AK/ADMS 3511 - Management Information Systems

9-1

Chapter 9: Internal Controlsand Control Risk

9-2

Chapter 9 objectives

Explain why the study of internal control isimportant

List the four components of internal control

Discuss the relationship between the controlenvironment and application controls

Examine how control risk is assessed

Describe the process used to understand,document and test internal controls

Identify internal control reports

9-3

What is Internal Control?

A process designed and effected bymanagement (or board or employees) inproviding reasonable assurance about theachievement of the entity’s objectives(reliable reporting, effectiveness andefficiency, compliance with laws)

See CICA Handbook 5141.042

9-4

GAAS and Internal Controls

Why is it mandatoryfor the auditor tounderstand theinternal controlsystem?

How likely is it thatthere are NO internalcontrols at all?

9-5

Management responsibilities withrespect to internal control

Should be cost-effective

Provide reliable accounting and operatingdata

Safeguard assets and records

Promote operational efficiency

Prevent and detect error, fraud or illegal acts

Ensure compliance with laws and regulations

9-6

Auditor responsibilities withrespect to internal control

Exercise professionalskepticism

Document and evaluateinternal controls offinancial systems

Test controls if relianceintended

Communicate weaknessesthat could cause materialerrors

9-7

Concepts when studying internalcontrol

Remember, it is management’sresponsibility to establish and maintaininternal controls: the auditor evaluates andmay test these controls

The auditor can provide reasonable, but notabsolute assurance

Internal controls have inherent limitations

9-8

Inherent limitations of internalcontrols

No such thing as 100%internal controls

Effectiveness dependsupon the competency anddependability ofindividuals (or systems)executing the controls

Most internal controls canbe overridden usingcollusion

9-9

Four components of internal control

9-10

The control environment

Actions, policies and procedures that reflect theoverall attitudes of top management, directors,and owners of an entity about controls

The essence of an effectively controlledorganization lies in the attitude of itsmanagement

Control environment (CE) factors are assessed aspart of the knowledge of business and are used todevelop a client risk profile

9-11

CE factor: management philosophyand operating style

Management should operate ethically andhonestly

Like behaviour should be encouragedamong employees, perhaps by means ofdocumented policies such as a code ofethics

Service policies could include acommitment to quality and competence

9-12

CE factor: board of directors andaudit committee

Board should include independent directors

Audit committee should includeindependent directors

Audit committee should have competencein financial reporting assessment

Board members should participate actively,meet with internal and external auditors

9-13

CE factor: organizational structure

A structure that is appropriate forplanning, directing and controllingoperations

Authority and responsibility assignmentsclear

Information systems steering committee tooversee systems development andmanagement of information systems

9-14

CE factor: methods of assigningauthority and responsibility

Take into account reporting relationshipsand responsibilities within organizationalculture

Organizational goals, ethical and socialissues considered

Development and implementation ofpolicies such as job descriptions and codesof conduct

9-15

CE factor: management controlmethods

Methods used to implement objectives andpolicies (many possible examples)

Logical access controls and monitoring fordata communications

Monitoring activities of employees

Implementing of effective budgetingsystems with follow up of differences

9-16

CE factor: systems developmentmethodology

Policies and procedures for selecting,development/purchase and maintenance ofinformation systems

Formal methodologies for customizedsystems

Implementation of systems consistent withorganizational objectives

9-17

CE factor: management reaction toexternal influences

Monitoring of the external environment,including changes in laws

Ability to respond to changes in theexternal environment, including changes inbusiness procedures or organizationalstructures

9-18

CE factor: human resource policiesand practices

Hiring practices to ensurecompetent andtrustworthy employees

Evaluation andcompensation processesto help motivateemployees to continuedcompetence and honesty

9-19

Role of internal audit

To help ensure independence, internalaudit should report to the audit committeeof the board of directors

Can be part of control environment wheneffective, competent, independent andwell-trained

Can contribute to reduced external auditcosts

9-20

Risk assessment

Involves managements identification andanalysis of risks relevant to the preparationof financial statements in conformity withGAAP

Management needs to: identify risks,estimate significance, assess likelihood ofoccurrence, develop action plans to reducethe risk to an acceptable level

9-21

Control systems include:

General controls: controlsystems that affectmultiple classes oftransactions (also calledapplication systems)

Application (oraccounting system)controls: can be manual,computer-assisted, orfully automated

9-22

Impact of inadequate generalcontrols

Organization and management: Cannotrely on automated or combined controls

Systems acquisition, development andmaintenance: Cannot rely upon automatedor combined controls

Operations and information systemssupport: May result in going concern issues

9-23

Accounting (application) systemcontrol procedures

Appropriate segregation of duties

Proper authorization of transactions andactivities

Adequate documents and records

Adequate safeguards over access to anduse of assets and records

Independent verification of performanceand the accuracy of recorded amounts

9-24

Monitoring

Deals with ongoing or periodic assessmentof the quality of internal controlperformance by management

Internal audit department may provideindependent evaluation of the quality of themonitoring process

9-25

Internal control audit process:1. Obtain understanding

Obtain understanding of design andoperation

Methods used to understand and documentthis process:

–Flow charts

–Narrative

–Internal control questionnaire

9-26

Knowing the difference between astrength and a weakness

Question 9-17, p. 278

Identifying the absent control when anerror or fraud occurred

Which audit objective(s) were not met?

Also be able to identify: Controls to helpprevent the problem from occurring

9-27

Internal control audit process:2. Assess control risk

Using the audit risk model

Control risk is assessed at one of the followinglevels:

–Maximum (100%) – no reliance, only substantivetesting is completed

–High

–Moderate

–Low

Decide whether controls will be tested or not (itmay be more efficient to only go substantive)

9-28

Internal control audit process:3. Test controls if reliance is intended

Procedures completed to ensure that keycontrols have been operating:

–Inquiry

–Inspection

–Observation

–Reperformance

Procedures must be linked to auditobjectives

9-29

Where controls are functioning:

Identify the errors that are less likely tooccur

Link to the related substantive test

Perform less or limited or no substantiveprocedures in this area

More analytical procedures can be used

9-30

Identify the potential impact ofweaknesses

If a control is not functioning, or does not exist,this is a WEAKNESS:

–Need to identify potential monetary error (isthe impact MATERIAL?)

–Do expanded substantive tests, if necessary

–Analytical procedures

–No internal controls testing in this area

9-31

Internal control audit process:4. Decide PDR and substantive tests

After control testing you are better able toassess planned detection risk (PDR or justDR)

Then substantive tests are designed foreach audit objective based on the PDR forthat cycle or objective

9-32

Internal control audit process:5. Report potentially materialweaknesses

Specific wording is required for theseweaknesses

Must be reported to management, boardand audit committee (GAAS requires)

Other weaknesses (i.e. non-material) wouldalso be included in a management letter