Many managers, supervisors and accountants in business, government or nonprofits are not able to identify their departmental policies and procedures that function as the primary controls against errors and fraud. On the other hand, auditors performing fieldwork may be confused as to how to interpret and evaluate management’s documentation of accounting processes and controls. And neither party may truly understand how their duties differ.
This course is designed to give participants a solid understanding of systems and control documentation at the significant process level. After an overview of the latest COSO guidance on the components and principles of effective internal control, this course introduces participants to basic tools used to document an accounting process. Participants then identify the risks of errors and fraud in the accounting system and the presence (or absence) of compensating controls. Finally, participants will practice identifying key controls and control weaknesses.
Objective:
Prerequisite: None
Value Aid! Internal Control – Integrated Framework
Course Overview
This course is designed to give participants a solid understanding of systems and control documentation at the significant process level. After an overview of the latest COSO, SASs, and ASs guidance on the components and principles of effective internal control, this course introduces participants to basic tools used to document an accounting process. Participants then identify the risks of errors and fraud in the accounting system and the presence (or absence) of compensating controls. Finally, participants will practice identifying key controls and control weaknesses.
Chapter Summary
Chapter 1 – Internal Control for Smaller Entities
This chapter contains a list of auditors’ responsibilities under AS No. 2, An Audit of Internal
Control over Financial Reporting in Conjunction with an Audit of Financial Statements. This
chapter addresses characteristics of smaller public companies. The cost/benefit aspects of
internal control are illustrated by an example – one example uses probability theory and expected
value techniques in the analysis. Internal control challenges for small companies are addressed
and possible compensating controls to overcome these challenges are reviewed. Methods that
management can employ to enhance their efficiencies in assessing internal control are discussed.
Chapter 2 – The Auditing Standards Board and Internal Control
This chapter addresses the audit risk standards and implications for management and auditors of
non-public entities. It is stressed that the purpose of obtaining an understanding of internal
control is to assess risk. Various factors that should be considered when obtaining an
understanding of the entity and its environment are addressed. There is a discussion of risk
assessment procedures and a detailed discussion of one of the procedures – analytical review
procedures. The impact of the external auditor's assistance in preparing financial statements as a
control deficiency is stressed.
Chapter 3 – Internal Control Definition and Concepts
The various definitions of internal control provided by Congress, COSO, and the PCAOB are
discussed. An overview of the COSO framework is provided and the five elements of internal
control are reviewed. These five elements include the control environment, risk assessment,
control activities, information and communication, and monitoring. The relationship of internal
control to the entity’s objectives is presented by use of the COSO model. The three types of AS
No. 2 controls are discussed in detail and include company-level, account/transaction level, and
financial statement level controls.
Chapter 4 – The Control Environment – An In-Depth Review
The chapter provides an in-depth review of the control environment principles. These include
integrity and ethical values, board of directors, management’s philosophy and operating style,
organizational structure, financial reporting competencies, authority and responsibility, and
human resources. Antifraud controls are also addressed as this classification of controls is
contained in AS No. 2. The company-level controls contained in AS No. 2 are discussed in this
chapter. Numerous examples of company-level controls are provided and include, but are not
limited to, general IT controls, controls over the period-end financial reporting process, and
selection of accounting policies.
Chapter 5 – Risk Assessment and Fraud – An In-Depth Review
This chapter provides a detailed review of risk assessment and fraud. General sources of risk are
addressed in addition to the COSO principles related to risk assessment. The fraud risk factors
from SAS No. 99, categorized as to the fraud triangle components (pressure, opportunity,
rationalization), and also classified as to fraudulent financial reporting or misappropriation of
assets are presented in detail. Several examples of risks of misstatement of financial statements
are provided.
Chapter 6 – Control Activities – An In-Depth Review
There is a detailed review of control activities. Documentation of control activities is addressed.
Control activities in an IT environment are reviewed and include input, processing, and output
controls. The impact of IT system complexity on internal control is covered. The three types of
end-user computing and related risks, particularly with respect to the use of spreadsheets, are
reviewed. Examples of COSO and AS No. 2 control activities and principles are presented. The
application of SAS No. 109 and COSO to small and midsized entities is highlighted.
Chapter 7 – Information and Communication – An In-Depth Review
This chapter discusses information and communication. COSO’s principles and attributes of
information and communication are reviewed, together with SAS No. 109’s guidance on this
topic. The IT Governance Institute’s viewpoint on information and communication is also
presented.
Chapter 8 – Monitoring – An In-Depth Review
The COSO principles and attributes of monitoring are reviewed. Different types of monitoring
are addressed and include ongoing monitoring activities, separate evaluations, and reporting
deficiencies. The underlying conceptual framework contained in AS No. 2 for categorizing
deficiencies as either not significant, significant, or as a material weakness is presented in detail.
The de facto categorizations of deficiencies in AS No. 2 and SAS No. 112 as either significant or as a
material weakness are reviewed. The additional control deficiencies contained in the appendix to
SAS No. 112 are reviewed to provide a plethora of examples of control deficiencies. These
deficiencies are categorized as to whether they are deficiencies in design or deficiencies in
operation of internal control.
Chapter 9 – Documentation – Guidance and Tools
A detailed review is provided of the items that auditors are required to document under AS No. 2 for audits of public entities and SAS No. 103 for audits of non-public entities. Numerous documentation tools, including their related benefits and weaknesses, are reviewed and include internal control questionnaires, narratives, flowcharts, and control matrices. Numerous examples of systems are provided. The various documentation tools are used in mini cases to illustrate their application. The appendix contains an article that reviews a number of software packages commonly used by auditors and management to document internal control over financial reporting.
Chapter 10 – Illustrative Case
This chapter presents a case covering a portion of a revenue system in a manufacturing environment. The different documentation tools addressed in Chapter 10 are utilized to illustrate how the revenue system might be documented using questionnaires, flowcharts, narratives, and control matrices.
Chapter 1 Internal Control for Smaller Entities
Learning Objectives
Upon completion of this chapter you should be able to
Introduction
Internal control has been a major topic for corporate management and auditors of publicly held companies ever since the Sarbanes-Oxley Act of 2002 (SOX) was passed by Congress. SOX also established the Public Company Accounting Oversight Board (PCAOB), a private-sector, nonprofit corporation whose mission is to “oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports.”
To date, the PCAOB has issued four auditing standards. The one that has had the most significant impact on public companies is AS No. 2 – An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. This standard sets the following objective for auditors:
The auditor’s objective in an audit of internal control over financial reporting is to express an opinion on management’s assessment of the effectiveness of the company’s internal control over financial reporting.
AS 2 notes that, in order for the auditor to fulfill his/her responsibilities, management must
Typically, these companies have tested and evaluated their effectiveness of internal control over financial reporting using three methodologies:
Large publicly held companies that have already implemented AS No. 2 have made a significant investment in documenting and assessing internal control. A survey of corporate boards found that the average cost of SOX compliance was $16 million. The survey noted that GE reported $30 million in internal control requirements alone. AIG is spending $300 million a year on SOX.3
In response to the needs of smaller publicly held businesses and concern for cost containment, COSO has provided a report, Internal Control over Financial Reporting – Guidance for Smaller Public Companies. This report, which is also relevant to private companies and their auditors, is discussed below and has three volumes:
