Question

(1) What is the concept of reasonable assurance? What are the key limitations of an internal control system?

(2) What are management's and auditors' respective responsibilities regarding internal control?

Answer 1

Please mentioned below the answers

(1) What is the concept of reasonable assurance? What are the key limitations of an internal control system?

Ans : Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. Although not absolute assurance, reasonable assurance is, nevertheless, a high level of assurance. Reasonable assurance is a high level of assurance regarding material misstatements, but not an absolute one. Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. To achieve reasonable assurance, the auditor needs to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. This means that there is some uncertainty arising from the use of sampling, since it is possible that a material misstatement will be missed.

When conducting an audit of financial statements, the high-level objectives of the auditor include obtaining reasonable assurance as to whether a client’s financial statements are free from material misstatement, thereby allowing the auditor to express an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework (such as generally accepted accounting principles).

This is the deduction that financial reports aren’t materially misstated. It is a high-level guarantee but no absolute guarantee. It includes the understanding that there is a remote likelihood that material misstatements will not be detected or prevented on time. Reasonable assurance is the assurance level auditors are required to acquire by the execution of audit procedures and assessing the resultant audit evidence when conveying a judgment that the financial reports are fairly presented in accordance with GAAP. Reasonable assurance refers to the degree of satisfaction of the auditor that the evidence acquired during auditing backs the declarations embodied in the financial reports. Reasonable assurance is important because it gives directions on the valuations of the soundness and dependability of the financial reports by auditors. It also shows the efficiency of internal control by the firms’ management and audit done internally by internal auditors. Reasonable assurance also helps to determine negligence and liability of the auditor.

Factors affecting reasonable assurance are:

1. Audit limitations which are inbuilt. This is basically audit procedures failures to sense material misstatements in the financial reports because of;

2. Sampling When using audit procedures.

3. Inherent limits of internal control systems and accounting.

4. Audit evidence is convincing rather than decisive in nature

5. The auditor uses judgment when coming up with the audit evidence and conclusions.

Limitations of Internal Control

Limitations of internal control will always exist no matter what industry the company is in or how strong the control procedures are in place. Hence, it is important to understand those limitations of internal control and be warned so that we can avoid them as much as possible.

In the table below are the six limitations of internal control:

Reasonable assurance	Internal control can only provide reasonable assurance, not absolute assurance. It cannot ensure 100% that error or fraud will never occur.
Override control	Internal control will not work if it is overridden by management or personnel with high authority. It may be possible that management can override the controls with their authority, e.g. if the CEO tells low-level employees to do something, they usually will do so, even it will not comply with control policies.
Collusion	Internal control will not work either if the personnel or management collude to by-pass the control. This limitation of control is the type that overtakes the segregation of duties control procedures. For example, segregation of duties can be extremely effective in an internal control system. However, if people who are supposed to act independently collude among themselves, the internal control of segregation of duties here will not work anymore.
Deliberate circumvention	Although the internal controls are implemented to prevent or detect errors, deliberate circumvention by people in the system can still occur.
Events outside expectation	Controls are usually designed to cope with routine activities. The controls might not work against any irregular event outside the expectation. This limitation of control usually happens for the new implementation of control procedures and requires a regular monitoring process.
Cost-benefit consideration	Controls that cost more than the benefit they are expected to receive are not worth having. Usually, the company may decide that certain controls are too costly to implement, considering the risk that can occur due to the lack of such controls.

However, strong internal controls are still essential despite having those existences of internal control limitations. This is due to internal controls bring many benefits to the business operations of the company. In this case, good internal controls can help the company achieve efficient and effective business operations.

In addition to having efficient and effective business operations, internal controls also help the company to minimize the risk of error and fraud, safeguard its assets, and comply with various laws and regulations.

In short, internal controls are the policies and procedures that the company implements in order to minimize the risks that prevent it from achieving its objective.

2) What are management's and auditors' respective responsibilities regarding internal control?

Ans : Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).

At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal controls refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls. The main controls in place are sometimes referred to as "key financial controls"

Roles & Responsibilities in Internal Control :

According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating upward problems in operations, non-compliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:

Management

The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.

Board of directors

Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfil their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.

Auditors

The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting.

Audit committee

The role and the responsibilities of the audit committee, in general terms, are to: (a) Discuss with management, internal and external auditors and major stakeholders the quality and adequacy of the organization’s internal controls system and risk management process, and their effectiveness and outcomes, and meet regularly and privately with the Director of Internal Audit; (b) Review and discuss with management and the external auditors and approve the audited financial statements of the organization and make a recommendation regarding inclusion of those financial statements in any public filing. Also review with management and the independent auditor the effect of regulatory and accounting initiatives as well as off-balance sheet issues in the organization’s financial statements; (c) Review and discuss with management the types of information to be disclosed and the types of presentations to be made with respect to the Company's earning press release and financial information and earnings guidance provided to analysts and rating agencies; (d) Confirm the scope of audits to be performed by the external and internal auditors, monitor progress and review results and review fees and expenses. Review significant findings or unsatisfactory internal audit reports, or audit problems or difficulties encountered by the external independent auditor. Monitor management's response to all audit findings; (e) Manage complaints concerning accounting, internal accounting controls or auditing matters; (f) Receive regular reports from the Chief Executive Officer, Chief Financial Officer and the Company's other Control Committees regarding deficiencies in the design or operation of internal controls and any fraud that involves management or other employees with a significant role in internal controls; and (g) Support management in resolving conflicts of interest. Monitor the adequacy of the organization’s internal controls and ensure that all fraud cases are acted upon.

Personnel benefits committee

The role and the responsibilities of the personnel benefits, in general terms, are to: (a) Approve and oversee administration of the Company's Executive Compensation Program; (b) Review and approve specific compensation matters for the Chief Executive Officer, Chief Operating Officer (if applicable), Chief Financial Officer, General Counsel, Senior Human Resources Officer, Treasurer, Director, Corporate Relations and Management, and Company Directors; (c) Review, as appropriate, any changes to compensation matters for the officers listed above with the Board; and (d)Review and monitor all human-resource related performance and compliance activities and reports, including the performance management system. They also ensure that benefit-related performance measures are properly used by the management of the organization.

Operating staff

All staff members should be responsible for reporting problems of operations, monitoring and improving their performance, and monitoring non-compliance with the corporate policies and various professional codes, or violations of policies, standards, practices and procedures. Their particular responsibilities should be documented in their individual personnel files. In performance management activities they take part in all compliance and performance data collection and processing activities as they are part of various organizational units and may also be responsible for various compliance and operational-related activities of the organization.

Staff and junior managers may be involved in evaluating the controls within their own organizational unit using a control self-assessment.