© Jerry L. Turner 2006 Jerry L Turner The University of Memphis An Efficient Approach to Identification and Documentation of Critical Accounting Application Controls

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Section 404 requires an assessment by management of the effectiveness of the internal control structure and procedures for financial reporting Requires each independent auditor to attest to, and report on, the assessment made by the management of the issuer

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Internal control systems must be documented Relevant internal controls must be identified and tested.

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Congress assumed that existing documentation would be an adequate basis for management of public companies to report on internal accounting controls

© Jerry L. Turner 2006 Background—Auditors Prior to SAS No. 55 (1988), auditors documented systems and identified internal controls with extensive flowcharts, extensive internal control checklists, or both

© Jerry L. Turner 2006 Traditional Flowcharts Portray systems as a chronological sequence of processing steps representing transaction flows Usually include superfluous information Difficult to maintain because of complexity Ineffective in identifying existing controls Ineffective at identifying where controls should exist but were not present

© Jerry L. Turner 2006 Traditional Flowchart Source: Whittington/Pany: Principles of Auditing

© Jerry L. Turner 2006 Internal Control Questionnaires Tend to be boilerplate in nature Not very effective at relating controls to audit objectives Frequently in a yes/no format where yes is good, no is bad

© Jerry L. Turner 2006 Internal Control Questionnaire Source: Whittington/Pany: Principles of Auditing

© Jerry L. Turner 2006 Move to Focus on Assertions Subsequent to SAS No. 55, auditors began organizing internal control documentation by audit objective to enable risk-based audits Prompted auditors to replace flowcharts with more easily prepared (cheaper?) narratives organized by control objectives corresponding to financial statement assertions

© Jerry L. Turner 2006 Narrative Source: Whittington/Pany: Principles of Auditing

© Jerry L. Turner 2006 Background—Companies System documentation has many forms, depending on the functional group involved in preparation Usually related to system design, such as physical and logical data flow diagrams Extremely detailed and generally not effective for other purposes, such as identification of critical internal controls

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Management is to provide to the auditor documentation based on relevant assertions about each significant account –Existence or occurrence, –Completeness, –Valuation or allocation, –Rights and obligations, and –Presentation and disclosure

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 SOX notes that documentation might take many forms, such as paper, electronic files, or other media Can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 For each significant process related to an assertion, both management and the independent auditor should –understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported; –identify the points within the process at which a misstatement—including a misstatement due to fraud—related to each relevant financial statement assertion could arise;

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 –identify the controls implemented to address these potential misstatements; and –identify the controls implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets

© Jerry L. Turner 2006 Sarbanes-Oxley Act of 2002 Individual controls must be linked clearly with the significant accounts and assertions to which they relate In addition to specific controls in isolation, combinations of controls also should be considered in assessing whether the objectives of the control criteria have been achieved.

© Jerry L. Turner 2006 Existing Documentation Methods Neither efficient nor effective in complying with the requirements of SOX Documentation typically begins with the source of accounting information, e.g. a transaction, and creates data flows from that activity to an end-point in the general ledger

© Jerry L. Turner 2006 Consider a Leaf on a Tree

© Jerry L. Turner 2006 A More Effective Approach Is consistent with a risk-based approach to auditing Identifies the critical files in the financial reporting process from the hundreds or thousands of files in a computer-based accounting system Identifies the critical processes that impact data contained in those critical files

© Jerry L. Turner 2006 A More Effective Approach Allows identification of controls related to those processes, based on management assertions about financial statement account balances Is useful for both company management and independent auditors Allows identification of controls that may be monitored effectively with continuous auditing techniques

© Jerry L. Turner 2006 Continuous Auditing Several reasons for resistance to implementation of continuous auditing –Technology –Cost –Different objectives for company and auditor SOX has aligned objectives with integrated audit approach

© Jerry L. Turner 2006 When Can Errors Occur? When data is entered into a system When data is transferred from one document or electronic file to a different document or electronic file When data changes form through aggregation or other process When data is deleted

© Jerry L. Turner 2006 Three Steps to an Effective Approach First, identify the significant accounts that affect the financial statements Then, for each significant account, identify the critical data path (CDP), beginning from the general ledger or terminal database table and proceeding backwards through each relevant file or database table until data origination

Critical Data Path (CDP) General Ledger Account File A File B Transaction or Allocation Document 1 Interface with other systems/applications E-commerce Web interfaces EDI Non-integrated systems/applications

© Jerry L. Turner 2006 Three Steps to an Effective Approach Second, identify the process or processes that affect accounting data as it moves from entry to general ledger or terminal database table A process can affect data in three ways: it can –add new data to the CDP –transform data already existing in the CDP –delete data from the CDP

© Jerry L. Turner 2006 Ad Hoc and Other Processes Error correction procedures may allow addition, deletion or manipulation of data, but occur outside normal processing Management override or circumvention of normal controls Journal entries needed as part of financial reporting process (accruals, allocations, etc.)

General Ledger Account File A File B P7—Normal process P5—Normal process P3—Normal process P1—Normal process Transaction or Allocation Document 1 P8— Error correction Management override Journal entries P6— Error correction Management override P4— Error correction Management override P2— Error correction Management override Interface with other systems/applications E-commerce Web interfaces EDI Non-integrated systems/applications

© Jerry L. Turner 2006 Three Steps to a New Approach For each CDP, critical controls for each of the five assertions affected by each process must be identified and documented A critical control might be the first and/or the last control in a process over a specific management assertion.

© Jerry L. Turner 2006 Three Steps to a New Approach A CDP may require more than one critical control over an assertion as the data is transformed or aggregated Also may require identification of additional files and processes outside the CDP, e.g. verify that a subsidiary ledger balance used as a control is correct

© Jerry L. Turner 2006 Three Steps to a New Approach As critical controls are identified, each should be referenced to a separate control summary sheet The summary sheet should be organized by management assertion and document the critical control or controls for each assertion Each control should be referenced to audit program tests of that control

© Jerry L. Turner 2006 Examples Recording of customer payments Additions to inventory

Remittance Advice Customer Check Cash Receipt Control Listing CR1—Cash Receipt Transaction File Customer Check CRP2—Manually input cash receipts from Cash Receipt Control Listing General Ledger Accounts Receivable File or Database Table Credit Remittance Advice Copy of Cash Receipt Control Listing To Cashier Recording of Customer Payments CRP3—Master File update run Aggregate amounts Update existing balance CRP4— Error correction Management override Journal entries CRP1—Manually prepare cash receipt control listing Record Customer ID Invoice number Date Check number Check amount

Critical Control Summary CRP1—Manually prepare cash receipt control listing CategoryAssertionCritical Control(s)Audit Procedure(s) Existence or Occurrence  All receipts represent valid payments-on-account  All remittances must be accompanied by a valid remittance advice Completeness  All payments-on-account are recorded  All payments received are listed on a cash receipt control listing Rights and Obligations  Payments are made to the correct entity  Payments are deposited only in company accounts All pay-to-the-order-of notations are examined on all checks received  All payments are endorsed with “For Deposit Only” to the company account Valuation  Correct amounts are recorded on the cash receipt control listing  Cash and checks received are totaled and total compared to total on cash receipt control listing Presentation or DisclosureN/A

Additions to Inventory

© Jerry L. Turner 2006 Discussion