CHAPTER 13: INTERNAL CONTROL PDF

Preview

Summary

CHAPTER 13OVERVIEW OF INTERNAL CONTROLNATURE AND PURPOSE OF INTERNAL CONTROLInternal control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliabili...

Description

CHAPTER 13 OVERVIEW OF INTERNAL CONTROL

NATURE AND PURPOSE OF INTERNAL CONTROL Internal control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliancewith applicable laws and regulations. It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives. INTERNAL CONTROL SYSTEM DEFINED Internal control system means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. The internal control system extends beyond these matters which relate directly tothe functions of the accounting system and consists of the following components: a. the control environment; b. the entity's risk assessment process; c. the information system, including the related business processes, relevant to financial reporting, and communication; d. control activities; e. monitoring of controls. A. Control Environment The control environment which means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. Factors reflected in the controlenvironment include: 

The function of the board of directors and its committees;



Management's philosophy and operating style;



The entity's organizational structure and methods of assigning authority and responsibility;



Management's control system including the internal audit function, personnel policies and procedures and segregation of duties.

The environment in which internal control operates has an impact on theeffectiveness of the specific control procedures. Several factors comprise the control environment including: 1. Communication and Enforcement of Integrity and Ethical Values Integrity and ethical values are essential elements of the internal control environment. They affect the design, administration, and monitoring of other components of internal control. Integrity and ethical values include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal,or unethical acts. They also include the communication of entity valuesand behavioral standards to personnel through policy statements, a code of conduct, and management's example of appropriate behavior. 2. Commitment to Competence Commitment to competence means thatmanagement considers the competence levels for particular jobs in determining the skills and knowledge required of each employee and thatit hires employees competent to perform the tasks. 3. Participation by those Charged with Governance An entity's control consciousness is influenced significantly by those charged with governance. The responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures and the process for reviewing the effectiveness of the entity's internal control. 4. Management's Philosophy and Operating Style This refers to management's attitude towards (a) business risk, (b) financial reporting, (c) meeting budget, profit and other established goals which all have impact on the reliability of the financial statements. Management's approach to taking and monitoring business risks, its conservative or aggressive selection from alternative accounting principles, its conscientiousness and conservatism in developing accounting estimates, and its attitude toward information processing and the accounting function and personnel are factors that affect the control environment. 5. Organizational Structure The responsibilities and authorities of the various personnel within the organization should be established in such a manner as to (1) assist the entity in meeting its goals and objectives and (2) ensure that transactions are processed, recorded, summarized and reported in an accurate and timely manner. Organizational structure provides the overall framework for planning, directing and controlling operations. 6. Assignment of Authority and Responsibility Personnel within an organization need to have a clear understanding of their responsibilities and the rules and regulations that govern their actions. Management may develop job descriptions, computer system documentation. It may also establish policies regarding acceptable business practice, conflicts of interest and code of conduct.

7. Human Resources Policies and Procedures Perhaps the most important element of an internal accounting control system is the people who perform and execute the established policies and procedures. Personnel policies should be adopted by the client to reasonably ensure that only capable and honest persons are hired and retained. Policies with respect to employee selection, training, and supervision should be adopted and implemented by the client. B. Entity's Risk Assessment Process Risk assessment is the "identification, analysis, and management of risks pertaining to the preparation of financial statements". An entity's risk assessment process is its process for identifying and responding to business risks and the results thereof. For financial reporting purposes, the entity's risk assessment process includes how management identifies risks relevant to the preparation of financial statements that arepresented fairly, in all material respects in accordance with the entity's applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following: 

Changes in operating environment. Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.



New personnel. New personnel may have a different focus on or understanding of internal control.



New or revamped information systems. Significant and rapid changes in information systems can change the risk relating to internal control.



Rapid growth - Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.



New technology - Incorporating new technologies into production processes or information systems may change the risk associated with internal control.



New business models, products, or activities -Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.



Corporate restructurings -Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.



Expanded foreign operations - The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control.



New accounting pronouncements - Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

C. Information System, including the Business Processes, Relevant to Financial Reporting and Communication An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. It includes the accounting system, consists of the procedures and records designed and established to:: 

Initiate, record, process and report entity transactions



Resolve incorrect processing of transactions



Process and account for systems overrides or bypasses to controls



Transfer information from transaction processing systems to the general ledger



Capture information relevant to financial reporting



Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized and appropriately reported in the financial statements.

Journal Entries An entity's information system typically includes the use of standard journal entries that are required on a recurring basis to record transactions such as to record purchase, sales and disbursements. On the other hand, the use of non-standard journal entries to record non-recurring, unusual transactions or adjustments like consolidating adjustments. Related Business Processes 

Develop, purchase, produce, sell and distribute an entity’s products and services



Ensure compliance with laws and regulations



Recording of accounting and financial reporting information

Business processes result in the transactions that are recorded, processed and reported by the information system. Understanding the entity's business processes, and how transactions are originated, assists the auditor obtain an understanding of the entity's information system relevant to financial reporting in a manner that is appropriate to the entity's circumstances. Thus, an information system encompasses methods and records that: • Identify and record all valid transactions. • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.

• Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements. • Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period. • Present properly the transactions and related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Thus, open communication channels help ensure that exceptions are reported and acted on. Application to Small Entities Information systems, related business processes, and communication may be less formal and easier to achieve in a smaller entity than in a larger entity due to the small entity's size and fewer levels as well as management's greater visibility and availability. D. CONTROL ACTIVITIES Control activities are the policies and procedures that help ensure that management directives are carried out. The major categories of control procedures are: A. Performance Review – it uses accounting and operating data to assess performance, and it then takes corrective action. Such reviews include: • comparing actual performance with prior period performance, •investigating performance indicators based on operating or financial data, such as quantity or purchase price variances •reviewing functional or activity performance, such as relating the performance of a manager responsible for a bank's consumer loans with some standard B. Information Processing Controls - are policies and procedures designed to require authorization of transactions and to ensure the accuracy and completeness of transaction processing. Control activities may be classified according to the scope of the system they affect. General controls are control activities that prevent or detect errors or irregularities for all accounting systems. Application controls - are controls that pertain to the processing of a specific type of transactions such a payroll, or sales and collections. These controls help ensure that transactions occurred are authorized and are completely and accurately recorded and processed. Examples of application controls includes:

   

checking the arithmetical accuracy of records maintaining and reviewing accounts and trial balances automated controls (such as input data and numerical sequence checks);and manual follow-up of exception reports

General IT Controls - are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.

General IT Controls commonly includes:   

controls over data center and network operations; access security; and application system acquisition, development, and maintenance

Internal controls relating to the accounting systems are concerned with achieving objectives such as:  

 

Transaction are executed in accordance with management’s general or specific authorization All transactions and other events are promptly recorded in the correct amount, in the appropriate accounts and in the proper accounting period so as to permit preparation of financial statements in accordance with an identified financial reporting framework. Access to assets and records is permitted only in accordance with management’s authorization. Recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken regarding any differences.

Control activities related to the processing of transactions may be grouped as follows: (1) Proper authorization of transactions and activities - the authorization for the execution of transactions flows from the stockholders to management and its subordinates. (2) Segregation of duties - an important element in designing an internal accounting control system that safeguards assets and reasonably ensures the reliability of the accounting records (3) Adequate documents and records - it allows the company to obtain reasonable assurance that all valid transactions have been recorded (4) Access to assets - the resources of a client can be protected by the establishment of physical barriers and appropriate policies (5) Independent checks on performance - the objective of a well-designed internal accounting control system is the adoption of procedures that periodically compare the actual asset with its recorded balance

C. Physical Controls Controls that encompasses:   

The physical security of assets The authorization for access to computer programs and data files The periodic counting and comparison with amounts shown on control records

The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation.

D. Monitoring of Controls Monitoring, the final component of internal control, is the process that an entity uses to assess the quality of internal control over time. Monitoring involves the assessing the design and operation of controls on a timely basis and taking corrective action as necessary. Monitoring activities may include using information from communications from external parties that may indicate problems are highlight areas in need of improvement. For example, customers implicitly corroborate sales data by paying their bills or raising questions and customers implicitly corroborate billing data by paying their invoices or complaining about their charges.

Applications to Small Entities Ongoing monitoring activities of small entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will...