[AUD] Internal Control (Planning stage, TOC)
0. General
Responsibility
Management
establish and maintain effective and efficient internal control
Auditor
plan audit and assess control risk
ensure the audit committee is aware of SD and MW which come to the auditor's attention
> no obligation to search for SD of IC
Limitation
reasonable assurance
- cost constraints
- mgt override
- human judgment in decision-making
- human failure
- control circumvented by collusion
COSO
independent private sector initiative
1992 IC - Integrated Framework
2013 Fundamental Concept Framework update
Objective
O: effectiveness and efficiency of operations
R: reliability of financial reporting (most relevant objective for audit)
C: Compliance with applicable laws and regulations
Components by COSO
- each of the five components of IC may affect any of the three overall entity objectives
- five components of IC are applicable to all audits
- auditor is required to have an understanding of each component
- five components > useful framework for identifying and evaluating controls
C | Control environment | integrity | ||
E | commitment to ethics and integrity | sets the tone of the organization | competence | |
b | board independence and oversight | participation of those charged with governance | ||
o | organization structure | mgt philosophy | ||
c | commitment to competence | organizational structure | ||
a | accountability | assignment of responsibility | ||
human resource policies | ||||
R | Risk assessment | identification by management of the risk relevant to the preparation of the FS |
||
S | specify objectives | |||
A | assess changes | |||
F | fraud | NEW | Risks are generally related to changes | |
R | risk analysis | |||
I | Information and communication | Methods used to classify and report transactions, and to communicate roles and responsibilities | initiating, authorizing, recording, processing, and reporting entity transactions, conditions and events | |
O | obtain and use information | |||
I | internal communication | communicating roles and responsibilities | ||
E | external communication | |||
M | Monitoring | Procedures established to assess the QC performance over time |
internal audit function | |
SO | ongoing and separate evaluation | regular mgt and supervisory activities | ||
D | communication of deficiencies | Ensure that IC continues to operate effectively | mailing customer statements(assess info from external parties) | |
E | Existing Control activity | policies and procedures established to ensure that mgt objectives are carried out |
||
CA | select and develop control activity | authorization segregation of duties | ||
T | select and develop technology controls | operating performance review | safeguarding of assets | |
P | deploy through policies and procedures | asset accountability |
Prenumbering of Documents
Authorization and approval of transactions
Independent checks to maintain asset accountability
Documentation
Timely and appropriate financial performance reviews
Information processing controls
Physical or logical controls for safeguarding assets and information
Segregation of duties
1. Understanding of internal control
understand the design of IC components and ascertain whether IC has been implemented (not operating effectiveness)
Procedure (risk assessment procedures: CR)
- inquiries, inspection, observation, tracing > walk-through
Documentation
- Size, complexity, nature
Auditors' understanding of control activities
audit does not require an understanding of all control activities
auditor's primary consideration should be whether, and how a control prevents, or detects and corrects, MM
Automated environment
- automated controls not always more efficient + cost-effective
- unauthorized access to data, system, programs > add IC risk
- info used in monitoring IC provided by IT, accuracy of the IT system is crucial
- effectiveness of manual user controls may depend on accuracy of info provided by IT systems
2. Assess risk of material misstatement
understanding and assessing control risk can be done concurrently
3. Test of Controls
effectiveness of the design or operation of a control
Procedure (inquiries, inspection, observation, reperformance)
* inquiry alone is not enough
* when ST is more effective than TOC, the auditor may skip TOC and perform only ST
Interim
use evidence obtained in PY > see whether changes have occurred
4. Reassess control risk
sufficient evidential matter > further reduce the assessed level of control risk
conditions to reassess control risk
- Additional test of control is efficient
- sufficient data is available
- cost of additional test of control is below the benefit
Documentation (must)
Procedure | CR at Max | CR below Max |
understanding IC | Yes | Yes |
Test of control * scope of IC testing performed | No | Yes |
assessment of CR-conclusion | Yes | Yes |
Basis for conclusion | No | Yes |
Establishing budgets and forecasts to identify variances from expectations
> mgt control, improve mgt's ability to supervise company activities