Understanding Internal Control over Financial Reporting and

advertisement
Chapter 7
Understanding Internal Control
over Financial Reporting and
Auditing Design Effectiveness
Learning Objectives
1. Understand the value of effective internal control.
2. Learn the components and mechanisms of internal
control.
3. Describe the internal control-related requirements
imposed on management of public companies.
4. Analyze the relationship between management’s
assertions, ICFR, and activities of an integrated audit.
5. Explain the approach and steps an auditor uses to
understand a company’s ICFR and assess its design
effectiveness.
Audit Planning and Risk Assessment
Exhibit 7-1
Authoritative Sources for this Chapter




Sarbanes Oxley Act (SOX)
Securities and Exchange Commission (SEC)
Public Company Accounting Oversight Board (PCAOB)
American Institute of CPAs (AICPA)
 Statements on Auditing Standards (SAS)
 International Auditing and Assurance Standards
Board (IAASB)
 International Standards on Auditing (ISA)
 Committee of Sponsoring Organizations (COSO)
 Foreign Corrupt Practices Act, 1977 (FCPA)
Auditors and ICFR
 Auditor has to understand the client’s Internal
Control over Financial Reporting and assess the
effectiveness of its design:
 An important part of planning
 To be able to select which controls to test in
the audit and plan substantive audit
procedures
Corporate Accountants and ICFR
 Accountants inside a company need to understand
Internal Control over Financial Reporting because
good ICFR helps the company:
 use cost effective procedures
 manage costs of processing accounting information
 manage productivity of the company’s financial
functions
 maintain an effective financial control system
Definition of Internal Control over Financial Reporting
 Internal control over financial reporting is a subset
of the entire system of internal control
 Two important sources of definitions
 PCAOB’s definition in AS 5
 COSO’s definition in Internal Control Framework
 The COSO definition is broader than the PCAOB’s
definition
 …this makes sense because the PCAOB defines the
target of an audit, while COSO’s Internal Control
Framework is for more general use
PCAOB AS 5, Definition of Internal Control
 Internal control over financial reporting is a process
designed by, or under the supervision of, the
company’s principal executive and principal financial
officers, or persons performing similar functions, and
effected by the company’s board of directors,
management and other personnel, to provide
reasonable assurance regarding the reliability of
financial reporting and the preparation of financial
statements for external purposes in accordance with
GAAP and includes those policies and procedures
that --
PCAOB AS 5 Definition (continued)
 Pertain to the maintenance of records that, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of
the assets of the company;
 Provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles, and
that receipts and expenditures of the company are being made
only in accordance with authorizations of management and
directors of the company; and
 Provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use, or disposition of the
company’s assets that could have a material effect on the
financial statements
Investor Confidence and Internal Control
 In the simplest terms, investors can have much more
confidence in the reliability of a corporate financial
statement if corporate management demonstrates
that it exercises adequate control over
bookkeeping, the sufficiency of books and records
for the preparation of accurate financial statements,
adherence to rules about the use of company assets
and the possibility of misappropriation of company
assets.
(PCAOB Release 2004-001, p. 3)
Concepts from COSO Definition
 Internal control is a process. It is a means to an end,
not an end in itself.
 Internal control depends on people. It is not just
policy manuals and forms, but people at every level
of an organization.
 Internal control only provides reasonable assurance
– not absolute assurance.
 Internal control objectives may address single or
overlapping categories of internal control
components.
COSO Categories of Internal Control
 Reliability of financial reporting
 Directly relates to integrated audit goals
 Effectiveness and efficiency of operations
 Important to management
 Compliance with laws and regulations
 Less directly related to integrated audit
goals
 Important to management
Overview of the COSO IC Structure
 Control environment
 Risk assessment
 Control activities
 Information and communication
 Monitoring
The PCAOB uses these same categories in As 12, Identifying and Assessing
Risks of Material Misstatement.
Control Environment
 “Tone at the top”
 Integrity and ethical values
 Commitment to competence
 Board of Directors or audit committee participation
 Management’s philosophy and operating style
 Organizational structure
 Assignment of authority and responsibility
 Human resources policies
Risk Assessment
 Risks defined: Anything that can keep an
organization from achieving its objectives.
 Organization must set its objectives
 Organization must identify threats to achieving the
objectives
 Guidance to risk assessment is in the COSO
Enterprise Risk Management (ERM) Framework
 Risk can be
 From external and internal factors
 At entity and activity levels
Risk Assessment Considerations
 Significance or degree of impact of the
risk on the company
 Likelihood of the risk occurring or
frequency with which it may occur
 Best ways to manage the risk
Ways to Identify Risks
 Qualitative and quantitative approaches to identify
higher-risk activities
 Period review of economic and industry factors
 Business planning conferences and meetings
 Forecasting
 Strategic planning
External and Internal Sources of Risk
 External
 Technological developments
 Changing customer needs or expectations
 Competition
 New legislation and regulation
 Natural catastrophes
 Economic changes
 Internal
 Disruption in information systems processing
 Personnel: hiring, training, motivation
 Change in management responsibilities
 Entity’s activities and employee access to assets
 Unassertive or ineffective board or audit committee
Circumstances Demanding Special Risk Assessment Attention








Changed Operating Environment
New Personnel
New or Revamped Information Systems
Rapid Growth
New Technology
New Lines, Products, Activities
Corporate Restructurings
Foreign Operations
Control Activities
 Control activities defined: the policies and
procedures that help ensure management directives
are carried out
 Policies: establish what should be accomplished in
carrying out management’s directives to address
risk
 Procedures: the activities that should be followed to
carry out the policies
Categories of Control Activities
 Performance reviews
 Used to monitor the business, often on an ongoing basis
 Information processing
 Controls over use of IT to initiate, record, process and report transactions
and other financial data
 General and Application controls
 Physical controls
 Over assets and access to information
 Segregation of duties
 Assigning different people responsibility for authorizing transactions,
recording transactions and maintaining custody of assets
 Collusion is a threat to segregation of duties
Information and Communication
 Quality of Information
 Content appropriate: Is the needed information available?
 Information timely: Is it available when required?
 Information current: Is the latest information available?
 Information accurate: Are the data correct?
 Information accessible: Can the information be obtained
easily by the appropriate parties?
 Communication
 Tool for control related to ICFR
 Means of enabling achievement of the objectives of the
business
Monitoring
 Ongoing monitoring: those things that are
a part of running the business
 Separate monitoring: activities conducted
for the specific purpose of monitoring
 Tradeoff…the more ongoing monitoring
exists the less separate monitoring may
be needed
COSO Guidance on Monitoring Internal Control Systems
 Monitoring is a normal state of affairs in the
organization.
 Monitoring is a formal part of the organization.
 Someone has responsibility for developing
monitoring procedures.
 Employees execute monitoring activities and make
reports as a normal part of their jobs.
 Management assesses reports and take whatever
action is needed.
Management’s Responsibility for Internal Control
 Foreign Corrupt Practices Act, 1977
 Requires management of public companies to maintain
a system of control
 Sarbanes Oxley Act
 Section 302: management certification
 Section 404: management assessment, report and audit
 Dodd Frank Act
 Permanently exempts smaller public companies from the
requirement of having ICFR audited; retains
management requirement to assess ICFR and report
SOX Section 302 Management Certification
 Specific officers or those with officer functions must sign
 Reviewed the SEC filing; annual or quarterly report
 SEC filing does not include anything material that is untrue
 SEC filing does not omit anything material that makes statements untrue
 Fair financial reporting
 Management is responsible for internal control
 Controls permit people within the company to prepare the SEC reports
 Have evaluated effectiveness of ICFR within 90 days prior and are
presenting their conclusions
 Have told the auditor and audit committee about ICFR problems
 Have told the auditor and audit committee of management fraud
 Have reported any changes in internal control
 Have reported any events that occurred after the report date that may
affect internal control
SOX Section 404
 Annual SEC filing must include an internal control
report
 Report states management’s responsibility for internal
control and producing financial information
 Report includes management’s assessment at fiscal
year end about internal controls and procedures for
financial reporting
 SEC Interpretive Release 2007: No requirement that
management’s assessment be performed using the guidance in
the Interpretive Release, but the guidance provides an
acceptable way to perform the assessment of ICFR
SOX Section 404, Audits of ICFR
 ICFR must be audited for all companies except
those exempted by Dodd Frank
 Auditor must
 Be registered with PCAOB
 Attest to (audit) management’s report
 Follow PCAOB standards for an audit of ICFR
 Since SOX requires that the financial statement and
ICFR audit be one integrated engagement, the
same auditor must do both
Background to an Audit of ICFR
 Objective of an integrated audit report on ICFR
and the financial statements
 Opinion on the fairness of the financial statements
 Opinion on the effectiveness of ICFR
 Opinions can be in a combined or separate reports
 If the auditor disagrees with management’s assessment
this is added to the audit report
 Auditor must audit the financial statements to audit
ICFR
 Auditor uses information and conclusions from each part
of the audit in the other part of the audit
Approach to an Integrated Audit
 Identify what would make the financial statements materially
misstated.
 Focus on management’s assertions in understanding the
accounting system
 Identify
 …important controls….that address significant
risks…associated with management’s assertions
 Assess whether the controls are designed effectively so that, if
operating effectively, they can prevent or detect material
misstatements
 Test operating effectiveness of controls
 Perform substantive procedures
Assertions defined…
 Assertions are representations by
management, explicit or otherwise, that
are embodied in the financial statements,
as used by the auditor to consider the
different types of potential misstatements
that may occur.
ISA 315
Management’s Assertions
 PCAOB uses 5
 AICPA and IAASB use 13
 Auditors have to cover the important
concepts in the assertions, but otherwise
can express them however they choose
 …it is easy to see how both sets of
assertions cover the same concepts….
PCAOB Assertions: AS 15, Audit Evidence
 Existence or occurrence – Assets or liabilities of the company
exist at a given date, and recorded transactions have occurred
during a given period.
 Completeness – All transactions and accounts that should be
presented in the financial statements are included.
 Valuation or allocation – Asset, liability, equity, revenue, and
expense components have been included in the financial
statements at appropriate amounts.
 Rights and obligations – The company holds or controls rights
to the assets, and liabilities are obligations of the company at
a given date.
 Presentation and disclosure – The components of the financial
statements are properly classified, described, and disclosed.
AICPA and IAASB, 13 Assertions
 Classes of Transactions and Events
 Occurrence
 Completeness
 Accuracy
 Cutoff
 Classification
 Account Balances
 Existence
 Rights and Obligations
 Completeness
 Valuation and Allocation
 Presentation and Disclosure
 Occurrence, Rights, Obligations
 Completeness
 Classification and Understandability
 Accuracy and Valuation
Difference between 5 and 13…
 The AICPA and IAASB use additional terms:
 Accuracy, Cutoff, Classification, Understandability
 Explanations to consider:
 If an item posted is not accurate – including being posted in
the wrong period or to the wrong account --it either did not
occur as shown or the balance is incomplete
 If a disclosure is not accurate it cannot meet the
requirements for the presentation and disclosure assertion
 Proper classification is a part of the presentation and
disclosure assertion
 If an item is not understandable it cannot be properly
described under the presentation and disclosure assertion
Reminder: Use of Management Assertions
 Auditor identifies
 Significant accounts and disclosures
 Relevant assertions for those accounts and disclosures
 Auditor considers risks that might cause the assertions to be wrong
 Auditor looks for ICFR controls in place to prevent or detect any
misstatements resulting from the risks
 Auditor assesses whether controls are designed so that they can be
effective if they operate properly
 Audit continues with
 Selecting controls to test; considering whether to always rely on controls
in financial statement audit
 Deciding how controls tests should be performed
 Deciding on substantive procedures needed
Time Periods Covered by Audit Procedures
 For an audit opinion that ICFR is effective it must be effective
at fiscal year end
 ICFR must be effective at and for a period of time prior to
fiscal year end so that the auditor has confidence in the
conclusion
 To rely on ICFR in the financial statement audit, the auditor
must test ICFR for the entire period of reliance
 If ICFR was not effective throughout the entire financial period,
this affects the financial statement audit procedures
 Even in an integrated audit, the auditor may choose not to rely
on ICFR for an account, and consequently only test related
controls at fiscal year end
Evidence Related to ICFR
 Making inquiries of appropriate management,
supervisory, and staff personnel
 Inspecting company documents
 Observing the application of specific controls
 Tracing transactions through the information system
relevant to financial reporting
 Walkthroughs – a set of procedures performed
together; an efficient way to understand ICFR and
assess design effectiveness
Walkthroughs
 Tracing a transaction from origination until it is
reflected in the company’s financial records
 Includes inquiry and observation steps
 Information from a walkthrough:
 Who performs the control? Or, if automated, what system
 What is performed and why? What is the management assertion?
 When is the activity performed, including how often?
 What evidence is produced showing that the control occurred?
 How are problems or exceptions investigated and resolved?
Examples of Walkthrough Inquiries
 What do you do when you find an error?
 What are you looking for to determine if there is an
error?
 What kinds of errors have you found?
 What happens as a result of finding errors?
 How are errors resolved?
 Have you ever been asked to override the process or
controls? Is so, what happened and why did it occur?
Audit Documentation
 Audit documentation is the written record of the
auditor’s work.
 Information included in documentation:
 Planning and performance of the work
 Procedures performed
 Evidence obtained
 Conclusions reached
 Professional judgment is used to decide how
extensive audit documentation must be
AS 3 Documentation Requirements
 Demonstrate that the engagement complied with the
standards of the PCAOB
 Support the auditor’s conclusions concerning every
relevant financial statement assertion
 Nature, timing, extent and results of procedures
performed – means: what was done, when, by whom,
outcomes, reviewer, date of review
 Demonstrate that the underlying accounting records
agreed or reconciled with the financial statements
Characteristics that Cause More Documentation
 An audit task that is difficult to understand or
interpret
 An audit task that requires a lot of judgment
 An audit task that is very important to the audit
 A management assertion that has a lot of risk
Required Documentation of Contradicting Issues
 AS 3.8: In addition to the documentation necessary to support
the auditor’s final conclusions, audit documentation must include
information the auditor has identified relating to significant
findings or issues that is inconsistent with or contradicts the
auditor’s final conclusions. The relevant records to be retained
include, but are not limited to, procedures performed in
response to the information, and records, documentation,
consultations on, or resolutions of, differences in professional
judgment among members of the engagement team or
between the engagement team and others consulted.
Documentation of the Company’s ICFR
 SEC requires management to have significant
documentation to support its conclusions about ICFR
 Form of documentation varies depending on
company characteristics (size, complexity, etc.)
 Management can rely on documents it uses day-today or develop specific ICFR documentation
 Auditor may use company’s documentation to
advance understanding of the company and ICFR
assessment
ICFR Documentation Techniques Used





Flowcharts
Process models
Narrative descriptions
Job descriptions
Samples of transaction documents and forms,
procedures manuals, organization charts
 Questionnaires and checklists
Information in Management’s ICFR Documentation
 The design of controls over relevant assertions related to all
significant accounts and disclosures in the financial statements
 Information about how significant transactions are initiated,
authorized, recorded, processed, and reported
 Information about the flow of transactions to identify the points
at which material misstatements due to error or fraud could
occur
 Controls designed to prevent or detect fraud, including who
performs the controls and the related segregation of duties
 Controls over the safeguarding of assets
 The results of management’s testing and evaluation of ICFR
Entity Level Controls
 Pervasive controls; those that exist at the organization or
company level, but have an impact on controls at the process,
transaction, or application level
 Examples
 Controls related to the control environment
 Controls over management override
 The company’s risk assessment process
 Centralized processing and controls
 Controls over shared service environments
 Controls to monitor other controls
 Period-end financial reporting process controls
 Policies that address significant business control and risk management
practices
Three Categories of Entity-Level Controls
 1. Have an important, but indirect effect on the
likelihood that a misstatement will be detected or
prevented on a timely basis
 2. Monitor the effectiveness of other controls; might
identify breakdowns in lower-level controls but not
at a level of precision that would sufficiently
address the risk of material misstatements
 3. Operate at a level of precision that would
adequately prevent or detect on a timely basis
misstatements to one or more relevant assertions
Indicators of Audit Committee Function











Oversight of external financial reporting
Oversight of internal control over financial reporting
Independence of audit committee members from management
Clarity of responsibilities
Interaction with independent and internal auditors
Interaction with chief financial officer, chief accounting officer
Interaction with other key members of financial management
Questions asked of management and the auditor
Understanding of critical accounting policies
Understanding of accounting estimate judgments
Responsiveness to issues raised by the auditor (AS 2.57-58)
Anti-Fraud Controls
 Must be included in design of ICFR
 Discussed previously related to Fraud Triangle
 Controls that prevent, deter, and detect fraud
 Controls restraining misappropriation of assets
 Risk assessment processes
 Codes of ethics or conduct
 Adequacy of internal audit
 Adequacy of procedures for handling complaints and accepting
confidential communications on accounting and auditing matters
 Auditor evaluates all controls specifically directed
at the risk of fraud
 Inquiries of management, audit committee, internal auditors is an
important audit procedure
IT Impact on the Company and Auditor
 AS 12 identifies need for auditors to consider
manual and automated systems when understanding
the company and assessing risks
 Nature and extent of IT affects the risks and
therefore controls needed and audit steps
 IT might affect initiation, recording, processing and
reporting of financial information
 Alternatively, manual steps might affect approvals,
reviews of transactions, reconciliations and follow up
of reconciling items
IT Impact on Controls Needed
 Benefits of IT to Internal Control
 Consistent application of rules and complex calculations





Timeliness, availability and accuracy of information
Facilitates additional analysis of information
Enhances monitoring ability
Reduces risk that controls will be circumvented
Controls are used for applications, databases and operating systems
 Risks of IT to Internal Control
 Possibility of consistently incorrect processing
 Possibility of processing the wrong data
 Unauthorized access and changes to data and programs
 Failure to change systems or programs as intended
 Inappropriate manual intervention
 Potential loss of data
Period End Financial Reporting Process
 Must be considered in every ICFR audit
 Is always considered a significant process so the auditor must consider
controls
 Procedures that are a part of the period end financial
reporting process that the auditor evaluates
 Entering transaction totals into the general ledger
 Selecting and applying accounting policies
 Initiating, authorizing, recording and processing journal entries into
the general ledger
 Recording recurring and nonrecurring adjustments to the financial
statements
 Preparing financial statements and related disclosures
Timing of Period End ICFR Audit Procedures
 Audit tests of ICFR are performed while the process
is occurring.
 The client closes its books and prepares its financial
statements after fiscal year end.
 Period end financial reporting procedures occur and
are tested after fiscal year end, even though the
management report and auditor’s opinion are as of
fiscal year end.
Significant Accounts and Disclosures
 Auditor must determine what amount is material to
the financial statements; qualitative characteristics
also impact materiality
 Auditor can then identify significant accounts and
the relevant assertions for the accounts
 Relevant assertions are those that have a
reasonable possibility of containing a misstatement
that would cause the financial statements to be
materially misstated
 PCAOB Risk Assessment standards (2010) states that
relevance stems from inherent risk
Classes of Transactions
 One account may have different major classes of
transactions and relevant assertions may differ for
the classes
 For example, cash sales and sales on account include
different relevant assertions
 Another approach for identifying and
understanding major classes of transactions is
grouping them:
 Routine transactions
 Non-routine transactions
 Estimating transactions
Understanding Likely Sources of Misstatement
 After identifying material accounts and disclosures,
any major classes of transactions and relevant
assertions the auditor must understand likely sources
of misstatement
 From AS 2.74:
 Understand the flow of transactions, including how
transactions are initiated, authorized, recorded,
processed, and reported
 Identify the points with the process at which a
misstatement – including a misstatement due to fraud –
could arise
Last Steps of Understanding
 After identifying likely sources of misstatement…
 Auditor identifies controls management has
implemented in the system that are intended to
prevent each type of potential misstatement
 Auditor also identifies controls specifically intended
to prevent or detect unauthorized acquisition, use or
disposal of assets that could cause a material
financial statement misstatement
 IT is an integral part of the analysis – not a
separate audit step
IT Related to Likely Sources of Misstatement
Factors that impact the need for specialized IT
knowledge include:
Chapter 7-42
Learning Objective #5
Appendix A: Specifics of IT General Controls
 IT general controls (ITGC): IT policies and
procedures that apply throughout the entire
company
 Application controls are usually programmed
controls that are specific to a single process or
activity
 Entity-level vs. transaction-level controls are not the
same as IT general controls and IT application
controls
Relationship Among Different Control Types
Big Picture: Organization of ITGC
 Internal control environment
 Software acquisition
 Hardware acquisition
 Network technology acquisition
 Program development
 Program changes
 Computer operations
 Access to programs and data
 Software and interface controls
 Contingency controls
 Human resources
 Physical facilities controls
IT Control Environment
 Policies
 Licensing agreements
 Passwords
 Use of company resources, Internet, and e-mail
 Physical control over portable resources
 Social engineering issues
 Control breakdowns
 Use of third-party providers
 Segregation of Duties
 Monitoring
Acquisitions and Changes
 Software: plans, approval, company strategy,
compatibility, cost effectiveness
 Hardware and Network Technology: authorization
and approval, fit with needs, security
 Program Development and Changes: project
initiation, analyses and design, construction, testing
and quality assurance, data conversion,
documentation and training
Computer Operations
 Policies and procedures, includes organizational structure
 Batch processing and end user computing
 Batch: scheduling and planning functions
 “End user: authorized access
 Backup management, sophistication varies
 Data center controls
 Physical access, climate controls, lock up, passwords
 Capacity planning and performance issue management
 Short and long term planning, expected service level
 Recovery
 Appropriate plan, tested and updated as needed
Access and Interface
 Access to Programs and Data
 Password complexity and security
 Privacy policies
 Security in place and tested
 Security measures monitored
 Software and Interface Controls
 Denial of service attacks
 Intrusion detection controls
 Cookie policies and detection
Contingency Controls
 Backup Procedures
 Procedures for control breakdowns: incident detection,
reaction, damage limitation, analysis, recovery, future
monitoring
 Data backup procedures: full backups, incremental
backups, storage mediums – physical or electronic,
reconstruction of data
 Service interruption, disaster and recovery
 Backup or alternate power source
 Redundant computer processing system
 Identified responsible individual
Human Resources
 Hiring policies: recruiting, verifying information,
testing, interviewing
 Should address candidate ability and integrity
 Training: cross training, job rotations, mandatory
vacations, ongoing training
 Termination policies and controls
 Immediately revoking computer access and physical
access
 Change passwords and codes
 Send files to another manager
Physical Facilities








Protected environment
Climate control
Fire suppression and evacuation
Inconspicuous location
Limited access
Limited access to network administration offices
Lock up of critical equipment
Physically secure portable equipment, programming to limit
unauthorized access
 Store least possible amount of data on portable equipment
Appendix B: Enterprise Risk Management
 Enterprise Risk Management (ERM) framework
 September 2004, COSO
 ERM: a process, effected by an entity’s board of
directors, management and other personnel,
applied in a strategy setting and across the
enterprise, designed to identify potential events
that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives
ERM and Internal Control
 ERM addresses the environment within which controls
function
 Internal control is encompassed within and an
integral part of enterprise risk management.
Enterprise risk management is broader than internal
control, expanding and elaborating on internal
control to form a more robust conceptualization
focusing more fully on risk.
Categories of ERM Objectives




Strategic objectives
Operations objectives
Reporting objectives
Compliance objectives
Components of ERM








Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
Appendix C: ICFR in Smaller Public Companies
 Dodd Frank Act (2010) removed the requirement
for smaller public companies to have ICFR audited,
but management must still perform the assessment
and issue the report required by SOX 404
 Guidance on ICFR geared to smaller companies
 COSO, 2006 Guidance for Smaller Public Companies
 COSO, 2009 Guidance on Monitoring Internal Control Systems
 SEC Interpretive Release (Release 33-8810)
 AS 5 (replaced AS 2)
 PCAOB Staff Views, Guidance for Auditors of Smaller Public Companies
Common Characteristics of Smaller Companies






Fewer business lines
Less complex business processes
Less complex financial reporting system
More centralized accounting functions
Extensive involvement by senior management
Fewer levels of management with wide spans of
control
SEC Interpretive Release
 Fundamentals required of management to assess
ICFR effectiveness are not different for smaller
companies
 Identify risks
 Determine whether controls are in place that address
the risks
 Evaluate the operating effectiveness of the controls
 How the ICFR assessment activities are accomplished
may differ
Differences in Process
 Management can judge whether all aspects of ITGC
are relevant to financial reporting risks
 Only evaluate those that are important
 Documentation of controls and evidence selected
can vary based on management’s’ judgment of
importance
 Limited documentation may be created just for
assessment
 Emphasis placed on role of on-going monitoring
PCAOB Guidance
 Directed toward auditors not companies
 Includes characteristics of smaller companies that
are important considerations for auditors
 Use of entity-level controls to achieve control objectives
 Risk of management override
 Implementation of segregation of duties and
alternative controls
 Use of information technology (IT)
 Maintenance of financial reporting competencies
 Nature and extent of documentation
Download