Internal Control Over Financial Reporting

What You Really Need to Know

Chapter 7: Internal Control Over Financial Reporting

LO1 Describe the five components of the internal control framework: the control environment, management’s risk assessment process, information systems and communication, control activities, and monitoring

·  Business risk and internal control are so tightly linked that auditors need to consider them together.

·  Internal control is defined as the process designed, implemented, and maintained by management and other auditee personnel to provide reasonable assurance about the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

·  The auditor is primarily interested in the accounting controls.

·  Management’s and directors’ attitudes, awareness, and actions concerning the company’s internal controls set the tone for the control environment. Management must act to remove or reduce incentives and temptations which motivate people in the organization to act unethically.

·  Two categories of controls are preventive controls and detective/corrective controls. Generally, environmental controls can be characterized as preventive controls since they are there to prevent misstatements from arising in the first place. Preventive controls are more effective than controls designed to detect and correct misstatements after they have entered the system. Auditors tend to focus their preliminary evaluation on environmental controls.

·  An information system is defined as a set of interrelated functions that collect, process, store, and distribute information in an organization. An information system has three main activities: input, processing, and output. The input is mainly data, the raw facts collected from the environment, while processing converts data into output in an understandable and useful form referred to as information.

·  The information system is related to all of the key business processes. An auditor must understand how the information system relates to financial reporting and then identify the risk associated with IT use.

·  Two broad groups of control activities are general controls and application controls. General controls are primarily preventive and include organizational features such as capable personnel, segregation of responsibilities, controlled access, and periodic comparison. Application controls help ensure all recorded transactions really occurred, are authorized, and are completely and accurately entered and processed through the system.

·  All control procedures are directed toward preventing, detecting and correcting errors, irregularities, frauds, and misstatements.

LO2 Explain how the auditor’s understanding of an organization’s internal control helps the auditor to assess and respond to the risk that its financial statements are misstated

·  The auditor gains knowledge of controls mainly by making enquiries of auditee personnel. This provides an understanding of the flow of transactions through the accounting information system and the elements of the control environment that affect it. The auditor gathers information about the following features:

(a) the organizational structure,

(b) the methods used by the auditee to communicate responsibility and authority,

(c) the methods used by management to supervise the accounting information systems, including the existence of an internal audit function, and

(d) the accounting information system.

·  A questionnaire is sometimes used to guide the enquiries.

LO3 Differentiate among errors, frauds, and illegal acts that might occur in an organization

·  In order to understand fraud awareness auditing, a first step is knowledge of the types of fraud, irregularities, illegal acts and errors that can take place.

·  Errors are unintentional misstatements or omissions of amounts or disclosures in financial statements.

·  Fraud is knowingly making material misrepresentations of fact, with the intent of inducing someone to believe the falsehood, act upon it, and thus suffer loss or damage. In essence, it is about lying, cheating, stealing, and misleading. It isn’t necessarily associated with a company’s financial statements.

·  Employee fraud is fraudulently taking money or other property from an employer.

·  Embezzlement is employees or nonemployees wrongfully taking money or property entrusted to their care, custody and control. Defalcation is another name for employee fraud and embezzlement.

·  Management fraud is deliberate fraud through exploitation of authority.

·  Irregularities are intentional misstatements or omissions of amounts or disclosures in financial statements.

·  Illegal Acts are violations of laws or government regulations by the company, its management, or the employees that produce direct and significant effects on dollar amounts in financial statements.

LO4 Describe auditors’ responsibilities to detect and report frauds, errors and illegal acts

·  External, internal and governmental auditors all have standards of care explaining the responsibilities for errors, irregularities and illegal acts. Fraud examiners’ sole purpose is to detect fraud, so they are unconstrained by any such standards or guidelines.

·  In response to the growing problems of fraud, external auditors have taken on increased responsibilities for detecting fraud and other illegal acts in recent years. They need to obtain reasonable assurance that the financial statements are free of material misstatements, including those due to fraud.

·  Auditors are required by CAS to make enquiries of management about fraud and to consider fraud risk factors on every engagement. Auditors should also obtain written management representations about the extent of fraud. Auditors must now presume a risk of fraudulent revenue recognition, a presumption that is “rebuttable” by the audit evidence.

·  Auditors should inform the audit committee of all irregularities, except those that are “clearly inconsequential”.

·  Internal auditors are required to inform management of suspected wrongdoing.

·  The largest frauds are committed by people who hold high executive positions, have long tenure with an organization, and are respected and trusted employees.

·  Fraud awareness auditing involves familiarity with human behaviour, organizational behaviour, knowledge of common fraud schemes, evidence and its sources, standards of proof and sensitivity to red flags.

LO5 Describe some of the conditions that lead to fraud risks

·  Fraud usually occurs when three conditions are present: a motive, opportunity, and a lapse of integrity. Together, these three factors form what is known as the “Fraud Triangle.”

·  A motive is a pressure a person experiences and believes cannot be shared with friends and confidants. It is often financial in nature.

·  A fraud opportunity is like an open door for solving the unshareable problem by violating a trust by, for example, getting around an organization’s internal controls.

·  A lapse in integrity (rationalization) permits motive and opportunity to take the form of fraud. It provides the rationalization to act.

LO6 (Appendix 7A) Describe control frameworks used for risk management in organizations, and how auditors use them for understanding an auditee’s internal control

·  COSO’s Internal Control—Integrated Framework begins by describing why internal controls are put in place: to keep the company on course toward profitability goals and achievement of its mission, minimizing surprises along the way; to enable management to deal with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth; and to promote efficiency, reduce risk of asset loss, and help ensure reliability of financial statements and compliance with laws and regulations.

·  COSO defines internal control broadly as a process put into effect by an entity’s board of directors, management, and other personnel, and it is designed to provide reasonable assurance that objectives in the following categories will be achieved:

o  Operations objectives: These relate to the effectiveness and efficiency of the organization’s operations, including operational and financial performance goals and safeguarding assets against loss.

o  Reporting objectives: These relate to internal and external financial and non-financial reporting, including the reliability, timeliness, transparency, and other qualities as required by the organization’s regulators, standard setters, or internal policies.

o  Compliance objectives: These relate to adherence to the laws and regulations that apply to the organization.

·  A direct relationship exists between objectives, which are what an entity strives to achieve; components, which represent what is required to achieve the objectives; and the organizational structure of the entity (the operating units, legal entities, and other). The five components are:

o  control environment,

o  risk assessment,

o  control activities,

o  information and communication, and

o  monitoring activities.

·  CPA Canada’s Criteria of Control (CoCo) guidance provides an alternative approach which outlines the criteria broken down into four categories: purpose, commitment, capability, and monitoring and learning. These evaluation criteria and tools can serve as a starting point for developing a detailed assessment of the relevant management controls.

LO7 (Appendix 7B) Describe fraud risk assessment and auditing procedures, and the company documents auditors can use to detect fraud

·  Detecting Employee Fraud

·  Telltale hints of a cover-up often appear in the accounting records. The key is to notice exceptions and oddities such as transactions at an odd time of the day, month, or season; too many or too few of them; amounts too high, too low, too consistent, or too inconsistent.

·  Fraud awareness auditing involves awareness of employee perceptions of the controls in place (or not in place), plus “thinking like a crook”.

·  Internal control is important in preventing and detecting fraud. All policies and procedures should be documented and communicated to all employees.

·  Detecting Fraudulent Financial Reporting

·  Through fraud or “creative accounting”, companies create financial statements that are materially misleading by either (1) overstating revenues and assets, (2) understating expenses and liabilities, or (3) giving disclosures that are misleading or that omit important information.

·  Frauds that affect financial statements are often accompanied by the following conditions:

1.  high debt

2.  unfavourable industry conditions

3.  excess capacity

4.  profit squeeze

5.  strong foreign competition

6.  lack of working capital

7.  rapid expansion

8.  product obsolescence

9.  slow customer collections

10.  related party transactions.

·  Documents for Fraud Risk Assessment and Detection

·  Common documents include cheques, bank statements and payroll information.

·  It is important for auditors to be able to read a cancelled cheque and endorsement to ensure payment was accurately made.

·  Social insurance numbers identify people. SINs can be used to check the personnel files and the validity of the people on the payroll.

Smieliauskas/Bewley, 7e © McGraw-Hill Education, 2016
