2010 LarsonAllen LLP

INTERNAL CONTROLS, IMPACT ON AUDIT PROCESS & DOCUMENT RETENTION
Presented by:
Joe Van Vynckt, CPA
Jason Bakke, CPA, CCIFP

Objectives:
- Understand how information technology and virtual desktops can impact a company's internal control environment
- Understand how technology advancements and paperless transaction processing / storage impact the financial statement audit by CPAs
- Review document retention suggestions for both corporate governance and IRS requirements

Internal Controls:
How does information technology impact the Company's control environment?

WHY INTERNAL CONTROLS MATTER:
Internal controls are the processes, methods and measures used by an organization to:
- Monitor assets
- Prevent fraud
- Minimize errors
- Verify correctness and reliability of management data
- Promote operational efficiency
- Ensure the established managerial policies are followed
Source: Dictionary of Accounting Terminology

WHY INTERNAL CONTROLS MATTER:
- Not just an accounting term! Should not be viewed that way by management
- Internal control affects all aspects of the business, including:
  - Ensuring protection over business assets and information
  - Protecting future growth
  - Safety of your employees
  - Creating reliable information to make effective and accurate business decisions
  - Remaining competitive
  - Holding employees accountable

WHY INTERNAL CONTROLS MATTER:
Examples:
- Segregation of duties
- Authorization and documentation of transactions
- Supervision and review of personnel or operations
- Account reconciliation
- Contract administration:
  - Managing bid process & budgeting
  - Change order management
  - Job costing and reporting procedures
  - Billing and collection policies
- Security policies:
  - physical assets: locks, GPS, cameras
  - data / systems: passwords, permissions and access logs

WHY INTERNAL CONTROLS MATTER:
Internal Control Weaknesses Commonly Seen in the Construction Industry:
- Failure to comply with established policies
- Paid invoices lack proper authorization
- Unreconciled accounts / unresolved discrepancies
- Lack of segregation of duties
- Long-term contract reporting discrepancies: accurate and timely financial information is not available for use by management or operations personnel
- Change order management: failure to obtain proper approval, documentation, resulting in lost revenue
- Lack of control over equipment: use, utilization and reporting

WHY INTERNAL CONTROLS MATTER:
Why do CPAs spend so much time evaluating the design and implementation of our clients' internal control?
- We have to, for good reason!
- Understanding the control environment is one of the best ways to determine the risks of financial misstatement or misappropriation of assets (theft/fraud)
- As a result of control structure, we may:
  - Verify controls and procedures have been properly designed, implemented and are effective
  - Target our audit procedures to areas perceived as higher risk or lacking more effective internal controls

WHY INTERNAL CONTROLS MATTER:
Company owners and senior management should have the same attitude as the CPAs:
- Evaluate: Understand your company's internal control structure to better identify risks of misstatement (either intentional or inadvertent) or theft/fraud
- Design: Identify opportunities to continually improve the control environment and control policies
- Verify: Ensure policies and procedures are implemented and being followed

How do technological advancements impact internal controls?

Internal Control Concepts: Traditional vs. Technological
Regardless of the platform, internal control concepts are largely the same; however, they operate very differently depending on the level of technological integration of the IT system.
The Committee of Sponsoring Organizations (COSO) breaks down risk management and internal controls into 5 interrelated components:
- Control Environment
- Risk Assessment
- Control Activities / Policies
- Information and Communication
- Monitoring

Internal Control Concepts: Traditional vs. Technological
1) CONTROL ENVIRONMENT:
- Often referred to as the "Tone at the Top"
  - The integrity, ethics and competence of the company's people
  - Management's philosophy and operating style
  - Method to assign authority and responsibility and develop its people
  - Attention and direction provided by the ownership and/or board
- The control environment is the foundation for all other components of internal control, providing discipline and structure.
- In a highly technological environment, greater emphasis is placed on data security and systems practices.

Internal Control Concepts: Traditional vs. Technological
2) RISK ASSESSMENT:
- The identification and analysis of relevant risks to the organization.
  - Will form the basis to determine how risks should be managed
  - Both internal and external
- Considerations should include:
  - Inherent risks:
    - Nature
    - Complexity and level of judgment needed
    - Susceptibility to fraud
  - The effect of a risk on the organization
  - Existence of previous issues
  - Mitigating factors that already exist

Internal Control Concepts: Traditional vs. Technological
3) CONTROL ACTIVITIES:
Policies and procedures that help ensure that management directives are carried out
Traditional:
- Design: Emphasis on personnel policies and manual documentation
- Workflow: Physical transfer of paper from initiator to approver to processor(s)
- Transaction approval: form of signature / initials by party responsible for approval
- Verification: Visual by individual responsible for transaction process
- Asset security: Physical observation and locks
- Equipment and payroll reporting: Manual timecards and approval; data entry as administrative function. Batches post weekly to job costing
- LTC reporting: project managers maintain off-line cost estimates and submit updated information to acctg. on monthly basis
- Segregation of duties: policies enforced by internal audit or re-verification
Technological:
- Design: Emphasis on system controls, permissions and paperless workflow
- Workflow: Requests and messages automatically queued to required reviewer
- Transaction approval: form of electronic signature or other system authorization
- Verification: System will not allow further processing unless proper approval exists
- Asset security: GPS, bar-coding & physical security
- Equipment and payroll reporting: employee and equipment time captured on-site or electronically, approved within the system, single-entry, available in job cost system immediately.
- LTC reporting: project managers maintain costs, estimates & quantities on the enterprise system. Information available for management and reporting immediately
- Segregation of duties: policies enforced by system permissions, passwords and IT audit or verification

Internal Control Concepts: Traditional vs. Technological
4) INFORMATION AND COMMUNICATION:
Addresses the needs of the organization to identify, capture, and communicate information to the right people.
- Enable operations and support personnel to carry out their responsibilities
- Enable management to make informed business decisions
- External reporting: bank, surety, project owners or investors
Traditional:
- Timing: Information and reporting generally available on a periodic basis (weekly or monthly)
- Company-standard, multi-use reports: Everyone gets the same information. Not necessarily the information they need or use
- Distribution: Physical or by e-mail
- Communication: "Action Items" and other communication require initiation from someone else.
Technological:
- Timing: Information and reporting generally available real-time. As accurate as the data in the system
- Tailored Reports: Personnel receive the information they need to function:
  - Dashboard
  - Custom report generation
- Distribution: On desktop, PDA, etc.
- Communication: System-generated reminders or communication based on events, levels or system parameters

Internal Control Concepts: Traditional vs. Technological
5) MONITORING:
Traditional:
- Personnel Reliance: Personnel are expected and relied upon to enforce system of procedures and controls
- Internal Audit: Either formal or informal, re-verification by 3rd party that procedures are being followed
- Evaluation of efficacy: how effectively does the control or procedure mitigate the risk identified?
Technological:
- System Design
  - Account permissions and limitations
  - Password management
- IT and Controls Audit
  - Verification that the IT system design is intact and operating as planned
  - Internal audit of non-IT processes, procedures and controls
- Evaluation of efficacy: how effectively does the control or procedure mitigate the risk identified?

Impact on Audit Process:
How do technological advances / paperless transaction processing / storage impact the audit of the financial statements by CPAs?

AUDIT IMPACT:
CPAs are required to understand the Company's internal control structure and processes, including:
- Administration over information technology
- Segregation of IT duties
- Systems development
- Physical and online security
- Hardware controls

AUDIT IMPACT:
Impact of IT on the Audit Process:
- If effective IT controls are in place, may reduce substantive testing
  - Control testing: Parallel Simulation, Embedded Audit Module
- If ineffective IT controls are in place, may increase risk of material misstatement
  - Systematic errors vs. random errors
  - Increase substantive testing
- Internal control deficiencies in the IT function can lead to communication to those charged with governance.

Document Retention

DOCUMENT RETENTION - IRS Requirements:
IRS has determined that electronic imaging and other electronic data storage systems constitute adequate records under the Internal Revenue Code (sec. 6001)
Recordkeeping Requirements - IRS
- reasonable controls to ensure the integrity, accuracy, and reliability of the electronic storage system
- reasonable controls to prevent and detect the unauthorized creation, alteration or deletion of records
- an inspection and quality assurance program, including periodic checks of electronically stored books and records
- a retrieval system that includes an indexing system
- the ability to reproduce legible and readable hardcopies
Source: IRS Rev. Proc. 97-22

DOCUMENT RETENTION - General Guidelines:
