Internal Control

Consideration
J. Tamayao
 INTERNAL CONTROL
The process designed, implemented and maintained by those charged with governance, management
and other personnel to provide reasonable assurance about the achievement of an entity's objectives.

Internal Control Provides REASONABLE ASSURANCE to achieve Objectives

Why reasonable assurance?
ü Financial reporting objective – this objective
1. Management overriding the internal control. relates to reliability of financial reporting
2. Circumvention of internal controls through the collusion among
employees. ü Operational effectiveness objective – this
3. The cost-benefit relationship is a primary criterion in designing objective is intended to enhance effectiveness
internal control. and efficiency of operations
4. Most internal controls tend to be directed at routine transactions
ü Compliance objective – this objective relates to
5. The potential for human error entity‘s compliance with applicable laws and
6. The possibility that procedures may become inadequate due to regulations
changes in conditions, and compliance with procedures may
deteriorate.
7. Segregation of duties may be difficult to achieve in a smaller
entity
 CLASSIFICATION OF INTERNAL CONTROLS
According to Objectives According to Functions

v Financial reporting controls v Preventive controls – to deter problems before

v Operating effectiveness control they arise
v Compliance controls v Segregation of employee duties
v Control physical access to assets,
What control is relevant to audit? facilities and information
v Access controls
v Financial reporting controls = fives rise to ROMM
v Detective controls – to discover problems as
v Other controls for the other objectives MAY be
relevant but are usually not relevant to the audit. they arise
v Preparing bank reconciliation
v Preparing monthly trial balance
v Physical counts
v Corrective controls – to remedy problems
discovered with detective controls
v Maintaining backup copies of
transactions and master files
 RESPONSIBILITIES OVER INTERNAL CONTROL
Management Auditor

v To design, implement and maintain internal v To obtain an understanding of internal

controls controls
v To test internal control over financial reporting

When to place control?

v Before an expensive part of the project.

v Before points of no (or difficult) return
v Where one phase of an operation ends and another starts
v Where corrective action is easier to take
v Where accountability for resources change
 COMPONENTS OF INTERNAL CONTROL {CRIME}
Control Environment The control conscience of an organization. TONE AT THE TOP.

Risk Assessment The evaluation of internal and external factors that impact an organization’s performance.

Information, Reporting & The process which ensures that relevant information is identified and communicated in a timely
Communication System manner.

The process to determine whether internal control is adequately designed, executed, effective,
Monitoring and adopted.

The policies and procedures that help ensure that actions are identified to manage risk and
Existing Control Activities executed and timely.
 CONTROL ENVIRONMENT
v Competence should reflect the knowledge and skills needed to accomplish
Commitment to Competence
tasks that define the individual’s job.

v Method by which personnel are hired, evaluated, trained, promoted,

Human Resources Policies and Practices compensated and given remedial actions

v Establishes structures, reporting lines, and appropriate authorities and

Assignment of Authority and Responsibility responsibilities in the pursuit of objectives.

v Management’s approach in taking and managing business risk and

Management’s Philosophy and Operating Style
attitude toward financial reporting & information processing
v BOD – oversee the design and implementation of internal controls
Participation by Those Charged with Governance v Audit Committee – independent directors with oversight function

v Provides the framework for planning, executing, controlling and monitoring

Organizational Structure
the entity’s operation
v Commitment to integrity is communicated through entity’s standard of
Communication and enforcement of Integrity conduct and emphasized through directives, actions and behavior
and ethical values v Includes management actions to remove or reduce incentives and
temptations
 RISK ASSESSMENT PROCESS
Identify Assess
ü SIGNIFICANT RISK Other Conditions:
v Whether the risk is a risk of fraud q Changed Operating
Entity Level Risk v Whether the risk is related to recent Environment
significant economic accounting or q New Personnel
v Changes in economic, industry, regulatory other developments and, therefore, q New or Revamped Information
and operating conditions should be requires specific attention Systems
identified and the risks associated with v Complexity of transactions q Rapid Growth of Business
changes should be assessed. v Whether the risk involves significant q Significant Decline in Economic
transactions with related parties Condition
v The degree of subjectivity in the q New Technology
Transaction Level Risk measurement of financial information q New product lines and activities
related to the risk, especially those q Corporate restructuring
v Risks within divisions, operating units or
involving uncertainty
functions of the organization
v Whether the risk involves significant
transactions that are outside the
normal course of business for the entity,
or that otherwise appear to be unusual
 INFORMATION & COMMUNICATION CONTROL
Information System Accounting Information System Communication
ü Pertains to the initiation, recording, ü Identify and record all valid How the entity communicates roles and
processing and reporting of the transactions (Occurrence and responsibilities of each employee.
entity’s transaction Completeness) Normally in the form of: manuals,
ü Consists of: ü Proper classification of memorandums, bulletin board notices.
ü People transactions (Classification)
ü Input data ü Proper measurement of the value
of transactions (Accuracy)
ü Infrastructure (physical ü Permits recording of transactions
and hardware in the proper accounting period
components) (Cut-off)
ü Software (processes or ü Present properly the transactions
procedures) and related disclosures (Posting
ü Output or meaningful and summarization)
information
 EXISTING CONTROL ACTIVITIES
ü Policies and procedures that management has established to mitigate the risk that the entity’s
objectives are not met
v Includes review of actual performance as compared to budgets, forecasts and prior period performance
Performance Review v By investigating reasons for unexpected performance, management may make timely changes in
strategies and plans

v The giving of approval before an action

Authorization v General – for routine transactions
v Specific – when transactions are authorized on an individual basis

Physical Controls v Physical security over both assets and documents

v No one person or department should handle all aspects of a transaction from beginning to end
Segregation of Duties v Custody, Authorization, Recording

v To check the accuracy, completeness and authorization of transactions

Information Processing
 MONITORING
Assessment of the quality or performance of internal controls over time

Ongoing Routine monitoring activities which are built into the operations of the organization

Performed on a nonroutine basis such as periodic audits by internal auditors. Occur

Separate with varying frequencies depending on management’s judgment of risks involved
and importance of the processes to the organization

Examples:
q Periodic review of expenses against budget
q Analysis of trends
q Review of performance indicators
q Internal and external audits
q Operations audit
EVALUATION OF INTERNAL CONTROLS

Obtain and Document

Determine NTE of Substantive
Assess CR Test

Perform TOC
 Obtain & Document Understanding of the Control Structure
Goal: How?
ü The auditor should obtain an v Gather evidence about the design of internal controls and whether they have been
implemented
understanding of the client’s internal
v Procedures: Reperformance + IOI (trifecta)
control system, including the related v Identify TRANSACTION CYCLES – policies and sequence of procedures for
business processes, relevant to financial processing a particular transaction
reporting, in order to: v Revenue Cycle
v receive order > approval of credit sales > shipment of goods > billing
ü Identify types of potential
customers > collection
misstatements in the financial v Acquisition Cycle
statements. v processing purchase order > receipt of goods > recognize liability >
ü Identify factors that affect the risk of payment
v Payroll Cycle
material misstatements in the v hiring of employee > preparation of time record > salary computation >
financial statements. payment
ü Design the nature, extent and timing of v Document understanding of the Control Structure
further audit procedures. v Create a Narrative
Origin of Document Disposition of document & recording
Processes Indication of Related Controls
v Internal Control Questionnaire
v Flowcharting
v Walkthrough
 Assessing Control Risk
ü measurement of auditor’s expectation that internal controls will prevent material misstatements
from occurring or detect and correct them if it does occur
ü assess risk for both Financial Statement Level and Assertion Level

Level Response:
Maximum
v controls do not pertain to an assertion v No need for TOC
v controls that pertain are unlikely to be effective v More Substantive Tests
v evaluating the effectiveness of relevant controls would be inefficient

Less than Maximum

v relevant controls are likely to prevent or detect and correct material v Perform TOC that the auditor intends to rely upon to evaluate
misstatements the effectiveness of such control
v Less Substantive Tests
 Performing TOCs
ü Evaluate the design of relevant control – involves determining whether the control, individually or
in combination with other controls, is capable of effectively preventing or detecting and
correcting material misstatements
ü Determine whether the control has been implemented

Major Emphasis: How? (Procedures)

v Assets are properly protected vIOI
v Duties are segregated vReperformance
v Transactions are authorized
 COMMUNICATION WITH TCWG
ü The auditor should make management aware, as soon as practicable and at an appropriate level
of responsibility, of material weaknesses in the design or operation of the internal control system,
which have come to the auditor’s attention. (Reportable Conditions)
ü Through: Management Letter