Chapter 3 Notes

The document discusses the importance of internal control over financial reporting for management and external auditors. It describes the five components of internal control according to the COSO framework: control environment, risk assessment, control activities, information and communication, and monitoring activities.
CHAPTER 3: REPORTING: MANAGEMENT’S RESPONSIBILITIES AND IMPORTANCE TO THE EXTERNAL AUDITORS

IMPORTANCE OF INTERNAL CONTROL OVER FINANCIAL REPORTING

- Helps an organization mitigate the risks of not achieving its objectives


o Examples of objectives are:
▪ Achieving profitability
▪ Ensuring efficiency of operations, manufacturing high-quality products or
providing high-quality service
▪ Adhering to governmental and regulatory requirements
▪ Providing users with reliable financial information
▪ Conducting operations and employee relations in a socially responsible manner
- EXTERNAL AUDITOR is the most interested in the objective of reliable financial reporting
- Management implements controls to provide reasonable assurance that material
misstatements do not occur in the FS
- Benefits of internal control
o Providing confidence regarding the reliability of their financial information
o Helping reduce unpleasant surprises
o Improve the quality of information
o Allowing for more informed decisions by internal and external users of the financial
information

IMPORTANCE OF INTERNAL CONTROL TO THE EXTERNAL AUDIT

- To identify and assess a client’s risk of material misstatement, whether it’s due to fraud or error
- The auditor needs to understand a company’s internal controls in order to anticipate the types
of material misstatements that may occur and then develop appropriate audit procedures to
determine whether those misstatements exist in the FS
- INTEGRATED AUDIT
o Includes providing an opinion on the effectiveness of the client’s internal control over
financial reporting in addition to the opinion on the FS

INTERNAL CONTROL-INTEGRATED FRAMEWORK

- By the COSO (Committee of Sponsoring Organizations of the Treadway Commission)


- Original: 1992
- In 2013, they updated to Internal Control-Integrated Framework (COSO)
o Most widely used internal control framework in the US, and is also used throughout the
world
o Internationally known
- COSO defines internal control as:
o a process, effected by an entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives
relating to operations, reporting, and compliance.
o Important elements of the definition
▪ A process consisting of ongoing tasks and activities
▪ Effected by people and is not just about policy manuals, systems, and forms.
People at every level of the organization ranging from shipping clerks to the
internal auditor to the CFO, CEO, and the BODs, impact internal control
▪ Able to provide reasonable assurance, but not absolute assurance, regarding
the achievement of objectives. Limitations of internal control preclude absolute
assurance. These limitations include faulty human judgment, breakdowns
because of mistakes, circumventing controls by collusion of multiple people,
and management ability to override controls
▪ Geared toward the achievement of multiple objectives. The definition
highlights that internal control provides reasonable assurance regarding three
categories of objectives.

ENTITY-WIDE CONTROLS

- Affect multiple processes, transactions, accounts, and assertions


- The following are entity-wide controls:
o Controls related to the control
o Controls over management override
o The organization’s risk assessment process
o Centralized processing and controls, including shared service environments
o Controls to monitor results of operations
o Controls to monitor other controls, including activities of the internal audit function,
the audit committee, and self-assessment programs
o Controls over the period-end financial reporting process
o Policies that address significant business control and risk management practices

TRANSACTION CONTROLS

- Other controls such as control activities that typically affect only certain processes, transactions,
accounts and assertions
- Not expected to have a pervasive effect throughout the organization
- Common examples:
o Segregation of duties over cash receipts and recording
o Authorization procedures for purchasing
o Adequately documented transaction trail for all sales transactions
o Physical controls to safeguard assets such as inventory
o Reconciliation of bank accounts

FIVE COMPONENTS OF INTERNAL CONTROL

1. CONTROL ENVIRONMENT (5 principles)

- Set of standards, processes, and structures that provides the basis for carrying out internal
control across the organization
- Most important, foundation for all other components of internal control
- has a pervasive impact on the overall system of internal control
- Broad controls
- Principles:
o Integrity and ethics
o BOD oversight
o Lines of authority
▪ BOD – authority over significant decisions and reviews management’s
assignments
▪ Senior management – establish directives, guidance, and controls to help
employees understand and carry out their internal control responsibilities
▪ Management – guides and facilitates senior management’s directives
▪ Personnel – understand internal control requirements relative to their position
in the organization
▪ Outsourced service providers – adhere to management’s definition of the scope
of authority and responsibility for all non-employees engaged
o Commitment to competence
▪ Attract, develop, and retain competent individuals
o Accountability
▪ Accountability mechanisms include establishing and evaluating performance
measures and appropriate incentives and rewards
▪ Excessive pressures: unrealistic performance targets, imbalance between
short-term and long-term performance measures

i. Set of standards, processes and structures that provide basis for carrying out
internal control across the organization
ii. Includes tone at the top regarding the importance of internal control and the
expected standards of conduct
iii. Has a pervasive impact on the overall system of internal control
- Deficiencies:
o Ineffective board of directors dominated by top management
o Management teams driven by the increase of stock price
o Low level of control consciousness within the organization
o Audit committee does not have independent members
o Absence of an ethics policy or lack of reinforcement of ethical behavior within the
organization
o Audit committee is not viewed as the client of the external auditor
o Management overrides controls over accounting transactions
o Personnel do not have competencies to carry out their tasks

2. RISK ASSESSMENT (6-9 principles)


- Involves the process of identifying and assessing risks that may affect an organization from
achieving its objectives
- Risk – the possibility that an event will adversely affect the organization’s achievement of
objectives; comes from both internal and external sources
o Internal risks – changes in management responsibilities, changes in information
technology, and a poorly conceived business model
o External risks – economic recessions, increases in competition, development of
substitute products or services, and changes in regulation
- Principles:
o Identify relevant objectives
▪ Management should consider the level of materiality when specifying
objectives
o Assess overall risk
▪ Appropriate levels of management need to be involved
▪ Risk identification should include both internal and external factors
▪ Risks should be analyzed to include an estimate of the potential significance of
the risks and consideration of how each risk should be addressed
o Assess fraud risk
▪ Related to misappropriation of assets and fraudulent financial reporting
o Identify and analyze significant change
▪ Identify and analyze changes in internal and external factors that can affect its
ability to produce reliable financial reports
i. Process of identifying and assessing the risks that may affect an organization
from achieving its objectives
ii. Needs to be conducted before an organization can determine the other
necessary controls

3. CONTROL ACTIVITIES (10-12 principles)
- Are the actions that have been established by policies and procedures that help ensure that
management’s directives regarding controls are accomplished
- Are performed within processes
- May be preventive or detective, manual or automated
- Help ensure that management’s directives regarding the internal control are carried out
- Principles:
o Selects and develops control activities
▪ No universal set of control activities is applicable to all organizations
▪ Control activities are present within each of an organization’s processes and
help mitigate transaction-processing risks within each of those processes
▪ Transaction controls/application controls
  ▪ Implemented to provide assurance that all transactions that occurred
are recorded, that the transactions are recorded in an accurate and
timely manner, and that only valid transactions are recorded

[Figure: Business Process Transactions; Accounting Estimates; Adjusting Entries, closing entries, or unusual entries; Financial Statement Account Balances and Disclosure]

▪ Transaction processing:
o Recorded transactions exist and have occurred
o All transactions are recorded
o Transactions are properly valued
o Transactions are properly presented and disclosed
o Transactions relate to rights and obligations of the organization
▪ Input controls – designed to ensure that authorized transactions are correct
and complete and that only authorized transactions can be input
  ▪ Two common types: input validation tests (edit tests) and self-checking
digits
▪ Processing controls – designed to provide reasonable assurance that the correct
program is used for processing, all transactions are processed, and transactions
update appropriate files
▪ Output controls – designed to provide reasonable assurance that all data are
completely processed and that output is distributed only to authorized
recipients
  ▪ Typical controls include reconciliation of control totals, output
distribution schedules and procedures, and output reviews
▪ The organization should protect privacy and retain records
▪ Segregation of duties – designed to protect against the risk that an individual
could both perpetrate and cover up a fraud
▪ Physical controls – necessary to protect and safeguard assets from accidental or
intentional destruction and theft
  ▪ Security locks, vaults, safes, inventory warehouses
▪ Preventive controls – designed to prevent the occurrence of a misstatement;
cost efficient
▪ Detective controls – designed to discover errors that occurred during
processing
o Technology control
▪ Management needs to determine the extent to which automated control
activities and general computer controls are part of the mix of control activities
▪ Information technology general controls
  ▪ Pervasive control activities that affect multiple types of information
technology systems
▪ Technology infrastructure – provides support for information technology to
effectively function
  ▪ Communication network that links technologies together
▪ Security management – control activities that limit access to technologies;
includes policies that restrict authorized users to applications that are related
to their job responsibilities
▪ Technology acquisition, development, and maintenance
o Policies and procedures
▪ Policies (oral or written) should establish clear responsibility and
accountability
▪ Appropriate and competent personnel should perform the procedures
diligently, consistently, and in a timely manner
i. Actions that have been established by policies and procedures
ii. Help ensure that the management’s directives regarding internal control are
carried out
iii. Occur at all levels within the organization

4. INFORMATION AND COMMUNICATION (13-15)
- Process of identifying, capturing, and exchanging information in a timely fashion to enable
accomplishment of the organization’s objectives
- Recognizes that information is necessary for an organization to carry out its internal control
responsibilities
- there should be a two-way communication with relevant parties external to the organization
- Can be internal or external (information)
- Communication – the process of providing, sharing, and obtaining necessary information
- Helps all relevant parties understand internal control responsibilities and how internal
controls are related to achieving objectives
- Principles:
o Identify and obtain control information
▪ To support its internal control and achieve its objective of financial reporting
▪ Internal information
  ▪ Internal emails, minutes from meetings, and time reporting systems
▪ External information
  ▪ Industry research reports, whistleblower hotlines, and competitor
earnings releases
o Communicate internally
▪ Occurs throughout the organization (up, down, and across the organization)
  ▪ Periodic newsletters, posters in the break rooms, or more formal
communication
▪ Whistleblower function – special line of communication (needed for anonymous
or confidential information) especially when an employee is concerned that
something is inappropriate in the organization’s operations
o Communicate externally
▪ Organizations need a two-way communication with parties external to
organization
i. Recognizes that information is necessary for an organization to carry out its
internal control responsibilities
ii. Information: internal or external sources
iii. Communication- the process of providing, sharing, and obtaining necessary
information
iv. Helps all relevant parties understand internal control responsibilities and how
internal controls are related to achieving objectives

5. MONITORING (16-17)
- a process that provides feedback on the effectiveness of each of the five components of
internal control
- management selects a mix of ongoing evaluations, separate evaluations, or some combination
of the two to accomplish monitoring
- requires that identified deficiencies in internal control are communicated to appropriate
personnel and follow-up action to be taken
- Necessary to determine whether the controls, including all five components, are present and
continuing to function effectively
- Principles:
o Ongoing and/or separate evaluations
▪ Ongoing evaluations – procedures that are built into the normal recurring
activities of an entity
  ▪ Computerized monitoring transactions
▪ Separate evaluations – are conducted periodically, typically by objective
management personnel, internal auditors, or external consultants
  ▪ Not as timely as ongoing evaluations
o Evaluates and communicates deficiencies
▪ Control deficiencies identified through monitoring or other activities should
be communicated to appropriate personnel such as management or BOD so
that appropriate corrective action can be taken.
▪ Included is the need for an organization to implement a system to track
whether deficiencies are corrected on a timely basis
i. Determine whether the controls, including all five components, are present and
continuing to function effectively

INTERNAL CONTROLS NEED TO:

- be effectively designed and implemented
- operate effectively, procedures are consistent with the design of the controls

MANAGEMENT’S RESPONSIBILITIES FOR INTERNAL CONTROL OVER FINANCIAL REPORTING

- management provides the first line of defense in achieving reliable financial reporting
- management is responsible for designing, implementing, and maintaining effective internal
control over financial reporting
▪ Management Documentation of Internal Control
o Needs sufficient and appropriate documentation of the internal controls that they have
designed and implemented to achieve the objective of reliable financial reporting
o Communicates standards and expectations to internal control
o Documentation – useful in training new employees or reference tool for all employees
▪ Provides evidence that controls are operating, enables proper monitoring
activities, and supports reporting on internal control effectiveness
▪ Management should have documentation that provides evidence of
authorization of transactions, existence of transactions, support of journal
entries, and financial commitments of the organization
▪ Can be paper or electronic
▪ Prenumbered paper or computer generated documents
▪ Timely preparation
▪ Evidence of authorization
▪ Transaction trail
▪ Management Reporting on Internal Control Over Financial Reporting
o Sarbanes-Oxley Act of 2002 requires public company management to annually report
on the design and operating effectiveness of the organization’s internal control over
financial reporting.
o SEC guidelines require that suitable criteria be used as a benchmark in assessing
internal control effectiveness
▪ Evaluating Internal Control Over Financial Reporting
o SEC’s guidance for management encourages a risk-based approach to evaluation
o Steps in management evaluation
▪ Identify financial reporting risks and controls implemented to mitigate those
risks
▪ Evaluate the operating effectiveness of internal control over financial reporting
▪ Provide report on effectiveness of internal control over financial reporting
o Designing effectiveness of the controls intended
▪ Conduct a walkthrough – following a transaction from origination to when it is
reflected in the financial records; helps management determine whether
controls are effectively designed or implemented

ASSESSING DEFICIENCIES IN INTERNAL CONTROL OVER FINANCIAL REPORTING

▪ CONTROL DEFICIENCY
o Shortcoming in internal control such that the objective of reliable financial reporting
may not be achieved
o Deficiency in design (control objective is missing, control not properly designed)
o Deficiency in operation (properly designed control does not operate as designed or
person performing the control does not possess the necessary authority or
competence)
o Assess the LIKELIHOOD OF MISSTATEMENT AND MAGNITUDE OF POTENTIAL
MISSTATEMENT
▪ SIGNIFICANT DEFICIENCY
o Deficiency or a combination of deficiencies in internal control over financial reporting
that is less severe than a material weakness, yet important enough to merit attention
by those responsible for oversight of the organization’s financial reporting
o Does not need to be reported to external users
o Would not be included in management’s report on effectiveness of internal control
▪ MATERIAL WEAKNESS
o Deficiency or a combination of deficiencies in internal control over financial reporting
such that there is a reasonable possibility that a material misstatement of the
company’s annual or interim financial statements will not be prevented or detected on
a timely basis
o There is reasonable possibility that this type of control deficiency could lead to material
misstatement
o Management will report that such material weakness in internal control existed
o One or more material weaknesses: issue report that internal control over financial
reporting is not effective

Material weakness or significant deficiency? PROFESSIONAL JUDGMENT is used.


IMPORTANCE OF INTERNAL CONTROL TO EXTERNAL AUDIT

- Assessment requires an understanding of the organization and its environment including its
internal control over financial reporting
- In order to anticipate the types of material misstatement that may occur and then develop
appropriate audit procedures to determine whether those misstatements exist in the financial
statements
- If a client has ineffective internal control, the auditor will plan the audit with this in mind.
