Process for Understanding Internal Control and Assessing Control Risk
Phase 1
Obtain and document understanding of internal control design and operation
Phase 2
Assess control risk
Phase 3
Design, perform, and evaluate tests of controls
Phase 4
Decide planned detection risk and substantive tests
Definition of Internal Control
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
COSO Internal Control (2013) – Integrated Framework – Guidelines
Process: Internal control is a process. It is a means to an end, not an
end in itself
People: Internal control is effected by people. It is not merely about
policy and procedure manuals, systems, and forms, but people
and the actions they take at every level of an organization
affect internal control
Reasonable assurance: Internal control can be expected to provide reasonable assurance, but not absolute assurance, to an entity’s senior
management and board of directors
Achievement of objectives: Internal control is geared to the achievement of objectives in one or more categories (operations, reporting, and compliance)
Entity structure: Internal control is flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or
business process
Who should be invovlved in internal control?
– Supervisory board
– Management
– Internal Auditors
– Employees
– External Auditors
– Consultants
– Others
integrated framework components, component 1:
what is the control environment, and what are the 5 principles ?
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.
The five principles relating to the control environment are:
- The organization demonstrates a commitment to integrity and ethical values
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
integrated framework components, component 1:
what is the risk assessment?
- Risk assessment is a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives
- Risks are assessed according to their probability and impact
how many components are there in the COSO framework?
- control environment
- risk assessment
- control activities
- info and communication
- monitoring
what are the control activities?
- Control activities are actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
- For effective control activities formal and informal measures are relevant:
− Formal: laws, regulations, process descriptions, organizational structures, separation of functions, financial controls
− Informal: knowledge, trust, high ethical standards, openness and transparency
examples of control activities
• Directive Controls
– Support the achievement of objectives
- *• Preventive Controls**
- Prevent non-beneficial behavior or events
- Organizational measures: Control effected by the company itself in terms of separation of functions, design of work processes
- Organizational tools: Plan of the organization, plan of processes, plan of functions, guidance, time stamp, signatory power
- Technical tools: Securities, IT controls
• Detective Controls
– Are designed to detect misstatements or omissions as soon as possible
• Corrective Controls
– Are designed to re-align the actual state with the target state
Internal Control – Integrated Framework Components
Component 4: Information & Communication
- Information and communication are necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives.
- Relevant information are:
− Information relating to operations, finances and compliance which enable internal control of the company
− Information relating to external events, conditions and activities which are identified in terms of an early warning system and serve to facilitate decision making and influence communication directed at external addressees.
- Communication should be effected in an adequate manner so that every member of the organization understands his or her role with respect to internal control and its implications.
Internal Control – Integrated Framework Components
Component 5: Monitoring
- Internal control processes change in the course of time due to different factors such as fluctuation of personnel or resource restrictions.
- The monitoring of internal control ensures that the control measures stay effective under changing conditions.
- Monitoring includes:
– Ongoing evaluations (dependent on the
process) and / or
– Separate evaluations (independent from the process)
- In case of deviances corrective measures must be taken.
Responsibility for Internal Control
(…) The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.
The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles and for maintaining an appropriate relationship with the company’s auditors.
Responsibility of the Auditor
Art. 728a Swiss Code of Obligations
(1) The auditor examines whether:
- the annual accounts and, if applicable, the consolidated accounts comply with the statutory provisions, the articles of association and the chosen set of financial reporting standards;
- the motion made by the board of directors to the general meeting on the allocation of the balance sheet profit complies with the statutory provisions and the articles of association;
- there is an internal system of control.
(2) The auditor takes account of the internal system of control when
carrying out the audit and in determining the extent of the audit.
(3) The management of the board of directors is not the subject matter of the audit carried out by the auditor.
Responsibility of the Auditor
Art. 728b Swiss Code of Obligations
(1) The auditor provides the board of directors with a comprehensive report with conclusions on the financial reporting, the internal system of control as well as the conduct and the result of the audit.
(2) The auditor provides the general meeting with a summary report in writing on the result of the audit. This report contains:
- an assessment on the result of the audit;
- information on independence;
- information on the person who managed the audit and on his specialist qualifications;
- a recommendation on whether the annual accounts and the consolidated accounts should be approved or rejected with or without qualification.
(3) Both reports must be signed by the person who managed the audit.
Purposes of Control Frameworks
Purpose 1: A control framework provides a way of understanding the important elements of control, including their important relationships between them (CoCo, §19)
Purpose 2: Implementation and improvement of internal control
– As a basis for implementing internal control processes
– As a benchmark for evaluating and improving internal control
– Increases transparency of internal control
Purpose 3: Audit of internal control
– CF allows comprehensive audit of the relevant control processes
– Higher legitimization of recommendations and better support by management and board
– More efficient and effective communication of the audit results, e.g., between internal and external audit, as both parties use the same language
– Results of audit can be reconstructed by a third party
Purpose 4: Self-assessment of internal control
– CF allows a systematic and comprehensive assessment of internal control
– When performing a self-assessment, management and employees get an idea of an „ideal“ internal control
Opportunities and Limitations of Internal Control
Internal control may help the organization
- To achieve its objectives
- To ensure reliable financial reporting
- To ensure compliance with laws and regulations or avoid violation thereof
- To prevent reputation damage
Internal Control may not
- Guarantee the success and the viability of the company; effective internal control may only help to achieve the objectives
- Guarantee reliability of financial reporting and compliance with laws and regulations
Internal control – irrespective of how well the internal control system is designed or functions – may only provide a reasonable but not absolute security/assurance
External auditors consider two types of illegal actions
– Fraudulent financial reporting
– Peculation of assets
• External auditors have to gain reasonable assurance that material misstatements are detected, independent from whether these are caused by error or fraud.
