Controls Process of exercising a restraining or guiding influence over the activities of an object, organism, or system Exist everywhere Operationalized in many ways
Date posted: 21-Dec-2015
Category: Documents

Page 1: Controls Process of exercising a restraining or guiding influence over the activities of an object, organism, or system Exist everywhere Operationalized.

Controls

• Process of exercising a restraining or guiding influence over the activities of an object, organism, or system
• Exist everywhere
• Operationalized in many ways

Page 2

Control philosophy

• Controls permeate, not dominate
• Controls are everybody's, not the accountant's
• Controls are part of the operation
• Controls are built into the system

Page 3

Internal Control Systems

Internal control in a business: the methods a business uses to
• safeguard assets,
• provide accurate, reliable information,
• promote and improve operational efficiency, and
• encourage adherence to prescribed managerial policies.

Controls in the external reporting world

Page 4

Objective of IC

To reduce the likelihood that a threat will come to pass and result in a loss to the organization.

Threat, likelihood, exposure

Page 5

COSO

Internal Control—as defined by the professional organizations most directly involved:

Internal control is a process, effected by an entity's board of directors, management and other personnel, to provide reasonable assurance regarding the achievement of management's objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Page 6

Components of IC

• Control environment: tone at the top
• Risk assessment: identification and analysis of risks
• Control activities: policies and procedures
• Information and communication: processing info for people to do their jobs
• Monitoring: assess quality of internal control over time

Page 7

Enterprise risk management

ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Moves from emphasis on risks relating to financial reporting and compliance to emphasis on ALL risks of the business

Page 8

Page 9

The Control Environment

• Commitment to integrity and ethics
• Management's philosophy and style
• Organizational structure
• Audit committee and the board (function)
• Methods of assigning responsibility
• Human resources policies and practices
• External influences

Page 10

C&L overheads on Control Environment

Page 11

Risk Assessment—COSO

• Determine threats to the company
• Estimate probability of threat occurring
• Estimate exposure from each threat
• Identify set of controls to guard against threat
• Estimate costs and benefits of implementing controls
• Evaluate whether to put controls in place
• Implement controls
• Iterate

Page 12

Risk Assessment—ERM

• Objective setting: What does the enterprise wish to do?
• Event identification: What could go wrong?
• Risk assessment: Likelihood of event, exposure, cost/benefit
• Risk response: Avoid, reduce, share, accept…

Page 13

Events/Threats (negative)

• Business threats (economic, environmental, social, political…)
  - Internal or external
  - Occurs at wrong time, wrong sequence, wrong actors, wrong place…
• Information threats
  - Recording/Processing/Reporting

Tools for identifying

Page 14

Risk Assessment & Response

• Calculate expected loss
• Determine costs of controls
• Benefit = reduction in expected loss
• Consider special reasons for investing in control even when cost > benefit

Risk appetite: Avoid, accept, share, reduce

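The steps on pages 11 and 14 (estimate probability and exposure, cost the control, take the reduction in expected loss as the benefit, then choose a response within the risk appetite) can be carried through in code. The following is an added example, not from the slides; the threats, controls, figures and the `mandatory` flag that models a "special reason" to invest even when cost exceeds benefit are all constructed for illustration.

```python
"""Expected-loss evaluation of candidate controls, following the Risk Assessment
steps on the slides.  Added example with constructed figures, not from the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # estimated annual likelihood the threat comes to pass (0..1)
    exposure: float      # estimated loss if it does, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_probability: float   # likelihood that remains once the control is in place
    residual_exposure: float      # loss that remains once the control is in place
    mandatory: bool = False       # 'special reason' to invest even when cost > benefit (e.g. a legal duty)


def expected_loss(probability: float, exposure: float) -> float:
    """Expected loss = likelihood x exposure."""
    return probability * exposure


def control_benefit(threat: Threat, control: Control) -> float:
    """Benefit = reduction in expected loss delivered by the control."""
    before = expected_loss(threat.probability, threat.exposure)
    after = expected_loss(control.residual_probability, control.residual_exposure)
    return before - after


def recommend_response(threat: Threat, control: Control, risk_appetite: float) -> str:
    """Choose among the slides' responses: accept, reduce, share, avoid.

    risk_appetite is the expected loss per threat the organisation will carry.
    'reduce+share' means implement the control and transfer what remains
    (insurance, contract terms); 'share/avoid' flags a threat whose control is
    not cost-justified, so the choice is between transferring the risk and
    stopping the activity."""
    inherent = expected_loss(threat.probability, threat.exposure)
    if inherent <= risk_appetite:
        return "accept"
    benefit = control_benefit(threat, control)
    if benefit < control.annual_cost and not control.mandatory:
        return "share/avoid"
    residual = inherent - benefit
    return "reduce" if residual <= risk_appetite else "reduce+share"


def evaluate_register(register, risk_appetite: float):
    """Apply the steps to every (threat, candidate control) pair; one row per threat."""
    rows = []
    for threat, control in register:
        rows.append({
            "threat": threat.name,
            "expected_loss": expected_loss(threat.probability, threat.exposure),
            "control": control.name,
            "benefit": control_benefit(threat, control),
            "cost": control.annual_cost,
            "response": recommend_response(threat, control, risk_appetite),
        })
    return rows


# Constructed register for illustration (not real figures).
SAMPLE_REGISTER = [
    (Threat("unauthorised wire transfer", 0.10, 500_000),
     Control("dual authorisation over a threshold", 12_000, 0.02, 500_000)),
    (Threat("lost laptop with customer data", 0.05, 100_000),
     Control("full-disk encryption", 4_000, 0.05, 5_000)),
    (Threat("ransomware on file servers", 0.30, 200_000),
     Control("offline backups and restore drills", 55_000, 0.05, 200_000)),
    (Threat("payroll master-file change by one person", 0.50, 80_000),
     Control("independent review of change reports", 5_000, 0.35, 80_000)),
]
SAMPLE_APPETITE = 20_000

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER, SAMPLE_APPETITE):
        print(f"{row['threat']:45} EL {row['expected_loss']:>9,.0f}  benefit {row['benefit']:>9,.0f}"
              f"  cost {row['cost']:>7,.0f}  -> {row['response']}")
```

With the constructed figures the first threat is reduced (benefit 40,000 against a 12,000 control), the second is accepted because its expected loss is already inside the appetite, the third shows the cost > benefit case where only a mandatory reason would justify the control, and the fourth is reduced but still needs the remainder shared.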
Page 15

Control Activities

• Authorization of transactions
• Segregation of incompatible duties
• Independent checks on performance
• Safeguarding assets and information
• Design and use of adequate records
• Management and review of activities

Lots of ways to look at these…

Page 16

Segregation of duties—computer system

• Systems analyst
• Programmer
• Computer operator
• Testing group
• AIS library
  - Data, programs
• Management control of IS

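Segregation of incompatible duties (page 15) and the computer-system roles on page 16 lend themselves to an automated check over whatever role assignments the identity system actually holds. The following is an added example, not from the slides: the incompatible pairs and the user assignments are constructed, and an "approved exception" mechanism is included because small shops often cannot split every role and instead rely on an independent check on performance as a compensating control.

```python
"""Segregation-of-duties check over a constructed role assignment.  Added example,
not from the slides; the incompatible pairs are an assumed policy for illustration."""
from itertools import combinations

# Pairs of roles one person should not hold at the same time (assumed policy).
INCOMPATIBLE_ROLE_PAIRS = {
    frozenset({"programmer", "computer operator"}),       # writes code and runs it in production
    frozenset({"programmer", "ais library"}),             # writes code and controls the program library
    frozenset({"programmer", "testing group"}),           # writes code and signs off its own tests
    frozenset({"systems analyst", "computer operator"}),  # designs the system and operates it unchecked
    frozenset({"transaction authorizer", "transaction recorder"}),  # authorizes and records the same entry
}

# Constructed assignment: user -> roles granted in the system.
SAMPLE_ASSIGNMENTS = {
    "alice": {"programmer", "testing group"},
    "bob": {"computer operator"},
    "carol": {"systems analyst", "programmer", "computer operator"},
    "dave": {"ais library"},
    "erin": {"transaction authorizer", "transaction recorder"},
}


def normalise(role: str) -> str:
    """Role names arrive in mixed case from different systems; compare them canonically."""
    return role.strip().lower()


def sod_violations(assignments, incompatible=INCOMPATIBLE_ROLE_PAIRS, approved_exceptions=()):
    """Return sorted (user, role_a, role_b) triples where a user holds both roles of an
    incompatible pair and no documented exception covers that user and pair."""
    approved = {(user, frozenset({normalise(a), normalise(b)})) for user, a, b in approved_exceptions}
    violations = []
    for user, roles in assignments.items():
        canonical = {normalise(r) for r in roles}
        for a, b in combinations(sorted(canonical), 2):
            pair = frozenset({a, b})
            if pair in incompatible and (user, pair) not in approved:
                violations.append((user, a, b))
    return sorted(violations)


def conflicts_by_user(assignments, incompatible=INCOMPATIBLE_ROLE_PAIRS, approved_exceptions=()):
    """Group violations per user so a reviewer sees which roles to split (or to cover
    with an independent check on performance until they can be split)."""
    grouped = {}
    for user, a, b in sod_violations(assignments, incompatible, approved_exceptions):
        grouped.setdefault(user, set()).update({a, b})
    return {user: sorted(roles) for user, roles in grouped.items()}


if __name__ == "__main__":
    for user, roles in conflicts_by_user(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: holds incompatible roles {roles}")
```

Run against the constructed data, the check reports alice (develops and tests her own code), carol (two conflicting pairs) and erin (authorizes and records), while bob and dave are clean; recording alice's pairing as an approved exception with a compensating review removes it from the list without hiding it from the policy.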
Page 17

Access and safeguarding—computer system

• Data protection controls
  - Physical and logical
  - Lock rooms, require passwords
  - Data transmission, Internet
• Preventive
  - Labeling, librarians, data dictionaries
  - Backup…
  - Uninterruptible power sources
  - Disaster recovery

Page 18

Project controls

Project development and implementation controls include:
• Team that knows why this is being done, individuals responsible
• Project plan, timeline, schedule, budget
• Good RFP, good specifications
• Check references—groups and individuals
• Sunk costs are sunk

Page 19

Communication and information

Accounting (information) system(s): AIS objectives related to communication & information
• Record all, valid transactions
• Classify
• Valuation
• Periodicity
• Presentation and disclosure

Page 20

Monitoring

• Effective supervision
• Responsibility accounting
• Internal auditing
• Fraud controls

Page 21

Overall considerations

• Means to an end
• System - with goals, interrelated components
• Management's responsibility
• Requires competence, honesty, ethical behavior
• Reasonable assurance, not perfection
• Cost-benefit

Page 22

Some basics of SOX

Sarbanes-Oxley Act of 2002
• Creates Public Company Accounting Oversight Board…
  - gives PCAOB rights of the 1934 Securities Act
  - 5 member board, two current or former CPAs, three not
  - SEC oversees the board
• Identifies specific rules and procedures that the PCAOB must require/adhere to

Page 23

PCAOB duties

• Register public accounting firms
• Establish rules for auditing, independence, ethics, etc. for prep of audit reports
• The SEC will recognize GAAP from bodies that meet some requirements and meet the SEC approval—Board may qualify, FASB does qualify

Page 24

Partner/staff rotation

• Partners rotate 5 on, 5 off
• The CEO, Controller, CFO, Chief Accounting Officer or person in an equivalent position cannot have been employed by the company's audit firm during the 1-year period preceding the audit.

Page 25

Prohibited services

Auditor may not do:
• Bookkeeping or services related to financial statements
• AIS design or implementation
• Internal audit outsourcing
• Management or HR functions
• Legal or expert services unrelated to audit
• Others…

Page 26

Ok services

• Pre-approved by the audit committee
• Disclosed to stockholders

Pre-approval waived if
• Aggregate is < 5% of total revenues
• Not recognized as non-audit at the time of engagement
• Promptly brought to attention of audit committee

Page 27

Audit committees

• Must be independent directors
• Responsible for appointment, compensation and oversight of “registered” public accounting firms working for the company
• Oversee all complaints regarding accounting, controls and auditing
• At least one “financial expert”

Page 28

What is a financial expert? (McGladrey)

• An understanding of financial statements and GAAP
• An ability to assess application of GAAP for estimates, accruals and reserves
• Experience preparing, auditing, analyzing or evaluating financial statements that represent a breadth and level of complexity of accounting issues for the registrant's financial statements, or experience actively supervising one or more persons engaged in such activities
• An understanding of internal controls and procedures for financial reporting
• An understanding of audit committee functions

Page 29

Responsibility for reports

• CEO and CFO must certify the “appropriateness of the financial statements and disclosures…fairly present…operations and financial position”—Section 302
• Restatements due to noncompliance with financial reporting requirements require disgorgement of profits by CEO and CFO

Page 30

Miscellaneous

• Reflect all correcting adjustments
• Disclose off-balance sheet transactions
• No personal loans to directors or executives
• Designated transactions reported within 2 business days
• Study SPEs

Reflect the “economics” of off-balance sheet transactions

Page 31

Section 404—management assessment of IC

Each annual report includes an internal control report
• State responsibility of mgmt
• Assessment of effectiveness of structure and procedures
• Auditor attests to management's assessment

Not a separate engagement

Page 32

Section 404—some detail

• Management makes an assessment of IC design and effectiveness
• Auditor makes an assessment of IC design and effectiveness
  - Design—do the controls exist, for relevant assertions and significant accounts
  - Effectiveness—do the controls work, for relevant assertions and significant accounts (inquiries and observations; review documents; compare supporting documents; walkthroughs; etc.)
• Report on management assessment; report on IC; report on financial statements

Page 33

Likely Reporting Scenarios

Scenario | Mgmt's Report: IC Effective? | Auditor's Report on Mgmt's Report | Auditor's Report on IC | Auditor's Report on FS
No Material Weakness | Effective | Unqual. | Unqual. | Unqual.
Material weakness, identified by mgmt & auditor | Not Effective | Unqual. | Adverse | Unqual.
Material weakness, not identified by mgmt, but by auditor | Effective | Adverse | Adverse | Unqual.

Page 34

Material Weakness

Deficiencies can exist in design or effectiveness. Deficiencies can be:
• Control—would not prevent or detect misstatements in ordinary course of business
• Significant—one or more control deficiencies. A control deficiency that adversely affects the company's ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles. Must be reported to committee
• Material—one or more significant deficiencies. A significant deficiency that, alone or with others, results in more than a remote likelihood that a material misstatement of the financials will not be prevented or detected. Must be reported publicly

Page 35

IC deficiencies

Type | Likelihood | | Magnitude
Control deficiency | Remote | and/or | Inconsequential
Significant deficiency | More than remote | and | More than inconsequential
Material weakness | More than remote | and | Material to financial statements

Page 36

[Chart: likelihood on one axis (Remote to Probable) against magnitude on the other (Immaterial to Material), with the high-likelihood, material region labelled MATERIAL WEAKNESS]

Page 37

Factors to consider

Likelihood of misstatement:
• Susceptibility to fraud
• Cause and frequency of exceptions to IC
• Nature of accounts
• Interaction with other controls

Magnitude of misstatement:
• Financial statement amounts
• Amount of transactions
• Volume of transactions/activity

Page 38

Indicators of potential material weakness

• Weak control environment
• Fraud of any magnitude in management
• Identification of material misstatement caught by auditors, but not by firm
• Ineffective oversight by audit committee
• Communicated deficiencies not corrected by management

Page 39

Examples of material weakness

• Financial close process—often related to staffing, training, time
• IT general controls—pervasive problems
• Inventory process—particularly related to end-of-period
• Account reconciliations—all accounts are analyzed and reconciled to the supporting schedules

Handout from Accounting Horizons

Page 40

Controls

Over Financial Reporting—404
• Relate to prep of external FS, fairly presented in conformity with GAAP
• Safeguarding assets
• Address likelihood of fraud

Over Disclosure Procedures—302
• Information required to be disclosed is recorded, processed, summarized, reported within prescribed time period
• Ensure information is communicated to executive management timely for disclosure requirements

Page 41

Management certifications

• 302—CEO and CFO certify periodic SEC filings—fairness of FS and operating effectiveness of disclosure controls and procedures
• 404—Management's assessment of IC with auditor attestation—annual assessment and reporting by both mgmt and auditor on the effectiveness of IC over financial reporting
• 906—CEO and CFO: financial reporting certification and criminal penalties—all SEC reports with financials, fairness of FS and compliance with requirements of SEA of 1934

Page 42

Group question

Walkthroughs must be done by the auditor him/herself. It is not permissible to use an internal auditor or other third-party to perform this task.

Several commenters objected to this prohibition on using the work of internal auditors for walkthroughs. They described situations in which internal auditors would be better able to effectively perform walkthroughs because internal auditors understood the company's business and controls better than did the auditors who would be forced to do the walkthroughs.

What is your response to the commenters?

Page 43

IC in a computerized environment

Concepts of control do not change
• Objectives
• Framework (COSO)
• Structure (environment, plan, procedures)

Implementation will change
• More focus on system (embedded) controls
• Continuous rather than periodic controls

Random v. systematic errors

Page 44

Categories of IC in a computerized environment

• General Controls – pervasive, relate to the entire system. Control environment must be managed well to enhance effectiveness of application controls
• Application Controls – specific, relate to individual portions of the system—or types of transactions. Prevent, detect, correct errors in input, processing, output

Page 45

General Controls

• System reliability
• Separation of incompatible functions
• Access
• Backup and recovery
• Management of the IS function

Adopting an IS mindset

Page 46

System Reliability

System reliability is defined as: “A system that operates without material error, fault or failure during a specified time in a specified environment.”

Page 47

Principles to achieve system reliability

a. Security. The system is protected against unauthorized access (both physical and logical).

b. Availability. The system is available for operation and use as committed or agreed.

c. Processing integrity. System processing is complete, accurate, timely, and authorized.

d. Confidentiality. Information designated as confidential is protected from unauthorized disclosure.

e. Privacy. Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.

Page 48

Criteria for implementing principles

Policies. The entity has defined and documented its policies relevant to the particular principle.

Communications. The entity has communicated its defined policies to authorized users.

Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.

Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.

Page 49

Security

• Security is a management issue, not a technology issue
• Redundancy—Defense in depth
• Control categories—apply to manual and computer
  - Preventive
  - Detective
  - Corrective

Page 50

Electronization of business

Redesign of internal processes is often implemented to conduct e-business, and is often the result of conducting e-business.
• Sometimes is an imperative for survival.
• Does not directly provide a competitive advantage.
• Can be used to more effectively implement a basic strategy.

Page 51

What makes electronization of business successful

• The degree to which e-business activities fit and support the organization's overall business strategy (understanding strategy is a method to do this)
• The ability to guarantee that e-business processes satisfy the three key characteristics of any business transaction (encryption is a method to do this)
  - Validity
  - Integrity
  - Privacy

Page 52

Characteristics

• Validity: authenticate identity of other (both) parties, so the contract is enforceable
• Integrity: ensure that the information exchanged has not been altered
• Privacy: ensure that confidentiality is maintained

Page 53

Encryption—Plaintext, ciphertext, hash

There are two principal types of encryption systems:
• Single-key systems: Same key is used to encrypt and decrypt the message (symmetric)
  - Simple, fast, and efficient
  - Example: the Data Encryption Standard (DES) algorithm
• Public Key Infrastructure (PKI): Uses pair of keys, one to encrypt and one to decrypt (asymmetric):
  - Public key is available to all who want it
  - Private key is kept secret and known only by the owner of that pair of keys.

MD5 (or a similar program) creates a “digest”, which is undecipherable, but invariant for a given text stream

Page 54

Digital Signatures and Digests

• Digital signature: A method of uniquely identifying the sender of a message.
• Digital certificate: third party verification that the owner of a private/public key pair is who the signature says it is
• Digest: A digital summary. If any individual character in the original document changes, the value of the digest also changes. It does not provide the information, just knowledge that the information has/has not changed

Page 55

IS perspective for Business

• security training
  - consciousness of the folks involved
  - familiarity breeds slackers
• segregation of duties becomes more difficult
  - hard to restrict access
  - changing data/programs is common
• development control
  - mission critical v. personal uses
• Use of Spreadsheets—see reading for today for copious detail

Page 56

[Diagram: Erin's computer → Internet or Network → Sally's computer. Labels, in order of the flow: Contract "Erin buy from Sally"; DES Key; Encrypted Contract (Contract is private); Public Key-Sally → Encrypted Key → Private Key-Sally (Only Sally can read); MD5 → Hash Digest-1 → Private Key-Erin → Encrypted Hash → Public Key-Erin → Hash Digest-1 (Digital Signature; Must be from Erin); MD5 → Hash Digest-2 → Compare (Contract is unaltered)]

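The exchange drawn on page 56, which ties together the symmetric key, public key and digest ideas of pages 53 and 54, can be run end to end. The following is an added example, not from the slides. It keeps the slide's structure (a session key for the contract, Sally's public key to wrap that key, an MD5 digest signed with Erin's private key) but uses stand-ins that are assumptions of this example: textbook RSA over small primes generated at run time instead of a PKI key pair, and a SHA-256 counter keystream XOR in place of DES. Both stand-ins, like MD5 and unpadded RSA themselves, are for showing the data flow and Sally's two checks, not for protecting anything.

```python
"""The Erin/Sally exchange of slide 56, worked end to end.  Added example, not
from the slides: toy RSA and a keystream XOR stand in for the PKI pair and DES."""
import hashlib
import os
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with a fixed-seed base sequence, so runs are repeatable."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start: int) -> int:
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n


def rsa_keypair(bits: int = 80):
    """Return ((n, e), (n, d)) with n about 2*bits wide, so a 128-bit MD5 digest or
    a 128-bit session key fits under the modulus as one integer (toy sizes only)."""
    e = 65537
    p = next_prime(1 << bits)
    while (p - 1) % e == 0:                              # e must be invertible mod phi
        p = next_prime(p + 2)
    q = next_prime((1 << bits) + (1 << (bits - 4)))     # a second prime in the same range
    while q == p or (q - 1) % e == 0:
        q = next_prime(q + 2)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, value: int) -> int:
    """Textbook RSA: one modular exponentiation encrypts, decrypts, signs or verifies."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under the modulus")
    return pow(value, exponent, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """DES stand-in: XOR with SHA-256(key || counter) blocks; symmetric, so one call both ways."""
    out = bytearray()
    for i, offset in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def erin_sends(contract: bytes, sally_public, erin_private) -> dict:
    """Erin: encrypt the contract under a fresh key, wrap the key for Sally, sign the digest."""
    session_key = os.urandom(16)                                          # the slide's 'DES Key'
    digest_1 = int.from_bytes(hashlib.md5(contract).digest(), "big")     # 'Hash Digest-1'
    return {
        "encrypted_contract": keystream_xor(session_key, contract),                    # 'Contract is private'
        "encrypted_key": rsa_apply(sally_public, int.from_bytes(session_key, "big")),  # 'Only Sally can read'
        "encrypted_hash": rsa_apply(erin_private, digest_1),                           # the digital signature
    }


def sally_receives(msg: dict, sally_private, erin_public):
    """Sally: unwrap the key, decrypt, recompute the digest and compare it with the
    one recovered from Erin's signature.  Returns (contract, verdict); contract is
    None when a check fails."""
    try:
        session_key = rsa_apply(sally_private, msg["encrypted_key"]).to_bytes(16, "big")
    except OverflowError:                            # a tampered wrapped key unwraps to garbage
        return None, "reject: wrapped key is not valid"
    contract = keystream_xor(session_key, msg["encrypted_contract"])
    digest_2 = int.from_bytes(hashlib.md5(contract).digest(), "big")     # 'Hash Digest-2'
    digest_1 = rsa_apply(erin_public, msg["encrypted_hash"])             # recovered 'Hash Digest-1'
    if digest_1 != digest_2:                                             # 'Compare'
        return None, "reject: digest mismatch, altered in transit or not signed by Erin"
    return contract, "accept: must be from Erin, contract is unaltered"


def demo(tamper: bool = False):
    """Run the exchange once; with tamper=True one ciphertext byte is flipped on the wire."""
    sally_public, sally_private = rsa_keypair(bits=80)
    erin_public, erin_private = rsa_keypair(bits=84)    # a different pair for Erin
    msg = erin_sends(b"Contract: Erin buy from Sally", sally_public, erin_private)
    if tamper:
        ct = bytearray(msg["encrypted_contract"])
        ct[0] ^= 0x01
        msg["encrypted_contract"] = bytes(ct)
    return sally_receives(msg, sally_private, erin_public)
```

`demo()` returns the recovered contract with an accept verdict; `demo(tamper=True)` shows the point page 54 makes about digests: a single changed byte in transit leaves Hash Digest-2 different from the signed Hash Digest-1, and Sally rejects without needing to know what was changed. The same comparison also fails if anyone other than Erin produced the signature, since only her private key yields a value that her public key turns back into the digest.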
Page 57

General Controls—audit firm list

• Company level controls: Monitoring, planning, assessment—Definition of IT roles, Assessment of significant IT activities outside the IT function…
• Change controls: Approval, separation of duties, policies—Testing & QA of changes, authorization of changes, separate developers from production environment
• Operations: Policies, roles—Formal backup policies, operational policies and procedures well defined
• Security: Review, access, data/system—periodic review of access, policies for admitting new users/user access, review of exception logs

Page 58

Key application controls

• Batch totals - aid in computer environment, often embedded in the process
• Source data controls – pre-numbered, turnaround, computer-readable
• Online data entry
  - preformat
  - prompt
  - accuracy (completeness)

Page 59

More application controls

• Input validation
  - edit program
  - sequence checks
  - validity check
• File maintenance
  - reconcile master with other data
  - data security
• Output controls
  - user review
  - reconcile batch totals
  - bursting documents—control over distribution, logical and physical
  - error logs

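Pages 58 and 59 name the application controls without showing how they act on a batch of input. The following edit program is an added example, not from the slides: it runs field edits, a validity check against a master file, a sequence check over pre-numbered source documents and a batch-total reconciliation, and writes an error log. The record layout, the account master file, the batch header fields and the sample transactions are constructed for illustration.

```python
"""Edit program for a constructed batch of journal entries, exercising the
application controls of slides 58 and 59.  Added example; layout and data are
constructed, not from the slides."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Master file of valid account codes (constructed).
VALID_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}

# Batch header as sent by the originating department (constructed): the
# preparer's own record count and control total are what we reconcile against.
BATCH_HEADER = {"batch_id": "B-0042", "record_count": 5, "control_total": Decimal("1525.00")}

# Pre-numbered source documents.  Deliberately seeded with one missing number
# (1003), one duplicate (1004), one account not on the master file, one bad
# date and one malformed amount.
BATCH_RECORDS = [
    {"doc_no": 1001, "date": "2015-12-21", "account": "1000", "amount": "500.00"},
    {"doc_no": 1002, "date": "2015-12-21", "account": "1200", "amount": "250.00"},
    {"doc_no": 1004, "date": "2015-12-21", "account": "9999", "amount": "300.00"},
    {"doc_no": 1004, "date": "2015-12-21", "account": "4000", "amount": "300.00"},
    {"doc_no": 1005, "date": "2015-13-01", "account": "5000", "amount": "2,75"},
]


def field_edits(rec):
    """Per-record edits: valid date, numeric amount, account present on the master file.
    Returns (amount or None, list of error strings)."""
    errors = []
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("invalid date")
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        errors.append("non-numeric amount")
        amount = None
    if rec["account"] not in VALID_ACCOUNTS:          # validity check against the master file
        errors.append("account not on master file")
    return amount, errors


def sequence_check(doc_numbers):
    """Pre-numbered documents must run without gaps or duplicates."""
    errors, seen = [], set()
    expected = min(doc_numbers)
    for n in sorted(doc_numbers):
        if n in seen:
            errors.append(f"duplicate document {n}")
            continue
        seen.add(n)
        while expected < n:
            errors.append(f"missing document {expected}")
            expected += 1
        expected = n + 1
    return errors


def edit_batch(header, records):
    """Run the edits and reconcile the batch totals.  A batch with any error is held
    for correction rather than posted; the error log is what the user reviews."""
    error_log = []
    computed_total = Decimal("0")
    for rec in records:
        amount, errs = field_edits(rec)
        if amount is not None:
            computed_total += amount
        error_log.extend(f"doc {rec['doc_no']}: {e}" for e in errs)
    tag = f"batch {header['batch_id']}"
    error_log.extend(f"{tag}: {e}" for e in sequence_check([r["doc_no"] for r in records]))
    if len(records) != header["record_count"]:
        error_log.append(f"{tag}: record count {len(records)} != header {header['record_count']}")
    if computed_total != header["control_total"]:   # reconcile batch totals
        error_log.append(f"{tag}: control total {computed_total} != header {header['control_total']}")
    return {"accepted": not error_log, "computed_total": computed_total, "errors": error_log}


if __name__ == "__main__":
    result = edit_batch(BATCH_HEADER, BATCH_RECORDS)
    print("accepted:", result["accepted"], "computed total:", result["computed_total"])
    print("\n".join(result["errors"]))
```

On the constructed batch the program holds the batch and logs six findings: the off-master account, the bad date and malformed amount on document 1005, the gap at 1003, the duplicate 1004, and a control total of 1350.00 against the header's 1525.00. Note that the total mismatch alone would not say which record is wrong; it is the pre-numbering and field edits that localise the errors, which is why the slides list these controls together.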
Page 60

Goal oriented—explicit

• Tie controls to goals
  - Operations
  - Information
• Create control plans
• Evaluate the usefulness of controls
• Formal method