Internal Control Audit and Compliance
Table of Contents
Graham Lynford. Internal Control Audit and Compliance
Preface
Acknowledgments
Chapter 1. What We All Share
Need for Control Criteria
Overview of the COSO Internal Control Integrated Framework
Holistic, Integrated View
Revised COSO Internal Controls Framework
What We Must Do
Basic Scoping and Strategies for Maintenance
Where We Depart
Triangle of Efficiency
Controls versus Processes
The Debate Continues
Organization of This Book
Appendix 1A. COSO 17 Principles
Chapter 2. Setting the Scope of Your Documentation Project: Identifying the Core
Start with Business Objectives
After the Initial Year
Mapping the Entity to the Financial Statements: Ins and Outs
Consider Risks, Not Just Quantitative Measures
Inherent and Control Risk
Overstatement and Understatement
Does “In Scope” Imply Extensive Testing?
A Consolation
Be Careful Out There!
Appendix 2A. Summary of Scoping Inquiries
Chapter 3. The Risk Assessment Component
Risk Assessment Principles in COSO
Cost Control
Basics
Likelihood, Magnitude, Velocity, and Persistence
Separate Assessments of Inherent and Control Risks
Role of Assertions
Assertions
Principles 6 and 7: Specify Suitable Objectives; Identify and Analyze Risk
Identifying Risks
External Sources of Risk Information
Internal and External Reporting Risks
Compliance Risks
Disclosed Material Weaknesses in Risk Assessment
Principle 8: Assess Fraud Risk
Auditor Responsibility to Detect Fraud
Antifraud Controls for Management to Consider
Ties to Other Principles and Components
Principle 9: Identify and Assess Significant Change
Gathering Information to Support the Risk Assessment and Consider Change
Appendix 3A. SAS No. 99 Exhibit: Management Antifraud Programs and Controls
Guidance to Help Prevent, Deter, and Detect Fraud
Preface
Introduction
Creating a Culture of Honesty and High Ethics
Appendix. Attachment 1: AICPA “CPA's Handbook of Fraud and Commercial Crime Prevention” Code of Conduct
Appendix. Attachment 2: Financial Executives International Code of Ethics Statement
Appendix 3B. Understanding Fraud Risk Assessment
Some Common Fraud Risk Areas and Schemes
Fraud Triangle
Detecting Fraud
Chapter 4. Control Environment
Principle 1: Commitment to Integrity and Ethical Values
Principle 2: Board of Directors (Governance) Demonstrates Independence from Management and Exercises Oversight of the Development and Performance of Internal Control
Principle 3: Management Establishes, with Board Oversight, Structures, Reporting Lines, and Appropriate Authorities and Responsibilities in the Pursuit of Objectives
Principle 4: Commitment to Attract, Develop, and Retain Competent Individuals in Alignment with Objectives
Principle 5: The Organization Holds Individuals Accountable for Their Internal Control Responsibilities in the Pursuit of Objectives
Appendix 4A. Understanding and Awareness of Control Responsibilities
Chapter 5. Control Activities
Principle 10: Selects and Develops Control Activities to Mitigate Risk and Achieve Objectives
Principle 11: Selects and Develops General Controls over Technology
Principle 12: Deploys through Policies and Procedures
Summing Up
Appendix 5A. Linking Common Control Activities and Assertions
Appendix 5B. Linkage of Principles to Controls, Policies, and Procedures
Chapter 6. Information and Communication
Principle 13: Generates Relevant Information
Principle 14: Communicates Internally
Principle 15: Communicates Externally
Chapter 7. Monitoring
Principle 16: Select, Develop, and Perform Ongoing and/or Separate Evaluations
Principle 17: Evaluate and Communicate Deficiencies as Appropriate
Chapter 8. Evidence and Testing
Sufficient Evidence
Gathering Information
Testing and Sampling
Nonsampling Situations
Confusion of Sample Size Guidance in Practice Today
Information Technology General Controls
Testing Security and Access
Appendix 8A. Sample Size Tutorial
Sample Size Formula
Decision Rule for Results
Using a Table to Determine Sample Sizes
Computer-Determined Sample Sizes
Cautions about Deviations
Chapter 9. Developing Questionnaires and Conducting Interviews
Surveys of Employees
Conducting Interviews
Management Inquiries: Sample Questions
Appendix 9A. Sample Practice Aids
Sample Letter to Employees in Advance of Employee Survey
Sample Employee Survey of Corporate Culture and Personnel Policies
Guidance on the Evaluation of Employee Survey Results
Sample Inquiries for Walk-throughs and Transaction Controls
Chapter 10. Assessing the Severity of Identified Controls Deficiencies
It's Inevitable
Alignment of Public and Private Company Standards for Assessing Deficiency Severity
Control Deficiencies and Definitions
Key Factors When Assessing the Severity of a Deficiency
Conditions Indicating Control Deficiencies
Examples of Evaluating the Severity of Deficiencies
Overall Assessment
Appendix 10A. A Framework for Evaluating Control Exceptions and Deficiencies
Version 3, December 20, 2004
Introduction and Purpose
Guiding Principles
Terminology
Appendix 10B. Assessing the Potential Magnitude of a Control Deficiency
Example Facts
Chapter 11. Reporting Requirements
Nonpublic Entity Reporting
Public Company Annual and Quarterly Reporting Requirements
Reporting on Management's Responsibilities for Internal Control
Required Company and Auditor Communications
Reporting the Remediation of Weaknesses
Coordinating with the Independent Auditors and Legal Counsel
Appendix 11A. Illustrative AICPA Report on Internal Controls
Chapter 12. Project Management and Tools Assessment Design
Project Management
Structuring the Project Team
Tools Assessment Design
Features of a Good Tools Solution
Value of a Pilot Project
Coordinating with the Independent Auditors
Chapter 13. Illustrative Forms and Templates
Historical Perspective
2013 Framework Examples
Chapter 13A. Information-Gathering Form – Principle Focused
Information-Gathering Form – Principle Focused
Appendix 13B. Information Gathering Form – Revenue
Appendix 13C. Walk-through Documentation Form
Appendix 13D. Information Technology General Controls Assessment Form
Part 1: IT Control Environment
Part 2: Access and Security General Controls
Part 3: Change Controls and New Systems Development General Controls
Part 4: Operations and Maintenance General Controls
Appendix 13E. Documentation of Financial Reporting Software and Spreadsheets
Appendix 13F. Sampling Form for Tests of Controls
Appendix 13G. Summary of Internal Control Deficiencies
Appendix 13H. Control Environment Component Evaluation Summary
Chapter 14. Summing Up
About the Author
Index
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Internal Control Audit and Compliance
Documentation and Testing Under the New COSO Framework
.....
Table 1.1 is an example template that maps identified entity controls to the 2013 guidance. You may wish to experiment with different approaches to this mapping before settling on one that makes the most sense for your organization, based on where you are and where you want to go. Depending on the component, subcomponent, and number of controls to be mapped, some matrices may be more effectively developed with the principles and points of focus across the top or down the side. While consistency in format is helpful, an unwieldy mapping format is not. Depending on the number of controls likely to be associated with a principle or related point of focus, it may be worthwhile to split the assessment into subsets (by component, by principles, or by other units, such as financial statement captions) that are more manageable. No one design will be perfect for all entities and industries. The important thing is that all currently identified key controls are mapped and that all principles and points of focus are arrayed so that potential gaps can be identified.
Table 1.1 Mapping Controls to the 2013 COSO Framework
.....