
2010 CMA Part 1 - Section D

Internal Controls

2010 CMA Part 1 Section D Internal Controls 1


Section D Internal Controls
This section is 15% of Part 1.
Five broad categories of topics are included in this section:
Risk assessment, controls and risk management
Internal auditing
Systems controls and security measures
Internet security
Contingency planning



Risk Assessment, Controls, and Risk Management


Benefits of Internal Control
The internal controls of a company are an important part of its overall operations. A strong internal control system will provide many benefits:
Lower external audit costs,
Better control over and usage of company assets, and
More reliable information that may be used for decision making by managers and others in the company.
A company with weak internal controls is putting itself at risk for employee theft, loss of control over the information relating to operations, and other inefficiencies in operations and decision-making.

Internal Control Definition and Objective
Internal control is the method or process performed by a company that is designed to provide reasonable assurance that three things will be achieved:
1. Effectiveness and efficiency of operations,
2. Reliability of financial reporting, and
3. Compliance with applicable laws and regulations.
Objectives #2 and #3, the financial reporting and compliance objectives, are based on standards imposed by external entities (example: the SEC).
Internal control only provides reasonable assurance, not a guarantee, that these goals will be achieved.

Internal Control Definition and Objective (cont'd)
Regarding point #1: an internal control system cannot provide reasonable assurance that operations objectives will be met. It provides only reasonable assurance that management and the board of directors are made aware in a timely manner of the progress towards achieving operational objectives.
Therefore, internal control can be judged effective if management has reasonable assurance that:
They understand the extent to which the company's operations objectives are being achieved;
Published financial statements are prepared reliably; and
Applicable laws and regulations are being complied with.

Who is Interested in the IC of a Company?
There are a number of diverse parties that are interested in the internal control (IC) system of a company:
Investors and potential investors rely on the IC system to be able to evaluate management and the performance of the company.
External auditors will base the amount of work that they perform in part on the effectiveness of the IC system.
Legislative and regulatory bodies rely on the IC system to help ensure that the company is operating in compliance with applicable laws and regulations.
Management uses the information that comes out of the internal systems, so management needs to make certain that the information it receives is correct.
Customers may benefit from a strong internal control system because it may reduce the costs of production and therefore also the products' costs.

Who is Responsible for Internal Control?
The COSO report, Internal Control - Integrated Framework (1992), defined the responsibility of the groups or persons listed below to maintain and assess internal controls as follows:
The board of directors is responsible for overseeing the internal control system, providing governance, guidance and insight.
The CEO is ultimately responsible for the internal control system and the tone at the top.
Senior managers delegate responsibility for the establishment of specific internal control policies and procedures to the personnel responsible for each unit's functions.

Who is Responsible for Internal Control? (cont'd)
The COSO report, Internal Control - Integrated Framework (1992), defined the responsibility of the groups or persons listed below to maintain and assess internal controls as follows (cont'd):
Financial officers and their staffs are central to the exercise of control.
Internal auditors play a monitoring role by evaluating the effectiveness of the internal controls.
Virtually all employees are involved in internal control:
they produce information used in the internal control system or carry out activities that put the internal control system into effect;
they inform their managers if they become aware of problems in operations or that rules or policies are being violated.

Components of Internal Control
The COSO report, Internal Control - Integrated Framework, lists five interrelated components that make up internal control:
1. The Control Environment,
2. Risk Assessment,
3. Control Activities,
4. Information and Communication, and
5. Monitoring.
Note: These elements may be remembered by the mnemonic CRIME (Control environment, Risk assessment, Information and communication, Monitoring, and the final letter of control activitiEs).

Component #1: Control Environment
This is the most important element of internal control because it is the basis on which the other elements are built.
Factors that influence the scope and effectiveness of the control environment include:
Integrity and ethical values of the entity's people
A commitment to competence
The attention and direction provided by the board of directors and/or audit committee
Management's philosophy and operating style
The company's organizational structure

Component #1: Control Environment (cont'd)
Factors that influence the scope and effectiveness of the control environment include (cont'd):
The way management assigns authority and responsibility for operating activities
Human resource policies and practices

Component #1: Control Environment (cont'd)
Internal controls are more likely to function well if management believes that the controls are important and communicates that support to all employees. Management sets a positive tone at the top by:
transmitting guidance both verbally and by example,
communicating the entity's values and code of conduct,
fostering a control consciousness by setting formal and clearly communicated policies and procedures,
specifying the competence level needed for particular jobs and delegating authority accordingly, and
working closely with a board of directors who help ensure the company is operating in the best interest of the shareowners.

Component #2: Risk Assessment
Once the company objectives are defined, risk identification can begin.
Risks can exist at the entity level or the activity level.
Risks can be both internal and external.
After the company has identified its entity-level and activity-level risks, it should perform a risk analysis:
To estimate the significance of each risk
To assess the likelihood or frequency of each risk occurring
To consider how each risk should be managed by assessing what actions need to be taken.

Component #2: Risk Assessment (cont'd)
Within the control environment, management is responsible for the assessment of the risks that the company faces.
Risk assessment is the process of identifying, analyzing and managing the risks that have the potential to prevent the organization from achieving its objectives.
The company's objectives must be established before the risks to them can be assessed. Objective setting is therefore a key part of the management process of risk assessment.

Component #2: Risk Assessment (cont'd)
Once the significance and likelihood of risks have been assessed, the following steps should be taken to manage the identified risks:
The amount of potential loss from each identified risk should be estimated to the extent possible.
Consider how each risk should be managed by determining what can be done and analyzing the costs, if any, associated with managing each risk.
Procedures should be established to ensure that the plans for risk management are implemented. These procedures are the control activities.

Component #3: Control Activities
After the risks have been assessed, controls should be designed to limit the risk. To accomplish this, control activities are implemented.
These activities are the policies that are developed to address the risks of the company, and the procedures that ensure the policies will be followed.
Any control implemented must have a benefit that is greater than the cost of that control.
Because of this, not all controls are implemented, and the control environment cannot provide a guarantee that all risks are eliminated.

Component #3: Control Activities (cont'd)
Control activities may be classified by their objective:
Preventive controls attempt to prevent the mistake or problem from ever occurring in the first place,
Directive controls attempt to ensure the occurrence of a desirable event,
Detective controls attempt to find the mistake or problem after it has occurred,
Corrective controls attempt to fix the problem after it has occurred, and
Compensating controls attempt to address a weakness in controls in one place by setting up additional controls in a related area.

Component #3: Control Activities (cont'd)
Examples of control activities are:
1. Top-level reviews
2. Direct functional or activity management
3. Information processing
4. Independent checks
5. Performance indicators
6. Physical controls to safeguard assets
7. Documents and records
8. Authorization
9. Segregation of duties

Component #4: Information and Communication
Information needs to be obtained and communicated to people to allow them to perform their duties.
Communication must be ongoing.
Duties and responsibilities need to be communicated to all affected parties so that they are able to communicate significant information upstream.
Reports containing operational, financial, and compliance information must be available for informed decisions.
Some information must be communicated to those outside the organization and must also be available from external sources.

Component #4: Information and Communication (cont'd)
Some examples of communication that should take place include:
Information systems must provide reports to appropriate personnel so they can carry out their responsibilities.
All personnel need to receive clear communication from top management that their internal control responsibilities must be taken seriously. Each person needs to understand his or her role in the internal control system and how the system works.
People need to know what behavior is expected of them and what behavior is unacceptable.
Employees need to know that if they report a suspected violation of the company's code of conduct, they will not get into trouble for it.

Component #4: Information and Communication (cont'd)
Some examples of communication that should take place include:
Communications between management and the Board of Directors are vital. Senior management must inform board members about performance, new developments, major initiatives, potential risks, and other relevant information.
Appropriate communication is also needed with those who are outside of the organization. Communications from outside parties such as external auditors can provide important information about the functioning of the internal control system.
Any outsider dealing with the company must be informed that improper actions such as kickbacks or other improper incentives from vendors will not be tolerated.

Component #5: Monitoring
Monitoring is the process of reviewing the controls over time to make sure that they are still relevant and still functioning as they were intended.
As technologies change and business operations change, some of the controls that had been relevant may no longer be relevant.
Monitoring needs to be undertaken on a regular (if not relatively constant) basis.
Monitoring can be done in two ways:
1. Ongoing monitoring during normal operations
2. Separate evaluations by management with the assistance of the internal audit function

Segregation of Duties
Duties need to be divided among various employees to reduce the risk of errors or inappropriate activities. No single individual should have enough responsibility to be in a position to both perpetrate and conceal irregularities.
Note: Different people must always perform the following four functions:
Authorizing a transaction;
Recording the transaction, preparing source documents, and maintaining journals;
Keeping physical custody of the related asset; and
The periodic reconciliation of the physical assets to the recorded amounts for those assets.

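The four-function rule above, expressed as an access-control check. This is an added example, not material from the CMA slides: it maps hypothetical application roles to the four functions and provides both a preventive check (run before a role is granted) and a detective scan (run over existing assignments), mirroring the preventive and detective control classes on the earlier slide. Role names, the role-to-function mapping and the sample assignments are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) checks over user-to-role assignments.

Added example, not part of the CMA slides. The slides require that four
functions (authorizing, recording, custody, reconciliation) are always
performed by different people. This script maps application roles to those
functions and provides:
  - a preventive check, run before a role is granted, that refuses a grant
    which would give one user a second function; and
  - a detective scan of existing assignments that lists users who already
    hold two or more functions, with the conflicting pairs.
Role names, the role-to-function mapping and the sample assignments are
constructed for illustration.
"""
from itertools import combinations

# The four functions the slides say must be held by different people.
AUTHORIZE, RECORD, CUSTODY, RECONCILE = "authorize", "record", "custody", "reconcile"

# Hypothetical application roles and the SoD function(s) each one grants.
ROLE_FUNCTIONS = {
    "ap_approver":   {AUTHORIZE},           # approves vendor invoices
    "gl_clerk":      {RECORD},              # posts journal entries
    "treasury_ops":  {CUSTODY},             # releases payments, controls cash
    "recon_analyst": {RECONCILE},           # reconciles bank to ledger
    "erp_admin":     {AUTHORIZE, RECORD},   # over-broad admin role: conflicts by itself
    "report_viewer": set(),                 # read-only, no SoD function
}


def functions_held(roles, role_functions=ROLE_FUNCTIONS):
    """Union of SoD functions granted by a set of roles; unknown roles grant nothing."""
    held = set()
    for role in roles:
        held |= role_functions.get(role, set())
    return held


def conflicting_pairs(held):
    """All pairs of functions one person holds; any such pair is a violation."""
    return sorted(combinations(sorted(held), 2))


def check_grant(current_roles, new_role, role_functions=ROLE_FUNCTIONS):
    """Preventive control: return (allowed, reason) for granting new_role.

    The grant is refused if, afterwards, the user would hold two or more of the
    four functions, whether the second function comes from the new role or from
    a role already held.
    """
    after = functions_held(set(current_roles) | {new_role}, role_functions)
    if len(after) >= 2:
        pairs = ", ".join(f"{a}+{b}" for a, b in conflicting_pairs(after))
        return False, f"grant of {new_role!r} would create SoD conflict: {pairs}"
    return True, "ok"


def scan_assignments(assignments, role_functions=ROLE_FUNCTIONS):
    """Detective control: map each conflicting user to the pairs of functions held."""
    findings = {}
    for user, roles in assignments.items():
        held = functions_held(roles, role_functions)
        if len(held) >= 2:
            findings[user] = conflicting_pairs(held)
    return findings


# Constructed sample assignments (user -> roles), as exported from an IAM system.
SAMPLE_ASSIGNMENTS = {
    "alice": {"ap_approver", "report_viewer"},
    "bob":   {"gl_clerk"},
    "carol": {"treasury_ops", "recon_analyst"},   # custody + reconciliation
    "dave":  {"erp_admin"},                       # one role, two functions
    "erin":  {"recon_analyst"},
}

if __name__ == "__main__":
    for user, pairs in sorted(scan_assignments(SAMPLE_ASSIGNMENTS).items()):
        print(f"{user}: holds {', '.join(f'{a}+{b}' for a, b in pairs)}")
    allowed, reason = check_grant(SAMPLE_ASSIGNMENTS["bob"], "treasury_ops")
    print("grant treasury_ops to bob:", allowed, reason)
```

Where a small organization cannot separate all four functions, the scan output is the list of conflicts that must be covered by a compensating control such as an independent review, as described on the control activities slide.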


Responsibilities of the Board of Directors
The board of directors of a company is responsible for ensuring that the company is operated in the best interest of the shareholders.
The board's general responsibility is to provide governance, guidance and oversight of the management of the company. Specifics related to internal control include:
Selecting management
Defining expectations of management regarding integrity and ethics
Playing a role in strategic objective setting and planning
Investigating issues that they judge important

Responsibilities of the Board of Directors (cont'd)
Board members are responsible for questioning and scrutinizing management's activities. Therefore it is important that the board has members who are independent of the company.
An independent director has no material relationship with the company. An independent director is not an officer or employee of the company and is not active in the day-to-day management of the company.
Most boards of directors carry out their duties through committees. Committees are made up of selected board members and are smaller working groups of directors that are tasked with specific oversight responsibilities. One of the committees whose membership is prescribed by SEC regulations is the audit committee.

The Audit Committee
Audit committees of boards of directors were first recommended by the SEC in 1972. Stock exchanges then began requiring, or at least recommending, that listed companies have audit committees. Thereafter the responsibilities of audit committees increased over the years and have been formalized by statute.
The Sarbanes-Oxley Act of 2002 increased audit committees' responsibilities further. It also increased the qualifications required for members of audit committees, and it increased the authority of audit committees.

The Audit Committee (cont'd)
The major requirements for audit committees and their members:
They consist of at least 3 members
Members must be independent (example: not employed by the company)
At least one member must have accounting or financial management expertise
All members must be financially literate (at the time of appointment or shortly thereafter)
The New York Stock Exchange requires a 5-year cooling-off period during which former employees of the company or its external auditor are not allowed to serve on the audit committee

The Audit Committee (cont'd)
The responsibilities of the Audit Committee include:
Being an intermediary between management, the external auditor and the internal auditor,
Nominating an external auditor,
Discussing the scope of the audits with the internal and external auditors,
Reviewing the results of the audits,
Reviewing evaluations of internal controls,
Reviewing the work of the internal auditors, and
Reviewing the interim and annual financial statements.

Legislative Initiatives on Internal Control
There are a handful of legislative initiatives regarding internal control issues that we will look at in more detail:
The Foreign Corrupt Practices Act,
The Sarbanes-Oxley Act, and
SEC Release 33-8810.

The Foreign Corrupt Practices Act
This Act was passed in response to the discovery in the 1970s that American companies were making large, questionable or illegal payments to foreign governments, officials or politicians.
It is an amendment to the 1934 Securities Exchange Act.
There are two main provisions:
Anti-bribery provisions
Accounting provisions

Applicability and Responsibility
The anti-bribery provisions apply to all companies, whether or not they are publicly traded and registered with the SEC.
The accounting provisions are applicable only to companies that are under the regulation of the SEC.
The responsibility for compliance with the Act is given to the company as a whole.
Responsibility is not placed with a specific person or position, but with everyone within the organization.
However, individuals are personally liable for their actions.

Anti-Bribery Provisions
It is illegal to offer or authorize corrupt payments to any foreign official, foreign party chief or official, or a candidate for political office in a foreign country.
It is also illegal to make these payments through another party (an intermediary).
A corrupt payment is one that is intended to cause the recipient to misuse their position in order to direct business to the payer of the corrupt payment.
A payment is corrupt simply by the fact that it is made. Even if the benefits that were expected are not received, the payment was corrupt.

Accounting Provisions
Management is required to maintain records, books and accounts that represent transactions properly.
Management must also develop and implement a system of internal controls.
The logic is that if the company has an effective internal control system, it will be more difficult for corrupt payments to be made.

Penalties under the FCPA
Fines for making illegal payments are:
Up to $2 million in fines against the company, and
Up to $100,000 in fines and 5 years of imprisonment for individuals who make or authorize an illegal transaction.
Companies can also be prevented from participating in government contracts and have their export license revoked. Shareholders are also able to file lawsuits against the company for illegal payments.

Sarbanes-Oxley Internal Control Provisions
The Sarbanes-Oxley Act was enacted in 2002. Its provisions with respect to internal control are:
Audit committees are to be responsible for the appointment, compensation and oversight of the registered public accounting firm.
Audit committees are to have the authority and funding to engage independent counsel and advisors as deemed necessary.
Auditors are to report directly to the audit committee.
Members of the audit committee must be truly independent.

Sarbanes-Oxley (cont.)
It is unlawful for any corporate officer or director, or person acting under their direction, to fraudulently influence, coerce, manipulate or mislead any accountant engaged in preparing an audit, for the purpose of causing the audit report to be materially misleading.
The company's annual report filed with the SEC must be accompanied by a statement of management that management is responsible for creating and maintaining adequate internal controls, along with a statement of management's assessment of the effectiveness of these controls.

Sarbanes-Oxley Internal Control Provisions (cont.)
There are several main aspects of Sarbanes-Oxley (SOX) that we will now cover in more detail. They include:
1. The Public Company Accounting Oversight Board (PCAOB)
2. SOX Section 302: Corporate Responsibility for Financial Reports
3. SOX Section 404: Management Assessment of Internal Controls
4. PCAOB Auditing Standard 5 and the preferred approach to auditing internal controls

Public Company Accounting Oversight Board
Title 1 of the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing of public companies that are subject to the securities laws.
The board:
Contains 5 board members appointed by the SEC
Includes only members who are financially literate and who come from the private sector
Only 2 of the board members can be CPAs.
The PCAOB has many responsibilities. Its role of providing guidance to auditors on their auditing of internal controls is just one of them.

Public Company Accounting Oversight Board (cont'd)
The primary responsibilities of the PCAOB include:
Registering accounting firms that audit public companies.
Establishing standards related to the preparation of audit reports regarding auditing, quality control, ethics, and independence.
Conducting inspections of registered public accounting firms for compliance with the Sarbanes-Oxley Act, the rules of the Board, the rules of the SEC, and other professional standards.
Enforcing compliance with appropriate laws and professional standards relating to audit reports and the obligations of accountants for them.
Conducting investigations and disciplinary proceedings and imposing appropriate sanctions.

SOX Section 302
Section 302 relates to corporate responsibility for financial reports.
Each annual or quarterly report of a company must include certifications by the CEO and CFO that:
They have reviewed the report
The report does not contain any untrue statement of a material fact or omit to state any material fact that could make the report misleading
Based upon their knowledge, the financial statements fairly present in all material respects the financial condition and results of operations of the company
They understand that they are responsible for internal controls in the company

SOX Section 302 (cont'd)
Each annual or quarterly report of a company must include certifications by the CEO and CFO that (cont'd):
They have disclosed required information to the company's auditors and the audit committee of the board of directors, including:
Any fraud that involves management or other employees with significant responsibilities in the company's internal controls
All deficiencies in the design or operation of the company's internal controls
They have disclosed in the report any material changes in the company's internal controls that have occurred after the report date but prior to its publication

SOX Section 404
Section 404 relates to the management assessment of internal control.
Each annual report required by the SEC must contain an assessment by management of the adequacy of the company's internal control over financial reporting (ICFR for short). This internal control report shall:
State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
Contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting as of the fiscal year-end

SOX Section 404 (cont'd)
The SEC provided interpretive guidance (SEC Release No. 33-8810) to implement Section 404. The guidance is organized around two broad principles:
1. Management should determine whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
2. Management's evaluation of evidence about the operation of its controls should be based on its assessment of risk.

PCAOB Auditing Standard #5
PCAOB Auditing Standard No. 5 calls for a top-down, risk-based approach to assessing and attesting to internal controls. Important details regarding this approach are:
A risk-based approach begins by identifying the risks that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
The auditor should perform procedures such as inquiry, inspection of documents, or walkthroughs (a combination of the preceding procedures) to understand and identify the likely sources of potential misstatements.
A fraud risk assessment should be taken into account during the audit of internal controls.

PCAOB Auditing Standard #5 (cont'd)
The steps to follow in a top-down, risk-based auditing approach are:
1. Start with entity-level controls
2. Identify entity-level controls
3. Identify significant accounts and disclosures and their relevant financial statement assertions
4. Understand the likely sources of misstatement
5. Select controls to test
6. Test the design effectiveness and operating effectiveness of the controls
7. Evaluate identified deficiencies

SEC Release 33-8810
SEC Release 33-8810, the guidance for management in assessing its internal control over financial reporting, also contains information about how a risk-based, top-down approach to assessing internal control over financial reporting should be performed. It sets out the following steps:
1. Identify financial reporting risks and controls
2. Evaluate evidence of the operating effectiveness of the internal controls over financial reporting
3. Consider the impact of multiple locations adequately (reliance on central controls, review of remote locations, etc.)
4. Evaluate control deficiencies to determine whether they are a material weakness

What Internal Controls Can and Cannot Do
Internal controls can help an organization get to where it wants to go.
Internal controls can help an organization achieve its goals and prevent loss of resources.
Internal controls can ensure reliable financial reporting.
Internal controls can ensure that the organization complies with laws and regulations.
Internal controls cannot provide a guarantee. They can provide only reasonable assurance to management and the board of directors regarding achievement of the entity's objectives.

Internal Auditing

Internal Auditing
The IIA defines internal auditing as:
"an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
Internal auditing provides a mechanism for management to monitor the reliability of financial reporting and the company's control over operations.

Types of Internal Auditing Services
Internal auditing services fall into three fundamental categories:
1. Operational: reviewing the various functions within the organization in order to appraise the efficiency and economy of operations and the effectiveness with which the functions achieve their objectives.
2. Financial: reviewing the economic activity of the organization as it is measured and reported by accounting methods.
3. Compliance: reviewing both financial and operating controls and transactions to determine whether they conform to laws, standards, regulations and procedures.

Responsibilities of Internal Auditors
The responsibility of the internal audit function is to review and appraise policies, procedures, plans and records for the purpose of informing and advising management.
Perhaps more important is what internal audit is not responsible for.
Internal audit is not responsible for, and has no authority over, operating activities.
Internal audit makes no decisions about what should be done; it provides information and advice, and then management makes a decision.
Internal audit may help with implementation, but management makes the decision.

Internal Auditors and the Internal Control System
The internal auditors are not responsible for the internal control system (management is responsible for that).
The internal auditors' function is to test, examine, review, evaluate and make recommendations about the internal control system.
In this way, internal auditing assists management in carrying out its monitoring responsibilities.

Organizational Status
The internal audit function should report to the board of directors through the audit committee.
The internal auditors need to be perceived as an important part of the company in order to be able to do their job effectively.
People in the company need to know that the board will listen to what the auditors say and therefore that the conclusions of the auditors are important.
By reporting to a high level, the function has organizational independence. This means that the auditors do not have any direct relationships with those they are auditing. The people they are auditing cannot tell them what to do or fire them.

Internal Auditors and External Auditors
External auditors are focused on one thing: the opinion about the financial statements.
External auditors are not concerned about the efficiency or effectiveness of operations, just that the financial statements reflect fairly the operations of the company.
Internal auditors have a wider range of interests and engagements. They compare what is in the company with what should be and report their findings to management. In addition to their findings, the internal auditors develop and report recommendations for improvement.

Coordination of Internal and External Auditors
Some of the work of the internal auditors may be relevant to and used by the external auditor.
Before using the work of the internal auditors, however, the external auditor must assess the internal auditors':
Competence (how well they do their job), and
Objectivity (their organizational independence, or their role within the organization).

Use of the Internal Auditors' Work
If the external auditor decides to use some of the work of the internal auditors:
The external auditor will supervise, manage and review all of the work done by the internal auditors.
The internal auditors will not assess risk.
The internal auditors will not draw any conclusions.
The internal auditors are more likely to be used in areas that are objective (existence of fixed assets) than subjective (valuation of future cash flows).

Types of Engagements
Internal auditors perform two basic types of services:
1. Assurance services: performing an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
2. Consulting services: advisory and other related client service activities. They are usually performed at the request of the client, and their nature and scope are agreed upon with the client. They are intended to add value and improve an organization's governance, risk management and control processes.

Assurance Services
Assurance services include:
1. Financial audit: analyze the economic activity as
measured and reported by accounting methods. The
goal is to determine whether financial assertions can
be proven:
Existence or occurrence
Completeness
Rights and obligations
Valuation or allocation
Presentation and disclosure
2. Performance (or operational) audit: focuses on the
efficiency, effectiveness, and economy of the company's
internal control system based upon the company's
standards.

Assurance Services cont'd
Assurance services include (cont'd):
3. Audit of financial controls: involves examining two
aspects of financial internal controls:
Controls over financial resources
Controls over the accounting for financial resources
4. Compliance audit: performed in order to determine
whether an organization is operating in an orderly way,
effectively and visibly conforming to certain specific
requirements of its policies, procedures, or standards.
5. System security audit: auditing the controls in place
for information systems.
6. Due diligence engagement: to confirm company
records, both financial and those of property ownership.

Consulting Services
Examples of consulting services include:
1. Quality audit: evaluating the quality of the product or
service being provided.
2. Special engagements: an example of a special
engagement is a fraud audit. Fraud audits are
performed for the purpose of discovering the presence,
scope and means of either misappropriation of assets
or fraudulent reporting.
Consulting services are intended to add value
and improve an organization's activities in a
specific area without assuming management
responsibility.

Consulting Services cont'd
Per Internal Auditing Standard No. 2120, the
internal auditor should follow the following
standard during a consulting engagement:
Address risk consistent with the engagement's
objectives and be alert to the existence of other
significant risks.
Incorporate knowledge of risks gained from consulting
engagements into their evaluation of the organization's
risk management processes.
When assisting management in establishing or
improving risk management processes, internal
auditors must refrain from assuming any management
responsibility by actually managing risks.

Which Audit Engagements to Accept
The beginning of the audit process is to determine
which engagements to conduct.
The chief audit executive makes the decisions
regarding which engagements to perform based
upon risk-based factors such as:
Length of time since the last audit was performed in this area
Requests from senior management
Relation of the proposed engagement to the external
audits of financial statements and internal controls
Changing circumstances in the business, operations,
systems or controls
Potential benefit that could be achieved by the
engagement

Audit Planning
According to Internal Auditing Standard 2201, the
internal auditor considers the following in
planning the engagement:
The objectives of the activity being reviewed and the
means by which the activity controls its performance;
The significant risks to the activity, its objectives,
resources, and operations and the means by which the
potential impact of risk is kept to an acceptable level;
The adequacy and effectiveness of the activity's risk
management and control processes compared to a
relevant control framework or model;
The opportunities for making improvements to the
activity's risk management and control processes.

Establishing Audit Objectives
When establishing an audit's objectives, Internal
Auditing Standard 2210 states that the auditor must:
Conduct a preliminary assessment of the risks relevant to
the activity under review.
Consider the probability of significant errors, fraud,
noncompliance, and other exposures.
Ensure that adequate criteria are available to evaluate
controls. If they are adequately defined by management,
internal auditors must use such criteria in their
evaluation. If inadequate, internal auditors must work with
management to develop appropriate evaluation criteria.
Address governance, risk management, and control
processes to the extent agreed upon with the client
during consulting engagements.

Assessing Audit Risk
Assessing audit risk is an important part of the
audit process. Audit risk is the risk that the auditor
will conclude that everything is working
properly when, in fact, it is not working correctly.
It is made up of three components:
Inherent risk (IR) is the risk that exists in what is being
audited: the risk of a problem in the absence of controls.
Control risk (CR) is the risk that a mistake is NOT
prevented or detected by the internal control system.
Detection risk (DR) is the risk that the mistake is NOT
detected by the auditor.
The audit risk is calculated by multiplying these risks
together: AR = IR × CR × DR

Assessing Audit Risk cont'd
Control risk and detection risk operate
inversely to each other.
If control risk decreases (the internal controls are
better) the detection risk can be increased (auditors do
less testing) and the audit risk will remain the same.
If control risk increases (the internal controls are worse)
the detection risk can be decreased (auditors do more
testing) and the audit risk will remain the same.
The auditor assesses inherent and control risk,
but is able to influence only detection risk.
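
The audit risk model rearranged to show the inverse relationship, as an added worked equation that is not part of the original slides; the numeric values are constructed for illustration:

$$AR = IR \times CR \times DR \;\Rightarrow\; DR = \frac{AR}{IR \times CR}$$

Holding the target audit risk at $AR = 0.05$ and the assessed inherent risk at $IR = 0.8$:

$$CR = 0.50:\; DR = \frac{0.05}{0.8 \times 0.50} = 0.125 \qquad\qquad CR = 0.25:\; DR = \frac{0.05}{0.8 \times 0.25} = 0.25$$

Better controls (the lower CR) permit a higher planned detection risk, so less substantive testing, while the overall audit risk stays at 0.05.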


Understanding Internal Controls in the Planning
After the engagement objectives are determined
and the inherent risks identified, the next step is the
understanding of internal controls.
The auditor's understanding needs to encompass
the 5 components of internal control: the control
environment, risk assessment, control activities,
information and communication, and monitoring.
The auditor will use this understanding to:
Identify types of potential misstatements that may occur in
whatever is being audited
Consider factors related to risk of material misstatement
Design the substantive tests to be performed

Flowcharting
Internal control systems may be documented in a
flowchart.
A systems flowchart (or horizontal flowchart) shows
departments and functions across the top and
documents manual and automated processes. Control
points are identified.
A program flowchart (or vertical flowchart) shows the
steps in the process and how they will be executed.
A data flow diagram is a graphic representation of the
internal control system.

The Internal Audit Program
The audit program is written after the assessment of the
relevant internal controls.
The program should include the objectives of the area to
be audited and the controls in place to achieve the area's
objectives, which determine the audit objectives.
It gives details on the procedures to be followed to reach
the objectives of the audit: what is to be done and how it
will be done.
It must be written and must be detailed enough so that the
auditors know what is to be done.
It is used to supervise and review the work.
Standardized audit programs may be used when
appropriate.

Audit Evidence
Evidence is what the auditor gathers to be able to
support their conclusion. The evidence should be:
Sufficient: there must be enough evidence.
Competent: it must be reliable and the best available.
Relevant: it must be consistent with the objectives of
the audit.
Useful: it assists the organization to achieve its goals.
The most competent, or best, source of evidence
is something obtained by the auditor directly.
Evidence from the client is the worst, and evidence
from a third party is in the middle.

Audit Evidence cont'd
Audit evidence is classified according to legal rules
of evidence. These include:
Direct: acquired directly by the party offering it.
Hearsay: a secondhand account where the witness does
not have personal direct knowledge.
Documentary: any original record, deed, or document.
Opinion: not generally considered useful evidence.
Circumstantial: evidence that is consistent with a
particular inference.
Secondary: not the original documentation.
Corroborative: supports other evidence.
Conclusive: it is indisputable.

Auditing Financial Controls
The Sarbanes-Oxley Act requires management to
assess the adequacy of the company's internal
controls over financial reporting. Internal auditors
can assist in this through an audit of financial
controls.
A financial audit focuses on accounting controls. An
operational audit focuses on administrative controls.
Accounting controls are concerned with the integrity and
accuracy of the accounting system and the financial
reports being generated.
Administrative controls are more focused on
management's operating objectives.

Auditing Financial Controls contd
Accounting controls are intended to achieve the
following characteristics for the financial records:
Completeness: Are all of the transactions reflected in or
captured by the accounting system?
Validity: Are only valid transactions recorded?
Authorization: Are all transactions properly authorized?
Accuracy: Are reported numbers accurate representations
of the economic transactions that have occurred?

Objectives of an Audit of Controls
An audit of controls has the following objectives:
1. determine if controls are in place
2. determine if the existing controls are structurally sound
3. determine if the controls are designed to achieve a
specific management objective, to achieve compliance
with predetermined requirements, or to ensure accuracy
and propriety of transactions
4. determine whether the controls are being used properly
5. determine if the controls are efficiently serving their
purpose
6. determine whether the controls are effective
7. determine if management is using the output of the control
system

Testing Compliance with Controls
The auditor investigates the following to test
compliance with controls and evaluate their
effectiveness:
1. Are procedures being followed?
2. Is the output being used?
3. Is the input into the system valid, accurate, and
reasonable?
4. If the system is computerized, is it operating properly?
5. Is the output of the control operation valid?
6. Is the control output achieving management's objective in
establishing the control?
7. Is the control system operating as intended?

Testing Compliance with Controls cont'd
The auditor investigates the following to test
compliance with controls and evaluate their
effectiveness (cont'd):
8. Does the control system have the following required
characteristics?
Flexibility.
Timeliness.
Accountability.
Cause identification.
Appropriateness.
Placement.

Testing Compliance with Controls cont'd
Procedures the auditor performs to test operating
effectiveness of controls include a mix of tests.
Some types of tests produce greater evidence of the
effectiveness of the controls than other tests.
Here are the tests that an auditor might perform in
order of the evidence they would usually produce,
from the lowest quality evidence to the highest
quality evidence:
1. Inquiry of appropriate personnel;
2. Observation;
3. Inspection of relevant documentation; and
4. Re-performance of a control.

Control Breakdowns
If an auditor identifies a deficiency in a control over
financial reporting, the auditor should evaluate the
severity of the deficiency to determine whether the
deficiency, either individually or in combination with
other deficiencies, represents a material weakness.
The severity depends upon:
Whether there is a reasonable possibility that the
company's controls will fail to prevent or detect a
misstatement of an account balance or disclosure; and
The magnitude of the potential misstatement resulting
from the deficiency or deficiencies.

Control Breakdowns cont'd
Risk factors affect whether there is a reasonable
possibility that a deficiency or combination of
deficiencies will result in a misstatement of an
account balance or disclosure. These risk factors
include:
The nature of the financial statement accounts,
disclosures, and assertions involved;
The susceptibility of the related asset or liability to loss or
fraud, or how likely it is that something could go wrong;
The subjectivity, complexity, or extent of judgment
required to determine the amount involved;

Control Breakdowns cont'd
Risk factors affect whether there is a reasonable
possibility that a deficiency or combination of
deficiencies will result in a misstatement of an
account balance or disclosure. These risk factors
include (cont'd):
The interaction or relationship of the control with other
controls, including if they are interdependent or redundant;
The interaction of the deficiencies, i.e., if there is more
than one, could they in combination cause a material
misstatement;
The possible future consequences of the deficiency.

Control Breakdowns cont'd
If multiple control deficiencies affect the same
financial statement balance or disclosure, that
increases the likelihood of misstatement and may, in
combination, constitute a material weakness (though
each deficiency individually may not be severe).
Factors that affect the size of a misstatement that
might result from a deficiency in controls include:
The financial statement amounts or total of transactions
exposed to the deficiency; and
The volume of activity in the account balance or class of
transactions exposed to the deficiency that has occurred
in the current period or that is expected in future periods.

Fraud Audits
In a financial statement audit, the audit should be
prepared so that any material misstatement is
detected, no matter what the cause of the
misstatement.
The auditor is responsible for examining the
controls to determine if they are adequate to
prevent or detect fraud and must also have
sufficient knowledge to be able to identify the
indicators that fraud may have occurred.
However, the deterrence of fraud is the
responsibility of management, not the auditor.

Fraud Audits, cont'd
It is preferable (and usually cheaper) to prevent
fraud than it is to discover it after the fact.
If the auditor detects control weaknesses,
additional tests should be performed to identify
other factors of fraud that may be present.
When fraud is detected, the auditor should
immediately report it to the appropriate level of
management.

Types of Fraud
There are three main classifications of fraud:
Misstatements from fraudulent financial reporting,
Misappropriation (theft) of company assets, and
Corruption (bribes, conflicts of interest).
In the misappropriation of assets, the employee is
more likely to be living beyond their means
because they have more money than their salary
as a result of the theft.

Factors Contributing to Fraud
The following items do not indicate that fraud is
occurring, but rather that conditions exist in which
fraud may occur more easily.
No segregation of duties;
Lack of controls such as limiting access to assets,
comparing existing assets with recorded assets, and
requiring proper authorization for executing
transactions;
Lack of qualified personnel;
Collusion among employees;
The existence of high-value, small, liquid assets; and
Management override of controls that are in place.

The IIA's Position regarding Fraud
The Institute of Internal Auditors' (IIA's) position on
deterrence, detection, investigation and reporting of
fraud is:
Deterrence of fraud is the responsibility of management.
Internal auditors must have sufficient knowledge to be
able to identify the indicators that fraud may have
occurred.
If control weaknesses are detected, additional tests
should be performed to identify other factors of fraud that
may be present.
Audit procedures alone will not guarantee that fraud will
be detected.
A fraud that is detected needs to be reported.

Considering Fraud in Audit Planning
The auditor should develop and plan the audit with a
reasonable assurance of detecting material fraud or
misstatements. However, due to the fact that the
perpetrators of fraud will try to hide the fact, it is not
possible to guarantee discovery of material frauds.
Fraud is different from an error in that fraud is an
intentional misstatement while an error is
unintentional. The three main types of fraud are:
1. Fraudulent financial reporting
2. Misappropriation of assets
3. Corruption

Internal Audit Reports
Audit reports may be written or oral. Oral reports
are more timely but do not replace written reports.
Any oral reports should be followed with a written
report confirming the oral report.
All reports should include:
The purpose,
The scope of the engagement,
The results of the engagement, including
recommendations, if applicable.
Reports might include summaries, background
information, status of previous audit findings or
other comments.

Purpose of the Engagement
The purpose should include:
The engagement objectives should be described in
enough detail so readers know what to expect from the
rest of the report.
Objectives should address the risks, controls and
governance processes associated with the activities under
review.
The purpose may also include:
Why the engagement was performed
What the expected results were (e.g., cost savings,
increased efficiencies, etc.)

Scope of the Engagement
Description of the work done to achieve the
engagement's objectives. The scope should be
sufficient to address the agreed-upon objectives:
Activities reviewed and time period reviewed
Any related activities not reviewed
The nature and extent of the work performed
Should include consideration of relevant systems,
records, personnel, and physical properties, including
those under the control of third parties
The scope should specifically state what areas
were not covered that readers might expect to be
covered unless told differently.

Results of the Engagement
Includes observations, conclusions, an opinion if
appropriate, recommendations, and action plans
from the engagement.
Observations: audit findings made by comparing
what is with what should be.
An audit finding should include: background, criteria,
condition, cause, and effect.
Background: identify people involved, environment of
the operation, reason why the situation is reportable, etc.
Criteria: the standards used to judge the operation
being audited (the "what should be").
Condition: the facts determined through observation,
questioning, analysis, verification and investigation (the
"what is").

Results of the Engagement cont'd
Audit findings (continued):
Cause: explains the reason why "what is" is different from
"what should be".
Effect: the consequences of the difference between what
is and what should be. To be reportable, an audit finding
should have consequences: who or what was hurt, and how
badly.
Conclusions: the internal auditor's evaluations, such as
whether a function is operating as intended, if control
criteria are being met, if objectives are being met, etc.
Recommendations: for improved performance,
acknowledgement of satisfactory performance, any
corrective actions needed.

Summary Reports
One or two page executive summary.
To inform senior management of matters that need
prompt or continued attention.
To inform senior management about significant
findings.
Should include:
Brief description of the audit,
Conclusions,
Summary statements of significant findings with references to
where the detail can be found in the full audit report, and
Brief description of actions taken by the client as a result of
the audit findings.
May be issued in addition to the full audit report.

Writing and Distributing the Report
The report should be:
Objective,
Clear,
Concise (no longer than necessary),
Timely, and
Constructive.
The report should be reviewed with the auditee
before it is issued.
The report should be distributed to everyone
who has a direct interest in the area being
audited.

Incidents That Should be Reported
The auditor should report:
All material facts that they know that, if not reported,
could cause the audit report to be distorted or
conceal unlawful acts,
Any variances between what should have been and
what was,
Any suspected fraud,
The violation of any law,
Inconsistent product quality (in a quality audit), and
Any other reportable condition that management
should be informed about.

Auditor Follow-Up
Unlike the external auditor, the internal auditor
should follow up on engagements after they are
completed.
The follow-up is to determine whether the
recommendations have been implemented,
whether they were timely, and whether they
have been effective, and just how the department
is doing.

Computerized Audit Techniques
Use of computers to audit information systems:
Generalized audit software
Test data
Integrated test facility
Parallel simulation
Embedded audit routines
Extended records
Snapshots
Tracing
Mapping
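
Two of the techniques listed above worked through in Python, as an added example that is not code from the CMA slides: generalized-audit-software style tests (gap and duplicate detection on invoice numbers) and parallel simulation, where the auditor recomputes the posting logic independently and compares the result with what the client's system posted. The invoice extract, the tax rate and the rounding rule are constructed for illustration.

```python
"""Computer-assisted audit techniques over a constructed sales-invoice file.

Added example, not code from the CMA slides. INVOICES, TAX_RATE and the
rounding rule are constructed; a real engagement would read the client's
file and take the rate and rounding from the documented posting logic.
"""
from decimal import Decimal, ROUND_HALF_UP

TAX_RATE = Decimal("0.08")  # constructed: the rate the client's system should apply

# Constructed extract: (invoice number, net amount, tax charged, total posted)
INVOICES = [
    (1001, Decimal("100.00"), Decimal("8.00"), Decimal("108.00")),
    (1002, Decimal("250.00"), Decimal("20.00"), Decimal("270.00")),
    (1002, Decimal("250.00"), Decimal("20.00"), Decimal("270.00")),  # posted twice
    (1004, Decimal("80.00"), Decimal("6.40"), Decimal("86.40")),     # 1003 never posted
    (1005, Decimal("99.99"), Decimal("7.99"), Decimal("107.99")),    # tax rounded down
    (1006, Decimal("10.00"), Decimal("0.80"), Decimal("10.90")),     # total does not foot
]


def sequence_gaps(invoices):
    """Gap test: numbers absent between the lowest and highest invoice number."""
    numbers = {inv[0] for inv in invoices}
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def duplicates(invoices):
    """Duplicate test: invoice numbers that appear more than once, in first-seen order."""
    seen, dups = set(), []
    for number, *_ in invoices:
        if number in seen and number not in dups:
            dups.append(number)
        seen.add(number)
    return dups


def simulate_invoice(net):
    """Auditor's independent model of the posting logic (parallel simulation)."""
    tax = (net * TAX_RATE).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return tax, net + tax


def parallel_simulation(invoices):
    """Compare posted tax and total with the auditor's recomputation; return mismatches."""
    exceptions = []
    for number, net, tax, total in invoices:
        exp_tax, exp_total = simulate_invoice(net)
        if tax != exp_tax or total != exp_total:
            exceptions.append((number, f"posted {tax}/{total}, expected {exp_tax}/{exp_total}"))
    return exceptions


def run_caats(invoices):
    """Run all three tests and return their findings together."""
    return {
        "gaps": sequence_gaps(invoices),
        "duplicates": duplicates(invoices),
        "simulation": parallel_simulation(invoices),
    }


if __name__ == "__main__":
    for test_name, findings in run_caats(INVOICES).items():
        print(f"{test_name}: {findings}")
```

The gap and duplicate tests point at completeness and validity problems in the file; the simulation mismatches are the ones the auditor follows up with re-performance of the posting control, since they show the system's computation differing from the documented rule.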


Systems Controls and Security Measures

Systems Controls
The objectives of controls for an information
system are similar to the objectives of overall
organizational controls. There are, however,
special threats to information systems. Examples:
Errors can occur in system design
Data can be stolen over the internet
Data and programs can be damaged
Programs can be altered by dishonest employees to
divert assets to their own use
Viruses, trojan horses, and worms can infect a system,
causing a system crash, stolen or damaged data
Physical facilities can be damaged by natural disasters,
illegal activity, or sabotage

Systems Controls contd
Information system internal control guidelines are
based upon two documents:
1. The report of the Committee of Sponsoring
Organizations (COSO) Internal Control Integrated
Framework
2. Control Objectives for Information and related
Technology (COBIT), authored by the IT Governance
Institute and published by the Information Systems Audit
and Control Foundation (ISACF).
Systems controls are broken down into two
categories:
1. General controls
2. Application controls

General Controls
General controls relate to the environment where
transactions are processed.
Controls over development, modification and maintenance
of programs, segregation of duties, data security,
administrative controls, provision for disaster recovery.
The categories of general controls are:
The organization and operation of the computer facilities,
including segregation of duties;
General operating procedures, including written procedures
and manuals;
Equipment and hardware controls, including backup
procedures;
Access controls, including both physical access and password
access to data and programs.

Application Controls
Application controls are specific to individual
applications. They should be designed to prevent,
detect and correct errors in transactions.
The three main categories are:
Input controls,
Processing controls, and
Output controls.
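
Input controls made concrete, as an added example that is not code from the CMA slides: the four accounting-control characteristics from the Auditing Financial Controls slide (completeness, validity, authorization, accuracy) applied as edit checks over a batch of journal entries before posting. The chart of accounts, the approver limits, the batch header layout and the entries are all constructed for illustration.

```python
"""Input controls over a batch of journal entries.

Added example, not code from the CMA slides. CHART_OF_ACCOUNTS,
APPROVAL_LIMITS and sample_batch() are constructed for illustration.
Each check corresponds to one accounting-control characteristic.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed reference data: the "what should be" the controls compare against.
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Receivables", "4000": "Revenue", "5000": "Expenses"}
APPROVAL_LIMITS = {"mgr01": Decimal("10000"), "ctrl01": Decimal("100000")}  # approver -> max amount


@dataclass
class Entry:
    entry_id: str
    lines: list      # (account, debit, credit) tuples
    approver: str


@dataclass
class Batch:
    expected_count: int      # record count from the batch header
    expected_total: Decimal  # control total of debits from the batch header
    entries: list = field(default_factory=list)


def check_completeness(batch):
    """Completeness: every entry on the batch header reached the system."""
    exceptions = []
    if len(batch.entries) != batch.expected_count:
        exceptions.append(f"batch: record count {len(batch.entries)} != header {batch.expected_count}")
    total = sum((d for e in batch.entries for _, d, _ in e.lines), Decimal("0"))
    if total != batch.expected_total:
        exceptions.append(f"batch: debit total {total} != control total {batch.expected_total}")
    return exceptions


def check_validity(entry):
    """Validity: only accounts in the chart and non-negative amounts are accepted."""
    exceptions = []
    for account, debit, credit in entry.lines:
        if account not in CHART_OF_ACCOUNTS:
            exceptions.append(f"{entry.entry_id}: unknown account {account}")
        if debit < 0 or credit < 0:
            exceptions.append(f"{entry.entry_id}: negative amount on account {account}")
    return exceptions


def check_authorization(entry):
    """Authorization: the approver is known and the entry is within that approver's limit."""
    amount = sum((d for _, d, _ in entry.lines), Decimal("0"))
    limit = APPROVAL_LIMITS.get(entry.approver)
    if limit is None:
        return [f"{entry.entry_id}: approver {entry.approver!r} is not authorized"]
    if amount > limit:
        return [f"{entry.entry_id}: amount {amount} exceeds {entry.approver}'s limit {limit}"]
    return []


def check_accuracy(entry):
    """Accuracy: debits must equal credits, or the entry would distort the ledger."""
    debits = sum((d for _, d, _ in entry.lines), Decimal("0"))
    credits = sum((c for _, _, c in entry.lines), Decimal("0"))
    if debits != credits:
        return [f"{entry.entry_id}: debits {debits} != credits {credits}"]
    return []


def run_input_controls(batch):
    """Apply all four controls; an empty list means the batch may be posted."""
    exceptions = check_completeness(batch)
    for entry in batch.entries:
        exceptions += check_validity(entry) + check_authorization(entry) + check_accuracy(entry)
    return exceptions


def sample_batch():
    """Constructed batch: the header promises five entries, only four arrived,
    and three of those each break a different control."""
    d = Decimal
    return Batch(expected_count=5, expected_total=d("16700"), entries=[
        Entry("JE-1", [("1000", d("500"), d("0")), ("4000", d("0"), d("500"))], "mgr01"),
        Entry("JE-2", [("1000", d("15000"), d("0")), ("4000", d("0"), d("15000"))], "mgr01"),  # over limit
        Entry("JE-3", [("9999", d("200"), d("0")), ("1000", d("0"), d("200"))], "ctrl01"),    # no such account
        Entry("JE-4", [("5000", d("1000"), d("0")), ("1000", d("0"), d("900"))], "ctrl01"),   # does not balance
    ])


if __name__ == "__main__":
    for problem in run_input_controls(sample_batch()):
        print(problem)
```

The batch-level completeness check runs even when every individual entry is clean, which is why the header's record count and control total are carried separately from the entries; an entry that is dropped in transmission leaves no trace in the entries themselves.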


System and Program Development and Change
By having controls in place during the design of
the system, the accuracy, validity, safety and
security of the system is improved.
The stages in system development are:
Statement of objectives,
Investigation and feasibility,
Systems analysis,
Systems design and development,
Program coding and testing,
Systems implementation,
Systems evaluation and maintenance.

Internet Security

Internet Security
A minimum level of internet security includes:
User account management,
A firewall,
Anti-virus protection, and
Encryption.

Viruses, Trojan Horses and Worms
A computer virus is a program that executes
itself and replicates itself, damaging the host
computer and others.
A Trojan horse does not replicate itself, though
it may still damage the computer by causing the
loss of data, or theft of data.
A worm is similar to a virus, but a worm replicates
itself without the use of a host file.

Cybercrime
The Internet, online communications and e-
business are all subject to computer crime and this
threat is growing every day.
The most serious computer crimes, as defined by
the FBI, are:
Intrusions of the Public Switched Network (the telephone
company),
Major computer network intrusions
Network integrity violations
Privacy violations,
Industrial espionage, and
Pirated computer software

Cybercrime cont'd
Other types of computer crime include:
Copyright infringement, such as the illegal copying of
copyrighted material
Denial of Service (DoS) attacks, in which a website is
accessed repeatedly so that other, legitimate users
cannot connect to it
Theft of credit card numbers from retailers' files
Phishing, a high-tech scam that uses spam e-mail to
deceive consumers into disclosing sensitive personal
information
Installation of malware on a computer without the user's
knowledge.

Cybercrime cont'd
Defenses against cybercrime include:
Firewalls
Proxy servers
Antisniffer tools
Switched networks
Encryption

Firewalls and Encryption
A firewall is a barrier between the internal
network of a company and external networks.
A firewall prevents unauthorized access to the
network and can also record attempts that were
made to access the network.
Encryption is the method of converting text into
a code for transmission and then converting
back to text when received.
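
The two firewall behaviours described above (blocking unauthorized access and recording attempts) as an added example in Python; it is not code from the CMA slides or from any firewall product. The rule set, the address ranges and the connection attempts are constructed for illustration, and the filter is deliberately stateless so that the rule-evaluation order and the default-deny outcome are easy to follow.

```python
"""Stateless packet filter modelled on the firewall the slide describes.

Added example, not code from the CMA slides. RULES, the address blocks
and ATTEMPTS are constructed for illustration. The first matching rule
wins; anything no rule allows is denied by default, and every refused
attempt is logged, which is the "record attempts" behaviour the slide names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR block of permitted source addresses
    dst_port: Optional[int]   # None matches any destination port
    proto: str = "tcp"


# Constructed policy: the admin subnet may reach the management port 22,
# the rest of the internal network may not; internal hosts may use HTTPS
# and SMTP; the public Internet may reach the HTTPS port only.
RULES = [
    Rule("allow", "10.1.0.0/16", 22),
    Rule("deny", "10.0.0.0/8", 22),
    Rule("allow", "10.0.0.0/8", 443),
    Rule("allow", "10.0.0.0/8", 25),
    Rule("allow", "0.0.0.0/0", 443),
]


def matches(rule, src_ip, dst_port, proto):
    """True when the attempt falls within the rule's protocol, source block and port."""
    return (proto == rule.proto
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and (rule.dst_port is None or rule.dst_port == dst_port))


def evaluate(src_ip, dst_port, proto="tcp", rules=RULES):
    """First matching rule decides; with no match the default is deny."""
    for rule in rules:
        if matches(rule, src_ip, dst_port, proto):
            return rule.action
    return "deny"


def filter_traffic(attempts, rules=RULES):
    """Split attempts into those passed through and a log of those refused."""
    allowed, denied_log = [], []
    for ts, src_ip, dst_port, proto in attempts:
        record = {"time": ts, "src": src_ip, "port": dst_port, "proto": proto}
        record["verdict"] = evaluate(src_ip, dst_port, proto, rules)
        (allowed if record["verdict"] == "allow" else denied_log).append(record)
    return allowed, denied_log


# Constructed connection attempts (time, source address, destination port, protocol).
ATTEMPTS = [
    ("10:00:01", "10.1.5.20", 22, "tcp"),       # admin subnet to port 22: allowed
    ("10:00:02", "10.7.3.9", 22, "tcp"),        # other internal host to port 22: denied by rule
    ("10:00:03", "10.7.3.9", 443, "tcp"),       # internal host to HTTPS: allowed
    ("10:00:04", "198.51.100.7", 443, "tcp"),   # public address to HTTPS: allowed
    ("10:00:05", "198.51.100.7", 3389, "tcp"),  # public address to port 3389: no rule, denied
    ("10:00:06", "198.51.100.7", 443, "udp"),   # wrong protocol: no rule, denied
]


if __name__ == "__main__":
    passed, refused = filter_traffic(ATTEMPTS)
    print(f"{len(passed)} allowed, {len(refused)} denied and logged")
    for entry in refused:
        print(entry)
```

The denied log is the record a system security audit would sample: each entry can be traced to the rule (or the absence of one) that refused it, so the auditor can confirm the filter is operating as the documented policy intends.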


Backup and Contingency Planning
The company must have plans for the backup and recovery
of data.
The more extreme form of contingency planning is disaster
recovery. A disaster recovery plan includes:
Who will participate in the recovery and what their roles are,
What hardware, software and facilities should be used, and
The priority of applications to be processed.
A hot site is a backup site that has similar equipment and
is able to be used immediately. A cold site is a site where
power and space are available, but it requires getting
computer equipment installed there quickly if needed.