Document information: 244 pages, 1.08 MB.
INTERNAL CONTROLS
GUIDANCE FOR PRIVATE, GOVERNMENT, AND NONPROFIT ENTITIES

LYNFORD GRAHAM, CPA, PhD, CFE

JOHN WILEY & SONS, INC.

This book is printed on acid-free paper.

Copyright 2008 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

Wiley Bicentennial Logo: Richard J. Pacifico

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201 748-6011, fax 201 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services please contact our Customer Care Department within the United States at 877-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Graham, Lynford.
Internal controls : guidance for private, government, and nonprofit entities / Lynford Graham.
p. cm.
ISBN 978-0-470-08948-4 (cloth)
Auditing, Internal. Managerial accounting. I. Title.
HF5668.25.G724 2008
658.15 1—dc22 2007020133

Printed in the United States of America.

ABOUT THE AUTHOR

LYNFORD GRAHAM, CPA, PhD, CFE

Lynford Graham is a Certified Public Accountant with more than 25 years of public accounting experience in audit practice and in national policy development groups. He is currently a consultant on professional accounting and auditing matters and an author. Dr. Graham is a member of the American Institute of Certified Public Accountants (AICPA), and a recent past member of the Auditing Standards Board. He chaired the AICPA's Audit Risk Guide Task Force ("Assessing and Responding to Audit Risk in a Financial Statement Audit") and was the U.S. representative to the International Auditing and Assurance Standards Board (IAASB) Materiality Task Force (ISA 320 and 450). He previously served as a member of the AICPA's Materiality and Audit Risk Task Force (SAS 47); was a founding member of the AICPA's Information Technology Section, serving on its Executive Committee; and was a member of the AICPA's Statistical Sampling Subcommittee during the development of SAS 39 on Audit Sampling. He drafted the 2007 revision of the AICPA Audit Guide, Audit Sampling. Previously he chaired the Educator-Practitioner Case Development Task Force for the annual AICPA Education Conference and served on the Executive Committee of the Pre-Certification Education Committee.

He is a former partner and the national director of audit policy for BDO Seidman, LLP. There Dr. Graham was responsible for the development and implementation of audit policy and software, as well as Assurance Services Learning and Education programs, and was the firm's sampling coordinator. He served on several international BDO Seidman task forces developing audit software, audit methodology, sampling approaches, and audit automation techniques. Dr. Graham was responsible for BDO Seidman's implementation of audits of internal control under PCAOB AS and participated with professional groups in developing industry-wide guidance on audits of internal control.

Prior to joining BDO Seidman LLP, Dr. Graham was an associate professor of accounting and information systems and a graduate faculty fellow at Rutgers University in Newark, New Jersey, where he taught primarily financial accounting courses. Prior to joining Rutgers, he was a national accounting & SEC consulting partner for Coopers & Lybrand, responsible for their technical issues research function and database, auditing research, and sampling techniques.

A Certified Fraud Examiner and a member of the Association of Certified Fraud Examiners, Dr. Graham has provided consulting guidance on matters of internal control and statistical and audit methods, including inventory sampling problems, fraud investigations, litigation consulting, cost reimbursement studies and loan reviews. He has also worked with a variety of government agencies on the development and implementation of audit regulations.

Throughout his career he has maintained an active profile in the academic as well as the business community. A member of the American Accounting Association (AAA), he served as vice chairman of the Auditing Section and as a member of numerous committees and task forces. Dr. Graham had a leadership role in the development of Coopers & Lybrand's award-winning "Excellence in Audit Education" materials, widely used in university audit courses in the 1990s. He is the past auditing section chair for the Mid-Atlantic Section of the AAA. In 2002 he received the Distinguished Service Award of the Auditing Section of the AAA.

His numerous academic and business publications span a variety of topical areas, including information systems, internal controls, expert systems, audit risk, audit planning, fraud, sampling, analytical procedures, audit judgment, and international accounting and auditing. Dr. Graham holds an MBA in Industrial Management and a PhD in Business and Applied Economics, both from the University of Pennsylvania (Wharton School). He is also coeditor of the Accountant's Handbook, 11th Edition (John Wiley & Sons, 2007), as well as coauthor or editor of many other audit and accounting books and publications.

CONTENTS

Preface (page vii)
An Introduction
First Steps: A Pilot Project
The Five Components of the Controls Framework (page 27)
  Appendix 3A: Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees (page 69)
Documenting Internal Controls Using a Framework (page 71)
  Appendix 4A: Sample Control Objectives for Major Cycles (page 86)
Setting the Scope of Your Documentation Project: Identifying the Core (page 99)
Establishing a Basis for Controls Effectiveness: Testing Controls (page 109)
  Appendix 6A: Sample Size Tutorial (page 124)
  Appendix 6B: Conducting Interviews: Gathering Internal Control Information (page 128)
Assessing Design Effectiveness and Operating Effectiveness (page 137)
  Appendix 7A: A Framework for Evaluating Control Exceptions and Deficiencies (page 160)
Fraud Risks and Entity Self-Defense (page 179)
  Appendix 8A: Management Antifraud Programs and Controls: An Element of the Control Environment (page 193)
Appendix: Instructions for the Controls Design Assessment Case Study (page 219)
  Part: Narrative of Controls Design (page 223)
  Part: Contribution to Cash Cycle Template—CCS (page 225)
  Part: Contribution to Cash Cycle with Control Procedures—CCS (page 229)
  Part: Contribution to Cash Cycle—Completed—CCS (page 233)
Index (page 239)

PREFACE

A mountain of words has been written about internal controls and fraud following the revelations at the turn of this new century regarding Enron, WorldCom, Tyco, Global Crossings, and others. Nevertheless, it is hard for many smaller, nonpublic entities to relate to these happenings, since they do not form subsidiaries to keep transactions off the face of their financial statements, use stock options to compensate executives "silently," or design compensation and incentive packages that seem sufficient to finance an empire but are immaterial to the overall business. However, the issue of internal controls and fraud does affect each and every business and organization, from the smallest to the largest, from the Women's Club to family businesses to the large private enterprise with many branches and international subsidiaries. Wherever an owner values the entity that he or she has worked to develop or has pride in the service and mission of their not-for-profit, the value of giving some attention to internal controls exists.

This book was written to address the need of entities and their auditors to understand practical internal controls principles, design, and implementation issues, not necessarily just the requirements of reporting on internal controls due to regulation or public company legislation, such as the Sarbanes-Oxley Act of 2002 (SOX). Nevertheless, we should not dismiss the importance of that legislation and what it can teach us about the elements and importance of controls. There are lessons in Sarbanes-Oxley for all of us.

Beginning in 2007, private companies, not-for-profit entities, and governments that prepare audited financial statements will be receiving a closer scrutiny of their internal controls by their auditors. Identified gaps in controls design and findings that controls are not working effectively require the auditor to prepare a written communication of these matters to management and those charged with governance, such as a board or committee with oversight responsibility. Many more control issues will be identified in the future than have been identified in the past. Common organizational control gaps in smaller entities include the lack of controls documentation, the lack of accounting expertise, and the inability to properly accrue for expenses and prepare financial statements. More and more oversight groups, private equity lenders, bankers, and regulators are asking that these communications be made explicitly and are asking that they be informed of such issues. For many of these entities, it is simply a matter of self-protection. They need to know if such risks exist, so they can decide how to address them. The management and the auditors of failed organizations are often challenged as to why such information was not shared on a timely basis. Oral communications are quickly forgotten. Such information, clearly articulated and communicated, might have signaled the condition leading to the business failure and led to remedial actions.

This book will expand your understanding of internal controls, the use of a framework like COSO from which to understand and assess controls, and common internal control problems. Based on the observations and 25-plus years of practical experience of the author, it will provide cost-effective suggestions for mitigating or remediating these common problems. Private companies and their auditors will benefit from an increased awareness of how internal controls can improve operations and expand profits, and provide more time for management to attend to important matters, such as growing the business. Not-for-profit entities will better understand how they can fulfill their mission statements and protect themselves against the scandals that have affected (and sometimes destroyed) others. Government entities will benefit from practical ideas that will help them demonstrate their stewardship of funds in meeting their mission and mitigate the risk of fraud and waste so common in environments where controls are an afterthought. And yes, public company auditors, internal auditors, and management can benefit from the information and tools presented in this book in their mission of compliance with the changing rules in their regulated environment. While the specific rules and requirements in that environment are subject to change, the fundamental principles of controls and best practices should endure.

Auditors may also find the content here to be instructive as they develop a more robust understanding of the internal control framework and gather an appreciation of what they need to do versus what audited entities are expected to do under the new auditing standards. When asides in the book are directed to auditors, these comments are generally marked in a box. While I do not intend to bludgeon the reader with SOX discussions, the rich environment that came from the implementation of the requirements for accelerated filer public companies to report on internal controls in 2004 makes it instructive to borrow some observations from that process. Readers required to comply with Public Company Accounting Oversight Board reporting requirements on internal control will need to consult Auditing Standard No. and may need also to consult with other materials and SEC guidance focused on the SOX requirements.

AN INTRODUCTION

BUT HOW DOES ALL THAT RELATE TO ME?
There has been so much press lately about the required public company reporting of internal controls that some people believe that internal controls pertain only to public companies. That is a misperception, since this issue has been and will continue to be relevant for all enterprises. Writings in the auditing literature that predate the birth of all the potential readers of this work address issues of internal control. And, after all, how would Scrooge and Marley in Charles Dickens's A Christmas Carol have prevailed in taking ownership of the business had there not been a "discrepancy in the accounts"? The issues here transcend time and cultures.

The myth has also developed that internal controls have to be expensive and complicated. That argument is perhaps more a consequence of the semichaotic 2004 public company implementations of internal control reporting requirements than the true costs of implementing effective internal controls themselves. This topic is discussed more at the end of this chapter.

Of course, designing and implementing an iron-clad system of controls might be a very expensive proposition. Ian Fleming's (James Bond) Goldfinger dreamed of penetrating Fort Knox, but most businesses are not likely to yield such a large reward worthy of such a complicated effort. And in a business where the doors are wide open to all who choose to enter and create mischief, such extremes are not necessary. Many who choose to take advantage do so because it is easy and because we business owners and managers make it so easy for them to do so.

Let's speak facts. A 2006 published survey on fraud, published by the Association of Certified Fraud Examiners (ACFE), noted some statistics about

CONTRIBUTION TO CASH CYCLE TEMPLATE—CCS (page 227)

Control objective: Segregation of Duties—Donor setup and collections are properly segregated.
Potential risks: Small size of business and few employees invites fraud risk.
Assertions: Occurrence, Completeness, Accuracy.
Control procedures: (to be completed)
Assessment: (to be completed)

Control objective: Information Systems Controls—Data is complete and accurate, changes to software or options are controlled, electronic transmissions are controlled, access to related programs is limited.
Potential risks: Lack of access and program change controls could invite fraud or accidental destruction or corruption of the data.
Assertions: IT General Controls—Access and Security, Program Changes.
Control procedures: (to be completed)
Assessment: (to be completed)

PART: CONTRIBUTION TO CASH CYCLE WITH CONTROL PROCEDURES—CCS (pages 229 to 231)

Control objective: Physical Safeguards—Adequate physical controls over cash receipts are maintained.
Potential risks: Failure to protect cash could result in fraud and loss to the entity.
Assertions: Occurrence/Existence, Completeness.
Control procedures: Bank account used to control cash safety. Monthly bank reconciliations performed. Locked cash box and locked cash repository.
Assessment: (to be completed)

Control objective: Cash Collection and Application—All cash receipts are deposited and recorded completely, accurately, and timely.
Potential risks: Failure to collect all receipts could impair entity viability. Fraud could impair entity's ability to attract donors.
Assertions: Occurrence, Completeness, Accuracy, Cutoff.
Control procedures: Deposits made every Monday, or more frequently if a large amount received during banking days; deposits made by bookkeeper or by director (in bookkeeper absence). No instances of unexplained loss or deposit delays. Most contributions are by check. Weekly cash and large cash receipts from fundraisers are precounted by at least persons working together before transfer to the bookkeeper for deposit. Statements to donors act as a control on completeness and accuracy.
Assessment: (to be completed)

Control objective: Financial Reporting and Monitoring—Postings to the general ledger are recorded accurately and in the correct period.
Potential risks: Failure to properly classify information impairs organization's use of data.
Assertions: Accuracy, Classification, Cutoff.
Control procedures: Long-established procedures re normal transactions. Planning to create a procedures and accounting manual next year. New bookkeeper seems generally competent, but seems unsure how to handle unusual transactions (special rental receipts, sale of investments or property).
Assessment: (to be completed)

Control objective: Segregation of Duties—Donor setup and collections are properly segregated.
Potential risks: Small size of business and few employees invite fraud risk.
Assertions: Occurrence, Completeness, Accuracy.
Control procedures: Bookkeeper cannot access cash box contribution drop. Functions of financial recording, donor records, and cash deposits centralized with bookkeeper.
Assessment: (to be completed)

Control objective: Donor File Maintenance—Changes to the donor master files and related tables (i.e., pledges) are properly authorized, accurate, and recorded timely.
Potential risks: Failure to record properly could frustrate donors and reduce pledges. Could invite fraud if not accurately maintained and reconciled for completeness.
Assertions: Accuracy, Completeness.
Control procedures: Reconciliations are not performed. Statements sent twice yearly to donors requesting statements. No complaints regarding statements sent to donors.
Assessment: (to be completed)

Control objective: Information Systems Controls—Data are complete and accurate; changes to software or options are controlled; electronic transmissions are controlled; access to related programs is limited.
Potential risks: Lack of access and program change controls could invite fraud or accidental destruction or corruption of the data.
Assertions: IT General Controls—Access and Security, Program Changes.
Control procedures: Computer (not password protected) is in an office that is generally locked at night; lack of accounting knowledge by those with daytime access; no custom settings on NFP software package; no changes in software or versions this year.
Assessment: (to be completed)

PART: CONTRIBUTION TO CASH CYCLE—COMPLETED—CCS (pages 233 to 237)

Control objective: Physical Safeguards—Adequate physical controls over cash receipts are maintained.
Potential risks: Failure to protect cash could result in fraud and loss to the entity.
Assertions: Occurrence/Existence, Completeness.
Control procedures: Bank account used to control cash safety. Monthly bank reconciliations performed. Locked cash box and locked cash repository.
Assessment: Procedures observed during audit period and when on premises. Bank reconciliation for December reviewed. Control objective achieved.

Control objective: Cash Collection and Application—All cash receipts are deposited and recorded completely, accurately, and timely.
Potential risks: Failure to collect all receipts could impair entity viability. Fraud could impair entity's ability to attract donors.
Assertions: Occurrence, Completeness, Accuracy, Cutoff.
Control procedures: Deposits made every Monday, or more frequently if a large amount received during banking days; deposits made by bookkeeper or by director (in bookkeeper absence). No instances of unexplained loss or deposit delays. Most contributions are by check. Weekly cash and large cash receipts from fundraisers are precounted by at least persons working together before transfer to the bookkeeper for deposit. Statements to donors act as a control on completeness and accuracy.
Assessment: Walk-through confirms in-operation. See WP W-3. Control objective not achieved: failure to ensure that the amount counted was the amount deposited. There are no observed controls over the deposit process.

Control objective: Financial Reporting and Monitoring—Postings to the general ledger are recorded accurately and in the correct period.
Potential risks: Failure to properly classify information impairs organization's use of data.
Assertions: Accuracy, Classification, Cutoff.
Control procedures: Long-established procedures re normal transactions. Planning to create a procedures and accounting manual next year. New bookkeeper seems generally competent, but seems unsure how to handle unusual transactions (special rental receipts, sale of investments or property).
Assessment: Director and treasurer have limited accounting knowledge, but most transactions are simple. Board member (Mr. Smith) provides monitoring and oversight and can answer more sophisticated accounting questions. Some issues (detail) discussed with independent auditors (who, when) this year after internal discussion and recommendations developed. Treasurer compiles annual statements from the bookkeeping records. Control objective partially achieved: need more readily accessible accounting expertise. No observed monitoring of routine or unusual contribution transactions.

Control objective: Segregation of Duties—Donor setup, invoicing, and collections are properly segregated.
Potential risks: Small size of business and few employees invite fraud risk.
Assertions: Occurrence, Completeness, Accuracy.
Control procedures: Bookkeeper cannot access cash box contribution drop. Functions of financial recording, donor records, and cash deposits centralized with bookkeeper.
Assessment: Observed bookkeeper role when on premises. Control objective not achieved: bookkeeper responsible for accounting, deposits, and donor records, creating risk of fraud by lack of effective design. Check contributions are also not appropriately controlled.

Control objective: Donor File Maintenance—Changes to the donor master files and related tables (i.e., pledges) are properly authorized, accurate, and recorded timely.
Potential risks: Failure to record properly could frustrate donors and reduce pledges. Could invite fraud if not accurately maintained and reconciled for completeness.
Assertions: Accuracy, Completeness.
Control procedures: Reconciliations are not performed. Statements sent twice yearly to donors requesting statements. No complaints regarding statements sent to donors.
Assessment: Observed records that donor summaries were sent. Confirmed by telephone with donors that statements were received and were accurate. See WP W-4. Control objective not achieved since donor records are not reconciled to total receipts.

Control objective: Information Systems Controls—Data are complete and accurate; changes to software or options are controlled; electronic transmissions are controlled; access to related programs is limited.
Potential risks: Lack of access and program change controls could invite fraud or accidental destruction or corruption of the data.
Assertions: IT General Controls—Access and Security, Program Changes.
Control procedures: Computer (not password protected) is in an office that is generally locked at night; lack of accounting knowledge by those with daytime access; no custom settings on NFP software package; no changes in software or versions this year.
Assessment: Observed office being locked when on premises (dates). Examined software and noted version was the same as prior year. See WP W-5. Control objective not achieved: access is not appropriately limited.
internal controls, 22, 46, 129 reports, 58, 59 responsibility for documentation, 111 Material misstatement and fraud, 179, 183, 197 and ITGC deficiencies, 147 likelihood of, 117, 147, 148, 155, 168, 174, 177 and material weakness, 167, 174, 177 potential for, notifying management of, 66 and purpose of control objectives, 54 and risk assessment, 104, 106 and severity of deficiency, 67 Material weakness accounting expertise, 149, 151 aggregated significant deficiencies, 158, 159, 175 communicating to management, 4, 109, 139, 149, 151 defined, 140–142 and effectiveness of controls, 46 financial reporting, 106 INDEX information technology general controls, 146, 147, 157, 158, 169–172 lack of documentation, 72 overall assessment, 158, 159 and severity of deficiencies, 67, 139, 140, 146, 155, 156 software tools, 79 Matrices, use of, 71, 80–83, 86, 187 Contribution to Cash Evaluation Matrix— Completed, 220, 234–237 Contribution to Cash Evaluation Matrix— Template, 219, 226, 227 Contribution to Cash Evaluation Matrix—with Control Procedures, 219, 230, 231 Monitoring as component of COSO Framework, 19, 28, 64, 113 controls, evidence of, 67, 68 controls and processes, 65 and design deficiencies, 137 documentation, need for, 72 evidence of, 154 and fraud prevention, 105, 207, 208 and information and communications, 64 purpose of, 66 significant findings, informing independent auditors of, 66 small businesses, 65, 66 software, 64, 65 and testing of controls, 113–116 Not-for-profit organizations accounting standards, 43–44 board members, selection of, 36 and competency in financial reporting, 35 control matrices, use of, 82 documentation, need for, 72 and financial reporting risks, 41 financial statement, sample, 48, 49 and fraud, 40, 41, 139, 179–192 IRS scrutiny, 72, 153 need for internal controls, 2–3 and Sarbanes-Oxley controls, 74 scandals, 2, 40 software considerations, 76–80 as target for fraud, 148, 149 testing controls, 109–123 whistleblower protection, 182 Occurrence 
assertions, 105 Operations control deficiencies, 22, 116, 151, 152 information technology controls, 63, 64 Outsourced functions, 20, 82 Passwords, 28, 61, 122, 129, 148, 157, 186 Payroll as pilot project, 20, 21 sample control objectives, 90, 91 Periodic close as business process, 51 documentation, 106 sample control objectives, 97 Pilot project control objectives, 53 preliminary team, 19–22 selecting area for, 20 use of, 21 Private businesses accounting principles, 43, 44 AICPA guidance, 143 auditor assistance, 111 benefits of documentation, 10, 11 factors to consider, 11, 12 importance of effective control design, 139 independent auditor rules, 11 need for internal controls, 2, Procedures manual, 71, 73, 153 Procrastination, 9, 10 Project plan, 23–25 Project team, 19–22 Public Company Accounting Oversight Board (PCAOB) Auditing Standard No 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, 2, 5, 25, 99, 138, 140–142, 160–162, 164, 165, 167–169, 171–175, 177 Auditing Standard No 5, 5, 11, 14, 15, 25, 142 and consistency of standards, 10 243 and costs of implementing requirements, 4, Reasonable person test, 141, 148, 155, 158 Reliance on controls, 14–16, 22, 113, 122, 146 Remote likelihood, 141, 142, 165, 174, 177, 178 Report to the Nation on Occupational Fraud and Abuse (2006), 1–3, 114, 181 Reporting on internal controls “as of” date, 15, 16, 146, 147, 158 and Attestation Standard, 501, 25 and auditor understanding of internal controls, 111 design, implementation, and effectiveness, 14, 15 formats and tools for, 74–80 government entities, 154 and identifying business processes, 47 and information technology, 60 and need for interviews and surveys, 133, 134 and risk assessment, 99 Sarbanes-Oxley requirements, 4, 11, 74, 143 and scope of documentation, 99, 101 and scope of project, 23 time period, 15 Resources, 10, 11, 23, 24 Revenues control objectives, 86–88 and identifying business processes, 
47 revenue cycle as pilot project, 20 and scope of documentation, 100–103 Risk assessment accounting principles, 43, 44 and auditor understanding of internal controls, 109, 110 business process, 40, 41 as component of COSO Framework, 19, 28 continuing, 106, 107 control activities, 40, 53–55 economic risk, 42, 43 financial reporting risks, 40, 41 fraud, 44–46 244 Risk assessment (continued ) income overstatement and understatement, 105 information technology, 41, 42, 64 and project scope, 23, 24 resources, identifying, 24 and scope of documentation, 101, 104, 105 and severity of control deficiencies, 148, 149 worksheet, 81 Sampling AICPA Audit Sampling guide, 123 assurance level, 117, 118 information technology general controls (ITGC), 122, 123 principles of, 116, 117 sample size tutorial, 124–127 sample sizes, setting, 118–120, 134 Sarbanes-Oxley Act of, 2002 (SOX) and “as of” reporting, 15, 16 See also “As of” reporting requirement and consolidation of business processes and controls, 50 and COSO Framework, 16, 27, 74 See also COSO Framework costs of implementation, 4, and information technology, 60 reluctance to comply with, 10 reporting requirements, 4, 11, 74, 143 and severity of deficiencies, 143 software for documentation compliance, 76, 78 SEC v Livent, 157 Securities and Exchange Commission (SEC) and COSO Framework, 18 and costs of implementing requirements, 4, independent director rules, 36 Self-assessment, 12 Significant deficiencies, 3, 4, 72, 79, 106, 109, 139–142, 145, 146, 151, 155, 158 aggregated, 158, 159, 175, 177 Six-step approach, 12 INDEX Small businesses accounting expertise, 149, 151 accounting principles, 44 control objectives, 54 monitoring function and control activities, 65, 113, 115, 116 public companies, 18, 75 Software access and security, 157, 158 See also Passwords availability of, 10 controls documentation, 74–76 controls embedded in, 121 and financial reporting, 58 legacy systems and upgrading, 62 limitations of, 11, 12 and 
monitoring function, 64, 65 MS Project, 24 and new systems development, 62, 63 project plan management, 24 selection criteria, 25, 76–80 systems development, 62, 63 SOX See Sarbanes-Oxley Act of 2002 (SOX) Spreadsheets Excel, 58, 74, 79 problems with, 58 templates for documenting controls, 74, 75 use of in determining scope of documentation, 102, 103 Statements of Auditing Standards SAS No 39, Audit Sampling, 124 SAS No 55, Consideration of Internal Control in a Financial Statement Audit, 27, 28, 179 SAS No 99, Consideration of Fraud in a Financial Statement Audit, 44, 45, 182, 192, 193 SAS No 103, Audit Documentation, 73 SAS No 109, Understanding the Entity, 73, 76 SAS No 111, amendment to Audit Sampling, 124 SAS No 112, Communicating Internal Control Related Matters Identified in an Audit, 38, 106, 111, 149 Statements of Financial Accounting Standards SFAS No 90, Regulated Enterprises—Accounting for Abandonments and Disallowances of Plant Costs, 44 SFAS No 93, Recognition of Depreciation by Not-for-Profit Entities, 44 Stock options, 16, 33, 35, 94 Surveys, 120, 121 Templates, use of, 58, 74, 75, 79, 102, 103 Testing of controls auditor considerations, 15 auditor understanding of internal controls, 109, 110 automated controls, 121, 122 control environment, 120, 121 and controls design, 110, 111 and costs, deficiencies, detecting, 138 documentation, 112, 113 effectiveness, 14, 116 implementation of controls, confirmation of, 111, 112 information technology general controls, 121–123 infrequently operating controls, 119, 120 and monitoring activities, 113–116 and potential magnitude of misstatement, 147, 148 reliance See Reliance on controls sampling, 116–120, 126 See also Sampling unexpected results, 106 Treadway Commission, 17 See also Committee of Sponsoring Organizations (COSO) United Kingdom, Turnbull Report, 18 Valuation assertions, 56, 57 Walk-throughs, 112, 121, 122 Whistle-blower protection, 182 Word templates, 74, 75, 79, 86 ... 
Cataloging-in-Publication Data:
Graham, Lynford.
Internal controls : guidance for private, government, and nonprofit entities / Lynford Graham.
p. cm.
ISBN 978-0-470-08948-4 (cloth)
Auditing, Internal. Managerial accounting. ...

... failure and led to remedial actions. This book will expand your understanding of internal controls, the use of a framework like COSO from which to understand and assess controls, and common internal ...

... legislation and what it can teach us about the elements and importance of controls. There are lessons in Sarbanes-Oxley for all of us. Beginning in 2007, private companies, not-for-profit entities, and governments