A client’s internal control is a process designed to provide reasonable, but not absolute, assurance that the following entity objectives will be achieved: reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. A client’s internal control consists of five interrelated components: control environment, risk assessment, control activities, information and communication systems support, and monitoring. This post gives a brief overview of internal control, its interrelated core components, and its relationship to auditors and IT staff, in question-and-answer form. Enjoy!
Question: What Is the Control Environment?
Answer: The control environment, which is the foundation for the other components of internal control, provides discipline and structure by setting the tone of an organization and influencing control consciousness. Factors to consider in assessing the client’s control environment include:
- Integrity and ethical values, including (1) management’s actions to eliminate or mitigate incentives and temptations on the part of personnel to commit dishonest, illegal, or unethical acts, (2) policy statements, and (3) codes of conduct
- Commitment to competence, including management’s consideration of competence levels for specific tasks and how those levels translate into necessary skills and knowledge.
- Board of directors or audit committee participation, including interaction with internal and external (independent) auditors
- Management’s philosophy and operating style, such as management’s attitude and actions regarding financial reporting, as well as management’s approach to taking and monitoring risks
- The entity’s organizational structure
- Assignment of authority and responsibility, including fulfilling job responsibilities
- Human resource policies and practices, including those relating to hiring, orientation, training, evaluating, counseling, promoting, and compensating employees
Question: What Is Meant By Risk Assessment?
Answer: An entity’s risk assessment for financial reporting purposes is its identification, analysis, and management of risks pertaining to financial statement preparation. Accordingly, risk assessment may consider the possibility of executed transactions that remain unrecorded.
The following internal and external events and circumstances may be relevant to the risk of preparing financial statements that are not in conformity with generally accepted accounting principles [or another comprehensive basis of accounting]:
- Changes in operating environment, including competitive pressures
- New personnel that have a different perspective on internal control
- Rapid growth that can result in a breakdown in controls
- New technology in information systems and production processes
- New lines, products, or activities
- Corporate restructuring that might result in changes in supervision and segregation of job functions
- Accounting pronouncements requiring adoption of new accounting principles
Question: What Are Control Activities?
Answer: Control activities are the policies and procedures management has implemented in order to ensure that directives are carried out. Control activities that may be relevant to a financial statement audit may be classified into the following categories:
- Performance reviews, including comparisons of actual performance with budgets, forecasts, and prior period results.
- Information processing. Controls relating to information processing are generally designed to verify accuracy, completeness, and authorization of transactions. Specifically, controls may be classified as general controls or application controls. General controls might include controls over data center operations, systems software acquisition and maintenance, and access security; application controls apply to the processing of individual applications and are designed to ensure that transactions that are recorded are valid, authorized, and complete.
- Physical controls, which involve adequate safeguards over the access to assets and records, include authorization for access to computer programs and files and periodic counting and comparison with amounts shown on control records.
- Segregation of duties, which is designed to reduce opportunities that allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties, involves assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets.
Question: What knowledge about the “information and communication systems support” component should an auditor obtain?
Answer: The auditor should obtain sufficient knowledge about the information system relevant to financial reporting. The information system generally consists of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of related assets, liabilities, and equity. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
Question: What Is Meant By Monitoring?
Answer: Monitoring is management’s process of assessing the quality of internal control performance over time. Accordingly, management must assess the design and operation of controls on a timely basis and take necessary corrective actions.
Monitoring may involve: (1) separate evaluations, (2) the use of internal auditors, and (3) the use of communications from outside parties (e.g., complaints from customers and regulator comments).
Question: Is There a Relationship Between Internal Control Objectives and Components?
Answer: There is a direct relationship between objectives and components. This results from the fact that objectives are what an entity strives to achieve, while components are what an entity needs to achieve the objectives. It is also important to remember that internal control is relevant not only to the entire entity, but also to an entity’s operating units and business functions.
Question: What Objectives and Controls are Relevant to a Financial Statement Audit?
Answer: In general, the auditor should consider the controls that pertain to the entity’s objective of preparing financial statements for external use that are presented fairly in conformity with generally accepted accounting principles (GAAP) or some other comprehensive basis of accounting other than GAAP (OCBOA).
The controls relating to operations and compliance objectives may be relevant to a financial statement audit if they pertain to data the auditor evaluates or uses. For example, the auditor may consider the controls relevant to nonfinancial data (such as production statistics) used in analytical procedures.
Caution: Not all of the objectives and related controls are relevant to a financial statement audit. Furthermore, an understanding of internal control relevant to each operating unit and business function may not be essential.
Question: What is the auditor’s primary consideration with respect to the components of internal control?
Answer: The auditor’s primary consideration is whether a specific control affects the financial statement assertions rather than its classification into any particular component. Although the five components are applicable to every audit, they should be considered in the context of the following:
- Entity size
- Organization and ownership characteristics
- Nature of the entity’s business
- Diversity and complexity of operations
- Methods of transmitting, processing, maintaining, and accessing information
- Applicable legal and regulatory requirements
Question: How does information technology (IT) affect internal control?
Answer:
- An entity’s use of IT may affect any of the five interrelated components of internal control.
- Controls in systems that use IT consist of a combination of automated controls (e.g., controls embedded in computer programs) and manual controls.
Question: What are the potential benefits of IT to internal control?
Answer: IT provides potential benefits of effectiveness and efficiency for internal control because it enables the entity to:
- Consistently apply predefined rules and perform complex calculations in processing large volumes of transactions or data.
- Enhance the timeliness, availability, and accuracy of information.
- Facilitate the additional analysis of information.
- Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
- Reduce the risk that controls will be circumvented.
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.
Question: What risks does IT pose to internal control?
Answer: IT poses specific risks to internal control, including:
- Reliance on inaccurate systems or programs
- Unauthorized access to data that may result in destruction of data or improper alterations to data
- Unauthorized changes to master files
- Unauthorized changes to systems or programs
- Failure to make necessary changes to systems or programs
- Inappropriate manual intervention
- Potential loss of data
Note: The extent and nature of these risks to internal control depend on the nature and characteristics of the entity’s information system.
Question: To what extent must I consider the client’s internal control?
Answer: The practitioner must obtain a sufficient understanding of internal control to enable the proper planning of the audit. Whether controls have been placed in operation is of prime importance. Operating effectiveness is not to be judged by the practitioner. The understanding of internal control should: (1) provide a basis for identifying types of potential misstatements, (2) enable the assessment of the risk that such misstatements will occur, and (3) enable the auditor to design substantive tests.
Question: What are the procedures used to obtain an understanding of internal control?
Answer: Ordinarily, a combination of the following procedures is used in obtaining a sufficient understanding of internal control:
- Previous experience with the client
- Inquiry of appropriate client personnel
- Observation of client activities
- Reference to prior year working papers
- Inspection of client-prepared descriptions, such as organization charts and accounting manuals.
Question: How should I document my understanding of internal control?
Answer: The auditor must exercise professional judgment in determining the methods and extent of documentation. The most frequently used methods of documentation are:
- Narrative memos (written descriptions)
Question: What is meant by assessing control risk?
Answer: The assessment of control risk is a process of evaluating the effectiveness of a client’s internal controls in preventing or detecting material misstatements in the financial statements.
Question: How do I assess control risk?
Answer: If the auditor concludes, based on his or her understanding of internal control, that controls are likely to be ineffective or that evaluation of their effectiveness would be inefficient, then the auditor may assess control risk at the maximum level for some or all financial statement assertions.
If specific controls are likely to prevent or detect material misstatements and the auditor performs tests of controls in order to evaluate the effectiveness of the controls identified, then assessment of control risk below the maximum level is permissible.
Question: What are tests of controls?
Answer: SAS 55 defines tests of controls as tests directed toward the design or operation of an internal control to assess its effectiveness in preventing or detecting material misstatements in a financial statement assertion. Inquiry of company personnel, inspection of client documents and records, observation of client activities, and re-performance of controls represent some of the procedures used in performing tests of controls.
In performing tests of controls, the auditor seeks answers to the following questions:
- Who performed the control?
- When was the control performed?
- How was the control performed?
- Was the control consistently applied?
Question: What is the relationship between the assessed level of control risk and substantive testing?
Answer: Since the auditor’s determination of the nature, extent, and timing of substantive tests is dependent on detection risk, the assessed level of control risk must be considered in conjunction with inherent risk (see SAS 47). There is an inverse relationship between detection risk and the assurances to be.