
Audit Training-of-Trainers Workshop, 18-19 November 2014, Vienna

Components of internal control within organization

Andrei Busuioc, Senior Financial Management Specialist, CFRR

Session objectives

The session will compare and highlight the practical guidance contained in ISA 315 Identifying and Assessing the Risk of Material Misstatement through Understanding of the Entity and its Environment and COSO Internal Control - Integrated Framework that can help auditors understand the internal control system in an organization.

Internal control – is part of risk assessment

Internal control definition

ISA 315:

- the process
- designed, implemented and maintained by those charged with governance, management and other personnel
- to provide reasonable assurance about the achievement of an entity’s objectives with regard to
  - the reliability of financial reporting,
  - effectiveness and efficiency of operations and
  - compliance with applicable laws and regulations

COSO:

- a process
- effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance
- regarding the achievement of objectives relating to operations, reporting, and compliance.

Components IC system – the control environment

ISA:

1. Governance and management functions (e.g. Corporate Governance arrangements)
2. Attitudes, awareness and actions of management
3. “Sets the tone” by creating a culture of honesty and ethical behaviour (e.g. ethics code and training)
4. Provide an appropriate foundation for the other components of internal control

COSO:

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Components IC system – risk assessment

ISA:

How management identifies risks and decides upon actions to manage them:
- Identifying business risks relevant to financial reporting objectives;
- Estimating the significance of the risks;
- Assessing the likelihood of their occurrence; and
- Deciding about actions to address those risks.

COSO:

- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.

Components IC system – Information systems/communication

ISA:

The information system:
- infrastructure, software, people, procedures and data
- the related accounting records, supporting information and specific accounts in the financial statements that are used to record, process and report transactions

COSO (Information and Communication):

- The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
- The organization communicates with external parties regarding matters affecting the functioning of other components of internal control

Components IC system – Control activities

ISA:

• The policies and procedures that help ensure that management directives are carried out (e.g. Existence of manuals/guidelines).
• The categories most relevant to an audit are:
  - Performance reviews
  - Information processing
  - Physical controls
  - Segregation of duties

COSO:

• The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
• The organization selects and develops general control activities over technology to support the achievement of objectives.
• The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Components IC system – Monitoring of controls/monitoring activities

ISA (Monitoring of controls):

• Assess the design and operation of controls over time
• Ongoing monitoring is part of regular management activity
• Separate monitoring may be performed by the internal audit function

COSO (Monitoring Activities):

• The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
• The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

Relationship of Objectives and Components (COSO)

A direct relationship exists between the objectives of an entity, the components (what is required to achieve the objectives), and the organizational structure of the entity (the operating units, legal entities, and other).

The COSO cube:
- The three categories of objectives (operations, reporting, and compliance) are represented by the columns
- The five components are represented by the rows
- An entity’s organizational structure is represented by the third dimension

Understanding design and implementation

ISA 315 - 'the auditor shall obtain an understanding of internal control relevant to the audit'.

• Identify types of potential misstatements (e.g. unrecorded revenues, especially if cash sales)
• Consider factors that affect the risks of material misstatement (e.g. procedures, systems, people)
• Design the nature, timing and extent of further audit procedures (e.g. if controls are strong – less substantive testing is needed)

Assessing the controls design and implementation – 4 steps (p. 142-143 v.2 guide)

Evaluation of control design and implementation (p. 142-143 v.2 guide)

Step 1 – what risks should be mitigated

Step 2 – assess control design

Assess whether controls (individually or in combination with other controls) will actually mitigate the risk:
- Preventing material misstatements from occurring
- Detecting and correcting material misstatements after they have occurred

2 ways to match risks to controls (pp. 146-149, v.2 guide – examples of matrixes):
- One-risk-to-many-controls;
- Many-risks-to-many-controls

E.g. how to control prices – authorization levels and the systems to control them (IT controls) – one risk, but few controls.

Step 3 – Assess control implementation

Whether controls are actually operating:
- Inquiring of entity personnel
- Observing the application of controls
- Inspecting documents and reports
- Tracing one or more transactions – walkthrough

E.g. sometimes personnel respond how they think it should be and not how it is in practice; review authorizations; review the systems of controlling credit limits (IT controls), etc.

Step 4 – documenting relevant controls

Provide context – from inception to financial reporting

Documentation – does not have to be complex or comprehensive; the auditor should not describe an entire business process, or controls that are less relevant to the audit.

Flow charts, descriptions, questionnaires and checklists (examples in next sessions)

Documenting:
- How significant transactions are initiated, authorized, recorded, processed and reported
- The flow of transactions in sufficient detail – to identify the points at which material misstatements caused by error or fraud could occur
- ICs over the period-end financial reporting process, including estimates and disclosures
- Written representations by management

IC in smaller entities

- Controls may have less formality and less evidence (e.g. no manuals or guidelines)
- Certain controls may not be necessary – risks mitigated by senior management (entity level controls – error preventing)
- Fewer employees – segregation of duties is not always practical; owner-manager exercises effective oversight (entity-level controls)
- Greater potential for management override of controls

Limitations of internal control

The auditor can never rely solely on tests of controls because of the inherent limitations in any system of internal control.

Inherent limitations in any system of internal control:
- Human judgments, and human failures, such as errors & mistakes
- Circumvention of internal controls by the collusion of two or more people
- Inappropriate management override of internal controls (for example changing the terms of a sales contract or overriding customers’ credit limits)

Documenting IC deficiencies

ISA do not prescribe – professional judgment

Possible approach:
- Discussing deficiencies with management
- Assessing the severity of the deficiencies
- Considering the need for any additional audit procedures to respond to unmitigated risk (e.g. extensive testing in case controls are not proper)
- Preparing the required communication to management and TCWG