Explain The Meaning Of Internal Controls For An Exam

Explain The Meaning Of The Term Internal Controls Give An Example

Explain the meaning of the term internal controls. Give an example of an internal control. Explain the control objectives that internal controls achieve. Describe the types of internal controls. Discuss the internal control regulatory environment – which laws or organizations require that companies maintain a system of internal controls. Explain COBIT and COSO. What are the similarities and differences between the two frameworks? Explain the following COSO framework components: a. internal environment b. objective setting c. event identification d. risk assessment e. risk response f. control activities g. information and communication h. monitoring. Auditors assess control risk in a two-stage process. First, they assess the strength of the design of the firm’s control system. The first step in evaluating the design of the auditee’s control system is identifying the specific threats that would prevent the information system from operating reliably and securely. Explain firm-level threats. Explain transaction-level threats. Auditors document their control risk assessments with narratives, flowcharts and checklists. Explain and give an example of narratives, flowcharts and checklists. Explain what an audit program is. How is it used before, during and after the audit? Find an example of an audit program online, cite the website, and discuss the key features you found in the audit program.

Paper for the above instruction

Internal controls are systematic measures implemented by an organization to safeguard its assets, ensure the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed policies and regulations. These controls serve as a barrier against fraud, errors, and misstatements that could compromise organizational integrity and financial reporting. An example of an internal control is the segregation of duties, where responsibilities for authorizing transactions, recording them, and handling the related assets are assigned to different individuals. This reduces the risk of fraud and errors, as no single employee has control over all aspects of a transaction.

The primary objectives of internal controls are reliable financial reporting, compliance with applicable laws and regulations, effective and efficient operations, and safeguarding of assets. Within these objectives, controls are built to ensure that recorded transactions are valid (authorized and genuine), complete (nothing omitted), accurate (correct amounts and accounts) and timely. Internal controls are commonly classified by timing: preventive controls deter undesired events before they occur (approval limits, access restrictions, segregation of duties), detective controls identify errors or irregularities after they occur (reconciliations, exception reports, physical counts), and corrective controls remediate what detective controls find (reversing entries, restoring from backup). They are also classified by scope: general controls (user access management, change management, backup and recovery) apply across an organization's systems, while application controls (input validation, approval limits, matching of invoices to purchase orders) apply to the processing of specific transactions.

The regulatory environment for internal controls varies across jurisdictions but is typically set by statute and by standard-setting bodies. In the United States, the Foreign Corrupt Practices Act of 1977 first required publicly held companies to maintain a system of internal accounting controls. The Sarbanes-Oxley Act (SOX) of 2002 strengthened this: Section 302 requires senior officers to certify the financial statements and the disclosure controls behind them, and Section 404 requires management to assess and report on internal control over financial reporting (ICFR) and, for larger issuers, requires the external auditor to attest to that assessment. The Public Company Accounting Oversight Board (PCAOB), created by SOX, oversees the auditors of public companies and issues the auditing standards they must follow, including Auditing Standard No. 5 (now AS 2201) on audits of ICFR. The Securities and Exchange Commission (SEC) enforces the statute. Internationally, ISO standards such as ISO 31000 (risk management) and ISO/IEC 27001 (information security management), together with national corporate governance codes, likewise treat a functioning system of internal control as a basic element of corporate governance.

The Control Objectives for Information and Related Technologies (COBIT), published by ISACA, and the frameworks of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are two prominent frameworks used to design, implement and evaluate internal controls. COBIT addresses the governance and management of enterprise IT: it defines IT processes, management practices and control objectives, and the metrics to measure them, so that IT activity can be aligned with business goals and assessed by auditors. COSO's Internal Control — Integrated Framework (issued 1992, revised 2013) is a general-purpose internal control framework applicable to every activity of an organization, and its companion Enterprise Risk Management — Integrated Framework (2004) extends it to entity-wide risk management.

Both frameworks aim to strengthen an organization's control system but differ in scope and focus. The COSO Internal Control — Integrated Framework defines five components: control environment, risk assessment, control activities, information and communication, and monitoring activities, supported in the 2013 revision by 17 principles. COSO's ERM framework expands these to eight components (listed below). COBIT is organized around IT governance and management processes with their control objectives, and is usually applied together with COSO: COSO states what an effective control system must achieve across the enterprise, while COBIT supplies the IT-specific processes and controls through which the IT portion of those requirements is met and audited. The key similarity is that both are used to establish and evaluate an effective control environment; the key difference is that COSO is general to all organizational activity, whereas COBIT specializes in IT.

The eight components of the COSO ERM framework (the five internal control components plus objective setting, event identification and risk response, with the control environment broadened into the internal environment) are:

  • Internal Environment: The organizational culture, integrity and ethical values, management's philosophy and operating style, and the board's oversight, which together set the tone for control consciousness and define the organization's risk appetite.
  • Objective Setting: Defining strategic, operational, reporting and compliance objectives aligned with the organization's mission, so that the events that threaten them can be identified.
  • Event Identification: Identifying internal and external events that could affect achievement of those objectives, distinguishing risks (events with negative impact) from opportunities.
  • Risk Assessment: Analyzing identified risks in terms of likelihood and impact, both before (inherent risk) and after (residual risk) taking existing controls into account.
  • Risk Response: Selecting how each risk will be treated: avoided, reduced through controls, shared (for example through insurance or outsourcing), or accepted, consistent with the organization's risk appetite.
  • Control Activities: The policies and procedures (approvals, authorizations, verifications, reconciliations, segregation of duties, access restrictions) that ensure the chosen risk responses are carried out.
  • Information and Communication: Capturing and communicating relevant, timely information so that people can carry out their control responsibilities, including reporting upward to management and the board.
  • Monitoring: Ongoing supervision and separate evaluations (such as internal audits) that assess whether the controls remain effective, with deficiencies reported to those able to correct them.

Control risk is the risk that a material misstatement will not be prevented, or detected and corrected on a timely basis, by the entity's internal control. Auditors assess it in two stages. In the first stage they evaluate the design of the control system: whether the controls, if they operated as described, would be capable of preventing or detecting material misstatements. Only controls judged well designed proceed to the second stage, in which the auditor tests whether they actually operated as designed throughout the period (operating effectiveness), for example by inspecting a sample of approvals or re-performing a reconciliation. The first step in evaluating design is to identify the specific threats that could prevent the information system from operating reliably and securely, at both the firm level and the transaction level, and then to map each threat to the control that is supposed to address it.

Firm-level (entity-level) threats are pervasive risks that affect the entire organization and every process within it: weak tone at the top, management override of controls, an inadequate or poorly trained workforce, outdated policies, and weak IT general controls such as unmanaged system access, uncontrolled program changes or missing backups. Because they are pervasive, a firm-level weakness undermines the reliability of transaction-level controls that depend on it. Transaction-level threats are specific to an individual business process or transaction type: a transaction that is invalid or unauthorized (a fictitious vendor, a payment approved by the person who requested it), inaccurate (wrong amount, wrong account, a data-entry error), incomplete (a shipment never billed), duplicated (the same invoice paid twice), or recorded in the wrong period. Each transaction-level threat corresponds to the validity, accuracy, completeness or timeliness objective it violates, and the auditor looks for a control that addresses it.

Auditors document their understanding of the control system, and their control risk assessment, with narratives, flowcharts and checklists (internal control questionnaires). A narrative is a written, step-by-step description of a process that names who performs each step, what documents and systems are involved, and where the controls sit. For example, a narrative for cash disbursements would describe the process from purchase requisition through purchase order, receipt of goods, invoice matching and payment, noting that the accounts payable clerk who prepares the payment cannot approve it, that approval limits depend on the approver's position, and that the bank account is reconciled monthly by someone outside accounts payable. A flowchart depicts the same process graphically: each department or system is a column, documents and records are symbols, and decision points such as "invoice matches PO and receiving report?" show where a control is applied and what happens when it fails. A checklist or questionnaire lists specific control points to be verified, typically as yes/no questions, for example "Are cheques signed only after the supporting invoice, purchase order and receiving report have been matched?" or "Is the bank reconciliation prepared by someone independent of cash handling and recording?"; a "no" answer flags a potential weakness for follow-up.
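Several of the controls described above, segregation of duties, approval limits, and detection of duplicate payments, can be expressed as a detective control run over a disbursements log. The following script is an added illustration and is not code from the page's sources or from any audit tool; the record format, the approval authority matrix and the sample log are all constructed here as assumptions. It applies a checklist of transaction-level controls to each disbursement and reports the exceptions an auditor would investigate.

```python
"""Detective control over a constructed cash disbursements log (added example).

Assumed record layout: document id, requester, approver, amount, vendor.
Each record is checked against:
  1. an approval must be recorded;
  2. the approver must differ from the requester (segregation of duties);
  3. the approver must be on the approval authority matrix and within their limit;
  4. the same vendor and amount must not be paid on more than one document.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical approval authority matrix: approver -> maximum amount they may approve.
APPROVAL_LIMITS = {
    "cfo": 1_000_000.00,
    "controller": 50_000.00,
    "ap_supervisor": 5_000.00,
}


@dataclass(frozen=True)
class Disbursement:
    doc_id: str
    requester: str
    approver: Optional[str]
    amount: float
    vendor: str


def check_disbursement(d: Disbursement) -> list[str]:
    """Return the control exceptions raised by one disbursement (empty list = clean)."""
    findings: list[str] = []
    if d.amount <= 0:
        findings.append("amount not positive")
    if d.approver is None:
        # Without an approver there is nothing further to test.
        findings.append("no approval recorded")
        return findings
    if d.approver == d.requester:
        findings.append("segregation of duties: requester approved own disbursement")
    limit = APPROVAL_LIMITS.get(d.approver)
    if limit is None:
        findings.append(f"approver '{d.approver}' not on approval authority matrix")
    elif d.amount > limit:
        findings.append(f"amount {d.amount:.2f} exceeds {d.approver}'s limit of {limit:.2f}")
    return findings


def detect_duplicates(records: list[Disbursement]) -> list[tuple[str, str]]:
    """Flag possible duplicate payments: same vendor and amount on more than one document."""
    first_seen: dict[tuple[str, float], str] = {}
    duplicates: list[tuple[str, str]] = []
    for d in records:
        key = (d.vendor, round(d.amount, 2))
        if key in first_seen:
            duplicates.append((first_seen[key], d.doc_id))
        else:
            first_seen[key] = d.doc_id
    return duplicates


def run_checklist(records: list[Disbursement]) -> dict[str, list[str]]:
    """Apply every check; return {doc_id: [findings]} for documents with exceptions only."""
    exceptions: dict[str, list[str]] = {}
    for d in records:
        findings = check_disbursement(d)
        if findings:
            exceptions[d.doc_id] = findings
    for first, second in detect_duplicates(records):
        exceptions.setdefault(second, []).append(f"possible duplicate of {first}")
    return exceptions


# Constructed sample log (not real data): one clean record and five with exceptions.
SAMPLE = [
    Disbursement("D-1001", "clerk_a", "ap_supervisor", 1200.00, "Acme Supplies"),
    Disbursement("D-1002", "clerk_a", None, 800.00, "Acme Supplies"),
    Disbursement("D-1003", "controller", "controller", 30000.00, "Office Leasing Co"),
    Disbursement("D-1004", "clerk_b", "ap_supervisor", 7500.00, "Freight Ltd"),
    Disbursement("D-1005", "clerk_b", "intern_c", 300.00, "Courier Inc"),
    Disbursement("D-1006", "clerk_a", "controller", 1200.00, "Acme Supplies"),
]

if __name__ == "__main__":
    for doc_id, findings in run_checklist(SAMPLE).items():
        print(doc_id, "->", "; ".join(findings))
```

Note that the segregation-of-duties test in `check_disbursement` is independent of the approval limit: D-1003 is within the controller's limit yet is still an exception because the controller approved their own request. A preventive version of the same control would be enforced in the payments system before the payment is released; this script is the detective counterpart an auditor or internal audit function would run over the period's records.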

An audit program is the detailed, written plan of the procedures the auditors will perform to meet the engagement's objectives. For each audit area it states the objective (for example, that recorded disbursements are valid and properly authorized), the procedures to be performed (inquiry, observation, inspection of documents, re-performance, analytical procedures), the sample sizes, the staff assigned, the timing, and a reference to the workpapers that will hold the evidence. Before the audit it is the planning document: it translates the risk assessment into a budget of hours and identifies the areas needing the most attention. During the audit it directs the fieldwork and acts as a checklist, with each step initialed and dated as it is completed. After the audit it is the record of what was done, supporting the conclusions reached and allowing a reviewer or regulator to reconstruct the work. The Institute of Internal Auditors (https://www.theiia.org/) publishes practice guides that include sample audit programs. A typical program from such a source is organized by audit objective, lists the risk each objective addresses, sets out step-by-step test procedures with sample selection criteria, and provides columns for the preparer's sign-off, the date completed and the workpaper reference; its key features are therefore traceability from risk to procedure to evidence, completeness of coverage, and adaptability of the steps to the scope of a particular engagement.

References

  • COSO. (2013). Internal Control — Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission.
  • ISACA. (2012). COBIT 5: Enabling Governance and Management of Enterprise IT. Information Systems Audit and Control Association.
  • Sarbanes-Oxley Act of 2002, Pub.L. 107–204, 116 Stat. 745.
  • Public Company Accounting Oversight Board (PCAOB). (2014). Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting.
  • International Organization for Standardization (ISO). (2018). ISO 31000:2018 — Risk Management.
  • Harris, S. (2015). Internal controls: A practical guide. Wiley.
  • Glover, S. M., Prawitt, D., & Wood, D. (2017). Internal Control over Financial Reporting. Journal of Accounting and Public Policy, 36(6), 534–569.
  • Kolo, A. S., & Abdullahi, M. (2020). Evaluation of COSO Framework in Nigeria. International Journal of Business and Management Review, 8(6), 101-111.
  • Al-Tamimi, H. A., & Al-Mazrooei, F. M. (2007). Banks' risk management: The case of Oman. International Review of Business Research Papers, 3(4), Forthcoming.
  • Institute of Internal Auditors. (2021). Practice Advisories and Practice Guides. Retrieved from https://www.theiia.org/