Internal Control
A process effected by those charged with governance, management, and other personnel that is designed, implemented, and maintained to address identified business risks that threaten the achievement of any of the entity’s objectives that concern
The reliability of the entity’s financial reporting
The effectiveness and efficiency of its operations
Its compliance with applicable laws and regulations
Components of Internal Control
Control Environment: Sets tone of organization, influencing the control consciousness of its people. It is the foundation for all other components,… providing discipline and structure; encompasses the following elements:
Communication and enforcement of integrity and ethical values
Commitment to competence
Participation by those charged with governance
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Risk Assessment: Entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for how the risks should be managed; risks can arise or change due to:
Changes in operating environment
New personnel
New or revamped information systems
Rapid growth
New technology
New business models, products or activities
Corporate restructurings
Expanded foreign operations
New accounting pronouncements
Control Activities: Policies and procedures that help ensure that management directives are carried out; usually pertain to:
Performance reviews
Information processing
Physical controls
Physical security of assets, including inadequate safeguards
Authorization for access to computer programs and data files
Periodic counting and comparison with amounts shown on control records
Segregation of duties
Information and Communication: Identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities
Monitoring: Process that assesses the quality of internal control performance over time
Other
While the division of internal control into the five components provides a useful conceptual framework, the auditor’s primary concern is whether, and how, a specific control prevents, or detects and corrects, material misstatements, rather than its classification into any particular component
Ordinarily, controls that are most directly relevant to a financial statement audit pertain to the entity’s objective concerning reliability of financial reporting
Internal control systems are subject to inherent limitations and thus are capable of providing reasonable assurance regarding achieving the entity’s objectives
Examples of inherent limitations of internal control include:
Faulty decision making and human failures such as errors and mistakes
Inappropriate override by management—the most significant in a typical audit of a large, public corporation
Collusion by two or more people
An auditor’s understanding of internal control may be documented in various forms, including memos, questionnaires, flowcharts, and decision tables
So-called owner-manager controls, which may mitigate a lack of segregation of duties or other formal control procedures, are likely to be more important in smaller nonpublic companies, rather than larger public companies
[CH. 8] Acquisition and Expenditure Cycle
Typical Activities
Purchasing Goods and Services
Purchases are requested via a purchase requisition by people who know the needs of the organization
A purchasing department seeks the best prices and quality and issues a purchase order to a selected vendor from an approved vendor list
Inventory is often ordered automatically from approved vendors through electronic data interchange (EDI)
The purchasing department is an area of high fraud risk due to abuses such as a conflict of interest, kickbacks, or a “shell” company—often difficult