companion with the independent auditor's report on an SEC-listed company's financial statements, SOX requires the external auditor to provide an opinion on the adequacy and the effectiveness of the company's internal control over financial reporting (ICoFR). However, it is principally management, not the auditor, that has ultimate responsibility for assessing the adequacy and effectiveness of internal controls.
Basically, the assessment of internal control consists of two aspects:
- The adequacy of the design of internal control.
Internal control is designed to provide reasonable assurance of the achievement of objectives by mitigating significant general and specific risks. Or, in a financial audit engagement, internal control is designed to prevent or detect material misstatement in the financial statements.
- The operating effectiveness of controls.
Whether controls are operating as designed, and whether the person performing the control possesses the necessary authority and qualifications.
We will discuss how to assess the adequacy and the effectiveness of internal control in a simple way (a simple practice guide) in our next postings, labeled control and risk. Just keep visiting our blog.
The determination of the adequacy and the effectiveness of internal control is based on the identification of control deficiencies and the magnitude of their effect on the achievement of the organization's objectives.
Internal Control Deficiencies Examples
Control Deficiency definition:
"A shortcoming in some aspects (principle, attribute, components) of the system of internal control, and no compensating controls, and has the potential to adversely affect the ability of the entity to achieve its objectives."
When a deficiency exists, management needs to assess the impact of the deficiency on the effectiveness of internal control. Control deficiencies can be categorized by reporting purpose:
- Deficiencies in Internal Control over Operations, Compliance, and Reporting other than External Financial Reporting:
  - Major non-conformities.
  - Minor non-conformities.
- Deficiencies in Internal Control over Financial Reporting (ICoFR):
  - Material Weaknesses.
  - Significant Weaknesses.
[Figure: deficiency matrix, captioned "Classification Material and Significant"]
Remember, the above matrix classifies control deficiencies for the purpose of assessing ICoFR. A deficiency matrix for assessing internal control over operations and compliance will differ from the above, although the basic principle is still the same. For example, in the airplane transportation business, just ONE EXCEPTION found in safety procedures will result in a conclusion that internal control contains a material weakness.
Examples of the above deficiencies are as follows (not limited to):
1. Deficiencies in Internal Control over Operations, Compliance, and Reporting other than External Financial Reporting:
Any deficiencies in internal control that relate to compliance, operation, and non-financial reporting activities and that adversely affect the likelihood that the entity will achieve its objectives.
Examples of MAJOR non-conformities:
- Shipping a nonconforming product – e.g. a product that does not meet quality requirements.
- Making unauthorized significant changes to product design and manufacturing specifications.
- Not completing routine maintenance of assets, especially those related to public safety (e.g. aircraft, railways, or public transit).
- Administering improper medicine doses to hospital patients.
- Recurring misreporting of incidences of non-compliance to regulators.
- Omitting important information supporting budgeting and forecasting activities.
- Improperly treating, storing, or disposing of hazardous wastes.
- Improperly reporting child labor found to be occurring at own or suppliers' factories.
- Improperly reporting CO2 emissions to customers and investors.
- Acquiring incomplete or inaccurate data for use in actuarial valuations.
- Using a product that violates intellectual property rights, e.g. installing an unlicensed program/application on a company's computer.
Any deficiency relating to compliance, operation, and non-financial reporting activities that does not adversely affect the likelihood that the entity will achieve its objectives. Multiple minor non-conformities, when considered collectively, may result in a determination that a major non-conformity exists. Example: a 6% incidence of failing to keep to the maintenance schedule, which exceeds the 4% tolerable exceptions, would result in a conclusion of a major non-conformity.
Examples of MINOR non-conformities:
- Failing to document a part of the quality systems.
- Not inspecting an instrument past its calibration date.
- Failing to conduct routine maintenance of an asset needed to keep a warranty in effect.
- Filing a compliance statement with a regulator one day after the required filing date.
- Not retaining a training record for future reference.
- Using inaccurate data to prepare management information for internal analysis.
2. Deficiencies in Internal Control over Financial Reporting (ICoFR):
Examples of material weaknesses:
Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
- Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance.
- Restatement of previously issued financial statements to reflect the correction of a material misstatement. (The correction of a misstatement includes misstatements due to error or fraud; it does not include restatements to reflect a change in accounting principle to comply with a new accounting principle or a voluntary change from one generally accepted accounting principle to another generally accepted accounting principle.)
- Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity’s internal control. This includes misstatements involving estimation and judgment for which the auditor identifies likely material adjustments and corrections of the recorded amounts. (This is a strong indicator of a material weakness even if management subsequently corrects the misstatement.)
- An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for very large or highly complex entities.
- For complex entities in highly regulated industries, an ineffective regulatory compliance function. This relates solely to those aspects of the ineffective regulatory compliance function for which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.
- Identification of fraud of any magnitude on the part of senior management. (The auditor has a responsibility to plan and perform procedures to obtain reasonable assurance about whether the financial statements are free of material misstatement caused by error or fraud. However, for the purposes of evaluating and communicating deficiencies in internal control, the auditor should evaluate fraud of any magnitude—including fraud resulting in immaterial misstatements—on the part of senior management, of which he or she is aware.)
- Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected.
- An ineffective control environment. Control deficiencies in various other components of internal control could lead the auditor to conclude that a significant deficiency or material weakness exists in the control environment.
A deficiency, or combination of deficiencies, that is less severe than a material weakness yet may be important enough to merit attention by the board of directors. Multiple significant deficiencies, when considered collectively, may result in a determination that a material weakness exists.
Examples of significant weaknesses:
Deficiencies in the following areas ordinarily are at least significant deficiencies in internal control:
- Controls over the selection and application of accounting principles that are in conformity with generally accepted accounting principles. Having sufficient expertise in selecting and applying accounting principles is an aspect of such controls.
- Antifraud programs and controls.
- Controls over nonroutine and nonsystematic transactions.
- Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.
Other Examples of Deficiencies of ICoFR (depending on severity, these could also be significant deficiencies and material weaknesses)
1. Deficiencies in the Design of Controls:
- Inadequate design of internal control over the preparation of the financial statements being audited.
- Inadequate design of internal control over a significant account or process.
- Inadequate documentation of the components of internal control.
- Insufficient control consciousness within the organization, for example, the tone at the top and the control environment.
- Absent or inadequate segregation of duties within a significant account or process.
- Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting).
- Inadequate design of information technology (IT) general and application controls that prevent the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.
- Employees or management who lack the qualifications and training to fulfill their assigned functions. For example, in an entity that prepares financial statements in accordance with generally accepted accounting principles, the person responsible for the accounting and reporting function lacks the skills and knowledge to apply generally accepted accounting principles in recording the entity’s financial transactions or preparing its financial statements.
- Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity’s internal control over time.
- The absence of an internal process to report deficiencies in internal control to management on a timely basis.
- Failure in the operation of effectively designed controls over a significant account or process, for example, the failure of a control such as dual authorization for significant disbursements within the purchasing process.
- Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy, for example, the failure to obtain timely and accurate consolidating information from remote locations that is needed to prepare the financial statements.
- Failure of controls designed to safeguard assets from loss, damage, or misappropriation. This circumstance may need careful consideration before it is evaluated as a significant deficiency or material weakness. For example, assume that a company uses security devices to safeguard its inventory (preventive controls) and also performs periodic physical inventory counts (detective control) timely in relation to its financial reporting. Although the physical inventory count does not safeguard the inventory from theft or loss, it prevents a material misstatement of the financial statements if performed effectively and timely. Therefore, given that the definitions of material weakness and significant deficiency relate to likelihood of misstatement of the financial statements, the failure of a preventive control such as inventory tags will not result in a significant deficiency or material weakness if the detective control (physical inventory) prevents a misstatement of the financial statements. Material weaknesses relating to controls over the safeguarding of assets would only exist if the company does not have effective controls (considering both safeguarding and other controls) to prevent or detect a material misstatement of the financial statements.
- Failure to perform reconciliations of significant accounts. For example, accounts receivable subsidiary ledgers are not reconciled to the general ledger account in a timely or accurate manner.
- Undue bias or lack of objectivity by those responsible for accounting decisions, for example, consistent understatement of expenses or overstatement of allowances at the direction of management.
- Misrepresentation by client personnel to the auditor (an indicator of fraud).
- Management override of controls.
- Failure of an application control caused by a deficiency in the design or operation of an IT general control.