Internal Control Audit and Compliance Documentation and Testing Under the New COSO Framework

Internal Control Audit and Compliance provides complete guidance toward the latest framework established by the Committee of Sponsoring Organizations (COSO). With clear explanations and expert advice on implementation, this helpful guide shows auditors and accounting managers how to document and test internal controls over financial reporting with detailed sections covering each element of the framework. Each section highlights the latest changes and new points of emphasis, with explicit definitions of internal controls and how they should be assessed and tested. Coverage includes easing the transition from older guidelines, with step-by-step instructions for implementing the new changes. The new framework identifies seventeen new principles, each of which are explained in detail to help readers understand the new and emerging best practices for efficiency and effectiveness.

The revised COSO framework includes financial and non-financial reporting, as well as both internal and external reporting objectives. It is essential for auditors and controllers to understand the new framework and how to document and test under the new guidance. This book clarifies complex codification and provides an effective strategy for a more rapid transition.

• Understand the new COSO internal controls framework
• Document and test internal controls to strengthen business processes
• Learn how requirements differ for public and non-public companies
• Incorporate improved risk management into the new framework

The new framework is COSO's first complete revision since the release of the initial framework in 1992. Companies have become accustomed to the old guidelines, and the necessary procedures have become routine – making the transition to align with the new framework akin to steering an ocean liner. Internal Control Audit and Compliance helps ease that transition, with clear explanation and practical implementation guidance.

LYNFORD GRAHAM, CPA, has more than 30 years of public accounting experience in audit practice and in various national firm policy development groups. He is a visiting professor of accountancy and executive-in-residence at Bentley University, Waltham, MA. He currently maintains an active consultancy practice in statistical audit sampling, litigation support, and audit methodologies, and develops numerous training seminars for conferences and firms.

Preface xi

Acknowledgments xv

Chapter 1: What We All Share 1

Need for Control Criteria 1

Overview of the COSO Internal Control Integrated Framework 2

Holistic, Integrated View 3

Revised COSO Internal Controls Framework 6

What We Must Do 8

Basic Scoping and Strategies for Maintenance 11

Where We Depart 12

Triangle of Efficiency 13

Controls versus Processes 14

The Debate Continues 18

Organization of This Book 18

Appendix 1A: COSO 17 Principles 20

Chapter 2: Setting the Scope of Your Documentation Project: Identifying the Core 21

Start with Business Objectives 21

After the Initial Year 24

Mapping the Entity to the Financial Statements: Ins and Outs 25

Consider Risks, Not Just Quantitative Measures 27

Inherent and Control Risk 28

Overstatement and Understatement 28

Does “In Scope” Imply Extensive Testing? 37

A Consolation 39

Be Careful Out There! 40

Appendix 2A: Summary of Scoping Inquiries 42

Chapter 3: The Risk Assessment Component 45

Risk Assessment Principles in COSO 46

Cost Control 46

Basics 47

Likelihood, Magnitude, Velocity, and Persistence 48

Separate Assessments of Inherent and Control Risks 50

Role of Assertions 51

Assertions 52

Principles 6 and 7: Specify Suitable Objectives; Identify and Analyze Risk 56

Identifying Risks 59

External Sources of Risk Information 60

Internal and External Reporting Risks 61

Compliance Risks 61

Disclosed Material Weaknesses in Risk Assessment 62

Principle 8: Assess Fraud Risk 62

Auditor Responsibility to Detect Fraud 65

Antifraud Controls for Management to Consider 66

Ties to Other Principles and Components 66

Principle 9: Identify and Assess Significant Change 66

Gathering Information to Support the Risk Assessment and Consider Change 68

Appendix 3A: SAS No. 99 Exhibit: Management Antifraud Programs and Controls 72

Attachment 1: AICPA “CPA’s Handbook of Fraud and Commercial Crime Prevention” Code of Conduct 87

Attachment 2: Financial Executives International Code of Ethics Statement 91

Appendix 3B: Understanding Fraud Risk Assessment 93

Chapter 4: Control Environment 99

Principle 1: Commitment to Integrity and Ethical Values 100

Principle 2: Board of Directors (Governance) Demonstrates Independence from Management and Exercises Oversight of the Development and Performance of Internal Control 104

Principle 3: Management Establishes, with Board Oversight, Structures, Reporting Lines, and Appropriate Authorities and Responsibilities in the Pursuit of Objectives 109

Principle 4: Commitment to Attract, Develop, and Retain Competent Individuals in Alignment with Objectives 110

Principle 5: The Organization Holds Individuals Accountable for Their Internal Control Responsibilities in the Pursuit of Objectives 113

Appendix 4A: Understanding and Awareness of Control Responsibilities 117

Chapter 5: Control Activities 120

Principle 10: Selects and Develops Control Activities to Mitigate Risk and Achieve Objectives 120

Principle 11: Selects and Develops General Controls over Technology 132

Principle 12: Deploys through Policies and Procedures 141

Summing Up 143

Appendix 5A: Linking Common Control Activities and Assertions 146

Appendix 5B: Linkage of Principles to Controls, Policies, and Procedures 158

Chapter 6: Information and Communication 165

Principle 13: Generates Relevant Information 166

Principle 14: Communicates Internally 168

Principle 15: Communicates Externally 170

Chapter 7: Monitoring 173

Principle 16: Select, Develop, and Perform Ongoing and/or Separate Evaluations 174

Principle 17: Evaluate and Communicate Deficiencies as Appropriate 176

Chapter 8: Evidence and Testing 179

Sufficient Evidence 179

Gathering Information 187

Testing and Sampling 194

Nonsampling Situations 202

Confusion of Sample Size Guidance in Practice Today 203

Information Technology General Controls 204

Testing Security and Access 205

Appendix 8A: Sample Size Tutorial 211

Chapter 9: Developing Questionnaires and Conducting Interviews 217

Surveys of Employees 219

Conducting Interviews 224

Management Inquiries: Sample Questions 234

Appendix 9A: Sample Practice Aids 239

Chapter 10: Assessing the Severity of Identified Controls Deficiencies 248

It’s Inevitable 248

Alignment of Public and Private Company Standards for Assessing Deficiency Severity 251

Control Deficiencies and Definitions 252

Key Factors When Assessing the Severity of a Deficiency 263

Conditions Indicating Control Deficiencies 270

Examples of Evaluating the Severity of Deficiencies 277

Overall Assessment 281

Appendix 10A: A Framework for Evaluating Control Exceptions and Deficiencies 283

Appendix 10B: Assessing the Potential Magnitude of a Control Deficiency 299

Chapter 11: Reporting Requirements 302

Nonpublic Entity Reporting 302

Public Company Annual and Quarterly Reporting Requirements 304

Reporting on Management’s Responsibilities for Internal Control 309

Required Company and Auditor Communications 312

Reporting the Remediation of Weaknesses 314

Coordinating with the Independent Auditors and Legal Counsel 315

Appendix 11A: Illustrative AICPA Report on Internal Controls 316

Chapter 12: Project Management and Tools Assessment Design 318

Project Management 318

Structuring the Project Team 319

Tools Assessment Design 325

Features of a Good Tools Solution 326

Value of a Pilot Project 331

Coordinating with the Independent Auditors 334

Chapter 13: Illustrative Forms and Templates 337

Historical Perspective 338

2013 Framework Examples 340

Appendix 13A: Information-Gathering Form—Principle Focused 348

Appendix 13B: Information Gathering Form—Revenue 350

Appendix 13C: Walk-through Documentation Form 353

Appendix 13D: Information Technology General Controls Assessment Form 355

Appendix 13E: Documentation of Financial Reporting Software and Spreadsheets 364

Appendix 13F: Sampling Form for Tests of Controls 368

Appendix 13G: Summary of Internal Control Deficiencies 371

Appendix 13H: Control Environment Component Evaluation Summary 372

Chapter 14: Summing Up 373

About the Author 375

Index 377

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.