Chapter 8 – Internal Control and COSO Framework

Author: Pirates!
Course: Auditing Standards and Application
Institution: University of Ontario Institute of Technology
Pages: 11


Internal Control Objectives

A system of internal control consists of policies and procedures designed and implemented by management to mitigate risk and to provide reasonable assurance that the company can achieve its objectives and goals. Management designs systems of internal control to accomplish the following four broad objectives:
1. Strategic, high-level goals that support the mission of the entity
2. Reliability of financial reporting
3. Efficiency and effectiveness of operations
4. Compliance with laws and regulations

The Responsibilities of Management and the Auditor

Reasonable Assurance

A company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated. Management develops internal controls after considering both the costs and benefits of the controls.

Inherent Limitations

The effectiveness of the system also depends on the competence and dependability of the people using it; those conducting internal controls should be competent. Collusion among employees to commit fraud is a further limitation that no system of controls fully removes.

Management’s Reporting Responsibilities

The internal control framework used by most public companies is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework is the internal control equivalent of generally accepted accounting policies (GAAP). The COSO framework is used to assess the effectiveness of internal control over financial reporting.

Auditor’s Responsibilities

Auditors are responsible for understanding the entity’s internal controls where they are relevant to the audit.

Relevant Controls

Not all controls are relevant to the audit. Operational controls, such as manufacturing quality control and employee compliance with health and safety guidelines, would not normally be relevant to the audit, except where the information produced is used to develop analytical procedures or the information is required for disclosure in the financial statements. Controls affecting internal management information, such as budgets and internal performance reports, can also be relevant if the management information is used to develop expectations for analytical procedures.

Entity-Level Controls and Transaction Controls

Entity-level controls are those controls that are pervasive in nature and do not address particular transaction cycles but may prevent, or detect and correct, misstatements in several cycles. Entity-level controls, such as controls over management override, period-end reporting, hiring competent staff, and fraud-risk controls, have an impact on all other control processes. Transaction controls are specific controls designed to prevent, or detect and correct, misstatements in classes of transactions, account balances, or disclosures and their related assertions. Auditors are primarily focused on risk at the assertion level and are therefore concerned with the transaction-related audit objectives and assertions. Transaction-related audit objectives and assertions are five audit objectives that must be met before the auditor can conclude that the total for any given class of transactions is fairly stated; the assertions are occurrence, completeness, accuracy, cutoff, and classification.

COSO Components of Internal Control

Control Environment

Principle 1: Demonstrate Commitment to Integrity and Ethical Values

The organization should have standards that guide its behaviour and a process to communicate those standards of conduct throughout the organization, including external partners and outsourced service providers. The organization should also have in place a process to evaluate the performance of individuals and teams against those standards of conduct.

Principle 2: Board of Directors Exercises Oversight Responsibility

An effective board of directors has the appropriate background and expertise, its outside directors are independent of management, and its members are involved in and scrutinize management’s activities.

The audit committee considers the potential for management override of internal controls and oversees management’s fraud-risk assessment process, as well as antifraud programs and controls.

Principle 3: Management Establishes Structure, Authority and Responsibility

Questions to consider:
o Are there adequate policies and procedures for authorization and approval of transactions?
o Is there an appropriate structure for assigning ownership of data, including who is authorized to initiate and/or change transactions?
o Is ownership assigned to each application and database?
o Is there appropriate segregation of incompatible activities, both physically and through access to IT infrastructure?
o Are outsourced service providers’ authority and responsibility limited by the organization’s guidelines?
o Are there appropriate policies for accepting new business, conflicts of business, and security practices?

Principle 4: Commitment to Competence

If employees are competent and trustworthy, other controls can be absent, and reliable financial statements will still result. However, incompetent or dishonest people can have the opposite effect regardless of the number of controls present.

Principle 5: Organization Establishes and Enforces Accountability

A well-controlled organization should have a structure and tone at the top that establishes and enforces individual accountability for internal control. Does management set realistic financial targets and expectations for operations personnel? Do the board and management act to reduce or remove incentives or temptations that might prompt employees to engage in dishonest, illegal, or unethical acts?

Risk Assessment

Principle 6: Organization Specifies Relevant Objectives

Management should consider whether its reporting objectives are consistent with the relevant financial reporting framework and appropriate in the circumstances. Management should also establish a materiality threshold for the purpose of identifying significant accounts.

Principle 7: Identifies and Assesses Risks

A risk assessment process would normally address such matters as the following: changes in the operating environment; new or revamped information systems; rapid growth; new business models, products, or activities; corporate restructuring; expanded foreign operations; and new accounting pronouncements.

Principle 8: Considers the Potential for Fraud in Assessing Risk

The organization considers risks related to financial reporting, management override, misappropriation of assets, and corruption. The assessment should consider the various ways that financial reporting fraud could occur:
o Management bias in selection of accounting policies;
o Degree of estimates and judgments in external reporting;
o Fraud schemes and scenarios common to the industry in which the organization operates;
o Geographic regions;
o Incentives that may motivate fraudulent behaviour;
o Nature of technology and management’s ability to manipulate information;
o Unusual or complex transactions subject to significant management influence; and
o Vulnerability to management override and potential schemes to circumvent controls.

Principle 9: Identifies and Assesses Significant Changes

Change creates risk; therefore, management should implement processes that enable it to identify and evaluate changes in the external and internal environment that could significantly impact the system of internal control. The auditor should ask, “Does the organization have processes to consider changes in management and their respective attitudes and philosophies?”

Control Activities

Principle 10: Selects and Develops Control Activities

Control activities will vary among organizations. Some key points to consider when determining if all risks are addressed:
o Are all relevant business processes, information technology, and locations where control activities are needed (including outsourced service providers and other business partners) considered?
o Are control activities related to the integrity of information sent to and received from outsourced service providers considered?
o Are the controls performed by outsourced service providers adequate?

Transaction (or Application) Controls

Transaction or application controls are control activities implemented to mitigate transaction processing risk for specific business processes, such as the processing of sales or cash receipts. Preventive controls are designed to stop errors or fraud from occurring (e.g., supervisor review of a journal entry or purchase order, or automated input edit controls). Detective controls identify errors or irregularities after they have occurred so corrective action can be taken (e.g., reconciliations, validation of results). A business process is a structured set of activities designed to produce specified output.
o An example of a business process or application system would be a sales system.
Typical control activities of the business processes include:
o Proper authorization of transactions and activities
o Adequate documents and records
o Physical and logical control over assets and records
o Adequate segregation of duties
o Independent checks of performance, recorded data, and actual results

Proper Authorization of Transactions and Activities

Under general authorization, management establishes policies, and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy. Specific authorization applies to individual transactions.
o An example is the authorization of a sales transaction by the sales manager for a used-car company.
Approval is the implementation of management’s general authorization decisions.

Adequate Documents and Records

They include such diverse items as sales invoices, purchase orders, subsidiary records, sales journals, and employee time cards. Documents should be:
o Pre-numbered or automatically numbered consecutively, to facilitate control over missing records and to aid in locating records when they are needed at a later date
o Prepared at the time a transaction takes place, or as soon as possible thereafter, to minimize timing errors (the cutoff assertion)
o Designed for multiple use, when possible, to minimize the number of different forms
o Constructed in a manner that encourages correct preparation
A control closely related to documents and records is the chart of accounts, which classifies transactions into individual balance sheet and income statement accounts.

Physical Control Over Assets and Records

If assets are left unprotected, they can be stolen. If records are not adequately protected, they can be duplicated, stolen, damaged, or lost. When a company is highly computerized, its computer equipment, programs, and data files represent the records of the company that must be protected. Examples of physical controls include locks, backups, and security cameras.

Adequate Segregation of Duties

Naturally, the extent of segregation of duties depends heavily on the size of the organization.

Separation of Custody of Assets from Accounting

The reason for not permitting the person who has temporary or permanent custody of an asset to account for that asset is to protect the firm against theft. When one person performs both custody and accounting functions, there is an excessive risk of that person disposing of or using the asset for personal gain and adjusting the records to hide the theft or use.

Separation of the Authorization of Transactions from the Custody of Related Assets

It is desirable to prevent persons who authorize transactions from having control over the related assets, to reduce the likelihood of embezzlement.
o For example, the same person should not authorize the payment of a vendor’s invoice and also approve the disbursement of funds to pay the bill.

Separation of Operation Responsibility from Record-Keeping Responsibility

To ensure unbiased information, record-keeping is typically included in a separate accounting department under the controller.
o For example, if a department or division oversees the creation of its own records and reports, it might change the results to improve its reported performance.

Separation of Reconciliation from Data Entry

Reconciliation involves comparing information from two or more sources, or independently verifying the work that has been completed by others.

Separation of IT Duties from User Departments

As the level of complexity of IT systems increases, the separation of authorization, record keeping, and custody often becomes blurred.
o For example, sales agents may enter customer orders online. The computer then plays a significant role in the authorization and record keeping of sales transactions.

Independent Checks of Performance, Recorded Data, and Actual Results

The need for careful and continuous review of the other controls, often referred to as independent checks on performance or internal verification, arises because internal control tends to change over time unless there is a mechanism for frequent review. In the case of manual reviews, an essential characteristic of the persons performing internal verification procedures is independence from the individuals originally responsible for preparing the data. The least expensive means of internal verification is the separation of duties.

Software Application Controls

Application controls designed for each software application are intended to help a company satisfy the transaction-related management assertions. Input controls are designed to ensure that the information entered into the computer is authorized, accurate, and complete.

Processing controls prevent and detect errors while transaction data are processed. General controls, especially controls related to systems development and security, provide essential control for minimizing processing error. Output controls focus on detecting errors after processing is completed, rather than on preventing errors.
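As an added illustration (not from the chapter or its source textbook) of how the preventive and detective controls above, the pre-numbering of documents, and the separation of authorization from custody can be checked in software, the following Python runs an input edit control and two detective checks over a constructed purchase-disbursement log. The record fields, the user names and the general-authorization limit are all assumptions made for the example.

```python
"""Added example: preventive input-edit control plus detective checks
(sequence gaps in pre-numbered documents, segregation-of-duties violations)
over a constructed purchase-disbursement log. All data is made up."""

APPROVAL_LIMIT = 5000.00  # assumed general-authorization limit per transaction

# Constructed sample log: each purchase order is authorized, then paid.
TRANSACTIONS = [
    {"no": 1001, "amount": 1200.00, "vendor": "Acme", "authorized_by": "alice", "paid_by": "bob"},
    {"no": 1002, "amount": 7300.00, "vendor": "Acme", "authorized_by": "alice", "paid_by": "bob"},
    {"no": 1003, "amount": 950.00, "vendor": "", "authorized_by": "alice", "paid_by": "carol"},
    {"no": 1005, "amount": 410.00, "vendor": "Globex", "authorized_by": "dave", "paid_by": "dave"},
]


def input_edit_check(tx):
    """Preventive control: reject incomplete or out-of-policy input at entry time.
    Returns a list of reasons; an empty list means the record passes."""
    errors = []
    if not tx.get("vendor"):
        errors.append("missing vendor")  # completeness
    amount = tx.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("invalid amount")  # accuracy
    elif amount > APPROVAL_LIMIT:
        # Above the general-authorization limit: needs specific authorization.
        errors.append("exceeds general authorization limit")
    if not tx.get("authorized_by"):
        errors.append("no authorization")  # occurrence / authorization
    return errors


def sequence_gaps(txs):
    """Detective control: consecutive numbering lets missing records be spotted."""
    present = {t["no"] for t in txs}
    lo, hi = min(present), max(present)
    return [n for n in range(lo, hi + 1) if n not in present]


def sod_violations(txs):
    """Detective control: the person who authorizes a payment must not also
    approve the disbursement of funds for it."""
    return [t["no"] for t in txs if t["authorized_by"] == t["paid_by"]]


def run_controls(txs):
    """Run the preventive check on every record and the detective checks on the log."""
    rejected = {t["no"]: input_edit_check(t) for t in txs}
    rejected = {no: why for no, why in rejected.items() if why}
    return {"rejected": rejected, "gaps": sequence_gaps(txs), "sod": sod_violations(txs)}


if __name__ == "__main__":
    print(run_controls(TRANSACTIONS))
```

On the constructed log, 1002 is held for specific authorization, 1003 is rejected as incomplete, document 1004 is reported missing, and 1005 is flagged because one person both authorized and paid it.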

Principle 11: Selects and Develops General Controls Over Technology

Practically all organizations rely upon some sort of information technology to enable reliable financial reporting. For the application (transaction) controls to operate effectively, the organization must have effective general IT controls (normally called general controls) over the internal control activities that are pervasive (they operate across applications) and affect multiple classes of transactions or multiple groups of accounts.

Information and Communication

The purpose of an entity’s accounting information and communication systems is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.

These systems support the business processes and include controls over the following: (1) the transfer of business process information to the general ledger; (2) the capture of relevant events/conditions, such as amortization, valuation of inventory and accounts receivable, and other estimates that are not transaction based; (3) journal entries; and (4) the accumulation and summation of other information that must be disclosed in the financial statements.

Principle 13: Obtains or Generates Relevant, Quality Information

An organization must have established information requirements to support effective operation of controls within the five components of internal control. Controls should be developed and implemented related to:
o Completeness and accuracy of data;
o Capture of data at the necessary frequency;
o Provision of information when needed;
o Protection of sensitive data;
o Retention of data to comply with relevant business, audit, and regulatory needs.

Principle 14: Communicates Internally

Communication within the organization includes both formal and informal communication, such as policy manuals, newsletters, job descriptions, and training sessions.

The organization’s messaging should reinforce the idea that internal control responsibilities must be taken seriously and that critical information should be disseminated quickly.

Principle 15: Communicates Externally

The organization should have in place processes to communicate relevant and timely information to external parties, including shareholders, members, partners, owners, regulators, customers, financial analysts, and any other relevant stakeholder. Many organizations have separate communication channels, such as a whistleblower hotline, to allow direct communication with management and personnel.

Monitoring

Principle 16: Selects, Develops, and Performs Ongoing and Separate Evaluations

Monitoring should include evaluation built into business/financial reporting and performed on a real-time basis (ongoing), as well as separate periodic evaluations. For many companies, especially larger ones, a competent internal audit department is essential for effective monitoring of internal controls, and the department often performs the periodic reviews.

Principle 17: Evaluates and Communicates Deficiencies

Internal control deficiencies need to be reported in a timely manner to those responsible for taking corrective action, senior management, and the board of directors (or the audit committee).

Understanding Controls of Small Business 

While it is difficult for a small company to formalize all its policies, it is certainly possible for a small company to implement some practical controls, such as a culture that values ethics; competent, trustworthy personnel with clear lines of authority; proper procedures for authorization, execution, and recording of transactions; adequate documents, records, and reports; physical controls over assets and records; and, to a limited degree, checks on performance...
