Importance of internal control to the external audit

Importance of Internal Control Over Financial Reporting
Internal control helps an organization mitigate the risks of not achieving its objectives. Examples of objectives include achieving profitability, ensuring efficiency of operations, manufacturing high-quality products or providing high-quality service, adhering to governmental and regulatory requirements, providing users with reliable financial information, and conducting operations and employee relations in a socially responsible manner. While an organization has these multiple objectives, the external auditor is most interested in the objective of reliable financial reporting. Organizations face many risks of not achieving reliable financial reporting. For example, a salesperson may overstate sales to improve the likelihood of receiving a bonus. Employees in the receiving area may be too busy to accurately record inventory when it is received. Management may misapply judgment and overvalue intangible assets. Management needs to identify the risks to their organization of not achieving reliable financial reporting. Once these risks to reliable financial reporting are identified, management implements controls to provide reasonable assurance that material misstatements do not occur in the financial statements.
Internal control over financial reporting provides many benefits to organizations, including providing confidence regarding the reliability of their financial information and helping reduce unpleasant surprises. Effective internal control improves the quality of information, thereby allowing for more informed decisions by internal and external users of the financial information. The Auditing in Practice feature “Control Deficiencies and Poor Decisions at Reliable Insurance Co.” illustrates how poor internal controls can result in poor decision making.

Importance of Internal Control to the External Audit
Professional auditing standards require the auditor, as part of planning an audit, to identify and assess a client’s risks of material misstatement, whether organization and its environment, including its internal control over financial reporting. The auditor needs to understand a company’s internal controls in order to anticipate the types of material misstatements that may occur and then develop appropriate audit procedures to determine whether those misstatements exist in the financial statements. If a client has ineffective internal controls, the auditor will plan the audit with this in mind. For example, if an auditor notes that a client does not have effective controls to provide reasonable assurance that all sales are recorded in the correct time period, then the auditor needs to develop sufficient and appropriate audit  procedures to test whether sales and receivables are materially misstated because of the absence of effective controls.
Auditors of large public companies have an additional interest in their client’s internal controls. When conducting a financial statement audit for these companies, the auditor performs an integrated audit, which includes providing an opinion on the effectiveness of the client’s internal control over financial reporting in addition to the opinion on the financial statements.

Defining Internal Control
Just as a U.S. company might refer to generally accepted accounting principles (GAAP) as a framework for determining whether its financial statements are fairly presented, companies need to refer to a framework of internal control when assessing the effectiveness of internal control over financial reporting. The most widely used framework in the United States is the Internal Control– Integrated Framework published by COSO (Committee of Sponsoring Organizations of the Treadway Commission). The sponsoring organizations first came together in the 1980s to address the increasing fraudulent financial reporting that was occurring at that time.

COSO released the original
COSO’s updated Internal Control–Integrated Framework in 1992. The framework gained widespread acceptance following the financial failures of the early 2000s. In 2013 COSO updated, enhanced, and clarified the framework. Today, Internal Control–Integrated Framework (often referred to simply as “COSO”) is the most widely used internal control framework in the United States, and is also used throughout the world. COSO defines internal control as:

a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. 
Important elements of the definition recognize that internal control is:
  •  A process consisting of ongoing tasks and activities.
  • Effected by people and is not just about policy manuals, systems, and forms. People at every level of the organization, ranging from shipping clerks to the internal auditor to the chief financial officer (CFO), chief executive officer (CEO), and the board of directors, impact internal control.
  •  Able to provide reasonable assurance, but not absolute assurance, regarding the achievement of objectives. Limitations of internal control preclude absolute assurance. These limitations include faulty human judgment, breakdowns because of mistakes, circumventing controls by collusion of multiple people, and management ability to override controls
  •  Geared toward the achievement of multiple objectives. The definition highlights that internal control provides reasonable assurance 

regarding three categories of objectives. However, the external auditor is primarily interested in the objective related to the reliability of financial reporting. COSO identifies five components of internal control that support an organization in achieving its objectives. These components of the COSO’s updated Internal Control–Integrated Framework are shown in Exhibit 3.1, which highlights that internal control starts with setting the organization’s financial reporting objectives, that is, to produce financial statements that are free from material misstatement. The five components include:

1. Risk Assessment involves the process for identifying and assessing the risks that may affect an organization from achieving its objectives. Risk assessment needs to be conducted before an organization can determine the other necessary controls.

2. Control Environment is the set of standards, processes and structures that provides the basis for carrying out internal control across the organization. It includes the tone at the top regarding the importance of internal control and the expected standards of conduct. The control environment has a pervasive impact on the overall system of internal control.

3. Control Activities are the actions that have been established by policies and procedures. They help ensure that management’s directives regarding internal control are carried out. Control activities occur at all levels within the organization.

4. Information and Communication recognizes that information is necessary for an organization to carry out its internal control responsibilities. Information can come from internal and external sources. Communication is the process of providing, sharing, and obtaining necessary information. Information and communication help all relevant parties understand internal control responsibilities and how internal controls are related to achieving objectives.

5. Monitoring is necessary to determine whether the controls, including all five components, are present and continuing to function effectively.

Effective internal control requires that all five components be implemented and operate effectively. Specifically, the controls need to (1) be effectively designed and implemented, and (2) operate effectively; that is, procedures are consistent with the design of the controls. These considerations are necessary for internal control to achieve the intended benefits.
SHARE

.

  • Image
  • Image
  • Image
  • Image
  • Image
    Blogger Comment
    Facebook Comment

0 comments:

Post a Comment