
COSO defines internal controls how?

A process effected by an entity's BoD, mgt, and other personnel, designed to provide a reasonable assurance regarding the achievement of objectives in the following categories:
-Reliability of financial reporting
-Compliance with applicable law and regulations
-Effectiveness and efficiency of operations
COSO stands for?
Committee of Sponsoring Organizations of the Treadway Commission
Internal Control Elements?
Is a process designed to accomplish the organization's objectives
Start at top of organization with BoD and MGT creating and reinforcing a structure and a tone for controls in the org
Directly or indirectly includes all people in the org, ranging from the shipping clerk to the internal auditor to the CFO
Is broader than internal control over financial reporting
Five components of the internal control framework?
MGT must assess risks that affect the accomplishment of internal control objectives (judgmental mistakes)
The control environment (Tone at the Top) is critical in mitigating risks (hiring competent accountants)
Errors can occur in processing, so the org needs to implement control activities designed to prevent and detect errors
MGT should communicate its policies effectively, provide upward information through the entity's information and communication process
MGT should monitor the operation of controls to provide assurance that all five components continue to operate efficiently
Risk management (Risk assessment) is?
Is a process designed to identify potential events that may affect the entity's ability to accomplish its objectives and then to manage those risks within the entity's risk appetite.
What are control activities?
Policies and procedures that are established to assist in accomplishing objectives and to mitigate risks
-Controls can be embedded into processes
What is Information and Communication?
Refers to the process of identifying, capturing, and exchanging information in a timely fashion to enable accomplishment of the org objectives.
-Includes accounting system and methods for recording
-Two-way flow
What is Monitoring?
A process that provides feedback on the effectiveness of the other four components of internal control.
-Can be done through ongoing activities or separate evaluations
What should a skilled auditor do?
Be able to:
-Ask the right questions
-Review BoD minutes
-Assess the adequacy of corporate policies
-Assess the competence of top MGT, BoD, Audit Committee and determine whether policies and procedures have been effectively implemented
7 principles of an effective control environment?
Integrity and ethical values
Importance of the BoD
Mgt's philosophy and operating style
Organizational structure
Commitment to financial reporting competencies
Authority and responsibility
Human Resources
Integrity and Ethical values
Sound integrity and ethical values, particularly top mgt, are developed and set the standard of conduct for financial reporting
Importance of the BoD
The BoD understands and exercises oversight responsibility related to financial reporting and related internal controls
Management's philosophy and operating style
Mgt philosophy and operating style support achieving effective internal control over financial reporting
-Sets the Tone (high quality financial reporting)
-Articulate objectives (establish and clearly articulate financial reporting objectives and internal controls)
-Selects accounting principles and oversees estimates (mgt follows a disciplined, objective process in selecting accounting principles and developing accounting estimates)
Organizational structure
The organizational structure supports effective internal control over financial reporting
Don't
-Enron outsourced its internal auditing to its external auditors
-WorldCom's internal audit function reported to its CFO and was told to focus on improving operational efficiency
-HealthSouth's internal audit function focused solely on accuracy of data
Commitment to financial reporting competencies
The company retains individuals competent in financial reporting and related oversight roles
Steps
-Identify competencies
-Retain individuals with those competencies
-Periodically evaluate competencies
Authority and responsibility
Mgt and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting
Considerations
-Board oversees financial responsibility
-Defined responsibilities (clearly for all employees)
-Limit of authority (authority includes limitations)
Human resources
Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting
Control Activities elements
Control activities are linked to the risks identified to mitigate those risks
Elements
The design of the controls, which might include policies establishing what should be done or a description of control activities
The operation of controls (procedures implemented consistent with the design of the controls)
Control Activities, which important ones affect the quality of data?
transactions processing
accounting estimates
adjusting and closing journal entries
Controls for adjusting, closing and other journal entries
Documented support for all entries
Reference to underlying supporting data with a well-developed audit trail
Review by the CFO or controller
Independent reviews, as needed, by internal audit to determine that all supporting items are present and entries are appropriate
Preventive and Detective Controls
Preventive - Are designed to prevent the occurrence of a misstatement and should be emphasized in the design of process
Detective - Provide evidence on whether processing has been effective on the functioning of other controls
Examples of Common Internal Control Activities
Recorded transactions are valid, exist, and have occurred
All transactions are recorded
Transactions are properly valued
Transactions are properly presented and disclosed
Transactions relate to rights or obligations of the entity
Common Control Activities
Implemented in almost all accounting systems:
-Segregation of duties
-Authorization procedures
-Adequately documented transaction trail
-Physical controls to safeguard assets
-Reconciliation of control accounts with subsidiary ledgers, of transactions recorded with transactions submitted for processing, and of physical counts of assets with recorded assets
-Competent, trustworthy employees
Segregation of duties
A person should not be in a situation where they could singly perpetrate and cover up a fraudulent transaction
-Authorizing, recording, physical custody should be kept separately
Authorization procedures
Guidelines
-Authorization to enter transactions should be consistent with job
-Ability to commit the org to long-term financial plans should be reserved for high level mgt
-Policies should be clearly spelled out
-Blanket transactions should be reviewed by supervisors
-Authorization should be limited to departments
Adequate Documentation
Documentation should exist to provide evidence of authorization of transactions, the existence, the support for journal entries, and financial commitments.
Auditing in Practice feature demonstrates the linkage of control weaknesses and audit tests.
Auditors can give moderate level control risk without testing when
The company is a continuing client
Past years' audit results did not yield any material misstatements in the financial statements
Preliminary analysis of the system indicates no significant changes since last year
Management has effective monitoring of controls
The company is not issuing a report on internal control
Otherwise control risk should be assessed as high
Identify controls to test (which)
Once auditor has concluded controls are well designed, then test operating effectiveness
-provide an opinion on the entity's internal controls
-reduce substantive testing for the financial statement audit
No need to test them all
purpose of the internal controls is to mitigate any material misstatement that will make it through the system
What must the auditor test (internal controls)
both the proper recording of transactions and the effectiveness of control activities at the same time
PCAOB auditing standard No 5
indicates that auditors should use a "top-down approach" that begins at the financial statement level.
focus first on entity level controls
work down to significant accounts and their relevant assertions
Significant controls identified by the auditor
use of prenumbered shipping documents
review of sales order forms by supervisory personnel for completeness
requirement that all shipments have specific supervisory authorization
requirement that sales have credit approval before shipment
reconciliation of the total number of items billed with the number of items shipped
5 control procedure types
Manual transaction-oriented controls that are designed to operate on every transaction throughout the year
Transaction controls built into computer applications that are designed to operate independently of manual intervention throughout the year
Monthly control procedures, such as monthly bank reconciliations or reconciliation of subsidiary ledgers with control ledgers
Year-end controls that are more relevant to estimate account balances at the end of the year (e.g. allowance for doubtful accounts)
Adjusting-entry controls that affect the closing of the books at year end as well as adjustments that are made to significant estimates during the year
Manual transaction-oriented controls sample size
should be tested using the guidelines developed for attribute testing utilizing statistical sampling techniques
sample size is based on
-whether failure of the control procedure is likely to lead to a significant misstatement
-rate of failure would lead to a material misstatement
-a statistical confidence level that would assure the auditor there is not more than a remote likelihood that the control could be failing
on avg 30-100 transactions
Transaction controls built into computer applications sample size
sufficient sample size to persuade the auditor that the control operates effectively across a wide variety of transactions throughout the year.
identify how unusual transactions are handled
Monthly control procedures sample
Assuming the design of these procedures is adequate, the auditor could choose one month and retest the client's tests of these accounts (e.g. re-perform the bank reconciliation for a month)
Year-End Controls sample
make sure year end controls are working if amounts will be in balance sheet
Auditor should take a sample of transactions during the latter part of the year (e.g. last quarter or after year-end for controls related to the year-end close process)
Adjusting-Entry Controls sample
Adjusting entries represent a high risk of material misstatement
testing of controls is inversely related to the control environment
auditor wants to review a number of transactions to determine:
-other controls are not being overridden by mgt
-there is support for the adjusting entries
-entries receive proper approval by the appropriate level of mgt
if the number of transactions is high the auditor can do sampling, or if it's low the auditor can focus on something else
Consider the results of control testing
control testing will influence the financial statements
if control risk is assessed as high, the extent of substantive testing of account balances must be higher
What should the internal control documentation show?
How each significant control is tested
The sampling approach used and the size of the sample used in testing
The conclusions of the tests
The individual performing the test
The auditor's conclusion on the effectiveness of the control
The implications for the audit of related financial account balances
What weakness and deficiency on internal controls should be reported as stated by the SEC and PCAOB
Material weakness in internal control - is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis
Significant deficiency in internal control - is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting
