05 Internal Controls Presentation
[Figure: timeline, 1990 to 2000: WorldCom, Enron, Tyco, Adelphia, Xerox]
Government Regulation
In July 2002, Congress passed the
Sarbanes-Oxley Public Company
Accounting Reform and Investor
Protection Act.
Board of Directors
Audit Committee
Auditing Standards
Auditing standards serve as
guidelines for and measures of
the quality of the auditor’s
performance.
PCAOB: Public Companies
Auditing Standards Board: Nonpublic Companies
GAAS
Statements on Auditing Standards
(SAS)—Interpretations of GAAS
PCAOB adopted, on an
interim basis, GAAS and
SAS. Standards issued
by PCAOB are called
Auditing Standards (AS).
Organizations That Affect the
Public Accounting Profession
American Institute of Certified Public Accountants (AICPA)
Securities and Exchange Commission (SEC)
Privity
Near Privity
Foreseen 3rd Parties
Reasonably Foreseeable 3rd Parties
Common Law—Third Parties
Auditor's Liability to 3rd Parties for Negligence
Ultramares (1931)
Credit Alliance (1985)
Security Pacific Business Credit, Inc. (1992)
Rusch Factors, Inc. (1968)
H. Rosenblum, Inc. (1983)
If an auditor has acted with knowledge and intent to deceive a
third party, he or she can be held liable for fraud.
Fraud
Third Party
Must Prove
Sarbanes-Oxley Act
of 2002
Securities Act of 1933
Generally regulates the disclosure of
information in a registration statement for a new
public offering of securities.
Third Party
Must Prove
Creation of PCAOB
RICO provides for civil and criminal sanctions for
certain illegal acts.
Criminal Liability
Gross Negligence
Fraud
Approaches to Minimizing
Legal Liability
Professional Level
1. Establish stronger auditing and attestation standards.
2. Update Code of Professional Conduct and sanction
members who do not comply.
3. Educate users.
Firm Level
1. Institute sound quality control and review procedures.
2. Ensure independence.
3. Follow sound client acceptance and retention procedures.
4. Be alert to risk factors.
5. Perform and document work diligently.
Management’s Assessment
Process
Management must:
1. Design and implement an effective system of internal control.
This process involves determining whether a necessary
control is missing or an existing control is not properly
designed.
2. Develop an ongoing assessment process for the internal
controls in place. Management must assess the likelihood
that failure of a control could result in a misstatement.
3. Decide which business units to include in
the assessment process.
Management’s Documentation
Management must develop sufficient
documentation to support its assessment of the
effectiveness of internal control. This
documentation may take many forms, such as
paper, electronic files, or other media. It also
includes policy manuals, job descriptions,
flowcharts, and process models.
Performing an Audit of Internal
Control over Financial Reporting
Evaluate management’s
assessment process.
The auditor typically obtains his or her understanding of
management’s assessment process through inquiry of
management and others.
Performing an Audit of Internal
Control over Financial Reporting
Plan the engagement.
Evaluate management’s
assessment process.
Transaction Authorization
• used to ensure that employees are
carrying out only authorized
transactions
• general (everyday procedures) or
specific (non-routine transactions)
authorizations
Physical Controls
Segregation of Duties
• In manual systems, separation between:
– authorizing and processing a transaction
– custody and recordkeeping of the asset
– subtasks
• In computerized systems, separation between:
– program coding
– program processing
– program maintenance
Physical Controls
Supervision
• compensates for a lack of segregation of duties;
some supervision may be built into computer
systems
Accounting Records
• provide an audit trail
Physical Controls
Access Controls
• help to safeguard assets by restricting
physical access to them
Independent Verification
• reviewing batch totals or reconciling
subsidiary accounts with control
accounts
Physical Controls in IT Contexts
Transaction Authorization
• The rules are often embedded within
computer programs.
– EDI/JIT: automated re-ordering of inventory
without human intervention
Physical Controls in IT Contexts
Segregation of Duties
• A computer program may perform many
tasks that are deemed incompatible.
• Thus the crucial need to separate program
development, program operations, and
program maintenance.
Physical Controls in IT Contexts
Supervision
• Assessing the competence of employees
becomes more challenging due to the
greater technical knowledge required.
Physical Controls in IT Contexts
Accounting Records
• ledger accounts and sometimes source
documents are stored on magnetic media
– no audit trail is readily apparent
Physical Controls in IT Contexts
Access Control
• Data consolidation exposes the organization
to computer fraud and excessive losses from
disaster.
Physical Controls in IT Contexts
Independent Verification
• When tasks are performed by the computer
rather than manually, an independent
check is not necessary.
• However, the programs themselves are
checked.