Internal Controls and Control Risk

Freskida Alizoti Sayaka Nomura Sarah Rosario

f. a.

on 11 March 2011


Sayaka Nomura

What is Internal Control?

A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals.

• Evaluation of internal control and the associated control risk is part of the audit planning process

• CAS 315 explains that the auditor considers internal control that is relevant to the financial statement audit. These will normally include cycles of events (transactions) that lead to information recorded in the financial statements

• Auditor examines whether internal controls prevent, detect or correct material misstatements. When risks of error are high, the auditor will expand tests of details, potentially abandoning tests of controls.

Inherent Limitations of Internal Controls

• Effectiveness depends upon the competency and dependability of individuals executing the controls

• Most internal controls can be overridden using collusion

• Even with the most effectively designed internal controls, the auditor must obtain audit evidence beyond testing the controls for every material financial statement account

What Are the Three Primary Objectives of Internal Control?

1. Help ensure reliable financial reporting
2. Enable efficient and effective operations
3. Comply with laws and regulations

Three Basic Concepts that Enable an Auditor’s Study of Internal Controls

• Management is responsible for the establishment and maintenance of the entity’s controls

• Controls help provide reasonable assurance of the fairness of the financial statements

• Internal controls cannot be completely effective (inherent limitations)

Small Business Controls

Control Environment
Risk Assessment
Control Activities
Segregation of duties
Systems acquisition, development and maintenance controls
Operations and Information systems support

What Are the Management Objectives with Respect to Internal Control?

Maintaining reliable control systems

Safeguarding assets

Optimizing the use of resources

Preventing and detecting error and fraud

What Are the Auditor Objectives with Respect to Internal Control?

Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7

Have risks changed?
Is there risk of material misstatement?
Inform management and audit committee if yes
If yes: Modify risk assessment
Obtain an understanding of relevant controls
Planned detection risk
Understanding the components of internal control
Understanding the control environment
Understanding general controls
Manual controls
Computer-assisted controls
Fully automated controls
Understanding the control activities
Documentation of the understanding
• Narrative
• Flowchart
• Internal control questionnaire
Evaluate design effectiveness of controls for risk assessment

Consider design effectiveness of controls

I. Are controls present for relevant assertions?

II. Which controls are more important for the relevant assertions?

III. What are the potential weaknesses in internal control, to determine whether there are compensating controls?

Assess control risk: a measure of the auditor’s expectation
I. Transaction-related audit objectives
II. Specific controls
III. Internal control weakness

Determine the level of control risk supported by the understanding obtained
- High
- Moderate
- Low
Assess whether it is likely that a lower assessed control risk could be supported
Decide on the appropriate assessed control risk

Identify and assess risk of material misstatement
Financial statement level
Assertion level

Design test of control
Test controls

Procedures to obtain an understanding
I. Make inquiries of appropriate entity personnel
II. Inspection of documents, records, and reports
III. Observe control-related activities
IV. Perform client procedures

The lower the assessed level of control risk, the more extensive the tests of controls must be.

Evaluate results; integrate with planned detection risk and substantive test

Is assessed level of control risk below maximum?

The audit process

Five Components of Internal Control

Risk Assessment

Risk assessment involves the identification and analysis of relevant risks to the achievement of an entity’s objectives. It forms a basis for how management identifies and analyzes risk.

Control Activities

The policies and procedures that help ensure that necessary actions are taken to address risks in the achievement of the entity’s objectives. Also known as application controls

5 Groups of Control Activities

Information and Communication

Monitoring

Management’s ongoing assessment of the quality of internal control performance is key in determining the effectiveness of the company’s internal controls.

Internal controls are effective if management and interested stakeholders have reasonable assurance that:
They understand the extent to which the operations objectives are being achieved.
Published financial statements are being prepared reliably
Applicable laws and regulations are being complied with.

Internal audit department may provide independent evaluation of the quality of the monitoring process.
• The purpose of an entity’s accounting information and communication systems is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.

• An accounting information and communication system has several subcomponents, typically made up of classes of transactions.

[Diagram: Monitoring, Control Environment, Risk Assessment, Control Activities, Information & Communication]

A material weakness in internal controls?

The Control Environment

Commitment to Competence

Is commitment to competence important within the organization?
Do employees have the proper training to do their jobs?

Integrity

Does management actively practice integrity and promote ethical values and like behavior among employees?

What actions are being taken to reduce the likelihood of illegal behavior?

Board of Directors & Audit Committee Participation:

Is the board of directors independent of management, i.e., does it include independent directors?

Is the audit committee competent to perform an effective financial reporting assessment of the organization?

Management Philosophy and Operating Style:

Management, through its activities, provides clear signals to employees about the importance of control within the organization.
Does management take significant risks or is it risk averse?
Do policies exist to protect information & ensure privacy & confidentiality?
Is the company’s budget set as a “best as possible” plan or a “most likely” target?
Does management use aggressive accounting to ensure budget targets are met?

Organizational Structure:

Does the current organizational structure promote an adequate environment for the planning, management and successful control of the company’s operations?

Human Resources Policies & Practices:

Are the current hiring practices promoting hiring of competent and trustworthy employees?
Are descriptions of roles and responsibilities accurate and up to date?
Is the level of training and authority provided appropriate to perform the responsibilities assigned?
Are the evaluation and compensation processes established helping to motivate employees to achieve the company’s goals?

Methods of Assigning Authority & Responsibility:

Is the method used for the assignment of authority and responsibility appropriate for the organizational culture?

Management Control Methods:

Are there logical access and monitoring controls for data communications and access to information?

Are employee activities monitored?

System Development Methodology:

Is implementation of information systems consistent with the organizational objectives of the entity?

Management Reactions to External Influences:

Is management aware of the effects of possible changes in its external environment?

Can management effectively respond to these changes?

Internal Audit:

Is the internal audit department staff competent?

Does the audit department report directly to the audit committee?
Is their work reliable?

Management
Identify Risk
Estimate Significance
Assess likelihood of occurrence
Action plans to reduce risk

1. Adequate segregation of duties
2. Proper authorization of transaction activities
3. Adequate documents and records
4. Physical and logical control over assets and records
5. Independent checks of performance and recorded data

2 Types of Control Activities
Accounting (Application) Controls
General Controls
Occurrence
Completeness
Accuracy
Posting & Summarization
Classification
Timing
Accounting Controls
Organizational & Management Controls
System Controls
Operations & IT System Controls