Audit chapter 11


The SEC requires management to include its report on internal control in its annual

Form 10-K report filed with the SEC.

The general structure of the Framework remains unchanged, but the updated

Framework provides a principles-based approach that provides additional guidance on designing and implementing effective systems of internal control.

General controls

General controls apply to all aspects of the IT function, including IT administration; separation of IT duties; systems development; physical and online security over access to hardware, software, and related data; backup and contingency planning in the event of unexpected emergencies; and hardware controls

Hardware controls

Hardware controls are built into computer equipment by manufacturers to detect and report equipment failures. Auditors are more concerned with how the client handles errors identified by the hardware controls than with their adequacy.

Ideally, responsibilities for IT management, systems development, operations, and data control should be separated as follows:

IT management. The CIO or IT manager should be responsible for oversight of the IT function to ensure that activities are carried out consistent with the IT strategic plan. A security administrator should monitor both physical and online access to hardware, software, and data files and investigate all security breaches

Virtually all entities, including small, family-owned businesses, rely on

IT to record and process business transactions. As a result of advancements in IT, even relatively small businesses use personal computers with commercial accounting software for their accounting

Those charged with governance

Individuals responsible for overseeing the strategic direction of the entity and the accountability of the entity, including financial reporting and disclosure, by auditing standards

Input controls

Input controls are designed to ensure that the information entered into the computer is authorized, accurate, and complete.

Typical controls developed for manual systems, such as those listed below, are still important in IT systems:

Management's authorization of transactions; adequate preparation of input source documents; competent personnel

Service center

Many clients outsource some or all of their IT needs to an independent organization commonly referred to as a computer service center, including application service providers (ASPs) and cloud computing environments, rather than maintain an internal IT center.

3

Operations. Computer operators are responsible for the day-to-day operations of the computer, following the schedule established by the CIO. They also monitor computer consoles for messages about computer efficiency and malfunctions.

Output controls

Output controls focus on detecting errors after processing is completed, rather than on preventing errors.

Processing controls

Processing controls prevent and detect errors while transaction data are processed

2

Testing all software to ensure that the new software is compatible with existing hardware and software and determining whether the hardware and software can handle the needed volume of transactions. Whether software is purchased or developed internally, extensive testing of all software with realistic data is critical

Cybersecurity

The IT and internal control processes an organization has in place to protect computers, networks, programs, and data from unauthorized access are often referred to as cybersecurity

Parallel testing

The old and new systems operate simultaneously in all locations.

Information and communication

The purpose of an entity's accounting information and communication system is to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets

Digital signatures

To authenticate the validity of a trading partner conducting business electronically, companies may rely on external certification authorities, who verify the source of the public key by using digital signatures

Automated controls

When controls are done by computers, they are called automated controls.

Input controls are critical because

a large portion of errors in IT systems result from data entry errors and, of course, regardless of the quality of information processing, input errors result in output errors

Application controls fall into three categories

input, processing, and output. Although the objectives for each category are the same, the procedures for meeting the objectives vary considerably.

The five underlying principles related to the control environment include a commitment to

integrity and ethical values; having an independent board of directors that is responsible for oversight of internal controls; establishing appropriate structures and reporting lines; maintaining a commitment to attracting, developing, and retaining competent personnel; and holding individuals accountable for internal control responsibilities.

The information being assessed comes from a variety of sources, including studies of existing internal controls,

internal auditor reports, exception reporting on control activities, reports by regulators such as bank regulatory agencies, feedback from operating personnel, and complaints from customers about billing charges.

Independent checks

internal control acts designed for the continuous internal verification of other controls

The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about

internal control and its importance to the entity.

COSO's Internal Control — Integrated Framework was first developed in 1992 and has become the most widely accepted

internal control framework in the United States and the world. Since the original development of the Framework, business and operating environments have become more global, complex, and technologically driven.

Specific risks related to information technology (IT) should be considered, as these risks can lead to

substantial losses if ignored, as demonstrated in the opening vignette related to the cyberattack on Sony Pictures. If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors

Computerized encryption changes a standard message or data file into one that is coded (encrypted),

requiring the receiver of the electronic message or user of the encrypted data file to use a decryption program to decode the message or data

Risk assessment specifically related to financial reporting involves management's identification and analysis of

risks relevant to the preparation of financial statements in conformity with appropriate accounting standards

They also are unlikely to have an effect on the related disclosure objective. The auditor is likely to evaluate

separately whether management has implemented internal control for each of these two account balance objectives and the objectives related to presentation and disclosure.

Deficiencies in internal control can cause

significant losses, delay financial reporting, or result in material misstatements in financial statements

This allows the auditors and directors to discuss matters that might relate to

such things as management integrity or the appropriateness of actions taken by management.

Internal controls can never be completely effective, regardless of the care followed in their design and implementation. Even if management can design an ideal

system, its effectiveness depends on the competency and dependability of the people using it.

Stakeholders have become more engaged, seeking greater transparency and accountability for the integrity of

systems of internal control, including controls related to reporting objectives beyond financial reporting, such as corporate responsibility and sustainability

The four underlying principles related to risk assessment are

that the organization should have clear objectives in order to be able to identify and assess the risks relating to those objectives; should determine how the risks should be managed; should consider the potential for fraudulent behavior; and should monitor changes that could impact internal controls.

By understanding the client's organizational structure,

the auditor can learn the management and functional elements of the business and perceive how controls are implemented.

In addition, management must test the operating effectiveness of controls. The testing objective is to determine whether

the controls are operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Management's test results, which must also be documented, form the basis for management's assertion at the end of the fiscal year about the controls' operating effectiveness.

Section 404(b) of the Sarbanes-Oxley Act requires that the auditor report on

the effectiveness of internal control over financial reporting.

Naturally, the extent of separation of duties depends on

the organization's size and complexity

Without an effective control environment,

the other four components are unlikely to result in effective internal control, regardless of their quality. The essence of an effectively controlled organization lies in the attitude of its board of directors and senior management.

Similar to the effect that the control environment has on other components of internal control,

the six categories of general controls affect all IT functions. Auditors typically evaluate general controls early in the audit because of their impact on application controls.

PCAOB auditing standards define the extent that auditors can use

the work done by internal auditors when reporting on internal control under Section 404. Auditing standards provide guidance to help the external auditor obtain evidence that supports the competence, integrity, and objectivity of internal auditors, which allows the external auditor to rely on the internal auditor's work in a number of ways.

The use of e-commerce systems also exposes sensitive company data, programs, and hardware

to potential interception or sabotage by external parties. To limit these exposures, companies use firewalls, encryption techniques, and digital signatures.

Local area networks (LANs)

Local area networks (LANs) link equipment within a single or small cluster of buildings and are used only within a company. LANs are often used to transfer data and programs from one computer or workstation using network system software that allows all of the devices to function together.

Within each of the COSO components, the updated Framework includes a total of

17 broad principles that provide more guidance to support the respective component.

Pilot testing

A new system is implemented in one part of the organization while other locations continue to rely on the old system.

Internal control

A process designed to provide reasonable assurance regarding the achievement of management's objectives in the following categories: reliability of reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations

Section 404(a) of the Sarbanes-Oxley Act requires management of all public companies to issue an internal control report that includes the following:

A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting; an assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year

The control activities generally fall into the following five types, which are discussed next:

Adequate separation of duties; proper authorization of transactions and activities; adequate documents and records; physical control over assets and records; independent checks on performance

Controls specific to IT include the following:

Adequately designed input screens with preformatted prompts for transaction information; pull-down menu lists of available software options

Collusion

An act of two or more employees who conspire to steal assets or misstate records

Manual controls

Application controls may be done by computers or client personnel. When they are done by client personnel, they are called manual controls.

Application controls

Application controls typically operate at the business process level and apply to processing transactions, such as controls over the processing of sales or cash receipts.

Entity-level controls

Certain control elements within the five COSO control components have a pervasive effect on the entity's system of internal control and are referred to as entity-level controls in auditing standards.

Management must also identify the framework used to evaluate the effectiveness of internal control. The internal control framework used by most U.S. companies is the

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, which was originally published in 1992 and updated in 2013

enterprise resource planning (ERP) systems

Companies often integrate database management systems within the entire organization using enterprise resource planning (ERP) systems that integrate numerous aspects of an organization's activities into one accounting information system.

3

Compliance with laws and regulations. Section 404 requires management of all public companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws.

The COSO internal control components include the following:

Control environment; risk assessment; control activities; information and communication; monitoring

4

Data control. Data input/output control personnel independently verify the quality of input and the reasonableness of output. Organizations frequently use databases to store information shared by accounting and other functions, and database administrators are responsible for the operation and access security of shared databases.

2

Efficiency and effectiveness of operations. Controls within a company encourage efficient and effective use of its resources to optimize the company's goals.

Systems development includes these steps:

Purchasing software or developing in-house software that meets the organization's needs. A key to implementing the right software is to involve a team of both IT and non-IT personnel, including key users of the software and internal auditors. This combination increases the likelihood that information needs, as well as software design and implementation concerns, are properly addressed. Involving users also results in better acceptance by key users.

Management typically has three broad objectives in designing an effective internal control system:

Reliability of reporting. This objective relates to internal and external financial reporting as well as nonfinancial reporting; however, in this chapter we focus our discussion on the reliability of external financial reporting.

Separation of duties

Separation of the following acts in an organization: custody of assets from accounting, authorization from custody of assets, operational responsibility from record keeping, and IT duties from outside users of IT

2

Systems development. Systems analysts are not only responsible for the overall design of each application system; they also coordinate the development, acquisition, and changes to IT systems by the IT personnel (who are responsible for programming the application or acquiring software applications) and primary system users outside of IT (such as accounts receivable personnel). Programmers develop flowcharts for each new application, prepare computer instructions, test the programs, and document the results.

These policies and procedures are often called controls

and collectively they make up the entity's internal control.

Auditors emphasize internal control over classes of transactions rather than account balances because the

accuracy of accounting system outputs (account balances) depends heavily on the accuracy of inputs and processing (transactions)

Monitoring

activities deal with ongoing or periodic assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions.

Because general controls often apply to the entire entity and

affect many different software applications, auditors evaluate general controls for the company as a whole.

Proper documentation of the system is required for

all new and modified software

Database management systems

allow clients to create databases that include information that can be shared across multiple applications. In nondatabase systems, each application has its own data file, whereas in database management systems, many applications share files.

Backup and contingency plans should also identify

alternative hardware that can be used to process company data. Companies with small IT systems can purchase replacement computers in an emergency and reprocess their accounting records by using backup copies of software and data files. Larger companies often contract with IT data centers that specialize in providing access to offsite computers and data storage and other IT services for use in the event of an IT disaster.

The use of networks that link equipment such as desktops, midrange computers, mainframes, workstations, servers,

and printers is common for most businesses. Local area networks (LANs) link equipment within a single or small cluster of buildings and are used only within a company.

Specific authorization

applies to individual transactions. For certain transactions, management prefers to authorize each transaction.

Control activities

are the policies and procedures, in addition to those included in the other four control components, that help ensure that necessary actions are taken to address risks to the achievement of the entity's objectives.

Because of the nature of computer processing

automated controls, if properly designed, lead to consistent operation of the controls.

One of the principles in AICPA auditing standards is that the auditor "identifies and assesses risks of material misstatement, whether due to fraud or error

based on an understanding of the entity and its environment, including the entity's internal control."

Companies using e-commerce systems to transact

business electronically link their internal accounting systems to external parties' systems, such as customers and suppliers. As a result, a company's risks depend in part on how well its e-commerce partners identify and manage risks in their own IT systems.

Management designs systems of internal control to accomplish all three objectives. The auditor's focus in both the audit of financial statements and the audit of internal controls is on

controls over the reliability of financial reporting plus those controls over operations and compliance with laws and regulations that could materially affect financial reporting.

Technology can strengthen a company's system of internal control but can also provide

challenges. To address risks associated with reliance on technology, organizations often implement specific IT controls. Auditing standards describe two categories of controls for IT systems: general controls and application controls.

Management, through its activities, provides

clear signals to employees about the importance of internal control

If top management believes that control is important, others in the organization will sense this

commitment and respond by conscientiously observing the controls established. If members of the organization believe that control is not important to top management, most likely management's control objectives will not be effectively achieved.

To manage these interdependency risks,

companies must ensure that their business partners manage IT system risks before conducting business with them electronically.

Similarly, failure to meet prior objectives, quality of personnel, geographic dispersion of

company operations, significance and complexity of core business processes, introduction of new information technologies, economic downturns, and entrance of new competitors are examples of factors that may lead to increased risk. Once management identifies a risk, it estimates the significance of that risk, assesses the likelihood of the risk occurring, and develops specific actions that need to be taken to reduce the risk to an acceptable level.

The effectiveness of manual controls depends on both the

competence of the people performing the controls and the care they exercise when doing them.

As businesses grow and have increased information needs, they typically upgrade their IT systems. The accounting function's use of

complex IT networks, databases, the Internet, cloud computing, and centralized IT functions is now commonplace.

Programmers should not have access to input data or

computer operations to avoid using their knowledge of the system for personal benefit. They should be allowed to work only with test copies of programs and data so they can only make software changes after proper authorization.

The IT and internal control processes an organization has in place to protect

computers, networks, programs, and data from unauthorized access are often referred to as cybersecurity.

To authenticate the validity of a trading partner

conducting business electronically, companies may rely on external certification authorities, who verify the source of the public key by using digital signatures. A trusted certification authority issues a digital certificate to individuals and companies engaging in e-commerce.

Control environment

consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.

In addition to its role in monitoring an entity's internal

control, an adequate internal audit staff can reduce external audit costs by providing direct assistance to the external auditor.

Auditors should not, however, ignore

controls affecting internal management information, such as budgets and internal performance reports.

To express an opinion on these controls, the auditor obtains an understanding of and performs tests of

controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements.

Auditing standards require the auditor to obtain an understanding of internal control relevant to the audit on every audit engagement. Auditors are primarily concerned about

controls over the reliability of financial reporting and controls over classes of transactions.

A firewall is a system of hardware and software that monitors and

controls the flow of e-commerce communications by channeling all network connections through controls that verify external users, grant access to authorized users, deny access to unauthorized users, and direct authorized users to requested programs or data. Firewalls are becoming increasingly sophisticated as the frequency and severity of cyberattacks grow.

Physical controls over computers and restrictions to online software and related

data files decrease the risk of unauthorized changes to programs and improper use of programs and data files.

Controls often improve when data are centralized in a database management system by eliminating duplicate

data files. However, database management systems also can create internal control risks. Risks increase when multiple users, including individuals outside of accounting, can access and update data files.

Cloud computing is a computer resource

deployment and procurement model that enables an organization to obtain IT resources and applications from any location via an Internet connection. Depending on the arrangement, all or parts of an entity's IT hardware, software, and data might reside in an IT service center shared with other organizations and managed by a third-party vendor. The name cloud computing comes from the use of a cloud-shaped symbol in systems diagrams to represent complex IT infrastructures.

Outsourcing can provide challenges from an internal control perspective. Management is responsible for the

design and operating effectiveness of internal controls, and this includes controls that are outsourced to a service provider. The ethics and integrity of service providers, as well as the design and functioning of their internal controls, need to be considered by management when selecting a service provider, and evaluated regularly.

The COSO Framework describes five components of internal control that management

designs and implements to provide reasonable assurance that its control objectives will be met. Each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements.

In networks, application software and data files used to process transactions are included on several computers that are linked together. Access to the application from

desktop computers or workstations is managed by network server software or other interfaces with cloud computing technology. Even small companies can have several computer servers linked together on a network, while larger companies may have hundreds of servers in dozens of locations networked together.

The audit committee's independence from management and knowledge of financial reporting issues are important

determinants of its ability to effectively evaluate internal controls and financial statements prepared by management. The Sarbanes-Oxley Act directed the SEC to require the national stock exchanges (NYSE and NASDAQ) to strengthen audit committee requirements for public companies listing securities on the exchanges.

A company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated. Internal controls are

developed by management after considering both the costs and benefits of the controls. Reasonable assurance is a high level of assurance that allows for only a low likelihood that material misstatements will not be prevented, or detected and corrected, on a timely basis by internal control.

There are three underlying principles related to control activities:

developing control activities that mitigate risks to an acceptable level; developing general controls over technology; and establishing appropriate policies, procedures, and expectations. There are potentially many such control activities in any entity, including controls performed manually and controls built into a computer-based system (automated controls).

For many companies, especially larger ones, an internal audit department is essential for

effective monitoring of the operating performance of internal controls. To be effective, the internal audit function must be performed by staff who are independent of both the operating and accounting departments and who report directly to a high level of authority within the organization, either top management or the audit committee of the board of directors.

While management assesses risks as a part of designing and operating internal controls to minimize

errors and fraud, auditors assess risks to decide the evidence needed in the audit. If management effectively assesses and responds to risks, the auditor will typically accumulate less evidence than when management fails to identify or respond to significant risks.

Integrity and ethical values are the product of the entity's

ethical and behavioral standards, as well as how they are communicated and reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts.

In contrast, when management assigns technology issues

exclusively to lower-level employees or outside consultants, an implied message is sent that IT is not a high priority. The result is often an understaffed, underfunded, and poorly controlled IT function.

To counter the risks of unauthorized, inaccurate, and incomplete data

files, companies must implement proper database administration and access controls. With the centralization of data in a single system, they must also ensure proper backup of data on a regular basis.

Even though auditors emphasize transaction-related controls, the auditor must also

gain an understanding of controls over ending account balances and related disclosures.

Power failures, fire, excessive heat or humidity, water damage, or even sabotage can

have serious consequences to businesses using IT. To prevent data loss during power outages, many companies rely on battery backups or onsite generators.

To respond to the risk of combining traditional custody, authorization, and record-keeping responsibilities by

having the computer perform those tasks, well-controlled organizations separate key duties within IT.

Application controls are designed for each software application and are intended to

help a company satisfy the transaction-related management assertions discussed in previous chapters. Although some application controls affect one or only a few transaction-related assertions, most controls prevent or detect several types of misstatements. Other application controls concern account balance and related disclosure assertions.

Responsibilities for internal controls differ between management and the auditor. Management is responsible for establishing and maintaining the entity's

internal controls. Management is also required by Section 404 to publicly report on the operating effectiveness of those controls. In contrast, the auditor's responsibilities include understanding and testing internal control over financial reporting. Auditors of larger public companies are required by the SEC to annually issue an audit report on the operating effectiveness of those controls.

Risk assessment

involves a process for identifying and analyzing risks that may prevent the organization from achieving its objectives.

In response, the exchanges will not list any security from a company with an audit committee that

is not comprised solely of independent directors; is not solely responsible for hiring and firing the company's auditors; does not establish procedures for the receipt and treatment of complaints (e.g., "whistleblowing") regarding accounting, internal control, or auditing matters; does not have the ability to engage its own counsel and other advisors; is inadequately funded.

A public key encryption technique is often used, where one

key (the public key) is used for encoding the message and another key (the private key) is used to decode the message. The public key is distributed to all approved users of the e-commerce system. The private key is distributed only to internal users with the authority to decode the message.

The digital signature contains the holder's name and its public

key. It also contains the name of the certification authority and the certificate's expiration date and other specified information. To guarantee integrity and authenticity, each signature is digitally signed by the private key maintained by the certification authority.

Wide Area Network (WAN)

link equipment in larger geographic regions, including global operations.

General authorization

management establishes policies and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy

Management's assessment of internal control over financial reporting consists of two key aspects. First,

management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls.

In nondatabase systems, each application has its own data file, whereas in database

management systems, many applications share files. Clients implement database management systems to reduce data redundancy, improve control over data, and provide better information for decision making by integrating information throughout functions and departments

Management must evaluate whether the controls are designed and put in place to prevent or detect material

misstatements in the financial statements. Management's focus is on controls that address risks related to all relevant assertions for all significant accounts, transactions, and disclosures in the financial statements.

Management, not the auditor, must establish and maintain the entity's internal controls. This concept is consistent with the requirement that management,

not the auditor, is responsible for the preparation of financial statements in accordance with applicable accounting frameworks such as GAAP or IFRS. Two key concepts underlie management's design and implementation of internal control—reasonable assurance and inherent limitations.

2

online access controls

For more serious disasters,

organizations need detailed backup and contingency plans such as offsite storage of critical software and data files or outsourcing to firms that specialize in secure data storage.

Regardless of the quality of hardware controls,

output will be corrected only if the client has provided for handling machine errors.

For sensitive computer output, such as payroll checks, control can be improved by

requiring employees to present employee identification before they receive their checks or by requiring the use of direct deposit into the employees' preapproved bank accounts.

To assist the board in its oversight, the board creates an audit committee that is charged with

oversight responsibility for financial reporting. The audit committee is also responsible for maintaining ongoing communication with both external and internal auditors, including the approval of audit and nonaudit services done by auditors for public companies.

Many privately held companies also create an effective audit committee. For other privately held companies, governance may be provided by

owners, partners, trustees, or a committee of management, such as a finance or budget committee. Individuals responsible for overseeing the strategic direction of the entity and the accountability of the entity, including financial reporting and disclosure, are called those charged with governance by auditing standards.

The board of directors' and senior management's attitudes about IT affect the

perceived importance of IT within an organization. Their oversight, resource allocation, and involvement in key IT decisions each signal the importance of IT to the organization. In complex environments, management may establish IT steering committees to help monitor the organization's technology needs. In less complex organizations, the board may rely on regular reporting by a chief information officer (CIO) or other senior IT manager to keep management informed

The underlying principles related to monitoring include performing

periodic evaluations and communicating any identified deficiencies to the appropriate parties responsible for taking actions to remediate the deficiencies.

Certain control elements within the five COSO control components have a

pervasive effect on the entity's system of internal control and are referred to as entity-level controls in auditing standards.

Security plans should be in writing and monitored. Security controls include both physical controls and online access controls.

physical controls

Companies typically use one or a combination of the following two test approaches:

pilot testing, and parallel testing

A system of internal control consists of

policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals

LANs are often used to transfer data and

programs from one computer or workstation using network system software that allows all of the devices to function together. Wide area networks (WANs) link equipment in larger geographic regions, including global operations.

Encryption techniques

protect the security of electronic communication when information is transmitted and when it is stored

Firewall

protects data, programs, and other IT resources from unauthorized external users accessing the system through networks, such as the Internet

The most important output control is review of the data for

reasonableness by someone knowledgeable about the output. Users can often identify errors because they know the approximate correct amounts.

Smaller companies often outsource their payroll function because payroll is

reasonably standard from company to company, and many reliable providers of payroll services are available. Companies also outsource their e-commerce systems to external website service providers, including those that offer cloud computing services. Companies decide whether to outsource IT on a cost-benefit basis.

The system must also avoid duplicate

recording of sales and recording a sale if a shipment did not occur (occurrence assertion).

Auditors must evaluate application controls for every class of transactions or account in which the auditor plans to

reduce assessed control risk, because IT controls will be different across classes of transactions and accounts and related disclosures. Application controls are likely to be effective only when general controls are effective.

Auditors focus primarily on controls related to the first of management's internal control concerns:

reliability of financial reporting. Financial statements are not likely to correctly reflect GAAP or IFRS if internal controls over financial reporting are inadequate. Unlike the client, the auditor is less concerned with controls that affect the efficiency and effectiveness of company operations, because such controls may not influence the fair presentation of financial statements.

The COSO principles apply across all types of entities and to each of the internal control objectives:

reporting, operations, and compliance. All of the 17 principles must be present and functioning for internal controls to be effective.

COSO principles

represent the fundamental concepts related to each of the five components of internal control; all principles must be functioning for controls to be effective

An accounting information and communication system has several subcomponents,

typically made up of classes of transactions such as sales, sales returns, cash receipts, acquisitions, and so on.

The board of directors is essential for effective corporate governance because it has

ultimate responsibility to make sure management implements proper internal control and financial reporting processes

The underlying principles related to information and communication stress the importance of

using relevant, quality information that is communicated both internally and externally as necessary to support the proper functioning of internal controls.

Companies often integrate database management systems

within the entire organization using enterprise resource planning (ERP) systems that integrate numerous aspects of an organization's activities into one accounting information system. ERP systems share data across accounting and nonaccounting business functions of the organization

