(Excerpted from the 2009 Roger CPA Review AUDIT text book)

  • Management is responsible for the establishment and maintenance of Internal controls. We want Reasonable assurance that Internal controls are achieving certain Objectives (ACE):
    • Accurate & Reliable financial reporting
    • Compliance with laws and regulations
    • Effectiveness and efficiency of operations

The mnemonic ACE will remind management that it should try to establish a strong internal control structure so as to have an ACE in the hole.

The primary interest of the outside auditor is in the first objective, accurate and reliable financial reporting which relate to the fair presentation of the financial statements being audited. The second goal, compliance with laws and regulations, is primarily relevant to compliance auditing, which may occur in connection with audits under government auditing standards. The third goal, promoting effectiveness and efficiency of operations, is of little interest to an outside auditor except in the case of rarely-performed operational audits.

The auditor should obtain an understanding of the 5 components of internal control in order to evaluate the design of relevant controls and determine whether they have been implemented, assess the risk of material misstatement and design the nature, timing and extent of further audit procedures.

Elements of internal control: (CRIME)

  • Control activities
    • Policies and procedures that help ensure that management directives are carried out.
      • Performance reviews actual vs. budget, P/Y, financial to non-financial
      • Information processing (IT) General vs. Application controls
      • Physical controls Access to assets
      • Segregation of duties includes assigning different people the responsibilities of authorizing transactions, recording transactions, maintaining custody of assets, and performing comparisons. It is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or irregularities in the normal course of their duties.
        • Authorization of transactions
        • Recording (posting) of transactions
        • Custody of assets
        • Comparisons

  • Risk assessment
    • An entity's risk assessment for financial reporting purposes is its identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with GAAP. Risk assessment includes risks that may affect an entity's ability to properly record, process, summarize, and report financial data. Risk assessment, for example, may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements.

      Risks relevant to financial reporting include external and internal factors such as the following:

      • Changes in operating environment
      • New personnel
      • New or revamped information systems
      • Rapid growth
      • New technology
      • New lines of business, products or activities
      • Corporate restructurings
      • Foreign operations
      • Accounting pronouncements
  • Information and communication
    • Refers to the I.D, retention, and transfer of information in a timely manner allowing personnel to perform their responsibilities.
      • Info system consists of the methods and records used to record, process, summarize and report Co.'s transactions and to maintain accountability for the related accounts
      • Communication involves establishing individual duties and responsibilities relating to internal control and making them known to involved personnel.

  • Monitoring
    • An important management responsibility is to establish and maintain internal control. Management monitors controls to consider whether they are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring is a process that assesses the quality of internal control performance over time.

  • Control Environment (CHOPPER)

    The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the following:

    • Commitment to competence - Effective control requires a sincere interest on the part of the employees in performing good work.
    • Human resource policies & practices - A company can minimize the control difficulties created by new employees by sound hiring and training policies for employees.
    • Organizational structure - A company that operates all over the world has different internal control problems than one operating entirely within a single building.
    • Participation of those charged with Governance - An audit committee of the board of directors that actively monitors the internal audit function produces a more attentive management on such matters.
    • Philosophy of management & operating style - The belief (or lack of it) in the importance of internal control by management will affect the seriousness with which is taken by the rest of the employees. This is especially the case when decision-making in the company is dominated by a single individual.
    • Ethical values & Integrity - Honest employees will be less likely to cause internal control difficulties related to fraud and improve the opportunity for those resulting from errors to be effectively detected.
    • Responsibility assignment - The manner in which authority, responsibility and accountability is assigned to different employees determines the controls that will be needed. Again, the domination of decision-making by a single individual holds significance, since such power makes it extremely difficult for internal control to be trusted.

The mnemonic CRIME reminds management that it would be a crime not to consider all of the internal control elements when designing the system.

For more great information on the CPA Exam, presented using Roger's RealResults method, visit our website and request a FREE one hour long demo of our course today!