1
BA 427 – Assurance and Attestation Services
Lecture 3 – Internal Controls: Background and Concepts
2
Internal Controls
- COSO’s internal controls framework
- Sarbanes-Oxley requirements
- NYSE corporate governance listing requirements
- Documenting internal controls
3
COSO – Integrated Framework
COSO: Committee of Sponsoring Organizations of the Treadway Commission. The sponsoring organizations are the AICPA, IIA, IMA, AAA and FEI.
4
COSO – Integrated Framework
In 1992, COSO issued a landmark report identifying a framework for internal controls. This framework was given near regulatory status by the PCAOB in its Auditing Statement No. 2. The framework is not without its detractors.
5
COSO – Integrated Framework
What is internal control? Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
6
COSO – Integrated Framework
The three categories of internal control:
1. Effectiveness and efficiency of operations. Includes performance and profitability goals, and safeguarding of resources.
2. Reliability of financial reporting. External reporting of all sorts.
3. Compliance with applicable laws and regulations.
7
COSO – Integrated Framework
The internal control system is intertwined with the entity’s operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity’s infrastructure and are a part of the essence of the enterprise.
8
COSO – Integrated Framework
When can controls be judged effective? Controls are effective when management and the board have reasonable assurance that:
1. Effectiveness and efficiency of operations: management understands the extent to which the entity’s objectives are being achieved.
2. Reliability of financial reporting: published financial statements are reliable.
3. Compliance with laws and regulations: applicable laws and regulations are being complied with.
9
COSO – Integrated Framework
Internal controls consist of five interrelated components:
1. The Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
10
COSO – Integrated Framework
The Control Environment
1. Integrity and ethical values
2. Commitment to competence
3. Participation by the Board
4. Management’s operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
11
COSO – Integrated Framework
Risk Assessment
1. Changes in operating environment
2. New personnel or corporate restructurings
3. New or revamped information systems
4. Rapid growth
5. New technology
6. New business models, products, activities
7. Expanded foreign operations
8. New accounting pronouncements
12
COSO – Integrated Framework
Control Activities
The policies and procedures that help ensure management directives are carried out. Control activities occur throughout the organization, at all levels and in all functions. Examples:
- Approvals and authorizations
- Verifications
- Reconciliations
- Reviews of operating performance
- Security of assets
- Segregation of duties
13
COSO – Integrated Framework
Information and Communication
Information systems produce reports that contain operational, financial and compliance-related information. Effective communication must flow down, across and up the organization. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.
14
COSO – Integrated Framework
Monitoring
A process that assesses the quality of the internal control system’s performance over time. Monitoring is accomplished through:
- Ongoing monitoring activities
- Separate evaluations
15
COSO – Integrated Framework
Ongoing monitoring activities
These occur in the course of operations. They include regular management and supervisory activities, and other actions personnel take in performing their duties.
16
COSO – Integrated Framework
Separate evaluations The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
17
COSO – Integrated Framework
Roles and Responsibilities for Controls:
- The Board of Directors
- Management
- Internal auditors
- Other personnel in the organization
- External auditors
18
COSO – Integrated Framework
Roles and Responsibilities for Controls:
The Board of Directors: Governance, guidance and oversight. Effective board members are objective, capable and inquisitive.
Management: The CEO is ultimately responsible and should assume ownership of the system. The CEO, more than anyone else, sets the “tone at the top.” The CEO provides leadership and direction.
19
COSO – Integrated Framework
Roles and Responsibilities for Controls:
Internal auditors: Internal auditors play an important role in evaluating the effectiveness of control systems, and contribute to ongoing effectiveness. Because of their organizational position and authority in an entity, an internal audit function often plays a significant monitoring role.
20
COSO – Integrated Framework
Roles and Responsibilities for Controls:
Other personnel in the organization: Internal control should be an explicit or implicit part of everyone’s job description. All personnel are responsible for communicating problems upward.
External auditors: Bring an independent and objective view. Contribute to internal controls directly through the financial statement audit. Contribute indirectly by providing information useful to management and the Board.
21
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 301: The audit committee shall be directly responsible for the appointment, compensation, and oversight of the work of the independent auditors. The auditors shall report directly to the audit committee. Each member of the audit committee must be independent.
22
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 301: The audit committee shall establish procedures for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or auditing matters. The audit committee shall establish procedures for the confidential, anonymous submission by employees of the company of concerns regarding questionable accounting or auditing matters.
23
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 301: The audit committee shall have the authority to engage independent counsel and other advisers. The audit committee shall determine the appropriate funding necessary for payment of compensation for the independent audit and for work performed by other advisers hired by the audit committee.
24
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 302: The CEO and CFO must certify, in each annual or quarterly report, that:
- the signing officers reviewed the report;
- the report does not contain any material misstatements, and does not omit any facts necessary to make the statements not misleading;
- the financial statements fairly present in all material respects the financial condition and results of operations of the company;
25
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 302: The signing officers must certify that they:
- are responsible for establishing and maintaining internal controls;
- have designed internal controls to ensure that material information relating to the company is made known to such officers;
- have evaluated the effectiveness of the company’s internal controls within 90 days prior to the report;
- have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation.
26
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 302: The CEO and CFO must certify, in each annual or quarterly report, that the signing officers have disclosed to the company’s auditors and the audit committee all significant deficiencies in the design or operation of internal controls which could adversely affect the company’s ability to record, process, summarize, and report financial data, and have identified for the company’s auditors any material weaknesses in internal controls.
27
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 302: The CEO and CFO must certify, in each annual or quarterly report, that the signing officers have disclosed to the company’s auditors and the audit committee any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal controls.
28
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 302: The CEO and CFO must certify, in each annual or quarterly report, that the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
29
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 303: It shall be unlawful for any officer or director of the company, or any other person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead the independent auditors for the purpose of rendering the financial statements materially misleading.
30
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 304: If a company is required to restate the financial statements due to material noncompliance, as a result of misconduct, with any financial reporting requirement under the securities laws, the CEO and CFO must reimburse the company for any bonus or other incentive-based or equity-based compensation received within 12 months of the issuance of the statements, and any profits realized from the sale of company stock within this same 12 months.
31
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 406: The SEC shall issue rules to require companies to disclose whether or not (and if not, the reason therefor) the company has adopted a code of ethics for senior financial officers. The SEC shall issue rules that require companies to promptly disclose any change in or waiver of the code of ethics for senior financial officers.
32
Sarbanes-Oxley requirements
Title III – Corporate Responsibility 407: The SEC shall issue rules that require companies to disclose whether or not (and if not, the reasons therefor) the audit committee is comprised of at least one member who is a financial expert, as defined by the SEC.
33
NYSE Corporate Governance Rules
These are the rules that companies must comply with to be listed on the NYSE. These rules became effective in 2003, strengthening the NYSE’s existing corporate governance requirements. Other exchanges have their own rules, in many cases similar to the NYSE’s. However, the NYSE probably has the most stringent rules.
34
NYSE Corporate Governance Rules
Listed companies must have a majority of independent directors. The board must affirmatively determine that each director has no material relationship with the company. A director who is an employee, or whose immediate family member is an executive officer of the company, is not independent until three years after the end of the employment relationship.
35
NYSE Corporate Governance Rules
Listed companies must have a majority of independent directors. A director who receives, or whose immediate family member receives, more than $100,000 per year in direct compensation from the company, other than director and committee fees and pension or other deferred compensation from prior service, is not independent until three years after he or she ceases to receive more than $100,000 per year.
36
NYSE Corporate Governance Rules
Listed companies must have a majority of independent directors. A director who is affiliated with or employed by, or whose immediate family member is affiliated with or employed in a professional capacity by, a present or former internal or external auditor of the company is not independent until three years after the end of the employment or auditing relationship.
37
NYSE Corporate Governance Rules
Listed companies must have a majority of independent directors. A director who is employed, or whose immediate family member is employed, as an executive officer of another company where any of the listed company’s present executives serve on that company’s compensation committee is not independent until three years after the end of such service or employment relationship.
38
NYSE Corporate Governance Rules
Listed companies must have a majority of independent directors. A director who is an executive officer or an employee, or whose immediate family member is an executive officer, of a company that makes payments to, or receives payments from, the listed company for property or services in an amount which, in any single year, exceeds the greater of $1 million, or 2% of such other company’s revenues, is not independent until three years after falling below such threshold.
39
NYSE Corporate Governance Rules
The non-management directors of the board must meet at regularly scheduled executive sessions without management.
40
NYSE Corporate Governance Rules
Listed companies must have a nominating/corporate governance committee composed entirely of independent directors. This committee must have a written charter that addresses:
- The committee’s purpose and responsibilities.
- An annual performance evaluation of the committee.
41
NYSE Corporate Governance Rules
Listed companies must have a compensation committee composed entirely of independent directors. This committee must have a written charter that addresses:
- The committee’s purpose and responsibilities.
- An annual performance evaluation of the committee.
42
NYSE Corporate Governance Rules
Listed companies must have an audit committee. The committee must consist of at least three members. Each member of the audit committee must be independent. Each member of the audit committee must be financially literate, or become financially literate.
43
NYSE Corporate Governance Rules
The audit committee must have a written charter that addresses:
- the committee’s purpose;
- an annual performance evaluation of the committee;
- the duties of the committee, which must include obtaining and reviewing, at least annually, a report by the independent auditors describing the accounting firm’s internal quality-control procedures, recent issues raised by peer reviews, and all relationships between the independent auditor and the company.
44
NYSE Corporate Governance Rules
The audit committee must discuss the company’s annual financial statements and quarterly statements with management and the independent auditor, including M.D.&A. The audit committee must discuss the company’s earnings press releases and financial information and earnings guidance provided to analysts. The audit committee must discuss policies with respect to risk assessment and risk management.
45
NYSE Corporate Governance Rules
The audit committee must meet separately, periodically, with management, with internal auditors, and with the independent auditors. The audit committee must review with the independent auditor any audit problems or difficulties and management’s response. The audit committee must set clear hiring policies for employees or former employees of the independent auditors.
46
NYSE Corporate Governance Rules
Each listed company must have an internal audit function. This function can be outsourced to a third-party service provider other than the company’s independent auditor.
47
NYSE Corporate Governance Rules
Listed companies must adopt and disclose corporate governance guidelines. These guidelines must address:
- Director qualification standards
- Director responsibilities
- Director access to management and independent advisors
- Director compensation, orientation, and continuing education
- Management succession
- Annual performance evaluation of the board
48
NYSE Corporate Governance Rules
Listed companies must adopt and disclose a code of business conduct and ethics for directors, officers, and employees, and promptly disclose any waivers of the code for directors or executive officers. At a minimum, this code should address:
- Conflicts of interest
- Confidentiality
- Fair dealing
- Protection and proper use of company assets
- Compliance with laws, rules and regulations
49
Documenting Internal Controls
Who relies on documentation of controls?
- Management accountants
- Internal auditors
- External auditors
- Systems development teams
Alternative methods of documentation:
- Questionnaires
- Narrative
- Flowcharts
50
Documenting Internal Controls
External auditors
Non-public companies (and all companies pre-SOX): On all engagements, the auditor should obtain an understanding of internal control sufficient to plan the audit. The auditor is not obligated to search for internal control weaknesses, or to test controls unless the auditor plans to rely on controls.
Public companies under SOX: The auditor must attest to and report on management’s assessment of internal control.
51
Documenting Internal Controls
Flowcharting
- Encourages rigor of the analysis and thorough understanding of the system
- The flow is top down and left to right
- Time-consuming to prepare