General definition:
Internal control is the policies, ways, procedures, and strategies that the client uses to manage his business and achieve his objectives.
If we have an excellent internal control system, it must be affected by its components: “policies, strategies and the system inside it”.
It affects the “Accounting system”, which is a part of it.
________
Management responsibilities for establishing good and effective internal control (in general):
1. Establish the internal control system.
2. Prepare the Financial Statements.
They will provide reasonable assurance, which is a good level of assurance but not 100%, because internal control can never be regarded as completely effective. It is therefore expected that there is “inherent risk” (which means errors and mistakes). > This may appear in the presentation of the F/S or in other parts of the system rather than the F/S. “So the F/S may or may not be affected”.
Management responsibilities in Section 404 of the Sarbanes-Oxley Act:
Section 404 requires the management of all public companies to issue an internal control report that includes the following:
1. A statement that management is responsible for establishing an adequate and effective internal control system and for preparing the F/S.
This statement is required from them to put pressure on them, so that they are responsible for it.
2. An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year.
Management should measure and evaluate their internal control system and give the assessment to the CPA, because they are the ones who established it, so they must know everything about its strengths and weaknesses.
The CPA will audit the internal control system first, then compare it with the assessment given by management after finishing the audit, and he will express his opinion.
Written By: Zainab AlEkri Ch.10 Typed By: Ali Jameel
[Diagram labels: Management assessment; CPA Responsibilities; 2- Evaluate and Test; 3- Reporting in public sector]
1- The CPA should understand the client's internal control system. He must know everything about it (before doing anything).
The CPA must keep/document this information in the audit file as evidence in case any problem arises between him and his client.
The responsibilities are the same for audits of both public and nonpublic companies.
The CPA is primarily concerned with controls related to:
1) Reliability of financial reporting. 2) Controls over classes of transactions.
2- The CPA will start to evaluate and test the system. “Why is it important to test?”
Because some information/facts about the internal control may appear differently than understood.
The CPA will perform tests of controls over: significant account balances, classes of transactions, disclosure and related financial statement assertions.
3- This step is required in the public sector in the USA. > The CPA will issue a separate report for internal control, and another one for the F/S.
In the private sector, the CPA is free to add/highlight any information about the internal control system in his report.
(All together, one report only.)
Having a good/effective control system will positively affect the Accounting system, which is a part of it.
> What is the evidence?
All transactions will be recorded when they happen and are real, i.e. exist (“occur”). All of them will be completed (“recorded and posted”) at accurate (correct) amounts, posted and summarized correctly, classified correctly in the Journal, and recorded at the time they happen. [Occurrence, completeness, accuracy, posting and summarization, classification, timing > are all met]
1- There is a direct relationship (“link”) between the internal control system and transactions.
Therefore, it is expected to have correct transactions + balances > Financial statements are free from errors.
____________
Auditor responsibilities in Section 404 in Sarbanes-Oxley-Act:
The CPA is responsible for writing two opinions about internal control in his report.
1- Express an opinion on management's assessment. [Is the assessment fairly stated or not?]
2- Express his personal opinion about the internal control system overall.
___
To decide whether the internal control system is good and effective, it must be compared with given standards and criteria developed by professional bodies in accounting and auditing, who suggest a framework called the “COSO system”.
To have a good system, at least these 5 components must exist: (Minimum requirement)
If all of them are included, it is enough; “more” is accepted, while “less” is NOT.
Why is the first component, “Control Environment”, the most important one?
Because it affects all the other components. “It is the main component”.
If we have a good control environment, it is expected that the other components will work effectively > good system (internal control system).
____
COSO: is used as the standard to compare with the client's internal control.
It is about the framework itself, not the details of the system, because there is no one internal control system for all kinds of business and organization.
1) The control environment:
Consists of actions, policies, and procedures > these reflect the overall attitudes of top management, directors, and owners about internal control and its importance to the entity.
It depends on top management's attitude: if they value the internal control system and believe in its importance > this will be reflected in their actions > like: improving the system from time to time, hiring qualified employees.
1. Integrity and ethical values:
Working harmoniously all together with the other systems; otherwise conflicts and problems will occur.
Unethical practices may lead to entering wrong data and information. [Because people operate the system, if they are ethical > good results are expected, and vice versa]
2. Commitment to competence:
Management should have the responsibility to do their best regarding their internal control system (by providing a high-quality system) > therefore, an effective system is expected.
3. Board of directors or audit committee participation:
Management will work with the board of directors and the audit committee to run and improve their internal control system so that it works efficiently.
4. Management philosophy and operating style:
How does management deal with their employees to run the organization? Dictatorial? Democratic?
Management's attitude will affect the employees' attitudes.
5. Organization structure:
Management levels:
1- Top management
2- Middle management
3- First line management
4- Employees
In each level there are different -but linked- duties, responsibilities and authorizations > identified by the top management.
- When top management believes in the importance of the internal control system, they will have a direct link with it; therefore, when any situation occurs, they will be able to solve everything quickly and update the system continuously.
- The opposite situation occurs when top management doesn't believe in the importance of the internal control system; this will result in problems occurring.
- If there is no control over the organization structure, middle and first line management may not inform top management of problems when they occur.
6. Human resource policies and practices:
It is important to choose employees carefully, setting a number of standards for choosing them, because they will operate the system, so they must be qualified to run the system efficiently.
____
2) Risk assessment:
It is mandatory, because there is no guarantee protecting the organization from different risks and problems.
Management should trace risks and assess them > to have the chance to take action toward any problem.
(When they know about it, they will be able to solve it.)
3) Control Activities: (Minimum requirement)
1. Adequate separation of duties.
[Each employee/group of employees will be responsible for one duty/function; they are not allowed to do more than one]
Examples:
a) Custody of assets > From > Accounting Books.
(e.g.: The cashier, who holds the cash, cannot work with the accounting books)
b) Authorization of transactions > From > The custody of related assets.
(Authorization to make decisions related to the transaction; no single person should take all the decisions related to a specific transaction.)
c) Operational responsibility > From > Record-keeping responsibility.
(e.g.: Time cards of employees' working hours: the employees who work on computing the working hours > must not work on recording them in the accounting books)
d) IT duties > From > User departments.
(IT employees are not allowed to access other users' accounts; their job is to deal with technical problems in the system)
______
2. Proper Authorization of transactions and Activities:
Ability to take decisions.
Types of Authorizations:
General Authorization, for normal decisions:
- Daily
- Routine
- This type of decision is taken over problems/situations that happen each day/daily.
Specific Authorization, for critical (abnormal) decisions:
- Very important
- Doesn't happen all the time
- This type of decision needs agreement from top management. “Dealing with a new case -rare-”
For the CPA it is important to know who is responsible (has the authority) to do anything inside the organization. (e.g.: the authority to sign checks, to decide whether to accept them or not)
4. Physical control over assets and records.
Keep the assets as well as the records secured, so that they are protected from anyone and are therefore preserved.
The most important type of protective measure for safeguarding assets and records is the use of physical precautions.
5. Independent check on performance.
Employees from other branches will check the performance of a branch other than the one they work at.
For small businesses, this policy will be applied between departments. [This is required to make sure that the work is done properly and legally]
The need for independent checks arises because internal controls tend to change over time unless there is a mechanism for frequent review.
___
4) Information and communication. (Accounting system)
The purpose of an accounting information and communication system:
Provide information for decision making
Initiate, record, process, and report the entity’s transactions, then prepare Financial statements.
Maintain accountability for the related assets.
___
5) Monitoring.
Deals with management's ongoing and periodic assessment of the quality of internal control performance.
To trace the system all the time and check whether there is any need to improve its performance.
Make sure that the system will keep working effectively.
________
Process for understanding internal control and assessing control risk:
(How will the CPA audit the control system?)
Phase.1: Obtain and document understanding of internal control design and operation. [The CPA will know every detail about the system]
Phase.2: Assess control risk. [After finishing “Phase.1”, the CPA must be able to find out whether anything required is missing from the system].
Phase.3: Design, perform, and evaluate tests of controls. [To be satisfied with his evaluation, the CPA needs to apply some tests to confirm his understanding].
Phase.4: Decide *planned detection risk and substantive tests. (Over F/S)
Planned detection risk: a dangerous type of risk, because it consists of a group of risks* and has an impact on the F/S.
* Acceptable audit risk, control risk, inherent risk. (All of these affect PDR).
This phase (Phase.4) is the connection point between the two main parts of the auditing process:
Audit of the internal control system.
Audit of the Financial Statements.
Phase.1: Obtain and document understanding of internal control
3) Internal control questionnaire: The CPA will prepare (design) a questionnaire about the internal control system to be answered by the client's employees (the CPA may choose specific groups to answer it); then he will collect it back and analyze its outcomes.
Evaluating internal control operation:
(Audit procedures -actions- done by the CPA over internal control or the F/S.)
Types of evidence to check the internal control system:
1. Update and evaluate the auditor's previous experience with the entity.
This procedure is done when the CPA has audited his client before (previously); he therefore already has knowledge about their internal control, but the CPA must update this knowledge.
2. Make inquiries of the client's personnel.
3. Examine documents and records. (A must)
4. Observe entity activities and operations. (Important)
For example: the CPA will go to the cashier to find out whether there is any indicator that shows the absence of “adequate separation of duties”, like finding “Accounting Books”.
5. Perform walkthroughs of the accounting system.
To find out how operations are done and how the client recorded his actions.
The CPA will trace the transaction documents from the beginning until the end.
Example:
Sale transaction: From customer order > Sale invoice > Shipping document > A/C Rec. > Collection.
Phase.2: Assess Control risk.
[Figure: Control risk matrix]
Columns, audit objectives related to transactions: Occurrence / Completeness / Accuracy / Timing / Classification / Posting & summarization
Rows, key internal controls: Proper Authorization; Adequate Documents & records; Physical control over assets; Adequate separation of duties; Independent check
Last row: Control deficiencies
This is the “Control risk matrix”. It is used by the CPA to assist in the control risk assessment process by identifying: Controls + Weaknesses.
The CPA will check whether all 5 items of control activities exist; if not, the missing item will be considered a “Control deficiency”.
The internal control system is related directly to the transactions; this is why the “Audit objectives related to transactions” are placed in the matrix.
The CPA will:
1. Identify existing controls
2. Identify audit objectives
3. Link between “1” and “2”
4. Link between “2” and “control deficiencies”.
C) Material weakness: More than significant deficiencies, “a combination of significant deficiencies” > it is expected that there will be a “material misstatement in the F/S”. [An adverse audit report is expected to be issued]
5-step approach to identify the three levels of the absence of internal control:
1. Identify existing controls.
2. Identify the absence of key controls. “While the CPA identifies existing controls in the first step, he must be able to conclude and assess what is missing.”
3. Consider the probability of compensating controls. “If the CPA has identified missing controls in the system, he will look for any applied compensation that can cover the absence of those specific controls”. [e.g.: adequate separation of duties is not applied, but as compensation for its absence, management is watching and closely checking their employees' work performance]
Management's attitude serves as an alternative for this missing control.
4. Decide whether there is a significant deficiency or material weakness.
5. Determine potential (identify possible) misstatements that could result, based on the step 4 outcomes. “Then it will be possible to determine what type of opinion is to be issued”.
__
In the public sector, after auditing internal control and discovering significant deficiencies, material weaknesses > the CPA must communicate with the audit committee or governance committee to inform them of what he has found.
Some public sectors have an “audit committee”, others have a “governance committee”; however, both exist to help the CPA in his audit process.
[Informing the committee is compulsory]
When the control weakness is less significant, the CPA may write a “Management letter” > to suggest some improvements to the internal control system.
[This is optional]
The scope of the auditor's report on internal control is limited to obtaining reasonable assurance that material weaknesses in internal control are identified.