Module – 3: Internal Control

Module – 3: Internal Control.

Contents of Internal Control. Internal control systems – the use and evaluation of internal control systems by auditors – Tests of control – Communication on internal –control..

Internal Control- Definition. According to W.W. Biggs “Internal control is best regarded as indicating the whole system of controls financial and otherwise, established by the management in the conduct of a business, including internal check, internal audit and other forms of control” Methods put in place by a company to ensure the integrity of financial and accounting information, meet operational and profitability targets and transmit management policies throughout the organization..

Internal Control System. Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance: That information is reliable, accurate and timely Of compliance with applicable laws, regulations, contracts, policies and procedures Of the reliability of financial reporting Internal controls are intended to prevent errors and irregularities, identify problems and ensure that corrective action is taken.

Control definition reflects certain fundamental concepts:.

Objectives of Internal Controls. Strategic – high-level goals and objectives, aligned with and supporting the mission. Operational – effective and efficient use of resources. Reporting – integrity and reliability of reporting. Compliance – compliance with applicable laws and regulations. Stewardship – protection and conservation of assets..

Internal control structure. derived from the way management runs an operation or function and is integrated with the management process. The internal control structure consists of five inter-related components: 1. Control environment : Control environment factors include the integrity, ethical values and competence of the entity's people; (2) management's philosophy and operating style; (3) the way management assigns authority and responsibility and organizes and develops its people; and (4) the attention and direction provided by the organisation. 2. Risk assessment: Is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed..

3. Control activities: are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Ex: Purchasing limits, Approvals, security etc. 4. Information and communication: Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that makes it possible to run and control the organization. Ex: Vision and values, reporting. 5. Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the Regents. Ex: Monthly examination of performance reports..

Internal control types. 1. Preventive and detection controls: attempt to deter or stop an unwanted outcome before it happens. Ex: Include use of passwords. Attempt to uncover errors or irregularities that may already have occurred. Ex: inclusion of reconciliations. 2. Hard vs. soft controls: are formal and tangible. Examples include organizational structure, policies, procedures and segregation of duties Are informal and intangible. Examples include tone at the top, ethical climate integrity, trust and competence 3. Manual vs. automated controls: manually performed, either solely manual or IT-dependent, where a system-generated report is used to test a particular control. Automated controls are performed entirely by the computer system..

4. Key vs. secondary controls: are those that must operate effectively to reduce the risk to an acceptable level. Are those that help the process run smoothly but are not essential..

Evaluation of Internal Controls. An evaluation of internal control involves an examination of the effectiveness of an organization's system of internal controls. By engaging in this evaluation, an auditor can determine the extent of other tests that must be performed in order to arrive at an opinion regarding the fairness of the entity's financial statements. A robust system of internal controls reduces the risk of fraudulent activity, which moderates the need for additional audit procedures. The examination concentrates on such issues as the separation of duties, checks and balances, safeguarding of records, the training level and competence of employees, and the effectiveness of the entity's internal audit function..

Methods of Evaluation. Narrative Method Check List Method Questionnaire Method Flow Chart Method.

The steps involved in this evaluation process include the following:.

Internal control, in the broad sense includes, therefore, controls which may be characterized as either accounting or administrative as follows:.

Test of Controls. A test of control describes any auditing procedure used to evaluate a company’s internal controls. The aim of tests of control in auditing is to determine whether these internal controls are sufficient to detect or prevent risks of material misstatements. A robust internal control system is essential for businesses to keep their financial records accurate. A test of controls involves many similar audit procedures to a test of detail, but the outcomes are different. While a test of controls supports control risk assessment, a test of details is performed to support the overall audit opinion of a company’s balance sheet and accompanying transactions.

Purposes of tests of control. There are several reasons to perform tests of control in auditing. If a company’s internal controls are working effectively, it reduces the need for additional substantive audit procedures, which can be time-consuming and costly. Another purpose of these tests is to obtain further audit evidence to support the auditor’s statements..

Audit sampling methods for tests of controls. Tests of control fall into four main categories: Inquiry: auditors may ask clients to explain their control processes. Simply inquiring about procedures qualifies as a test of control, but it provides limited evidence, so it will need to be supplemented with additional audit sampling. Observation: The test may involve observing a business process or transaction while it’s happening, taking note of all relevant control elements. One example of observational audit sampling for tests of controls would be to watch the client’s year-end inventory counting procedures..

3. Reperformance: The auditor might start a new transaction to repeat the internal controls used by the client during this process. This is considered to be one of the most reliable audit sampling methods for tests of controls because it actively gathers direct evidence rather than relying on observation alone. 4. Inspection: Tests of control involve the examination of business documents for any signs of review. Signatures, checkmarks, and stamps are all signs that internal controls have been used. In this fourth category, audit sampling for tests of controls requires the inspector to look at a random selection of documents over time. If only a few of them show signs of review, this indicates a weak internal control system. However, if they are all uniformly marked with a verifying signature, this would indicate efficient controls..

A single test of controls is usually insufficient to draw any conclusions, so auditors will draw from all four types of control tests for greater assurance. An inquiry should be combined with inspection or reperformance for more accurate results. When errors are found during the tests of internal controls, auditors can take this process to the next step by increasing their audit sampling size. The greater the number of errors, the greater the chance that there is a systemic controls issue..

HOW ENGAGEMENT LETTER MANAGEMENT LETTER DIALOGUE COMMUNICATING WITH THOSE CHARGED WITH GOVERNANCE WHAT ACCOUNTING POLICIES RISKS ADJUSTMENTS DISAGREEMENTS MODIFICATIONS DEFICIENCY WHEN PLANNING DURING AFTER.

The main forms of formal communication between the auditors and management are: the engagement letter (see 'Ethics and Acceptance' chapter); and another written communication, usually sent at the end of the audit, which is often referred to as 'the management letter.’ In addition, the auditor will communicate with those charged with governance throughout the audit as required..

Reasons for communicating with those charged with governance.

Matters to be communicated. The auditor's responsibilities in relation to the financial statements audit. The planned scope and timing of the audit including, for example: – How the auditor plans to address the risks of material misstatement – The application of materiality in the context of an audit – Preliminary views about matters which may be key audit matters – The auditor's approach to the entity’s system of internal control – The extent to which the auditor is planning to use the work of internal audit and the arrangements for so doing – Business risks that may result in material misstatements – Communications with regulators..

Significant findings from the audit, such as: – The auditor's views about qualitative aspects of the entity's accounting practices/policies – Significant difficulties encountered during the audit – Significant matters arising during the audit that were discussed with management – Written representations the auditor is requesting – Circumstances that affect the form and content of the auditor's report, if any. This includes any expected modifications to the opinion, key audit matters and material uncertainty related to going concern – Other matters that, in the auditor's opinion, are significant to the oversight of the reporting process..

Matters of auditor independence including: – A statement that the firm has complied with ethical requirements, – Professional fees for audit and non-audit services charged during the period – Safeguards applied to eliminate or reduce threats to independence..

Ultimately what constitutes a matter requiring the attention of those charged with governance is a matter of professional judgment. Typical examples include: • Delays in obtaining information for the audit. • An unreasonably brief time within which to complete the audit. • Expected limitations on the audit, either imposed by management or other circumstances. • The potential effect on the financial statements of any material risks and exposures, such as pending litigation, that are required to be disclosed in the financial statements. • A summary of identified misstatements, whether corrected or not by the entity and a request that they are adjusted. • Material uncertainties related to events and conditions that may cast significant doubt on the entity’s ability to continue as a going concern. • Any other matters agreed upon in the terms of the audit engagement..

Communicating deficiencies in internal control to those charged with governance and management (SA - 265).

The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This SA specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management. Nothing in this SA precludes the auditor from communicating to those charged with governance and management other internal control matters that the auditor has identified during the audit..

Objective:. The objective of the auditor is to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor’s professional judgment, are of sufficient importance to merit their respective attentions..

Requirements: The auditor shall determine whether, on the basis of the audit work performed, the auditor has identified one or more deficiencies in internal control. If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies. The auditor shall communicate in writing significant deficiencies in internal control identified during the audit to those charged with governance on a timely basis..

The auditor shall also communicate to management at an appropriate level of responsibility on a timely basis (a) In writing, significant deficiencies in internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances; and (b) Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention.

The auditor shall include in the written communication of significant deficiencies in internal control: (a) A description of the deficiencies and an explanation of their potential effects; and (b) Sufficient information to enable those charged with governance and management to understand the context of the communication. In particular, the auditor shall explain that: (i) The purpose of the audit was for the auditor to express an opinion on the financial statements;.

ii) The audit included consideration of internal control relevant to the preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control; and (iii) The matters being reported are limited to those deficiencies that the auditor has identified during the audit and that the auditor has concluded are of sufficient importance to merit being reported to those charged with governance..

Timing of communication with those charged with governance Stage of audit Planning During the audit Conclusion of the audit Communication required Significant risks identified by the auditor How the auditor plans to address the risks Auditor's approach to intemal control relevant to the audit Application of materiality in the context of an audit If any situation occurs and it would not be appropriate to delay communication until the audit is concluded Major findings from the audit work. Delays caused by management The auditor must take care not to compromise the effectiveness of the audit by communicating too much information about the planned scope and timing of the audit to such an extent that procedures become too predictable..

Thank You.