Internal Auditing: Assurance & Advisory Services

4th edition

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Control

Chapter 6

Chapter 6: Internal Control

Learning objectives

Understand what is meant by internal control in a variety of frameworks.

Identify the objectives, components, and principles of an effective internal control framework.

Know the roles and responsibilities each group in an organization has regarding internal control.

Identify the different types of controls and the appropriate application for each of them.

Obtain an awareness of the process for evaluating the system of internal controls.

Standards Relevant to Internal Control

Frameworks

A framework is a body of guiding principles that form a template against which organizations can evaluate a multitude of business practices.

These principles are comprised of various concepts, values, assumptions, and practices intended to provide a benchmark against which an organization can assess or evaluate a particular structure, process, or environment, or a group of practices or procedures.

Specific to the practice of internal auditing, various frameworks are used to assess the design adequacy and operating effectiveness of controls.

Internal control frameworks

There are no substantive differences among COSO, CoCo, and FRC Internal Control Guidance. All of the frameworks include definitions of internal control that describe a process that provides reasonable assurance for achieving the objectives of an organization in three specific categories: effectiveness and efficiency of operations, reliability of reporting, and compliance.

The components of each internal control framework are basically the same and can be examined using the COSO titles for each component. They are: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.

U.S. SARBANES-OXLEY ACT OF 2002 COMPLIANCE

Many organizations were able to successfully apply the COSO frameworks in their efforts to comply with Section 404 of Sarbanes-Oxley, despite encountering significant unanticipated costs. Smaller publicly held companies (as defined in exhibit 6-4), on the other hand, struggled to comply due to the prohibitive costs as well as several other challenges unique to smaller organizations.

Definition of internal control

COSO broadly defines internal control as:

. . . a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

This definition emphasizes that internal control is:

Geared to the achievement of objectives in one or more separate but overlapping categories—operations, reporting, and compliance.

A process consisting of ongoing tasks and activities—a means to an end, not an end in itself.

Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.

Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and board of directors.

Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 1.

THE OBJECTIVES, COMPONENTS, AND PRINCIPLES OF INTERNAL CONTROL

COSO explains, “A direct relationship exists between objectives, which are what an entity strives to achieve, components [and principles], which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube.”*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 5.

THE PRINCIPLES OF INTERNAL CONTROL

In addition to the five integrated components, COSO also defines 17 supporting principles representing the fundamental concepts associated with each component of internal control.

Control Objectives

The COSO framework sets forth three categories of objectives, which allow organizations to focus on differing aspects of internal control:

Operations Objectives - These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.

Reporting Objectives - These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.

Compliance Objectives - These pertain to adherence to laws and regulations to which the entity is subject.*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 2.

Internal Control Components

COSO indicates, “Supporting the organization in its efforts to achieve objectives are five components of internal control:

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring Activities

These components are relevant to an entire entity and to the entity level, its subsidiaries, divisions, or any of its individual operating units, functions, or other subsets of the entity.”*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 5.

Monitoring

INTERNAL CONTROL ROLES AND RESPONSIBILITIES

Everyone in an organization has responsibility for internal control: 

Board of Directors

Management

Internal Auditors

Other Personnel

There are legitimate reasons for different groups to be interested in different objectives. Likewise, different groups, because of their different perspectives, will perceive the benefits and related costs of internal control very differently, which is valuable to the organization when assessing the adequate design and effective operation of internal control.

Inherent Risk, Controllable Risk, and Residual Risk

Inherent risk is the gross risk that exists assuming there are no internal controls in place. Acknowledgement of the existence of inherent risk and that certain events or conditions are simply outside of management’s control (external risks) is critical to recognizing the inherent limitations of internal control.

Identifying external and internal risks at an entity and activity (process and transaction) level is fundamental to effective risk assessment. Once key risks have been identified, management can link them to business objectives and the related business processes.

Once entity-level and activity-level risks have been identified, they must be assessed in terms of impact and likelihood. Risk analysis processes vary depending on many factors specific to an organization, but typically they include:

Estimating the impact (or severity) of a risk.

Assessing the likelihood (or frequency) of the risk occurring (probability).

Considering how to manage the risk—that is, assessing what actions to take.

Inherent Risk, Controllable Risk, and Residual Risk (cont’d)

Controls: risk responses management takes to reduce the impact and/or likelihood of threats to objective achievement.

Risk appetite: the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value*

Acceptable variation in performance: the boundaries of acceptable outcomes related to achieving a business objective (both the boundary of exceeding the target and the boundary of trailing the target)**

Controllable risk: that portion of inherent risk that management can directly influence and reduce through day-to-day business activities.

Residual risk: the portion of inherent risk that remains after mitigating all controllable risks.

* ERM exposure draft glossary, page 105

** ERM exposure draft glossary, page 19

LIMITATIONS OF INTERNAL CONTROL

While internal control provides reasonable assurance of achieving the entity’s objectives, limitations do exist. Internal control cannot prevent bad judgments or decisions, or external events that can cause an organization to fail to achieve its operational goals. In other words, even an effective system of internal control can experience a failure. Limitations may result from the: 

Suitability of objectives established as a precondition to internal control.

Reality that human judgment in decision-making can be faulty and subject to bias.

Breakdowns that can occur because of human failures such as simple errors.

Ability of management to override internal control.

Ability of management, other personnel, and/or third parties to circumvent controls through collusion.

External events beyond the organization’s control.

While a well-designed system of internal controls can provide reasonable assurance to management relative to achievement of the organization’s objectives, no system of internal controls can provide absolute assurance for the reasons listed above.*

* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 9.

TYPES OF CONTROLS

There are many types of controls that are used by an organization to increase the likelihood that objectives will be met:

Entity-level, Process-level, and Transaction-level Controls

Key Controls and Secondary Controls

Compensating Controls

Preventive and Detective Controls

Information Systems (Technology) Controls

Specific controls can fit into several categories at the same time. For example, a control can be an entity-level control at the same time that it is a key control. That same control also can be a detective control.

EVALUATING THE SYSTEM OF INTERNAL CONTROLS

Management is responsible for putting in place adequately designed and effectively operating entity-level and activity-level controls to mitigate risks associated with the achievement of business objectives in each of the three COSO-defined categories: operations, reporting, and compliance.

Internal auditors play a significant role in the verification that management has met its responsibility. Initially, management performs the primary assessment of internal controls using a formalized process developed for that purpose. The internal audit function then independently validates management’s results.

A report is typically submitted to the audit committee by either senior management or the CAE outlining the results of management’s assessment regarding the design adequacy and operating effectiveness of the organization’s system of internal controls.
