Auditing (Annotated)


Welcome to Becker's on demand CPE course!

• This course contains review questions with feedback to ensure learning.

• Upon completing this on demand course, you will be instructed to take a final exam.

• Once you have successfully completed the final exam (70% or higher), your CPE certificate will
be immediately awarded for you to view, print, or download.

• This on demand course will allow you to print the course slides and glossary.

• Enjoy the show!

© Becker Professional Education Corporation. All rights reserved. The copyright in this material is owned by Becker Professional Education Corporation, or where specifically indicated, by the original creator of the material. None of this material may be copied, reproduced, republished, or displayed in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, or otherwise, without the prior written permission of Becker Professional Education Corporation or the copyright owner.
The Impact of Sarbanes-Oxley on Internal Controls

Auditing
© 2022 Becker Professional Education Corporation. All rights reserved.

Learning objectives

After completing this course, the learner should be able to:

• Recognize the purpose and definition of internal control

• Recognize the objectives of a system of internal controls, the five components of internal control, and the three dimensions of the internal control relationship

• Identify the principles that underlie the five components of internal control

• Recognize the different categories of internal control over information systems

• Define and recognize deficiencies in internal control

• Recognize the roles and responsibilities related to internal control

• Recognize the effects of Sarbanes-Oxley on internal control

Program level: Basic
Field of study: Auditing
Program prerequisite: None
Advance preparation: None

Program content

This course will be an overview of:

The Committee of Sponsoring Organizations (COSO) of the Treadway
Commission Study established internal control to be a process with five
interrelated components. Learn how the far-reaching COSO principles enable
compliance with the stringent requirements of the watershed Sarbanes-Oxley
Act of 2002.

Review the Internal Control framework as developed in the COSO study.

Understand how the COSO ICF enables compliance with the requirements of
the Sarbanes-Oxley Act.

Summarize the Act's effects on the components of an entity's internal control
system.

• Summarize the Act's effect on the control environment, including the audit
committee's role and the rules governing public accounting firms;
• Discuss the Act's effect on risk assessment and how it is important to the
management certification of the internal control system;
• Describe the Act's effect on control activities, focusing on the assessment,
documentation, testing, and materiality of control activities; and
• Summarize the Act's effect on monitoring, information, and communication.
Major topic/concept index

Chapter 1 (Slides 8 – 26): Internal controls based on the COSO study
• Introduction and definitions
• Objectives
• Fundamental concepts of the definition

Chapter 2 (Slides 27 – 38): How COSO principles enable compliance with Sarbanes-Oxley
• The five components
• The relationship of the components

Chapter 3 (Slides 39 – 71): The control environment, risk assessment, and control activities
• Definitions
• Information and communication
• Monitoring
• The control environment
• Management's philosophy and operating style
• Integrity and ethical values
• Commitment to competence
• Risk assessment
• Financial reporting and compliance objectives
• Managing change
• Control activities

Chapter 4 (Slides 72 – 80): Controls over information systems
• General and application controls
• Information and communication
• Internal and external communications

Major topic/concept index (continued)

Chapter 5 (Slides 81 – 92): Monitoring activities
• Monitoring activities and separate evaluations
• Who performs the evaluation
• The evaluation process

Chapter 6 (Slides 93 – 103): Evaluation methodology
• Evaluation methodology
• The internal control system's documentation
• Deficiencies

Chapter 7 (Slides 104 – 110): Roles and responsibilities
• Roles and responsibilities
• Management, internal auditors, other entity personnel and external responsible parties

Chapter 8 (Slides 111 – 144): Effect of Sarbanes-Oxley on control environment
• Control environment overview
• The audit committee and board of directors
• Disclosures
• Overseeing the audit and the public accounting firm

Chapter 9 (Slides 145 – 155): Effect of Sarbanes-Oxley on risk assessment
• Introduction
• Categories of objectives

Major topic/concept index (continued)

Chapter 10 (Slides 156 – 159): Effect of Sarbanes-Oxley on control activities
• Concept of control activities
• Weakness threshold in the internal control system

Chapter 11 (Slides 160 – 174): Effect of Sarbanes-Oxley on information and communication
• Focusing on operations objective
• SOX requirements
• Corporate responsibility for financial reports
• Improper influence on conduct of audits

Chapter 12 (Slides 175 – 187): Effect of Sarbanes-Oxley on monitoring
• Greater significance under SOX
• Surveillance of changes in systems that might affect internal controls
• Setting up the monitoring process/following up on corrective actions
• Follow-up on reports to and investigations by the audit committee

Chapter 1: Internal controls based on the COSO study

The COSO study


The COSO (Committee of Sponsoring Organizations) of the Treadway
Commission Study, Internal Control—Integrated Framework, was originally
issued in 1992 in four volumes:

• Framework
The primary report on the theory of internal control

• Evaluation Tools
An exposition on evaluating internal control based on the theory and
definitions in the study

• Reporting to External Parties
A discussion of management's statements on internal control

• Executive Summary
A summary designed to convey the basic elements to CEOs and other
executives in the organization

In 1994, COSO reissued the study, combining the Executive Summary,
Framework, and Reporting to External Parties volumes into one volume
that includes a new section: Addendum to "Reporting to External Parties."

In 2013, COSO released an updated Internal Control framework.

• The 2013 framework retained the definition of "internal control" and
much of the framework remains unchanged.

• However, the 2013 framework includes "enhancements and
clarifications" meant to assist users in implementing, reviewing, and
evaluating internal controls.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

– There are principles (17 in total) associated with each component.

– The 2013 framework reflects major business changes since 1992.

– The compendium includes examples to assist users with
implementation.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

COSO sponsors
The professional organizations with the greatest interest in internal control:

• The American Accounting Association (AAA)
The academic community of the accounting profession.

• The American Institute of Certified Public Accountants (AICPA)
The principal professional society of certified public accountants.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

• Financial Executives International (FEI)
The organization of chief financial officers (formerly the Financial
Executives Institute).

• The Institute of Internal Auditors (IIA)
The international organization of internal auditors.

• The Institute of Management Accountants (IMA)
The professional organization of chief accounting officers and
accountants in industry and not-for-profit entities.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

The definition
The COSO study defines internal control as:
A process, effected by an entity's board of directors, management and
other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.

• Reliability of financial reporting.

• Compliance with applicable laws and regulations.

Internal control is a process


The COSO study's recognition of internal control as a process established
the view of the internal control system as an organized structure.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

Internal control is effected by the board of directors, management, and other personnel

The internal control system is defined in terms of organizational activities—
not just accounting activities.

The internal control system is an integral part of the entity and it either
functions or fails the same way that other aspects of the organization either
successfully function or fail.

[Figure labels: Internal Control; Board of Directors; Management; Other Personnel]

The objectives
The objectives of the internal control system are:

• Effectiveness and efficiency of operations.

• Reliability of financial reporting.

• Compliance with applicable laws and regulations.

Key point: These objectives and their order are critical to understanding what
this definition means to an organization.

Effectiveness and efficiency of operations


When an organization is effective, it is serving its clients/customers well.

Efficiency is related to the profitable operation of the entity. It is the proper
management of the financial resources of the entity and the economic
application of resources to the objectives of the organization.

Key point: Effectiveness is doing the right thing and efficiency is doing the right
thing the right way.

Reliability of financial reporting


Reliable financial reporting implicitly requires accurate accounting records,
proper timing and classification, and all the other aspects of financial
reporting controls that we have traditionally considered.

Key point: The objective states financial reporting is more than just the
published financial statements.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

Compliance with applicable laws and regulations
The organization must comply with the laws and regulations that apply to it.
The potential cost of noncompliance can be significant not only in
financial terms but in terms of harm to reputation.

Professional organizations re-examined their standards and statements.

• The AICPA incorporated the concepts of the COSO study into some of
the Statements on Auditing Standards. SASs 104–111 included the
COSO concepts.

Note: Clarified Auditing Standards have replaced the Statements on
Auditing Standards.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

The AICPA also revised its Statements on Standards for Attestation
Engagements (SSAEs) to include two statements on attestation:

• SSAE 10 (AT 501)
Reporting on an Entity's Internal Control Over Financial Reporting

• SSAE 10 (AT 601)
Compliance Attestation (agreed-upon procedures for examination of the
adequacy of internal control over compliance with laws and regulations)

Note: SSAE 18 supersedes SSAE 10.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

The objectives in the COSO definition are consistent with the scope of
audit work in the Institute of Internal Auditors' (IIA) Statement on Internal
Auditing Standards (SIAS) 1, Control: Concepts and Responsibilities,
which states that "internal auditing examines and evaluates planning,
organizing, and directing processes to determine whether reasonable
assurance exists that goals and objectives will be achieved" and "internal
control includes all the entity's systems, processes, operations, functions,
and activities."

The COSO definition strongly supports internal auditors in establishing a
full scope of audit work within the entity.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

Fundamental concepts of the definition


A process

Internal control is a process. It is a means to an end, not an end in itself.

When management and auditors look at internal controls, they must look at
the controls' effects (e.g., the control establishes accountability).

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

People

• People enable the internal control system.

• Manuals and forms are not the internal control system.

• Manuals and forms are tools used by people.

• Employees support the internal control system when they understand
the system's benefits to their personal interests and then to the
organization.

• Without proper education and motivation, the organization's employees
cannot and will not enable the internal control system to work.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

Reasonable assurance

• Internal control can be expected to provide only reasonable
assurance, not absolute assurance, to an entity's management and
board.

• There is no way to obtain absolute assurance that the objectives of
control are attained. No one should expect internal controls to either
guarantee that the objectives are reached or that undesirable
conditions cannot occur.

• Internal control will not prevent failures caused by poor management
judgment or changing economic conditions.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

Objectives
Internal control is geared to the achievement of objectives.

Every entity has a mission. The entity then establishes its objectives and
then the strategies for accomplishing those objectives.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

Chapter 2: How COSO principles enable compliance with Sarbanes-Oxley

The five components


The COSO study states that internal control consists of five interrelated
components that are derived from the way management runs the entity
and that are integrated with the management process.

The five components are

1. Control environment

2. Risk assessment

3. Information and communication

4. Monitoring

5. Existing control activities

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

[Figure: COSO model relating Objectives to the Components: Control Environment, Risk Assessment, Info. & Communication, Monitoring, Existing Control Activities]

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

• These components are interactive, working together to produce a total
control system. As the business and its environment change, the
internal controls should be dynamic and also able to change.

• The COSO study presents a structural model of internal control,
emphasizing the relationship between the objectives and the internal
control components.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

The relationship of the components


The COSO framework also illustrates the relationship of the objectives of
control and the components of control.

• The operations (efficiency and effectiveness) objective, financial
reporting objective, and compliance objective all have monitoring
components.

• This interrelationship applies to all of the objectives and components.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

There is a third dimension to the relationship: the organization structure.

• The control process not only exists within each operating unit of the
organization but also within entities associated with the organization.

[Figure: three-dimensional model with the dimensions Objectives; Components (Control Environment, Risk Assessment, Existing Control Activities, Info. & Communication, Monitoring); and Organization (Units/Activities).]

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.


The relationship of the components (continued)


Each component is supported by principles as outlined in the revised
2013 framework.

• These principles represent the "fundamental concepts associated with
components" and are applicable to all objectives, sub-objectives, and
entities.

• There are 17 principles, discussed in the context of the component each
supports.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.


The relationship of the components (continued)


The control environment is the foundation for the internal control system.

• Without the control environment, the other components will collapse like a
house built without a foundation.

• Integrity, ethical values, and competence are included in the control
environment.

• When a proper control environment is in place, a risk assessment is made.

A risk is any condition, event, or factor that might prevent the organization
from achieving its objectives.

• Objectives must be clearly stated if the risks to their attainment are to be
identified.


The relationship of the components (continued)

Key point: In 2004, COSO published another document, Enterprise Risk
Management—Integrated Framework, which provides guidance on the
process used by management to identify and manage risk across the
enterprise.

The framework includes three additional internal control components:
objective setting, event identification, and risk response. This framework
does not supersede or amend the Internal Control framework, but rather
provides a broader concept by focusing on risk.

In 2017, the framework was revised to strengthen the emphasis on the
integration of ERM with strategy and performance. The updated framework
consists of five interrelated components:

1. Governance and Culture

2. Strategy and Objective-Setting

3. Performance

4. Review and Revision

5. Information, Communication, and Reporting


The relationship of the components (continued)

[Figure: layered diagram of the components: Monitoring, Control Activities, Risk Assessment, Control Environment.]


The relationship of the components (continued)


• When the risks are known, control activities are established to either
prevent or detect the risks.

• Monitoring mechanisms are established to receive and evaluate the
output of the control activities.

– Monitoring includes not only evaluation of control activity output, but
also the ongoing appraisal of the performance and capabilities of the
control system itself.

– The results of both aspects of the monitoring function produce a flow of
information.


The relationship of the components (continued)


• Information is disseminated through channels of communication in
the organization.

• The communication channels must reach every level of the internal
control structure so the information can reach the levels that can
react to and address the specific control issue.

[Figure: layered diagram of the components: Monitoring, Control Activities, Risk Assessment, Control Environment.]

3. The control environment, risk assessment, and control activities

The control environment


The core of any business is its people: their individual attributes, including
integrity, ethical values, and competence, and the environment in which
they operate.

People are the engine that drives the entity, and the foundation on which
everything rests.

The control environment is the foundation of the internal control system.

The internal control system is based on people, not things.

Key point: The system can be circumvented by individuals or groups of
individuals who have low integrity or lack the ethical values to do what is right.


The control environment (continued)


The technical competence of employees is also important.

• People with the right educational background must be hired, and they
must be trained to perform their assigned duties within the entity that
employs them.

Key point: The COSO study refers to this as "a commitment to competence."


The control environment (continued)

There are five principles associated with the control environment
component.

1. "The organization demonstrates a commitment to integrity and ethical
values.

2. The board of directors demonstrates independence from management
and exercises oversight of the development and performance of
internal control.

3. Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit of
its objectives.

4. The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal
control responsibilities in pursuit of objectives."

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.


The control environment (continued)


People and internal controls

• People are the critical aspect of the internal control system.

• Controls influence people's actions; controls do not assure compliance.

Key point: People should be positively influenced to comply with the internal
control system and not dominated by threats for negative behavior.

The quality of the control environment is affected by:

• Management's philosophy and operating style.

• Integrity and ethical values.

• Commitment to competence.


The control environment (continued)


Management's philosophy and operating style

• Management's philosophy and operating style are critical to the control
environment.

• Management's philosophy and operating style affect the way an entity is
managed and dictate the types of risks the entity takes.

• Management's attitudes toward financial reporting, data processing and
accounting, and the entity's people all impact the internal control
system.


The control environment (continued)


Integrity and ethical values

• Management's demonstration of integrity and ethical values is critical to
the quality of the internal control system.

• Management's operating style and its regard for the people in the
organization are irrevocably entwined with the question of integrity and
ethical values.

• Employees may hear top management make the highest statements
about integrity and ethics, but see otherwise.

Key point: Management should expect no higher level of integrity than it shows
by its own actions.


The control environment (continued)


Commitment to competence

• People must be competent to perform their duties.

• Competence flows from education and training.

• Education and training are not the same.

– Education is conceptual and deals in broad theory (no matter how
specific it seems when the tests are put in front of you).

– Training is specific to the entity.


Risk assessment

The second component is risk assessment. Risks come from both external
and internal sources.

Risk assessment is the basis for determining how risks will be managed.

Prevention and detection mechanisms can be put in place only after the
risks have been identified and the likelihood of occurrence and the
probable impact determined.

The organization needs mechanisms to identify and deal with the special
risks associated with change, as economic, industry, regulatory, and
operating conditions are constantly changing.


Risk assessment (continued)


There are four principles associated with the risk assessment
component.

1. "The organization specifies objectives with sufficient clarity to enable
the identification and assessment of risks relating to objectives.

2. The organization identifies risks to the achievement of its objectives
across the entity and analyzes risks as a basis for determining how the
risks should be managed.

3. The organization considers the potential for fraud in assessing risks to
the achievement of objectives.

4. The organization identifies and assesses changes that could
significantly impact the system of internal control."

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.


Risk assessment (continued)


A key aspect of risk assessment is to first establish objectives.

• Risk assessment is identifying and analyzing the events and conditions
(risks) that may prevent the achievement of the entity's objectives.

• Through proper assessment, the entity can determine how to reduce or
eliminate the impact of those risks.

• Risk assessment begins with the original objectives of control—
operational, financial, and compliance objectives.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.


Risk assessment (continued)


Operational objectives

• Operational objectives are generally established internally.

• Internally created standards help to define desired operational efficiency
and effectiveness.

• The objectives are usually affected by internal factors.

• They may be affected by external factors such as new government
regulations or natural disasters.


Risk assessment (continued)


Financial reporting objectives

• The financial reporting objectives are established outside the entity.

• The numbers are a measure of the success or failure of the entity's
performance, but the objectives in reliable financial reporting relate to
GAAP, which are the measurement and disclosure standards set
outside the entity.


Risk assessment (continued)


Compliance objectives

• Compliance objectives are set outside the entity.

• The ability to meet the compliance standards is within the control of the
entity, so the entity sets its objectives based on the externally
established standards. These standards include:

– Fair credit practices

– Occupational safety and health

– Environmental protection

– Family medical leave

– Americans with disabilities, etc.


Risk assessment (continued)


Managing change

• All elements of change constitute risks to the achievement of the entity's
objectives. Managing change is an extremely important aspect of risk
assessment and it is critical to an entity having effective internal control.

• Change management is a forward-looking process used to identify
change conditions and specify when management should take action.


Risk assessment (continued)


Example

• Changed operating circumstances: Changes in the regulatory or economic
environment of the entity may affect it. For example, the entity is
now subject to more stringent land-use planning laws.
• New personnel: For example, the company has a new CEO or it has hired
replacement workers for employees who are on strike. These new employees
might not understand the control system or the organization's "corporate
culture" and may act in ways that are contradictory to the entity's objectives.
• New or revamped information systems when installed under pressure may
result in changes in the control system. For example, previously effective
controls may either not be present in the new system or may not function in
the same way.
• Rapid growth may cause existing systems to fail because they were not
designed to handle the volume of transactions that the rapid growth has
created or the new employees that the increased growth requires.


Risk assessment (continued)


Example (continued)

• New technology: When new technology is added to existing production
processes or information systems, the existing controls may no longer function
as intended and may require revamping or redesigning if the control system is
to function properly.
• New lines, products, and activities: When new products are added, the
existing controls may not be adequate to meet the changes in the organization
and the changes in personnel brought about by the changes.
• Organizational restructuring: When downsizing occurs, the company may
eliminate positions that have been part of the control system, and the controls
that are lost will need to be replaced. A corporate merger may result in the
merging of like operations, the reduction of some staffs, and the shifting of
employees to new locations and new positions.
• Foreign operations: When a company expands its operations to other
countries, it will often have new and unique risks that it did not face prior to its
embarking on non-U.S. activities. The business climate and the cultural
differences between the foreign country and the present corporate structure
can result in a breakdown of controls, a failure of the information system, or
the entity having new and different regulatory requirements that must be met.


Control activities

After the risk assessment has been made, the entity turns to developing
control activities.

Control activities are the policies and procedures that help ensure that
management directives are carried out.

Control activities provide the means to prevent the occurrence of identified
risk events or, if they cannot be prevented, to detect them as early as
possible.

They help ensure that necessary actions are taken to address the risks to
achieving the entity's objectives.

Key point: Management identifies risks that could stand in the way of achieving
objectives—the risk assessment. Then, management establishes control
activities—policies, procedures, and practices—to guard against those risks.


Control activities (continued)


Example

Control activities are the policies and procedures that people perform to ensure
that management's directives related to risk are carried out. Typical control
activities include:
• Authorizations
• Approvals
• Verifications
• Reconciliations
• Reviews of operating performance
• Security of assets, and
• Segregation of duties.


Control activities (continued)


Control activities occur at all levels of the organization and in all functions.
They include a range of activities as diverse as approvals, authorizations,
certifications, reconciliations, reviews of operating performance, security of
assets, and segregation of duties.

Control activities come in many forms, including:

• Preventive controls and detective controls

• Manual controls and computer controls

• Managerial and supervisory controls


Control activities (continued)


Control activities can be carried out through:

• Top-level reviews through senior management's attention to operating
results;

• Direct functional management or activity management;

• Information processing checks, edits, and embedded routines;

• Physical controls, such as locked facilities;

• Performance indicators with measurement checks; and

• Segregation of duties.

Because more and more operating and decision-support systems are
computerized, there is a great need to assure that proper controls are
built into computer systems as they are developed.

Key point: The COSO study gives particular attention to the effect of
automated systems and the role of systems development in assuring
proper control.


Control activities (continued)


The control activities component is supported by three principles.

• "The organization selects and develops control activities that contribute
to the mitigation of risks to the achievement of objectives to acceptable
levels.

• The organization selects and develops general control activities over
technology to support the achievement of objectives.

• The organization deploys control activities through policies that establish
what is expected and in procedures that put policies into action."

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.



The COSO study discusses control activities from four perspectives.

1. Types of control activities

2. Integration with risk assessment

3. Controls over information systems

4. Entity-specific controls



No universal set of control activities can be applied to every organization.
The control activities must fit the organization's resources, history,
complexity, and culture.

• A number of controls will apply to all entities—for example, keeping
cash and unissued checks locked up.

• Some controls will apply to most entities—for example, segregation of
incompatible duties and dual controls of investment securities.

• After a certain foundation of basic controls, the control activities begin to
take on the specific character of the entity that is implementing them.


Key point: Control activities will not work if they do not fit the organization.
The entity must

• Create controls that work in its circumstances.

• Enforce those controls.

• Change those controls as its circumstances change.



Types of control activities

• Controls can be viewed in a number of different ways.

– The types of controls.

– The objectives of the controls.

– The personnel that perform those controls.

• The COSO study divides control activities by the level of personnel that
provide those controls and indicates that this division is just one of a
number of ways that control activities can be viewed.



• Top-level reviews

– Top-level reviews include activities such as the following:

▪ Budget to actual reviews

▪ Tracking of initiatives such as market thrusts

▪ Cost containment or reduction programs

▪ Oversight of joint ventures

▪ Financing plans (capital expansion versus debt financing)

– The analysis and follow-up by management are the control activity.



• Functional and activity controls

Functional and activity management-level controls include divisional,
departmental, and branch-level controls.

– These controls are adapted to the nature of the organization's
activities and possibly the geographic scope of operations.

– These controls tend to be more micro than macro in nature, such as
detailed statistics, production reports, and other summarizations
such as aging of receivables and regulatory reports.



• Information processing controls

Information processing controls are at a very detailed level, such as
error edits, limit tests, file totals, check digits in account and part
numbers, and error condition scanning and reporting. New system
development contains its own control activities to assure that the system
will have proper controls when it is in operation.

• Physical controls

Physical controls include physical security over assets (including the use
of safes, padlocks, cameras, and/or guards at entrances, etc.), as well as
periodic counts and reconciliations to control records.



• Performance indicators

– Performance indicators are techniques that

▪ Compare different sets of data.

▪ Make analyses of the relationships.

▪ Take investigative and corrective actions.

– The data used for performance indicators may include both
operational and financial data.

Example: Performance indicators

• Percentage returns

• Variances from purchase price

• Order cancellations

• Past-due accounts

• New accounts or customers

• Rejection rates



– These indicators are yardsticks used to measure actual performance
against targets. Deviations from the targets should trigger inquiry.

▪ If the results are negative, how will they be corrected and when
will the entity return to predicted performance?

▪ If the results are positive, how can the entity capitalize on
positive trends and are those trends sustainable?



• Policies and procedures

Policies and procedures are critical to making any controls work.
A policy establishes what should be done and serves as the basis
for the second element, the procedure, which is how it will be
carried out.



Integration with risk assessment

Control activities must be integrated with risk assessment and, by
definition, with the organization's objectives.

4 Controls over information systems

General and application controls


The COSO study discusses controls over information systems in four
areas: general controls, application controls, the relationship between
general and application controls, and evolving issues.

The general controls and the application controls ensure complete,
accurate, and valid information.

General controls include:

• Data center operations

• System software acquisition, implementation, and maintenance

• Access security (physical and logical access)

• Development and maintenance of application software



Application controls govern the processing application (e.g., payroll,
accounts receivable, general ledger). They ensure complete and accurate
processing, authorization, and validity of data. Interfaces between
applications require special controls to ensure the following:

• Outputs from one application to another are properly distributed.

• All inputs from other applications are received.

• Inputs received are complete.

Key point: The relationship between general and application controls is a
constant activity. The general controls support application controls and both are
necessary to have complete and accurate information processing.
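
The information processing controls named earlier (error edits, limit tests, file totals, check digits) and the interface requirements above can be shown working together at one application boundary. This is an added Python example, not part of the course material; the Luhn check-digit scheme, the 10,000.00 limit, the record layout, and the account numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

AMOUNT_LIMIT = Decimal("10000.00")  # assumed ceiling for the limit test


def luhn_valid(number: str) -> bool:
    """Check-digit test (Luhn mod 10, chosen here as an assumption)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        digit = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


@dataclass(frozen=True)
class Record:
    account: str
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    amount_total: Decimal
    hash_total: int  # sum of account numbers: meaningless as a figure, useful as a check


def compute_totals(records) -> ControlTotals:
    """File totals the sender puts in the batch header and the receiver recomputes."""
    return ControlTotals(
        record_count=len(records),
        amount_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(int(r.account) for r in records if r.account.isdigit()),
    )


def edit_record(record: Record) -> list:
    """Error edits applied to one record; returns the names of the failed edits."""
    failed = []
    if not luhn_valid(record.account):
        failed.append("check digit")
    if not (Decimal("0") < record.amount <= AMOUNT_LIMIT):
        failed.append("limit test")
    return failed


def receive_batch(header: ControlTotals, records):
    """Receiving application: reconcile totals, then edit each record.

    Returns (accepted_records, exception_report). A batch whose totals do not
    reconcile is held in full, because the receiver cannot tell what is missing.
    """
    report = []
    recomputed = compute_totals(records)
    for name in ("record_count", "amount_total", "hash_total"):
        expected, actual = getattr(header, name), getattr(recomputed, name)
        if expected != actual:
            report.append(f"batch held: {name} expected {expected}, received {actual}")
    if report:
        return [], report
    accepted = []
    for line_no, record in enumerate(records, start=1):
        failed = edit_record(record)
        if failed:
            report.append(f"record {line_no} ({record.account}): failed {', '.join(failed)}")
        else:
            accepted.append(record)
    return accepted, report


# Constructed sample data: three payroll postings bound for the general ledger.
SENT = [
    Record("10002343", Decimal("1200.00")),
    Record("10005171", Decimal("850.50")),
    Record("10007888", Decimal("4300.25")),
]
# Same batch with a transposed account number and an amount over the limit.
KEYED_WRONG = [
    Record("10002433", Decimal("1200.00")),
    Record("10005171", Decimal("25000.00")),
    Record("10007888", Decimal("4300.25")),
]

if __name__ == "__main__":
    header = compute_totals(SENT)
    for label, header_used, arrived in (
        ("complete batch", header, SENT),
        ("record lost at the interface", header, SENT[:2]),
        ("keying errors", compute_totals(KEYED_WRONG), KEYED_WRONG),
    ):
        accepted, report = receive_batch(header_used, arrived)
        print(f"{label}: {len(accepted)} accepted")
        for line in report:
            print("  exception:", line)
```

The totals catch what the per-record edits cannot (a record that never arrived), and the edits catch what the totals cannot (a batch that reconciles but contains bad data), which is why both are applied.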


Information and communication


Surrounding the risk assessment and control activities are information
and communication systems. These systems let the entity's people
capture and exchange the information they need to conduct, manage, and
control the entity's operations.

Relevant information must be identified, captured, and communicated in a
form and time frame that enable the entity's people to fulfill their
responsibilities. The information may

• Be either operational, financial, or compliance oriented.

• Originate either inside or outside the organization.

• Be used in decision making either inside the organization or for external
reporting purposes.



Providing the right information in a timely fashion and assuring that it is
accurate are key objectives of internal control. The right information must
be communicated to enable people to carry out their responsibilities.
A proper organizational control system provides

• The right amount of the right information.

• At the right time.

• To the right people.

Key point:

• The difference between data and information is usefulness.

• Information is derived from data, but not all data is information because not
all data is useful in its current form.



The information and communication component is supported by three
principles.

• "The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.

• The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support
the functioning of internal control.

• The organization communicates with external parties regarding matters
affecting the functioning of internal control."

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.



The following issues must be considered in dealing with the information
and communication component of the control structure:

• Information must be part of the entity's strategic and integrated systems,
and attention must be given to the quality of information.

• Information comes from inside and outside the organization and is used
for almost every imaginable purpose to guide the entity's strategic and
tactical decision making, and to measure performance.



Communication refers to the channels through which information passes,
as well as the sources of the information. Internal communications move in
two planes, vertical and horizontal, and in both directions on each of those
planes. Senior management must hear from the troops, just as the lower
levels must listen to management. The sales department must hear from
the production department, and engineering from marketing. Any time one
portion of an entity fails to listen or to send its message, the risk that the
entity will not achieve its objectives increases.

[Figure: Internal communications, showing Upper Management, Middle Management, and Lower Management alongside Production, Engineering, Sales, and Marketing]



External communications originate from a number of sources
including customers, suppliers, regulators, and stakeholders.
External communications take many forms and go to a number
of destinations; they may be both oral and written.

5 Monitoring activities

Monitoring activities and separate evaluations


Monitoring is a process that assesses the quality of the internal control
system's performance over time.

The purpose of the monitoring activity is to assure the ongoing quality of
the internal control system.

This function monitors the internal control system itself.

Monitoring is the capstone component covering all the other components.

The communication of exceptions and other issues that originate in risk
analysis and control procedures is dealt with in discussions of other
components.

The monitoring activities component is supported by two principles.

• "The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal
control are present and functioning.

• The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking
corrective action, including senior management and the board of
directors, as appropriate."

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

The COSO study divides monitoring into three major subjects.

Monitoring is accomplished through ongoing monitoring activities and
separate evaluations or a combination of the two approaches.

Ongoing monitoring activities

• Ongoing monitoring activities are built into the normal, recurring
activities of the entity.

Example

Regular managerial activities: Carrying out regular management activities provides insight on the extent that managers and
supervisory personnel are aware of the timeliness and accuracy of information from the system.

External feedback: Communication from external parties corroborates internal information and indicates problems.


Data recorded by information systems: Data from information systems is compared with physical assets, as in counts of finished goods.
These routines test both the protection of the assets and the quality of the information system that
accounts for them.

Internal feedback (e.g., separation of duties): Appropriate organizational structure provides oversight of control
functions and feedback on any deficiencies.

Separate evaluations

Separate evaluations or reviews may be internal self-assessments by
division or department personnel, may be internal audits, or may be
special reviews conducted by consultants or external auditors.

Note: Recall that an effective internal control system is one in which all the
relevant components and principles are present and functioning.

Reporting deficiencies

• A "deficiency" in internal controls is a "shortcoming in a component(s)
and relevant principle(s) that reduces the likelihood of an entity
achieving its objectives."

• If the reduction in likelihood is severe, the deficiency may be a major
deficiency.

Audit findings

Internal and external auditors offer their assessment of the design and
performance of the internal control system, identify potential weaknesses
in the system, and make recommendations for improvements in the
system.

Training seminars and planning sessions

Training and planning seminars and other meetings provide management
with feedback on the effectiveness of the internal control system.

Code of conduct compliance statements

• Periodic statements by personnel on whether they understand and
comply with the code of conduct are a form of feedback on the entity's
communication of its value systems.

• Periodic inquiries of operating and financial personnel on whether
certain control procedures are carried out at the prescribed frequency
and whether they understand the procedure's purpose provide feedback
on the internal control system.

Separate evaluations

A separate evaluation is a look at the internal control system solely as
an examination of the system.

• For the internal auditor, this separate evaluation is an audit of the
internal control system without worrying about the operation being
controlled.

• The separate evaluation is not the regular audit of the operation.
The study refers to this evaluation as a "fresh look."

In discussing separate evaluations, the COSO study focuses on the
following items:

• Scope and frequency of evaluation

The scope and frequency of evaluations depend on the risk being
controlled and the importance of the controls in reducing that risk.


Key point: The higher the risk, the more frequently the evaluation should be
conducted.


Who performs the evaluation


The CEO may instruct division managers to conduct tests within their
areas using line managers.

The internal auditors may perform this study either as part of their regular
work or as a special project.

External auditors may perform the work as agreed-upon procedures.

The internal and external auditors may perform the evaluation jointly.


The evaluation process


Evaluation is a process, not a series of random, mechanical tests.
The evaluator must:

• Understand the entity's activities and the components of the internal
control system;

• Determine how the system actually functions; and

• Analyze the design of the internal control system and the results of
the tests performed on the system.

6 Evaluation methodology

Evaluation methodology

Effective internal control


Effective internal control provides reasonable assurance that an entity is
meeting its objectives. That is, an effective system of controls reduces the
risk of not achieving an objective.

Requirements

• To be effective, all five components of internal control and the relevant
principles must be present, functioning, and operating together in an
integrated manner.

• Present
" 'Present' refers to the determination that components and relevant
principles exist in the design and implementation of the system of
internal control to achieve specified objectives."

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

Evaluation methodology

Effective internal control (continued)


• Functioning
Functioning refers to the determination that components and relevant
principles continue to exist in the conduct of the system of internal
control to achieve specified objectives.

• Operating together

– "'Operating together' refers to the determination that all five
components collectively reduce, to an acceptable level, the risk of
not achieving an objective."

– The components are necessarily interdependent and linked.

"Internal Control—Integrated Framework: Framework and Appendices." Committee of Sponsoring Organizations of the Treadway Commission. May 2013.

Evaluation methodology

Methodology
Checklists, questionnaires, and flowchart techniques can be used, as well
as quantitative techniques.

Some entities compare their internal control systems with those of similar
organizations as a form of benchmarking; however, the many cautions
about the entity-specific nature of controls must be observed.

Evaluation methodology

The internal control system's documentation


Documentation varies according to the size and complexity of the entity.

• Larger organizations have written manuals, formal organizational charts,
written job descriptions, operating instructions, information flowcharts, etc.

• Smaller organizations will have considerably less documentation.

Many controls are undocumented, but they are regularly performed and
highly effective.

These controls must be tested just like the formal ones.

The evaluator may choose to document the evaluation process.

All this documentation will be more substantive when the organization is
making a formal statement on internal controls.

Evaluation methodology

The internal control system's documentation (continued)

Key point: The COSO study provides an outline of an action plan for
performing an evaluation of the internal control system. The study suggests an
outline that includes the following:

• Deciding on the evaluation's scope based on the categories of objectives,
internal control components, and activities to be addressed

• Identifying the ongoing monitoring activities that routinely provide comfort that
internal control is effective

• Analyzing the control evaluation work performed by internal auditors and
considering control-related findings of external auditors

• Prioritizing by unit, component, or otherwise the higher-risk areas that
warrant immediate attention

Evaluation methodology

The internal control system's documentation (continued)

Key point: The COSO study provides an outline of an action plan for
performing an evaluation of the internal control system. The study suggests an
outline that includes the following:

• Based on the prioritization, developing an evaluation program with short-term
and long-term segments

• Bringing together the parties who will carry out the evaluation (together,
they consider not only scope and time frames, but also methodology, tools to
be used, input from internal and external auditors and regulators, means of
reporting findings, and expected documentation)

• Monitoring progress and reviewing findings

• Determining that necessary follow-up actions are taken and modifying
subsequent evaluation segments as necessary

Evaluation methodology

Internal control deficiencies


Deficiencies in internal control are broadly defined as conditions worthy of
attention.

• They represent either perceived, potential, or real shortcomings in the
internal control system or opportunities to strengthen it.

• Deficiencies decrease the likelihood that an entity will achieve its
objectives.

• Many sources help identify deficiencies, including:

– Monitoring activities or other components.

– Information from external parties.

• Management may determine how deficiencies should be reported by
following its reporting directives. Directives outline procedures for
deficiencies, including protocol and follow-up.

Evaluation methodology

Internal control deficiencies (continued)


A major deficiency is an internal control deficiency (or combination thereof)
that "severely reduces" the likelihood that the entity can achieve its
objectives.

Alert: If there is a major deficiency, the organization cannot conclude that
it has met the requirements of an effective system of control.

• A major deficiency exists if management determines that components
and/or principles are not:

– Present and functioning.

– Operating together.

• Mitigation
A major deficiency in a component or relevant principle cannot be
mitigated by another component or principle that is present and
functioning.

Evaluation methodology

Internal control deficiencies (continued)


Judging severity

• Management exercises judgment in determining the severity of a
deficiency (and thus a major deficiency).

• Regulators and/or standard-setting bodies may also enumerate criteria
for identifying major deficiencies.

What should be reported?

• When an error or discrepancy is reported, it may be a simple, isolated
error or it may be a flaw in the internal control system.

• If the process of researching the error discloses an internal control
system weakness, that must be reported.

Evaluation methodology

Internal control deficiencies (continued)


Who should receive the report?

• Most information generated during normal operations is reported upward
one level from the point of discovery or origination.

• Alternative channels should exist for sensitive information such as illegal
and improper acts.

• The internal control system deficiency findings should be reported one
level higher than the level at which corrective action will take place.

• This procedure provides support to the person making the correction
and a monitoring of the change itself.

7 Roles and responsibilities

Roles and responsibilities

Internal parties
"Everyone in an organization has some responsibility for internal control."

• Management

• Boards of directors, including committees

• Internal auditors

• Other internal parties

• External parties

Roles and responsibilities

Management
The CEO, the division and department managers, and the senior financial
officers have a specific responsibility for the financial activities and the
controllership of the organization. Their activities cut across the entity's
operational and geographic lines.

Board of directors

The board of directors and its committees are critically involved.

• The board has stewardship responsibilities to the shareholders and
oversight responsibilities to the entity.

• In some cases, such as banking, they are liable for civil monetary
penalties and even confiscation of their personal assets for failure to
perform their responsibilities.

Roles and responsibilities

Internal auditors
Internal auditors have a special role in the internal control system.

The internal auditor's professional standards require the auditor to examine
the internal control system.

The internal auditor's charter spreads across the entire organization and
the auditor reports those findings to senior management and the board's
audit committee.

Roles and responsibilities

Other entity personnel


All personnel in the organization have a responsibility to the organization
and to themselves to assure that the internal control system functions
properly.

External responsible parties


Responsibility for the internal control system is not limited to inside the
organization. There are external parties who are not part of the entity's
internal control system; however, they do affect it.

External auditors

• Independent certified public accountants play an important role in
meeting an organization's financial reporting objectives.

• They also impact their client's ability to achieve operational and
compliance objectives.

Roles and responsibilities

Legislators and regulators


Legislators affect the internal control systems of many entities because of
the laws they pass, including:

• Foreign Corrupt Practices Act of 1977

• Single Audit Act of 1984

• Crime Control Act of 1990

• FDIC Improvement Act of 1991

Roles and responsibilities

Parties interacting with the entity


Parties interacting with the entity include customers, vendors, potential
suppliers, financial analysts, bond rating agencies, and the news media.

• Financial analysts and bond rating agencies make their own evaluations
of the entity, including financial data, the entity's actions in response to
conditions in the economy, and the entity's potential for success or failure.

• The news media, especially the financial press, makes similar analyses.

Key point: Management should consider the input of these sources in
addition to the information it receives from internal information sources.

8 Effect of Sarbanes-Oxley on control environment

Effect of Sarbanes-Oxley on control environment

The control environment


There is no single component where the Sarbanes-Oxley Act has more
effect than the control environment.

• The Act's mandates on ethical conduct and corporate structure require a
number of things that are only suggested by COSO.

• In addition, the Act incorporates requirements that are not included in
COSO.

Effect of Sarbanes-Oxley on control environment

People and internal controls


People are the critical aspect of the internal control system.

• People put the internal control system and its control mechanisms in
place.

• The designing of the internal control system is not just an intellectual
exercise.

• The designers of the internal control system must be aware that the
system will be operated by people and that people will be affected by it.

Effect of Sarbanes-Oxley on control environment

Management's philosophy and operating style


Title III, Corporate Responsibility, of the Sarbanes-Oxley Act contains a
number of requirements that will make it eminently clear that managers
and boards will not have the "flexibility" to abandon the code of ethics,
engage in "creative" accounting practices that ignore GAAP, intimidate or
suborn auditors, gag their employees, or engage in insider trading without
very clear registration of their activities—unless, of course, they want to
avail themselves of government housing for extended periods.

Effect of Sarbanes-Oxley on control environment

Management's philosophy and operating style (continued)

When considering the Act's requirements within the five components, it is
also necessary to consider them in light of the objectives of the internal
control system. The Act's requirements that will result in accurate and
unbiased financial reporting start with:

• Executive responsibility for financial statements;

• Required examinations of the internal controls leading to the preparation
of the statements;

• Qualifications of the "financial expert" member of the audit committee
(now called the audit committee financial expert);

• Audit committee engagement of the independent accountants; and

• Whistle-blowing provisions and investigation requirements.

Effect of Sarbanes-Oxley on control environment

Integrity and ethical values


Section 406 requires that all issuers have a code of ethics for senior
financial officers and that any changes or waivers be reported on the 8-K
filing. In addition, filing must be made on the issuer's Form 10-K, 10-KSB,
20-F, or 40-F.

The final rule provides that the code of ethics shall be written standards
and shall promote:

• Honest and ethical conduct, including the ethical handling of actual or
apparent conflicts of interest between personal and professional
relationships;

• Avoidance of conflicts of interest, including disclosure to an appropriate
person or persons identified in the code of any material transaction or
relationship that reasonably could be expected to give rise to such a
conflict;

Effect of Sarbanes-Oxley on control environment

Integrity and ethical values (continued)


• Full, fair, accurate, timely, and understandable disclosure in reports and
documents that a company files with, or submits to, the Commission
and in other public communications made by the company;

• Compliance with applicable governmental laws, rules, and regulations;

• The prompt internal reporting to an appropriate person or persons
identified in the code of violations of the code; and

• Accountability for adherence to the code.

Effect of Sarbanes-Oxley on control environment

The audit committee


Changes to the structure and responsibilities for the audit committee
resulting from Sarbanes-Oxley are considerable. They represent a
significant shift in the boardroom of many companies.

[Figure: Organizational Structure chart showing Shareholders, Board of Directors, and Audit Committee]

Effect of Sarbanes-Oxley on control environment

The audit committee (continued)


Structure of the audit committee

• The audit committee must be composed of outside directors
(Section 301-3).

• Members cannot receive compensation in any form other than
their board and committee fees.

• At least one member must be a financial expert (Section 407).


Section 407 provides that a "financial expert" shall have:

– An understanding of generally accepted accounting principles
and financial statements;

– The ability to assess the general application of such principles
in connection with the accounting for estimates, accruals, and
reserves;

Effect of Sarbanes-Oxley on control environment

The audit committee (continued)


– Experience preparing, auditing, analyzing, or evaluating financial
statements that present a breadth and level of complexity of
accounting issues that are generally comparable to the breadth and
complexity of issues that can reasonably be expected to be raised
by the registrant's financial statements, or experience actively
supervising one or more persons engaged in such activities;

– An understanding of internal controls and procedures for financial
reporting; and

– An understanding of audit committee functions.

Effect of Sarbanes-Oxley on control environment

Board membership
The final rule, Standards Relating to Listed Company Audit Committees,
contains amendments to Exchange Act Rule 10A-3 defining qualifications for
members of the audit committee. There are two criteria determining
independence: compensation and affiliation.

• Compensation

– A director cannot receive any consulting, advisory, or other fees from
the issuer or subsidiary other than director and committee fees.

– The prohibition on payments applies to spouses, children, or
stepchildren sharing the home or to firms where the member has a
beneficial interest such as law, accounting, consulting, investment,
financial advisory firms, and payments to an entity (including limited
partnerships) where the audit committee member is a member or officer.

Effect of Sarbanes-Oxley on control environment

Board membership (continued)


• Affiliation
Rules include indirect payments: payments to an entity in which the
member is a partner, member, officer such as a managing director
occupying a comparable position or executive officer, or occupies a
similar position (except limited partners, non-managing members, and
those occupying similar positions who, in each case, have no active role
in providing services to the entity) and which provides accounting,
consulting, legal, investment banking, or financial advisory services to
the issuer or any subsidiary.

Key point: The final rule specifies that the prohibition covers accounting,
consulting, legal, investment banking, or financial advisory services.
Other commercial relationships are not covered by the final rule.

Effect of Sarbanes-Oxley on control environment

The audit committee's responsibility for handling complaints and whistle-blowing

In addition to the new structure and the duty of overseeing the audit
process, the audit committee is also required to receive, investigate, and
keep records of complaints on a number of issues under their purview
(Section 301-4). Specifically, the section reads:

(4) Complaints—Each audit committee shall establish procedures for—

• The receipt, retention, and treatment of complaints received by the
issuer regarding accounting, internal accounting controls, or auditing
matters; and

• The confidential, anonymous submission by employees of the issuer of
concerns regarding questionable accounting or auditing matters.


The audit committee's responsibility for handling complaints and whistle-blowing (continued)

Key point:

• The audit committee should develop the policies and procedures that best fit
the structure and function of the company.

• The SEC final rules do not provide any specific procedures or mechanisms
for reporting because the nature and complexity of registered issuers is too
diverse to support a "one size fits all" approach.


The audit committee's responsibility for handling complaints and whistle-blowing (continued)

[Figure: Organizational Structure chart. Labels: Shareholders; Board of Directors; Audit Committee; CEO; Whistle-blowing; CFO; Rank-and-File Organization.]


Section 301-5: Engaging advisers


This provision is closely related to the provisions of Section 806, which
creates protection of whistle-blower employees who report fraud, assist in
an investigation, or testify in any investigation of allegations of fraud.
Section 806 specifically protects the employee who reports "any conduct
which the employee reasonably believes constitutes a violation of ... any
rule or regulation of the Securities and Exchange Commission, or any
provision of federal law... ." The section prohibits discharge, demotion,
suspension, threat, harassment, or any other discrimination against a
"whistleblower." To perform these duties, the committee will need help.
Sarbanes-Oxley makes provision for that assistance in Section 301-5:

Authority to engage advisers

Each audit committee shall have the authority to engage independent
counsel and other advisers, as it determines necessary to carry out its
duties.


Section 301-5: Engaging advisers (continued)


[Figure: Organizational Structure chart. Labels: Shareholders; Board of Directors; Audit Committee; Advisers or Counsel; CEO; Whistle-blowing; CFO; Rank-and-File Organization.]


Section 301-6: Funding the audit committee activities and advisers

Section 301-6 requires the company to provide the resources necessary
to support audit committee activities and advisers:

(6) Funding—Each issuer shall provide for appropriate funding, as
determined by the audit committee, in its capacity as a committee of the
board of directors, for payment of compensation—

• To the registered public accounting firm employed by the issuer for the
purpose of rendering or issuing an audit report; and

• To any advisers employed by the audit committee under paragraph (5).


Disclosures concerning the audit committee


The names of the members of the audit committee and the fact that they
are independent (or any reasons why they are not) must be shown in the
annual report.

It must be stated whether the committee is a standing committee, the
number of meetings held in the fiscal year, and the functions performed
by the committee.

The fact that the audit committee has an "audit committee financial expert"
member must be cited, along with whether that member is independent, or
the absence of such a member must be explained; however, the name of
that member must be disclosed.

If the company does not have an audit committee but the board of
directors acts as the audit committee, that fact is stated.


Other disclosures about the audit committee are required in the proxy statement:
First, the audit committee must provide a report disclosing whether the
audit committee has reviewed and discussed the audited financial
statements with management and discussed certain matters with the
independent auditors.

Second, issuers must disclose whether the audit committee is governed
by a charter, and, if so, include a copy of the charter as an appendix to the
proxy statement at least once every three years.

Finally, the issuer must disclose whether the members of the audit
committee are independent.


Other disclosures about the audit committee are required in the proxy statement (continued):

Key point: The disclosure rules for the audit committee will continue to
evolve and these should not be viewed as hard and fast rules. Regularly
monitor the SEC website (www.sec.gov) for changes and new developments.


Overseeing the audit and the public accounting firm

The duties of the audit committee (Section 301-2) include hiring the
accounting firm and approving in advance any and all services provided by
the accounting firm. The services the accounting firm may provide fall
within a very narrowly defined range.

The audit committee has the responsibility for seeing that the accounting
firm abides by the rules in its dealing with the company.


Overseeing the audit and the public accounting firm (continued)

The committee must understand the list of prohibited activities. Section 201
lists eight specific activities and provides that the PCAOB can specify
others in the future. This section is now §10A(g) of the Securities
Exchange Act of 1934.

• (g) Prohibited Activities—Except as provided in subsection (h), it shall
be unlawful for a registered public accounting firm (and any associated
person of that firm, to the extent determined appropriate by the
Commission) that performs for any issuer any audit required by this title
or the rules of the Commission under this title or, beginning 180 days
after the date of commencement of the operations of the Public
Company Accounting Oversight Board established under section 101
of the Sarbanes-Oxley Act of 2002 (in this section referred to as the
"Board"), the rules of the Board, to provide to that issuer,
contemporaneously with the audit, any non-audit service, including
those listed on the following slide.


Overseeing the audit and the public accounting firm (continued)

– Bookkeeping or other services related to the accounting records or
financial statements of the audit client;

– Financial information systems design and implementation;

– Appraisal or valuation services, fairness opinions, or contribution-in-kind
reports;

– Actuarial services;

– Internal audit outsourcing services;

– Management functions or human resources;

– Broker or dealer, investment adviser, or investment banking services;

– Legal services and expert services unrelated to the audit; and

– Any other service that the Board determines, by regulation, is
impermissible.


Overseeing the audit and the public accounting firm (continued)
• When the accounting firm is engaged to perform functions other than
the audit, these services must be approved in advance by the audit
committee—not management and not the board as a whole.
The engagement may be for tax services or any activity not included
in the prohibited list subject to certain limitations.


Overseeing the audit and the public accounting firm (continued)


(h) Preapproval Required for Non-Audit Services—A registered public accounting firm
may engage in any non-audit service, including tax services, that is not described in
any of paragraphs (1) through (9) of subsection (g) for an audit client, only if the
activity is approved in advance by the audit committee of the issuer, in accordance
with subsection (i).

• There is language in Section 201 to cover the engagement of the public accounting
firm for work other than the audit or tax work on a de minimis basis when it has
not been preapproved by the audit committee:

– The work cannot be on the list of prohibited activities.

– The cost of non-audit services cannot exceed 5 percent of all fees paid to the
auditor.

– It must be reported to the audit committee promptly and approved by the
committee before completion of the audit.


Overseeing the audit and the public accounting firm (continued)
• Approval may be by the committee or by a member of the committee
who has been empowered by the committee to handle such approvals
between meetings.


Overseeing the audit and the public accounting firm (continued)
(B) De Minimus Exception—The preapproval requirement under
subparagraph (A) is waived with respect to the provision of non-audit
services for an issuer, if—

• The aggregate amount of all such non-audit services provided to the
issuer constitutes not more than 5 percent of the total amount of
revenues paid by the issuer to its auditor during the fiscal year in which
the non-audit services are provided;

• Such services were not recognized by the issuer at the time of the
engagement to be non-audit services; and

• Such services are promptly brought to the attention of the audit
committee of the issuer and approved prior to the completion of the
audit by the audit committee or by one or more members of the audit
committee who are members of the board of directors to whom authority
to grant such approvals has been delegated by the audit committee.

Overseeing the audit and the public accounting firm (continued)
Reporting

• The accounting firm must report to the audit committee, not to
management and not to the board of directors as a whole.

• The required communications do not differ greatly from the
communications that have been required by previous Statements
on Auditing Standards (SASs) except that the reporting to the audit
committee is exclusive.


Overseeing the audit and the public accounting firm (continued)
(k) Reports to Audit Committees—Each registered public accounting firm
that performs for any issuer any audit required by this title shall timely
report to the audit committee of the issuer—

• All critical accounting policies and practices to be used;

• All alternative treatments of financial information within generally
accepted accounting principles that have been discussed with
management officials of the issuer, ramifications of the use of such
alternative disclosures and treatments, and the treatment preferred by
the registered public accounting firm; and

• Other material written communications between the registered public
accounting firm and the management of the issuer, such as any
management letter or schedule of unadjusted differences.


Overseeing the audit and the public accounting firm (continued)

[Figure: Organizational Structure chart. Labels: Shareholders; Board of Directors; Audit Committee; Advisers or Counsel; CEO; Whistle-blowing; CFO; Public Accounting Firm; Rank-and-File Organization.]


Overseeing the audit and the public accounting firm (continued)
• Because the audit committee oversees the audit relationship, it should
monitor certain employment practices that are covered by Section 206
of the Act.

• The committee should make inquiries of management and any potential
accounting firm to obtain a positive (written) assurance that none of the
cited positions are occupied by prohibited individuals.


Overseeing the audit and the public accounting firm (continued)
(l) Conflicts of Interest—It shall be unlawful for a registered public
accounting firm to perform for an issuer any audit service required by this
title, if a chief executive officer, controller, chief financial officer, chief
accounting officer, or any person serving in an equivalent position for the
issuer, was employed by that registered independent public accounting
firm and participated in any capacity in the audit of that issuer during the
one-year period preceding the date of the initiation of the audit.

• The final rule issued by the SEC made it clear that the employment of
former members of the audit engagement team is a conflict only if the
employment begins within the one year preceding the initiation of the
audit and if that individual was assuming a "financial reporting oversight
role" in the company.


Overseeing the audit and the public accounting firm (continued)
• (d) One-Year Cooling Off Period. The rules deem an accounting firm to
be not independent with respect to an audit client if a former member of
the audit engagement team begins employment in a "financial reporting
oversight role" at that issuer if the individual had been a member of the
audit engagement team within the one-year period preceding the
initiation of the audit. A "financial reporting oversight role" is a role in
which a person is in a position to or does influence the contents of
financial statements or anyone who prepares them. Such persons
include directors, chief executive officers, chief financial officers, chief
accounting officers, controllers, and others.

9 Effect of Sarbanes-Oxley on risk assessment

Overview
The assessment of the control system required to support the Section 404
certification begins with an examination of the risk assessment.

• This leads to development of control activities, the information and
communication channels, and the monitoring processes.

Key point: If the risk assessment is not properly conducted, none of the other
steps can be successful.


Overview (continued)
Risk assessment is the process of identifying and analyzing the events
and conditions (risks) that may prevent the achievement of the entity's
objectives.

A proper assessment will enable the entity to:

• Determine how to eliminate the impact of those risks through risk
avoidance; or

• If unavoidable, how to reduce risks through the use of effective control
activities.


Categories of objectives
Objectives are related to the original objectives of control: operational,
financial, and compliance objectives.

Risk assessment begins with these internally generated objectives and the
risks to their achievement.

Risks can be either internal or external.

Title III of the Act, Corporate Responsibility, contains a number of
requirements that make it clear that managers and boards will not have
the "flexibility" to abandon the code of ethics, engage in "creative"
accounting practices that ignore GAAP, intimidate or suborn auditors, gag
their employees, or engage in insider trading without very clear registration
of their activities.


Categories of objectives (continued)


The Act requirements are designed to promote accurate and unbiased
financial reporting and include:

• Executive responsibility for financial statements;

• Required examinations of the internal controls leading to the preparation of
the statements (Title IV, Enhanced Financial Disclosure);

• Qualifications of the "financial expert" member of the audit committee
(Title IV, Enhanced Financial Disclosure);

• Audit committee engagement of the independent accountants; and

• Whistle-blowing provision and investigation requirements (Section 806), etc.


Categories of objectives (continued)


Until the introduction of the Sarbanes-Oxley audit environment, there was
a close working relationship between the public accounting firm and
management regarding the understanding of the processes providing
internal controls.

Many control procedures were simply the way every organization does
things. For example:

• The petty cash funds were maintained under lock and key in the
custody of designated individuals who were accountable for any
shortages; however, there were no written rules.


Categories of objectives (continued)


• Bank statements were reconciled promptly upon receipt by
someone who did not make entries to the general ledger control
account, sign checks, prepare or transport deposits, have access to
the account through the internet connection, or otherwise control the
account.
The reconciliation was reviewed by a designated senior financial
manager and reconciling items were cleared promptly; however,
there may not have been any written rules.


Categories of objectives (continued)


The final rules specify that the framework on which management's
assessment of the issuer's internal control over financial reporting is based
must be a suitable, recognized, control framework that is established by a
body or group that has followed due-process procedures, including the
distribution of the framework for public comment.

While there are a number of frameworks in existence, the most widely
recognized framework that meets the Sarbanes-Oxley (SOX) definition is
the COSO framework.

There is an evaluation methodology illustrated by the COSO study that can
be used as a general model; however, the specifics of that model will
generally require modification.

Entities should focus more on their thought processes than the adoption of
standardized evaluation models.

Effect of Sarbanes-Oxley on risk assessment

Categories of objectives (continued)


Before adopting evaluation methodologies, organizations should focus on:

• The requirement to get serious about documenting the control system;

• The need to document it in a formal manner and completely;

• The requirement that management clearly document the control system
on a stand-alone basis; and

• The fact that the public accounting firm independently must assess the
design and operating effectiveness of the system—this is differentiated
from the environment in which the public accounting firm performed its
procedures and offered recommendations on control deficiencies.

Effect of Sarbanes-Oxley on risk assessment

Categories of objectives (continued)


The original COSO evaluation model carried an implication that
management and the public accounting firm could undertake a mutual
effort to document and test controls to achieve a complementary or
non-duplicating role.

• The documentation of controls was urged by COSO as a highly
desirable undertaking but not stated as mandatory.

• There was no language in the COSO Evaluation Tools volume
prescribing the frequency of review and testing; however, the
Sarbanes-Oxley Act has established clear mandates regarding the
timing of these procedures (complete annual changes within quarter).

Key point: The level of complexity and detail in the illustrative model in the
COSO Evaluation Tools volume does not rise to the level of the Act's standard.
It should be viewed solely as an example.

Effect of Sarbanes-Oxley on risk assessment

Categories of objectives (continued)


The risk assessment component of the COSO methodology now
considers the liability issue as it never did in its original development.

• The liability of the organization in terms of fines and sanctions from
governmental agencies, potential delisting of its securities, and
stockholder actions is a potent concern.

• The executive managers and members of the board must consider their
personal liabilities to governmental actions and suits by stockholders
and others.

10 Effect of Sarbanes-Oxley on control activities

Effect of Sarbanes-Oxley on control activities

Concept of control activities


The concept of control activities in Sarbanes-Oxley correlates well with the
definitions expressed in COSO's original framework document.

One difference

The emphasis SOX places on the management certification and
accountants' attestation.

The terms we are concerned with are:

• Key controls;

• Material weaknesses;

• Significant deficiencies; and

• Reportable events.

Effect of Sarbanes-Oxley on control activities

Weakness threshold in the internal control system
One challenging issue that seems to raise many questions:

To what level would a weakness in the internal control system be
considered serious enough to cause a citation in the management
statement and/or the accountants' attestation?

• To answer this question, when going through the process of
assessment, documentation, and testing of the internal control system,
look at a control and ask:

─ "If this control fails, would it result in a condition that should be cited
in the Section 302 officers' statement or generate a qualified
auditor's opinion in the attestation?"

Effect of Sarbanes-Oxley on control activities

Weakness threshold in the internal control system (continued)
If the answer is yes, it should be flagged as a key control.

• When new systems are implemented or major system changes are
made, key controls should be flagged. This will provide a significant
aid in quick checks on the controls that could result in violations of the
Act.

• This should not be viewed as a silver-bullet solution to compliance with
the Act. The assessment, documentation, and testing of the internal
control system required annually is not simply a check on key controls,
although it should obviously give the greatest attention to those
controls.

• The question of what raises a control to the level of what is being
defined here as a key control is the conundrum of the day.

11 Effect of Sarbanes-Oxley on information and communication

Effect of Sarbanes-Oxley on information and
communication

Focusing on operations objective


In the COSO framework, the elements of information and communication
focused on the operations objective: Improvement of the effectiveness and
efficiency of the entity.

The information gathered from internal and external sources would move
through identified communication channels to identify weaknesses, provide
monitoring data, and generally improve the entity or prevent deterioration.

Effect of Sarbanes-Oxley on information and
communication

SOX requirements
Sarbanes-Oxley (SOX) makes it the law that the company must secure
and act upon such information.

SOX defines requirements for record keeping related to that information.

Complaints under Section 301-4 must flow to the audit committee.

The flow of information concerning conditions in the internal control
system must flow to the certifying officers (CEO and CFO) as required in
Section 302(a)(4)(B).

Key point: The important concepts are identifying the correct information and
ensuring that it gets from its origination to its intended destination while
ensuring its integrity.

Effect of Sarbanes-Oxley on information and
communication

Section 301-4
(4) Complaints—Each audit committee shall establish procedures for—

The receipt, retention, and treatment of complaints received by the issuer
regarding accounting, internal accounting controls, or auditing matters; and

The confidential, anonymous submission by employees of the issuer of
concerns regarding questionable accounting or auditing matters.

• This provision is closely related to the provisions of Section 806, which
creates protection of whistle-blower employees who report fraud, assist
in an investigation, or testify in any investigation of allegations of fraud.

Effect of Sarbanes-Oxley on information and
communication

Section 301-4 (continued)


• Section 806 specifically protects the employee who reports any conduct
that the employee reasonably believes constitutes a violation of various
sections of the Securities and Exchange Act or rules or regulations of
the SEC.

• The section prohibits discharge, demotion, suspension, threat,
harassment, or any other discrimination against a "whistleblower."

• Section 301-4 requires that the company define and communicate the
methodology for notifying employees that they are expected to make
such reports, how the reports are to be made, and how they are
protected when they make reports.

Effect of Sarbanes-Oxley on information and
communication

Section 301-4 (continued)

Key point: To ensure the process works most effectively and efficiently, the
company should have forms and routing mechanisms whenever possible.
The instructions should be contained in company procedures manuals
and the company's code of ethics.

Effect of Sarbanes-Oxley on information and
communication

Corporate responsibility for financial reports


Regulations Required—The Commission shall, by rule, require, for each
company filing periodic reports under section 13(a) or 15(d) of the Securities
Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive
officer or officers and the principal financial officer or officers, or persons
performing similar functions, certify in each annual or quarterly report filed or
submitted under either such section of such Act that—

• The signing officer has reviewed the report;

• Based on the officer's knowledge, the report does not contain any untrue
statement of a material fact or omit to state a material fact necessary in
order to make the statements made, in light of the circumstances under
which such statements were made, not misleading;

Effect of Sarbanes-Oxley on information and
communication

Corporate responsibility for financial reports (continued)
• Based on such officer's knowledge, the financial statements, and other
financial information included in the report, fairly present in all material
respects the financial condition and results of operations of the issuer as
of, and for, the periods presented in the report;

• The signing officers—

– Are responsible for establishing and maintaining internal controls;

– Have designed such internal controls to ensure that material
information relating to the issuer and its consolidated subsidiaries
is made known to such officers by others within those entities,
particularly during the period in which the periodic reports are being
prepared; .... (Emphasis added)

Effect of Sarbanes-Oxley on information and
communication

Section 303: Improper influence on conduct of audits
Section 303 defines prohibitions against improper influences on the
auditors. It is important to note the reach of this provision.

• The definition of "officer or director of an issuer, or any other person"
includes anyone in the organization plus customers, vendors,
contractors, and others.

• What constitutes "influence" is defined with a number of examples.

Effect of Sarbanes-Oxley on information and
communication

Section 303: Improper influence on conduct of audits (continued)
Excerpt

"It shall be unlawful…for any officer or director of an issuer, or any other
person acting under the direction thereof, to take any action to fraudulently
influence, coerce, manipulate, or mislead any independent public or
certified accountant engaged in the performance of an audit of the financial
statements of that issuer for the purpose of rendering such financial
statements materially misleading."

In addition to being a requirement of the law, the CEO and CFO have a
vested interest in seeing that the channels of communication are open for
this information.

• The burden for false reporting falls on the CEO and CFO; they'll want
to be sure that information on problems is reported immediately when
discovered and corrective action is immediate.

• Penalties are severe: possible loss of employment, fines, and prison
sentences.
Effect of Sarbanes-Oxley on information and
communication

Section 303: Improper influence on conduct of audits (continued)
These managers should ensure that:

• All responsible staff members know the need for prompt reporting of any
germane information on problems in the control system.

• Policies and procedures are published and provided to all current staff
members in affected positions and all future incumbents in such
positions.

Effect of Sarbanes-Oxley on information and
communication

Section 303: Improper influence on conduct of audits (continued)
The procedures should include that:

• The criteria for reporting are clearly described (what constitutes a
reportable condition);

• The form of reporting is described (what information will be needed to
facilitate action on the report);

• The method of reporting is described (paper forms, intranet, e-mail, etc.);

• The reporting point is defined (where the report should be directed); and

• The timeliness of reporting is stressed (the importance of reporting
relative to quarter- and year-ends and the need for time to complete
corrective action).

Effect of Sarbanes-Oxley on information and
communication

Section 303: Improper influence on conduct of audits (continued)

Key point: Don't forget future incumbents

• Initial implementation led to training seminars, memos, staff meetings, etc.

• Inevitably, turnover occurs.

• The new people in the positions do not get the word and the process falls apart.

• There is a danger that the CEO and CFO will find themselves in trouble.

Effect of Sarbanes-Oxley on information and
communication

Section 303: Improper influence on conduct of audits (continued)
To fulfill the requirement of the law, it is important that the organization:

• Identify the personnel (positions) who would be able to observe control
breakdowns.

• Require that those positions report breakdowns just as any other legal
compliance requirement (requirement should be written into job
descriptions).

Effect of Sarbanes-Oxley on information and
communication

Section 303: Improper influence on conduct of audits (continued)
Management should recognize that outside sources may provide
important information that relates to the company's Sarbanes-Oxley
compliance.

• The company's outside counsel may bring information to the senior
executives under direct requirements of the Act and under rules of the
American Bar Association (ABA) adopted in August 2003.

• The company should also be aware that the bank's counsel is permitted
under these rules of the ABA to breach confidentiality if the attorney has
evidence that the company or its employees are about to commit
financial fraud.

Key point: The company can no longer go to counsel, ask for an opinion on the
legality of an action, and then ignore that advice in the belief that the attorney is
irrevocably bound to confidentiality.

12 Effect of Sarbanes-Oxley on monitoring

Effect of Sarbanes-Oxley on monitoring

Greater significance under SOX


Monitoring takes on greater significance under Sarbanes-Oxley:

• Surveillance of changes in operating and accounting systems that might
affect the internal controls of the company and call for interim
assessment, documentation, and testing of the internal control system

• Follow-up on corrective actions undertaken on identified weaknesses in
the control system that must be completed in the current period

• Follow-up on reports to and investigations by the audit committee

• Surveillance by the audit committee of the regulatory review of the
public accounting firm conducted under Section 104 of the
Sarbanes-Oxley Act

Effect of Sarbanes-Oxley on monitoring

Surveillance of changes in systems that might affect internal controls
Surveillance of changes in operating and accounting systems that might
affect the internal controls of the company and call for interim
assessment, documentation, and testing of the internal control system.

• The SEC modified the original language of Sarbanes-Oxley that
required quarterly assessment, documentation, and testing of the
internal control system.

• As the cost of SOX compliance became far greater than originally
envisioned, the SEC determined that a more practical approach was to
perform the full process annually and to perform the effort quarterly
where relevant changes occur.

• This approach created a more manageable workload in general;
however, it required the entity to have a monitoring system able to
identify those changes that require interim assessment, documentation,
and testing of those portions of the internal control system.
Effect of Sarbanes-Oxley on monitoring

Surveillance of changes in systems that might affect internal controls (continued)
• The timing of those efforts is important as well. The assessment must
be made and any corrective action taken and completed before the
close of the reporting quarter.

Key point: If the full process—i.e., assessment, documentation, testing, corrective
action—is not completed by the quarter-end, a reportable condition is created for
the company and the auditor's attestation report.

Effect of Sarbanes-Oxley on monitoring

Setting up the monitoring process/following up on corrective actions
Several items should be considered in setting up the monitoring process:

• New computer systems

• New accounting systems (noncomputerized)

• Organizational realignments

• Significant new product launches

• Significant new physical locations (factories, etc.)

• Major economic changes, particularly in multinational organizations that
affect the company's asset values or accounting estimates

• Significant new laws or regulations affecting the company's operations

Effect of Sarbanes-Oxley on monitoring

Setting up the monitoring process/following up on corrective actions (continued)
The monitoring process should have a checklist of key items and identified
individuals to perform the monitoring duties. There should be an affirmative
report from the assigned individuals that they have checked for possible
changes and have found none, or reporting on what was found and the
results of assessment, documentation, and testing.

Effect of Sarbanes-Oxley on monitoring

Setting up the monitoring process/following up on corrective actions (continued)
Follow-up on corrective actions undertaken on identified weaknesses in
the control system that must be completed in the current period.

• When problems arise, management must be sure that prompt
corrective action is taken.

• This is especially true if the problem is a significant or material
weakness in the system of internal control.

• The speed of corrective action is critical to the reporting of control
weaknesses in the management statement and the auditor's
attestation.

• A material weakness that is not corrected at the end of a reporting
period must be disclosed.

Effect of Sarbanes-Oxley on monitoring

Setting up the monitoring process/following up on corrective actions (continued)

Key point:

• The company's monitoring process must include close attention to the
prompt completion of corrective action on all discovered weaknesses in
the internal control system, especially material weaknesses.

• Material weaknesses must be reported to the audit committee and the
public accounting firm whether or not they are corrected.

Effect of Sarbanes-Oxley on monitoring

Follow-up on reports to and investigations by
the audit committee

The audit committee must have channels of communication and the
record-keeping systems in place to receive information and see that
investigations take place on reports of problems in the control system.

To ensure that these reports and investigations are addressed to
conclusion, there must be provisions in the process for follow-up.

Effect of Sarbanes-Oxley on monitoring

Follow-up on reports to and investigations by the audit
committee (continued)

Audit committee members are not full-time employees of the company
and normally do not have a full-time staff to support them. This might
become an obstacle to effective monitoring and follow-up.

• The committee may choose to use the head of internal audit or the
company's in-house counsel to assist with the monitoring of the reports
and investigations.

• The audit committee may retain outside consultants to perform special
investigations and/or analyses.

Effect of Sarbanes-Oxley on monitoring

Follow-up on reports to and investigations by the audit
committee (continued)

Surveillance by the audit committee of the regulatory review of the
public accounting firm conducted under Sarbanes-Oxley Section 104.

• Another issue of monitoring that falls to the audit committee is
surveillance of the regulatory reviews conducted on the company's
public accounting firm.

– These are public record, unlike peer reviews conducted prior to
Sarbanes-Oxley.

– The reports will be public record and, if not furnished by the public
accounting firm upon request, can be obtained from the PCAOB or
the SEC.

Effect of Sarbanes-Oxley on monitoring

Follow-up on reports to and investigations by the audit
committee (continued)

– The audit committee should have this item on its agenda so that the
review is obtained annually (tri-annually for smaller public
accounting firms).

– In addition, the committee should have this as an item on the due
diligence checklist if a change in public accounting firm is being
considered.

Effect of Sarbanes-Oxley on monitoring

Follow-up on reports to and investigations by the audit
committee (continued)

• As an added issue, the audit committee should see that the
engagement and review partners at the public accounting firm are being
rotated every five years as required by Section 203 of the Act.

Key point: The public accounting firm should take care of this issue; however,
the audit committee should monitor to ensure that the CPA firm is in compliance.

Thank you.
Thanks for viewing this
on demand course!

• You are now eligible to take the final exam.

• Once you have successfully completed the final exam (70% or higher),
your CPE certificate will be immediately awarded for you to view, print,
or download.
