Audit Training-of-Trainers Workshop,
18-19 November 2014, Vienna
Components of internal control within
organization
Andrei Busuioc,
Senior Financial Management Specialist, CFRR
Session objectives

The session will compare and highlight the practical guidance contained in ISA 315 "Identifying and Assessing the Risk of Material Misstatement through Understanding of the Entity and its Environment" and the COSO "Internal Control - Integrated Framework" that can help auditors understand the internal control system in an organization.
Internal control definition

ISA 315:
- the process
- designed, implemented and maintained by those charged with governance, management and other personnel
- to provide reasonable assurance about the achievement of an entity's objectives with regard to
  - the reliability of financial reporting,
  - effectiveness and efficiency of operations and
  - compliance with applicable laws and regulations

COSO:
- a process
- effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance
- regarding the achievement of objectives relating to operations, reporting, and compliance.
Components IC system – the control environment

ISA:
1. Governance and management functions (e.g. corporate governance arrangements)
2. Attitudes, awareness and actions of management
3. "Sets the tone" by creating a culture of honesty and ethical behaviour (e.g. ethics code and training)
4. Provides an appropriate foundation for the other components of internal control

COSO:
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Components IC system – risk assessment

ISA:
How management identifies risks and decides upon actions to manage them:
- Identifying business risks relevant to financial reporting objectives;
- Estimating the significance of the risks;
- Assessing the likelihood of their occurrence; and
- Deciding about actions to address those risks.

COSO:
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
Components IC system – Information systems/communication

ISA:
- The information system: infrastructure, software, people, procedures and data
- The related accounting records, supporting information and specific accounts in the financial statements that are used to record, process and report transactions

COSO – Information and Communication:
- The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
- The organization communicates with external parties regarding matters affecting the functioning of other components of internal control
Components IC system – Control activities

ISA:
• The policies and procedures that help ensure that management directives are carried out (e.g. existence of manuals/guidelines).
• The categories most relevant to an audit are:
  - Performance reviews
  - Information processing
  - Physical controls
  - Segregation of duties

COSO:
• The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
• The organization selects and develops general control activities over technology to support the achievement of objectives.
• The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Components IC system – Monitoring of controls/monitoring activities

ISA – Monitoring of controls:
• Assess the design and operation of controls over time
• Ongoing monitoring is part of regular management activity
• Separate monitoring may be performed by the internal audit function

COSO – Monitoring Activities:
• The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
• The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
Relationship of Objectives and Components (COSO)

There is a direct relationship between the objectives of an entity, the components (what is required to achieve the objectives), and the organizational structure of the entity (the operating units, legal entities, and others).

The COSO cube:
- The three categories of objectives (operations, reporting, and compliance) are represented by the columns
- The five components are represented by the rows
- An entity's organizational structure is represented by the third dimension
Understanding design and implementation

ISA 315 - 'the auditor shall obtain an understanding of internal control relevant to the audit'.
• Identify types of potential misstatements (e.g. unrecorded revenues, especially if cash sales)
• Consider factors that affect the risks of material misstatement (e.g. procedures, systems, people)
• Design the nature, timing and extent of further audit procedures (e.g. if controls are strong – less substantive testing is needed)
Step 2 – assess control design

Assess whether controls (individually or in combination with other controls) will actually mitigate the risk:
- Preventing material misstatements from occurring
- Detecting and correcting material misstatements after they have occurred

2 ways to match risks to controls (pp. 146-149, v.2 guide – examples of matrices):
- One-risk-to-many-controls;
- Many-risks-to-many-controls

E.g. how to control prices – authorization levels and the systems to control them (IT controls) – one risk, but a few controls;
Step 3 – Assess control implementation

Whether controls are actually operating:
- Inquiring of entity personnel
- Observing the application of controls
- Inspecting documents and reports
- Tracing one or more transactions (walkthrough)

E.g. sometimes personnel respond how they think it should be and not how it is in practice; review authorizations; review the systems for controlling credit limits (IT controls), etc.
Step 4 – documenting relevant controls

- Provide context – from inception to financial reporting
- Documentation does not have to be complex or comprehensive – the auditor should not describe an entire business process, or controls that are less relevant to the audit
- Flow charts, descriptions, questionnaires and checklists (examples in next sessions)

Documenting:
- How significant transactions are initiated, authorized, recorded, processed and reported
- The flow of transactions in sufficient detail – to identify the points at which material misstatements caused by error or fraud could occur
- ICs over the period-end financial reporting process, including estimates and disclosures
- Written representations by management
IC in smaller entities

- Controls may have less formality and less evidence (e.g. no manuals or guidelines)
- Certain controls may not be necessary – risks mitigated by senior management (entity-level controls – error preventing)
- Fewer employees – segregation of duties is not always practical; owner-manager exercises effective oversight (entity-level controls)
- Greater potential for management override of controls
Limitations of internal control

The auditor can never rely solely on tests of controls because of the inherent limitations in any system of internal control.

Inherent limitations in any system of internal control:
- Human judgments, and human failures, such as errors & mistakes
- Circumvention of internal controls by the collusion of two or more people
- Inappropriate management override of internal controls (for example changing the terms of a sales contract or overriding customers' credit limits)
Documenting IC deficiencies

The ISAs do not prescribe an approach – professional judgment applies.

Possible approach:
- Discussing deficiencies with management
- Assessing the severity of the deficiencies
- Considering the need for any additional audit procedures to respond to unmitigated risk (e.g. extensive testing in case controls are not proper)
- Preparing the required communication to management and TCWG (those charged with governance)