Chapter 7: Understanding Internal Control over Financial Reporting and Auditing Design Effectiveness

Learning Objectives
1. Understand the value of effective internal control.
2. Learn the components and mechanisms of internal control.
3. Describe the internal control-related requirements imposed on management of public companies.
4. Analyze the relationship between management’s assertions, ICFR, and activities of an integrated audit.
5. Explain the approach and steps an auditor uses to understand a company’s ICFR and assess its design effectiveness.

Authoritative Sources for this Chapter
- Sarbanes-Oxley Act (SOX)
- Securities and Exchange Commission (SEC)
- Public Company Accounting Oversight Board (PCAOB)
- American Institute of CPAs (AICPA)
- Statements on Auditing Standards (SAS)
- International Auditing and Assurance Standards Board (IAASB)
- International Standards on Auditing (ISA)
- Committee of Sponsoring Organizations (COSO)
- Foreign Corrupt Practices Act, 1977 (FCPA)
Auditors and ICFR
- The auditor has to understand the client’s Internal Control over Financial Reporting and assess the effectiveness of its design:
  - An important part of planning
  - Needed to select which controls to test in the audit and to plan substantive audit procedures

Corporate Accountants and ICFR
- Accountants inside a company need to understand Internal Control over Financial Reporting because good ICFR helps the company:
  - use cost-effective procedures
  - manage costs of processing accounting information
  - manage productivity of the company’s financial functions
  - maintain an effective financial control system

Definition of Internal Control over Financial Reporting
- Internal control over financial reporting is a subset of the entire system of internal control
- Two important sources of definitions:
  - PCAOB’s definition in AS 5
  - COSO’s definition in the Internal Control Framework
- The COSO definition is broader than the PCAOB’s definition. This makes sense because the PCAOB defines the target of an audit, while COSO’s Internal Control Framework is for more general use
PCAOB AS 5, Definition of Internal Control
Internal control over financial reporting is a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that:
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.

Investor Confidence and Internal Control
In the simplest terms, investors can have much more confidence in the reliability of a corporate financial statement if corporate management demonstrates that it exercises adequate control over bookkeeping, the sufficiency of books and records for the preparation of accurate financial statements, adherence to rules about the use of company assets and the possibility of misappropriation of company assets. (PCAOB Release, p. 3)
Concepts from the COSO Definition
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control depends on people. It is not just policy manuals and forms, but people at every level of an organization.
- Internal control only provides reasonable assurance, not absolute assurance.
- Internal control objectives may address single or overlapping categories of internal control components.

COSO Categories of Internal Control
- Reliability of financial reporting: directly relates to integrated audit goals
- Effectiveness and efficiency of operations: important to management
- Compliance with laws and regulations: less directly related to integrated audit goals

Overview of the COSO IC Structure
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
The PCAOB uses these same categories in AS 12, Identifying and Assessing Risks of Material Misstatement.

Control Environment (“Tone at the top”)
- Integrity and ethical values
- Commitment to competence
- Board of Directors or audit committee participation
- Management’s philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resources policies
Risk Assessment
- Risk defined: anything that can keep an organization from achieving its objectives.
- The organization must set its objectives
- The organization must identify threats to achieving the objectives
- Guidance on risk assessment is in the COSO Enterprise Risk Management (ERM) Framework
- Risk can be:
  - from external and internal factors
  - at entity and activity levels

Risk Assessment Considerations
- Significance or degree of impact of the risk on the company
- Likelihood of the risk occurring, or frequency with which it may occur
- Best ways to manage the risk

Ways to Identify Risks
- Qualitative and quantitative approaches to identify higher-risk activities
- Periodic review of economic and industry factors
- Business planning conferences and meetings
- Forecasting
- Strategic planning

External and Internal Sources of Risk
- External:
  - Technological developments
  - Changing customer needs or expectations
  - Competition
  - New legislation and regulation
  - Natural catastrophes
  - Economic changes
- Internal:
  - Disruption in information systems processing
  - Personnel: hiring, training, motivation
  - Change in management responsibilities
  - Entity’s activities and employee access to assets
  - Unassertive or ineffective board or audit committee

Circumstances Demanding Special Risk Assessment Attention
- Changed operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New lines, products, activities
- Corporate restructurings
- Foreign operations
Control Activities
- Control activities defined: the policies and procedures that help ensure management directives are carried out
- Policies: establish what should be accomplished in carrying out management’s directives to address risk
- Procedures: the activities that should be followed to carry out the policies

Categories of Control Activities
- Performance reviews: used to monitor the business, often on an ongoing basis
- Information processing: controls over the use of IT to initiate, record, process and report transactions and other financial data; general and application controls
- Physical controls: over assets and access to information
- Segregation of duties: assigning different people responsibility for authorizing transactions, recording transactions and maintaining custody of assets. Collusion is a threat to segregation of duties
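The segregation-of-duties rule above (authorize, record and custody of assets held by different people) is something an auditor or a control owner can test mechanically against a role export. The following check is an added example, not code from the chapter or from any standard; the role names, the entitlement data and the "process/function" duty model are constructed assumptions. It flags roles that conflict on their own and users whose combined roles create a conflict within a single process.

```python
"""Segregation-of-duties (SoD) conflict check over a role export.

Added example; every name and all entitlement data below are constructed
for illustration, not taken from any real ERP, IdP or audit client.
"""
from collections import defaultdict
from itertools import combinations

# The three functions the chapter says should sit with different people.
# A "duty" is (process, function); a process is e.g. purchasing or payroll.
CONFLICTING = {
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"record", "custody"}),
}

# Constructed role definitions (role -> duties it grants).
ROLE_DUTIES = {
    "ap_clerk":      {("purchasing", "record")},
    "ap_supervisor": {("purchasing", "authorize")},
    "treasury_user": {("purchasing", "custody"), ("payroll", "custody")},
    "payroll_admin": {("payroll", "authorize"), ("payroll", "record")},  # conflicting on its own
    "gl_reviewer":   {("purchasing", "review")},  # review is a monitoring function, not one of the three
}

# Constructed user-to-role assignments (what an access report would list).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_supervisor", "treasury_user"},  # authorize + custody in purchasing
    "carol": {"payroll_admin"},                   # inherits a conflict from one role
    "dave":  {"ap_clerk", "gl_reviewer"},         # record + review: allowed
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of duties across all of a user's roles. Conflicts often appear
    only at this level, when two individually clean roles are combined."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def _conflicts(duties, conflicting):
    """Conflicting function pairs within a single process for a duty set."""
    by_process = defaultdict(set)
    for process, func in duties:
        by_process[process].add(func)
    found = []
    for process in sorted(by_process):
        for pair in combinations(sorted(by_process[process]), 2):
            if frozenset(pair) in conflicting:
                found.append((process, frozenset(pair)))
    return found


def toxic_roles(role_duties=ROLE_DUTIES, conflicting=CONFLICTING):
    """Roles that conflict by themselves. No assignment of these can be clean,
    so the role must be split before user-level review is meaningful."""
    return sorted(r for r, d in role_duties.items() if _conflicts(d, conflicting))


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, conflicting=CONFLICTING):
    """Map each user to the (process, {function pair}) conflicts that their
    combined roles create. Users with no conflict are omitted."""
    result = {}
    for user in sorted(user_roles):
        hits = _conflicts(effective_duties(user, user_roles, role_duties), conflicting)
        if hits:
            result[user] = hits
    return result


if __name__ == "__main__":
    print("toxic roles:", toxic_roles())
    for user, hits in sod_violations().items():
        for process, pair in hits:
            print(f"{user}: {process}: {' + '.join(sorted(pair))}")
```

Two caveats follow directly from the slide. The check sees only entitlements, so collusion (two people who each hold a clean set of duties and cooperate) is invisible to it; that is why the slide lists collusion as the threat to segregation of duties. And a flagged user is a finding, not automatically a deficiency: in a small company the same person may have to hold both functions, and the question then becomes whether a compensating control (an independent review of that person's transactions) exists and operates.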
Information and Communication
- Quality of information
  - Content appropriate: is the needed information available?
  - Information timely: is it available when required?
  - Information current: is the latest information available?
  - Information accurate: are the data correct?
  - Information accessible: can the information be obtained easily by the appropriate parties?
- Communication
  - A tool for control related to ICFR
  - A means of enabling achievement of the objectives of the business

Monitoring
- Ongoing monitoring: those things that are a part of running the business
- Separate monitoring: activities conducted for the specific purpose of monitoring
- Tradeoff: the more ongoing monitoring exists, the less separate monitoring may be needed

COSO Guidance on Monitoring Internal Control Systems
- Monitoring is a normal state of affairs in the organization.
- Monitoring is a formal part of the organization.
- Someone has responsibility for developing monitoring procedures.
- Employees execute monitoring activities and make reports as a normal part of their jobs.
- Management assesses reports and takes whatever action is needed.
Management’s Responsibility for Internal Control
- Foreign Corrupt Practices Act, 1977: requires management of public companies to maintain a system of control
- Sarbanes-Oxley Act
  - Section 302: management certification
  - Section 404: management assessment, report and audit
- Dodd-Frank Act: permanently exempts smaller public companies from the requirement of having ICFR audited; retains the management requirement to assess ICFR and report

SOX Section 302 Management Certification
- Specific officers, or those with officer functions, must sign
- Reviewed the SEC filing (annual or quarterly report)
- The SEC filing does not include anything material that is untrue
- The SEC filing does not omit anything material that makes statements untrue
- Fair financial reporting
- Management is responsible for internal control
- Controls permit people within the company to prepare the SEC reports
- Have evaluated the effectiveness of ICFR within 90 days prior and are presenting their conclusions
- Have told the auditor and audit committee about ICFR problems
- Have told the auditor and audit committee of management fraud
- Have reported any changes in internal control
- Have reported any events that occurred after the report date that may affect internal control

SOX Section 404
- The annual SEC filing must include an internal control report
- The report states management’s responsibility for internal control and for producing financial information
- The report includes management’s assessment, as of fiscal year end, of internal controls and procedures for financial reporting
- SEC Interpretive Release 2007: no requirement that management’s assessment be performed using the guidance in the Interpretive Release, but the guidance provides an acceptable way to perform the assessment of ICFR

SOX Section 404, Audits of ICFR
- ICFR must be audited for all companies except those exempted by Dodd-Frank
- The auditor must:
  - be registered with the PCAOB
  - attest to (audit) management’s report
  - follow PCAOB standards for an audit of ICFR
- Since SOX requires that the financial statement and ICFR audit be one integrated engagement, the same auditor must do both

Background to an Audit of ICFR
- Objective of an integrated audit report on ICFR and the financial statements:
  - an opinion on the fairness of the financial statements
  - an opinion on the effectiveness of ICFR
- The opinions can be in a combined report or in separate reports
- If the auditor disagrees with management’s assessment, this is added to the audit report
- The auditor must audit the financial statements to audit ICFR
- The auditor uses information and conclusions from each part of the audit in the other part of the audit
Approach to an Integrated Audit
- Identify what would make the financial statements materially misstated.
- Focus on management’s assertions in understanding the accounting system
- Identify important controls that address significant risks associated with management’s assertions
- Assess whether the controls are designed effectively so that, if operating effectively, they can prevent or detect material misstatements
- Test the operating effectiveness of controls
- Perform substantive procedures

Assertions Defined
Assertions are representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur. (ISA 315)

Management’s Assertions
- The PCAOB uses 5
- The AICPA and IAASB use 13
- Auditors have to cover the important concepts in the assertions, but otherwise can express them however they choose; it is easy to see how both sets of assertions cover the same concepts

PCAOB Assertions: AS 15, Audit Evidence
- Existence or occurrence: assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.
- Completeness: all transactions and accounts that should be presented in the financial statements are included.
- Valuation or allocation: asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.
- Rights and obligations: the company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.
- Presentation and disclosure: the components of the financial statements are properly classified, described, and disclosed.
AICPA and IAASB, 13 Assertions
- Classes of transactions and events:
  - Occurrence
  - Completeness
  - Accuracy
  - Cutoff
  - Classification
- Account balances:
  - Existence
  - Rights and obligations
  - Completeness
  - Valuation and allocation
- Presentation and disclosure:
  - Occurrence and rights and obligations
  - Completeness
  - Classification and understandability
  - Accuracy and valuation

Difference between 5 and 13
- The AICPA and IAASB use additional terms: accuracy, cutoff, classification, understandability
- Explanations to consider:
  - If an item posted is not accurate (including being posted in the wrong period or to the wrong account), it either did not occur as shown or the balance is incomplete
  - If a disclosure is not accurate, it cannot meet the requirements for the presentation and disclosure assertion
  - Proper classification is a part of the presentation and disclosure assertion
  - If an item is not understandable, it cannot be properly described under the presentation and disclosure assertion

Reminder: Use of Management Assertions
- The auditor identifies:
  - significant accounts and disclosures
  - relevant assertions for those accounts and disclosures
- The auditor considers risks that might cause the assertions to be wrong
- The auditor looks for ICFR controls in place to prevent or detect any misstatements resulting from the risks
- The auditor assesses whether controls are designed so that they can be effective if they operate properly
- The audit continues with:
  - selecting controls to test, and considering whether to rely on controls in the financial statement audit
  - deciding how controls tests should be performed
  - deciding on the substantive procedures needed
Time Periods Covered by Audit Procedures
- For an audit opinion that ICFR is effective, it must be effective at fiscal year end
- ICFR must be effective at, and for a period of time prior to, fiscal year end so that the auditor has confidence in the conclusion
- To rely on ICFR in the financial statement audit, the auditor must test ICFR for the entire period of reliance
- If ICFR was not effective throughout the entire financial period, this affects the financial statement audit procedures
- Even in an integrated audit, the auditor may choose not to rely on ICFR for an account, and consequently only test the related controls at fiscal year end

Evidence Related to ICFR
- Making inquiries of appropriate management, supervisory, and staff personnel
- Inspecting company documents
- Observing the application of specific controls
- Tracing transactions through the information system relevant to financial reporting
- Walkthroughs: a set of procedures performed together; an efficient way to understand ICFR and assess design effectiveness

Walkthroughs
- Tracing a transaction from origination until it is reflected in the company’s financial records
- Includes inquiry and observation steps
- Information from a walkthrough:
  - Who performs the control? Or, if automated, what system?
  - What is performed and why? What is the management assertion?
  - When is the activity performed, including how often?
  - What evidence is produced showing that the control occurred?
  - How are problems or exceptions investigated and resolved?

Examples of Walkthrough Inquiries
- What do you do when you find an error?
- What are you looking for to determine if there is an error?
- What kinds of errors have you found?
- What happens as a result of finding errors?
- How are errors resolved?
- Have you ever been asked to override the process or controls? If so, what happened and why did it occur?
Audit Documentation
- Audit documentation is the written record of the auditor’s work.
- Information included in documentation:
  - planning and performance of the work
  - procedures performed
  - evidence obtained
  - conclusions reached
- Professional judgment is used to decide how extensive audit documentation must be

AS 3 Documentation Requirements
- Demonstrate that the engagement complied with the standards of the PCAOB
- Support the auditor’s conclusions concerning every relevant financial statement assertion
- Nature, timing, extent and results of procedures performed; this means: what was done, when, by whom, the outcomes, the reviewer, and the date of review
- Demonstrate that the underlying accounting records agreed or reconciled with the financial statements

Characteristics that Call for More Documentation
- An audit task that is difficult to understand or interpret
- An audit task that requires a lot of judgment
- An audit task that is very important to the audit
- A management assertion that carries a lot of risk

Required Documentation of Contradicting Issues
AS 3.8: In addition to the documentation necessary to support the auditor’s final conclusions, audit documentation must include information the auditor has identified relating to significant findings or issues that is inconsistent with or contradicts the auditor’s final conclusions. The relevant records to be retained include, but are not limited to, procedures performed in response to the information, and records, documentation, consultations on, or resolutions of, differences in professional judgment among members of the engagement team or between the engagement team and others consulted.

Documentation of the Company’s ICFR
- The SEC requires management to have significant documentation to support its conclusions about ICFR
- The form of documentation varies depending on company characteristics (size, complexity, etc.)
- Management can rely on documents it uses day-to-day or develop specific ICFR documentation
- The auditor may use the company’s documentation to advance understanding of the company and the ICFR assessment

ICFR Documentation Techniques Used
- Flowcharts
- Process models
- Narrative descriptions
- Job descriptions
- Samples of transaction documents and forms, procedures manuals, organization charts
- Questionnaires and checklists

Information in Management’s ICFR Documentation
- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements
- Information about how significant transactions are initiated, authorized, recorded, processed, and reported
- Information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
- Controls over the safeguarding of assets
- The results of management’s testing and evaluation of ICFR
Entity-Level Controls
- Pervasive controls: those that exist at the organization or company level but have an impact on controls at the process, transaction, or application level
- Examples:
  - Controls related to the control environment
  - Controls over management override
  - The company’s risk assessment process
  - Centralized processing and controls
  - Controls over shared service environments
  - Controls to monitor other controls
  - Period-end financial reporting process controls
  - Policies that address significant business control and risk management practices

Three Categories of Entity-Level Controls
1. Have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented on a timely basis
2. Monitor the effectiveness of other controls; might identify breakdowns in lower-level controls, but not at a level of precision that would sufficiently address the risk of material misstatement
3. Operate at a level of precision that would adequately prevent or detect, on a timely basis, misstatements to one or more relevant assertions

Indicators of Audit Committee Function
- Oversight of external financial reporting
- Oversight of internal control over financial reporting
- Independence of audit committee members from management
- Clarity of responsibilities
- Interaction with independent and internal auditors
- Interaction with the chief financial officer and chief accounting officer
- Interaction with other key members of financial management
- Questions asked of management and the auditor
- Understanding of critical accounting policies
- Understanding of accounting estimate judgments
- Responsiveness to issues raised by the auditor (AS )

Anti-Fraud Controls
- Must be included in the design of ICFR
- Discussed previously in relation to the Fraud Triangle
- Controls that prevent, deter, and detect fraud:
  - Controls restraining misappropriation of assets
  - Risk assessment processes
  - Codes of ethics or conduct
  - Adequacy of internal audit
  - Adequacy of procedures for handling complaints and accepting confidential communications on accounting and auditing matters
- The auditor evaluates all controls specifically directed at the risk of fraud
- Inquiries of management, the audit committee and internal auditors are an important audit procedure
IT Impact on the Company and Auditor
- AS 12 identifies the need for auditors to consider manual and automated systems when understanding the company and assessing risks
- The nature and extent of IT affects the risks, and therefore the controls needed and the audit steps
- IT might affect initiation, recording, processing and reporting of financial information
- Alternatively, manual steps might affect approvals, reviews of transactions, reconciliations and follow-up of reconciling items

IT Impact on Controls Needed
- Benefits of IT to internal control:
  - Consistent application of rules and complex calculations
  - Timeliness, availability and accuracy of information
  - Facilitates additional analysis of information
  - Enhances monitoring ability
  - Reduces the risk that controls will be circumvented
  - Controls are used for applications, databases and operating systems
- Risks of IT to internal control:
  - Possibility of consistently incorrect processing
  - Possibility of processing the wrong data
  - Unauthorized access and changes to data and programs
  - Failure to change systems or programs as intended
  - Inappropriate manual intervention
  - Potential loss of data

Period-End Financial Reporting Process
- Must be considered in every ICFR audit
- Is always considered a significant process, so the auditor must consider its controls
- Procedures that are a part of the period-end financial reporting process that the auditor evaluates:
  - Entering transaction totals into the general ledger
  - Selecting and applying accounting policies
  - Initiating, authorizing, recording and processing journal entries into the general ledger
  - Recording recurring and nonrecurring adjustments to the financial statements
  - Preparing financial statements and related disclosures

Timing of Period-End ICFR Audit Procedures
- Audit tests of ICFR are performed while the process is occurring.
- The client closes its books and prepares its financial statements after fiscal year end.
- Period-end financial reporting procedures occur and are tested after fiscal year end, even though the management report and the auditor’s opinion are as of fiscal year end.
Significant Accounts and Disclosures
- The auditor must determine what amount is material to the financial statements; qualitative characteristics also affect materiality
- The auditor can then identify significant accounts and the relevant assertions for the accounts
- Relevant assertions are those that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated
- The PCAOB Risk Assessment standards (2010) state that relevance stems from inherent risk

Classes of Transactions
- One account may have different major classes of transactions, and the relevant assertions may differ for the classes
- For example, cash sales and sales on account include different relevant assertions
- Another approach to identifying and understanding major classes of transactions is grouping them:
  - Routine transactions
  - Non-routine transactions
  - Estimating transactions

Understanding Likely Sources of Misstatement
- After identifying material accounts and disclosures, any major classes of transactions and the relevant assertions, the auditor must understand likely sources of misstatement
- From AS 2.74:
  - Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported
  - Identify the points within the process at which a misstatement, including a misstatement due to fraud, could arise

Last Steps of Understanding
- After identifying likely sources of misstatement:
  - The auditor identifies controls management has implemented in the system that are intended to prevent each type of potential misstatement
  - The auditor also identifies controls specifically intended to prevent or detect unauthorized acquisition, use or disposal of assets that could cause a material financial statement misstatement
- IT is an integral part of the analysis, not a separate audit step

IT Related to Likely Sources of Misstatement
- Factors that impact the need for specialized IT knowledge include:
Appendix A: Specifics of IT General Controls
- IT general controls (ITGC): IT policies and procedures that apply throughout the entire company
- Application controls are usually programmed controls that are specific to a single process or activity
- Entity-level vs. transaction-level controls are not the same distinction as IT general controls vs. IT application controls

Big Picture: Organization of ITGC
- Internal control environment
- Software acquisition
- Hardware acquisition
- Network technology acquisition
- Program development
- Program changes
- Computer operations
- Access to programs and data
- Software and interface controls
- Contingency controls
- Human resources
- Physical facilities controls

IT Control Environment
- Policies:
  - Licensing agreements
  - Passwords
  - Use of company resources, Internet, and
  - Physical control over portable resources
  - Social engineering issues
  - Control breakdowns
  - Use of third-party providers
- Segregation of duties
- Monitoring

Acquisitions and Changes
- Software: plans, approval, company strategy, compatibility, cost effectiveness
- Hardware and network technology: authorization and approval, fit with needs, security
- Program development and changes: project initiation, analysis and design, construction, testing and quality assurance, data conversion, documentation and training
Computer Operations
- Policies and procedures, including organizational structure
- Batch processing and end-user computing
  - Batch: scheduling and planning functions
  - End user: authorized access
- Backup management; sophistication varies
- Data center controls: physical access, climate controls, lock-up, passwords
- Capacity planning and performance issue management: short- and long-term planning, expected service level
- Recovery: an appropriate plan, tested and updated as needed

Access and Interface
- Access to programs and data:
  - Password complexity and security
  - Privacy policies
  - Security in place and tested
  - Security measures monitored
- Software and interface controls:
  - Denial of service attacks
  - Intrusion detection controls
  - Cookie policies and detection

Contingency Controls
- Backup procedures
- Procedures for control breakdowns: incident detection, reaction, damage limitation, analysis, recovery, future monitoring
- Data backup procedures: full backups, incremental backups, storage media (physical or electronic), reconstruction of data
- Service interruption, disaster and recovery:
  - Backup or alternate power source
  - Redundant computer processing system
  - Identified responsible individual

Human Resources
- Hiring policies: recruiting, verifying information, testing, interviewing; should address candidate ability and integrity
- Training: cross training, job rotations, mandatory vacations, ongoing training
- Termination policies and controls:
  - Immediately revoking computer access and physical access
  - Changing passwords and codes the leaver knew
  - Sending the leaver’s files to another manager
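The termination controls above are the kind an auditor tests by reconciling the HR leaver list against the directory, and a security engineer can run the same reconciliation continuously. The following is an added example, not code from the chapter; the HR feed, the directory export, the shared-account register and every field name are constructed assumptions. It flags accounts still enabled on or after the termination date, logons after termination, accounts with no owner (which no leaver process can ever disable), and shared or service accounts whose password a leaver knew and which have not been rotated since.

```python
"""Leaver reconciliation: HR terminations against a directory account export.

Added example with constructed data; the record fields and names are
assumptions for illustration, not any real HR or directory schema.
"""
from datetime import date

# Constructed HR feed: employee id -> termination date.
TERMINATIONS = {
    "e100": date(2024, 3, 1),
    "e200": date(2024, 3, 4),
    "e300": date(2024, 2, 15),
}

# Constructed directory export, one record per account.
ACCOUNTS = [
    {"name": "jdoe",    "employee_id": "e100", "enabled": False, "last_logon": date(2024, 2, 28), "pwd_last_set": date(2024, 3, 1)},
    {"name": "rroe",    "employee_id": "e200", "enabled": True,  "last_logon": date(2024, 3, 3),  "pwd_last_set": date(2023, 12, 1)},
    {"name": "mmoe",    "employee_id": "e300", "enabled": False, "last_logon": date(2024, 2, 20), "pwd_last_set": date(2023, 11, 1)},
    {"name": "svc_bkp", "employee_id": None,   "enabled": True,  "last_logon": date(2024, 3, 5),  "pwd_last_set": date(2022, 1, 1)},
    {"name": "ahart",   "employee_id": "e400", "enabled": True,  "last_logon": date(2024, 3, 5),  "pwd_last_set": date(2024, 1, 1)},
]

# Constructed register of shared/service accounts and the employees who know
# their passwords; this is where "change passwords and codes" applies.
SHARED_KNOWERS = {"svc_bkp": {"e100", "e400"}}

# Date the reconciliation is run (constructed).
EXAMPLE_AS_OF = date(2024, 3, 6)


def leaver_findings(accounts, terminations, as_of, shared_knowers=None):
    """Return a list of (account name, finding) tuples, in export order.

    Findings:
      enabled_after_termination  account enabled on/after its owner's leave date
      logon_after_termination    a logon recorded after the leave date, even if
                                 the account is disabled now (revocation was late)
      no_owner                   account not tied to any employee, so the
                                 termination process cannot act on it
      shared_secret_not_rotated  a leaver knew this password and it has not been
                                 changed since they left
    """
    shared_knowers = shared_knowers or {}
    findings = []
    for acct in accounts:
        name, emp = acct["name"], acct["employee_id"]
        if emp is None:
            findings.append((name, "no_owner"))
        else:
            term = terminations.get(emp)
            if term is not None:
                if acct["enabled"] and as_of >= term:
                    findings.append((name, "enabled_after_termination"))
                if acct["last_logon"] > term:
                    findings.append((name, "logon_after_termination"))
        leavers = [e for e in shared_knowers.get(name, ()) if e in terminations]
        if any(acct["pwd_last_set"] < terminations[e] for e in leavers):
            findings.append((name, "shared_secret_not_rotated"))
    return findings


def run_example():
    """Run the reconciliation over the constructed data as of EXAMPLE_AS_OF."""
    return leaver_findings(ACCOUNTS, TERMINATIONS, EXAMPLE_AS_OF, SHARED_KNOWERS)


if __name__ == "__main__":
    for name, finding in run_example():
        print(f"{name}: {finding}")
```

The check is only as good as the join key: an account with no employee id is reported rather than silently skipped, because orphaned and shared accounts are exactly the ones a leaver process misses. The logon-after-termination finding matters even for accounts that are disabled today, since it shows the revocation was not immediate, which is the control the slide actually specifies.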
Physical Facilities
- Protected environment: climate control, fire suppression and evacuation
- Inconspicuous location
- Limited access
- Limited access to network administration offices
- Lock-up of critical equipment
- Physically secure portable equipment; programming to limit unauthorized access
- Store the least possible amount of data on portable equipment

Appendix B: Enterprise Risk Management
- Enterprise Risk Management (ERM) framework: September 2004, COSO
- ERM: a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives

ERM and Internal Control
- ERM addresses the environment within which controls function
- Internal control is encompassed within and is an integral part of enterprise risk management. Enterprise risk management is broader than internal control, expanding and elaborating on internal control to form a more robust conceptualization focusing more fully on risk.

Categories of ERM Objectives
- Strategic objectives
- Operations objectives
- Reporting objectives
- Compliance objectives

Components of ERM
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Appendix C: ICFR in Smaller Public Companies
- The Dodd-Frank Act (2010) removed the requirement for smaller public companies to have ICFR audited, but management must still perform the assessment and issue the report required by SOX 404
- Guidance on ICFR geared to smaller companies:
  - COSO, 2006 Guidance for Smaller Public Companies
  - COSO, 2009 Guidance on Monitoring Internal Control Systems
  - SEC Interpretive Release (Release )
  - AS 5 (replaced AS 2)
  - PCAOB Staff Views, Guidance for Auditors of Smaller Public Companies

Common Characteristics of Smaller Companies
- Fewer business lines
- Less complex business processes
- Less complex financial reporting systems
- More centralized accounting functions
- Extensive involvement by senior management
- Fewer levels of management with wide spans of control

SEC Interpretive Release
- The fundamentals required of management to assess ICFR effectiveness are not different for smaller companies:
  - Identify risks
  - Determine whether controls are in place that address the risks
  - Evaluate the operating effectiveness of the controls
- How the ICFR assessment activities are accomplished may differ

Differences in Process
- Management can judge whether all aspects of ITGC are relevant to financial reporting risks, and evaluate only those that are important
- Documentation of controls and the evidence selected can vary based on management’s judgment of importance
- Limited documentation may be created just for the assessment
- Emphasis is placed on the role of ongoing monitoring

PCAOB Guidance
- Directed toward auditors, not companies
- Includes characteristics of smaller companies that are important considerations for auditors:
  - Use of entity-level controls to achieve control objectives
  - Risk of management override
  - Implementation of segregation of duties and alternative controls
  - Use of information technology (IT)
  - Maintenance of financial reporting competencies
  - Nature and extent of documentation