Chapter 11
One of the principles in the preface to the clarified AICPA auditing standards is that the auditor
"identifies and assesses risks of material misstatement (mm), whether due to fraud or error, based on an understanding of the entity and its environment, including the entity's internal control." Auditing standards require the auditor to obtain an understanding of IC relevant to the audit on every audit engagement. Auditors are primarily concerned about controls over the reliability of financial reporting and controls over classes of transactions.
Two categories of controls for IT systems:
- General controls apply to all aspects of the IT function, including IT administration, separation of IT duties, systems development, physical and online security over access to hardware, software, and related data, backup and contingency planning in the event of unexpected emergencies, and hardware controls. They often apply on an entity-wide basis and affect many different software applications, so auditors evaluate general controls for the company as a whole.
- Application controls typically operate at the business process level and apply to processing transactions, such as controls over the processing of sales or cash receipts. Auditors must evaluate application controls for every class of transactions or account in which the auditor plans to reduce assessed control risk, because IT controls will be different across classes of transactions and accounts. Application controls are likely to be effective only when general controls are effective.
To understand and assess the control environment, auditors should consider these important control subcomponents:
- Integrity and ethical values: the product of the entity's ethical and behavioral standards, as well as how they are communicated and reinforced in practice. They include mgmt's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts, and the communication of entity values and behavioral standards to personnel through policy statements, codes of conduct, and by example. Mgmt, through its activities, provides clear signals to employees about the importance of IC; understanding aspects of mgmt's philosophy and operating style gives the auditor a sense of mgmt's attitude about IC.
- Board of directors or audit committee participation: the BOD is essential for effective corporate governance because it has ultimate responsibility to make sure mgmt implements proper IC and financial reporting processes. An effective BOD is independent of mgmt, and its members stay involved in and scrutinize mgmt's activities. Although the board delegates responsibility for IC to mgmt, the board must exercise oversight of the design and performance of controls. In addition, an active and objective board can reduce the likelihood that mgmt overrides existing controls. To assist the board in its oversight, the board creates an audit committee that is charged with oversight responsibility for financial reporting. The audit committee is also responsible for maintaining ongoing communication with both external and internal auditors, including the approval of audit and nonaudit services done by auditors for public companies. This communication allows auditors and directors to discuss matters that might relate to such things as mgmt integrity or the appropriateness of actions taken by mgmt. The audit committee's independence from mgmt and knowledge of financial reporting issues are important determinants of its ability to effectively evaluate IC and F/S prepared by mgmt. SOX directed the SEC to require the national stock exchanges (NYSE and NASDAQ) to strengthen audit committee requirements for public companies listing securities on the exchanges. The exchanges will not list any security from a company with an audit committee that:
  1. is not comprised solely of independent directors
  2. is not solely responsible for hiring and firing the company's auditors
  3. does not establish procedures for the receipt and treatment of complaints (e.g., "whistleblowing") regarding accounting, internal control, or auditing matters
  4. does not have the ability to engage its own counsel and other advisors
  5. is inadequately funded
  Similar provisions exist outside the U.S., such as the European Commission's 8th Directive, which requires each public-interest entity to have an audit committee with at least one member who is independent and who has competence in accounting or auditing. PCAOB auditing standards require the auditor to evaluate the effectiveness of the audit committee's oversight of the company's external financial reporting and IC over financial reporting. Many privately held companies also create an effective audit committee. For other privately held companies, governance may be provided by owners, partners, trustees, or a committee of mgmt, such as a finance or budget committee. Individuals responsible for overseeing the strategic direction of the entity and the accountability of the entity, including financial reporting and disclosure, are called "those charged with governance" by auditing standards.
- Organizational structure: the entity's organizational structure defines the existing lines of responsibility and authority. It can consist of the entity level, divisions, operating units, and functions within those units, and controls operate at each of those levels. By understanding the client's organizational structure, the auditor can learn the mgmt and functional elements of the business and perceive how controls are implemented.
- Commitment to competence: competence is the knowledge and skills necessary to accomplish tasks that define an individual's job. Commitment to competence includes mgmt's consideration of the competence levels for specific jobs and how those levels translate into requisite skills and knowledge. If employees are competent and trustworthy, other controls can be absent and reliable F/S will still result; incompetent or dishonest people can reduce the system to a shambles even if there are numerous controls in place. Honest, efficient people are able to perform at a high level even when there are few other controls to support them. However, even competent and trustworthy people have shortcomings (they become bored or dissatisfied, personal problems can disrupt their performance, or their goals may change). Because of the importance of competent, trustworthy personnel in providing effective control, the methods by which persons are hired, evaluated, trained, promoted, and compensated are an important part of IC.
- Accountability: mgmt and the BOD are responsible for communicating expectations and holding individuals accountable for IC duties. The effectiveness of this process depends on the other subcomponents discussed above.
Mgmt typically has 3 broad objectives in designing an effective IC system:
1. Reliability of reporting: relates to internal and external financial reporting as well as nonfinancial reporting. The focus is on reliability of external financial reporting. Mgmt is responsible for preparing F/S for investors, creditors, and other users, and has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with the reporting requirements of accounting frameworks such as U.S. GAAP and IFRS. The objective of effective IC over financial reporting is to fulfill these financial reporting responsibilities.
2. Efficiency and effectiveness of operations: controls within a company encourage efficient and effective use of its resources to optimize the company's goals. An important objective of these controls is accurate financial and nonfinancial information about the company's operations for decision making.
3. Compliance with laws and regulations: Section 404 requires mgmt of all public companies to issue a report about the operating effectiveness of IC over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and anti-fraud legal provisions.
Mgmt's assessment of IC over financial reporting consists of two key aspects:
1. Mgmt must evaluate the design of IC over financial reporting.
2. Mgmt must test the operating effectiveness of those controls.
Similar to the effect that the control environment has on other components of IC, the 6 categories of general controls have an entity-wide effect on all IT functions.
Auditors typically evaluate general controls early in the audit because of their impact on application controls.
General controls:
- Administration of the IT function
- Separation of IT duties
- Systems development
- Physical and online security
- Backup and contingency planning
- Hardware controls
Segregation of IT duties:
- Chief Information Officer or IT manager
- Security administrator
- Systems development (systems analysts, programmers)
- Operations (computer operators, librarian, network administrator)
- Data control (data input/output control, database administrator)
Certain principles dictate the proper design and use of documents and records.
Documents and records should be:
- prenumbered consecutively, to facilitate control over missing documents and records and as an aid in locating them when they are needed at a later date; prenumbered documents and records are important for completeness assertions
- prepared at the time a transaction takes place or as soon as possible thereafter, to minimize timing errors
- designed for multiple use, when possible, to minimize the number of different forms
- constructed in a manner that encourages correct preparation, which can be done by providing internal checks within the form or record, such as computer screen prompts
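Prenumbering only supports the completeness assertion if someone actually accounts for the sequence. The Go program below is an added example (not part of the original notes) of that check: given the range of numbers issued for the period and the numbers found in the journal, it reports numbers that never reached the journal, numbers recorded twice, and numbers that were never issued. The invoice numbers are a constructed sample.

```go
package main

import "fmt"

// SequenceReport is what a reviewer follows up on after accounting for a
// range of prenumbered documents (invoices, checks, receiving reports).
type SequenceReport struct {
	Missing    []int // issued numbers that never reached the journal
	Duplicates []int // numbers recorded more than once
	OutOfRange []int // recorded numbers that were never issued
}

// CheckSequence accounts for every number in the issued range first..last
// (inclusive) against the numbers actually recorded.
func CheckSequence(first, last int, recorded []int) SequenceReport {
	var rep SequenceReport
	seen := make(map[int]int, len(recorded))
	for _, n := range recorded {
		if n < first || n > last {
			rep.OutOfRange = append(rep.OutOfRange, n)
			continue
		}
		seen[n]++
	}
	for n := first; n <= last; n++ {
		switch c := seen[n]; {
		case c == 0:
			rep.Missing = append(rep.Missing, n)
		case c > 1:
			rep.Duplicates = append(rep.Duplicates, n)
		}
	}
	return rep
}

// Complete reports whether the sequence needs no follow-up at all.
func (r SequenceReport) Complete() bool {
	return len(r.Missing) == 0 && len(r.Duplicates) == 0 && len(r.OutOfRange) == 0
}

func main() {
	// Constructed sample: sales invoices 1001-1010 were issued for the
	// period; these are the numbers found in the sales journal.
	journal := []int{1001, 1002, 1003, 1003, 1005, 1006, 1008, 1009, 1010, 1012}
	rep := CheckSequence(1001, 1010, journal)
	fmt.Printf("missing %v, duplicates %v, never issued %v\n",
		rep.Missing, rep.Duplicates, rep.OutOfRange)
}
```

A missing number may be a voided document or an unrecorded sale; a duplicate may be a double posting; a number outside the issued range points at a document that did not come from the controlled stock. Each needs an explanation, not just a count.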
Virtually all entities, including small family-owned businesses, rely on
IT to record and process business transactions. As a result of advancements in IT, even relatively small businesses use personal computers with commercial accounting software for their accounting. As businesses grow and have increasing information needs, they typically upgrade their IT systems. The accounting function's use of complex IT networks, databases, the Internet (cloud computing), and a centralized IT function is now commonplace. The types of IC will vary based on the type and complexity of the IT system.
Application controls fall into 3 categories:
- Input controls
- Processing controls
- Output controls
The use of networks that link equipment such as desktops, midrange computers, mainframes, workstations, servers, and printers is common for most businesses.
Local area networks (LANs) link equipment within a single building or a small cluster of buildings and are used only within a company; they are often used to transfer data and programs from one computer or workstation to another using network system software that allows all of the devices to function together. Wide area networks (WANs) link equipment in larger geographic regions, including global operations.
4 general guidelines for adequate separation of duties to prevent both fraud and errors are especially significant for auditors:
- Separation of the custody of assets from accounting: to protect a company from embezzlement, a person who has temporary or permanent custody of an asset should not account for that asset. Allowing one person to perform both functions increases the risk of that person disposing of the asset for personal gain and adjusting the records to cover up the theft.
- Separation of the authorization of transactions from the custody of related assets: it is desirable to prevent persons who authorize transactions from having control over the related asset, to reduce the likelihood of embezzlement.
- Separation of operational responsibility from record-keeping responsibility: to ensure unbiased information, record keeping is typically the responsibility of a separate department reporting to the controller.
- Separation of IT duties from user departments: as the level of complexity of IT systems increases, the separation of authorization, record keeping, and custody often becomes blurred. To compensate for this potential overlap of duties, it is important for companies to separate major IT functions from key user department functions.
There are potentially many such control activities in any entity, including controls performed manually and controls built into a computer-based system (automated controls).
The control activities generally fall into these 5 types:
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
Risk assessment involves
a process for identifying and analyzing risks that may prevent the organization from achieving its objectives. The 4 underlying principles related to risk assessment are that the organization should have clear objectives in order to be able to identify and assess the risks relating to those objectives; should determine how the risks should be managed; should consider the potential for fraudulent behavior; and should monitor changes that could impact IC. Specific risks related to information technology (IT) should be considered, as these risks can lead to substantial losses if ignored: if IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors.
Section 404 of SOX requires mgmt of all public companies to issue an IC report that includes the following:
- a statement that mgmt is responsible for establishing and maintaining an adequate IC structure and procedures for financial reporting
- an assessment of the effectiveness of the IC structure and procedures for financial reporting as of the end of the company's fiscal year
Mgmt must also identify the framework used to evaluate the effectiveness of IC. The IC framework used by most U.S. companies is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework, which was originally published in 1992 and updated in 2013. Other IC frameworks exist around the world, such as the Financial Reporting Council of the UK's Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, and Canada's Guidance on Assessing Control (known as "CoCo").
The COSO principles apply
across all types of entities and to each of the IC objectives: reporting, operations, and compliance. All of the 17 principles must be present and functioning for IC to be effective.
To maintain adequate internal control,
assets and records must be protected. If assets are left unprotected, they can be stolen. If records are not adequately protected, they can be stolen, damaged, altered, or lost, which can seriously disrupt the accounting process and business operations. When a company is highly computerized, its computer equipment, programs, and data files represent the records of the company and must be protected, given that they could be costly or even impossible to reconstruct. The most important type of protective measure for safeguarding assets and records is the use of physical precautions. When the storeroom is under the control of a competent employee, there is further assurance that theft is minimized. Fireproof safes and safety deposit vaults for the protection of assets such as currency and securities are other important physical safeguards, in addition to off-site backup of computer software and data files.
General controls provide
assurance that all application controls are effective (cash receipts application controls, payroll application controls, sales application controls, and other cycle application controls) and reduce the types of risks identified:
- risk of unauthorized change to application software
- risk of system crash
- risk of unauthorized master file update
- risk of unauthorized processing
A company should develop IC that provide reasonable, but not absolute,
assurance that the F/S are fairly stated. IC are developed by mgmt after considering both the costs and benefits of the controls. Reasonable assurance is a high level of assurance that allows for only a low likelihood that material misstatements will not be prevented or detected on a timely basis by IC.
The auditor's focus in both the
audit of F/S and the audit of IC is on controls over the reliability of financial reporting, plus those controls over operations and compliance with laws and regulations that could materially affect financial reporting.
Hardware controls are
built into computer equipment by manufacturers to detect and report equipment failures. Auditors are more concerned with how the client handles errors identified by the hardware controls than with their adequacy: regardless of the quality of hardware controls, output will be corrected only if the client has provided for handling machine errors.
To respond to the risk of combining traditional custody, authorization, and record-keeping responsibilities
by having the computer perform those tasks, well-controlled organizations separate key duties within IT. There should be separation of IT duties to prevent IT personnel from authorizing and recording transactions to cover the theft of assets. Ideally, responsibilities for IT mgmt, systems development, operations, and data control should be separated as follows:
- IT mgmt: the CIO or IT manager should be responsible for oversight of the IT function to ensure that activities are carried out consistent with the IT strategic plan. A security administrator should monitor both physical and online access to hardware, software, and data files and investigate all security breaches.
- Systems development: systems analysts are not only responsible for the overall design of each application system, but they also coordinate the development, acquisition, and changes to IT systems by the IT personnel (who are responsible for programming the application or acquiring software applications) and the primary system users outside of IT (such as A/R personnel). Programmers develop flowcharts for each new application, prepare computer instructions, test the programs, and document the results. Programmers should not have access to input data or computer operations, to avoid using their knowledge of the system for personal benefit; they should be allowed to work only with test copies of programs and data, so that they can make software changes only after proper authorization.
- Operations: computer operators are responsible for the day-to-day operations of the computer, following the schedule established by the CIO. They also monitor computer consoles for messages about computer efficiency and malfunctions. A librarian is responsible for controlling the use of computer programs, transaction files, and other computer records and documentation; the librarian releases them to operators only when authorized.
- Data control: data input/output control personnel independently verify the quality of input and the reasonableness of output. For organizations that use
databases to store information shared by accounting and other functions, database administrators are responsible for the operation and access security of shared databases.
Naturally, the extent of separation of duties depends on the organization's size and complexity. In many small companies it is not practical to segregate the duties to the same extent; some entities acquire accounting systems from third-party vendors or access applications through the Internet and may have few staff dedicated to systems development or the librarian function.
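In practice the four separation-of-duties guidelines, and the IT rule that programmers stay away from production operations and data, are checked against actual entitlements rather than job titles. The Go program below is an added example (not part of the original notes) of such a review: roles grant duties, users hold roles, and every incompatible pair of duties that one person ends up holding is reported together with the roles that grant each half. The role model, the user names and the list of incompatible pairs are assumptions made for the example; the pairs cover the custody/record-keeping, authorization/custody and programming/operations separations described above.

```go
package main

import (
	"fmt"
	"sort"
)

// Duty is a function that must not be combined with certain others in one
// person. The duty names are this example's own, not the textbook's.
type Duty string

const (
	Authorize Duty = "authorize transactions"
	Custody   Duty = "custody of assets"
	Record    Duty = "record keeping"
	Program   Duty = "change application programs"
	Operate   Duty = "operate production system and data"
)

// incompatible lists the pairs that may not rest with the same person:
// custody vs. record keeping, authorization vs. custody, and, within IT,
// programming vs. access to production operations and data.
var incompatible = [][2]Duty{
	{Custody, Record},
	{Authorize, Custody},
	{Program, Operate},
}

// Conflict names one person holding an incompatible pair and the roles that
// grant each half of it.
type Conflict struct {
	User                string
	First, Second       Duty
	ViaFirst, ViaSecond string
}

// FindConflicts maps each user's roles to duties and reports every
// incompatible pair held through any combination of roles. The result is
// sorted so that the report is stable from run to run.
func FindConflicts(roleDuties map[string][]Duty, userRoles map[string][]string) []Conflict {
	var out []Conflict
	for user, roles := range userRoles {
		via := map[Duty]string{} // first role seen to grant each duty
		for _, role := range roles {
			for _, d := range roleDuties[role] {
				if _, ok := via[d]; !ok {
					via[d] = role
				}
			}
		}
		for _, p := range incompatible {
			r1, ok1 := via[p[0]]
			r2, ok2 := via[p[1]]
			if ok1 && ok2 {
				out = append(out, Conflict{user, p[0], p[1], r1, r2})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].First < out[j].First
	})
	return out
}

func main() {
	// Constructed sample role model and assignments (assumed, not from the text).
	roles := map[string][]Duty{
		"ap-clerk":       {Record},
		"check-signer":   {Custody},
		"purchasing-mgr": {Authorize},
		"developer":      {Program},
		"operator":       {Operate},
	}
	users := map[string][]string{
		"jlee":   {"ap-clerk", "check-signer"},
		"mpatel": {"developer", "operator"},
		"rgomez": {"ap-clerk"},
		"skim":   {"purchasing-mgr", "check-signer"},
	}
	for _, c := range FindConflicts(roles, users) {
		fmt.Printf("%s: %q via %s and %q via %s\n", c.User, c.First, c.ViaFirst, c.Second, c.ViaSecond)
	}
}
```

The point of reporting the granting roles is that the fix is usually to remove one role, or to split a role that bundles two duties, rather than to argue about the person. In a small company that cannot separate the duties, the same report tells you where a compensating independent check is needed.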
Independent checks (or internal verification) are the
careful and continuous review of the other 4 control activities. They are needed because IC tend to change over time: unless there is frequent review, personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance. Regardless of the quality of the controls, personnel can make errors or commit fraud. Personnel responsible for internal verification procedures must be independent of those originally responsible for preparing the data; the least expensive means is the separation of duties. Most accounting systems involve technologies where many internal verification procedures are automated as part of the system. With the extensive reliance on the use of technology to perform a number of control activities, there are a number of risks related to the overall security and functionality of IT-based services that must be managed at a system-wide or enterprise-wide level.
A control closely related to documents and records is the
chart of accounts, which classifies transactions into individual balance sheet and income statement accounts. It is helpful in preventing classification errors if it accurately describes which type of transaction should be in each account.
Auditors emphasize IC over
classes of transactions rather than account balances, because the accuracy of accounting system outputs (account balances) depends heavily on the accuracy of inputs and processing (transactions). Auditors are primarily concerned with the transaction-related audit objectives when assessing IC over financial reporting. Even though auditors emphasize transaction-related controls, the auditor must also gain an understanding of controls over ending account balance and presentation and disclosure objectives, and is likely to evaluate separately whether mgmt has implemented IC for each of the two account balance objectives and the four presentation and disclosure objectives.
Database management systems allow
clients to create databases that include information that can be shared across multiple applications. In nondatabase systems, each application has its own data file, whereas in database mgmt systems many applications share files. Clients implement database mgmt systems to reduce data redundancy, improve control over data, and provide better information for decision making by integrating information throughout functions and departments. Companies often integrate database mgmt systems within the entire organization using enterprise resource planning (ERP) systems that integrate numerous aspects of an organization's activities into one accounting information system. ERP systems share data across accounting and nonaccounting business functions of the organization. Controls often improve when data are centralized in a database mgmt system by eliminating duplicate data files; however, database mgmt systems also can create IC risks. Risks increase when multiple users, including individuals outside of accounting, can access and update data files. To counter the risk of unauthorized, inaccurate, and incomplete data files, companies must implement proper database administration and access controls. With the centralization of data in a single system, they must also ensure proper backup of data on a regular basis. Companies using e-commerce systems to transact business electronically link their internal accounting systems to external parties' systems, such as customers and suppliers. As a result, a company's risk depends in part on how well its e-commerce partners identify and manage risk in their own IT systems. To manage these interdependency risks, companies must ensure that their business partners manage IT system risk before conducting business with them electronically; some assurance services provide objective information about the reliability of business partners' IT systems. Use of e-commerce systems also exposes sensitive company data, programs, and hardware to potential interception or sabotage by external parties. To limit these exposures, companies use firewalls,
encryption techniques, and digital signatures.
An act of two or more employees who conspire to steal assets or misstate records is called
collusion
Auditors focus primarily on
controls related to the first of mgmt's internal control concerns: reliability of financial reporting. F/S are not likely to reflect GAAP or IFRS if IC over financial reporting are inadequate. Unlike the client, the auditor is less concerned with controls that affect the efficiency and effectiveness of company operations, because such controls may not influence the fair presentation of F/S. Auditors should not, however, ignore controls affecting internal mgmt information, such as budgets and internal performance reports. These types of information are often important sources used by mgmt to run the business and can be important sources of evidence that help the auditor decide whether the F/S are fairly presented. If the controls over these internal reports are inadequate, the value of the reports as evidence diminishes.
Physical controls over computers and restrictions to online software and related data files
decrease the risk of unauthorized changes to programs and improper use of programs and data files. The information technology and IC processes an organization has in place to protect computers, networks, programs, and data from unauthorized access are often referred to as cybersecurity. Security plans should be in writing and monitored. Security controls include both physical controls and online access controls.
- Physical controls: proper physical controls over computer equipment restrict access to hardware, software, and backup data files. Examples: keypad entrances, badge-entry systems, security cameras, security personnel. More sophisticated controls only allow physical and online access after employee fingerprints are read or employee retinas are scanned and matched with an approved database. Others include monitoring of cooling and humidity to ensure that the equipment functions properly and installing fire-extinguishing equipment to reduce fire damage.
- Online access controls: proper user IDs and passwords control access to software and related data files, reducing the likelihood that unauthorized changes are made to software applications and data files. Separate add-on security software packages, such as firewall and encryption programs, can be installed to improve a system's security.
Cybersecurity is becoming an increasing focus of mgmt and the BOD due to the potentially severe damage that can occur to an organization in a cyber attack.
Input controls are
designed to ensure that information entered into the computer is authorized, accurate, and complete. They are critical because a large portion of errors in IT systems result from data entry errors, and of course, regardless of the quality of information processing, input errors result in output errors. Typical controls developed for manual systems are important in IT systems, such as:
- mgmt's authorization of transactions
- adequate preparation of input source documents
- competent personnel
Controls specific to IT include:
- adequately designed input screens with preformatted prompts for transaction information
- pull-down menu lists of available software options
- computer-performed validation tests of input accuracy, such as the validation of customer numbers against customer master files
- online-based input controls for e-commerce applications where external parties, such as customers and suppliers, perform the initial part of the transaction inputting
- immediate error correction procedures, to provide for early detection and correction of input errors
- accumulation of errors in an error file for subsequent follow-up by data input personnel
- for IT systems that group similar transactions together into batches, the use of financial batch totals, hash totals, and record counts to help increase the accuracy and completeness of input
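As an added example (not from the original notes) of the IT-specific input controls listed above, the Go program below edits a constructed batch of keyed sales lines: it validates each customer number against a customer master file, writes every rejected line to an error file for follow-up, and accumulates a record count, a hash total of invoice numbers and a financial total to compare with the header the preparer computed by hand from the source documents. The record layout ("invoice,customer,cents"), the master file contents and the header totals are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SalesLine is one keyed record: invoice number, customer number and the
// amount in cents (integers keep the financial total exact).
type SalesLine struct {
	Invoice  int
	Customer string
	Cents    int64
}

// BatchHeader holds the control totals the preparer computed by hand from
// the source documents before the batch was keyed.
type BatchHeader struct {
	RecordCount    int
	HashTotal      int64 // sum of invoice numbers: meaningless as a figure, but a dropped or altered record changes it
	FinancialTotal int64 // sum of amounts in cents
}

// InputError is one entry in the error file handed to data-input personnel.
type InputError struct {
	Line   int
	Reason string
}

// BatchResult is the outcome of editing one batch.
type BatchResult struct {
	Accepted       []SalesLine
	ErrorFile      []InputError
	RecordCount    int
	HashTotal      int64
	FinancialTotal int64
}

// Balanced reports whether the totals computed from the accepted records
// agree with the preparer's header; an unbalanced batch is held, not posted.
func (r BatchResult) Balanced(h BatchHeader) bool {
	return r.RecordCount == h.RecordCount && r.HashTotal == h.HashTotal && r.FinancialTotal == h.FinancialTotal
}

// EditBatch validates each keyed line ("invoice,customer,cents"), checks the
// customer number against the master file, accumulates the control totals
// and writes every rejected line to the error file with its reason.
func EditBatch(lines []string, customerMaster map[string]bool) BatchResult {
	var r BatchResult
	reject := func(i int, why string) { r.ErrorFile = append(r.ErrorFile, InputError{i + 1, why}) }
	for i, ln := range lines {
		f := strings.Split(strings.TrimSpace(ln), ",")
		if len(f) != 3 {
			reject(i, "expected 3 fields")
			continue
		}
		inv, err := strconv.Atoi(f[0])
		if err != nil || inv <= 0 {
			reject(i, "invoice number not a positive integer")
			continue
		}
		cents, err := strconv.ParseInt(f[2], 10, 64)
		if err != nil || cents <= 0 {
			reject(i, "amount not a positive integer")
			continue
		}
		if !customerMaster[f[1]] {
			reject(i, "customer "+f[1]+" not on master file")
			continue
		}
		r.Accepted = append(r.Accepted, SalesLine{inv, f[1], cents})
		r.RecordCount++
		r.HashTotal += int64(inv)
		r.FinancialTotal += cents
	}
	return r
}

func main() {
	// Constructed sample: four invoices keyed from a batch whose header
	// totals were taken from the source documents. Line 3 carries a
	// customer number that is not on the master file, and line 4 was keyed
	// with transposed digits (9900.00 became 9090.00).
	header := BatchHeader{RecordCount: 4, HashTotal: 4010, FinancialTotal: 3477500}
	master := map[string]bool{"C100": true, "C205": true, "C310": true}
	keyed := []string{"1001,C100,1250000", "1002,C205,800000", "1003,C999,437500", "1004,C100,909000"}
	res := EditBatch(keyed, master)
	fmt.Printf("accepted %d, errors %v, balanced: %v\n", len(res.Accepted), res.ErrorFile, res.Balanced(header))
	// After correction the batch balances and can be released for processing.
	fixed := []string{"1001,C100,1250000", "1002,C205,800000", "1003,C310,437500", "1004,C100,990000"}
	fmt.Println("corrected batch balanced:", EditBatch(fixed, master).Balanced(header))
}
```

The three totals catch different things: the record count catches a dropped line, the hash total catches a mis-keyed invoice number, and only the financial total catches the transposed amount on line 4, since that line still counts as one record with the right invoice number.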
Output controls focus on
detecting errors after processing is completed, rather than on preventing errors. The most important output control is review of the data for reasonableness by someone knowledgeable about the output; users can often identify errors because they know the approximate correct amounts. Several common controls for detecting errors in outputs include:
- reconcile computer-produced output to manual control totals
- compare the number of units processed to the number of units submitted for processing
- compare a sample of transaction output to input source documents
- verify dates and times of processing to identify any out-of-sequence processing
For sensitive computer output, such as payroll checks, control can be improved by requiring employees to present employee ID before they receive their checks, or by requiring the use of direct deposit into the employees' preapproved bank accounts. Also, access to sensitive output stored in electronic files or transmitted across networks, including the Internet, is often restricted by requiring passwords, user IDs, and encryption techniques.
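Three of the output checks listed above can be automated over a run's output register. The Go program below is an added example (not part of the original notes): it compares the number of records processed with the number submitted, reconciles the financial total of the output to the manual control total, and flags any record whose processing timestamp is earlier than the one before it. The output register layout and the sample run are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// OutputRecord is one line of a processing run's output register: the
// transaction posted, the amount in cents, and the time the run stamped it.
type OutputRecord struct {
	ID        int
	Cents     int64
	Processed time.Time
}

// Exception is one item the output reviewer must resolve before release.
type Exception struct {
	Check  string
	Detail string
}

// ReviewOutput applies three output controls to a run: units processed
// against units submitted, the financial total against the manual control
// total, and processing timestamps against their expected order. It returns
// an empty slice when the output can be released.
func ReviewOutput(submitted int, manualControlTotal int64, out []OutputRecord) []Exception {
	var ex []Exception
	if len(out) != submitted {
		ex = append(ex, Exception{"record count", fmt.Sprintf("%d submitted, %d processed", submitted, len(out))})
	}
	var total int64
	for _, r := range out {
		total += r.Cents
	}
	if total != manualControlTotal {
		ex = append(ex, Exception{"control total", fmt.Sprintf("output total %d differs from manual control total %d by %d", total, manualControlTotal, total-manualControlTotal)})
	}
	for i := 1; i < len(out); i++ {
		if out[i].Processed.Before(out[i-1].Processed) {
			ex = append(ex, Exception{"sequence", fmt.Sprintf("record %d (%s) processed before record %d (%s)",
				out[i].ID, out[i].Processed.Format(time.RFC3339), out[i-1].ID, out[i-1].Processed.Format(time.RFC3339))})
		}
	}
	return ex
}

func main() {
	// Constructed sample: three payments were submitted with a manual
	// control total of $1,500.00; the run posted $1,050.00 (one amount
	// truncated) and record 3 carries a timestamp earlier than record 2,
	// which points at a rerun or a clock problem that must be explained.
	base := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	run := []OutputRecord{
		{1, 50000, base},
		{2, 45000, base.Add(2 * time.Minute)},
		{3, 10000, base.Add(1 * time.Minute)},
	}
	for _, e := range ReviewOutput(3, 150000, run) {
		fmt.Printf("%-14s %s\n", e.Check+":", e.Detail)
	}
}
```

The reconciliation reports the difference, not just a mismatch, because the size of the difference is usually the fastest lead: a difference equal to one record's amount means a dropped or duplicated record, while an odd figure suggests a truncated or transposed amount.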
A firewall protects
data, programs, and other IT resources from unauthorized external users accessing the system through networks, such as the Internet. A firewall is a system of hardware and software that monitors and controls the flow of e-commerce communication by channeling all network connections through controls that verify external users, grant access to authorized users, deny access to unauthorized users, and direct authorized users to the requested programs or data. Firewalls are becoming increasingly sophisticated as the frequency and severity of cyber attacks grow.
Application controls are designed for
each software application and are intended to help a company satisfy the transaction-related mgmt assertions. Although some application controls affect only one or only a few transaction-related assertions, most controls prevent or detect several types of misstatements. Other application controls concern account balance and presentation and disclosure assertions. Application controls may be done by computers or by client personnel. When they are done by client personnel, they are called manual controls; their effectiveness depends on both the competence of the people performing the controls and the care they exercise when doing them. When controls are done by computers, they are called automated controls; because of the nature of computer processing, automated controls, if properly designed, lead to consistent operation of the controls.
Certain control elements within the 5 COSO control components have a pervasive effect on the entity's system of IC and are referred to as
entity-level controls in auditing standards. Examples: the board and audit committee element of the control environment, the entity's risk assessment process, and internal audit's role in monitoring controls.
Mgmt, not the auditor, must
establish and maintain the entity's IC. This is consistent with the requirement that mgmt, not the auditor, is responsible for the preparation of F/S in accordance with applicable accounting frameworks such as GAAP or IFRS. Two key concepts underlie mgmt's design and implementation of IC: reasonable assurance and inherent limitations.
Mgmt is responsible for
establishing and maintaining the entity's IC and is required by Section 404 to publicly report on the operating effectiveness of those controls.
To authenticate the validity of a trading partner conducting business electronically, companies may rely on
external certification authorities, who verify the source of the public key by using digital signatures. A trusted certification authority issues a digital certificate to individuals and companies engaging in e-commerce. The digital certificate contains the holder's name and its public key; it also contains the name of the certification authority, the certificate's expiration date, and other specific information. To guarantee integrity and authenticity, each certificate is digitally signed by the private key maintained by the certification authority.
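The certificate mechanics described above, as an added example in Go using only the standard library (not part of the original notes): a certification authority creates a self-signed certificate; it issues a certificate that binds a trading partner's name to the partner's public key with an expiration date, signed with the CA's private key; the relying party verifies that the presented certificate chains to a CA it trusts, rejects one that has expired and one from an unknown CA, and then checks a digitally signed order using the public key taken from the verified certificate. The CA and partner names, the key type (ECDSA P-256), the serial numbers and the one-year validity period are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a P-256 key pair; the private half never leaves its owner.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates the certification authority's self-signed certificate and
// the private key it will use to sign the certificates it issues.
func NewCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // assumed serial for the example
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssuePartnerCert has the CA bind a trading partner's name to a fresh public
// key for a limited period; the issuer's name and signature go into the cert.
func IssuePartnerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, org string, serial int64, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyPartner checks that the presented certificate was signed by a CA we
// trust and is inside its validity period at the moment of the check.
func VerifyPartner(trustedCA, partner *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := partner.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// SignMessage is the partner signing an order with its private key.
func SignMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyMessage checks the order against the public key carried in the
// (already verified) certificate, so a changed order or wrong key fails.
func VerifyMessage(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	now := time.Now()
	ca, caKey, err := NewCA("Example Trust CA", now)
	if err != nil {
		panic(err)
	}
	partner, partnerKey, err := IssuePartnerCert(ca, caKey, "Supplier Co", 2, now, now.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	fmt.Println("chain to trusted CA:", VerifyPartner(ca, partner, now.Add(time.Hour)))
	fmt.Println("presented after expiry:", VerifyPartner(ca, partner, now.AddDate(2, 0, 0)))
	other, _, _ := NewCA("Some Other CA", now)
	fmt.Println("different CA in trust store:", VerifyPartner(other, partner, now.Add(time.Hour)))
	order := []byte("PO-1001: 40 units at 125.00")
	sig, _ := SignMessage(partnerKey, order)
	fmt.Println("order signature valid:", VerifyMessage(partner, order, sig))
	fmt.Println("altered order valid:", VerifyMessage(partner, []byte("PO-1001: 400 units at 125.00"), sig))
}
```

Note the order of the two checks: the certificate is verified against the trust store first, and only then is its public key used on the order. Checking the signature with a key taken from an unverified certificate proves nothing, since anyone can produce a certificate for any name and sign with the matching key. The example does not cover revocation, which a real deployment also needs.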
The purpose of an entity's information and communication system is to
initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets. The underlying principles stress the importance of using relevant, quality information that is communicated both internally and externally as necessary to support the proper functioning of internal controls. The system has several subcomponents, typically made up of classes of transactions, such as sales, sales returns, cash receipts, acquisitions, and so on. For each class of transactions, the accounting system must satisfy all of the transaction-related mgmt assertions.
Many clients outsource some or all of their IT needs to an independent organization commonly referred to as a computer service center,
including application service providers (ASPs) and cloud computing environments, rather than maintain an internal IT center. Cloud computing is a computer resource deployment and procurement model that enables an organization to obtain IT resources and applications from any location via an Internet connection. Depending on the arrangement, all or parts of an entity's IT hardware, software, and data might reside in an IT service center shared with other organizations and managed by a third-party vendor. The name cloud computing comes from the use of a cloud-shaped symbol in systems diagrams to represent complex IT infrastructures.
Risk assessment specifically related to financial reporting involves
mgmt's identification and analysis of risks relevant to the preparation of F/S in conformity w/ appropriate accounting standards. For example, it is essential for the company to incorporate adequate controls to address the risk of overstating inventory. Failure to meet prior objectives, quality of personnel, geographic dispersion of company operations, significance and complexity of core business processes, introduction of new information technologies, economic downturns, and entrance of new competitors are examples of factors that may lead to increased risk. Once mgmt identifies a risk, it estimates the significance of that risk, assesses the likelihood of the risk occurring, and develops specific actions that need to be taken to reduce the risk to an acceptable level. Mgmt's risk assessment differs from but is closely related to the auditor's risk assessment: while mgmt assesses risks as part of designing and operating IC to minimize errors and fraud, auditors assess risks to decide the evidence needed in the audit. If mgmt effectively assesses and responds to risks, the auditor will typically accumulate less evidence than when mgmt fails to identify or respond to significant risks.
COSO's Internal Control - Integrated Framework was first developed in 1992 and has become the
most widely accepted internal control framework in the US and the world. Since the original development of the Framework, business and operating environments have become more global, complex, and technologically driven. Stakeholders have become more engaged, seeking greater transparency and accountability for the integrity of systems of IC, including controls related to reporting objectives beyond financial reporting (such as corporate responsibility and sustainability). COSO updated the Framework in 2013 to make it more relevant in the current business environment. The general structure of the Framework remains unchanged, but the updated Framework provides a principles-based approach with additional guidance on designing and implementing effective systems of internal control.
Internal controls can
never be completely effective, regardless of the care followed in their design and implementation. Even if mgmt can design an ideal system, its effectiveness depends on the competency and dependability of the people using it. Example: a carefully developed procedure for counting inventory requires two employees to count independently. If neither of the employees understands the instructions or if both are careless in doing the counts, the inventory count is likely to be wrong. Even if the count is correct, mgmt might override the procedure and instruct an employee to increase the count to improve reported earnings. Similarly, the employees might decide to overstate the counts to intentionally cover up a theft of inventory by one or both of them.
Monitoring activities deal with
ongoing or periodic assessment of the quality of internal control by mgmt to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions. The underlying principles related to monitoring include performing periodic evaluations and communicating any identified deficiencies to the appropriate parties responsible for taking actions to remediate the deficiencies. The info being assessed comes from a variety of sources, including studies of existing IC, internal auditor reports, exception reporting on control activities, reports by regulators such as bank regulatory agencies, feedback from operating personnel, and complaints from customers about billing charges. For many companies, especially larger ones, an internal audit department is essential for effective monitoring of the operating performance of internal controls. To be effective, the internal audit function must be performed by staff who are independent of both the operating and accounting departments and who report directly to a high level of authority within the organization, either top mgmt or the audit committee of the BOD. In addition to its role in monitoring an entity's IC, an adequate internal audit staff can reduce external audit costs by providing direct assistance to the external auditor. PCAOB auditing standards define the extent to which auditors can use the work done by internal auditors when reporting on IC under Section 404. Auditing standards provide guidance to help the external auditor obtain evidence that supports the competence, integrity, and objectivity of internal auditors, which allows the external auditor to rely on the internal auditor's work in a number of ways.
Smaller companies often outsource their payroll function b/c
payroll is reasonably standard from company to company and many reliable providers of payroll services are available. Companies also outsource their e-commerce systems to external web site providers, including those that offer cloud computing services. Like all outsourcing decisions, companies decide whether to outsource on a cost-benefit basis. When outsourcing to a computer service center, the client submits input data, which the service center processes for a fee and then returns the agreed-upon output and the original input. Outsourcing can present challenges from an IC perspective: mgmt is responsible for the design and operating effectiveness of IC, and this includes controls that are outsourced to a service provider. The ethics and integrity of service providers, as well as the design and functioning of their IC, need to be considered by mgmt when selecting a service provider and evaluated regularly.
A system of internal controls consists of
policies and procedures designed to provide mgmt w/ reasonable assurance that the company achieves its objectives and goals. These policies and procedures are often called controls, and collectively they make up the entity's internal controls.
Control activities are the
policies and procedures, in addition to those included in the other 4 control components, that help ensure that necessary actions are taken to address risks to the achievement of the entity's objectives. The 3 underlying principles related to control activities:
-developing control activities that mitigate risks to an acceptable level
-developing general controls over technology
-establishing policies, procedures, and expectations
Processing controls
prevent and detect errors while transaction data are processed. General controls, especially controls related to systems development and security, provide essential control for minimizing processing errors. Specific application processing controls are often programmed into software to prevent, detect, and correct processing errors.
In networks, application software and data files used to
process transactions are included on several computers that are linked together. Access to the application from desktop computers or workstations is managed by network server software or other interfaces. With cloud computing technology, even small companies can have several computer servers linked together on a network, while large companies may have hundreds of servers in dozens of locations networked together. It is common for networks to consist of various combinations of equipment and procedures, which may not have standard security options. Lack of equipment compatibility across a network may occur when responsibility for purchasing equipment and software, maintenance, admin, and physical security resides w/ key user groups rather than with a centralized IT function. Sometimes network security may be compromised when networks consist of equipment with incompatible security functions.
Every transaction must be
properly authorized if controls are to be satisfactory. If any person in an organization could acquire or expend assets at will, complete chaos would result. Authorization can be either general or specific. General Authorization: mgmt establishes policies, and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy. General authorization decisions include the issuance of fixed price lists for the sale of products, credit limits for customers, and fixed reorder points for making acquisitions. Specific Authorization: applies to individual transactions; for certain transactions, mgmt prefers to authorize each transaction. The distinction btwn authorization and approval is important: authorization is a policy decision for either a general class of transactions or specific transactions, while approval is the implementation of mgmt's general authorization decisions.
Encryption techniques
protect the security of electronic communication when info is transmitted and when it is stored. Computerized encryption changes a standard message or data file into one that is coded (encrypted), requiring the receiver of the electronic message or the user of the encrypted data file to use a decryption program to decode the message or data. A public key encryption technique is often used, where one key (the public key) is used for encoding the message and another key (the private key) is used to decode the message. The public key is distributed to all approved users of the e-commerce system; the private key is distributed only to internal users with the authority to decode the message.
Technology can strengthen a company's system of IC, but can also
present challenges. To address risks associated w/ reliance on technology, organizations often implement specific IT controls.
Systems development includes:
-purchasing software or developing in-house software that meets the organization's needs. A key to implementing the right software is to involve a team of both IT and non-IT personnel, including key users of the software and internal auditors. This combination increases the likelihood that information needs, as well as software design and implementation concerns, are properly addressed. Involving users also results in better acceptance by users.
-testing all software to ensure that the new software is compatible with existing hardware and software and determining whether the hardware and software can handle the needed volume of transactions. Whether software is purchased or developed internally, extensive testing of all software w/ realistic data is critical. Companies typically use one or a combination of these 2 test approaches: Pilot testing: a new system is implemented in one part of the organization while other locations continue to rely on the old system. Parallel testing: old and new systems operate simultaneously in all locations.
-proper documentation of the system is required for all new and modified software. After the system has been successfully tested and documented, it is transferred to the librarian in a controlled manner to ensure only authorized software is ultimately accepted as the authorized version.
Documents and records are
the records upon which transactions are entered and summarized. They include such diverse items as sales invoices, purchase orders, subsidiary records, sales journals, and employee time reports. Many are maintained in electronic rather than paper formats. Adequate documents are essential for correct recording of transactions and control of assets.
Power failures, fire, excessive heat or humidity, water damage, or even sabotage can have
serious consequences for businesses using IT. To prevent data loss during power outages, many companies rely on battery backups or on-site generators. For more serious disasters, organizations need detailed backup and contingency plans, such as off-site storage of critical software and data files and outsourcing to firms that specialize in secure data storage. Backup and contingency plans should also identify alternative hardware that can be used to process company data. Companies with small IT systems can purchase replacement computers in an emergency and reprocess their accounting records by using backup copies of software and data files. Larger companies often contract with IT data centers that specialize in providing access to off-site computers, data storage, and other IT services for use in the event of an IT disaster.
In addition, mgmt must
test the operating effectiveness of controls. The testing objective is to determine whether the controls are operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Mgmt's test results, which must also be documented, form the basis for mgmt's assertion at the end of the fiscal year abt the controls' operating effectiveness. Mgmt must disclose any material weakness in IC. Even if only one material weakness is present, mgmt must conclude that the company's IC over financial reporting is not effective. The SEC requires mgmt to include its report on IC in its annual Form 10-K report filed with the SEC.
The COSO Framework describes 5 components of IC that mgmt designs and implements to provide reasonable assurance that its control objectives will be met. Each component contains many controls, but auditors concentrate on those designed to prevent or detect mm in the F/S.
The COSO IC components include the following:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
The Framework represents the direct relationship btwn the 3 IC objectives, the 5 components of IC, and the organizational structure in the form of a cube. Within each of the COSO components, the updated Framework includes a total of 17 broad principles that provide more guidance to support the respective component.
The control environment consists of
the actions, policies, and procedures that reflect the overall attitudes of top mgmt, directors, and owners of an entity abt IC and its importance to the entity. The control environment serves as the umbrella for the other 4 components; w/o an effective control environment, the other 4 components are unlikely to result in effective IC, regardless of their quality. The essence of an effectively controlled organization lies in the attitude of its BOD and senior mgmt. If top mgmt believes that control is important, others in the organization will sense this commitment and respond by conscientiously observing the controls established. If members of the organization believe that control is not an important concern to top mgmt, it is almost certain that mgmt's control objectives will not be effectively achieved. The 5 underlying principles related to the control environment include a commitment to integrity and ethical values, an independent BOD that is responsible for oversight of IC, establishing appropriate structures and reporting lines, a commitment to attracting, developing, and retaining competent personnel, and holding individuals accountable for IC responsibilities.
Section 404(b) of SOX requires that the auditor report on
the effectiveness of IC over financial reporting. As a result of the Dodd-Frank federal financial reform legislation passed by Congress in July 2010, only larger public companies (accelerated filers) are required to obtain an audit report on IC over financial reporting. To express an opinion on these controls, the auditor obtains an understanding of and performs tests of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the F/S.
The BOD and senior mgmt's attitude about IT affects
the perceived importance of IT within an organization. Their oversight, resource allocation, and involvement in key IT decisions each signal the importance of IT to the organization. In complex environments, mgmt may establish IT steering committees to help monitor the organization's technology needs. In less complex organizations, the board may rely on regular reporting by a CIO or other senior IT manager to keep mgmt informed. In contrast, when mgmt assigns technology issues exclusively to lower-level employees or outside consultants, an implied message is sent that IT is not a high priority. The result is often an understaffed, underfunded, and poorly controlled IT function.
The auditor is responsible for
understanding and testing IC over financial reporting. For larger public companies, the SEC requires an annual audit report on the operating effectiveness of those controls.
Mgmt must evaluate
whether controls are designed and put in place to prevent or detect mm in the F/S. The focus is on controls that address risks related to all relevant assertions for all significant accounts and disclosures in the F/S. This includes evaluating how significant transactions are initiated, authorized, recorded, processed, and reported, to identify points in the flow of transactions where mm due to error or fraud could occur.