditor is not required to obtain this understanding for ‘all audit engagements, ‘ Internal control is intended to provide absolute assurance that an ; "ganization will achieve its objective of reliable reporting. etting financial Feporting objectives is a prerequisite for an Organizati aye % x i a -uanization designing and implementing internal control over nancial Teporting, . he Control enviroy Pervasive op Processes and mul ment component of internal control is considered entity-wide control because if affects multiple i Itiple types of transactions, hat ji Adige Meant by Must eval the control environment? What are the factors the uate to understand it? Wa It? stig 'elationshi : Onship among the five components of internal control?