
c. Based upon the case facts, do you agree with the auditors’ statement regarding their inability to detect frauds involving collusion between client management and outsider parties?

CHAPTER 8
INTERNAL CONTROL AND COSO FRAMEWORK

STANDARDS REFERENCED IN THIS CHAPTER
CAS 315 – Identifying and assessing the risks of material misstatement through understanding the entity and its environment

As highlighted in Chapter 6, part of understanding the entity and the environment is understanding the entity’s internal control. In this chapter, we revisit that part of the audit process, planning the audit, and we discuss the components of internal control, based upon the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, which will assist the auditor in developing that understanding of the client’s internal control.

LEARNING OBJECTIVES
After studying this chapter, you should be able to:
1 Describe the four primary objectives of effective internal control.
2 Contrast management’s responsibilities for maintaining controls with the auditor’s
responsibilities for evaluating and reporting on internal control.
3 Explain the five components of the COSO internal control framework and the 17
principles of effective control.
4 Understand the important risks and controls in small businesses.

Rogue Trader Circumvents Controls Causing $7 Billion in Losses

The size of the trading losses at French bank Société Générale was staggering. Jérôme Kerviel, a junior trader with a modest base salary of around $70 000, had gambled more than the bank’s entire net worth in high-risk bets involving unauthorized trades related to European stock index funds.
Kerviel’s role was to make trades that bet whether European stock markets would rise or fall. Each
bet was supposed to be offset by a trade in the opposite direction to keep risk at a minimum, with
the bank making profit or loss based on the difference between the parallel bets. However, within
months of joining the trading desk, he began placing his bets all in one direction, rather than
hedging the trades as he was expected to do. One bet paid off handsomely after an attack on the
London transport system sent European markets into a dive. “Bingo, 500 000 euros,” Kerviel said
in an interview with investigators. This success led him to make even bolder bets.
Société Générale played up its use of computer systems to ward off risk. The bank’s equity-
derivatives unit had not experienced a major incident in 15 years. “We didn’t think it was possible,”
said one Société Générale executive discussing the losses. Unfortunately, Kerviel knew how to
mask his trades to avoid detection. He disguised his positions with fake trades, creating the
illusion that his positions were hedged.

Keeping his trades hidden required constant vigilance. Kerviel needed to continue to delete
and re-enter fake trades to avoid detection. As a result, he regularly skipped holidays and rarely
took vacation. “It is one of the rules of controls: a trader who doesn’t take holidays is a trader who
doesn’t want his books to be seen by others,” Kerviel stated to investigators.
Finally, a fictitious trade made in the name of a German brokerage house triggered an alarm in
Société Générale’s systems. Under repeated questioning, Kerviel revealed that his bets had over
50 billion euros at risk for the bank. By the time the French bank unwound the bets, it had lost
4.9 billion euros (US$7.4 billion), nearly destroying the 145-year-old bank.
At Kerviel’s June 2010 trial, one of the bank’s former executives admitted that the bank failed
by creating an environment where there was “too much trust.” And, his former boss commented, “If
you’re not looking for anything, you don’t find anything.”

Sources: Adapted from Nicola Clark and Katrin Behnhold, “A Société Générale trader remains a mystery as his criminal
trial ends,” The New York Times, June 25, 2010. David Gauthier-Villars and Carrick Mollenkamp, “Portrait emerges of
rogue trader at French bank,” The Wall Street Journal, February 2–3, 2008, p. A1.

The vignette involving Société Générale demonstrates how deficiencies in internal control can cause significant losses resulting in material misstatements in financial statements. Financial reporting problems of companies such as Enron and Nortel also exposed serious deficiencies in internal control. To address these concerns, Section 404 of the Sarbanes-Oxley Act in the United States requires auditors of public companies to assess and report on the effectiveness of internal control over financial reporting, in addition to their report on the audit of financial statements. In Canada, although public company management must attest to the quality of the company’s internal controls, auditors are not required to provide assurance.
In this chapter and the next, we continue our discussion of planning the audit by
focusing on the role of internal controls. As highlighted in Figure 6-3, part of under-
standing the entity and its environment is an understanding of internal controls. In
this chapter we discuss the primary objectives of internal controls and explain man-
agement’s and the auditors’ responsibilities for internal controls. We then discuss an
internal control framework (COSO), which management and auditors use to assess
the design of internal controls and the effectiveness of those controls. In the next
chapter, we will discuss how auditors gather information to obtain an understanding
of internal control design and operation, which forms the basis for the preliminary
control risk assessment. The auditor then uses this preliminary assessment to plan
the audit.

INTERNAL CONTROL OBJECTIVES

LO 1 Describe the four primary objectives of effective internal control.

Internal control—the policies and procedures instituted and maintained by the management of an entity in order to provide reasonable assurance that management’s objectives are met.

A system of internal control consists of policies and procedures designed and implemented by management to mitigate risk and to provide reasonable assurance that the company can achieve its objectives and goals. These policies and procedures are often called controls, and collectively, they make up the entity’s internal control. When thinking about control, one quickly realizes that risk and control are virtually inseparable. Management must first identify and assess the risks and then manage and mitigate those risks by the implementation of a strong system of internal control.
Management designs systems of internal control to accomplish the following four broad objectives:
1. Strategic, high-level goals that support the mission of the entity.
2. Reliability of financial reporting.
3. Efficiency and effectiveness of operations.
4. Compliance with laws and regulations.



While this may sound rather technical, let’s think about management of your
personal internal control system.
• Do you review your credit card statements? If you do, that’s an internal control
to manage two types of risks—to ensure the accuracy of the transactions as well
as to detect fraudulent activities on the account statement.
• When you came to school today, did you lock the doors to your house? If you
did, that’s your “internal control” to safeguard your assets.
• Do you keep the PIN for your debit card in a place separate from the card? If you do, that’s an internal control to reduce the risk of your funds being stolen.
• Do you plan the possible shortest route to complete errands? That is a control
to promote efficiency and reduce the risk of wasting an important resource—
your time.
• Do you file your annual personal income tax returns on time? If you do, you are
in compliance with federal tax laws and reducing the risk of incurring fines and
penalties or missing a potential tax refund.

THE RESPONSIBILITIES OF MANAGEMENT AND THE AUDITOR

LO 2 Contrast management’s responsibilities for maintaining controls with the auditor’s responsibilities for evaluating and reporting on internal control.

Collusion—a cooperative effort among employees or management to defraud a business of cash, inventory, or other assets.

Management and the auditor have different responsibilities for internal controls. Management, not the auditor, must establish and maintain the entity’s internal controls. Also, in the case of public companies, management is required to publicly report on the operating effectiveness of internal controls over financial reporting. In the United States, auditors of large public companies are required to provide an audit opinion on management’s report of the effectiveness of internal controls over financial reporting. However, auditors of companies solely listed on Canadian securities exchanges are not required to issue an audit report on the operating effectiveness of internal controls. Two key concepts underlie management’s design and implementation of controls—reasonable assurance and inherent limitations.

Reasonable Assurance
A company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated. Management develops internal controls after considering both the costs and benefits of the controls. Reasonable assurance is a high level of assurance that allows only a low likelihood that material misstatements will not be prevented or detected on a timely basis by internal control.

Inherent Limitations
Internal controls cannot be regarded as completely effective, regardless of the care followed in their design and implementation. Even if systems personnel could develop, design, and program an ideal system, the effectiveness of the system would also depend on the competence and dependability of the people using it. For example, assume that a procedure for counting inventory is carefully developed and requires two employees to count independently. If neither of the employees understands the instructions or if both are careless in doing the counts, the count of inventory is likely to be incorrect. Even if the count is right, management might override the procedure and instruct an employee to increase the count of quantities in order to improve reported earnings. Similarly, the employees might decide to overstate the counts intentionally to cover up a theft of inventory by one or both of them. This collaborative effort among employees to defraud is called collusion.
Management’s Reporting Responsibilities
For public companies in Canada, management is required to publicly report on the
operating effectiveness of those controls. The internal control framework used by
most public companies is the Committee of Sponsoring Organizations of the Tread-
way Commission (COSO) Internal Control—Integrated Framework. The COSO
framework is the internal control equivalent to generally accepted accounting principles (GAAP). In other words, it is the framework that is used to assess the effectiveness of internal control over financial reporting. Management’s assessment of
internal control over financial reporting consists of two key aspects. First,
management must evaluate the design of internal control over financial reporting.
Second, management must test the operating effectiveness of those controls.

Auditor’s Responsibilities
Auditors are responsible for understanding the entity’s internal controls where they
are relevant to the audit, in order to achieve the auditors’ objective of identifying
the risks of material misstatement at the financial statement and assertion level.
Obtaining this understanding of internal control applies to all audits, even when
an auditor does not intend to place reliance on internal controls.

Relevant Controls Given that management’s internal control objectives encompass more than financial reporting, not all controls are relevant to the audit.
Typically those controls related to reliability of financial reporting are relevant.
Operational controls, such as manufacturing quality control and employee
compliance with health and safety guidelines, would not normally be relevant to
the audit, except where the information produced is used to develop analytical
procedures or the information is required for disclosure in the financial statements.
For example, if the auditor is using production statistics as a basis for an
analytical procedure, the controls over the accuracy of the data would be relevant
(because the auditor is relying upon this information to develop the expectations
for the analytical procedure).
Auditors are also concerned with a client’s controls over the safeguarding of
assets and compliance with applicable laws and regulations if they have a mat-
erial effect on the financial statements. Controls affecting internal management
information, such as budgets and internal performance reports, can also be rele-
vant if the management information is used to develop expectations for analytical
procedures.

Entity-Level Controls and Transaction Controls When assessing control risk, auditors are concerned with both entity-level and transaction controls. Entity-level controls are those controls that are pervasive in nature and do not address particular transaction cycles but may prevent or detect and correct misstatements in several cycles. As you may recall from Chapter 4, they contribute to “tone at the top” and establish expectations in the control environment. Unlike transaction controls (which we discuss next), they are often less tangible but they form the foundation on which other internal controls are built. Entity-level controls—such as controls over management override, period-end reporting, hiring competent staff, and fraud-risk controls—have an impact on all other control processes. If these entity-level controls are weak or unreliable, the best designed transaction controls will not be effective in preventing key risks such as management override.

Entity-level controls—controls that are implemented for multiple transaction cycles or for the entire organization.

Transaction controls—controls that are implemented for specific transaction risks and are designed to specifically prevent or detect and correct misstatements in classes of transactions, account balances, or disclosures and their related assertions.

Unlike entity-level controls, transaction controls are specific controls designed to prevent or detect and correct misstatements in classes of transactions, account balances, or disclosures and their related assertions. The accuracy of the results of the accounting system (the account balances) is heavily dependent upon the accuracy of the inputs and processing (the transactions). For example, if products sold, units shipped, or unit-selling prices are incorrectly billed to customers for sales, both sales and accounts receivable will be misstated. If controls are adequate to ensure that billings, cash receipts, sales returns and allowances, and charge-offs are correct, the ending balance in accounts receivable is likely to be correct.

When understanding internal control and assessing control risk for a relevant cycle or segment, auditors are primarily focused on risk at the assertion level and are therefore concerned with the transaction-related audit objectives and assertions, discussed in Chapter 4. However, the auditor must also gain an understanding of controls over ending balances and presentation and disclosure. For example, transaction-related audit objectives typically have no effect on two balance-related objectives: valuation, and rights and obligations. That is because these assertions are not related to the processing of transactions. Similarly, controls regarding information included in the financial statement notes often do not come directly from the accounting system but rely upon management identification. Relevant controls in those instances could include approval and review by the audit committee or the board.

Transaction-related audit objectives and assertions—five audit objectives that must be met before the auditor can conclude that the total for any given class of transactions is fairly stated; the assertions are occurrence, completeness, accuracy, cutoff, and classification.

COSO COMPONENTS OF INTERNAL CONTROL

LO 3 Explain the five components of the COSO internal control framework and the 17 principles of effective control.

Internal control as defined by CAS 315 encompasses five components:
1. Control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring.
These components, based upon COSO’s Internal Control—Integrated Framework, are summarized in Figure 8-1. This framework serves as a useful guide for management in designing its control system and for auditors in developing their understanding of the entity’s internal control system and, ultimately, in assessing the effectiveness of controls and determining control risk.
The COSO framework includes 17 broad principles for effective control of components, as well as “points of focus” to provide greater understanding of each principle. We highlight some of those points when discussing the various principles. The COSO principles apply across all types of entities. The five components with the 17 principles are summarized in Table 8-1.

Figure 8-1 Five Components of Internal Control
[Figure: the five components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) shown around the starting point “Specify financial reporting objectives”.]
Table 8-1 COSO Components of Internal Control and Principles for Effective Control

Internal Control Component: Control environment
Description of Component: The set of standards, processes, and structures that provide the basis for internal control across the entity. The board of directors and management establish the overall tone regarding internal control and its importance. The control environment has a pervasive impact on the overall system of control.
Principles for Effective Control:
1. Demonstrate commitment to integrity and ethical values.
2. Board of directors demonstrates independence from management and exercises oversight responsibility.
3. Management, with board oversight, establishes structure, authority, and responsibility.
4. The organization demonstrates commitment to competence.
5. The organization establishes and enforces accountability.

Internal Control Component: Risk assessment
Description of Component: The process of identification and analysis of risks relevant to the preparation of financial statements in conformity with an applicable financial reporting framework.
Principles for Effective Control:
6. Specifies relevant objectives with sufficient clarity to enable identification of risks.
7. Identifies and assesses risks.
8. Considers the potential for fraud in assessing risk.
9. Identifies and assesses significant changes that could impact internal control.

Internal Control Component: Control activities
Description of Component: Actions established by policies and procedures to help ensure that management’s directives to mitigate risks to achieve its objectives are met. Control activities are performed at all levels of the entity.
Principles for Effective Control:
10. Selects and develops control activities.
11. Selects and develops general controls over technology.
12. Deploys policies and procedures.

Internal Control Component: Information and communication
Description of Component: Information is necessary to carry out internal control responsibilities. Communication is the continued, iterative process of providing, sharing, and obtaining necessary information to design, implement, and conduct internal control and to assess its effectiveness.
Principles for Effective Control:
13. Obtains or generates relevant, quality information.
14. Communicates internally.
15. Communicates externally.

Internal Control Component: Monitoring
Description of Component: The activities used to ascertain whether the five components of internal control to address the principles are present and functioning.
Principles for Effective Control:
16. Selects, develops, and performs ongoing and separate evaluations.
17. Evaluates and communicates deficiencies.

Control Environment

Control environment—the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about control and its importance to the entity.

The control environment is the foundation of effective internal control. It addresses governance and management functions, as well as the attitudes, awareness, and actions of those charged with governance and management concerning internal control and its importance. Controls at this level are generally pervasive in nature. Although they will not directly prevent or detect and correct a material misstatement, they provide the discipline and structure for all other components. If top management believes control is important, others in the organization will sense that and respond by conscientiously observing the policies and procedures established. However, if it is clear to members of the organization that control is not an important concern to top management and is given “lip service” rather than meaningful support, it is almost certain that control objectives will not be effectively achieved. Or, as in the case of Société Générale (in our opening vignette), if management fails in its monitoring role by placing too much trust in the system or the people operating the controls, then the risk for fraud and error is high.
CONCEPT CHECK
C8-1 Which of the five categories of COSO internal controls is most important? Justify your response.
C8-2 What are entity-level controls and why are they so important?
AUDITING IN ACTION 8-1
Material Weaknesses at Penn West Petroleum—The Importance of Corporate Culture

In 2014, Penn West Petroleum, one of the largest conventional oil and natural gas producers in Canada, announced the results of an independent internal review conducted by forensic accountants hired by the audit committee, which arose from certain accounting practices that came to the attention of the new CFO (chief financial officer). In determining why the accounting practices were undetected, the audit committee identified the following material weaknesses in the internal control over financial reporting:
• Control environment. Management concluded that the former senior accounting management did not adequately establish and enforce a strong culture of compliance and controls. There was a lack of awareness or unwillingness of some staff with knowledge of improper practices to use the company’s whistleblowing hotline or to take other actions that could have brought to light the improper accounting practices much sooner. Management concluded that this material weakness was a factor that contributed to the other weaknesses that were discovered.
• Lack of appropriate review of journal entries. The company had journal entry policies requiring that the person creating an entry be unable to approve the entry and that each entry include appropriate documentation; however, those policies were not followed.
• Management override. Senior accounting management overrode the company’s accounting processes and recorded incorrect amounts in the financial statements.
Lynn Turner, former chief accountant of the SEC, in commenting on the weaknesses, noted: “It reflects very poorly on the governance of the company, the integrity of management, and on the ability of the company itself to generate reliable data on which to base investment decisions.”
As a result of these material weaknesses, the company had to restate the first quarter of 2014, along with the 2013 and 2012 audited consolidated financial statements. The restatement did not mean “The sky is falling”—the company was onside with all of its debt covenants, its borrowing base had not been affected, and neither had the value of its reserves changed. Further, the senior accounting personnel responsible for the misstatements were no longer with the company and Penn West had taken several remedial actions to rectify the material weaknesses. However, the inappropriate adjustments boosted cash flow and netbacks (a measure of profitability per barrel of oil), two key metrics that influence stock price.
Following the announcement of the restatements, the share price dropped significantly and several class action lawsuits were filed. In the end, Penn West and the investors settled on a $53 million payout.

Sources: Claudia Cattaneo, “Rocked by accounting scandal, Penn West has now turned the corner, CEO says,” Financial Post, November 2014. Penn West press release, CNW Newswire, September 18, 2014, accessed April 6, 2015, at http://business.financialpost.com/commodities/energy/rocked-by-accounting-scandal-penn-west-has-now-turned-the-corner-ceo-says. Daniel Healing, “Settlement revealed to be $53 million in Penn West accounting scandal,” Calgary Herald, February 17, 2016. David Milstead, “Penn West, WorldCom: The warning signs we may have missed,” The Globe and Mail, August 8, 2014. Crystal Schlick, “Yedlin: Penn West tries to move forward with release of audit,” Calgary Herald, September 27, 2014.

Principle 1: Demonstrate Commitment to Integrity and Ethical Values The organization’s commitment to integrity and ethical values is demonstrated through the tone set by management and the board of directors. Management and those in charge of governance, through their activities, provide clear signals to employees about what is important. For example, are profit plans and budget data set as “best possible” plans or “most likely” targets? Can management be described as “fat and bureaucratic,” “lean and mean,” “dominated by one or a few individuals,” or “just right”? Does management have a poor attitude toward financial reporting and use aggressive accounting to ensure budgets and goals are met? Understanding these and similar aspects of management’s philosophy and operating style gives the auditor a sense of its commitment to integrity and ethical values. As highlighted in Auditing in Action 8-1, poor corporate culture or “tone at the top” is often the underlying cause of all other internal control deficiencies.
The organization should have standards that guide its behaviour and a process
to communicate those standards of conduct throughout the organization, including
external partners and outsourced service providers. If there is a code of ethics, does
it establish what is right and wrong? The organization should also have in place a
process to evaluate the performance of individuals and teams against those standards
of conduct. In addition, the organization should address any deviations in an appro-
priate and timely manner, and periodically review trends and root causes to
determine whether policies should be modified, or if training and controls are
necessary.
Principle 2: Board of Directors Exercises Oversight Responsibility An effective board
of directors has the appropriate background and expertise, the outside directors are
independent of management, and its members are involved in and scrutinize man-
agement’s activities. To assist the board in its oversight responsibilities for financial
reporting and internal control, the board creates an audit committee. The major
exchanges (TSX, NYSE, AMEX, and NASDAQ) require that listed companies have
an audit committee composed entirely of independent directors who are financially
literate, and at least one member of the committee must have financial expertise.
The audit committee considers the potential for management override of inter-
nal controls and oversees management’s fraud-risk assessment process, as well as
antifraud programs and controls. The audit committee is also responsible for main-
taining ongoing communication with both external and internal auditors. This
allows the auditors and directors to discuss matters that might relate to such things
as the integrity or actions of management. In addition to those responsibilities, the
audit committee of public companies approves audit and non-audit services done
by auditors. The audit committee approval provides a safeguard to potential threats
to auditor independence.
The audit committee’s independence from management and knowledge of financial reporting issues are important determinants of its ability to effectively evaluate internal controls and financial statements prepared by management. In addition, open lines of communication with the entity’s external and internal auditors enhance audit committee effectiveness.
Many privately held companies also create an effective audit committee. For
other privately held companies, governance may be provided by owners, partners,
trustees, or a committee of management, such as a finance or budget committee.
Individuals responsible for overseeing the strategic direction of the entity and the
accountability of the entity, including financial reporting and disclosure, are called
those charged with governance by auditing standards.
Principle 3: Management Establishes Structure, Authority, and Responsibility A well-controlled entity has an organizational structure appropriate for its size and operating activities, and one that clearly defines the lines of responsibilities and authority. Some key questions the auditors should address include the following:
• Are there adequate policies and procedures for authorization and approval of
transactions?
• Is there appropriate structure for assigning ownership of data, including who is
authorized to initiate and/or change transactions? Is ownership assigned to each
application and database?
• Is there appropriate segregation of incompatible activities both physically and
through access to IT infrastructure?
• Are outsourced service providers’ authority and responsibility limited by the organization’s guidelines?
• Are there appropriate policies for accepting new business, conflicts of business,
and security practices?
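The journal-entry policy from the Penn West case (the person creating an entry may not approve it, and every entry must carry supporting documentation) and the segregation-of-duties question in Principle 3 (incompatible activities separated through access to IT infrastructure) can both be expressed as checks run over data from the accounting system. The following Python script is an added illustration; it is not code from this textbook or from any company discussed in it. It assumes a hypothetical export of journal entries and a hypothetical map of user rights in the general ledger application, both constructed here as sample data. It shows a preventive check (which users hold both the create and the approve right) alongside detective checks on posted entries (self-approval, entries never approved, missing documentation, and entries created or approved by a user who lacks the corresponding right).

```python
"""Maker-checker (segregation-of-duties) checks over journal entries.

Added illustrative example, not code from the textbook or from any company it
discusses. The journal-entry export and the access-rights map are hypothetical,
constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    created_by: str
    approved_by: Optional[str]  # None means the entry was posted without approval
    amount: float
    has_support: bool           # True if supporting documentation is attached


# Constructed sample: which users hold which rights in the GL application.
# "carol" holds both rights, which is the incompatible combination.
ACCESS_RIGHTS = {
    "alice": {"create"},
    "bob": {"approve"},
    "carol": {"create", "approve"},
    "dave": {"approve"},
}

# Constructed sample journal entries (hypothetical data).
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", "alice", "bob", 12_500.00, True),     # clean entry
    JournalEntry("JE-002", "carol", "carol", 480_000.00, True),  # self-approved
    JournalEntry("JE-003", "alice", None, 9_900.00, True),       # never approved
    JournalEntry("JE-004", "alice", "dave", 75_000.00, False),   # no documentation
    JournalEntry("JE-005", "bob", "dave", 3_000.00, True),       # creator lacks create right
]


def access_conflicts(rights):
    """Preventive check: users whose rights let them both create and approve."""
    return sorted(user for user, held in rights.items() if {"create", "approve"} <= held)


def entry_findings(entry, rights):
    """Detective checks on one posted entry; returns a list of finding codes."""
    findings = []
    if entry.approved_by is None:
        findings.append("UNAPPROVED")
    elif entry.approved_by == entry.created_by:
        findings.append("SELF_APPROVED")
    if not entry.has_support:
        findings.append("NO_DOCUMENTATION")
    if "create" not in rights.get(entry.created_by, set()):
        findings.append("CREATOR_NOT_AUTHORIZED")
    if entry.approved_by is not None and "approve" not in rights.get(entry.approved_by, set()):
        findings.append("APPROVER_NOT_AUTHORIZED")
    return findings


def review_ledger(entries, rights):
    """Run the detective checks over every entry.

    Returns (report, summary): report maps entry_id -> findings for entries
    with at least one finding; summary counts how often each code occurred.
    """
    report = {e.entry_id: entry_findings(e, rights) for e in entries}
    report = {entry_id: codes for entry_id, codes in report.items() if codes}
    summary = Counter(code for codes in report.values() for code in codes)
    return report, summary


if __name__ == "__main__":
    print("Users holding incompatible rights:", access_conflicts(ACCESS_RIGHTS))
    report, summary = review_ledger(SAMPLE_ENTRIES, ACCESS_RIGHTS)
    for entry_id, codes in report.items():
        print(entry_id, ", ".join(codes))
    print("Summary:", dict(summary))
```

Run on the constructed data, the script reports carol as holding incompatible rights and flags JE-002 through JE-005, while the clean entry JE-001 produces no finding. In practice the entry export would come from the ledger application’s audit trail and the rights map from its user-administration module, and the preventive check is the one that stops a conflict before any entry is posted.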
Principle 4: Commitment to Competence The most important aspect of any system
of controls is personnel. If employees are competent and trustworthy, other controls
can be absent, and reliable financial statements will still result. However,
incompetent or dishonest people can have the opposite effect regardless of the
number of controls present. Relevant standards for hiring, training, motivating, evaluating, promoting, compensating, transferring, and terminating employment of personnel are key indicators of the effectiveness of this principle. Another important consideration is management’s commitment to providing sufficient accounting and financial personnel to keep pace with the growth and/or complexity of the business.
Principle 5: Organization Establishes and Enforces Accountability A well-controlled
organization should have a structure and tone at the top that establishes and enforces
individual accountability for internal control. Appropriate accountability mechanisms
would include performance measures, incentives, and rewards. Some key questions
auditors should address include the following:
• Does management set realistic financial targets and expectations for operations
personnel?
• Do the board and management act to reduce or remove incentives or temptations
that might prompt employees to engage in dishonest, illegal, or unethical acts?

Risk Assessment

Risk assessment—management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with an applicable financial reporting framework.

Risk assessment involves a process for identifying and analyzing risks that might prevent the organization from achieving its objectives. There are four underlying principles related to risk assessment: the organization should have clear objectives in order to be able to identify and assess the risks relating to its objectives; it should determine how the risks should be managed; the organization should consider the potential for fraudulent behaviour; and it should monitor changes that could impact internal controls. Specific risks related to information technology (IT) should be considered, as these risks can lead to substantial losses. If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors.
Risk assessment specifically related to financial reporting involves management’s
identification and analysis of risks relevant to the preparation of financial statements
in conformity with an applicable financial reporting framework. For example, if a
company frequently sells products at a price below inventory cost because of rapid
technology changes, it is essential for the company to incorporate adequate controls
to address the risk of overstating inventory. Once management identifies a risk, it
estimates the significance of that risk, assesses the likelihood of the risk occurring,
and develops specific actions that need to be taken to reduce the risk to an
acceptable level.
Management’s risk assessment differs from but is closely related to the auditor’s
risk assessment discussed in Chapter 7. While management assesses risks as a part of
designing and operating internal controls to minimize errors and fraud, auditors
assess risks to decide the evidence needed in the audit. If management effectively
assesses and responds to risks, the auditor will typically choose to accumulate less
evidence than when management fails to identify or respond to significant risks.

Principle 6: Organization Specifies Relevant Objectives In order to ensure that
the organization meets its objective of reliable external financial reporting, manage-
ment should consider whether its reporting objectives are consistent with the
relevant financial reporting framework and appropriate in the circumstances.
Management should also establish a materiality threshold for the purpose of
identifying significant accounts; this threshold should take into consideration risks at
all locations. The organization's accounting policies, procedures, and processes
should ensure that the financial statements reflect the transactions and events that
underlie them.
Principle 7: Identifies and Assesses Risks The organization should consider
both external and internal risks to the achievement of financial reporting
objectives. A risk assessment process would normally address such matters as the
following: changes in the operating environment; new or revamped information
systems; rapid growth; new business models, products, or activities; corporate
restructuring; expanded foreign operations; and new accounting pronouncements.
The risk identification process should involve the appropriate levels of management
with the necessary expertise. For example, the accounting department should be
made aware of changes in the operating environment so that it can consider the
impact on accounting policies.
Principle 8: Considers the Potential for Fraud in Assessing Risk As part of the
risk assessment process, the organization considers risks related to financial
reporting, management override, misappropriation of assets, and corruption. This
assessment should include an evaluation of incentives and pressures, opportunities,
attitudes, and rationalizations to commit fraud. The results of the fraud-risk
assessment should be discussed with the audit committee.
The assessment should consider the various ways that financial reporting fraud
could occur. Such factors could include:
• Management bias in selection of accounting policies;
• Degree of estimates and judgments in external reporting;
• Fraud schemes and scenarios common to the industry in which the
organization operates;
• Geographic regions;
• Incentives that may motivate fraudulent behaviour;
• Nature of technology and management’s ability to manipulate information;
• Unusual or complex transactions subject to significant management influence; and
• Vulnerability to management override and potential schemes to circumvent controls.
Table 8-2 presents some control features and describes how they could reduce
fraud risks.
Principle 9: Identifies and Assesses Significant Changes Change creates risk;
therefore, management should implement processes that enable it to identify and
evaluate changes in the external and internal environment that could significantly impact
the system of internal control. When change occurs, such as the introduction of a
new business model or even a change in accounting framework (say, from ASPE to
IFRS), existing controls may no longer be effective. In addition to changes in
business models and accounting frameworks, changes in management can have a
significant impact. The auditor should ask, "Does the organization have processes to
consider changes in management and their respective attitudes and philosophies?"

Control Activities
Control activities—policies and procedures that help ensure the necessary actions to
address risks in the achievement of the entity's objectives.
Control activities are the actions established by the policies and procedures to help
ensure that management directives to mitigate risks are carried out. Control activities
are performed at all levels of the entity, at various stages within business processes,
and over the technology environment. The three principles applicable to the
control activities component are:
1. The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.
2. The organization selects and develops general control activities over technology
to support the achievement of objectives.
3. The organization deploys control activities through policies that establish what is
expected and in procedures that put policies into action.

Table 8-2 Control Features That Could Reduce Fraud Risks

Control feature: Management and board promotion of a culture of honesty and high
ethics through implementation of programs and controls that are based on core values
How it could reduce fraud risks: Creates an environment that reinforces acceptable
behaviour and expectations of each employee

Control feature: Audit committee oversight of management and internal auditors
How it could reduce fraud risks: Assists in creating an effective "tone at the top" by
reinforcing zero tolerance for fraud; serves as a deterrent for management fraud by
having a direct reporting relationship with internal and external auditors

Control feature: Specific management responsibilities for managing risks of fraud
How it could reduce fraud risks: Reduces perceived opportunities to commit and conceal
fraud; improves internal controls by actively considering risks and implementing
controls to mitigate the risks

Control feature: Articulated and effective fraud-risk management process
How it could reduce fraud risks: Results in clear matching of controls to risks, and keeps
risk assessments, controls, and monitoring processes current

Control feature: Effective general and application control activities that address
specific risks of fraud, such as segregation of duties, passwords, and user access
rights that limit functions to those needed to complete their jobs, and monitoring of
exceptions such as unusual traffic on networks
How it could reduce fraud risks: Prevents unauthorized access to assets; helps to detect
potential unauthorized access to assets

Manual controls—application controls done by people.
Automated controls—application controls done by computer.
Control activities may be manual or automated. The effectiveness of manual
controls depends on both the competence of the people performing the controls and
the care they exercise when doing them. For example, when credit department personnel
review exception reports that identify credit sales exceeding a customer's authorized
credit limit, the auditor may need to evaluate the person's ability to make the
assessment and test the accuracy of the exception report. When controls are enacted by
computers, they are called automated controls. These controls are performed on the
data within the IT application and have embedded checks on data validity, accuracy,
and completeness of processing. Because of the nature of computer processing,
automated controls, if properly designed, lead to consistent operation of the controls.

Principle 10: Selects and Develops Control Activities Since an organization
develops control activities that are specifically designed to mitigate the risks for that
particular organization, control activities will vary among organizations. However,
the organization should have in place a process that maps controls to address each
risk related to the relevant financial statement assertion. Some key points to consider
when determining if all risks are addressed:
• Are all relevant business processes, information technology, and locations where
control activities are needed (including outsourced service providers and other
business partners) considered?
• Are control activities related to the integrity of information sent to and received
from outsourced service providers considered?
• Are the controls performed by outsourced service providers adequate?

Preventive controls—controls designed to avoid errors or irregularities.
Detective controls—controls that identify errors or irregularities after they have
occurred so corrective action can be taken.
Business process—the set of manual and/or computerized procedures that collect,
record, and process data and report the resulting output; also known as an
"application system."
Transaction (or Application) Controls Transaction or application controls are
control activities implemented to mitigate transaction processing risk for specific
business processes, such as the processing of sales or cash receipts. The control
activities should be a combination of preventive and detective controls.
Preventive controls are designed to stop errors or fraud from occurring (e.g.,
supervisor review of journal entry/purchase order or automated input edit controls).
Detective controls identify errors or irregularities after they have occurred so
corrective action can be taken (e.g., reconciliations, validation of results). The controls
can be input controls that ensure the completeness, accuracy, and validity of the
reference data used in the processing (e.g., master price file), processing controls that
prevent and detect errors while transactions are being processed, and output controls
that focus on detecting errors after processing (e.g., reconciliations and review
controls). In general, preventive controls are considered to be more effective than
detective controls. A business process is a structured set of activities designed to
produce specified output. An individual business process, also called an application
system, can have different types of control activities. An example of a business
process or application system would be a sales system, which processes sales
transactions initiated by media such as the internet, telephone, or a purchase order
form received in the mail. The sales system should have a range and variety of
detective and preventive controls, including manual control activities (such as
requiring that large sales be approved by the sales manager), computer-assisted
control activities (such as requiring credit manager review of a credit exception report
prior to releasing orders for processing), or fully automated control activities (such as
having the information system calculate sales taxes due on the sale).
Figure 8-2 Control Activities Overseeing Business Processes
[Illustration showing five control activities: Authorization ("STOP! Without
authorization you can't proceed."); Documentation (handshake deal vs. documented
deal); Physical Controls over Assets and Records; Segregation of Duties (one person
prepares the bank deposit documentation, another takes the money to the bank);
Review ("Are there any errors?").]
Typical control activities of the business processes, as illustrated in Figure 8-2,
would include:
1. Proper authorization of transactions and activities.
2. Adequate documents and records.
3. Physical and logical control over assets and records.
4. Adequate segregation of duties.
5. Independent checks of performance, recorded data, and actual results.

General authorization—companywide policies for the approval of all transactions
within stated limits.
Specific authorization—case-by-case approval of transactions not covered by
companywide policies.
Chart of accounts—a listing of all the entity's accounts that classifies transactions
into individual balance sheet and income statement accounts.

Proper Authorization of Transactions and Activities Every transaction should be
properly authorized if controls are to be satisfactory. Authorization encompasses more
than transactions; it also includes authorization of new programs and changes to
programs, since this affects the way that transactions are processed. Authorization can
be either general or specific. Under general authorization, management establishes
policies, and subordinates are instructed to implement these general authorizations by
approving all transactions within the limits set by the policy. General authorization
decisions include the issuance of fixed price lists for the sale of products, credit limits
for customers, and fixed reorder points for making acquisitions.
Specific authorization applies to individual transactions. For certain transactions,
management prefers to authorize each transaction. An example is the authorization
of a sales transaction by the sales manager for a used-car company.
The distinction between authorization and approval is also important. Authorization
is a policy decision for either a general class of transactions or specific transactions.
Approval is the implementation of management's general authorization decisions. An
example of a general authorization is management setting a policy authorizing the
ordering of inventory when less than a three-week supply is on hand. When a
department orders inventory, the clerk responsible for maintaining the perpetual
record approves the order to indicate that the authorization policy has been met. In
other cases, the computer approves the transactions by comparing quantities of
inventory on hand to a master file of reorder points and automatically submits
purchase orders to authorized suppliers in the vendor master file. In this case, the
computer is performing the approval function using preauthorized information
contained in the master files.

Adequate Documents and Records Documents and records are paper or electronic
files on which transactions are entered and summarized. They include such diverse
items as sales invoices, purchase orders, subsidiary records, sales journals, and
employee time cards.
Certain principles dictate the proper design and use of documents and records.
Documents should be:
• Prenumbered or automatically numbered consecutively to facilitate control over
missing records and to aid in locating records when they are needed at a later
date. Prenumbered documents and records are important for the completeness
assertion.
• Prepared at the time a transaction takes place, or as soon as possible thereafter, to
minimize timing errors (the cutoff assertion).
• Designed for multiple use, when possible, to minimize the number of different
forms. For example, a properly designed electronic shipping record can be the
basis for releasing goods from storage to the shipping department, informing
billing of the quantity of goods to bill to the customer and the appropriate billing
date, and updating the perpetual inventory records.
• Constructed in a manner that encourages correct preparation. This can be done
by providing internal checks within the form or record. For example, computer
screen prompts may force online data entry of critical information before the
record is electronically routed for authorizations and approvals. Similarly, screen
controls can validate the information entered, such as when an invalid general
ledger account number is automatically rejected because the account number
does not match the chart of accounts master file.
A control closely related to documents and records is the chart of accounts,
which classifies transactions into individual balance sheet and income statement
accounts. The chart of accounts is helpful in preventing classification errors if it
accurately describes which type of transactions should be in each account.

Physical Control Over Assets and Records If assets are left unprotected, they can
be stolen. If records are not adequately protected, they can be duplicated, stolen,
damaged, or lost. When a company is highly computerized, its computer equipment,
programs, and data files represent the records of the company that must be protected.
The most important type of protective measure for safeguarding physical assets and
records is the use of physical precautions. An example is the use of storerooms for
inventory to guard against theft. Fireproof safes and safety deposit vaults for the
protection of assets such as currency and securities are other important physical
safeguards. As with other types of assets, physical controls are used to protect the
computer facilities. Examples are locks on doors to the computer room and terminals,
adequate storage space for software and data files to protect them from loss, and
proper fire-extinguishing systems. Backup and recovery procedures—actions that an
organization can take in the event of a loss of equipment, programs, or data—are also
important. For example, having a backup copy of programs and critical data files
stored in a safe remote location together with information systems recovery
procedures is important for maintaining business continuity.
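The automated approval described under Proper Authorization of Transactions and Activities above, where the computer applies management's general authorization by comparing inventory on hand to a reorder-point master file and routes purchase orders only to suppliers in the vendor master file, as an added Python example that is not from the textbook. The item, usage and vendor data are constructed, and the three-week-supply rule and the handling of an unlisted vendor are the assumptions it makes:

```python
"""Automated approval of inventory reorders against preauthorized master files.

Added example (not the textbook's code). The program performs the approval
function only: it applies a policy management has already authorized and
never adds a vendor, quantity or item of its own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    item: str
    vendor_id: str
    quantity: int


# Constructed inventory master file. "weekly_usage" lets the program apply the
# general authorization: reorder when less than a three-week supply is on hand.
INVENTORY_MASTER = {
    "WIDGET-A": {"on_hand": 40,  "weekly_usage": 50, "reorder_qty": 500, "vendor_id": "V100"},
    "WIDGET-B": {"on_hand": 250, "weekly_usage": 40, "reorder_qty": 300, "vendor_id": "V100"},
    "GASKET-C": {"on_hand": 5,   "weekly_usage": 10, "reorder_qty": 200, "vendor_id": "V999"},
}

# Constructed vendor master file: only suppliers management has preauthorized.
# Under segregation of duties this file is maintained outside IT; the approval
# program only reads it.
VENDOR_MASTER = {"V100": "Acme Supply Ltd.", "V200": "Northern Parts Inc."}

WEEKS_OF_SUPPLY = 3  # assumed policy parameter, from the three-week rule in the text


def reorder_point(record):
    """Quantity representing three weeks of usage for one inventory record."""
    return WEEKS_OF_SUPPLY * record["weekly_usage"]


def approve_reorders(inventory, vendors):
    """Apply management's general authorization to every item in the inventory master.

    Returns (approved purchase orders, exceptions). An exception is anything the
    policy does not cover, which must go to a person for specific authorization.
    """
    approved, exceptions = [], []
    for item in sorted(inventory):
        record = inventory[item]
        if record["on_hand"] >= reorder_point(record):
            continue  # policy not triggered; nothing to approve
        vendor_id = record["vendor_id"]
        if vendor_id not in vendors:
            # The computer may only approve within the limits management set;
            # an unlisted supplier is outside those limits.
            exceptions.append((item, f"vendor {vendor_id} is not in the vendor master"))
            continue
        approved.append(PurchaseOrder(item, vendor_id, record["reorder_qty"]))
    return approved, exceptions


if __name__ == "__main__":
    orders, referred = approve_reorders(INVENTORY_MASTER, VENDOR_MASTER)
    for po in orders:
        print(f"approved: {po.quantity} x {po.item} from {VENDOR_MASTER[po.vendor_id]}")
    for item, reason in referred:
        print(f"referred for specific authorization: {item} ({reason})")
```

The point a reviewer would check is the one the chapter makes about master files: the program's decision is only as good as the reorder-point and vendor data it reads, so the ability to change those files is the control that matters, and it should sit with a department other than the one that writes and runs the program.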
Segregation of duties—segregation of the following activities in an organization:
custody of assets, recording/data entry, systems development/acquisition and
maintenance, computer operations, reconciliation, and authorization.
Adequate Segregation of Duties These controls can reduce the opportunities for a
person to be in a position to perpetrate and conceal a fraud. Naturally, the extent of
segregation of duties depends heavily on the size of the organization. In many small
companies, it is not practical to segregate the duties to the extent suggested. In these
cases, the auditor will likely choose to not rely upon internal controls.
Separation of Custody of Assets From Accounting The reason for not permitting
the person who has temporary or permanent custody of an asset to account for that
asset is to protect the firm against theft. Indirect access, such as access to cheque
signature images, also must be separate. When one person performs both custody and
accounting functions, there is an excessive risk of that person's disposing of or using
the asset for personal gain and adjusting the records to hide the theft or use. If the
cashier, for example, receives cash and is responsible for data entry of cash receipts
and sales, it is possible for the cashier to take the cash received from a customer and
adjust the customer's account by failing to record a sale or by recording a fictitious
credit to the account.
Separation of the Authorization of Transactions from the Custody of Related Assets
It is desirable to prevent persons who authorize transactions from having control over
the related assets, to reduce the likelihood of embezzlement. For example, the same
person should not authorize the payment of a vendor's invoice and also approve the
disbursement of funds to pay the bill.
Separation of Operational Responsibility From Record-Keeping Responsibility To
ensure unbiased information, record-keeping is typically included in a separate
accounting department under the controller. For example, if a department or division
oversees the creation of its own records and reports, it might change the results to
improve its reported performance. Similarly, in the case of accounting estimates,
there should be a segregation of duties between those committing the entity to the
underlying transactions and those responsible for making the accounting estimates.
Separation of Reconciliation From Data Entry Reconciliation involves comparing
information from two or more sources, or independently verifying the work that has
been completed by others. For example, preparation of a bank reconciliation by the
accounting manager independent of the accounts receivable or accounts payable
personnel would detect unauthorized use or disbursements of cash.
Separation of IT Duties from User Departments As the level of complexity of IT
systems increases, the separation of authorization, record keeping, and custody often
becomes blurred. For example, sales agents may enter customer orders online. The
computer authorizes those sales based on its comparison of customer credit limits to
the master file and posts all approved sales in the sales cycle journals. Therefore, the
computer plays a significant role in the authorization and record keeping of sales
transactions. To compensate for these potential overlaps of duties, it is important for
companies to separate major IT-related functions from key user department functions.
In this example, responsibility for designing and controlling accounting software
programs that contain the sales authorization and posting controls should be under
the authority of IT, whereas the ability to update information in the master file of
customer credit limits should reside in the company's credit department outside the IT
function.
Independent checks—internal control activities designed for the continuous internal
verification of other controls.
Independent Checks of Performance, Recorded Data, and Actual Results The need for
careful and continuous review of the other controls, often referred to as independent
checks on performance or internal verification, arises because internal control tends
to change over time unless there is a mechanism for frequent review. Computerized
accounting systems can be designed so that many internal verification procedures
can be automated as part of the system, such as separate addition of subsidiary files
for agreement with general ledger totals.
In the case of manual reviews, an essential characteristic of the persons performing
internal verification procedures is independence from the individuals originally
responsible for preparing the data. The least expensive means of internal verification
is the separation of duties in the manner previously discussed. For example, when the
bank reconciliation is performed by a person independent of the accounting records
and handling of cash, there is an opportunity for verification without incurring
significant additional costs.
In addition to reviews that involve verification, controls that involve periodic
performance review serve as an important means of highlighting unexpected
variations that should be investigated and, if necessary, corrected. Effective reviews
involve relating different sets of data (operating, financial, internal, and external) to
one another. These types of reviews are very helpful in highlighting both potential
errors and fraud.

Application controls—controls typically at the business process level that apply to
processing transactions, such as the inputting, processing, and outputting of sales or
cash receipts.
Input controls—controls designed by an organization to ensure that the information
to be processed by the computer is authorized, accurate, and complete.

Software Application Controls In addition to the above-mentioned control activities,
application controls designed for each software application are intended to help a
company satisfy the transaction-related management assertions discussed in previous
chapters. Although the objectives for each category are the same, the procedures for
meeting the objectives vary considerably. Let's examine each more closely.
Input controls are designed to ensure that the information entered into the
computer is authorized, accurate, and complete. They are critical because a large
portion of errors in IT systems result from data entry errors and, of course, regardless
of the quality of information processing, input errors result in output errors. Typical
controls developed for manual systems are still important in IT systems, such as:
• Management's authorization of transactions;
• Adequate preparation of input source documents; and
• Competent personnel.
Controls specific to IT include:
• Adequately designed input screens with preformatted prompts for transaction
information.
• Pull-down menu lists of available software options.
• Computer-performed validation tests of input accuracy, such as the validation of
customer numbers against customer master files.
• Online-based input controls for e-commerce applications where external parties,
such as customers and suppliers, perform the initial part of the transaction inputting.
• Immediate error correction procedures, to provide early detection and correction
of input errors.
• Accumulation of errors in an error file for subsequent follow-up by data input
personnel.
Table 8-3 Batch Input Controls

Control: Financial total
Definition: Summary total of field amounts for all records in a batch that represent a
meaningful total such as dollars or amounts
Example: The total of dollars of all vendor invoices to be paid

Control: Hash total
Definition: Summary total of codes from all records in a batch that do not represent a
meaningful total
Example: The total of all vendor account numbers for vendor invoices to be paid

Control: Record count
Definition: Summary total of physical records in a batch
Example: The total number of vendor invoices to be processed

For IT systems that group similar transactions together into batches, the use of
financial batch totals, hash totals, and record count totals helps increase the accuracy
and completeness of input. Batch input controls are described in Table 8-3. For
example, the comparison of a record count calculated before data entry of the number
of vendor invoices to be entered and the number of vendor invoices processed by the
system would help determine if any invoices were omitted or entered more than once
during data entry.
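The three batch input controls in Table 8-3, worked through in Python as an added example that is not part of the textbook. The invoice batch is constructed; the scenarios show why all three totals are kept, since a record count and a financial total both miss an invoice keyed to the wrong vendor account, while the hash total catches it:

```python
"""Batch input controls: record count, financial total and hash total.

Added example (not the textbook's code). Totals are computed over the source
documents before data entry (the batch header) and again over what was
actually entered; any mismatch is an exception for the data entry staff.
"""
from decimal import Decimal

# Constructed batch of vendor invoices as they appear on the source documents:
# (invoice number, vendor account number, amount).
SOURCE_BATCH = [
    ("INV-1001", "20017", "1250.00"),
    ("INV-1002", "20042", "310.50"),
    ("INV-1003", "20017", "98.75"),
    ("INV-1004", "20108", "4400.00"),
]


def batch_totals(invoices):
    """Compute the three batch input controls of Table 8-3 for a list of invoices."""
    return {
        # record count: how many physical records are in the batch
        "record_count": len(invoices),
        # financial total: a meaningful sum, here the dollars to be paid
        "financial_total": sum((Decimal(amount) for _, _, amount in invoices), Decimal("0")),
        # hash total: sum of vendor account numbers; meaningless as a number but
        # it changes whenever an invoice is posted to the wrong vendor
        "hash_total": sum(int(account) for _, account, _ in invoices),
    }


def compare_to_header(header, entered):
    """Recompute totals over the records actually entered and list every mismatch."""
    actual = batch_totals(entered)
    return [
        f"{name}: header {header[name]}, entered {actual[name]}"
        for name in ("record_count", "financial_total", "hash_total")
        if actual[name] != header[name]
    ]


# Header totals prepared before anyone keys the batch in.
BATCH_HEADER = batch_totals(SOURCE_BATCH)


def scenario_omitted_invoice():
    """The clerk skips the last invoice: all three totals fail."""
    return compare_to_header(BATCH_HEADER, SOURCE_BATCH[:3])


def scenario_duplicate_entry():
    """One invoice keyed twice: all three totals fail."""
    return compare_to_header(BATCH_HEADER, SOURCE_BATCH + [SOURCE_BATCH[1]])


def scenario_wrong_vendor():
    """INV-1002 keyed to transposed vendor number 20024 instead of 20042:
    count and dollars still agree, and only the hash total reports it."""
    entered = list(SOURCE_BATCH)
    entered[1] = ("INV-1002", "20024", "310.50")
    return compare_to_header(BATCH_HEADER, entered)


if __name__ == "__main__":
    print("header:", BATCH_HEADER)
    for scenario in (scenario_omitted_invoice, scenario_duplicate_entry, scenario_wrong_vendor):
        print(scenario.__name__, "->", scenario() or "batch agrees")
```

A hash total in this sense is an arithmetic sum, not a cryptographic hash: it detects keying errors, omissions and duplicates, but not a deliberate change made by someone who can alter both the records and the header. That is why the header is prepared by someone other than the person doing data entry, which is the segregation of duties discussed earlier.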
Processing controls—controls designed to ensure that data input into the system are
accurately and completely processed.
Output controls—controls designed to ensure that computer-generated data are valid,
accurate, complete, and distributed only to authorized people.
Processing controls prevent and detect errors while transaction data are
processed. General controls, especially controls related to systems development and
security, provide essential control for minimizing processing errors. Specific
application processing controls are often programmed into software to prevent,
detect, and correct processing errors. Examples of processing controls are illustrated
in Table 8-4.
Output controls focus on detecting errors after processing is completed, rather
than on preventing errors. The most important output control is review of the data for
reasonableness by someone knowledgeable about the output. Users can often identify
errors because they know the approximate correct amounts. Several common
controls for detecting errors in outputs include the following:
• Reconcile computer-produced output to manual control totals.
• Compare the number of units processed to the number of units submitted for
processing.
• Compare a sample of transaction output to input source documents.
• Verify dates and times of processing to identify any out-of-sequence processing.

Table 8-4 Processing Controls

Type of processing control: Validation test
Description: Ensures that a particular type of transaction is appropriate for processing
Example: Does the transaction code for the processing of a recent purchase match
predetermined inventory codes?

Type of processing control: Sequence test
Description: Determines that data submitted for processing are in the correct order
Example: Has the file of payroll input transactions been sorted in departmental order
before processing?

Type of processing control: Arithmetic accuracy test
Description: Checks the accuracy of processed data
Example: Does the sum of net pay plus withholdings equal gross pay for the entire
payroll?

Type of processing control: Data reasonableness test
Description: Determines whether data exceed prespecified amounts
Example: Does employee's gross pay exceed 60 hours or $1999 for the week?

Type of processing control: Completeness test
Description: Determines that every field in a record has been completed
Example: Are employee numbers, names, number of regular hours, number of overtime
hours, department numbers, etc., included for each employee?
For sensitive computer output, such as payroll cheques, control can be improved
by requiring employees to present employee identification before they receive their
cheques or by requiring the use of direct deposit into the employees’ pre-approved
bank accounts. Also, access to sensitive output stored in electronic files or transmitted
across networks, including the internet, is often restricted by requiring passwords,
user IDs, and encryption techniques (which we discuss in the next section).
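The five processing controls of Table 8-4 run over a constructed payroll batch, as an added Python example that is not the textbook's. The department master, the employee records and the choice to report exceptions for follow-up rather than correct data in place are assumptions; the 60-hour and $1999 limits are the ones given in the table:

```python
"""Processing controls from Table 8-4 applied to a payroll input batch.

Added example (not the textbook's code). Each test returns the exceptions it
found; the batch is processed only when every test passes, and nothing is
silently "fixed", so the exception report is itself an audit record.
"""
from decimal import Decimal

VALID_DEPTS = {"10", "20", "30"}          # constructed department master file
REQUIRED_FIELDS = ("emp_no", "name", "regular_hours", "overtime_hours",
                   "dept", "gross", "net", "withholdings")
MAX_WEEKLY_HOURS = 60                     # limits from Table 8-4
MAX_WEEKLY_GROSS = Decimal("1999")


def rec(emp_no, name, dept, reg, ot, gross, net, withheld):
    """Build one payroll input record (helper for the constructed batch)."""
    return {"emp_no": emp_no, "name": name, "dept": dept,
            "regular_hours": reg, "overtime_hours": ot,
            "gross": Decimal(gross), "net": Decimal(net), "withholdings": Decimal(withheld)}


# Constructed payroll batch; several records are deliberately defective.
PAYROLL = [
    rec("1001", "A. Lee",  "10", 40,  0, "1200.00", "900.00",  "300.00"),
    rec("1002", "B. Roy",  "10", 40, 25, "2100.00", "1500.00", "600.00"),  # 65 hours, gross over limit
    rec("1003", "C. Diaz", "30", 38,  2, "950.00",  "700.00",  "250.00"),
    rec("1004", "D. Nair", "20", 40,  0, "1000.00", "800.00",  "150.00"),  # net + withholdings != gross; dept out of order
    rec("1005", "",        "40", 40,  0, "1100.00", "850.00",  "250.00"),  # name missing; dept not in master
]


def completeness_test(records):
    """Every required field present and non-empty; returns (emp_no, missing fields)."""
    found = []
    for r in records:
        missing = [f for f in REQUIRED_FIELDS if r.get(f) in (None, "")]
        if missing:
            found.append((r.get("emp_no"), missing))
    return found


def validation_test(records, valid_depts=VALID_DEPTS):
    """Department code must exist in the department master; returns offending emp_nos."""
    return [r["emp_no"] for r in records if r["dept"] not in valid_depts]


def sequence_test(records):
    """Batch must be sorted by department before processing; returns emp_nos out of order."""
    return [records[i]["emp_no"] for i in range(1, len(records))
            if records[i]["dept"] < records[i - 1]["dept"]]


def arithmetic_accuracy_test(records):
    """For the whole payroll, net + withholdings must equal gross; returns the difference."""
    gross = sum(r["gross"] for r in records)
    net_plus_withheld = sum(r["net"] + r["withholdings"] for r in records)
    return gross - net_plus_withheld  # zero when the payroll foots


def reasonableness_test(records):
    """Flag records exceeding the prespecified hour and dollar limits."""
    found = []
    for r in records:
        reasons = []
        if r["regular_hours"] + r["overtime_hours"] > MAX_WEEKLY_HOURS:
            reasons.append("hours exceed 60")
        if r["gross"] > MAX_WEEKLY_GROSS:
            reasons.append("gross exceeds $1999")
        if reasons:
            found.append((r["emp_no"], reasons))
    return found


def run_processing_controls(records):
    """Run all five tests and return the exception report."""
    return {
        "completeness": completeness_test(records),
        "validation": validation_test(records),
        "sequence": sequence_test(records),
        "arithmetic_difference": arithmetic_accuracy_test(records),
        "reasonableness": reasonableness_test(records),
    }


def batch_is_processable(records):
    """Processing proceeds only when every test passes."""
    report = run_processing_controls(records)
    return (not report["completeness"] and not report["validation"]
            and not report["sequence"] and report["arithmetic_difference"] == 0
            and not report["reasonableness"])


if __name__ == "__main__":
    for test, result in run_processing_controls(PAYROLL).items():
        print(f"{test}: {result}")
    print("processable:", batch_is_processable(PAYROLL))
```

The arithmetic accuracy test is deliberately run over the whole payroll, as the table phrases it, which is what makes it cheap; it tells the reviewer that something is wrong by $50 without saying which record, and the per-record tests narrow that down.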

CONCEPT CHECK
C8-3 What are control activities? Explain their role in the financial reporting process.

General controls—internal controls for automated information systems pertaining to
more than one transaction cycle or group of accounts.
Principle 11: Selects and Develops General Controls Over Technology Practically
all organizations rely upon some sort of information technology to enable reliable
financial reporting. For the application (transaction) controls to operate effectively,
the organization must have effective general IT controls (normally called general
controls) over the internal control activities that are pervasive (they operate across
applications) and affect multiple classes of transactions or multiple groups of
accounts. General computer controls can be manual (such as IT budgets and contracts
with service providers) or automated (embedded in the computer programs).
Because general controls often apply on an entity-wide basis and affect many
different software applications, auditors evaluate general controls for the company as
a whole. Application controls are likely to be effective when general controls are
effective.
Figure 8-3 illustrates the relationship between general controls and application
controls. The oval represents the general controls that provide assurance that all
application controls are effective. Effective general controls reduce the risks
identified in the boxes outside the general controls oval in Figure 8-3.

Figure 8-3 Relationship Between General and Application Controls
[Illustration: an oval labelled GENERAL CONTROLS encloses the Sales Application
Controls, Cash Receipts Application Controls, Payroll Application Controls, and Other
Cycle Application Controls. Outside the oval sit the risks that general controls
address: risk of unauthorized change to application software, risk of system crash,
risk of unauthorized master file update, and risk of unauthorized processing.]
Figure 8-4 Components of the IT System
IT Systems:
• IT Infrastructure: servers, networks, internet, Wi-Fi, operating system (O/S) and
application software, and data interface
• Personal Computing: business use of mobile devices and laptops; use of spreadsheet
files
• Outsourced IT: use of cloud off-site service providers, software as a service (SaaS),
backup and storage
• IT Governance: how the IT function is organized and managed

Source: John White, "How to use COSO to assess IT controls," Journal of Accountancy, May 1, 2014.

Information Technology System The IT system includes the IT infrastructure,
personal computing, outsourced IT, and IT governance. Figure 8-4 summarizes the
components of the IT system.
The type of IT system will vary based upon factors such as overall size, the
functions that are outsourced, and whether the organization has packaged off-the-shelf
programs or customized software. Packaged software will have fewer programming
errors, and normally cannot be altered, increasing the reliance on accuracy of
programming. The nature and organization of the IT infrastructure supporting the
organization will affect the types of security controls that should be in place. As Auditing
in Action 8-2 illustrates, failure to design an adequate IT system can be quite costly.
We briefly discuss a few of the different types of IT systems below.
Local area networks (LANs)—networks that connect computer equipment, data files,
software, and peripheral equipment within a local area, such as a single building or a
small cluster of buildings, for intracompany use.
The use of networks that link equipment such as desktops, midrange computers,
mainframes, workstations, servers, and printers is common for most businesses.
Local area networks (LANs) link equipment within a single or small cluster of
buildings and are used only within a company. LANs are often used to transfer data
and programs from one computer or workstation using network system software
that allows

AUDITING IN ACTION 8-2


Technology Glitches Bungle Facebook’s IPO
The buildup surrounding Facebook, Inc.’s May 18, 2012, disruption, they noted that even though the mishap was blamed on
initial public offering set expectations high; however, the a computer malfunction, the underlying cause
opening days of trading led quickly to disappointment. Just
days before its debut, the company’s CFO decided to boost
the number of shares to be offered by 25 percent and
increased the opening offer price to
$38 per share, believing demand would be high. On opening
day, massive demand for the social network’s initial offering
Jyotsna.Ojha
actually led to a 30minute delay in the start of trading of 2018-02-22 14:34:22
the stock on the NASDAQ Stock Market. The technology glitch --------------------------------------------
left individual inves tors puzzled about whether their buy and
www.reuters.com); Andrew Tangel,
sell orders had actu ally been executed, when normally “NASDAQ Offers Brokerages $40
those acknowledgments are instantaneous. When U.S. Million for Facebook Glitches,” Los
regulators, including the SEC, initially examined the Angeles Times (June 6, 2012)
(HYPERLINK
"http://www.articles.latimes.com"
www.articles.latimes.com).
may have been programmer failure in designing the investors who suffered damages in the IPO.
systems to be robust enough to handle the volume of
Sources: Jacob Bunge, “Regulators probe role of ‘glitches’ in market
orders. In May 2013, NASDAQ agreed to pay a $10 upheavals,” NASDAQ News, June 27, 2012, accessed September 1,
million penalty to the SEC related to the Facebook IPO, 2017, at http://ih.advfn.com/p.php?pid=nmona&article=52915511;
John McCrank, “Nasdaq to settle Facebook IPO lawsuit for $26.5 mil-
and in April 2015, NASDAQ agreed to a set tlement of lion”, April 23, 2015 (www.reuters.com); John McCrank and Jonathan
Spicer, “Facebook investors left guessing after NASDAQ glitch,”
$26.5 million for a class action lawsuit filed by retail Reuters (May 21, 2012) (www.reuters.com); Andrew Tangel,
“NASDAQ offers brokerages $40 million for Facebook glitches,” Los
Angeles Times, June 6, 2012 (www.articles.latimes.com).

all of the devices to function together. Wide area networks (WANs) link equipment in
larger geographic regions, including global operations. In networks, application
software and data files used to process transactions are included on several
computers that are linked together. Access to the application from desktop computers
or workstations is managed by network server software or other interfaces with cloud
computing technology. Even small companies can have several computer servers linked
together on a network, while larger companies may have hundreds of servers in dozens
of locations networked together. It is common for networks to consist of various
combinations of equipment and procedures, which may not have standard security
options. Lack of equipment compatibility across a network may occur when
responsibility for purchasing equipment and software, maintenance, administration,
and physical security resides with key user groups rather than with a centralized IT
function. Sometimes network security may be compromised when networks consist of
equipment with incompatible security features.

Wide area networks (WANs)—networks that connect computer equipment, databases,
software, and peripheral equipment that reside in many geographic locations, such as
client offices located around the world.

Database management systems allow clients to create databases that include
information that can be shared across multiple applications. In nondatabase systems,
each application has its own data file, whereas in database management systems, many
applications share files. Clients implement database management systems to reduce
data redundancy, improve control over data, and provide better information for
decision making by integrating information throughout functions and departments. For
example, customer data, such as the customer’s name and address, can be shared in the
sales, credit, accounting, marketing, and shipping functions, resulting in consistent
information for all users and significant cost reductions. Companies often integrate
database management systems within the entire organization using enterprise resource
planning (ERP) systems that integrate numerous aspects of an organization’s
activities into one accounting information system. ERP systems share data across
accounting and nonaccounting business functions of the organization. For example,
customer order data may be used by accounting to record a sale, by production to meet
increased production demand, by purchasing to order additional raw materials, and by
human resources to arrange labour schedules.

Database management systems—hardware and software systems that allow clients to
establish and maintain databases shared by multiple applications.

Enterprise resource planning (ERP) systems—systems that integrate numerous aspects of
an organization’s activities into one accounting information system.

Controls often improve when data are centralized in a database management system by
eliminating duplicate data files. However, database management systems also can
create internal control risks. Risks increase when multiple users, including
individuals outside of accounting, can access and update data files. To counter the
risks of unauthorized, inaccurate, and incomplete data files, companies must
implement proper database administration and access controls. With the centralization
of data in a single system, they must also ensure proper backup of data on a regular
basis.

Many clients outsource some or all of their IT needs to an independent organization
commonly referred to as a computer service centre, including application service
providers (ASPs) and cloud computing environments, rather than maintain an internal
IT centre. Cloud computing is a computer resource deployment and procurement model
that enables an organization to obtain IT resources and applications from any
location via an internet connection. Depending on the arrangement, all or parts of an
entity’s IT hardware, software, and data might reside in an IT service centre shared
with other organizations and managed by a third-party vendor. The name cloud
computing comes from the use of a cloud-shaped symbol in systems diagrams to
represent complex IT infrastructures.

Service centre—an organization that provides IT services for companies on an
outsourcing basis.

Application service providers (ASPs)—third-party entities that manage and supply
software applications or software-related services to customers through the
internet.

Cloud computing environments—a computer resource deployment and procurement model
that enables an organization to obtain IT resources and applications at an IT service
centre shared with other organizations from any location via an internet connection.

Smaller companies often outsource their payroll function because payroll is
reasonably standard from company to company, and many reliable providers of payroll
services are available. Companies also outsource their e-commerce systems to external
website service providers, including those that offer cloud computing services as
described above. Like all outsourcing decisions, companies decide whether to
outsource IT on a cost-benefit basis.

When outsourcing to a computer service centre, the client submits input data, which
the service centre processes for a fee; the service centre then returns the
agreed-upon output and the original input. For payroll, the company submits data from
time records, pay rates, and TD1 tax forms to the service centre. The service centre
returns payroll cheques, journals, and input data each week, and T4 tax forms at the
end of each year. The service centre is responsible for designing the computer system
and providing adequate controls to ensure that the processing is reliable.

Outsourcing can provide challenges from an internal control perspective. Management
is responsible for the design and operating effectiveness of internal controls, and
this includes controls that are outsourced to a service provider. When selecting a
service provider, management needs to consider the ethics and integrity of service
providers, as well as the design and functioning of their internal controls; these
should also be re-evaluated regularly.

When selecting and designing general controls for the IT system, the focus is on the
controls over organization and management, security management, access controls, and
program development and changes.
Organization and Management Controls These general controls represent the
control activities over the IT control environment. They include:
• IT governance structure;
• How IT risks are identified, mitigated, and managed;
• Segregation of duties; and
• Policies, procedures, and standards affecting areas such as data ownership, data
management, software ownership, privacy, the code of conduct with respect to
technology, and disaster recovery.
As highlighted in Figure 8-4, IT governance represents a key component of
the IT system. IT governance is the overall process that enables the organization
to provide information resources that meet business needs. It represents the
policies, practices, and procedures that help IT resources add value while
considering costs and benefits. In addition to adding value, the goal of IT
governance is to mitigate risk and prevent disastrous failures, such as information
systems implementations that make transaction processing cumbersome. IT
governance is a crucial subset of corporate governance. The management
information system (MIS) should be viewed as a partner within the business
rather than an adversary or servant. The chief information officer (CIO) should
be a participant in executive meetings and the board of directors should be
involved with IT strategy (many boards have established an IT governance and
strategy subcommittee).
To respond to the risk of combining traditional custody, authorization, and
record-keeping responsibilities by having the computer perform those tasks,
well-controlled organizations separate key duties within IT. Two important areas of
segregation of duties related to general controls are:
• Separation of systems development or acquisition and maintenance from
accounting. Systems development or acquisition comprises activities that create
(or purchase) new methods of processing transactions, thus changing the way
information is entered, displayed, reported, and posted against files or databases.
Maintenance activities involve changes to these processes. These functions
should be monitored to ensure that only authorized programs and systems consistent
with management objectives are put into place. A programmer who could enter data
could enter transactions (e.g., a wage rate increase) and then suppress the logs or
other reports showing the transaction. Programmers thus should be allowed to work
only with test copies of programs and data so they can only make software changes
after proper authorization.
• Separation of computer operations from programming and accounting. Separation
from authorization, from entry of transactions data, and from the ability to
change programs makes it harder for personnel to suppress a trail of their
activities. Personnel who have physical access to media or the capability to set
access rights could steal confidential information or give themselves the right to
do anything on the system (making such a person a “super-user”). A typical
super-user is the individual or team that manages security, passwords, and user
access. Such individuals could set up a new user account under an assumed name that
gives him or her access to all systems, with the potential to change the
super-user’s own wage rate or set up fictitious customers or suppliers.

IT governance—the policies, practices, and procedures that help IT resources add
value while considering costs and benefits. In addition to adding value, the goal of
IT governance is to mitigate risk and prevent disastrous failures.
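As an added Python example (not from the textbook), the script below checks user-duty assignments against the two separations just described and flags privilege grants that no one other than the granting security administrator approved; the duty names, user names and event records are constructed for the illustration.

```python
"""Segregation-of-duties checks for the two separations this section describes.

Added example, not from the textbook: it encodes incompatible IT duties as
pairs, scans a constructed list of user-duty grants for users holding both
halves of a pair, and flags privilege grants that no one other than the
granting security administrator approved. Duty names, user names and the
sample data are constructed for illustration.
"""
from collections import defaultdict

# Pairs of duties the section says should not sit with the same person.
# "programming" covers systems development/acquisition and maintenance.
INCOMPATIBLE_DUTIES = {
    frozenset({"programming", "accounting"}),
    frozenset({"programming", "transaction_entry"}),
    frozenset({"computer_operations", "programming"}),
    frozenset({"computer_operations", "accounting"}),
}


def sod_conflicts(grants):
    """grants: list of (user, duty). Returns {user: [conflicting duty pairs]}."""
    duties = defaultdict(set)
    for user, duty in grants:
        duties[user].add(duty)
    conflicts = {}
    for user, held in duties.items():
        bad = [tuple(sorted(pair)) for pair in INCOMPATIBLE_DUTIES if pair <= held]
        if bad:
            conflicts[user] = sorted(bad)
    return conflicts


def unapproved_grants(events):
    """events: list of (actor, action, target_account, detail) in time order,
    where action is 'create_account', 'approve' or 'grant'.
    A grant is flagged unless someone other than the granting actor approved
    access for that account first; this catches a security administrator who
    creates an account and hands it broad access on their own authority."""
    approvers = defaultdict(set)
    flagged = []
    for actor, action, target, detail in events:
        if action == "approve":
            approvers[target].add(actor)
        elif action == "grant" and not (approvers[target] - {actor}):
            flagged.append((target, actor, detail))
    return flagged


# Constructed sample data.
GRANTS = [
    ("alice", "programming"), ("alice", "test_environment"),
    ("bob", "accounting"), ("bob", "transaction_entry"),
    ("carol", "programming"), ("carol", "transaction_entry"),
    ("dave", "computer_operations"), ("dave", "programming"),
]
EVENTS = [
    ("secadmin", "create_account", "jdoe", "new hire in sales"),
    ("hr_manager", "approve", "jdoe", "sales role"),
    ("secadmin", "grant", "jdoe", "sales_application"),
    ("secadmin", "create_account", "m.smith", "contractor"),
    ("secadmin", "approve", "m.smith", "self-approved"),
    ("secadmin", "grant", "m.smith", "all_systems"),
]

if __name__ == "__main__":
    for user, pairs in sod_conflicts(GRANTS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for target, actor, detail in unapproved_grants(EVENTS):
        print(f"Unapproved grant: {actor} gave {target} {detail}")
```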

Security Management and Access Control Security management includes control
activities regarding security over data, the IT infrastructure, and daily operations.
These control activities include controls over program acquisition, implementation,
and maintenance. For instance, IT general controls should be in place to ensure that
backups of applications, databases, and operating systems are performed at
appropriate intervals and periodically tested for recoverability. Other controls
include the delivery of information services to users, the management of third-party
providers (e.g., Are they required to adhere to the organization’s security
standards?), and the use of system software, security software, database management,
and utility programs.
Security controls include both physical controls and online access controls.
Physical controls restrict access to hardware and software, and prevent improper use
of programs and data files. Common examples to physically restrict unauthorized use
include keypad entrances, badge-entry systems, security cameras, and security
personnel. More sophisticated controls only allow physical and online access after
employee fingerprints are read or employee retinas are scanned and matched with an
approved database. Other physical controls include monitoring of cooling and
humidity to ensure that the equipment functions properly and installing
fire-extinguishing equipment to reduce fire damage.
Online access controls reduce the likelihood that unauthorized changes are made to
software applications and data files. The organization should implement controls
regarding issuance/removal and security of user passwords and IDs, internet
firewalls and remote-access controls, data encryption, and access-privilege
controls.

Encryption techniques—computer programs that change a standard message or data file
into one that is coded, then decoded using a decryption program.

Digital signatures—electronic certificates that are used to authenticate the validity
of individuals and companies conducting business electronically.
Points to consider when assessing the effectiveness of security management
include the following:
• The system is able to identify authorized and unauthorized users.
• User profiles only permit access to what the user needs to know.
• The ability to change, modify, or delete data is restricted to those with authority.
Encryption techniques protect the security of electronic communication when
information is transmitted and when it is stored. Computerized encryption changes a
standard message or data file into one that is coded (encrypted), requiring the
receiver of the electronic message or user of the encrypted data file to use a
decryption program to decode the message or data. A public key encryption technique
is often used, where one key (the public key) is used for encoding the message and
another key (the private key) is used to decode the message. The public key is
distributed to all approved users of the e-commerce system. The private key is
distributed only to internal users with the authority to decode the message.
To authenticate the validity of a trading partner conducting business
electronically, companies may rely on external certification authorities, who verify
the source of the public key by using digital signatures. A trusted certification
authority issues a digital certificate to individuals and companies engaging in
e-commerce. The digital signature contains the holder’s name and its public key. It
also contains the name of the certification authority and the certificate’s
expiration date and other specified information. To guarantee integrity and
authenticity, each signature is digitally signed by the private key maintained by
the certification authority.
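The public-key exchange and the certification authority’s signature described above, carried through as an added Python example that is not part of the textbook: it uses textbook RSA on integers with fixed primes, and the partner and CA names, the expiry date, and the message are constructed.

```python
"""Public-key encryption and a certification authority's digital signature,
worked end to end.

Added example, not from the textbook. It uses textbook RSA on Python integers
with fixed Mersenne primes so it runs offline; production systems use far
larger keys and padding schemes, which are left out here. "Partner Ltd" and
"Example CA" are constructed names.
"""
import hashlib
import json

E = 65537  # widely used public exponent


def make_keypair(p, q):
    """Return ((e, n), (d, n)) from two distinct primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse of e; Python 3.8+
    return (E, n), (d, n)


def encrypt(public_key, message):
    """Encode bytes with the receiver's public key (distributed to all users)."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message must be shorter than the modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Decode with the private key, held only by authorized internal users."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(payload, n):
    """SHA-256 of the payload reduced into the signing modulus."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def _canonical(cert):
    """Stable byte encoding of every certificate field except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, holder, holder_public, expires):
    """The CA binds holder name, holder public key and expiry, then signs the
    digest with its own private key."""
    cert = {"holder": holder, "public_key": list(holder_public),
            "issuer": ca_name, "expires": expires}
    d, n = ca_private
    cert["signature"] = pow(_digest(_canonical(cert), n), d, n)
    return cert


def verify_certificate(cert, ca_public):
    """Anyone with the CA's public key can check integrity and authenticity:
    decoding the signature must reproduce the digest of the other fields."""
    e, n = ca_public
    return pow(cert["signature"], e, n) == _digest(_canonical(cert), n)


# Constructed keys: Mersenne primes keep the arithmetic exact and fast.
PARTNER_PUBLIC, PARTNER_PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)
CA_PUBLIC, CA_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    cipher = encrypt(PARTNER_PUBLIC, b"ORDER-42")
    print("decrypted:", decrypt(PARTNER_PRIVATE, cipher))
    cert = issue_certificate("Example CA", CA_PRIVATE, "Partner Ltd",
                             PARTNER_PUBLIC, "2026-12-31")
    print("certificate valid:", verify_certificate(cert, CA_PUBLIC))
    forged = dict(cert, holder="Imposter Ltd")
    print("forged certificate valid:", verify_certificate(forged, CA_PUBLIC))
```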
The IT system should also ensure that there are controls regarding incident
tracking, system logging, and monitoring to identify potential security breaches. As
Auditing in Action 8-3 highlights, security breaches can be costly.
AUDITING IN ACTION 8-3

Cyberattacks: A New Reality
The 2017 “WannaCry” cyberattack, which involved 45 000 incidents in 74 countries,
demonstrates that the susceptibility to hackers infiltrating client information
systems is significant. Hospitals in the UK, a Spanish telecommunication company,
European soccer clubs, and Brazil’s state-owned oil company are but a few of the
organizations affected by the ransomware attack. The attack held the various
organizations hostage by freezing computers, encrypting data, and demanding money
through online bitcoin payments.
While the “WannaCry” attack had considerable impact, if not for its quick shutdown,
it could have been far worse. Consider the effects of the 2014 cyberattack of Sony
Pictures. In addition to the cancellation of theatrical release of The Interview,
thousands of electronic documents were stolen, internal data centres were erased, and
75 percent of the company’s servers were destroyed. Among the stolen goods were five
movies (that had been widely released), contracts, salary and budget data, medical
records, and Social Security numbers.
The cyberattack also affected Sony’s financial and accounting applications and
caused Sony to miss its stock-market deadline for issuing its third-quarter result.
Michael Lynton, CEO of Sony Entertainment, said that Sony was “adequately prepared”
but could never have predicted “an attack of this nature.” Others claim that Sony’s
disaster recovery plan was woefully inadequate—it had few backups and no contingency
plan to move operations to another place. Further, some computer experts suggest that
Sony could have been better prepared by encrypting all sensitive data, by keeping
passwords separate from password-protected documents, and by keeping sensitive data
separate from other data.
Along with the costs associated with lost productivity and lost revenue, there were
considerable costs associated with restoring the IT systems. At the time it announced
that its earnings report would be delayed, Sony predicted the hack would cost $15
million “in investigation and remediation costs.” However, the figure was
subsequently revised to $35 million.

Sources: Warwick Ashford, “Sony admits it was unprepared for November’s cyber
attack,” ComputerWeekly.com, January 2, 2015, accessed August 2, 2017, at
http://www.computerweekly.com/news/2240237912/Sony-Pictures-admits-it-was-unprepared-for-Novembers-cyber-attack.
Dan Heilman, “How Sony used old tech to function after hack,” CIO Today, December
31, 2014, accessed August 2, 2017, at
http://www.cio-today.com/article/index.php?story_id=00100015QE3U. Tim Hornyak,
“Hack to cost Sony $35 million in IT repairs,” IT News, February 4, 2015, accessed
April 6, 2015, at
https://www.networkworld.com/article/2879814/data-center/sony-hack-cost-15-million-but-earnings-unaffected.html.
Adrienne LaFrance, “Global ransomware attack stuns systems in up to 74 countries,”
The Atlantic, May 12, 2017, accessed August 5, 2017 at
https://www.theatlantic.com/technology/archive/2017/05/a-massive-ransomware-attack-on-the-nhs/526524/.
Takashi Mochizuki and Megumi Fujikawa, “Sony hacking attacks delay earnings
report,” Wall Street Journal, January 23, 2015, accessed August 5, 2017, at
http://www.wsj.com/articles/sony-hacking-attacks-delay-earnings-report-1422008085.

Regarding communications with public networks, the organization should have
a firewall. A firewall is a system of hardware and software that monitors and
controls the flow of e-commerce communications by channelling all network
connections through controls that verify external users, grant access to authorized
users, deny access to unauthorized users, and direct authorized users to requested
programs or data. Firewalls are becoming increasingly sophisticated as the frequency
and severity of cyberattacks grow (as highlighted in Auditing in Action 8-3). The
firewall should have the following characteristics:
• Hides the structure of the network;
• Provides an audit trail of communication with public parties;
• Generates alarms when suspicious activity is suspected; and
• Defends itself and/or the organization’s network against attack.
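As an added Python example (not from the textbook), a minimal control gateway that exhibits the characteristics listed above over a handful of constructed connection attempts: it verifies each external user against an allow list, writes an audit trail entry for every decision, keeps internal addresses out of what the requester sees, and raises an alarm when one source is denied repeatedly. The users, addresses, resources and threshold are assumptions.

```python
"""A control gateway with the characteristics this section lists.

Added example, not from the textbook: every external connection passes
through one gateway that verifies the user against an allow list, grants or
denies access, records an audit trail entry, hides internal addresses from
requesters, and raises an alarm when a single source is denied repeatedly.
Users, addresses, resources and the threshold are constructed.
"""
from collections import Counter

# Which authorized external user may reach which internal program or data.
AUTHORIZED = {
    ("partner_a", "sales_app"),
    ("partner_b", "order_status"),
}
# Internal addresses stay inside the audit trail; requesters only see a name.
INTERNAL_HOSTS = {"sales_app": "10.0.5.12", "order_status": "10.0.5.20"}
ALARM_THRESHOLD = 3  # denials from one source before an alarm is raised


def gateway(connections):
    """connections: iterable of (source_ip, user, requested_resource).
    Returns (audit_trail, alarms, responses): the internal audit trail records
    every decision, alarms lists sources that tripped the threshold, and
    responses is what each requester is told."""
    audit_trail, alarms, responses = [], [], []
    denials = Counter()
    for src, user, resource in connections:
        allowed = (user, resource) in AUTHORIZED
        routed_to = INTERNAL_HOSTS[resource] if allowed else None
        audit_trail.append({"src": src, "user": user, "resource": resource,
                            "decision": "ALLOW" if allowed else "DENY",
                            "routed_to": routed_to})
        if allowed:
            responses.append(f"connected to {resource}")  # no address leaks
        else:
            responses.append("access denied")              # no hint about why
            denials[src] += 1
            if denials[src] == ALARM_THRESHOLD:
                alarms.append(f"{src}: {ALARM_THRESHOLD} denied attempts")
    return audit_trail, alarms, responses


# Constructed traffic: one partner probing beyond its rights, one unknown
# source trying several resources, one partner behaving normally.
CONNECTIONS = [
    ("203.0.113.5", "partner_a", "sales_app"),
    ("203.0.113.5", "partner_a", "payroll"),
    ("198.51.100.9", "unknown", "payroll"),
    ("198.51.100.9", "unknown", "sales_app"),
    ("198.51.100.9", "unknown", "order_status"),
    ("203.0.113.7", "partner_b", "order_status"),
]

if __name__ == "__main__":
    trail, alarms, replies = gateway(CONNECTIONS)
    for entry in trail:
        print(entry)
    print("alarms:", alarms)
```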
Backup and disaster recovery planning enables the organization to continue
operations in the event of failure of part or all of its information systems.
Something as simple as a hard drive crash can cause enormous problems if a company
has not given careful thought to contingency procedures. Power failures, fire,
excessive heat or humidity, water damage, or even sabotage can have serious
consequences for businesses using IT. To prevent data loss during power outages,
many companies rely on battery backups or on-site generators. For more serious
disasters, organizations need detailed backup and contingency plans such as off-site
storage of critical software and data files or outsourcing to firms that specialize
in secure data storage.

Backup—copies of systems and data that can be used to bring a failed system back
online.

Firewall—a system of hardware and software that monitors and controls the flow of
e-commerce communications by channelling all network connections through a control
gateway.

Disaster recovery plan (DRP)—planning for potential information technology
disruptions. The purpose of the DRP is to enable the business to continue operations
in the event of failure of information systems.

Backup and contingency plans should also identify alternative hardware that can
be used to process company data. Companies with small IT systems can purchase
replacement computers in an emergency and reprocess their accounting records by
using backup copies of software and data files. Larger companies often contract with
IT data centres that specialize in providing access to off-site computers and data
storage and other IT services for use in the event of an IT disaster.

Program Development and Change An organization needs to select control
activities regarding the acquisition and implementation of new applications, systems
development and quality assurance, and maintenance of existing applications as well
as program changes. For instance, does the organization have a formal systems
development methodology that ensures development (or modification) and testing of
IT solutions is separated from production systems?
To ensure that the right software is implemented:
• Involve a team of both IT and non-IT personnel, including key users of the
software and internal auditors. This combination increases the likelihood that
information needs, as well as software design and implementation concerns, are
properly addressed. Involving users also results in better acceptance by key users.
• Test all software to ensure that the new software is compatible with existing
hardware and software and to determine whether the hardware and software can handle
the needed volume of transactions. Whether software is purchased or developed
internally, extensive testing of all software with realistic data is critical.
Companies typically use one or a combination of the following two test approaches:
1. Pilot testing: A new system is implemented in one part of the organization
while other locations continue to rely on the old system.
2. Parallel testing: The old and new systems operate simultaneously in all
locations.
• Proper documentation of the system is required for all new and modified
software. After the software has been successfully tested and documented, it is
transferred to the librarian in a controlled manner to ensure that only authorized
software is ultimately accepted as the authorized version.

Pilot testing—a company’s computer testing approach that involves implementing a new
system in just one part of the organization while maintaining the old system at other
locations.

Parallel testing—a company’s computer testing approach that involves operating the
old and new system simultaneously.

Principle 12: Deploys Policies and Procedures The policies and procedures for the
control activities should be spelled out in systems documentation (in a manual or on
the company intranet) to encourage consistent application. The organization should
review its policies periodically to ensure that they are still appropriate or identify if
they need to be revised.

CONCEPT CHECK
C8-4 What are general controls? Explain how they are similar to entity-level
controls.

Information and Communication
The purpose of an entity’s accounting information and communication systems is to
initiate, record, process, and report the entity’s transactions and to maintain
accountability for the related assets. The system includes the entity’s business
processes as well as the accounting system (accounting software, electronic
spreadsheets, and the policies and procedures to prepare periodic financial reports
and period-end financial statements).

Accounting information and communication systems—entity systems that are used to
initiate, record, process, and report the entity’s transactions, events, and
conditions and to maintain accountability for the related assets.

Figure 8-5 summarizes the inputs, processes, and outputs of the accounting
information system.
Figure 8-5 The Accounting Information System

Inputs
• Transactions, events, and conditions
Business Processes
• Initiate, record, process, and report transactions and maintain accountability
(safeguard, classify, etc.) for related assets, liabilities, and equity
• Resolve incorrect processing of transactions
• Process and account for system overrides or bypasses to controls
Accounting Systems
• Transfer information from transaction processing systems to general ledger
• Capture information for relevant events/conditions other than transactions
(amortization, valuation of inventory, receivables, and other estimates)
• Accumulate, record, process, summarize, and appropriately report other
information required to be disclosed in the financial statements
• Use of standard and other journal entries to record transactions, estimates, and
adjustments
Outputs
• Financial statements (including disclosures)

Source: This chart is an extract from Guide to Using International Standards on
Auditing in the Audits of Small and Medium-Sized Entities of the Small and Medium
Practices (SMP) Committee published by the International Federation of Accountants
(IFAC) in 2010. Reproduced with permission of IFAC. All rights reserved. Contact
Permissions@ifac.org for permission to reproduce, store or transmit, or to make other
similar uses of these extracts.

As Figure 8-5 highlights, controls over the accounting systems are distinct from
the business processes, and include controls over the following: (1) the transfer of
business process information to the general ledger; (2) the capture of relevant
events/conditions, such as amortization, valuation of inventory and accounts
receivable, and other estimates that are not transaction based; (3) journal entries;
and (4) the accumulation and summation of other information that must be disclosed
in the financial statements. As mentioned in our earlier discussion of control
activities, an important control is the chart of accounts, which lists and
classifies transactions into individual balance sheet and income statement accounts.

Principle 13: Obtains or Generates Relevant, Quality Information An organization
must have established information requirements to support effective operations
of controls within the five components of internal controls. It should ensure that
its information systems generate information that is of sufficient quality to support
effective operation of control. Controls should be developed and implemented
related to:
• Completeness and accuracy of data;
• Capture of data at the necessary frequency;
• Provision of information when needed;
• Protection of sensitive data; and
• Retention of data to comply with relevant business, audit, and regulatory needs.
In addition to internally generated information, the organization should ensure
that information from external sources is appropriate, supported by evidence, and of
sufficient quality to support effective operation of the control.

Principle 14: Communicates Internally Communication within the organization
includes both formal and informal communication, such as policy manuals,
newsletters, job descriptions, and training sessions. Some key processes would include
letters, job descriptions, and training sessions. Some key processes would include
training orientation for new employees or employees starting a new position, discuss-
ing the nature of the position’s responsibilities. The organization’s messaging should
reinforce the idea that internal control responsibilities must be taken seriously and
critical information should be disseminated quickly. There also should be a process
for employees to communicate improprieties—often referred to as “whistleblowing.”
This process should be well communicated, allow for anonymity, and ensure that
actions taken by senior management, the board, and the audit committee to address
the improprieties are communicated.
Principle 15: Communicates Externally The organization should have in place
processes to communicate relevant and timely information to external parties,
including shareholders, members, partners, owners, regulators, customers, financial
analysts, and any other relevant stakeholder. The communication should be two-way
and should involve processes that track communications with customers, vendors,
regulators, and other relevant stakeholders. Many organizations have separate
communications, such as a whistleblower hotline, to allow direct communication with
management and personnel. For instance, some municipalities have implemented
fraud and waste hotlines to provide staff and members of the public with a means to
report any observed or suspected fraud, waste, or misuse.

CONCEPT CHECK
C8-5 What are the accounting information and communication controls? How are they distinct
from business process controls?

Monitoring
Monitoring activities deal with ongoing or periodic assessment of the quality of
internal control performance to determine that controls are operating as intended
and that they are modified as appropriate for changes in conditions. Monitoring also
requires that deficiencies in internal control are reported and appropriate remedial
action is taken.

Monitoring—management’s ongoing and periodic assessment of the quality of internal
control performance to determine that controls are operating as intended and
modified when needed.

Principle 16: Selects, Develops, and Performs Ongoing and Separate Evaluations
Monitoring should include evaluation built into business/financial reporting and
performed on a real-time basis (ongoing), as well as separate periodic evaluations.
Information for assessment and modification comes from a variety of sources,
including studies of existing internal controls, internal auditor reports, exception
reporting on control activities, reports by regulators (such as, in the case of
financial institutions, the Office of the Superintendent of Financial Institutions),
feedback from operating personnel, and complaints from customers about billing
charges.
For many companies, especially larger ones, a competent internal audit
department is essential for effective monitoring of internal controls, and the department
often performs the periodic reviews. For an internal audit function to be effective, it
is important that the internal audit staff be independent of both the operating and
accounting departments, and that it report directly to a high level of authority within
the organization, usually the audit committee of the board of directors.

CONCEPT CHECK
C8-6 How is management’s risk assessment relevant to the audit?
C8-7 What is the role of monitoring to support internal controls?

Principle 17: Evaluates and Communicates Deficiencies Internal control
deficiencies need to be reported in a timely manner to those responsible for taking
corrective action, senior management, and the board of directors (or the audit
committee). For instance, results of internal audit activities should be reported to
senior management, the audit committee, and the external auditor. Management
should take adequate and timely action to address deficiencies reported by the
internal audit and other monitoring activities.

UNDERSTANDING CONTROLS OF SMALL BUSINESSES

LO 4 Understand the important risks and controls in small businesses.

Regardless of the size of the organization, the auditor is required to obtain an
understanding of internal controls. However, the size of a company does have a significant
effect on the nature of internal control activities and the specific monitoring controls.
It is often difficult for a small business to establish adequate separation of duties.
Further, the entity is unlikely to have in-house expertise in systems and would place
more reliance on software and hardware suppliers for system support and
maintenance. Passwords may be in use but in simple form (for example, accounting
personnel may have a single password that allows access to all systems and
functions). Note that this would be a significant control deficiency.
While it is difficult for a small company to formalize all its policies, it is certainly
possible for a small company to implement some practical controls, such as a
culture that values ethics; competent, trustworthy personnel with clear lines of authority;
proper procedures for authorization, execution, and recording of transactions;
adequate documents, records, and reports; physical controls over assets and records; and,
to a limited degree, checks on performance.
A major control available in a small company is the knowledge and concern of
the top operating person, who is frequently an owner–manager. Having knowledge
about and a personal interest in the organization and a close relationship with
personnel (often called “executive controls”), the owner–manager can carefully evaluate the
competence of the employees and the effectiveness of the overall systems. An
important owner–manager control is monitoring revenues and expenditures against
an established budget and other important performance indicators. Internal control
can also be significantly strengthened if the owner conscientiously performs such
duties as signing all cheques after carefully reviewing supporting documents,
reviewing bank reconciliations, examining accounts receivable statements sent to
customers, approving credit, examining all correspondence from customers and
vendors, and approving the write-off of bad debts.

CONCEPT CHECK
C8-8 What is the key internal control risk at a small business, and how can a small
business owner deal with it?

SUMMARY

This chapter focused on internal controls, including internal controls related to computer-based
information systems, and the COSO framework. We use this framework as a basis for discussing
the auditor’s responsibilities related to internal controls in the next chapter. To rely on a client’s
internal controls to reduce planned audit evidence for audits of financial statements, the auditor
must first obtain an understanding of each of the five components of internal control. Knowledge
about the design of the client’s control environment, risk assessment, control activities,
information and communication, and monitoring activities, and the auditors’ evaluation of whether
internal control components are effective lays the foundation of the auditor’s assessment of control risk
at the financial statement level and at the assertion level.

MyLab Accounting
Make the grade with MyLab Accounting: The questions, exercises, and problems
marked with a can be found on MyLab Accounting. You can practise them as
often as you want, and most feature step-by-step guided instructions to
help you find the right answer.
