Chapter 7: Understanding Internal Control over Financial Reporting and Auditing Design Effectiveness

Learning Objectives
1. Understand the value of effective internal control.
2. Learn the components and mechanisms of internal control.
3. Describe the internal control-related requirements imposed on management of public companies.
4. Analyze the relationship between management's assertions, ICFR, and activities of an integrated audit.
5. Explain the approach and steps an auditor uses to understand a company's ICFR and assess its design effectiveness.

Audit Planning and Risk Assessment

Exhibit 7-1: Authoritative Sources for this Chapter
- Sarbanes-Oxley Act (SOX)
- Securities and Exchange Commission (SEC)
- Public Company Accounting Oversight Board (PCAOB)
- American Institute of CPAs (AICPA), Statements on Auditing Standards (SAS)
- International Auditing and Assurance Standards Board (IAASB), International Standards on Auditing (ISA)
- Committee of Sponsoring Organizations (COSO)
- Foreign Corrupt Practices Act, 1977 (FCPA)

Auditors and ICFR
The auditor has to understand the client's Internal Control over Financial Reporting and assess the effectiveness of its design:
- An important part of planning
- Needed to select which controls to test in the audit and to plan substantive audit procedures

Corporate Accountants and ICFR
Accountants inside a company need to understand Internal Control over Financial Reporting because good ICFR helps the company:
- use cost-effective procedures
- manage costs of processing accounting information
- manage productivity of the company's financial functions
- maintain an effective financial control system

Definition of Internal Control over Financial Reporting
- Internal control over financial reporting is a subset of the entire system of internal control
- Two important sources of definitions:
  - PCAOB's definition in AS 5
  - COSO's definition in the Internal Control Framework
- The COSO definition is broader than the PCAOB's definition; this makes sense because the PCAOB defines the target of an audit, while COSO's Internal Control Framework is for more general use

PCAOB AS 5, Definition of Internal Control
Internal control over financial reporting is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that:
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

Investor Confidence and Internal Control
"In the simplest terms, investors can have much more confidence in the reliability of a corporate financial statement if corporate management demonstrates that it exercises adequate control over bookkeeping, the sufficiency of books and records for the preparation of accurate financial statements, adherence to rules about the use of company assets and the possibility of misappropriation of company assets." (PCAOB Release 2004-001, p. 3)

Concepts from the COSO Definition
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control depends on people. It is not just policy manuals and forms, but people at every level of an organization.
- Internal control only provides reasonable assurance, not absolute assurance.
- Internal control objectives may address single or overlapping categories of internal control components.

COSO Categories of Internal Control
- Reliability of financial reporting
  - Directly relates to integrated audit goals
- Effectiveness and efficiency of operations
  - Important to management
- Compliance with laws and regulations
  - Less directly related to integrated audit goals
  - Important to management

Overview of the COSO IC Structure
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
The PCAOB uses these same categories in AS 12, Identifying and Assessing Risks of Material Misstatement.

Control Environment ("Tone at the top")
- Integrity and ethical values
- Commitment to competence
- Board of Directors or audit committee participation
- Management's philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resources policies

Risk Assessment
- Risk defined: anything that can keep an organization from achieving its objectives.
- The organization must set its objectives
- The organization must identify threats to achieving the objectives
- Guidance on risk assessment is in the COSO Enterprise Risk Management (ERM) Framework
- Risk can be:
  - From external and internal factors
  - At entity and activity levels

Risk Assessment Considerations
- Significance or degree of impact of the risk on the company
- Likelihood of the risk occurring, or frequency with which it may occur
- Best ways to manage the risk

Ways to Identify Risks
- Qualitative and quantitative approaches to identify higher-risk activities
- Periodic review of economic and industry factors
- Business planning conferences and meetings
- Forecasting
- Strategic planning

External and Internal Sources of Risk
- External
  - Technological developments
  - Changing customer needs or expectations
  - Competition
  - New legislation and regulation
  - Natural catastrophes
  - Economic changes
- Internal
  - Disruption in information systems processing
  - Personnel: hiring, training, motivation
  - Change in management responsibilities
  - Entity's activities and employee access to assets
  - Unassertive or ineffective board or audit committee

Circumstances Demanding Special Risk Assessment Attention
- Changed operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New lines, products, activities
- Corporate restructurings
- Foreign operations

Control Activities
- Control activities defined: the policies and procedures that help ensure management directives are carried out
- Policies: establish what should be accomplished in carrying out management's directives to address risk
- Procedures: the activities that should be followed to carry out the policies

Categories of Control Activities
- Performance reviews
  - Used to monitor the business, often on an ongoing basis
- Information processing
  - Controls over use of IT to initiate, record, process and report transactions and other financial data
  - General and application controls
- Physical controls
  - Over assets and access to information
- Segregation of duties
  - Assigning different people responsibility for authorizing transactions, recording transactions and maintaining custody of assets
  - Collusion is a threat to segregation of duties

Information and Communication
- Quality of information
  - Content appropriate: Is the needed information available?
  - Information timely: Is it available when required?
  - Information current: Is the latest information available?
  - Information accurate: Are the data correct?
  - Information accessible: Can the information be obtained easily by the appropriate parties?
- Communication
  - Tool for control related to ICFR
  - Means of enabling achievement of the objectives of the business

Monitoring
- Ongoing monitoring: those things that are a part of running the business
- Separate monitoring: activities conducted for the specific purpose of monitoring
- Tradeoff: the more ongoing monitoring exists, the less separate monitoring may be needed

COSO Guidance on Monitoring Internal Control Systems
- Monitoring is a normal state of affairs in the organization.
- Monitoring is a formal part of the organization.
- Someone has responsibility for developing monitoring procedures.
- Employees execute monitoring activities and make reports as a normal part of their jobs.
- Management assesses reports and takes whatever action is needed.
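The segregation-of-duties control under Categories of Control Activities (authorize, record, custody held by different people) is the kind of control that lends itself to the ongoing monitoring described above. As an added example that is not part of the chapter, the following check maps application roles to those three duties and reports any one user who holds two conflicting duties within the same process; the role names, the role-to-duty catalogue and the user assignments are constructed sample data, not from any real system.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the chapter. It treats the three duties the slides
name (authorize, record, custody) as functions, maps each application role
to the function it grants, and reports any user whose combined roles let one
person perform two conflicting duties in the same process. Role names, the
role-to-function catalogue and the assignments are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# Duties that must sit with different people (Control Activities slide).
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"
CONFLICTING_PAIRS = {
    frozenset({AUTHORIZE, RECORD}),
    frozenset({RECORD, CUSTODY}),
    frozenset({AUTHORIZE, CUSTODY}),
}

# Constructed role catalogue: role -> (process, function the role grants).
# In practice this comes from the application's role documentation.
ROLE_CATALOG = {
    "AP_INVOICE_ENTRY":   ("accounts_payable", RECORD),
    "AP_PAYMENT_APPROVE": ("accounts_payable", AUTHORIZE),
    "AP_CHECK_RELEASE":   ("accounts_payable", CUSTODY),
    "GL_JOURNAL_POST":    ("general_ledger", RECORD),
    "GL_JOURNAL_APPROVE": ("general_ledger", AUTHORIZE),
    "INV_STOCKROOM":      ("inventory", CUSTODY),
    "INV_COUNT_ADJUST":   ("inventory", RECORD),
}


def functions_by_process(roles, catalog=ROLE_CATALOG):
    """Collapse a user's roles into {process: {function, ...}}.

    Roles missing from the catalogue are returned separately: an unmapped
    role is itself a documentation finding, because the reviewer cannot
    tell what it grants.
    """
    granted = defaultdict(set)
    unmapped = []
    for role in roles:
        if role in catalog:
            process, function = catalog[role]
            granted[process].add(function)
        else:
            unmapped.append(role)
    return granted, unmapped


def sod_conflicts(assignments, catalog=ROLE_CATALOG):
    """Return (findings, unmapped_by_user).

    findings: sorted list of (user, process, function_a, function_b) for
    every conflicting pair of duties one user holds within one process.
    unmapped_by_user: users holding roles the catalogue does not describe.
    """
    findings = []
    unmapped_by_user = {}
    for user, roles in assignments.items():
        granted, unmapped = functions_by_process(roles, catalog)
        if unmapped:
            unmapped_by_user[user] = sorted(unmapped)
        for process, functions in granted.items():
            for a, b in combinations(sorted(functions), 2):
                if frozenset({a, b}) in CONFLICTING_PAIRS:
                    findings.append((user, process, a, b))
    return sorted(findings), unmapped_by_user


# Constructed user-to-role assignments, as an access review would export them.
SAMPLE_ASSIGNMENTS = {
    "alice": ["AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"],  # records and authorizes AP
    "bob":   ["AP_CHECK_RELEASE"],                         # custody only: fine
    "carol": ["GL_JOURNAL_POST", "INV_STOCKROOM"],         # different processes: fine
    "dave":  ["INV_STOCKROOM", "INV_COUNT_ADJUST", "LEGACY_ADMIN"],  # custody+record, unknown role
}

if __name__ == "__main__":
    conflicts, unmapped = sod_conflicts(SAMPLE_ASSIGNMENTS)
    for user, process, a, b in conflicts:
        print(f"SoD conflict: {user} holds both '{a}' and '{b}' in {process}")
    for user, roles in unmapped.items():
        print(f"Unmapped roles for {user}: {roles} (cannot assess)")
    # This check only sees duties combined in one person. Collusion between
    # two properly segregated users leaves no trace in it, which is why the
    # slides list collusion as a threat to segregation of duties.
```

The check is scoped per process, so carol's recording role in the general ledger and custody role in inventory are not flagged; whether cross-process combinations matter is a judgment the reviewer makes when building the catalogue.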
Management's Responsibility for Internal Control
- Foreign Corrupt Practices Act, 1977
  - Requires management of public companies to maintain a system of control
- Sarbanes-Oxley Act
  - Section 302: management certification
  - Section 404: management assessment, report and audit
- Dodd-Frank Act
  - Permanently exempts smaller public companies from the requirement of having ICFR audited; retains the management requirement to assess ICFR and report

SOX Section 302 Management Certification
- Specific officers or those with officer functions must sign
- Reviewed the SEC filing (annual or quarterly report)
- SEC filing does not include anything material that is untrue
- SEC filing does not omit anything material that makes statements untrue
- Fair financial reporting
- Management is responsible for internal control
- Controls permit people within the company to prepare the SEC reports
- Have evaluated effectiveness of ICFR within 90 days prior and are presenting their conclusions
- Have told the auditor and audit committee about ICFR problems
- Have told the auditor and audit committee of management fraud
- Have reported any changes in internal control
- Have reported any events that occurred after the report date that may affect internal control

SOX Section 404
- Annual SEC filing must include an internal control report
- Report states management's responsibility for internal control and producing financial information
- Report includes management's assessment at fiscal year end about internal controls and procedures for financial reporting
- SEC Interpretive Release 2007: no requirement that management's assessment be performed using the guidance in the Interpretive Release, but the guidance provides an acceptable way to perform the assessment of ICFR

SOX Section 404, Audits of ICFR
- ICFR must be audited for all companies except those exempted by Dodd-Frank
- Auditor must:
  - Be registered with the PCAOB
  - Attest to (audit) management's report
  - Follow PCAOB standards for an audit of ICFR
- Since SOX requires that the financial statement and ICFR audit be one integrated engagement, the same auditor must do both

Background to an Audit of ICFR
- Objective of an integrated audit report on ICFR and the financial statements:
  - Opinion on the fairness of the financial statements
  - Opinion on the effectiveness of ICFR
- Opinions can be in combined or separate reports
- If the auditor disagrees with management's assessment, this is added to the audit report
- Auditor must audit the financial statements to audit ICFR
- Auditor uses information and conclusions from each part of the audit in the other part of the audit

Approach to an Integrated Audit
- Identify what would make the financial statements materially misstated
- Focus on management's assertions in understanding the accounting system
- Identify important controls that address significant risks associated with management's assertions
- Assess whether the controls are designed effectively so that, if operating effectively, they can prevent or detect material misstatements
- Test operating effectiveness of controls
- Perform substantive procedures

Assertions Defined
"Assertions are representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur." (ISA 315)

Management's Assertions
- PCAOB uses 5
- AICPA and IAASB use 13
- Auditors have to cover the important concepts in the assertions, but otherwise can express them however they choose; it is easy to see how both sets of assertions cover the same concepts

PCAOB Assertions: AS 15, Audit Evidence
- Existence or occurrence: assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.
- Completeness: all transactions and accounts that should be presented in the financial statements are included.
- Valuation or allocation: asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.
- Rights and obligations: the company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.
- Presentation and disclosure: the components of the financial statements are properly classified, described, and disclosed.

AICPA and IAASB, 13 Assertions
- Classes of Transactions and Events
  - Occurrence
  - Completeness
  - Accuracy
  - Cutoff
  - Classification
- Account Balances
  - Existence
  - Rights and Obligations
  - Completeness
  - Valuation and Allocation
- Presentation and Disclosure
  - Occurrence, Rights, Obligations
  - Completeness
  - Classification and Understandability
  - Accuracy and Valuation

Difference between 5 and 13
- The AICPA and IAASB use additional terms: Accuracy, Cutoff, Classification, Understandability
- Explanations to consider:
  - If an item posted is not accurate, including being posted in the wrong period or to the wrong account, it either did not occur as shown or the balance is incomplete
  - If a disclosure is not accurate it cannot meet the requirements for the presentation and disclosure assertion
  - Proper classification is a part of the presentation and disclosure assertion
  - If an item is not understandable it cannot be properly described under the presentation and disclosure assertion

Reminder: Use of Management Assertions
- Auditor identifies:
  - Significant accounts and disclosures
  - Relevant assertions for those accounts and disclosures
- Auditor considers risks that might cause the assertions to be wrong
- Auditor looks for ICFR controls in place to prevent or detect any misstatements resulting from the risks
- Auditor assesses whether controls are designed so that they can be effective if they operate properly
- Audit continues with:
  - Selecting controls to test; considering whether to always rely on controls in the financial statement audit
  - Deciding how controls tests should be performed
  - Deciding on substantive procedures needed

Time Periods Covered by Audit Procedures
- For an audit opinion that ICFR is effective, it must be effective at fiscal year end
- ICFR must be effective at and for a period of time prior to fiscal year end so that the auditor has confidence in the conclusion
- To rely on ICFR in the financial statement audit, the auditor must test ICFR for the entire period of reliance
- If ICFR was not effective throughout the entire financial period, this affects the financial statement audit procedures
- Even in an integrated audit, the auditor may choose not to rely on ICFR for an account, and consequently only test related controls at fiscal year end

Evidence Related to ICFR
- Making inquiries of appropriate management, supervisory, and staff personnel
- Inspecting company documents
- Observing the application of specific controls
- Tracing transactions through the information system relevant to financial reporting
- Walkthroughs: a set of procedures performed together; an efficient way to understand ICFR and assess design effectiveness

Walkthroughs
- Tracing a transaction from origination until it is reflected in the company's financial records
- Includes inquiry and observation steps
- Information from a walkthrough:
  - Who performs the control? Or, if automated, what system?
  - What is performed and why?
  - What is the management assertion?
  - When is the activity performed, including how often?
  - What evidence is produced showing that the control occurred?
  - How are problems or exceptions investigated and resolved?

Examples of Walkthrough Inquiries
- What do you do when you find an error?
- What are you looking for to determine if there is an error?
- What kinds of errors have you found?
- What happens as a result of finding errors?
- How are errors resolved?
- Have you ever been asked to override the process or controls? If so, what happened and why did it occur?

Audit Documentation
- Audit documentation is the written record of the auditor's work.
- Information included in documentation:
  - Planning and performance of the work
  - Procedures performed
  - Evidence obtained
  - Conclusions reached
- Professional judgment is used to decide how extensive audit documentation must be

AS 3 Documentation Requirements
- Demonstrate that the engagement complied with the standards of the PCAOB
- Support the auditor's conclusions concerning every relevant financial statement assertion
- Nature, timing, extent and results of procedures performed; this means: what was done, when, by whom, outcomes, reviewer, date of review
- Demonstrate that the underlying accounting records agreed or reconciled with the financial statements

Characteristics that Cause More Documentation
- An audit task that is difficult to understand or interpret
- An audit task that requires a lot of judgment
- An audit task that is very important to the audit
- A management assertion that has a lot of risk

Required Documentation of Contradicting Issues
AS 3.8: "In addition to the documentation necessary to support the auditor's final conclusions, audit documentation must include information the auditor has identified relating to significant findings or issues that is inconsistent with or contradicts the auditor's final conclusions. The relevant records to be retained include, but are not limited to, procedures performed in response to the information, and records, documentation, consultations on, or resolutions of, differences in professional judgment among members of the engagement team or between the engagement team and others consulted."

Documentation of the Company's ICFR
- SEC requires management to have significant documentation to support its conclusions about ICFR
- Form of documentation varies depending on company characteristics (size, complexity, etc.)
- Management can rely on documents it uses day-to-day or develop specific ICFR documentation
- Auditor may use the company's documentation to advance understanding of the company and the ICFR assessment

ICFR Documentation Techniques Used
- Flowcharts
- Process models
- Narrative descriptions
- Job descriptions
- Samples of transaction documents and forms, procedures manuals, organization charts
- Questionnaires and checklists

Information in Management's ICFR Documentation
- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements
- Information about how significant transactions are initiated, authorized, recorded, processed, and reported
- Information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
- Controls over the safeguarding of assets
- The results of management's testing and evaluation of ICFR

Entity-Level Controls
- Pervasive controls: those that exist at the organization or company level, but have an impact on controls at the process, transaction, or application level
- Examples:
  - Controls related to the control environment
  - Controls over management override
  - The company's risk assessment process
  - Centralized processing and controls
  - Controls over shared service environments
  - Controls to monitor other controls
  - Period-end financial reporting process controls
  - Policies that address significant business control and risk management practices

Three Categories of Entity-Level Controls
1. Have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented on a timely basis
2. Monitor the effectiveness of other controls; might identify breakdowns in lower-level controls, but not at a level of precision that would sufficiently address the risk of material misstatements
3. Operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions

Indicators of Audit Committee Function
- Oversight of external financial reporting
- Oversight of internal control over financial reporting
- Independence of audit committee members from management
- Clarity of responsibilities
- Interaction with independent and internal auditors
- Interaction with the chief financial officer and chief accounting officer
- Interaction with other key members of financial management
- Questions asked of management and the auditor
- Understanding of critical accounting policies
- Understanding of accounting estimate judgments
- Responsiveness to issues raised by the auditor
(AS 2.57-58)

Anti-Fraud Controls
- Must be included in the design of ICFR
- Discussed previously in relation to the Fraud Triangle
- Controls that prevent, deter, and detect fraud
- Controls restraining misappropriation of assets
- Risk assessment processes
- Codes of ethics or conduct
- Adequacy of internal audit
- Adequacy of procedures for handling complaints and accepting confidential communications on accounting and auditing matters
- Auditor evaluates all controls specifically directed at the risk of fraud
- Inquiries of management, the audit committee and internal auditors are an important audit procedure

IT Impact on the Company and Auditor
- AS 12 identifies the need for auditors to consider manual and automated systems when understanding the company and assessing risks
- Nature and extent of IT affects the risks and therefore the controls needed and the audit steps
- IT might affect initiation, recording, processing and reporting of financial information
- Alternatively, manual steps might affect approvals, reviews of transactions, reconciliations and follow-up of reconciling items

IT Impact on Controls Needed
- Benefits of IT to internal control
  - Consistent application of rules and complex calculations
  - Timeliness, availability and accuracy of information
  - Facilitates additional analysis of information
  - Enhances monitoring ability
  - Reduces risk that controls will be circumvented
  - Controls are used for applications, databases and operating systems
- Risks of IT to internal control
  - Possibility of consistently incorrect processing
  - Possibility of processing the wrong data
  - Unauthorized access and changes to data and programs
  - Failure to change systems or programs as intended
  - Inappropriate manual intervention
  - Potential loss of data

Period-End Financial Reporting Process
- Must be considered in every ICFR audit
- Is always considered a significant process, so the auditor must consider controls
- Procedures that are a part of the period-end financial reporting process that the auditor evaluates:
  - Entering transaction totals into the general ledger
  - Selecting and applying accounting policies
  - Initiating, authorizing, recording and processing journal entries into the general ledger
  - Recording recurring and nonrecurring adjustments to the financial statements
  - Preparing financial statements and related disclosures

Timing of Period-End ICFR Audit Procedures
- Audit tests of ICFR are performed while the process is occurring.
- The client closes its books and prepares its financial statements after fiscal year end.
- Period-end financial reporting procedures occur and are tested after fiscal year end, even though the management report and auditor's opinion are as of fiscal year end.

Significant Accounts and Disclosures
- Auditor must determine what amount is material to the financial statements; qualitative characteristics also impact materiality
- Auditor can then identify significant accounts and the relevant assertions for the accounts
- Relevant assertions are those that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated
- PCAOB Risk Assessment standards (2010) state that relevance stems from inherent risk

Classes of Transactions
- One account may have different major classes of transactions, and relevant assertions may differ for the classes
- For example, cash sales and sales on account include different relevant assertions
- Another approach for identifying and understanding major classes of transactions is grouping them:
  - Routine transactions
  - Non-routine transactions
  - Estimating transactions

Understanding Likely Sources of Misstatement
- After identifying material accounts and disclosures, any major classes of transactions and relevant assertions, the auditor must understand likely sources of misstatement
- From AS 2.74:
  - Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported
  - Identify the points within the process at which a misstatement, including a misstatement due to fraud, could arise

Last Steps of Understanding
- After identifying likely sources of misstatement:
  - Auditor identifies controls management has implemented in the system that are intended to prevent each type of potential misstatement
  - Auditor also identifies controls specifically intended to prevent or detect unauthorized acquisition, use or disposal of assets that could cause a material financial statement misstatement
- IT is an integral part of the analysis, not a separate audit step

IT Related to Likely Sources of Misstatement
- Factors that impact the need for specialized IT knowledge include:

Appendix A: Specifics of IT General Controls
- IT general controls (ITGC): IT policies and procedures that apply throughout the entire company
- Application controls are usually programmed controls that are specific to a single process or activity
- Entity-level vs. transaction-level controls are not the same as IT general controls and IT application controls

Relationship Among Different Control Types

Big Picture: Organization of ITGC
- Internal control environment
- Software acquisition
- Hardware acquisition
- Network technology acquisition
- Program development
- Program changes
- Computer operations
- Access to programs and data
- Software and interface controls
- Contingency controls
- Human resources
- Physical facilities controls

IT Control Environment
- Policies
  - Licensing agreements
  - Passwords
  - Use of company resources, Internet, and e-mail
  - Physical control over portable resources
  - Social engineering issues
  - Control breakdowns
  - Use of third-party providers
- Segregation of duties
- Monitoring

Acquisitions and Changes
- Software: plans, approval, company strategy, compatibility, cost effectiveness
- Hardware and network technology: authorization and approval, fit with needs, security
- Program development and changes: project initiation, analysis and design, construction, testing and quality assurance, data conversion, documentation and training

Computer Operations
- Policies and procedures, including organizational structure
- Batch processing and end-user computing
  - Batch: scheduling and planning functions
  - End user: authorized access
- Backup management; sophistication varies
- Data center controls
  - Physical access, climate controls, lock-up, passwords
- Capacity planning and performance issue management
  - Short- and long-term planning, expected service level
- Recovery
  - Appropriate plan, tested and updated as needed

Access and Interface
- Access to programs and data
  - Password complexity and security
  - Privacy policies
  - Security in place and tested
  - Security measures monitored
- Software and interface controls
  - Denial of service attacks
  - Intrusion detection controls
  - Cookie policies and detection

Contingency Controls
- Backup procedures
  - Procedures for control breakdowns: incident detection, reaction, damage limitation, analysis, recovery, future monitoring
  - Data backup procedures: full backups, incremental backups, storage media (physical or electronic), reconstruction of data
- Service interruption, disaster and recovery
  - Backup or alternate power source
  - Redundant computer processing system
  - Identified responsible individual

Human Resources
- Hiring policies: recruiting, verifying information, testing, interviewing
  - Should address candidate ability and integrity
- Training: cross-training, job rotations, mandatory vacations, ongoing training
- Termination policies and controls
  - Immediately revoking computer access and physical access
  - Changing passwords and codes
  - Sending files to another manager

Physical Facilities
- Protected environment
  - Climate control
  - Fire suppression and evacuation
- Inconspicuous location
- Limited access
  - Limited access to network administration offices
  - Lock-up of critical equipment
- Physically secure portable equipment, with programming to limit unauthorized access
- Store the least possible amount of data on portable equipment

Appendix B: Enterprise Risk Management
- Enterprise Risk Management (ERM) framework: September 2004, COSO
- ERM: a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives

ERM and Internal Control
- ERM addresses the environment within which controls function
- Internal control is encompassed within and an integral part of enterprise risk management. Enterprise risk management is broader than internal control, expanding and elaborating on internal control to form a more robust conceptualization focusing more fully on risk.
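The termination controls listed under Human Resources in Appendix A (immediately revoking computer access) can be tested as a detective check rather than only by inquiry. As an added example that is not part of the chapter, the following code joins an HR roster to an account export and reports accounts still enabled after their owner's termination, accounts disabled later than an allowed grace period, logins after the termination date, and accounts with no identifiable owner; the field names, the roster and the account list are constructed sample data.

```python
"""Terminated-user access check joining an HR roster to an account export.

Added example, not from the chapter. It implements the "immediately revoking
computer access" termination control from Appendix A as a detective check.
Field names, the roster and the account list are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    terminated_on: Optional[date]   # None for current staff


@dataclass(frozen=True)
class Account:
    username: str
    owner_emp_id: Optional[str]     # None if the account maps to no person
    enabled: bool
    disabled_on: Optional[date]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    emp_id: Optional[str]
    issue: str
    days_late: Optional[int] = None  # how far past the revocation deadline


def check_terminations(employees, accounts, as_of, grace_days=0):
    """Compare each account with its owner's HR status as of `as_of`.

    Reports accounts still enabled after termination (with the number of days
    the revocation is overdue), accounts disabled later than `grace_days`
    allowed, any login recorded after the termination date, and accounts
    whose owner cannot be found in the roster (orphans need an owner before
    the control can be assessed at all).
    """
    by_id = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        if acct.owner_emp_id is None or acct.owner_emp_id not in by_id:
            findings.append(Finding(acct.username, acct.owner_emp_id, "no_owner"))
            continue
        term = by_id[acct.owner_emp_id].terminated_on
        if term is None or term > as_of:
            continue                      # owner still employed; nothing to check
        deadline = term + timedelta(days=grace_days)
        if acct.enabled:
            findings.append(Finding(acct.username, acct.owner_emp_id,
                                    "still_enabled", (as_of - deadline).days))
        elif acct.disabled_on is not None and acct.disabled_on > deadline:
            findings.append(Finding(acct.username, acct.owner_emp_id,
                                    "revoked_late", (acct.disabled_on - deadline).days))
        if acct.last_login is not None and acct.last_login > term:
            findings.append(Finding(acct.username, acct.owner_emp_id,
                                    "login_after_termination"))
    return findings


# Constructed sample data: one current employee, two leavers, one orphan account.
EMPLOYEES = [
    Employee("E1", "A. Example", None),
    Employee("E2", "B. Example", date(2024, 3, 1)),
    Employee("E3", "C. Example", date(2024, 3, 10)),
]
ACCOUNTS = [
    Account("aex", "E1", True, None, date(2024, 3, 28)),              # current staff
    Account("bex", "E2", True, None, date(2024, 3, 5)),               # never revoked, used after leaving
    Account("cex", "E3", False, date(2024, 3, 14), date(2024, 3, 9)),  # revoked after the grace period
    Account("svc_report", None, True, None, date(2024, 3, 30)),       # no owner on record
]
SAMPLE_AS_OF = date(2024, 3, 31)


def run_sample():
    """Run the check over the constructed data with a one-day grace period."""
    return check_terminations(EMPLOYEES, ACCOUNTS, as_of=SAMPLE_AS_OF, grace_days=1)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

A "login_after_termination" finding on an account that was later disabled is the case worth escalating first, because it shows the access was exercised, not merely left open.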
Categories of ERM Objectives
- Strategic objectives
- Operations objectives
- Reporting objectives
- Compliance objectives

Components of ERM
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring

Appendix C: ICFR in Smaller Public Companies
- The Dodd-Frank Act (2010) removed the requirement for smaller public companies to have ICFR audited, but management must still perform the assessment and issue the report required by SOX 404
- Guidance on ICFR geared to smaller companies:
  - COSO, 2006: Guidance for Smaller Public Companies
  - COSO, 2009: Guidance on Monitoring Internal Control Systems
  - SEC Interpretive Release (Release 33-8810)
  - AS 5 (replaced AS 2)
  - PCAOB Staff Views: Guidance for Auditors of Smaller Public Companies

Common Characteristics of Smaller Companies
- Fewer business lines
- Less complex business processes
- Less complex financial reporting system
- More centralized accounting functions
- Extensive involvement by senior management
- Fewer levels of management, with wide spans of control

SEC Interpretive Release
- Fundamentals required of management to assess ICFR effectiveness are not different for smaller companies:
  - Identify risks
  - Determine whether controls are in place that address the risks
  - Evaluate the operating effectiveness of the controls
- How the ICFR assessment activities are accomplished may differ

Differences in Process
- Management can judge whether all aspects of ITGC are relevant to financial reporting risks
  - Only evaluate those that are important
- Documentation of controls and evidence selected can vary based on management's judgment of importance
  - Limited documentation may be created just for the assessment
- Emphasis placed on the role of ongoing monitoring

PCAOB Guidance
- Directed toward auditors, not companies
- Includes characteristics of smaller companies that are important considerations for auditors:
  - Use of entity-level controls to achieve control objectives
  - Risk of management override
  - Implementation of segregation of duties and alternative controls
  - Use of information technology (IT)
  - Maintenance of financial reporting competencies
  - Nature and extent of documentation