ITAC Exam 2

Impact of SAS 94 and IT Sophistication

"When evidence of a company's initiation, recording, and processing of transactions exists only in electronic form, the auditor's ability to obtain assurance from substantive testing is diminished." (SAS 94) -IT audits should: 1. Focus on the computer-based aspects of an organization's information system 2. Assess the proper implementation, operation, and control of IT resources -->SAS No. 94 guidance suggests.... the effect of IT on financial reporting processes is not related to the size of the entity but rather the level of sophistication of its IT environment. -Important to identify the IT weaknesses that can lead to ROMM where no compensating controls exist. -Conclusion: Level of IT sophistication determines the nature, extent, and scope of internal control testing procedures.

SAS 109

(a Statements on Auditing Standards) by AICPA (American Institutes of CPAs) - describes the second standard of field work, relating to the auditor obtaining a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. This section also discusses risk assessment procedures and sources of information about the entity and its environment.

Internal Environment

- AKA Company culture -Foundation for all other ERM components -Influences how organizations establish strategy and objectives, structure business activities, and identify, assess, and respond to risk

Receiving

--> Generates receiving report when goods arrive (the receiving report is frequently an annotated version of the "blind" copy of the purchase order (i.e. a copy which has no quantities indicated) received from purchasing Step 1: Before taking custody of goods (accepting delivery), match packing slip to purchase order to insure that goods were in fact ordered Step 2: Count items and list on receiving report; also note condition of items Step 3: Forward receiving report to accounts payable; deliver goods to user

General Ledger and Reporting System

--> Primary function is to collect and organize data from the following sources: 1. Accounting cycle subsystems provide information about regular transactions 2. The treasurer provides information about financing and investing activities 3. The budget department provides budget numbers 4. The controller provides adjusting entries

Access Controls

-Access controls prevent and detect unauthorized and illegal access to a company's assets -Physical assets at risk are cash and inventory

Purchasing Subsystem-Accounts Payable

--> Approves payment of vendor invoice by preparing a cash disbursement voucher and recording liability in the accounting records Step 1: When vendor invoice is received, reconcile invoice to the purchase order and the receiving report Step 2: Prepare cash disbursement voucher (C/D voucher) to record the accounts and amounts to be charged for the purchase; attach supporting documents Step 3: Record transaction in the Purchases Journal and prepare Journal Voucher (JV); post transactions to the A/P Subsidiary Ledger Step 4: Forward approved Voucher Package (C/D voucher, vendor invoice, receiving report and purchase order) to Cash Disbursements Department for payment Step 5: Approval of the C/D voucher & supporting documents by a supervisor is required before further processing

Purchasing

--> Generates purchase orders in response to receipt of purchase requisition sent by an individual or department within the organization Step 1: Verify department budget authority -appropriate authorization on document -valid type(s) of expenditure -amounts are consistent with budget constraints Step 2: Select a vendor in accordance with procedures - "approved vendor list" Step 3: Generate a multi-copy purchase order (copies go to vendor, receiving and accounts payable)

Cash Collections

-->Collects customer payments on account and deposits the payments in the bank 1. Mailroom: receives customer payments and distributes documents appropriately Step 1: customer payments (checks and remittance advices) are received and the checks are endorsed Step 2: payments are separated from the remittance advices and an independent listing of the monies received is created (this is called a remittance list) Step 3: checks and a copy of the remittance list are forwarded to the cash receipts department; remittance 2. Cash Receipts Department: prepares bank deposit Step 1: upon receipt of the checks and remittance list, records the receipt into the Cash Receipts Journal; an actual Cash Receipt document is prepared and sent to the customer to acknowledge payment Step 2: prepares a deposit slip in duplicate; the deposit and checks are taken to the bank and a validated deposit slip is returned in the bank statement to document the transaction Step 3: a journal voucher documenting the cash receipts is prepared and forwarded to the GL Dept. The bank sends the validated deposit slip to the Controller for an independent reconciliation. 3. Accounts Receivable Step 1: upon receipt of the remittance advices & remittance list, pulls the copy of the customer invoice from the open invoice file and posts the credit to the customer account in the A/R Subsidiary Ledger and files the paid invoices in the closed invoice file Step 2: prepares a posting summary and sends the summary to the general ledger clerk where it is reconciled to the journal voucher to ensure that the A/R subsidiary ledger balances to the A/R control account

Unrecorded Liabilities

-->Major risk in the expenditure cycle! Why? -Unrecorded Liabilities exist due to time lag in the recording process by A/P -Copies of the PO and Receiving Report are received before the supplier's invoice. -Accountants must estimate the liability for all periods prior to the arrival of the invoice from the supplier -Auditors & Tax Professionals need to be aware of unrecorded liabilities at quarter-end to prepare the Tax Provision and Form 10-Q

Billing

-->Prepares the invoice Step 1: matches sales order data with shipping advice data Step 2: calculates prices and discounts and extends totals for invoice Step 3: generates customer invoice and sends to customer Step 4: the invoice information is recorded in the Sales Journal; a journal voucher is periodically sent to the General Ledger to update the B/S and I/S accounts Step 5: copy of invoice is forwarded to accounts receivable to record the receivable

Sales Order Entry

-->Processing the customer's order Step 1: a customer order is received and a sales order is created Step 2: customer credit is verified Step 3: product availability and budget is verified -a backorder is created if product not available Step 4: Copies of the sales order are forwarded to the warehouse, shipping, billing and accounts receivable while picking ticket (a part of the sales order form) goes just to warehouse

Accounts Receivable

-->Records customer credit purchases and payments/manages customer accounts and generates periodic customer statements and aging reports Step 1: Upon receipt of the customer invoice, pulls the copies of the sales order and shipping advice and reconciles all three documents Step 2: Posts the debit to the customer account in AR subsidiary ledger and files the invoice in the open invoice file with supporting docs alphabetically Step 3: Periodically sends a summary of the customer postings to the general ledger clerk; the summary is used to ensure that the AR subsidiary ledger balances to the AR control account

What is Monitoring?

-->The process for assessing the effectiveness of 1) IC design and 2) IC operation -Evidence of control adequacy obtained by testing controls and communicating control strengths and weaknesses.

Inherent Risks in Revenue Recognition Cycle

-->The risk of material misstatement (ROMM) due to revenue recognition mistakes and/or fraud: 1. Early revenue recognition 2. Holding the books open past the close of the accounting period 3. Fictitious sales 4. Failure to record sales returns 5. Side agreements used to alter sales terms and conditions 6. Channel stuffing

Segregation of Duties

-->To maintain proper Segregation of Accounting Duties, no employee should be responsible for more than one of the following four functions for a single transaction: -Authorization -Recording -Custody -Reconciliation -->There is also Segregation of Systems Duties: To combat the threat of any person who has unrestricted access to the computer, its programs, and live data

3 Way Match

-->Upon receipt of the supplier's invoice, -A/P reconciles 3 documents (PO, Receiving Report, and Invoice), updates the purchases journal, and records the liability. -Independent Verification Control

Warehouse/Shipping

-->Warehouse=goods selection Step 1: upon receipt of the sales order, goods are picked from the warehouse shelves to complete the order Step 2: actual quantities picked are noted on the sales order, producing an annotated sales order Step 3: the completed order with documents is forwarded to shipping Step 4: shipping signs a copy of the annotated sales order or a log to recognize receipt of goods -->Shipping=ship goods Step 1: reconciles sales order with annotated sales order and generates shipping advice Step 2: arranges for delivery of goods creating a bill of lading if delivery is by common carrier Step 3: a copy of the shipping advice is included with goods as a packing slip Step 4: copies of the shipping advice and (bill of lading, if applicable) are forwarded to billing and accounts receivable

Revenue Cycle

-A recurring set of business activities and related information processing operations associated with providing goods and services to customers and collecting cash in payment for those sales -Four basic revenue cycle activities include: 1. Sales order entry 2. Warehouse/Shipping 3. Billing 4. Cash collections

Expenditure Cycle

-A recurring set of business activities and related information processing operations associated with the purchase of and payment for goods and services -Primary external exchange of information is with suppliers (vendors) -Primary objective is to minimize the total cost of acquiring and maintaining inventories, supplies, and the various organization needs to function -For basic expenditure cycle activities include: 1. Ordering materials, supplies, and services 2. Receiving materials, supplies, and services 3. Approving supplier invoices 4. Cash disbursements

Step 3: Determining Level of Controls

-An appropriate combination of the following general controls should be implemented to mitigate the risks. -All spreadsheets, even those with low complexity should have controls 1-6 below: 1. Change Control - process for requesting changes and independent review and sign-off that the change is functioning as intended. 2. Version control - ensuring only current and approved versions are being used (requires naming conventions and directory structures) 3. Access control - limiting access at the file level on a central server and assigning appropriate rights (password protected) 4. Input control - ensuring that reconciliations occur to ensure data is input completely and accurately (downloads preferred) 5. Security and Integrity of data - data embedded is current and secure. (locking and protecting cells to prevent inadvertent or intentional changes) 6. Documentation - narratives and flowcharts are maintained and kept up-to-date to explain functions of the spreadsheet -->As complexity and importance increase, controls 7-12 below are necessary: 7. Backup policy - implement a process to back up each spreadsheet located on central servers and local desktops. 8. Logic Inspection - independent review of the logic in each cell of the critical spreadsheet (review is formally documented) 9. Development Lifecycle - Applying a standard SDLC to the development process of more critical and complex spreadsheets 10. Archiving - Maintaining historical files no longer available to update in a segregated drive and locking them as read-only 11. Segregation of Duties -Defining and implementing roles, authorities, responsibilities and procedures for issues such as ownership, sign-off, and usage 12. Overall analytics - Implementing analytics as a detective control to find errors in spreadsheets used for calculations. However, analytics alone are not a sufficient control.

Overview of SOX of 2002

-Applied to publicly held companies and their auditors -Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls and punish executives who perpetrate fraud

Conceptual Purchasing Process

-Begins when inventory levels drop to a predetermined reorder point -Inventory Control prepares a purchase requisition (PR) and sends the PR to Purchasing -Purchasing selects vendor(s) & prepares a purchase order (PO) & updates Open PO file -PO copies are sent to: 1. Vendor 2. Inventory control 3. AP 4. Blind copy to receiving -Receiving clerk receives the goods and reconciles with packing slip and blind copy of PO -Sends receiving report to: 1. Inventory Control 2.Purchasing 3. Files hard copy -Accounts Payable reconciles invoice, purchase order and receiving report (3-Way Match) -Records transaction in the purchases journal & AP sub-ledger -General Ledger department receives journal voucher from AP dept and Account Summary from Inventory Control.

Application Controls

-Careful consideration is given to the type of controls that should be used to mitigate each risk. -Three types of controls: 1. Manual Controls -performed without assistance of technology (supervisory controls, written authorizations) 2. Automated Controls -performed by computers, always function as designed 3. IT Dependent/Manual Controls (hybrid) -combination of manual and automated processes. -Ex: System-generated Receivables Aging report is reviewed by the Receivables Manager for reasonableness.

Cash Disbursements

-Cash Disbursements Department --> Responsible for timely drawing of the check Step 1: Issues payment in accordance with cash management procedures dictated by treasury (typical policy is to hold payments as long as possible while taking advantage of early payment discounts) Step 2: When voucher package is received, c/d clerk reviews documents, marks invoices "Paid" and prepares check (custody) Step 3: Checks & supporting documentation are presented to supervisor for final authorization; the payment is recorded in the Cash Disbursements Journal (or Check Register) and a Journal Voucher is prepared (Note: segregation of duties are important among individuals in the same department Step 4: clerk mails check to vendor; Voucher Package with copy of check is returned to accounts payable -Accounts Payable: --> Responsible for recording the payment in the vendor's account Step 1: Accounts payable uses Voucher Package and check to record & update the A/P Subsidiary Ledger and prepares posting summary for General Ledger clerk; the posting summary is used to ensure that the A/P Subsidiary Ledger is balanced to the A/P Control Account

COSO Update

-Clarifies requirements for effective internal control -Effective internal control provides reasonable assurance regarding the achievement of objectives AND requires that: 1. Each component and each relevant principle is present and functioning 2. The five components are operating together in an integrated manner

Risk Assessment and Risk Response

-Companies should assess inherent risk, develop a response, and assess residual risk -The risk assessment approach to designing internal controls include: 1. Identify threats 2. Estimate risk and exposure 3. Identify controls 4. Estimate costs and benefits -->Once all of this happens, management has four ways to respond to it: 1. Reduce 2. Accept 3. Share 4. Avoid

What is ongoing monitoring?

-Computer modules integrated into routine operations -Management reports which highlight trends and exceptions from normal performance in sales, purchasing, production, cash disbursements

Control Activities: Physical

-Control Procedures fall into the following categories: 1. Proper authorization of transactions and activities 2. Segregation of Duties 3. Project Development and acquisition controls 4. Change management controls 5. Design and use of documents and records 6. Access Controls (Safeguarding assets, records, and data) 7. Independent checks on performance

Objective Setting

-Corporate vision 1. Strategic objectives: high level goals that are aligned with the company's mission, support it, and create shareholder value 2. Operations objectives: deal with the effectiveness and efficiency of company operations and determining how to allocate resources 3. Reporting objectives: help ensure the accuracy, completeness, and reliability of company reports 4. Compliance objectives

Batch Controls

-Reconcile system output with input originally entered into the system -Controls provide assurance that: 1. All records in the batch are processed 2. No records are processed more than once 3. An audit trail of transaction processing is created Control examples include: record count, batch control total, hash total

COSO Framework and SAS 109

-Describes the complex relationship between the firm's internal control structure, auditor's assessment of risk, and the planning of audit procedures -->How do these three interrelate? -The weaker of IC structure, the higher the assess level of risk; the higher the risk, the greater the number of auditor procedures applied in the audit

XBRL Definitions

-Element: each specific data item in an XBRL document -Taxonomy: set of files that defines the various elements and the relationships between them (XBRL taxonomies are classification schemes) -Schema: a part of the taxonomy which is a file that contains the definition of every element that could appear in an instance document

Potential Threats in the General Ledger System

-Improperly prepared journal entries -Unposted journal entries -Debits do not equal Credits -Subsidiary ledgers not equal to G/L control accounts -Inappropriate access to the G/L -Lost or damaged data -Account balances that are misstated because of unauthorized or incorrect journal vouchers

Independent Checks

-Independent checks on performance, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately -They include: 1. Top-level reviews 2. Analytical reviews 3. Reconciliation of independently maintained records 4. Comparison of actual quantities with recorded amounts 5. Double-entry accounting 6. Independent review -->Must involve either a second person, second set of documents/records, or second process

Input Controls Overview

-Input controls are need to verify the validity of data -Designed into the system at different points in the business process, depending on whether the data is processed in real time or batch. -Prevent and detect errors that occur when transaction data is input prior to data processing -They encompass: 1. Forms -Source documents and other forms should be designed to minimize the chance of errors and omissions -Examples include sequentially numbered and turnaround documents -Source documents that have been entered into the system should be canceled so they cannot inadvertently or fraudulently reentered in the system 2. Data entry controls -Field, sign, limit, range, size, completeness, validity, etc -Bach processing: financial and hash total, record count -Online data entry controls: prompting and closed-loop verification

Control Activites

-Policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out -Control activities are grouped by COSO into 2 distinct categories: 1. IT Controls -relates specifically to the information systems/AIS environment 2. Physical Controls -primarily pertain to business processes (human/manual activities)

Importance of Application Controls

-Pre-SOX, many organizations placed all their reliance on manual controls and failed to consider the risks that existed within their IT systems. -The Challenge: companies were relying on their systems without understanding how the systems supported their financial and tax reporting objectives. -The Result: this practice was a significant oversight and led to material weaknesses in internal control.

Information and Communication and SAS 109

-SAS 109 requires that we, as external parties, obtain sufficient knowledge of the AIS to understand: 1. The classes of transactions that are material -how these transactions are initiated -the accounting records and accounts used in processing 2. The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements (i.e. account walkthroughs) 3. The financial reporting process used to compile financial statements, disclosures, and estimates

XBRL: Extensible Business Reporting Language

-Special programming language designed specifically to facilitate the communication of business information (an XML-based language for standardizing methods for preparing, publishing, and exchanging financial information) -Before XBRL, computers could not automatically process the digital paper reports until it was entered manually -XBRL changes that by encoding information about what a particular data item means so that other computer programs can understand what to do -Instance Document: the XBRL file containing the tagged data deliver to users; contains facts about specific financial statement line items and whether the value is for a specific point in time -Advantages include: 1. Companies publish financial information once! 2. Computers read and interpret the tagged data, so users are not re-keying data 3. Consumers (you and me) import XBRL documents into internal databases and analysis tools to greatly facilitate the decision-making process.

Why do we need spreadsheet controls?

-Spreadsheets lack system-wide, general controls -Almost any employee can create, access, manipulate, and distribute spreadsheet data -As a result, any employee can make a critical error while manually entering data, creating formulas, changing cell references. -->Balance must be struck between: 1. Control in the hands of end-users 2. Proper Internal Controls & Standards

Processing Integrity

-States that a reliable system is one that produces information that is accurate, complete, timely, and valid -Requires controls over the input, processing, and output of data

Inherent Limitations of Internal Controls

-Susceptibility to simple errors and mistakes -Faulty judgements and decision making -Management overrides -Collusion

COSO

-The authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities -Developed two frameworks: Internal Control-Integrated Framework (IC) and Enterprise Risk Management-Integrated Framework (ERM) -5 components of IC include: 1. Control Environment 2. Control Activities 3. Risk Assessment 4. Information and Communication 5. Monitoring

Enterprise Risk Management

-The process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals -Basic principles include: 1. Companies are formed to create value for their owners 2. Manage uncertainty as it creates value 3. Uncertainty results in risk 4. Uncertainty results in opportunity -->Takes a risk based approach rather than a controls based approach and adds three additional elements to COSO's IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risks

Batch Processing

-Transactions are processed in groups during off-peak processing times to maximize network capacity. -Processing occurs in three separate stages: 1. Data is entered (input stage) 2. Master file is updated (processing stage) 3. System-generated reports are produced (output stage)

AIS Revenue Sub-systems

-Two economic events occur: physical and financial -Subsystems are created to manage the individual events 1. Sales Subsystem: delivery of goods to customer-->Physical 2. Cash Receipts System: receipt of payment from customer-->Financial -Time lag exists between transfer of the physical asset and the receipt of the financial asset from the customer

User-Developed Applications (UDAs)

-UDAs can be simple calculations, macros, or complex spreadsheets that gather financial data. -Examples: Spreadsheets, Query tools, SQL scripts, and, Databases developed, maintained and used by end-users (not IT developed). -Typically these applications are used by business units to process data for financial reporting purposes. -Currently, UDAs are developed by end users on an ad hoc basis without consultation from internal audit or consideration of IT controls and management approvals

Independent Verification

-Verify the accuracy and completeness of tasks that are performed in the revenue cycle. -Independent verification must occur at key points in the process -Errors can be detected quickly and corrected prior to the next step in the process

XBRL Implications on the Accounting Profession

-taxonomy errors: invalid mapping may cause material misrepresentation of financial data (XBRL Errors) -validation of instance documents: ensure that appropriate taxonomy and tags have been applied (#1 bottleneck) -audit scope and timeframe: unknown potential impact on auditor responsibility as a consequence of real-time distribution of financial statements

Cash Disbursement-Financial Process Overview

1. Accounts Payable reviews Voucher packages each day, identifies items due, sends supporting documents to cash disbursements department. 2. Cash Disbursements reviews documents for completeness and accuracy and prepares the payment for approval and signature. 3. Accounts Payable removes the liability from AP sub-ledger and sends AP summary to GL department. 4. General ledger department posts to the general ledger control accounts and files the documents.

Adjusting Entries

1. Accruals - reflect events that have occurred for which cash has not yet been paid/received. -Examples: wages payable 2. Deferrals - reflect the exchange of cash prior to performance of the related event. -Examples: unearned revenue 3. Estimates - reflect a portion of expenses expected to occur over a number of accounting periods -Examples: bad debt 4. Revaluations - reflect differences between actual and recorded value of an asset or change in accounting principle 5. Corrections - entries made to correct errors in the GL

Key Duties to Segregate

1. Approving changes to customer credit and sales order entry. -If both duties are performed by the same person, they could authorize sales to friends/family that are subsequently not paid. 2. Shipping and billing. -If the same person performs both duties, they could ship merchandise to friends/family without billing them. 3. Depositing customer payments and recording accounts receivable. If the same person performs both duties, they could commit the fraud known as lapping (stealing payments and covering it up by adjusting the accounts so that the customer does not complain about a missing credit). 4. Depositing customer payments and issuing credit memos -If the same person performs both duties, they could steal payments and create a credit memo to cover up the theft and adjust the customer's account so that they do not complain about a missing credit. 5. Depositing customer payments and reconciling the bank account -If the same person did both duties, they could steal cash and cover up the difference by listing fraudulent bank expenses to adjust the cash balance. 6. Recording accounts receivable and issuing credit memos. -If the same person performed both tasks, they could write off their friends' and family's accounts receivable.

Batch vs. Real-Time General Ledger Systems

1. Batch GL systems -Transaction processing applications summarize and capture transactions in journal vouchers where they are held, reviewed, and later posted to the GL. -->Journal vouchers are the authorization and source of GL postings. 2. Real-Time GL systems (SAP) - Each transaction posted directly to the general ledger and a journal voucher is created concurrently as an SAP Document. -->Journal voucher in this system does not authorize a GL entry. Rather, it provides a posting reference and audit trail, linking GL summary account to transactions.

Why is it hard to implement controls for UDAs?

1. Complexity of spreadsheet 2. Purpose and use is unknown 3. Number of spreadsheet users 4. Abundance of errors 5. Lack of documentation 6. Frequency and extent of changes 7. Development and testing of the spreadsheet before utilization is not performed and/or documented

Aspects of SOX

1. Creation of the PCAOB: controls the auditing profession 2. New rules for auditors 3. New roles for audit committees 4. New rules for management 5. New internal control requirements

Processing Controls Examples

1. Data Matching Multiple data values must match before processing occurs. 2. File Labels Ensure correct and most current file is being updated. 3. Cross-Footing and Zero Balance Tests Compute totals using multiple methods to ensure the same results. 4. Write Protection Eliminate possibility of overwriting or erasing existing data. 5. Concurrent Update Locking records or fields when they are being updated so multiple users are not updating at the same time.

Risk Categories of UDAs

1. Data integrity risks -no balancing or change management controls 2. Availability risk -UDAs may not be part of the IT backup process 3. Confidentiality risk -No control over transmission of data outside the company

Why do we need internal controls?

1. Data is not adequately protected 2. Information is available to large number of workers 3. Information is distributed across corporate networks 4. Information is available to customers and suppliers

Examples of Input Controls

1. Field check Characters are proper type? Text (alpha), Integer (numeric), date 2. Sign check Proper arithmetic sign? 3. Limit check Input checked against fixed value? 4. Range check Input within low and high range value? 5. Size check Input fit within field? 6. Completeness check Have all required data been entered? 7. Validity check Input compared with master data to confirm existence 8. Reasonableness check Logical comparisons 9. Check digit verification Computed from input value to catch typo errors 10. Close-loop verification Uses input data to retrieve and display related data

Categories of Internal Controls

1. General Controls: make sure an organization's control environment is stable and well managed 2. Application Controls: make sure transactions are processed correctly -Concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported

Step 2: Risk Assessment

1. Impact -Considerations for assess impact include total dollar value processed by the spreadsheet and purpose of the spreadsheet output 2. Likelihood -Consideration for assessing likelihood include complexity of the spreadsheet, number of users of the spreadsheet, and frequency of changes to the spreadsheet

Spreadsheet Risks

1. Improper use of spreadsheet calculations 2. Spreadsheet failure due to corrupted or damaged file 3. Inappropriate or unintentional changes to spreadsheet data and formulas 4. Incorrect or incomplete data being used in calculations 5. Inappropriate or unintentional changes by inappropriate personnel accessing spreadsheets 6. Use of dated or unapproved versions 7. Historical data is lost or corrupted 8. Complex spreadsheets are developed ad-hoc and errors go undetected 9. Errors are detected after the financial statements and tax reporting have been released

What can go wrong when there are not input control?

1. Input errors carry through the entire process 2. Most human involvement occurs in the input stage 3. Easiest place to insert fictitious transactions 4. Easiest place to alter data (intentionally or unintentionally) 5. Easiest place to lose data

ERM's Framework

1. Internal Environment 2. Objective Setting 3. Event Identification 4. Risk Assessment 5. Risk Response 6. Control Activities 7. Information and Communication 8. Monitoring 3 new elements are Setting objectives, identifying events, and developing a response (SID)

What are spreadsheets used for?

1. Operational -track and monitor workflow of business processes -ex: unpaid invoices 2. Analytical -supports analytical review for management decision making 3. Financial -used to quantify financial statement transactions or adequacy of balances in the general ledger

Functions of Internal Controls

1. Preventive Controls: deter problems before they arise Ex: segregation of dutiesm asset accessm hiring policies 2. Detective Controls: discover problems that are not prevented Ex: preparing account reconciliations, balancing 3. Corrective Controls: identify and correct problems as well as correct and recover from the resulting errors Ex: correcting data entry errors and GL account misclassifications -->Preventive Controls are superior to detective controls

Where does Segregation of Duties take place?

1. Sales Order Processing -credit authorization separate from sales order processing -warehouse separate from shipping -accounts receivable sub-ledger separate from general ledger control account 2. Cash Receipts Processing -cash receipts separate from accounts receivable -accounts receivable sub-ledger separate from general ledger

AICPA Trust Services Framework

1. Security (Textbook pages 200 - 224) Access to the system and its data is controlled and restricted to legitimate users. 2. Confidentiality (Textbook pages 234 - 249) Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure. 3. Privacy (Textbook pages 234 - 249) Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.

What is an effective control environment?

1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. -->Points of focus: tone at the top, establishes standards of conduct, evaluate adherence to standards, and addresses deviations in timely manner

What is effective monitoring?

1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Purchasing Segregation of Duties

1. Transaction authorization should be separate from transaction processing 2. Asset custody should be separate from asset receiving 3. Recording of journals and ledgers are separately maintained from the General Ledger Rule 1: Inventory Control (requisitioning) is separate from purchasing Rule 2: Receiving is separate from Accounts Payable (recording in subledger) Rule 3: Accounts payable is separate from General Ledger

Three Rules of Segregation of Duties

1. Transaction authorization should be separate from transaction processing. 2. Asset custody should be separate from asset recording. 3. Recording of journals and ledgers are separately maintained from the GL

Importan General Ledger Control Procedures

1. Transaction authorization: -journal vouchers must be authorized by a manager in each recording dept 2. Segregation of duties: -G/L clerks should not: have recording responsibility for special journals or subsidiary ledgers prepare journal vouchers have custody of physical assets

Output Controls

1. User review of output 2. Reconciliation procedures 3. External data reconciliation 4. Data transmission controls -Checksums -Parity Bits

Key Independent Verification Controls

Controls exist at the following points: 1. Shipping reconciles the picking ticket document and packing slip with the sales order and verifies the goods sent from the warehouse are correct in type and quantity 2. Billing reconciles the shipping advice with the sales order before preparing the sales invoice 3. General Ledger reconciles journal vouchers from billing, inventory control, cash receipts, and accounts receivable before posting to the general ledger.

Event Identificaiton

Event= an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives -Represent uncertainty

Functions of a GL and Reporting System

General ledger systems should: 1. Collect transaction data promptly and accurately. 2. Classify/code data and accounts. 3. Validate collected transactions/ maintain accounting controls (e.g., debits = credits). 4. Process transaction data -post transactions to proper accounts -update general ledger accounts and transaction files -record adjustments to accounts 6. Store transaction data. 7. Generate timely financial reports

Online/Real Time Processing

Online, real-time processing characteristics: 1. Transactions are processed individually as they occur 2. All data processing steps (input, processing, output) take place at one time as the transaction is processed 3. Requires an online (networked) environment, so the master file account codes are available during data entry and can be verified -->As can be seen, Input Controls are critical: Validity, Reasonableness, and Closed Loop

What does pencils down mean and why is it important?

Pencils down refers to the number of business days prior to a planned filing when an outsourced XBRL solution provider requires a final version of the document

What is the most challenging aspect of XBRL for large accelerated filers?

Proper Handling of Negative Values

How do we mitigate UDAs risk?

SOX 404 5 step approach 1. Inventory Spreadsheets 2. Risk Assessment 3. Determine necessary level of controls for key spreadsheets 4. Evaluate existing controls for each spreadsheet 5. Develop action plans for remediation of control deficiencies

Audit Trail

Source Document--> Journal--> General Ledger--> Financial Statements And backwards

Control Objectives for Information and Related Technology (COBIT)

The COBIT Framework consolidates systems security and control standards into a single framework. This allows management to benchmark security and control practices of IT environments, users to be assured that adequate IT security and control exist, and auditors to substantiate their internal control opinions and to advise on IT security and control matters. The framework addresses control from three vantage points: 1. Business objectives, to ensure information conforms to and maps into business objectives. 2. IT resources, including people, application systems, technology, facilities, and data. 3. IT processes, including </planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.

Transaction Authorization

The first step of a business process is authorization and is comprised of: 1. External authorization - the request to initiate a transaction must come from a third party - a person or department that is not involved in processing the transaction 2. Internal authorization - the initiating request is independently reviewed to ensure that it is consistent with management's policies and objectives

Step 1: Inventory Spreadsheets

The inventory should include: 1. Name of the spreadsheet 2. Brief description and financial amounts calculated 3. Department responsible for the spreadsheet as well as any other department that utilizes it 4. Frequency and extent of changes to the spreadsheet -->list all spreadsheets used in the process (use flowcharts and DFDs to identify files used)

Internal Control

The process implemented to provide reasonable assurance that the following objectives are achieved: 1) Safeguard assets 2) Maintain records in sufficient detail 3) Provide accurate and reliable information 4) Prepare financial reports in accordance -All above are financial objectives 5) Promote and improve operational efficiency 6) Encourage adherence to prescribed managerial policies 7) Comply with applicable laws and regulations -5 through 7 are operational objectives

Billing Threats and Controls

Threats: 1. Failure to bill 2. Billing errors 3. Posting errors in accounts receivable 4. Inaccurate or invalid credit memos Controls: 1.1 Separation of billing and shipping functions 1.2 Period reconciliations of invoices with sales orders, picking tickets, and shipping documents 2.1 Configuration of system to automatically enter pricing data 2.2 Restriction of access to pricing master data 2.3 Mailing of monthly statements to customers 2.4 Reconciliation of subsidiary accounts to general ledger 3.1 Data entry controls 3.2 Reconciliation of batch totals 3.3 Mailing of monthly statements to customers 3.4 Reconciliation of subsidiary accounts to general ledger 4.1 Segregation of duties of credit memo authorization from both sales order entry and customer account maintenance 4.2 Configuration of system to block credit memos

General Ledger and Reporting System Threats and Controls

Threats: 1. Inaccurate or invalid general ledger data 2. Unauthorized disclosure of financial statement 3. Loss or destruction of data Controls: 1.1 Data processing integrity controls 2.1 Access controls 3.1 Backups

Threats and Controls for the General Issues throughout the Expenditure Cycle

Threats: 1. Inaccurate or invalid master data 2. Unauthorized disclosure of sensitive information 3. Loss or destruction of data 4. Poor Performance Controls: 1.1 Data processing integrity controls 1.2 Restriction of access to master data 1.3 Review of all changes to master data 2.1 Access controls 2.2 Encryption 3.1 Backup and disaster recovery procedures 4.1 Managerial reports

Threats and Controls Throughout the Entire Revenue Cycle

Threats: 1. Inaccurate or invalid master data 2. Unauthorized disclosure of sensitive information 3. Loss or destruction of data 4. Poor performance Controls: 1.1 Data processing integrity controls 1.2 Restriction of access to master data 1.3. Review of all changes to master data 2.1 Access controls 2.2 Encryption 3.1 Backup and disaster recovery procedures 4.1 Managerial reports

Sales Order Entry Threats and Controls

Threats: 1. Incomplete/inaccurate orders 2. Invalid orders 3. Uncollectible amount 4. Stockouts or excess inventory 5. Loss of customers Controls: 1.1 Data entry edit controls 1.2 Restriction of access to master data 2.1 Digital signatures or written signatures 3.1 Credit limits 3.2 Specific authorization to approve sales to new customers or sales that exceed a customer's credit limit 3.3 Aging of accounts receivable 4.1 Perpetual physical counts of inventory 4.2 Use of bar codes or RFID 4.3 Training 4.4 Period physical counts of inventory 4.5 Sales forecasts and activity reports 5.1 Customer Relationship Management (CRM), self-help web sites, and proper evaluation of customer service ratings

Warehouse/Shipping Threats and Controls

Threats: 1. Picking the wrong items or the wrong quantity 2. Theft of inventory 3. Shipping errors (delay, wrong quantities, wrong items, wrong address, duplication) Controls: 1.1 Bar-Code and RFID technology 1.2 Reconciliation of picking lists to sales order details 2.1 Restriction of physical access to inventory 2.2 Documentation of all inventory transfers 2.3 RFID and bar-code technology 2.4 Periodic physical counts of inventory and reconciliation to recorded quantities 3.1 Reconciliation of shipping documents with sales orders, picking lists, and packing slips 3.2 Use RFID systems to identify delays 3.3 Data entry via bar-code scanners or RFID 3.4 Data entry edit controls 3.5 Configuration of ERP system to prevent duplicate systems

Cash Collections Threats and Controls

Threats: 1. Theft of Cash 2. Cash flow problems Controls: 1.1 Separation of cash handling function from accounts receivable and credit functions 1.2 Regular reconciliation of bank account 1.3 Lockboxes 1.4 Prompt, restrictive endorsement of all customer checks 1.5 Having two people open all mail 1.6 Use of cash registers 1.7 Daily deposit of all cash receipts 2.1 Lockbox 2.2 Discounts for prompt payment 2.3 Cash flow budgets

Receiving Threats and Controls

Threats: 12. Accepting unordered items 13. Mistakes in counting 14. Verifying receipt of services 15. Theft Controls: 13.1 Do not inform employees of quantity ordered 14.1 Budgets 14.2 Audits 15.1 Restriction of physical access to inventory 15.4 Segregation of duties

Accounts Payable Threats and Controls

Threats: 16. Errors in supplier invoices 17. Mistakes in posting to accounts payable Controls: 16.1 Verification of invoice accuracy 17.1 Data entry edit controls

Purchasing Threats and Controls

Threats: 5. Inaccurate inventory record 6. Purchasing items not needed 7. Purchasing at inflated prices 8. Purchasing goods of inferior quality 9.Unreliable supplier 10. Purchasing from unauthorized suppliers 11. Kickbacks Controls: 5.1 Perpetual Inventory System 5.2 RFID and Bar-Coding 6.1 Perpetual inventory system 6.2 Review and approval of purchase requisitions 7.1 Price lists 7.2 Competitive bidding 8.1 Purchasing only from approved suppliers 9.1 Requiring suppliers to possess quality certification 10.1 Maintaining a list of approved suppliers

Benefits of UDAs

UDAs are extensively used for these reasons: 1. Access to data is readily available 2. Files are easily customizable 3. Less costly to develop and maintain by end-users 4. No need for consultation with the IT department

Who is the leading XBRL solution provider based on satisfaction rates?

WebFilings

Authorization Controls

Within the revenue cycle, authorization controls should be present when: 1. a sale is made on credit 2. a refund is requested 3. cash payment received and posted to a customer's account