requires companies registered with the SEC to do the following:
1. Keep records that fairly and reasonably reflect the transactions of the firm and its financial position.
2. Maintain a system of internal control that provides reasonable assurance that the organization’s objectives are met.

“A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled. Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.” - SEC
History

1. SEC Acts of 1933 and 1934
- due to the stock market crash of 1929 and worldwide financial fraud by Ivar Kreuger
- required publicly traded companies to be audited by an independent auditor (i.e., CPA)
- required all companies that report to the SEC to maintain a system of internal control that is evaluated as part of the annual external audit
- SEC Act of 1933: (1) requires that investors receive financial and other significant information concerning securities being offered for public sale; and (2) prohibits deceit, misrepresentations, and other fraud in the sale of securities.
- SEC Act of 1934: created the Securities and Exchange Commission (SEC), empowered with broad authority over all aspects of the securities industry, which included authority regarding auditing standards.

2. Copyright Law – 1976
- management is held personally liable for violations (e.g., software piracy) if “raided” by the software police (a U.S. marshal accompanied by software vendors’ association representatives), and sufficient evidence of impropriety is found.

4. Committee of Sponsoring Organizations - 1992
- sponsoring organizations included Financial Executives International (FEI), the Institute of Management Accountants (IMA), the American Accounting Association (AAA), AICPA, and the IIA
- formed to address the series of S&L scandals of the 1980s
- formerly known as Treadway, named after its chair
- focus on an effective model for internal controls from the management perspective
- AICPA adopted the COSO model into auditing standards and published SAS No. 78 — Consideration of Internal Control in a Financial Statement Audit

5. Sarbanes-Oxley Act of 2002 (July 30)
- In general, the law supports efforts to increase public confidence in capital markets by seeking to improve corporate governance, internal controls, and audit quality.
- In particular, SOX requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems.
Auditing in CIS Environment Ocate, Lurysa
Objectives
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

Modifying Principles
- serve as a guide for designers and auditors of internal control systems
1. Management Responsibility
- establishment and maintenance of a system of internal control (SOX made it a law)
2. Methods of Data Processing
- the internal control system should achieve the four broad objectives regardless of the data processing method used
3. Limitations
a. possibility of error
b. circumvention
c. management override
d. changing conditions
4. Reasonable Assurance
- reasonableness means that the cost of achieving improved control should not outweigh its benefits.

Models

The PDC Model
1. Preventive Controls
- designed to reduce the frequency of occurrence of undesirable events
- force compliance with prescribed/desired actions
- e.g., a well-designed data entry screen
2. Detective Controls
- devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
- reveal specific types of errors by comparing actual occurrences to preestablished standards.
3. Corrective Controls
- taken to reverse the effects of detected errors and fix the problem
* For any detected error, there may be more than one feasible corrective action, but the best course of action may not always be obvious.
* Error correction should be viewed as a separate control step that should be taken cautiously.

Statement on Auditing Standards No. 109
- current authoritative document for specifying internal control objectives and techniques
- based on the COSO framework
- describes the complex relationship between the firm’s internal controls, the auditor’s assessment of risk, and the planning of audit procedures
- provides guidance to auditors in their application of the COSO framework when assessing the risk of material misstatement.

COSO Internal Control Framework
1. The Control Environment
- foundation of the 4 other control components
- sets the tone for the organization
- influences the control awareness
Elements:
a. integrity and ethical values of management
b. structure of the organization
c. participation of the BOD and audit committee
d. management’s operating style
e. management’s method of assessing performance
f. procedure of delegating responsibilities
g. external influences, e.g., regulatory agencies
h. policies for managing Human Resources
Examples of techniques to understand the C.E.
a. Auditors should assess the integrity of the organization’s management and may use investigative agencies to report on the backgrounds of key managers.
b. Auditors should be aware of conditions that would predispose the management of an organization to commit fraud.
c. Auditors should understand a client’s business and industry and should be aware of conditions peculiar to the industry that may affect the audit.
d. The board of directors should adopt, as a minimum, the provisions of SOX.
- Separate CEO and chairman.
- Set ethical standards.
- Establish an independent audit committee.
Audit subcommittees:
- compensation committee: Excessive use of short-term stock options to compensate directors and executives may result in decisions that influence stock prices at the expense of the firm’s long-term health.
- nomination committee: The board nominations committee should have a plan to maintain a fully staffed board of directors with capable people as it moves forward for the next several years. The committee must recognize the need for independent directors and have criteria for determining independence.
- access to outside professionals: All committees of the board should have access to attorneys and consultants other than the corporation’s normal counsel and consultants. Under the provisions of SOX, the audit committee of an SEC reporting company is entitled to such representation independently.

2. Risk Assessment
- changes in the operating environment
- new personnel who have a different understanding
- new / reengineered information system
- significant growth that strains existing IC
- implementation of new technology
- introduction of new product lines/activities
- organizational restructuring
- entering foreign markets
- adoption of new accounting principles

3. Information and Communication
- consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities.
An effective accounting information system will:
a. identify and record all valid financial transactions
b. provide timely information
c. accurately measure the financial value of transactions

4. Monitoring
- the quality of internal control design and operation can be assessed
a. gathers evidence of control adequacy by testing controls
b. communicates control strengths and weaknesses to management.
c. internal auditors make specific recommendations for improvements to controls.
Ongoing monitoring:
a. integrating special computer modules into the information system that capture key data and/or permit tests of controls to be conducted as part of routine operations; embedded modules thus allow management and auditors to maintain constant surveillance over the functioning of internal controls.
b. judicious use of management reports; timely reports allow managers in
functional areas such as sales, purchasing, production, and cash disbursements to oversee and control their operations.

5. Control Activities
- policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.

Physical Controls
a. Transaction Authorization: to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives.
- General authority – day-to-day acts
- Specific authorization – nonroutine
b. Segregation of Duties: to minimize incompatible functions
- Obj. 1: The authorization for a transaction is separate from the processing of the transaction.
- Obj. 2: Responsibility for asset custody should be separate from the record-keeping responsibility.
- Obj. 3: The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities. E.g., no individual should have sufficient access to accounting records to perpetrate a fraud.
c. Supervision: in small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision. For this reason, supervision is often called a compensating control.
d. Accounting Records: consist of source documents, journals, and ledgers.
2 reasons for an audit trail:
- The audit trail helps employees respond to customer inquiries by showing the current status of transactions in process.
- It enables external (and internal) auditors to verify selected transactions by tracing them from the financial statements to the ledger accounts, to the journals, to the source documents, and back to their original source.
e. Access Control: ensure that only authorized personnel have access to the firm’s assets.
* The access controls needed to protect accounting records will depend on the technological characteristics of the accounting system.
f. Independent Verification: to identify errors and misrepresentations by an individual who is not directly involved with the transaction or task being verified.
- assess performance of individuals
- integrity of the transaction processing system
- correctness of data
* Supervision takes place while the activity is being performed, by a supervisor with direct responsibility for the task.
* The timing of verification depends on the technology employed in the accounting system and the task under review.

IT Controls
a. Application Controls: to ensure the validity, completeness, and accuracy of financial transactions; application-specific
Examples:
• A cash disbursements batch balancing routine that verifies that the total payment to vendors reconciles with the total postings to the accounts payable subsidiary ledger.
• An accounts receivable check digit procedure that validates customer account numbers on sales transactions.
• A payroll system limit check that identifies and flags employee timecard records with reported hours worked in excess of the predetermined normal limit.
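The three application controls listed above, implemented as an added example that is not part of the lecture notes; it also shows where each sits in the PDC model. The check-digit scheme (Luhn, mod 10), the 40-hour payroll limit and all sample data are assumptions, since the notes name none of them.

```python
# Added example, not from the lecture notes: the three application controls the notes
# list, run over constructed sample data. The check-digit scheme (Luhn, mod 10) and the
# 40-hour payroll limit are assumptions; the notes name neither.
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    vendor: str
    amount: float  # cash disbursement that should also be posted to the AP subsidiary ledger

def batch_balances(payments, ap_postings):
    """Batch balancing (detective): total disbursed must equal total posted to the
    AP subsidiary ledger. Returns (balanced, difference)."""
    disbursed = round(sum(p.amount for p in payments), 2)
    posted = round(sum(ap_postings.values()), 2)
    return disbursed == posted, round(disbursed - posted, 2)

def check_digit_valid(account_number: str) -> bool:
    """Check-digit validation (preventive) of a customer account number, assumed Luhn/mod 10:
    a single mis-keyed digit and most adjacent transpositions fail the mod-10 test."""
    if not account_number.isdigit() or len(account_number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(account_number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def over_limit(timecards, limit_hours=40.0):
    """Limit check (detective): flag timecard records whose hours exceed the normal limit."""
    return [(emp, hrs) for emp, hrs in timecards if hrs > limit_hours]

# Constructed sample data
PAYMENTS = [Payment("Acme Supply", 1200.00), Payment("Bolt Co", 345.50)]
AP_POSTINGS = {"Acme Supply": 1200.00, "Bolt Co": 354.50}  # 345.50 keyed as 354.50
ACCOUNTS = ["79927398713", "79927398710"]  # valid Luhn number, then last digit altered
TIMECARDS = [("E100", 38.0), ("E101", 52.5), ("E102", 40.0)]

if __name__ == "__main__":
    print(batch_balances(PAYMENTS, AP_POSTINGS))        # (False, -9.0)
    print([check_digit_valid(a) for a in ACCOUNTS])    # [True, False]
    print(over_limit(TIMECARDS))                        # [('E101', 52.5)]
```

Each hit is a detected error only; the corrective step (re-keying the posting, rejecting the order, querying the timecard) is a separate control step, as the PDC section says.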
b. General Controls: not application-specific but, rather, apply to all systems
- other names are General Computer Controls and Information Technology Controls
- general controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.