Transcript Slide 1

An Evidential Reasoning Approach to
Sarbanes-Oxley Mandated Internal Control
Assessment
Lili Sun, Rutgers University
Rajendra Srivastava, The University of Kansas
David Vun Kannon
Theodore Mock, The University of Southern California
Miklos Vasarhelyi, Rutgers University
1
Developing The Next Generation
Of Internal Control Tools Using CA
• First generation of 404 implementation:
– Focus on documentation of controls
– Filling gaps in COSO framework
– Highly labor intensive
• Second generation of 404 implementation:
– More cost efficient and effective
– More systematic assessment of controls
– Focus on identifying material control weaknesses and on
auditing automatically rather than manually
Evidential Reasoning: Systematic,
Higher Value IC Assessment Tool
• Evidential reasoning: a risk-assessment process in which several
assertions, combined together, inform the auditor about the effectiveness
of an individual internal control procedure and of the overall internal
control system.
• Decomposes the risk assessment down to the level of individual items of evidence.
• Provides a rigorous algorithm for aggregating human beliefs.
• Provides a systematic way to represent the interrelationships among the
multiple key components evaluated for IC.
• Helps discipline auditors’ thought process in estimating risk.
• Serves as a decision aid for auditors.
Create A Systematic Representation Of
KPMG Model Of Risk Assessment
• Financial reporting model
– Parent company
– Subsidiary
– Financial statement
– Significant accounts
• Business process model
– Business process
– Objective
– Risk
– Control
– Evaluation procedures
Generic Evidential Reasoning
Model Of Internal Control
Assurance
Figure (text rendering): the generic model is an AND/OR tree. “&” means the parent assertion holds only if all of its children hold; “OR” means any one effective control suffices to protect the process from a risk.

Financial reporting model
  A1: IC/FR for the consolidated entity is effective
    & IC/FR for subsidiary i is effective (one node per subsidiary)
      & IC/FR for Account i on BS is effective … The system of IC/FR for Account j on BS is effective (one node per significant account)

Business process model
        & IC for Process j is effective … The system of IC for Process i is effective (one node per business process behind the account)
          & Process j is protected from IC risk j … Process j is protected from IC risk i (one node per risk to the process)
            OR Control m is effective … Control n is effective (Control i, Control j, Control k, …), together with the control environment
Application of the Evidential Reasoning
Approach to a Real Case
Figure (text rendering of the case diagram). Each node carries a belief triple over the frame {e, ~e}: mass on e (“effective”), mass on ~e (“not effective”) and mass on {e,~e} (undecided). Control nodes hold the auditor’s assessment from IC compliance testing (Evidence No. 1 to 10); risk nodes combine their controls (labelled “WA” on the slide); process and account nodes are “&” of the nodes below them. A control judged effective is shown with masses such as (0.94, 0.00, 0.06).

A1: The IC over “Net loans” account is effective
  & The IC over “Underwriting” process is effective.
    & The IC is effective in controlling the risk that “Inappropriate loans are added to the institution's portfolio”.
      WA of the following controls, each of which “functions effectively”:
      – “All lending limits for different types of loans and guidelines for setting interest rates are approved by the Board of Directors”. (effective; Evidence No. 4)
      – “Credit committee requires a unanimous decision or the loan application is rejected without recourse”. (effective)
      – “Risk Management Committee monitors the percentage of loans that are overridden and reviews the key indicator business summary to discern trends on the loan portfolio”. (effective; Evidence No. 3)
    & The IC is effective in controlling the risk that “Lack of appropriate loan documentation maintained and inaccurate setup of the loan on the loan system”.
      WA of the following controls:
      – “A loan documentation checklist is completed for each file by the credit officer and independently reviewed by additional credit personnel for accuracy and completeness prior to booking on the loan system”. (effective)
      – “Document deficiencies are tracked and reviewed by management on a monthly basis”. (effective)
      – “Exception reports flagging accounts and loan files with missing information and documentation are generated, researched and reviewed by the loan documentation unit.” (effective)
  & The IC over “Payments and Payoffs” process is effective.
    & The IC is effective in controlling the risk that “Loan payments and payoffs are inappropriately applied”.
      WA of the following controls:
      – “The loan servicing system interfaces directly to the general ledger and is reconciled on a monthly basis”. (unknown; Evidence No. 1)
      – “Payment clearing account is reconciled on a daily basis to ensure proper posting of loan payments received”. (ineffective)
      – “Loan servicing management compare any manually entered payments into the loan system to source documentation.” (effective)
      – “On a daily basis, loan operations reviews the loan application system for missing payments”. (material weakness)
Automate The Aggregation Of
Control Evaluations
• Input:
– auditors’ evaluations of the effectiveness of individual control
procedures
• Output:
– Quantitative assessment of control effectiveness on multiple
layers of the hierarchy: from the individual control level to the
overall financial statement level
• Evidential reasoning is a useful decision aid for KPMG
auditors because of its:
– Clarity
– Practicability of use
– Completeness
– Adaptability
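The aggregation this slide describes, run over the “Net loans” hierarchy of the case slide, as an added example in Python. This is not code from the presentation, from the authors or from KPMG, and it makes the following assumptions: every node has the frame {e, ~e} with masses on e, ~e and the undecided set {e,~e}; “&” nodes propagate with the belief-function product rule (Bel of the parent is the product of the children’s Bel, Pl the product of their Pl), and OR nodes are the same rule applied to ~e; the slide’s “WA” boxes are rendered as an equal-weight average because the deck shows no weights, with Dempster’s rule offered as the standard belief-function alternative; the mapping of the four verdicts (effective, ineffective, material weakness, unknown) to masses is ours, patterned after the (0.94, 0.00, 0.06) triple visible on the slide; control wording is abridged.

```python
"""Added example (not from the slides): belief-function aggregation over an internal-control tree."""
from __future__ import annotations
import math
from dataclasses import dataclass, field
from functools import reduce

EPS = 1e-9  # tolerance for floating-point rounding

class Belief:
    """Masses m(e), m(~e) on the frame {e, ~e} (e = "effective"); the rest, m({e,~e}), is undecided."""
    def __init__(self, e: float, ne: float) -> None:
        e, ne = (0.0 if abs(x) < EPS else x for x in (e, ne))  # drop rounding noise
        if e < 0.0 or ne < 0.0 or e + ne > 1.0 + EPS:
            raise ValueError(f"invalid masses e={e}, ~e={ne}")
        self.e, self.ne = e, min(ne, 1.0 - e)

    @property
    def theta(self) -> float:  # mass on the whole frame = undecided
        return max(0.0, 1.0 - self.e - self.ne)

def dempster(a: Belief, b: Belief) -> Belief:
    """Dempster's rule for two independent items of evidence on {e, ~e}."""
    conflict = a.e * b.ne + a.ne * b.e  # mass that would land on the empty set
    if conflict > 1.0 - EPS:
        raise ValueError("totally conflicting evidence cannot be combined")
    k = 1.0 - conflict  # renormalisation constant
    return Belief((a.e * b.e + a.e * b.theta + a.theta * b.e) / k,
                  (a.ne * b.ne + a.ne * b.theta + a.theta * b.ne) / k)

def weighted_average(items: list[Belief], weights: list[float] | None = None) -> Belief:
    """The slide's 'WA' box: convex combination of the masses; equal weights assumed when none given."""
    w = list(weights) if weights is not None else [1.0] * len(items)
    assert len(w) == len(items) and min(w) >= 0.0 and sum(w) > 0.0, "bad weights"
    return Belief(sum(wi * b.e for wi, b in zip(w, items)) / sum(w),
                  sum(wi * b.ne for wi, b in zip(w, items)) / sum(w))

def and_node(children: list[Belief]) -> Belief:
    """Parent effective only if all children are: Bel = prod Bel_i, Pl = prod Pl_i."""
    return Belief(math.prod(c.e for c in children),
                  1.0 - math.prod(1.0 - c.ne for c in children))  # Pl_i(e) = 1 - m_i(~e)

def or_node(children: list[Belief]) -> Belief:
    """Parent effective if any child is (compensating controls): the AND rule applied to ~e."""
    return Belief(1.0 - math.prod(1.0 - c.e for c in children),
                  math.prod(c.ne for c in children))

COMBINERS = {"and": and_node, "or": or_node, "wa": weighted_average,
             "dempster": lambda kids: reduce(dempster, kids)}

@dataclass
class Node:
    name: str
    rule: str = "leaf"  # leaf | and | or | wa | dempster
    children: list[Node] = field(default_factory=list)
    evidence: Belief | None = None  # the auditor's assessment; leaves only

    def evaluate(self, out: dict[str, Belief] | None = None) -> dict[str, Belief]:
        """Aggregate bottom-up; return the belief at every node of the subtree, keyed by name."""
        out = {} if out is None else out
        if self.rule == "leaf":
            if self.evidence is None:
                raise ValueError(f"control {self.name!r} was never assessed")
            out[self.name] = self.evidence
        else:
            out[self.name] = COMBINERS[self.rule]([c.evaluate(out)[c.name] for c in self.children])
        return out

# Assumed mapping of the slide's four verdicts to masses (e, ~e); the 'effective'
# triple (0.94, 0.00, 0.06) is one that appears on the slide, the other three are ours.
VERDICT = {"effective": Belief(0.94, 0.00), "ineffective": Belief(0.00, 0.91),
           "material weakness": Belief(0.00, 0.98), "unknown": Belief(0.00, 0.00)}

def control(name: str, verdict: str) -> Node:
    return Node(name, evidence=VERDICT[verdict])

def net_loans_model(risk_rule: str = "wa") -> Node:
    """The case slide's 'Net loans' tree: account = AND of processes, process = AND of risks, risk = risk_rule over controls."""
    return Node("Net loans account", "and", [
        Node("Underwriting process", "and", [
            Node("Risk: inappropriate loans added", risk_rule, [
                control("Board approves lending limits and rate guidelines", "effective"),
                control("Credit committee requires unanimous decision", "effective"),
                control("Risk committee monitors loan overrides", "effective")]),
            Node("Risk: missing documentation / wrong loan setup", risk_rule, [
                control("Documentation checklist independently reviewed", "effective"),
                control("Document deficiencies tracked monthly", "effective"),
                control("Exception reports on missing documentation", "effective")])]),
        Node("Payments and payoffs process", "and", [
            Node("Risk: payments and payoffs misapplied", risk_rule, [
                control("Loan system interfaces to GL, reconciled monthly", "unknown"),
                control("Payment clearing account reconciled daily", "ineffective"),
                control("Manual payments compared to source documents", "effective"),
                control("Daily review of loan system for missing payments", "material weakness")])])])

if __name__ == "__main__":
    for rule in ("wa", "dempster"):
        r = net_loans_model(rule).evaluate()["Net loans account"]
        print(f"{rule:9s} Net loans account: e={r.e:.3f} ~e={r.ne:.3f} undecided={r.theta:.3f}")
```

Running it shows why the combination rule at the risk level matters. With the equal-weight average the account comes out at roughly (0.21, 0.47, 0.32): the one material weakness and the ineffective control in the payments process are diluted by the effective and unknown controls beside them. With Dempster’s rule the same inputs give roughly (0.03, 0.97, 0.00), because the conflicting evidence is renormalised rather than averaged. The weights (or the rule) the auditor assigns to the controls under a risk therefore decide the verdict at the account level, which is the belief-elicitation issue the closing slide lists as open work.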
Continuing Work
• Validate model against a real audit case
• Explore issues related to the application of
the proposed approach
– Refine the quantitative representation of
internal control effectiveness.
– How to better elicit belief inputs from auditors.