
Internal control audit

Anonim

I. Internal control

In terms of internal control, the COSO Report (Committee of Sponsoring Organizations of the Treadway Commission) was issued in 1992. It is so named because the work was commissioned by the American Institute of Public Accountants, the American Accounting Association, the Institute of Internal Auditors, the Institute of Administration and Accounting and the Institute of Financial Executives.

The document "Internal Control Integrated", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), defines internal control, describes its components and provides a criterion against which information systems can be evaluated. The document also provides a guide for informing the public about internal control, and materials that managers, auditors, and others can use to evaluate an internal control system.

Definition

It is a process designed to provide reasonable certainty regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.

• Reliability of the financial information.

• Compliance with applicable laws and regulations.

This definition brings the concept of internal control closer to the way managers and senior executives view the business; in fact, they often speak in terms of control and of being, or living, "in control".

Process

Processes are conducted within or across individual organizational units or functions, and are managed through the basic processes of planning, execution, and managerial oversight.

The internal control system is interwoven with the operating activities of an entity, and exists for fundamental business reasons. Internal controls are most effective when they are built into the entity's infrastructure and are part of the essence of the company. They should be built in rather than built on.

Building controls in can directly affect an entity's ability to achieve its goals, and supports its quality initiatives. Quality initiatives become part of a company's manufacturing operation. Internal control is not only integrated with quality programs; it is usually critical to their results.

Building controls in also has implications for costs and response times.

All companies face highly competitive markets and the need to contain costs. Focusing existing operations towards effective internal control.

People

Internal control is effected in an entity by the board of directors and managers, and is carried out by the people of the organization.

Internal control recognizes that each individual brings to the workplace a unique background and technical ability or aptitude, and has different needs and priorities.

People have to know their responsibilities and limits of authority. Therefore, there needs to be a clear and close articulation between the duties of the people and the way in which they are fulfilling them.

Reasonable assurance

No matter how well designed and operated internal control is, it can only provide reasonable assurance to management and the board of directors regarding the achievement of the entity's objectives. The probability of achievement is affected by limitations inherent in all internal control systems. These include the fact that those responsible for establishing controls need to consider their relative costs and benefits, and that breakdowns can occur because of human failures such as simple errors or mistakes.

Controls can be circumvented by the collusion of two or more people. Finally, management has the ability to override the internal control system.

Objectives

Every entity sets out a mission, establishing the objectives it wants to achieve and the strategies for achieving them. Although many objectives are specific to a particular entity, some are widely shared. For this study, the objectives fall into three categories:

• Operations: Relating to the effective and efficient use of the entity's resources.

• Financial Information: Preparation and disclosure of financial statements.

• Compliance: Relating to the entity's compliance with laws and regulations.

An internal control system can be expected to provide reasonable assurance of achieving the objectives relating to the reliability of financial information and compliance with laws and regulations. The achievement of these objectives, which are largely based on guidelines imposed by external parties, depends on how the control activities within the entity are carried out.

The achievement of operating objectives is not always within the control of the entity. Internal control cannot prevent bad judgments or decisions, or external events that may cause a business to fail in carrying out its purposes.

Components:

a) Control Environment.

The control environment sets the tone of an organization, influencing people's awareness of control and providing discipline and structure. It comprises:

• Communication and enforcement of integrity and ethical values: The effectiveness of controls cannot rise above the integrity and ethical values of the people who design, administer, supervise and monitor them; these values are essential elements that influence the other components. They are a product of the entity's ethical and behavioral standards, the way those standards are communicated, and the way compliance is enforced in practice.

• Commitment to competence: Competence is the knowledge and skills necessary to perform the individual's tasks and/or work.

• Participation of those charged with governance: Control consciousness is influenced by those charged with governance, the extent of their participation in and scrutiny of activities, the information they receive, and their interaction with the auditors.

• Management philosophy and operating style: These comprise a wide range of characteristics, attitudes, and actions toward financial reporting and toward information processing and accounting functions and staff.

• Organizational structure: Provides the conceptual structure within which the entity's activities are planned, executed, controlled, and reviewed to achieve its broad objectives. It takes into account key areas of authority and responsibility and appropriate lines of reporting.

• Assignment of authority and responsibility: This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It includes policies related to appropriate business practices, knowledge and experience of key personnel, and resources provided to carry out obligations.

• Human resources policies and practices: They are related to hiring, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions.

b) Risk assessment process in the entity.

This is the process for identifying and responding to business risks, and the results derived from it. It includes the way in which management identifies the risks relevant to preparing financial statements that are fairly presented, in all important respects, in accordance with the policies and procedures used for accounting and financial reporting; estimates their importance; evaluates the probability of their occurrence; and decides on the consequent actions to manage them.

Relevant risks for financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with management's assertions contained in the financial statements.

Risks may arise or change due to circumstances such as the following:

• Changes in the operating environment.

• New staff.

• New or modernized information systems.

• Rapid growth.

• New technology.

• New business model, products, or activities.

• Corporate restructuring.

• Expanded foreign operations.

• New accounting pronouncements.

c) Information and communication systems.

An information system consists of infrastructure, software, people, procedures, and data.

The information system relevant to financial reporting objectives consists of the procedures and records established to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets, liabilities, and net equity. Transactions can be initiated manually or automatically using programmed procedures.

Processing includes functions such as editing and validation, calculation, measurement, valuation, summary, and reconciliation, whether performed by automated or manual procedures. Accordingly, an information system comprises methods and records that:

• Identify and record all valid transactions.

• Measure the value of transactions in a way that allows their proper monetary value to be recorded in the financial statements.

• Determine the period in which the transactions occurred.

• Properly present the transactions and related disclosures.

d) Control Procedures.

These are the policies and procedures that help ensure that management directives are carried out. They have various objectives and are applied at different organizational levels. Those generally relevant to an audit can be categorized as policies and procedures that relate to the following:

• Performance reviews: These include reviews of performance against budgets, forecasts, and the prior period; relating different data sets (operational or financial) to one another; and the associated investigative and corrective actions.

• Information processing: Procedures developed to verify the accuracy, integrity, and authorization of transactions. The two broadest groupings of information systems control procedures are "application controls" (which apply to the processing of individual applications and help ensure that transactions occurred, are authorized, and are fully and accurately recorded and processed) and "general controls" (which include controls over data centers and network operations; acquisition and maintenance of system software; access security; and acquisition, development, and maintenance of the application system).

• Physical controls: These comprise the physical security of assets, including adequate safeguards such as secured facilities, secure access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparisons with the quantities shown in the control records.

• Segregation of duties: Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities for any one person to be in a position to both commit and conceal errors or fraud in the normal course of that person's duties.

e) Supervision and monitoring of controls.

It is a process to assess the quality of internal control performance over time. It involves evaluating the design and operation of controls on a timely basis and taking necessary corrective actions. It is done to ensure that the controls continue to operate effectively.

In many entities, internal auditors or personnel performing similar functions contribute to the oversight and monitoring of an entity's controls through separate evaluations. They provide information on the operation of internal control, paying considerable attention to the evaluation of the design and operation of internal control. They communicate information on strengths and weaknesses and offer recommendations to improve internal control.

II. Internal control audit

1. Definition:

It is the evaluation of integrated internal control in order to determine its quality, the level of confidence that can be placed in it, and whether it is effective and efficient in meeting its objectives. This evaluation has the scope necessary to express an opinion on internal control and is therefore not limited to determining the degree of confidence that can be placed in it for other purposes.

In an internal control audit carried out with the aim of issuing an opinion on it, a methodology should be used that covers the following:

• Planning.

• Testing of Controls

• Communication of results.

2. Planning:

The planning stage of the internal control audit consists of obtaining an understanding of the entity's business, its environment and the components of internal control.

The audit procedures aimed at obtaining such an understanding are known as "risk assessment procedures", since some of the information obtained by performing them may be used by the auditor as audit evidence.

To obtain an understanding of the entity, its environment, and the internal control components, the auditor should perform the following risk assessment procedures:

• Inquiries of management and others within the entity.

• Analytical procedures.

• Observation and inspection.

• Other audit procedures that are appropriate.

The understanding of the entity and its environment includes knowledge of:

Internal control

The auditor should perform risk assessment procedures to obtain an understanding of the components of internal control, in order to identify the types of potential misstatements, consider the factors that affect the risks of material misstatement, and design the nature, timing, and extent of additional audit procedures.

Evaluating the design of a control includes considering whether the control is capable of effectively preventing, or detecting and correcting, significant misstatements.

Obtaining audit evidence about the design and implementation of relevant controls may involve making inquiries of the entity's personnel, observing the application of specific controls, inspecting documents and reports, and tracing transactions through the information system relevant to financial reporting.

a) Controls relevant to the audit.

An entity's objectives, and the controls it implements to provide reasonable assurance of their achievement, relate to financial reporting, operations, and compliance in each of the entity's operating units and business processes.

b) Effect of information technology on internal control.

The use of information technology may affect any of the five internal control components relevant to achieving the objectives of financial reporting, operations, or compliance of the entity and its units of operation or business process.

The use of information technology also affects how transactions are initiated, recorded, processed, and reported. In a manual system, an entity uses manual procedures and records in paper format.

Controls in such a system are also manual and may include procedures such as approval and review of activities, and reconciliations and follow-up of reconciling items.

Information technology provides potential benefits of effectiveness and efficiency for the internal control of an entity since it allows it to:

• Apply predefined business rules and develop complex calculations in the processing of large volumes of transactions or data.

• Enhance the timeliness, availability and accuracy of information.

• Reduce the risk that controls will be circumvented.

Information technology also generates specific risks for an entity's internal control, including:

• Reliance on systems or programs that are inaccurately processing data, are processing inaccurate data, or both.

• Unauthorized changes to the data in the master files.

• Unauthorized changes to systems or programs.

c) Internal control limitations.

Internal control, no matter how well designed and operated, can provide an entity with only reasonable assurance about achieving the entity's objectives.

The probability of achievement is affected by limitations inherent in internal control. Those limitations include the realities that human judgment in decision-making may be imperfect and that breakdowns in internal control may occur due to human failure, such as simple mistakes or errors.

3. Testing of controls:

In tests of controls supporting internal control auditing, it should be clear that the auditor must identify the procedures applicable in the circumstances to form an opinion on internal control and design his work program to carry out the necessary tests.

The auditor should develop tests of controls to obtain sufficient and appropriate audit evidence that the controls were operating effectively during the period under audit.

When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence that the controls operate effectively. This includes obtaining audit evidence about how the controls were applied during the period under audit, the consistency with which they were applied, and by whom and by what means they were applied.

a) Nature of tests of controls.

The auditor selects the audit procedures to obtain assurance about the operating effectiveness of controls. A single inquiry will not provide sufficient and appropriate audit evidence to prove the operating effectiveness of controls. Tests of the operating effectiveness of controls ordinarily include the procedures used to evaluate the design of controls and to determine whether they have been implemented, as well as the auditor's re-performance of the application of the control.

The nature of a particular control influences the type of audit procedure that is required to obtain audit evidence about whether the control was effectively operating during the period under audit. For some controls, the effectiveness of the operation is evidenced by documentation.

b) Timing of tests of controls.

The timing of tests of controls depends on the auditor's objective and determines the period of reliance on those controls. If the auditor tests the controls at a particular time, the auditor only obtains audit evidence that the controls operated effectively at that time. However, if the auditor tests the controls throughout the period, the auditor obtains audit evidence about the operating effectiveness of the controls during the period.

If the auditor requires audit evidence regarding the effectiveness of a control over a period of time, audit evidence that relates only to one point in time may not be sufficient, and the auditor supplements those tests with other tests of controls that are capable of providing audit evidence that the control operated effectively at the relevant times during the period under audit.

When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor must determine what additional audit evidence should be obtained for the remainder of the period.

Additional audit evidence can be obtained by extending the tests of the operating effectiveness of controls over the remainder of the period, by considering the entity's supervision and monitoring of controls, or by performing substantive procedures.

If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in prior periods, the auditor should obtain audit evidence about whether changes have occurred in those specific controls subsequent to the previous audit.

If the auditor plans to rely on controls that have changed since they were last tested, the auditor must test the operating effectiveness of such controls in the current audit.

If the auditor plans to rely on controls that have not changed since they were last tested, the auditor must test the operating effectiveness of such controls at least every third audit.

Where there are a number of controls for which the auditor determines that it is appropriate to use the audit evidence obtained in previous audits, the auditor should test the operating effectiveness of some controls in each audit.

The purpose of this requirement is to avoid the possibility that the auditor applies the approach of testing at least every third audit to all the controls on which the auditor intends to rely, but tests all of those controls in a single audit period, with no tests of controls in the two subsequent audit periods.

In addition to providing audit evidence about the operating effectiveness of the controls being tested in the current audit, performing such tests provides collateral evidence about the continued effectiveness of the control environment and therefore contributes to the decision about whether it is appropriate to rely on audit evidence obtained in previous audits.

c) Extent of tests of controls.

The more the auditor relies on the operating effectiveness of controls in assessing risk, the greater the extent of the tests of controls that the auditor performs (because the substantive tests will be reduced). Furthermore, as the rate of deviation for a particular attribute increases, the auditor increases the extent of testing of controls.

However, given the inherent consistency of information technology processing, the auditor may not need to increase the extent of testing of an information technology control. A programmed application control should work consistently unless the program is changed.

Once the auditor determines that an automated control is operating as intended, the auditor considers developing tests to determine that the control continues to function effectively.

Such tests may include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for transaction processing, and that other relevant general controls are effective. Such tests may also include determining that no changes have been made to the program, as may be the case when the entity uses packaged software applications without modifying or maintaining them.
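One way to perform the tests just described for an automated control, as an added example that is not part of the original article: it reconstructs which program build was in production throughout the audit period and flags any interval not covered by an approved change. The record layouts, the `CR-` ticket ids and all sample data are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


def digest(content: bytes) -> str:
    """SHA-256 of a program build, as recorded at approval and at deployment."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str        # change-request id (hypothetical naming)
    sha256: str        # hash of the build that was approved
    approved_on: date


@dataclass(frozen=True)
class Deployment:
    deployed_on: date
    sha256: str        # hash of the build put into production


def evaluate_change_control(approved, deployments, period_start, period_end):
    """Flag intervals of the audit period in which production ran an unauthorized build."""
    first_approval = {}
    for change in approved:
        known = first_approval.get(change.sha256)
        if known is None or change.approved_on < known:
            first_approval[change.sha256] = change.approved_on

    ordered = sorted(deployments, key=lambda d: d.deployed_on)
    findings, versions_run = [], set()

    # Edge case: nothing shows what was in production when the period began.
    if not ordered or ordered[0].deployed_on > period_start:
        gap_end = min(ordered[0].deployed_on, period_end) if ordered else period_end
        findings.append((period_start, gap_end, None, "no deployment evidence"))

    for i, dep in enumerate(ordered):
        replaced_on = ordered[i + 1].deployed_on if i + 1 < len(ordered) else None
        if dep.deployed_on > period_end:
            continue   # deployed after the period ended
        if replaced_on is not None and replaced_on <= period_start:
            continue   # replaced before the period began
        start = max(dep.deployed_on, period_start)
        end = period_end if replaced_on is None else min(replaced_on, period_end)
        versions_run.add(dep.sha256)
        approved_on = first_approval.get(dep.sha256)
        if approved_on is None:
            findings.append((start, end, dep.sha256, "no approved change for this version"))
        elif approved_on > dep.deployed_on:
            findings.append((start, end, dep.sha256, "deployed before approval"))

    # "unchanged" covers packaged software that is never modified.
    return {"findings": findings,
            "unchanged": len(versions_run) == 1 and not findings}


# Constructed sample data: builds, change approvals and a deployment log.
V1, V2, V3 = (digest(b"payroll-calc build %d (constructed)" % n) for n in (1, 2, 3))
HOTFIX = digest(b"payroll-calc untracked hotfix (constructed)")
APPROVED = [
    ApprovedChange("CR-101", V1, date(2023, 11, 20)),
    ApprovedChange("CR-102", V2, date(2024, 5, 10)),
    ApprovedChange("CR-103", V3, date(2024, 11, 20)),
]
DEPLOYED = [
    Deployment(date(2023, 12, 1), V1),
    Deployment(date(2024, 5, 15), V2),
    Deployment(date(2024, 8, 3), HOTFIX),   # never went through change control
    Deployment(date(2024, 8, 5), V2),
    Deployment(date(2024, 11, 12), V3),     # in production before it was approved
]
RESULT = evaluate_change_control(APPROVED, DEPLOYED, date(2024, 1, 1), date(2024, 12, 31))

if __name__ == "__main__":
    for start, end, sha, reason in RESULT["findings"]:
        print(start, end, (sha or "-")[:12], reason)
```

The test is only as good as the independence of its inputs: the deployment hashes should come from a source the people making program changes cannot alter.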

d) Approach to tests of controls.

An effective approach to testing controls in engagements that require reporting or commenting on internal control, as is the case with comprehensive auditing, is that of audit cycles. Conducting the audit through a more analytical and in-depth review of internal control requires that the transactions characteristic of each business be grouped in an orderly manner. Studying this concept requires, as a fundamental basis, that such transactions be defined, along with how they can be grouped.

Although companies have different kinds of transactions according to their characteristics, for practical purposes they can be organized according to their normal development and present themselves in the following typical cycles generally applicable to most businesses:

- Income Cycle: Sale of goods and services to third parties.

- Purchase Cycle: Acquisition of capital assets, labor, important services in exchange for cash.

- Payroll or Personnel Cycle: Expenditures and transactions of Human Resources (HR).

- Treasury Cycle: Management of company funds; it begins with the recognition of income, includes the distribution of cash in current operations and other uses, and ends with its return to investors and creditors.

- Production Cycle: Transformation of the assets acquired into goods and services for sale.

- Financial Information Cycle: Preparation of financial statements that summarize the result of the business activities at a date or for a determined period.

Each cycle comprises one or more functions, which are tasks or segments of a system that logically processes transactions. Certain accounting entries, documents and files are used in each cycle. The functions, accounting entries and typical documents of the cycles described are listed below, which may vary according to the type of company.

The analysis of the cycles for the evaluation of internal control included below is a summary prepared from the cycles included in the IMCP Auditing Standards and Procedures.

Income Cycle:

Purchase Cycle:

Payroll Cycle:

Treasury Cycle:

Financial Information Cycle:

Production Cycle:

Databases:

4. Communication of results:

a) Opinion or opinion on internal control.

The auditor shall communicate the audit matters arising from the internal control audit to those in charge of the entity's management.

The auditor shall promptly communicate the audit matters of interest to the administration; this makes it possible to take appropriate actions.

The auditor shall report to management any significant weakness in internal control that has come to the auditor's attention as a result of carrying out the audit.

When the auditor has identified significant weaknesses in internal control, the auditor must communicate to management the significant weaknesses found. Due to the serious implications of important weaknesses in internal control, it is equally important that such deficiencies are brought to the attention of those in charge of management.

The main objective of the report is to induce the examined entity to adopt the necessary measures to correct deficiencies and strengthen internal control.

Communication of test results of controls should be done in a timely manner. Communications should include the objectives and scope of the work as well as the corresponding conclusions and recommendations.

It is recommended to communicate the results at the conclusion of the test of a cycle if the revision by cycles is adopted. Otherwise make communications as important tests on controls are developed.

When instances of non-compliance are discovered in the course of the work, the communication of the results must set out:

• The standard or rule that was breached.

• The reasons for non-compliance.

• The impact of non-compliance on controls and on the final report of the comprehensive audit, if any.

b) Opinion or opinion on internal control.

If the auditor undertakes to present an independent opinion on internal control, he must present it in accordance with the elements of the report indicated in ISA 100 "Assurance Services".
