
5-1

Chapter 5

Internal Control Evaluation: Assessing Control Risk

“If everything seems under control, you're just not going fast enough.”
-- Mario Andretti, Race car driver
McGraw-Hill/Irwin ©2007 by the McGraw-Hill Companies, Inc. All rights reserved.
5-2

Chapter 5 Objectives
1. Distinguish between management’s and auditors’ responsibilities for
a company’s internal control.
2. Define and describe internal control.
3. Define and describe the five basic components of internal control
and some of their characteristics.
4. Explain the phases of an evaluation of control and risk assessment
and the documentation and extent of audit work required.
5. Describe additional responsibilities for management and auditors of
public companies required by Sarbanes-Oxley and AS No. 2.
6. Explain the communication of internal control deficiencies to the
audit committee and other key management personnel.
7. Explain the limitations of all internal controls.



5-3

Responsibility for Internal Control

• Management responsibility
– Primary responsibility for internal control
– Sarbanes-Oxley Act of 2002 (publicly traded
companies)
• Auditor responsibility
– Second standard of fieldwork
– PCAOB Auditing Standard No. 2 (PCAOB 2): An Audit
of Internal Control Over Financial Reporting
Performed in Conjunction with an Audit of Financial
Statements



5-4
Management’s Responsibility for
Internal Control (Sarbanes-Oxley)
• In addition to certifying the company’s financial
statements (Section 302), management must also report
on the company’s internal control over financial
reporting (Section 404).
• Specifically, the company’s annual report must include:
• A statement that management is responsible for establishing and
maintaining adequate internal control over financial reporting.
• A statement identifying the framework (usually COSO)
management uses to evaluate the effectiveness of the company’s
internal control.
• A statement providing management's assessment of the
effectiveness of the company’s internal control.



5-5

PCAOB 2: Audit of Internal Control

• The auditor must attest to management’s
assessment of internal control.
– Objective:
“To form an opinion as to whether management's assessment of
the effectiveness of the registrant's internal control over
financial reporting is fairly stated in all material respects.”
• Auditors must also provide their own opinions on
the effectiveness of internal control.
• Not a separate engagement
– Integrated audit of internal control and financial
statements



5-6

COSO
• Committee of Sponsoring Organizations of
the National Commission of Fraudulent
Financial Reporting (Treadway
Commission)
• FEI, AAA, IIA, IMA, AICPA



5-7

Assess Control Risk


• Determine nature, timing, and extent of
audit procedures.
• Trade-off between testing of controls and
substantive procedures



5-8
Exhibit 5.2 Trade-off Between Tests of Controls and
Substantive Testing



5-9
Internal Control – An Integrated Framework (COSO)

Internal Control
A process, effected by an entity's board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives in the following categories:

(1) Reliability of financial reporting,
(2) Compliance with applicable laws and regulations,
(3) Effectiveness and efficiency of operations.



5-10
Exhibit 5.3
Internal Control—Integrated Framework



5-11
Exhibit 5.4
Interrelated Components of Internal Control



5-12

Control Environment
• Sets the tone of an
organization,
influencing the control
consciousness of its
people.
• It is the foundation for
all other components.



5-13

Control Environment
• Philosophy And Operating Style
• Integrity And Ethical Values
• Organizational Structure
• Commitment To Competence
• Functioning Of Board
• Authority And Responsibility
• Internal Audit
• Human Resources Policies
• External Environment



5-14

Risk Assessment
• The entity's
identification and
analysis of relevant
risks to achievement
of its objectives.
• COSO's Enterprise
risk management
(ERM) framework



5-15
Control Procedures
• The policies and procedures that help
ensure management directives are carried
out.
– Physical controls over the security of assets
– Segregation of duties
– Information Processing
• Approvals and authorization
• Verifications and reconciliations
– Performance reviews



5-16
Exhibit 5.5
Segregation of Duties



5-17

Information Processing Controls


• Information Technology General controls
– Physical security
– Hardware controls
– Segregation of IT duties
– Documentation
– Back-up procedures
• Information Technology Application controls
– Input controls
– Processing controls
– Output controls
• Spreadsheet controls



5-18

Information & Communication

• The identification, capture, and exchange
of information in the form and time
frame that enables people to carry out
their responsibilities.



5-19

Monitoring
• Management’s process that
assesses the quality of the internal
control's performance over time.
– Internal auditing
– Follow-up of reporting errors



5-20

General Phases of Internal Control Evaluation

• Phase 1: Understand and Document
– Understand the Client’s Internal Control
– Document the understanding of Internal Control
• Internal Control questionnaire
• Narrative
• Accounting and Control System Flowcharts
• Phase 2: Assess Control Risk (Preliminary)
• Phase 3: Testing and Reassessment
– Perform Test of Controls Audit Procedures
– Re-Assess Control Risk



5-21
Exhibit 5.7
Company-level Controls



5-22
Exhibit 5.10
Payroll System Flowchart



5-23
Exhibit 5.10
Bridge Workpaper



5-24
Exhibit 5.12 Assertions about Class Transactions
and Events for the Period: Payroll Cycle



5-25
Exhibit 5.13
Dual Direction Test of Payroll Controls



5-26

Audit of Internal Control (PCAOB 2)
(for Publicly Traded Companies)

Phases of the engagement
1. Plan the audit
2. Evaluate management’s process for
assessing internal control
3. Obtain an understanding of Internal Control
4. Evaluate internal control effectiveness
a) Design
b) Operation
5. Form an opinion about effectiveness



5-27

Plan the Audit (PCAOB 2)


• Consider knowledge of industry
• Consider knowledge of business
• Consider extent of changes in operations
• Consider extent of changes in internal
control



5-28
Evaluating Management's Internal
Control Assessment (PCAOB 2)
• The more extensive and reliable management’s assessment
is, the less extensive the auditor’s work needs to be.
• Auditor must perform work related to:
– Company-wide anti-fraud programs
– Controls that have a pervasive effect
• Auditor must obtain “principal evidence,” but can
incorporate work of Internal Auditors and others
– Must assess competence and objectivity
– Limited reliance
– Can’t reduce work on control environment



5-29
Obtain an Understanding of
Internal Control (PCAOB 2)
• Must understand that controls have actually
been implemented and are operating as
designed
• Must perform walkthroughs
– Major classes of transactions
– Routine and unusual transactions
• Identify significant accounts and processes
• Identify relevant assertions



5-30
Evaluate Design Effectiveness
(PCAOB 2)
• Key Questions
– Will controls be effective if operated as designed?
– Are all necessary controls in place?
• Methods
– Inquiry, observation, walkthroughs
– Specific evaluation of whether the controls are likely to
prevent or detect financial misstatements
– Specifically evaluate audit committee
– Can use SAS 70 report for service organizations



5-31
Evaluating Results and Forming an
Opinion (PCAOB 2)

• Management must document
– Design of controls
– Objectives of controls
– Qualifications of people
– Process used to assess effectiveness
• Nature and results of tests
• Inadequate documentation is a deficiency



5-32
Evaluate Operating Effectiveness
(PCAOB 2)
• Timing
– Evaluation as of end of fiscal year
– Can test at interim and update
• Methods
– Inquiries, inspection of documentation, observation,
reperformance.
– May use tests by management, internal audit staff and
3rd parties
– Read internal audit reports



5-33

Evaluate Results (PCAOB 2)


• Internal Control Deficiency
– “An internal control deficiency exists when the design or operation
of a control does not allow the company’s management or
employees, in the normal course of performing their assigned
functions, to prevent or detect misstatements on a timely basis.”
• Significant deficiency
– More than a remote likelihood of a misstatement of the annual or
interim financial statements that is more than inconsequential in
amount
• Material weakness
– More than a remote likelihood of a material misstatement
• Significant deficiencies and material misstatements must
be communicated in writing to audit committee



5-34

Significant Deficiencies
• Ineffective control environment
• Ineffective oversight by audit committee.
• Material misstatement not identified or
prevented by internal controls.
• Significant uncorrected deficiencies



5-35
Reporting on Internal Control
(PCAOB 2)
• Two opinions
– Management’s assessment of internal control effectiveness.
– Actual effectiveness of controls over financial reporting
• Types of opinions
– If no material weaknesses are discovered, issue an
unqualified opinion.
– If the auditor cannot perform all procedures, either qualify
or disclaim opinion. If opinion cannot be expressed,
explain why.
– If any material weaknesses are discovered, issue an adverse
opinion.



5-36
Types of Internal Control Reports
(PCAOB 2)
• Separate Report on Internal Control
– Opinions on management’s assertion of internal control
effectiveness as well as actual internal control effectiveness
– Opinion on financial statements contained in separate audit
report
• Integrated Audit Report and Report on Internal
Control
– Includes auditor’s opinions on 1) management’s assertion
of internal control effectiveness, 2) internal control
effectiveness, and 3) the fairness of the company’s financial
statements.



5-37
Reporting to Audit Committee on
Internal Control Related Matters
• Sarbanes-Oxley requires that the report be in
writing.
• The auditor may communicate during or after
audit.
• Communications with management are not
required; however, communications with
management or other individuals within the entity
who may, in the auditor's judgment, benefit from
the communications are not precluded.



5-38

Limitations of Internal Controls


• Human error
• Collusion
• Management override
• Cost/benefit analysis
– There is often a trade-off between the cost and the
effectiveness of internal controls.
– The concept of reasonable assurance recognizes that
the cost of an entity’s internal control should not
exceed the benefits that are expected to be derived.

