Internal Control and Section 404

1
Internal Control andSection 404

• Chapter 10

2
Internal Control Objectives

• Reliability of financial statements
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
• Safeguarding of assets

3
Underlying Limitations

• Reasonable assurance
• Cost-benefit
• Inherent limitations
• collusion

4
Design of ICS

• Preventing material misstatements
• Detecting material misstatements
• Preventing misappropriation
• Detecting misappropriation
• SarbOx Management must assess and report on
  design
• How are transaction initiated, authorized,
  recorded, processed, and reported?
• Are there any weaknesses?

5
Operating Effectiveness of ICS

• Is the control operating as designed?
• Is the person operating the control qualified to
  do so effectively?
• Does the person have the necessary authority?
• How should management assess this?

• Inquiry
• Inspection of documents

• Reperformance
• Observation of operations

6
Managements Report on ICS

• Must describe design
• Must make assertions about effectiveness
• Must report material weaknesses
• A single weakness prevents claim that ICS is
  operating effectively
• Must be able to document basis for report
• Auditor will provide an opinion on the report
• Any weaknesses mean that auditors report will be
  adverse.

7
Understanding Internal Controls

• GAAS Fieldwork Standard requires it in every
  audit
• Must have a preliminary understanding to be able
  to plan the audit
• Testing is a separate issue
• If not a public company, testing is not required
• If public, SarbOX mandates testing for opinion on
  managements statement

8
Control Risk

• Part of Audit Risk Model (Chapter 9)
• Audit Risk risk that internal controls will
  FAIL to prevent or detect misstatement
• High CR means high risk controls will fail
• Low CR means low risk controls will fail
• If CR is high, auditor will not rely much on
  controls
• If CR is low, auditor can rely on ICS and reduce
  other types of testing

9
COSO Components of ICS

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring

10
Control Environment

• Reflects managements overall attitude toward
  controls
• Integrity and ethical values
• Commitment to competence
• Audit committee / Board of Directors
• Philosophy and operating style
• Organizational structure
• HR practices
• Environment sets the stage for all the rest!

11
Risk Assessment

• Managements identification of risks
• Economic
• Industry
• Regulatory
• Operating risks
• Analysis and management of risks
• Examples
• Oil companies in the Gulf of Mexico
• Smith Corona

12
Control Activities

• Policies and procedures to address risks
• Pertains to all four other areas
• Separation of duties
• Proper authorization
• Adequate documents and records
• Physical control over assets and records
• Independent checks

13
Separation of Duties

• A.k.a. segregation of duties
• Custody of assets versus records
• Custody of assets versus authorization
• Operations versus record-keeping
• IT versus users

14
Adequate Documentation

• Prenumbered documents
• Minimum time lag
• Clear and easily understood
• Chart of accounts
• Computerized controls
• Echo checks
• Reasonableness tests
• Password protection

15
Information and Communication

• Initiates, records, processes, and reports
• Transaction cycles
• Subsidiaries and controls
• Think of PERCV

16
Monitoring

• Need to ensure controls are working
• Monitoring now more pressing because of SarbOx
• Control needs change
• Personnel change
• Organizational structure changes

17
Documenting your understanding

• Narratives
• Flowcharts
• Pictures tell a thousand words!
• Questionnaires
• All no answers are weaknesses
• Look for mitigating controls elsewhere
• Be sure connections are made
• Insufficient by itself

18
Reading a Flowchart

• Top left to bottom right
• Try to keep one department or operator in one
  column
• Decision points give alternate paths
• Connectors are usually necessary

19
Common Flowchart Symbols

• Data enters system
• Process
• Document
• Multiple copies
• File

• Stored data file
• Disk storage
• Decision point
• Connector

Yes
?
No
A
Now lets look at page 417
20
Reporting

• Report on whether managements assessment of
  controls is fairly stated
• Usually unqualified
• Report on internal controls themselves
• Adverse if there are any material weaknesses
  present in the ICS

21
Understanding ICS

• Management must identify
• Significant accounts
• Significant assertions
• Significant processes and sub processes
• Control activities
• Evaluate with a CAVR matrix
• Completeness
• Accuracy
• Validity
• Restricted Access

22
Walkthrough

• Confirm process flow
• Confirm your understanding of design
• Confirm that your understanding is complete
• Evaluate the effectiveness of the design
• Confirm that controls are placed in operation
• Walkthrough does not involve testing!

23
Questions in the Walkthrough I

• Ask personnel about their understanding of the
  procedures they perform
• Determine whether personnel understand WHY they
  perform them
• Determine whether they understand an exception
  and how to deal with it

24
Questions in the Walkthrough II

• Determine whether the activity is done in a
  timely manner
• View documentation of a transaction flowing
  through the process
• Confirm that the personnel perform the procedure
  as outlined in the documentation

25
Auditing Alchemy

• Groups
• Handout
• Schedule for Thursday
• Deliverables
• Completed matrix
• Conclusions about anti-fraud programs and
  controls
• Points to deliver to the audit committee