AN EFFICIENT APPROACH TO IDENTIFICATION AND …

An Efficient Approach to Identification
and Documentation of Critical Accounting
Application Controls
Jerry L. Turner
The University of Memphis
© Jerry L. Turner 2006
Sarbanes-Oxley Act of 2002
• Section 404 requires an assessment by
management of the effectiveness of the
internal control structure and procedures
for financial reporting
• Requires each independent auditor to
attest to, and report on, the assessment
made by the management of the issuer
Sarbanes-Oxley Act of 2002
• Internal control systems must be
documented
• Relevant internal controls must be
identified and tested.
Sarbanes-Oxley Act of 2002
• Congress assumed that existing
documentation would be an adequate
basis for management of public
companies to report on internal
accounting controls
Background—Auditors
• Prior to SAS No. 55 (1988), auditors
documented systems and identified internal
controls with extensive flowcharts, extensive
internal control checklists, or both
Traditional Flowcharts
• Portray systems as a chronological sequence of
processing steps representing transaction flows
• Usually include superfluous information
• Difficult to maintain because of complexity
• Ineffective in identifying existing controls
• Ineffective at identifying where controls should
exist but were not present
Traditional Flowchart
Source: Whittington/Pany: Principles of Auditing
Internal Control Questionnaires
• Tend to be boilerplate in nature
• Not very effective at relating controls to
audit objectives
• Frequently in a yes/no format where yes
is good, no is bad
Internal Control Questionnaire
Source: Whittington/Pany: Principles of Auditing
Move to Focus on Assertions
• Subsequent to SAS No. 55, auditors began
organizing internal control documentation by
audit objective to enable risk-based audits
• Prompted auditors to replace flowcharts with
more easily prepared (cheaper?) narratives
organized by control objectives corresponding
to financial statement assertions
Narrative
Source: Whittington/Pany: Principles of Auditing
Background—Companies
• System documentation has many forms,
depending on the functional group involved in
preparation
• Usually related to system design, such as
physical and logical data flow diagrams
• Extremely detailed and generally not effective
for other purposes, such as identification of
critical internal controls
Sarbanes-Oxley Act of 2002
• Management is to provide to the auditor
documentation based on relevant
assertions about each significant account
– Existence or occurrence,
– Completeness,
– Valuation or allocation,
– Rights and obligations, and
– Presentation and disclosure
Sarbanes-Oxley Act of 2002
• SOX notes that documentation might take
many forms, such as paper, electronic files, or
other media
• Can include a variety of information, including
policy manuals, process models, flowcharts,
job descriptions, documents, and forms
Sarbanes-Oxley Act of 2002
• For each significant process related to an
assertion, both management and the
independent auditor should
– understand the flow of transactions, including how
transactions are initiated, authorized, recorded,
processed, and reported;
– identify the points within the process at which a
misstatement—including a misstatement due to
fraud—related to each relevant financial statement
assertion could arise;
Sarbanes-Oxley Act of 2002
– identify the controls implemented to address
these potential misstatements; and
– identify the controls implemented over the
prevention or timely detection of
unauthorized acquisition, use, or disposition
of the company's assets
Sarbanes-Oxley Act of 2002
• Individual controls must be linked clearly
with the significant accounts and
assertions to which they relate
• In addition to specific controls in
isolation, combinations of controls also
should be considered in assessing
whether the objectives of the control
criteria have been achieved.
Existing Documentation Methods
• Neither efficient nor effective in
complying with the requirements of SOX
• Documentation typically begins with the
source of accounting information, e.g. a
transaction, and creates data flows from
that activity to an end-point in the
general ledger
Consider a Leaf on a Tree
A More Effective Approach
• Is consistent with a risk-based approach to
auditing
• Identifies the critical files in the financial
reporting process from the hundreds or
thousands of files in a computer-based
accounting system
• Identifies the critical processes that impact
data contained in those critical files
A More Effective Approach
• Allows identification of controls related to those
processes, based on management assertions
about financial statement account balances
• Is useful for both company management and
independent auditors
• Allows identification of controls that may be
monitored effectively with continuous auditing
techniques
Continuous Auditing
• Several reasons for resistance to
implementation of continuous auditing
– Technology
– Cost
– Different objectives for company and auditor
• SOX has aligned objectives with
integrated audit approach
When Can Errors Occur?
• When data is entered into a system
• When data is transferred from one document or
electronic file to a different document or
electronic file
• When data changes form through aggregation or
other process
• When data is deleted
Three Steps to an Effective Approach
• First, identify the significant accounts that
affect the financial statements
• Then, for each significant account, identify the
critical data path (CDP), beginning from the
general ledger or terminal database table and
proceeding backwards through each relevant
file or database table until data origination
Critical Data Path (CDP)
[Diagram; elements listed from the general ledger account back to data origination]
General Ledger Account
File A
File B
Document 1
Interface with other systems/applications
• E-commerce
• Web interfaces
• EDI
• Non-integrated systems/applications
Transaction or Allocation
Three Steps to an Effective Approach
• Second, identify the process or processes that
affect accounting data as it moves from entry
to general ledger or terminal database table
• A process can affect data in three ways: it can
– add new data to the CDP
– transform data already existing in the CDP
– delete data from the CDP
Ad Hoc and Other Processes
• Error correction procedures may allow addition,
deletion or manipulation of data, but occur
outside normal processing
• Management override or circumvention of
normal controls
• Journal entries needed as part of financial
reporting process (accruals, allocations, etc.)
[Diagram: the critical data path with processes P1 through P8, in the order they appear on the slide]
General Ledger Account
P7—Normal process
File A
P8—
• Error correction
• Management override
• Journal entries
P6—
• Error correction
• Management override
P5—Normal process
File B
P4—
• Error correction
• Management override
P3—Normal process
Document 1
P1—Normal process
Interface with other systems/applications
• E-commerce
• Web interfaces
• EDI
• Non-integrated systems/applications
P2—
• Error correction
• Management override
Transaction or Allocation
Three Steps to a New Approach
• For each CDP, critical controls for each of the
five assertions affected by each process must
be identified and documented
• A critical control might be the first and/or the
last control in a process over a specific
management assertion.
Three Steps to a New Approach
• A CDP may require more than one critical
control over an assertion as the data is
transformed or aggregated
• Also may require identification of additional
files and processes outside the CDP, e.g. verify
that a subsidiary ledger balance used as a
control is correct
Three Steps to a New Approach
• As critical controls are identified, each should
be referenced to a separate control summary
sheet
• The summary sheet should be organized by
management assertion and document the
critical control or controls for each assertion
• Each control should be referenced to audit
program tests of that control
Examples
• Recording of customer payments
• Additions to inventory
Recording of Customer Payments
[Diagram; elements in the order they appear on the slide, from the general ledger back to data origination]
General Ledger Accounts Receivable File or Database Table
Credit
CRP4—
• Error correction
• Management override
• Journal entries
CRP3—Master File update run
• Aggregate amounts
• Update existing balance
CR1—Cash Receipt Transaction File
CRP2—Manually input cash receipts from Cash Receipt Control Listing
Remittance Advice
To Cashier
Customer Check
Copy of Cash Receipt Control Listing
Cash Receipt Control Listing
Remittance Advice
Customer Check
CRP1—Manually prepare cash receipt control listing
• Record
– Customer ID
– Invoice number
– Date
– Check number
– Check amount
Critical Control Summary
CRP1—Manually prepare cash receipt control listing

| Category | Assertion | Critical Control(s) | Audit Procedure(s) |
| Existence or Occurrence | All receipts represent valid payments-on-account | All remittances must be accompanied by a valid remittance advice | |
| Completeness | All payments-on-account are recorded | All payments received are listed on a cash receipt control listing | |
| Rights and Obligations | Payments are made to the correct entity | All pay-to-the-order-of notations are examined on all checks received | |
| | Payments are deposited only in company accounts | All payments are endorsed with “For Deposit Only” to the company account | |
| Valuation | Correct amounts are recorded on the cash receipt control listing | Cash and checks received are totaled and total compared to total on cash receipt control listing | |
| Presentation or Disclosure | N/A | | |
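
Added example (not part of the original slides, and not the author's code): a sketch that walks the customer-payments CDP backwards from the general ledger and lists every process and assertion that has no documented critical control, or whose control is not yet referenced to an audit test. The data layout, the function names, the shortened control wording, and the attachment of CRP4 to the general ledger account are assumptions made for illustration.

```python
# Added example: data transcribed from the customer-payments slides; layout and CRP4 placement assumed.
ASSERTIONS = ["Existence or Occurrence", "Completeness", "Rights and Obligations",
              "Valuation", "Presentation or Disclosure"]

# file -> writers (process id, upstream file or None, kind); None = origination or ad hoc.
CDP = {
    "GL Accounts Receivable": [("CRP3", "CR1 Cash Receipt Transaction File", "normal"),
                               ("CRP4", None, "ad hoc")],
    "CR1 Cash Receipt Transaction File": [("CRP2", "Cash Receipt Control Listing", "normal")],
    "Cash Receipt Control Listing": [("CRP1", None, "normal")],
}

# process -> assertion -> [(control, audit test ref)] or "N/A"; only CRP1 is documented on the page.
CONTROLS = {"CRP1": {
    "Existence or Occurrence": [("Remittance accompanied by valid remittance advice", None)],
    "Completeness": [("All payments listed on cash receipt control listing", None)],
    "Rights and Obligations": [("Pay-to-the-order-of notation examined", None),
                               ("Endorsed 'For Deposit Only' to company account", None)],
    "Valuation": [("Receipts totaled and compared to listing total", None)],
    "Presentation or Disclosure": "N/A",
}}

def trace_back(terminal):
    """Walk an acyclic CDP from the terminal account back to origination."""
    order, queue = [], [terminal]
    while queue:
        node = queue.pop(0)
        for pid, upstream, kind in CDP.get(node, []):
            order.append((pid, node, kind))
            if upstream:
                queue.append(upstream)
    return order

def coverage_gaps(terminal):
    """Return (process, assertion, reason) for each missing or untested critical control."""
    gaps = []
    for pid, _file, _kind in trace_back(terminal):
        sheet = CONTROLS.get(pid, {})
        for assertion in ASSERTIONS:
            entry = sheet.get(assertion)
            if not entry:
                gaps.append((pid, assertion, "no critical control documented"))
            elif entry != "N/A":
                gaps += [(pid, assertion, "control not referenced to an audit test")
                         for _ctl, ref in entry if ref is None]
    return gaps

if __name__ == "__main__":
    print(*coverage_gaps("GL Accounts Receivable"), sep="\n")
```

Filling in an audit test reference in place of None, or adding a summary sheet for CRP2 through CRP4, removes the corresponding entries from the output.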
Additions to Inventory
[Diagram; elements in the order they appear on the slide]
General Ledger Inventory Account or Database Table
INV4—
• Error correction
• Management override
• Journal entries
General Ledger Accounts Payable Account or Database Table
Credit
Debit
INV3—
• Calculate cost of individual inventory items received
• Quantity received from receiving report
• Unit cost from open invoice file
• Aggregate cost of inventory received
• Update General Ledger total
AP4—
• Error correction
• Management override
• Journal entries
AP3—
• Aggregate total of Open Invoice File
• Update General Ledger total
AP2—Electronic vendor invoice entry
• Assign unique ID number
• See AP1 for items recorded
Receiving Report File or Database Table
INV1—Manual entry of quantities received
Open Invoice File or Database Table
INV2—Electronic entry of quantities received
Hardcopy Vendor Invoice
AP1—Manual vendor invoice entry
• Assign unique ID number
• Record
– vendor ID
– Purchase order number
– invoice number
– date
– quantity by inventory item
– unit price by inventory item
– invoice total
Discussion