2. Chapter 7
Understanding Internal Control over Financial Reporting and Auditing Design Effectiveness

3. Learning Objectives
1. Understand the value of effective internal control. 2. Learn the components and mechanisms of internal control. 3. Describe the internal control-related requirements imposed on management of public companies. 4. Analyze the relationship between management’s assertions, ICFR, and activities of an integrated audit. 5. Explain the approach and steps an auditor uses to understand a company’s ICFR and assess its design effectiveness.

4. Audit Planning and Risk Assessment
Exhibit 7-1

5. Authoritative Sources for this Chapter
Sarbanes Oxley Act (SOX)
Securities and Exchange Commission (SEC)
Public Company Accounting Oversight Board (PCAOB)
American Institute of CPAs (AICPA)
Statements on Auditing Standards (SAS)
International Auditing and Assurance Standards Board (IAASB)
International Standards on Auditing (ISA)
Committee of Sponsoring Organizations (COSO)
Foreign Corrupt Practices Act, 1977 (FCPA)

6. Auditors and ICFR
Auditor has to understand the client’s Internal Control over Financial Reporting and assess the effectiveness of its design:
An important part of planning
To be able to select which controls to test in the audit and plan substantive audit procedures

7. Corporate Accountants and ICFR
Accountants inside a company need to understand Internal Control over Financial Reporting because good ICFR helps the company:
use cost effective procedures
manage costs of processing accounting information
manage productivity of the company’s financial functions
maintain an effective financial control system

8. Definition of Internal Control over Financial Reporting
Internal control over financial reporting is a subset of the entire system of internal control
Two important sources of definitions
PCAOB’s definition in AS 5
COSO’s definition in Internal Control Framework
The COSO definition is broader than the PCAOB’s definition
…this makes sense because the PCAOB defines the target of an audit, while COSO’s Internal Control Framework is for more general use

9. PCAOB AS 5, Definition of Internal Control
Internal control over financial reporting is a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that --

10. PCAOB AS 5 Definition (continued)
Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements

11. Investor Confidence and Internal Control
In the simplest terms, investors can have much more confidence in the reliability of a corporate financial statement if corporate management demonstrates that it exercises adequate control over bookkeeping, the sufficiency of books and records for the preparation of accurate financial statements, adherence to rules about the use of company assets and the possibility of misappropriation of company assets.
(PCAOB Release , p. 3)

12. Concepts from COSO Definition
Internal control is a process. It is a means to an end, not an end in itself.
Internal control depends on people. It is not just policy manuals and forms, but people at every level of an organization.
Internal control only provides reasonable assurance – not absolute assurance.
Internal control objectives may address single or overlapping categories of internal control components.

13. COSO Categories of Internal Control
Reliability of financial reporting
Directly relates to integrated audit goals
Effectiveness and efficiency of operations
Important to management
Compliance with laws and regulations
Less directly related to integrated audit goals

14. Overview of the COSO IC Structure
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
The PCAOB uses these same categories in As 12, Identifying and Assessing Risks of Material Misstatement.

15. Control Environment “Tone at the top” Integrity and ethical values
Commitment to competence
Board of Directors or audit committee participation
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resources policies

16. Risk Assessment
Risks defined: Anything that can keep an organization from achieving its objectives.
Organization must set its objectives
Organization must identify threats to achieving the objectives
Guidance to risk assessment is in the COSO Enterprise Risk Management (ERM) Framework
Risk can be
From external and internal factors
At entity and activity levels

17. Risk Assessment Considerations
Significance or degree of impact of the risk on the company
Likelihood of the risk occurring or frequency with which it may occur
Best ways to manage the risk

18. Ways to Identify Risks
Qualitative and quantitative approaches to identify higher-risk activities
Period review of economic and industry factors
Business planning conferences and meetings
Forecasting
Strategic planning

19. External and Internal Sources of Risk
Technological developments
Changing customer needs or expectations
Competition
New legislation and regulation
Natural catastrophes
Economic changes
Internal
Disruption in information systems processing
Personnel: hiring, training, motivation
Change in management responsibilities
Entity’s activities and employee access to assets
Unassertive or ineffective board or audit committee

20. Circumstances Demanding Special Risk Assessment Attention
Changed Operating Environment
New Personnel
New or Revamped Information Systems
Rapid Growth
New Technology
New Lines, Products, Activities
Corporate Restructurings
Foreign Operations

21. Control Activities
Control activities defined: the policies and procedures that help ensure management directives are carried out
Policies: establish what should be accomplished in carrying out management’s directives to address risk
Procedures: the activities that should be followed to carry out the policies

22. Categories of Control Activities
Performance reviews
Used to monitor the business, often on an ongoing basis
Information processing
Controls over use of IT to initiate, record, process and report transactions and other financial data
General and Application controls
Physical controls
Over assets and access to information
Segregation of duties
Assigning different people responsibility for authorizing transactions, recording transactions and maintaining custody of assets
Collusion is a threat to segregation of duties

23. Information and Communication
Quality of Information
Content appropriate: Is the needed information available?
Information timely: Is it available when required?
Information current: Is the latest information available?
Information accurate: Are the data correct?
Information accessible: Can the information be obtained easily by the appropriate parties?
Communication
Tool for control related to ICFR
Means of enabling achievement of the objectives of the business

24. Monitoring
Ongoing monitoring: those things that are a part of running the business
Separate monitoring: activities conducted for the specific purpose of monitoring
Tradeoff…the more ongoing monitoring exists the less separate monitoring may be needed

25. COSO Guidance on Monitoring Internal Control Systems
Monitoring is a normal state of affairs in the organization.
Monitoring is a formal part of the organization.
Someone has responsibility for developing monitoring procedures.
Employees execute monitoring activities and make reports as a normal part of their jobs.
Management assesses reports and take whatever action is needed.

26. Management’s Responsibility for Internal Control
Foreign Corrupt Practices Act, 1977
Requires management of public companies to maintain a system of control
Sarbanes Oxley Act
Section 302: management certification
Section 404: management assessment, report and audit
Dodd Frank Act
Permanently exempts smaller public companies from the requirement of having ICFR audited; retains management requirement to assess ICFR and report

27. SOX Section 302 Management Certification
Specific officers or those with officer functions must sign
Reviewed the SEC filing; annual or quarterly report
SEC filing does not include anything material that is untrue
SEC filing does not omit anything material that makes statements untrue
Fair financial reporting
Management is responsible for internal control
Controls permit people within the company to prepare the SEC reports
Have evaluated effectiveness of ICFR within 90 days prior and are presenting their conclusions
Have told the auditor and audit committee about ICFR problems
Have told the auditor and audit committee of management fraud
Have reported any changes in internal control
Have reported any events that occurred after the report date that may affect internal control

28. SOX Section 404
Annual SEC filing must include an internal control report
Report states management’s responsibility for internal control and producing financial information
Report includes management’s assessment at fiscal year end about internal controls and procedures for financial reporting
SEC Interpretive Release 2007: No requirement that management’s assessment be performed using the guidance in the Interpretive Release, but the guidance provides an acceptable way to perform the assessment of ICFR

29. SOX Section 404, Audits of ICFR
ICFR must be audited for all companies except those exempted by Dodd Frank
Auditor must
Be registered with PCAOB
Attest to (audit) management’s report
Follow PCAOB standards for an audit of ICFR
Since SOX requires that the financial statement and ICFR audit be one integrated engagement, the same auditor must do both

30. Background to an Audit of ICFR
Objective of an integrated audit report on ICFR and the financial statements
Opinion on the fairness of the financial statements
Opinion on the effectiveness of ICFR
Opinions can be in a combined or separate reports
If the auditor disagrees with management’s assessment this is added to the audit report
Auditor must audit the financial statements to audit ICFR
Auditor uses information and conclusions from each part of the audit in the other part of the audit

31. Approach to an Integrated Audit
Identify what would make the financial statements materially misstated.
Focus on management’s assertions in understanding the accounting system
Identify
…important controls….that address significant risks…associated with management’s assertions
Assess whether the controls are designed effectively so that, if operating effectively, they can prevent or detect material misstatements
Test operating effectiveness of controls
Perform substantive procedures

32. Assertions defined…
Assertions are representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur.
ISA 315

33. Management’s Assertions
PCAOB uses 5
AICPA and IAASB use 13
Auditors have to cover the important concepts in the assertions, but otherwise can express them however they choose
…it is easy to see how both sets of assertions cover the same concepts….

34. PCAOB Assertions: AS 15, Audit Evidence
Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.
Completeness – All transactions and accounts that should be presented in the financial statements are included.
Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.
Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.
Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed.

35. AICPA and IAASB, 13 Assertions
Classes of Transactions and Events
Occurrence
Completeness
Accuracy
Cutoff
Classification
Account Balances
Existence
Rights and Obligations
Valuation and Allocation
Presentation and Disclosure
Occurrence, Rights, Obligations
Classification and Understandability
Accuracy and Valuation

36. Difference between 5 and 13…
The AICPA and IAASB use additional terms:
Accuracy, Cutoff, Classification, Understandability
Explanations to consider:
If an item posted is not accurate – including being posted in the wrong period or to the wrong account --it either did not occur as shown or the balance is incomplete
If a disclosure is not accurate it cannot meet the requirements for the presentation and disclosure assertion
Proper classification is a part of the presentation and disclosure assertion
If an item is not understandable it cannot be properly described under the presentation and disclosure assertion

37. Reminder: Use of Management Assertions
Auditor identifies
Significant accounts and disclosures
Relevant assertions for those accounts and disclosures
Auditor considers risks that might cause the assertions to be wrong
Auditor looks for ICFR controls in place to prevent or detect any misstatements resulting from the risks
Auditor assesses whether controls are designed so that they can be effective if they operate properly
Audit continues with
Selecting controls to test; considering whether to always rely on controls in financial statement audit
Deciding how controls tests should be performed
Deciding on substantive procedures needed

38. Time Periods Covered by Audit Procedures
For an audit opinion that ICFR is effective it must be effective at fiscal year end
ICFR must be effective at and for a period of time prior to fiscal year end so that the auditor has confidence in the conclusion
To rely on ICFR in the financial statement audit, the auditor must test ICFR for the entire period of reliance
If ICFR was not effective throughout the entire financial period, this affects the financial statement audit procedures
Even in an integrated audit, the auditor may choose not to rely on ICFR for an account, and consequently only test related controls at fiscal year end

39. Evidence Related to ICFR
Making inquiries of appropriate management, supervisory, and staff personnel
Inspecting company documents
Observing the application of specific controls
Tracing transactions through the information system relevant to financial reporting
Walkthroughs – a set of procedures performed together; an efficient way to understand ICFR and assess design effectiveness

40. Walkthroughs
Tracing a transaction from origination until it is reflected in the company’s financial records
Includes inquiry and observation steps
Information from a walkthrough:
Who performs the control? Or, if automated, what system
What is performed and why? What is the management assertion?
When is the activity performed, including how often?
What evidence is produced showing that the control occurred?
How are problems or exceptions investigated and resolved?

41. Examples of Walkthrough Inquiries
What do you do when you find an error?
What are you looking for to determine if there is an error?
What kinds of errors have you found?
What happens as a result of finding errors?
How are errors resolved?
Have you ever been asked to override the process or controls? Is so, what happened and why did it occur?

42. Audit Documentation
Audit documentation is the written record of the auditor’s work.
Information included in documentation:
Planning and performance of the work
Procedures performed
Evidence obtained
Conclusions reached
Professional judgment is used to decide how extensive audit documentation must be

43. AS 3 Documentation Requirements
Demonstrate that the engagement complied with the standards of the PCAOB
Support the auditor’s conclusions concerning every relevant financial statement assertion
Nature, timing, extent and results of procedures performed – means: what was done, when, by whom, outcomes, reviewer, date of review
Demonstrate that the underlying accounting records agreed or reconciled with the financial statements

44. Characteristics that Cause More Documentation
An audit task that is difficult to understand or interpret
An audit task that requires a lot of judgment
An audit task that is very important to the audit
A management assertion that has a lot of risk

45. Required Documentation of Contradicting Issues
AS 3.8: In addition to the documentation necessary to support the auditor’s final conclusions, audit documentation must include information the auditor has identified relating to significant findings or issues that is inconsistent with or contradicts the auditor’s final conclusions. The relevant records to be retained include, but are not limited to, procedures performed in response to the information, and records, documentation, consultations on, or resolutions of, differences in professional judgment among members of the engagement team or between the engagement team and others consulted.

46. Documentation of the Company’s ICFR
SEC requires management to have significant documentation to support its conclusions about ICFR
Form of documentation varies depending on company characteristics (size, complexity, etc.)
Management can rely on documents it uses day-to- day or develop specific ICFR documentation
Auditor may use company’s documentation to advance understanding of the company and ICFR assessment

47. ICFR Documentation Techniques Used
Flowcharts
Process models
Narrative descriptions
Job descriptions
Samples of transaction documents and forms, procedures manuals, organization charts
Questionnaires and checklists

48. Information in Management’s ICFR Documentation
The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements
Information about how significant transactions are initiated, authorized, recorded, processed, and reported
Information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur
Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
Controls over the safeguarding of assets
The results of management’s testing and evaluation of ICFR

49. Entity Level Controls
Pervasive controls; those that exist at the organization or company level, but have an impact on controls at the process, transaction, or application level
Examples
Controls related to the control environment
Controls over management override
The company’s risk assessment process
Centralized processing and controls
Controls over shared service environments
Controls to monitor other controls
Period-end financial reporting process controls
Policies that address significant business control and risk management practices

50. Three Categories of Entity-Level Controls
1. Have an important, but indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis
2. Monitor the effectiveness of other controls; might identify breakdowns in lower-level controls but not at a level of precision that would sufficiently address the risk of material misstatements
3. Operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions

51. Indicators of Audit Committee Function
Oversight of external financial reporting
Oversight of internal control over financial reporting
Independence of audit committee members from management
Clarity of responsibilities
Interaction with independent and internal auditors
Interaction with chief financial officer, chief accounting officer
Interaction with other key members of financial management
Questions asked of management and the auditor
Understanding of critical accounting policies
Understanding of accounting estimate judgments
Responsiveness to issues raised by the auditor (AS )

52. Anti-Fraud Controls Must be included in design of ICFR
Discussed previously related to Fraud Triangle
Controls that prevent, deter, and detect fraud
Controls restraining misappropriation of assets
Risk assessment processes
Codes of ethics or conduct
Adequacy of internal audit
Adequacy of procedures for handling complaints and accepting confidential communications on accounting and auditing matters
Auditor evaluates all controls specifically directed at the risk of fraud
Inquiries of management, audit committee, internal auditors is an important audit procedure

53. IT Impact on the Company and Auditor
AS 12 identifies need for auditors to consider manual and automated systems when understanding the company and assessing risks
Nature and extent of IT affects the risks and therefore controls needed and audit steps
IT might affect initiation, recording, processing and reporting of financial information
Alternatively, manual steps might affect approvals, reviews of transactions, reconciliations and follow up of reconciling items

54. IT Impact on Controls Needed
Benefits of IT to Internal Control
Consistent application of rules and complex calculations
Timeliness, availability and accuracy of information
Facilitates additional analysis of information
Enhances monitoring ability
Reduces risk that controls will be circumvented
Controls are used for applications, databases and operating systems
Risks of IT to Internal Control
Possibility of consistently incorrect processing
Possibility of processing the wrong data
Unauthorized access and changes to data and programs
Failure to change systems or programs as intended
Inappropriate manual intervention
Potential loss of data

55. Period End Financial Reporting Process
Must be considered in every ICFR audit
Is always considered a significant process so the auditor must consider controls
Procedures that are a part of the period end financial reporting process that the auditor evaluates
Entering transaction totals into the general ledger
Selecting and applying accounting policies
Initiating, authorizing, recording and processing journal entries into the general ledger
Recording recurring and nonrecurring adjustments to the financial statements
Preparing financial statements and related disclosures

56. Timing of Period End ICFR Audit Procedures
Audit tests of ICFR are performed while the process is occurring.
The client closes its books and prepares its financial statements after fiscal year end.
Period end financial reporting procedures occur and are tested after fiscal year end, even though the management report and auditor’s opinion are as of fiscal year end.

57. Significant Accounts and Disclosures
Auditor must determine what amount is material to the financial statements; qualitative characteristics also impact materiality
Auditor can then identify significant accounts and the relevant assertions for the accounts
Relevant assertions are those that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated
PCAOB Risk Assessment standards (2010) states that relevance stems from inherent risk

58. Classes of Transactions
One account may have different major classes of transactions and relevant assertions may differ for the classes
For example, cash sales and sales on account include different relevant assertions
Another approach for identifying and understanding major classes of transactions is grouping them:
Routine transactions
Non-routine transactions
Estimating transactions

59. Understanding Likely Sources of Misstatement
After identifying material accounts and disclosures, any major classes of transactions and relevant assertions the auditor must understand likely sources of misstatement
From AS 2.74:
Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported
Identify the points with the process at which a misstatement – including a misstatement due to fraud – could arise

60. Last Steps of Understanding
After identifying likely sources of misstatement…
Auditor identifies controls management has implemented in the system that are intended to prevent each type of potential misstatement
Auditor also identifies controls specifically intended to prevent or detect unauthorized acquisition, use or disposal of assets that could cause a material financial statement misstatement
IT is an integral part of the analysis – not a separate audit step

61. IT Related to Likely Sources of Misstatement
Factors that impact the need for specialized IT knowledge include:
Chapter 7-42
Learning Objective #5

62. Appendix A: Specifics of IT General Controls
IT general controls (ITGC): IT policies and procedures that apply throughout the entire company
Application controls are usually programmed controls that are specific to a single process or activity
Entity-level vs. transaction-level controls are not the same as IT general controls and IT application controls

63. Relationship Among Different Control Types

64. Big Picture: Organization of ITGC
Internal control environment
Software acquisition
Hardware acquisition
Network technology acquisition
Program development
Program changes
Computer operations
Access to programs and data
Software and interface controls
Contingency controls
Human resources
Physical facilities controls

65. IT Control Environment
Policies
Licensing agreements
Passwords
Use of company resources, Internet, and
Physical control over portable resources
Social engineering issues
Control breakdowns
Use of third-party providers
Segregation of Duties
Monitoring

66. Acquisitions and Changes
Software: plans, approval, company strategy, compatibility, cost effectiveness
Hardware and Network Technology: authorization and approval, fit with needs, security
Program Development and Changes: project initiation, analyses and design, construction, testing and quality assurance, data conversion, documentation and training

67. Computer Operations
Policies and procedures, includes organizational structure
Batch processing and end user computing
Batch: scheduling and planning functions
“End user: authorized access
Backup management, sophistication varies
Data center controls
Physical access, climate controls, lock up, passwords
Capacity planning and performance issue management
Short and long term planning, expected service level
Recovery
Appropriate plan, tested and updated as needed

68. Access and Interface Access to Programs and Data
Password complexity and security
Privacy policies
Security in place and tested
Security measures monitored
Software and Interface Controls
Denial of service attacks
Intrusion detection controls
Cookie policies and detection

69. Contingency Controls Backup Procedures
Procedures for control breakdowns: incident detection, reaction, damage limitation, analysis, recovery, future monitoring
Data backup procedures: full backups, incremental backups, storage mediums – physical or electronic, reconstruction of data
Service interruption, disaster and recovery
Backup or alternate power source
Redundant computer processing system
Identified responsible individual

70. Human Resources
Hiring policies: recruiting, verifying information, testing, interviewing
Should address candidate ability and integrity
Training: cross training, job rotations, mandatory vacations, ongoing training
Termination policies and controls
Immediately revoking computer access and physical access
Change passwords and codes
Send files to another manager

71. Physical Facilities Protected environment Climate control
Fire suppression and evacuation
Inconspicuous location
Limited access
Limited access to network administration offices
Lock up of critical equipment
Physically secure portable equipment, programming to limit unauthorized access
Store least possible amount of data on portable equipment

72. Appendix B: Enterprise Risk Management
Enterprise Risk Management (ERM) framework
September 2004, COSO
ERM: a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives

73. ERM and Internal Control
ERM addresses the environment within which controls function
Internal control is encompassed within and an integral part of enterprise risk management. Enterprise risk management is broader than internal control, expanding and elaborating on internal control to form a more robust conceptualization focusing more fully on risk.

74. Categories of ERM Objectives
Strategic objectives
Operations objectives
Reporting objectives
Compliance objectives

75. Components of ERM Internal Environment Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring

76. Appendix C: ICFR in Smaller Public Companies
Dodd Frank Act (2010) removed the requirement for smaller public companies to have ICFR audited, but management must still perform the assessment and issue the report required by SOX 404
Guidance on ICFR geared to smaller companies
COSO, 2006 Guidance for Smaller Public Companies
COSO, 2009 Guidance on Monitoring Internal Control Systems
SEC Interpretive Release (Release )
AS 5 (replaced AS 2)
PCAOB Staff Views, Guidance for Auditors of Smaller Public Companies

77. Common Characteristics of Smaller Companies
Fewer business lines
Less complex business processes
Less complex financial reporting system
More centralized accounting functions
Extensive involvement by senior management
Fewer levels of management with wide spans of control

78. SEC Interpretive Release
Fundamentals required of management to assess ICFR effectiveness are not different for smaller companies
Identify risks
Determine whether controls are in place that address the risks
Evaluate the operating effectiveness of the controls
How the ICFR assessment activities are accomplished may differ

79. Differences in Process
Management can judge whether all aspects of ITGC are relevant to financial reporting risks
Only evaluate those that are important
Documentation of controls and evidence selected can vary based on management’s’ judgment of importance
Limited documentation may be created just for assessment
Emphasis placed on role of on-going monitoring

80. PCAOB Guidance Directed toward auditors not companies
Includes characteristics of smaller companies that are important considerations for auditors
Use of entity-level controls to achieve control objectives
Risk of management override
Implementation of segregation of duties and alternative controls
Use of information technology (IT)
Maintenance of financial reporting competencies
Nature and extent of documentation