Internal Control and Fraud Detection: A Practical Guide
Copyright © 2020 by
DELTACPE LLC
All rights reserved. No part of this course may be reproduced in any form or by any means, without
permission in writing from the publisher.
The author is not engaged by this text or any accompanying lecture or electronic media in the
rendering of legal, tax, accounting, or similar professional services. While the legal, tax, and accounting
issues discussed in this material have been reviewed with sources believed to be reliable, concepts
discussed can be affected by changes in the law or in the interpretation of such laws since this text
was printed. For that reason, the accuracy and completeness of this information and the author's
opinions based thereon cannot be guaranteed. In addition, state or local tax laws and procedural rules
may have a material impact on the general discussion. As a result, the strategies suggested may not
be suitable for every individual. Before taking any action, all references and citations should be
checked and updated accordingly.
This publication is designed to provide accurate and authoritative information in regard to the subject
matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal,
accounting, or other professional service. If legal advice or other expert advice is required, the services
of a competent professional person should be sought.
From a Declaration of Principles jointly adopted by a committee of the American Bar Association
and a committee of Publishers and Associations.
Course Description
The introduction of the Sarbanes-Oxley Act (SOX) fueled rapid growth in the organizational importance
of internal control systems. Appropriate interpretation and implementation of an internal control
framework is vital for every organization. This course incorporates and reflects up-to-date guidance
from the PCAOB, the AICPA, the ACFE, and the principles of the 2013 COSO Framework. The course not
only addresses the theoretical concept of internal control systems but also provides readers with
the practical guidance they need to assume a role in the design, implementation, maintenance and
evaluation of a comprehensive framework of internal controls for their organizations.
Specifically, the course presents the principles of internal control to help readers understand the
nature and context of control, such as limitations of internal controls, the most recognized controls
frameworks (e.g. COSO Framework, Green Book), and some common and important control
procedures. It also includes steps on how to identify risks and controls, advice on how to assess the
adequacy of controls, a discussion of how to reach a fair assessment, and documentation requirements
for evidence of effective controls. In addition, the course discusses requirements related to
performing an integrated audit: SAS 130 and AS No. 2201. Although these auditing standards are
mandatory for external auditors and not for management, management should consider following the
approach they describe.
No discussion of internal controls would be complete without an examination of fraud prevention and
detection. All organizations are subject to fraud risks. Fraud is now so common that its occurrence is
no longer remarkable, only its scale. The course offers the essential tools for designing and
implementing programs and controls to prevent and detect fraud. It focuses on the causes of fraud,
fraud risk factors, some of the more common types of fraud, fraud symptoms, and fraud preventive
and detective techniques, along with some recent cases in corporate fraud. It explains the differences
between forensic accounting and auditing. It also includes the ACFE Fraud Prevention Checkup to help
organizations identify major gaps and fix them before it is too late.
This course includes an illustration of potential internal controls weaknesses involving accounting and
financial reporting cycles, along with examples of compensating controls. It provides sample audit
programs of key processes. It also incorporates appendixes including: an example of management
internal control report, a SOX Section 404 management compliance checklist, financial reporting
controls and information systems checklist for each key cycle (e.g. revenue, inventory, financing), and
a computer applications checklist.
Field of Study: Auditing
Level of Knowledge: Overview
Prerequisite: None
Advanced Preparation: None
Table of Contents
INTRODUCTION .............................................................................................. 1
LEARNING OBJECTIVES.................................................................................... 3
PART I. The Principles of Internal Control ..................................................... 4
Internal Control Systems.............................................................................. 4
The Definition of Internal Control ............................................................................... 4
Limitations of Internal Controls .................................................................................. 5
Internal Control Frameworks ....................................................................... 6
2013 COSO Framework ............................................................................................... 6
Overview .......................................................................................................................... 6
Components of Internal Control ........................................................................................ 7
The Control Environment ...................................................................................................................... 8
Risk Assessment .................................................................................................................................... 9
Identify Risks .....................................................................................................................................................11
Assess Risks ......................................................................................................................................................11
Respond to Risks ...............................................................................................................................................11
Relevance to Sarbanes-Oxley Compliance ........................................................................................................12
Control Activities ................................................................................................................................. 13
Information & Communication Systems Support ............................................................................... 15
Monitoring .......................................................................................................................................... 16
The GAO Green Book................................................................................................ 17
Overview .........................................................................................................................17
Framework Principles .......................................................................................................19
Control Framework − 17 Principles ..................................................................................................... 19
Control Framework with GAO’s Attributes ......................................................................................... 20
Part I − Section 1 Review Questions ........................................................... 23
Types of Controls ....................................................................................... 25
Directive Controls..................................................................................................... 25
Preventive Controls .................................................................................................. 25
Detective Controls .................................................................................................... 26
Corrective Controls................................................................................................... 27
The Concepts of ICFR ................................................................................. 28
Integrating Controls over Information Systems .......................................... 29
IT General Controls................................................................................................... 29
IT Application Controls ............................................................................................. 30
Considerations Specific to Smaller Entities ................................................. 33
Cost-Benefit Relationships ......................................................................... 35
Benefit-Cost Analysis ................................................................................................ 35
Cost-Effectiveness Analysis ....................................................................................... 36
Part I − Section 2 Review Questions .......................................................... 37
PART II. Management Assessment of Internal Controls .............................. 38
Understanding the Sarbanes-Oxley Act Rules ........................................... 39
Enhanced Financial Disclosures (Section 404)............................................................ 39
Overview .........................................................................................................................39
Management’s Internal Control Report ............................................................................41
The Role of Independent Public Accountant......................................................................44
Corporate Responsibility (Section 302) ..................................................................... 45
Other Key Principles ................................................................................................. 46
Auditor Independence .....................................................................................................46
The Role of the Audit Committee .....................................................................................47
Disclosures in Periodic Reports .........................................................................................48
Corporate and Criminal Fraud Accountability ....................................................................48
Identification of Risks and Controls ............................................................ 49
Step 1: Selecting the Control Framework .................................................................. 49
Step 2: Defining Control Objectives .......................................................................... 51
Step 3: Addressing and Monitoring Risks .................................................................. 53
General Concerns .............................................................................................................53
Anti-Fraud Considerations ................................................................................................54
Assessment Criteria .........................................................................................................55
Step 4: Establishing Controls..................................................................................... 57
Part II − Section 1 Review Questions .......................................................... 60
Assessment of the Adequacy of Controls ................................................... 61
Determining Key Controls ......................................................................................... 62
Evaluating the Effectiveness of Controls ................................................................... 63
The Design of Controls .....................................................................................................63
The Operating Effectiveness of Controls ...........................................................................65
Evaluation of Control Deficiencies ............................................................. 69
Step 1: Understanding the Nature of the Deficiency .................................................. 69
Step 2: Assessing the Likelihood of Misstatements ................................................... 70
Step 3: Considering Compensating Controls .............................................................. 71
Step 4: Determining Classification of Deficiencies ..................................................... 72
Step 5: Reporting Assessment Results ...................................................................... 73
Documentation of Effective Controls ......................................................... 74
Identification of Control Gaps .................................................................... 77
Illustration of Potential Internal Control Weaknesses and Compensating
Controls: Accounting and Financial Reporting ............................................ 81
Part II − Section 2 Review Questions .......................................................... 83
PART III. Audit of ICFR Integrated with Audit of Financial Statements ........ 84
Audit Objectives and Scope ....................................................................... 84
Relevant Standards .................................................................................... 86
Auditing Standard No. 2201 ...................................................................................... 86
Statement on Auditing Standards 130 ...................................................................... 86
Planning the Audit ..................................................................................... 87
Part III − Section 1 Review Questions ......................................................... 89
Using a Top-Down Approach ...................................................................... 90
The Key Concepts ..................................................................................................... 90
Sample Audit Programs ............................................................................................ 93
Cash in Bank ....................................................................................................................93
Trade Accounts and Notes Receivable ..............................................................................96
Inventory .........................................................................................................................98
Fixed Assets ................................................................................................................... 100
Prepaid Expenses and Deferred Charges ......................................................................... 101
Accounts Payable ........................................................................................................... 103
Stockholders’ Equity ...................................................................................................... 105
Sales and Other Types of Income .................................................................................... 107
Expense Items ................................................................................................................ 108
Assessing the Risk of Fraud ...................................................................... 110
Characteristics of Financial Statement Fraud .......................................................... 110
Types of Fraud ............................................................................................................... 110
Fraud Risk Factors .......................................................................................................... 111
Brainstorming Sessions .......................................................................................... 111
Fraud Risk Assessment ................................................................................................... 113
Collect Information ........................................................................................................................... 113
Identify and Assess Fraud Risks ......................................................................................................... 114
Respond to the Fraud Risk Assessment ............................................................................................. 114
Testing Controls ....................................................................................... 115
Testing Design Effectiveness ................................................................................... 115
Testing Operating Effectiveness .............................................................................. 115
Relationship of Risk to the Evidence Obtained ........................................................ 116
Evaluating Control Deficiencies ................................................................ 117
Examples of Significant Deficiencies and Material Weaknesses ............................... 119
Scenario A – Significant Deficiency ................................................................................. 120
Scenario B – Material Weakness ..................................................................................... 120
Responding to Misstatements Caused by Fraud ....................................... 121
Reporting Audit Results ........................................................................... 122
Types of Audit Opinions ......................................................................................... 122
Audit Matters......................................................................................................... 124
Critical Audit Matters ..................................................................................................... 124
Key Audit Matters .......................................................................................................... 125
Other Considerations ............................................................................... 127
Considerations Specific to Smaller, Less Complex Entities ....................................... 127
Considerations of Financial Information Systems .................................................... 128
Management Written Representations ................................................................... 130
Communication of Certain Matters......................................................................... 131
Use of the Work of Internal Auditors or Others ....................................................... 131
Part III − Section 2 Review Questions ....................................................... 132
PART IV. Fraud Prevention and Detection ................................................ 134
Fraud Awareness ..................................................................................... 134
Basics of Fraud ....................................................................................................... 134
Definition of Fraud ......................................................................................................... 134
Fraud Triangle ................................................................................................................ 135
Opportunity ....................................................................................................................................... 136
Pressure/Incentive ............................................................................................................................ 137
Rationalization................................................................................................................................... 138
The Evolution of Fraud ................................................................................................... 140
Types of Fraud ....................................................................................................... 141
Occupational (Corporate) Fraud ..................................................................................... 141
Corruption ......................................................................................................................................... 144
Asset Misappropriation ..................................................................................................................... 144
Risk Factors Relating to Misstatements Arising from Misappropriation of Assets ...........................................144
Financial Statement Fraud ................................................................................................................ 146
Risk Factors Relating to Misstatements Arising from Fraudulent Financial Reporting ...................................147
Procurement and Contractor Frauds ............................................................................... 150
False Claims and False Statements .................................................................................. 151
Part IV − Section 1 Review Questions ...................................................... 152
Forensic Accounting and Auditing ............................................................ 154
Fraud and Perpetrators ............................................................................ 156
The Fraud Symptoms .............................................................................................. 156
Indicators of Financial Crime .......................................................................................... 157
Red Flags of Employee Behavior ....................................................................................................... 157
Red Flags of Organizational Behavior ................................................................................................ 158
Recent Cases in Corporate Fraud ............................................................................ 159
Fraud Prevention and Detection .............................................................. 162
Fraud Risk Assessment ........................................................................................... 162
Techniques for Fraud Prevention ............................................................................ 165
The ACFE Fraud Prevention Checkup .............................................................................. 172
Interpreting the Entity’s Score ........................................................................................ 176
The Use of Technology for Fraud Detection ............................................................ 176
Data Mining ................................................................................................................... 176
Forensic Computing ....................................................................................................... 178
Part IV − Section 2 Review Questions ...................................................... 179
Appendix A: Example of Management Report ............................................ 180
Appendix B: Section 404 Management Compliance Checklist ..................... 181
Appendix C: Financial Reporting Controls and Information Systems Checklist − Medium to Large Business .......................................................... 183
Part 1. Internal Control Assessment Questionnaires ................................ 184
Control Environment .............................................................................................. 184
Significant Account Balances and Transaction Cycles .............................................. 189
Revenue Cycle ............................................................................................................... 189
Revenue and Accounts Receivable .................................................................................................... 190
Cash Receipts .................................................................................................................................... 192
Purchasing Cycle ............................................................................................................ 193
Purchases and Accounts Payable ...................................................................................................... 193
Cash Disbursements .......................................................................................................................... 194
Inventory ....................................................................................................................... 195
Financing ....................................................................................................................... 197
Investments ....................................................................................................................................... 197
Debt ................................................................................................................................................... 198
Property, Plant, and Equipment ..................................................................................... 199
Payroll Cycle .................................................................................................................. 200
Part 2. Financial Information System Checklist......................................... 201
End-User Computing .............................................................................................. 201
Procedures and Controls over End-User Computing ................................................ 202
Information Processed by Outside Computer Service Organizations ........................ 204
Part 3. Assessing Segregation of Duties and the Risk of Management Override ................................................................................................................ 205
Lack of Segregation of Duties.................................................................................. 205
Management Override ........................................................................................... 205
Part 4. Interpret Results ........................................................................... 206
Appendix D: Computer Applications Checklist − Medium to Large Business 208
Computer Hardware ................................................................................ 208
Computer Software ................................................................................. 208
Computer Control Environment ............................................................... 209
Outside Computer Service Organizations ................................................. 211
Glossary ...................................................................................................... 212
Index .......................................................................................................... 215
Review Question Answers .......................................................................... 216
Part I − Section 1 Review Questions ......................................................... 216
Part I − Section 2 Review Questions ......................................................... 218
Part II − Section 1 Review Questions ........................................................ 218
Part II − Section 2 Review Questions ........................................................ 220
Part III − Section 1 Review Questions ....................................................... 222
Part III − Section 2 Review Questions ....................................................... 223
Part IV − Section 1 Review Questions ...................................................... 225
Part IV − Section 2 Review Questions ...................................................... 228
INTRODUCTION
Management’s ability to fulfill its financial reporting responsibilities depends in part on the design and
effectiveness of the processes and controls it has put in place over accounting and financial reporting.
Without such controls, it would be extremely difficult for most business organizations to prepare
reliable financial reports. Effective internal control over financial reporting has become a legal
obligation. This course incorporates and reflects up-to-date guidance from the PCAOB, the AICPA, the
ACFE, and the principles of the 2013 COSO Framework, and is divided into four parts:
Part I − The Principles of Internal Control. Internal control comprises the plans, methods, policies,
and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity. Without
adequate internal controls, management has little assurance that its goals and objectives will be
achieved. Part I provides an overview of the internal control framework and how it relates to the
achievement of basic management objectives. For example, it addresses the five components of
internal controls outlined in the 2013 COSO Framework. It explains some common control procedures
and the significance of the internal controls over financial reporting. The application of information
technology controls is highlighted, as well as the internal control limitations and cost-benefit
relationship.
Part II − Management Assessment of Internal Control. Section 404 of the Sarbanes–Oxley (SOX) Act
requires management to develop and monitor the procedures and controls that support its required
assertion about the adequacy of internal control over financial reporting, and requires an external
auditor to attest to that assertion. Statement on Auditing Standards (SAS) 130 requires the auditor
to examine and report directly on the effectiveness of internal control over financial reporting;
there is no longer an option to examine and report only on management’s assertion about that
effectiveness. Thus, managers in both public and nonpublic entities have become increasingly aware
of their responsibility for internal controls.
Part II provides practical guidance that helps readers design, implement, maintain, and evaluate
controls specifically related to accounting and financial reporting. It includes steps on how to identify
risks and controls, advice on how to assess the adequacy of controls, a discussion of how to reach a
fair assessment, and documentation requirements of effective controls, along with an illustration of
potential internal control weaknesses and a SOX Section 404 management compliance checklist.
Part III − Audit of ICFR Integrated with Audit of Financial Statements. Part III includes requirements
and considerations related to performing an integrated audit (an audit of internal control over financial
reporting integrated with an audit of the financial statements). It highlights the key procedures required
of external auditors to attest to management's disclosures regarding the effectiveness of its internal
control, such as audit planning, the use of a top-down approach, assessment of fraud risk, testing of
controls, and evaluation and communication of deficiencies. It also addresses other matters related to
smaller and less complex entities, management written representations, and use of the work of others,
along with examples of significant deficiencies and material weaknesses. Although management is not
required to adopt the same methodology as the external auditor, there are advantages in using a
similar approach. These requirements and procedures explain how the external auditor will review and
evaluate management’s assessment process. Following a similar approach also matters if management
intends to minimize audit fees by maximizing the auditor's reliance on management's own testing.
Part IV − Fraud Prevention and Detection. Fraud, a heavy economic and moral burden on society, is
a global scourge that harms the reputations of all industries and costs trillions of dollars in worldwide
damages each year. All organizations are subject to fraud risks. Therefore, no discussion of internal
controls would be complete without an examination of fraud prevention and detection. Fraud
perpetrators tend to display behavioral warning signs when engaging in their crimes. Additionally, the
typical fraudster has similar characteristics. Recognizing the red flags and understanding the profile of
fraudsters are important elements in the fight against fraud because prevention starts with being well
informed. The more individuals and organizations know about fraud, the less likely they are to be
victimized.
Part IV focuses on the causes of fraud, fraud risk factors, some of the more common types of fraud
and fraud symptoms, and fraud prevention and detection techniques, along with some recent cases in
corporate fraud. It explains the differences between forensic accounting and auditing. It also includes
the ACFE Fraud Prevention Checkup to help organizations identify major gaps and fix them before it is
too late.
LEARNING OBJECTIVES
After completing this section, you will be able to:
• Identify the functions and limitations of internal control
• Recognize the COSO principles of internal control
• Identify some common and important control procedures
• Distinguish between the IT general controls and application controls
• Recognize the implication and significance of the Sarbanes-Oxley Act
• Recognize key procedures involved in identifying risks and controls
• Identify key considerations for identifying and evaluating control deficiencies
• Recognize the requirements of management documentation of controls
• Identify factors in assessing the maturity level of a company’s internal control structure
• Identify the audit objectives, scope, and procedures applied to the integrated audit
• Recognize fraud considerations in a financial statement audit
• Identify the most common schemes and fraud symptoms
• Recognize techniques to prevent and detect fraud
PART I. The Principles of Internal Control
Part I addresses the following key principles to help you understand the nature and context of control:
• Control should respond quickly to evolving risks arising from factors within the organization and
to changes in the environment. (Types of Controls, Integration of Controls to Information Systems)
• Controls provide reasonable but not absolute assurance that the organization’s goals and
objectives will be achieved. (Limitation of Internal Controls)
• Control can help minimize the occurrence of errors and breakdowns but cannot provide absolute
assurance that they will not occur. (Limitations of Internal Controls)
• The system of control must include procedures for reporting promptly to appropriate levels of
management to ensure that corrective action is being undertaken. (Internal Control Systems)
• The costs of control must be balanced against the benefits, including the risks it is designed to
manage. (Cost-Benefit Relationships)
• Management is required to assess its system of ICFR using a recognized framework. Most have
selected the COSO framework, which is recognized as appropriate by the SEC and PCAOB (2013
COSO Framework)
Internal Control Systems
The Definition of Internal Control
Internal controls are a coordinated set of policies and procedures that reflect a comprehensive
strategy for achieving the following management objectives:
1. Reliable and comprehensive financial and other information
2. Compliance with laws, regulations, policies, plans and procedures
3. Efficient and effective operation and use of resources
4. Safeguarding of assets
In other words, internal controls are the varied techniques employed by management to achieve
management objectives and to meet management responsibilities. The comprehensiveness of an
entity’s internal control framework can be assessed based on the following features:
• Creating a favorable control environment
• Continually identifying and assessing risk
• Establishing effective control policies and procedures
• Effectively communicating information
• Monitoring the effectiveness of controls and corrective actions of issues identified
Most people wish to “cut to the chase” and go directly to a description of specific internal control
procedures. However, attempting to understand specific control procedures without first
understanding the overall framework of internal controls is like attempting to learn how to run before
walking. In both cases, the results are likely to be short-term frustration along with a long-term lack of
progress. The comprehensive control frameworks discussed in the following sections are powerful and
practical tools that give readers the flexibility they need to design, implement, maintain, and evaluate
controls to meet the ever-changing circumstances of a rapidly evolving environment.
Limitations of Internal Controls
Reasonable assurance refers to the fact that internal controls — even when they are appropriately
designed and operating effectively — cannot provide absolute assurance of achieving control
objectives. Reasonable assurance is a high level of assurance, but it is not absolute. For example,
internal control can provide reasonable assurance that:
• Certain management objectives implicit in internal control are achieved
• Transactions are recorded as necessary to permit preparation of financial statements in
conformity with the United States generally accepted accounting principles (GAAP)
Because of inherent limitations, however, internal controls cannot be designed to eliminate all fraud.
Inherent limitations include:
1. The consideration that control be cost-effective
2. An error in the design of control
3. The possibility that a person responsible for exercising control could abuse that authority (e.g.,
management override)
4. The potential for human error (e.g. human judgment in decision making)
5. Circumvention of controls through collusion with parties outside the entity or with employees
of the entity
6. The fact that most controls do not tend to be directed at transactions of unusual nature
7. Procedures may become inadequate due to changes in conditions
8. Manipulations by management with respect to transactions or estimates and judgments
The concept of reasonable assurance recognizes that even with an effective system of internal control,
there is a possibility that material misstatements, including misstatements due to management fraud,
may occur and not be prevented or detected on a timely basis.
Internal Control Frameworks
Several models exist which provide a basis for the design and objective assessment of the effectiveness
of control. Such models also provide criteria by which the effectiveness of the system of internal
control can be judged. This course focuses on two models currently accepted internationally which are
the 2013 COSO Framework and the GAO Green Book.
2013 COSO Framework
Overview
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its
Internal Control – Integrated Framework as a leading framework for designing, implementing, and
conducting internal control and assessing the effectiveness of internal control. Internal control is
defined by COSO as follows:
“Internal control is a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives relating
to operations, reporting, and compliance.”
In 2013, the COSO introduced its updated Internal Control - Integrated Framework (2013 COSO
Framework). The updated framework was evolutionary, and it was intended to maintain the original
framework while revising it for the many changes since 1992 that have occurred in business, operating
environments, legislation, globalization and technology.
The 2013 COSO Framework describes the role of controls to effect principles, but the Framework does
not prescribe controls to be selected, developed, and deployed for effective internal control. It
specifically noted that an organization’s selection of controls to effect relevant principles and
associated components is a function of management judgment based on factors unique to the entity.
It also states that a major deficiency in a component or principle cannot be mitigated to an acceptable
level by the presence and functioning of other components and principles. However, understanding
and considering how controls effect multiple principles can provide persuasive evidence supporting
management’s assessment of whether components and relevant principles are present and
functioning.
There are 3 categories of objectives in the 2013 framework:
1. Operations Objectives: These objectives relate to reviewing the company’s operations for
effectiveness and efficiency, including performance goals and safeguards against loss.
2. Reporting Objectives: These objectives relate to the reporting of financial and non-financial
information, both internally and externally. They can include reliability, timeliness, transparency, or
other items required by regulators, standards or the company’s own policies.
3. Compliance Objectives: These relate to the regulations and laws governing the company.
The most significant change made was the codification of the 17 principles that support the effective
design, implementation, and operation of the associated components and represent requirements
necessary to establish an effective internal control system. These principles are presented in the
“Control Framework − 17 Principles” section.
Components of Internal Control
As mentioned previously, an entity’s internal control consists of five components under the COSO
Framework: the control environment, risk assessment, control activities, information and
communication, and monitoring.
(Figure: the five components of internal control. Source: COSO, Internal Control - Integrated
Framework: Executive Summary, 2013)
These five components are linked together, thus forming an integrated system that can react
dynamically to changing conditions. The internal control system is intertwined with the entity’s
operating activities and is most effective when controls are built into the entity’s infrastructure,
becoming part of the very essence of the entity.
In summary, internal control is the responsibility of all employees. Entities must ensure that the system
of internal control is integrated into operational activities. Internal control should increase the
likelihood of detecting fraud, reduce unjustified spending, abuses or mistakes, prevent inappropriate
activities and strengthen compliance with regulations. Each component of internal control is discussed
below.
The Control Environment
The control environment is the most important of the five elements; the effectiveness of the other
four elements ultimately will depend upon it. It is sometimes referred to as the “tone at the top” of
the entity, meaning the integrity, ethical values, and competence of the management. Therefore, the
control environment is considered the foundation for the other components of internal control
because it provides discipline and structure by setting the tone/culture of an organization and
influencing control consciousness. It includes human resource policies and practices relative to hiring,
orientation, training, evaluating, counseling, promoting, compensating, and remedial actions.
“Tone at the Top” is the attitude of the management toward maintaining integrity and ethical values,
as demonstrated through their directives and behavior. Without a strong tone at the top to support
an internal control system, the control objectives cannot be properly defined, and as a result, the entity
may encounter obstacles such as:
• The entity’s risk identification may be incomplete
• Risk responses may be inappropriate
• Control activities may not be appropriately designed or implemented
• Information and communication may fail
• The results of monitoring may not be understood or acted upon to remediate deficiencies
The factors to consider in assessing the control environment include:
• Integrity and ethical values, including:
o Management’s actions to eliminate or mitigate incentives and temptations on the part of
personnel to commit dishonest, illegal, or unethical acts;
o Policy statements; and
o Code of conduct.
• Commitment to competence, including management’s consideration of competence levels for
specific tasks and how those levels translate into necessary skills and knowledge.
• Board of directors or audit committee participation, including interaction with internal and
external (independent) auditors.
• Management’s philosophy and operating style, such as management’s attitude and actions
regarding financial reporting, as well as management’s approach to taking and monitoring
risks.
• The entity’s organizational structure (i.e., the form and nature of organizational units).
• Assignment of authority and responsibility, including fulfilling job responsibilities.
• Human resource policies and practices, including those relating to hiring, orientation, training,
evaluating, counseling, promoting, and compensating employees.
In summary, the auditor will seek to understand the attitude, awareness, and actions concerning the
control environment on the part of management and the directors. For example, an auditor usually
evaluates whether:
• Management, with the oversight of those charged with governance, has created and
maintained a culture of honesty and ethical behavior, and
• The strengths in the control environment elements collectively provide an appropriate
foundation for the other components of internal control and whether those other components
are not undermined by deficiencies in the control environment
The auditor must concentrate on the substance of controls rather than their form because controls may
be established but not acted upon. For example, management may adopt a code of ethics but condone
violations of the code.
Control Environment Tips
• A code of conduct is approved and communicated companywide
• Policies and procedures regarding conflict of interests are established
• Ethical issues are discussed with employees
• Proper and timely actions are taken to address conflict of interest
• Job descriptions, limits to authority, performance standards, accountability, control activities, and
reporting relationships are clarified, documented, up-to-date, and communicated
• The principle of segregation of duties is adhered to in the design of internal control systems
• Adequate training and guidance are provided to ensure that employees are acquainted with the
policies and procedures
• Appropriate disciplinary action is in place to address the violation of policies and procedures
Risk Assessment
Risk assessment is a process for identifying and assessing risks that may prevent organizations from
achieving objectives. It is critical to develop appropriate plans to limit the possible negative
consequences of these risks and to determine which employees are responsible for implementation
of the adopted plans. The entity systematically, at least once a year, must analyze the risks associated
with activities. In general, the risk assessment process includes the following key elements:
Risk assessment is the responsibility of all employees in the entity. The establishment and
development of risk assessment in the entity is the responsibility of the head of the entity (e.g. CEO)
and the heads of organizational units in the entity (e.g. managers). The fundamental elements of risk
assessment are the evaluation of significant risks and the implementation of suitable risk responses.
Risk responses include:
1. Acceptance or tolerance of a risk
2. Avoidance or termination of a risk
3. Risk transfer or sharing via insurance, a joint venture or other arrangement
4. Reduction or mitigation of risk via internal control procedures or other risk prevention
activities
The following lists summarize the key elements of risk assessment and the key steps to assess risks.
The steps are discussed in the following sections.
Risk Assessment Key Elements
• Objectives
• Definition of risk
• Roles and responsibilities
• Prioritization and response of risks
• Implementation of the measures taken
• Reporting and monitoring activities
Risk Assessment Process
1. Identify risks (develop assessment criteria)
2. Assess risks (evaluate risk interactions; prioritize risks)
3. Respond to risks
Identify Risks
Risk can be defined as the possibility that an event will occur and adversely affect the achievement of
objectives. Events can have either a positive or a negative impact. An event with a positive impact
represents an opportunity. An event with a negative impact on achieving an objective represents a
risk. In other words, an event affects the company’s objectives and creates the condition for risk only
if it has a negative impact. For example, the failure of a supplier to provide materials for production is
an event. The risk is not meeting production deadlines causing late deliveries to customers.
Uncertainty is not knowing what will happen in the future. The greater the uncertainty, the greater
the risk. An organization must understand the sources of uncertainty because risk is about knowledge.
When management lacks knowledge, there is greater uncertainty. The risk identification process
precedes the assessment process, thus allowing management to create a list of risks (opportunities as
well).
Assess Risks
An effective risk identification process produces a key business risk universe or register linked to
business objectives and value drivers. Details of how to assess risks are discussed in “Step 3: Addressing
and Monitoring Risks” section in Part II of this course.
Respond to Risks
Management should design overall risk responses based on the significance of the risk and defined
risk tolerance. There are four fundamental choices:
1. Acceptance - No action is taken to respond to the risk based on the insignificance of the
risk.
2. Avoidance - Action is taken to stop the operational process or the part of the operational
process causing the risk.
3. Reduction - Action is taken to reduce the likelihood or magnitude of the risk.
4. Sharing - Action is taken to transfer or share risks across the entity or with external parties,
such as insuring against losses. Other examples include lease agreements, waivers,
disclaimers, tickets, and warning signs.
When risk response actions do not allow the organization to operate within the defined risk tolerances,
management should revise the risk responses or reconsider the risk tolerances through the periodic
risk assessments.
Risk Assessment Tips
• Senior executives set the basis for how risk is viewed and addressed, including risk management
philosophy and risk appetite, integrity and ethical values, and the environment in which they
operate (tone at the top)
• Objectives must exist before management can identify potential events affecting their
achievement
• A clear link between objectives, risks and selected strategic initiatives is established
• Perspectives/inputs are gathered from all levels of employees to strengthen the risk culture and
ownership and enhance the organization’s ability to understand, identify, and manage risks
• The assessment of the risk in terms of impact and likelihood is reliable and relevant
• Formal risk response and risk measures are developed and documented
• Key questions for management to ask include:
− What could happen? List risks, incidents or accidents that might happen by systematically working
through each competition, activity or stage of the event to identify what might happen at each
stage.
− How and why can it happen? List the possible causes and scenarios or a description of the risk,
incident or accident.
− What constitutes a material risk to our company?
− How much risk are we willing to accept?
− What is the likelihood of these risks happening?
− What will be the consequences if they do happen?
Relevance to Sarbanes-Oxley Compliance
Although the Sarbanes-Oxley (SOX) Act of 2002 does not require companies to adopt enterprise risk
management (ERM), implementation of ERM facilitates compliance with applicable SOX requirements.
For example, it will assist certifying officers with the discharge of their Section 302 quarterly
certification and Section 404 annual assessment responsibilities. Moreover, since both the Securities
and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB)
promoted a risk-based approach to evaluating internal control over financial reporting in accordance
with Section 404, ERM can provide benefits from a SOX compliance perspective. Specifically, ERM
enables companies to maintain their disclosure process through a process-based chain of
accountability, involving unit managers and process owners who communicate issues requiring action
and possible disclosure. ERM also provides executives and directors with more confidence that the
internal control structure is sustainable. ERM focuses on business risk and internal controls to preserve
and create enterprise value. The emphasis is on ‘risk strategy’. A company can support SOX compliance
and also identify new risks before they emerge, thereby managing risks proactively and strategically
across the enterprise.
Control Activities
Control activities are the policies and procedures designed by management to help ensure that the
organization’s objectives and goals are not negatively impacted by internal or external risks.
Examples of specific control activities include those relating to the following:
Authorization. Every transaction must be authorized and carried out by people acting within the scope
of their authority. This will help prevent invalid transactions.
Physical controls, which involve: 1) physical security of assets, such as adequate safeguards over the
access to assets and records; 2) authorization for access to computer programs and files; and 3) periodic
counting and comparison with amounts shown on control records (e.g., comparing the results of cash,
security, and inventory counts with accounting records).
Segregation of duties, which is designed to reduce the opportunities to allow any person to be in a
position both to perpetrate and to conceal errors or irregularities (fraud) in the normal course of his
or her duties, involves assigning different people the responsibilities of authorizing transactions,
recording transactions, maintaining custody of assets, and reconciliation:
• Authorization: The process of reviewing and approving transactions, such as verifying daily
balancing reports and approving purchase orders and timesheets.
• Record Keeping: The process of creating and maintaining records of revenues, expenditures,
and inventories, such as preparing cash receipts or billings and purchase requisitions, and
maintaining inventory records.
• Custody: Having access to or control over any physical assets, including cash, checks,
equipment, supplies or materials.
• Reconciliation: The process of verifying the processed transactions to ensure that they are
valid, properly authorized and recorded on a timely basis, and following up on any
discrepancies identified. Examples of this control mechanism include conducting physical
inventory counts, comparing funds collected to accounts receivable postings, comparing cash
collections to deposits, and reconciling department revenues and expenditures to management
reports.
For instance, the various functions involved in the purchase of supplies should be segregated as
follows:
The segregation of duties concept should also apply to software development, and the following
functions should be separated:
1. Identification of Requirements (or Change Request)
2. Authorization of Approval (e.g. IT Governance Board or Manager)
3. Design and Development (e.g., Developer)
4. Review, Inspection and Approval (e.g., another Developer or Tester)
5. Implementation in Production (e.g. System Administrator)
Performance reviews, including comparisons of actual performance with budgets, forecasts, and
prior-period results (e.g. comparing internal data with external sources of information, review of
functional performance).
Information processing. Controls relating to information processing are generally designed to verify
accuracy, completeness, and authorization of transactions. Specifically, controls may be classified as
general controls or application controls. The former might include controls over data center
operations, systems software acquisition and maintenance, and access security; the latter apply to the
processing of individual applications and are designed to ensure that transactions that are recorded
are valid, authorized, and complete.
Periodic reconciliation/verification. Accounting records should be compared periodically to ensure
that they faithfully reflect the underlying facts. For example, cash reported in the accounting records
should be reconciled to the cash balances reported on the bank statement. General ledger accounts
should be reconciled to related amounts reported in subsidiary ledgers. Moreover, management
should periodically compare data contained in the accounting records to what those data represent.
Segregation of duties in the purchase of supplies (the example referred to above):
• Purchasing Department: issuing a purchase order to the vendor based on an approved requisition
form (authorization)
• Receiving Department: verifying that the ordered goods have been received by preparing a
receiving report (custody)
• Accounting Department: preparing checks and recording the transaction in the accounting record
upon the review and match of the requisition, purchase order, the receiving report and invoices
(record keeping, reconciliation)
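The three-way match performed by the accounting department, together with a check that no one person held two of the segregated roles, can be expressed as a small detective control. The following is an added example and not code from the course; the document types, field names and the sample requisitions, purchase orders, receiving reports and invoices are constructed for illustration.

```python
"""Three-way match with a segregation-of-duties check for the purchasing cycle.
Added example, not from the course; records and field names are constructed."""
from dataclasses import dataclass
from typing import Dict, List


# Each document records who performed the step, so the segregated roles
# (authorization, purchasing, custody, record keeping) can be checked while
# the documents themselves are matched.
@dataclass(frozen=True)
class Requisition:
    req_id: str
    approved_by: str      # authorization of the purchase


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    req_id: str
    issued_by: str        # purchasing department
    qty: int
    unit_price: float


@dataclass(frozen=True)
class ReceivingReport:
    rr_id: str
    po_id: str
    received_by: str      # custody of the goods
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    inv_id: str
    po_id: str
    recorded_by: str      # record keeping (accounting)
    qty_billed: int
    unit_price: float


def three_way_match(inv: Invoice, pos: Dict[str, PurchaseOrder],
                    reqs: Dict[str, Requisition],
                    rrs: List[ReceivingReport]) -> List[str]:
    """Return the exceptions for one invoice; an empty list means it may be paid.
    Clean = PO exists, PO has an approved requisition, goods were received,
    quantity and price agree, and nobody performed two segregated roles."""
    findings: List[str] = []
    po = pos.get(inv.po_id)
    if po is None:
        return [f"{inv.inv_id}: no purchase order {inv.po_id} on file"]
    req = reqs.get(po.req_id)
    if req is None:
        findings.append(f"{inv.inv_id}: PO {po.po_id} has no approved requisition")
    rr = next((r for r in rrs if r.po_id == po.po_id), None)
    if rr is None:
        findings.append(f"{inv.inv_id}: no receiving report for PO {po.po_id}")
    elif rr.qty_received != inv.qty_billed:
        findings.append(f"{inv.inv_id}: billed {inv.qty_billed} but received {rr.qty_received}")
    if inv.qty_billed != po.qty or abs(inv.unit_price - po.unit_price) > 0.005:
        findings.append(f"{inv.inv_id}: quantity or price differs from PO {po.po_id}")
    # Segregation of duties: one employee must not hold two of these roles.
    roles = {
        "authorization": req.approved_by if req else None,
        "purchasing": po.issued_by,
        "custody": rr.received_by if rr else None,
        "record keeping": inv.recorded_by,
    }
    seen: Dict[str, str] = {}
    for role, person in roles.items():
        if person is None:
            continue
        if person in seen:
            findings.append(f"{inv.inv_id}: {person} performed both {seen[person]} and {role}")
        else:
            seen[person] = role
    return findings


# Constructed sample data. INV-1 is clean; INV-2 was short-received and the
# same person both approved and recorded it; INV-3 lacks a requisition and a
# receiving report; INV-4 cites a purchase order that does not exist.
REQS = {"R-1": Requisition("R-1", "alice"), "R-2": Requisition("R-2", "carol")}
POS = {
    "PO-1": PurchaseOrder("PO-1", "R-1", "bob", 10, 42.00),
    "PO-2": PurchaseOrder("PO-2", "R-2", "bob", 50, 4.00),
    "PO-3": PurchaseOrder("PO-3", "R-9", "bob", 4, 120.00),
}
RRS = [ReceivingReport("RR-1", "PO-1", "dave", 10),
       ReceivingReport("RR-2", "PO-2", "dave", 45)]
INVOICES = [
    Invoice("INV-1", "PO-1", "erin", 10, 42.00),
    Invoice("INV-2", "PO-2", "carol", 50, 4.00),
    Invoice("INV-3", "PO-3", "erin", 4, 120.00),
    Invoice("INV-4", "PO-7", "erin", 1, 9.99),
]


def review_invoices() -> Dict[str, List[str]]:
    """Run the match over the sample invoices, keyed by invoice id."""
    return {inv.inv_id: three_way_match(inv, POS, REQS, RRS) for inv in INVOICES}


if __name__ == "__main__":
    for inv_id, findings in review_invoices().items():
        print(inv_id, "OK" if not findings else findings)
```

The match refuses to clear an invoice that is missing any one of the upstream documents, which is the point of requiring all three: a fictitious invoice has no receiving report, and an unauthorized purchase has no approved requisition. The role check is what makes the control detective rather than merely clerical, since an invoice that reconciles perfectly can still have been approved and recorded by the same person.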
Analytical review is a process of determining the reasonableness of financial data by comparing the
data’s behavior with other financial/nonfinancial data. This review attempts to compare what is
reported to what is reasonably expected. For example:
1. Identifying fuel credit card usage that is abnormally high compared to others in a similar role
2. Calculating expected mileage for a particular amount of fuel charged and then comparing it to
typical or expected travel patterns
A basic premise underlying the application of analytical procedures is that plausible relationships
among data may reasonably be expected to exist and continue in the absence of known conditions to
the contrary. Variability in these relationships can be explained by, for example, unusual events or
transactions, business or accounting changes, misstatements, or random fluctuations. Analytical
review is a very effective way to ensure adequate control in cases where it is not practical to segregate
incompatible duties (e.g. small entities).
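Both analytical review examples above (fuel-card spend compared with peers in the same role, and mileage expected from the fuel charged compared with the travel actually logged) can be run over a set of card records. The following is an added example and not part of the course; the records, the fuel price and the fleet fuel economy are constructed and assumed values, and the modified z-score with a 3.5 cutoff is a standard robust outlier test chosen here, not a method the course prescribes.

```python
"""Analytical review of fuel-card spending: peer comparison and expected mileage.
Added example, not from the course; records, price and MPG are constructed."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

PRICE_PER_GALLON = 3.50   # assumed average price paid
FLEET_MPG = 25.0          # assumed fleet fuel economy

# Constructed one-month fuel-card records: employee id, role, dollars charged,
# and miles recorded in the vehicle log for the same month.
FUEL_RECORDS: List[Dict] = [
    {"employee": "E101", "role": "field_tech", "fuel": 198.0, "miles": 1350},
    {"employee": "E102", "role": "field_tech", "fuel": 210.0, "miles": 1500},
    {"employee": "E103", "role": "field_tech", "fuel": 215.0, "miles": 1600},
    {"employee": "E104", "role": "field_tech", "fuel": 225.0, "miles": 1550},
    {"employee": "E105", "role": "field_tech", "fuel": 890.0, "miles": 1200},
    {"employee": "E106", "role": "field_tech", "fuel": 240.0, "miles": 1700},
    {"employee": "E201", "role": "sales", "fuel": 300.0, "miles": 2000},
    {"employee": "E202", "role": "sales", "fuel": 320.0, "miles": 2300},
    {"employee": "E203", "role": "sales", "fuel": 310.0, "miles": 2200},
    {"employee": "E204", "role": "sales", "fuel": 330.0, "miles": 2400},
]


def peer_outliers(records, threshold: float = 3.5) -> List[Tuple[str, float]]:
    """Flag employees whose fuel spend is abnormally high versus peers in the same role.
    Uses the modified z-score 0.6745 * (x - median) / MAD, which, unlike a
    mean/standard-deviation score, is not dragged upward by the very outlier
    being looked for; 3.5 is the conventional cutoff."""
    by_role = defaultdict(list)
    for r in records:
        by_role[r["role"]].append(r)
    flagged = []
    for group in by_role.values():
        spends = [r["fuel"] for r in group]
        med = statistics.median(spends)
        mad = statistics.median(abs(s - med) for s in spends)
        if mad == 0:            # all peers identical: nothing to compare against
            continue
        for r in group:
            score = 0.6745 * (r["fuel"] - med) / mad
            if score > threshold:
                flagged.append((r["employee"], round(score, 1)))
    return flagged


def expected_miles(fuel_dollars: float) -> float:
    """Miles the charged fuel should have produced at the assumed price and MPG."""
    return fuel_dollars / PRICE_PER_GALLON * FLEET_MPG


def mileage_exceptions(records, tolerance: float = 0.5) -> List[str]:
    """Flag employees whose logged miles explain less than `tolerance` of the fuel bought."""
    return [r["employee"] for r in records
            if r["miles"] < tolerance * expected_miles(r["fuel"])]


if __name__ == "__main__":
    print("peer outliers:", peer_outliers(FUEL_RECORDS))
    print("mileage exceptions:", mileage_exceptions(FUEL_RECORDS))
```

The two tests are deliberately independent: the peer comparison needs no knowledge of how the fuel was used, and the mileage check needs no peers, so an employee who is the only person in a role can still be reviewed. An employee flagged by both is the case to follow up first; one flagged only by the peer test may simply have a different territory, which is the kind of plausible explanation the passage above refers to.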
The control activities discussed above can be divided into four categories, which will be discussed
later:
1. Directive controls
2. Preventive controls
3. Detective controls
4. Corrective controls
Information & Communication Systems Support
The information system generally consists of the methods and records established to record, process,
summarize, and report transactions and to maintain accountability of related assets, liabilities, and
equity. ‘Information quality’ usually has the following characteristics:
• Reliable and accurate
• Useful and clear
• Complete
• Understandable
• Accessible
• Timely
Information should be delivered quickly in and outside the entity and aimed at strengthening ethical
values, policies, authorizations, responsibilities and reporting obligations.
Communication involves providing an understanding of individual roles and responsibilities pertaining
to internal control. Examples of internal communication include:
1. Management clearly defines the lines of communication through policy manuals and
organization charts
2. Management has communicated the types of information required to achieve objectives and
address risks
3. All internal control documents and related reports are available to all staff through an appropriate
method based on confidentiality and relevance to job responsibilities
4. The appropriate information delivery system has been determined (e.g., email, written memo,
staff meetings, etc.) for changes and updates
Information and Communication Tips
• There are clear communication and reporting lines enabling people to discharge their
responsibilities effectively
• The information systems are aligned to the corporate strategic and operational initiatives
• Employees receive regular, reliable and easily accessible management information on budget
execution, use of resources and progress of their strategic and operational plans
• Channels to report inadequacies are in place
• Feedback mechanisms are established to ensure that adequate communication channels exist across
the organization
• There is timely and appropriate follow-up action by management resulting from communications
from outside the organization
Monitoring
Monitoring is management’s process of assessing the quality of internal control performance over
time. Accordingly, management must assess the design and operation of controls on a timely and
ongoing basis and take necessary corrective actions. Examples of monitoring controls include:
• Internal audits
• Management reviews
• Audit committee activities
• Disclosure committee activities
• Self-assessment reviews
Monitoring may involve:
1. Separate evaluations (e.g., regular management and supervisory review activities)
2. The use of internal auditors, and
3. The use of communications from outside parties (e.g., complaints from customers and
regulator comments).
In general, monitoring activities should address the following issues:
• Are controls in place and operating effectively?
• Is the system working as designed?
• Are exceptions and problems identified and resolved promptly?
• Are the controls periodically reviewed?
Monitoring Tips
• Ongoing monitoring processes are integrated with the daily carrying out of activities and
operations
• Scoreboards are developed, used and monitored
• Quality control evaluations are conducted annually (or upon regulatory requirements)
• Identification of change in the business environment, regulatory requirements, practices,
activities, processes, and procedures that may require changes to internal control systems is in
place
• Action plans are developed, implemented and followed up
• The internal audit function is in place to independently assess the adequacy and effectiveness of
risk, control and governance processes
• Reviews and audits are conducted by external auditors
The GAO Green Book
Overview
In 2014, the Government Accountability Office (GAO) revised the Green Book, Standards for Internal
Control in the Federal Government, to adapt the 17 underlying principles of the 2013 COSO Framework
for a government environment. The updated Green Book aligns the 17
principles to the existing internal control framework and identifies attributes that support the design
and implementation of each of the principles. It includes requirements for establishing an effective
internal control system, including specific documentation requirements. The Green Book is structured
as follows:
• Section 1: An overview of the fundamental concepts of internal control
• Section 2: A discussion of internal control components, principles, and attributes; how these
relate to an entity’s objectives; and the three categories of objectives
• Section 3: A discussion of the evaluation of the entity’s internal control system’s design,
implementation, and operation
• Section 4: Additional considerations that apply to all components in an internal control system
The Green Book may be adopted by state, local, and quasi-governmental entities, as well as
not-for-profit organizations, as a framework for an internal control system. It fulfills a requirement of
the Federal Managers’ Financial Integrity Act (FMFIA) for GAO to issue internal control standards and
requires federal agency executives to periodically review and annually report on the agency’s internal
control systems. Green Book standards address the policies and procedures for federal agencies to
help ensure effective use of resources in meeting their mission, goals, objectives, and strategic plan
by:
1. Providing managers criteria for designing, implementing, and operating an effective internal
control system
2. Defining the standards through components and principles and explaining why they are integral
to an entity’s internal control system
3. Clarifying what processes management considers part of internal control
The COSO 2013 Framework and the Green Book standards are very similar, since the GAO leveraged
the COSO 2013 Framework in creating its own standards for the government environment, with few
adjustments. Although the two frameworks are very similar, some differences do exist between these
standards. The following table lists the key differences between COSO and the Green Book:
Key Differences: Requirements
COSO Framework:
− Each of the 5 components and relevant principles are present and functioning
− Addresses deficiencies in general terms
− Documentation is a matter of judgment
Green Book:
− Each of the 5 components, 17 principles, and relevant attributes are effectively designed, implemented, and operating
− Addresses deficiencies in design, operation, and implementation
− Specifies minimum documentation requirements
Key Differences: Overall Tone and Approach
COSO Framework:
− Accommodates global operations
− Additional details and narrative
− IT general controls
− Focus on the organization’s responsibilities for internal controls
Green Book:
− Accommodates government operations
− Direct and indexed
− IT general and application controls
− Focus on management’s responsibilities for internal controls
Source: Association of Local Government Auditors, Standards for Internal Control in the Federal Government: The
“Green Book” Presentation, 2017
Successful application of the 17 underlying COSO principles can help a federal entity improve
accountability and achieve its objectives related to operations, reporting, and compliance through the
implementation of an effective internal control system. An effective internal control system allows an
entity to adapt to shifting environments, evolving demands, changing risks, and new priorities. Most
states have enacted statutes to address the internal controls of their agencies, and many have adopted
the Green Book standards into their own state-wide guidance for their agencies to follow in developing
and maintaining an effective internal control system. The standards are effective beginning with fiscal
year 2016 and the FMFIA reports covering that year. The Green Book framework principles are
discussed in the following section.
The American Institute of CPAs (AICPA) accepts the Green Book and the 2013 COSO framework as a
source to measure the effectiveness of an entity’s system of controls, and to assess control risk as well
as report on controls.
Framework Principles
OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal
Control, directs agencies to implement policies and procedures consistent with the Green Book. In
2016, the OMB Director issued the following new guidance intended to improve the efficiency and
effectiveness of the government:
“The policy changes in this Circular modernize existing efforts by requiring agencies to implement
Enterprise Risk Management (ERM) practices in coordination with the strategic planning and strategic
review process established by the Government Performance and Results Modernization Act (GPRAMA),
and the internal control processes required by FMFIA and Government Accountability Office (GAO)’s
Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus
corrective actions towards key risks.”
Control Framework − 17 Principles
While there are different ways to present internal control, the Green Book approaches internal control
through a hierarchical structure of five components and 17 principles in accordance with the 2013
COSO Framework. The following five components represent the highest level of the hierarchy of
standards for internal control in the federal government:
Framework Principles
The Control Environment: the foundation for an internal control system. It provides the discipline and
structure to help an entity achieve its objectives.
1. Demonstrate commitment to integrity and ethical values
2. Exercise oversight responsibility
3. Establish structure, authority, and responsibility
4. Demonstrate commitment to competence
5. Enforce accountability
Risk Assessment: this component assesses the risks facing the entity as it seeks to achieve its
objectives. The assessment provides the basis for developing appropriate risk responses.
6. Define objectives and risk tolerances
7. Identify, analyze, and respond to risks
8. Assess fraud risk
9. Identify, analyze, and respond to significant change
Control Activities: the actions management establishes through policies and procedures to achieve
objectives and respond to risks in the internal control system, which includes the entity’s information
system.
10. Design control activities to achieve objectives
11. Design control activities for the entity’s information systems
12. Implement control activities through written policies
Information and Communication: the quality information that management and personnel
communicate and use to support the internal control system.
13. Use quality relevant information
14. Communicate internally
15. Communicate externally
Monitoring Activities: activities management establishes and operates to assess the quality of
performance over time and promptly resolve the findings of audits and other reviews.
16. Establish and perform monitoring activities
17. Identify and remediate deficiencies in a timely manner
The Green Book contains additional information in the form of attributes. These attributes are
intended to help organize the application material management may consider when designing,
implementing, and operating the associated principles. The GAO’s attributes for each of these 17
principles are listed in the following section.
Control Framework with GAO’s Attributes
Source: GAO, Standards for Internal Control in the Federal Government
Control Framework: 17 Principles with Attributes
Control Environment
1. Demonstrate commitment to integrity and ethical values
• Tone at the Top
• Standards of Conduct
• Adherence to Standards of Conduct
2. Exercise oversight responsibility
• Oversight Structure
• Oversight for the Internal Control System
• Input for Remediation of Deficiencies
3. Establish structure, authority, and responsibility
• Organizational Structure
• Assignment of Responsibility and Delegation of Authority
• Documentation of the Internal Control System
4. Demonstrate commitment to competence
• Expectations of Competence
• Recruitment, Development, and Retention of Individuals
• Succession and Contingency Plans and Preparation
5. Enforce accountability
• Enforcement of Accountability
• Consideration of Excessive Pressures
Risk Assessment
6. Define objectives and risk tolerances
• Definitions of Objectives
• Definitions of Risk Tolerances
7. Identify, analyze, and respond to risks
• Identification of Risks
• Analysis of Risks
• Response to Risks
8. Assess fraud risk
• Types of Fraud
• Fraud Risk Factors
• Response to Fraud Risks
9. Identify, analyze, and respond to significant change
• Identification of Change
• Analysis of and Response to Change
Control Activities
10. Design control activities to achieve objectives
• Response to Objectives and Risks
• Design of Appropriate Types of Control Activities
• Design of Control Activities at Various Levels
• Segregation of Duties
11. Design control activities for an entity’s information systems
• Design of the Entity’s Information System
• Design of Appropriate Types of Control Activities
• Design of Information Technology Infrastructure
• Design of Security Management
• Design of Information Technology Acquisition, Development, and Maintenance
12. Implement control activities through written policies
• Documentation of Responsibilities through Policies
• Periodic Review of Control Activities
Information and Communication
13. Use quality relevant information
• Identification of Information Requirements
• Relevant Data from Reliable Sources
• Data Processed into Quality Information
14. Communicate internally
• Communication throughout the Entity
• Appropriate Methods of Communication
15. Communicate externally
• Communication with External Parties
• Appropriate Methods of Communication
Monitoring Activities
16. Establish and perform monitoring activities
• Establishment of a Baseline
• Internal Control System Monitoring
• Evaluation of Results
17. Identify and remediate deficiencies in a timely manner
• Reporting
• Evaluation
• Corrective action
Part I − Section 1 Review Questions
1. Internal controls are critical. However, they cannot be designed to provide reasonable assurance
in which of the following scenarios?
A. All transactions are executed in accordance with management's authorization
B. All fraud will be eliminated in accordance with management’s authorization
C. Access to assets is permitted only in accordance with management's authorization
D. The recorded assets accounts are compared with the existing assets at reasonable intervals
2. Which of the following components of internal control includes an assignment of authority and
responsibility?
A. Monitoring
B. Control environment
C. Risk assessment
D. Control activities
3. Which of the following components of internal control includes the development and use of
training policies that communicate prospective roles and responsibilities to employees?
A. Monitoring
B. Control environment
C. Risk assessment
D. Control activities
4. Proper segregation of duties will reduce the opportunities which allow persons to be in positions
to both ____________
A. Journalize entries and prepare financial statements
B. Record cash receipts and cash disbursements
C. Establish internal control and authorize transactions
D. Perpetrate and conceal errors and fraudulent acts
5. Effective internal control calls for the separation of certain functions. Which of the following
functions should be separated?
A. Authorization, execution, and payment
B. Authorization, recording, and custody
C. Custody, execution, and reporting
D. Authorization, payment, and recording
6. What is a basic premise underlying analytical procedures?
A. These procedures cannot replace tests of balances and transactions
B. Statistical tests of financial information may lead to the discovery of material misstatements
in the financial statements
C. The study of financial ratios is an acceptable alternative to the investigation of unusual
fluctuations
D. Plausible relationships among data may reasonably be expected to exist and continue in the
absence of known conditions to the contrary
Types of Controls
The control activities serve as mechanisms for and are a part of managing the achievement of
objectives. Key benefits of implementing internal control are increased efficiency of operations and
management of risks. Management will also be supported by:
• Applying standardized procedures, rules, and regulations;
• Protecting an entity’s current assets;
• Providing reliable financial reporting;
• Assuring compliance with laws and regulations;
• Eliminating income or resource losses;
• Promoting goal-oriented and accurate decision making;
• Identifying and preventing fraud
Control activities can be split into the following categories: directive, preventive, detective, and
corrective controls. Each category is discussed in the following sections.
Directive Controls
Directive controls are designed to encourage the events necessary for the achievement of objectives.
In particular, directive controls guide employees to help achieve the desired objectives of the
department. For example, a job description or the setting of targets is considered as a directive control
- it provides employees with guidance as to what is expected of them. A personnel policy or a code of
ethics also provides guidance on the conduct expected of all employees.
Preventive Controls
While detecting errors and fraud once they occur is essential to any industry, it is obviously best to
prevent them before they happen. Preventive controls are designed to prevent the occurrence of
failures, inefficiencies, errors, and weaknesses. Preventative controls are proactive controls, in place
during the activity or during the execution of employees' duties. Preventive controls should be focused
on areas where the likelihood and/or impact of errors and fraud are highest. Although preventive
controls cannot guarantee that errors and fraud will not be committed, they serve as the first line of
defense to minimize the risk. If effective preventive controls are in place and well-known to potential
fraud perpetrators, they serve as strong deterrents to discourage those who may be tempted to
commit fraud. Fear of getting caught is always a strong deterrent. Examples of controls to prevent
irregularities include:
1. Implementing procedures and controls (e.g. anti-fraud strategy, standards of conduct)
2. Providing fraud-awareness training
3. Conducting employee background checks
4. Implementing access control (e.g. limiting access to IT systems)
5. Implementing policies that provide for appropriate segregation of duties
6. Authorization and approval
7. Leaving no blank space on checks, since a check filled in with more characters is more difficult
to tamper with
8. Securing the check stock in a locked area with restricted access
9. Implementing automated controls such as transaction limits, system edit checks, and data
matching (eligibility verification)
10. Conducting predictive analytics
Detective Controls
The risk of fraud can never be eliminated entirely. There are always people who are motivated to
commit fraud, and an opportunity can arise for overriding a control or collusion with others. Detective
controls are designed to detect and correct failures, inefficiencies, errors, and weaknesses. They
operate after an event has occurred or an output has been produced. However, they should reduce
the risk of undesirable consequences because they enable remedial action to be taken. Detective
controls must be adaptable, flexible, and continuously changing to address the various changes in risks.
Sometimes it is more effective to detect and address certain types of fraud after it occurs rather than
trying to prevent it before it occurs.
Detective controls are most effective for areas where the likelihood of fraud is low but the potential
impact is severe. Such controls can also help assess the effectiveness of preventive controls. Examples
of detective controls include:
1. Surprise audits in high fraud risk and/or high error areas
2. Reviewing performance
3. Reconciling accounting transactions to supporting documentation at random intervals
4. Conducting ad hoc audits and analyses
5. Performing bank reconciliations
6. Reviewing documents for policy compliance and/or unusual transactions
7. Inspecting goods received
8. Monitoring critical data and related trends to identify unusual variance
9. Performing data analysis and ratio analysis to identify any abnormal trends or patterns
10. Implementing automated system flags (e.g. disbursement over a certain dollar amount,
excessive number of purchasing card transactions to a single vendor).
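The automated system flags in item 10, worked as an added example (not code from the course or from any of the frameworks it cites): each flag runs over a constructed disbursement ledger and returns the exception entries a reviewer would follow up on. The dollar limit, the per-vendor transaction threshold and the calendar-month review period are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Disbursement:
    txn_id: str
    date: str       # ISO date; the "YYYY-MM" prefix defines the review period
    vendor: str
    amount: float
    method: str     # "check", "ach" or "pcard" (purchasing card)


# Constructed sample ledger (not real data): four card transactions to one
# vendor in March plus one large check payment.
SAMPLE_LEDGER = [
    Disbursement("T001", "2020-03-02", "Acme Supply", 1250.00, "pcard"),
    Disbursement("T002", "2020-03-03", "Acme Supply", 980.00, "pcard"),
    Disbursement("T003", "2020-03-04", "Acme Supply", 1100.00, "pcard"),
    Disbursement("T004", "2020-03-05", "Acme Supply", 450.00, "pcard"),
    Disbursement("T005", "2020-03-05", "Northwind Consulting", 27500.00, "check"),
    Disbursement("T006", "2020-03-06", "Office Depot", 213.40, "pcard"),
    Disbursement("T007", "2020-04-01", "Acme Supply", 640.00, "pcard"),
]


def flag_large_disbursements(ledger, dollar_limit):
    """Flag each disbursement over the dollar limit, whatever the payment method."""
    return [(d.txn_id, "OVER_LIMIT", d.amount) for d in ledger if d.amount > dollar_limit]


def flag_pcard_vendor_concentration(ledger, max_txns_per_month):
    """Flag vendor/month pairs that received more than max_txns_per_month
    purchasing-card transactions; the count is what makes a vendor unusual."""
    counts = defaultdict(int)
    for d in ledger:
        if d.method == "pcard":
            counts[(d.vendor, d.date[:7])] += 1
    return sorted((vendor, month, "EXCESSIVE_PCARD_TXNS", n)
                  for (vendor, month), n in counts.items() if n > max_txns_per_month)


def run_detective_flags(ledger, dollar_limit, max_txns_per_month):
    """Produce the exception list that the reviewing department works from."""
    return {
        "over_limit": flag_large_disbursements(ledger, dollar_limit),
        "pcard_concentration": flag_pcard_vendor_concentration(ledger, max_txns_per_month),
    }


if __name__ == "__main__":
    for kind, items in run_detective_flags(SAMPLE_LEDGER, 10000.00, 3).items():
        for item in items:
            print(kind, *item)
```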
The following graphic encompasses control activities to prevent, detect, and respond to errors,
irregularities, and fraud risks. These control activities are interdependent and mutually reinforcing.
For example, a surprise inventory count, a detective activity, also serves as a deterrent because it
creates the perception of controls and the possibility of punishment, which discourages fraudulent
behavior. Response efforts can inform preventive activities. For instance, the results of investigations
can also be used to enhance applicant screenings and fraud indicators.
Note that the circle for prevention in the figure is larger because preventative activities generally offer
the most cost-efficient use of resources in that they enable managers to avoid a costly and inefficient
“pay-and-chase” model. Moreover, preventive controls are stronger than detective controls because
they prevent mistakes and other undesirable events from occurring. Detective controls are important
too, but they detect mistakes or other events only after they have occurred, and so are of less help in
recovering from the undesirable event. For example, monitored access to a fuel pump is a preventive
control. When this control operates properly, it should prevent inappropriate usage of fuel for
personal or other unauthorized purposes. Periodic reconciliation of fuel usage as a detective control
should also be in place. However, if a mistake or theft of fuel occurs due to the failure of the preventive
control (e.g. collusion or override), the fuel is already gone by the time the reconciliation identifies the loss.
Therefore, preventive controls are stronger controls for reducing errors and fraud.
Corrective Controls
Corrective controls are designed to correct the circumstances arising from the undesired events. They
help organizations recover from loss or damage. For instance, the design of contractual terms and
conditions enables the recovery of excess payments. Insurance may be considered as a form of
corrective control, as it facilitates the financial recovery in relation to the occurrence of a risk.
[Figure: three circles labeled Prevention, Detection, and Response; the Prevention circle is drawn larger]
The Concepts of ICFR
One of the key responsibilities of every public company’s management is to prepare timely and reliable
information. Effective internal control over financial reporting (ICFR) substantially reduces the risk of
misstatements and inaccuracies in a company’s financial statements, and it has become a legal
obligation. Since 1977, federal law has required public companies to establish and maintain a system
of internal control that provides reasonable assurance regarding the reliability of financial reporting
and the preparation of financial statements in accordance with GAAP. The Sarbanes-Oxley Act of 2002
added more requirements which are discussed later in the “Management Internal Control Report”
section.
ICFR is a process designed and maintained by management to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements in accordance with
U.S. GAAP. Therefore, ICFR is defined more narrowly than the general term "internal control," which
includes controls associated with the effectiveness and efficiency of operations and compliance with
laws and regulations that are not directly related to the financial statements. For example, controls to
improve safety or streamline manufacturing processes are not considered part of ICFR.
A company's ICFR is influenced significantly by its board of directors, management and other personnel
and encompasses those processes and procedures to:
1. Maintain records in reasonable detail that accurately and fairly reflect the transactions and
dispositions of the assets of the company
2. Prepare financial statements and footnote disclosures for external purposes and to provide
reasonable assurance that receipts and expenditures are appropriately authorized
3. Prevent or promptly detect unauthorized acquisition, use or disposition of the company's
assets that could have a material effect on the financial statements
ICFR has inherent limitations. ICFR is a process that involves human diligence and compliance and is
subject to lapses in judgment and breakdowns resulting from human failures. ICFR also can be
circumvented by collusion or improper management override. Because of such limitations, there is a
risk that ICFR will not prevent, or detect and correct material misstatements on a timely basis.
The following internal and external events and circumstances may be relevant to the risk of preparing
financial statements that are not in conformity with GAAP (or another comprehensive basis of
accounting):
• Changes in operating and regulatory environment, including competitive pressures.
• Changes in personnel. The risks accompanying personnel changes increase when changes (1)
are numerous, (2) involve high-level staff, or (3) involve employees in highly sensitive positions.
• Rapid growth that can result in a breakdown in controls.
• New technology in information systems and production processes.
• New lines, products, or activities. Risk may result from staff’s inexperience with the new
processes or from staff’s unfamiliarity with applicable regulations
• Corporate restructuring that might result in changes in supervision and segregation of job
functions.
• Expanded foreign operations.
• Accounting pronouncements requiring adoption of new accounting principles
It should be noted that the role of ICFR is to support the integrity and reliability of the company's
external financial reporting processes. It is not intended to provide any assurances about the
company's operating performance, its future results, or the quality of its business model.
Integrating Controls over Information Systems
Controls over information systems are often an integral part of an entity’s internal control. The
effectiveness of internal controls is frequently dependent on the effectiveness of information systems
controls. Effective information system controls increase the likelihood that an entity will achieve the
following information processing objectives:
• Completeness: Transactions are recorded and not understated.
• Accuracy: Transactions are recorded at the correct amount in the right account (and on a
timely basis) at each stage of processing.
• Validity: Recorded transactions represent economic events that actually occurred and were
executed according to prescribed procedures.
There are two main types of control activities: general and application control activities.
IT General Controls
IT general controls represent the basis of the IT control structure and have the following
characteristics:
• Function as the policies and procedures that apply to all or most of an entity’s information
systems
• Create the environment for proper operation of application controls
• Govern the design, security, and use of computer programs and the security of data files
throughout the organization’s IT infrastructure.
Thus, they support the assertion that key financial reports are reliable. General controls
consist of a combination of hardware, software, and manual procedures that build an overall control
environment. Examples of IT general controls include:
1. The control environment shapes the corporate culture or tone at the top. It represents
management’s attitude as to the importance of the establishment and maintenance of a
strong internal control system, such as having:
• Organizational units clearly defined to perform the necessary functions
• Qualified and properly trained personnel
• Policies and procedures including a code of ethical conduct available to employees
• Mandatory employee security awareness training
2. Change management procedures are designed to ensure the changes meet business
requirements and are authorized.
3. Physical security protects IT assets from unauthorized individuals and from environmental
risks. For example, access to facilities is restricted to authorized staff and requires appropriate
identification and authentication.
4. Logical security, the process of ensuring authorized access to systems, usually includes:
• A formal security policy
• Information access management (e.g. controlled use of administrative privileges, account
monitoring and control, and controlled access based on the need to know)
• Segregation of duties (e.g. separation of the duties performed by analysts, programmers
and operators)
• Preventative controls for unauthorized access via public networks such as firewalls,
intrusion detection and vulnerability assessments
5. Hardware/software configuration, installation, testing, and protection. For example,
computer hardware is physically secure and checked for equipment malfunction.
6. Backup and disaster recovery procedures are in place to enable continued processing despite
adverse conditions.
IT Application Controls
Application controls have the following features:
• Incorporated directly into computer applications to achieve validity, completeness, accuracy,
and confidentiality of transactions and data during application processing.
• Specific controls unique to each computerized application, such as accounts payable, payroll,
inventory control, purchasing order processing or general ledger.
• Designed to ensure that only authorized data are completely and accurately processed by that
application, from input through output.
• Including controls over input, processing, output, master file, interface, and data management
system controls.
Examples of IT application controls include:
1. Input controls check data for accuracy and completeness when they enter the system. Specific
input controls include:
• Input authorization (e.g. users and workstation identification, source documents)
• Batch controls and balancing (e.g. total amount, total items, hash totals)
• Error reporting and handling (e.g. reject by transaction or by batch)
The following table lists examples of input controls.
Input Authorization
Signatures on Source Document: Signatures provide evidence of proper review and authorization.
Access Control:
Authorization:
• The user is required to complete a “System Authorization Access Request” form which defines the role (creator vs. approver) and rights (e.g., modify, delete, and/or view data), so that the system is restricted to authorized users based on their functions and responsibilities.
• The form is reviewed and approved by the appropriate level of management prior to access being granted.
Monitoring:
• The access report should be reviewed regularly to ensure that only authorized employees have access to the system.
• The current level of access should reflect the user’s current job functions.
Security Awareness and Education:
• All employees should receive appropriate training and regular updates to promote security awareness and compliance with security policies.
• For new employees, this training should occur before access to the information system is granted.
Password Security:
• All system-level passwords (e.g., Windows Administrator, Application Administrator) should be changed at least quarterly
• All user-level passwords (e.g., email, desktop computer) should be changed at least every six months
• All users must have a unique user ID and password
• A strong password policy should be implemented; passwords should contain at least 8-10 characters, special characters, and lower and upper case characters.
Workstation Security:
• Workstations should be restricted to only authorized personnel
• Screen lock or logout should be implemented prior to leaving the area to prevent unauthorized access
• Enable a password-protected screen saver with a short timeout period to ensure that workstations that are left unsecured will be protected
• Unauthorized software is not allowed to be installed
• Remote access should only be approved by the appropriate level of management and may be monitored by the IT Department
• Mobile computing devices (e.g., laptop and tablet) may not be removed prior to management’s approval and should be logged and monitored by the IT Department
Batch Control
Total Monetary Amount: The total monetary value of items processed equals the total monetary value of the batch document
Total Item: The total number of items included on each batch agrees with the total number of items processed
Total Document: The total number of documents in the batch equals the total number of documents processed
Hash Total: Sum of assigned numerical values computed as a verification device for records processed, to identify whether a record has been lost or omitted from processing
Input Error Handling
Reject Only Transactions with Errors: If errors are detected, they must be rectified, and the records resubmitted for further processing.
Reject the Whole Batch with Errors
Accept Batches and Flag Error Transactions
2. Processing controls ensure complete and accurate data during updating. These types of controls
usually include:
• Data validation checks (e.g. sequence check, limit check, range check, duplicate check, table
lookups)
• Processing controls (e.g. limit checks, run-to-run totals)
• Data file control procedures (e.g. parity checking, version usage, transaction logs)
The following table lists examples of processing controls.
Sequence Check: Any out-of-sequence or duplicated control numbers are rejected or noted on an
exception report for follow-up purposes
Limit Check: Data should not exceed the predetermined amount, or the data is rejected or further
verification/authorization is required
Range Check: Data should be within a predetermined range of values or it should be rejected
Completeness Check: A field should always contain data and not be blank. The file must be complete
before the record is accepted for processing
Existence Check: Data entered agrees with valid predetermined criteria. For example, a valid
transaction code must be entered in the transaction code field
Duplicate Check: New transactions are matched to those previously input to ensure that they have
not already been entered. For example, a vendor invoice should not be paid twice
3. Output controls ensure that the results of computer processing are accurate, complete, and
properly distributed, including:
• Balancing and Reconciling: Output should be balanced routinely to the control totals.
• Report Distribution: Output reports should be distributed according to authorized distribution
parameters and schedules.
• Report Retention: A record retention schedule should be applied firmly. Any governing legal
regulations should be included in the policy.
• Output Error Handling: Error report should be timely and delivered to the originating
department for review and correction.
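The batch controls from the input control table and the six processing checks from the processing control table, worked together as one added example (not code from the course or from any system it describes): a constructed vendor-invoice batch is first balanced against its header control totals (total monetary amount, total items, hash total), then each record is put through the sequence, limit, range, completeness, existence and duplicate checks, and the result is routed according to the three input error handling choices. The transaction code table, the valid vendor-number range, the amount limit and the sample records are assumed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    seq: int           # control number: must be unique and ascending within the batch
    doc_id: str        # source document (invoice) number: must not be blank
    vendor_id: int     # must fall within the valid vendor-number range
    txn_code: str      # must exist in the transaction code table
    amount: float      # must not exceed the predetermined limit


@dataclass(frozen=True)
class BatchHeader:
    total_amount: float   # total monetary amount shown on the batch document
    total_items: int      # total number of items shown on the batch document
    hash_total: int       # sum of vendor ids: meaningless in itself, detects lost records


# Assumed reference values (constructed for this example, not from the course text)
VALID_TXN_CODES = {"INV", "CRM"}
VENDOR_RANGE = (1000, 9999)
AMOUNT_LIMIT = 50000.00


def check_batch_controls(header, records):
    """Batch controls: header totals must agree with what was actually processed."""
    errors = []
    if abs(sum(r.amount for r in records) - header.total_amount) > 0.005:
        errors.append("TOTAL_AMOUNT")
    if len(records) != header.total_items:
        errors.append("TOTAL_ITEMS")
    if sum(r.vendor_id for r in records) != header.hash_total:
        errors.append("HASH_TOTAL")
    return errors


def validate_record(rec, prev_seq, seen_docs):
    """Processing controls for one record; returns the names of the failed checks."""
    errors = []
    if rec.seq <= prev_seq:                                      # sequence check
        errors.append("SEQUENCE")
    if rec.amount > AMOUNT_LIMIT:                                # limit check
        errors.append("LIMIT")
    if not VENDOR_RANGE[0] <= rec.vendor_id <= VENDOR_RANGE[1]:  # range check
        errors.append("RANGE")
    if not rec.doc_id.strip():                                   # completeness check
        errors.append("COMPLETENESS")
    if rec.txn_code not in VALID_TXN_CODES:                      # existence check (table lookup)
        errors.append("EXISTENCE")
    if rec.doc_id in seen_docs:                                  # duplicate check
        errors.append("DUPLICATE")
    return errors


def process_batch(header, records, seen_docs, mode):
    """Apply batch and processing controls under one input error handling mode:
    'reject_transactions', 'reject_batch' or 'flag' (accept and flag errors)."""
    if mode not in ("reject_transactions", "reject_batch", "flag"):
        raise ValueError(f"unknown error handling mode: {mode}")
    result = {"accepted": [], "rejected": [], "flagged": [],
              "batch_errors": check_batch_controls(header, records)}
    if result["batch_errors"]:          # control totals disagree: nothing is posted
        return result
    checked, prev_seq, posted_docs = [], 0, set(seen_docs)
    for rec in records:
        checked.append((rec, validate_record(rec, prev_seq, posted_docs)))
        prev_seq = max(prev_seq, rec.seq)
        if rec.doc_id:
            posted_docs.add(rec.doc_id)  # so a repeat inside the same batch is caught too
    batch_has_errors = any(errs for _, errs in checked)
    for rec, errs in checked:
        if mode == "reject_batch" and batch_has_errors:
            result["rejected"].append((rec, errs or ["BATCH_REJECTED"]))
        elif errs and mode == "reject_transactions":
            result["rejected"].append((rec, errs))
        else:                            # clean record, or 'flag' mode
            result["accepted"].append(rec)
            if errs:
                result["flagged"].append((rec, errs))
    return result


# Constructed sample batch: one clean record and four that each fail a check
SAMPLE_RECORDS = [
    Record(1, "INV-1001", 1201, "INV", 1200.00),
    Record(2, "INV-1002", 1450, "INV", 75000.00),   # exceeds the amount limit
    Record(2, "INV-1003", 1450, "INV", 300.00),     # duplicated control number
    Record(4, "", 1300, "CRM", -50.00),             # blank document number
    Record(5, "INV-0999", 1250, "XYZ", 400.00),     # unknown code, invoice already paid
]
# Header totals computed from the records so that the batch-level controls agree
SAMPLE_HEADER = BatchHeader(total_amount=76850.00, total_items=5, hash_total=6651)
PREVIOUSLY_PAID = {"INV-0999"}   # invoices already processed in earlier batches

if __name__ == "__main__":
    for mode in ("reject_transactions", "reject_batch", "flag"):
        r = process_batch(SAMPLE_HEADER, SAMPLE_RECORDS, PREVIOUSLY_PAID, mode)
        print(mode, "accepted:", len(r["accepted"]), "rejected:", len(r["rejected"]),
              "flagged:", len(r["flagged"]))
```

Changing a single vendor id in SAMPLE_RECORDS without updating the header makes the hash total disagree and the whole batch is held back before any per-record check runs, which is the lost-record case the hash total exists for.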
Considerations Specific to Smaller Entities
The size and complexity of the company, and its business processes and structure, may affect how the
entity achieves many of its control objectives. Most smaller companies have less complex operations.
Additionally, some larger, complex companies may have less complex units or processes. Factors that
might indicate less complex operations include:
• Less complex business processes and financial reporting systems
• Extensive involvement by senior management in the day-to-day activities of the business
• Fewer levels of management
• Fewer business lines
• More centralized accounting functions
Therefore, a smaller, less complex entity, or even a larger, less complex entity might achieve its control
objectives differently from a more complex entity. For instance, a smaller, less complex entity may
have fewer employees in the accounting function, limiting opportunities to segregate duties and
leading the entity to implement different controls to achieve its control objectives.
Lack of segregation of duties is an example of a common control design deficiency among small
entities. They cannot afford the additional human resources needed for proper segregation. However,
the lack of segregation of duties is not automatically a material weakness, or even a reportable
condition, depending on the compensating controls that are in place. For example, a company’s
accounting department may be so small that it is not possible to segregate duties between the person
in charge of the accounts payable and the person that is responsible for the bank statements
reconciliation. In this case, there are no checks and balances on the accounts payable person. The risk
is that they could be writing checks to a personal account and then passing over them during the bank
reconciliation process. There is no one to raise the red flag that personal checks are being written on
the organization’s account. Compensating controls could make up for this apparent breach in the
internal control system. Here are some examples of compensating controls in this situation:
1. All checks are hand-signed by an officer, rather than using a signature plate that is in the
control of the person that prepared the checks.
2. Bank reconciliation may be reviewed by the person’s manager.
3. A periodic report of all checks that are cleared at the bank could be prepared by the bank and
forwarded to an officer for review.
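The third compensating control above (an officer reviewing the bank's list of cleared checks) and the output control of balancing output to control totals can both be implemented as an exception report. The following Python is an added example, not part of the course; the check register, cleared-check list, vendor master and exception categories are constructed for illustration.

```python
import re
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class RegisterEntry:
    """A check as recorded by accounts payable when it was issued."""
    check_no: str
    payee: str
    amount: Decimal


@dataclass(frozen=True)
class ClearedCheck:
    """A paid check as reported by the bank (constructed format, not a real bank feed)."""
    check_no: str
    payee: str
    amount: Decimal


@dataclass(frozen=True)
class Finding:
    check_no: str
    kind: str
    detail: str


def normalize_payee(name: str) -> str:
    """Upper-case and drop punctuation/spaces so 'Acme Supply, Inc.' matches 'ACME SUPPLY INC'."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def cleared_check_exceptions(register, cleared, approved_vendors):
    """Compare the bank's cleared checks with the AP register and the vendor master.
    Only exceptions are returned, so the reviewing officer sees a short list instead of
    every check; the cleared list comes from the bank, so it is independent of the preparer.
    """
    approved = {normalize_payee(v) for v in approved_vendors}
    by_no = {e.check_no: e for e in register}
    findings = []
    for c in cleared:
        entry = by_no.get(c.check_no)
        if entry is None:
            # The bank paid a check that AP never recorded.
            findings.append(Finding(c.check_no, "NOT_IN_REGISTER", f"{c.payee} {c.amount}"))
            continue
        if c.amount != entry.amount:
            findings.append(Finding(c.check_no, "AMOUNT_MISMATCH",
                                    f"register {entry.amount} vs bank {c.amount}"))
        if normalize_payee(c.payee) != normalize_payee(entry.payee):
            # The payee on the paid item differs from what was recorded at issue.
            findings.append(Finding(c.check_no, "PAYEE_ALTERED",
                                    f"register '{entry.payee}' vs bank '{c.payee}'"))
        if normalize_payee(entry.payee) not in approved:
            # The register itself names a payee outside the vendor master: the
            # personal-account scenario described in the text.
            findings.append(Finding(c.check_no, "PAYEE_NOT_APPROVED_VENDOR", entry.payee))
    return findings


def control_totals(register, cleared):
    """Output-control balancing: count and dollar total of cleared checks vs. matched register entries."""
    cleared_nos = {c.check_no for c in cleared}
    matched = [e for e in register if e.check_no in cleared_nos]
    register_total = sum((e.amount for e in matched), Decimal("0"))
    bank_total = sum((c.amount for c in cleared), Decimal("0"))
    return {
        "register_count": len(matched),
        "bank_count": len(cleared),
        "register_total": register_total,
        "bank_total": bank_total,
        "balanced": len(matched) == len(cleared) and register_total == bank_total,
    }


# Constructed sample data for illustration only.
APPROVED_VENDORS = ["Acme Supply, Inc.", "Metro Office Products", "Northwind Utilities"]

CHECK_REGISTER = [
    RegisterEntry("1001", "Acme Supply, Inc.", Decimal("1250.00")),
    RegisterEntry("1002", "Metro Office Products", Decimal("318.40")),
    RegisterEntry("1003", "J. Doe", Decimal("2400.00")),            # payee not in vendor master
    RegisterEntry("1004", "Northwind Utilities", Decimal("790.15")),
    RegisterEntry("1005", "Acme Supply, Inc.", Decimal("640.00")),  # still outstanding
]

CLEARED_CHECKS = [
    ClearedCheck("1001", "ACME SUPPLY INC", Decimal("1250.00")),
    ClearedCheck("1002", "METRO OFFICE PRODUCTS", Decimal("381.40")),  # digits transposed
    ClearedCheck("1003", "J DOE", Decimal("2400.00")),
    ClearedCheck("1004", "J DOE", Decimal("790.15")),                  # payee changed after issue
    ClearedCheck("1006", "CASH", Decimal("500.00")),                   # never recorded by AP
]

if __name__ == "__main__":
    for f in cleared_check_exceptions(CHECK_REGISTER, CLEARED_CHECKS, APPROVED_VENDORS):
        print(f"check {f.check_no}: {f.kind} ({f.detail})")
    print(control_totals(CHECK_REGISTER, CLEARED_CHECKS))
```

Because the officer receives only the exceptions and the control totals, the review stays short enough to be done every period rather than skipped.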
In some situations, particularly in smaller, less complex entities, an entity might use a third party to
aid with certain financial reporting functions. When assessing the competence of the personnel
responsible for an entity’s financial reporting and associated controls, management should consider
the combined competence of company personnel and other parties that assist with functions related
to financial reporting.
Finally, controls over management override are important for effective internal control over financial
reporting for all companies. It may be particularly important at smaller companies because of the
increased involvement of senior management in performing controls and the period-end financial
reporting process. For smaller companies, the controls that address the risk of management override
might be different from those at a larger company. For example, a smaller company might rely on
more detailed oversight by the audit committee to focus on the risk of management override.
Cost-Benefit Relationships
Although every organization is susceptible to errors and fraud, it is not cost-effective to try to eliminate
all risks. If the estimated costs of designing, implementing, and monitoring the controls (such as tools
and personnel) exceed the estimated impact of the risk, such controls may not be cost-effective to
implement. That is, internal control should be based on a systematic and risk-oriented approach to
ensure that there are adequate individual controls in areas with high risk and that they are not
excessive in areas with low risk. Before deciding to adopt a control, management should consider:
1. The potential benefits the control will provide (e.g. reducing the likelihood or impact of a fraud
risk)
2. The possible consequences of not implementing it
The GAO identified two approaches for considering the benefits and costs of control activities:
“Benefit-Cost Analysis” and “Cost-Effectiveness Analysis”.
Benefit-Cost Analysis
Benefit-cost analysis should be conducted when designing and implementing control activities. Based
on benefit-cost analysis, the organization may decide not to implement certain control activities if the
estimated benefits do not exceed the costs. For example:
• A property and casualty insurance company may set threshold limits on the total of losses paid
plus those reserved on large policies to identify fraud that may be occurring, instead of relying
solely on the identification of fraudulent individual claims.
• Managers may decide not to conduct payment-recapture audits to recover improper
payments if it is likely that the costs incurred to identify and recover the overpayments will be
greater than the expected recoveries.
Design decisions involve the acceptance of some degree of risk. The cost of control must always be
balanced against the benefit of controlling the risk. It is possible to reach a position where the
incremental cost of additional control is greater than the benefit derived from controlling the risk.
The following table provides a sample assessment of internal control about the benefit-cost factor.
Assessment of Internal Control and the Benefit-Cost Factor
Rating 1: The overall cost of the internal control system (identification, measurement, correction) is
inferior to the potential losses derived from the risks, considering the probability of occurrence.
Rating 2: The cost of the internal control system (with regards to identification and measurement) is
inferior to the potential losses derived from the related risks, considering the probability of loss;
however, costs associated with the correction process can cause overall costs to exceed losses.
Rating 3: The cost of the internal control system in relation to measurement and correction exceeds
the potential losses derived from the related risks, taking into account the probability of loss.
Rating 4: The cost of the internal control system (identification, measurement, correction) exceeds
the potential losses derived from the related risks, taking into account the probability of loss.
Rating 5: The cost of the internal control system (with regards to identification and measurement)
exceeds the potential losses derived from the related risks, taking into account the probability of loss;
however, costs associated with the correction process can cause overall costs to exceed losses.
Source: The IIA, Evaluating Internal Control Systems: A Comprehensive Assessment Model (CAM) of Enterprise
Risk Management, 2014
Cost-Effectiveness Analysis
While a benefit-cost analysis can help organizations determine whether the benefits of a control activity
exceed its costs, the organization may face challenges in monetizing certain benefits and costs. For
example, controls may result in additional benefits, such as the value of deterred fraud. In these
circumstances, a cost-effectiveness analysis, a methodology for determining the cost to achieve a
particular objective expressed in nonmonetary terms, can be applied. In general, evaluation of the
controls’ cost-effectiveness comes after the assessment of their design and performance. Its main
purpose is to determine how reasonable the overall balance between the effectiveness of controls and
the cost of control is.
It should be noted that “more” is not “better” in the case of internal controls. Not only may the cost
of excessive or redundant controls exceed the benefits, but the perception of excessiveness or
redundancy may have a serious negative effect on how employees view controls in general, and that
could adversely affect the overall control environment.
Part I − Section 2 Review Questions
7. Which of the following is an example of a detective control?
A. Fraud awareness training
B. Surprise audits
C. Background checks
D. Data matching
8. Which of the following is a common control design deficiency among small entities?
A. Access controls
B. Preventive controls
C. Segregation of duties
D. Detective controls
PART II. Management Assessment of Internal
Controls
Readers who are responsible for their company’s Sarbanes-Oxley Act (SOX Act) Section 404 program
can obtain the following benefits from Part II, which is focused on achieving success at the lowest
possible total cost, including external auditor fees:
• An understanding of the requirements of the SOX Act
• Steps on how to identify risks and controls
• Advice on how to assess the adequacy of controls
• A discussion of how to reach a fair assessment that does not mislead investors regarding the
condition of internal controls and reliability of financial statements
• An explanation of documentation of evidence of effective controls
• An illustration of potential internal control weaknesses and compensating controls:
accounting and financial reporting
• A checklist to help management assess the efficiency of their program
Although there are many ways to identify, assess, and classify internal control deficiencies, the
following steps provide a reasonable approach:
Understanding of the SOX Rules
• Section 404
• Section 302
• Other Key Principles
Identification of Risks and Controls (Key Actions)
• Step 1: Selecting the Control Framework
• Step 2: Defining Control Objectives
• Step 3: Addressing and Monitoring Risks (General Concerns; Anti-Fraud Considerations; Assessment
Criteria)
• Step 4: Establishing Controls
Assessment of the Adequacy of Controls (Key Concepts)
• 1. Determining Key Controls
• 2. Evaluating the Effectiveness of Controls (The Design of Controls; The Operating Effectiveness of
Controls)
Evaluation of Control Deficiencies (Key Actions)
• Step 1: Understanding the Nature of the Deficiency
• Step 2: Assessing the Likelihood of Misstatement
• Step 3: Considering Compensating Controls
• Step 4: Determining Classification of Deficiencies
• Step 5: Reporting Assessment Results
Documentation of Evidence of Effective Controls
• Purpose and Requirements of Management Documentation
Identification of Control Gap
• An internal controls maturity analysis
Understanding the Sarbanes-Oxley Act Rules
Enhanced Financial Disclosures (Section 404)
Overview
In the past, a company's internal controls were considered in the context of planning the audit. They
were not required to be reported publicly, except in response to the Securities and Exchange
Commission (SEC) Form 8-K requirements when related to a change in auditor. The Public Company
Accounting Reform and Investor Protection Act of 2002, commonly called Sarbanes-Oxley (SOX),
drastically changed the situation and brought the concept of internal control over financial reporting
(ICFR) to the forefront for audit committees, management, auditors, and users of financial statements.
The SOX Act has brought the most extensive reform that the U.S. financial markets have seen since
the enactment of the Securities Act of 1933 and the Securities Exchange Act of 1934. The SOX Act sets
enhanced standards for all U.S. public company boards, management and public accounting firms.
Section 404 of the SOX Act, Management Assessment of Internal Controls, may be the most challenging
aspect of the SOX Act. It requires most publicly registered companies and their external auditors to
issue certain reports at the end of every fiscal year. These reports must be included in the company's
annual report filed with the SEC:
1. Management's internal control report on its assessment of the effectiveness of the
company's ICFR. Details are discussed in the “Management Internal Control Report” section.
2. Independent auditor's report on ICFR, including the auditor's opinions on:
• Whether management's assessment is fairly stated in all material respects (i.e., whether
the auditor concurs with management's conclusions about the effectiveness of internal
control over financial reporting),
• The effectiveness of the company's ICFR
The independent auditor's opinions on the financial statements and ICFR may be issued in a
combined report or separate reports. Details are discussed in the “Role of Independent Public
Accountant” section.
Many organizations have provided guidance on Section 404 and management’s annual assessment of
its system of ICFR. For example:
• The PCAOB provided an updated standard for auditors in 2007: AS 5, An Audit of Internal
Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements. It
is also known as AS No. 2201 upon the adoption of the reorganization of PCAOB auditing
standards.
• The SEC provided its own Commission Guidance Regarding Management’s Report on Internal
Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of
1934 in 2007. This guidance is not mandatory for management, but following it provides a safe
harbor.
• Each of the major certified public accounting (CPA) firms (e.g. PwC, KPMG) and other providers
of audit services have published extensive and valuable guidance, generally consistent with
PCAOB and SEC guidance.
In summary, Section 404 requires management to develop and monitor procedures and controls for
making their required assertion regarding the adequacy of ICFR, as well as the required attestation by
an external auditor, regarding management’s assertion.
How to Prepare for an Audit?
Communication and cooperation with the auditor are the key elements for a successful audit. Here
are some examples of what you can do to enhance the audit process and the resulting product:
• Understand the audit purpose to provide relevant information upon request
• Direct the auditor to the right person if you are not the best source of requested information
• Supply requested information on a timely basis
• Share any internal control concerns you have with the auditor
• Ask questions if you don’t understand why certain activities have been included, or excluded
• Review the preliminary test results and begin thinking about possible corrective actions
• Review the draft report and make suggestions for any changes or enhancements before, or
during, the exit conference
Each auditor that requests information should be able to explain the audit’s purpose and objectives,
allowing you to understand the reasons for the requests and questions in order to provide accurate
answers. If you have any questions about the information being requested, you can always discuss
those concerns with the auditor.
Management’s Internal Control Report
It is management’s responsibility to ensure the organization complies with the requirements of
Section 404. That is, management is responsible for designing and implementing the system of ICFR,
for evaluating the effectiveness of ICFR with sufficient evidence, and for issuing an internal control
report on that assessment. Section 404 also requires that management’s evaluation of internal
controls be based on a suitable, recognized control framework that is established by experts using
“due process”. Such a process includes the broad distribution of the framework for public comment. Most
companies have selected the COSO framework, which is recognized by the SEC and PCAOB. A number
of companies use the Control Objectives for Information and related Technology (COBIT) framework
as a supplement to COSO for IT controls. COBIT was developed by the Information Systems Audit and
Control Association’s IT Governance Institute and is widely used by IT audit professionals in the U.S.
and overseas.
The SEC has issued principle-based interpretative guidance to further clarify management’s
responsibilities:
Principle: Management should evaluate the design of the controls that it has implemented to
determine whether there is a reasonable possibility that a material misstatement in the financial
statements would not be prevented or detected in a timely manner.
Implication to management: Management applies a top-down, risk-based approach that promotes
efficiency by focusing on those “key controls” that are needed to prevent or detect material
misstatement in the financial statements.
Principle: Management should gather and analyze evidence about the operation of the controls being
evaluated based on its assessment of the risk associated with those controls.
Implication to management: Management aligns the nature and extent of the evaluation procedures
with those areas of financial reporting that pose the greatest risk of control failure.
Although the nature of a company’s evaluation/testing activities depends largely on the circumstances
of the company and the significance of the control, the following controls require management’s
assessment (testing):
• Controls over initiating, authorizing, recording, processing and reconciling account balances,
classes of transactions, and disclosure and related assertions included in the financial
statements
• Controls related to the initiating and processing of non-routine and nonsystematic
transactions (such as accounts requiring judgments and estimates)
• Controls related to the selection and application of appropriate accounting policies
• Controls related to the prevention, identification and detection of fraud
• Controls, including general IT controls, on which other significant controls are dependent
• Each significant control in a group of controls that function together to achieve a control
objective or financial reporting assertion
• Controls over the period-end financial reporting process, including controls over procedures
used to enter transactions totals into the general ledger, initiate, authorize, record and process
journal entries in the general ledger; and record recurring and non-recurring adjustments to
the financial statements
Note: Inquiry alone generally will not provide an adequate basis for management’s assessment.
Pursuant to the SEC’s rules on Section 404, the internal control report must include the following
information:
1. Statement of management's responsibility for establishing and maintaining adequate ICFR.
2. Statement identifying the framework used by management to evaluate the effectiveness of
ICFR.
3. An identification of the criteria against which ICFR is measured.
4. Management's assessment of the effectiveness of the company's ICFR as of the end of the
company's most recent fiscal year, including an explicit statement as to whether that internal
control is effective and disclosing any material weaknesses identified by management in that
control.
5. The date as of which management’s assessment about ICFR is made.
6. Statement that the registered public accounting firm that audited the financial statements
included in the annual report has issued an attestation report on management's internal
control assessment.
Management's internal control report must indicate that ICFR is either:
• Effective − ICFR is effective (i.e., no material weaknesses in ICFR existed as of the assessment
date); or
• Ineffective − Internal control is not effective because one or more material weaknesses
existed as of management's assessment date.
Details about how to evaluate control effectiveness are discussed in “Evaluation of Control
Deficiencies” section.
Neither the SEC nor the PCAOB has issued a standard or illustrative management report on ICFR.
However, the AICPA (SAS 130) provides an example of a management report (with no material
weaknesses reported) containing the reporting elements described in Appendix A. Note that SAS 130
adheres closely to AS No. 2201. Specifically, the illustrative management report contains the six
reporting elements described above.
Management is required to state whether the company's ICFR is effective. A negative assurance
statement, such as "nothing has come to management's attention to suggest internal control is
ineffective" is not acceptable. Management may not express a qualified conclusion, such as stating
that internal control is effective except to the extent certain problems have been identified. If
management is unable to assess certain aspects of internal control that are material to overall control
effectiveness, management must conclude that ICFR is ineffective. Although management cannot
issue a report with a scope limitation, under specific conditions newly acquired businesses or certain
other consolidated entities may be excluded from the assessment.
Appendix B provides a checklist to help management assess the efficiency of their program.
Exhibit A presents an example of a management’s report on ICFR with material weaknesses from Hertz
Global Holdings Inc.’s Form 10-K.
Exhibit A: Hertz Global Holdings, Inc. − Controls and Procedures
Management’s Report on Internal Control over Financial Reporting
Management is responsible for establishing and maintaining adequate internal control over financial
reporting, as such term is defined in Exchange Act Rule 13a-15(f) and 15d-15(f).
A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial
reporting, such that there is a reasonable possibility that a material misstatement of our annual or
interim financial statements will not be prevented or detected on a timely basis. Because of its
inherent limitations, internal control over financial reporting may not prevent or detect
misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the
risk that controls may become inadequate because of changes in conditions, or that the degree of
compliance with the policies or procedures may deteriorate.
Management, including our new Chief Executive Officer and our Chief Financial Officer, assessed the
effectiveness of our internal control over financial reporting as of December 31, 2014. In making this
assessment, management used the criteria set forth by the Committee of Sponsoring Organizations of
the Treadway Commission (“COSO”) in Internal Control - Integrated Framework (2013). Based on this
assessment, management has concluded that we did not maintain effective internal control over
financial reporting as of December 31, 2014 due to the fact that there are material weaknesses in our
internal control over financial reporting as discussed below.
The Role of Independent Public Accountant
The PCAOB, together with the SEC, is responsible for the rules governing the roles and actions of the
CPA firms. Specifically, the PCAOB has established professional standards that apply to financial audits
and attestation engagements for issuers (generally, publicly traded companies with a reporting
obligation under the Securities Exchange Act of 1934). The auditor must perform specified work in
relation to management’s assessment in accordance with AS No. 2201.
Before the SOX Act was passed, the auditor was required to obtain an understanding of internal control
sufficient to plan the audit of the financial statements. If material weaknesses were identified, they
ordinarily were reported only to management and the audit committee. Section 404 requires the
auditor to perform an independent audit of ICFR and to issue a report including two opinions — one
on management's assessment and one on the effectiveness of ICFR. Auditors are also responsible for
assessing the risk that errors and fraud may cause the financial statements to contain material
misstatements. They should design the audit to provide reasonable assurance that material errors and
fraud are detected. To fulfill these responsibilities, the auditor must obtain an understanding of
whether the entity has a process for:
• Identifying business risks relevant to financial reporting objectives
• Estimating the significance of the risks
• Assessing the likelihood of their occurrence
• Deciding about actions to address those risks
The auditor usually considers at least:
1. Whether the risk is a risk of fraud;
2. Whether the risk is related to recent significant economic, accounting, or other developments;
3. The complexity of transactions;
4. Whether the risk involves significant transactions with related parties;
5. The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty; and
6. Whether the risk involves significant transactions that are outside the normal course of
business for the entity
If the auditor has determined that a significant risk exists, the auditor should obtain an understanding
of the entity’s controls, including control activities relevant to that risk. Then, the auditor evaluates
whether such controls have been properly designed and implemented to mitigate such risks.
Corporate Responsibility (Section 302)
Section 302 requires a company's principal executive and financial officers (e.g. CEO and CFO) to certify
each quarterly and annual report. They are required to certify that:
1. They have reviewed the report, believe that the report does not contain untrue statements
and does not omit material facts, and the financial statements and other financial information
included in the report are fairly presented in all material respects
2. They:
• Are responsible for establishing and maintaining disclosure controls and procedures;
• Have designed such disclosure controls and procedures to ensure that they are aware of
material information;
• Have evaluated the effectiveness of the company's disclosure controls and procedures;
and
• Have presented in the report their conclusions about the effectiveness of the disclosure
controls and procedures
3. They have disclosed to the auditors and audit committee:
• All significant deficiencies in the design or operation of internal controls which could
adversely affect the issuer's ability to record, process, summarize, and report financial
data and have identified for the issuer's auditors any material weaknesses in internal
controls; and
• Any fraud, whether material or not, that involves management or other employees who
have a significant role in the company's internal controls.
4. They have indicated whether there have been significant changes in ICFR or in other factors
that could significantly affect internal controls after the date of their evaluation, including any
corrective actions with regard to significant deficiencies and material weaknesses.
Disclosure controls and procedures typically include, but are broader than, ICFR. For instance,
disclosure controls extend to controls over disclosure included in SEC annual and interim reports
outside the financial statements. They also encompass controls to monitor compliance with laws and
regulations, other than those that directly affect the financial statements.
In summary, section 302 deals with management’s quarterly certification of not only financial
reporting controls, but also disclosure controls and procedures.
The following table summarizes the SOX requirements for ICFR and disclosure controls and
procedures:
Management must (SOX Section 404 / SOX Section 302):
• Conclude as to integrity of public information: Financial statements / All material financial and
nonfinancial information included in public reports, including financial statements
• Timely assess controls and procedures: Annually / Quarterly
• Conduct review as of: Year-end / Quarter- or year-end
• Document evaluations for auditor to attest: Annually / None
• Evaluate impact of change: Quarterly / Quarterly
• Comply with Sections 404 and 302 through common and interfacing processes: Subset of disclosure
controls and procedures / Includes internal control over financial reporting
• Report to the public: Internal control report / Officers’ certification
Source: Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, 2007
Other Key Principles
Auditor Independence
Section 201 prohibits most “consulting” services outside the scope of practice of auditors. These
services are prohibited even if pre-approved by the client’s audit committee. Prohibited services
include:
1. Bookkeeping or other services related to the accounting records or financial statements
of the audit client;
2. Design and implementation of financial information systems;
3. Appraisal or valuation services (including fairness opinions and contribution-in-kind
reports);
4. Actuarial services;
5. Internal audit outsourcing services;
6. Services that provide any management or human resources;
7. Broker or dealer, investment adviser, or investment banking services;
8. Legal and expert services unrelated to the audit; and
9. Any other service that the PCAOB determines, by regulation, is impermissible
A registered CPA firm (firm) may engage in any non-audit service, including tax services, which is not
described in any of 1 through 9 for an audit client, only if the activity is approved in advance by the
audit committee.
It is unlawful for a firm to perform for its client any audit service, if a chief executive officer, controller,
chief financial officer, chief accounting officer, or any person serving in an equivalent position for the
issuer, was employed by that firm and participated in any capacity in the audit of that client during the
1-year period preceding the date of the initiation of the audit.
The Role of the Audit Committee
Although Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 do not assign specific responsibilities
to audit committees, Sections 301 and 407 establish broad standards for and disclosures regarding
audit committees as discussed below.
Section 301 establishes certain general standards with which audit committee members are required
to comply. These standards are:
• Audit committee members may not accept consulting, advisory, or other compensatory fees
from the issuer and its subsidiaries, except for board of director fees.
• Audit committee members must also not be an affiliated person of the issuer and its
subsidiaries.
• Audit committees must be directly responsible for the appointment, compensation, retention,
and oversight of all registered public accounting firms that prepare or issue audit reports or
perform other audit, review, or attest services for the issuer.
• Audit committees must establish procedures for receiving, retaining, and addressing
complaints received by the issuer related to accounting, internal controls, and auditing.
• Audit committees must have the authority to engage independent counsel, as they deem
necessary. Issuers must provide the audit committee with appropriate funding to enable it to
fulfill its responsibilities.
Also, the SOX Act requires that auditors (public accounting firms) report the following issues to the
audit committee on a timely basis:
1. All critical accounting policies and practices to be used;
2. All alternative treatments of financial information within GAAP that have been discussed with
management officials of the client, ramifications of the use of such alternative disclosures and
treatments, and the treatment preferred by the audit client; and
3. Other material written communications between the firm and the management of the client,
such as any management letter or schedule of unadjusted differences
Section 407 requires an issuer to disclose in its annual report whether it has at least one audit
committee financial expert serving on its audit committee, and if so, whether the expert is
independent of management. An issuer that does not have an audit committee financial expert must
disclose this fact and explain why.
Because ICFR is a subset of disclosure controls and procedures, the audit committee should inquire as
to:
• Whether any material changes could either affect or potentially affect ICFR, and
• Whether any significant deficiencies or potential significant deficiencies have come to
management’s attention.
These inquiries should be integrated with the committee’s role in the quarterly evaluation of
disclosure controls and procedures. Additionally, the audit committee should also work with the
chairman of the disclosure committee, CEO, and the CFO to evaluate the processes for:
1. Identifying important financial reporting issues
2. Presenting such issues to the responsible parties on a timely basis
3. Ensuring such issues are fairly presented in conformity with U.S. GAAP
All auditing services and non-audit services provided by the auditor should be preapproved by the
audit committee.
Disclosures in Periodic Reports
To enhance the accuracy of financial reports, each financial report that contains financial statements,
and that is required to be prepared in accordance with (or reconciled to) GAAP, should reflect all
material correcting adjustments that have been identified. In addition, public companies should comply
with the following rules:
• Off-Balance Sheet Transactions: All quarterly and annual financial reports filed with the SEC
must disclose all material off-balance sheet transactions, arrangements, obligations (including
contingent obligations), and other relationships of the issuer with unconsolidated entities.
Disclosure must be made on significant aspects relating to financial condition, liquidity, capital
expenditures, resources, and components of revenue and expenses.
• Pro Forma Figures: Pro forma financial information in any report filed with the SEC or in any
public release cannot contain false or misleading statements or omit material facts necessary
to make the financial information not misleading.
Corporate and Criminal Fraud Accountability
Securities laws can penalize anyone found to have destroyed, altered, hidden or falsified records or
documents to impede, obstruct or influence an investigation conducted by any federal agency, or in
bankruptcy, with fines, up to 20 years imprisonment, or both. Moreover, the SOX Act requires the
SEC to promulgate rules and regulations on the retention of any and all materials related to an audit,
including communications, correspondence and other documents created, sent or received in
connection with an audit or review. Violating the requirement or the rules that will be developed will
result in a fine, up to 10 years imprisonment, or both.
The SOX Act also created a new 25-year felony for defrauding shareholders of publicly traded
companies. This measure is a broad, generalized provision that criminalizes the knowing execution or
attempted execution of any scheme or artifice to defraud persons in connection with securities of
publicly traded companies or to obtain their money or property in connection with the purchase or
sale of such securities. It is intended to give prosecutors flexibility to protect shareholders and
prospective shareholders against any frauds that inventive criminals may devise.
Identification of Risks and Controls
Step 1: Selecting the Control Framework
Management’s ability to fulfill the financial reporting responsibilities depends on the design and
effectiveness of the processes and controls in place over financial reporting. Management can use the
following published frameworks or criteria to design, implement, evaluate, monitor and report on the
effectiveness of ICFR:
1. The AICPA expressly accepts Internal Control—Integrated Framework (2013 COSO framework)
as suitable and available criteria for management to use to develop, maintain, and report on
the effectiveness of its ICFR, and for auditors to provide an independent assessment of the
same.
The PCAOB also accepts the 2013 COSO framework for use in integrated audits of SEC
registrants. This framework is widely accepted and used by SEC registrants and accounting
firms.
2. The GAO’s Standards for Internal Control in the Federal Government (the Green Book) is
based on the 2013 COSO framework.
3. Criteria for ICFR that are published in other publicly available frameworks, or criteria that are
available only to specified parties. For example, this could include the terms of a contract or
criteria issued by an industry association that are available only to those in the industry.
If management selects another framework, management should ensure that the framework exhibits
all of the following characteristics:
• Relevance. Criteria are relevant to ICFR.
• Objectivity. Criteria are free from bias.
• Measurability. Criteria permit reasonably consistent measurements, qualitative or
quantitative, of ICFR.
• Completeness. Criteria are complete when the evaluation of the effectiveness of ICFR
prepared in accordance with the criteria does not omit relevant factors that could reasonably
be expected to affect decisions of the intended users made based on management’s report
on ICFR.
The 2013 COSO framework includes principles that are suitable for all entities. It presumes that all
principles are relevant because they have a significant bearing on the presence and functioning of an
associated component.
Statutory Internal Control Requirement
Federal law-enforcement officials discovered that a number of large American corporations were
illegally paying bribes to foreign officials to facilitate their conduct of business overseas. Investigation
disclosed that management’s failure to understand or take responsibility for corporate internal
controls created the environment within which such illegal activities could flourish. To prevent a
recurrence of such illegal activities, Congress assigned to corporate management direct legal
responsibility for the maintenance of adequate internal controls, codifying the requirement
that public companies have internal controls in the Foreign Corrupt Practices Act of 1977 (“FCPA”).
The FCPA requires public companies to “devise and maintain” a system of internal accounting
controls sufficient to provide reasonable assurance that:
• Transactions are executed in accordance with management’s general or specific
authorization;
• Transactions are recorded as necessary (1) to permit preparation of financial statements in
conformity with GAAP or any other criteria applicable to such statements, and (2) to
maintain accountability for assets;
• Access to assets is permitted only in accordance with management’s general or specific
authorization; and
• The recorded accountability for assets is compared with the existing assets at reasonable
intervals and appropriate action is taken with respect to any differences.
Source: Section 13(b)(2) of the Securities Exchange Act of 1934
Step 2: Defining Control Objectives
Control objectives address the risks that the controls are intended to mitigate. In the context of ICFR,
a control objective generally relates to a relevant assertion for a significant class of transactions,
account balance, or disclosure. It addresses the risk that the controls in a specific area will not provide
reasonable assurance that a misstatement or omission in that relevant assertion is prevented, or
detected and corrected, on a timely basis. These assertions are management representations
embodied in the components of the financial statements. They are then used to articulate relevant
financial reporting process risks when evaluating processes.
Whenever management issues financial reports, management is really making the following
assertions:
Existence or Occurrence: Assertions about existence or occurrence are concerned with whether assets
or liabilities of the entity exist at a particular date and whether recorded transactions have truly
occurred during a specified period. For example, management asserts that finished goods inventories
in the balance sheet are available for sale.
Completeness: Assertions pertaining to completeness apply to whether all transactions and accounts
that should be included in the financial statements are actually included. For example, management
asserts that all purchases of goods and services are recorded and are included in the financial
statements.
Rights and Obligations: Assertions relating to rights and obligations are concerned with whether the
entity has legal title to assets and whether the recorded liabilities are in fact obligations of the entity.
For example, management asserts that amounts capitalized for leases in the balance sheet represent
the cost of the entity’s rights to leased property and that corresponding lease liability represents an
obligation of the entity.
Valuation or Allocation: Assertions about valuation or allocation are concerned with whether asset,
liability, revenue, and expense components have been included in the financial statements at
appropriate amounts. For example, management asserts that property is recorded at historical cost
and that such cost is systematically allocated to the appropriate accounting period.
Presentation and Disclosure: Assertions about presentation and disclosure apply to whether
particular components of the financial statements are properly described, disclosed, and classified.
For example, management asserts that obligations classified as long-term liabilities in the balance
sheet will not mature within one year.
Examples of Control Objectives
Financial Reporting
• Ensure the substance of transactions backing the accounting entries
• Ensure completeness of accounting records
• Ensure accuracy of accounting entries (precision, ratification, valuation, classification)
• Ensure completeness and timeliness of financial information for management needs
Invoicing
• Sales invoices are accurate
• A sales invoice is generated for every shipment or work order
• Sales are recorded in the proper period
Accounts Payable
• Payments are authorized and supported by sufficient documents
• Disbursement activity is being properly recorded in the right accounting period
• Duplicate invoices are continuously and automatically monitored prior to the process of
a check run
• Unused checks are adequately controlled and safeguarded
Depreciation of Fixed Assets
• Depreciation expenses are valid
• All depreciation expenses are recorded
• Depreciation and amortization expenses are correctly calculated and timely recorded
• Depreciation expenses are recorded in the proper period
• Depreciation expenses are accurately allocated
In setting up effective internal control, management should utilize the cycle approach, which first
stratifies internal control into broad areas of activity and then identifies specific classes of transactions.
Accordingly, the following cycles should be considered:
• Revenue Cycle: revenue and accounts receivable (order processing, credit approval, shipping,
invoicing, and recording) and cash receipts.
• Expenditure Cycle: purchasing, receiving, accounts payable, payroll, and cash disbursements.
• Production or Conversion Cycle: inventories; cost of sales; and property, plant, and
equipment.
• Financing Cycle: notes receivable and investments, notes payable, debt, leases, other
obligations, and equity accounts.
• External Reporting: accounting principles and preparation of financial statements.
The objectives of financial reporting are converted into financial reporting assertions. These assertions
are then used to articulate relevant financial reporting process risks when evaluating processes.
Step 3: Addressing and Monitoring Risks
General Concerns
As discussed earlier, management’s objectives are to ensure 1) effectiveness, 2) efficiency, 3)
compliance with laws and regulations, and 4) proper financial reporting. To implement an effective
internal control framework, management should identify potential risks that could hinder it from fully
achieving any of these four objectives. Specifically, management is responsible for designing control
activities to ensure that the organization’s objectives and goals are not negatively impacted by internal
or external risks.
According to the Protiviti Risk Model, the primary sources of risk include:
1. Environment risk arises when external forces, such as competitors’ actions, changes in market
prices and industry regulations, and customer wants, can adversely affect the organization’s
performance or its business model.
2. Process risk arises when internal processes do not achieve the objectives they were designed
to achieve in supporting the organization’s business model. For example, poorly performing
processes may cause inefficient operations and dissatisfied customers. Moreover, they fail to
protect significant financial, physical, customer, and employee/supplier assets from
unacceptable losses, misappropriation or misuse.
3. Information for decision-making risk arises when information used to support business
decisions is inaccurate, out of date, incomplete, or late for the decision-making process.
These three groupings of risk provide a broad foundation on which more specific categories of risk can
be identified.
• Environment Risk: Uncertainties affecting the viability of the organization's business model.
• Process Risk: Uncertainties affecting the execution of the business model, which often arise internally within the organization's business processes.
• Information for Decision-Making Risk: Uncertainties affecting the relevance and reliability of information supporting management's decisions to protect and enhance organization value.
Source: Protiviti, Guide to Enterprise Risk Management
Risks relevant to financial reporting include external and internal events and circumstances that may
occur and adversely affect an entity's ability to initiate, authorize, record, process, and report financial
data consistent with the assertions of management in the financial statements.
Management should also consider inherent risk of an error, which could lead to a material
misstatement that is at least reasonably possible. Inherent risk is an essential aspect of assessing the
significance of risk. COSO defines inherent risk as:
“The risk to an entity in the absence of any actions management might take to alter either the risk’s
likelihood or impacts.”
The following are some examples of situations that commonly are considered to involve inherent risk:
• Cash: The more easily an asset can be converted to personal use, the more likely it is to be
stolen. Thus, the presence of cash receipts indicates special risks since cash is considered one
of the most liquid assets of an organization.
• Complexity: Complexity (e.g. systems, procedures) increases the risks that an activity is not
carried out properly in accordance with policies or regulations.
• Prior Issues: A past finding of control weaknesses is often a predictor of future problems.
Specifically, a pattern of control weaknesses usually indicates a heightened level of risk.
Anti-Fraud Considerations
Management should evaluate whether the company's controls sufficiently address identified risks of
material misstatement due to fraud (e.g. fraudulent financial reporting, misappropriation of assets,
and corruption) and should also evaluate any controls intended to address the risk of management
override of other controls. Controls that might address these risks include:
• Controls over significant, unusual transactions, particularly those that result in late or unusual
journal entries
• Controls over journal entries and adjustments made in the period-end financial reporting
processes
• Controls over related party transactions
• Controls related to significant management estimates
• Controls that mitigate incentives for, and pressures on, management to falsify or
inappropriately manage financial results
In addition, management should evaluate the effectiveness of the anti-fraud program to ensure that
it contains the following key elements:
1. Code of conduct/ethics
2. Hotline/whistleblower program
3. Hiring and promotion (i.e., background checks)
4. Investigation and remediation of identified fraud
5. Oversight by the audit committee and board
6. Risk assessment
The SEC’s and PCAOB’s underlying premise is that the absence of fraud does not necessarily mean that
fraud risk does not exist. The presumption is that most companies face some degree of fraud risk.
Thus, companies of all sizes should have controls to prevent and detect management override.
Common weaknesses of a company’s anti-fraud model include:
• It is often narrowly focused on industry fraud risk (e.g. retail shrinkage, healthcare/Medicare
fraud, and similar matters);
• It is frequently reliant on “silo” management techniques in which the responsibility for
managing fraud resides in a “silo” separate from all other key organizational functions; and
• It leaves the responsibility to mitigate fraud to middle managers who maintain autonomy and
are not held accountable except for third-party fraud.
Assessment Criteria
To formulate effective risk responses, management must assess (prioritize) critical risks. Using the
organization’s priority of risks enables senior management and the board to focus on key risks. The
prioritization is accomplished by risk mapping. Risk mapping is a way of representing the resulting
qualitative and quantitative evaluations of the probability of risk occurrence, and the impact on the
organization if a particular risk is experienced.
Commonly used factors of the assessment criteria include:
Likelihood. Likelihood indicates the possibility that a given event will occur. Likelihood can be
expressed using qualitative terms (e.g. almost certain, likely, possible, unlikely, rare), as a frequency,
or as a percent probability. When using numerical values, whether a percentage or frequency, the
relevant period should be specified, such as an annual frequency or the probability over the
life of the asset. The higher the probability of occurrence, the greater the likelihood. The following
table illustrates the likelihood scale.
The Likelihood of the Risk Event Occurring
Rating | Annual Frequency | Probability
5 Frequently | Occurs several times per year | Almost certain: >90-100% chance of occurrence over life of asset or project
4 Likely | Arises once per year | Likely: >50-90% chance of occurrence over life of asset or project
3 Possible | Arises over a five-year period | Possible: >25-50% chance of occurrence over life of asset or project
2 Unlikely | Occurs over a five- to ten-year period | Unlikely: >10-25% chance of occurrence over life of asset or project
1 Rare | Arises once in 100 years | Rare: 0-10% chance of occurrence over life of asset or project
Impact. Impact (or consequence) refers to the extent to which a risk event might affect the
organization. Impact assessment criteria may include strategic, financial, reputational, regulatory,
safety, security, environmental, employee, customer, supplier, and operational impacts. The greater
the significance of the impact, the more severe the risk. The following table illustrates the loss or
damage impact scale.
The Loss or Damage Impact of the Risk Event Occurring (in terms of the objectives of the organization)
Rating | Impact
5 Catastrophic | Most objectives may not be achieved, or several severely affected
4 Major | Most objectives threatened, or one severely affected
3 Moderate | Some objectives affected, considerable effort to rectify
2 Minor | Easily remedied, with some effort the objectives can be achieved
1 Negligible | Very small impact, rectified by normal processes
As potential future events are identified, they are plotted on a grid or map according to their impact
on the achievement of business objectives and the likelihood of their occurrence.
Key questions for management to ask include:
• What could happen? List risks, incidents or accidents that might happen by systematically
working through each activity to identify what might happen at each stage.
• How and why can it happen? List the possible causes and scenarios or descriptions of the
risk, incident or accident.
• What constitutes a material risk to our company?
• How much risk are we willing to accept?
• What is the likelihood of them happening?
• What will be the consequences if they do happen?
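The likelihood and impact scales above, applied to a constructed risk register and plotted on the grid the text describes, as an added example that is not part of the course material. The probability bands are the table's; the annual-frequency cut-offs and the sample risks are assumptions made here.

```python
"""Risk register scored on the course's five-point likelihood and impact scales.

Added example, not from the course text.  The probability bands follow the
likelihood table; the annual-frequency cut-offs and the sample register are
assumptions constructed here.
"""
from collections import defaultdict

LIKELIHOOD_LABELS = {5: "Frequently", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
IMPACT_LABELS = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Negligible"}


def likelihood_from_probability(p):
    """Rate a probability of occurrence over the life of the asset or project.

    Bands from the likelihood table: >90-100% -> 5, >50-90% -> 4,
    >25-50% -> 3, >10-25% -> 2, 0-10% -> 1.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    if p > 0.90:
        return 5
    if p > 0.50:
        return 4
    if p > 0.25:
        return 3
    if p > 0.10:
        return 2
    return 1


def likelihood_from_frequency(events_per_year):
    """Rate an expected annual frequency.

    Cut-offs are an assumption that reads the table's wording literally:
    more than once a year -> 5, once a year -> 4, once in five years -> 3,
    once in five to ten years -> 2, rarer than that -> 1.
    """
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year > 1.0:
        return 5
    if events_per_year >= 1.0:
        return 4
    if events_per_year >= 0.2:
        return 3
    if events_per_year >= 0.1:
        return 2
    return 1


def score_register(register):
    """Rate each risk and rank by likelihood x impact, highest first.

    Each entry carries a name, an impact rating (1-5) and either a
    'probability' (over the life of the asset) or an 'annual_frequency'.
    Ties are broken in favour of the higher impact, so a rare catastrophic
    event outranks a frequent negligible one with the same score.
    """
    scored = []
    for risk in register:
        if "probability" in risk:
            likelihood = likelihood_from_probability(risk["probability"])
        else:
            likelihood = likelihood_from_frequency(risk["annual_frequency"])
        impact = risk["impact"]
        if impact not in IMPACT_LABELS:
            raise ValueError(f"impact rating must be 1-5, got {impact!r}")
        scored.append({"name": risk["name"], "likelihood": likelihood,
                       "impact": impact, "score": likelihood * impact})
    scored.sort(key=lambda r: (r["score"], r["impact"]), reverse=True)
    return scored


def risk_map(scored):
    """Plot rated risks on the 5x5 grid: {(likelihood, impact): [names]}."""
    grid = defaultdict(list)
    for risk in scored:
        grid[(risk["likelihood"], risk["impact"])].append(risk["name"])
    return dict(grid)


def render_map(grid):
    """Text heat map: likelihood 5 (top) to 1 (bottom), impact 1 to 5 across;
    each cell shows how many register entries landed there."""
    header = "likelihood \\ impact   " + "".join(f"{i}:{IMPACT_LABELS[i][:5]:<5}" for i in range(1, 6))
    lines = [header]
    for likelihood in range(5, 0, -1):
        cells = "".join(str(len(grid.get((likelihood, impact), []))).center(8) for impact in range(1, 6))
        lines.append(f"{likelihood}:{LIKELIHOOD_LABELS[likelihood]:<12}  " + cells)
    return "\n".join(lines)


SAMPLE_REGISTER = [  # constructed for illustration; not real assessments
    {"name": "Cash receipts skimmed at a retail counter", "annual_frequency": 2.0, "impact": 3},
    {"name": "Material off-balance-sheet arrangement left undisclosed", "probability": 0.15, "impact": 5},
    {"name": "Duplicate vendor invoice paid in a check run", "annual_frequency": 0.5, "impact": 2},
    {"name": "Management override via late period-end journal entry", "probability": 0.05, "impact": 5},
    {"name": "Depreciation posted to the wrong period", "annual_frequency": 1.0, "impact": 1},
]

if __name__ == "__main__":
    ranked = score_register(SAMPLE_REGISTER)
    for r in ranked:
        print(f"{r['score']:>2}  L{r['likelihood']} x I{r['impact']}  {r['name']}")
    print(render_map(risk_map(ranked)))
```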
Step 4: Establishing Controls
Management designs entity-level control activities, transaction control activities, or both depending
on the level of precision needed so that the entity meets its objectives and addresses related risks. In
addition, the cost-benefit relationship is a primary criterion that should be considered in designing
internal control.
Entity-level controls are designed to provide reasonable assurance that appropriate controls are
operating throughout the organization. Such controls have a pervasive effect on the organization’s
system of internal control. Entity-level controls may include controls related to the organization’s risk
assessment process, control environment, service organizations, management override, and
monitoring. Entity-level controls include:
• Controls related to the control environment
• Controls over management override
• Risk assessment process
• Centralized processing and controls, including shared service environments
• Controls to monitor results of operations
• Controls to monitor other controls, including activities of the internal audit function, those
charged with governance, and self-assessment programs
• Controls over the period-end financial reporting process
• Programs and controls that address significant business risks
Transaction control activities are actions built directly into operational processes to support the
organization in achieving its objectives and addressing related risks. “Transactions” tends to be
associated with financial processes (e.g., payables transactions), while “activities” is more generally
applied to operational or compliance processes. For the purposes of this standard, “transactions”
covers both definitions. Management may design a variety of transaction control activities for
operational processes, which may include verifications, reconciliations, authorizations and approvals,
physical control activities, and supervisory control activities.
When choosing between entity-level and transaction control activities, management evaluates the
level of precision needed for the operational processes to meet the organization’s objectives and
address related risks. In determining the necessary level of precision for a control activity,
management evaluates the following:
1. Purpose of the control activity - A control activity that functions to prevent or detect generally
is more precise than a control activity that merely identifies and explains differences.
2. Level of aggregation - A control activity that is performed at a more granular level generally is
more precise than one performed at a higher level. For example, an analysis of obligations by
budget object class normally is more precise than an analysis of total obligations for the
organization.
3. Consistency of performance - A control activity that is performed routinely and consistently
generally is more precise than one performed sporadically.
4. Correlation to relevant operational processes - A control activity that is directly related to an
operational process generally is more likely to prevent or detect than a control activity that is
only indirectly related.
For companies with numerous locations, entity-level controls must operate effectively. Inadequate
entity-level controls may be an indicator that the control environment is ineffective. Entity-level
controls vary in nature and precision:
1. Some entity-level controls, such as certain environment controls, have an important but
indirect effect on the likelihood that a misstatement will be prevented, or detected and
corrected on a timely basis. Such controls could affect the other controls the auditor selected
for testing and the nature, timing, and extent of procedures the auditor performs on other
controls.
2. Some entity-level controls monitor the effectiveness of other controls. Such controls might be
designed to identify possible breakdowns in lower-level controls, but not at a level of precision
that would, by themselves, sufficiently address the assessed risk that misstatement to a
relevant assertion will be prevented or detected on a timely basis. These controls, when
operating effectively, might allow the auditor to reduce the testing of other controls.
3. Some entity-level controls might be designed to operate at a level of precision that would
adequately prevent or detect on a timely basis misstatements to one or more relevant
assertions. If an entity-level control sufficiently addresses an assessed risk of misstatement,
the auditor need not test additional controls relating to that risk.
It should be noted that activities in each of the five control components can be found at both the
entity-level and the activity level. For example:
• Control Environment activities include the organization’s code of conduct (an entity-level
control) as well as employee candidate background checks (performed at the activity level).
• Risk Assessment includes assessing the risk of an unassertive audit committee (entity-
level) or the existence of excess inventory.
• Control Activities include top-level reviews performed as part of the corporate close
process (entity-level) as well as bank reconciliations (activity level).
• Information and Communication includes information on warranty claims used to
calculate the warranty reserve as part of the financial close process (entity-level), and
communicating to employees the performance expectations (activity level).
• Monitoring includes the internal audit activity (entity-level), as well as the direct
supervision of payroll staff (activity level).
Source: The IIA, SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners
In summary, management must design, implement and maintain control activities to ensure the
reliability of its financial reporting. Typically, such controls are categorized as:
1. Segregation of duties
2. Access control
3. Authorization
4. Properly designed procedures
5. Security over assets and records
6. Periodic verification and reconciliation
7. Analytical review
Part II − Section 1 Review Questions
9. According to the Sarbanes-Oxley Act, public accounting firms are allowed to provide which of the
following non-audit services to their clients?
A. Tax services pre-approved by the audit committee
B. Internal audit outsourcing services
C. Investment banking or advisory services
D. Management or human resources services
10. The Sarbanes-Oxley Act imposes all of the following provisions EXCEPT?
A. The penalties (i.e., prison time and fines) for corporate fraud were increased
B. At least one audit committee member should be a financial expert
C. The company’s auditors assume responsibility for the financial statements
D. The company adopts a code of ethics for senior financial officers
11. The AICPA and the PCAOB accept which of the following frameworks as suitable criteria for
auditors to provide an independent assessment of an entity’s ICFR?
A. 2013 COSO Framework
B. Green Book
C. GAAS
D. U.S. GAAP
12. Which of the following statements best describes entity-level controls?
A. Actions built directly into operational processes to support the entity in achieving its objectives
and addressing related risks
B. Controls that have a pervasive effect on an entity’s internal control system and may pertain to
multiple components
C. Controls over transaction processing within an information system
D. Controls over the input of data into computer software systems
Assessment of the Adequacy of Controls
Effective internal control reduces the risk of asset loss and helps ensure that plan information is
complete and accurate, financial statements are reliable, and the plan’s operations are conducted in
accordance with the provisions of applicable laws and regulations. To determine if an internal control
system is effective, management assesses the design, implementation, and operating effectiveness of
the five components and 17 principles. If a principle or component is not effective, or the components
are not operating together in an integrated manner, then an internal control system cannot be
effective. In other words, an effective internal control system has:
1. Each of the five components of internal control effectively designed, implemented, and
operating and
2. The five components operating together in an integrated manner.
The following are some general characteristics of satisfactory plan ICFR:
• Policies and procedures that provide for appropriate segregation of duties to reduce the
likelihood that deliberate fraud can occur
• Personnel qualified to perform their assigned responsibilities
• Sound practices to be followed by personnel in performing their duties and functions
• A system that ensures proper authorization and recordation procedures for financial
transactions
Further Considerations
The SEC has published interpretive guidance providing more granular guidance on the following
topics relating to the control assessment process:
1. Identifying financial reporting risks and controls
• Identifying financial reporting risks
• Identifying controls that adequately address financial reporting risks
• Consideration of entity-level controls
• Role of general information technology controls
• Evidential matter to support the assessment
2. Evaluating evidence of the operating effectiveness of ICFR
• Determining the evidence needed to support the assessment
• Implementing procedures to evaluate evidence of the operation of ICFR
• Evidential matter to support the assessment
3. Multiple location considerations
Determining Key Controls
While the prevention of fraud (or at least its detection) is important to all companies, only the risk of
fraud that results in a material misstatement of the financials must be included in the Sarbanes-Oxley
Act (SOX) Section 404 assessment. Therefore, careful identification of key controls helps both
management and auditors allocate time and resources effectively to ensure that critical controls are
in place and assessed.
An overly conservative approach, where too many controls are defined as key, will result in excessive
time and resources devoted to testing controls that are not critical to SOX Section 404 assessment.
Since the determination of key controls is so critical to management’s internal control assessment, the
auditor should be kept informed of management’s decisions as to what controls are key. Some
common characteristics of key and non-key control are demonstrated below:
Key Control
• Provides reasonable assurance that material errors will be prevented or timely detected
• The only control that covers the risk of material misstatement
• It is highly improbable that another control could detect the control’s absence if it fails
• Covers more than one risk or supports the execution of a whole process
• Provides assurance over financial assertions
Non-Key Control
• It can fail without affecting a whole process
• Has an indirect effect on the risk of material misstatement
• Does not involve significant transactions
• Could be evaluated under a Control Self-Assessment program
Due to differences in systems, procedures, business environments and models, sound professional
judgment is required during the identification process. The identification of key controls should take
into account the risk of fraud, including the override by management of controls. Examples of key
controls include:
• Segregation of duties over the expenditure cycle (e.g. Purchasing, Receiving, Disbursing)
• Access controls
• Purchase order approval
• Authorization and review of invoices
• Three-way match
• Maintenance of sufficient supporting documentation
• Safeguarding of unused checks
• Maintenance of vendor master file
• Reconciliation of vendor statements
• Reconciliation of accounts
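As an added example that is not part of the course material, the following Python implements the automated side of two accounts payable controls named above and in the control objectives earlier: the three-way match (purchase order, receiving report, invoice) and the monitoring of duplicate invoices before a check run. The records, the price tolerance and the duplicate-detection window are constructed assumptions.

```python
"""Automated checks behind two accounts payable controls the course names:
the three-way match and duplicate-invoice monitoring before a check run.

Added example, not from the course text.  All records are constructed and
the matching tolerances are assumptions made here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    vendor: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class ReceivingReport:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    vendor: str
    number: str           # vendor's invoice number exactly as keyed in
    quantity: int
    amount: float
    invoice_date: date
    po_number: str


def three_way_match(po, receipt, invoice, price_tolerance=0.01):
    """Return the list of exceptions; an empty list means cleared to pay.

    The invoice is compared with the purchase order (the authorization) and
    the receiving report (evidence the goods arrived).  price_tolerance is
    the fraction of the expected amount the invoice total may deviate by.
    """
    exceptions = []
    if receipt.po_number != po.number or invoice.po_number != po.number:
        return ["documents do not reference the same purchase order"]
    if invoice.vendor != po.vendor:
        exceptions.append("invoice vendor differs from purchase order vendor")
    if receipt.quantity_received > po.quantity:
        exceptions.append("quantity received exceeds quantity ordered")
    if invoice.quantity > receipt.quantity_received:
        exceptions.append("quantity billed exceeds quantity received")
    expected = invoice.quantity * po.unit_price
    if abs(invoice.amount - expected) > price_tolerance * expected:
        exceptions.append(f"invoice amount {invoice.amount:.2f} differs from "
                          f"expected {expected:.2f} at the PO unit price")
    return exceptions


def normalize_invoice_number(number):
    """Collapse keying variants ('INV-1001', 'inv 1001', 'Inv1001') to one key."""
    return re.sub(r"[^A-Z0-9]", "", number.upper())


def find_duplicate_invoices(invoices, window_days=30):
    """Flag invoices that look like a second presentation of one already recorded.

    A pair from the same vendor is flagged when either:
      1. the normalized invoice numbers are identical, or
      2. the amounts are identical and the invoice dates fall within
         window_days of each other, even though the numbers differ.
    Returns (earlier, later, reason) tuples, earlier invoice first.
    """
    by_vendor = defaultdict(list)
    for inv in invoices:
        by_vendor[inv.vendor].append(inv)
    findings = []
    for items in by_vendor.values():
        items.sort(key=lambda inv: inv.invoice_date)
        for i, earlier in enumerate(items):
            for later in items[i + 1:]:
                if normalize_invoice_number(earlier.number) == normalize_invoice_number(later.number):
                    findings.append((earlier, later, "same invoice number"))
                elif (abs(earlier.amount - later.amount) < 0.005
                      and (later.invoice_date - earlier.invoice_date).days <= window_days):
                    findings.append((earlier, later, "same amount within window"))
    return findings


# Constructed sample data (not real vendors or documents)
PO_77 = PurchaseOrder("PO-77", "Acme Fasteners", quantity=10, unit_price=120.00)
RECEIPT_77 = ReceivingReport("PO-77", quantity_received=10)
SAMPLE_INVOICES = [
    Invoice("Acme Fasteners", "INV-1001", 10, 1200.00, date(2020, 3, 1), "PO-77"),
    Invoice("Acme Fasteners", "inv 1001", 10, 1200.00, date(2020, 3, 15), "PO-77"),  # re-keyed copy
    Invoice("Acme Fasteners", "INV-2045", 10, 1200.00, date(2020, 5, 30), "PO-91"),  # same amount, outside window
    Invoice("Bolt Supply Co", "7781", 5, 450.25, date(2020, 3, 3), "PO-80"),
    Invoice("Bolt Supply Co", "7790", 5, 450.25, date(2020, 3, 10), "PO-80"),       # re-billed under a new number
]
OVERBILLED = Invoice("Acme Fasteners", "INV-1003", 12, 1440.00, date(2020, 3, 20), "PO-77")

if __name__ == "__main__":
    print("PO-77 / INV-1001:", three_way_match(PO_77, RECEIPT_77, SAMPLE_INVOICES[0]) or "cleared")
    print("PO-77 / INV-1003:", three_way_match(PO_77, RECEIPT_77, OVERBILLED))
    for earlier, later, reason in find_duplicate_invoices(SAMPLE_INVOICES):
        print(f"{earlier.vendor}: {earlier.number!r} vs {later.number!r} -> {reason}")
```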
There are two approaches to determining key controls within business processes.
Approach A: This approach lists risks that may prevent the financial assertions from being satisfied.
Then, the controls that address those risks are identified. The benefit of this approach is that it is
relatively straightforward, familiar to most experienced auditors, and suggested in the SEC guidance.
Approach B: This approach looks at the material transactions that flow into the significant accounts
and identifies the controls that assure they are completely and accurately processed and recorded,
and that only valid transactions are processed.
Source: The IIA, SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners
Approach A starts with the significant general ledger accounts by location, defines the relevant
financial assertions for each, and then lists all the risks to achievement of the assertions. Finally, the
key controls are identified. For example, the process may begin with cash and identify existence as
one of the assertions to be achieved. The bank reconciliation is identified as the key control that
addresses that assertion. Although Approach A is adopted more frequently by companies, the risk of
this approach is that the list of risks may not be complete.
Approach B provides more assurance that all the controls are addressed; however, it is more complex.
Both approaches have value. Management should make a choice consistent with the experience and
training of the individuals managing the project, after consultation with the external auditor. The
process of identifying key controls should be top-down regardless of the approach taken.
In summary, companies and external auditors have often tested controls that are not key under the
definition (i.e., controls that prevent or detect material errors). Controls whose failure is not likely to
result in a material error should not be considered "key" and do not need to be within management's
scope for SOX Section 404. To reduce the cost of testing (for both management and auditors) by limiting
the number of key controls, management should adopt a top-down, risk-based approach that focuses on
the controls that will prevent or detect material errors.
Evaluating the Effectiveness of Controls
The Design of Controls
The evaluation of design effectiveness addresses whether the system of internal control is suitably
designed to prevent or detect on a timely basis, material misstatements in significant accounts and
disclosures. This evaluation should include:
1. Entity-level controls (including the assessment of the five components of internal control)
2. Specific transaction-level control activities related to all relevant assertions
Since not all controls provide the same level of assurance, management should consider the following
factors when evaluating the level of assurance provided by a given control:
• The nature of the control
• How the control is applied
• The consistency with which it is applied, and who applies it
The degree of assurance over internal control will vary based on several factors, including those listed
below:

Less Assurance
• Manual control
• Complex control (requires many steps, multiple calculations, etc.)
• Control is performed by a junior, inexperienced person
• Detective control (detects a potential problem after a transaction is executed)

Greater Assurance
• Automated control
• Simple control (single step, single calculation, etc.)
• Control is performed by an experienced manager
• Preventive control (prevents a problem before the transaction is executed)
Source: PwC, Sarbanes-Oxley Act: Section 404 Practical Guidance for Management
According to PwC, Sarbanes-Oxley Act: Section 404 Practical Guidance for Management, when
assessing design effectiveness, management should focus on:
• The alignment between the controls and the business and audit risks identified (i.e., whether
the business processes and related controls appear to be effective in achieving management’s
stated objectives and managing its risks)
• Whether the controls satisfy the information processing objectives and the relevant financial
statement assertions
• Frequency of the control – whether the control will detect or prevent the risk identified on a
timely basis (i.e., in some cases, a detective control may be adequate, but in other cases, an
entity should ensure adequate preventative controls are in place)
• Knowledge and experience of the people involved in performing the controls
• Segregation of duties relevant to the process being controlled
• Timeliness in addressing issues and exceptions that result from the control activity
• Reliability of the information used in the performance of the control
• Period covered by the control
In particular, when assessing the design effectiveness of transaction-level control activities,
management should consider:
1. The results of the entity-level controls assessment
2. The results of the assessment of general IT controls
3. The nature of the identified financial reporting risks or assertions
4. The effectiveness of all five control components
5. The nature and types of errors and omissions identified that could occur, and the effectiveness
of the controls in mitigating the risk of these errors and omissions
6. The extent of change in the business and its expected effect on internal controls
As a practical consideration, management may opt to test and evaluate the design effectiveness of
entity-level controls first, because the results of this evaluation will affect the nature, extent, and
timing of the additional procedures that may be necessary at the locations in scope.
The Operating Effectiveness of Controls
To demonstrate effective ICFR, management should determine whether the company’s controls are
operating effectively. This requires testing the controls, which must include each of the five
components of internal control over all relevant assertions for all significant accounts and disclosures
at each individually important location and over the specific risk areas at other locations.
To facilitate review and approval by the various interested parties, formal test plans should document
the key elements of the test and the results. PwC recommends that test plans should cover all controls
that are selected for testing and should specify the following key elements:
Key controls to be tested – Normally management will summarize the controls to be tested at the
financial statement assertion level. Management should focus its evaluation of the operation of
controls on areas posing the highest ICFR risk.
Nature of tests to be used – Tests should be categorized as inquiry, observation, examination, or
re-performance. The more significant the account, disclosure, or business process and the more
significant the risk, the more important it is to ensure that the evidence extends beyond one testing
technique. The nature of the control also influences the nature of the tests of controls that should be
performed. The relative level of assurance by nature of test, from highest to lowest, is:

Re-performance – Re-performance of the specific application of the control provides the highest
degree of assurance.
Examination – Examination of evidence is often used to determine whether manual controls (e.g., the
follow-up of exception reports) are being performed.
Observation – Observation of the control provides a higher degree of assurance than inquiry and may
be an acceptable technique for assessing automated controls.
Inquiry – Inquiry about a control's effectiveness does not, by itself, provide sufficient evidence of
whether a control is operating effectively.
Extent of testing – The extent of the testing of a particular control will vary depending on many factors,
including whether the control is automated or manual. For an automated control, the number of items
tested can be minimal (one to a few items), assuming that general computer controls have been tested
and found to be effective, because an automated control that operates correctly once will operate the
same way for every transaction until the program or its configuration changes. When testing automated
controls, management must:
1. Ensure general computer controls (e.g., change management and access to programs and data) are
effective, and
2. Have performed a detailed review of the controls within the company's computer applications (e.g.,
a pre-implementation or a post-implementation review).
Most manual controls will be tested through a combination of inquiry, observation, examination or re-
performance. Management may need to consider the following factors when deciding the extent of
testing.
Factors to Consider When Deciding the Extent of Testing
• The type of control (manual or automated) and the frequency with which it operates
• The nature and materiality of misstatements that the control is intended to prevent or detect
• The risk of management override
• The evidence of the operation of the control from prior year(s)
• The judgment required to operate the control
• Whether there have been changes in the volume or nature of transactions that might adversely
affect control design or operating effectiveness
• Whether the account has a history of errors
• The effectiveness of entity-level controls, especially controls that monitor other controls
• The competence of the personnel who perform the control or monitor its performance, and
whether there have been changes in the key personnel who perform or monitor it
• The complexity of the control and the significance of the judgments that must be made in
connection with its operation
Timing of procedures – The plans should specify when the testing should be performed and the time
span that the tests cover, including update testing planned from the interim testing date to year-end.
Description of the test – The plans should specify the procedures to be performed and the assertions
supported.
Key administrative items – The plans should identify who will perform the test, when the test will be
performed, what evidence will be reviewed, and where the control is performed.
Documentation – The plans should describe the documentation required.
Exceptions – The plans should describe how exceptions will be investigated and addressed and when
additional testing should be performed.
Some of the techniques available include:

Traditional Testing of Controls
• Performance of walkthroughs, which confirm the adequacy of the documentation as well as the
design of the controls to meet the control objectives.
• Inquiry, examination, and inspection of related documents to confirm that the control appears to
be performed consistently as documented.
• Re-performance of a sample of transactions to confirm that the control is being performed
effectively.

Continuous Auditing
• Testing of transactions throughout the period, generally assisted by software that selects the
transactions to be reviewed.

Continuous Monitoring
• This technique generally relies on software to monitor transactions, not only to identify
transactions for testing but especially to test 100 percent of the processed transactions for
compliance with selected parameters.
• An example would be a test that identifies purchase orders issued in excess of approved
requisitions. The software would report exceptions for assessment as they occur. This technique
merits attention and consideration, as it may reduce the cost of annual testing after an initial
investment in development.

Management Self-Assessment
• There are many varieties of this technique, including management's daily interaction with its
controls as discussed in the SEC guidance. Management needs to consult with testing experts to
ensure that the results of any self-assessment provide reasonable, objective evidence that the
controls are operating as assessed. The risk is that the individuals performing the assessment may
not have direct knowledge of the operation of the control or may not perform a rigorous
assessment that verifies the consistency of the control's execution.
Source: The IIA, SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners
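As an added example (not code from the course or from the IIA guide it cites), the following Python applies three continuous-monitoring rules of the kind described above to a small, constructed set of purchasing-cycle records: the course's own example of purchase orders issued in excess of approved requisitions, a segregation-of-duties check that the person who entered a purchase order did not also approve it, and a three-way match of invoices against purchase orders and goods receipts. The record layouts, field names, sample data and rule names are all assumptions made for the illustration.

```python
"""Continuous-monitoring rules over a purchasing cycle (added example).

Every record below is constructed sample data, and the field names are
assumptions. Each rule runs over the whole population rather than a sample,
which is what distinguishes continuous monitoring from continuous auditing,
and reports exceptions for follow-up by management.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Requisition:
    req_id: str
    approved_amount: Decimal   # amount approved on the requisition


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    req_id: str                # requisition the PO was raised against
    quantity: int
    unit_price: Decimal
    created_by: str            # user who entered the PO
    approved_by: str           # user who approved it

    @property
    def amount(self) -> Decimal:
        return self.quantity * self.unit_price


@dataclass(frozen=True)
class Receipt:
    po_id: str
    quantity: int              # goods received against the PO


@dataclass(frozen=True)
class Invoice:
    inv_id: str
    po_id: str
    quantity: int
    amount: Decimal


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: str
    detail: str


def run_monitoring(reqs, pos, receipts, invoices):
    """Apply every rule to the full population and return the exceptions."""
    req_by_id = {r.req_id: r for r in reqs}
    po_by_id = {p.po_id: p for p in pos}
    received = defaultdict(int)
    for rc in receipts:
        received[rc.po_id] += rc.quantity

    findings = []
    # Rule 1 (the course's example): PO issued in excess of the approved
    # requisition, or with no approved requisition at all.
    # Rule 2: segregation of duties - the PO creator must not be its approver.
    for po in pos:
        req = req_by_id.get(po.req_id)
        if req is None:
            findings.append(Finding("PO_WITHOUT_REQUISITION", po.po_id,
                                    f"references unknown requisition {po.req_id}"))
        elif po.amount > req.approved_amount:
            findings.append(Finding("PO_EXCEEDS_REQUISITION", po.po_id,
                                    f"PO {po.amount} > approved {req.approved_amount}"))
        if po.created_by == po.approved_by:
            findings.append(Finding("SOD_CREATOR_IS_APPROVER", po.po_id,
                                    f"{po.created_by} both created and approved the PO"))

    # Rule 3: three-way match - cumulative invoiced quantity may not exceed the
    # quantity received, and the billed amount may not exceed the PO price for
    # the quantity billed. Invoices are processed in id order so the
    # cumulative check is deterministic.
    invoiced = defaultdict(int)
    for inv in sorted(invoices, key=lambda i: i.inv_id):
        po = po_by_id.get(inv.po_id)
        if po is None:
            findings.append(Finding("INVOICE_WITHOUT_PO", inv.inv_id,
                                    f"references unknown PO {inv.po_id}"))
            continue
        invoiced[inv.po_id] += inv.quantity
        if invoiced[inv.po_id] > received[inv.po_id]:
            findings.append(Finding("INVOICE_EXCEEDS_RECEIPT", inv.inv_id,
                                    f"invoiced {invoiced[inv.po_id]} > received {received[inv.po_id]}"))
        expected = inv.quantity * po.unit_price
        if inv.amount > expected:
            findings.append(Finding("INVOICE_PRICE_EXCEEDS_PO", inv.inv_id,
                                    f"billed {inv.amount} > PO price {expected}"))
    return findings


# Constructed sample population (assumption, not real data).
REQS = [Requisition("R1", Decimal("5000")), Requisition("R2", Decimal("1200"))]
POS = [
    PurchaseOrder("P1", "R1", 10, Decimal("450"), "buyer1", "purch_mgr"),  # 4500, clean
    PurchaseOrder("P2", "R2", 5, Decimal("300"), "buyer1", "purch_mgr"),   # 1500 > 1200
    PurchaseOrder("P3", "R9", 1, Decimal("80"), "buyer2", "buyer2"),       # no requisition, SoD
]
RECEIPTS = [Receipt("P1", 10), Receipt("P2", 5)]
INVOICES = [
    Invoice("I1", "P1", 8, Decimal("3600")),   # clean
    Invoice("I2", "P2", 6, Decimal("1800")),   # 6 invoiced > 5 received
    Invoice("I3", "P1", 2, Decimal("1000")),   # quantity ok, 1000 > 2 * 450
    Invoice("I4", "P7", 1, Decimal("50")),     # no such PO
]


def demo():
    return run_monitoring(REQS, POS, RECEIPTS, INVOICES)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.rule:26} {f.record_id:4} {f.detail}")
```

Each Finding is an exception queued for assessment, not a conclusion that the control failed; the follow-up (and its documentation) is what the test plan's "Exceptions" element above has to describe. Because the rules read the same requisition, order, receipt and invoice records the control operates on, their reliability depends on the general computer controls over that data, which is the same dependency noted above for testing automated controls.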
Management needs to evaluate and act promptly on the results of its testing. For example, when
management determines that controls are not functioning properly, they should be amended or
eliminated, or actions should be taken to improve compliance. Even when controls operate effectively,
management may still need to consider the possibility that the controls are redundant, or that the cost
of the controls exceeds their benefit. Details were discussed in the "Cost-Benefit Relationships"
section.
What areas should a company test within each of the remaining four components of internal
control (i.e., excluding control activities)?
As part of management’s Section 404 assessment, it must document, test, and evaluate the five
components of internal control. Examples of testing procedures may include:
Control Environment
• Evaluate the “tone at the top” through inquiry, observation, focus groups, and surveys
• Obtain an understanding of, observe, and evaluate the process for handling exceptions to the
company’s code of conduct
• Review the documented authorization levels and assess their reasonableness compared to the
positions and responsibilities of the individuals
• Examine job descriptions for key financial reporting positions and evaluate whether employee
understanding of roles and responsibilities is consistent with the description
Risk Assessment
• Review management’s process for evaluating risks, including assessing the likelihood of
occurrence and determining needed actions
• Evaluate whether management adequately addresses how it will identify and analyze significant
estimates recorded in the financial statements
Information and Communication
• Evaluate senior management’s and the board’s involvement in the development of the strategic
plan for information systems, including appropriate allocation of resources
• Obtain an understanding of the process for updating the accounting policy manual for new
pronouncements and how updates are distributed to the appropriate individuals
• Inquire as to the extent to which outside parties have been made aware of the entity’s ethical
standards and observe the process for addressing complaints from outside parties
Monitoring
• Obtain an understanding of the monthly financial statement analysis process and observe how
significant or unusual items are investigated and resolved
• Evaluate the effectiveness of the internal audit function and the process for reporting and
following-up on identified internal control deficiencies
Additionally, management must test its anti-fraud programs, and the company must evaluate the
effectiveness of the audit committee.
Source: PwC, Sarbanes-Oxley Act: Section 404 Practical Guidance for Management
Evaluation of Control Deficiencies
Step 1: Understanding the Nature of the Deficiency
In general, deficiencies may be identified through many sources, including:
• Management through its assessment of ICFR
• Management in a self-assessment process
• Internal Audit in the scope of its work
• External auditors in the scope of their work
• Service organization control reports (historically SAS 70 reports; since 2011 SOC 1 reports issued
under SSAE 16 and now SSAE 18)
• Regulatory inspections
A control deficiency exists when the design or operation of a control does not allow management or
personnel, in the normal course of performing their assigned functions, to achieve control objectives
and address related risks. Identification of risks is discussed in the “Step 3: Addressing and Monitoring
Risks” section.
Companies may have control deficiencies in the design and implementation of control or its operation:
Design — When evaluating the design of internal controls, management determines if controls
individually and in combination with other controls are capable of achieving an objective and
addressing related risks. A deficiency in design exists when:
1. A control necessary to meet a control objective is missing, or
2. An existing control is not properly designed so that even if the control operates as designed,
the control objective would not be met.
Implementation — When evaluating implementation, management determines if the control exists
and if the entity has placed the control into operation. A deficiency in implementation exists when a
properly designed control is not implemented correctly in the internal control system.
Operating Effectiveness — In evaluating operating effectiveness, management determines if controls
were applied at relevant times during the period under evaluation, the consistency with which they
were applied, and by whom or by what means they were applied. If substantially different controls
were used at different times during the period under evaluation, management evaluates operating
effectiveness separately for each unique control system. A deficiency in operating effectiveness exists
when a properly designed control does not operate as designed, or when the person performing the
control does not possess the necessary authority or competence to perform the control effectively.
Step 2: Assessing the Likelihood of Misstatements
Significant judgment goes into evaluating whether deficiencies in controls rise to the level of a material
weakness. Management must consider the following factors when evaluating control deficiencies:
1. Likelihood of a misstatement — Including consideration of factors such as:
• The nature of the financial statement accounts, disclosures, and assertions involved;
• The susceptibility of the related assets or liability to loss or fraud (that is, greater
susceptibility increases risk);
• The subjectivity, complexity, or extent of judgment required to determine the amount
involved (that is greater subjectivity, complexity, or judgment, like that related to an
accounting estimate, increases risk);
• The cause and frequency of known or detected exceptions for the operating effectiveness
of a control;
• The interaction or relationship of the control with the other controls (that is, the
interdependence or redundancy of the control);
• The interaction of the deficiencies;
• The possible future consequences of the deficiency.
2. Related magnitude of a potential misstatement — the following factors may impact the
magnitude:
• The financial statement amounts or the total of transactions exposed to the deficiency;
• The volume of activity in the account balance or class of transactions exposed to the
deficiency that has occurred in the current period or that is expected in future periods.
Deficiencies for which there is only a remote likelihood of occurrence cannot rise to the level of a
significant deficiency or material weakness; for such deficiencies, evaluation of the magnitude of a
potential misstatement (factor 2 above) is not required. The following exhibit illustrates these
concepts.

Internal Control Deficiencies
Control Deficiency – Likelihood: remote; and/or Magnitude: inconsequential
Significant Deficiency – Likelihood: more than remote; and Magnitude: more than inconsequential (but
less than material)
Material Weakness – Likelihood: more than remote; and Magnitude: material to the financial statements
Step 3: Considering Compensating Controls
Compensating controls may be used where formal controls are inadequate in containing risk or are
not used in practice. The SEC defines compensating controls as:
"Controls that serve to accomplish the objective of another control that did not function properly,
helping to reduce risk to an acceptable level. To have a mitigating effect, the compensating control
should operate at a level of precision that would prevent or detect a misstatement that was material."
Examples of compensating controls related to purchasing include:
• Prior authorization and approval: a requisition approved at the appropriate level of management
is required before a purchase order is issued
• Properly designed records: requisition forms are pre-numbered
• Periodic verification and reconciliation: used and unused requisition forms are regularly
reconciled to ensure that all forms are properly accounted for
Management should evaluate the effect of compensating controls when evaluating whether a
deficiency, or a combination of deficiencies, is a material weakness. For this purpose, the
compensating controls must be operating effectively. If management believes there are compensating
controls in place that could address the financial statement assertion or risk resulting from the
deficiency, management should consider and validate whether:
1. The compensating control is effective
2. The compensating control would identify an error and address the assertion
The SEC states that compensating controls are not considered when determining whether a control
deficiency exists. A control deficiency must be considered individually and in isolation from the
performance of other controls. Compensating controls are appropriately considered when evaluating
whether a significant deficiency or a material weakness exists.
Step 4: Determining Classification of Deficiencies
Based on an assessment of the likelihood and magnitude of a misstatement (Step 2) resulting from an
internal control deficiency, management should determine if the deficiency represents a significant
deficiency or a material weakness:
• A significant deficiency is a deficiency (i.e., control deficiency), or a combination of
deficiencies, that is less severe than a material weakness yet important enough to merit
attention by those having financial reporting oversight responsibility.
• A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there
is a reasonable possibility that a material misstatement will not be prevented or detected on
a timely basis. Each category is summarized in the following table.
The Hierarchy of ICFR Deficiencies
Material Weakness – A significant deficiency or combination of significant deficiencies that results in
more than a remote likelihood that a material misstatement of the annual or interim financial
statements will not be prevented or detected. Material weaknesses existing at the fiscal year-end
assessment date will be reported publicly.
Significant Deficiency – A deficiency, or a combination of deficiencies, in internal control that is less
severe than a material weakness, yet important enough to merit attention by those charged with
governance.
Control Deficiency – Exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis.
Note that the table keeps the "more than remote" wording of the PCAOB's original Auditing Standard
No. 2, whereas the definitions above use the "reasonable possibility" wording of the SEC's 2007
interpretive guidance and PCAOB Auditing Standard No. 5 (now AS 2201). The PCAOB equates a
"reasonable possibility" with the "reasonably possible" or "probable" likelihoods of FAS 5 (ASC 450),
i.e., more than remote, so the two formulations describe the same threshold.
SEC and PCAOB guidance identified the following areas in which a control deficiency is ordinarily at
least a significant deficiency in ICFR:
• Controls over the selection and application of accounting policies that conform with U.S. GAAP
• Anti-fraud programs and controls
• Controls over significant non-routine and non-systematic transactions
• Controls over the period-end financial reporting process
The SEC and PCAOB listed the following circumstances as strong indicators that a material weakness in
internal control exists:
1. Restatement of previously issued financial statements to reflect the correction of a
misstatement due to error or fraud.
2. Identification by the auditor of a material misstatement in the financial statements in the
current period that was not initially identified by the company's internal control over financial
reporting. (This would be a strong indicator of a material weakness even if management were
to subsequently correct the misstatement.)
3. Oversight of the company's external financial reporting and internal control over financial
reporting by the company's audit committee is ineffective.
4. The internal audit function or the risk assessment function is ineffective at a company for
which such a function needs to be effective for the company to have an effective monitoring or
risk assessment component, such as a very large or highly complex company.
5. For complex entities in highly regulated industries, an ineffective regulatory compliance
function. This relates solely to those aspects of the ineffective regulatory compliance function
in which associated violations of laws and regulations could have a material effect on the
reliability of financial reporting.
6. Identification of fraud of any magnitude on the part of senior management.
7. Significant deficiencies that have been communicated to management and the audit
committee remain uncorrected after some reasonable period of time.
8. An ineffective control environment.
Since a significant deficiency can be a combination of internal control deficiencies, and a material
weakness can be a combination of significant deficiencies, management must accumulate all internal
control deficiencies for evaluation in the aggregate, considering whether there is a concentration of
deficiencies over a particular business process, account, or assertion. For example, assume a particular
location has four internal control deficiencies in relation to revenue processing. Although none of
these deficiencies may individually be a significant deficiency, they could potentially rise to this level
when aggregated. The assessment of the interaction of deficiencies with each other is essentially a
search for patterns. That is, could the deficiencies affect the same financial statement accounts and
assertion?
Step 5: Reporting Assessment Results
Management is required to report significant deficiencies to the external auditor. Both management
and the external auditor are required to report significant deficiencies to the audit committee. If a
material weakness exists as of the assessment date, management is required to conclude that ICFR is
not effective and to disclose each material weakness identified. The SEC Chief Accountant has stated
publicly that he expects management's report to disclose the nature of any material weakness in
sufficient detail to enable investors and other financial statement users to understand the weakness
and evaluate the circumstances underlying it. The "Management Internal Control Report" section
discusses the information that should be included in management's report on ICFR as required by
SOX Section 404.
For purposes of SEC reporting, if a single material weakness in ICFR exists, then ICFR is not effective,
regardless of the effectiveness of the rest of the controls. It is important to understand that a material
weakness in ICFR does not necessarily mean that the company’s financial statements are misstated;
rather, it means that there is a reasonable possibility that the company’s controls would not have
prevented or detected a material misstatement on a timely basis.
Documentation of Effective Controls
Documentation is required for the effective design, implementation, and operating effectiveness of an
entity's internal control system. Management is responsible for developing and maintaining the
documentation of its internal control system. Documentation also provides a means to retain
organizational knowledge and mitigate the risk of that knowledge being limited to a few personnel, as
well as a means to communicate that knowledge as needed to external parties, such as the external
auditors.
Management’s documentation may take various forms, for example, entity policy manuals, accounting
manuals, narrative memoranda, flowcharts, decision tables, procedural write-ups, or completed
questionnaires. The level and nature of documentation vary based on the size, nature and complexity
of the company. However, the IIA suggests that management needs to establish documentation that:
1. Enables a reasonably knowledgeable individual — this person does not have to be an expert
with experience in the area, but should have some knowledge of the company or its business
— to understand the process.
2. Provides context for the key controls so that a reasonable person would understand their
function.
3. Details the operation of key controls, such as identifying who is performing the control, when
the control is operating and at what frequency, how the control is performed, what evidence
exists that the control was performed, and which reports are used in the operation of the
control. It is valuable to agree with the external auditor on the quality standards to be
established for control documentation.
4. Overall, enables a reasonable person to have a basis upon which to assess the design of the
controls: Are the controls identified and documented sufficiently to either prevent or detect a
material misstatement?
To accomplish the objectives listed above, management should include the following information
when documenting controls:
• If management determines that a principle is not relevant, management supports that
determination with documentation that includes the rationale of how, in the absence of that
principle, the associated component could be designed, implemented, and operated
effectively.
• Management develops and maintains documentation of its internal control system.
• Management documents in policies the internal control responsibilities of the organization.
• Management evaluates and documents the results of ongoing monitoring and separate
evaluations to identify internal control issues.
• Management evaluates and documents internal control issues and determines appropriate
corrective actions for internal control deficiencies on a timely basis.
• Management completes and documents corrective actions to remediate internal control
deficiencies on a timely basis.
Control documentation also serves as a basis for management’s assessment about ICFR.
Documentation of the design of controls, including changes to those controls, is evidence that controls
are:
1. Identified
2. Capable of being communicated to those responsible for their performance
3. Capable of being monitored and evaluated by the entity
According to the SEC, evidential matter, including documentation, must support the assessment of
both the design of internal controls and the testing processes. Such evidential matter should provide
reasonable support:
• For the evaluation of whether the control is designed to prevent or detect material
misstatements or omissions
• For the conclusion that the tests were appropriately planned and performed
• That the results of the tests were appropriately considered
In other words, the evidential matter must provide reasonable support for management’s assessment
of ICFR. The SEC indicates that “reasonable support” for an assessment forms the basis for
management’s assessment including documentation of the methods and procedures it utilizes to
gather and evaluate evidence. Also, documentation of the design of key controls is an integral part of
that support.
Management should use judgment in determining the extent of documentation that is needed. For
example, in smaller companies, management's daily interaction with its controls may provide the basis
for its assessment in specific areas. In this case, management may have limited documentation created
specifically for the assessment of ICFR. In addition, the evidential matter varies depending on the
assessed level of risk. Management should consider both the materiality of the financial reporting
element and its susceptibility to material misstatement when determining the evidence needed to
support the assessment of a given financial reporting element.
The documentation supporting management’s assessment does not need to include the entire
population of controls that exists within a process that impacts financial reporting. The documentation
should be focused on those controls that management concludes are adequate to address the
identified financial reporting risks.
The following table summarizes examples of items that management should ensure are available to
support its assessment.

Examples of Items to be Included in Management's Documentation

Scoping
• Identification of significant/individually important locations (including quantitative metrics and
specific risks)
• Identification of significant accounts and disclosures (including materiality)
• Identification of significant processes and sub-processes
• Coverage analysis

Process Flow
• Mapping of significant accounts to processes and relevant assertions
• Flowcharts or narratives describing processes, sub-processes, and controls over relevant
assertions, including the period-end financial reporting process

Control Environment
• Board minutes
• Human Resource policies and procedures manuals
• Job descriptions
• Employee files
• Personnel listings
• Employee turnover statistics
• Operating reports
• Organization charts
• Assessment of Audit Committee effectiveness

Risk Assessment
• Company objectives and associated risks to achievement
• Reports submitted to the Board of Directors and/or Audit Committee
• Risk analyses and assessment
• Disclosure Committee minutes
• Fraud risk assessment

Monitoring
• Internal Audit reports
• Internal Audit workpapers
• Self-assessments

Antifraud Programs and Controls
• Code of Conduct
• Confirmations of Code of Conduct
• Reports on hotline complaints
• Procedures for resolving complaints
• Logs of reported incidents

Information and Communication
• Financial reporting procedures manual
• Accounting policies and procedures
• Organizational structures indicating the lines of reporting and communication relevant to
financial reporting
• Company policies related to distribution of information

Management's Evaluation of Design
• Management's conclusion on design effectiveness
• Identified deficiencies, if any, and impact on evaluation

Testing of Operating Effectiveness
• Testing selections, rationale for selection, and identification of key controls for testing
• Details of tests
• Management's conclusion on operating effectiveness
• Identified exceptions, if any, and impact on evaluation

Evaluating Deficiencies in Internal Control Over Financial Reporting
• Control deficiencies, significant deficiencies, and material weaknesses from all sources (Internal
Audit, external auditor, etc.)
• Compensating controls
• Results of aggregation of deficiencies
• Management's report on its assessment of the effectiveness of internal control over financial
reporting
Source: PwC, Sarbanes-Oxley Act: Section 404 Practical Guidance for Management
Identification of Control Gaps
The most effective way to meet the legal requirements (e.g. Section 404) depends on the size, nature and complexity of the organization, including the quality of business processes and internal control systems. Thus, it is recommended that an evaluation of the controls and procedures be made by developing an internal control “maturity analysis”. An internal controls maturity analysis allows management to evaluate how the company’s existing control structure impacts the level of effort required to meet its control reporting requirements. Moreover, the level of maturity affects the level of resources required by management and the external auditor to meet SOX 404 requirements, which would require a level of at least “monitored” for significant controls. According to Protiviti, there are five maturity levels that a company’s internal controls framework can be categorized into, each with unique characteristics.
The following table lists details of each level to help management evaluate the sufficiency of a company’s internal controls in a given area with Section 404 implications.
Columns of the original table: Capability Level, Capability Description, Capability Attributes, Section 404 Implications (attributes and implications are listed together under each level below).
Maturity continuum, lowest to highest: Initial, Repeatable, Defined, Managed, Optimizing.
Optimizing: Continuous Improvement
• Continuously improving controls enterprise-wide
• Best practices identified and shared
• World-class financial reporting processes
• Organized efforts to remove inefficiency
• External and internal change monitored for impact on control structure
• Internal controls − Integrated framework fully implemented
• Entity-level analytics fully operational
• Faster decisions on improving controls
• Controls preventive and systems-based
Managed: Quantitative
• Risks managed quantitatively enterprise-wide
• “Chain of accountability”
• Control process performance standards established and managed
• Rigorous estimation methodologies and analysis
• Process risks are managed quantitatively and aggregated at corporate level
• Process-based self-assessment applied
• Controls effectiveness continuously assessed and validated
• Process owners report to management
• Internal audit plans aligned
• Entity-level analytics and monitoring controls emerging
• Primary effort directed to high-risk areas
Defined: Qualitative/Quantitative
• Policies, process and standards defined and institutionalized
• “Chain of certification”
• Internal control uniform across the entity’s processes
• Transaction flows documented
• Risk of fraud, errors and omissions sourced
• Control processes for mitigating risk better documented and integrated
• All groups accountable to use organization’s control standards
• Remaining known gaps closed
• Control reports not very robust
• Assurance lacking that all deviations from control standards detected
Repeatable: Intuitive
• Process established and repeating; reliance on people continues
• Controls documentation lacking
• Common control framework
• Increased controls awareness
• Basic policies and control processes established
• Process activities are repeating but not necessarily documented
• Quality people assigned to support control activities
• Some control gaps identified and fixed
• Communication is lacking
• Limited monitoring controls and activities
• Control structure still not sustainable
Initial: Ad Hoc/Chaotic
• Control is not a priority
• Unstable environment leads to dependency on heroics
• Reliance on individual initiative
• “Just do it”
• Ad hoc disclosure activities
• Policies not articulated
• Few process activities are defined
• Institutional capability lacking
• Overemphasis on detective controls
• Controls are not periodically evaluated for deficiencies
• Success depends on manual efforts and validation by seasoned managers
• Gaps result when key people leave
Source: Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, 2007
At the Initial State, there is a general lack of policies and formal processes since control is fragmented.
There is not much accountability at this state due to the absence of a clearly designated owner of a
risk. The company highly depends on its people. Thus, the company has difficulty replicating the
procedures if any one of its key people leaves. This stage is not sustainable because of the high
potential for error and the significant inefficiencies with high costs.
At the Repeatable State, although the company’s capabilities are improved (e.g. basic policies and
control, increased controls awareness), accountability is an issue since reporting is not rigorous
enough to hold people accountable for results. However, the increased process discipline and
established guidelines make the “repetition” possible. In general, this state is still considered high cost because
of an over-reliance on people and a lack of process documentation.
At the Defined State, processes and transaction flows are documented, and the key controls are
identified. Known control gaps are closed. However, there is no assurance that all existing gaps are
identified since process owners are not self-assessing their processes against established management
control standards. A disclosure creation process is documented and implemented. Controls awareness
and an increased focus on improving efficiency are taking place.
At the Managed State, quantitative performance measures provide management the basis for
determining whether mitigating controls are functioning as intended. For example, the operating
effectiveness of control activities is assessed quarterly. Process owners self-assess the controls and
report the results to management. Internal audit plans are aligned with management expectations.
The appropriate efficiencies are driven into the processes.
At the Optimizing State, the entire company is focused on continuous improvements as organized
efforts are made to remove inefficiencies with formal cost/benefit analysis. Best practices are
identified and shared across the company. Continuing self-assessments result in continued
improvements in the control structure. Process owners apply technology to maintain the
documentation of controls policies, processes, and reports. The company fully aligns its policies,
processes, people, technology and knowledge to achieve fair and transparent reporting. This stage
achieves the most ongoing efficiencies in the design and operation of the processes.
In summary, companies can use this process maturity continuum to identify the gaps based on the
level of capability management desires to achieve. Then, management can decide where on the
continuum the company needs to be. For example, when the financial reporting process is at the
Defined State, management needs to decide at what state it wants this process to be and by when.
Illustration of Potential Internal Control
Weaknesses and Compensating Controls:
Accounting and Financial Reporting
Source: Government Finance Officers Association, Evaluating Internal Controls: A Local Government Manager’s Guide
The Books, Records and Reports Cycle
I. Overall Objectives
A. All posting of transactions from the books of original entry to the general or subsidiary ledgers or between funds and accounts within these ledgers and all adjustments, deductions or write-offs should be in accordance with the governing board’s and management’s general and/or specific authorizations
B. All transactions recorded within the books of original entry should be analyzed and summarized (where appropriate), and accurately posted to the correct general or subsidiary ledger accounts, in the correct time period
C. All adjustments, deductions or write-offs of account balances should be calculated, summarized and recorded in the correct period
D. All postings to the general ledger or subsidiary ledgers or transfers between ledger accounts or adjustments to general ledger balances should be supported by and referenced to adequate, authorized documentation or by entries in the books of original entry
II. Potential Weaknesses
A. Existence or occurrence
• Inaccurate summarization or posting to the general or subsidiary ledgers, or incorrect transfer
between accounts
• Inaccurate calculation, summarization of account adjustment, deduction or write-off
• Ledger postings or transfers or adjustment unsupported by journal voucher or books of
original entry
• Inadequate records for fixed assets
B. Rights and obligations
• Unauthorized posting or transfer between accounts or adjustment to account balances
C. Allocation
• Posting or transfer to the wrong fund, program unit or ledger account
• Posting or transfer made in the wrong time period
• Account adjustment, deduction or write-off posted to the wrong account or fund
• Account adjustment, deduction or write-off recorded in the wrong period
III. Compensating Controls
A. Prior authorization and approval
• Assigned authorization levels for standard and nonstandard journal entries and adjustments
of accounts
• Policy statements and procedure manuals that specify how, when and by whom posting,
adjustments to accounts and transfers are to be made
B. Properly designed records
• A formal requirement for all nonstandard journal entries to be supported by adequate
documentation
• Use of the chart of accounts as applicable for each fund
• Maintenance of control accounts within the general ledger
• Maintenance of sufficiently detailed records for fixed assets
C. Security of assets and records
• Restriction of access to books of original entry, journals, the general ledger and subsidiary
ledgers
D. Segregation of incompatible duties
• Regular independent review of journal entries and supporting documentation
E. Periodic reconciliations
• Regular reconciliation of control accounts to the related subsidiary records
F. Analytical review
• Regular extraction of fund trial balances and prompt investigation of any unusual items
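As an added example (not part of the course text or the GFOA guide), the following Python sketch turns several of the compensating controls listed above into automated journal-entry tests: assigned authorization levels for nonstandard entries, required supporting documentation, segregation of preparer and approver, postings recorded after the period close, reconciliation of a control account to its subsidiary records, and an analytical check for postings to an account outside a fund's chart of accounts. The role names, account numbers, authorization limits, close window and all entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    period_end: date            # accounting period the entry is recorded in
    posting_date: date          # date the entry was actually posted
    account: str                # general ledger account number (assumed numbering)
    fund: str
    amount: Decimal             # absolute amount of the entry
    standard: bool              # True for recurring/standard entries
    preparer: str
    approver: Optional[str]
    support_ref: Optional[str]  # journal voucher or source-document reference


# Assumed authorization levels (compensating control III.A): the minimum role
# that may approve a nonstandard entry of a given size, highest limit first.
ROLE_RANK = {"supervisor": 1, "controller": 2, "cfo": 3}
AUTH_LIMITS = [(Decimal("100000"), "cfo"),
               (Decimal("10000"), "controller"),
               (Decimal("0"), "supervisor")]
# Assumed close window: postings dated more than this many days after the
# period end are treated as recorded in the wrong period (weakness II.C).
CLOSE_WINDOW_DAYS = 10


def required_approver_role(amount: Decimal) -> str:
    """Lowest role allowed to approve a nonstandard entry of this size."""
    for limit, role in AUTH_LIMITS:
        if amount >= limit:
            return role
    return "supervisor"


def review_entry(entry: JournalEntry, roles: Dict[str, str]) -> List[str]:
    """Independent review of one entry (III.D); returns the control exceptions found."""
    findings: List[str] = []
    if not entry.standard:
        if not entry.support_ref:                      # III.B documentation requirement
            findings.append("nonstandard entry lacks supporting documentation")
        need = required_approver_role(entry.amount)    # III.A authorization level
        have = ROLE_RANK.get(roles.get(entry.approver or "", ""), 0)
        if entry.approver is None:
            findings.append("nonstandard entry not approved")
        elif have < ROLE_RANK[need]:
            findings.append(f"approved below required level ({need})")
    if entry.approver is not None and entry.approver == entry.preparer:
        findings.append("preparer approved own entry")  # segregation of duties
    if entry.posting_date > entry.period_end + timedelta(days=CLOSE_WINDOW_DAYS):
        findings.append("posted after period close")
    return findings


def review_entries(entries: List[JournalEntry], roles: Dict[str, str]) -> Dict[str, List[str]]:
    """Map entry id -> findings, keeping only entries with at least one exception."""
    results: Dict[str, List[str]] = {}
    for entry in entries:
        findings = review_entry(entry, roles)
        if findings:
            results[entry.entry_id] = findings
    return results


def reconcile_control_account(control_balance: Decimal, subsidiary: Dict[str, Decimal]) -> Decimal:
    """III.E: difference between the GL control account and its subsidiary records; 0 means reconciled."""
    return control_balance - sum(subsidiary.values(), Decimal("0"))


def unusual_items(entries: List[JournalEntry], fund_accounts: Dict[str, Set[str]]) -> List[str]:
    """III.F analytical review: entries posted to an account not in that fund's chart of accounts."""
    return [e.entry_id for e in entries if e.account not in fund_accounts.get(e.fund, set())]


# Constructed sample data (not from the course): roles, chart of accounts per fund, entries.
ROLES = {"amy": "supervisor", "bo": "controller", "cat": "cfo", "dan": "clerk"}
FUND_ACCOUNTS = {"general": {"1010", "4010", "5010"}, "water": {"1010", "4020", "5020"}}
PERIOD_END = date(2020, 3, 31)
SAMPLE_ENTRIES = [
    # standard recurring accrual, posted within the close window: no exceptions
    JournalEntry("JE-001", PERIOD_END, date(2020, 4, 2), "5010", "general", Decimal("2500"), True, "dan", None, None),
    # nonstandard 45,000 entry approved by a supervisor; controller approval required
    JournalEntry("JE-002", PERIOD_END, date(2020, 4, 3), "4010", "general", Decimal("45000"), False, "dan", "amy", "JV-17"),
    # nonstandard entry with no voucher, self-approved and posted 20 days after period end
    JournalEntry("JE-003", PERIOD_END, date(2020, 4, 20), "5020", "water", Decimal("800"), False, "amy", "amy", None),
    # properly approved, but posted to a water-fund account from the general fund
    JournalEntry("JE-004", PERIOD_END, date(2020, 4, 1), "4020", "general", Decimal("1200"), False, "dan", "bo", "JV-18"),
]

if __name__ == "__main__":
    for entry_id, findings in review_entries(SAMPLE_ENTRIES, ROLES).items():
        print(entry_id, "->", "; ".join(findings))
    print("control account variance:", reconcile_control_account(
        Decimal("125000"), {"cust-a": Decimal("75000"), "cust-b": Decimal("49000")}))
    print("postings outside fund chart of accounts:", unusual_items(SAMPLE_ENTRIES, FUND_ACCOUNTS))
```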
Part II − Section 2 Review Questions
13. What is the process maturity level for the company’s internal control over financial reporting if the
chain of accountability is established and the process risks are managed quantitatively?
A. Defined
B. Optimizing
C. Repeatable
D. Managed
14. What type of control is often used by operatives where formal controls are inadequate in
containing risk or are not used in practice?
A. Directive control
B. Corrective control
C. Entity-level control
D. Compensating control
15. Which of the following statements is TRUE regarding management’s documentation of internal
controls?
A. The documentation supporting assessment must include the entire population of controls
B. The use of a policy manual is the only acceptable form of evidence
C. Control documentation serves as a basis for management’s assessment about ICFR
D. The documentation provides definite support that the tests were properly performed
PART III. Audit of ICFR Integrated with Audit of
Financial Statements
Audit Objectives and Scope
Effective internal control over financial reporting (ICFR) provides reasonable assurance regarding the
reliability of financial reporting and the preparation of financial statements for external purposes. If
one or more material weaknesses exist, the company's ICFR cannot be considered effective. A properly
conducted audit of ICFR integrated with an audit of financial statements (integrated audit) should
reveal internal control weaknesses that could have a major impact on the financial reporting
process. The following standards establish requirements and provide direction that applies when an
auditor is engaged to perform an integrated audit:
• Auditing Standard No. 2201 (public entities)
• Statement of Auditing Standards No. 130 (nonpublic entities)
The objectives of the auditor in an audit of ICFR are to:
1. Obtain reasonable assurance about whether material weaknesses exist as of the date specified
in management’s assessment about the effectiveness of ICFR (as of date); and
2. Express an opinion on the effectiveness of ICFR in a written report, and communicate with
management and those charged with governance (audit committee), based on the auditor’s
findings.
In general, an audit includes obtaining an understanding of ICFR for the primary purpose of
determining the nature, extent and timing of subsequent audit procedures to be performed.
Therefore, to achieve the objectives, auditors should design tests of controls to obtain
• Sufficient appropriate audit evidence to support the auditor’s opinion on ICFR as of the date
specified in management’s assessment about ICFR and
• Sufficient appropriate audit evidence to support the auditor’s control risk assessments for
purposes of the audit of financial statements
One of the auditor's primary concerns is whether a specific control affects financial statement
assertions since much of the audit work required to form an opinion consists of gathering evidence
about the assertions in the financial statements. If, during the audit, the auditor identifies a deficiency,
the auditor should determine the effect of the deficiency, if any, on the nature, timing, and extent of
substantive procedures to be performed to reduce audit risk in the audit of the financial statements
to an acceptably low level.
This chapter addresses the following key auditing procedures required by the standards:
• Planning the Audit
• Using a Top-Down Approach
• Assessing the Risk of Fraud
• Testing Controls
• Evaluating Control Deficiencies
• Responding to Misstatements Caused by Fraud
• Reporting Audit Results
What Public Companies Are NOT Required to Have an ICFR Audit?
In general, large public companies that file annual reports with the SEC are required to include in
their annual report an opinion from the company’s financial statement auditor on the effectiveness
of the company’s ICFR. Several types of companies, however, are exempt from this requirement.
These exempt companies include:
1. Investment companies. Mutual funds, and other types of investment companies, are essentially
pools of securities. Such funds do not themselves engage in any business activities.
2. Non-accelerated filers. Companies that file reports with the SEC, but have a public float (that is,
securities available for public trading) of less than $75 million are referred to as non-accelerated
filers because they are not subject to the same filing deadlines as larger (accelerated) filers.
3. Emerging growth companies. During the five years following its first registered public sale of
common stock, a company that has total annual revenue of less than $1 billion is an emerging
growth company (“EGC”). Such a company loses its EGC status if it becomes a “large accelerated
filer” (generally this requires an aggregate worldwide public float of at least $700 million) or if
it issues more than $1 billion of nonconvertible debt in a three-year period.
Source: Center for Audit Quality, Guide to Internal Control Over Financial Reporting, 2013
Relevant Standards
Auditing Standard No. 2201
In 2007, the SEC voted unanimously in favor of Auditing Standard 5 (AS No. 5) to increase the accuracy
of financial reports while reducing unnecessary costs, especially for smaller public companies. It
superseded PCAOB Auditing Standard 2, and with it, the PCAOB has attempted to reduce the overall
effort required to comply with Section 404. AS No. 5 establishes requirements and provides directions
that apply when an auditor is engaged to perform an audit of management’s assessment of the
effectiveness of ICFR that is integrated with an audit of the financial statements.
AS No. 5 is mandatory for external auditors, but not for management. However, management needs
to understand AS No. 5 since it explains how the external auditor will review and evaluate
management’s assessment process. It is also important if management is going to minimize audit fees
by maximizing reliance on management testing.
Upon the adoption of the reorganization of PCAOB auditing standards, AS No. 5 is referred to as AS
No. 2201.
Statement on Auditing Standards 130
As part of its Attestation Clarity Project, the Auditing Standards Board (ASB) has published SAS 130, An
Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial
Statements. SAS 130 provides guidance that applies only when an auditor is engaged to perform an
audit of internal control over financial reporting (ICFR) integrated with an audit of financial statements.
When drafting SAS 130, the ASB intended to adhere as closely as possible to AT section 501 and PCAOB
AS No. 5.
SAS 130 also amends various sections in SAS 122, Statements on Auditing Standards: Clarification and
Recodification. Generally Accepted Auditing Standards (GAAS) still apply to the audit of financial
statements but are to be adapted as necessary in the circumstances when applied to an integrated
audit. Auditors should use SAS 130 as a guideline to ensure quality performance of an integrated audit.
SAS 130 includes the following changes:
• The auditor is required to examine and report directly on the effectiveness of ICFR. There is
no longer an option to examine and report on management’s assessment about the
effectiveness of ICFR.
• The term significant account or disclosure used in AT section 501 has been changed to
significant class of transactions, account balance, or disclosure to align with terminology used
in existing GAAS.
• It clarifies that the risk factors the auditor is required to evaluate in the identification of
significant classes of transactions, account balances, and disclosures and their relevant
assertions are the same in the audit of ICFR as in the audit of the financial statements.
• The SAS allows, as does AT section 501, the auditor to use the work of internal auditors and
others in obtaining evidence about the effectiveness of ICFR.
The following sections discuss the key procedures involved in the integrated audit.
Planning the Audit
The auditor should properly plan the audit of ICFR and properly supervise any assistants. When
planning an integrated audit, the auditor should evaluate whether the following matters are important
to the company's financial statements and ICFR and, if so, how they will affect the auditor's
procedures:
• Knowledge of the company's ICFR obtained during other engagements performed by the
auditor;
• Matters affecting the industry in which the company operates, such as financial reporting
practices, economic conditions, laws and regulations, and technological changes;
• Matters relating to the company's business, including its organization, operating
characteristics, and capital structure;
• The extent of recent changes, if any, in the company, its operations, or its ICFR;
• The auditor's preliminary judgments about materiality, risk, and other factors relating to the
determination of material weaknesses;
• Control deficiencies previously communicated to the audit committee or management;
• Legal or regulatory matters of which the company is aware;
• The type and extent of available evidence related to the effectiveness of the company's ICFR;
• Preliminary judgments about the effectiveness of ICFR;
• Public information about the company relevant to the evaluation of the likelihood of material
financial statement misstatements and the effectiveness of the company's ICFR;
• Knowledge about risks related to the company evaluated as part of the auditor's client
acceptance and retention evaluation; and
• The relative complexity of the company's operations.
To develop an understanding of internal control, the internal auditor must become familiar with the
operating unit or area being audited, including knowledge about the design of relevant controls and
whether they have been placed in operation. Reviewing the entity's descriptions of inventory policies
and procedures helps the auditor understand their design.
Appendix C includes the questionnaires and checklists that help you document your understanding of
the control environment and of internal control over the following cycles:
1. Revenue
2. Purchasing
3. Inventory
4. Financing
5. Property, Plant, and Equipment
6. Payroll
Part III − Section 1 Review Questions
16. In an audit of financial statements, what is an auditor's primary consideration regarding internal
control?
A. Whether the control reflects management's philosophy and operating style
B. Whether the control affects management's financial statement assertions
C. Whether the control provides adequate safeguards over access to assets
D. Whether the control enhances management's decision-making processes
17. SAS 130 applies to which of the following types of audit?
A. A forensic examination
B. An integrated audit
C. Agreed upon procedures for compliance
D. A performance audit
18. To obtain an understanding of a manufacturing entity's internal control concerning inventory
balances, what would an auditor most likely do?
A. Review the entity's descriptions of inventory policies and procedures
B. Perform test counts of inventory during the entity's physical count
C. Analyze inventory turnover statistics to identify slow-moving and obsolete items
D. Analyze monthly production reports to identify variances and unusual transactions
Using a Top-Down Approach
The Key Concepts
The top-down approach describes the auditor’s sequential thought process in identifying risks and the
controls to test, not necessarily the order in which the auditor will perform the audit procedures. A
top-down approach involves:
• Beginning at the financial statement level
• Using the auditor’s understanding of the overall risks to ICFR
• Focusing on entity-level controls
• Working down to significant classes of transactions, account balances, and disclosures, and
their relevant assertions
• Directing attention to classes of transactions, accounts, disclosures, and assertions that present
a reasonable possibility of material misstatement of the financial statements
• Verifying the auditor’s understanding of the risks in the entity’s processes
• Selecting controls for testing that sufficiently address the assessed risks of material
misstatement to each relevant assertion
Key concepts of the top-down approach are discussed below.
Identification of Significant Accounts and Disclosures. To identify significant accounts and disclosures
and their relevant assertions, the auditor should evaluate the qualitative and quantitative risk factors
related to the financial statement line items and disclosures. Risk factors relevant to the identification
of significant accounts and disclosures and their relevant assertions include:
• Size and composition of the account;
• Susceptibility to misstatement due to errors or fraud;
• Volume of activity, complexity, and homogeneity of the individual transactions processed
through the account or reflected in the disclosure;
• Nature of the account or disclosure;
• Accounting and reporting complexities associated with the account or disclosure;
• Exposure to losses in the account;
• Possibility of significant contingent liabilities arising from the activities reflected in the account
or disclosure;
• Existence of related party transactions in the account; and
• Changes from the prior period in account or disclosure characteristics
Understanding of Likely Sources of Misstatement. To further understand the likely sources of
potential misstatements, and as a part of selecting the controls to test, the auditor should:
1. Understand the flow of transactions related to the relevant assertions, including how these
transactions are initiated, authorized, recorded, processed, and reported.
2. Identify the points within the entity’s processes at which a misstatement, including a
misstatement due to fraud, could arise that, individually or in combination with other
misstatements, would be material (for example, points at which information is initiated,
transferred, or otherwise modified).
3. Identify the controls that management has implemented to address these potential
misstatements.
4. Identify the controls that management has implemented over the prevention, or timely
detection and correction, of unauthorized acquisition, use, or disposition of the entity’s assets
that could have a material effect on the financial statements.
Because of the degree of judgment necessary, the auditor should either directly perform the
procedures or supervise the work of the internal auditors or others who provide direct assistance to
the auditor.
Period-end Financial Reporting Process. Because of its importance to financial reporting and the
auditor's opinions on ICFR and the financial statements, the auditor must evaluate the period-end
financial reporting process. The period-end financial reporting process includes the following:
• Procedures used to enter transaction totals into the general ledger;
• Procedures related to the selection and application of accounting policies;
• Procedures used to initiate, authorize, record, and process journal entries in the general
ledger;
• Procedures used to record recurring and nonrecurring adjustments to the annual and
quarterly financial statements; and
• Procedures for preparing annual and quarterly financial statements and related disclosures.
Because the annual period-end financial reporting process normally occurs after the "as-of" date of
management's assessment, those controls usually cannot be tested until after the as-of date.
As part of evaluating the period-end financial reporting process, the auditor should assess:
1. Inputs, procedures performed, and outputs of the processes the company uses to produce its
annual and quarterly financial statements;
2. The extent of IT involvement in the period-end financial reporting process;
3. Who participates from management;
4. The locations involved in the period-end financial reporting process;
5. The types of adjusting and consolidating entries; and
6. The nature and extent of the oversight of the process by management, the board of directors,
and the audit committee.
The auditor should obtain sufficient evidence of the effectiveness of those quarterly controls that are
important to determine whether the company's controls sufficiently address the assessed risk of
misstatement to each relevant assertion as of the date of management's assessment. However, the
auditor is not required to obtain sufficient evidence for each quarter individually.
Control Environment. Because of its importance to effective ICFR, the auditor must evaluate the
control environment at the company. The factors to consider in assessing the control environment
include:
• Integrity and ethical values, including:
− Management’s actions to eliminate or mitigate incentives and temptations on the part of
personnel to commit dishonest, illegal, or unethical acts;
− Policy statements; and
− Code of conduct.
• Commitment to competence, including management’s consideration of competence levels for
specific tasks and how those levels translate into necessary skills and knowledge.
• Board of directors or audit committee participation, including interaction with internal and
external (independent) auditors. (e.g. whether the Board or audit committee understands and
exercises oversight responsibility over financial reporting and internal control)
• Management’s philosophy and operating style, such as management’s attitude and actions
regarding financial reporting, as well as management’s approach to taking and monitoring
risks. (e.g. whether management's philosophy and operating style promote effective ICFR)
• The entity’s organizational structure (i.e., the form and nature of organizational units).
• Assignment of authority and responsibility, including fulfilling job responsibilities.
• Human resource policies and practices, including those relating to hiring, orientation, training,
evaluating, counseling, promoting, and compensating employees.
In obtaining an understanding of the control environment, the auditor seeks to understand the
attitude, awareness, and actions concerning the control environment on the part of management and
the directors. For this purpose, the auditor must concentrate on the substance of controls rather than
their form because controls may be established but not acted upon. For example, management may
adopt a code of ethics but condone violations of the code.
Risk Assessment. The following principles are relevant to the auditor’s evaluation of whether the
entity’s risk assessment is present and functioning in the design, implementation, and operation of
ICFR to achieve the entity’s financial reporting objectives:
1. The entity specifies financial reporting objectives with sufficient clarity to enable the
identification and assessment of risks related to these objectives.
2. The entity identifies risks to the achievement of financial reporting objectives across the entity
and analyzes risks as a basis for determining how the risks need to be managed
3. The entity considers the potential for fraud in assessing risks to the achievement of financial
reporting objectives.
4. The entity identifies and assesses changes that could significantly impact ICFR.
Control Activities Relevant to the Audit of ICFR. The following principles are relevant to the auditor’s
evaluation of whether the entity’s control activities relevant to the audit of ICFR are present and
functioning in the design, implementation, and operation of ICFR to achieve the entity’s financial
reporting objectives:
1. The entity selects and develops control activities that contribute to the mitigation of risks to
the achievement of financial reporting objectives to acceptable levels.
2. The entity selects and develops general control activities over technology to support the
achievement of financial reporting objectives.
3. The entity deploys control activities through policies that establish what is expected and
procedures that put policies into action.
Control activities relevant to the audit of ICFR include those related to each significant class of
transactions, account balance, and disclosure, and its relevant assertions:
• Existence or occurrence
• Completeness
• Valuation or allocation
• Rights and obligations
• Presentation and disclosure
The definition of each assertion is included in the “Step 2: Defining Control Objectives” section.
In summary, the effectiveness of a risk-based audit depends on whether the auditor identifies the risks
of material misstatement and has an appropriate basis for assessing those risks. Therefore, both the
PCAOB and the AICPA require the auditor to assess the risks of material misstatement at the financial
statement level and the assertion level. The assessment enhances the effectiveness of audit
procedures by assisting the auditor to determine the scope of testing.
The following section includes sample audit programs containing detailed audit objectives and
procedures for key processes.
Sample Audit Programs
Cash in Bank
I. Audit Objectives:
A. Determine that cash recorded in books exists and is owned by the company (Existence and Right).
B. Determine that cash transactions are recorded in the correct accounting period at appropriate
values, i.e., that there is a proper cut-off of cash receipts and disbursements (Completeness and
Valuation).
C. Determine that balance sheet amounts include items in transit as well as cash on deposit with
third parties (Completeness).
D. Determine that cash is properly classified in the balance sheet and that relevant disclosures are
presented in the financial statement notes (Presentation and Disclosure).
II. Procedures:
A. Perform analytical procedures to identify obvious discrepancies or errors before conducting tests
of details. These types of procedures include:
• Comparing cash balances with forecasts and budgets. For example, when cash
balances greatly exceed or fall below expectations for the year, it should alert the
auditor for items to look for during the tests of details.
• Reviewing company policies regarding minimum cash balances and the investment
of surplus cash.
B. With respect to the bank reconciliations prepared by accounting personnel:
• Verify that proper segregation of duties between custodian and accounting and
approving personnel exist.
• Trace book balances to general ledger control totals.
• Compare ending balances per the bank statements to the ending balances on the
bank reconciliation.
• Verify the mathematical and clerical accuracy including checking extensions.
• Trace deposits in transit and outstanding checks to subsequent months’ bank
statements which are intercepted before accounting personnel have access to them.
• Inspect canceled checks for dates of cancellation in order to identify checks which
were not recorded in the proper accounting period.
• Ascertain that checks listed as outstanding are in fact: (1) recorded in the proper time
period, and (2) checks that have not cleared. Scrutinize the dates on which outstanding
checks cleared to see if the books have been held open to improve ratios.
• Identify and investigate checks that are: (1) above limits prescribed by management,
(2) drawn to “bearer,” and (3) drawn payable to cash.
• Determine if unusual reconciling and long outstanding items are followed up and
proper disposition of such items is made.
• If balances have been confirmed with banks, compare confirmed balances with bank
balances per the year-end bank statements.
C. With respect to listings of cash investments:
• Trace book balances to general ledger control accounts.
• Verify the accuracy of all extensions and footings.
• Consider confirming balances directly with bank personnel.
• Obtain and inspect passbooks and certificates of deposit.
• Recalculate income derived from cash investments and trace the income amounts to
the books of original entry. Also, reconcile for reasonableness interest revenue
amounts to the amount of cash investments.
• Consider using a custodian to maintain physical custody for safekeeping and to guard
against forgeries.
D. Prepare a bank transfer schedule which identifies:
• Name of disbursing bank
• Check number
• Dollar amount
• Date disbursement is recorded in books
• Name of receiving bank
• Date receipt is recorded in books
• Date receipt is recorded by bank
E. Perform cut-off test wherein transactions for the last few days of the year and the first few days
of the next year are scrutinized.
F. Inspect bank statements in order to identify obvious erasures or alterations.
G. Inspect debit and credit memos and trace them to the bank statements.
H. Read financial statements and investment certificates for appropriate classification of cash
balances.
I. With respect to cash on hand (i.e., petty cash funds):
• Determine the identity of all funds
• Select funds to be counted and list currency and coins by denomination; account for
vouchers, stamps, and checks; trace fund balances to general ledger control
accounts.
J. Investigate the reasons for delays in deposits.
K. Note unusual activity in inactive accounts since it may be indicative of cash being hidden.
L. In a cash-basis entity, reconcile sales with cash receipts.
M. List unusual cash receipts (e.g., currency receipts).
N. Examine third party endorsements by reviewing canceled checks.
Trade Accounts and Notes Receivable
I. Audit Objectives:
A. Determine that the trade accounts and notes receivable represent bona fide receivables and are
valued properly (Existence and Valuation).
B. Determine that the allowances for doubtful accounts are adequate and reasonable (Valuation).
C. Determine the propriety of disclosures pertaining to pledging, assigning, and discounting of
receivables (Presentation and Disclosure).
D. Determine the correctness of the recorded interest income that is attributable to accounts and
notes receivable (Completeness).
E. Determine that receivables are properly classified in the balance sheet (Presentation and
Disclosure).
II. Audit Procedures:
A. Scan general ledger accounts in order to identify significant and unusual transactions.
B. Compare opening general ledger balances with closing general ledger balances of the prior period.
C. Perform analytical procedures by evaluating the relationships between: (1) receivables and sales
and (2) notes receivable and interest income attributable thereon.
D. With respect to the aged trial balance prepared by accounting personnel:
• Verify extensions and footings.
• Trace the total of the aged trial balance to the general ledger control total.
• Trace selected entries on the aging schedule to respective accounts in the subsidiary
ledger.
• Trace selected subsidiary ledger balances to the aging schedule.
• Verify extensions and footings in subsidiary ledger accounts
• Investigate negative (i.e., credit) balances.
E. Consider confirmation of account balances with customers:
• Select accounts for positive confirmation.
• Select accounts for negative confirmation.
• Control confirmation requests by mailing in internal audit department envelopes and
with the return address of the internal audit department. Consider using a post office
box to ensure that unauthorized individuals cannot tamper with responses.
• After 14 days, mail second requests to all those not replying to a positive request.
• Investigate all accounts for which envelopes are returned as undeliverable.
• Reconcile differences reported by customers.
• Review accounts of significant customers not replying to a second request by
examining subsequent receipts and supporting documentation (i.e., remittance
advices, invoices, and/or shipping documents) in order to corroborate that the
amounts represent bona fide receivables for goods or services
• Prepare a schedule summarizing the receivable confirmations.
F. Examine cash receipts in subsequent periods in order to identify receivables which have not been
recorded previously.
G. With respect to trade notes receivable, prepare or verify schedules and analyses which detail the
following:
• Makers of the notes
• Dates the notes were made
• Due dates of the notes
• Original terms of repayment
• Any collateral
• Applicable interest rates
• Balances at the end of the prior accounting period
• Additions and repayments of principal
H. Inspect notes and confirm notes receivable discounted with banks.
I. Identify collateral and verify that such amounts are not recorded as assets.
J. Verify the accuracy of interest income, accrued interest, and unearned discount by recalculating
such amounts.
K. Read pertinent documents, including the minutes of board meetings, in order to identify situations
in which receivables have been pledged as collateral, assigned, or discounted and verify that such
situations are disclosed in the financial statements.
L. Obtain evidence pertaining to related-party transactions which need to be disclosed in the
financial statements.
M. With respect to the analysis of the allowance for doubtful accounts prepared by accounting
personnel:
• Ascertain that write-offs have in fact been authorized
• Ascertain the reasonableness of the allowance by reviewing the estimating
procedures
• Perform analytical procedures by comparing:
▪ Accounts receivable to credit sales
▪ Allowance for doubtful accounts to accounts receivable totals
▪ Sales to sales returns and allowances
▪ Doubtful accounts expense to net credit sales
▪ Accounts receivable to total assets
▪ Notes receivable totals to accounts receivable totals
• Consider differences between the book and tax basis for doubtful accounts expense.
Inventory
I. Audit Objectives:
A. Determine that inventory quantities properly include products, materials, and supplies on hand,
in transit, in storage, and out on consignment to others (Existence, Completeness, and Valuation
or Allocation).
B. Determine that inventory items are priced consistently in accordance with United States GAAP
(Valuation or Allocation).
C. Determine that inventory listings are accurately compiled, extended, footed, and summarized and
determine that the totals are properly reflected in the accounts (Existence, Completeness, and
Valuation or Allocation).
D. Determine that excess, slow-moving, obsolete, and defective items are reduced to their net
realizable value (Valuation or Allocation).
E. Determine that the financial statements include disclosure of any liens resulting from the pledging
or assignment of inventories (Presentation and Disclosure).
II. Audit Procedures:
A. Review management’s instructions pertaining to inventory counts and arrange to have sufficient
internal audit personnel present to observe the physical count at major corporate locations. Keep
in mind that all locations should be counted simultaneously in order to prevent substitution of
items.
B. At each location where inventory is counted:
• Observe the physical inventory count, record test counts, and write an overall
observation memo.
• Determine that prenumbered inventory tags are utilized.
• Test the control of inventory tags.
• Test shipping and receiving cut-offs.
• Discuss obsolescence and overstock with operating personnel.
• Verify that employees are indicating obsolete items on inventory tags.
• Note the condition of inventory.
• Note pledged or consigned inventory.
• Determine if any inventory is at other locations and consider confirmation or
observation, if material.
• Determine that inventory marked for destruction is actually destroyed and is
destroyed by authorized personnel.
C. Follow up all points that might result in a material adjustment.
D. Trace recorded test counts to the listings obtained from management, list all exceptions, and value
the total effect.
E. Trace the receiving and shipping cut-offs obtained during the observation to the inventory records,
accounts receivable records, and accounts payable records. Also trace inventory to production and
sales.
F. Obtain a cut-off of purchases and sales subsequent to the audit date and trace to accounts
receivable, accounts payable, and inventory records.
G. Note any sharp drop in market value relative to book value.
H. “Red flag” excessive product returns which might be indicative of quality problems. Returned
merchandise should be warehoused apart from finished goods until quality control has tested the
items. Are returns due to the salesperson overstocking the customer? Returns should be
controlled as to actual physical receipt, and the reasons for the returns should be noted for
analytical purposes.
I. Trace for possible obsolete merchandise that is continually carried on the books. For example, the
author had a situation in which a company continued to carry obsolete goods on the books even
though it wrote off only a small portion of similar goods.
J. With respect to price tests of raw materials:
• Ascertain management’s inventory pricing procedures
• Schedule, for a test of pricing, all inventory items in excess of a prescribed limit and
sample additional items
• Inspect purchase invoices and trace to journal entries
• Inquire and investigate whether trade discounts, special rebates, and similar price
reductions have been reflected in inventory prices
• Determine and test treatment of freight and duty costs
• If standard costs are utilized:
▪ Determine whether such costs differ materially from actual costs on a first-in,
first-out basis.
▪ Investigate variance accounts and compute the effect of the balances in such
accounts on inventory prices.
▪ Ascertain the policy and practice as to changes in standards.
▪ With respect to changes during the period, investigate the effect on inventory
pricing.
▪ If process costs are used, trace selected quantities per the physical inventory
to the departmental cost of production reports and determine that quantities
have been adjusted to the physical inventory as of the date of the physical
counts.
K. With respect to work-in-process and finished goods:
• Ascertain the procedures used in pricing inventory and determine the basis of pricing
• Review tax returns to determine that the valuation methods conform to those
methods used for financial statement purposes
• On a test basis, trace unit costs per the physical inventory to the cost accounting
records and perform the following:
▪ Obtain, review, and compare the current-period and prior period’s trial
balances or tabulations of detailed components of production costs for the
year; note explanations for apparent inconsistencies in classifications and
significant fluctuations in amounts; ascertain that the cost classifications
accumulated as production costs and absorbed in inventory are in conformity
with United States GAAP.
▪ Review computations of unit costs and costs credited against inventory and
charged to cost of sales.
▪ Review activity in the general ledger control accounts for raw materials,
supplies, and work-in-process and finished goods inventories and investigate
any significant and unusual entries or fluctuations.
▪ Review labor and overhead allocations to inventory and cost of sales, compare
to actual labor and overhead costs incurred, and ascertain that variances
appear reasonable in amount and have been properly accounted for.
▪ Trace who obtains the funds received from the sale of scrap.
Fixed Assets
I. Audit Objectives:
A. Determine that fixed assets exist (Existence or Occurrence).
B. Determine that fixed assets are owned by the entity (Rights and Obligations).
C. Determine that fixed asset accounts are recorded at historical cost (Valuation or Allocation).
D. Determine that depreciation is calculated and recorded in conformity with generally accepted
accounting principles (Valuation or Allocation).
E. Determine that relevant disclosures are made in the financial statements (Presentation and
Disclosure).
II. Audit Procedures:
A. With respect to the schedule of fixed assets prepared by accounting personnel:
• Trace beginning balances to prior-year schedules
• Trace ending balances to general ledger control accounts
• Verify that additions are recorded at historical cost
• Examine supporting documentation for asset additions, retirements, and dispositions:
purchase contracts, canceled checks, invoices, purchase orders, receiving reports,
retirement work orders, sale contracts, bills of sale, bills of lading, trade-in agreements
• Verify that depreciation methods, estimated useful lives, and estimated salvage values
are in accordance with United States generally accepted accounting principles (GAAP)
• Identify fully depreciated assets carried in the property records to obtain assurance
that such assets are still utilized (i.e., that they have not been discarded or
abandoned).
• Recalculate gains and losses on dispositions of fixed assets in accordance with
methods that are in conformity with United States GAAP
B. Determine that additions, retirements, and dispositions have been authorized by management.
C. Analyze repairs and maintenance accounts to ascertain the propriety of classification of
transactions.
D. Tour facilities in order to physically inspect fixed assets. A lack of cleanliness and orderliness
suggests the possible existence of internal control problems.
E. To verify ownership, examine:
• Personal property tax returns
• Title certificates
• Insurance policies
• Invoices
• Purchase contracts
F. Examine lease agreements and ascertain that the accounting treatment is in conformity with
United States GAAP
G. Examine support for rentals under operating leases to determine whether leases should be
capitalized in conformity with United States GAAP
H. Ascertain that obsolete assets are given proper accounting recognition. Trace salvage receipts to
source.
I. Perform analytical procedures by comparing:
• Dispositions of fixed assets to replacements
• Depreciation and amortization expenses to the cost of fixed assets
• Accumulated depreciation to the cost of fixed assets.
J. Read: (1) minutes of board meetings, (2) note agreements, and (3) purchase contracts to identify
situations in which assets have been pledged as collateral.
Prepaid Expenses and Deferred Charges
I. Audit Objectives:
A. Determine that balances represent proper charges against future operations and can reasonably
be realized through future operations or are otherwise in conformity with United States GAAP
(Valuation or Allocation).
B. Determine that additions during the audit period are proper charges to these accounts and
represent actual cost (Existence or Occurrence and Valuation or Allocation).
C. Determine that amortization or write-offs against revenues in the current period and to date have
been determined in a rational and consistent manner (Valuation or Allocation).
D. Determine that material items have been properly classified and disclosed in the financial
statements (Presentation and Disclosure).
II. Audit Procedures:
A. Obtain or prepare a schedule of the prepaid and deferred items.
B. Perform analytical procedures by comparing current-period amounts to those of the prior period
and comparing actual amounts to budgeted amounts; investigate significant fluctuations.
C. With respect to prepaid insurance:
• Obtain a schedule of insurance policies, coverage, total premiums, prepaid premiums,
and expense as of the audit date; note that some companies maintain an insurance
register
• Verify the clerical and mathematical accuracy of schedules or insurance registers
• Trace schedule or register totals to trial balances and general ledger control accounts
• Inspect policies on hand and check details of schedules or registers
• Vouch significant premiums paid during the audit period
• Obtain confirmation directly from insurance brokers of premiums and other
significant and relevant data
• Determine if premiums are being financed and, if so, whether the related liabilities and finance
costs have been recorded.
• Verify that proper accounting treatment is applied to advance or deposit premiums,
as well as dividend or premium credits
• Test check calculations of prepaid premiums and investigate and determine the
disposition of major differences.
• Determine whether all significant insurable risks have been considered.
D. With respect to prepaid taxes:
• Obtain or prepare an analysis of prepaid taxes, including taxes charged directly to
expense accounts
• Verify the mathematical and clerical accuracy of the analysis
• Trace amounts on the analysis to the trial balance and pertinent general ledger control
accounts
• Examine tax bills and receipts or other data which corroborate prepaid taxes
• Ascertain that prepaid tax accounts have been accounted for consistently in
conformity with United States GAAP.
E. With respect to other major items:
• Review deferred expenses such as moving costs and determine:
▪ What procedures are used to evaluate the future usefulness of the asset
▪ How these assets will benefit the future
• Test the amortization of material prepaid or deferred items and trace to the income
statement and general ledger accounts
• Inspect relevant documents
Accounts Payable
I. Audit Objectives:
A. Determine that accounts payable in fact exist (Existence or Occurrence).
B. Determine that accounts payable represent authorized obligations of the entity (Existence or
Occurrence).
C. Determine that accounts payable are properly classified in the financial statements (Presentation
and Disclosure).
D. Determine that recorded accounts payable are complete (Completeness).
E. Determine that appropriate disclosures are included in the financial statements (Presentation and
Disclosure).
II. Audit Procedures:
A. With respect to the schedule of accounts payable prepared by accounting personnel:
• Verify mathematical accuracy of extensions and footings
• Trace totals to general ledger control accounts
• Trace selected individual accounts to the accounts payable subsidiary ledger
• Trace individual account balances in the subsidiary ledger to the accounts payable
schedule
• Investigate accounts payable which are in dispute
• Investigate any debit balances
• Read minutes of board meetings to ascertain the existence of pledging agreements
B. Prepare a trend line of invoices (e.g., by year and by month or by year and by quarter) in order to
determine the reasonableness of amounts. Special attention should be paid to invoices dated just
before year end and quarter-end dates.
C. Run a basic test for duplicate invoice payments (e.g., searching for any pairs of invoices which have
the same vendor number, invoice number and amount) and potential error invoices (e.g.,
searching for same vendor number, same invoice number, but different amounts)
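The duplicate-payment and error-invoice test in procedure C, as an added example that is not part of the original course material: it groups a constructed accounts payable extract by vendor number and invoice number, flags same-amount pairs as possible duplicate payments and different-amount pairs as possible error invoices. It goes slightly beyond the page's literal test by normalising invoice numbers (case, punctuation, leading zeros) before matching; the record layout and the sample invoices are assumptions.

```python
"""Duplicate-payment / error-invoice test over an accounts payable extract.

Added example, not part of the course text. Flags (1) pairs of invoices with
the same vendor number, invoice number and amount (possible duplicate payment)
and (2) pairs with the same vendor and invoice number but different amounts
(possible keying or pricing error). The record layout and the sample invoices
below are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    record_id: str    # AP system record identifier (assumed layout)
    vendor_no: str
    invoice_no: str   # invoice number as keyed by the AP clerk
    amount: Decimal
    paid_on: str      # ISO date, carried through to the report only


def normalise_invoice_no(raw: str) -> str:
    """Collapse cosmetic differences that hide duplicates from an exact match:
    case, punctuation/spaces, and leading zeros in each digit run
    ("INV-0042", "inv 42" and "INV0042" all become "inv42")."""
    key = re.sub(r"[^0-9a-z]", "", raw.lower())
    return re.sub(r"(?<!\d)0+(?=\d)", "", key) or "0"


def duplicate_payment_test(invoices):
    """Return (duplicates, conflicts). Each entry names the vendor, the
    normalised invoice number and the AP records involved, so the auditor can
    pull the canceled checks and invoices for exactly those records."""
    by_key = defaultdict(list)
    for inv in invoices:
        key = (inv.vendor_no.strip().upper(), normalise_invoice_no(inv.invoice_no))
        by_key[key].append(inv)

    duplicates, conflicts = [], []
    for (vendor, inv_no), group in sorted(by_key.items()):
        if len(group) < 2:
            continue  # one payment per vendor/invoice pair is the normal case
        by_amount = defaultdict(list)
        for inv in group:
            by_amount[inv.amount].append(inv.record_id)
        # same vendor, invoice number and amount: candidate duplicate payment
        for amount, ids in sorted(by_amount.items()):
            if len(ids) > 1:
                duplicates.append({"vendor_no": vendor, "invoice_no": inv_no,
                                   "amount": amount, "records": sorted(ids)})
        # same vendor and invoice number but more than one distinct amount:
        # candidate error invoice (transposed digits, wrong price, partial keying)
        if len(by_amount) > 1:
            conflicts.append({"vendor_no": vendor, "invoice_no": inv_no,
                              "amounts": sorted(by_amount),
                              "records": sorted(i.record_id for i in group)})
    return duplicates, conflicts


def report(invoices) -> str:
    """Render a short work-paper listing of the items to investigate."""
    duplicates, conflicts = duplicate_payment_test(invoices)
    lines = [f"Possible duplicate payments: {len(duplicates)}"]
    for d in duplicates:
        lines.append(f"  {d['vendor_no']} {d['invoice_no']} {d['amount']}"
                     f" -> {', '.join(d['records'])}")
    lines.append(f"Possible error invoices: {len(conflicts)}")
    for c in conflicts:
        amounts = ", ".join(str(a) for a in c["amounts"])
        lines.append(f"  {c['vendor_no']} {c['invoice_no']} amounts {amounts}"
                     f" -> {', '.join(c['records'])}")
    return "\n".join(lines)


# Constructed sample extract (not real data).
SAMPLE_INVOICES = [
    Invoice("AP-1001", "V100", "INV-0042", Decimal("1250.00"), "2020-03-02"),
    Invoice("AP-1087", "V100", "inv42",    Decimal("1250.00"), "2020-03-30"),  # paid twice
    Invoice("AP-1102", "V215", "A-778",    Decimal("980.50"),  "2020-04-06"),
    Invoice("AP-1150", "V215", "A-778",    Decimal("890.50"),  "2020-04-21"),  # digits transposed
    Invoice("AP-1203", "V300", "7781",     Decimal("400.00"),  "2020-05-11"),
    Invoice("AP-1204", "V301", "7781",     Decimal("400.00"),  "2020-05-11"),  # different vendors
    Invoice("AP-1301", "V415", "S-19",     Decimal("75.00"),   "2020-06-01"),
    Invoice("AP-1302", "V415", "S-19",     Decimal("75.00"),   "2020-06-01"),  # duplicate ...
    Invoice("AP-1303", "V415", "S-19",     Decimal("7.50"),    "2020-06-02"),  # ... and conflict
]

if __name__ == "__main__":
    print(report(SAMPLE_INVOICES))
```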
D. Consider confirming accounts payable if there is: (1) poor internal control structure, or (2)
suspicion of misstatement.
E. Search for unrecorded liabilities by:
• Examining receiving reports and matching them with invoices
• Inspecting unprocessed invoices
• Inspecting vendor’s statements for unrecorded invoiced amounts
• Examining cash disbursements made in the period subsequent to year-end and examining
supporting documentation in order to ascertain the appropriate cut-off for recording
purposes.
F. With respect to obligations for payroll tax liabilities:
• Examine payroll tax deposit receipts
• Examine cash disbursements in the period subsequent to year-end to identify deposits
that relate to prior period
• Reconcile general ledger control totals to payroll tax forms
• Trace liabilities for amounts withheld from employee checks to payroll registers,
journals, and summaries
• Perform analytical procedures by comparing:
▪ Payroll tax expense to liabilities for payroll taxes
▪ Liability to accrued payroll taxes
• Reconcile calendar year payroll returns to fiscal year financial statements for payroll
amounts
G. Reconcile vendor statements with accounts payable accounts.
H. Compare vendor invoices with purchase requisitions, purchase orders, and receiving reports for
price and quantity.
I. Investigate unusually large purchases.
J. With respect to accrued expenses:
• Consider the existence of unasserted claims
• Obtain schedule of accrued expenses from accounting personnel
• Recalculate accruals after verifying the validity of assumptions utilized
• Perform analytical procedures by comparing current- and prior period accrued
expenses
• Ascertain that accrued expenses are paid within a reasonable time after year-end
• Inquire of management and document all details of contingent or known liabilities
arising from product warranties, guarantees, contests, advertising promotions, and
dealer “arrangements or promises”
• Determine liability for expenses in connection with pending litigation:
▪ Inquire of management
▪ Confirm in writing with outside legal counsel
Stockholders’ Equity
I. Audit Objectives:
A. Determine that all stock transactions (including transactions involving warrants, options, and
rights) have been authorized in accordance with management’s plans (All Assertions Are
Addressed).
B. Determine that equity transactions are properly classified in the financial statements
(Presentation and Disclosure).
C. Determine that equity transactions have been recorded in the proper time period at the correct
amounts (Existence or Occurrence, Completeness, and Presentation and Disclosure).
D. Determine that equity transactions are reflected in the financial statements in accordance with
generally accepted accounting principles (Presentation and Disclosure).
II. Audit Procedures:
A. With respect to each class of stock, identify:
• Number of shares authorized
• Number of shares issued
• Number of shares outstanding
• Par or stated value
• Privileges
• Restrictions
B. With respect to the schedule of equity transactions prepared by accounting personnel:
• Trace opening balances of the current year to the balance sheet and ledger accounts
as of the prior year’s balance sheet date
• Account for all proceeds from stock issues by re-computing sales prices and relevant
proceeds
• Verify the validity of the classification of proceeds between capital stock and
additional paid-in capital
• Reconcile ending schedule balances with general ledger control totals
• Verify that equity transactions are not in conflict with the requirements of the
corporate charter (or articles of incorporation), or with the applicable statutes of the
state of incorporation
C. Account for all stock certificates that remain unissued at the end of the accounting period.
D. Examine stock certificate books or confirm stock register.
E. With respect to schedules of stock options and related stock option plans prepared by accounting
personnel, verify:
• The date of the plan
• Class and number of shares reserved for the plan
• The accounting method used for determining option prices
• The names of individuals entitled to receive stock options
• The names of individuals to whom options have been granted
• The terms relevant to options that have been granted
• That measurement of stock options granted is in accordance with generally accepted
accounting principles
F. With respect to stock subscriptions receivable:
• Ascertain that execution of such transactions is approved by appropriate personnel
• Verify that stock subscriptions receivable are properly classified in the financial
statements
G. With respect to treasury stock:
• Verify the validity of treasury stock acquisitions by examining canceled checks and
other corroborating documentation
• Inspect treasury stock certificate records in order to ascertain their existence
• Reconcile treasury stock totals to general ledger control accounts
H. With respect to retained earnings:
• Trace the opening balance in the general ledger to the ending balance in the general
ledger of the prior period
• Analyze current-year transactions and obtain corroborating documentation for all or
selected transactions
• Verify that current-year net income or loss has been reflected as a current-year
transaction
• With respect to dividends declared and/or paid:
▪ Ascertain the authorization of such dividends by reading the minutes of board
meetings
▪ Examine canceled checks in support of dividend payments
▪ Verify the accuracy of dividend declarations and payments by recalculating
such dividends
▪ Ascertain that prior-period adjustments have been given proper accounting
recognition in accordance with generally accepted accounting principles
▪ Apply other appropriate procedures to determine the existence of restrictions
on or appropriations of retained earnings
I. Ascertain that the financial statements include adequate disclosure of:
• Restrictions on stock
• Stock subscription rights
• Stock reservations
• Stock options and warrants
• Stock repurchase plans or obligations
• Preferred dividends in arrears
• Voting rights in the event of preferred dividend arrearages
• Liquidation preferences
• Other relevant items
Sales and Other Types of Income
I. Audit Objectives:
A. Determine that proper income recognition is afforded ordinary sales transactions (Existence or
Occurrence, Rights and Obligations, Valuation or Allocation, and Presentation and Disclosure).
B. Determine that sales transactions have been recorded in the proper time period (Existence or
Occurrence, Completeness, and Presentation and Disclosure).
C. Determine that all types of revenues are properly classified and disclosed in the financial
statements (Valuation or Allocation and Presentation and Disclosure).
II. Audit Procedures:
A. Trace sales and cash receipts journal totals to relevant general ledger control accounts.
B. Trace sales and cash receipts journal entries to applicable subsidiary ledger accounts.
C. Verify the mathematical accuracy of footings and extensions in sales and cash receipts journals.
D. Perform analytical procedures by:
• Comparing current- and prior-period sales, returns and allowances, discounts, and
gross profit percentages
• Comparing the current period items referred to above to anticipated results (i.e.,
budgeted amounts)
• Comparing company statistics (e.g., gross profit percentage) to industry standards
• Investigating any significant or unexplained fluctuations
E. With respect to consignment shipments to others:
• Examine applicable consignment agreements
• Verify that consignment transactions are afforded proper accounting treatment in
accordance with generally accepted accounting principles
F. Determine, on a sample basis, if sales are appropriately recognized as revenues by meeting the
following criteria:
• Delivery has occurred or services have been rendered
• The sales price is fixed or determinable
• Collectability is reasonably assured
G. Ascertain that sales to related parties are accounted for at arm’s length terms.
H. Evaluate expected and actual returns before and after year-end and compare them to returns in
the same period of prior years.
I. Verify that sales returns are properly authorized and actually returned by examining receiving
reports, credit memos, and entries in the accounting records.
J. Perform sales and inventory cut-off tests at the end of the fiscal year.
K. Verify by recalculation that the following have been properly recorded and disclosed:
• Dividend income
• Interest income
• Gains on dispositions of marketable securities
• Gains on dispositions of fixed assets
• Increases in investment accounts reflecting the equity method of accounting
• Other or miscellaneous income accounts
Expense Items
I. Audit Objectives:
A. Determine that expenses are recorded in the proper time period (Existence or Occurrence and
Completeness).
B. Determine that expenses have been properly classified and disclosed in the financial statements
(Presentation and Disclosure).
C. Determine that expense items are recognized in accordance with generally accepted accounting
principles (Valuation or Allocation).
II. Audit Procedures:
A. Trace cash disbursements journal totals to relevant general ledger control accounts.
B. Trace cash disbursements journal items to relevant subsidiary ledgers (e.g., payroll subledger).
C. Verify the mathematical accuracy of footings and extensions of relevant journals.
D. Perform analytical procedures by:
• Comparing current- and prior-period expense items
• Comparing the current-period expense items to anticipated results (i.e., budgeted
amounts)
• Comparing the current-period expense items to industry standards
• Relating various expense items to gross sales or revenue by means of percentages
• Investigating any significant or unexplained fluctuations
• Vouching bills on a sampling basis
E. Consider analyzing the following accounts, which are often subject to intentional or unintentional
misstatement:
• Depreciation and amortization
• Taxes:
▪ Real estate
▪ Personal property
▪ Income
▪ Payroll
• Rent
• Insurance
• Bad debts
• Interest
• Professional fees
• Officers’ salaries
• Directors’ fees
• Travel and entertainment
• Research and development
• Charitable contributions
• Repairs and maintenance
F. With respect to payroll:
• Search for fictitious employees
• Determine improper alterations of amounts
• Verify that proper tax deductions are taken
• Examine time cards and trace to payroll records in order to verify the proper recording
of employee hours.
• Verify the accuracy of pay rates by obtaining a list of authorized pay rates from the
personnel department.
• Review the adequacy of internal controls relating to hiring, overtime, and retirement.
• Determine if proper payroll forms exist such as W-4s and I-9s.
Assessing the Risk of Fraud
Characteristics of Financial Statement Fraud
Types of Fraud
The difference between error and fraud depends on whether the underlying action or intent resulting
in a financial statement misstatement is intentional or unintentional. Fraud refers to intentional
misstatements or omissions of financial statement amounts or disclosures. Error, on the other hand,
refers to unintentional acts, for example misinterpretation, mistakes, and the use of incorrect
accounting estimates.
The auditor is primarily concerned with fraud that causes a material misstatement in the financial
statements. Two types of intentional misstatements are relevant to the auditor, fraudulent financial
reporting and misappropriation of assets. SAS 99 provides further explanations, as discussed below:
Fraudulent Financial Reporting. Misstatements arising from fraudulent financial reporting are
intentional misstatements or omissions of amounts or disclosures in financial statements designed to
deceive financial statement users where the effect causes the financial statements not to be
presented, in all material respects, in conformity with GAAP.
Fraudulent financial reporting may be accomplished by the following:
1. Manipulation, falsification, or alteration of accounting records or supporting documents from
which financial statements are prepared
2. Misrepresentation in or intentional omission from the financial statements of events,
transactions, or other significant information
3. Intentional misapplication of accounting principles relating to amounts, classification, manner
of presentation, or disclosure
Fraudulent financial reporting need not be the result of a grand plan or conspiracy. It may be that
management representatives rationalize the appropriateness of a material misstatement, for
example, as an aggressive rather than indefensible interpretation of complex accounting rules, or as a
temporary misstatement of financial statements, including interim statements, expected to be
corrected later when operational results improve.
[Figure: Types of Misstatements: Fraudulent Financial Reporting; Misappropriation of Assets]
Misappropriation of Assets. Misstatements arising from misappropriation of assets (sometimes
referred to as theft or defalcation) involve the theft of an entity's assets where the effect of the theft
causes the financial statements not to be presented, in all material respects, in conformity with GAAP.
Misappropriation of assets can be accomplished in various ways, including embezzling receipts,
stealing assets, or causing an entity to pay for goods or services that have not been received.
Misappropriation of assets may be accompanied by false or misleading records or documents, possibly
created by circumventing controls.
Fraud Risk Factors
Because of the characteristics of fraud, the auditor is advised to exercise professional judgment.
Accordingly, the auditor should have a questioning mind and critically assess evidence obtained
throughout the conduct of the audit. When obtaining reasonable assurance, the auditor is responsible
for maintaining professional skepticism throughout the audit. Auditors may consider the following
fraud risks derived from SAS 99 appendixes.
• Risk Factors Relating to Misstatements Arising From Misappropriation of Assets
• Risk Factors Relating to Misstatements Arising From Fraudulent Financial Reporting
Brainstorming Sessions
Auditors must consider all the potential fraud risk factors which might be relevant for their client. This
should be done through team brainstorming sessions, and the auditor can then develop procedures
to address identified fraud risk. The brainstorming sessions reinforce the importance of professional
skepticism and set the tone for the engagement. Audit team members should brainstorm about:
• How and where the financial statements might be susceptible to material misstatement due
to fraud;
• How management could perpetrate and conceal fraudulent financial reporting;
• How an entity’s assets could be misappropriated;
• The need to emphasize professional skepticism throughout the audit;
• The risk of management override of internal controls, and
• How the audit team might respond to the susceptibility of the financial statements to material
misstatement caused by fraud.
With reference to management override, SAS 99 states that:
“Management has a unique ability to perpetrate fraud because it frequently is in a position to directly
or indirectly manipulate accounting records and present fraudulent financial information. Fraudulent
financial reporting often involves management override of controls that otherwise may appear to be
operating effectively. Management can either direct employees to perpetrate fraud or solicit their help
in carrying it out. In addition, management personnel at a component of the entity may be in a position
to manipulate the accounting records of the component in a manner that causes a material
misstatement in the consolidated financial statements of the entity. Management override of controls
can occur in unpredictable ways.”
When applying professional judgment to assess fraud risks during the brainstorming sessions, the
following risk attributes should be considered by the auditor:
Risk Attributes of Fraud in Financial Statements
Attribute: Consideration
The Type of Risk: Whether the risk involves fraudulent financial reporting or misappropriation of
assets.
The Significance of the Risk: Whether the risk is of a magnitude that could result in a possible
material misstatement of the financial statements.
The Likelihood of the Risk: The likelihood that the risk will result in a material misstatement in the
financial statements.
The Pervasiveness of the Risk: Whether the potential risk is pervasive to the financial statements as
a whole or specifically related to a particular accounting assertion, financial statement account, or
type of transaction.
Brainstorming sessions are critical because they are intended to aid auditors in linking fraud risk factors
to risk assessment and foster the development of appropriate audit responses. The American
Accounting Association identified the following top seven brainstorming practices that significantly
improve brainstorming quality:
1. Sessions are led by a partner or forensic specialist.
2. An information technology audit specialist attends the primary brainstorming session.
3. The engagement’s primary session is held pre-planning or early in planning.
4. The discussion of how management might perpetrate fraud is robust.
5. The discussion about audit response to fraud risk is detailed.
6. The level of manager contribution to the session is high.
7. The level of partner contribution to the session is significant.
Fraud Risk Assessment
Auditors will detect fraud through a multiple-phase approach. The auditor collects information related
to the risk of material misstatement, applies such information to brainstorming sessions to identify
fraud risk factors, and synthesizes this information to develop a fraud risk assessment.
Collect Information
There are numerous ways, such as interviews, surveys or questionnaires, and anonymous feedback
mechanisms, to collect information related to the risk of material misstatement. The fraud interview
is one of the most effective methods of gathering such information, and it requires the auditor to
have effective communication skills. The following interview techniques, recommended by Grant
Thornton, LLP and the Marine Corps Nonappropriated Funds Audit Service, are essential for achieving
high-quality fraud interviews:
Interviews with Management and Employees
Audit team members interview both managers and employees to gather information about fraud risks,
assist with evaluating controls, and obtain information about potential fraudulent activities. This
strategy provides employees the opportunities to raise any concerns they might have regarding
management fraud. When conducting employee and management interviews, auditors should use
care and good judgment in any discussions about fraud with all personnel and not insinuate that fraud
is present or imply that an employee or manager is under suspicion of fraud.
Setting the Tone for Discussion
An important consideration when preparing for a fraud interview session is to set the proper tone for
the discussion. Because of the sensitive nature of a discussion of fraud and the potential for interview
participants to become shy or refrain from voicing their opinions, it is a good idea to indicate that the
interview session is required by AICPA, SAS 122, Consideration of Fraud in a Financial Statement Audit,
and that no one is suspected of or being accused of fraud when conducting a financial statement audit.
Asking Follow-Up Questions
When conducting fraud interview sessions, it is critical to keep an open mind and to ask follow-up
questions. Many frauds have been allowed to continue too long because of the failure to ask the next
question. Responses to interview questions may be less complete than expected. If so, requests for
additional clarification or amplification are often necessary. Other times, responses may be different
from what was expected or about areas other than what was asked. In those situations, rather than
continue to the next question from a pre-determined list, it is important to probe further. The person
being interviewed may feel uncomfortable providing information directly that could lead to
uncovering a potential issue. But with sufficient diligence in following up on responses, the auditor is
more likely to fully identify suspect situations or irregularities. This is not possible without listening
fully to responses and responding with relevant follow-up questions.
Identify and Assess Fraud Risks
Judgments about the risk of material misstatement caused by fraud may have an overall effect on the
audit in the following ways:
• Assignment and supervision of personnel: The knowledge and skill of auditors should be
assigned according to the assessed level of risk. The extent of supervision should reflect the
auditor’s assessment of risks of material misstatement due to fraud and the competencies of
auditors.
• Accounting principles: The auditor should be more skeptical about management’s selection
and application of accounting principles, practices, and methods, especially those related to
subjective measurements and complex transactions.
• Unpredictability of auditing procedures: The auditor should incorporate an element of
unpredictability in the selection of the nature, timing and extent of auditing procedures.
Auditors should also consider potential inherent fraud risks such as:
1. Incentives, pressures, and opportunities
2. Risk of management’s override of controls
3. Population of fraud risks:
− Fraudulent financial reporting
− Asset misappropriation
− Corruption
4. Regulatory and legal misconduct
5. Reputation risk
6. Risk of information technology
Respond to the Fraud Risk Assessment
Once a fraud risk assessment is established, the auditor should develop a response to the risk
assessment such as altering the staffing of the engagement, or modifying the nature, extent, and
timing of specific auditing procedures. Additional auditing procedures may be required to address
the risk of material misstatement due to fraud arising from management override of internal controls.
Examples of these procedures include:
• Test the effectiveness of controls over the preparation and posting of journal entries and
adjustments;
• Determine if the characteristics of fraudulent journal entries or adjustments are present (e.g.,
unusual and unrelated accounts being used; containing round numbers, and recorded at the
end of period);
• Understand the nature and complexity of the accounts, and
• Understand the basis of nonstandard journal entries.
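As an added illustration (not part of the course text), the following Python screen applies the characteristics just listed, unusual account combinations, round amounts, period-end posting and nonstandard manual entries, to a constructed batch of journal entries and ranks the hits for review; the period-end date, the three-day window, the round-number base, the account names and the entries themselves are all assumptions.

```python
"""Journal-entry red-flag screen: added example, not course material.

Flags the characteristics named in the text (unusual or unrelated account
combinations, round amounts, posting at period end) plus nonstandard manual
entries. Period end, window, round-number base, account names and the
sample entries are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    posted: date
    debit_account: str
    credit_account: str
    amount: float
    source: str  # originating system, e.g. "AP", "PAYROLL", "MANUAL"


PERIOD_END = date(2019, 12, 31)  # assumed fiscal year end
WINDOW_DAYS = 3                   # assumed width of the "end of period" window
ROUND_BASE = 1_000                # assumed multiple that counts as a round number


def is_round_amount(amount, base=ROUND_BASE):
    """True for non-zero amounts that are an exact multiple of `base`."""
    cents = round(amount * 100)
    return cents != 0 and cents % (base * 100) == 0


def is_period_end(posted, period_end=PERIOD_END, window=WINDOW_DAYS):
    """True when the posting date lies within `window` days of period end."""
    return abs((period_end - posted).days) <= window


def baseline_pairs(history):
    """Debit/credit account pairs seen in routine, system-generated entries."""
    return {(e.debit_account, e.credit_account) for e in history}


def screen_entries(entries, usual_pairs):
    """Return {je_id: [reasons]} for every entry that trips at least one test."""
    flagged = {}
    for e in entries:
        reasons = []
        if (e.debit_account, e.credit_account) not in usual_pairs:
            reasons.append("unusual account combination")
        if is_round_amount(e.amount):
            reasons.append("round amount")
        if is_period_end(e.posted):
            reasons.append("posted at period end")
        if e.source == "MANUAL":
            reasons.append("nonstandard manual entry")
        if reasons:
            flagged[e.je_id] = reasons
    return flagged


def rank_for_review(flagged):
    """Order flagged entry ids by number of red flags (most first), then by id."""
    return sorted(flagged, key=lambda je_id: (-len(flagged[je_id]), je_id))


# Constructed routine postings that define the "usual" account pairs.
HISTORY = [
    JournalEntry("H-1", date(2019, 10, 5), "Inventory", "Accounts Payable", 18_420.10, "AP"),
    JournalEntry("H-2", date(2019, 10, 6), "Accounts Receivable", "Revenue", 7_311.55, "BILLING"),
    JournalEntry("H-3", date(2019, 10, 15), "Wages Expense", "Cash", 80_102.33, "PAYROLL"),
    JournalEntry("H-4", date(2019, 10, 31), "Cost of Goods Sold", "Inventory", 12_877.00, "INVENTORY"),
]

# Constructed batch under review.
SAMPLE_ENTRIES = [
    JournalEntry("JE-1001", date(2019, 12, 15), "Accounts Receivable", "Revenue", 12_345.67, "BILLING"),
    JournalEntry("JE-1002", date(2019, 12, 31), "Accounts Receivable", "Revenue", 500_000.00, "MANUAL"),
    JournalEntry("JE-1003", date(2019, 12, 30), "Repairs Expense", "Accounts Receivable", 9_800.00, "MANUAL"),
    JournalEntry("JE-1004", date(2019, 11, 20), "Inventory", "Accounts Payable", 25_000.00, "AP"),
    JournalEntry("JE-1005", date(2019, 12, 31), "Wages Expense", "Cash", 84_312.50, "PAYROLL"),
]


if __name__ == "__main__":
    flags = screen_entries(SAMPLE_ENTRIES, baseline_pairs(HISTORY))
    for je_id in rank_for_review(flags):
        print(je_id, "->", ", ".join(flags[je_id]))
```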
It is important to keep in mind that the assessment of the risk of material misstatement caused by
fraud is not a one-time assessment, but rather should be ongoing throughout the conduct of the audit.
Accordingly, on an ongoing basis, the auditor should watch out for the following:
• Discrepancies in the accounting records;
• Conflicting or missing evidential matter, and
• Problematic or unusual relationships between management and the auditor
The auditor should also:
1. Evaluate whether analytical procedures in the substantive testing and overall review stages of
the audit indicate previously unrecognized risks of material misstatement caused by fraud,
and
2. At or near the end of fieldwork, evaluate the accumulated results of audit tests to determine
the effect on the auditor’s earlier risk assessment.
Testing Controls
Testing Design Effectiveness
The auditor should test the design effectiveness of controls by determining whether the company's
controls, if they are operated as prescribed by persons possessing the necessary authority and
competence to perform the control effectively, satisfy the company's control objectives and can
effectively prevent or detect errors or fraud that could result in material misstatements in the financial
statements.
Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate
personnel, observation of the company's operations, and inspection of relevant documentation.
Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.
Testing Operating Effectiveness
The auditor should test the operating effectiveness of control by determining whether the control is
operating as designed and whether the person performing the control possesses the necessary
authority and competence to perform the control effectively. In designing test procedures, the auditor
should consider such matters as:
• The significance of the risk
• The likelihood that a material misstatement will occur
• The characteristics of the class of transactions, account balance, or disclosure involved
• The nature of specific controls used by the organization, in particular, whether they are
manual or automated
• Whether the auditor expects to obtain audit evidence to determine if the organization’s
controls are effective in preventing or detecting material misstatement.
Inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a
control.
Relationship of Risk to the Evidence Obtained
For each control selected for testing, the evidence necessary to persuade the auditor that the control
is effective depends upon the risk associated with the control. The risk associated with a control
consists of the risk that the control might not be effective and, if not effective, the risk that a material
weakness would result. As the risk associated with the control being tested increases, the evidence
that the auditor should obtain also increases.
Although the auditor must obtain evidence about the effectiveness of controls for each relevant
assertion, the auditor is not responsible for obtaining sufficient evidence to support an opinion about
the effectiveness of each control. Rather, the auditor's objective is to express an opinion on the
company's ICFR overall. This allows the auditor to vary the evidence obtained regarding the
effectiveness of individual controls selected for testing based on the risk associated with each
control. Factors that affect the risk associated with a control include:
• The nature and materiality of misstatements that the control is intended to prevent or detect;
• The inherent risk associated with the related account(s) and assertion(s);
• Whether there have been changes in the volume or nature of transactions that might
adversely affect control design or operating effectiveness;
• Whether the account has a history of errors;
• The effectiveness of entity-level controls, especially controls that monitor other controls;
• The nature of the control and the frequency with which it operates;
• The degree to which the control relies on the effectiveness of other controls (e.g., the control
environment or information technology general controls);
• The competence of the personnel who perform the control or monitor its performance and
whether there have been changes in key personnel who perform the control or monitor its
performance;
• Whether the control relies on performance by an individual or is automated (i.e., an
automated control would generally be expected to be lower risk if relevant information
technology general controls are effective); and
• The complexity of the control and the significance of the judgments that must be made in
connection with its operation.
Note: A less complex company or business unit with simple business processes and centralized
accounting operations might have relatively simple information systems that make greater use
of off-the-shelf packaged software without modification. In the areas in which off-the-shelf
software is used, the auditor's testing of information technology controls might focus on the
application controls built into the pre-packaged software that management relies on to
achieve its control objectives and the IT general controls that are important to the effective
operation of those application controls.
Note: Generally, the conclusion that a control is not operating effectively can be supported by less
evidence than is necessary to support the conclusion that a control is operating effectively.
When the auditor identifies deviations from the company's controls, he or she should determine the
effect of the deviations on his or her assessment of the risk associated with the control being tested
and the evidence to be obtained, as well as on the operating effectiveness of the control.
The evidence provided by the auditor's tests of the effectiveness of controls depends upon the mix of
the nature, timing, and extent of the auditor's procedures. Further, for an individual control, different
combinations of the nature, timing, and extent of testing may provide sufficient evidence in relation
to the risk associated with the control.
Evaluating Control Deficiencies
The auditor must evaluate the severity of each control deficiency that comes to his or her attention to
determine whether the deficiencies, individually or in combination, are material weaknesses as of the
date of management's assessment. In planning and performing the audit, however, the auditor is not
required to search for deficiencies that, individually or in combination, are less severe than a material
weakness. The severity of a deficiency depends on:
1. Whether there is a reasonable possibility that the company's controls will fail to prevent or
detect a misstatement of an account balance or disclosure; and
2. The magnitude of the potential misstatement resulting from the deficiency or deficiencies.
The severity of a deficiency does not depend on whether a misstatement actually has occurred but
rather on whether there is a reasonable possibility that the company's controls will fail to prevent or
detect a misstatement.
Risk factors affect whether there is a reasonable possibility that a deficiency, or a combination of
deficiencies, will result in a misstatement of an account balance or disclosure. The factors include, but
are not limited to, the following:
• The nature of the financial statement accounts, disclosures, and assertions involved;
• The susceptibility of the related asset or liability to loss or fraud;
• The subjectivity, complexity, or extent of judgment required to determine the amount
involved;
• The interaction or relationship of the control with other controls, including whether they
are interdependent or redundant;
• The interaction of the deficiencies;
• The possible future consequences of the deficiency;
• The importance of controls, such as the following, to the financial reporting process (if
applicable):
− General monitoring controls (such as oversight of management)
− Controls over the prevention and detection of fraud
− Controls over the selection and application of significant accounting policies
− Controls over significant transactions with related parties
− Controls over significant transactions outside the entity’s normal course of business
− Controls over the period-end financial reporting process (such as controls over
nonrecurring journal entries)
The evaluation of whether a control deficiency presents a reasonable possibility of misstatement can
be made without quantifying the probability of occurrence as a specific percentage or range. Auditors
should consider the following factors:
• A deficiency in ICFR on its own may not be sufficiently important to constitute a material
weakness. However, a combination of deficiencies affecting the same significant class of
transactions, account balance, or disclosure; relevant assertion; or component of ICFR may
increase the risks of misstatement to such an extent as to give rise to a material weakness. A
combination of deficiencies that affect the same significant class of transactions, account
balance, or disclosure; relevant assertion; or component of ICFR also may collectively result in
a significant deficiency.
• Factors that affect the magnitude of the misstatement that might result from a deficiency or
deficiencies in controls include, but are not limited to, the following:
1. The financial statement amounts or total of transactions exposed to the deficiency; and
2. The volume of activity in the account balance or class of transactions exposed to the
deficiency that has occurred in the current period or that is expected in future periods.
• The auditor should evaluate the effect of compensating controls when determining whether
a control deficiency or combination of deficiencies is a material weakness. To have a mitigating
effect, the compensating control should operate at a level of precision that would prevent or
detect a misstatement that could be material.
• When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also
should determine the level of detail and degree of assurance that would satisfy prudent
officials in the conduct of their own affairs that they have reasonable assurance that
transactions are recorded as necessary to permit the preparation of financial statements in
conformity with generally accepted accounting principles. If the auditor determines that a
deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of
their own affairs from concluding that they have reasonable assurance that transactions are
recorded as necessary to permit the preparation of financial statements in conformity with
GAAP, then the auditor should treat the deficiency, or combination of deficiencies, as an
indicator of a material weakness.
Indicators of Material Weakness
Indicators of material weaknesses in ICFR include:
• Identification of fraud, whether or not material, on the part of senior management;
• Restatement of previously issued financial statements to reflect the correction of a material
misstatement;
• Identification by the auditor of a material misstatement of financial statements in the current
period in circumstances that indicate that the misstatement would not have been detected by
the company's ICFR; and
• Ineffective oversight of the company's external financial reporting and ICFR by the company's
audit committee
Examples of Significant Deficiencies and Material
Weaknesses
If a material weakness exists as of the assessment date, management is required to conclude that ICFR
is not effective and to disclose all material weaknesses that may have been identified. The SEC Chief
Accountant has stated publicly that he expects management's report to disclose the nature of any
material weakness in sufficient detail to enable investors and other financial statement users to
understand the weakness and evaluate the circumstances underlying it. The SEC provided the
following scenarios to illustrate how to evaluate the significance of internal control deficiencies in
various situations.
Scenario A – Significant Deficiency
The company processes a significant number of routine intercompany transactions on a monthly basis.
Individual intercompany transactions are not material and primarily relate to balance sheet activity,
for example, cash transfers between business units to finance normal operations. A formal
management policy requires monthly reconciliation of intercompany accounts and confirmation of
balances between business units. However, there is not a process in place to ensure performance of
these procedures. As a result, detailed reconciliations of intercompany accounts are not performed
on a timely basis. Management does perform monthly procedures to investigate selected large-dollar
intercompany account differences. In addition, management prepares a detailed monthly variance
analysis of operating expenses to assess their reasonableness.
Based only on these facts, the auditor should determine that this deficiency represents a significant
deficiency for the following reasons: The magnitude of a financial statement misstatement resulting
from this deficiency would reasonably be expected to be more than inconsequential, but less than
material, because individual intercompany transactions are not material, and the compensating
controls operating monthly should detect a material misstatement. Furthermore, the transactions are
primarily restricted to balance sheet accounts. However, the compensating detective controls are
designed only to detect material misstatements. The controls do not address the detection of
misstatements that are more than inconsequential but less than material. Therefore, the likelihood
that a misstatement that was more than inconsequential, but less than material, could occur is more
than remote.
Scenario B – Material Weakness
During its assessment of internal control over financial reporting, management of a financial institution
identifies deficiencies in:
• The design of controls over the estimation of credit losses (a critical accounting estimate);
• The operating effectiveness of controls for initiating, processing, and reviewing
adjustments to the allowance for credit losses; and
• The operating effectiveness of controls designed to prevent and detect the improper
recognition of interest income.
Management and the auditor agree that, in their overall context, each of these deficiencies individually
represents a significant deficiency. In addition, during the past year, the company experienced a
significant level of growth in the loan balances that were subjected to the controls governing credit
loss estimation and revenue recognition, and further growth is expected in the upcoming year.
Based only on these facts, the auditor should determine that the combination of these significant
deficiencies represents a material weakness for the following reasons:
1. The balances of the loan accounts affected by these significant deficiencies have increased
over the past year and are expected to increase in the future.
2. This growth in loan balances, coupled with the combined effect of the significant deficiencies
described, results in a more than remote likelihood that a material misstatement of the
allowance for credit losses or interest income could occur.
Therefore, in combination, these deficiencies meet the definition of a material weakness.
Responding to Misstatements Caused by Fraud
If the auditor determines that the effect of the misstatement caused by fraud is immaterial, the
implications should be evaluated. If the auditor believes that the effect of the misstatement caused
by fraud is material, or is unable to determine the materiality of the misstatement, the following
actions should be considered:
• Undertake to obtain additional evidential matter to ascertain whether material fraud has
occurred, or is likely to have occurred, and if so, its related effects on the financial statements
as well as the auditor’s report;
• Evaluate the possible effects on other aspects of the audit;
• Discuss the matter and the approach for further investigation with an appropriate level of
management that is at least one level above those involved, and with senior management,
and the audit committee, and
• Determine whether it is appropriate to advise the auditee to consult with its legal counsel.
The auditor should notify an appropriate level of management if the auditor determines that there is
evidence of fraud, even if the fraud is inconsequential.
The auditor should notify those charged with governance (e.g. the audit committee) if the auditor
determines that there is fraud that:
• Involves senior management, and
• Results in a material misstatement in the financial statements
When the auditor concludes that identified fraud risk factors have continuing internal control
implications, the auditor should assess such factors for significant deficiencies and material
weaknesses that require communication to senior management or those charged with governance.
The auditor is permitted to disclose fraud to non-client personnel only under the following
circumstances:
1. Permitted by law or regulatory requirements;
2. A predecessor auditor communicates with a successor auditor pursuant to the provisions of
AU 315, Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement;
3. Responding to a subpoena, and
4. Required to notify a funding agency or other specified agency pursuant to requirements for
the audits of entities that receive governmental financial assistance
Under AU 240, the auditor is required to document the following:
• The details of the required brainstorming.
• The procedures performed to identify and assess the risks of material misstatement caused
by fraud.
• Specific risks of material misstatement caused by fraud that the auditor identified as well as a
description of the auditor’s response thereto.
• The basis for the conclusion, if the auditor has not identified in a particular circumstance
improper revenue recognition as a risk of material misstatement caused by fraud.
• The results of the procedures to further address the risk of management override of internal
controls.
• Other conditions and results of analytical procedures that led the auditor to believe that
additional audit procedures were necessary, as well as any further responses the auditor
considered necessary.
• The nature of the communications concerning fraud made to management, and those charged
with governance.
Reporting Audit Results
Types of Audit Opinions
The auditor is required to evaluate management's assessment and to express an opinion on that
assessment. Also, the auditor must independently audit and report on the effectiveness of ICFR. The
content of the auditor's report on ICFR is prescribed by the auditing standards, and although there are
many nuances to the auditor's reporting, the most common external auditor reports are likely to be:
1. Unqualified opinions on both management's assessment and the effectiveness of ICFR. An opinion
that management's assessment is fairly stated in all material respects, along with an opinion that
ICFR is effective in all material respects as of the assessment date.
2. Unqualified opinion on management's assessment that ICFR is ineffective and adverse opinion on
the effectiveness of ICFR. An opinion that management's assessment (that ICFR is not effective) is
fairly stated in all material respects, along with an opinion that ICFR is ineffective because of one
or more material weaknesses.
When one or more material weaknesses exist as of the assessment date, the auditor must express
an adverse opinion on the effectiveness of the company's ICFR. The auditor will still render an
unqualified opinion on management's assessment if management properly reported the material
weakness and concluded in its assessment that ICFR was ineffective.
3. If the auditor disagrees with management about whether a material weakness exists (i.e., the
auditor concludes a material weakness exists but management does not), the auditor will render
an adverse opinion on management's assessment. When expressing an adverse opinion on the
effectiveness of ICFR, the auditor should provide specific information about the nature of the
material weakness and its actual and potential effect on the company's financial statements. The
PCAOB has also stated that it expects disclosure sufficient to allow users to understand the
weakness and its actual and potential implications on the financial statements.
The following table summarizes the most likely reporting scenarios:
Most Likely Reporting Scenarios - ICFR

Scenario                                  | Management's   | Auditor's Report on:
                                          | Report on ICFR | Management's   Effectiveness   Financial
                                          |                | Assessment     of ICFR         Statements
------------------------------------------|----------------|-----------------------------------------------
No material weakness identified           | Effective      | Unqualified    Unqualified     Unqualified
Material weakness identified by           | Not Effective  | Unqualified    Adverse         Unqualified (1)
management and the auditor                |                |
Material weakness identified by the       | Effective      | Adverse        Adverse         Unqualified
auditor, not by management (2)            |                |

(1) Presumes the auditor is able to perform sufficient procedures to conclude that the financial
statements are fairly stated.
(2) In this situation, management and the auditor disagree on whether a control deficiency constitutes
a material weakness.
4. Disclaimer of opinion. A disclaimer of opinion is a report stating that because of restrictions on
the scope of the auditor's work, the auditor is unable to, and does not, express an opinion on
management's assessment or the effectiveness of ICFR. A disclaimer may be issued in situations
where the auditor believes management's assessment process is inadequate or where there are
restrictions on the scope of the auditor's work. In a disclaimer situation, the auditor's report must
also disclose any material weaknesses that have been identified.
If management simply decides to forgo the testing or documentation needed to form a sufficient basis
for its assessment, the auditor is precluded from rendering an opinion, because management did not
fulfill its responsibilities. In these instances, the auditor either disclaims an opinion both on
management's assessment and on the effectiveness of ICFR, or withdraws from the engagement.
Audit Matters
Critical Audit Matters
AS 3101, The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an
Unqualified Opinion, requires auditors to communicate critical audit matters in the auditor's report.
The standard generally applies to audits conducted under PCAOB standards. However, communication
of critical audit matters is NOT required for audits of brokers and dealers reporting under Exchange
Act Rule 17a-5; investment companies under the Investment Company Act; emerging growth
companies, and employee stock purchase, savings, and similar plans.
A critical audit matter is defined as
“Any matter arising from the audit of the financial statements that was communicated or required to
be communicated to the audit committee and that:
− Relates to accounts or disclosures that are material to the financial statements; and
− Involved especially challenging, subjective, or complex auditor judgment.”
Since AS 3101 is principles-based, it does not specify any matters that would always constitute critical
audit matters. The PCAOB expects that, in most audits to which the critical audit matter requirements
apply, there will be at least one critical audit matter. However, there also may be audits in which the
auditor determines there are no critical audit matters.
To determine whether there are any critical audit matters in the audit of the current period's financial
statements, auditors should take into account, alone or in combination, the following factors, as well
as other factors specific to the audit:
• The auditor's assessment of the risks of material misstatement, including significant risks;
• The degree of auditor judgment related to areas in the financial statements that involved the
application of significant judgment or estimation by management;
• The nature and timing of significant unusual transactions and the extent of audit effort and
judgment related to these transactions;
• The degree of auditor subjectivity in applying audit procedures to address the matter or in
evaluating the results of those procedures;
• The nature and extent of audit effort required to address the matter, including the extent of
specialized skill or knowledge needed or the nature of consultations outside the engagement
team regarding the matter; and
• The nature of audit evidence obtained regarding the matter.
Examples of critical audit matters include revenue recognition (e.g. contract modification, multiple
performance obligations), real estate valuation, impairment analysis, accounting for acquisitions, and
the valuation allowance for deferred tax assets. According to SEC’s EDGAR system and the PCAOB, the
most frequently communicated critical audit matters include goodwill and other intangible assets,
revenue recognition, taxes, and business combinations.
Exhibit B presents an example of an auditor’s report on critical audit matters from Microsoft’s Form
10-K.
The requirements related to critical audit matters are effective for audits of fiscal years ending on or
after June 30, 2019, for large accelerated filers, and for fiscal years ending on or after December 15,
2020, for all other companies to which the requirements apply.
Key Audit Matters
In May 2019, the ASB issued SAS 134, Auditor Reporting and Amendments, Including Amendments
Addressing Disclosures in the Audit of Financial Statements resulting in significant changes to the
auditor’s reporting model. SAS 134 replaces AU 700, 705 and 706 and introduces a new section 701.
AU 701, Communicating Key Audit Matters in the Independent Auditor’s Report discusses the auditor’s
responsibility to communicate key audit matters in the auditor’s report when the auditor is engaged
to do so. Key audit matters are defined as
“Those matters that, in the auditor's professional judgment, were of most significance in the audit of
the financial statements of the current period. Key audit matters are selected from matters
communicated with those charged with governance.”
Under AU 701, when determining key audit matters, auditors should take into account the following:
• Areas of higher assessed risk of material misstatement, or significant risks identified;
• Significant auditor judgments relating to areas in the financial statements that involved
significant management judgment (e.g estimates with high uncertainty); and
• The effect on the audit of significant events or transactions that occurred during the period.
Neither SAS 134 nor GAAS requires the communication of key audit matters; AU 701 applies only when
the auditor is engaged to report them. Section 705 prohibits the auditor from communicating key audit
matters when the auditor expresses an adverse opinion or disclaims an opinion.
SAS 134 is effective for audits of financial statements for periods ending on or after December 15,
2020. Early implementation is not permitted.
The frameworks for determining a critical audit matter and key audit matter are similar and begin with
those matters communicated or required to be communicated to the audit committee. For example,
key audit matters are selected from matters communicated with those charged with governance.
Critical audit matters are matters arising from the audit of the financial statements that were
communicated or required to be communicated to the audit committee.
Exhibit B: Microsoft − Critical Audit Matters
The following are excerpts from Microsoft’s 2019 Form 10-K
Critical Audit Matter Description
The Company recognizes revenue upon transfer of control of promised products or services to
customers in an amount that reflects the consideration the Company expects to receive in exchange
for those products or services. The Company offers customers the ability to acquire multiple licenses
of software products and services, including cloud-based services, in its customer agreements through
its volume licensing programs.
Significant judgment is exercised by the Company in determining revenue recognition for these
customer agreements, and includes the following:
• Determination of whether products and services are considered distinct performance obligations
that should be accounted for separately versus together, such as software licenses and related
services that are sold with cloud-based services.
• Determination of stand-alone selling prices for each distinct performance obligation and for
products and services that are not sold separately.
• The pattern of delivery (i.e., timing of when revenue is recognized) for each distinct performance
obligation.
• Estimation of variable consideration when determining the amount of revenue to recognize (e.g.,
customer credits, incentives, and in certain instances, estimation of customer usage of products
and services).
Given these factors, the related audit effort in evaluating management’s judgments in determining
revenue recognition for these customer agreements was extensive and required a high degree of
auditor judgment.
How the Critical Audit Matter Was Addressed in the Audit
Our principal audit procedures related to the Company’s revenue recognition for these customer
agreements included the following:
• We tested the effectiveness of internal controls related to the identification of distinct
performance obligations, the determination of the timing of revenue recognition, and the
estimation of variable consideration.
• We evaluated management’s significant accounting policies related to these customer
• We selected a sample of customer agreements and performed the following procedures:
• Obtained and read contract source documents for each selection, including master agreements,
and other documents that were part of the agreement.
• Tested management’s identification of significant terms for completeness, including the
identification of distinct performance obligations and variable consideration.
• Assessed the terms in the customer agreement and evaluated the appropriateness of
management’s application of their accounting policies, along with their use of estimates, in the
determination of revenue recognition conclusions.
• We evaluated the reasonableness of management’s estimate of stand-alone selling prices for
products and services that are not sold separately.
• We tested the mathematical accuracy of management’s calculations of revenue and the
associated timing of revenue recognized in the financial statements.
Other Considerations
Considerations Specific to Smaller, Less Complex Entities
Testing Design Effectiveness. A smaller, less complex company might achieve its control objectives
differently from a larger, more complex organization. For example, a smaller, less complex company
might have fewer employees in the accounting function, limiting opportunities to segregate duties and
leading the company to implement alternative controls to achieve its control objectives. In such
circumstances, the auditor should evaluate whether those alternative controls are effective.
Testing Operating Effectiveness. In some situations, particularly in smaller companies, a company
might use a third party to assist with certain financial reporting functions. When assessing the
competence of personnel responsible for a company's financial reporting and associated controls, the
auditor may take into account the combined competence of company personnel and other parties
that assist with functions related to financial reporting.
Relationship of Risk to the Evidence Obtained. A smaller, less complex company or unit might have
less formal documentation regarding the operation of its controls. In those situations, testing controls
through inquiry combined with other procedures, such as observation of activities, an inspection of
less formal documentation, or re-performance of certain controls, might provide sufficient evidence
about whether the control is effective.
Considerations of Financial Information Systems
Cybersecurity risks and controls fall within the scope of the financial statement auditor's concern only
to the extent that they affect the financial statements and company assets materially, that is, only
where the systems and applications involved house financial statement-related data. Accordingly, the
financial statement and ICFR audit responsibilities do not encompass an evaluation of cybersecurity
risks across a company's entire IT platform, but only the systems and controls related to the financial
reporting process. The Center for Audit Quality (CAQ) Alert #2014-3, Cybersecurity and the External
Audit, provides the following graphic depicting the typical access path to an IT system. According to
the CAQ, cyber incidents usually first occur at the perimeter and internal network layers, which tend
to be further removed from the application, database, and operating system layers that are typically
included in access control testing of systems that affect the financial statements.

[Figure (CAQ Alert #2014-3): Typical access path to an IT system - Perimeter Network > Internal
Network > Operating System > Database > Application]

IT is an important component of any risk assessment. IT risks include threats to data integrity, attacks
on system security by hackers, viruses, unauthorized access to data, and theft of financial and sensitive
information. Therefore, the auditor is required to obtain an understanding of the specific risks to a
company's ICFR resulting from its information systems. The PCAOB identifies examples of such risks,
including:
• Reliance on systems or programs that are inaccurately processing data, processing inaccurate
data, or both
• Unauthorized access to data that might destroy data or result in improper changes to data,
including the recording of unauthorized or non-existent transactions or inaccurate recording of
transactions (particular risks might arise when multiple users access a common database)
• The possibility of IT personnel gaining access privileges beyond those necessary to perform
their assigned duties, thereby breaking down segregation of duties
• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
• Potential loss of data or inability to access data as required
In the audit of the financial statements and ICFR, the auditor is required to obtain a sufficient
understanding of the internal control units or areas, including knowledge about the design of controls
and whether they have been placed in operation. In a company’s IT environment, auditors usually
focus their attention on IT systems and controls, and how they affect the company's flow of
transactions. IT controls (e.g. general controls, application controls) relate to the security
(confidentiality, integrity, and availability) of an organization’s information and systems, as well as its
overall financial objectives including completeness, accuracy, validity, and authorization. Specifically,
auditors are required to obtain an understanding of the automated controls used by the company,
including:
1. IT controls that are important to the effective operation of the automated controls
2. The reliability of data and reports produced by the company and used in the audit
Upon gaining an understanding of controls, the auditor assesses the effectiveness of IT controls;
whether the controls are properly designed, implemented, and operated effectively. For example, the
auditor may review access and changes to systems and data that could impact the financial statements
and the effectiveness of ICFR.
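The access and change review described above, as an added example that is not part of the course
material or of any auditing standard: a small Python script that runs three segregation-of-duties
checks over a constructed entitlement extract and a constructed activity log. The toxic pairs (for
instance, creating a vendor and approving a payment to it; issuing a check and reconciling the bank
statement; changing a program and promoting it to production), the user names, the object
identifiers, and the log lines are all assumptions made up for illustration, not data from any real
system.

```python
"""Segregation-of-duties (SoD) review over constructed access and activity data.

Added example; not from the course or from any standard. The toxic pairs,
the entitlement extract and the log lines below are constructed for illustration.
"""
from collections import defaultdict

# Toxic combinations: holding both halves lets one person both commit and
# conceal a transaction (or both change a program and release it).
# Constructed list, not taken from any standard.
TOXIC_PAIRS = [
    ("create_vendor", "approve_payment"),
    ("issue_check", "reconcile_bank"),
    ("edit_payroll_master", "run_payroll"),
    ("change_program", "promote_to_production"),
]

# Constructed entitlement extract: user -> granted permissions.
ENTITLEMENTS = {
    "alice": {"create_vendor", "edit_vendor"},
    "bob":   {"approve_payment", "view_reports"},
    "carol": {"issue_check", "reconcile_bank"},            # holds a toxic pair
    "dave":  {"change_program", "promote_to_production"},  # IT admin, toxic pair
}

# Constructed activity log: "timestamp user action object" per line.
LOG = """\
2020-03-02T09:14:00 alice create_vendor V-1043
2020-03-02T10:02:00 bob approve_payment V-1043
2020-03-05T16:40:00 carol issue_check CHK-5571
2020-03-31T08:05:00 carol reconcile_bank CHK-5571
2020-03-07T11:20:00 dave change_program AP_POST
2020-03-07T11:25:00 dave promote_to_production AP_POST
2020-03-08T12:00:00 bob approve_payment V-1044
"""


def entitlement_conflicts(entitlements, toxic_pairs=TOXIC_PAIRS):
    """Design-level check: users granted both halves of a toxic pair.
    The conflict exists before any transaction is posted."""
    findings = []
    for user, perms in sorted(entitlements.items()):
        for a, b in toxic_pairs:
            if a in perms and b in perms:
                findings.append((user, a, b))
    return findings


def parse_log(text):
    """Parse the constructed log lines into (timestamp, user, action, object) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj = line.split()
        events.append((ts, user, action, obj))
    return events


def executed_conflicts(events, toxic_pairs=TOXIC_PAIRS):
    """Operating-level check: the same user performed both halves of a toxic
    pair on the same object (e.g. issued a check and reconciled it)."""
    actions_by_key = defaultdict(set)
    for _ts, user, action, obj in events:
        actions_by_key[(user, obj)].add(action)
    findings = []
    for (user, obj), actions in sorted(actions_by_key.items()):
        for a, b in toxic_pairs:
            if a in actions and b in actions:
                findings.append((user, obj, a, b))
    return findings


def unused_entitlements(entitlements, events):
    """Least-privilege check: granted permissions never exercised in the log
    window, i.e. access beyond what the assigned duties required."""
    used = defaultdict(set)
    for _ts, user, action, _obj in events:
        used[user].add(action)
    return {u: perms - used[u] for u, perms in entitlements.items() if perms - used[u]}


if __name__ == "__main__":
    evs = parse_log(LOG)
    for f in entitlement_conflicts(ENTITLEMENTS):
        print("ENTITLEMENT CONFLICT:", f)
    for f in executed_conflicts(evs):
        print("EXECUTED CONFLICT:   ", f)
    for user, perms in unused_entitlements(ENTITLEMENTS, evs).items():
        print("UNUSED ENTITLEMENTS: ", user, sorted(perms))
```

The first check tests design (the conflict is visible in the entitlement table before anything is
posted); the second tests operation over the log and also catches a person who exercised both halves
even when the extract no longer shows both (for example a temporary elevation that was later revoked);
the third lists granted permissions never used during the period, which is the evidence an auditor
would ask management to justify or remove. On the constructed data, alice creating vendor V-1043 and
bob approving its payment is not flagged, because the two halves were performed by different users.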
A smaller, less complex entity or component with simple business processes and centralized
accounting operations might have relatively simple information systems that make greater use of off-
the-shelf packaged software without modification. In the areas where off-the-shelf software is used,
the auditor’s testing of IT controls might focus on the application controls built into the prepackaged
software that management relies on to achieve its control objectives and the IT general controls that
are important to the effective operation of those application controls.
[Figure: General Audit Process - IT Controls Review: (1) Understand the IT environment; (2) Assess the
IT risks of material misstatement; (3) Identify systems and IT controls to be reviewed; (4) Evaluate IT
controls design and operating effectiveness]
Appendix D provides a computer application checklist. It may be used to document your understanding
of the way computers are used in the information and communication systems of a medium to large
business.
Management Written Representations
In an audit of ICFR, the auditor should obtain written representations from management –
1. Acknowledging management's responsibility for establishing and maintaining effective ICFR;
2. Stating that management has performed an evaluation and made an assessment of the
effectiveness of the company's ICFR and specifying the control criteria;
3. Stating that management did not use the auditor's procedures performed during the audits of
ICFR or the financial statements as part of the basis for management's assessment of the
effectiveness of ICFR;
4. Stating management's conclusion, as set forth in its assessment, about the effectiveness of
the company's ICFR based on the control criteria as of a specified date;
5. Stating that management has disclosed to the auditor all deficiencies in the design or
operation of ICFR identified as part of management's evaluation, including separately
disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or
material weaknesses in ICFR;
6. Describing any fraud resulting in a material misstatement to the company's financial
statements and any other fraud that does not result in a material misstatement to the
company's financial statements but involves senior management or management or other
employees who have a significant role in the company's ICFR;
7. Stating whether control deficiencies identified and communicated to the audit committee
during previous engagements have been resolved, and specifically identifying any that have
not; and
8. Stating whether there were, subsequent to the date being reported on, any changes in ICFR
or other factors that might significantly affect ICFR, including any corrective actions taken by
management with regard to significant deficiencies and material weaknesses.
The failure to obtain written representations from management, including management's refusal to
furnish them, constitutes a limitation on the scope of the audit. When the scope of the audit is limited,
the auditor should either withdraw from the engagement or disclaim an opinion. Further, the auditor
should evaluate the effects of management's refusal on his or her ability to rely on other
representations, including those obtained in the audit of the company's financial statements.
Communication of Certain Matters
The auditor should communicate in writing to management and those charged with governance (audit
committee) significant deficiencies and material weaknesses identified during the integrated audit,
including those that were remediated during the integrated audit and those that were previously
communicated but have not yet been remediated.
If the auditor concludes that the oversight of the entity’s financial reporting and ICFR by the audit
committee (or similar subgroups with different names) is ineffective, the auditor should communicate
that conclusion in writing to the board of directors or other similar governing body.
The auditor also should consider whether there are any deficiencies, or combinations of deficiencies,
that have been identified during the audit that are significant deficiencies and must communicate such
deficiencies, in writing, to the audit committee.
The auditor also should communicate to management, in writing, all deficiencies in ICFR (i.e., those
deficiencies in ICFR that are of a lesser magnitude than material weaknesses) identified during the
audit and inform the audit committee when such a communication has been made. When making this
communication, the auditor does not need to repeat information about such deficiencies that have
been included in previously issued written communications, whether those communications were
made by the auditor, internal auditors, or others within the organization.
Use of the Work of Internal Auditors or Others
In an audit of ICFR, the external auditor may use the work of the internal audit function in obtaining
audit evidence or use internal auditors to provide direct assistance under the direction, supervision,
and review of the external auditor. For purposes of the audit of ICFR, however, the auditor also may
use the work performed by, or receive direct assistance from, others. Others include entity personnel
(in addition to internal auditors) and third parties working under the direction of management or those
charged with governance who provide evidence about the effectiveness of ICFR. In an integrated
audit, the auditor also may use the work of internal auditors or others to obtain evidence supporting
the assessment of control risk for purposes of the financial statement audit.
As the risk associated with a control increases, the need for the auditor to directly perform work on
the control increases (for example, for controls that address specific fraud risks, use of the work of the
internal audit function or others would be limited, if it could be used at all).
Part III − Section 2 Review Questions
19. When obtaining an understanding of an entity's control environment, why should an auditor
concentrate on the substance of controls rather than their form?
A. The auditor may believe that the controls are inappropriate for that particular entity
B. The board of directors may not be aware of management's attitude toward the control
environment
C. Management may establish appropriate controls but not act on them
D. The controls may be so ineffective that the auditor may assess control risk at the maximum
level
20. Which of the following approaches is required by both the PCAOB and the AICPA in determining
the scope of testing for financial audits?
A. A methodical approach
B. An inclusive approach with all team members participating in the decision
C. A risk-based approach
D. A democratic approach with all team members voting on the scope of testing
21. Which of the following factors is most important concerning an auditor's responsibility to detect
errors and fraud?
A. The susceptibility of the accounting records to intentional manipulations, alterations, and the
misapplication of accounting principles.
B. The probability that unreasonable accounting estimates result from unintentional bias or
intentional attempts to misstate the financial statements.
C. The possibility that management fraud, defalcations, and the misappropriation of assets may
indicate the existence of illegal acts.
D. The risk that mistakes, falsifications, and omissions may cause the financial statements to
contain material misstatements.
22. An auditor tests an entity's policy of obtaining credit approval before shipping goods to customers
in support of which of the following management's financial statement assertions?
A. Valuation or allocation.
B. Completeness.
C. Existence or occurrence.
D. Rights and obligations
23. What is the type of opinion the auditor will render on management's assessment if the auditor
disagrees with management about whether a material weakness exists?
A. Adverse opinion
B. Qualified opinion
C. Disclaimer of opinion
D. Unqualified opinion
PART IV. Fraud Prevention and Detection
Fraud Awareness
Basics of Fraud
Definition of Fraud
Fraud is a broad term that refers to a variety of offenses involving dishonest or deceptive acts. In
general, the purpose of fraud is monetary gain or some other benefit. Consequently, fraud includes
any intentional or deliberate act to deprive another of property or money by deception or other unfair
means. Depending on the industry, there may be several definitions of fraud; it is important to adopt
the most appropriate definition for auditors and organizations to use when performing a fraud risk
assessment.
Definitions of Fraud by Source

Source: Generally Accepted Government Auditing Standards (GAGAS)
Fraud involves obtaining something of value through willful misrepresentation. Whether an act is, in
fact, fraud is a determination to be made through the judicial or other adjudicative system and is
beyond auditors' professional responsibility.

Source: Generally Accepted Auditing Standards (GAAS)
• Fraud: An intentional act by one or more individuals among management, those charged with
governance, employees, or third parties, involving the use of deception that results in a material
misstatement in financial statements that are the subject of an audit.
• Fraud Risk Factors: Events or conditions that indicate an incentive or pressure to perpetrate fraud,
provide an opportunity to commit fraud, or indicate attitudes or rationalizations to justify a fraudulent
action.

Source: The Association of Certified Fraud Examiners (ACFE)
• Fraud: Any intentional act or omission designed to deceive others and resulting in the victim
suffering a loss and/or the perpetrator achieving a gain.
• Occupational Fraud: The use of one's occupation for personal enrichment through the deliberate
misuse or misapplication of the employing organization's resources or assets.

Source: International Professional Practices Framework (IPPF)
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not
dependent on the threat of violence or physical force. Frauds are perpetrated by parties and
organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure
personal or business advantage.
Fraud can mean many things and result from many varied relationships between offenders and
victims. The Chartered Institute of Management Accountants identifies the following common
example of fraud:
• Crimes by individuals against consumers, clients or other businesspeople, e.g.
misrepresentation of the quality of goods; pyramid trading schemes
• Employee fraud against employers, e.g. payroll fraud; falsifying expense claims; thefts of cash,
assets or intellectual property; false accounting
• Crimes by businesses against investors, consumers and employees, e.g. financial statement
fraud; selling counterfeit goods as genuine ones; not paying over tax or National Insurance
contributions paid by staff
• Crimes against financial institutions, e.g. using lost and stolen credit cards; check frauds;
fraudulent insurance claims
• Crimes by individuals or businesses against the government, e.g. grant fraud; social security
benefit claim frauds; tax evasion
• Crimes by professional criminals against major organizations, e.g. major counterfeiting rings;
mortgage frauds; ‘advance fee’ frauds; corporate identity fraud; money laundering
• E-crime by people using computers and technology to commit crimes, e.g. phishing;
spamming; copyright crimes; hacking; social engineering frauds.
Fraud Triangle
To fight fraud, one must realize not only that it occurs but also how and why it occurs. In 1950, Donald
R. Cressey, a criminologist, examined why people commit fraud; his work produced the three elements
of the fraud triangle, which remains the most widely accepted model for explaining why people commit
fraud. According to Cressey, for fraud to occur, all three elements (opportunity, pressure, and
rationalization) must be present at the same time. Although organizations have limited control over
the fraudster's pressures and rationalizations, proactive steps can be taken to significantly reduce the
opportunities to commit fraud.
Each element is discussed in the following sections.
Opportunity
Opportunity is the ability to commit fraud or to conceal it. Thus, fraud is more likely in an organization
where there is:
1. Weak internal control system;
2. Poor security over assets;
3. Weak ethical culture;
4. Little fear of exposure and likelihood of detection;
5. Lack of consequences for perpetrators;
6. Ineffective anti-fraud programs;
7. Poor supervision;
8. Lack of training, and
9. Unclear policies regarding acceptable behavior
Research has shown that some employees are totally honest, some are totally dishonest, and many are
swayed by opportunity. Although opportunity is often the hardest element to spot, it is the easiest to
control, through improvements to internal controls and changes to policies and procedures.
Organizations must establish processes, procedures, and controls that do not put employees in a
position to commit fraud. For example, an employee with access to blank checks may see an
opportunity to write a check payable to himself. If someone else reconciles the bank statement, the
check will be identified and the employee caught: an opportunity to steal exists, but no opportunity to
steal without being caught. If the control environment is weak and segregation of duties is not in place
(e.g. the same employee writes checks and reconciles the bank statement), the employee has a
perceived opportunity to commit fraud.

[Figure: The Fraud Triangle - Opportunity, Pressure, Rationalization]
Opportunity also arises when the fraudster knows what the auditor will do: when, what, and how much
the auditor tests. For example, if the fraudster expects that the auditor always tests only large
transactions in June, the fraudster can commit the fraud on small transactions in other months. In
assessing the risk of fraud arising from opportunity, organizations should consider the following
questions:
What is new?
Sometimes it can take a while for new contracts and operations to evolve and for controls to be put in place. Opportunists can quickly take advantage of poor control supervision.
For example, the transition from developing a system to operating it brings the opportunity to pass off development costs as operating costs, because the normal level of operating costs is not yet known.
What is remote?
Many frauds occur in an organization’s remote operations. Opportunists can take advantage of less stringent supervision and controls in an environment of limited resources resulting in poor segregation of duties.
For example, because there is often less value at remote locations, organizations tend to put less effort into internal audit and review of them.
Is a transaction complex?
Complex transactions, in which no one fully understands the nature of the contract and the payments, are susceptible to fraud.
For example, a fraudster can put through charges that may not comply with the contract, or with the legitimate parties’ intentions.
Where are the controls weak?
Managers should pay attention to the following areas:
• Regularly found to be non-compliant
• Control processes being reduced
• Lack of segregation of duties
• History of complaints, such as violation of policies and procedures, taking short-cuts when obtaining approvals, or making regular and/or unusual adjustments and arrangements
Is urgency frequently used as an excuse?
Many frauds and improper transactions occur under the guise of urgency, where the initiator has the opportunity to circumvent approvals and quotation requirements.
Source: The PwC Global Economic Crime Survey 2016 - Fighting Fraud in the Public Sector
Pressure/Incentive
Pressure is what causes a person to commit fraud. In simple terms, motivation is typically based on
greed or need. Although many people are faced with the opportunity to commit fraud, only a minority
of the greedy or needy do so. According to the Chartered Institute of Management Accountants, in
general, greed is the number one cause of fraud, along with problems with debt and gambling.
Personality and temperament, including how frightened people are about the consequences of taking
risks, also influence their decisions. Some people with good principles fall into negative behavior
patterns and develop a taste for the fast life, which tempts them to commit fraud. Others are motivated
only when faced with personal and/or professional ruin. The ACFE lists the following examples of
pressures that commonly lead to fraud:
• Living beyond one’s means
• High bills or personal debt
• Personal financial losses
• Family or peer pressure
• Unexpected financial needs
• Substance abuse or addictions
• Need to meet productivity targets at work
In assessing the risk of fraud committed due to pressure or motive, organizations should consider the
following questions:
What is of greatest value?
A person’s motive or incentive to commit fraud is determined by the value of what they intend to obtain. Liquid assets are usually considered the most valuable.
For example, chairs are not very liquid as 1) they are hard to move, 2) resale value is low, and 3) the crime is generally difficult to repeat. However, laptop computers and other IT equipment are liquid as 1) they are easily transportable and usually generic in appearance, and 2) there is a ready resale market.
What value could the crime bring to the perpetrator, relative to the risk they must take?
Taking a pen is low value and less likely to be done on a material scale. However, using information to perpetrate identity fraud can be valuable, as can kickbacks from large tendering contracts. Therefore, the higher the value, the greater the risk someone is willing to take.
Source: The PwC Global Economic Crime Survey 2016 - Fighting Fraud in the Public Sector
Rationalization
Rationalization is the justification a fraudster constructs to make the act acceptable to himself or herself; it must
occur before the crime takes place. Rationalization is usually detected by observing the fraudster’s
comments or attitudes. In general, people rationalize fraudulent actions as:
• Necessary − especially when it is done for the business
• Harmless − because the victim is large enough to absorb the impact
• Justified − because the victim deserved it or because I was mistreated
There are two aspects of rationalization:
1. The fraudster concludes that the gain to be realized from fraudulent activities outweighs the
possibility for detection.
2. The fraudster needs to justify committing the fraud. Justification can relate to job
dissatisfaction or perceived entitlement, or saving one’s family, possessions, or status.
Rationalization is personal to the individual and more difficult to combat, although ensuring that the
company has a strong ethical culture and clear values should help. Moreover, management may
reduce rationalization through its actions, for example, by implementing fair work and pay practices,
equitable and consistent treatment of employees, and tone at the top.
The ACFE identified the following common excuses given by fraudsters to explain their corrupt
conduct:
• Everyone else does it.
• We have always done it.
• It was the only way we could compete.
• We thought our anti-corruption programs were sufficient.
• We did not know the conduct would be considered a bribe.
• It was not a bribe; it was part of conducting business.
• Bribery is part of the culture in the country.
In assessing the risk of fraud committed due to rationalization, organizations should consider the
following questions:
Do people feel undervalued?
People who commit fraud will often claim that they felt entitled because they had not received recognition from their work or there was an expectation that they would do more.
Is there an attitude of everyone does it?
Some fraudsters perceive that everyone takes advantage of the government and so they can too. This usually occurs with respect to relatively minor matters such as leave, expenses and allowances. The person does not think of it as an economic crime but as a benefit that everyone takes.
Are there people who would seek revenge?
Social policy agencies can be targeted for cybercrime as a protest against government policy.
Source: The PwC Global Economic Crime Survey 2016 - Fighting Fraud in the Public Sector
The Evolution of Fraud
Although Cressey’s classic fraud triangle applies to most fraud cases, it does not explain all situations.
There have been significant social changes since Cressey’s study in the 1950s:
Social Changes: Then & Now
The 1950s                               The 2000s
• Straight-line reporting authority     • Matrixed organizations
• Manual processes                      • Automation
• Dual responsibility                   • Autonomous authority
• Single suppliers                      • Multiple vendors and global trading partners
• Local or regional service area        • Global reach
• Step-up salary structure              • Performance-based pay
Source: Crowe Horwath LLP
Many anti-fraud experts believe that the fraud triangle could be enhanced by incorporating the
element of capability since personal traits and abilities play a major role in whether fraud will actually
occur. This fourth element transforms Cressey’s model from a triangle into a diamond:
Source: The ACFE − Fighting Fraud in the Government
According to David Wolfe and Dana Hermanson, The Fraud Diamond: Considering the Four Elements
of Fraud, “Opportunity opens the doorway to fraud, and incentive and rationalization can draw the
person toward it. But the person must have the capability to recognize the open doorway as an
opportunity and to take advantage of it by walking through, not just once, but time and time again.
Accordingly, the critical question is, who could turn an opportunity for fraud into reality?” Wolfe and
Hermanson observed the following six common traits of those who commit fraud, especially frauds that
involve large sums of money or last a long time:
Common Traits Associated with Capability
Trait / Description
Functional Authority within the Organization
The person’s position or function might provide the ability to create or exploit an opportunity to commit fraud. For example, a person in a position of authority has more influence over particular situations.
Sufficient Intelligence to Understand and Exploit a Situation
The person has the capacity to understand and exploit control weaknesses and to use position or authorized access to the greatest advantage.
Strong Ego and Personal Confidence
The person is confident that he will not be caught or believes that if he is caught, he can talk his way out of trouble. The common personality types include someone who is driven to succeed at all costs, self-absorbed, and often narcissistic. According to the Diagnostic and Statistical Manual of Mental Disorders, those with this personality disorder believe they are superior or unique and are likely to have an inflated view of their own accomplishments and abilities.
Strong Coercive Skills
The person is persuasive and can coerce others to commit or conceal fraud. An individual with a persuasive personality can successfully convince others to go along with the fraud or look the other way.
Effective at Being Deceptive
Successful fraud requires effective and consistent lies. The individual must be able to lie convincingly and keep track of the story in order to avoid detection.
High Tolerance for Stress
The person is good at dealing with the stress that comes from committing fraudulent acts.
Types of Fraud
Occupational (Corporate) Fraud
Though the term “corporate fraud” is subject to different interpretations, it has been defined internally
within the Department of Justice to include the following conduct:
1. Falsification of corporate financial information including, for example:
• False/fraudulent accounting entries,
• Bogus trades and other transactions designed to artificially inflate revenue,
• Fraudulently overstating assets, earnings and profits or
• Understating/concealing liabilities and losses, and
• False transactions designed to evade regulatory oversight
2. Self-dealing by corporate insiders including, for example:
• Insider trading,
• Kickbacks,
• Misuse of corporate property for personal gain, and
• Individual tax violations related to any such self-dealing
3. Fraud in connection with an otherwise legitimately-operated mutual or hedge fund including,
for example:
• Late trading,
• Certain market-timing schemes,
• Falsification of net asset values, and
• Other fraudulent or abusive trading practices by, within, or involving a mutual or hedge
fund
4. Obstruction of justice designed to conceal either of the above-noted types of criminal conduct,
particularly when the obstruction impedes the inquiries of the SEC, other regulatory agencies,
and/or law enforcement agencies.
The ACFE defines corporate fraud (also referred to as occupational fraud) as:
“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication
of the employing organization’s resources or assets.”
Expanding on this definition, the ACFE further identifies four key elements that all occupational
fraud has in common. Occupational fraud:
1. Is clandestine (i.e., conducted with secrecy);
2. Violates the perpetrator’s fiduciary duties to the victim organization;
3. Is committed for the purpose of direct or indirect financial benefit to the perpetrator; and
4. Costs the employing organization assets, revenue, or reserves.
According to the ACFE Report to the Nations 2020 Global Study on Occupational Fraud and Abuse,
asset misappropriations are by far the most common, occurring in 86% of the cases in the report.
However, they are also the least costly, causing a median loss of $100,000. Corruption schemes are
the next most common form of occupational fraud; 43% of the cases involved some form of corrupt
act. These schemes resulted in a median loss to the victim organizations of $200,000. The least
common but most costly form of occupational fraud is financial statement fraud, which occurred in
10% of the cases and caused a median loss of $954,000. The report also identifies the most common
occupational fraud schemes in various industries:
Industry                               Cases   Most Common Fraud Schemes
Banking and financial services         386     1. Corruption; 2. Cash on hand; 3. Cash larceny, Financial statement fraud, Noncash, and Skimming
Government and public administration   189     1. Corruption; 2. Billing; 3. Expense reimbursements, Noncash, and Payroll
Manufacturing                          177     1. Corruption; 2. Noncash and Billing; 3. Expense reimbursements
Health care                            145     1. Corruption; 2. Billing; 3. Noncash
Energy                                 89      1. Corruption; 2. Noncash; 3. Billing
Note: According to the ACFE, noncash misappropriations refer to any scheme in which an employee steals or
misuses noncash assets of the victim organization (e.g., an employee steals inventory from a warehouse or
storeroom; an employee steals or misuses confidential customer information).
The three primary fraud categories within ACFE’s Occupational Fraud and Abuse Classification System
are summarized below.
ACFE: Occupational Fraud and Abuse Classification System
Categories Examples
Corruption
• Conflicts of Interest (e.g. Purchasing and Sales Schemes)
• Bribery (e.g. Invoice Kickbacks, Bid Rigging)
• Illegal Gratuities
• Extortion (e.g. Blackmail)
Asset Misappropriation
• Theft of Cash on Hand
• Theft of Cash Receipts (e.g. Skimming, Cash Larceny)
• Fraudulent Disbursements (e.g. Billing, Payroll, and Expense Reimbursement Schemes, and Check Tampering)
• Inventory (e.g. Asset Requisitions & Transfers, False Sales & Shipping, Purchasing & Receiving)
Financial Statement Fraud
• Net Income Overstatements (e.g. Timing Differences, Fictitious Revenues, Concealed Liabilities & Expenses, Improper Asset Valuations)
• Net Income Understatements (e.g. Understated Revenues, Overstated Liabilities & Expenses, Improper Disclosures)
Each category is discussed below.
Corruption
Corruption is a form of dishonest or unethical conduct by an employee who misuses his or her
influence in a business transaction to gain personal benefit. Corruption includes many activities, such
as conflicts of interest and bribery. Corruption, a common scheme in government entities, results
in higher prices charged to, and lower quality delivered to, the government. Corruption is often an
off-book fraud, meaning that there is little financial statement evidence available to prove the crime occurred.
Corrupt employees do not have to manipulate financial records to conceal their crime; they simply
receive cash payments under the table or accept illegal political contributions. As a result, these types
of crimes are often uncovered through tips or complaints from third parties, often via a hotline. The
circumstances listed below can be indicators that something may be wrong.
• Abnormal cash payments;
• Pressure exerted for payments to be made urgently or ahead of schedule;
• Private meeting with contractors or companies hoping to tender for contracts;
• Lavish gifts being received;
• An individual insists on dealing with specific contractors himself or herself;
• Unexpected or illogical decisions accepting projects or contracts;
• An unusually smooth process in cases where an individual does not have the expected level of knowledge or expertise;
• Contracts agreed that are not favorable to the organization, either because of the terms or the time period;
• Unexplained preference for certain contractors during the tendering or contracting processes;
• Normal tendering or contracting procedures being bypassed;
• Invoices being agreed to in excess of the contract without reasonable cause; and
• Missing documents or records regarding meetings or decisions.
The ACFE research identified the following top red flags in corruption cases:
1. Living beyond one’s means
2. Unusually close association with vendor/customer
3. Financial difficulties
Asset Misappropriation
Asset misappropriation is a scheme in which an employee steals or misuses the employing
organization’s resources (e.g., theft of company cash, false billing schemes, or inflated expense
reports).
Risk Factors Relating to Misstatements Arising from Misappropriation of Assets
The following are examples as listed in SAS 99 Appendix 3, of risk factors relating to misstatements
arising from misappropriation of assets.
Incentives/Pressures
A. Personal financial obligations may create pressure on management or employees with access to
cash or other assets susceptible to theft to misappropriate those assets.
B. Adverse relationships between the entity and employees with access to cash or other assets
susceptible to theft may motivate those employees to misappropriate those assets. For example,
adverse relationships may be created by the following:
• Known or anticipated future employee layoffs
• Recent or anticipated changes to employee compensation or benefit plans
• Promotions, compensation, or other rewards inconsistent with expectations
Opportunities
a. Certain characteristics or circumstances may increase the susceptibility of assets to
misappropriation. For example, opportunities to misappropriate assets increase when there are
the following:
1. Large amounts of cash on hand or processed
2. Inventory items that are small in size, of high value, or in high demand
3. Easily convertible assets, such as bearer bonds, diamonds, or computer chips
4. Fixed assets that are small in size, marketable, or lacking observable identification of
ownership
b. Inadequate internal control over assets may increase the susceptibility of misappropriation of
those assets. For example, misappropriation of assets may occur because there is the following:
1. Inadequate segregation of duties or independent checks
2. Inadequate oversight of senior management expenditures, such as travel and other
reimbursements
3. Inadequate management oversight of employees responsible for assets, for example,
inadequate supervision or monitoring of remote locations
4. Inadequate job applicant screening of employees with access to assets
5. Inadequate recordkeeping with respect to assets
6. Inadequate system of authorization and approval of transactions (for example, in purchasing)
7. Inadequate physical safeguards over cash, investments, inventory, or fixed assets
8. Lack of complete and timely reconciliations of assets
9. Lack of timely and appropriate documentation of transactions, for example, credits for
merchandise returns
10. Lack of mandatory vacations for employees performing key control functions
11. Inadequate management understanding of information technology, which enables
information technology employees to perpetrate a misappropriation
12. Inadequate access controls over automated records, including controls over and review of
computer systems event logs.
Attitudes/Rationalizations
Risk factors reflective of employee attitudes/rationalizations that allow them to justify
misappropriation of assets are generally not susceptible to observation by the auditor. Nevertheless,
the auditor who becomes aware of the existence of such information should consider it in identifying
the risks of material misstatement arising from misappropriation of assets. For example, auditors may
become aware of the following attitudes or behavior of employees who have access to assets
susceptible to misappropriation:
• Disregard for the need for monitoring or reducing risks related to misappropriations of assets
• Disregard for internal control over misappropriation of assets by overriding existing controls
or by failing to take appropriate remedial action on known internal control deficiencies
• Behavior indicating displeasure or dissatisfaction with the company or its treatment of the
employee
• Changes in behavior or lifestyle that may indicate assets have been misappropriated
• The belief by some government or other officials that their level of authority justifies a certain
level of compensation and personal privileges
• Tolerance of petty theft
Financial Statement Fraud
Financial statement fraud is a scheme in which an employee intentionally causes a misstatement or
omission of material information in the organization’s financial reports. Common methods of
fraudulent financial statement manipulation include recording fictitious revenues, concealing
liabilities or expenses and artificially inflating reported assets. The most common financial statement
fraud schemes alleged by the SEC include:
• Revenue recognition
• Manipulation of expenses
• Improper disclosures
• Manipulation of liabilities
• Manipulation of assets
• Manipulation of reserves
Specifically, the most common revenue recognition schemes include:
1. Fictitious revenue
2. Premature revenue (timing schemes)
3. Recognition of inappropriate amount of revenue from swaps, round tripping, or barter
arrangements
COSO suggested the following procedures to reduce the possibility of fraudulent financial reporting:
• Establish an organizational environment and tone that contributes to the integrity of the
financial reporting process;
• Identify and understand the factors that can lead to fraudulent financial reporting;
• Assess the risk of fraudulent financial reporting that these factors can cause within the
organization, and
• Design and implement internal controls that provide reasonable assurance that fraudulent
financial reporting will be prevented.
Risk Factors Relating to Misstatements Arising from Fraudulent Financial
Reporting
The following are examples, as listed in SAS 99 Appendix 2, of risk factors relating to misstatements
arising from fraudulent financial reporting.
Incentives/Pressures
A. Financial stability or profitability is threatened by economic, industry, or entity operating
conditions, such as (or as indicated by):
1. High degree of competition or market saturation, accompanied by declining margins
2. High vulnerability to rapid changes, such as changes in technology, product obsolescence, or
interest rates
3. Significant declines in customer demand and increasing business failures in either the industry
or overall economy
4. Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent
5. Recurring negative cash flows from operations or an inability to generate cash flows from
operations while reporting earnings and earnings growth
6. Rapid growth or unusual profitability, especially compared to that of other companies in the
same industry
7. New accounting, statutory, or regulatory requirements
B. Excessive pressure exists for management to meet the requirements or expectations of third
parties due to the following:
1. Profitability or trend level expectations of investment analysts, institutional investors,
significant creditors, or other external parties (particularly expectations that are unduly
aggressive or unrealistic), including expectations created by management in, for example,
overly optimistic press releases or annual report messages
2. Need to obtain additional debt or equity financing to stay competitive, including financing of
major research and development or capital expenditures
3. Marginal ability to meet exchange listing requirements or debt repayment or other debt
covenant requirements
4. Perceived or real adverse effects of reporting poor financial results on significant pending
transactions, such as business combinations or contract awards
5. A need to achieve financial targets required in bond covenants
6. Pressure for management to meet the expectations of legislative or oversight bodies or to
achieve political outcomes, or both
C. Information available indicates that management or the board of directors’ personal financial
situation is threatened by the entity’s financial performance arising from the following:
1. Significant financial interests in the entity
2. Significant portions of their compensation (for example, bonuses, stock options, and earn-out
arrangements) being contingent upon achieving aggressive targets for stock price, operating
results, financial position, or cash flow
3. Personal guarantees of debts of the entity
D. There is excessive pressure on management or operating personnel to meet financial targets set up
by those charged with governance or management, including sales or profitability incentive goals.
Opportunities
A. The nature of the industry or the entity’s operations provides opportunities to engage in
fraudulent financial reporting that can arise from the following:
1. Significant related-party transactions not in the ordinary course of business or with related
entities not audited or audited by another firm
2. A strong financial presence or ability to dominate a certain industry sector that allows the
entity to dictate terms or conditions to suppliers or customers that may result in inappropriate
or non-arm’s-length transactions
3. Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective
judgments or uncertainties that are difficult to corroborate
4. Significant, unusual, or highly complex transactions, especially those close to period end that
pose difficult “substance over form” questions
5. Significant operations located or conducted across international borders in jurisdictions where
differing business environments and regulations exist
6. Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for
which there appears to be no clear business justification
7. Use of business intermediaries for which there appears to be no clear business justification
B. There is ineffective monitoring of management as a result of the following:
1. Domination of management by a single person or small group (in a nonowner-managed
business) without compensating controls
2. Oversight by those charged with governance over the financial reporting process and internal
control is not effective.
C. There is a complex or unstable organizational structure, as evidenced by the following:
1. Difficulty in determining the organization or individuals that have controlling interest in the
entity
2. Overly complex organizational structure involving unusual legal entities or managerial lines of
authority
3. High turnover of senior management, counsel, or those charged with governance
D. Internal control components are deficient as a result of the following:
1. Inadequate monitoring of controls, including automated controls and controls over interim
financial reporting (where external reporting is required)
2. High turnover rates or employment of staff in accounting, information technology, or the
internal audit function who are not effective
3. Ineffective accounting and information systems, including situations involving significant
deficiencies or material weaknesses in internal control
4. Weak controls over budget preparation and development and compliance with law or
regulation
Attitudes/Rationalizations
• Ineffective communication, implementation, support, or enforcement of the entity’s values or
ethical standards by management or the communication of inappropriate values or ethical
standards
• Nonfinancial management’s excessive participation in or preoccupation with the selection of
accounting principles or the determination of significant estimates
• Known history of violations of securities laws or other laws and regulations, or claims against the
entity, its senior management, or those charged with governance alleging fraud or violations of
laws and regulations
• Excessive interest by management in maintaining or increasing the entity’s stock price or earnings
trend
• A practice by management of committing to analysts, creditors, and other third parties to achieve
aggressive or unrealistic forecasts
• Management failing to correct known significant deficiencies or material weaknesses in internal
control on a timely basis
• An interest by management in employing inappropriate means to minimize reported earnings for
tax-motivated reasons
• Low morale among senior management
• The owner-manager makes no distinction between personal and business transactions
• Dispute between shareholders in closely held entity
• Recurring attempts by management to justify marginal or inappropriate accounting on the basis
of materiality
• The relationship between management and the current or predecessor auditor is strained, as
exhibited by the following:
− Frequent disputes with the current or predecessor auditor on accounting, auditing, or
reporting matters
− Unreasonable demands on the auditor, such as unreasonable time constraints regarding the
completion of the audit or the issuance of the auditor’s report
− Restrictions on the auditor that inappropriately limit access to people or information or the
ability to communicate effectively with those charged with governance
− Domineering management behavior in dealing with the auditor, especially involving attempts
to influence the scope of the auditor’s work or the selection or continuance of personnel
assigned to or consulted on the audit engagement
Procurement and Contractor Frauds
In addition to occupational frauds discussed above, procurement and contractor frauds are two of the
most costly types of government fraud. One example of procurement fraud is when a company uses
bribes to win a contract even when it did not submit the lowest or best bid. Examples of contractor
fraud include billing the government for incomplete work, inflating the cost of labor or supplies, and
issuing kickbacks. Both criminal and civil charges can be brought against contractors who are accused
of procurement fraud under the False Claims Act. Some of the common examples of procurement
fraud are listed below:
• The receiving slip indicates that a full order was delivered while suppliers intentionally ship an
incomplete order;
• Good inventory is intentionally marked as scrap so that it can be discarded and then resold for
gain;
• The companies overstate their financial revenues to appear more financially solvent than they
really are to gain a competitive advantage during contract bidding;
• The companies fail to state any current or legal issues that may impact the award of their
contract; and
• The companies provide inflated qualifications of their staff performing the work.
Red flags do not indicate guilt or innocence; they merely provide possible warning signs of fraud.
Nevertheless, recognizing the red flags listed below is an important element in preventing and detecting fraud.
The following examples of unusual activities are signs of potential irregularities:
• Purchase orders are created after hours (e.g., weekends, evening, holidays);
• An initial low bid is awarded followed by multiple change orders;
• A losing bidder is hired by the winning bidder, which may suggest that the winning bidder did not have the qualifications to perform the work, and
• Close social relationships are formed between suppliers and government personnel
To proactively address procurement fraud, management should use procurement systems to
generate exception reports regularly in order to identify and follow up on unusual activities
such as:
• Unauthorized approvals;
• Payments made within a week;
• Similar invoices;
• Purchase orders made during non-office hours; and
• Multiple purchase orders to the same vendor
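One way to produce such an exception report from procurement records, as an added illustration that is not part of the course material: the record layout, the assumed office hours (Monday to Friday, 08:00 to 18:00), the thresholds, the reading of "payments within a week" as paid less than seven days after the invoice was received, and the authorised-approver list are all assumptions, and the sample data is constructed.

```python
# Procurement exception report over constructed sample data (added example).
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_START, OFFICE_END = 8, 18   # assumed office hours, weekdays only
FAST_PAYMENT_DAYS = 7              # "payments made within a week" (assumed reading)
WINDOW_DAYS = 30                   # window for similar invoices / repeated POs (assumed)
VENDOR_PO_THRESHOLD = 3            # POs to one vendor inside the window (assumed)


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def check_unauthorized_approvals(pos, authorized):
    """Approver not on the authorised list, or requester approving their own order."""
    out = []
    for po in pos:
        if po["approver"] not in authorized:
            out.append(("unauthorized_approval", po["po"], f"approver {po['approver']} not authorised"))
        elif po["approver"] == po["requester"]:
            out.append(("unauthorized_approval", po["po"], "requester approved own order"))
    return out


def check_non_office_hours(pos):
    """Purchase orders created at weekends or outside the assumed office hours."""
    out = []
    for po in pos:
        t = _dt(po["created"])
        if t.weekday() >= 5 or not (OFFICE_START <= t.hour < OFFICE_END):
            out.append(("non_office_hours", po["po"], t.strftime("%a %H:%M")))
    return out


def check_fast_payments(invoices):
    """Invoices settled less than FAST_PAYMENT_DAYS after receipt."""
    out = []
    for inv in invoices:
        if inv.get("paid") is None:
            continue
        days = (_dt(inv["paid"]) - _dt(inv["received"])).days
        if days < FAST_PAYMENT_DAYS:
            out.append(("fast_payment", inv["invoice"], f"paid after {days} days"))
    return out


def check_similar_invoices(invoices):
    """Same vendor and same amount received inside the window: candidate duplicates."""
    out, by_vendor, window = [], defaultdict(list), timedelta(days=WINDOW_DAYS)
    for inv in invoices:
        by_vendor[inv["vendor"]].append(inv)
    for vendor, items in by_vendor.items():
        items.sort(key=lambda i: _dt(i["received"]))
        for idx, a in enumerate(items):
            for b in items[idx + 1:]:
                if _dt(b["received"]) - _dt(a["received"]) > window:
                    break
                if abs(a["amount"] - b["amount"]) < 0.01:
                    out.append(("similar_invoice", b["invoice"], f"matches {a['invoice']} ({vendor}, {a['amount']:.2f})"))
    return out


def check_vendor_concentration(pos):
    """VENDOR_PO_THRESHOLD or more POs to one vendor within any WINDOW_DAYS span."""
    out, by_vendor, window = [], defaultdict(list), timedelta(days=WINDOW_DAYS)
    for po in pos:
        by_vendor[po["vendor"]].append(_dt(po["created"]))
    for vendor, times in by_vendor.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= VENDOR_PO_THRESHOLD:
                out.append(("multiple_pos_same_vendor", vendor, f"{n} POs within {WINDOW_DAYS} days of {start.date()}"))
                break
    return out


def run_exception_report(pos, invoices, authorized):
    """Return (rule, reference, detail) tuples for every exception found."""
    return (check_unauthorized_approvals(pos, authorized) + check_non_office_hours(pos)
            + check_fast_payments(invoices) + check_similar_invoices(invoices)
            + check_vendor_concentration(pos))


# Constructed sample records; the field names are an assumed layout.
AUTHORIZED = {"jlee", "rpatel"}
SAMPLE_POS = [
    {"po": "PO-1001", "vendor": "Acme Supplies", "amount": 4200.00, "created": "2020-03-02 10:15", "requester": "mkim", "approver": "jlee"},
    {"po": "PO-1002", "vendor": "Acme Supplies", "amount": 980.00, "created": "2020-03-07 22:40", "requester": "jlee", "approver": "jlee"},
    {"po": "PO-1003", "vendor": "Acme Supplies", "amount": 1500.00, "created": "2020-03-20 09:05", "requester": "mkim", "approver": "rpatel"},
    {"po": "PO-1004", "vendor": "Delta Tools", "amount": 300.00, "created": "2020-03-11 14:30", "requester": "mkim", "approver": "bwong"},
]
SAMPLE_INVOICES = [
    {"invoice": "INV-77", "vendor": "Acme Supplies", "amount": 4200.00, "received": "2020-03-10 09:00", "paid": "2020-03-12 09:00"},
    {"invoice": "INV-78", "vendor": "Acme Supplies", "amount": 4200.00, "received": "2020-03-25 09:00", "paid": "2020-04-20 09:00"},
    {"invoice": "INV-79", "vendor": "Delta Tools", "amount": 300.00, "received": "2020-03-15 09:00", "paid": None},
]

if __name__ == "__main__":
    for rule, ref, detail in run_exception_report(SAMPLE_POS, SAMPLE_INVOICES, AUTHORIZED):
        print(f"{rule:26} {ref:14} {detail}")
```

Each finding is a lead for follow-up, not a conclusion; the report is only useful if someone is accountable for reviewing and closing every line it produces.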
False Claims and False Statements
False claims usually pertain to Social Security, defense contractors, healthcare company fraud, or other
instances in which a company or individual attempts to be paid by the government for an invalid
reason. The False Claims Act imposes liability on individuals and companies (typically federal
contractors) who defraud government programs. This law is the federal government’s primary
litigation tool in fighting fraud against the government. It also includes a qui tam provision that allows
people who are not affiliated with the government (as whistleblowers) to file actions on behalf of the
government and receive a portion (usually 15-25%) of any recovered damages. As of 2012, over 70%
of all federal government actions under the False Claims Act were initiated by whistleblowers. The
government recovered $38.9 billion under the False Claims Act between 1987 and 2013. About $27.2
billion, or 70%, was from qui tam cases brought by whistleblowers.
Business Owners Associated Fraud
Most business owners associate business fraud with the misappropriations of cash. However, business
fraud comes in many other forms including:
Type of Fraud                          Average Loss*
Medical Insurance Claims Fraud $3,177,000
False Financial Statements 1,239,000
Credit Card Fraud 1,126,000
Check Fraud 624,000
Inventory Theft 346,000
Bid Rigging/price Fixing 342,000
False Invoices and Phantom Vendors 256,000
Diversion of Sales 180,000
Expense Account Abuse 141,000
Purchases for Personal Use 63,000
Conflict of Interest 38,000
Kickbacks 35,000
Payroll Fraud 26,000
*Based on the results of a recent survey of 5,000 U.S. companies that have experienced fraud in their
business.
Part IV − Section 1 Review Questions
24. Which of the following is considered to be a fraud risk factor?
A. A lack of opportunity
B. Incentive
C. Financial stability
D. Prosecution
25. An employee who made a false claim for reimbursement of inflated business expenses believes
that his behavior was harmless because the financial loss to the agency was immaterial. Which of
the fraud triangle elements best explains his action?
A. Opportunity
B. Capability
C. Rationalization
D. Pressure
26. Which of the following would be an example of self-dealing by corporate insiders?
A. Insider trading
B. Understating/concealing liabilities and losses
C. Falsification of net asset values
D. Late trading
27. Which of the following is a category of fraud consisting of extortion, conflict of interest, and
bribery?
A. False claims
B. Corruption
C. Financial statement fraud
D. Payroll scheme
28. According to ACFE Report to the Nations, which of the following types of fraud occurs most often?
A. Financial statement fraud
B. Asset misappropriation
C. Obstruction of justice
D. Self-dealing by corporate insiders
29. According to ACFE Report to the Nations, which of the following industries has the greatest number
of fraud cases?
A. Technology
B. Services (professional)
C. Banking and financial services
D. Retail
30. Most business owners associate fraud with misappropriation of cash. What is another form of
fraud?
A. Litigation support and pre-employment screening
B. Business valuations
C. Economic losses due to negative economic conditions
D. Inventory theft
Forensic Accounting and Auditing
Forensic accounting is an accounting specialty that integrates accounting, auditing, and investigative
skills in order to support or resolve allegations of fraud. Forensic Accounting encompasses both
litigation support (expert witness testimony, presentation of supporting documents showing fraud,
etc.) and investigative accounting. It focuses on both the evidence of economic transactions and
reporting, and the legal framework that allows such evidence to be suitable for establishing
accountability and/or valuation. Forensic Accounting engagements include transaction reconstruction;
bankruptcy; family law issues; asset identification and valuation; fraud examination/detection; and
many other issues.
A forensic accountant is used in a number of situations, including, but not limited to the following:
• Business valuations: A forensic accountant evaluates the current value of a business for
various personal or legal matters.
• Personal injury and fatal accident claims: A forensic accountant may help to establish lost
earnings (i.e., those earnings that the plaintiff would have accrued except for the actions of
the defendant) by gathering and analyzing a variety of information and then issuing a report
based on the outcome of the analyses.
• Professional negligence: A forensic accountant helps to determine if a breach of professional
ethics or other standards of professional practice has occurred (e.g., failure to apply generally
accepted auditing standards by a CPA when performing an audit). In addition, the forensic
accountant may help to quantify the loss.
• Insurance claims evaluations: A forensic accountant may prepare financial analyses for an
insurance company of claims, business income losses, expenses, and disability, liability or
workmen’s compensation insurance losses.
• Arbitration: A forensic accountant is sometimes retained to assist with alternative dispute
resolution (ADR) by acting as a mediator to allow individuals and businesses to resolve
disputes in a timely manner with a minimum of disruption.
• Partnership and corporation disputes: A forensic accountant may be asked to help settle
disputes between partners or shareholders. Detailed analyses are often necessary for many
records spanning a number of years. Most of these disputes relate to compensation and
benefit issues.
• Civil and criminal actions concerning fraud and financial irregularities: These investigations
are usually performed by the forensic accountant for police forces. A report is prepared to
assist the prosecutor’s office.
• Fraud and white-collar crime investigations: These types of investigations can be prepared
on behalf of police forces as well or for private businesses. They usually result from such
activities as purchasing/kickback schemes, computer fraud, labor fraud, and falsification of
inventory. The investigation by the forensic accountant often involves fund tracing, asset
identification, and recovery.
Auditing is performed either by an employee (internal audit) or by an outside accounting firm (external
audit). Internal audits examine operational evidence to ensure that the prescribed company operating
procedures have been followed. External audits examine the assets and records of a company, leading
to the expression of a professional opinion by the outside CPA, which gives credibility to the financial
reports presented by the company. A key component of an audit is the review of internal control
weaknesses. Fraud examination differs from auditing as shown in the following table.
Auditing vs. Fraud Examination

Timing
  Auditing: Recurring. Audits are conducted on a regular, recurring basis.
  Fraud examination: Nonrecurring. Fraud examinations are nonrecurring. They are conducted only
  with sufficient predication.

Scope
  Auditing: General. The scope of the audit is an examination of financial data.
  Fraud examination: Specific. The fraud examination is conducted to resolve specific allegations.

Objective
  Auditing: Opinion. An audit is generally conducted for the purpose of expressing an opinion on
  the financial statements or related information.
  Fraud examination: Affix blame. The fraud examination's goal is to determine whether fraud has
  occurred or is occurring and to determine who is responsible.

Relationship
  Auditing: Non-adversarial. The audit process is non-adversarial in nature.
  Fraud examination: Adversarial. Fraud examinations, because they involve efforts to affix blame,
  are adversarial in nature.

Methodology
  Auditing: Audit techniques. Audits are conducted by examining financial data and obtaining
  corroborating evidence.
  Fraud examination: Fraud examination techniques. Fraud examinations are conducted by
  (1) document examination; (2) review of outside data such as public records; and (3) interviews.

Standard
  Auditing: Professional skepticism. Auditors are required to approach audits with professional
  skepticism.
  Fraud examination: Proof. Fraud examiners approach the resolution of a fraud by attempting to
  establish sufficient proof to support or refute a fraud allegation.

Source: Fraud Examiners Manual, Association of Certified Fraud Examiners, 2010.
Fraud and Perpetrators
The Fraud Symptoms
To detect fraud, managers, auditors, employees, and examiners must learn to recognize symptoms
and pursue them until they obtain evidence that proves fraud is or is not occurring. Unfortunately,
many symptoms of fraud go unnoticed, or recognized symptoms are not vigorously pursued. If
symptoms were vigorously pursued, many frauds could be detected earlier. Symptoms of fraud include
six groups:
1. Accounting Anomalies: Because accounting records are often manipulated to conceal fraud,
anomalies, and problems with accounting documents—either electronic or paper journals,
ledgers, or financial statements—are excellent symptoms of fraud.
2. Internal Control Weaknesses: One of the main purposes of internal control procedures is to
safeguard assets. When controls are absent or weak (or overridden), they facilitate fraud being
perpetrated.
3. Analytical Anomalies: These are relationships, records, or actions that are too unusual or
unrealistic to be believed. They include transactions or events that happen at odd times or places,
activities that are performed by, or involve, people who would not normally participate in them,
as well as peculiar procedures and policies. Other anomalies that should be scrutinized carefully
include amounts that are too large or too small, that occur too often or too rarely, or that result
in excesses or shortages.
4. Lifestyle Symptoms: Once perpetrators meet the financial needs that motivated them to commit
fraud, they usually continue to steal and then use the money to enhance their lifestyles. They may
buy expensive cars or other personal items, take extravagant trips, remodel their homes or
purchase more expensive ones, or buy expensive jewelry or clothes.
[Figure: Fraud Symptoms. Panels: Accounting Anomalies; Internal Control Weaknesses; Analytical
Anomalies; Lifestyle Symptoms; Unusual Behaviors; Tips and Complaints]
5. Unusual Behaviors: When people commit crimes (especially first-time offenders, as many
perpetrators are), they are engulfed by feelings of fear and guilt. These emotions express
themselves in unusual behavior. It is not one particular behavior that signals fraud; rather,
it is a pattern of changes in behavior. People who are accommodating become intimidating,
people who are belligerent become easy to work with, and so forth.
6. Tips and Complaints: People who are in the best position to detect fraud are usually those closest
to the perpetrator—family members, friends, co-workers, managers, and others, not the auditors
or fraud examiners. These individuals often provide tips or complaints that suggest that fraud is
being committed. Although such complaints and tips are often legitimate, they can also be
motivated by a desire to get even, or by frustration or personal vendettas, or by numerous other
reasons.
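The analytical anomalies in group 3 (odd times, people who would not normally be involved, amounts too large or too small, activity that occurs too often) can be screened for mechanically before an examiner looks at them. The following Python script is an added example, not part of the course material; the ledger rows, the business-hours window, the 3x-median band, the 25% "rare poster" share and the four-postings-per-hour burst rule are all constructed assumptions that a practitioner would tune to their own data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample ledger (not from the course); fields: (id, posted_at, user, vendor, amount).
LEDGER = [
    ("T1",  "2020-03-02 09:15", "jdoe",   "Acme Supplies", 1200.00),
    ("T2",  "2020-03-03 10:40", "jdoe",   "Acme Supplies", 1150.00),
    ("T3",  "2020-03-04 11:05", "jdoe",   "Acme Supplies", 1300.00),
    ("T4",  "2020-03-05 14:20", "jdoe",   "Acme Supplies", 1250.00),
    ("T5",  "2020-03-06 15:10", "jdoe",   "Acme Supplies", 1100.00),
    ("T6",  "2020-03-07 23:48", "rsmith", "Acme Supplies", 9800.00),  # Saturday night, new poster, large
    ("T7",  "2020-03-09 09:30", "jdoe",   "Beta Freight",   400.00),
    ("T8",  "2020-03-09 09:31", "jdoe",   "Beta Freight",   400.00),
    ("T9",  "2020-03-09 09:32", "jdoe",   "Beta Freight",   400.00),
    ("T10", "2020-03-09 09:33", "jdoe",   "Beta Freight",   400.00),
]

# Thresholds are assumptions for the example, not values from the course.
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time counts as normal
BURST_WINDOW_MIN = 60           # postings to one vendor inside this window form a burst
BURST_COUNT = 4                 # ...when at least this many fall in the window
RARE_POSTER_SHARE = 0.25        # a user with less than this share of a vendor's postings is unusual
MIN_HISTORY = 4                 # need this many other postings before judging an amount


def parse(ledger):
    """Turn the raw rows into (id, datetime, user, vendor, amount) tuples."""
    return [(i, datetime.strptime(t, "%Y-%m-%d %H:%M"), u, v, a) for i, t, u, v, a in ledger]


def detect_anomalies(ledger):
    """Return {transaction_id: [flag, ...]} for rows that show an analytical anomaly."""
    rows = parse(ledger)
    flags = defaultdict(list)
    by_vendor = defaultdict(list)
    for r in rows:
        by_vendor[r[3]].append(r)

    for tid, when, user, vendor, amount in rows:
        # Odd time: weekend or outside business hours.
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            flags[tid].append("odd_time")

        history = by_vendor[vendor]
        others = [a for (i, _, _, _, a) in history if i != tid]

        # Amount too large or too small compared with this vendor's other postings.
        if len(others) >= MIN_HISTORY:
            med = median(others)
            if med > 0 and (amount > 3 * med or amount < med / 3):
                flags[tid].append("amount_outlier")

        # Performed by someone who does not normally post for this vendor.
        if len(history) > MIN_HISTORY:
            share = sum(1 for h in history if h[2] == user) / len(history)
            if share < RARE_POSTER_SHARE:
                flags[tid].append("unusual_poster")

        # Too often: a burst of postings to the same vendor in a short window.
        window = [h for h in history
                  if abs((h[1] - when).total_seconds()) <= BURST_WINDOW_MIN * 60]
        if len(window) >= BURST_COUNT:
            flags[tid].append("burst")

    return dict(flags)


if __name__ == "__main__":
    for tid, hits in sorted(detect_anomalies(LEDGER).items()):
        print(tid, ", ".join(hits))
```

On the constructed data T6 collects three flags at once (odd time, amount outlier, unusual poster), which is the kind of coincidence an examiner should pursue, while T7 to T10 are flagged only as a burst. A flag is a symptom to follow up, not proof: the routine is meant to produce a short worklist for the examiner, not a verdict.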
Possible indicators of management fraud include:
• Lack of compliance with company directives and procedures.
• Payments made to trade creditors which are supported by copies instead of original
invoices.
• Consistently late reports.
• Higher commissions which are not based on increased sales.
• Managers who habitually assume the duties of their subordinates.
• Managers who handle matters not within the scope of their authority.
Indicators of Financial Crime
Source: Adapted from "Investigative Methods in Forensic Accounting," an online article by Tom
O'Connor.
Understanding and recognizing the behavioral red flags displayed by fraud perpetrators can help
organizations detect fraud and mitigate losses.
Red Flags of Employee Behavior
1. Overworking: Financial criminals are sophisticated and know that the typical suspects of misdeeds
in organizations are likely to be those who miss work a lot, call in sick, go home early, and so forth.
Hence, the financial criminal (also by inclination) tends to work long and hard, staying after hours,
volunteering for extra duties, or in short, attempting to appear as a superstar in the organization.
This is called the protective behavior pattern.
2. Over-personalized Business Matters: A financial criminal will become extremely upset over little
things that touch on or threaten their scam or fraud, and this may be something as minor as a
change in office location, or something like another employee dealing with a vendor that only they
think they should be dealing with. They may also not have kind words to say about top
management (calling them corrupt) because (a) they want to be perceived as a powerbroker or
dealmaker, and (b) they plan to claim, if caught, that the kind of thing they did was nothing
compared to what goes on at the top.
3. Antisocial Loner Personality: The criminal may or may not have this personality to begin with, but
criminologists say that something about the “unshareable” aspects of financial crime may cause
the person to become a loner. Their relationships with co-workers can be characterized as cold
and impersonal since all they are inquisitive about is how co-workers do their job so they can learn
about any system controls that are in place throughout the organization.
4. Inappropriate Lifestyle Change: Few financial criminals can resist the urge to spend some of their
ill-gained loot, and their lifestyle, assets, travel, or offshore bank accounts will just not add up to
the salary they're making. They are driven by money and ego, and if given the chance, will jump
at almost every opportunity to make more money, and to boast and brag about knowing such
opportunities.
Red Flags of Organizational Behavior
1. Unrealistic Performance Compensation Packages: The organization will rely almost exclusively,
and to the detriment of employee retention, on executive pay systems linked to the organization's
profit margins or share price.
2. Inadequate Board Oversight: There is no real involvement by the Board of Directors, Board
appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the
second cousin to corruption) are overlooked.
3. Unprofitable Offshore Operations: Foreign operation facilities that should be closed down are
kept barely functioning because this may be where top management fraudsters have used bribes
to secure a "safe haven" in the event of need for swift exit.
4. Poor Segregation of Duties: The organization does not have sufficient controls on who has budget
authority, who can place requisitions, or who can take customer orders, and who settles or
reconciles these things when the expenses, invoices, or receipts come in.
5. Poor Computer Security: The organization doesn't seem to care about computer security, has
slack password controls, hasn't invested in antivirus, firewalls, IDS, log files, data warehousing,
data mining, or the budget and personnel assigned to internet security. Simultaneously, the
organization seems over-concerned with minor matters, like whether employees are downloading
music, chatting, playing games, or viewing porn.
6. Low Morale, High Staff Turnover, and Whistleblowers: Low morale and staff shortages go hand-
in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key
positions, and complaints take the form of whistleblowing.
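Organizational red flag 4 (poor segregation of duties) is the one that can be tested directly against system data: who is granted which duty, and who actually performed which step on each document. The Python below is an added example, not part of the course or of O'Connor's article; the conflicting duty pairs, the role grants and the workflow log are constructed for illustration.

```python
from collections import defaultdict

# Duty pairs one person should not hold together (constructed, illustrative list).
CONFLICTS = {
    frozenset({"raise_requisition", "approve_purchase"}),
    frozenset({"approve_purchase", "reconcile_invoice"}),
    frozenset({"take_customer_order", "settle_receipt"}),
    frozenset({"budget_authority", "reconcile_invoice"}),
}

# Constructed role assignments: user -> duties granted in the purchasing/sales system.
ROLE_GRANTS = {
    "alice": {"raise_requisition"},
    "bob":   {"approve_purchase"},
    "carol": {"raise_requisition", "approve_purchase", "reconcile_invoice"},
    "dave":  {"take_customer_order"},
}

# Constructed workflow log: (document_id, step, user who performed it).
WORKFLOW_LOG = [
    ("PO-100", "raise_requisition",   "alice"),
    ("PO-100", "approve_purchase",    "bob"),
    ("PO-100", "reconcile_invoice",   "alice"),   # raise + reconcile is not a listed conflict
    ("PO-101", "raise_requisition",   "carol"),
    ("PO-101", "approve_purchase",    "carol"),   # same person raised and approved
    ("PO-101", "reconcile_invoice",   "carol"),
    ("SO-7",   "take_customer_order", "dave"),
    ("SO-7",   "settle_receipt",      "dave"),    # dave was never granted settle_receipt
]


def static_conflicts(grants):
    """Users whose granted duties contain a conflicting pair (a 'toxic combination')."""
    out = {}
    for user, duties in grants.items():
        hits = sorted(tuple(sorted(p)) for p in CONFLICTS if p <= duties)
        if hits:
            out[user] = hits
    return out


def transactional_conflicts(log):
    """Documents on which one user actually performed both halves of a conflicting pair."""
    steps = defaultdict(lambda: defaultdict(set))   # document -> user -> steps performed
    for doc, step, user in log:
        steps[doc][user].add(step)
    out = defaultdict(list)
    for doc, per_user in steps.items():
        for user, done in per_user.items():
            for pair in CONFLICTS:
                if pair <= done:
                    out[doc].append((user, tuple(sorted(pair))))
    return {doc: sorted(hits) for doc, hits in out.items()}


if __name__ == "__main__":
    print("toxic grants:", static_conflicts(ROLE_GRANTS))
    print("conflicts on documents:", transactional_conflicts(WORKFLOW_LOG))
```

The two checks answer different questions. The static check over grants finds carol, who could self-approve at any time. The log check also finds SO-7, where dave both took the order and settled the receipt even though his grants do not include settling; that gap between what the access model says and what the log shows is itself a control weakness (an override, a shared login, or a grant the review missed) and is why the log-based check should run alongside the grant review rather than replace it.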
Recent Cases in Corporate Fraud
Source: www.irs.gov/compliance/criminal-investigation
The following examples of IRS criminal investigations are excerpted from IRS Criminal Investigation
press releases.
Case I: January 15, 2020 - Federal grand jury in San Antonio indicts former Air Force employee,
Ashburn, VA-based Quantadyn Corporation, and its owner for alleged bribery and government
contract fraud scheme
Ruben Rosalez, Acting Special Agent in Charge of the Internal Revenue Service-Criminal
Investigation (IRS-CI), Houston Field Office announced today, a federal judge unsealed a grand jury
indictment charging a software engineering company called Quantadyn Corporation (Quantadyn);
one of its owners, Herndon, VA, resident David Joseph Bolduc, Jr.; San Antonio resident Keith Alan
Seguin, and Atlanta, GA, area resident Rubens Wilson Fiuza Lima for their roles in a bribery and
government contract fraud scheme that spanned more than a decade and impacted contract
awards worth hundreds of millions of dollars.
The indictment alleges the defendants carried out their contract fraud scheme from 2006 to 2018.
Specifically, Bolduc and Quantadyn paid more than $2.3 million in bribes to Seguin, a civilian
employee of the 502 Trainer Development Squadron at Randolph Air Force Base in San Antonio,
who was intimately involved in the government contract process. In return, Seguin used his position
to steer lucrative government contracts and sub-contracts to Quantadyn for aircraft and close-air-
support training simulators. The indictment further alleges that a portion of the bribe money paid
to Seguin was laundered through Fiuza Lima's business, Impex, Inc., for a ten percent fee.
The three-count indictment charges Bolduc, Quantadyn, Seguin and Fiuza Lima with one count of
conspiracy to defraud the U.S., one count of conspiracy to commit wire fraud, and one count of
conspiracy to commit money laundering. Upon conviction, Bolduc, Seguin and Fiuza Lima would
face terms of imprisonment up to five years for conspiracy to defraud the U.S., up to 20 years for
conspiracy to commit wire fraud, and up to 20 years for conspiracy to commit money laundering.
They would also face up to $1,000,000 in fines, and Quantadyn would face up to $1,500,000 in fines.
All of the defendants would be ordered to pay restitution if convicted.
"Government contracts are designed to support the missions of the United States armed forces and
are vital to our people. It is not a slush fund for thieves and fraudsters," said IRS-CI Acting Special
Agent in Charge Rosalez. "Those who illegally target our nation's tax dollars for personal financial
gain, as in this case, will be prosecuted and face the consequences of their actions."
"DCIS, the Pentagon's investigative arm, will aggressively pursue allegations of fraud and corruption
impacting the Department of Defense (DoD)," stated Michael Mentavlos, Special Agent in Charge,
Southwest Field Office. "Along with our Law Enforcement partners, DCIS is committed to
safeguarding the integrity of taxpayer resources and will exhaust all appropriate criminal, civil, and
administrative actions against those individuals that choose to defraud the government, DoD, and
ultimately the taxpayer."
"Allegations related to the exploitation of major federal procurement vehicles will always be an
investigative priority. The General Services Administration, Office of Inspector General, with our law
enforcement partners, will continue to work diligently to protect the integrity of federal
acquisitions, and other critical GSA programs that are designed to benefit its customers, including
the warfighter," stated GSA-OIG Special Agent in Charge Willemin, Greater Southwest and Rocky
Mountain Investigations Division.
"The collaboration between GSA-OIG, DCIS, U.S. Army CID, IRS-CI, AFOSI, and the U. S. Attorney's
Office of the Western District of Texas, has been significant and we are looking forward to seeing
the final results of the hard work put forth by all agencies involved," said AFOSI Special Agent in
Charge Holmstrand.
Initial appearances are expected to occur this week before a U.S. Magistrate Judge in San Antonio
(Seguin), Alexandria, VA (Bolduc), and Atlanta (Fiuza Lima).
It is important to note that an indictment is merely a charge and should not be considered as
evidence of guilt. The defendants are presumed innocent until proven guilty in a court of law.
Case II: December 20, 2019 - Sonoma county CEO pleads guilty to charges stemming from $25-65
million student loan repayment services scam
SAN FRANCISCO – Brandon Frere pleaded guilty today to wire fraud and money laundering charges
in connection with a multi-million-dollar scheme to use deceptive sales tactics to convince people
to enroll in his companies' student loan repayment services programs.
Frere, of Sonoma County, owned and operated three companies—American Financial Benefits
Center (AFBC), the Financial Education Benefits Center (FEBC), and Ameritech Financial
(Ameritech)—all based in Rohnert Park, Calif. According to his plea agreement, between January of
2014 and November of 2018, Frere used the companies to market student loan document
preparation services for borrowers who wished to apply for programs through the Department of
Education. Frere targeted potential customers who were seeking federal loan forgiveness, loan
consolidation, and reduced-payment programs. When Frere's companies sold consumers
"document preparation" services, they also sold them a purportedly optional membership in a
"financial education benefits program." The so-called benefits program provided the opportunity to
customers to sign up for services such as LifeLock identity theft protection and roadside assistance.
Frere admitted he instructed his employees to follow misleading sales scripts and to employ
deceptive sales tactics so that people would enroll for services without fully understanding what
they were paying for. For example, when initially enrolling consumers in the document preparation
service and signing them up for the financial education benefits program, Frere hid the fees for the
financial education benefits program and described the benefits program in a way that made it seem
like the cost of the program was included in the document preparation services. Further, Frere
admitted he instructed enrollment associates not to present the benefits program as an optional or
additional service to the document preparation service; this way, consumers would purchase the
benefits packages without knowing they were doing so.
In sum, Frere instructed his employees (1) to make false statements concerning the companies'
ability to deliver fixed payments for the life of student loans and loan forgiveness under alternative
repayment plans; (2) to engage in enrollment practices that improperly inflated a consumers' family
size to reduce their prospective payments under federal alternative repayment plans (and therefore
make it appear to the consumer that their monthly payments would be lower than what they would
have been if the family size were not inflated); and (3) to hide the monthly fees that consumers
would pay for a purportedly optional financial education benefits program while leading victims to
believe that the benefits program was already included in the document preparation service. Frere
admitted for the purposes of sentencing that the amount of losses attributable to his scheme was
no less than $25,000,000 and up to $65,000,000.
Moreover, Frere admitted that in order to conceal the proceeds of his wire fraud scheme, in 2015,
he began transferring to overseas bank accounts that he controlled large sums of the funds that he
had received through the scheme. He continued this process in August 2017, after he became
involved in litigation with the Federal Trade Commission ("FTC") and became concerned the FTC or
a court might be able to seize the proceeds of his fraud. The FTC filed a civil complaint in February
2018 against Frere and his companies in federal court in Oakland. (Federal Trade Commission v.
American Financial Benefits, et al., Case No. CV 18-00806-SBA).
Frere was arrested December 5, 2018, at SFO as he attempted to board a flight to Cancun, Mexico.
He is now free on bond pending sentencing. Judge Illston scheduled Frere's sentencing for March
27, 2020 at 11 a.m.
Frere was charged by information on October 1, 2019 with one count of wire fraud, in violation of
18 U.S.C. § 1343, and one count of money laundering, in violation of 18 U.S.C. § 1956(a)(2)(B). Frere
pleaded guilty to both counts. Frere faces a maximum sentence of 20 years in prison, for each count.
In addition, with respect to the fraud count, Frere faces a fine of $250,000, or the greater of twice
the gross gain or twice the gross loss from the fraud. With respect to the money laundering count,
Frere faces a fine of $500,000, or the greater of twice the gross gain or twice the value of the money
instruments involved. In addition, restitution, supervised release, and additional fines may be
ordered. However, any sentence following conviction will be imposed by the court only after
consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of
a sentence, 18 U.S.C. § 3553.
Fraud Prevention and Detection
Fraud Risk Assessment
It is important to understand the difference between enterprise-wide risk assessments and fraud risk
assessment. Both approaches contain similarities; however, the objectives, outcomes, and benefits to
an organization differ.
Enterprise-wide Risk Assessment: Focuses on assessing, managing, and monitoring risks related to
the achievement of an organization's objectives.
Fraud Risk Assessment: Focuses on identifying and addressing an organization's vulnerabilities to
internal and external fraud.
A fraud risk assessment is a critical component of an organization's larger enterprise risk management
(ERM) program because it:
• Serves as a tool that assists management and internal auditors in systematically identifying
where and how fraud may occur and who may be in a position to commit fraud;
• Reviews potential exposures, an essential step in alleviating the board's and senior
management's concerns about fraud risks and their ability to meet organizational goals; and
• Concentrates on fraud schemes and scenarios to determine the presence of internal controls
and whether or not the controls can be circumvented.
As discussed earlier, COSO revised its 1992 Internal Control — Integrated Framework in 2013 to
incorporate 17 principles. The publication, Fraud Risk Management Guide (guide), is intended to be
supportive of and consistent with the 2013 Framework and can serve as best practices guidance for
organizations to follow in addressing this new fraud risk assessment principle. The guide’s five fraud
risk management principles fully support, are entirely consistent with, and parallel the 2013 COSO
Framework’s 17 internal control principles:
COSO Framework Components and Principles, with the Parallel Fraud Risk Management Principles

Control Environment
COSO principles:
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of
the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals
in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the
pursuit of objectives.
Fraud risk management principle:
1) The organization establishes and communicates a Fraud Risk Management Program that
demonstrates the expectations of the board of directors and senior management and their
commitment to high integrity and ethical values regarding managing fraud risk.

Risk Assessment
COSO principles:
6. The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and
analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of
objectives.
9. The organization identifies and assesses changes that could significantly impact the system of
internal control.
Fraud risk management principle:
2) The organization performs comprehensive fraud risk assessments to identify specific fraud
schemes and risks, assess their likelihood and significance, evaluate existing fraud control
activities, and implement actions to mitigate residual fraud risks.

Control Activities
COSO principles:
10. The organization selects and develops control activities that contribute to the mitigation of
risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the
achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and
procedures that put policies into place.
Fraud risk management principle:
3) The organization selects, develops, and deploys preventive and detective fraud control activities
to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Information & Communication
COSO principles:
13. The organization obtains or generates and uses relevant, quality information to support the
functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities
for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning
of internal control.
Fraud risk management principle:
4) The organization establishes a communication process to obtain information about potential
fraud and deploys a coordinated approach to investigation and corrective action to address fraud
appropriately and in a timely manner.

Monitoring Activities
COSO principles:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to
those parties responsible for taking corrective action, including senior management and the board
of directors, as appropriate.
Fraud risk management principle:
5) The organization selects, develops, and performs ongoing evaluations to ascertain whether each
of the five principles of fraud risk management is present and functioning and communicates Fraud
Risk Management Program deficiencies in a timely manner to parties responsible for taking
corrective action, including senior management and the board of directors.

Source: COSO, Fraud Risk Management Guide: Executive Summary, 2016
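Fraud risk management principle 2 and the bullet list above describe the fraud risk assessment as a loop: name the specific schemes and who could commit them, rate likelihood and significance, credit the existing controls, and act on the residual risk. The Python register below is an added example that is not from the course or from COSO; the 1-to-5 scales, the multiplicative control-credit model, the halving of credit for controls that can be overridden, the risk appetite of 6 and the register entries are all assumptions chosen to make the mechanics visible.

```python
from dataclasses import dataclass, field


@dataclass
class FraudRisk:
    scheme: str          # the specific fraud scheme being assessed
    who: str             # position in a place to commit it
    likelihood: int      # 1 (remote) .. 5 (almost certain), management's rating (assumed scale)
    significance: int    # 1 (immaterial) .. 5 (severe), rating of the impact (assumed scale)
    # (name, "preventive" | "detective", effectiveness 0.0-1.0, can_be_overridden)
    controls: list = field(default_factory=list)


RISK_APPETITE = 6   # residual score above this needs a mitigation action (assumption)

# Constructed register for a small purchasing function (not real data).
REGISTER = [
    FraudRisk("Phantom vendor / false invoices", "AP clerk", 4, 4,
              [("vendor master change review", "preventive", 0.6, False),
               ("three-way match", "detective", 0.5, True)]),
    FraudRisk("Kickbacks from suppliers", "Purchasing manager", 3, 3,
              [("annual conflict-of-interest declaration", "preventive", 0.2, False)]),
    FraudRisk("Expense account abuse", "Sales staff", 5, 1,
              [("receipt required over $25", "preventive", 0.7, True),
               ("manager approval", "preventive", 0.4, True)]),
    FraudRisk("Financial statement manipulation", "CFO", 2, 5, []),
]


def inherent(r):
    """Inherent risk before any control is credited."""
    return r.likelihood * r.significance


def residual(r):
    """Each control removes a share of the remaining risk equal to its effectiveness;
    a control that the position in question can override earns only half credit."""
    score = float(inherent(r))
    for _, _, eff, overridable in r.controls:
        score *= 1 - (eff / 2 if overridable else eff)
    return round(score, 1)


def assess(register, appetite=RISK_APPETITE):
    """Rank the register by residual risk and note structural gaps in the control set."""
    rows = []
    for r in register:
        gaps = []
        if not any(kind == "preventive" for _, kind, _, _ in r.controls):
            gaps.append("no preventive control")
        if not any(kind == "detective" for _, kind, _, _ in r.controls):
            gaps.append("no detective control")
        if r.controls and all(over for _, _, _, over in r.controls):
            gaps.append("all controls overridable")
        res = residual(r)
        rows.append({"scheme": r.scheme, "who": r.who, "inherent": inherent(r),
                     "residual": res, "action_required": res > appetite, "gaps": gaps})
    return sorted(rows, key=lambda row: -row["residual"])


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f'{row["residual"]:>5}  {row["scheme"]:<36} {row["who"]:<20} '
              f'{"ACTION" if row["action_required"] else "ok":<7} {", ".join(row["gaps"])}')
```

The ordering is the useful output: the scheme with the highest inherent score (phantom vendors, 16) ends up below appetite once its two controls are credited, while the kickback scheme, rated lower to begin with, stays above appetite because its only control is weak and nothing detective sits behind it. The "gaps" column is what principle 3 asks for next: every scheme should have both a preventive and a detective control, and controls that the named position can override should not be the only ones.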
Techniques for Fraud Prevention
It's not sufficient just to detect and investigate fraud. Your company must have a strategy to fight
fraud. A well-rounded anti-fraud program takes measures that prevent fraud; once prevention is in
place, everything else falls into place around it. Here is how you can develop strategies that will
work for you. One of the biggest challenges for the fraud examiner is to persuade management that
the risks of fraud must not be underestimated. Those who have not suffered from fraud previously will
be unaware of the risks and costs. Management may simply think in terms of the direct financial costs
but need to be encouraged to look further. The wider costs include:
• Consequential loss
• Legal and investigative costs
• Regulatory fines
• Management time
• Increased insurance premiums
• Loss of key staff and customers
• Increased cost of/inability to raise new finance
Fraud can never be eliminated from business entirely, simply because collusion can always overcome
normal organizational controls. Combating fraud needs a different and fresh approach that should
cover all aspects of the fraud cycle:
• Fraud deterrence and prevention
• Fraud detection
• Fraud investigation
An approach is recommended that includes the following components:
• Establish the right culture
• Establish a whistle-blowing policy
• Identify the risks
• Implement effective controls
• Increase awareness of the risks
• Plan for the worst
• Recruit the right people
• Search for suspicious transactions
According to ACFE, increasing the perception of detection may well be the most effective fraud
prevention method. Controls, for example, do little good in forestalling internal theft and fraud if their
presence is not known by those at risk. In the audit profession, this means letting employees,
managers, and executives know that auditors are actively seeking out information concerning internal
theft.
Recruitment
Before a company opens its doors to new employees, managers should stop and ask themselves "Do I
really know this person well enough to trust them with my money, confidential information, and above
all my reputation?" Many companies believe that their recruitment procedures will deal with this
question. A study revealed that:
• 30% of employees admitted to lying while applying for jobs;
• 18% of employees think it is necessary to exaggerate on their curriculum vitae;
• 34% of managers do not check the background of applicants; and
• 36% of organizations state that untruths on curriculum vitae (CVs) cost them significant time
and money.
Companies should check each new candidate thoroughly. The more senior the position, the more
thorough this checking should be. Senior staff have more opportunity to commit fraud as they are in
positions of trust and tend to have the ability to authorize payments and approve contracts. They are
also more likely to commit frauds that can permanently damage their organization.
On-Going Process
Vetting is not only for new employees. It should be an on-going process across the whole workforce.
For example:
• What if an individual commenced employment many years ago when vetting was less
rigorous?
• What if an individual's circumstances have changed such that they now find themselves under
severe financial pressures?
When staff with more than ten years of service are responsible for one-third of all frauds, you can easily
see why it is important to adopt continual vetting procedures. Here are the Do's and Don'ts for the
hiring process:
Do:
• Ask all potential employees to complete a detailed application form
• Look for gaps in employment history
• Request written references and check by telephone
• Check all qualifications
• Carry out in-depth due diligence in relation to senior employees
• If possible, obtain details of criminal records
• Carry out checks on temporary and contract staff as well

Don't:
• Rely only on a curriculum vitae provided by the applicant
• Limit checks to, say, the last ten years only
• Accept "to whom it may concern" reference letters
• Accept copy certificates
• Assume a previous employer has carried out full and proper due diligence
• Accept verbal representations at face value
Codes of Conduct
The aim of a corporate policy is to demonstrate to both employees and the outside world that the
company is taking the threat of dishonesty, fraud, and theft seriously. By issuing a detailed policy, it
clearly sets out what is considered to be dishonest and warns any potential wrongdoers that the
consequences of being caught will be serious. The effect therefore will be to deter any potential
wrongdoers thus resulting in reduced losses from any wrongdoing and reduced costs in respect of
investigating any wrongdoing.
There should be a general policy statement on ethics and the company's attitude toward dishonesty,
fraud, and theft. Other matters that should be considered include:
• Does the policy make a distinction between fraud committed by employees, suppliers,
customers etc.?
• Is the policy communicated to all staff (e.g., when they are recruited, induction training,
extranet etc.)?
• Is staff required to confirm that they understand the policy and that they have complied with
it in all respects?
• Does the policy make it clear that it applies to all staff including directors?
• Does the policy apply to all subsidiaries, including those abroad?
Definition of Fraud
The policy should include a clear definition of what is regarded as fraud or theft. For example:
• Does the policy set out the company's attitude toward client entertaining and gifts and what
action needs to be undertaken on receipt of these?
• Does the policy quantify what constitutes fraud or dishonesty? For example, an overstatement
of expenses by $1 might not be considered to be fraud, but continuously over-claiming
expenses by $1 might be considered dishonest.
• Does the policy distinguish between the seriousness of different offenses?
• Does the policy include a statement in respect to the misstatement of financial statements or
destruction of accounting records?
• Does the policy include a statement in respect to conflicts of interest?
• What policies are in place to inform customers/suppliers that a code of conduct is in
operation?
Whistleblowing Policy
When appointed to carry out investigations, the first port of call is the staff. The reason
for this is that they are the "eyes and ears" of a company. They know exactly what frauds are going on
and who is doing it. They are an extremely valuable resource that companies are failing to utilize. What
makes things worse is that if used properly they could have stopped the fraud much earlier. An even
better source of information for the investigator is an ex-employee as they have less to lose by blowing
the whistle. For those current members of staff that do blow the whistle, the consequences can be
disastrous. Far from being hailed as corporate heroes and saving the business from potential financial
ruin, three out of four whistleblowers are sidelined or their careers blighted by their honest actions.
Employers should be encouraging whistleblowers to come forward as the quicker a business can spot
fraud, the better. Not only does early detection diminish the damage to a firm's reputation, but it
wastes less of management's time, and ultimately costs the business less. This is why having a robust
whistleblowing policy in place is good practice. Having such a policy might also discourage potential
whistleblowers from approaching the press as a first resort. In addition, businesses need to engender
a culture in which employees believe their concerns will be taken seriously, and that the protection
afforded by the law and policies is real.
Increase Awareness of Risks
Fraud examiners have a wealth of experience that has been obtained through investigation. One of
the positive steps that they can take is to pass this experience back to company management and staff
through an education process. Most employees and management will be unaware of the risks faced
by their organization. Without knowing what the risks are, they will be unable to take corrective action.
The methods that the fraud examiner can take to increase awareness of the risks faced by companies
include:
• Lectures to management and staff on general fraud awareness.
• Presentation of case studies.
• Use of the company intranet.
• Articles in company magazines.
Implement Controls
Once a fraud examiner has carried out the above steps, she will then be in a position to implement
specific controls to prevent fraud. If the right candidates have been recruited and the company has an
effective code of conduct and whistleblowing process, the need for effective controls will be less
urgent. The opposite is true if the company has not recruited the right candidates or established a
code of conduct and whistleblowing policy. In fact, without having dealt with the issues referred to
above, a company will find that implementing effective controls may not have the desired effect as
staff will work out how to defeat these controls.
The fraud examiner will first want to identify the high-risk areas. This can be achieved through a
workshop attended by management and staff from different areas of the business (e.g., accounting,
warehouse, operations, marketing, etc.). Each will have a different perspective that may be counter to
another attendee's perspective. Having identified the risk areas (e.g., procurement of IT equipment,
etc.), the fraud examiner will want to review the following:
• Lack of segregation of duties
• Lack of physical safeguards
• Lack of independent checks
• Lack of authorization
• Overriding of existing controls
• Ineffectiveness of existing controls
• Inadequacy of the accounting system
Data Mining
Data is a fundamental element in any organization's ability to manage its business. It is collected from
a wide variety of sources, stored on many different systems, and is regularly used for marketing and
sales activities. However, the use of this data in fraud detection is frequently overlooked.
The likelihood of identifying potentially fraudulent activity can be significantly enhanced through the
regular application of data mining tools and techniques, although these are not foolproof and must be
run in conjunction with other activities designed to reduce the threat of fraud.
Technology as a Tool
People commit frauds, but as technology plays an increasingly important role in business life, the
fraudster often leaves warning signals of his activity in an organization's systems.
Each transaction will leave a trail. Increasingly, in order to enhance the way an organization does
business, databases have been developed to store huge amounts of transactional and standing data
from accounting, sales, purchasing, and payroll functions. This is used for marketing, forecasting, and
reporting but rarely for detecting and predicting fraud. Also, this data can be a key factor in developing
and implementing a fraud risk management strategy.
Use of Spreadsheets
Data mining in its simplest form may take the form of a "sorted" Excel spreadsheet where the fraud
examiner is trying to identify the largest suppliers or customers. A further development of this is to
track expenditure with the largest suppliers over time. This can be achieved using pivot tables in Excel
followed by the charting function. In one case, charting expenditure over time identified a single payment
above a specified limit to a particular supplier. Further investigation may reveal that such a payment
was made to a fictitious company.
Use of Databases
The next stage in data mining is the use of databases to run complex queries. Microsoft Access is an
extremely powerful tool which many fraud examiners will be able to use. More complex databases
exist for larger enterprises. These may require specialist knowledge. However, they can analyze large
amounts of data and produce complex queries that can be automated. The following chart illustrates
that data mining has identified a series of transactions just above $50,000, which is the authorization
limit for the company.
Databases can also be used to identify suspicious transactions around points in time.
Fraud Response Plan
When fraud comes to light, the actions taken in the first few hours, days, or weeks will be key in limiting
the damage that is done to the company. It is no good "making it up as you go along" and "proper
planning prevents poor performance." The plan should identify at least one individual to whom fraud
or suspicion of fraud should be reported. Those concerned should then receive proper training and
guidance on what to do once the fraud has been reported.
These individuals should always be contactable (i.e., 24/7) as a fraud can come to light at any time.
Employees will need to know whom to contact and how to contact them. Also, many frauds are now
conducted on an international scale and company operations may be carried out abroad. In a move to
make businesses efficient, multi-shift working means there is 24-hour production in some businesses.
The individuals chosen to sit on the fraud response team will need to have appropriate seniority and
independence - they should not be in a position where a conflict of interest could arise.
After the initial report of fraud, the company may consider creating a larger group that would be
responsible for managing the investigation or other response. If this is the case, then plans will have
to be put into place to contact the other members of the group to discuss next steps. The plan should
therefore consider:
• What constitutes a fraud which requires the attention of the larger group?
• Who makes the decision as to whether the larger group should be consulted?
• When should the group meet and report by?
Powers of the Group
The powers of the group should be set out in writing so that it is clear they have the power to act. The
powers should be sufficient to ensure that they can carry out their role without hindrance or delay,
both internally and externally. The group may need to consult the board of directors and should have
the ability to do so directly.
Responsibilities of the Group
The outcome of an investigation may vary depending on the size of the fraud, who was involved, or
how it was perpetrated. The group will therefore have to make an initial assessment as to what action
would be desirable. The group will have to take action to:
• Suspend or dismiss the persons involved
• Prevent further losses
• Recover any losses incurred
• Pursue criminal action
The group may also have to consider what should be communicated and to whom. It will be almost
impossible to keep the details of the fraud from other members of staff. Once staff becomes aware of
the fraud, it will then spread to the press, investors, unions, customers, and suppliers. Therefore, the
group will have to determine:
• Whether the PR department has been briefed on how to respond to press enquiries.
• At what stage investors will be informed.
• Whether unions should be regularly briefed.
• How suppliers will be informed if one of their employees is involved.
If the company has insurance coverage, the insurance company will need to be informed at an early
stage to ensure that coverage applies and that, if it wishes, it can involve its own professional advisors
in the investigation process.
Whom to Contact for Assistance
At some stage during the investigation process, it is likely that outside assistance will be required. At
the lowest level, this may be a locksmith who is required to change office locks on a Sunday night.
Details of any individual or entity that is likely to be able to assist should be obtained before it is
required - this includes contact details out of normal working hours.
Contact with the Police
Companies have historically wanted to avoid informing the police as they are afraid of any adverse
publicity. Once reported to the police, directors believe that they will lose control of the investigation.
This may have been true in the past but the police are now better equipped to investigate fraud. There
are also positive aspects to reporting fraud to the police. It sends a very strong signal to the workforce
and can act as a strong deterrent to any potential fraudsters. If they think that the company will
prosecute them, they could then lose everything else, including family and friends. The company will
therefore have to determine what its attitude toward reporting offenses to the police is. It will have
to separately establish its obligations in relation to regulators.
The ACFE Fraud Prevention Checkup
Source: Association of Certified Fraud Examiners (www.acfe.com)
One of the ACFE’s most valuable fraud prevention resources, the ACFE Fraud Prevention Checkup is a
simple yet powerful test of your company’s fraud health. It tests the fraud prevention processes that are
designed to help you identify major gaps and fix them before it is too late.
The checkup should ideally be a collaboration between objective, independent fraud specialists (such
as a Certified Fraud Examiner) and people within the organization who have extensive knowledge about
its operations. Internal auditors bring extensive knowledge and a valuable perspective to such an
evaluation. At the same time, the perspective of an independent and objective outsider is also
important, as is the deep knowledge and experience of fraud that full-time fraud specialists provide.
The purpose of the checkup is to identify major gaps in your fraud prevention processes, as indicated
by low point scores in particular areas. Even if you score 80 points out of 100, the missing 20 could be
crucial fraud prevention measures that leave you exposed to major fraud. Therefore, there is no
passing grade other than 100 points.
ENTITY:
DATE OF CHECKUP:
1. Fraud risk oversight
To what extent has the entity established a process for oversight of fraud risks by the board of
directors or others charged with governance (e.g., an audit committee)?
Score: From 0 (process not in place) to 20 points (process fully implemented, tested within the past
year and working effectively).
2. Fraud risk ownership
To what extent has the entity created “ownership” of fraud risks by identifying a member of senior
management as having responsibility for managing all fraud risks within the entity and by explicitly
communicating to business unit managers that they are responsible for managing fraud risks within
their part of the entity?
Score: From 0 (process not in place) to 10 points (process fully implemented, tested within the past
year and working effectively).
3. Fraud risk assessment
To what extent has the entity implemented an ongoing process for regular identification of the
significant fraud risks to which the entity is exposed?
Score: From 0 (process not in place) to 10 points (process fully implemented, tested within the past
year and working effectively).
4. Fraud risk tolerance and risk management policy
To what extent has the entity identified and had approved by the board of directors its tolerance
for different types of fraud risks? For example, some fraud risks may constitute a tolerable cost of
doing business, while others may pose a catastrophic risk of financial or reputational damage to the
entity. The entity will likely have a different tolerance for these risks.
To what extent has the entity identified and had approved by the board of directors a policy on how
the entity will manage its fraud risks? Such a policy should identify the risk owner responsible for
managing fraud risks, what risks will be rejected (e.g., by declining certain business opportunities),
what risks will be transferred to others through insurance or by contract, and what steps will be
taken to manage the fraud risks that are retained.
Score: From 0 (processes not in place) to 10 points (processes fully implemented, tested within the
past year and working effectively).
5. Process level anti-fraud controls/re-engineering
To what extent has the entity implemented measures, where possible, to eliminate or reduce
through process re-engineering each of the significant fraud risks identified in its risk assessment?
Basic controls include segregation of duties relating to authorization, custody of assets and
recording or reporting of transactions. In some cases it may be more cost-effective to re-engineer
business processes to reduce fraud risks rather than layer on additional controls over existing
processes. For example, some fraud risks relating to receipt of funds can be eliminated or greatly
reduced by centralizing that function or outsourcing it to a bank’s lockbox processing facility, where
stronger controls can be more affordable.
To what extent has the entity implemented measures at the process level designed to prevent, deter
and detect each of the significant fraud risks identified in its risk assessment? For example, the risk
of sales representatives falsifying sales to earn sales commissions can be reduced through effective
monitoring by their sales manager, with approval required for sales above a certain threshold.
Score: From 0 (processes not in place) to 10 points (processes fully implemented, tested within the
past year and working effectively).
6. Environment level anti-fraud controls
Major frauds usually involve senior members of management who are able to override process-level
controls through their high level of authority. Preventing major frauds therefore requires a very
strong emphasis on creating a workplace environment that promotes ethical behavior, deters
wrongdoing and encourages all employees to communicate any known or suspected wrongdoing to
the appropriate person. Senior managers may be unable to perpetrate certain fraud schemes if
employees decline to aid and abet them in committing a crime. Although “soft” controls to promote
appropriate workplace behavior are more difficult to implement and evaluate than traditional
“hard” controls, they appear to be the best defense against fraud involving senior management.
To what extent has the entity implemented a process to promote ethical behavior, deter
wrongdoing and facilitate two-way communication on difficult issues? Such a process typically
includes:
– Having a senior member of management who is responsible for the entity’s processes to
promote ethical behavior, deter wrongdoing and communicate appropriately on difficult issues. In
large public companies, this may be a full-time position such as ethics officer or compliance officer.
In smaller companies, this will be an additional responsibility held by an existing member of
management.
– A code of conduct for employees at all levels, based on the entity’s core values, which gives
clear guidance on what behavior and actions are permitted and which ones are prohibited. The code
should identify how employees should seek additional advice when faced with uncertain ethical
decisions and how they should communicate concerns about known or potential wrongdoing
affecting the entity.
– Training for all personnel upon hiring and regularly thereafter concerning the code of
conduct, seeking advice and communicating potential wrongdoing.
– Communication systems to enable employees to seek advice where necessary prior to
making difficult ethical decisions and to express concern about known or potential wrongdoing
affecting the entity. Advice systems may include an ethics or compliance telephone help line or
e-mail to an ethics or compliance office/officer. The same or similar systems may be used to enable
employees (and sometimes vendors, customers and others) to communicate concerns about known
or potential wrongdoing affecting the entity. Provision should be made to enable such
communications to be made anonymously, though strenuous efforts should be made to create an
environment in which callers feel sufficiently confident to express their concerns openly. Open
communication makes it easier for the entity to resolve the issues raised, but protecting callers from
retribution is an important concern.
– A process for promptly investigating where appropriate and resolving expressions of
concern regarding known or potential wrongdoing, then communicating the resolution to those
who expressed the concern. The entity should have a plan that sets out what actions will be taken
and by whom to investigate and resolve different types of concerns. Some issues will be best
addressed by human resources personnel, some by general counsel, some by internal auditors and
some may require investigation by fraud specialists. Having a pre-arranged plan will greatly speed
and ease the response and will ensure appropriate persons are notified where significant potential
issues are involved (e.g., legal counsel, board of directors, audit committee, independent auditors,
regulators, etc.).
– Monitoring of compliance with the code of conduct and participation in the related training.
Monitoring may include requiring at least annual confirmation of compliance and auditing of such
confirmations to test their completeness and accuracy.
– Regular measurement of the extent to which the entity’s ethics/compliance and fraud
prevention goals are being achieved. Such measurement typically includes surveys of a statistically
meaningful sample of employees. Surveys of employees’ attitudes towards the entity’s
ethics/compliance activities and the extent to which employees believe management acts in
accordance with the code of conduct provide invaluable insight into how well those items are
functioning.
– Incorporation of ethics/compliance and fraud prevention goals into the performance
measures against which managers are evaluated and which are used to determine performance
related compensation.
Score: From 0 (process not in place) to 30 points (process fully implemented, tested within the past
year and working effectively).
7. Proactive fraud detection
To what extent has the entity established a process to detect, investigate and resolve potentially
significant fraud? Such a process should typically include proactive fraud detection tests that are
specifically designed to detect the significant potential frauds identified in the entity’s fraud risk
assessment. Other measures can include audit “hooks” embedded in the entity’s transaction
processing systems that can flag suspicious transactions for investigation and/or approval prior to
completion of processing. Leading edge fraud detection methods include computerized e-mail
monitoring (where legally permitted) to identify use of certain phrases that might indicate planned
or ongoing wrongdoing.
Score: From 0 (process not in place) to 10 points (process fully implemented, tested within the past
year and working effectively).
ADD ALL SCORES FOR THE TOTAL SCORE (Out of a possible 100 points):
Interpreting the Entity’s Score
A brief fraud prevention checkup provides a broad idea of the entity’s performance with respect to
fraud prevention. The scoring necessarily involves broad judgments, while more extensive evaluations
would have greater measurement data to draw upon. Therefore, the important information to take
from the checkup is the identification of particular areas for improvement in the entity’s fraud
prevention processes. The precise numerical score is less important and is only presented to help
communicate an overall impression.
The desirable score for an entity of any size is 100 points since the recommended processes are
scalable to the size of the entity. Most entities should expect to fall significantly short of 100 points in
an initial fraud prevention checkup. That is not currently considered to be a material weakness in
internal controls that represents a reportable condition under securities regulations. However,
significant gaps in fraud prevention measures should be closed promptly in order to reduce fraud
losses and reduce the risk of future disaster.
The Use of Technology for Fraud Detection
Data Mining
Automated fraud detection is a form of data mining, and it evolves with technology. It helps a
company identify concealed patterns, such as numeric, time, name, and geographic patterns, that may
indicate fraud. During the past five or so years, surveys of senior professionals in the areas of audit,
risk management, compliance, and fraud detection have consistently indicated that increased use of
technology is considered to be a critical factor, especially when organizations deal with a large number
of transactions on a daily basis. Leveraging sophisticated data mining techniques allows management
to identify and respond quickly to red flags and reduce the risk of fraud escalation by implementing
risk and control data analytics to regularly monitor transactions.
To be effective, data mining relies on the source data to be accurate, consistent, and integrated. Data
mining looks both to confirm anticipated patterns and to uncover new patterns. Anything unusual,
hidden, or unexpected should be investigated. However, over time, data mining results may change
due to changing economic and political factors. Therefore, they should be updated accordingly and
reviewed by management for reasonableness. Data mining techniques are commonly used in the areas
of:
• Accounts payable and vendors
• Travel and entertainment transactions
• Purchasing card activities
• Expense reimbursement
• Payroll transactions
• General ledger
Data mining involves software examining a database to identify patterns, relationships, and trends to
assist in management decision making. Instead of relying on sampling, data mining enables a company
to analyze large volumes of transactions using advanced technology and procedures to identify:
• Suspicious transactions (e.g. duplicate payments)
• Unusual relationships (e.g. vendor bank account matches to employee bank account)
• Irregular trends over periods of time (e.g. vendor favoritism)
The following table demonstrates how data mining can be proactively applied to prevent and detect
payable frauds.
Data Mining in Payable Fraud Prevention and Detection
Approach: Rules. Examples: flag improper transactions based on known abuses:
• Duplicate payments
• Split payments
• Duplication of address for two or more vendors
• Discrepancy between invoice and purchase order
• Above average payments to a vendor
• Above average voided checks to a vendor
Approach: Anomaly Detection. Examples: detect individual and aggregated abnormal behaviors:
• Abnormal invoice volume activity (e.g., rapid increase in invoice volume)
• Dramatic change of price
• Invoices made before purchase orders
• Invoices that do not match purchase orders
• Invoices to prohibited vendors
• Rounded-amount invoices
• Invoices just below approval amounts
• Gaps in check numbers
• Vendors with many cancelled or returned checks or a regular pattern of canceled checks
Approach: Predictive Models. Examples: predictive assessment against known fraud cases:
• The use of a residential address or PO Box by the vendor
• Vendors with the same or similar addresses, or no address
• Accounts payable credits and voided check matching
• Vendor and employee cross check by address, tax ID number, phone number, and bank routing number
Approach: Link Analysis. Examples: knowledge discovery through associated link analysis:
• Association to known fraud
• Collusive relationships
• Suspicious referrals
• Linked suspicious address or phone numbers
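Several of the Rules, Anomaly Detection and Predictive Models tests in the table above, together with the near-authorization-limit query described under Use of Databases, as an added Python example that is not part of the course: it runs the checks over a constructed set of vendor, employee and check-register records (every value is invented), and assumes a $50,000 approval limit, a 5% "just below" band, a $1,000 rounding unit and a one-week split-payment window.

```python
"""Payable-fraud data-mining checks over constructed accounts-payable records.
Added example, not from the course; all records below are invented."""
from collections import Counter, defaultdict
from datetime import date

APPROVAL_LIMIT = 50_000.00   # authorization limit quoted in the course example
NEAR_LIMIT_BAND = 0.05       # assumed: "just below" means within 5% of the limit
ROUND_UNIT = 1_000           # assumed: a "rounded" invoice is a multiple of $1,000
SPLIT_WINDOW_DAYS = 7        # assumed: split payments land within one week

# Constructed vendor master, employee master and check register (placeholder values).
VENDORS = {
    "V1": {"name": "Acme Supplies", "address": "12 Mill Rd", "tax_id": "TIN-0001", "routing": "RT-0001"},
    "V2": {"name": "Brightline Ltd", "address": "77 Harbor St", "tax_id": "TIN-0002", "routing": "RT-0002"},
    "V3": {"name": "Crest Services", "address": "77 Harbor St", "tax_id": "TIN-0003", "routing": "RT-0003"},
    "V4": {"name": "Delta Consult", "address": "9 Oak Lane", "tax_id": "TIN-0004", "routing": "RT-0004"},
}
EMPLOYEES = {
    "E1": {"name": "J. Smith", "address": "5 Elm Ave", "routing": "RT-0009"},
    "E2": {"name": "R. Jones", "address": "9 Oak Lane", "routing": "RT-0004"},
}
PAYMENTS = [
    {"check": 1001, "vendor": "V1", "invoice": "A-100", "amount": 4_800.00, "date": "2020-01-03"},
    {"check": 1002, "vendor": "V1", "invoice": "A-100", "amount": 4_800.00, "date": "2020-01-17"},
    {"check": 1003, "vendor": "V2", "invoice": "B-7", "amount": 49_500.00, "date": "2020-02-20"},
    {"check": 1004, "vendor": "V2", "invoice": "B-8", "amount": 30_000.00, "date": "2020-02-03"},
    {"check": 1005, "vendor": "V2", "invoice": "B-9", "amount": 25_000.00, "date": "2020-02-04"},
    {"check": 1006, "vendor": "V4", "invoice": "D-1", "amount": 12_000.00, "date": "2020-03-10"},
    {"check": 1007, "vendor": "V3", "invoice": "C-2", "amount": 1_234.56, "date": "2020-03-11"},
]


def duplicate_payments(payments):
    """Rules: the same vendor, invoice number and amount paid more than once."""
    counts = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    return sorted(key for key, n in counts.items() if n > 1)


def just_below_limit(payments, limit=APPROVAL_LIMIT, band=NEAR_LIMIT_BAND):
    """Anomaly detection: invoices sitting just under the approval limit."""
    return sorted(p["check"] for p in payments if limit * (1 - band) <= p["amount"] < limit)


def split_payments(payments, limit=APPROVAL_LIMIT, window_days=SPLIT_WINDOW_DAYS):
    """Rules: two sub-limit payments to one vendor, close in time, that together exceed the limit."""
    by_vendor = defaultdict(list)
    for p in payments:
        if p["amount"] < limit:
            by_vendor[p["vendor"]].append(p)
    flagged = []
    for plist in by_vendor.values():
        plist.sort(key=lambda p: p["date"])          # ISO dates sort chronologically as strings
        for i, first in enumerate(plist):
            for second in plist[i + 1:]:
                gap = (date.fromisoformat(second["date"]) - date.fromisoformat(first["date"])).days
                if gap > window_days:
                    break                            # later payments are further away still
                if first["amount"] + second["amount"] >= limit:
                    flagged.append((first["check"], second["check"]))
    return sorted(flagged)


def rounded_amounts(payments, unit=ROUND_UNIT):
    """Anomaly detection: invoices for a whole multiple of `unit`."""
    return sorted(p["check"] for p in payments if p["amount"] % unit == 0)


def vendor_employee_matches(vendors, employees, fields=("address", "tax_id", "routing")):
    """Predictive models: vendor master fields that coincide with an employee record."""
    hits = []
    for vid, vendor in vendors.items():
        for eid, emp in employees.items():
            for field in fields:
                if field in vendor and field in emp and vendor[field] == emp[field]:
                    hits.append((vid, eid, field))
    return sorted(hits)


def shared_vendor_addresses(vendors):
    """Rules: two or more vendors registered at the same address."""
    at_address = defaultdict(list)
    for vid, vendor in vendors.items():
        at_address[vendor["address"]].append(vid)
    return {addr: sorted(ids) for addr, ids in at_address.items() if len(ids) > 1}


def run_all_checks(payments=PAYMENTS, vendors=VENDORS, employees=EMPLOYEES):
    """Run every check and return the findings keyed by check name."""
    return {
        "duplicate_payments": duplicate_payments(payments),
        "just_below_limit": just_below_limit(payments),
        "split_payments": split_payments(payments),
        "rounded_amounts": rounded_amounts(payments),
        "vendor_employee_matches": vendor_employee_matches(vendors, employees),
        "shared_vendor_addresses": shared_vendor_addresses(vendors),
    }


if __name__ == "__main__":
    for name, findings in run_all_checks().items():
        print(f"{name}: {findings}")
```

Each function returns the flagged check numbers or record pairs so the findings can be reviewed rather than acted on automatically; the same queries translate directly into the kind of database joins and filters the course describes.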
Forensic Computing
In many respects, advances in technology have enabled criminals to commit crimes more quickly and
successfully. For example, by capturing database information it is easy to steal people’s identity and
financial data. The automation of the payroll system has enabled corrupt employees to create false
identities to receive paychecks. Deleting a computer file does not necessarily remove the information.
Also, data stored on one computer may exist in many locations such as on a backup tape, tablet or
smartphone. Such devices serve as a tape recorder, documenting and storing the evidence of a crime.
The following lists some of the basic tools for data detective work.
Tool: Network sniffer (hardware). Purpose: allows the user to "recreate" the crime by keeping a record of
packet sessions across networks.
Tool: Portable disk duplicator and/or duplication software. Purpose: preserves the original crime scene by
allowing investigators to copy hard drives in the field and the lab for later analysis.
Tool: Chain-of-custody documentation hardware. Purpose: digitally records every mouse click of the
investigative process to make court testimony more credible.
Tool: Case management software. Purpose: helps link seemingly unrelated pieces of evidence.
Part IV − Section 2 Review Questions
31. When a forensic accountant investigates an activity such as purchasing/kickback schemes,
computer fraud, labor fraud, or falsification of inventory, what activity is he/she performing?
A. A personal injury and fatal accident claim investigation
B. Professional negligence investigation
C. Arbitration activity
D. A fraudulent white-collar crime investigation
32. Which of the following statements is TRUE for a fraud examination?
A. The timing is recurring
B. The scope is general
C. The relationship is adversarial
D. The goal is to examine with professional skepticism
33. How is auditing different than fraud examination?
A. Auditing is conducted to resolve specific allegations.
B. Auditing is involved in efforts to affix blame and is adversarial in nature.
C. Auditing is performed on a regular recurring basis.
D. Auditing is conducted by the examination of documents and the review of outside data such
as public records.
34. Which of the following tools helps link seemingly unrelated pieces of evidence?
A. Network sniffer (hardware)
B. Portable disk duplicator and/or duplication software
C. Case management software
D. Chain-of-custody documentation hardware
Appendix A: Example of Management Report
Source: The AICPA, Statement on Auditing Standards No. 130
The following is an illustrative management report with no material weaknesses reported.
Management’s Report on Internal Control Over Financial Reporting
ABC Company’s internal control over financial reporting is a process effected by those charged with
governance, management, and other personnel, designed to provide reasonable assurance regarding
the preparation of reliable financial statements in accordance with [applicable financial reporting
framework, such as accounting principles generally accepted in the United States of America]. An
entity’s internal control over financial reporting includes those policies and procedures that (1) pertain
to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions
and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are
recorded as necessary to permit preparation of financial statements in accordance with [applicable
financial reporting framework, such as accounting principles generally accepted in the United States of
America], and that receipts and expenditures of the entity are being made only in accordance with
authorizations of management and those charged with governance; and (3) provide reasonable
assurance regarding prevention, or timely detection and correction, of unauthorized acquisition, use,
or disposition of the entity’s assets that could have a material effect on the financial statements.
Management of ABC Company is responsible for designing, implementing, and maintaining effective
internal control over financial reporting. Management assessed the effectiveness of ABC Company’s
internal control over financial reporting as of December 31, 20XX, based on [identify criteria]. Based
on that assessment, management concluded that, as of December 31, 20XX, ABC Company’s internal
control over financial reporting is effective, based on [identify criteria].
Internal control over financial reporting has inherent limitations. Internal control over financial
reporting is a process that involves human diligence and compliance and is subject to lapses in
judgment and breakdowns resulting from human failures. Internal control over financial reporting also
can be circumvented by collusion or improper management override. Because of its inherent
limitations, internal control over financial reporting may not prevent, or detect and correct,
misstatements. Also, projections of any assessment of effectiveness to future periods are subject to
the risk that controls may become inadequate because of changes in conditions, or that the degree of
compliance with the policies or procedures may deteriorate.
ABC Company
Report signers, if applicable
Date
Appendix B: Section 404 Management Compliance Checklist
Source: The Institute of Internal Auditors, SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners
The IIA provides the following checklist that helps management teams ensure their Section 404
program is efficient.
1. Has operating management taken ownership of their processes and documentation, rather than
leaving it to the Section 404 team or the internal auditing function?
2. Does operating management update all process and control documentation promptly throughout
the year and not just when testing starts? Is there an effective change management process in
place, including the timely assessment of process changes for their potential impact on key
controls?
3. Is operating management committed to assess and remediate all control deficiencies promptly?
In situations where remediation is not justified based on management’s assessment of risk and
cost, is management committed to communicating that decision promptly so the effect on
management’s overall assessment of controls can be identified and discussed with senior
management?
4. Has a top-down, risk-based approach been used to identify the key controls? Is management
confident that all identified key controls are truly key? Has the design of the related processes
been reviewed to determine if changes can result in fewer and more effective controls, relying
more on automated controls or on higher-level controls (e.g., detailed reconciliations and flux
analyses)? The fewer the controls to test, the lower the cost.
5. Is management of the Section 404 program at a sufficiently high level within the organization to:
• Influence operating management relative to completion of their responsibilities?
• Communicate effectively with executive management the program’s progress and potential
issues?
• Negotiate as needed with the external auditor (e.g., to increase reliance on management
testing, agree on key controls early, and address concerns as they arise)?
6. Is the use of internal resources optimized, including the use of internal auditors to perform testing
or to validate testing performed by management staff?
7. Has overall staffing been optimized, reducing reliance on more expensive external consultants and
testers?
8. Has reliance by the external auditor on management testing been optimized?
9. Does the external auditor follow a top-down, risk-based approach as required by AS No. 2201?
10. Is there a detailed project plan:
a. That includes a walk-through of all significant processes early in the year, preferably in the first
quarter?
b. With testing scheduled in such a way that all key controls are tested by mid-year, with
additional testing to update the results scheduled closer to year-end? This enables the
external auditor to start their walkthroughs and testing early, providing time for management
to address and remediate any deficiencies identified in either management or external auditor
testing.
c. That includes all key activities required to complete the program, such as fraud risk
assessment, consideration of any end-user computing issues, assessment of SAS 70 reports
from service providers, etc.?
d. Detailing all required resources, including specialists (e.g., for IT or tax processes and controls),
so they can be scheduled early?
e. With regular reporting to senior management that focuses on key metrics and issues, such as:
• Progress against timetables, highlighting steps that are or may be behind schedule?
• Percentage of key controls tested compared to their scheduled completion level?
• Number and percentage of key controls that are failing?
• Number of failed controls that are potentially significant to the Section 404 assessment?
• The number of failed controls where remediation will not be completed within 30 days, so senior management can focus on a timely completion?
• The number of key controls where remediation and retesting may not be completed with sufficient time for the external auditor to retest (these are likely to be open deficiencies at year-end)?
• Costs to date and projected through the end of the year?
• Potential resource issues?
• Other issues, such as coordination and concerns raised by the external auditor?
11. Has there been communication and coordination with all service providers to ensure that a SAS
70 type II report will be available at the appropriate time, and that early warning is provided of
potential deficiencies being identified during the SAS 70 audit?
12. Finally, is the Section 404 program itself assessed for effectiveness on a continuing basis, to ensure
it is improved as the organization learns from experience and benefits from changes in regulations
or their interpretation?
Appendix C: Financial Reporting Controls and Information Systems Checklist − Medium to Large Business
Appendix C includes the questionnaires and checklists that help you document your understanding of
the control environment and of internal control over the following cycles:
1. Revenue
2. Purchasing
3. Inventory
4. Financing
5. Property, Plant, and Equipment
6. Payroll
The processes, documents, and controls listed in Appendix C are typical for medium to large business
entities but are by no means all-inclusive. The preponderance of "No" or "N/A" responses may
indicate that the entity uses other processes, documents, or controls in their information and
communication systems. You should consider supplementing this questionnaire with a memo or
flowchart to document significant features of the client’s system that are not covered by this
questionnaire. They should help you in planning a primarily substantive approach. To assess control
risk below the maximum, you will need to design tests of controls and then test specific controls to
determine the effectiveness of their design and operation.
Templates (Part 3) of assessing segregation of duties and the risk of management override are also provided in Appendix C. You can also find a checklist (Part 4) that guides you on how to interpret the results.
Part 1. Internal Control Assessment
Questionnaires
Control Environment
In the space provided below, indicate whether you strongly agree, somewhat agree, somewhat
disagree, strongly disagree or have no opinion with the following statements. Use a rating scale of
1-5, where: 5 = strongly agree, 4 = somewhat agree, 3 = somewhat disagree, 2 = strongly disagree, and
1 = no opinion.
Your answers should be based on:
• Your previous experience with the entity
• Inquiries of appropriate management, supervisory, and staff personnel
• Inspection of documents and records
• Observation of the entity’s activities and operations
Control Environment Factors Rating
Integrity and Ethical Values
1. Management has high ethical and behavioral standards.
2. The company has a written code of ethical and behavioral standards that is comprehensive and periodically acknowledged by all employees.
3. If a written code of conduct does not exist, the management culture emphasizes the importance of integrity and ethical values.
4. Management reinforces its ethical and behavioral standards.
5. Management appropriately deals with signs that problems exist (e.g., defective products or hazardous waste) even when the cost of identifying and solving the problem could be high.
6. Management has removed or reduced incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. For example, there is generally no:
• Pressure to meet unrealistic performance targets.
• High-performance-dependent rewards.
• Upper and lower cutoffs on bonus plans.
7. Management has provided guidance on the situations and frequency with which intervention of established controls is appropriate.
8. Management overrides of established controls are appropriately documented, explained, and investigated.
9. Management intervention is documented and explained appropriately.
Commitment to Competence
10. Management has appropriately considered the knowledge and skill levels necessary to accomplish financial reporting tasks.
11. Employee job descriptions, including specific duties, reporting responsibilities, and constraints have been clearly established and effectively communicated to employees.
12. Employees with financial reporting tasks generally have the knowledge and skills necessary to accomplish those tasks.
13. The department adequately compensates employees in order to attract qualified individuals.
14. There are clear criteria for hiring and promoting.
15. Employee performance evaluation techniques have been implemented to identify incompetent or ineffective employees.
Board of Directors and Audit Committee
16. The board of directors is independent from management.
17. The board constructively challenges management’s planned decisions.
18. Directors have sufficient knowledge and industry experience and time to serve effectively.
19. The board regularly receives the information they need to monitor management’s objectives and strategies.
20. The audit committee reviews the scope of activities of the internal and external auditors annually.
21. The audit committee meets privately with the chief financial and/or accounting officers, internal auditors and external auditors to discuss the
• Reasonableness of the financial reporting process
• System of internal control
• Significant comments and recommendations
• Management’s performance
22. The board takes steps to ensure an appropriate "tone at the top."
23. The board or committee takes action as a result of its findings.
Management’s Philosophy and Operating Style
24. Management moves carefully, proceeding only after analyzing the risks and potential benefits of accepting business risks.
25. Management is generally cautious or conservative in financial reporting and tax matters.
26. There is relatively low turnover of key personnel (e.g., operating, accounting, data processing, internal audit).
27. There is no undue pressure to meet budget, profit, or other financial and operating goals.
28. Management views the accounting and internal audit function as a vehicle for exercising control over the entity’s activities.
29. Operating personnel review and "sign off" on reported results.
30. Senior managers frequently visit subsidiary or divisional operations.
31. Group or divisional management meetings are held frequently.
Organizational Structure
32. The entity’s organizational structure facilitates the flow of information upstream, downstream, and across all business activities.
33. Responsibilities and expectations for the entity’s business activities are communicated clearly to the executives in charge of those activities.
34. There is adequate supervision and monitoring of decentralized operations.
35. Accounting and information technology departments are centralized.
36. The executives in charge have the required knowledge, experience, and training to perform their duties.
37. Those in charge of business activities have access to senior operating management.
Assignment of Authority and Responsibility
38. Authority and responsibility are delegated only to the degree necessary to achieve the company’s objectives.
39. Job descriptions, for at least management and supervisory personnel, exist.
40. Job descriptions contain specific references to control related responsibilities.
41. Proper resources are provided for personnel to carry out their duties.
42. Personnel understand the entity’s objectives and know how their individual actions interrelate and contribute to those objectives.
43. Personnel recognize how and for what they will be held accountable.
Human Resource Policies and Practices
44. The entity generally hires the most qualified people for the job.
45. Hiring and recruiting practices emphasize educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior.
46. Recruiting practices include formal, in-depth employment interviews.
47. Prospective employees are told of the entity’s history, culture and operating style.
48. The entity provides training opportunities, and employees are well-trained.
49. Promotions and rotation of personnel are based on periodic performance appraisals.
50. The turnover of key personnel is relatively low.
51. Methods of compensation, including bonuses, are designed to motivate personnel and reinforce outstanding performance.
52. Management does not hesitate to take disciplinary action when violations of expected behavior occur.
B. Other Internal Control Components with a Pervasive Effect on the Organization
Risk Assessment
1. Special action is taken to ensure new personnel understand their tasks.
2. Management appropriately considers the control activities performed by personnel who change jobs or leave the company.
3. Management assesses how new accounting and information systems will impact internal control.
4. Management reconsiders the appropriateness of existing control activities when new accounting and information systems are developed and implemented.
5. Employees are adequately trained when accounting and information systems are changed or replaced.
6. Accounting and information system capabilities are upgraded when the volume of information increases significantly.
7. Accounting and data processing personnel are expanded as needed when the volume of information increases significantly.
8. The entity has the ability to reasonably forecast operating and financial results.
9. Management keeps abreast of the political, regulatory, business, and social culture of areas in which foreign operations exist.
General Control Activities
10. The entity prepares operating budgets and cash flow projections.
11. Operating budgets and projections lend themselves to effective comparison with actual results.
12. Significant variances between budgeted or projected amounts and actual results are reviewed and explained.
13. The company has adequate safekeeping facilities for custody of the accounting records such as fireproof storage areas and restricted access cabinets.
14. The entity has a suitable record retention plan.
15. The entity has adequate controls to limit access to computer programs and data files.
16. Periodically, personnel compare counts of assets to amounts shown on control records.
17. There is adequate segregation of duties among those responsible for authorizing transactions, recording transactions, and maintaining custody of assets.
Information and Communication Systems Support
18. Management receives the information they need to carry out their responsibilities.
19. Information is provided at the right level of detail for different levels of management.
20. Information is available on a timely basis.
21. Information is accurate, that is, correct data is recorded and reported.
22. Information is accessible, that is, it can be easily obtained by appropriate parties.
23. Information with accounting significance (for example, slow-paying customers) is transmitted across functional lines in a timely manner.
Monitoring
24. Customer complaints about billings are investigated for their underlying causes.
25. Communications from bankers, regulators, or other outside parties are monitored for items of accounting significance.
26. Management responds appropriately to auditor recommendations on ways to strengthen internal controls.
27. Employees are required to "sign off" to evidence the performance of critical control functions.
28. The internal auditors are independent of the activities they audit.
29. Internal auditors have adequate training and experience.
30. Internal auditors document the planning and execution of their work by such means as audit programs and working papers.
31. Internal audit reports are submitted to the board of directors or audit committee.
Significant Account Balances and Transaction Cycles
Revenue Cycle
This checklist may be used on any audit engagement of a medium to large company when the revenue
cycle is significant. Normally, the revenue cycle is significant in most audit engagements.
The purpose of this checklist is to document your understanding of controls for significant classes of
transactions. Your knowledge of the revenue cycle should be sufficient for you to understand:
• How cash and credit sales are initiated
• How credit limits are established and maintained
• How cash receipts are recorded
• How sales and cash receipts are processed by the accounting system
• The accounting records and supporting documents involved in the processing and reporting
of sales, accounts receivable, and cash receipts
• The processes used to prepare significant accounting estimates and disclosures
Revenue and Accounts Receivable
A. Initiating Sales Transactions (Rating: N/A / No / Yes)
1. Credit limits are clearly defined.
2. Credit limits are clearly communicated.
3. The credit of prospective customers is investigated before it is extended to them.
4. Credit limits are periodically reviewed.
5. The people who perform the credit function are independent of:
• Sales
• Billing
• Collection
• Accounting
6. Credit limits and changes in credit limits are communicated to persons responsible for approving sales orders on a timely basis.
7. The company has clearly defined policies and procedures for acceptance and approval of sales orders.
8. Pre-numbered sales orders are used and accounted for.
9. Pre-numbered shipping documents are used to record shipments.
10. Shipping document information is verified prior to shipment.
11. The people who perform the shipping function are independent of:
• Sales
• Billing
• Collection
• Accounting
12. All shipping documents are accounted for.
13. Pre-numbered credit memos are used to document sales returns.
14. All credit memos are approved and accounted for.
15. Credit memos are matched with receiving reports for returned goods.
16. Cash sales are controlled by cash registers or pre-numbered cash receipts forms.
17. Someone other than the cashier has custody of the cash register tape compartment.
18. Someone other than the cashier takes periodic readings of the cash register and balances the cash on hand.
B. Processing Sales Transactions
19. Information necessary to prepare invoices (e.g., prices, discount policies) is clearly communicated to billing personnel on a timely basis.
20. Pre-numbered invoices are prepared promptly after goods are shipped.
21. Quantities on the invoices are compared to shipping documents.
22. The prices on the invoices are current.
23. The people who perform the billing function are independent of:
• Sales
• Credit
• Collection
24. Invoices are mailed to customers on a timely basis.
25. Invoices are posted to the general ledger on a timely basis.
26. Standard journal entries are used to record sales.
27. Invoices are posted to the sales and accounts receivable subsidiary ledgers or journals on a timely basis.
28. Credit memos are posted to the general ledger on a timely basis.
29. Credit memos are posted to the sales and accounts receivable subsidiary ledgers or journals on a timely basis.
30. Procedures exist for determining proper cut-off of sales at month-end.
31. The sales and accounts receivable balances shown in the general ledger are reconciled to the sales and accounts receivable subsidiary ledgers on a regular basis.
C. Estimates and Disclosures for Sales Transactions
32. The accounting system generates a monthly aging of accounts receivable.
33. The people who prepare the aging are independent of:
• Billing
• Collection
34. Management uses the accounts receivable aging to investigate, write off, or adjust delinquent accounts receivable.
35. Management uses the accounts receivable aging and other information to estimate an allowance for doubtful accounts.
36. The person responsible for financial reporting identifies significant concentrations of credit risk.
Cash Receipts
A. Initiating Cash Receipts Transactions (Rating: N/A / No / Yes)
1. The entity maintains records of payments on accounts by customer.
2. Someone other than the person responsible for maintaining accounts receivable opens the mail and lists the cash receipts.
3. Cash receipts are deposited intact.
4. Cash receipts are deposited in separate bank accounts when required.
5. People who handle cash receipts are adequately bonded.
6. Local bank accounts used for branch office collections are subject to withdrawal only by the home office.
B. Processing Cash Received on Account
7. Cash receipts are posted to the general ledger on a timely basis.
8. Cash receipts are posted to the accounts receivable subsidiary ledger on a timely basis.
9. Standard journal entries are used to post cash receipts.
10. The people who enter cash receipts to the accounting system are independent of the physical handling of collections.
11. Timely bank reconciliations are prepared or reviewed by someone independent of the cash receipts function.
Purchasing Cycle
This checklist may be used on any audit engagement of a medium to large business where the
purchasing cycle is significant. Normally, the purchasing cycle is significant for most businesses.
The purpose of this checklist is to document your understanding of controls for significant classes of
transactions. Your knowledge of the purchasing cycle should be sufficient for you to understand:
• How purchases are initiated and goods received
• How cash disbursements are recorded
• How purchases and cash disbursements are processed by the financial reporting information
system
• The accounting records and supporting documents involved in the processing and reporting
of purchases, accounts payable, and cash disbursements
• The processes used to prepare significant accounting estimates and disclosures
Purchases and Accounts Payable
A. Initiating Purchases and Receipt of Goods (Rating: N/A / No / Yes)
1. All purchases over a predetermined amount are approved by management.
2. Non-routine purchases (for example, services, fixed assets, or investments) are approved by management.
3. A purchase order system is used, pre-numbered purchase orders are accounted for, and physical access to purchase orders is controlled.
4. Open purchase orders are periodically reviewed.
5. The purchasing function is independent of:
• Receiving
• Invoice processing
• Cash disbursements
6. All goods are inspected and counted when received.
7. Pre-numbered receiving reports, or a log, are used to record the receipt of goods.
8. The receiving reports or log indicate the date the items were received.
9. The receiving function is independent of:
• Purchasing
• Invoice processing
• Cash disbursements
B. Processing Purchases
10. Invoices from vendors are matched with applicable receiving reports.
11. Invoices are reviewed for proper quantity and prices, and mathematical accuracy.
12. Invoices from vendors are posted to the general ledger on a timely basis.
13. Invoices from vendors are posted to the accounts payable subsidiary ledger on a timely basis.
14. The invoice processing function is independent of:
• Purchasing
• Receiving
• Cash disbursements
15. Standard journal entries are used to post accounts payable.
16. The accounts payable account per the general ledger is reconciled periodically to the accounts payable subsidiary ledger.
17. Statements from vendors are reconciled to the accounts payable subsidiary ledger.
C. Disclosures
18. Management has the information to identify vulnerability due to concentrations of suppliers (SOP 94-6).
Cash Disbursements
A. Initiating Cash Disbursements (Rating: N/A / No / Yes)
1. All disbursements except those from petty cash are made by check.
2. All checks are recorded.
3. Supporting documentation such as invoices and receiving reports is reviewed before the checks are signed.
4. Supporting documents are canceled to avoid duplicate payment.
B. Processing Cash Disbursements
5. Cash disbursements are posted to the general ledger on a timely basis.
6. Cash disbursements are posted to the accounts payable subsidiary ledger on a timely basis.
7. Standard journal entries are used to post cash disbursements.
8. Timely bank reconciliations are prepared or reviewed by the owner or manager or someone independent of the cash receipts function.
Inventory
This checklist may be used on any audit engagement of a medium to large business where inventory
is a significant transaction cycle.
The purpose of this checklist is to document your understanding of controls for significant classes of
transactions. Your knowledge of the inventory cycle should be sufficient for you to understand:
• How costs are capitalized to inventory
• How cost is relieved from inventory
• How inventory costs and cost of sales are processed by the accounting system
• The procedures used to take the physical inventory count
• The accounting records and supporting documents involved in the processing and reporting
of inventory and cost of sales
• The processes used to prepare significant accounting estimates and disclosures
A. Capturing Capitalizable Costs (Rating: N/A / No / Yes)
1. Management prepares production goals and schedules based on sales forecasts.
2. The company budgets its planned inventory levels.
3. All releases from storage of raw materials, supplies, and purchased parts inventory are based on approved requisition documents.
4. Labor costs are reported promptly and in sufficient detail to allow for the proper allocation to inventory.
5. The entity uses a cost accounting system to accumulate capitalizable costs.
6. The cost accounting system distinguishes between costs that should be capitalized for GAAP purposes and those that should be capitalized for tax purposes.
7. For standard cost systems:
• Standard rates and volume are periodically compared to actual and revised accordingly.
• Significant variances are investigated.
8. The cost accounting system interfaces with the general ledger.
9. Transfers of completed units from production to custody of finished goods inventory are based on approved completion reports that authorize the transfer.
10. The people responsible for maintaining detailed inventory records are independent from the physical custody and handling of inventories.
11. Production cost budgets are periodically compared to actual costs, and significant differences are explained.
B. Inventory Records
12. The entity maintains adequate inventory records of prices and amounts on hand.
13. Withdrawals from inventory are based on prenumbered finished inventory requisitions, shipping reports, or both.
14. Additions to and withdrawals from inventory are posted to the inventory records and the general ledger.
15. Standard journal entries are used to post inventory transactions to the inventory records and the general ledger.
16. Inventory records are periodically reconciled to the general ledger.
17. Inventory records are reconciled to a physical inventory count.
C. Physical Inventory Counts
18. Inventory is counted at least once a year.
19. Physical inventory counters are given adequate instructions.
20. Inventory count procedures are sufficient to provide an accurate count, including steps to ensure:
• Proper cut-off
• Identification of obsolete items
• All items are counted once and only once
D. Estimates and Disclosures
21. Management is able to identify excess, slow-moving, or obsolete inventory.
22. Excess, slow-moving, or obsolete inventory is periodically written off.
23. Management can identify inventory subject to rapid technological obsolescence that may need to be disclosed under ASC 275.
Financing
This checklist may be used on any audit engagement of a medium to large business where investments
or debt are a significant transaction cycle.
The purpose of this checklist is to document your understanding of controls for significant classes of
transactions. Your knowledge of the financing cycle should be sufficient for you to understand
• How investment decisions are authorized and initiated
• How financing is authorized and captured by the accounting system
• How management classifies investments as either trading, available-for-sale, or held to
maturity
• How investment and debt transactions are processed by the accounting system
• The accounting records and supporting documents involved in the processing and reporting
of investments and debt
• The processes used to prepare significant accounting estimates, disclosures, and presentation
Investments
A. Authorization and Initiation (Rating: N/A / No / Yes)
37. Investment transactions are authorized by management.
38. The company has established policies and procedures for determining when board of director approval is required for investment transactions.
39. Management and the board assess and understand the risks associated with the entity’s investment strategies.
40. Investments are registered in the name of the company.
41. At acquisition, investments are classified as trading, available-for-sale, or held-to-maturity.
B. Processing
42. Investment transactions are posted to the general ledger on a timely basis.
43. Account statements received from brokers are reviewed for accuracy.
44. Discounts and premiums are amortized regularly using the interest method.
45. Procedures exist to determine the fair value of trading and available-for-sale securities.
46. The general ledger is periodically reconciled to account statements from brokers or physical counts of securities on hand.
C. Disclosures
47. Management identifies investments with off-balance-sheet credit risk for proper disclosure.
48. Management distinguishes between derivatives held or issued for trading purposes and those held or issued for purposes other than trading.
49. The entity accumulates the information necessary to make disclosures about derivatives.
Debt
A. Authorization and Initiation
Rating: N/A / No / Yes
1. Financing transactions are authorized by management.
2. The company has established policies and procedures for determining when board of director approval is required for financing transactions.
3. Management and the board assess and understand all terms, covenants, and restrictions of debt transactions.
B. Processing and Documentation
4. Debt transactions are posted to the general ledger on a timely basis.
5. Any premiums or discounts are amortized using the interest method.
6. The company maintains up-to-date files of all notes payable.
C. Disclosure
7. Procedures exist to determine the fair value of notes payable for proper disclosure.
8. Management reviews its compliance with debt covenants on a timely basis.
Property, Plant, and Equipment
This checklist may be used on any audit engagement where fixed assets are a significant transaction
cycle.
The purpose of this checklist is to document your understanding of controls for significant classes of
transactions. Your knowledge of the property, plant, and equipment cycle should be sufficient for you
to understand:
• How fixed asset transactions are authorized and initiated. (Additional information on the
acquisition of fixed assets is documented on the Accounting Systems and Control Checklist for
the Purchasing Cycle.)
• How fixed assets transactions and depreciation are processed by the accounting system.
• The accounting records and supporting documents involved in the processing and reporting
of fixed assets and depreciation.
• The processes used to prepare significant accounting estimates and disclosures.
A. Authorization and Initiation
Rating: N/A / No / Yes
1. Fixed asset acquisitions and retirements are authorized by management.
B. Processing and Documentation
2. The company maintains detailed records of fixed assets and the related accumulated depreciation.
3. Responsibilities for maintaining the fixed asset records are segregated from the custody of the assets.
4. The general ledger and detailed fixed asset records are updated for fixed asset transactions on a timely basis.
5. A process exists for the timely calculation of depreciation expense for both book and tax purposes.
6. The general ledger and detailed fixed asset records are updated for depreciation expense on a timely basis.
7. The general ledger is periodically reconciled to the detailed fixed asset records.
C. Disclosure and Estimation
8. Management identifies events or changes in circumstances that may indicate fixed assets have been impaired (FAS 121).
9. Management assesses and understands the risk of specialized equipment becoming subject to technological obsolescence (ASC 275).
Payroll Cycle
This checklist may be used on any audit engagement of a medium to large business where the payroll
cycle is significant.
The purpose of this checklist is to document your understanding of controls for significant classes of
transactions. Your knowledge of the payroll cycle should be sufficient for you to understand:
• How the time worked by employees is captured by the accounting system.
• How salaries and hourly rates are established.
• How payroll and the related withholdings are calculated.
• The accounting records and supporting documents involved in the processing and reporting
of payroll.
A. Initiating Payroll Transactions
Rating: N/A / No / Yes
1. Wages and salaries are approved by management.
2. Salaries of senior management are based on written authorization of the board of directors.
3. Bonuses are authorized by the board of directors.
4. Employee benefits and perks are granted in accordance with management’s authorization.
5. Senior management benefits and perks are authorized by the board of directors.
6. Proper authorization is obtained for all payroll deductions.
7. Access to personnel files is limited to those who are independent of the payroll or cash functions.
8. Wage and salary rates and payroll deductions are reported promptly to employees who perform the payroll processing function.
9. Changes in wage and salary rates and payroll deductions are reported promptly to employees who perform the payroll processing function.
10. Adequate time records are maintained for employees paid by the hour.
11. Time records for hourly employees are approved by a supervisor.
B. Processing Payroll
12. Payroll is calculated using authorized pay rates, payroll deductions, and time records.
13. Payroll registers are reviewed for accuracy.
14. Standard journal entries are used to post payroll transactions to the general ledger.
15. Payroll cost distributions are reconciled to gross pay.
16. Payroll information such as hours worked is periodically compared to production records.
17. Net pay is distributed by persons who are independent of personnel, payroll preparation, timekeeping, and check preparation functions.
18. The responsibility for custody and follow-up of unclaimed wages is assigned to someone who is independent of personnel, payroll processing, and cash disbursement functions.
19. Procedures are in place to estimate the fair value of stock-based compensation plans.
Part 2. Financial Information System Checklist
End-User Computing
End-user computing occurs when the user is responsible for the development and execution of the
computer application that generates the information used by that same person. For example, an
accounting clerk prepares a spreadsheet which shows amortization of premiums or discounts, and the
information from the spreadsheet is the source of a journal entry.
The Computer Applications Checklist—Medium to Large Business was used to document your
understanding of computer applications operated by the company’s IT department.
You should obtain an understanding of any spreadsheet application, database, or separate computer
system that has been developed by end users to:
• Process significant accounting information outside of the IT-operated accounting application.
For example, a spreadsheet accumulates invoices for batch processing.
• Make significant accounting decisions. For example, a spreadsheet application that ages
accounts receivable and helps in determining write-offs.
• Accumulate footnote information. For example, a database of customers provides information
about the location of customers for possible concentration of credit risk disclosures.
In the space provided below, describe how end user computing is used in the following cycles:
1. Revenue
2. Purchasing
3. Inventory
4. Financing
5. Property, Plant, and Equipment
6. Payroll
Describe:
• The person or department who performs the computing
• A general description of the application and its type (e.g., spreadsheet)
• The source of the information used in the application
• How the results of the application are used in further processing or decision making
Procedures and Controls over End-User Computing
Answer the following questions relating to procedures and controls over end-user computing related
to the following cycles:
1. Revenue
2. Purchasing
3. Inventory
4. Financing
5. Property, Plant, and Equipment
6. Payroll
Cycle reviewed: ______________________
Rating: N/A / No / Yes
1. End-user applications have been adequately tested before use.
2. The application has an appropriate level of built-in controls, such as edit checks, range tests, or reasonableness checks.
3. Access controls limit access to the end user application.
4. A mechanism exists to prevent or detect the use of incorrect versions of data files.
5. The output of the end-user applications is reviewed for accuracy or reconciled to the source information.
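The amortization spreadsheet used above as the end-user computing example, written here with the built-in controls item 2 asks for (edit checks, range tests, reasonableness checks) and the output reconciliation item 5 asks for. This is an added example, not part of the checklist; the bond terms are constructed, and "interest method" is taken to mean the effective interest method named in the investment and debt checklists.

```python
"""Effective-interest amortization of a bond premium or discount, carrying the
built-in controls an end-user application should have (edit checks, range
tests, reasonableness checks) plus a reconciliation of its output.

Added example; not part of the original checklist. Bond terms are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


@dataclass(frozen=True)
class Period:
    number: int
    cash_interest: Decimal     # face value x stated rate
    interest_expense: Decimal  # opening carrying amount x effective rate
    amortization: Decimal      # cash interest less expense (negative for a discount)
    carrying_amount: Decimal   # closing carrying amount


def amortization_schedule(face: Decimal, price: Decimal, stated_rate: Decimal,
                          effective_rate: Decimal, periods: int) -> list[Period]:
    """Interest-method schedule: expense = opening carrying amount x effective
    rate; the gap to cash interest amortizes the premium or discount."""
    # Edit checks: inputs present and of the right sign.
    if face <= 0 or price <= 0 or periods <= 0:
        raise ValueError("face, price and periods must be positive")
    # Range tests: rates are per-period fractions, not percentages.
    for name, rate in (("stated_rate", stated_rate), ("effective_rate", effective_rate)):
        if not (Decimal(0) <= rate < Decimal(1)):
            raise ValueError(f"{name} must lie in [0, 1): got {rate}")
    # Reasonableness checks: a premium implies stated > effective, a discount the reverse.
    if price > face and stated_rate <= effective_rate:
        raise ValueError("issued at a premium but stated rate is not above effective rate")
    if price < face and stated_rate >= effective_rate:
        raise ValueError("issued at a discount but stated rate is not below effective rate")

    carrying = price
    cash_interest = (face * stated_rate).quantize(CENT, ROUND_HALF_UP)
    schedule: list[Period] = []
    for n in range(1, periods + 1):
        expense = (carrying * effective_rate).quantize(CENT, ROUND_HALF_UP)
        amort = cash_interest - expense
        if n == periods:
            # Final-period plug so rounding cannot leave the carrying amount off face.
            amort = carrying - face
            expense = cash_interest - amort
        carrying = carrying - amort
        schedule.append(Period(n, cash_interest, expense, amort, carrying))
    return schedule


def reconcile(schedule: list[Period], face: Decimal, price: Decimal) -> dict[str, bool]:
    """Output controls: the schedule must close to face value, total amortization
    must equal the original premium or discount, and expense must tie to cash."""
    total_amort = sum(p.amortization for p in schedule)
    total_expense = sum(p.interest_expense for p in schedule)
    total_cash = sum(p.cash_interest for p in schedule)
    return {
        "closes_to_face": schedule[-1].carrying_amount == face,
        "amortizes_full_premium_or_discount": total_amort == price - face,
        "expense_ties_to_cash_less_amortization": total_expense == total_cash - total_amort,
    }


# Constructed sample: 100,000 face, 5% stated, 4% effective, 3 periods, issued at 102,775.09.
SAMPLE = {"face": Decimal("100000"), "price": Decimal("102775.09"),
          "stated_rate": Decimal("0.05"), "effective_rate": Decimal("0.04"), "periods": 3}


def run_sample() -> tuple[list[Period], dict[str, bool]]:
    """Build the sample schedule and run the reconciliation over it."""
    schedule = amortization_schedule(**SAMPLE)
    return schedule, reconcile(schedule, SAMPLE["face"], SAMPLE["price"])


if __name__ == "__main__":
    schedule, checks = run_sample()
    for p in schedule:
        print(f"{p.number}: cash {p.cash_interest} expense {p.interest_expense} "
              f"amort {p.amortization} carrying {p.carrying_amount}")
    print(checks)
```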
Information Processed by Outside Computer Service Organizations
The Computer Applications Checklist—Medium to Large Business was used to document your
understanding of the client’s use of an outside computer service organization to process entity-wide
accounting information such as the general ledger. In this section you will document your
understanding of how the entity uses an outside computer service organization to process information
relating to the following cycles:
1. Revenue
2. Purchasing
3. Inventory
4. Financing
5. Property, Plant, and Equipment
6. Payroll
In the space below, describe the cycle information processed by the outside computer service bureau.
Discuss:
• The general nature of the application
• The source documents used by the service organization
• The reports or other accounting documents produced by the service organization
• The nature of the service organization’s responsibilities. Do they merely record entity
transactions and process related data, or do they have the ability to initiate transactions on
their own?
• Controls maintained by the entity to prevent or detect material misstatement in the input or
output.
Part 3. Assessing Segregation of Duties and the Risk of Management Override
Lack of Segregation of Duties
In the space provided below, assess risk due to a lack of segregation of duties for the company, based
on the completion of Parts I and II of this form. Your comments should address:
• The person with incompatible responsibilities and the nature of those responsibilities.
• Any mitigating factors or controls, such as direct management oversight.
• The risk that material misstatements might occur as a result of a lack of segregation of duties,
and the type of those misstatements.
• How substantive procedures will be designed to limit the risk of those misstatements to an
acceptable level.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
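One way to make the first two bullets above systematic, as an added example that is not part of the form: an incompatibility table built from the glossary definition of segregation of duties (authority, custody, accounting) and from payroll checklist items 7, 17 and 18, run over a role-assignment table. The duty names, the sample department and the mitigation note are constructed assumptions.

```python
"""Segregation-of-duties (SoD) conflict check over a role-assignment table.

Added example for the Part 3 assessment; not part of the original form.
Duty names, the incompatibility table and the sample assignments are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from itertools import combinations

# Incompatible duty pairs: authority / custody / accounting from the glossary
# definition, plus the independence requirements of payroll items 7, 17 and 18.
# A pair is a conflict regardless of which side it is listed on.
INCOMPATIBLE: dict[str, set[str]] = {
    "authorize": {"record", "custody"},
    "record": {"custody"},
    "distribute_net_pay": {"personnel_files", "payroll_preparation",
                           "timekeeping", "check_preparation"},
    "unclaimed_wages": {"personnel_files", "payroll_processing",
                        "cash_disbursement"},
    "personnel_files": {"payroll_processing", "cash_disbursement"},
}


def conflicts_for(duties: set[str]) -> list[tuple[str, str]]:
    """Return every incompatible pair within one person's duties, sorted."""
    found: set[tuple[str, str]] = set()
    for a, b in combinations(sorted(duties), 2):
        if b in INCOMPATIBLE.get(a, set()) or a in INCOMPATIBLE.get(b, set()):
            found.add((a, b))
    return sorted(found)


def assess(assignments: list[tuple[str, str]],
           mitigations: dict[str, str] | None = None) -> dict[str, dict]:
    """Group (person, duty) rows by person and report each person who holds
    incompatible duties, with any documented mitigating control.

    Persons with no conflict are omitted, so an empty result means the table
    satisfies the incompatibility rules above.
    """
    mitigations = mitigations or {}
    duties_by_person: dict[str, set[str]] = defaultdict(set)
    for person, duty in assignments:
        duties_by_person[person].add(duty)

    report: dict[str, dict] = {}
    for person, duties in sorted(duties_by_person.items()):
        pairs = conflicts_for(duties)
        if not pairs:
            continue
        report[person] = {
            "conflicts": pairs,
            "mitigation": mitigations.get(person),
            # Unmitigated conflicts are what substantive procedures must be designed around.
            "residual_risk": "reduced" if person in mitigations else "high",
        }
    return report


# Constructed sample: a small payroll department.
SAMPLE_ASSIGNMENTS = [
    ("payroll clerk", "payroll_preparation"),
    ("payroll clerk", "payroll_processing"),
    ("payroll clerk", "distribute_net_pay"),
    ("hr administrator", "personnel_files"),
    ("hr administrator", "cash_disbursement"),
    ("controller", "authorize"),
    ("controller", "record"),
    ("cashier", "custody"),
]
SAMPLE_MITIGATIONS = {
    "controller": "board reviews all journal entries above a set threshold monthly",
}

if __name__ == "__main__":
    for person, finding in assess(SAMPLE_ASSIGNMENTS, SAMPLE_MITIGATIONS).items():
        print(f"{person}: {finding['conflicts']} "
              f"(mitigation: {finding['mitigation']}, risk: {finding['residual_risk']})")
```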
Management Override
Even in effectively controlled entities—those with generally high levels of integrity and control
consciousness—a manager might be able to override controls. The term ‘management override’ means:
Overruling prescribed policies or procedures for illegitimate purposes with the intent
of personal gain or enhanced presentation of an entity’s financial condition or
compliance status.
Management might override the control system for many reasons: to increase reported revenue, to
boost the market value of the entity prior to sale, to meet sales or earnings projections, to bolster bonus
payouts tied to performance, to conceal violations of debt covenant agreements, or to hide a lack of
compliance with legal requirements. Override practices include deliberate misrepresentations to
bankers, lawyers, accountants, and vendors, and intentionally issuing false documents such as sales
invoices.
An active, involved board of directors can significantly reduce the risk of management override.
Management override is different from management intervention, which is the overruling of prescribed
policies or procedures for legitimate purposes. For example, management intervention is usually
necessary to deal with nonrecurring and nonstandard transactions or events that otherwise might be
handled inappropriately by the system.
In the space below, assess the risk of management override for this company. You should consider the
risk that management override possibilities exist, the risk that management will take advantage of
those possibilities, and any evidence that management has engaged in override practices. If the risk of
management override is greater than low, indicate how planned audit procedures will reduce this risk
to an acceptable level.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Part 4. Interpret Results
You should consider the collective effect of the strengths and weaknesses in various control
components. Management’s strengths and weaknesses may have a pervasive effect on internal
control. For example, management controls may mitigate a lack of segregation of duties. However,
human resource policies and practices directed toward hiring competent financial and accounting
personnel may not mitigate a strong bias by management to overstate earnings.
1. Areas That May Allow for Control Risk to Be Assessed Below the Maximum
Based on the completion of sections I through IV of this form you may have become aware of certain
accounts, transactions, and assertions where it may be possible and efficient to plan a control risk
assessment below the maximum. In the area below, document those accounts, transactions, and
assertions and the related tests of controls.
Accounts, Transactions, and Assertions    Test of Controls Working Paper Reference
________________________________          ______________________
________________________________          ______________________
________________________________          ______________________
2. Areas of Possible Control Weakness
Based on the completion of sections I through IV of this form, you may have become aware of certain
areas that may indicate possible control weaknesses, not including those areas relating to segregation
of duties and management override which were assessed and documented in sections III and IV.
In the space provided below, document those areas of possible weakness and the impact the identified
weakness will have on the audit. Discuss:
• The nature of the identified possible weakness
• Any mitigating factors or controls, such as direct management oversight
• The risk that material misstatements might occur as a result of the weakness and the type of
those misstatements
• How substantive procedures will be designed to reduce the risk of those misstatements to an
acceptable level.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Appendix D: Computer Applications Checklist—Medium to Large Business
This questionnaire may be used to document your understanding of the way computers are used in
the information and communication systems of a medium to large business.
Computer Hardware
Describe the computer hardware for the entity, and its configuration. Consider:
• The make and model of the company’s main processing computer(s)
• Input and output devices
• Storage means and capabilities
• Local area networks
• Stand-alone microcomputers
You may wish to attach a separate page to this checklist to document the entity’s computer hardware.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Computer Software
Describe the entity’s main software packages and whether they are unmodified, commercially
available packages, or were developed or modified in-house. (End-user computing applications will be
considered only for significant account balances and transaction cycles. See the Financial Reporting
Information Systems and Control Checklist—Medium to Large Business.)
• Operating system
• Access control
• General accounting
• Database management
• Utilities
• Network
• Communications
• Other
Computer Control Environment
In the space provided below, indicate whether you strongly agree, somewhat agree, somewhat
disagree, or strongly disagree with the following statements. Use a rating scale of 1-5, where 5 =
strongly agree, 4 = somewhat agree, 3 = somewhat disagree, 2 = strongly disagree, and 1 = no opinion.
The answers should be based on:
• The previous experience with the entity
• Inquiries of appropriate management, supervisory, and staff personnel
• Inspection of documents and records
• Observation of the entity’s activities and operations
Acquisition of Hardware
Rating
1. The company has a coherent management plan for the purchase and continued investment in computer hardware.
2. The computer hardware is sufficient to meet the company’s needs.
3. The company’s computer hardware is safely and properly installed.
4. The company has standard, regular hardware maintenance procedures.
Acquisition of Software
5. The company has a coherent management plan for the purchase of and continued investment in computer software.
6. The company researches software products to determine whether they meet the needs of the intended users.
7. The company’s application programs are compatible with each other.
8. The company obtains recognized software from reputable sources.
9. Company policy prohibits the use of unauthorized programs introduced by employees.
10. Company policy prohibits the downloading of untested software from sources such as dial-up bulletin boards.
11. The company uses virus protection software to screen for virus infections.
Program Development
12. Users are involved in the design and approval of systems.
13. Users review the completion of various phases of the application.
14. New programs are thoroughly tested.
15. Users are involved in the review of tests of the program.
16. Adequate procedures exist to transfer programs from development to production libraries.
Program Changes
17. Users are involved in the design and approval of program changes.
18. Program changes are thoroughly tested.
19. Users are involved in the review of tests of the program changes.
20. Adequate procedures exist to transfer changed programs from development to production libraries.
Logical Access
21. Management has identified confidential and sensitive data for which access should be restricted.
22. Procedures are in place to restrict access to confidential and sensitive data.
23. Procedures are in place to reduce the risk of unauthorized transactions being entered into processing.
24. The use of utility programs is controlled or monitored carefully.
25. Procedures are in place to detect unauthorized changes to programs supporting the financial statements.
26. Programmer access to production programs, live data files, and job control language is controlled.
27. Operator access to source code and individual elements of data files is controlled.
28. Users have access only to defined programs and data files.
Physical Security
29. The company has established procedures for the periodic back-up of files.
30. Back-up procedures include multiple generations.
31. Back-up files are stored in a secure, off-site location.
32. Physical access devices (e.g., card-key or combination lock systems) are used to restrict entrance to the computer room.
33. Terminated or transferred employees’ access codes to the computer room are cancelled in a timely manner.
Computer Operations
34. Operations management reviews lists of regular and unscheduled batch jobs.
35. Job control instruction sets are menu-driven.
36. Jobs are executed only from the operator’s terminal.
Outside Computer Service Organizations
This section should be used to document your understanding of how the company uses an outside
computer service organization to process significant accounting information. Guidance on auditing
entities that use computer service organizations is contained in AU section 324, Service Organizations.
1. List the name of the service organization and the general types of services it provides.
____________________________________________________________________
____________________________________________________________________
2. Are the general ledger and other primary accounting records processed by an outside service
organization? Yes / No
If yes, describe the source documents provided to the service organization, the reports and
other documentation received from the organization, and the controls maintained by the user
over input and output to prevent or detect material misstatement.
____________________________________________________________________
____________________________________________________________________
3. List the type and date of the most recent service auditor report.
____________________________________________________________________
____________________________________________________________________
Glossary
Application Controls Controls that are incorporated directly into computer applications for the
purposes of validity, completeness, accuracy, and confidentiality of transactions and data during
application processing; application controls include controls over input, processing, output, master
file, interface, and data management system controls.
Auditing A systematic process of objectively obtaining and evaluating evidence regarding assertions
about economic actions and events to ascertain the degree of correspondence between those
assertions and established criteria and communicating the results to interested users.
Control Activities The policies, procedures, techniques, and mechanisms that enforce management’s
directives to achieve the entity’s objectives and address related risks.
Control Objective The aim or purpose of specified controls; control objectives address the risks related
to achieving an entity’s objectives.
Data Mining A tool under which the data in a data warehouse are processed to identify key factors
and trends in historical patterns of business activity.
Deficiency When the design, implementation, or operation of a control does not allow management
or personnel, in the normal course of performing their assigned functions, to achieve control
objectives and address related risks.
Detective Control An activity that is designed to discover when an entity is not achieving an objective
or addressing a risk before the entity’s operation has concluded and corrects the actions so that the
entity achieves the objective or addresses the risk.
Entity-level Control Controls that have a pervasive effect on an entity’s internal control system; entity-
level controls may include controls related to the entity’s risk assessment process, control
environment, service organizations, management override, and monitoring.
Error Refers to unintentional misstatements or omissions of financial statement amounts or
disclosures—for example, misinterpretation, mistakes, and use of incorrect accounting estimates.
Fraud, on the other hand, refers to acts that are intentional.
External Audit An audit performed by an auditor engaged in public practice leading to the expression
of a professional opinion which lends credibility to the assertion under examination.
Forensic Accounting A science (i.e., a department of systemized knowledge) dealing with the
application of accounting facts gathered through auditing methods and procedures to resolve legal
problems.
Forensic Accountant An integral part of the legal team, helping to substantiate allegations, analyze
facts, dispute claims, and develop motives.
Forensic Audit An examination of evidence regarding an assertion to determine its correspondence to
established criteria carried out in a manner suitable to the court. An example would be a forensic audit
of sales records to determine the quantum of rent owing under a lease agreement, which is the subject
of litigation.
Forensic Investigation The utilization of specialized investigative skills in carrying out an inquiry
conducted in such a manner that the outcome will have application to a court of law. A forensic
investigation may be grounded in accounting, medicine, engineering or some other discipline.
Fraud In contrast to error, an illegal act (a crime) committed intentionally.
General Controls The policies and procedures that apply to all or a large segment of an entity’s
information systems; general controls include security management, logical and physical access,
configuration management, segregation of duties, and contingency planning.
Green Book The commonly used name for Standards for Internal Control in the Federal Government.
Internal Audit An audit performed by an employee who examines operational evidence to determine
whether prescribed operating procedures have been followed.
Internal Control A process, effected by an entity’s oversight body, management, and other personnel,
that provides reasonable assurance that the objectives of an entity will be achieved.
Internal Control System An internal control system is a continuous built-in component of operations,
effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s
objectives will be achieved.
Preventive Control An activity that is designed to prevent an entity from failing to achieve an objective
or addressing a risk.
Public Company Accounting Oversight Board (PCAOB) (www.pcaobus.com) Established in 2002 as a
result of the Sarbanes-Oxley Act, a private sector, non-profit corporation set up to oversee the audits
of public companies and to ensure that accountancy firms no longer derive non-audit revenue
streams, such as consultancy, from their audit clients.
Reasonable Assurance A high degree of confidence, but not absolute confidence.
Sarbanes-Oxley (SOX) Act Wide-ranging U.S. corporate reform legislation, coauthored by the
Democrat in charge of the Senate Banking Committee, Paul Sarbanes, and Republican Congressman
Michael Oxley. It is legislation to ensure internal controls or rules to govern the creation and
documentation of corporate information in financial statements. It establishes new standards for
corporate accountability and penalties for corporate wrongdoing.
Segregation of Duties The separation of the authority, custody, and accounting of an operation.
The Association of Certified Fraud Examiners (CFEs) Established in 1988, the 25,000-member
professional organization dedicated to educating qualified individuals (Certified Fraud Examiners),
who are trained in the highly specialized aspects of detecting, investigating, and deterring fraud and
white-collar crime. Each member of the Association designated a Certified Fraud Examiner (CFE) has
earned certification after an extensive application process and upon passing the uniform CFE
Examination.
Transaction Control Activities Actions built directly into operational processes to support the entity
in achieving its objectives and addressing related risks.
Review Question Answers
Part I − Section 1 Review Questions
1. Internal controls are critical. However, they cannot be designed to provide reasonable assurance
in which of the following scenarios?
A. Incorrect. Internal control forms and other internal control procedures can be devised to make
sure that transactions are executed in accordance with management's authorization.
B. Correct. Internal control can provide reasonable assurance that certain management
objectives implicit in internal control are achieved. Such objectives include the other answer
choices. Internal control can also provide reasonable assurance that transactions are
recorded as necessary to permit preparation of financial statements in conformity with U.S.
GAAP or any other applicable criteria and to maintain accountability for assets. Because of
inherent limitations, however, internal control cannot be designed to eliminate all fraud.
C. Incorrect. Authorization forms can be designed to ensure limited access to assets. There are
two types of authorization to be considered: general authorization and specific authorization.
D. Incorrect. The internal control checklist can be developed to assure that recorded
accountability for assets is compared with the existing assets at reasonable intervals.
2. Which of the following components of internal control includes an assignment of authority and
responsibility?
A. Incorrect. Monitoring assesses the quality of internal control over time.
B. Correct. The control environment sets the tone of an organization. It includes human
resource policies and practices relative to hiring, orientation, training, evaluating,
counseling, promoting, compensating, and remedial actions. Assignment of authority and
responsibility should be considered when assessing the control environment.
C. Incorrect. Risk assessment is the identification and analysis of relevant risks.
D. Incorrect. Control activities are the policies and procedures that help ensure that management
directives are carried out. They include performance reviews, information processing, physical
controls, and segregation of duties.
3. Which of the following components of internal control includes the development and use of
training policies that communicate prospective roles and responsibilities to employees?
A. Incorrect. Monitoring assesses the quality of internal control over time.
B. Correct. The control environment sets the tone of an organization. It includes human
resource policies and practices relative to hiring, orientation, training, evaluating,
counseling, promoting, compensating, and remedial actions.
C. Incorrect. Risk assessment is the identification and analysis of relevant risks.
D. Incorrect. Control activities are the policies and procedures that help ensure that management
directives are carried out. They include performance reviews, information processing, physical
controls, and segregation of duties.
4. Proper segregation of duties will reduce the opportunities which allow persons to be in positions
to both ____________
A. Incorrect. Accountants typically journalize entries and prepare financial statements.
B. Incorrect. Accountants may record both cash receipts and cash disbursements as long as they
do not have custody of cash.
C. Incorrect. Management establishes internal control and ultimately has the responsibility to
authorize transactions.
D. Correct. Segregation of duties is a category of the control activities component of internal
control. Segregating responsibilities for authorization, recording, and asset custody reduces
an employee's opportunity to perpetrate an error or fraud and subsequently conceal it in
the normal course of his/her duties.
5. Effective internal control calls for the separation of certain functions. Which of the following
functions should be separated?
A. Incorrect. Payment is a form of execution (operational responsibility).
B. Correct. One person should not be responsible for all phases of a transaction, i.e., for
authorization of transactions, recording of transactions, and custodianship of the related
assets. These duties should be performed by separate individuals to reduce the
opportunities to allow any person to be in a position both to perpetrate and conceal errors
or fraud in the normal course of his/her duties.
C. Incorrect. Custody of assets and execution of related transactions are often not segregated.
D. Incorrect. Payments must be recorded when made. These two functions are not separable.
6. What is a basic premise underlying analytical procedures?
A. Incorrect. For some assertions, analytical procedures alone may provide the auditor with the
level of assurance (s)he desires.
B. Incorrect. Analytical procedures, such as simple comparisons, do not necessarily require
statistical testing.
C. Incorrect. The objective of analytical procedures, such as ratio analysis, is to identify significant
differences for evaluation and possible investigation.
D. Correct. A basic premise underlying the application of analytical procedures is that plausible
relationships among data may reasonably be expected to exist and continue in the absence
of known conditions to the contrary. Variability in these relationships can be explained by,
for example, unusual events or transactions, business or accounting changes,
misstatements, or random fluctuations.
Part I − Section 2 Review Questions
7. Which of the following is an example of a detective control?
A. Incorrect. Fraud awareness training will help employees identify fraudulent situations before
they happen.
B. Correct. Surprise audits are detective controls that help eliminate the chance of a
cover-up during a fraud or mismanagement investigation.
C. Incorrect. Background checks help to identify potential employees with questionable
employment histories.
D. Incorrect. Data matching ensures that the data is correct based on inputs and outputs.
8. Which of the following is a common control design deficiency among small entities?
A. Incorrect. Manual controls describe a type of control and are more prevalent in small
businesses than automated controls. They are not necessarily considered a design deficiency
for small entities.
B. Incorrect. Preventive controls describe a type of control and are not a control design
deficiency.
C. Correct. Lack of segregation of duties is common in small businesses, as they lack the
resources to properly segregate roles to prevent/reduce opportunities for fraud.
D. Incorrect. Detective controls describe a type of control and tend to be used to offset the lack
of segregation of duties most small businesses experience.
Part II − Section 1 Review Questions
9. According to the Sarbanes-Oxley Act, public accounting firms are allowed to provide which of the
following non-audit services to their clients?
A. Correct. A registered CPA firm may engage in any non-audit service, such as tax services, but
the activity must be approved in advance by the audit committee.
B. Incorrect. The SOX Act prohibits most “consulting” services outside the scope of practice of
auditors, including internal audit outsourcing services. Such services are prohibited even if
pre-approved by the client’s audit committee.
C. Incorrect. Most consulting services such as investment banking or advisory service outside the
scope of practice of auditor are not allowed by the SOX Act.
D. Incorrect. Management or human resources services are also banned by the SOX Act.
10. The Sarbanes-Oxley Act imposes all of the following provisions EXCEPT?
A. Incorrect. The SOX Act created a new 25-year felony for defrauding shareholders of publicly
traded companies. This measure is a broad, generalized provision that criminalizes the
knowing execution or attempted execution of any scheme or artifice to defraud persons in
connection with securities of publicly traded companies or to obtain their money or property
in connection with the purchase or sale of such securities.
B. Incorrect. The SOX Act requires that each member of the audit committee, including at least
one who is a financial expert, be an independent member of the issuer’s board of directors.
C. Correct. It is management’s responsibility to ensure the organization is in compliance with
the requirements of the SOX Act. Specifically, management is responsible for designing and
implementing the system of ICFR, for evaluating the effectiveness of ICFR with sufficient
evidence, and for issuing an internal control report on that assessment. The company’s
auditors cannot assume responsibility for the financial statements.
D. Incorrect. Under SOX Section 406, the SEC is mandated to issue rules adopting a code of ethics
for senior financial officers.
11. The AICPA and the PCAOB accept which of the following frameworks as suitable criteria for
auditors to provide an independent assessment of an entity’s ICFR?
A. Correct. The AICPA expressly accepts the 2013 COSO framework as suitable and available criteria
for management to use to develop, maintain, and report on the effectiveness of its internal
controls over financial reporting, and for auditors to provide an independent assessment of
the same. The PCAOB also accepts the 2013 COSO framework for use in integrated audits of
SEC registrants. This framework is widely accepted and used by SEC registrants and
accounting firms.
B. Incorrect. The Green Book is adopted by state, local, and quasi-governmental entities, as well
as not-for-profit organizations, as a framework for an internal control system.
C. Incorrect. Generally Accepted Government Auditing Standards provide the foundation for
government auditors to lead by example in the areas of independence, transparency,
accountability, and quality through the audit process.
D. Incorrect. US GAAP pertains to generally accepted accounting principles in the U.S., criteria for
accounting and financial reporting.
12. Which of the following statements best describes entity-level controls?
A. Incorrect. Actions built directly into operational processes to support the entity in achieving
its objectives and addressing related risks are transaction level controls.
B. Correct. Controls that have a pervasive effect on an entity’s internal control system and may
pertain to multiple components such as risk assessment process and control monitoring
activities are entity-level controls. Entity-level controls include controls in place to provide
assurance that appropriate controls exist.
C. Incorrect. Controls over transaction processing within an information system are transaction
level controls and, more specifically, application controls over processing of information.
D. Incorrect. Controls over the input of data into computer software systems are transaction level
controls, and, more specifically, application controls over input of data into information
systems.
Part II − Section 2 Review Questions
13. What is the process maturity level for the company’s internal control over financial reporting if
the chain of accountability is established and the process risks are managed quantitatively?
A. Incorrect. The characteristics of defined process include policies, process and standards
defined and “chain of certification” instead of chain of accountability.
B. Incorrect. The characteristics of an optimizing process include best practices identified and
shared, world-class financial reporting processes, and organized efforts to remove inefficiency.
C. Incorrect. At the repeatable level, basic policies and control processes are established. Process
activities are repeating but not necessarily documented. Chain of accountability is not
necessarily formalized.
D. Correct. At the managed level, a company’s process risks are managed quantitatively and
aggregated at the corporate level. In addition, process-based self-assessments are applied to
enforce the chain of accountability.
14. What type of control is often used by operatives where formal controls are inadequate in
containing risk or are not used in practice?
A. Incorrect. Directive control provides guidance to employees to help achieve the desired
objectives of the department.
B. Incorrect. Corrective control identifies the flaws in the process and determines the actions to
be taken to correct the problems.
C. Incorrect. Entity-level control has a pervasive effect on an entity’s internal control system;
entity-level controls may include controls related to the entity’s risk assessment process,
control environment, service organizations, management override, and monitoring.
D. Correct. Compensating control serves to accomplish the objective of another control that
did not function properly, helping to reduce risk to an acceptable level.
15. Which of the following statements is TRUE regarding management’s documentation of internal
controls?
A. Incorrect. The documentation supporting management’s assessment does not need to include
the entire population of controls that exists within a process that impacts financial reporting.
The documentation should be focused on those controls that management concludes are
adequate to address the identified financial reporting risks.
B. Incorrect. Management’s documentation may take various forms, for example, entity policy
manuals, accounting manuals, narrative memoranda, flowcharts, decision tables, procedural
write-ups, or completed questionnaires. The level and nature of documentation vary based on
the size, nature, and complexity of the company.
C. Correct. Documentation of controls, including changes to controls, is evidence that controls
are identified, capable of being communicated to those responsible for their performance,
and capable of being monitored and evaluated by the entity. Thus, control documentation
serves as a basis for management’s assessment about ICFR.
D. Incorrect. According to the SEC, evidential matter, including documentation, must support the
assessment of both the design of internal controls and the testing processes. Such evidential
matter should provide reasonable support, not definite support: (1) for the evaluation of
whether the control is designed to prevent or detect material misstatements or omissions;
(2) for the conclusion that the tests were appropriately planned and performed; and (3) that the
results of the tests were appropriately considered.
Part III − Section 1 Review Questions
16. In an audit of financial statements, what is an auditor's primary consideration regarding internal
control?
A. Incorrect. Management's philosophy and operating style is just one factor in the control
environment of internal control.
B. Correct. An auditor's primary concern is whether a specific control affects financial
statement assertions. Much of the audit work required to form an opinion consists of
gathering evidence about the assertions in the financial statements. These assertions are
management representations embodied in the components of the financial statements.
Controls relevant to an audit are individually or in combination likely to prevent or detect
material misstatements in financial statement assertions.
C. Incorrect. Restricting access to assets is only one of many physical controls which constitute
the control activities of internal control.
D. Incorrect. Many controls concerning management's decision-making process are not relevant
to an audit. Decision-making is one of the key managerial functions not subject to an audit.
17. SAS 130 applies to which of the following types of audits?
A. Incorrect. A forensic examination is a special purpose audit with a focus on a known or
suspected act of fraud rather than a general focus on reporting on ICFR.
B. Correct. An integrated audit has a focus on reporting on ICFR and reporting on the financial
statements taken as a whole.
C. Incorrect. Agreed upon procedures for compliance do not have a focus on reporting on ICFR.
They consist of auditors performing specific procedures on the subject matter.
D. Incorrect. A performance audit does not have a focus on reporting on ICFR. It provides findings
or conclusions based on an evaluation of sufficient, appropriate evidence against criteria.
18. To obtain an understanding of a manufacturing entity's internal control concerning inventory
balances, what would an auditor most likely do?
A. Correct. The auditor should obtain a sufficient understanding of the internal control units or
areas to plan the audit, including knowledge about the design of relevant controls and
whether they have been placed in operation. Reviewing the entity's descriptions of
inventory policies and procedures helps the auditor understand their design.
B. Incorrect. Performing test counts of inventory is a test of details (a substantive test).
C. Incorrect. Analysis of inventory turnover statistics is an analytical procedure performed as a
substantive test.
D. Incorrect. Analysis of monthly production reports to identify variances and unusual
transactions is an analytical tool, not a primary step at the initial stage of the audit.
Part III − Section 2 Review Questions
19. When obtaining an understanding of an entity's control environment, why should an auditor
concentrate on the substance of controls rather than their form?
A. Incorrect. The appropriateness of particular controls is not the main focus at this stage of the
audit. The control environment, which is the foundation for the other components of internal
control, provides discipline and structure by setting the tone of an organization and influencing
control consciousness.
B. Incorrect. Whether the board is aware of management's attitude is not relevant to whether
management's actions are consistent with the established controls.
C. Correct. In obtaining an understanding of the control environment, the auditor seeks to
understand the attitude, awareness, and actions concerning the control environment on the
part of management and the directors. For this purpose, the auditor must concentrate on
the substance of controls rather than their form because controls may be established but
not acted upon. For example, management may adopt a code of ethics but condone
violations of the code.
D. Incorrect. The effectiveness of particular controls is not the primary emphasis at this stage of
the audit. The control environment includes human resource policies and practices relative to
hiring, orientation, training, evaluating, counseling, promoting, compensating, and remedial
actions.
20. Which of the following approaches is required by both the PCAOB and the AICPA in determining
the scope of testing for financial audits?
A. Incorrect. Adopting a methodical approach involves performing audit procedures in a
systematic way. However, it is not the mandated approach to determining the scope of testing
for financial audits.
B. Incorrect. Although the standards may imply an inclusive approach with all team members
participating in the decision, such an approach is not required by the PCAOB or the AICPA.
C. Correct. The effectiveness of a risk-based audit depends on whether the auditor identifies
the risks of material misstatement and has an appropriate basis for assessing those risks.
Therefore, both the PCAOB and the AICPA require the auditor to assess the risks of material
misstatement at the financial statement level and the assertion level. The assessment
enhances the effectiveness of audit procedures by assisting the auditor to determine the
scope of testing.
D. Incorrect. Neither the PCAOB nor the AICPA requires all team members to vote on the scope
of testing.
21. Which of the following factors is most important concerning an auditor's responsibility to detect
errors and fraud?
A. Incorrect. The susceptibility of the accounting records to fraud is but one of the many factors
that must be considered in the risk assessment. Many internal and external events and
circumstances may be relevant to the risk of preparing financial statements that are not in
conformity with United States GAAP (or another comprehensive basis of accounting).
B. Incorrect. Unreasonable accounting estimates may result from unintentional bias or
intentional attempts to misstate the financial statements. But there are numerous internal
and external events and circumstances that need to be considered.
C. Incorrect. The auditor should always recognize the possibility that management fraud,
defalcations, and the misappropriation of assets may indicate the existence of illegal acts. This
is only one of the many factors that must be considered in the risk assessment, such as the
possibility of executed transactions that remain unrecorded.
D. Correct. An auditor should assess the risk that errors and fraud may cause the financial
statements to contain material misstatements. (S)he should then design the audit so as to
provide reasonable assurance that material errors and fraud are detected.
22. An auditor tests an entity's policy of obtaining credit approval before shipping goods to customers
in support of which of the following management's financial statement assertions?
A. Correct. The proper approval of credit provides assurance that the account receivable is
collectible; thus, it is related to the valuation assertion that accounts receivable are recorded
at net realizable value.
B. Incorrect. Completeness concerns whether all transactions and accounts have been
represented.
C. Incorrect. Existence or occurrence concerns whether assets or liabilities exist and whether
recorded transactions have occurred.
D. Incorrect. Rights and obligations assertions relate to whether assets are the rights of the entity
and obligations are liabilities of the entity at a given date.
23. What is the type of opinion the auditor will render on management's assessment if the auditor
disagrees with management about whether a material weakness exists?
A. Correct. If the auditor concludes a material weakness exists but management does not, the
auditor will render an adverse opinion on management's assessment. The PCAOB has also
stated that it expects disclosure sufficient to allow users to understand the weakness and
its actual and potential implications on the financial statements.
B. Incorrect. A departure from GAAP may justify a qualified opinion. Management may not
express a qualified conclusion, such as stating that internal control is effective except to the
extent certain problems have been identified.
C. Incorrect. A disclaimer of opinion is a report stating that because of restrictions on the scope
of the auditor's work, the auditor is unable to, and does not, express an opinion on
management's assessment or on the effectiveness of internal control over financial reporting.
D. Incorrect. An unqualified opinion is twofold: (1) an opinion that management's assessment
is fairly stated in all material respects, along with an opinion that internal control over financial
reporting is effective in all material respects as of the assessment date; and (2) an opinion that
management's assessment (that internal control over financial reporting is not effective) is
fairly stated in all material respects, along with an opinion that internal control over financial
reporting is ineffective because of one or more material weaknesses.
Part IV − Section 1 Review Questions
24. Which of the following is considered to be a fraud risk factor?
A. Incorrect. Opportunity is a risk factor but the lack of opportunity would reduce the risk.
B. Correct. Incentive is considered to be a risk factor. Pressure is also considered to be a risk
factor.
C. Incorrect. While financial stability may be a motive to commit fraud, it is not a risk factor.
D. Incorrect. Prosecuting employees who commit fraud may be a deterrent, but it is not a risk
factor.
25. An employee who made a false claim for reimbursement of inflated business expenses believes
that his behavior was harmless because the financial loss to the agency was immaterial. Which of
the fraud triangle elements best explains his action?
A. Incorrect. Opportunity is the ability to commit fraud or to conceal it. Examples of opportunity
include weak internal control, poor supervision, and lack of training. None of these situations
is identified in this case.
B. Incorrect. There are six common traits of capability, including functional authority within the
organization, sufficient intelligence to exploit a situation, a strong ego and coercive skills, being a
good liar, and a high tolerance for stress. None of these traits is present in this case.
C. Correct. Rationalization is the ability for a person to justify a fraud which involves a person
reconciling his/her behavior, such as stealing, with some common excuses. In this case, the
employee justified stealing by using the excuse that the financial loss was minimal to the
agency so that his action was harmless.
D. Incorrect. Pressure indicates a need that an individual attempts to satisfy by committing fraud,
such as living beyond one’s means, high personal debt, and peer pressure. None of these
factors are identified in this case.
26. Which of the following would be an example of self-dealing by corporate insiders?
A. Correct. Insider trading is an example of self-dealing by corporate insiders. Martha Stewart
was convicted of such a crime in 2002.
B. Incorrect. Understating/concealing liabilities and losses is an example of falsification of
corporate financial information. This is most often done to report inflated profits.
C. Incorrect. Falsification of net asset values would be an example of fraud in connection with an
otherwise legitimately-operated mutual or hedge fund.
D. Incorrect. Late trading is an example of fraud in connection with an otherwise legitimately-
operated mutual or hedge fund.
27. Which of the following is a category of fraud consisting of extortion, conflict of interest, and
bribery?
A. Incorrect. False claims usually pertain to Social Security, defense contractors, healthcare
company fraud, or other instances in which a company or individual attempts to be paid by
the government for an invalid reason.
B. Correct. Corruption is a scheme in which an employee misuses his or her influence in a
business transaction in a way that violates his or her duty to the employer to gain a direct
or indirect benefit. Such schemes involve extortion, conflict of interest, or bribery.
C. Incorrect. Financial statement fraud is a scheme in which an employee intentionally causes a
misstatement or omission of material information in the entity’s financial reports, such as
fictitious revenues, understating reported expense, or artificially inflated reported assets.
D. Incorrect. Payroll scheme is a fraudulent disbursement scheme in which an employee causes
his or her employer to issue a payment by making false claims for compensation.
28. According to ACFE Report to the Nations, which of the following types of fraud occurs most often?
A. Incorrect. Based on the Report to the Nations, fraudulent financial statements account
for only 10% of fraud litigation.
B. Correct. Based on the Report to the Nations, asset misappropriation accounts for about
86% of fraud cases.
C. Incorrect. Corporate fraud obstruction of justice schemes are designed to conceal the
previously noted criminal conduct (accounting fraud and self-dealing schemes), particularly
when that obstruction impedes the regulatory inquiries of the SEC or other regulatory bodies.
D. Incorrect. Those that commit corporate fraud by utilizing self-dealing by corporate insider type
schemes typically do so because they forget that even though they are executives of the
corporation, the corporation does not belong to them.
29. According to ACFE Report to the Nations, which of the following industries has the greatest number
of fraud cases?
A. Incorrect. Although technology has a higher median loss ($150,000) than banking and financial
services ($100,000), it does not have as many fraud cases (66 cases) as banking and financial
services (386).
B. Incorrect. Services (professional) is one of the industries that has the lowest number of fraud
cases.
C. Correct. Banking and financial services has the greatest number of cases in the ACFE report: 386
of the total 2,504 real cases of occupational fraud.
D. Incorrect. Retail has 91 of the total 2,504 cases according to the ACFE report.
30. Most business owners associate fraud with misappropriation of cash. What is another form of
fraud?
A. Incorrect. Litigation support and pre-employment screening are investigative services offered
by forensic accountants.
B. Incorrect. Business valuations are not a fraudulent activity. Their goal is to determine the current
value of a business for various personal or legal matters.
C. Incorrect. Economic losses and information losses that are due to economic downturns are
unforeseeable events and not necessarily the result of misappropriations or fraudulent
activities.
D. Correct. Inventory theft is usually attributed to employees who are intentionally
misappropriating cash or other assets from their employers through a variety of fraudulent
activities such as collusion and falsifying records and documents as well as a number of other
fraudulent schemes.
Part IV − Section 2 Review Questions
31. When a forensic accountant investigates an activity such as purchasing/kickback schemes,
computer fraud, labor fraud, or falsification of inventory, what activity is he/she performing?
A. Incorrect. A forensic accountant who helps to establish lost earnings by gathering and analyzing a
variety of information and then issuing a report on the basis of outcome analysis is evaluating
a personal injury or fatal accident claim.
B. Incorrect. A forensic accountant who helps to determine whether professional ethics or
other standards of professional practice have been breached is engaged in evaluating
professional negligence.
C. Incorrect. A forensic accountant retained to assist with alternative dispute resolution by acting
as a mediator to resolve the dispute in a timely manner and with a minimum of disruption is
engaged in arbitration.
D. Correct. The type of investigation by a forensic accountant that often involves fund tracing,
asset identification, and recovery on behalf of police forces is termed a fraud and white-
collar crime investigation.
32. Which of the following statements is TRUE for a fraud examination?
A. Incorrect. Fraud examinations are non-recurring; audits are conducted on a recurring basis.
B. Incorrect. Fraud examinations are specific in scope; auditing of financial data is general in
scope.
C. Correct. Fraud examinations are adversarial in order to affix the blame; audits are non-
adversarial in nature.
D. Incorrect. Auditing standards attempt to approach audits with professional skepticism. Fraud
examiners attempt to establish sufficient proof to support or refute a fraud allegation.
33. How is auditing different than fraud examination?
A. Incorrect. In an audit, the scope is a general examination of financial data.
B. Incorrect. Audits are generally conducted for the purpose of expressing an opinion on the
financial statements or related information.
C. Correct. Fraud examinations are nonrecurring. They are only conducted with sufficient
predication. Audits are conducted on a recurring basis.
D. Incorrect. Audits are conducted by examining inside financial data and obtaining corroborating
evidence.
34. Which of the following tools helps link seemingly unrelated pieces of evidence?
A. Incorrect. A network sniffer (hardware) allows the user to "recreate" the crime by keeping a record
of packet sessions across networks.
B. Incorrect. A portable disk duplicator and/or duplication software preserves the original crime
scene by allowing investigators to copy hard drives in the field and the lab for later analysis.
C. Correct. One of the greatest challenges that many organizations face in managing fraud
revolves around control over the sheer volume of incidents and volume of data. Case
management software assists fraud examiners in linking seemingly unrelated pieces of
evidence.
D. Incorrect. Chain-of-custody documentation hardware videotapes every mouse click of the
investigative process to make court testimony more credible.