Chapter 5

Internal Control
over Financial
Reporting

Copyright © 2012 South-Western/Cengage Learning

Audit Opinion Formulation Process
LO 1: Importance of Internal Control to
Financial Statement Audits
• The quality of internal control over financial reporting is
an important part of an organization’s commitment to
good governance
• Internal control processes must effectively address risks
that are present between an organization and the
accomplishment of its objectives
• Internal controls are needed because every organization
faces significant risks like:
– corporate failure
– misuse of corporate assets
– incorrect or incomplete preparation of financial
information
LO 2: COSO Framework for
Internal Control
 COSO: A Framework for Internal
Control
• Internal controls is a process designed to
provide reasonable assurance of achieving the
following:
– Generating reliable financial accounting
information
– Safeguarding assets
– Complying with applicable laws and regulations
– Operating efficiently and effectively
 What are the components of an
internal control system?
There is a logical loop to an organization’s internal
controls, starting with
1. Identification of organizational risks that affect the
accomplishment of objectives
2. Design of the control environment
3. Design and implementation of controls activities to
prevent or detect errors
4. Communicate the policies effectively through
information and communication process
5. Monitoring of the effectiveness of the controls to
operate effectively
 Components of Internal Control
• An internal control system consists of five
components
• Risk assessment: process designed to identify and
manage risks that may affect its ability to achieve its
objectives
• Control environment: overall attitude, awareness,
and actions of significant internal groups to maintain
a well-controlled organization (tone at the top)
• Control activities: policies and procedures
established by management to help ensure that
internal control objectives are achieved and risks
mitigated
 Components of Internal Control
• Information and communication: process of
identifying, capturing, and exchanging information in
a timely fashion to enable the organization to achieve
its objectives
• Monitoring: process that assesses the quality of
internal controls over time
 Risk Assessment
• Risk assessment involves the identification
and analysis of the risks of material
misstatement in financial reports
• Failure to identify risks, results in deficiencies
in the control processes to mitigate the risks
• Risk assessment questionnaire is used for
identifying the significant risks related to
financial reporting and documenting
 LO 3: Understanding the Control
Environment
Factors an auditor should look at when evaluating an
organization’s control environment:
• Integrity and ethical values
• Board of directors and audit committee
• Management’s philosophy and operating style
• Organizational structure, including assignment of
authority and responsibility
• Commitment to financial reporting competence
• Authority and Responsibility
• Human resource policies and practices
 Control Activities
• Control activities are policies and procedures
implemented across the organization to reduce
the risk of financial reporting misstatements
• Control activities involve:
– The design of the control
– The operations of the control
• The sources to misstatement includes:
– Transaction processing
 Control Activities
– Accounting estimates
– Adjusting and closing entries
• Organizations use Preventive and Detective
controls
 Information and Communication
• Information and communication represent a
company’s processes for gathering key financial
information to support the achievement of financial
reporting objectives
• Information must be communicated to the right
people
• It must also be assured that substantive issues are
report to audit committee for investigation
 Monitoring
• Monitoring represents a company’s processes to
determine whether internal control over financial
reporting is operating effectively
• Ongoing monitoring processes are designed to
identify control failures
• Effective control system rely heavily on monitoring
• Internal auditing is a highly effective monitoring
control
 LO 4: Common Control Activities
Control activities implemented in almost all
accounting systems include:
• Segregation of duties
• Authorization procedures
• Adequately documented transaction trail
• Physical controls to safeguard assets
• Reconciliation of control accounts with subsidiary
ledgers, of transactions recorded with transactions
submitted for processing, and of physical counts of
assets with recorded assets
• Competent, trustworthy employees
 LO 5: IT Controls Integrated into
Internal Control Evaluations
• General computer controls are pervasive and affect
every computerized system
• These controls address the following:
– Planning and controlling the data processing function
– Controlling applications development and changes to
programs and/or data files and records
– Controlling access to equipment, data, and programs
– Assuring business continuity such that control failures do
not affect data or programs
– Controlling data transmission
IT Controls Integrated into Internal
Control Evaluations
• Application controls are specific control procedures
designed into and around the computer program to
ensure that processing objectives are attained
• The control procedures include:
– Input Controls
– Processing Controls
– Output Controls
• It leads to better data for decisions and increases the
organizational success and sustainability
LO 6: Management Reports on Internal
Control over Financial Reporting
• The Sarbanes-Oxley Act of 2002 requires
management to implement effective internal
controls over financial reporting and to certify
that the controls have been implemented
properly and are operating effectively
• To guide management and auditor, SEC and
PCAOB provides definitions of
– Material Weakness
– Significant Deficiency
 Material Weakness
• Deficiency, or a combination of deficiencies,
in internal control over financial reporting,
such that there is a reasonable possibility that a
material misstatement of the company’s annual
or interim financial statements will not be
prevented or detected on a timely basis
 Significant Deficiency
• Deficiency, or a combination of deficiencies,
in internal control over financial reporting that
is less severe than a material weakness, yet
important enough to merit attention by those
responsible for oversight of the company’s
financial reporting
 LO 7: Auditor Evaluation of
Internal Controls
The steps in the integrated audit process are:
1. Update information about various risks
2. Consider the possibility of account misstatements
3. Complete preliminary analytical procedures
4. Understand the client’s internal controls
– Obtain an Understanding of Management’s Risk
Assessment Process and the Control Environment
 Auditor Evaluation of Internal
Controls
– Obtain an Understanding of Significant Accounts
and Disclosures and Their Relevant Assertions
Within the Information and Communication
System
– Obtain an Understanding of the Control Activities
in Accounting Processes
– Obtain an Understanding of Management’s
Monitoring Activities
5. Identify controls to test
– Auditor needs to test all the five components of
internal control
 Auditor Evaluation of Internal
Controls
6. Make a plan to test the controls and execute
that plan
– Use “top-down approach” that begins with
at financial statement level
7. Consider the results of control testing
– It is a part of the process designed to
conduct the most efficient audit possible
while minimizing overall audit risk
8. Conduct substantive audit tests
 LO 8: Documenting the Auditor’s Understanding
and Assessment of an Organization’s Internal
Controls
• Documentation should clearly identify each
component of the internal control framework
• Documentation should show
– How each significant control is tested
– The sampling approach used and the size of the sample
used in testing
– The conclusions of the tests,
– The individual performing the test
– The auditor’s conclusion on the effectiveness of the control
– The implications for the audit of related financial account
balances