
Internal Control Over Financial Reporting

1. Internal controls exist to mitigate risk to the achievement of objectives. A
control becomes a key control when it is one of the most effective controls the
organization has in mitigating relevant risks.

2. Internal control is a process related to the achievement of the organization's
objectives. Organizations identify the risks to achieving those objectives and
implement various controls to mitigate those risks.

3. If internal controls are not enforced they are useless and can lead to waste
and fraud. Monitoring provides evidence on whether internal controls are
enforced.

4. An organization's response to fraud helps set the control environment. If an
organization is too lenient in its treatment of employees who committed fraud,
the control environment will be seen as weaker than if the treatment were
harsher.

5. Entity-level controls typically have an important, but indirect, effect on the
likelihood that a misstatement will be detected or prevented on a timely basis.

6. The economic financial crisis has highlighted the importance of an
organization's risk assessment process, as some have suggested that the crisis
resulted, in part, from poor risk management. Auditors should be alert to
changes in their clients' risk assessment process.

7. Internal control is a continuous process that addresses objectives relating to
operating effectiveness and efficiency, compliance with policies and procedures,
and reliability of financial reporting.

8. Virtually all recent financial frauds were associated with organizations that
had weaknesses in the control environment. These include companies such as
WorldCom, Enron, Adelphia, and companies caught in the financial crisis,
such as Lehman Brothers, Merrill Lynch, and Citi.

9. Compensation plans are developed to influence the actions of top
management. However, as noted in the HealthSouth example, the
compensation program, or the threat of withholding compensation, can
significantly influence those who are entrusted to carry out company policies in
the best interests of the company's shareholders.

10. COSO has developed additional guidance for smaller companies in
implementing internal controls to meet Sarbanes-Oxley Section 404 reporting
requirements.

11. Auditors can, and are expected to, evaluate an organization's ethical climate
and the potential effect of that climate on the preparation of the financial
statements.

12. Enron had one of the best written codes of ethics. However, the board
routinely waived conflict of interest requirements, which allowed the
company's treasurer to set up special-purpose entities whose sole aim was to
either inflate Enron's earnings or hide Enron's losses.

13. Three companies with major financial reporting frauds (Enron, WorldCom,
and HealthSouth) all had ineffective internal audit functions.

14. Internal auditors should meet periodically in executive sessions with the
audit committee. The internal audit department is often described as the last
line of defense within an organization. For that reason, budgets for the
internal audit function and the appointment of the chief audit executive should
be approved by the audit committee.

15. Auditors think very carefully about management competence and must
adjust the audit for areas they see as problems. As an example, during the
evaluation phase of internal control of a publicly traded organization, the
external auditors met privately with the audit committee and expressed
concerns about the competence of the CFO. After further analysis, the audit
committee recommended to the full board and management that the
organization hire a new CFO.

16. Most accounting programs focus on transaction processing, but the key
component of internal control requires a systematic approach to the so-called
softer controls, which are more subjective to evaluate.

17. Controls should be specific to each organization. There is no one set of
prescribed controls to be used by all organizations. Management should
identify and implement the most cost-effective controls to address significant
risks.

18. Control activities are also designed to reduce risks associated with
ineffective operations or lack of compliance with regulatory or company
policies. Risks and controls associated with operations and compliance need to
be considered because they may have financial statement ramifications.

19. Year-end journal entries and estimates are almost always high risk. The
risk varies inversely with the quality of the control environment.

20. Segregation of duties is designed to protect against the risk that an
individual could both perpetrate and cover up fraud. Small organizations often
do not have sufficient personnel to fully segregate all important functions and
should consider other mitigating controls such as supervisory review.

21. Authorization limits and requirements are often built into computer
systems. It therefore becomes very important to determine (a) who has the
ability to approve and enter the authorizations and (b) who has access and the
ability to change the authorizations.

22. Documentation of controls is often thought of as existing on paper.
However, the documentation can be either paper or electronic. Auditors and
managers have to adapt to the nature of client systems and computerization.

23. Reconciliations need to be performed on a timely basis. When properly
implemented (including the investigation and rectification of differences),
reconciliations are one of the most effective control activities within an
organization.

24. Reconciliations are an important control because they mitigate the risk
related to incorrect processing as well as the risk of fictitious transactions.

25. Lowe's, a large home-repair, building, and lumber retailer, has relationships
with many vendors. Lowe's has a hotline where a vendor can communicate
directly with the internal audit department if there has been any inappropriate
action by a purchasing agent of the company, e.g., a suggestion of a kickback
if a large order is placed.

26. Monitoring is an important component of internal control. Identification of
control failures must be accompanied by management action to determine the
root cause of the problem to assure that corrective action is taken.

27. Computer applications are computer programs and include all of the
attendant procedures to accomplish a particular processing task such as
payroll, purchasing, or sales.

28. A client should have a risk management plan for information technology
(IT). The auditor should begin an audit of computerized processing by reviewing
the risk management plan for IT.

29. Control over program changes is usually something that internal audit
addresses on a frequent basis.

30. Nearly all organizations depend on their IT functions to facilitate financial


reporting. If those processes are not executed properly, there can be
devastating consequences for the organization.

31. In order to effectively implement access controls, the organization must
identify all users who should have access to the organization's computer
programs or data and then identify specific actions that each individual can
take regarding a program or data. Care must be taken to update the table of
authorizations on a frequent basis.

32. Societe Generale, in one of the largest bank frauds, lost over $7 billion
because of unauthorized trades by a bond trader who was able to cover up the
authorized trades through various journal entries. The fraudster had access to
records that bond traders would not normally have access to because he had
formerly worked in the accounting department. The IT security department
failed to cancel his accounting authorizations when he changed jobs, thus
creating a problem with incompatible duties.

33. The security of the Internet will become an increasingly important
computer security and continuity issue in the years to come as the nature of
processing changes with significant increases in mobile access to potentially
sensitive data.

34. Every organization must be able to answer customer or supplier questions
on a regular basis. Thus, an audit trail is really a management efficiency tool.

35. Some companies have developed continuous auditing approaches that
consider what can go wrong in processing a transaction and then perform
testing to see if any such error occurred. Examples of organizations that have
implemented continuous monitoring can be found at
www.oversightsystems.com.

36. When computer processing is an integral part of internal controls, many
companies can achieve greater efficiency through a continuous audit approach
that provides assurance on the continued operation of controls rather than
individual tests of controls once a year.

37. Management's process of determining the continued effectiveness of
internal control should be a normal part of the control process. It should not
be an add-on that is performed once a year to meet regulatory reporting
requirements.

38. Although the internal control reporting requirement is only for large
publicly held companies, the best practice of public reporting on internal
control has carried over to large privately held companies as well. Those
companies need to reassure their stakeholders, including lenders, suppliers and
other creditors, that they have control processes in place sufficient to achieve
the broad internal control objectives.

39. Management considers a number of factors, including the likelihood that a
control failure will result in a material misstatement in the accounts, the
importance of the information to an external user, and the pervasiveness of a
control failure in judging whether a control deficiency is a material weakness or
a significant deficiency.

40. Internal auditors can assist management in its assessment of internal
controls over financial reporting.

41. Whether a control deficiency is classified as a material weakness does not
depend on whether a misstatement in the financial statements actually
occurred.

42. When an external auditor points out material weaknesses, it is negligent of
those charged with governance not to address the control deficiencies.

43. If the auditor correctly determines that internal controls are effective, there
is less risk that an individual account balance is misstated.

44. Management's assessment of internal controls for the purpose of external
reporting under SOX is similar to the process used by the external auditor and
consists of both tests of controls and monitoring activities.

45. The assertions provide both the framework for the assessment of the
adequacy of internal controls and the direction the auditor should take in
testing both the controls and the validity of processing.

46. Understanding the assertions helps the auditor identify the underlying
population from which to sample transactions. If the auditor is testing the
assertion that all recorded transactions exist, the auditor always samples from
the population of recorded items.

47. A risk-based approach makes a great deal of sense as long as the auditor
is honest in evaluating the risk associated with transactions or account
balances and has a justifiable basis for reducing risk. One of the reasons
Arthur Andersen & Co. failed is that many of its audit partners viewed risk
analysis as a way of reducing work and increasing the profitability of audits.
Often, the risk analysis had no relationship to the actual risk that existed.

48. Dual-purpose testing, i.e., tests of proper recording of transactions and
testing of internal controls at the same time, is an efficient way to implement
an integrated audit.

49. The auditor's risk assessment can, and should, be performed on each class
of transactions. Thus, an auditor might assess control risk as high on sales
and receivables, but might assess control risk as low on inventory and
purchases.

50. The auditor can gain assurance of effective control operation through either
tests of controls or tests of the client's monitoring process.

51. Inquiry alone is not sufficient to support a conclusion about the operating
effectiveness of a control.

52. If there are account balances that are not material (either individually or
when aggregated into a line item on the balance sheet or income statement),
and there is little risk of misstatement, the auditor does not need to test the
controls related to the account balances.

53. Audit firms may have specific guidelines for determining sample sizes
necessary for testing controls. These guidelines may consider how frequently a
control operates. For example, sample sizes would be larger for controls that
operate daily as opposed to those that operate only weekly or monthly.

54. PricewaterhouseCoopers issued an adverse report on AIG Inc. in 2007
because of control weaknesses regarding financial instruments.

55. The PCAOB's requirement is that documentation must be able to be
interpreted by an auditor not connected to the engagement and, therefore, that
it stand on its own in support of the audit conclusions.

56. Most larger public accounting firms use laptops connected to a network to
facilitate the sharing and review of audit work, including the important
elements of internal controls.
