Internal Control over Financial Reporting 1

Chapter 3: INTERNAL CONTROL OVER FINANCIAL • Effective internal control needs to:
REPORTING: RESPONSIBILITIES OF MANAGEMENT AND
• Be effectively designed and
THE EXTERNAL AUDITORS
implemented
THE AUDIT OPINION FORMULATION PROCESS
• Operate effectively

**Exhibit 3.1 - COSO Framework for Internal Control

Importance of Internal Control Over Financial

Reporting

• Internal control helps:

• Mitigate risks of not achieving

Components of internal control
organizational objectives
• Control environment
• Provide assurance regarding reliability
of financial information • Set of standards, processes, and
structures that provides the basis for
• Reduce occurrence of unforeseen
carrying out internal control across the
circumstances
organization
• Improve quality of information
• Includes the tone at the top regarding
Internal Control - Integrated Framework importance of:

• COSO defines internal control as a process: • Internal control

• Effected by an entity’s board of • Expected standards of conduct

directors, management, and other
• Risk assessment: Process for identifying and
personnel
assessing risks that may affect organizations
• Designed to provide reasonable from achieving objectives
assurance regarding achievement of
• Components of internal control
objectives relating to operations,
reporting, and compliance • Control activities: Actions established by
policies and procedures
Internal Control over Financial Reporting 2

• Help ensure that management’s 3. Management establishes, with board oversight,

directives regarding internal control are structures, reporting lines, and appropriate authorities
carried out and responsibilities in the pursuit of objectives.

• Information and communication 4. The organization demonstrates a commitment to

attract, develop, and retain competent individuals in
• Information from internal and external
alignment with objectives..
sources
5. The organization holds individuals accountable for
• Communication is the process of their internal control responsibilities in the pursuit of
providing, sharing, and obtaining objectives
necessary information
COSO Component - Risk Assessment
• Monitoring: Helps determine whether the
controls are present and continuing to function • Internal sources of risk
effectively
• Changes in management
• Describe the Control Environment responsibilities
Component of Internal Control, List its
Principles, and Provide Examples of • Changes in internal information
technology
Each Principle

COSO Component: Control Environment • Poorly conceived business model

• Foundation for all other components of internal • External sources of risks

control • Economic recessions decrease product
• A strong control environment protects against or service demand
risks related to reliability of financial statements • Increase in competition
• Examples of control environment deficiencies • Changes in regulation that make the
• Low level of control consciousness business model unsustainable
within an organization • Changes in the reliability of source
• Audit committee not having goods that reduce profitability
independent members COSO Component - Risk Assessment PRINCIPLES
• Absence of an ethics policy within an 6. The organization specifies objectives with sufficient
organization clarity to enable the identification and assessment of
COSO Component: Control Environment PRINCIPLES risks relating to objectives.

1. The organization demonstrates a commitment to 7. The organization identifies risks to the achievement
integrity and ethical values. of its objectives across the entity and analyzes risks as a
2. The board of directors demonstrates independence basis for determining how the risks should be managed.
from management and exercises oversight of the
development and performance of internal control.
Internal Control over Financial Reporting 3

8. The organization considers the potential for fraud in • The underlying estimation
assessing risks to the achievement of objectives. model reflects current
economic conditions and has
9. The organization identifies and assesses changes that proven to provide reasonable
could significantly impact the system of internal control. estimates in the past
COSO Component: Control Activities
• Transaction Processing
• Ensure that management’s directives regarding
• Adjusting, Closing, and Other Unusual Entries
controls are accomplished
• Control activities include:
• Performed within processes
• Documented support for all
• May be preventive or detective entries
• May be manual or automated • Reference to underlying
COSO Component: Control Activities PRINCIPLES supporting data with a well-
developed transaction trail
10. The organization selects and develops control
activities that contribute to the mitigation of risks to the • Transaction trail:
achievement of objectives to acceptable levels. Records that allow
auditors to trace
11. The organization selects and develops general transactions from
control activities over technology to support the origination through
achievement of objectives. final disposition, or vice
versa
12. The organization deploys control activities through
policies that establish what is expected and in • Review by CFO or controller
procedures that put policies into action.
Automated and Manual Transaction Controls
Transaction Processing
• Input Controls: Designed to ensure that
• Business Process Transactions authorized transactions are correct and
complete, and that only authorized transactions
• Control activities include verifications,
can be input
reconciliations, authorizations and
approvals • Processing controls: Designed to ensure that:

• Accounting Estimates • Correct program used for

processing
• Control activities should provide
reasonable assurance that: • All transactions are processed

• The data are accurate • Transactions update

appropriate files
• The estimates are faithful to the
data
Internal Control over Financial Reporting 4

• Output controls: Designed to ensure that: • Communication

• All data are completely • Process of providing, sharing,

processed and obtaining information
internally
• Output is distributed only to
authorized recipients • Requires two-way
communication with external
Other Important Control Activities parties
• Segregation of duties: Protect against risk that COSO Component - Information and Communication
individuals may collude to conceal a fraud PRINCIPLES
• Requires that a minimum of two 13. The organization obtains or generates and uses
employees be involved such that one relevant, quality information to support the functioning
does not have:
of internal control.
• Authority and ability to process 14. The organization internally communicates
transactions information, including objectives and responsibilities for
• Custodial responsibilities internal control, necessary to support the functioning of
internal control.
• Physical controls over assets: Protect and
safeguard assets from accidental or intentional 15. The organization communicates with external
destruction and theft parties regarding matters affecting the functioning of
internal control.
• Describe the Information and
Communication Component of COSO Component - Monitoring
Internal Control, List Its • Process that provides feedback on effectiveness
Principles, and Provide of each of the five components of internal
Examples of Each Principle control
COSO Component - Information and Communication • Managers select either of the following or a
• Process of identifying, capturing, and combination of both
exchanging information in a timely fashion to
• Mix of ongoing evaluations
enable accomplishment of the organization’s
objectives • Separate evaluations

• Information • Requires that identified deficiencies in internal

control be communicated to the personnel
• Required by an organization
concerned with follow-up action taken
from internal and external
sources to carry out its internal
control responsibilities
Internal Control over Financial Reporting 5

COSO Component – Monitoring PRINCIPLES by those responsible for oversight of the company’s
financial reporting
16. The organization selects, develops, and performs
ongoing and/or separate evaluations to ascertain • Material weakness : A deficiency, or a
whether the components of internal control are present combination of deficiencies, in internal control over
and functioning. financial reporting, such that there is a reasonable
possibility that a material misstatement of the
17. The organization evaluates and communicates company’s annual or interim financial statements
internal control deficiencies in a timely manner to those will not be prevented or detected on a timely basis
parties responsible for taking corrective action,
including senior management and the board of INDICATORS OF A MATERIAL WEAKNESS
directors, as appropriate.
• Identification of fraud, whether or not material,
MANAGEMENT RESPONSIBILITES on the part of senior management

• Design, implement, maintain internal control to • Multiple control deficiencies affecting the same
mitigate risks of material misstatements in the financial statement account
financial statements
• Significant deficiencies from the previous
• Document internal control
management report that the organization has
• Test effectiveness of internal control not remediated

• Annually report on the design and operating • Restatement of previously issued financial
effectiveness of controls statements to reflect the correction of a
material misstatement
STEPS IN MANAGEMENT’S EVALUATION OF INTERNAL
CONTROL OVER FINANCIAL REPORTING Importance of Internal Control FOR the External Audit
1. Identify Financial Reporting Risks and Controls
Implemented to Mitigate those risks
2. Evaluate the Operating effectiveness of internal • Auditors are required to identify and assess
control over financial reporting risks of material misstatement due to fraud or
3. Provide Report on effectiveness of internal error
control over financial reporting
• The auditor needs to understand the
Assessing Internal Control Deficiencies company’s internal controls to
determine appropriate audit
• Control deficiency: Shortcoming in internal procedures
controls such that objective of reliable financial
reporting may not be achieved • Integrated audit: Occurs when an auditor
provides an opinion on:
• Could be in design or operation
• The effectiveness of the client’s internal
• Significant deficiency: A deficiency, or a control over financial reporting and
combination of deficiencies, in internal control over
financial reporting that is less severe than a material • The financial statements
weakness, yet important enough to merit attention