4. Control Environment Chapter Summary

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control, including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization, the parameters enabling the board of directors to carry out its oversight responsibilities, the organizational structure and assignment of authority and responsibility, the process for attracting, developing, and retaining competent individuals, and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

Principles relating to the Control Environment component

1. The organization demonstrates a commitment to integrity and ethical values. 


2. The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with the objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Principles and Approaches

1. The organization demonstrates a commitment to integrity and ethical values.

·   Establishing Standards of Conduct
·   Leading by Example on Matters of Integrity and Ethics
·   Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct
·   Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct

2. The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.

·   Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors
·   Establishing Policies and Practices for Meetings between the Board of Directors and Management
·   Identifying and Reviewing Board of Director Candidates
·   Reviewing Management's Assertions and Judgments
·   Obtaining an External View
·   Considering Whistle-Blower Information about Financial Statement Errors and Irregularities

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

·   Defining Roles and Reporting Lines and Assessing Them for Relevance
·   Defining Authority at Different Levels of Management
·   Maintaining Job Descriptions and Service-Level Agreements
·   Defining the Role of Internal Auditors

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with the objectives.

·   Establishing Required Knowledge, Skills, and Expertise
·   Linking Competence Standards to Established Policies and Practices in Hiring, Training, and Retention Decisions
·   Identifying and Delivering on Financial Reporting–Related Training as Needed
·   Selecting Appropriate Outsourced Service Providers
·   Evaluating Competence and Behavior
·   Evaluating the Capacity of Finance Personnel
·   Developing Alternate Candidates for Key Financial Reporting Roles

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

·   Defining and Confirming Responsibilities
·   Developing Balanced Performance Measures, Incentives, and Rewards
·   Evaluating Performance Measures for Intended Influence
·   Linking Compensation and Other Rewards to Performance

Demonstrates Commitment to Integrity and Ethical Values

Principle 1. The organization (fn 7) demonstrates a commitment to integrity and ethical values.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

·   Sets the Tone at the Top—The board of directors and management at all levels of the organization demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
·   Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
·   Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct.
·   Addresses Deviations in a Timely Manner—Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner.

Approaches and Examples for Applying the Principle

Approach: Establishing Standards of Conduct

Sets the Tone at the Top
• Establishes Standards of Conduct
Evaluates Adherence to Standards of Conduct
Addresses Deviations in a Timely Manner

Senior management, with guidance from the board of directors, defines and communicates expected standards of conduct for the organization, including any specific to those responsible for preparing external financial reporting. Such standards contain key provisions reflecting legal, ethical, and other expectations in the conduct of business and financial reporting, and articulate management's philosophy and guidance for avoiding moral hazards in the pursuit of objectives. They also leverage established professional codes of conduct, such as those associated with financial and managerial accounting, legal, information technology, or other professional organizations. To instill a common understanding of the company's standards, management develops various means for: 


·   Communicating and reinforcing the accountability for responsible conduct of all personnel 


·   Permeating standards of conduct throughout the organization, including guidelines for application to high-risk issues and geographies
·   Setting the expectation that personnel raise issues or questions relating to the application of the defined standards
·   Making explicit the consequences for deviations from standards of conduct at any level in the organization
·   Ensuring that new and existing employees are trained on the entity's standards of conduct and continuing education, and providing appropriate briefings to third parties engaging in business with the company
·   Developing performance evaluation processes and incentives (and service-level agreements as necessary) that promote the right behavior in pursuit of objectives
·   Providing staff with ethics training opportunities to ensure that all employees have the knowledge to identify and deal with dilemmas

Example: Defining, Communicating, and Regularly Updating the Code of Business Conduct and Ethical Standards

The senior management of Zanzibar Co., a publicly traded company, has created, maintains, and distributes the company's code of business conduct and ethical standards to all employees and external parties acting on behalf of the company, and has posted it on the company website. The code of conduct is available in all relevant languages for ease of access and understanding by all within the global organization. The company requires all employees to complete periodic interactive web-based training sessions on various aspects of the code and ethical standards. 


Furthermore, Zanzibar Co. provides a supplier code of conduct to its vendors as part of its service-level agreements, which provide a basis for evaluation alongside product/service delivery evaluation.

These documents emphasize that every individual is responsible for maintaining an ethical environment and reporting any ethical breaches. Service-level agreements and contracts with external parties include the relevant language to specify the company's expected standards of conduct and serve as a basis for evaluating adherence. The code also specifically sets out the expectation of reporting and resolving issues by providing clear information on how to ask a policy question or report a violation through an independent third party.

Senior management and the board of directors annually review and discuss any changes needed to the code or how it is administered, considering external and internal factors, including the coverage of the company's key risk areas, any known compliance issues, and results of monitoring activities. For instance, over time, Zanzibar Co. has added provisions to address new, applicable laws and has provided more guidance on what constitutes an appropriate gift or entertainment.

Approach: Leading by Example on Matters of Integrity and Ethics

• Sets the Tone at the Top
• Establishes Standards of Conduct
Evaluates Adherence to Standards of Conduct
Addresses Deviations in a Timely Manner

The CEO and key members of management at various levels in the organization articulate and demonstrate the importance of integrity and ethical values across the organization. The various forms and mechanisms used to do this may include:

·   Communications from senior management that support the expected standards of conduct and that stay consistent as they permeate the organization
·   Day-to-day actions and decision making at all levels of the organization that are consistent with the expected standards of conduct
·   Interactions with suppliers, customers, and other external parties that reflect fair and honest dealings
·   Performance appraisals and incentives that reinforce expected standards of behavior consistent with the entity's objectives at all levels of the organization
·   Timely inquiries and investigations into any alleged conduct that is inconsistent with the entity's standards of conduct
·   Corrective action when deviations from expected standards of conduct occur

While this approach can be synonymous with that of establishing standards of conduct when both operate effectively, history has shown instances where organizations define and communicate honorable standards of conduct, yet management does not internalize or exhibit these standards in its conduct, and therefore sets a different tone than what is expected.

Example: Using a Company Newsletter to Reinforce Expectations of Integrity and Ethics

Aerospacial S.A., a small supplier to the aerospace industry, uses its monthly newsletter to employees, outsourced service providers, business partners, and other external parties to emphasize the importance of exercising sound integrity and ethical values. Each edition of the newsletter contains a section related to ethical decision making and consequences of violations of the code. The newsletter draws attention to the multitude of resources available to discuss and resolve ethical issues; it also reports what actions are taken by senior management when the code is violated at any level of the organization. The newsletter illustrates the open dialogue and resolution of issues that is actively promoted by senior management.

Examples of ethical dilemmas are provided, along with suggested resolutions. The newsletter points out that reports of violations originate from a variety of sources, including employees, managers, the company's anonymous hotline, and external parties. Responses range from no action (in cases where the violation is shown not to have occurred) to various levels of discipline, including dismissal.

Finally, the newsletter reminds all Aerospacial S.A. employees—from senior management to entry-level—that as part of their annual performance review they must certify that they have read the company's mission statement and code of conduct and that they comply with policies at all times.

Approach: Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct

Sets the Tone at the Top

Establishes Standards of Conduct

• Evaluates Adherence to Standards of Conduct

Addresses Deviations in a Timely Manner

The board of directors and senior management evaluate adherence to the company's standards of conduct. This is accomplished in a variety of ways, which may include:

·   Assessing results from training and ethics certification processes 


·   Considering anomalies in key performance indicators and internal analytical reviews of operational and financial information that could be a potential indicator of fraudulent financial reporting or other misconduct
·   Considering the results from ongoing and separate evaluations of internal control, which include evaluations of internal control at outsourced service providers and business partners who provide information necessary to produce external financial reporting
·   Analyzing issues and trends from hotlines and help lines made available within the organization that could indicate potential fraud occurrences and other ethical concerns
·   Requesting feedback from meetings held with outsourced service providers and business partners when obtaining financial information or information that impacts the entity's internal control over external financial reporting

Example: Conducting Ethics Audits

The not-for-profit organization Partners for Development conducts scheduled audits to determine whether employees are receiving, understanding, and applying the board-approved standards of conduct. A completeness check is performed to verify that every employee has received and attested to these standards or otherwise provided a specific explanation that is then reviewed and addressed by senior management and the board. The audits also include non-employees and consultants from the organization's IT service provider. The standards consist of three documents: the code of ethics and standards of personal conduct, the compliance policy statement, and the expected standards of conduct.

Partners for Development's purpose in conducting these audits is to determine if there are any shortcomings in understanding or instances of non-compliance and to use those findings to assess and correct any deficiencies in the organization's new-hire orientation, communications, training, and employee review processes. Upholding the organization's standards of conduct is intended to help safeguard against or escalate any instances of fraud, management override, or other illicit transactions and support complete, accurate, and reliable financial reporting to the organization's government sponsors.

Example: Evaluating Misconduct Reported through an Anonymous Hotline

All-World Food Distributors provides an anonymous hotline for employees to report potential fraud and other ethical concerns. The entity engages a third-party service provider to administer the hotline to provide the comfort of anonymity for its employees. This service immediately reports any potentially illegal acts or financial reporting improprieties directly to the company's legal department and audit committee. Issues and trends are analyzed and conclusions are reported to the audit committee of the board.

Approach: Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct

Sets the Tone at the Top
Establishes Standards of Conduct
Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner

Senior management develops and consistently follows a prescribed process and standard to promptly investigate, report, and take action to correct any violations of the standards of conduct occurring at any level of the organization, including outsourced service providers and business partners. The process may include:

·   Having individuals who are independent of the alleged matter conduct the investigation (Note, however, where the deviation is deemed significant—due to the seriousness or pervasiveness of the allegation, degree of management involvement, regulatory interest, etc.—it may be necessary to have a board-led investigation, with a special committee that is independent of management.) 


·   Applying criteria to prioritize deviations (e.g., monetary value, patterns, trends, reputation impact) 


·   Investigating occurrences of possible violations to ensure a thorough understanding of issues and circumstances
·   When applicable, assessing the financial statement impact and determining what internal controls over external financial reporting may have failed to detect the matter
·   Developing appropriate support documentation and reporting
·   Identifying and communicating with anyone under investigation (or after thorough investigation in instances of alleged fraud), and following up on any corrective actions taken to remedy the matter on a consistent and timely basis and according to prescribed company guidelines
·   Restricting access to sensitive information regarding the allegation to individuals authorized to handle the investigation
·   Informing the board of deviations in the application of the standards and any waivers that may have been granted or that are being considered
·   Determining how and when the violation will be communicated and if it will be made public
·   Communicating to all company personnel that appropriate investigation and corrective actions have been taken
·   Depending on the nature and pervasiveness of the deviation that has occurred, establishing remediation activities as needed to make retrospective corrections and forward-looking improvements

Remediation may address accounting corrections needed, process control enhancements, systems development or enhancements, accountability reinforcement, training, revisions to the standards of conduct, providing management, personnel or third parties with increased awareness of the importance of applying the standards, and other actions. The board reviews and approves the adequacy of remediation measures and progress reports.

Example: Taking Action when Deviations Occur

Best Fit Shoes has established policies and procedures to address serious improprieties or illegal acts by employees, such as theft or bribing a new supplier to secure a contract. The policy empowers the legal department to initiate the investigation together with the internal audit department or an external third party in order to understand, document, and report the facts of the alleged matter for evaluation and assessment.

Best Fit's policy clearly states that if such an illegal act or impropriety is confirmed, the company will terminate the employee, revoke all access privileges, and file formal charges with appropriate authorities. The policy also requires the human resources manager to document the situation and its resolution, analyze the root cause of the breach, and implement any additional remedial steps to avoid similar occurrences in the future. Progress reports are regularly provided to the audit committee.

In one instance, when facilitation payments were made to obtain certain contracts, the policy was immediately applied and an investigation was launched. The audit committee was notified and regularly presented with progress updates and the proposed corrective actions for approval.

Footnotes (Demonstrates Commitment to Integrity and Ethical Values):

fn 7 The term "organization" is used to collectively capture the board of directors, management, and other entity personnel as reflected in the definition of internal control.

5. Risk Assessment Chapter Summary

Every entity faces a variety of risks from both external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

Principles relating to the Risk Assessment component

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 


9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Principles and Approaches

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

·   Identifying Financial Statement Accounts, Disclosures, and Assertions
·   Specifying Financial Reporting Objectives
·   Assessing Materiality
·   Reviewing and Updating Understanding of Applicable Standards
·   Considering the Range of Entity Activities

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

·   Applying a Risk Identification Process
·   Assessing Risks to Significant Financial Statement Accounts
·   Meeting with Entity Personnel
·   Assessing the Likelihood and Significance of Identified Risks
·   Considering Internal and External Factors
·   Evaluating Risk Responses

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

·   Conducting Fraud Risk Assessments
·   Considering Approaches to Circumvent or Override Controls
·   Considering Fraud Risk in the Internal Audit Plan
·   Reviewing Incentives and Pressures Related to Compensation Programs

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

·   Assessing Change in the External Environment
·   Conducting Risk Assessments Relating to Significant Change
·   Considering Change through Succession
·   Considering CEO and Senior Executive Changes

Specifies Relevant Objectives

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

·   Complies with Applicable Accounting Standards—Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
·   Considers Materiality—Management considers materiality in financial statement presentation.
·   Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.

Approaches and Examples for Applying the Principle

Approach: Identifying Financial Statement Accounts, Disclosures, and Assertions

• Complies with Applicable Accounting Standards
• Considers Materiality
• Reflects Entity Activities

Management specifies objectives relating to the preparation of financial statements, including disclosures, and identifies significant financial statement accounts based on the risk of material omission and misstatement (which includes consideration of materiality). Management identifies for each account and disclosure relevant assertions, underlying transactions and events, and processes supporting these financial statement accounts. The entity uses financial statement assertions relevant to its financial statement accounts and disclosures.

Example: Linking Accounts, Assertions, and Risks

As part of its risk assessment, the management of A-Middle Equipment, a 900-person manufacturer of heavy-duty transmission equipment, uses the following financial reporting assertions:

·   Existence
·   Completeness
·   Rights and obligations
·   Valuation or allocation
·   Presentation and disclosure

A-Middle's management considers the level of materiality when reviewing the company's activities and interim reports and determining whether all significant risks and accounts have been captured. This information is used as a guideline in focusing on detailed risks within each financial statement line item and disclosure. Further, management also considers non-financial disclosures reported in the company's 10-K. This approach is illustrated on the following page.


Approach: Specifying Financial Reporting Objectives

• Complies with Applicable Accounting Standards
Considers Materiality
Reflects Entity Activities

Management specifies a high-level financial reporting objective that forms the basis for all other sub-objectives. In specifying objectives, management has documented objectives that are specific, measurable, attainable, relevant, and time-bound (SMART). Management, as part of internal control, assesses whether the objectives are consistent with accounting principles that are relevant for that entity and appropriate in the circumstances.

Example: Specifying Objectives

Management and the board of directors of H2O To Go, a bottled water company, set as the entity's broad external financial reporting objective to prepare reliable financial statements in accordance with US Generally Accepted Accounting Principles (GAAP). Management subsequently specified the suitable financial reporting objectives and sub-objectives for all significant accounts and activities of H2O To Go's worldwide business, including sales, purchasing, and treasury. These objectives and sub-objectives include accounting policies, financial statement assertions, and qualitative characteristics relating to its accounts and activities. For instance, management has specified objectives relating to:

·   Sales existence and completeness financial statement assertions for all sales transactions recorded during the period (fn 11)
·   Purchasing completeness and accuracy financial statement assertions for all purchasing transactions recorded during the period
·   Treasury valuation and allocation financial statement assertions for all investments held and recorded as of period end

Annually, finance management reviews these objectives and sub-objectives for ongoing relevance and suitability with respect to the company's accounts and activities. Where changes are expected to occur—for instance, the adoption of a newly published accounting standard or guidance or a new commercial event or trend—appropriate management communicates the need to reconsider these objectives to those responsible for the objective-setting process.

Example: Assessing the Suitability of Specified Objectives

The management of Valley Services, a supplier of high-end home theatre systems, set as the entity's broad financial reporting objective to prepare reliable financial statements in accordance with International Financial Reporting Standards (IFRS). This objective was cascaded into various areas of Valley Services' business, including sales.

Within the sales process, management accepts deposits from one frequent customer, Hall Electronics, which relate to the purchase of several home theater systems. Valley Services sets aside the theater systems in its inventory until Hall Electronics requests delivery, usually within thirty days. Valley Services must either refund the cash to Hall Electronics or provide a replacement home theater system if a system is damaged or lost prior to delivery.

Management had previously established a policy where revenue was recognized upon payment for goods, regardless of whether the goods were delivered. In assessing the suitability of the objectives specified for financial reporting, the controller, Alex Robertson, determined that this policy may not be in accordance with IFRS. Consequently, he requested senior management to review this policy in conjunction with the objective-setting process. In addition, he advised the internal audit group, which then monitored the resolution of this matter.
Approach: Assessing Materiality

Complies with Applicable Accounting Standards
• Considers Materiality
Reflects Entity Activities

Management assesses materiality of significant accounts, considering both quantitative and qualitative factors. In conducting this assessment, management may consider factors such as:


·   Who uses the financial statements (i.e., creditors, stockholders, suppliers, employees, customers, regulators)
·   Size of financial statement elements (i.e., current assets, current liabilities, total assets, total revenues, net income) and financial statement measures (i.e., financial position, financial performance, and cash flows)
·   Uniqueness of the transaction(s)
·   Difficulty in valuing the balance or specific transactions
·   Trends (i.e., earnings, revenues, cash flows)

Example: Assessing Materiality for a Private Company Financial Statement

The management of Bottomer Holdings, a private owner and renter of residential apartments, recently installed coin-operated laundry facilities in several of its buildings. A contractor installed and maintains the machines and will be paid a monthly amount plus a percentage of revenue earned through laundry services.

Looking at this new source of potential revenue relative to the income statement, Bottomer Holdings considered the effect on its total revenues and net income and has now concluded that the laundry revenue is expected to generate $150,000 to $200,000 of revenue per year.

Management has considered the overall materiality of this account using the quantitative measure of $500,000. Management also considered other qualitative factors and determined that this new source of income would:


·   Not change a loss into income—the company has been profitable over the past five years. 


·   Not impact compliance with loan covenants and other contractual agreements—none of the mortgages 
on the buildings would require changes in loan repayment rates based on higher income levels. 


·   Not impact management's compensation, including on-site property management staff—the additional 
income would have an insignificant impact on the management bonus plan. 
Based on the assessment, management has concluded that the new source of income is not material to the overall financial statement presentation. Accordingly, in specifying its external reporting objectives, management has incorporated this new source of revenue into its overall revenue objectives as determined by Generally Accepted Accounting Principles but has not set out new, unique objectives for laundry-related revenue. 
Approach: Reviewing and Updating Understanding of Applicable Standards 
• Complies with Applicable Accounting Standards
Considers Materiality
Reflects Entity Activities 
Management reviews publications from professional bodies for updates in accounting pronouncements relevant to the business. Periodically, management presents to the audit committee an analysis of changes released or emerging issues that may significantly impact financial reporting and notes any significant differences from accounting policies of similar entities. For entities that have multiple reporting obligations, such as statutory reporting in international locations, management assesses the requirements relative to the respective divisions or operating units. 
Example: Reviewing Financial Accounting Policies 
Celia Mendez is the controller of a $100 million biotechnology company. She reviews its accounting principles by considering: 


·   Policies selected that are acceptable according to the applicable standards (US GAAP) 


·   Situations where multiple acceptable alternatives are available and the rationale for selecting one policy over another 


·   Differences in its accounting policies from those of its peers 
Management discusses significant accounting policies with the audit committee on an annual basis. 
Example: Reviewing and Updating Understanding of Applicable Standards 
The management of Middle Ocean Inc., an $800 million industrial products company, regularly reviews the publications from professional bodies for updates in accounting pronouncements relevant to its business. The controller, Sandy Wong, and the CFO, Fred Jazbowski, also subscribe to and review periodic email updates on standards that may be of interest. Each quarter Ms. Wong presents to the company's audit and disclosure committees, which consist of key management members, her analysis of any changes that will immediately impact financial reporting, and any emerging issues that may impact financial reporting in the future. As part of her standard procedures and before any change is implemented, Ms. Wong also communicates to these two committees what impact any updated or new standard will have on the company's financial statements, systems, and processes. 
Example: Reviewing and Updating Statutory Reporting Requirements 
Fred DeQuincy is the local controller of an international subsidiary of a multi-billion-dollar consumer products company. In his annual reviews of the accounting principles used for statutory reporting, Mr. DeQuincy considers the following: 


·   Consistency with the company's consolidated accounting standards 


·   Required differences as a result of the adherence to different standards 


·   Where differences are required, the alternatives that are available and the rationale for selecting one policy over another 


·   Where differences are required, identifying the policies selected by other companies within an identified peer group 
Once he has completed his review, Mr. DeQuincy communicates the differences and the rationale for selection to the corporate controller. 
Approach: Considering the Range of Entity Activities 
Complies with Applicable Accounting Standards
Considers Materiality
• Reflects Entity Activities 
Management, with the oversight of the audit committee, considers the range of the entity's activities to assess whether all material activities are appropriately captured in the financial statements. Management considers whether the presentation and disclosure of the financial statements enable the intended users to understand these material transactions and events. 
Example: Considering the Range of Entity Activities 


Build Free Co. produces large-building products. The management of Build Free reviews its financial statements on a quarterly basis. The purpose is twofold:

·   To ensure all significant activities are included 


·   To analyze its various business units for new and discontinued product developments and changes in the company's markets, ensuring that they are conveyed appropriately in the financial statements 
In addition, the audit committee discusses with management how any significant activities that it is aware of will be included in the financial statements. 
Footnotes (Approaches and Examples for Applying the Principle):
fn 11 For purposes of this example, not all relevant financial statement assertions have been included. 

Identifies and Analyzes Risks 
Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 
Points of Focus 
The following points of focus highlight important characteristics relating to this principle: 


·   Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. 


·   Analyzes Internal and External Factors—Risk identification considers both internal and external factors and their impact on the achievement of objectives. 


·   Involves Appropriate Levels of Management—The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management. 


·   Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes estimating the potential significance of the risk. 


·   Determines How to Respond to Risks—Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk. 
Approaches and Examples for Applying the Principle 

Approach: Applying a Risk Identification Process
• Includes Entity, Division, Operating Unit, and Functional Levels
Analyzes Internal and External Factors
• Involves Appropriate Levels of Management
Estimates Significance of Risks Identified
Determines How to Respond to Risks 


Management's risk assessment includes a risk identification process that identifies risks of material omission and misstatement, and the likelihood that those risks occur, for the relevant financial statement assertions of each significant account and disclosure. In preparing this analysis, management considers the business processes and business units supporting financial statement accounts and disclosures. The process of identifying the supporting business units includes discussions with each business unit or process leader. It also includes identifying the information technology systems that support those business processes that are relevant to the external financial reporting objectives.

Example: Analyzing Risk across Functions

Lionel Tetrault is the CFO of Shark Tank Co., a firearms manufacturer. He convenes a working session of the department heads of marketing, production, information technology, human resources, and administration to perform a risk analysis by functional department. Risks are rated from 1 (least risk) to 5 (most risk) based on potential impact on financial reporting and likelihood of occurrence. After the discussion sessions, the participants document the results in a table that outlines each specific risk together with the rating and factors contributing to the rating.

For example, the risk of material omission and misstatement due to revenue recognition was rated as 4 (medium-high). Contributing to this assessment was consideration of the likelihood and impact of the organization failing to:

·   Transfer ownership on specific sales in accordance with revenue recognition accounting standards for goods sold on consignment 


·   Account for complex sales promotions and discounts completely and accurately 


·   Update IT systems to account for complex revenue transactions that could lead to inappropriate recognition of revenue 
Approach: Assessing Risks to Significant Financial Statement Accounts 
Includes Entity, Division, Operating Unit, and Functional Levels
• Analyzes Internal and External Factors
Involves Appropriate Levels of Management
• Estimates Significance of Risks Identified 
Determines How to Respond to Risks 
Management identifies risks to the achievement of financial reporting objectives by considering risk factors related to each significant financial statement account and the associated financial statement assertions. The process of identifying and analyzing risk considers both quantitative and qualitative factors, including the following: 


·   Impact on Financial Statement Accounts—The potential impact on financial reporting objectives is measured quantitatively. Each account is assessed in relation to its respective category, such as total assets or revenues. Management also qualitatively assesses the potential for certain accounts to be understated. Considering the quantitative and qualitative characteristics, management categorizes accounts as high, medium, or low, based on their impact on the financial statements. Where risks vary by sub-account, management considers risk at that level. 


·   Account Characteristics—Management considers internal factors such as volume of transactions through an account, judgment required, and complexity of accounting principles. Management also considers external factors such as economic, competitive, and industry conditions; the regulatory and political environment; any new regulations affecting the account; and changes in technology, supply sources, customer demands, or creditor requirements.

·   Business Process Characteristics—Management identifies business processes that generate transactions in each of the financial statement accounts, considering factors such as complexity of the process, centralization versus decentralization, IT systems supporting the process, changes made or new processes added, and interaction with external parties such as vendors, creditors, shareholders, or customers. 


·   Fraud Risk—For susceptible accounts, management assesses the risk of misstatements due to fraud. fn 12 


·   Entity-Wide Factors—Management considers internal entity-wide factors such as the nature of the company's activities, employees' access to assets, number and quality of personnel and levels of training provided, changes in information systems, and organizational changes (e.g., changes in senior personnel or responsibilities). These factors are considered in relation to their effect on account characteristics, business process characteristics, and fraud risk. 
Example: Assessing Risks to Significant Financial Statement Accounts 
The management of Bachmann Tools, a hand tool importer, manufacturer, and distributor, identifies risks to the achievement of financial reporting objectives by considering risk factors related to each significant financial statement account and disclosure item. The criteria used for assessing risk are similar to those shown above in Approach: Assessing Risks to Significant Financial Statement Accounts. Management also links each account balance to financial statement assertions. 
The resulting risk assessment is illustrated below. (Note: Additional detail underlying the risk assessment would typically be present supporting this analysis. For purposes of this example the summary of the assessment is provided.) 


Ratings: H = high, M = medium, L = low. The "As % of Total" column (fn 13) is stated against total assets (balance sheet) or total revenue (income statement). The Relevant Assertions column (fn 14) lists the check marks as extracted; for rows with fewer than five marks, the assignment of each mark to the E, C, V/A, R&O, and P&D columns was lost in extraction.

Financial Statement Account/Disclosure | As % of Total (fn 13) | Impact on F/S | Account Characteristics | Business Process Characteristics | Fraud Risk | Entity-wide Factors | Overall Rating | Relevant Assertions (fn 14: E, C, V/A, R&O, P&D)

BALANCE SHEET

ASSETS
Cash & Cash Equivalents | 6% | M | H | M | H | M | H | ✓✓✓✓✓
Accounts Receivable | 30% | H | H | H | H | L | H | ✓✓✓✓✓
Prepaid Expenses | 4% | L | M | L | L | L | L | ✓✓✓✓✓
Inventory | 35% | H | M | M | M | L | M | ✓✓✓✓✓
Property & Equipment | 15% | H | L | L | L | L | L | ✓✓✓✓✓
Intangible Assets | 10% | H | M | M | M | M | M | ✓✓✓✓✓
Total Assets | 100% | | | | | | |

LIABILITIES
Accounts Payable | 25% | H | H | L | M | L | M | ✓✓✓✓✓
Accrued Expenses | 15% | H | M | M | H | L | H | ✓✓✓✓✓
Warranty | 15% | H | M | M | M | L | M | ✓✓✓✓✓
Long-Term Debt | 10% | H | L | L | L | L | M | ✓✓✓✓✓
Total Liabilities | 65% | | | | | | |

SHAREHOLDERS' EQUITY
Common Stock | 5% | M | M | M | L | L | L | ✓✓✓✓✓
Retained Earnings | 30% | H | L | L | L | L | M | ✓✓✓✓✓
Total Liabilities and Equity | 100% | | | | | | |

INCOME STATEMENT

REVENUES
Product Sales | 85% | H | H | H | H | M | H | ✓✓✓
Repair Services | 15% | H | H | M | M | M | H | ✓✓✓
Total Revenue | 100% | | | | | | |

Cost of Goods | 40% | H | H | H | H | M | H | ✓✓✓

OPERATING EXPENSES
Compensation & Related Benefits | 28% | H | H | H | M | L | M | ✓✓ ✓
Marketing & Selling Expenses | 7% | M | M | L | L | L | M | ✓✓ ✓
G&A Expense | 3% | L | M | L | L | L | L | ✓✓ ✓
Depreciation & Amortization | 2% | L | M | M | L | L | L | ✓
Total Operating Expenses | 40% | | | | | | |

OTHER EXPENSES
Interest Income/(Expense) | 5% | L | L | M | L | L | M | ✓✓ ✓
Income Taxes Expense | 5% | L | M | H | M | L | H | ✓✓ ✓
Net Income | 10% | | | | | | |
Total, as percent of Revenue | 100% | | | | | | |

Example: Using Risk Ratings

The management of Sure Health Care has developed a rating system to show general measures and trends of relevant risks. It now uses the ratings to determine which processes require more in-depth attention. The relevance of the financial reporting assertions for the related accounts is also considered. Management reviews the identified risks and provides a rating based on the inherent and residual risks to the entity; it updates these ratings periodically.

The information technology managers of Sure Health Care meet with finance personnel every month to discuss processes, changes, and projects in each functional area relating to financial reporting. The meetings are used to update team members and discuss issues or changes to the processes. Additionally, management meets with outside legal counsel every quarter to discuss the effects of any external regulatory changes that may impact financial reporting.

The ratings are as follows:

·   High—Critical processes that require in-depth documentation, including a matrix to describe identified risks and controls that mitigate these risks. Process maps and narratives are also developed to describe the flow of transactions and to identify control points. Controls are identified as preventive or detective, and manual or computer-based. Policies and procedures that guide employees in applying control activities are identified. 


·   Medium—Processes for which management prepares process documentation that includes a matrix to describe identified risks and controls that mitigate the risks. Process maps and narratives are developed where applicable at a high level. Policies and procedures are identified and documented, but in less formal, summary form. 


·   Low—Processes that require minimal process documentation, which identify policies and procedures and applicable controls. 
Approach: Meeting with Entity Personnel 
• Includes Entity, Division, Operating Unit, and Functional Levels
Analyzes Internal and External Factors
• Involves Appropriate Levels of Management
Estimates Significance of Risks Identified 
Determines How to Respond to Risks
Key finance personnel meet regularly with: 


·   Executive management to identify initiatives, commitments, and activities affecting risks to financial reporting 


·   Information technology personnel to monitor changes in information technology that may affect risks related to financial reporting 


·   Human resources staff to identify and assess how changes in personnel and movement in positions may affect competencies needed for internal control over external financial reporting 


·   Legal counsel to stay abreast of legal and regulatory changes 


·   Other members of the entity as areas of focus are identified by executive management 
Example: Analyzing Risk for Information Technology 
McFayden Inc. is a spirits distillation and distribution company with a dedicated information technology department. Risk assessment is driven by the number and complexity of applications that support the financial reporting process. This approach helps the company establish which information systems management relies on for financial reporting. Prior to implementing new systems, and whenever significant changes to existing systems are planned, McFayden Inc. takes the following steps: 


·   IT personnel meet with the business process owners to consider IT process–related risks. At these meetings, IT personnel learn how application data is used in the financial reporting process, identify risks of inaccurate or incomplete processing, and consider existing general computer controls in determining whether computer application controls or related user controls need to be enhanced. 


·   Relevant IT staff, along with business process owners, map the related applications to the operating systems, databases, and supporting IT processes, and consider inherent risks and what improvements are needed. 


·   IT personnel with relevant experience review opportunities to automate manual controls to improve efficiency. 


·   IT discusses activities with finance personnel.
Approach: Assessing the Likelihood and Significance of Identified Risks 
Includes Entity, Division, Operating Unit, and Functional Levels
Analyzes Internal and External Factors
Involves Appropriate Levels of Management
• Estimates Significance of Risks Identified
• Determines How to Respond to Risks 
Management analyzes the significance of identified risks based on the likelihood of the risk occurring and the inherent risk of a material omission and misstatement to the entity's external financial reporting objectives. Based on the outcomes of the analysis, management determines how to manage the risks to a tolerable level. 
Example: Identifying and Responding to Risk 
A social service organization with significant amounts of federal funding and operations in several foreign countries prepares an annual risk assessment of its financial reporting processes in each country. Risk factors considered include the following: 


·   Size of program and growth/downsizing 


·   Nature of funding in the country and types of program (federal or local) 


·   Nature of transactions 


·   Quality and timeliness of reporting (program and accounting) 


·   Quality of management and turnover (finance and program) 


·   Results of prior year's internal, external, and statutory audits 


·   Perception of country's political, social, and economic environment 


·   Oversight provided by funding sources in the countries 
The risk assessment is prepared by the CFO, Gerald Timewell, and the COO, Inga Karran, with input from many others within the organization. The resulting assessment, for financial reporting purposes, considers the above risk factors in determining the significance of risks of material omission and misstatement related to the financial reporting assertions. For instance, management increased the assessed risk relating to existence of federal funding revenue from moderate to high after considering that there is: 


·   Uncertainty over the ongoing viability of funding programs in some foreign countries 


·   Irregular timing of funding payments in some foreign countries 


·   Weaknesses noted in a recent internal audit review 


Based on this risk assessment, Mr. Timewell and Ms. Karran develop preliminary positions on the risk response. These determinations are key inputs into determining required control activities.

Example: Using Benchmark Data to Assess Significance and Response to Risk

A pet food retailer, Best Bits, uses benchmarking to assess losses of physical inventory from theft. The shrink percentage is defined as the value of lost physical inventory divided by net sales; the amount of physical loss is determined through a physical inventory count.

The company is currently examining ways to improve its risk response by reducing the significance of the risk, that is, by lowering either its likelihood or its impact. Given the company's current level of losses (1.6% of net sales), simply accepting the risk is not an acceptable response, so management elects to implement control activities that reduce the likelihood of losses and detect losses sooner.

Best Bits management also notes the level of losses other companies incur due to shrinkage. The figure below shows the shrinkage for several other similar companies within a benchmark group. Best Bits’ losses are noted underneath for comparison.

Using the data provided in this analysis, management believes that a loss rate target of 1.3% (the top of the second quartile of the benchmark group) is suitable for the company, and additional control activities are developed within the receiving and shipping process (as part of the Control Activities component). Further, management increases the frequency of physical inventory counts to quarterly to improve the accuracy of financial reporting.
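The shrink benchmark above, worked through in code as an added example; this is editorial illustration, not code from the page or from Best Bits. The page gives only the 1.6% current rate and the 1.3% target and shows the peer group as a figure that is not reproduced here, so the eleven peer rates, the $16,000 loss on $1,000,000 of net sales, and the choice of the "inclusive" quartile method are assumptions. Lower shrink is better, so quartile 1 is the best-performing group and "top of quartile 2" is the median cut point.

```python
import statistics

# Constructed peer benchmark data, in percent of net sales (an assumption;
# the page's benchmark figure is not reproduced). Chosen so the worked
# numbers match the text: a median of 1.3% and an upper cut point of 1.6%.
PEER_SHRINK_RATES = [1.4, 0.9, 2.1, 1.0, 1.7, 1.1, 1.3, 0.8, 1.9, 1.2, 1.5]


def shrink_percentage(lost_inventory_value: float, net_sales: float) -> float:
    """Shrink % = value of physical inventory lost / net sales, in percent."""
    if net_sales <= 0:
        raise ValueError("net sales must be positive")
    return 100.0 * lost_inventory_value / net_sales


def benchmark_quartiles(peer_rates: list[float]) -> tuple[float, float, float]:
    """Return the (Q1, Q2, Q3) cut points of the peer group.

    The 'inclusive' method treats the peer set as the whole population rather
    than a sample drawn from one, which is what a benchmark group is.
    """
    if len(peer_rates) < 4:
        raise ValueError("need at least four peers to form quartiles")
    q1, q2, q3 = statistics.quantiles(peer_rates, n=4, method="inclusive")
    return q1, q2, q3


def quartile_of(rate: float, cuts: tuple[float, float, float]) -> int:
    """Which peer quartile (1 = lowest shrink, i.e. best) a rate falls into."""
    q1, q2, q3 = cuts
    if rate <= q1:
        return 1
    if rate <= q2:
        return 2
    if rate <= q3:
        return 3
    return 4


def target_rate(cuts: tuple[float, float, float], quartile: int = 2) -> float:
    """Upper boundary of the chosen quartile; 'top of quartile 2' is the median."""
    if quartile not in (1, 2, 3):
        raise ValueError("only quartiles 1-3 have an upper cut point")
    return cuts[quartile - 1]


def assess_count(lost_inventory_value: float, net_sales: float,
                 target: float) -> dict:
    """Evaluate one physical count against the target rate.

    Run after each count (quarterly in the text) so a drift above target is
    seen within the quarter rather than at year end.
    """
    rate = shrink_percentage(lost_inventory_value, net_sales)
    return {
        "shrink_pct": round(rate, 3),
        "target_pct": round(target, 3),
        "exceeds_target": rate > target,
        "gap_pct": round(rate - target, 3),
    }


if __name__ == "__main__":
    cuts = benchmark_quartiles(PEER_SHRINK_RATES)
    # Constructed count result: $16,000 of inventory lost on $1,000,000 net sales.
    current = shrink_percentage(16_000, 1_000_000)
    target = target_rate(cuts, quartile=2)
    print(f"peer cut points Q1/Q2/Q3: {cuts}")
    print(f"current shrink {current:.2f}% sits in quartile {quartile_of(current, cuts)}")
    print(f"target (top of quartile 2): {target:.2f}%")
    print(assess_count(16_000, 1_000_000, target))
```

The quartile cut points, not the peer average, drive the target: a target set at the median is reachable by half the peer group, which is the argument the text makes for 1.3% rather than for a best-in-class figure. Re-running assess_count after every quarterly count is what turns the benchmark into a detective control.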

Approach: Considering Internal and External Factors

Includes Entity, Division, Operating Unit, and Functional Levels
• Analyzes Internal and External Factors
Involves Appropriate Levels of Management
• Estimates Significance of Risks Identified
Determines How to Respond to Risks

Management considers external factors that may impact the ability to achieve financial reporting objectives, such as:

·   Economic changes 


·   Natural or human-caused catastrophes or environmental changes 


·   New standards 


·   Changes to laws and regulations 


·   Changing customer demands 


·   Technological developments 
Management considers internal factors that may impact the entity's ability to achieve its financial reporting objectives, such as: 


·   Use of capital resource determinations 


·   Change in management responsibilities 


·   Personnel hiring and training considerations 


·   Employee accessibility to assets 


·   Internal information technology changes 
Where these factors are noted, management also considers—in conjunction with the Information and Communication principles—whether some form of internal and/or external communications are needed. 
Example: Analyzing Risks from External Factors 
As CEO of global technology company World Find, Derek Burtnyk makes time for a quarterly discussion on emerging financial accounting standards with each of the company's regional controllers. These discussions focus on potential and announced changes occurring within each jurisdiction, and whether these would require changes to the company's technology systems. 
Based on the insights gathered from those discussions, Mr. Burtnyk provides feedback to the various department leaders of World Find. In turn, the department heads use this information to identify additional information requirements and potential technology changes. 
In one instance, World Find determined that the accounting requirements for a new value-added tax in one jurisdiction could impact operations in that jurisdiction as well as two other jurisdictions that interact with it. Based on this assessment, management commenced a project to further refine the assessment of the risks related to the accounting of the new commodity tax, which then served as a basis for how to respond to those specific risks. 
Example: Considering Changes in Information Systems 
Paula Wing is the CEO of a specialty resin company with operations in nine countries. She continually reviews risks to the company by leading monthly staff meetings at which she asks senior managers to comment on any new risks identified, including those related to changes in systems, personnel, processes, or activities. Ms. Wing discusses any insights she has on risks facing the company, including those that impact financial reporting. As a team, Ms. Wing and the senior managers develop the needed risk responses. 
Approach: Evaluating Risk Responses 
Includes Entity, Division, Operating Unit, and Functional Levels
Analyzes Internal and External Factors
Involves Appropriate Levels of Management 
Estimates Significance of Risks Identified
• Determines How to Respond to Risks

Management considers a variety of risk responses—avoid, accept, reduce, share—when evaluating whether risks are reduced to an acceptable level. In this process, management may consider unique risks related to financial reporting or a combination of risks. Management may also consider how risk responses impacting the five components of internal control interact to reduce risk to an acceptable level.

Example: Considering Risk Response in a Revenue Process

Bailey Campbell, the controller for Center Bay Packaging, assesses the risk relating to completeness of revenue. The company has grown over the past five years and now has annual revenues in excess of $50 million. Currently, Center Bay relies on a paper-based bill-of-lading system. Delivery is deemed to have occurred when the bill of lading is signed by the customer as evidence that the goods have been received.

Ms. Campbell has noted instances in the past year where shipping documentation was not provided to the finance department in a timely manner, sometimes as late as two weeks after the shipment was completed. These delays have resulted in misstatement of revenue. Ms. Campbell has determined that the risk related to revenue completeness needs to be further reduced, and so she has decided to implement a bar-code scanner shipping system to track and capture shipments and revenue.

Footnotes (Approaches and Examples for Applying the Principle):
fn 12 As noted in Principle 8, identifying and analyzing fraud risks are integral parts of the risk assessment process.

fn 13 Note: Each heading used in this table is explained above in Approach: Assessing Risks to Significant Financial Statement Accounts.

fn 14 Existence, Completeness, Valuation or Allocation, Rights and Obligations, and Presentation and Disclosure

Assesses Fraud Risk

Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

·   Considers Various Types of Fraud—The assessment of fraud risk considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur. 


·   Assesses Incentives and Pressures—The assessment of fraud risk considers incentives and pressures. 


·   Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts. 


·   Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. 


Approaches and Examples for Applying the Principle

Approach: Conducting Fraud Risk Assessments

• Considers Various Types of Fraud
Assesses Incentives and Pressures
• Assesses Opportunities
• Assesses Attitudes and Rationalizations

Management conducts a comprehensive fraud risk assessment to identify the various ways that fraud and misconduct can occur, considering:

·   The degree of estimates and judgments in external financial reporting 


·   Methodology for recording and calculating certain accounts (e.g., inventory) 


·   Fraud schemes and scenarios that are common to the industry sectors and markets in which the entity operates 


·   Geographic regions where the entity does business 


·   Incentives that may motivate fraudulent behavior 


·   Nature of automation 


·   Unusual or complex transactions subject to significant management influence 


·   Last-minute transactions 


·   Vulnerability to management override and potential schemes to circumvent existing control activities 
From these considerations, management makes an informed assessment of specific areas where fraud might exist and the likelihood of their occurrence and potential impact. 
Example: Assessing Fraud Risk 
David Kates, the chief compliance officer at a global retail operation, annually conducts a fraud risk assessment. In doing so, he interviews management at all the international locations about fraud issues. He analyzes: 


·   Historical fraud activities, including theft of inventory and the processes in place to identify and record such theft 


·   The methodology used for recording and calculating inventory and shrinkage 


·   Whistle-blower reports 


·   The number of manual entries versus automated entries recorded 


·   The number of late entries due to subjective estimates 
With this information, Mr. Kates forms a preliminary view of the potential fraud activities, which he discusses with management of each jurisdiction in order to consider implications and what control activities can reduce the risk of fraud. He also has discussions with human resources personnel and reviews information in the staff files. He uses his historical knowledge and staff information to assess the attitude of the local management toward the tolerance of fraud and to determine whether local management may rationalize fraudulent activities, including corruption. 
After completing his fraud risk assessment, Mr. Kates submits a report to the audit committee for its consideration in management oversight. 


Approach: Considering Approaches to Circumvent or Override Controls

• Considers Various Types of Fraud
Assesses Incentives and Pressures
• Assesses Opportunities
Assesses Attitudes and Rationalizations

In identifying and evaluating the presence of entity-wide controls that address fraud, management considers how individuals might circumvent or override controls intended to prevent or detect fraud. Entity personnel, including management, may intentionally override controls in a number of ways, including:

·   Recording fictitious business events or transactions 


·   Changing the timing of recognition of legitimate transactions (particularly those recorded close to the end of an accounting period) 


·   Establishing or reversing reserves to manipulate results 


·   Altering records and terms related to significant or unusual transactions 
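The override indicators listed above, together with the counts Mr. Kates collects in the preceding example (manual versus automated entries, late entries), can be turned into a first-pass screen over a journal-entry extract. The following is an added example written for this page, not code from the page or from any company it describes. The fiscal period end, the general-ledger account numbers, the three-day "close to period end" window, and the five sample entries are all constructed assumptions; a real screen would read the extract from the ledger and use the entity's own chart of accounts.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed fiscal period end, a hypothetical set of reserve/accrual GL
# accounts, and a window for "close to the end of an accounting period".
# All three are assumptions, not data from the page.
PERIOD_END = date(2024, 12, 31)
RESERVE_ACCOUNTS = {"2150": "Warranty reserve", "2160": "Bad-debt allowance"}
PERIOD_END_WINDOW_DAYS = 3


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    source: str         # "manual" (keyed by a person) or "automated" (system batch)
    posted_on: date     # calendar date the entry reached the ledger
    effective_on: date  # accounting date the entry is recorded against
    account: str
    amount: float
    description: str


# Constructed sample journal extract, not real ledger data.
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", "automated", date(2024, 12, 15), date(2024, 12, 15),
                 "4000", 12_500.00, "Daily sales interface batch"),
    JournalEntry("JE-002", "manual", date(2024, 12, 30), date(2024, 12, 30),
                 "2150", -80_000.00, "Release warranty reserve"),
    JournalEntry("JE-003", "manual", date(2025, 1, 6), date(2024, 12, 31),
                 "4000", 45_000.00, "Accrue December shipments"),
    JournalEntry("JE-004", "manual", date(2024, 11, 10), date(2024, 11, 10),
                 "6100", 3_200.00, "Reclass office expense"),
    JournalEntry("JE-005", "automated", date(2025, 1, 2), date(2025, 1, 2),
                 "5000", 7_000.00, "Payroll interface"),
]


def entry_flags(e: JournalEntry, period_end: date = PERIOD_END) -> list[str]:
    """Return the override indicators from the text that apply to one entry."""
    flags = []
    if e.source == "manual":
        flags.append("manual")
    window_start = period_end - timedelta(days=PERIOD_END_WINDOW_DAYS)
    if window_start <= e.effective_on <= period_end:
        flags.append("period_end_window")      # timing close to period end
    if e.posted_on > period_end and e.effective_on <= period_end:
        flags.append("back_dated")             # posted after close, into the closed period
    if e.account in RESERVE_ACCOUNTS:
        flags.append("reserve_account")        # establishing or reversing reserves
    return flags


def screen_entries(entries, period_end: date = PERIOD_END) -> dict:
    """Manual/automated and late-entry counts plus a review queue.

    An entry enters the queue when it carries a timing or reserve indicator;
    a manual entry with no other indicator is counted but not queued.
    """
    manual = automated = late = 0
    queue = {}
    for e in entries:
        flags = entry_flags(e, period_end)
        if "manual" in flags:
            manual += 1
        else:
            automated += 1
        if "period_end_window" in flags or "back_dated" in flags:
            late += 1
        if any(f in flags for f in ("period_end_window", "back_dated", "reserve_account")):
            queue[e.entry_id] = flags
    return {"manual": manual, "automated": automated, "late": late,
            "review_queue": queue}


if __name__ == "__main__":
    result = screen_entries(SAMPLE_ENTRIES)
    print(f"manual={result['manual']} automated={result['automated']} late={result['late']}")
    for entry_id, flags in result["review_queue"].items():
        print(f"{entry_id}: {', '.join(flags)}")
```

The screen is deliberately a prioritisation aid, not a verdict: every queued entry is a legitimate business event until someone reads its support. Its value is that the two entries it surfaces here are exactly the patterns the text names (a reserve release in the last days of the period, and a revenue accrual posted after close but dated into the closed period), while the ordinary manual reclass in November is counted toward the manual-versus-automated ratio without consuming review time.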
Example: Maintaining Oversight 
The audit committee of Marker's Medical Supply Company takes the issue of management override of controls very seriously. Consequently, every quarter the committee reviews the fraud risk assessment process. In doing so, the members of the audit committee: 


·   Maintain an appropriate level of skepticism 


·   Discuss management's assessment of fraud risks 


·   Use the code of conduct to assess financial reporting culture 


·   Ensure the entity has a robust whistle-blower program 


·   Develop a broad information and feedback network 
In addition, the audit committee asks the chief audit executive about: 


·   What fraud risks are being monitored by the internal audit team on a periodic or regular basis 


·   What specific procedures internal audit performs to address management override of internal controls 


·   Whether anything has occurred that would lead internal audit to change its assessment of the risk of management override of internal controls 
With this information in hand, the audit committee discusses with the full board and senior management any concerns that need added management focus. 
Approach: Considering Fraud Risk in the Internal Audit Plan 
• Considers Various Types of Fraud
Assesses Incentives and Pressures
Assesses Opportunities
Assesses Attitudes and Rationalizations 


The chief audit executive incorporates results of the fraud risk assessment into the internal audit plan. He or she reviews and confirms that the internal audit plan addresses relevant risks.

Example: Identifying and Analyzing Risk of Material Omission and Misstatement Due to Fraud

Divisional controllers at Maxwell's, a 24,000-employee consumer products company with locations in several countries, work with business unit leaders to identify and assess potential fraud risks. These risks are prioritized and categorized into various components, including risks of inventory theft, manipulation of data and bias in the development of accounting estimates, and other potential means of overriding controls. Internal audit reviews the resulting fraud risks and provides its point of view. In addition, the company meets with its external auditor to discuss the fraud risks to determine if there are others that should be under consideration. Business unit management plans responses and then selects and develops controls to mitigate these fraud risks. fn 15

Approach: Reviewing Incentives and Pressures Related to Compensation Programs

Points of focus (• = addressed by this approach):
Considers Various Types of Fraud
• Assesses Incentives and Pressures
Assesses Opportunities
Assesses Attitudes and Rationalizations

Management considers how personnel may rationalize behavior regarding evaluations, compensation, or employment. The board and management review the entity's compensation programs and performance evaluation process to identify potential incentives and pressures for employees to commit fraud. This review considers how meeting, or not meeting, financial reporting targets potentially impacts an individual's evaluation, compensation, and continued employment.

Example: Analyzing Compensation Structure

The compensation committee of the board of directors of Schmidt Auto, a global automotive supplier, annually reviews the executive officer compensation packages with the audit committee, chairperson, and chief auditor. To determine the incentives to management, the following items are discussed:

·   Thresholds for significant changes in compensation 


·   Mix of total compensation versus incentive compensation 


·   Structure of compensation compared with industry peers 


·   Mix of long-term compensation compared with short-term incentives 
After these discussions for Schmidt Auto's last fiscal year, the board determined that the CFO's incentive compensation, 80% of which was based on the current year's net revenue, was too high and focused too much on the short term. The compensation committee subsequently restructured the incentive compensation so that only 40% is derived from the current year's net revenue. 
Footnotes (Approaches and Examples for Applying the Principle): 
fn 15 This example is continued in Chapter 6, Monitoring Activities, to illustrate how monitoring activities may assess whether controls to effect principles in the risk assessment are deployed as intended (see page 149). 


6. Control Activities Chapter Summary

Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

Principles relating to the Control Activities component

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Principles and Approaches

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Approaches:

·   Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities
·   Implementing or Monitoring Control Activities when Outsourcing to a Third Party
·   Considering the Types of Control Activities
·   Considering Alternative Control Activities to the Segregation of Duties
·   Identifying Incompatible Functions

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

Approaches:

·   Using Risk and Control Matrices to Document Technology Dependencies
·   Evaluating End-User Computing
·   Implementing or Monitoring Control Activities when Outsourcing IT Functions to a Third Party
·   Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties
·   Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data
·   Administering Security and Access
·   Applying a System Development Life Cycle over Packaged Software
·   Applying a System Development Life Cycle over Software Developed In-House

12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Approaches:

·   Developing and Documenting Policies and Procedures
·   Deploying Control Activities through Business Unit or Functional Leaders
·   Conducting Regular and Ad Hoc Assessments of Control Activities

Selects and Develops Control Activities
Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks

to the achievement of objectives to acceptable levels.

Points of Focus

The following points of focus highlight important characteristics relating to this principle.

·   Integrates with Risk Assessment—Control activities help ensure that risk responses that address and mitigate risks are carried out. 


·   Considers Entity-Specific Factors—Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. 


·   Determines Relevant Business Processes—Management determines which relevant business processes require control activities. 


·   Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls. 


·   Considers at What Level Activities Are Applied—Management considers control activities at various levels in the entity 


·   Addresses Segregation of Duties—Management segregates incompatible duties, and where such segregation is not practical, selects and develops alternative control activities. 
Approaches and Examples for Applying the Principle 
Approach: Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities 
Points of focus (• = addressed by this approach):
• Integrates with Risk Assessment
• Considers Entity-Specific Factors
• Determines Relevant Business Processes
Evaluates a Mix of Control Activity Types
Considers at What Level Activities Are Applied
Addresses Segregation of Duties

Once risks have been identified and mapped to relevant financial statements assertions, management determines relevant business processes and selects and develops control activities to address each risk. Management involves relevant stakeholders to identify the appropriate control activities. This includes those individuals responsible for the risks in their areas, finance personnel responsible for financial reporting, and other control experts, such as internal auditors or others who have relevant specialized knowledge. A centralized group responsible for financial reporting or control activities periodically reviews the risk control matrices to help ensure that the entity's financial reporting risks are being addressed.

The selection and development of control activities is achieved through various methods, and may include the following:

·   Using matrices to map identified risks to control activities 


·   Holding workshops to identify appropriate control activities for each identified risk 


·   Using an inventory of control activities, tailoring them as appropriate 
Management considers the segregation of duties and a mix of transaction control activities and business process reviews. Management considers using automated controls whenever the systems in place make it possible. These are supplemented by manual control activities where automated controls are not available. 
Example: Using Workshops to Map Identified Risks to Control Activities 
A multi-million-dollar consumer products company, Prescott International, holds a number of workshops to select and develop appropriate control activities for each identified risk relating to financial statement assertions for revenue recognition. The meetings are attended by employees from various departments—credit, shipping, billing, and customer service—who review the list of activities and link them to risks identified in the company's risk assessment. 
After these workshops, Prescott International is able to select and develop policies and procedures appropriate to its business. The controller reviews the matrix of control activities and risks in order to identify any potential risks not previously noted, recommend additional control activities if necessary, and remove unnecessary control activities. 
Example: Using a Risk and Controls Matrix to Map Risks to Control Activities 
A multi-million-dollar manufacturer of sporting goods equipment, Go Rite Sports, develops a matrix in conjunction with its risk assessment process. The matrix sets out: 


·   Financial reporting objectives and relevant assertions 


·   Identified risks 


·   Control activities 
Matters such as general ledger maintenance, accruals, management estimates and reserves, period-end close and consolidation procedures, financial statement preparation, and regulatory filings and disclosures are all considered when building the matrix. The risks and controls are described in sufficient detail in the matrix to allow Go Rite's management and others to evaluate whether, if implemented and operating as intended, these actions can sufficiently mitigate the financial reporting risks. As part of this evaluation, management reviews the type of control activity (e.g., preventive versus detective, manual versus automated) to determine if the mix is appropriate. The following illustration is an excerpt of one of Go Rite's risk and control matrices with accompanying flowchart. fn 16 


Extract of Procure to Pay Business Process Flowchart

[Flowchart not reproduced in this extract.]

Extract of Procure to Pay Risk and Controls Matrix

Columns: Control; Financial Risk(s); F/S Assertions (note 1); Control Level; Frequency of Control; Control Description; Manual/Automated/IT Dependent Manual; Preventive/Detective; Information Processing Objective (note 2)

Control A
Financial Risk(s): Orders are not accurate
F/S Assertions (note 1): V
Control Level: Transaction Level
Frequency of Control: Multiple times per day
Control Description: During purchase order (PO) creation the system performs edit checks (auto-populated fields, format checks, and use of drop-down lists) of the relevant data fields and auto-populates vendor and item details using the vendor and item master files respectively. The system populates the price in the purchase order from the approved master file based on the product entered.
Manual/Automated/IT Dependent Manual: Automated
Preventive/Detective: Preventive
Information Processing Objective (note 2): A, V

Control B
Financial Risk(s): Orders are from an unapproved vendor
F/S Assertions (note 1): E/O
Control Level: Transaction Level
Frequency of Control: Multiple times per day
Control Description: The system blocks POs not using an approved vendor and items from the related master file. Blocked POs are included in the PO exception report that is reviewed daily by the purchasing manager, who works with the purchasing agent to either correct or cancel the PO.
Manual/Automated/IT Dependent Manual: Automated
Preventive/Detective: Preventive
Information Processing Objective (note 2): A, V

Control C
Financial Risk(s): Order prices are inaccurate
F/S Assertions (note 1): V
Control Level: Transaction Level
Frequency of Control: Multiple times per day
Control Description: Manually entered PO prices outside those specified in the approved master file must be reviewed and approved in the system by the purchasing manager for processing to continue. Rejected POs are canceled in the system.
Manual/Automated/IT Dependent Manual: Manual
Preventive/Detective: Preventive
Information Processing Objective (note 2): A, V

Control D
Financial Risk(s): Orders are inaccurate or not valid
F/S Assertions (note 1): V, E/O
Control Level: Transaction Level
Frequency of Control: Multiple times per day
Control Description: Purchase orders (POs) must be approved by the appropriate buyer, who is in charge of signing the PO. The buyer reviews the PO for various items, including any items out of policy, such as excessive price discounts, inaccurate calculations, and amounts over the purchasing agent's authorization limits.
Manual/Automated/IT Dependent Manual: Manual
Preventive/Detective: Preventive
Information Processing Objective (note 2): A, V

Control E
Financial Risk(s): Invoice processing is inaccurate or not valid
F/S Assertions (note 1): V, E/O, R&O
Control Level: Transaction Level
Frequency of Control: Multiple times per day
Control Description: The system performs a three-way match by comparing pertinent data (e.g., price, quantity) between the purchase order, invoice, and receiving document. As part of the three-way match the mathematical accuracy of the incoming invoice is checked. Invoice processing is blocked when differences exceed a predetermined threshold. Blocked invoices are included in the matching exception report that is reviewed daily by the payables manager, who investigates and resolves the issue.
Manual/Automated/IT Dependent Manual: Automated
Preventive/Detective: Preventive
Information Processing Objective (note 2): A, V

Note 1: E/O = Existence/Occurrence; C = Completeness; V = Valuation/Allocation; R&O = Rights and Obligations

Note 2: C = Completeness; A = Accuracy; V = Validity
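The control descriptions in rows A to E read as a specification for application controls, and it is worth seeing how little logic they actually require once master data is the source of truth. The following Python block is an added example, not Go Rite's or COSO's code: it implements the vendor/item master blocking (B), price population from the master and the manual-override hold (A, C), the buyer approval limit (D), and the three-way match with a tolerance threshold and exception report (E) over constructed sample master files, purchase orders, invoices and receipts. The vendor and item identifiers, the 5,000 agent limit, the 2% match tolerance and the RELEASED/HELD/BLOCKED status model are assumptions.

```python
# Added example (not from the COSO page): Go Rite's procure-to-pay controls A-E
# as executable checks. Master files, purchase orders, invoices and receipts
# are constructed sample data; limits, tolerance and status names are assumptions.
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

VENDOR_MASTER = {"V100": "Acme Fasteners", "V200": "Birch Plastics"}   # approved vendors
ITEM_MASTER = {"SKU-1": Decimal("42.00"), "SKU-2": Decimal("3.50")}    # approved items, unit price
AGENT_LIMIT = Decimal("5000")       # assumed purchasing-agent authorization limit (control D)
MATCH_TOLERANCE = Decimal("0.02")   # assumed 2% price threshold for the three-way match (control E)


@dataclass
class PurchaseOrder:
    po_id: str
    vendor_id: str
    item_id: str
    quantity: int
    manual_price: Optional[Decimal] = None  # None = price auto-populated from master (control A)
    override_approved: bool = False         # purchasing manager approved the manual price (control C)
    buyer_approved: bool = False            # buyer signed off on the PO (control D)
    status: str = "NEW"
    unit_price: Optional[Decimal] = None
    exceptions: List[str] = field(default_factory=list)


def process_po(po: PurchaseOrder) -> PurchaseOrder:
    """Controls A-D. Sets status to RELEASED, HELD (an approval is outstanding)
    or BLOCKED (unapproved master data) and records the reasons."""
    # Control B: nothing proceeds unless vendor and item are on the approved masters.
    if po.vendor_id not in VENDOR_MASTER:
        po.exceptions.append("vendor not in approved vendor master")
    if po.item_id not in ITEM_MASTER:
        po.exceptions.append("item not in approved item master")
    if po.exceptions:
        po.status = "BLOCKED"
        return po
    # Control A: edit check on the quantity; the price comes from the item master.
    if po.quantity <= 0:
        po.exceptions.append("quantity must be a positive integer")
    po.unit_price = ITEM_MASTER[po.item_id]
    # Control C: a manually entered price that differs from the master needs approval.
    if po.manual_price is not None and po.manual_price != po.unit_price:
        if not po.override_approved:
            po.exceptions.append("manual price differs from master; purchasing manager approval required")
        po.unit_price = po.manual_price
    # Control D: totals above the agent's limit need the buyer's approval.
    if po.quantity * po.unit_price > AGENT_LIMIT and not po.buyer_approved:
        po.exceptions.append("PO total exceeds purchasing agent limit; buyer approval required")
    po.status = "HELD" if po.exceptions else "RELEASED"
    return po


def three_way_match(po: PurchaseOrder, invoice: Dict, received_qty: int) -> Tuple[str, List[str]]:
    """Control E: compare PO, invoice and receiving document. Any difference beyond
    MATCH_TOLERANCE, or an invoice that does not add up, blocks processing."""
    problems = []
    price, qty, total = invoice["unit_price"], invoice["quantity"], invoice["total"]
    if price * qty != total:
        problems.append("invoice total does not equal unit price x quantity")
    if abs(price - po.unit_price) > po.unit_price * MATCH_TOLERANCE:
        problems.append(f"invoice price {price} outside tolerance of PO price {po.unit_price}")
    if qty > received_qty:
        problems.append(f"invoiced {qty} units but received {received_qty}")
    if qty > po.quantity:
        problems.append(f"invoiced {qty} units but ordered {po.quantity}")
    return ("BLOCKED" if problems else "RELEASED"), problems


def exception_report(pos: List[PurchaseOrder]) -> List[Tuple[str, str, List[str]]]:
    """The daily PO exception report the purchasing manager reviews (controls B-D)."""
    return [(p.po_id, p.status, p.exceptions) for p in pos if p.status != "RELEASED"]


def demo():
    """Constructed sample run: one clean PO and three that the controls catch."""
    pos = [process_po(p) for p in (
        PurchaseOrder("PO-1", "V100", "SKU-1", 10),                                 # clean
        PurchaseOrder("PO-2", "V999", "SKU-1", 10),                                 # unapproved vendor
        PurchaseOrder("PO-3", "V200", "SKU-2", 100, manual_price=Decimal("2.00")),  # unapproved override
        PurchaseOrder("PO-4", "V100", "SKU-1", 200),                                # 8,400 > agent limit
    )]
    clean = three_way_match(pos[0], {"unit_price": Decimal("42.00"), "quantity": 10, "total": Decimal("420.00")}, 10)
    bad = three_way_match(pos[0], {"unit_price": Decimal("45.00"), "quantity": 12, "total": Decimal("520.00")}, 10)
    return pos, clean, bad


if __name__ == "__main__":
    pos, clean, bad = demo()
    for line in exception_report(pos):
        print(line)
    print(clean, bad)
```

Two design points matter for anyone implementing this for real. Controls B and E block outright, while C and D only hold pending an approval that is itself recorded in the system, so the approver's action is evidenced. And the exception report is generated from the same status fields the blocking logic writes, which is what makes the daily managerial review a control over the automated one rather than a separate, manually maintained list.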

Example: Using an Inventory of Risks and Control Activities

Indigo Brewing is a large global beer brewing company. It has created a standard inventory of risk and control activities that it uses as a basis for all its brewing subsidiaries. It created the inventory by customizing a generic inventory of brewing industry risks and control activities that it obtained from Risk Reverse Inc. with Indigo entity-specific considerations. Some of the entity-specific considerations include:

·   Standard company-wide configurations for its enterprise resource planning (ERP) system 


·   Business performance reviews required of every business unit by corporate finance 


·   A baseline set of control activities to comply with Sarbanes-Oxley requirements 
Following Indigo's recent acquisition of another brewery in China, management used the standard risk and control inventory to develop and select the necessary control activities. It customized this list based on the unique circumstances in the region and to suit the newly merged company, giving the functional leaders responsibility for addressing these risks by implementing control activities in their specific areas. 
Approach: Implementing or Assessing Control Activities when Outsourcing to a Third Party 
Points of focus (• = addressed by this approach):
• Integrates with Risk Assessment
• Considers Entity-Specific Factors
• Determines Relevant Business Processes
Evaluates a Mix of Control Activity Types
Considers at What Level Activities Are Applied
Addresses Segregation of Duties
The organization outsources some of its operations to a third party, which may or may not issue a "report on controls at a service organization" following an appropriate local or international standard. Although the organization may rely on an outsourced service provider to conduct processes, policies, and procedures on behalf of the entity, management retains ultimate responsibility for designing, implementing, and conducting an effective and efficient system of internal control. 
Management obtains an understanding of the service organization's activities and whether those activities impact significant classes of transactions, accounts, or disclosures in the company's reporting process. In determining the significance of the service organization's processes to the financial statements, the entity considers the following factors: 


·   The significance of the transactions or information processed by the service organization to the entity's financial statements 


·   The risk of material omission and misstatement associated with the assertions affected by the processes of the service organization, including whether the activities involve assets that are susceptible to loss or misappropriation 


·   The nature and complexity of the services provided by the service organization and whether they are highly standardized and used extensively by many organizations or unique and used only by a few 


·   The extent to which the entity's processes and control activities interact with those of the service organization 


·   The entity's control activities that are applied to the transactions affected by the service organization's activities 


·   The terms of the contract between the entity and the service organization, and the degree to which authority is delegated to the service organization 
If management determines that the service organization's processes are significant to internal control over external financial reporting, then it: 


·   Identifies the specific control activities performed by the service organization that are relevant to financial statement assertions, and/or 


·   Selects and develops control activities internally over the activities performed by the service organization. 
If a report on controls at a service organization is available, management can use it to determine what financially significant processes are covered, whether appropriate control activities are in place, and what control activities are required in its own organization to address external financial reporting risks. 
If an appropriate report does not exist, management can use the entity's own resources, such as internal audit, to review the control activities and ensure that any external financial reporting risks are mitigated by the combination of its own control activities and those of the service organization. 
Example: Obtaining a Report on Controls at a Service Organization from a Service Payroll Provider 
Green Grow Now is a 250-person company that packages and distributes organic produce. It uses a third-party service, Jennssen Inc., to process payroll, which is considered significant to the company's financial reporting because employee costs are a large part of Green Grow Now's expenses. 
Jennssen Inc. engages a service auditor to audit its control activities over transaction initiation, processing, and recording, and to issue an SSAE 16 (SOC1) fn 17 report on controls. When Green Grow Now obtains the report, it assesses whether the described control objectives and control activities performed by Jennssen impact internal control over external financial reporting related to the existence, completeness, and valuation of payroll expense. 
Green Grow Now considers the test results in the report and whether any exceptions have been identified. It also considers the period covered by the report and concludes that it needs additional evidence of the operation of control activities for the period not covered. The management communicates directly with Jennssen to inquire about any changes to its processes; Jennssen confirms in writing that no changes have been made. 
Based on this information, Green Grow Now concludes that no further action is needed. It also reviews the control activities that it is expected to have in place in its own organization (as specified by the user control activities in the SSAE 16 report) to verify they are implemented and operating as intended. 
Example: Implementing or Assessing Control Activities when a Report on Controls at a Service Organization is Not Available 
Funnell Medi-Quip is a 500-person medical equipment manufacturer that decides to outsource its treasury function to a service organization, Oxford Financial Experts. A report on control activities is not available. 
The management of Funnell Medi-Quip evaluates the nature of the control activities of Oxford Financial Experts and its own control activities over Oxford. The management team determines that the risk of material omission and misstatement associated with the financial statement assertions affected by Oxford's processes is high. Funnell Medi-Quip concludes that additional information is needed to evaluate the design and operating effectiveness of Oxford's control activities. The management team performs tests at Oxford, using the internal audit group to verify that the control activities are implemented and operating as intended. Funnell also tests its own user control activities. 
Approach: Considering the Types of Control Activities 


Points of focus (• = addressed by this approach):
Integrates with Risk Assessment
Considers Entity-Specific Factors
Determines Relevant Business Processes
• Evaluates a Mix of Control Activity Types
• Considers at What Level Activities Are Applied
Addresses Segregation of Duties

Once risks have been identified and mapped to relevant financial statement assertions, management determines relevant business processes and selects and develops control activities to address each risk. Management considers using automated controls whenever the systems in place make it possible. These are supplemented by manual control activities when automated controls are not available. Management also considers a mix of transaction control activities and business performance reviews. In its selection and development of control activities, management considers the likelihood that a control might fail to operate effectively. In assessing the risk of failure, management assesses various factors, which may include:

·   The type of control (i.e., manual or automated) and the frequency with which it operates 


·   The complexity of the control 


·   The risk of management override 


·   The degree of judgment required to operate the control 


·   The competence of the personnel who perform the control 


·   Any changes in key personnel who perform the control 


·   The nature and materiality of misstatements that the control is intended to prevent or detect 


·   The degree to which the control relies on the effectiveness of other controls (e.g., general technology 
controls) 


·   The evidence of the operation of the control from prior years 
Certain financial reporting elements, such as those involving significant accounting estimates, related party transactions, or critical accounting policies, will generally have higher risk for both material omission and misstatement to the financial reporting element and control failure. In these situations a combination of control activities is usually selected and developed by management to adequately address the risks of a financial reporting element. 
Example: Balancing the Types of Control Activities 
During initial compliance efforts, EJ's Corporation faced uncertainty in determining how many controls were needed to achieve management's objectives. Amid such uncertainty duplicate control activities were deployed. EJ's management is re-evaluating its existing controls to: 


·   Determine whether duplicate control activities can be eliminated 


·   Identify opportunities to implement preventive control activities earlier in the business process and 
balance with downstream detective control activities 


·   Where possible, automate controls and eliminate manual control activities 
In balancing its control activities within the processing of journal entries in the financial reporting cycle, EJ's Corporation focuses on the following preventive control activities: 


·   Restricted Access—Ensuring that different people initiate, approve, and record key transactions such as manual journal entries. 

·   Authorization, Approval, Verification—Clearly defining lines of responsibility and expectations with written job descriptions. Setting limits for the authorization of journal entries by job function in excess of a specified limit; controlling access to the general ledger software program through passwords, access codes, and program permissions; and requiring a senior-level individual to review supporting documents to verify that journal entries are appropriate, valid, and in agreement with the company's policies. 

The following detective control activities complement these control activities:

·   Reconciliation—Performing regular, independent comparison of different sets of data to identify and investigate any discrepancies 


·   Monitoring and Performance Reviews—Regularly comparing reported results to budgets, forecasts, prior periods, and other benchmarks to identify unexpected results or unusual relationships that require additional follow-up. 
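The preventive controls EJ's Corporation lists for manual journal entries (different people initiate, approve and record; authorization limits by job function; senior review) are the kind of thing that is easy to state in a policy and easy to get wrong in an ERP role design. The following Python block is an added example, not EJ's or COSO's code: it checks each of those conditions on constructed sample journal entries, and also runs the incompatible-functions check described under the later "Identifying Incompatible Functions" approach over the user-to-role assignments. The role names, approval limits, the 250,000 senior-review threshold, the users and the entries are all assumptions.

```python
# Added example (not from the COSO page): the manual-journal-entry controls EJ's
# Corporation describes, as a checker run over constructed sample data. Role
# names, limits, users and entries are assumptions made for the illustration.
from typing import Dict, List, Set, Tuple

# Assumed role table: the journal-entry actions a role may perform and the
# largest entry the role may approve.
ROLES = {
    "staff_accountant":   {"actions": {"prepare"},           "approve_limit": 0},
    "accounting_manager": {"actions": {"approve"},           "approve_limit": 50_000},
    "controller":         {"actions": {"approve", "review"}, "approve_limit": 1_000_000},
    "gl_admin":           {"actions": {"post"},              "approve_limit": 0},
}
# Assumed user-to-role assignments; erin's two roles are the planted conflict.
USERS = {"ann": ["staff_accountant"], "bob": ["accounting_manager"],
         "cat": ["controller"], "dan": ["gl_admin"], "erin": ["staff_accountant", "gl_admin"]}
SENIOR_REVIEW_THRESHOLD = 250_000   # assumed: entries above this need a controller's review
INCOMPATIBLE = [{"prepare", "approve"}, {"approve", "post"}, {"prepare", "post"}]


def actions_for(user: str) -> Set[str]:
    """Effective actions a user holds through all assigned roles."""
    return set().union(*(ROLES[r]["actions"] for r in USERS.get(user, [])))


def approve_limit_for(user: str) -> int:
    """Highest approval limit across the user's roles (0 if the user cannot approve)."""
    return max((ROLES[r]["approve_limit"] for r in USERS.get(user, [])), default=0)


def incompatible_functions() -> List[Tuple[str, Tuple[str, ...]]]:
    """Identify incompatible functions: users whose combined roles let them
    perform two steps of the journal-entry process that should be segregated."""
    findings = []
    for user in USERS:
        held = actions_for(user)
        for pair in INCOMPATIBLE:
            if pair <= held:
                findings.append((user, tuple(sorted(pair))))
    return findings


def check_entry(je: Dict) -> List[str]:
    """Preventive checks on one manual journal entry before it is posted."""
    findings = []
    debits, credits = sum(je["debits"]), sum(je["credits"])
    if debits != credits:
        findings.append("debits do not equal credits")
    steps = (("prepare", je["prepared_by"]), ("approve", je["approved_by"]), ("post", je["posted_by"]))
    # Segregation: three distinct people must initiate, approve and record.
    if len({u for _, u in steps}) < 3:
        findings.append("same user performed two of prepare/approve/post")
    # Authorization: each person must hold the action through a role.
    for action, user in steps:
        if action not in actions_for(user):
            findings.append(f"{user} is not authorized to {action}")
    # Limits by job function and senior review above the threshold.
    if debits > approve_limit_for(je["approved_by"]):
        findings.append(f"amount {debits} exceeds {je['approved_by']}'s approval limit")
    if debits > SENIOR_REVIEW_THRESHOLD and "review" not in actions_for(je.get("reviewed_by", "")):
        findings.append("senior review by a controller required")
    return findings


# Constructed sample entries: one clean, four that the checks should flag.
ENTRIES = [
    {"id": "JE-1", "debits": [10_000], "credits": [10_000],
     "prepared_by": "ann", "approved_by": "bob", "posted_by": "dan"},
    {"id": "JE-2", "debits": [10_000], "credits": [10_000],
     "prepared_by": "bob", "approved_by": "bob", "posted_by": "dan"},
    {"id": "JE-3", "debits": [80_000], "credits": [80_000],
     "prepared_by": "ann", "approved_by": "bob", "posted_by": "dan"},
    {"id": "JE-4", "debits": [300_000], "credits": [300_000],
     "prepared_by": "ann", "approved_by": "cat", "posted_by": "dan"},
    {"id": "JE-5", "debits": [1_000], "credits": [900],
     "prepared_by": "ann", "approved_by": "bob", "posted_by": "erin"},
]


def run_checks() -> Dict[str, List[str]]:
    """Findings per entry; an empty list means the entry passed every check."""
    return {je["id"]: check_entry(je) for je in ENTRIES}


if __name__ == "__main__":
    for je_id, findings in run_checks().items():
        print(je_id, findings or "ok")
    print("incompatible functions:", incompatible_functions())
```

Note the two different levels at which segregation is enforced: the transaction-level check rejects an entry where one person both prepared and approved, while the role-level check finds users whose assignments would let them do so in the first place. JE-5 passes the segregation test because erin is only posting, yet erin also holds the prepare privilege; that is exactly the case the page says calls for alternative control activities when segregation is not practical.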
Example: Evaluating Preventive versus Detective Control Activities 
As part of its regular assessment of control activities, Mountain High University reviews the mix of preventive and detective control activities and finds a high proportion of detective control activities. This high proportion of detective control activities is causing transaction processing to be slow, labor intensive, and error prone, as a considerable amount of time is spent fixing errors that occurred earlier in the process. To address the problem, management implements more preventive controls earlier in the process, through automated controls such as edit checks and automated data verification, and review and approval controls at transaction initiation, to reduce the number of errors that need to be detected and corrected after transactions are processed. 
Example: Setting the Threshold for Business Performance Reviews 
The senior management of Zephyr Corp., a multinational consumer products company, reviews the monthly and quarterly income statement and balance sheet analysis in order to prevent or detect on a timely basis material omission and misstatements to one or more financial statement assertions. This analysis compares the current year results against prior year actual results, the current year budget, and the latest forecast. It also includes key performance indicators such as gross margin, accounts receivable, inventory turnover days, and return on equity. 
To begin the analysis, the CFO of each of the company's five business units reviews the balance sheet and income statement in detail to identify and explain any variances from budget and prior year actual results over a predetermined threshold (which varies by business unit). The threshold, which ranges from 5% to 10% of pre-tax income, has been developed by senior management to help detect potentially material differences considering the following factors:

·   Significance of the business unit in relation to the group 


·   The nature of assets and liabilities and transactions executed at the business unit, including significant 
transactions or initiatives undertaken outside the normal course of business 


·   Specific risks associated with the business unit 


·   Degree of centralization of processes and financial reporting applications 


·   The effectiveness of the control environment at the business unit 


·   Results of past monitoring activities by the company 


·   Potential for error to exist at the business unit 
The analysis is then submitted to Zephyr's corporate center for review. Senior management holds monthly meetings with the representatives from each business unit (usually a business unit CFO) to understand why there are significant differences that exceed predefined thresholds and to determine whether corrective action is necessary.

Example: Controlling Significant Accounting Estimates

Finance management at the Judge Mint Company (JMC) is responsible for preparing accounting estimates relating to the valuation of trade receivables on a monthly and quarterly basis. Management estimates the underlying allowance for uncollectible receivables considering:

·   Historical percentages of uncollectible receivables to total receivables 


·   Historical collections and write-offs relating to customers with specific receivables outstanding at 
period end 


·   Judgments relating to customers’ ability and intent to pay 
Management's assessment of customers’ ability and intent to pay outstanding receivables is subjective and susceptible to error. Accordingly, management selects, develops, and deploys a mix of control activities to help mitigate this valuation risk, including the following: 


·   The treasurer periodically reviews existing customers’ historical financial and credit information as provided by Dun & Bradstreet to identify any changes in the customers’ ability to pay. 


·   Automated preventive controls embedded within JMC's ERP system support generation of sub-ledger reporting, including historical aging, collection, and write-off of receivables by customer, which provides a level of consistency for the completeness and accuracy of reporting used in making estimates. 


·   Specific adjustments proposed by accounting personnel who are knowledgeable about customers must be supported by analyses including reasons for such adjustments (e.g., communications, disputes, payments, write-offs). 


·   The assistant controller approves proposed adjustments to the calculated preliminary estimate for specific uncollectible receivables based on review of supporting analyses and information. 


·   The controller assesses the reasonableness of the final estimate by reviewing the rationale supporting the selection of the historical percentage used to calculate the preliminary estimate and the rationale supporting any material adjustments, and considering the consistency with her knowledge of industry, business, and customer trends/events. 
Example: Automating Balance Sheet Reconciliations 
Gentry Co., a large decentralized industrial products company, has identified the account reconciliations part of the financial reporting process as a critical control activity for reducing the risk of material omission and misstatement in the financial statements. The number of accounts in the company's books has increased significantly over the years as new processes and transactions have been added, other entities have been formed or acquired, and the number of employees has grown. Today, a large volume of accounts are reconciled manually on a monthly basis, but this is a time-consuming process that is prone to error. 
Gentry Co. is considering implementing account reconciliation software, which would help automate the process and allow Jeremy Brewster, who is responsible for the process, to spend more time on the more subjective and complex areas of account reconciliation. 
Gentry has identified the following benefits that would arise out of using an automated account reconciliation tool: 


·   A continuous controls monitoring framework would be able to identify significant and material reconciling items, allowing management to quickly respond to potential issues. 

·   Adjusting entries would be identified and efficiently recorded, followed by a review by Mr. Brewster. 


·   Labor and cost would be reduced. 


·   Automation would integrate seamlessly with ledgers, sub-ledgers, and other financial systems. 


·   Exception management would reduce exposure to risk by establishing an action plan for all exception 
items. 


·   Reconciliation processes would be integrated into the email system, automating workflow. 


Gentry Co. decides to implement a partial automated process. It uses both qualitative and quantitative factors to determine which reconciliations will be automated and which will continue to be manual. The factors considered favorable to automation include low complexity of transactions, absence of significant judgments and estimates, low number of manual journal entries and adjustments, low susceptibility of transactions to fraud, and high-volume, low-dollar value of transactions, combined with a low degree of variation against the expected account balance.

Approach: Considering Alternative Control Activities to the Segregation of Duties

Points of focus (• = addressed by this approach):
Integrates with Risk Assessment
Considers Entity-Specific Factors
Determines Relevant Business Processes
Evaluates a Mix of Control Activity Types
Considers at What Level Activities Are Applied
• Addresses Segregation of Duties

Where resource or other constraints compromise the ability to appropriately segregate duties, management considers alternative control activities, such as timely periodic management reviews of reports that are prepared in sufficient detail for misstatements to be identified.

Example: Using Alternative Control Activities when Access to Purchasing Transactions Are Not Segregated fn 18

Luther Optical is a multi-million-dollar designer, manufacturer, and distributor of consumer and industrial optical products. There are two staff members in the purchasing department, each of whom is authorized to prepare, authorize, and issue purchase orders up to $5,000. Because no one reviews these purchase orders before they are sent to vendors, there is a risk that unintentional errors or intentional fraudulent acts will result in inventory valuation errors, obsolescence, or shortages due to diverted shipments. To reduce this risk to an acceptable level, management relies on a combination of control activities carried out by other staff members. These include, but are not limited to, the following:

·   An inventory clerk documents and tracks all inventory levels, reducing the risk of obsolescence. 


·   An inventory receiving clerk evaluates, documents, and reports to management unusual inventory 
movement, such as excessive ordering that could lead to obsolescence. 


·   A payables clerk matches invoices to purchase orders and receiving reports before amounts are paid, 
reducing the risk of errors resulting from diverted shipments. 


·   A controller reviews exception reports of all inventory purchases with a price more than 10% above 


Co. decides to implement a partial automated process. It uses both qualitative and quantitative factors to

current average costing.

Approach: Identifying Incompatible Functions

Integrates with Risk Assessment
Considers Entity Specific Factors
Determines Relevant Business Processes
Evaluates a Mix of Control Activity Types
Considers at What Level Activities are Applied
• Addresses Segregation of Duties

Using automated tools, organization charts, process flowcharts, or other means by which activities are documented, management identifies incompatibilities in functions that are needed to appropriately segregate duties. These incompatible functions are considered when developing or revising the policies for granting access to assets and systems. The policies are regularly updated to reflect changing responsibilities and activities.

Example: Manually Assessing Incompatible Functions Across an Entity

Finansis Corporation is a manufacturer of bicycles that recently implemented an enterprise resource planning system but continues to use its legacy procurement application. Management has identified a risk that personnel perform incompatible functions across the entity's financial reporting systems and, in turn, have inappropriate access to those systems. The CFO, Steve Wu, has formed a task force of representatives from finance, accounting, operations, internal audit, compliance, and IT to review process flowcharts and procedure manuals and to assess the financial reporting risks of the same person being able to perform two incompatible functions (e.g., bill creation and payments). The task force has now created a matrix of incompatible functions across the financial reporting processes and assessed any business justification for each incompatibility. If the business justification is deemed valid, the task force evaluates the sufficiency of the alternative controls selected, developed, and deployed. If the justification is found to be invalid or nonexistent, the task force develops a recommendation for the controller to implement a policy for segregating the functions.

Senior finance, operations, IT, internal audit, and compliance management have reviewed and approved the task force's recommendations. Commensurate with the policy changes, IT has updated access rights across the various systems. Control activities were selected and deployed to help ensure that the segregation of duties is maintained, including policies and procedures for user management and IT's review and approval of access requests. The policies also include the segregation of duties as criteria in the annual review of access rights performed by user management for each financial reporting relevant system.

Example: Using Automated Tools to Enforce the Segregation of Incompatible Functions

Frencorp is a multi-billion-dollar public industrial products manufacturer. Recently it installed and configured a governance, risk, and compliance access management application. The purpose is to assess sensitive access and segregation-of-duty risks and conflicts during the development of security roles and the assignment of those roles to end users. The application allows Frencorp to define processes and transactions that should not be combined in a security role or assigned to the same end user. It prevents the assignment of any access that is deemed incompatible.

Furthermore, the application routinely scans security roles and end-user access, generates reports of access risks and conflicts, and routes the reports to the appropriate people for review. If a user requires access to conflicting transactions, the application recommends a mitigating control activity. Frencorp management's review of the access risks and conflicts reports and mitigating control activity decisions are logged in the application.
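The matrix of incompatible functions built by the Finansis task force and the preventive and detective checks performed by Frencorp's access management application can be expressed in a small amount of code. The following is an added illustration, not code from the original document or from any GRC product. The conflict pairs, role definitions, user assignments and the documented mitigating control are all constructed for the example; a real matrix would come from the process flowcharts and the task force's assessment.

```python
"""Segregation-of-duties (SoD) conflict check over security roles and user-role assignments.

Added example; the conflict matrix, roles, users and mitigation record below are constructed.
"""
from itertools import combinations

# Incompatible-function matrix: pairs of functions one person should never hold together.
INCOMPATIBLE_FUNCTIONS = {
    frozenset({"vendor_master_maintain", "invoice_enter"}),
    frozenset({"invoice_enter", "payment_release"}),
    frozenset({"purchase_order_create", "purchase_order_approve"}),
    frozenset({"goods_receipt_post", "invoice_enter"}),
    frozenset({"journal_entry_post", "journal_entry_approve"}),
}

# Security roles and the functions (transactions) each grants. Constructed.
ROLES = {
    "AP_CLERK": {"invoice_enter", "goods_receipt_post"},   # conflict designed into the role itself
    "AP_SUPERVISOR": {"payment_release"},
    "BUYER": {"purchase_order_create"},
    "PURCHASING_MANAGER": {"purchase_order_approve"},
    "GL_ACCOUNTANT": {"journal_entry_post"},
    "CONTROLLER": {"journal_entry_approve", "payment_release"},
}

# User-to-role assignments. Constructed.
ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_SUPERVISOR"},    # enters invoices and releases payments
    "bob": {"BUYER"},
    "carol": {"GL_ACCOUNTANT"},
    "dave": {"BUYER", "PURCHASING_MANAGER"},   # creates and approves purchase orders
}

# Mitigating control activities accepted for a specific user and conflict. Constructed.
MITIGATIONS = {
    ("dave", frozenset({"purchase_order_create", "purchase_order_approve"})):
        "Controller reviews all purchase orders above $5,000 monthly (ticket GRC-0421)",
}


def conflicts_in(functions):
    """Return the incompatible pairs present within one set of functions."""
    return {frozenset(pair) for pair in combinations(sorted(functions), 2)
            if frozenset(pair) in INCOMPATIBLE_FUNCTIONS}


def role_conflicts(roles=ROLES):
    """Conflicts embedded in a single role; these are caught when the role is designed."""
    return {role: conflicts_in(funcs) for role, funcs in roles.items() if conflicts_in(funcs)}


def effective_functions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the functions granted by every role assigned to the user."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))


def user_conflicts(assignments=ASSIGNMENTS, roles=ROLES, mitigations=MITIGATIONS):
    """Detective scan: per-user conflicts across all assigned roles, split by mitigation status."""
    report = {}
    for user in assignments:
        for pair in conflicts_in(effective_functions(user, assignments, roles)):
            status = "mitigated" if (user, pair) in mitigations else "unmitigated"
            report.setdefault(user, {}).setdefault(status, []).append(tuple(sorted(pair)))
    return report


def can_assign(user, new_role, assignments=ASSIGNMENTS, roles=ROLES):
    """Preventive check at assignment time: would granting new_role introduce a new conflict?

    Returns (ok, new_conflict_pairs); the caller blocks the assignment when ok is False.
    """
    current = effective_functions(user, assignments, roles)
    new_pairs = conflicts_in(current | roles[new_role]) - conflicts_in(current)
    return (not new_pairs, new_pairs)
```

Two points the code makes explicit: a conflict can exist inside a single role (AP_CLERK), so roles must be checked at design time and not only at assignment time, and a documented mitigating control does not remove a conflict from the report, it only changes its status, so the reviewer still sees it.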

Footnotes (Approaches and Examples for Applying the Principle):

fn 16 Note that this is an illustrative matrix and flowchart and does not represent a complete list of all financial risks and control activities in a typical purchasing and payables process.

fn 17 An independent auditor's report on the design and operating effectiveness of controls at a service organization

fn 18 This example is likely to be most relevant for smaller entities or the smaller sub-units of larger entities.

Selects and Develops General Controls over Technology
Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives.

Points of Focus

The following points of focus highlight important characteristics relating to the principle:

·   Determines Dependency between the Use of Technology in Business Processes and Technology General Controls—Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls. 


·   Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. 


·   Establishes Relevant Security Management Process Control Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity's assets from external threats. 


·   Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. 
Approaches and Examples for Applying the Principle 
Approach: Using Risk and Control Matrices to Document Technology Dependencies 
• Determines Dependency between the Use of Technology in Business Processes and Technology General Controls 
Establishes Relevant Technology Infrastructure Control Activities
Establishes Relevant Security Management Process Control Activities
Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities

Management documents the underlying technology that supports control activities in risk and control matrices, flow charts, or narratives. Using this information, management can document the linkage between control activities and technology. Management should understand which aspects of technology (infrastructure, security, technology acquisition, development, and maintenance processes) are important to the continued, proper operation of the technology and any associated automated controls. Management also develops an understanding of how various applications and technologies interface with each other.

Example: Using a Walkthrough to Understand Technology Dependencies

A global publicly traded information services organization, Signal Corp., recently acquired a privately held newspaper chain. During the due diligence process, Signal Corp. determined that the management of the newspaper chain did not have a good understanding of which applications were critical to the integrity and reliability of its financial information. To assess this linkage, the internal audit department of Signal Corp. performed a walkthrough of each of the newspaper chain's significant financial processes and documented in a process flow diagram all the applications that supported these processes. These included the automated controls and any controls that depended on system-generated reports.

The walkthrough covered each major class of transactions. The internal audit team asked the relevant personnel of the newspaper chain about all significant aspects of the process.

Approach: Evaluating End-User Computing

• Determines Dependency between the Use of Technology in Business Processes and Technology General Controls

• Establishes Relevant Technology Infrastructure Control Activities
• Establishes Relevant Security Management Process Control Activities
• Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities

Management understands the use of end-user computing (which includes spreadsheets) that supports its financially significant processes and associated control activities. Management assesses the risk of a misstatement resulting from an error in one of these end-user computing applications. Based on the level of risk, management selects and develops general control activities over the technology covering:

·   Technology infrastructure 


·   Security management 


·   End-user computing development and maintenance 


·   Completeness and accuracy controls between the end-user computing system and other systems 

For high-risk end-user computing applications, management considers converting to an IT-supported application. 


Example: Evaluating Financial Close End-User Spreadsheet Control Activities

Smythe & Smythe International recently evaluated the use of spreadsheets in its financial close process. In doing so, it identified that the spreadsheets supporting the calculation of LIFO (last-in, first-out) adjustment and the fair values of goodwill, intangible assets, and debt were of high risk, based on their susceptibility to error and significance to the financial statements.

Smythe & Smythe also classified the spreadsheets as high in complexity because they included the use of macros and multiple supporting spreadsheets to which cells and values were interlinked. The spreadsheets were used either as the basis for journal entries into the general ledger (LIFO reserve) or as financial statement disclosures (fair value of goodwill, intangible assets, and debt).

The company considered the security, maintenance, and update risks of the spreadsheets and then selected and developed the following control activities: fn 19

·   Input Control—Input data is reconciled to source documentation to cover its completeness and accuracy. 


·   Access Control—File-level access to the spreadsheets on a central server is limited to approved users, and a password is required to access the LIFO reserve spreadsheet. 


·   Version Control—Standard naming conventions and directory structures are in place so only current and approved versions of the spreadsheets are used. 


·   Calculation Testing—When changes to formulas are made they are tested against a manual calculation for accuracy. All spreadsheet formulas are checked for accuracy at least once a year. 


·   Overall Analytics—Analytical business process reviews using pre-established thresholds based on operating income and working capital function as a detective control to find errors in any of the spreadsheets. 
Approach: Implementing or Assessing Control Activities when Outsourcing IT Functions to a Third Party 
• Determines Dependency between the Use of Technology in Business Processes and Technology General Controls 
• Establishes Relevant Technology Infrastructure Control Activities
• Establishes Relevant Security Management Process Control Activities
• Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities 
Management outsources certain aspects of its IT infrastructure to an outside service provider, which may or may not have a "report on controls at a service organization" following an appropriate local or international standard. If a report is available, management uses it to determine what financially significant IT processes are covered, whether appropriate controls are in place at the service organization, and what controls are required in its own organization to mitigate risks to external financial reporting to an acceptable level. 
If an appropriate report does not exist, management uses internal resources (e.g., internal audit) to review the controls at the third party, verifying that the combination of the company's controls and those at the service organization mitigate risks to external financial reporting to an acceptable level. 
Example: Obtaining a Report on Controls at a Service Organization from a Cloud-Based Service Provider 
E-Book Frontier, a retailer of electronic books, has outsourced its enterprise resource planning (ERP) application to a cloud-based service provider (CSP). To prepare for its initial public offering, the company began to develop and implement a system of internal control in support of its anticipated external financial reporting objectives. E-Book Frontier uses the ERP application to support its revenue, inventory, purchasing, and payables processes, so it supports a number of financial statement line items and their associated assertions.

To that end, the management of E-Book Frontier assessed the risks associated with the business processes outsourced to the ERP cloud service provider and determined a number of control activities and information requirements that needed to be addressed. E-Book Frontier management obtained a Statement on Standards for Attestation Engagements (SSAE) No. 16 (SOC 1) report on internal controls prepared by a third-party service auditor. As part of developing and deploying internal controls across the end-to-end business processes managed in part by the CSP, E-Book Frontier incorporated the review of the audit report as a control activity. In performing its review, management noted the following:

·   The scope of the report included certain application controls and technology general controls that were evaluated for both design and operating effectiveness. The controls relating to the customized configuration for the organization were not addressed in the service auditor's report. Management evaluated the impacted business process and related financial reporting risks and selected and developed additional actions and control activities to address these risks. 


·   The tests of controls covered a period that coincided with ten months of the company's fiscal year, leaving a gap of the last two months. Based on management's analysis of the relevance and risk of the related controls, E-Book Frontier determined that corroborative inquiry with the CSP would be adequate for the gap period. To evaluate the continued operation of the CSP controls, management interviewed key CSP personnel to assess whether any changes in the controls or known failures had occurred since the date of the report. 
Management reviewed the results of the tests of controls and the service auditor's opinion on the operating effectiveness of the controls to determine whether each control objective was achieved. Two exceptions were noted in the report, and management reviewed the additional information related to these that was provided by the CSP in the unaudited portion of the report. They concluded that one exception was not relevant to their organization. For the second exception, additional procedures were needed. 
The second exception related to evidence of customer approval of program changes; management evaluated the sufficiency of E-Book Frontier's controls over approval of changes requested to be performed by the CSP. In addition, it requested a report of all changes for the past six months from the CSP and verified that the report of all changes was complete and accurate. It then compared the list of changes and noted no variances from its internal records. 
Based on these additional procedures, management concluded that the exceptions did not result in a deficiency of their system of internal control. 
Approach: Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties 
Determines Dependency between the Use of Technology in Business Processes and Technology General Controls 
Establishes Relevant Technology Infrastructure Control Activities
• Establishes Relevant Security Management Process Control Activities
Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities 
The applications, databases, operating systems, and networks that support financially significant processes are configured to support restricted access to financial applications and data consistent with the organization's policies and procedures. The configuration includes a means to authenticate users or systems and enforce restricted access, as well as key parameters, such as minimum password length and the aging of passwords.

Example: Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties

Woodlawn Wireless Telecommunications, which has a number of applications critical to its financial reporting process, was recently cited for poor infrastructure security controls by its internal audit group. Specifically, the setup of key security parameters, such as password length and complexity, was not consistently applied across these applications, and in many cases they were below industry standards for good practices. To correct the situation, Woodlawn developed a four-step approach:

·   Create a three-tier risk rating of the importance of an application and its data to the reliability of the financial-reporting process. 


·   Develop policies for the settings of key security parameters for all financially relevant technology in use at the company for each risk rating level. 


·   Assess the importance of each application and its associated infrastructure to the reliability of financial reporting and assign it a risk rating. 


·   Implement procedures to put in place and monitor compliance with the policies for each application consistent with its associated rating. 
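Steps 2 through 4 of the Woodlawn approach (a baseline per tier, a tier per application, and monitoring of each application against its tier) are mechanical once the tiers are defined, and the check is worth automating so it runs every time a system's security configuration is exported. The block below is an added example, not code from the original document or from Woodlawn; the parameter names, tier baselines, application tiers and observed values are all constructed, and the comparison semantics for "unlimited" (a ceiling of 0) are an assumption about the constructed export.

```python
"""Checking each application's authentication parameters against the baseline for its risk tier.

Added example; the baselines, application inventory and observed settings are constructed.
"""

# Policy baselines per risk tier. Each rule is ("min", v): observed must be >= v;
# ("max", v): observed must be <= v and non-zero; ("eq", v): observed must equal v.
TIER_BASELINES = {
    1: {"min_password_length": ("min", 14),
        "password_max_age_days": ("max", 90),
        "complexity_required": ("eq", True),
        "max_failed_logins": ("max", 5),
        "mfa_required": ("eq", True)},
    2: {"min_password_length": ("min", 12),
        "password_max_age_days": ("max", 180),
        "complexity_required": ("eq", True),
        "max_failed_logins": ("max", 10)},
    3: {"min_password_length": ("min", 8),
        "max_failed_logins": ("max", 10)},
}

# Risk rating assigned to each financially relevant application (step 3). Constructed.
APP_TIERS = {"general_ledger": 1, "fixed_assets": 2, "travel_expenses": 3}

# Parameter values as exported from each system's security configuration. Constructed sample.
OBSERVED = {
    "general_ledger": {"min_password_length": 8, "password_max_age_days": 365,
                       "complexity_required": True, "max_failed_logins": 5},   # exposes no MFA setting
    "fixed_assets": {"min_password_length": 12, "password_max_age_days": 90,
                     "complexity_required": True, "max_failed_logins": 3},
    "travel_expenses": {"min_password_length": 8, "max_failed_logins": 0},     # 0 = never lock out
}


def meets(rule, value):
    """Evaluate one observed value against one baseline rule."""
    op, bound = rule
    if op == "min":
        return value >= bound
    if op == "max":
        # In the constructed export a ceiling of 0 means "unlimited", which fails any bound.
        return 0 < value <= bound
    return value == bound


def evaluate_app(tier, observed):
    """Return (parameter, observed_value, rule) for every baseline the application fails.

    A parameter the system does not expose at all is reported as 'not configured' rather than
    skipped, because a missing control is a gap, not an exemption.
    """
    findings = []
    for param, rule in TIER_BASELINES[tier].items():
        if param not in observed:
            findings.append((param, "not configured", rule))
        elif not meets(rule, observed[param]):
            findings.append((param, observed[param], rule))
    return findings


def compliance_report(app_tiers=APP_TIERS, observed=OBSERVED):
    """Step 4: evaluate every application against the baseline for its own tier."""
    return {app: evaluate_app(tier, observed.get(app, {})) for app, tier in app_tiers.items()}


def noncompliant_apps(report):
    """Applications with at least one finding, for the monitoring summary."""
    return sorted(app for app, findings in report.items() if findings)
```

The tier lookup is what ties the check to the risk rating: the same eight-character minimum that is acceptable for the travel system is a finding for the general ledger, so the report reflects the policy rather than a single company-wide setting.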
Approach: Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data 
Determines Dependency between the Use of Technology in Business Processes and Technology General Controls 
• Establishes Relevant Technology Infrastructure Control Activities
Establishes Relevant Security Management Process Control Activities
Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities 
Management selects and develops control activities so that transaction processing, whether batch or real-time, is complete, accurate, and valid. Processing is actively checked for problems, either through a manual review of system status and logs or by automated programs with alarms. Timely corrective action is taken when problems are identified. Critical financial data and programs are regularly backed up and procedures are in place to completely and accurately do a restore. The restoration process is regularly tested to help ensure the backup and restoration processes work properly. 
Example: Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data 
In the data center of Sullivan Financial Services, the IT operations staff monitors the batch and real-time processing of applications (including all financially significant applications) for errors using automated software. The scheduling software on the mainframe application checks for various problems with batch jobs, including data errors and programs that don't complete properly or that run out of order. The operators are alerted to any of these issues and alert the appropriate business process owner based on standard documented procedures. 
For applications that process in real time, software is also used to automatically monitor for errors, such as incomplete, inaccurate, or invalid record transfers between systems. When a possible error is detected, the software attempts to resend the record without error. If the error persists, an email alert is sent to an operator who corrects the error following standard documented procedures. Financial management is notified of any errors in a weekly report. The weekly report is reviewed to determine if any accounting record adjustments are required due to the system problems. The controller reviews and approves any changes. (Note: this could be considered a process-level control.)
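The Sullivan example describes three distinct checks on a record transfer (completeness, accuracy, validity) plus an automatic resend and an escalation when the error persists. The block below is an added example of how those checks are commonly implemented with control totals and per-record digests; it is not code from the original document or from Sullivan Financial Services. The record layout, the manifest format, the sample batch and the fault model of the transport are all constructed.

```python
"""Completeness, accuracy and validity checks on a batch of records transferred between systems.

Added example; the record layout, manifest fields, sample batch and fault model are constructed.
"""
import hashlib
import json
from decimal import Decimal, InvalidOperation

REQUIRED_FIELDS = ("id", "account", "amount")

# Constructed sample batch: three sub-ledger postings moving to the general ledger.
SAMPLE_BATCH = [
    {"id": "T001", "account": "4000", "amount": "125.50"},
    {"id": "T002", "account": "5100", "amount": "10.00"},
    {"id": "T003", "account": "1200", "amount": "-135.50"},
]


def record_digest(rec):
    """Digest of one record over canonical JSON; any field changed in transit changes it."""
    canon = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def build_manifest(records):
    """Sender-side control totals sent with the batch: count, amount total, per-record digests."""
    return {
        "count": len(records),
        "amount_total": str(sum(Decimal(r["amount"]) for r in records)),
        "digests": {r["id"]: record_digest(r) for r in records},
    }


def validate_record(rec):
    """Validity edits on one received record; returns the failed edits (empty list if valid)."""
    errors = [f"missing {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "amount" in rec:
        try:
            Decimal(str(rec["amount"]))
        except InvalidOperation:
            errors.append("amount not numeric")
    account = rec.get("account")
    if account is not None and not (isinstance(account, str) and account.isdigit() and len(account) == 4):
        errors.append("account not a 4-digit GL code")
    return errors


def check_batch(manifest, received):
    """Receiver-side check: missing (completeness), altered (accuracy), invalid (validity), extra."""
    invalid, altered, seen = {}, [], set()
    for rec in received:
        rid = rec.get("id")
        errors = validate_record(rec)
        if errors:
            invalid[rid] = errors
            continue
        seen.add(rid)
        expected_digest = manifest["digests"].get(rid)
        if expected_digest is not None and record_digest(rec) != expected_digest:
            altered.append(rid)
    expected = set(manifest["digests"])
    missing = sorted(expected - seen - set(invalid))
    extra = sorted(seen - expected)
    resend = sorted(set(missing) | set(altered) | {i for i in invalid if i in expected})
    ok = not (missing or extra or altered or invalid)
    return {"status": "ok" if ok else "exception", "missing": missing, "extra": extra,
            "altered": sorted(altered), "invalid": invalid, "resend": resend}


def transfer_with_retry(records, channel, max_attempts=3):
    """Send, accept verified records, re-request only the failed ids, escalate if failures persist."""
    by_id = {r["id"]: r for r in records}
    pending, accepted = sorted(by_id), {}
    for attempt in range(1, max_attempts + 1):
        batch = [by_id[i] for i in pending]
        result = check_batch(build_manifest(batch), channel(batch, attempt))
        for rid in set(pending) - set(result["resend"]):
            accepted[rid] = by_id[rid]
        pending = result["resend"]
        if not pending:
            return {"status": "ok", "attempts": attempt, "accepted": len(accepted)}
    # Persistent failure: hand off to an operator instead of silently dropping records.
    return {"status": "escalate", "attempts": max_attempts, "accepted": len(accepted), "unresolved": pending}


def flaky_channel(batch, attempt):
    """Constructed fault model: the first attempt drops T003 and alters T002's amount; later attempts are clean."""
    delivered = []
    for rec in batch:
        rec = dict(rec)
        if attempt == 1 and rec["id"] == "T003":
            continue
        if attempt == 1 and rec["id"] == "T002":
            rec["amount"] = "1000.00"
        delivered.append(rec)
    return delivered
```

A record count alone would not catch the altered T002 (the count still matches), and an amount total alone would not say which record to resend; the per-record digest gives both detection and a precise resend list, which is what lets the retry send only the failed records rather than the whole batch.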

Approach: Administering Security and Access

Determines Dependency between the Use of Technology in Business Processes and Technology General Controls

Establishes Relevant Technology Infrastructure Control Activities
• Establishes Relevant Security Management Process Control Activities
Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities

Financial management establishes policies that define appropriate access rights to be consistent with job functions, including segregation of duties, for financially significant applications and processes. New access requests or changes to access are reviewed against the policy by the functional owner of the IT resource (i.e., application, database, operating system, or network). The owner of the IT resource periodically recertifies access to ensure it is commensurate with policy. Problem reports, such as excessive improper logins, are regularly reviewed, and follow-up actions are taken when issues are identified.

Example: Establishing Logical Security

The management team of a compensation and benefits consultancy reviews logical security controls to prevent unauthorized access to its financial reporting systems as follows:

·   User Accounts—Formal user account setup and maintenance procedures are in place to request, establish, issue, suspend, change, and delete user accounts. 


·   Authentication Controls—Authentication standards establish minimum requirements for password length and a finite number of login attempts. Only unique user IDs are used to promote accountability and auditability. 


·   Privileged Accounts—The use of privileged ("super-user") accounts is limited to two system and application administrators who are responsible for IT security management and are therefore deemed appropriate. These accounts are monitored by management for improper use. 


·   Application Reviews—The configuration settings for who has access to data related to critical applications and systems are periodically reviewed. Any violations detected are reported to management and corrective action is taken. 


·   Security Reviews—Applications and systems generate security logs, enabling user activity to be monitored and security violations to be reported to management. 
Approach: Applying a System Development Life Cycle over Packaged Software 
Determines Dependency between the Use of Technology in Business Processes and Technology General Controls 
Establishes Relevant Technology Infrastructure Control Activities 
Establishes Relevant Security Management Process Control Activities 
• Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities

Management considers many factors when selecting new packaged software, including functionality, application controls, security features, and data conversion requirements. Management utilizes competent internal resources or hires a third-party vendor to implement the software, following the organization's requirements.

Management follows a defined change-control process to implement system upgrades or patches. This includes assessing the nature of the upgrade or patch and whether it is appropriate to implement. If deemed appropriate, the patch or upgrade is system and user tested in an environment that mirrors production before being implemented. Key stakeholders, such as the functional users, finance, and IT, sign off on the change before it is implemented. Appropriate documentation is maintained to provide evidence that the changes have been made.

Example: Managing Changes to Packaged Software

FabFun Toys is a manufacturer of plastic toys. For several years it has been using packaged general ledger software, and it has developed a set procedure for managing vendor announcements of software upgrades, which is as follows:

·   Obtain a description of the change, the rationale for it, the impact on the company's security environment, and implications for user interfaces. 


·   Outline steps for a back-out plan should the upgrade not perform as expected. 


·   Develop a plan to test that the edit and validation rules work properly, desired system functions operate as expected and produce the desired results, undesired processing results are prevented, and existing technical capabilities, including control activities critical to external financial reporting, continue to work properly. 


·   Execute the tests and document the results. 


·   Maintain a change control log. 


·   Obtain approval from financial and operational management and end users of the test results prior to releasing the upgrade into production. 
Approach: Applying a System Development Life Cycle over Software Developed In-House 
Determines Dependency between the Use of Technology in Business Processes and Technology General Controls 
Establishes Relevant Technology Infrastructure Control Activities 
Establishes Relevant Security Management Process Control Activities 
• Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities 
Management follows a full system development life cycle (SDLC) covering problem fixes to major implementations. The SDLC covers a number of process steps and control activities, including the following: 


·   Initiation, Authorization, Tracking, and Analysis—Changes are captured in a change control or development specification. The change's progress is tracked and authorization to proceed is made by the appropriate stakeholders. The possible impact to internal controls over financial reporting is assessed, and changes are approved by relevant financial stakeholders. 


·   Design and Construction—Programming standards are followed during the design phase and procedures are put in place to provide version control. 


·   Testing and Quality Assurance—Testing is performed before going live to check if the change meets the specification and has not caused any unintended changes to the existing software. The amount and type of testing varies based on the nature of the change (size, complexity, etc.) and includes unit, system, integration, and user acceptance testing, as appropriate. 


·   Data Conversion—When applicable, data is converted completely, accurately, and validly from the previous technology. 


·   Program Implementation and Go-Live Authorization—The change is approved by the relevant stakeholders before going live, and only the approved version of the software is implemented. 


·   Documentation and Training—End-user and IT support documentation and training are created and updated as needed. 
Example: Managing Changes to Custom Software 
Summer Run Co. provides material-based solutions for electronic, acoustical, thermal, and coated metal applications. IT has recently decided to significantly modify inventory management software, which is considered a financially significant application. To do so, the company must rely on the only two developers on staff to develop, test, and migrate the software to production. 
Because Summer Run does not have an automated code promotion utility to control versions and migrations to the production environment, the IT manager, James Robb, takes the following steps:

·   Identifies and analyzes risk resulting from the required changes 


·   Assigns changes to developers so that each works on specific tasks only 


·   Assigns to the developer not working on a particular change the responsibility for testing the change and migrating it to production 


·   Reviews any significant changes 


·   Locks versions following user acceptance testing to prohibit further change prior to release 
Mr. Robb also relies on these manual controls to manage the code version and migration: 


·   Creating a manual log listing the version of the code copied to the development environment, along with date and time, and manually tracking the migration to test and then to production. 


·   Having the review of all version control procedures, performed before code is moved to production, carried out by someone other than the individual responsible for the IT functions. 
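Two of Mr. Robb's controls (locking the version after user acceptance testing, and keeping a log of what was migrated to each environment) can be made evidence-producing rather than purely manual with a content manifest of the approved tree, and the independence requirement in the last two bullets can be enforced at the same point. The block below is an added example, not code from the original document or from Summer Run Co.; the manifest format, the approval log fields, the user names and the sample files are constructed.

```python
"""Locking a UAT-approved version and verifying it before migration to production.

Added example; manifest format, log fields, user names and sample source tree are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def tree_manifest(root):
    """Map each file's relative path to its SHA-256, so any byte change or added/removed file is visible."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(q for q in root.rglob("*") if q.is_file())}


def manifest_digest(manifest):
    """Single digest over the whole manifest; this is the 'locked version' identifier."""
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()


def lock_version(root, change_id, developer, approver, log):
    """Record the state approved at UAT. Refuses self-approval by the developer of the change."""
    if developer == approver:
        raise PermissionError("approver must not be the developer of the change")
    manifest = tree_manifest(root)
    entry = {"change_id": change_id, "developer": developer, "approver": approver,
             "digest": manifest_digest(manifest), "manifest": manifest, "stage": "uat_locked"}
    log.append(entry)
    return entry["digest"]


def verify_for_promotion(candidate_root, change_id, migrator, log):
    """Before production migration: the candidate must match the locked digest byte for byte,
    and the person migrating must not be the developer. Returns (ok, reason)."""
    entry = next((e for e in log if e["change_id"] == change_id and e["stage"] == "uat_locked"), None)
    if entry is None:
        return False, "no locked version for change"
    if migrator == entry["developer"]:
        return False, "migration must be performed by someone other than the developer"
    candidate = tree_manifest(candidate_root)
    if manifest_digest(candidate) != entry["digest"]:
        locked = entry["manifest"]
        changed = sorted((set(candidate) ^ set(locked)) |
                         {p for p in candidate if p in locked and candidate[p] != locked[p]})
        return False, f"candidate differs from locked version: {changed}"
    log.append({"change_id": change_id, "stage": "migrated_to_production",
                "migrator": migrator, "digest": entry["digest"]})
    return True, "ok"


def write_tree(root, files):
    """Lay down a constructed source tree from {relative_path: text}."""
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Constructed walkthrough: lock after UAT, then a clean, a tampered and a self-migrated attempt."""
    approved = {"inventory/costing.py": "def cost(qty, unit):\n    return qty * unit\n",
                "inventory/config.ini": "[ledger]\naccount=1200\n"}
    log = []
    with tempfile.TemporaryDirectory() as uat, tempfile.TemporaryDirectory() as candidate:
        write_tree(uat, approved)
        digest = lock_version(uat, "CHG-118", developer="dev_a", approver="dev_b", log=log)
        write_tree(candidate, approved)
        clean = verify_for_promotion(candidate, "CHG-118", migrator="dev_b", log=log)
        # A line added after approval: the lock must catch it even though UAT passed.
        write_tree(candidate, {"inventory/costing.py": approved["inventory/costing.py"] + "DISCOUNT = 0.5\n"})
        tampered = verify_for_promotion(candidate, "CHG-118", migrator="dev_b", log=log)
        self_migrate = verify_for_promotion(candidate, "CHG-118", migrator="dev_a", log=log)
    return {"digest": digest, "clean": clean, "tampered": tampered, "self_migrate": self_migrate,
            "stages": [e["stage"] for e in log]}
```

The log entries are the evidence the reviewer in the last bullet would inspect: a "migrated_to_production" record exists only for a candidate whose digest equals the one locked at UAT, and it names a migrator different from the developer.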
Example: Varying Control Activities in an SDLC Based on Risk 
The multi-billion-dollar telecommunications organization, Brassen Systems, uses an SDLC to update and maintain more than 200 applications. The changes vary from large and complex development initiatives to simple report changes. Brassen seeks to match the degree and rigor of control activities to the range of risks of these changes. 
The organization assigns the level of risk to one of four categories based on several factors, including the length, level of effort, possible risks to financial processing and control activities, and complexity of the change. Level 1 changes (the most risky) are required to go through twenty quality gates, or control points, before implementation, while Level 4 changes (the least risky) are required to go through only ten gates. All changes that may affect financial processing and control activities are required to be reviewed by someone in the finance department before being implemented. 


Footnotes (Approaches and Examples for Applying the Principle):

fn 19 Note that not all these control activities are technology general controls only. The first and last bullets could be considered business process–level controls; however the entire list is included to illustrate a more complete consideration of spreadsheets.