Internal Control and Audit Risk
Department of Internal Control Structure
The structure of an entity’s internal control consists of policies and procedures established to provide reasonable assurance that specific entity objectives will be achieved. Policies and procedures relevant to an audit refer to the entity’s ability to record, process, summarize, and report financial data consistent with the financial statements.
Elements of Internal Control Structure
For purposes of an audit of financial statements, an entity’s internal control structure comprises the following elements:
- The control environment
- The accounting system
- Control procedures
This division of the control structure facilitates discussion of its nature and how the auditor considers it in an audit.
Control Environment
The control environment represents the combined effect of several factors that establish the effectiveness of specific policies and procedures. These factors include:
- Management’s philosophy and operating style
- The entity’s organizational structure
- The operation of the board and its committees, including the audit committee
- Methods of assigning authority and responsibility
- Management control methods to monitor and track performance, including internal audit
- Personnel policies and practices
- Various external influences that affect the entity’s operations and practices, such as regulatory bodies.
Accounting System
The accounting system consists of the methods and records established to identify, collect, analyze, classify, record, and report the entity’s transactions and to maintain accounts for assets and liabilities. An effective accounting system should establish methods and records that:
- Identify and record all valid transactions
- Describe all transactions in a timely manner with sufficient detail for proper classification in financial reporting
- Quantify the value of transactions for proper monetary value in the financial statements
- Determine the period in which transactions occur for recording in the appropriate accounting period
- Present transactions and related disclosures properly in the financial statements
Control Procedures
Control procedures are those policies and procedures established by management, in addition to the control environment and accounting system, to provide reasonable assurance that the entity’s specific objectives will be achieved. These procedures can be categorized as follows:
- Properly authorize transactions and activities
- Segregate duties to reduce opportunities for errors or irregularities. This involves assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets.
- Design and use appropriate documentation and records
- Implement and maintain appropriate security devices for access to and use of assets and records
- Independently verify the proper recording and valuation of figures
Audit Risk
Development: The Concept of Risk
The concept of risk arises naturally from the review of internal control:
- The auditor forms beliefs about account balances.
- Given a company’s complexity, the auditor cannot review all items.
- Therefore, the auditor evaluates internal control to streamline balance validations.
- However, the focus remains on balances.
- The auditor spends considerable time checking internal control, on which no opinion is given, creating risk.
The classical view of risk includes three types:
- Control Risk (related to the internal control system)
- Inherent Risk (related to the nature of the business)
- Detection Risk (associated with the audit process)
Audit Risk Assessment
Proper audit planning is essential. During planning and execution, the auditor makes decisions, from overall strategy to specific audit procedures. Risk assessment is the most important factor in these decisions.
This section discusses the importance of risk assessment in planning and executing the audit of financial statements in accordance with generally accepted auditing standards.
Audit Risk and Materiality
Audit risk and materiality, along with other aspects, must be analyzed together to determine the nature, scope, and timing of audit procedures and to evaluate the results.
Audit risk is the risk that the auditor may unknowingly fail to appropriately modify their opinion on materially misstated financial statements. This means concluding that the financial statements are fairly presented when they are not, or concluding that they are not fairly presented when they are.
Risk Assessment
Audit risk (the risk of an inappropriate opinion on misstated financial statements) has the following components:
- Inherent Risk: The probability of misstated financial information due to the nature of transactions or subjective decisions.
Examples:
a) Transactions subject to calculation methods: restatements, depreciation, equity method investments, tax transactions.
b) Transactions related to provisioning.
- Control Risk: Management’s ability to detect errors in financial information. This depends on the internal control system. A stronger system means lower control risk.
- Detection Risk: The probability that the auditor will not detect material misstatements during the audit. This depends on the effectiveness of audit procedures.
Inherent and control risks exist independently of the audit, while detection risk relates to the auditor’s procedures.
Financial statement audits are dynamic. As the auditor performs procedures and gathers evidence, the nature, timing, and extent of other procedures may change. Re-evaluation may be necessary.
Detection risk has an inverse relationship with inherent and control risk. Lower inherent and control risk means the auditor can accept higher detection risk, and vice versa.
Consideration of Internal Control in Audit Planning
The auditor must understand all components of the internal control structure, including the design of policies, procedures, and records, and the extent to which they are implemented.
This knowledge is used to:
- Identify potential errors
- Consider factors affecting the risk of material misstatement
- Design substantive tests
Concerns about management’s integrity or the adequacy of records may lead the auditor to conclude that an audit is not possible.
Understanding the Internal Control Structure
The auditor considers the following:
- Factors influencing substantive tests
- Previous audits
- Industry knowledge
- Inherent risk assessments
- Judgments on the significance, complexity, and sophistication of operations
- The entity’s systems
- Knowledge of potential errors
As operations become more complex, more attention may be needed on the control environment, accounting system, and control procedures.
The auditor performs procedures to understand the internal control structure, including:
- Inquiries of personnel
- Review of documents
- Observation of activities
The nature and extent of procedures vary depending on the entity’s size, complexity, and the auditor’s prior experience.
The auditor documents their understanding of the internal control structure. This documentation may include flowcharts, questionnaires, decision tables, or memoranda.
Internal Control and Organization
- Lines of responsibility and authority should be clearly defined in writing and organizational charts.
- There must be independence between authorization, execution, control of operations, and custody of assets.
- Managers should have a reasonable number of subordinates for effective supervision.
- Work should be rationally divided.
- Internal audit should report to the highest level.
Organizational Structure
The organizational structure provides a framework for planning, directing, and controlling operations. It includes the organizational units, data processing organization, and roles and relationships of information management. Authority and responsibilities should be adequately assigned.
Methods of Assigning Authority and Responsibility
These methods affect the understanding of relationships and responsibilities for information. They include:
- Policies on acceptable business practices, conflicts of interest, and code of conduct
- Assignment of responsibility and delegation of authority
- Job descriptions outlining functions, dependencies, and obligations
- Documentation of computer systems, including authorization procedures and system change approvals
Control Areas
Control operates in all areas and at all levels of the company. The main control areas are:
Production Areas
For industrial companies, this is where products are made. For service providers, it’s where services are provided. Main controls include:
- Production Control: Scheduling, coordinating, and implementing measures for optimal production performance.
- Quality Control: Correcting deviations from quality standards.
- Cost Control: Continuously verifying production costs.
- Production Time Control: Eliminating wasted time.
- Inventory Control: Managing raw materials, parts, tools, and finished goods.
- Production Operations Control: Fixing routing, software, and supplies.
- Waste Control: Minimizing waste.
- Maintenance Control: Managing machine downtime and costs.
Sales Area
This area is responsible for selling or marketing products or services. Main controls include:
- Sales Control: Monitoring sales volume by customer, vendor, region, product, etc.
- Advertising Control: Tracking advertising effectiveness.
- Cost Control: Verifying sales costs and commissions.
Financial Area
This area manages financial resources. Main controls include:
- Budgetary Control: Controlling expected financial costs by department.
- Cost Control: Controlling overall costs, including production, sales, administration, and financial costs.
Human Resources Area
This area manages personnel. Main controls include:
- Attendance Control: Tracking attendance and tardiness.
- Vacation Control: Managing employee vacations.
- Payroll Control: Verifying salaries and adjustments.
COSO Approach (Committee of Sponsoring Organizations)
The COSO framework provides a common structure for internal control. It defines internal control as a process to provide reasonable assurance regarding effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.
The five components of COSO are:
- Control environment
- Risk assessment
- Control activities (policies and procedures)
- Information and communication
- Monitoring (supervision)
Control Environment
The control environment sets the tone for internal control, influencing behavior and procedures. It reflects management’s attitude towards internal control. Key factors include:
- Management philosophy and style
- Organizational structure
- Integrity, ethical values, and competence
- Accountability and development
- Documentation of policies and decisions
- Oversight bodies
Risk Assessment
Internal control limits risks. Risk assessment involves identifying and analyzing risks and evaluating how controls mitigate them. Objectives must be set before assessing risk. Risk analysis includes estimating significance, assessing probability, and defining management strategies.
Changes require special attention. These include:
- Environmental changes
- Policy changes
- Reorganizations
- New personnel
- New systems and technologies
- Rapid growth
- New products or activities
Control Activities
These are procedures to achieve objectives and mitigate risks. They are implemented at all levels and can be categorized by objective (operations, financial reporting, compliance). Control activities can be preventive, corrective, manual, automated, or managerial.
Examples include:
- Management analysis
- Monitoring by supervisors
- Transaction verification
- Physical controls
- Security devices
- Segregation of duties
- Performance indicators
Control of information technologies is crucial.
Information and Communication
Information must be timely and relevant. It should be collected, processed, and communicated effectively. Communication flows in all directions. Open communication is vital.
Monitoring
Internal control systems must be monitored and updated. Monitoring can be ongoing or through specific assessments. Deficiencies should be communicated and corrected.