Audit chapter 11
The SEC requires management to include its report on internal control in its annual
Form 10-K report filed with the SEC.
The general structure of the Framework remains unchanged, but the updated
Framework takes a principles-based approach that provides additional guidance on designing and implementing effective systems of internal control.
General controls
General controls apply to all aspects of the IT function, including IT administration; separation of IT duties; systems development; physical and online security over access to hardware, software, and related data; backup and contingency planning in the event of unexpected emergencies; and hardware controls
Hardware controls
Hardware controls are built into computer equipment by manufacturers to detect and report equipment failures. Auditors are more concerned with how the client handles errors identified by the hardware controls than with their adequacy.
Ideally, responsibilities for IT management, systems development, operations, and data control should be separated as follows:
IT management. The CIO or IT manager should be responsible for oversight of the IT function to ensure that activities are carried out consistent with the IT strategic plan. A security administrator should monitor both physical and online access to hardware, software, and data files and investigate all security breaches
Virtually all entities, including small, family-owned businesses, rely on
IT to record and process business transactions. As a result of advancements in IT, even relatively small businesses use personal computers with commercial accounting software for their accounting
Those charged with governance
Individuals who, as defined by auditing standards, are responsible for overseeing the strategic direction of the entity and the accountability of the entity, including financial reporting and disclosure.
Input controls
Input controls are designed to ensure that the information entered into the computer is authorized, accurate, and complete.
Typical controls developed for manual systems, such as those listed below, are still important in IT systems:
Management's authorization of transactions
Adequate preparation of input source documents
Competent personnel
Service center
Many clients outsource some or all of their IT needs to an independent organization commonly referred to as a computer service center, including application service providers (ASPs) and cloud computing environments, rather than maintain an internal IT center.
3. Operations. Computer operators are responsible for the day-to-day operations of the computer, following the schedule established by the CIO. They also monitor computer consoles for messages about computer efficiency and malfunctions.
Output controls
Output controls focus on detecting errors after processing is completed, rather than on preventing errors.
Processing controls
Processing controls prevent and detect errors while transaction data are processed
2. Testing all software to ensure that the new software is compatible with existing hardware and software and determining whether the hardware and software can handle the needed volume of transactions. Whether software is purchased or developed internally, extensive testing of all software with realistic data is critical.
Cybersecurity
The IT and internal control processes an organization has in place to protect computers, networks, programs, and data from unauthorized access is often referred to as cybersecurity
Parallel testing
The old and new systems operate simultaneously in all locations.
Information and communication
The purpose of an entity's accounting information and communication system is to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets
Digital signatures
To authenticate the validity of a trading partner conducting business electronically, companies may rely on external certification authorities, who verify the source of the public key by using digital signatures
Automated controls
When controls are done by computers, they are called automated controls.
Input controls are critical because
a large portion of errors in IT systems result from data entry errors and, of course, regardless of the quality of information processing, input errors result in output errors
Application controls fall into three categories
input, processing, and output. Although the objectives for each category are the same, the procedures for meeting the objectives vary considerably.
The five underlying principles related to the control environment include a commitment to
integrity and ethical values; having an independent board of directors that is responsible for oversight of internal controls; establishing appropriate structures and reporting lines; maintaining a commitment to attracting, developing, and retaining competent personnel; and holding individuals accountable for internal control responsibilities.
The information being assessed comes from a variety of sources, including studies of existing internal controls,
internal auditor reports, exception reporting on control activities, reports by regulators such as bank regulatory agencies, feedback from operating personnel, and complaints from customers about billing charges.
Independent checks
Internal control activities designed for the continuous internal verification of other controls.
The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about
internal control and its importance to the entity.
COSO's Internal Control — Integrated Framework was first developed in 1992 and has become the most widely accepted
internal control framework in the United States and the world. Since the original development of the Framework, business and operating environments have become more global, complex, and technologically driven.
Specific risks related to information technology (IT) should be considered, as these risks can lead to
substantial losses if ignored, as demonstrated in the opening vignette related to the cyberattack on Sony Pictures. If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors
Computerized encryption changes a standard message or data file into one that is coded (encrypted),
requiring the receiver of the electronic message or user of the encrypted data file to use a decryption program to decode the message or data
Risk assessment specifically related to financial reporting involves management's identification and analysis of
risks relevant to the preparation of financial statements in conformity with appropriate accounting standards
They also are unlikely to have an effect on the related disclosure objective. The auditor is likely to evaluate
separately whether management has implemented internal control for each of these two account balance objectives and the objectives related to presentation and disclosure.
Deficiencies in internal control can cause
significant losses, delay financial reporting, or result in material misstatements in financial statements
This allows the auditors and directors to discuss matters that might relate to
such things as management integrity or the appropriateness of actions taken by management.
Internal controls can never be completely effective, regardless of the care followed in their design and implementation. Even if management can design an ideal
system, its effectiveness depends on the competency and dependability of the people using it.
Stakeholders have become more engaged, seeking greater transparency and accountability for the integrity of
systems of internal control, including controls related to reporting objectives beyond financial reporting, such as corporate responsibility and sustainability
The four underlying principles related to risk assessment are
that the organization should have clear objectives in order to be able to identify and assess the risks relating to those objectives; should determine how the risks should be managed; should consider the potential for fraudulent behavior; and should monitor changes that could impact internal controls.
By understanding the client's organizational structure,
the auditor can learn the management and functional elements of the business and perceive how controls are implemented.
In addition, management must test the operating effectiveness of controls. The testing objective is to determine whether
the controls are operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Management's test results, which must also be documented, form the basis for management's assertion at the end of the fiscal year about the controls' operating effectiveness.
Section 404(b) of the Sarbanes-Oxley Act requires that the auditor report on
the effectiveness of internal control over financial reporting.
Naturally, the extent of separation of duties depends on
the organization's size and complexity
Without an effective control environment,
the other four components are unlikely to result in effective internal control, regardless of their quality. The essence of an effectively controlled organization lies in the attitude of its board of directors and senior management.
Similar to the effect that the control environment has on other components of internal control,
the six categories of general controls affect all IT functions. Auditors typically evaluate general controls early in the audit because of their impact on application controls.
PCAOB auditing standards define the extent that auditors can use
the work done by internal auditors when reporting on internal control under Section 404. Auditing standards provide guidance to help the external auditor obtain evidence that supports the competence, integrity, and objectivity of internal auditors, which allows the external auditor to rely on the internal auditor's work in a number of ways.
The use of e-commerce systems also exposes sensitive company data, programs, and hardware
to potential interception or sabotage by external parties. To limit these exposures, companies use firewalls, encryption techniques, and digital signatures.
Local area networks (LANs)
Local area networks (LANs) link equipment within a single or small cluster of buildings and are used only within a company. LANs are often used to transfer data and programs from one computer or workstation to another using network system software that allows all of the devices to function together.
Within each of the COSO components, the updated Framework includes a total of
17 broad principles that provide more guidance to support the respective component.
Pilot testing
A new system is implemented in one part of the organization while other locations continue to rely on the old system.
Internal control
A process designed to provide reasonable assurance regarding the achievement of management's objectives in the following categories: reliability of reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations
Section 404(a) of the Sarbanes-Oxley Act requires management of all public companies to issue an internal control report that includes the following:
A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting
An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year
The control activities generally fall into the following five types, which are discussed next:
Adequate separation of duties
Proper authorization of transactions and activities
Adequate documents and records
Physical control over assets and records
Independent checks on performance
Controls specific to IT include the following:
Adequately designed input screens with preformatted prompts for transaction information
Pull-down menu lists of available software options
Collusion
An act of two or more employees who conspire to steal assets or misstate records
Manual controls
Application controls may be done by computers or client personnel. When they are done by client personnel, they are called manual controls.
Application controls
Application controls typically operate at the business process level and apply to processing transactions, such as controls over the processing of sales or cash receipts.
Entity-level controls
Certain control elements within the five COSO control components have a pervasive effect on the entity's system of internal control and are referred to as entity-level controls in auditing standards.
Management must also identify the framework used to evaluate the effectiveness of internal control. The internal control framework used by most U.S. companies is the
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, which was originally published in 1992 and updated in 2013
Enterprise resource planning (ERP) systems
Companies often integrate database management systems within the entire organization using enterprise resource planning (ERP) systems that integrate numerous aspects of an organization's activities into one accounting information system.
3. Compliance with laws and regulations. Section 404 requires management of all public companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws.
The COSO internal control components include the following:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
4. Data control. Data input/output control personnel independently verify the quality of input and the reasonableness of output. Organizations frequently use databases to store information shared by accounting and other functions, and database administrators are responsible for the operation and access security of shared databases.
2. Efficiency and effectiveness of operations. Controls within a company encourage efficient and effective use of its resources to optimize the company's goals.
Systems development includes these steps:
Purchasing software or developing in-house software that meets the organization's needs. A key to implementing the right software is to involve a team of both IT and non-IT personnel, including key users of the software and internal auditors. This combination increases the likelihood that information needs, as well as software design and implementation concerns, are properly addressed. Involving users also results in better acceptance by key users.
Management typically has three broad objectives in designing an effective internal control system:
Reliability of reporting. This objective relates to internal and external financial reporting as well as nonfinancial reporting; however, in this chapter we focus our discussion on the reliability of external financial reporting.
Separation of duties
Separation of the following acts in an organization: custody of assets from accounting, authorization from custody of assets, operational responsibility from record keeping, and IT duties from outside users of IT
2. Systems development. Systems analysts are not only responsible for the overall design of each application system; they also coordinate the development, acquisition, and changes to IT systems by the IT personnel (who are responsible for programming the application or acquiring software applications) and primary system users outside of IT (such as accounts receivable personnel). Programmers develop flowcharts for each new application, prepare computer instructions, test the programs, and document the results.
These policies and procedures are often called controls
and collectively they make up the entity's internal control.
Auditors emphasize internal control over classes of transactions rather than account balances because the
accuracy of accounting system outputs (account balances) depends heavily on the accuracy of inputs and processing (transactions)
Monitoring
activities deal with ongoing or periodic assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions.
Because general controls often apply to the entire entity and
affect many different software applications, auditors evaluate general controls for the company as a whole.
Proper documentation of the system is required for
all new and modified software
Database management systems
allow clients to create databases that include information that can be shared across multiple applications. In nondatabase systems, each application has its own data file, whereas in database management systems, many applications share files.
Backup and contingency plans should also identify
alternative hardware that can be used to process company data. Companies with small IT systems can purchase replacement computers in an emergency and reprocess their accounting records by using backup copies of software and data files. Larger companies often contract with IT data centers that specialize in providing access to offsite computers and data storage and other IT services for use in the event of an IT disaster.
The use of networks that link equipment such as desktops, midrange computers, mainframes, workstations, servers,
and printers is common for most businesses. Local area networks (LANs) link equipment within a single or small cluster of buildings and are used only within a company.
Specific authorization
applies to individual transactions. For certain transactions, management prefers to authorize each transaction.
Control activities
are the policies and procedures, in addition to those included in the other four control components, that help ensure that necessary actions are taken to address risks to the achievement of the entity's objectives.
Because of the nature of computer processing
automated controls, if properly designed, lead to consistent operation of the controls.
One of the principles in AICPA auditing standards is that the auditor "identifies and assesses risks of material misstatement, whether due to fraud or error,
based on an understanding of the entity and its environment, including the entity's internal control."
Companies using e-commerce systems to transact
business electronically link their internal accounting systems to external parties' systems, such as customers and suppliers. As a result, a company's risks depend in part on how well its e-commerce partners identify and manage risks in their own IT systems.
Management designs systems of internal control to accomplish all three objectives. The auditor's focus in both the audit of financial statements and the audit of internal controls is on
controls over the reliability of financial reporting plus those controls over operations and compliance with laws and regulations that could materially affect financial reporting.
Technology can strengthen a company's system of internal control but can also provide
challenges. To address risks associated with reliance on technology, organizations often implement specific IT controls. Auditing standards describe two categories of controls for IT systems: general controls and application controls.
Management, through its activities, provides
clear signals to employees about the importance of internal control
If top management believes that control is important, others in the organization will sense this
commitment and respond by conscientiously observing the controls established. If members of the organization believe that control is not important to top management, most likely management's control objectives will not be effectively achieved.
To manage these interdependency risks,
companies must ensure that their business partners manage IT system risks before conducting business with them electronically.
Similarly, failure to meet prior objectives, quality of personnel, geographic dispersion of
company operations, significance and complexity of core business processes, introduction of new information technologies, economic downturns, and entrance of new competitors are examples of factors that may lead to increased risk. Once management identifies a risk, it estimates the significance of that risk, assesses the likelihood of the risk occurring, and develops specific actions that need to be taken to reduce the risk to an acceptable level.
The effectiveness of manual controls depends on both the
competence of the people performing the controls and the care they exercise when doing them.
As businesses grow and have increased information needs, they typically upgrade their IT systems. The accounting function's use of
complex IT networks, databases, the Internet, cloud computing, and centralized IT functions is now commonplace.
Programmers should not have access to input data or
computer operations to avoid using their knowledge of the system for personal benefit. They should be allowed to work only with test copies of programs and data so they can only make software changes after proper authorization.
To authenticate the validity of a trading partner
conducting business electronically, companies may rely on external certification authorities, who verify the source of the public key by using digital signatures. A trusted certification authority issues a digital certificate to individuals and companies engaging in e-commerce.
In addition to its role in monitoring an entity's internal
control, an adequate internal audit staff can reduce external audit costs by providing direct assistance to the external auditor.
Auditors should not, however, ignore
controls affecting internal management information, such as budgets and internal performance reports.
To express an opinion on these controls, the auditor obtains an understanding of and performs tests of
controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements.
Auditing standards require the auditor to obtain an understanding of internal control relevant to the audit on every audit engagement. Auditors are primarily concerned about
controls over the reliability of financial reporting and controls over classes of transactions.
A firewall is a system of hardware and software that monitors and
controls the flow of e-commerce communications by channeling all network connections through controls that verify external users, grant access to authorized users, deny access to unauthorized users, and direct authorized users to requested programs or data. Firewalls are becoming increasingly sophisticated as the frequency and severity of cyberattacks grow.
Physical controls over computers and restrictions to online software and related
data files decrease the risk of unauthorized changes to programs and improper use of programs and data files.
Controls often improve when data are centralized in a database management system by eliminating duplicate
data files. However, database management systems also can create internal control risks. Risks increase when multiple users, including individuals outside of accounting, can access and update data files.
Cloud computing is a computer resource
deployment and procurement model that enables an organization to obtain IT resources and applications from any location via an Internet connection. Depending on the arrangement, all or parts of an entity's IT hardware, software, and data might reside in an IT service center shared with other organizations and managed by a third-party vendor. The name cloud computing comes from the use of a cloud-shaped symbol in systems diagrams to represent complex IT infrastructures.
Outsourcing can provide challenges from an internal control perspective. Management is responsible for the
design and operating effectiveness of internal controls, and this includes controls that are outsourced to a service provider. The ethics and integrity of service providers, as well as the design and functioning of their internal controls, need to be considered by management when selecting a service provider, and evaluated regularly.
The COSO Framework describes five components of internal control that management
designs and implements to provide reasonable assurance that its control objectives will be met. Each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements.
In networks, application software and data files used to process transactions are included on several computers that are linked together. Access to the application from
desktop computers or workstations is managed by network server software or other interfaces with cloud computing technology. Even small companies can have several computer servers linked together on a network, while larger companies may have hundreds of servers in dozens of locations networked together.
The audit committee's independence from management and knowledge of financial reporting issues are important
determinants of its ability to effectively evaluate internal controls and financial statements prepared by management. The Sarbanes-Oxley Act directed the SEC to require the national stock exchanges (NYSE and NASDAQ) to strengthen audit committee requirements for public companies listing securities on the exchanges.
A company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated. Internal controls are
developed by management after considering both the costs and benefits of the controls. Reasonable assurance is a high level of assurance that allows for only a low likelihood that material misstatements will not be prevented, or detected and corrected, on a timely basis by internal control.
There are three underlying principles related to control activities:
developing control activities that mitigate risks to an acceptable level; developing general controls over technology; and establishing appropriate policies, procedures, and expectations. There are potentially many such control activities in any entity, including controls performed manually and controls built into a computer-based system (automated controls).
For many companies, especially larger ones, an internal audit department is essential for
effective monitoring of the operating performance of internal controls. To be effective, the internal audit function must be performed by staff who are independent of both the operating and accounting departments and who report directly to a high level of authority within the organization, either top management or the audit committee of the board of directors.
While management assesses risks as a part of designing and operating internal controls to minimize
errors and fraud, auditors assess risks to decide the evidence needed in the audit. If management effectively assesses and responds to risks, the auditor will typically accumulate less evidence than when management fails to identify or respond to significant risks.
Integrity and ethical values are the product of the entity's
ethical and behavioral standards, as well as how they are communicated and reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts.
In contrast, when management assigns technology issues
exclusively to lower-level employees or outside consultants, an implied message is sent that IT is not a high priority. The result is often an understaffed, underfunded, and poorly controlled IT function.
To counter the risks of unauthorized, inaccurate, and incomplete data
files, companies must implement proper database administration and access controls. With the centralization of data in a single system, they must also ensure proper backup of data on a regular basis.
Even though auditors emphasize transaction-related controls, the auditor must also
gain an understanding of controls over ending account balances and related disclosures.
Power failures, fire, excessive heat or humidity, water damage, or even sabotage can
have serious consequences to businesses using IT. To prevent data loss during power outages, many companies rely on battery backups or onsite generators.
To respond to the risk of combining traditional custody, authorization, and record-keeping responsibilities by
having the computer perform those tasks, well-controlled organizations separate key duties within IT.
Application controls are designed for each software application and are intended to
help a company satisfy the transaction-related management assertions discussed in previous chapters. Although some application controls affect one or only a few transaction-related assertions, most controls prevent or detect several types of misstatements. Other application controls concern account balance and related disclosure assertions.
Responsibilities for internal controls differ between management and the auditor. Management is responsible for establishing and maintaining the entity's
internal controls. Management is also required by Section 404 to publicly report on the operating effectiveness of those controls. In contrast, the auditor's responsibilities include understanding and testing internal control over financial reporting. Auditors of larger public companies are required by the SEC to annually issue an audit report on the operating effectiveness of those controls.
Risk assessment
involves a process for identifying and analyzing risks that may prevent the organization from achieving its objectives.
In response, the exchanges will not list any security from a company with an audit committee that
is not comprised solely of independent directors;
is not solely responsible for hiring and firing the company's auditors;
does not establish procedures for the receipt and treatment of complaints (e.g., "whistleblowing") regarding accounting, internal control, or auditing matters;
does not have the ability to engage its own counsel and other advisors; or
is inadequately funded.
A public key encryption technique is often used, where one
key (the public key) is used for encoding the message and another key (the private key) is used to decode the message. The public key is distributed to all approved users of the e-commerce system. The private key is distributed only to internal users with the authority to decode the message.
The digital signature contains the holder's name and its public
key. It also contains the name of the certification authority and the certificate's expiration date and other specified information. To guarantee integrity and authenticity, each signature is digitally signed by the private key maintained by the certification authority.
Wide area networks (WANs)
link equipment in larger geographic regions, including global operations.
General authorization
management establishes policies and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy
Management's assessment of internal control over financial reporting consists of two key aspects. First,
management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls.
In nondatabase systems, each application has its own data file, whereas in database
management systems, many applications share files. Clients implement database management systems to reduce data redundancy, improve control over data, and provide better information for decision making by integrating information throughout functions and departments
Management must evaluate whether the controls are designed and put in place to prevent or detect material
misstatements in the financial statements. Management's focus is on controls that address risks related to all relevant assertions for all significant accounts, transactions, and disclosures in the financial statements.
Management, not the auditor, must establish and maintain the entity's internal controls. This concept is consistent with the requirement that management,
not the auditor, is responsible for the preparation of financial statements in accordance with applicable accounting frameworks such as GAAP or IFRS. Two key concepts underlie management's design and implementation of internal control—reasonable assurance and inherent limitations.
online access controls
For more serious disasters,
organizations need detailed backup and contingency plans such as offsite storage of critical software and data files or outsourcing to firms that specialize in secure data storage.
Regardless of the quality of hardware controls,
output will be corrected only if the client has provided for handling machine errors.
For sensitive computer output, such as payroll checks, control can be improved by
requiring employees to present employee identification before they receive their checks or by requiring the use of direct deposit into the employees' preapproved bank accounts.
To assist the board in its oversight, the board creates an audit committee that is charged with
oversight responsibility for financial reporting. The audit committee is also responsible for maintaining ongoing communication with both external and internal auditors, including the approval of audit and nonaudit services done by auditors for public companies.
Many privately held companies also create an effective audit committee. For other privately held companies, governance may be provided by
owners, partners, trustees, or a committee of management, such as a finance or budget committee. Individuals responsible for overseeing the strategic direction of the entity and the accountability of the entity, including financial reporting and disclosure, are called those charged with governance by auditing standards.
The board of directors' and senior management's attitudes about IT affect the
perceived importance of IT within an organization. Their oversight, resource allocation, and involvement in key IT decisions each signal the importance of IT to the organization. In complex environments, management may establish IT steering committees to help monitor the organization's technology needs. In less complex organizations, the board may rely on regular reporting by a chief information officer (CIO) or other senior IT manager to keep management informed
The underlying principles related to monitoring include performing
periodic evaluations and communicating any identified deficiencies to the appropriate parties responsible for taking actions to remediate the deficiencies.
Certain control elements within the five COSO control components have a
pervasive effect on the entity's system of internal control and are referred to as entity-level controls in auditing standards.
Security plans should be in writing and monitored. Security controls include both physical controls and online access controls.
physical controls
Companies typically use one or a combination of the following two test approaches:
pilot testing, and parallel testing
A system of internal control consists of
policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals
LANs are often used to transfer data and
programs from one computer or workstation using network system software that allows all of the devices to function together. Wide area networks (WANs) link equipment in larger geographic regions, including global operations.
Encryption techniques
protect the security of electronic communication when information is transmitted and when it is stored
Firewall
protects data, programs, and other IT resources from unauthorized external users accessing the system through networks, such as the Internet
The most important output control is review of the data for
reasonableness by someone knowledgeable about the output. Users can often identify errors because they know the approximate correct amounts.
Smaller companies often outsource their payroll function because payroll is
reasonably standard from company to company, and many reliable providers of payroll services are available. Companies also outsource their e-commerce systems to external website service providers, including those that offer cloud computing services. Companies decide whether to outsource IT on a cost-benefit basis.
The system must also avoid duplicate
recording of sales and recording a sale if a shipment did not occur (occurrence assertion).
Auditors must evaluate application controls for every class of transactions or account in which the auditor plans to
reduce assessed control risk, because IT controls will be different across classes of transactions and accounts and related disclosures. Application controls are likely to be effective only when general controls are effective.
Auditors focus primarily on controls related to the first of management's internal control concerns:
reliability of financial reporting. Financial statements are not likely to correctly reflect GAAP or IFRS if internal controls over financial reporting are inadequate. Unlike the client, the auditor is less concerned with controls that affect the efficiency and effectiveness of company operations, because such controls may not influence the fair presentation of financial statements.
The COSO principles apply across all types of entities and to each of the internal control objectives:
reporting, operations, and compliance. All of the 17 principles must be present and functioning for internal controls to be effective.
COSO principles
represent the fundamental concepts related to each of the five components of internal control; all principles must be functioning for controls to be effective
An accounting information and communication system has several subcomponents,
typically made up of classes of transactions such as sales, sales returns, cash receipts, acquisitions, and so on.
The board of directors is essential for effective corporate governance because it has
ultimate responsibility to make sure management implements proper internal control and financial reporting processes
The underlying principles related to information and communication stress the importance of
using relevant, quality information that is communicated both internally and externally as necessary to support the proper functioning of internal controls.
Companies often integrate database management systems
within the entire organization using enterprise resource planning (ERP) systems that integrate numerous aspects of an organization's activities into one accounting information system. ERP systems share data across accounting and nonaccounting business functions of the organization