© Jerry L. Turner 2006 Jerry L Turner The University of Memphis An Efficient Approach to Identification and Documentation of Critical Accounting Application.

Slides:



Advertisements
Similar presentations
Modern Auditing: Assurance Services and the Integrity of Financial Reporting, 8th Edition William C. Boynton California Polytechnic State University at.
Advertisements

Auditing Concepts.
Supplement E T he Changing Nature of Journals and Ledgers.
Learning Objectives LO5 Document an accounting system to identify key controls and weaknesses in order to assess control risk. LO6 Write key control tests.
Audit Documentation PCAOB Auditing Standard no.3.
Auditing A Risk-Based Approach To Conducting A Quality Audit
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Internal Control in a Financial Statement Audit
Recordkeeping & Accounting
Sales & Cash Receipts Transactions By David N. Ricchiute
Chapter 11 Auditing the Purchasing Process McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.
Chapter 7 Revenue and Collection Cycle “What at first was plunder assumed the softer name of revenue.” Thomas Paine McGraw-Hill/IrwinCopyright © 2008 by.
Nature of an Integrated Audit
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin.
Auditing the Purchasing Process
Auditing the Purchasing Process
Chapter 13 Prepared by Richard J. Campbell Copyright 2011, Wiley and Sons Auditing Human Resources Processes: Personnel and Payroll in Service Industries.
Auditing Internal Control over Financial Reporting
Auditing Internal Control over Financial Reporting
1 Designing Substantive Procedures The auditor “must plan and perform the audit to reduce the audit risk to an acceptably low level that is consistent.
INTERNAL CONTROL OVER FINANCIAL REPORTING
Chapter 5 Internal Control over Financial Reporting
Considering Internal Control
Internal Control in a Financial Statement Audit
Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.
Internal Control in a Financial Statement Audit
1 Chapter Three IT Risks and Controls. 2 The Risk Management Process Identify IT Risks Assess IT Risks Identify IT Controls Document IT Controls Monitor.
Introduction to Transaction Processing and Documentation Techniques COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson,
Copyright © 2007 Pearson Education Canada 1 Chapter 13: Audit of the Sales and Collection Cycle: Tests of Controls.
Audit Strategy and Audit Program
AUDITING THE REVENUE CYCLE AND RELATED ACCOUNTS
Auditing the Revenue Process
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 11-1 Expense and Liability Recognition Expenses are outflows.
 2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood Chapter 10 Electronic Data Processing Systems.
Chapter 6 Internal Control in a Financial Statement Audit Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution.
1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.
[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.1 Internal.
5 - 1 ©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley Audit Responsibilities and Objectives Chapter 5.
McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved. 6-1 Chapter 6 CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 6-1 Chapter Six Internal Control in a Financial Statement Audit.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 7-1 Chapter Seven Auditing Internal Control over Financial Reporting.
AUDITING SALES AND CASH RECEIPTS
McGraw-Hill/Irwin © The McGraw-Hill Companies 2010 Auditing Internal Control over Financial Reporting Chapter Seven.
Copyright © 2007 Pearson Education Canada 1 Chapter 11: Overall Audit Plan and Audit Program.
Copyright © 2007 Pearson Education Canada 1 Chapter 15: Audit of Cash Balances.
©2012 Prentice Hall Business Publishing, Auditing 14/e, Arens/Elder/Beasley Section 404 Audits of Internal Control and Control Risk Chapter.
The Causeway Company uses the following procedures to process the cash received from credit sales. The mailroom receives checks and remittance advices.
18-1 Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
McGraw-Hill/Irwin © The McGraw-Hill Companies 2010 Auditing the Revenue Process Chapter Ten.
©©2012 Pearson Education, Auditing 14/e, Arens/Elder/Beasley Considering Internal Control Chapter 10.
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall. Chapter
Audit of the Sales and Collection Cycle. Identify the accounts and the classes of transactions in the sales and collection cycle. Describe the business.
McGraw-Hill/Irwin © The McGraw-Hill Companies 2010 Internal Control in a Financial Statement Audit Chapter Six.
Chapter 6 Internal Control in a Financial Statement Audit McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Internal Control Chapter 7. McGraw-Hill/Irwin © 2008 The McGraw-Hill Companies, Inc., All Rights Reserved. 7-2 Summary of Internal Control Definition.
Auditing Concepts.
Problem 9-3, Page 473 Key Control, Control Test Evaluation
Internal Control in a Financial Statement Audit
Revenue and Collection Cycle
Modern Auditing: Assurance Services and the Integrity of Financial Reporting, 8th Edition William C. Boynton California Polytechnic State University at.
Audit Responsibilities and Objectives
Defining Internal Control
CAS 300 – Planning an audit of financial statements
Problem 5-26, page 126 The following are two balance-related audit objectives in the audit of accounts payable. All accounts payable included on the list.
Problem 5-26, page 126 The following are two balance-related audit objectives in the audit of accounts payable. All accounts payable included on the list.
CHAPTER 6 ELECTRONIC DATA PROCESSING SYSTEMS
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
Presentation transcript:

© Jerry L. Turner 2006 Jerry L Turner The University of Memphis An Efficient Approach to Identification and Documentation of Critical Accounting Application Controls

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Section 404 requires an assessment by management of the effectiveness of the internal control structure and procedures for financial reporting Requires each independent auditor to attest to, and report on, the assessment made by the management of the issuer

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Internal control systems must be documented Relevant internal controls must be identified and tested.

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Congress assumed that existing documentation would be an adequate basis for management of public companies to report on internal accounting controls

© Jerry L. Turner 2006 Background—Auditors Prior to SAS No. 55 (1988), auditors documented systems and identified internal controls with extensive flowcharts, extensive internal control checklists, or both

© Jerry L. Turner 2006 Traditional Flowcharts Portray systems as a chronological sequence of processing steps representing transaction flows Usually include superfluous information Difficult to maintain because of complexity Ineffective in identifying existing controls Ineffective at identifying where controls should exist but were not present

© Jerry L. Turner 2006 Traditional Flowchart Source: Whittington/Pany: Principles of Auditing

© Jerry L. Turner 2006 Internal Control Questionnaires Tend to be boilerplate in nature Not very effective at relating controls to audit objectives Frequently in a yes/no format where yes is good, no is bad

© Jerry L. Turner 2006 Internal Control Questionnaire Source: Whittington/Pany: Principles of Auditing

© Jerry L. Turner 2006 Move to Focus on Assertions Subsequent to SAS No. 55, auditors began organizing internal control documentation by audit objective to enable risk-based audits Prompted auditors to replace flowcharts with more easily prepared (cheaper?) narratives organized by control objectives corresponding to financial statement assertions

© Jerry L. Turner 2006 Narrative Source: Whittington/Pany: Principles of Auditing

© Jerry L. Turner 2006 Background—Companies System documentation has many forms, depending on the functional group involved in preparation Usually related to system design, such as physical and logical data flow diagrams Extremely detailed and generally not effective for other purposes, such as identification of critical internal controls

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Management is to provide to the auditor documentation based on relevant assertions about each significant account –Existence or occurrence, –Completeness, –Valuation or allocation, –Rights and obligations, and –Presentation and disclosure

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 SOX notes that documentation might take many forms, such as paper, electronic files, or other media Can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 For each significant process related to an assertion, both management and the independent auditor should –understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported; –identify the points within the process at which a misstatement—including a misstatement due to fraud—related to each relevant financial statement assertion could arise;

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 –identify the controls implemented to address these potential misstatements; and –identify the controls implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Individual controls must be linked clearly with the significant accounts and assertions to which they relate In addition to specific controls in isolation, combinations of controls also should be considered in assessing whether the objectives of the control criteria have been achieved.

© Jerry L. Turner 2006 Existing Documentation Methods Neither efficient nor effective in complying with the requirements of SOX Documentation typically begins with the source of accounting information, e.g. a transaction, and creates data flows from that activity to an end-point in the general ledger

© Jerry L. Turner 2006 Consider a Leaf on a Tree

© Jerry L. Turner 2006 A More Effective Approach Is consistent with a risk-based approach to auditing Identifies the critical files in the financial reporting process from the hundreds or thousands of files in a computer-based accounting system Identifies the critical processes that impact data contained in those critical files

© Jerry L. Turner 2006 A More Effective Approach Allows identification of controls related to those processes, based on management assertions about financial statement account balances Is useful for both company management and independent auditors Allows identification of controls that may be monitored effectively with continuous auditing techniques

© Jerry L. Turner 2006 Continuous Auditing Several reasons for resistance to implementation of continuous auditing –Technology –Cost –Different objectives for company and auditor SOX has aligned objectives with integrated audit approach

© Jerry L. Turner 2006 When Can Errors Occur? When data is entered into a system When data is transferred from one document or electronic file to a different document or electronic file When data changes form through aggregation or other process When data is deleted

© Jerry L. Turner 2006 Three Steps to an Effective Approach First, identify the significant accounts that affect the financial statements Then, for each significant account, identify the critical data path (CDP), beginning from the general ledger or terminal database table and proceeding backwards through each relevant file or database table until data origination

Critical Data Path (CDP) General Ledger Account File A File B Transaction or Allocation Document 1 Interface with other systems/applications E-commerce Web interfaces EDI Non-integrated systems/applications

© Jerry L. Turner 2006 Three Steps to an Effective Approach Second, identify the process or processes that affect accounting data as it moves from entry to general ledger or terminal database table A process can affect data in three ways: it can –add new data to the CDP –transform data already existing in the CDP –delete data from the CDP

© Jerry L. Turner 2006 Ad Hoc and Other Processes Error correction procedures may allow addition, deletion or manipulation of data, but occur outside normal processing Management override or circumvention of normal controls Journal entries needed as part of financial reporting process (accruals, allocations, etc.)

General Ledger Account File A File B P7—Normal process P5—Normal process P3—Normal process P1—Normal process Transaction or Allocation Document 1 P8— Error correction Management override Journal entries P6— Error correction Management override P4— Error correction Management override P2— Error correction Management override Interface with other systems/applications E-commerce Web interfaces EDI Non-integrated systems/applications

© Jerry L. Turner 2006 Three Steps to a New Approach For each CDP, critical controls for each of the five assertions affected by each process must be identified and documented A critical control might be the first and/or the last control in a process over a specific management assertion.

© Jerry L. Turner 2006 Three Steps to a New Approach A CDP may require more than one critical control over an assertion as the data is transformed or aggregated Also may require identification of additional files and processes outside the CDP, e.g. verify that a subsidiary ledger balance used as a control is correct

© Jerry L. Turner 2006 Three Steps to a New Approach As critical controls are identified, each should be referenced to a separate control summary sheet The summary sheet should be organized by management assertion and document the critical control or controls for each assertion Each control should be referenced to audit program tests of that control

© Jerry L. Turner 2006 Examples Recording of customer payments Additions to inventory

Remittance Advice Customer Check Cash Receipt Control Listing CR1—Cash Receipt Transaction File Customer Check CRP2—Manually input cash receipts from Cash Receipt Control Listing General Ledger Accounts Receivable File or Database Table Credit Remittance Advice Copy of Cash Receipt Control Listing To Cashier Recording of Customer Payments CRP3—Master File update run Aggregate amounts Update existing balance CRP4— Error correction Management override Journal entries CRP1—Manually prepare cash receipt control listing Record Customer ID Invoice number Date Check number Check amount

Critical Control Summary CRP1—Manually prepare cash receipt control listing CategoryAssertionCritical Control(s)Audit Procedure(s) Existence or Occurrence  All receipts represent valid payments-on-account  All remittances must be accompanied by a valid remittance advice Completeness  All payments-on-account are recorded  All payments received are listed on a cash receipt control listing Rights and Obligations  Payments are made to the correct entity  Payments are deposited only in company accounts All pay-to-the-order-of notations are examined on all checks received  All payments are endorsed with “For Deposit Only” to the company account Valuation  Correct amounts are recorded on the cash receipt control listing  Cash and checks received are totaled and total compared to total on cash receipt control listing Presentation or DisclosureN/A

Additions to Inventory

© Jerry L. Turner 2006 Discussion