 Hello, and welcome to this session in which we will discuss management and auditor responsibilities when it comes to internal control. In the prior session, we defined internal control and we looked at the purpose of internal control. So if you don't know what internal control is or what's the purpose of internal control, I suggest you view the prior recording. The first thing I want you to understand about internal control and the role of management and auditors is this. Management is responsible for establishing and maintaining internal control as well as preparing financial statements. And I suggest you memorize this. Why? Because many questions on the CPA exam or in your audit course, they will try to confuse you between the roles of management and auditor. And that's why this session is important because it's going to define, it's going to explain the role of each management and auditor. So you want to make sure you don't confuse who does what. Management is responsible for establishing, think about it. To run the company, you need to have some sort of internal control system. You need to have policies and procedures. The auditor is an outsider. The auditor should not, I mean they can, but they should not establish those policies and procedures. Management, it's in their best interest to have internal control and management is responsible for financial statements. Now the auditor, it's going to evaluate management internal control, but they will not establish or maintain it or prepare financial statements. It's management responsibility. So what I'm going to do now, I'm going to go over the role of each management first, then the auditor starting with the management role. Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat Accounting Lectures is a supplemental educational tool that's going to help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course such as Becker, Roger, Wiley, Gleam, Miles. My accounting courses are aligned with your accounting courses broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true-false questions as well as exercises. Go ahead, start your free trial today. Management role, as I mentioned, management is responsible for establishing and maintaining a sufficient internal control structure. Also, the management should design that system to offer reasonable assurance that's important. Management cannot provide an absolute reasonable is the highest level of assurance. There is no such thing as absolute assurance that the financial statements are presented fairly assurance for the fair presentation of the financial statements. Now, the internal control would help in this process. Also, the management must weigh the cost and benefit of these controls. Now, you can have perfect control. I mean, as close to perfect as possible, but it's going to cost a lot of money. So management will have to evaluate whether the cost outweigh the benefit. Simply put, the whole purpose of internal control is to minimize the chances of significant major misstatement slipping undetected or uncorrected through the accounting information system. That's the whole purpose of it. Now, if you want to have strong internal control, very, very strong, extremely strong. Yes, you can, but it's going to cost you a lot of money. Also, we have to understand, no matter how well an internal control is designed, they are not full proof. Why? Because we have human errors. Even the best system hinges on the competency and the reliability of the users. You can have the best system, but if you don't use it properly, it's not good. Even with the best internal control system for inventory, errors could still occur. For example, employees my misunderstood instruction. They misunderstand instruction. They told them what to do, but they did not really what they did. They did something else. They could act carelessly, tiredness, laziness, and as a result, they may not follow the instruction properly. They could also manipulate the result for either personal gain or to inflate earnings for the company. Also, inflating earnings is basically part of a personal gain as well because you're looking to make yourself or your department looks good. That's also a limitation because management would override internal control and that's a limitation. Also, we could conspire in fraudulent actions like theft, a practice known as collision. So also, people at the company, they could collide, collude with each other, agree with each other to commit the fraud. Internal control is defeated. So you want to know the limits. Internal control has inherent limits. You need to know what these limits are. What else do we need to know about internal control and management? Management is mandated to issue an internal control report. Basically, they have to state clearly as what I just told you, acknowledging management responsibility for establishing and maintaining a sufficient internal control structure and procedures for financial reporting. We're going to repeat the same information, but repetition is good. You would learn the information. Also, an assessment of the effectiveness of internal control structure conducted at the end of the fiscal year. We also have it. We assessed the internal control. It's effectiveness. In addition, management is required to specify which framework. What did they use to evaluate its effectiveness? You need a standard. Well, that standard in the United States, we use what we called COSO, the Committee for Sponsoring Organization of the Threadway Commission, simply put known as COSO. Now, we need to learn about COSO, the various components of COSO. We're going to do that in the next few sessions. But that's the standard. Now, international companies, they might use another standard. But the assessment of internal control involved two crucial aspects, evaluating the design and testing the operating effectiveness. So when you assess it, you want to see how good is it in terms of design. Is it designed properly? Well, that's good. On paper, it looks good. Now, let's test it and see if it's operating. There's a difference between design. You could have the best design, the best plan, but if you don't execute the plan, how good it is. Then we test the operating effectiveness of these controls. Starting with the design of internal control, as we mentioned several times already, and we're going to mention one more time, management is responsible for assessing whether controls are designed and implemented to prevent or detect. Prevent means don't let it happen or if it happens, it detects significant errors in the financial statement. Now, management will concentrate on the risks that address relevant aspect of the financial statements. What are those relevant aspects? We would look at major significant accounts and we want to make sure those are protected from errors. We want to look at significant transactions. We want to look at disclosure. Those are significant relevant aspects of the financial statements. Now, the evaluation would involve, which is the testing would involve examination of the initiation, authorization, recording, processing, and reporting of significant transaction to identify any potential points where errors or fraudulent activities could arise. We would look at the whole process from initiation until the numbers make it to the financial statement, until it's reported. We would try to see if there's any weakness area where errors could slip in the system. For example, suppose a retail store wants to ensure the accuracy of its inventory record to prevent financial statement misstatement. Well, to achieve this, management will set up internal controls one internal control, one common internal control is to do what? Count the inventory on regular basis. These count help to ensure quantity of the items in stock matches what's on record. Also, they establish a control for authorization of inventory purchases. All purchases, for example, must be approved by a designated manager reducing the risk of unauthorized or fraudulent purchases being recorded. By having these control, management will aim to minimize the possibility of errors or fraud that could affect the accuracy of the store financial statement, specifically those related to inventories. So this is the design. This is what they want to do. Now, okay, great. We designed it that way. Now within each step, for example, for counting the inventory, when we do the count, there are maybe several steps. For example, the counter should not be the people who work, who handle inventory. The counter might be an outside company. The counters should be, for example, people from another department, they should use pre-number tags, so on and so forth. We would look at specific steps later on. All we're doing here is we'll show you the big picture. So this is the design. Again, after the design, we have to test the operating effectiveness. For example, if we build a calculator, that's great. We design it properly. Now we want to make sure if the addition, multiplication is working properly. Management is required to test. Remember, not only design, they have to test its effectiveness because the design, anyone can design it. That's no problem at all. But is it working as expected, and that's what really matters. What does testing involve? Verifying the controls are operating as designed, as intended. And the person responsible for each control has the required authority and qualification. So if we said this person is doing that, what's their qualification? What's their authority? Are they authorized to do so? Now the results should be documented by management and should serve the foundation for the assertion about the control effectiveness. Because what we do is we collect evidence and we say at the end, well, the control is effective or ineffective. If there's any material significant weakness, and we're going to define this later on much, much more in details, just for now say, what's material significant weakness? A major issue. Management must disclose the control is ineffective. So if there's a major material weakness, then the control is ineffective. Major material weakness means it's allowing an error to affect the financial statements. As I mentioned, the management will issue a report, and this is what a report would look like. I'm going to go over the report. And basically it's going to be a summary of everything that we mentioned so far. Farhat Company is responsible for establishing and maintaining adequate internal control. We mentioned this, that the company is responsible for that. Farhat's internal control was designed to provide reasonable assurance. We mentioned that. Provide reasonable assurance to the company's management and board of directors for the fair presentation of the financial statement. Also, Farhat management assessed the effectiveness. It means that the effectiveness of the company's internal control using the COSO framework, which framework they used. Based on our assessment, we believe the internal control over financial reporting is effective. It means they did not find this material significant weakness. Farhat's independent auditor, which is another company, have issued a report on our assessment of the company's internal control and it's appearing on page XX. We're going to see the auditor's report later on. So management issue a report, then the auditor assessed that report as well. Now let's move to the auditor's responsibility. Now we're leaving management. Now what is the auditor responsible for? Well, we have to understand the role of the auditor. One key principle in the AICPA auditing standard is for the auditor to identify and assess risk of material misstatement. Where could misstatement happen, whether caused by error, mistake, or intentional error fraud? Now how would the company do that? How would the auditor, not the company? The auditor will need to understand the entity's environment. How do they operate and which environment do they operate? And that's very important because part of that is understanding their internal control. What are their policies and procedures to prevent those risk of material misstatements? And here we have to understand. The auditor will have to understand internal control and we're going to have several sessions. We already have several sessions about understanding. How do they understand it? And sometimes they might have to test it. If they're going to rely on it, they're going to have to test it. And we're going to talk about that. Auditing standard mandate that auditor must understand, notice must understand. The least you have to do is to understand it. Whether you're going to test it or not, we'll talk about that later. The relevant internal control on every audit engagement. Now the primary focus for testing those internal control is for the reliability of financial reporting. Remember, internal control has four objectives. One of them is reliability of financial reporting. The other one is making sure the company is running effectively and efficiently. Then there is the compliance with laws and regulation and there is the safeguarding of assets. Four different objectives we looked at in the prior session. The auditor's primary objective is reliability of financial reporting. It doesn't mean they ignore the other objective. That's not what I'm saying. I'm saying their primary objective is that. So control over financial, reliability of financial reporting. The auditor prioritized control over related, over control related to reliability of financial reporting. And those are the, that's what's mainly impact, not mainly directly impact the financial statement, which is what we are auditing based on gap. Now, efficiency and operation control are of a lesser concern, not not a concern, a lesser concern, since they may not directly influence the fear presentation. Well, if they're running the company in not the most efficient way, they're wasting money, that's not our problem. That's maybe management problem. They have to run the company efficiently and effectively to reach their goal. They're wasting a lot of resources. We can, we can maybe mention that to them. You know, we tell them, look, you might want to hire a consultant to help you run the company more efficiently, but that's not our concern as auditor. Nevertheless, auditors do consider control over internal management information. We look at budget, performance report. Why? Because they can serve as important evidence to assess the fairness of the financial statements. If they're preparing a budget, we're going to look at the budget because the budget help you run the company. We're going to look at the budget and compare the budget numbers to the financial statement numbers to see if that makes sense. We also look at the performance report. That's information for us, but we're not going to evaluate how well they are within budget or outside budget. That's not our concern, how they run the company. Inadequate control over these internal reports can reduce the value, can reduce their value as evidence for the auditor's assessment. So inadequate control, okay? If they have inadequate control over internal reports, well, then we really cannot rely a lot on their system if we see that. But again, we're going to test control rate later on. Control over classes of transactions, okay? So we're going to be concerned with, we're going to focus mainly, it doesn't mean the only thing, mainly over transaction, rather than account balances. What's the difference between a transaction and account balance? A transaction is when you buy or sell something. It's a transaction. Account balance is the balance at the end of the period. Now, because of the transaction, you have the balance, because when you have a transaction, the balance might go up, the balance might go down. So we don't look at the balance. We want to see if the transaction are conducted properly. If the transactions are properly being recorded, then obviously the balance should be proper. So the accuracy of the balance heavily relies on the accuracy of the inputs and processing of transaction. So if your input output is correct, if your input is correct, your output should be correct. That's the assumption. For example, errors in billing customers for sales, unit ship or unit selling prices can lead to misstatement in both sales and account receivable. You don't look at sales and account receivable balance. Let's see what's being inputted in this account is proper. If what's being inputted is proper, the balance should be proper. If it's not, then the balance might be misstated. However, with effective internal control in place for billing, cash receipt, sales return and allowances, the ending balance in the account receivable is likely to be accurate. That's the assumption that we can fairly make. If the system is working properly, if the transaction is working properly and everything going to the right place, the accounting balance should be correct. Now, I don't want you to think that auditors focus solely only on transaction. They focus on the transaction, but they most also understand control over ending account balances and related disclosure. So transaction related audit objective usually don't impact balance related objective like realizable value and rights and obligation, nor do they significantly influence related disclosure objective. Now, we're going to talk more about those audit objectives later on. I don't want to go into the details yet. I just want to let you know that we, the primary focus is transaction, but we don't ignore account balances or disclosure. They have their own objective as well. The auditor evaluates separately whether management has implemented internal control for each of these account balances and disclosure. So we also evaluate that. And what do we do at the end? We issue a report, mandate that the auditor to provide a report on the effectiveness of internal control over financial reporting. And we look at this internal control when we looked at reports early on. In order to form an opinion on these control, we must first understand, of course, how can you not understand internal control? You have to understand how they do things. And again, there's steps on how to understand it and conduct tests on control for all significant account balances, transaction categories and disclosure. So notice we do test it from a transaction perspective, account balances and disclosure, along with the related assertions. Don't worry about the assertions. We'll look at the assertions later on. Let's take a look at this multiple choice, which you can find on Fahat Lectures. Which of the following is the auditor's primary concern regarding the management assertion about the implementation of internal control? Again, here is what we're looking at is the primary concern of the auditor when it comes to internal control. What's our primary concern? Is it their compliance with applicable laws and regulation? Is this a concern for us? Yes, it is a concern. Whether they are complying with laws and regulation, it tells us whether this company is ethical or not the least. So that is a concern, but is it the primary concern? Well, it could be a primary concern, but is this when we go in? Is this what we are looking at initially? Not really. We're not looking to see if they are in compliance with laws and regulation. We might be engaged to do that. Specifically, that's a different story. But that's not our primary concern. Is it how well efficient of operation? Is it how well they are running their operation? Are they running their operation at the least amount of resources? Well, if they do, that's great. If they don't, that's their problem. But that's not our concern as auditor. So efficiency is important for the company. We would look if they are wasting resources, but that's not our primary concern as well. Is it reliability of financial reporting? Well, what is financial reporting? Basically, reporting financial statements for the US based on GAP. Is this our concern and the answer? Yes, this is our main concern. When we audit a financial statement, when we audit a company, our concern, whether those financial statements are in compliance with generally accepted accounting principles or whatever framework we are using. And that is our main concern. That's why we look at their internal control to see if we can rely on it. Why? If we can rely on it, then it's going to help us in the financial reporting, which is GAP. Our primary concern, I would say yes, but let's look at the last one. Effectiveness of operation. Effectiveness means whether they are reaching their objective or not. Well, that's their problem really. There means the management problem, whether they are doing it or not. As auditors, that's not our concern. Our concern is whether the financial statements are in compliance with fairly presented according to GAP or whatever framework we are using in the US we use GAP. Therefore, our primary concern is reliability of financial reporting. The other three, our objective of internal control, but our primary concern as auditor is reliability of financial reporting. What should you do? You should go to our lectures, look at additional MCQs and true-false questions, such as this one to help you understand this important concept better. The role of management when it comes to internal control. The role of auditors when it comes to internal control. Two separate objectives. The management objective is totally different than the auditors. You want to make sure you understand the difference between the two. Whether you are a CPA exam candidate, enrolled agent or an accounting student. Good luck. Study hard, invest in yourself and stay safe.