Internal controls (14)
Types of Controls in ICOFR (3)
- business process controls
- monitoring control
- financial reporting control
Limitation of management control
- failure to link to organization objectives
- poor assumptions
- no accountability
- communication breakdowns
- top management circumvention
Internal control attributes (5)
- ongoing process
- management's responsibility
- hardly ever totally effective in eliminating all risk (reasonable assurance, not absolute protection)
- reduces the potential for negative consequences of risk
- increases the org's ability to achieve its objectives
types of process controls (5)
- process performance reviews
- processing controls
- application controls
- physical controls (limit access)
- segregation of duties
ICOFR objectives: Reduce the risk of errors in financial reporting
- accurately report routine transactions (revenue)
- conformity with GAAP
- prevent fraud
- serve as general control over ITGC
- facilitates estimation process for non-routine transactions
- facilitate period-end close and preparation of financial statements
application controls
- authorization
- use of documents and records
errors and fraud differing in manual vs auto
- frauds can be built into design and are difficult to detect
- errors might not surface for lagged period
- unauthorized access to information is a significant risk
control objectives (3)
- improve the effectiveness of decision making and the efficiency of business processes
- increase the reliability of information
- comply with laws, regulations and contractual obligations
types of management controls
- top-level reviews
- performance indicators & benchmarking
- independent evaluations
Implications of Residual Risk (5)
1. conditions expectations about financial results
2. suggest potential financial misstatements
3. raises concerns about viability
4. indicates proper threats to the control environment
5. highlights potential comments for client
Characteristics of good control activities (5)
1. separation of duties
2. proper authorization
3. adequate documents and records
4. physical control over assets and records
5. independent checks on performance
business process control
Authorizing specific transactions and capturing information at the point that a transaction occurs (e.g., linking the invoicing system to the sales journal).
Operations
Contingency planning (backup/offsite storage)
IT General controls (auto system control)
Controls that are indirect to the actual system application ("Wall" built around the application)
Preventive
Controls that are put in place to avoid material misstatements. EX: segregation of duties, approvals
Detective
Controls that are put in place to discover or identify material misstatements. EX: reconciliations, reviews, inventory counts
Corrective
Controls that are put in place to remove material misstatements that were discovered by detective controls. Example: backups of master file, corrective journal entries, updating password access after firings
Financial Reporting Controls
Estimating accruals, making adjusting entries, and preparing disclosures and reports.
Development of systems
How designed, tested, and placed in operation (Formal Procedures)
Changes to systems
How modified once application in place (separation of duties/testing of changes)
process performance review example (process control types)
KPIs and detailed reviews
Performance indicators (i.e., KPIs) and benchmarking (management controls)
Potential inventory valuation problems arising from competition or new entrants may be indicated by looking at the rate at which inventory is being sold, disaggregated by product line and geographic region
Monitoring Controls
Provide periodic performance reports to process owners and can lead to managerial intervention when problems occur (e.g., KPIs, performance reports).
PCAOB Standard No. 5
Requires audits to include opinions on financial statements and ICFR (based on SOX 404)
Access to programs and data (ITGC - ctrls within auto system)
Security issues (passwords/firewalls/encryption)
Top-level reviews
Senior management periodically reviewing the results of operations against forecasts and budgets and quickly following up on potential problems
Input controls
The key objective associated with the front end of an application
threat to mgt override (auto vs manual)
Those who design or program can have a significant impact on risk of fraud if they are able to circumvent controls
Independent evaluations (management control)
Unfavorable budget variances may not be followed up aggressively unless brought to the attention of someone who is independent of the process creating the variances
Output controls
What are the key objectives associated with the results of transactions and systems performance?
Process controls
What are the key objectives associated with the actual transaction processing and master file maintenance?
control definition
a control is a process that "comprises an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the org's objectives."
significant deficiency (auditor reporting)
a deficiency that has more than a remote likelihood of leading to a misstatement that is consequential but not material
material weakness (adverse ICOFR opinion)
a deficiency with more than a remote likelihood of leading to a material misstatement
You can plot risk with and without ________ on a risk map
controls
application controls
controls built into application (often prepackaged and documented)
compensating (control)
controls that can be relied upon to reduce the risk that an existing material weakness results in a material misstatement
redundant
controls that cover the same financial statement assertion or control objective
complementary
controls that function together
management controls
controls that mitigate risks to the organization and promote effectiveness of decision making activities
manual controls
do not use information technology. EX: bank recs, reviews
segregation of duties
employees should have different duties for things like authorization (responsible for only one)
segregation of duties
employees should only be responsible for one of the following operational decisions, authorization, custody of assets, and accounting transactions
physical controls
limiting access
process controls have the ability to affect the ______ and ______ of risk
magnitude and likelihood
process controls
monitoring and reacting to process level risks (inventory count at Walmart)
processing controls
procedures and systems documentation
automated control
within a system. EX: system report over inventory level fluctuations
manual control with an automated component inventory example
you get the inventory report and then a human supervisor signs off on it