Internal Control Essentials for Financial Managers, Accountants and Auditors

• Chapter 0 - Course Overview
  • Chapter Summary
• Chapter 1 - Internal Control for Smaller Entities
  • Learning Objectives
  • Introduction
  • Internal Control over Financial Reporting - Guidance for Companies
    • Smaller Company Characteristics
    • Cost/Benefit of Internal Control
    • How Internal Controls Benefit Small Public Companies
  • Internal Controls Appropriate for Smaller Companies
    • Segregation of Duties
    • Mitigation of Management Override Risk
    • Board of Directors
    • Qualified Accounting Personnel
    • Management's Focus on Accounting and Financial Reporting
    • Information Technology
    • Automated Controls
    • Monitoring Activities
  • Additional Efficiency Opportunities
    • Financial Reporting Objectives
    • Risk Assessment
    • Internal Control as an Integrated Process
    • Right-sizing Documentation
  • Summary
• Chapter 2 - The Auditing Standards Board and Internal Control
  • Learning Objectives
  • Auditing Standards Board - Beyond Internal Controls
    • Industry Controllers and the Audit Standards
  • Factors to Consider When Obtaining an Understanding of the Entity and Its Environment
  • Risk Assessment Procedures
  • Brainstorming
  • Inquiries
  • Analytical Procedures
    • Expectation Formulation
    • Identification, Investigation, and Evaluation
    • Possible Adjustments to Unadjusted Client Accounts
  • Observation and Inspection
  • Are Independent Auditors Part of the Entity's Internal Control?
  • Summary
• Chapter 3 - Internal Control Definitions and Concepts
  • Learning Objectives
  • Introduction
  • SOX Section 404
    • Auditing Standards Board's Definition of Internal Control
  • COSO Framework
  • COSO Definition of Internal Control
  • Auditing Standard No. 5 - Levels of Controls
    • Entity-Level Controls
    • Account/Process Level of Controls
    • A Combined Model
  • Summary
• Chapter 4 - The Control Environment - An In-Depth Review
  • Learning Objectives
  • Introduction
  • The Control Environment
    • Integrity and Ethical Values
    • Board of Directors
    • Management's Philosophy and Operating Style
    • Organizational Structure
    • Financial Reporting Competencies
    • Authority and Responsibility
    • Human Resources
  • Entity-Level Controls
  • Controls over the Period-End Financial Reporting Process
    • Spreadsheets
    • Selection of Accounting Policies
  • General IT Controls
  • Summary
• Chapter 5 - Risk Assessment and Fraud - An In-Depth Review
  • Learning Objectives
  • Introduction
  • Risk Assessment and Objectives
    • Risk Sources
  • COSO for Smaller Public Companies
  • Financial Reporting Objectives
  • Financial Reporting Risks
  • Fraud Risk
  • Risk Assessment - Application to Small and Midsized Entities
  • Examples of Risks of Misstatement of Financial Statements
    • Revenue Cycle Example - Flawed System Design - Errors
    • Expenditure Cycle - Flawed System Design - Errors
    • Cash Receipts Example - Flawed System Design - Misappropriation of Assets
    • Fraudulent Financial Reporting
  • Summary
• Chapter 6 - Control Activities - An In-Depth Review
  • Learning Objectives
  • Introduction
  • Control Activities
    • Integration with Risk Assessment
    • Selection and Development of Control Activities
    • Policies and Procedures
    • Documentation Issues - Management
  • Information Technology
  • Input Controls
    • Examples of Input Controls
  • Processing Controls
    • Examples of Processing Controls
  • Output Controls
  • Other Attributes of IT Controls
  • Complexity of IT
    • Complex IT System Characteristics
    • Less Complex IT System Characteristics
  • End-User Computing
    • Description
    • Advantages
    • Three Forms
    • Acquisition and Use of Hardware - Risks
    • Acquisition and Use of Software - Risks and Controls
    • Application Development - Risks
    • Logical Access to Sensitive Data - Risks
    • Physical Security of Data and Systems - Risks and Responses
  • COSO - Internal Control - Integrated Framework Control Activities
    • Type of Control Activities
    • Integration with Risk Assessment
    • Controls over Information Systems
    • Entity-specific Controls
  • Documentation of Account/Transaction Level Controls
  • Application to Small and Midsized Entities
  • Summary
• Chapter 7 - Information and Communication - An In-Depth Review
  • Learning Objectives
  • Introduction
  • Information and Communication
  • Financial Reporting Information
  • Internal Control Information
  • Internal Communication
  • External Communication
  • AU Section 314 - Information and Communication
    • Audit Requirements: Information and Communication
  • Automated and Manual Procedures
  • Communication
  • IT: Information and Communication
  • Information and Communication - Application to Small and Midsized Entities
  • Summary
• Chapter 8 - Monitoring - An In-Depth Review
  • Learning Objectives
  • Introduction
  • Monitoring
  • Attributes of the Principle
  • Reporting Deficiencies
  • Monitoring - COSO, Integrated Framework
  • Ongoing Monitoring
  • Separate Evaluations
    • Documentation in a Separate Evaluation
    • How to Conduct a Separate Evaluation
    • Reporting Deficiencies in a Separate Evaluation
    • AS No. 5's Categories of Deficiencies
  • Deficiencies that Are at Least Significant
  • Additional Control Deficiencies: AU Section 325A
  • Update to Standards on Communicating Internal Control Related Matters Identified in an Audit
  • Monitoring - AU Section 314
    • Audit Requirements and Monitoring
  • Monitoring - Application to Small and Midsized Entities
  • Summary
• Chapter 9 - Documentation - Guidance and Tools
  • Learning Objectives
  • Introduction
  • Internal Control Questionnaires
    • Internal Control Questionnaires Issues
  • Narratives
  • Flowcharts
  • Control Matrices
    • Example
  • Other Internal Control Documentation Tools
  • Summary
  • Appendix - "Choose the Right Tools for Internal Control Reporting"
• Chapter 10 - Illustrative Case
  • Learning Objective
  • Overview
  • Case
    • Narrative
    • Requirements
    • Solution to Case
• Chapter 11 - Latest Developments
• Appendix A - AU Section 314 - Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

731855

Chapter 0 - Course Overview

This course is designed to give participants a solid understanding of systems and control documentation at the significant process level. After an overview of the latest COSO, SAS, and PCAOB guidance on the components and principles of effective internal control, this course introduces participants to basic tools used to document an accounting process. Participants then identify the risks of errors and fraud in the accounting system and the presence (or absence) of compensating controls. Finally, participants will practice identifying key controls and control weaknesses.

The course is appropriate for both smaller public and non-public entities. Guidance in the course will assist those in smaller public companies in complying with the PCAOB's auditing standards. Additionally, this course will assist personnel in non-public entities and their external auditors in understanding how to apply the audit risk standards (SAS No. 104 to 111, which are integrated within AU Sections 150, 230, 311, 312, 314, 318, 326, and 350) and AU Section 325A (previously indexed as SAS No. 112) on reporting control deficiencies.

The focus of this course is not on the testing and reporting aspects of performing an audit of internal control over financial reporting in conjunction with an audit of financial statements as promulgated by the PCAOB's Auditing Standard No. 5, An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements.¹ Its objective is to provide the participant with the tools necessary to interpret basic internal control documentation, identify significant internal control risks, locate compensating controls, and identify key internal controls and weaknesses.

Chapter Summary

Chapter 1 – Internal Control for Smaller Entities
This chapter contains a list of auditors' responsibilities under AS No. 5. This chapter addresses characteristics of smaller public companies. The cost/benefit aspects of internal control are illustrated by an example – one example uses probability theory and expected value techniques in the analysis. Internal control challenges for small companies are addressed and possible compensating controls to overcome these challenges are reviewed. Methods that management can employ to enhance their efficiencies in assessing internal control are discussed.

Chapter 2 – The Auditing Standards Board and Internal Control
This chapter addresses the audit risk standards and implications for management and auditors of non-public entities. It is stressed that the purpose of obtaining an understanding of internal control is to assess risk. Various factors that should be considered when obtaining an understanding of the entity and its environment are addressed. There is a discussion of risk assessment procedures and a detailed discussion of one of the procedures – analytical review procedures. The impact of the external auditor assistance in preparing financial statements as a control deficiency is stressed.

Chapter 3 – Internal Control Definition and Concepts
The various definitions of internal control, provided by congress, COSO, and the PCAOB are discussed. An overview of the COSO framework is provided and the five elements of internal control are reviewed. These five elements include the control environment, risk assessment, control activities, information and communication, and monitoring. The relationship of internal control to the entity's objectives is presented by use of the COSO model. AS No. 5 controls are addressed in detail and include entity-level, account/transaction level, and financial statement level controls.

Chapter 4 – The Control Environment – An In-Depth Review
The chapter provides an in-depth review of the control environment principles. These include integrity and ethical values, board of directors, management's philosophy and operating style, organizational structure, financial reporting competencies, authority and responsibility, and human resources. Antifraud controls are also addressed as this classification of controls is contained in AS No. 5. AS No. 5's entity-level controls are explored in even more detail in this chapter. Numerous examples of entity-level controls are provided and include, but are not limited to, general IT controls, controls over the period-end financial reporting process, and selection of accounting policies.

Chapter 5 – Risk Assessment and Fraud – An In-Depth Review
This chapter provides a detailed review of risk assessment and fraud. General sources of risk are addressed in addition to the COSO principles related to risk assessment. The fraud risk factors from AU Section 316 (SAS No. 99), categorized as to the fraud triangle components (pressure, opportunity, rationalization), and also classified as to fraudulent financial reporting or misappropriation of assets are presented in detail. Several examples of risks of misstatement of financial statements are provided.

Chapter 6 – Control Activities – An In-Depth Review
There is a detailed review of control activities. Documentation of control activities is addressed. Control activities in an IT environment are reviewed and include input, processing, and output controls. The complexity of IT systems' impact on internal control is covered. The three types of end-user computing and related risks, particularly with respect to the use of spreadsheets, are reviewed. Examples of COSO and AS No. 5 control activities and principles are presented. The application of AU Section 314 (SAS No. 109) and COSO to small and midsized entities is highlighted.

Chapter 7 – Information and Communication – An In-Depth Review
This chapter discusses information and communication. COSO's principles and attributes of information and communication are reviewed, together with AU Section 314's guidance on this topic. The IT Governance Institute's viewpoint on information and communication is also presented.

Chapter 8 – Monitoring – An In-Depth Review
The COSO principles and attributes of monitoring are reviewed. Different types of monitoring are addressed and include ongoing monitoring activities, separate evaluations, and reporting deficiencies. The underlying conceptual framework for categorizing deficiencies as either not significant, significant, or as a material weakness is presented in detail. AS No. 5's and AU Section 325A's (SAS No. 112's) de facto categorizations of deficiencies as either significant deficiencies or as material weaknesses are reviewed. The additional control deficiencies contained in the appendix to AU Section 325A are reviewed to provide a plethora of examples of control deficiencies. These deficiencies are categorized as to whether they are deficiencies in design or deficiencies in operation of internal control.

Chapter 9 – Documentation – Guidance and Tools
Numerous documentation tools, including their related benefits and weaknesses, are reviewed and include internal control questionnaires, narratives, flowcharts, and control matrices. Numerous examples of systems are provided. The various documentation tools are used in minicases to serve as illustrations of applying the documentation tools. The appendix contains an article that reviews a number of software packages commonly used by auditors and management to document internal control over financial reporting.

Chapter 10 – Illustrative Case
This chapter is a case of a portion of a revenue system in a manufacturing environment. The different documentation tools addressed in Chapter 9 are utilized to illustrate how the revenue system might be documented using questionnaires, flowcharts, narratives, and control matrices.

Chapter 1 - Internal Control for Smaller Entities

Learning Objectives

Upon completion of this chapter you should be able to

• Identify characteristics of smaller entities, whether public, private, non-profit, or governmental.
• Understand ways to obtain cost efficiencies and effectiveness in internal controls in various types of smaller entities.
• Apply these concepts in a variety of small businesses and non-profits.
• Assess whether it is financially worth implementing a particular control or set of controls.

Introduction

Internal control has been a major topic for corporate management and auditors of publicly held companies ever since Sarbanes-Oxley Act of 2002 (SOX) was passed by Congress. SOX also established the Public Company Accounting Oversight Board (PCAOB), a private-sector, nonprofit corporation whose mission is to "oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports."

To date, the PCAOB has issued five auditing standards. The one that currently has the most significant impact on public companies is AS No. 5 – An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements.¹ This standard sets the following objective for auditors:

The auditor's objective in an audit of internal control over financial reporting is to express an opinion on management's assessment of the effectiveness of the company's internal control over financial reporting. 1 AS No. 5 supersedes AS No. 2 and is effective for audits of financial statement with years ending after November 15, 2007, with earlier adoption permitted and encouraged.

Management must:

1. Accept responsibility for the effectiveness of the company's internal control over financial reporting.

2. Evaluate the effectiveness of the company's internal control over financial reporting using suitable control criteria.²

3. Support its evaluation with sufficient evidence, including documentation.

4. Present a written assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year.³

Typically, these companies have tested and evaluated their effectiveness of internal control over financial reporting using three methodologies:

• Hiring a CPA firm, separate from the firm that performs the audit of financial statements and internal control over financial reporting, to provide these internal services;
• Increase the number of internal auditors and/or train existing internal auditors in SOX compliance work;
• Perform a control self-assessment – whereby the company uses staff and line personnel to do the SOX compliance work.

In response to the needs of smaller publicly held businesses and concern for cost containment, COSO has provided a report, Internal Control over Financial Reporting – Guidance for Smaller Public Companies. This report, which is also relevant to private companies and their auditors, is discussed below and has three volumes:

• Executive Summary
• Guidance
• Evaluation Tools

¹ AS No. 5 supersedes AS No. 2 and is effective for audits of financial statements ending on or after November 15, 2007, with earlier adoption permitted and encouraged.
² Many companies use the criteria contained in Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1992.
³ http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf

731855