Internal Control Strategies

A Mid to Small Business Guide

About This Book

Praise for Internal Control Strategies: A Mid to Small Business Guide

"Internal Control Strategies is an excellent field guide for the implementation and maintenance of efficient and effective internal control systems. The book provides a practical approach to interpreting guidance from oversight agencies and integrating it with industry practice in a real-world environment. This handbook is an essential tool for managers and professionals going through the day-to-day struggle of managing auditor expectations and permitting business to proceed in the most efficient manner."
-Michael Rodriguez, former senior manager of finance, Qualcomm Incorporated

"Internal Control Strategies is the clearest path forward for middle-market SEC registrants and their independent registered public accounting firms as they streamline the SOX 404 compliance process in 2008 and beyond."
-Stephen G. Austin, MBA, CPA, Managing Firm Partner, Swenson Advisors, LLP, Regional PCAOB Accounting Firm

"Clearly written and practical, Internal Control Strategies is a must-read for every chief audit, finance, or compliance executive."
-Jeff Miller, Partner-in-Charge, Business Risk Services, Squar, Milner, Peterson, Miranda & Williamson, LLP

"As a CFO of small to mid-sized publicly traded and privately held companies, one is usually faced with the challenge of developing and implementing the right levels of internal controls and compliance within the restrictions of limited financial and human resources. Internal Control Strategies presents the relevant topics in a clear and concise manner, allowing the reader to understand the internal control framework and specific underlying requirements quickly. The author's vast experience with SOX compliance ensures a targeted and pragmatic approach for the successful implementation of internal controls. Her recommendations are 'to the point' and eliminate some of the guesswork we all have experienced while working towards SOX compliance."
-Robert S. Stefanovich, Chief Financial Officer, Novalar Pharmaceuticals, Inc.

The SEC requires all publicly traded companies to attest to the effectiveness of their internal controls. Is your business ready? Internal Control Strategies: A Mid to Small Business Guide clearly explains the latest PCAOB, SEC, and COSO guidance, providing you with an effective tool and reference guide for successful implementation of sections 302 and 404 of the Sarbanes-Oxley Act. Extremely knowledgeable and insightful, author Julie Harrer brings practical clarity to this complex topic, leading you step by step in addressing the challenges associated with bringing your business into compliance with SOX.

Information

Publisher: Wiley
Year: 2008
ISBN: 9780470437612
Edition: 1

Chapter 1 - Understanding the SEC’s Guidance for Management

Key Topics:
• The purpose of internal control over financial reporting
• The SEC’s recommendations for internal control evaluations
• Guidance for management’s reporting considerations
• Rule amendments and other SEC guidance related to internal control over financial reporting

PURPOSE OF INTERNAL CONTROL OVER FINANCIAL REPORTING

As most people involved with Section 404 already know, the overall purpose of internal controls over financial reporting is to prepare reliable, materially accurate financial statements. The rationale of Section 404 is to identify any material weaknesses that have more than a remote likelihood of leading to a material misstatement in a company’s financial statements and ultimately to produce more reliable reporting. Since only material weaknesses need to be disclosed, the focus of Section 404 is on issues that could cause material errors in the financial statements.
Public companies have been required to establish and maintain internal accounting controls since the enactment of the Foreign Corrupt Practices Act of 1977. Now under Section 404 of the Sarbanes-Oxley Act (SOX), public companies must attest to the effectiveness of their internal controls over financial reporting when they file their annual report. Although laws on internal controls are not new, Section 404 was meant to spotlight the connection between strong internal controls and reliable financial statements.
Effective internal controls can also help to deter or detect fraudulent financial reporting practices and perhaps reduce any adverse effects. Internal controls are not meant to prevent or detect every instance of fraud, especially when there is collusion of two or more people. However, Section 404 has increased awareness and put structures in place to help reduce the risk of fraud in financial reporting.
After the Sarbanes-Oxley Act (SOX), including the infamous Section 404, was enacted in 2002, the Securities and Exchange Commission (SEC) adopted final rules implementing the requirements of Section 404(a) in June 2003. The final rules did not prescribe any specific method or set of procedures for management to follow in performing its evaluation of internal control over financial reporting (ICFR). From an optimistic viewpoint, this gave public companies some flexibility for their assessment of internal control. In reality, the lack of guidance caused many companies confusion on what constituted “reasonable support” for their assessments. In the absence of specific guidance, management relied on Auditing Standard No. 2 (AS No. 2) and other guidance for auditors to help guide their own SOX programs.
Finally in June 2007, the SEC issued the first guidance for management in an attempt to enable public companies to conduct a more effective and efficient evaluation of ICFR. Further, under the SEC’s rule amendments, auditors would express only a single opinion on the effectiveness of the company’s internal controls in the attestation report rather than expressing separate opinions on the effectiveness of the company’s ICFR and on management’s assessment.
Also in 2007, the Public Company Accounting Oversight Board (PCAOB) issued a new auditing standard to supersede AS No. 2. Although much more robust, the PCAOB’s new Auditing Standard No. 5 complements the SEC’s guidance for management and supports the SEC amendments.
The SEC gives companies the option to follow its new guidance for compliance with Section 404. Managers may choose to rely on the interpretive guidance as an alternative to what is provided in existing auditing standards for two key reasons:
1. The rule would give managers who follow the interpretive guidance comfort that they have conducted a sufficient ICFR evaluation.
2. Elimination of the auditors’ opinion on management’s assessment in the auditors’ attestation report should significantly lessen the pressures that managers have felt to look to auditing standards for guidance.

The SEC has high hopes for its guidance and rule amendments, believing they will promote competition and capital formation in the U.S. marketplace. The amendments should also increase efficiencies with the effort and resources associated with an evaluation of ICFR, facilitate more efficient allocation of resources within a company, and be scalable depending on the size of the company.
These claims may in fact be true. Although the information in the SEC’s guidance for management is not novel, the SEC states, “The guidance sets forth an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting. An evaluation that complies with this interpretive guidance is one way to satisfy the evaluation requirements.”1 However, the SEC’s guidance for management is very general and may create more confusion than efficiency.
The SEC believes it is impractical to prescribe a single methodology that meets the needs of every company and that management must bring its own experience and informed judgment to bear in order to design an evaluation process that meets company needs and provides reasonable assurance for its assessment. This guidance is intended to allow management the flexibility to design such an evaluation process.
Just as in the PCAOB’s standards, the SEC identified the Internal Control—Integrated Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as an example of a suitable framework on which management can base its assessment of internal control. The SEC also states that while the COSO framework identifies the components and objectives of an effective system of internal control, it does not set forth an approach for management to follow in evaluating the effectiveness of a company’s ICFR. It distinguishes between the COSO framework as a definition of what constitutes an effective system of internal control and guidance on how to evaluate ICFR.
The SEC points out the establishment and maintenance of internal accounting controls has been required of public companies since the enactment of the Foreign Corrupt Practices Act of 1977. Section 404 of SOX reemphasizes the important relationship between the maintenance of effective ICFR and the preparation of reliable financial statements.
The SEC and its staff issued guidance in May 2005 emphasizing that management, not the auditors, is responsible for determining the appropriate nature and form of internal controls for the company as well as their evaluation methods and procedures. Certain concepts from the May 2005 Staff Guidance have been incorporated into this new guidance for management, and the May 2005 Staff Guidance remains relevant. For more information on the May 2005 Guidance from the SEC, see Chapter 3.
The SEC advises management to conduct an evaluation of its internal controls that is sufficient to provide it with a reasonable basis for its annual assessment. Exchange Act Section 13(b)(7) defines “reasonable assurance” and “reasonable detail” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” The SEC believes “reasonableness” is not an “absolute standard of exactitude for corporate records.” In addition, the SEC recognizes that “reasonableness” is an objective standard, and there is a range of judgments that an issuer might make as to what is “reasonable” in implementing Section 404. Hence, the term “reasonable” in the context of Section 404 implementation does not imply a single conclusion or methodology, but a full range of appropriate conduct, conclusions, or methodologies upon which an issuer may reasonably base its decisions.
Keeping in line with the PCAOB’s AS No. 5, the SEC’s guidance for management is organized around two broad principles:
1. Management should evaluate the design of the controls that it has implemented to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner.
2. Management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.

This guidance addresses a number of the common areas of concern that have been identified over the past two years by companies of all sizes. For example, the guidance:
• Explains how to vary approaches for gathering evidence to support the evaluation based on risk assessments
• Explains the use of “daily interaction,” self-assessment, and other ongoing monitoring activities as evidence in the evaluation
• Explains the purpose of documentation and how management has flexibility in approaches to documenting support for its assessment
• Provides management significant flexibility in making judgments regarding what constitutes adequate evidence in low-risk areas
• Allows for management and auditors to have different testing approaches

To accomplish these goals, the SEC’s guidance for management is broken into two sections:
1. The Evaluation Process
• Identifying Financial Reporting Risks and Controls
• Evaluating Evidence of the Operating Effectiveness of ICFR
• Multiple Location Considerations
2. Reporting Considerations
• Evaluation of Control Deficiencies
• Expression of Assessment of Effectiveness of ICFR by Management
• Disclosures about Material Weaknesses
• Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICFR
• Inability to Assess Certain Aspects of ICFR

EVALUATION PROCESS

The objective of an evaluation of ICFR is to provide management with a reasonable basis for its annual assessment of internal control as of the end of the fiscal year. To meet this objective, management should identify the risks to reliable financial reporting, evaluate whether the controls are designed with a reasonable possibility of addressing those risks, and evaluate evidence about the operation of the controls. The evaluation process will vary from company to company, but the SEC guidance uses the top-down, risk-based approach, which is widely regarded as the most efficient and effective.

Identifying Financial Reporting Risks and Controls

According to the SEC, the identification of financial reporting risks typically begins with evaluating how the requirements of generally accepted accounting principles (GAAP) apply to the company’s business, operations, and transactions. Management should use its knowledge and understanding of the business and its processes to consider the sources and potential likelihood of errors in financial reporting and identify those errors that could result in a material misstatement to the financial statements. Risk factors to consider could include:
• Internal and external risks that impact the business, including the nature and extent of any changes in those risks
• Errors in the initiation, authorization, processing, and recording of transactions and other adjustments that are reflected in financial reporting elements
• The vulnerability of the entity to fraudulent activity (i.e., fraudulent financial reporting, misappropriation of assets, and corruption)

Identifying Controls that Adequately Address Financial Reporting Risks

The determination of whether an individual control, or a combination of controls, adequately addresses a financial reporting risk involves judgments about the likelihood and potential magnitude of misstatements that could arise from the risk. Controls are not adequate to address financial reporting risk if they are designed to allow a reasonable possibility that a material misstatement of the company’s financial statements would not be prevented or detected on a timely basis. Judgments about the characteristics of controls, such as the level of expertise needed to operate them or their complexity, will affect the evaluation of risks that controls will fail to operate as designed.

Consideration of Entity-Level Controls

Some entity-level controls are designed to operate at the process, transaction, or application level and might adequately prevent or detect a material misstatement in the financial statements. However, some entity-level controls may be designed to identify possible breakdowns in lower-level controls but not in a manner that would, by itself, sufficiently address an identified financial reporting risk. The more indirect the relationship to a financial reporting element, the less effective a control may be in preventing or detecting a misstatement. It is unlikely that management would identify only indirect, entity-level controls as adequately addressing a financial reporting risk identified for a financial reporting element.

Role of General Information Technology Controls

Only those general information technology (IT) controls that are necessary to adequately address financial reporting risks should be evaluated for management’s assessment of internal control. Although general IT controls usually would not directly prevent or detect a material misstatement in the financial statements, automated or IT-dependent controls rely on effective general IT controls to operate properly.

Evidential Matter to Support the Assessment

As part of its evaluation of ICFR, management is required to maintain reasonable support for its assessment. The form and extent of the documentation will vary depending on the size, nature, and complexity of the company, but should include documentation of the design of the controls management has placed in operation to adequately address the financial reporting risks. Documentation of the design of controls supports other objectives of an effective system of internal control, such as providing evidence that controls and changes to those controls have been identified, communicated to those responsible for their performance, and are capable of being monitored by the company.

Evaluating Evidence of the Operating Effectiveness of ICFR

The SEC states that evidence about the effective operation of controls may be obtained both from direct testing of controls and ongoin...

Table of contents

  1. Title Page
  2. Copyright Page
  3. Preface
  4. Chapter 1 - Understanding the SEC’s Guidance for Management
  5. Chapter 2 - The PCAOB’s Auditing Standard No. 5
  6. Chapter 3 - SEC’s Guidance on a Risk-Based Approach
  7. Chapter 4 - Highlights of the PCAOB’s May 2005 Policy Statement
  8. Chapter 5 - Starting at the Top: Using Entity-Level Controls to Create Efficiencies
  9. Chapter 6 - Minimizing Excess through Proper Scoping and Planning Practices
  10. Chapter 7 - Advantageous Project Management Techniques
  11. Chapter 8 - Streamlining Documentation
  12. Chapter 9 - Economical Testing Techniques
  13. Chapter 10 - Methods for Remediation Madness
  14. Chapter 11 - Taking the Mystery Out of Evaluating Deficiencies
  15. Chapter 12 - Common Areas of Concern and How to Address Them
  16. Appendix A - Simplified Sample Entity-Level Control Matrices
  17. Appendix B - COSO’s Internal Controls Checklist for Entity-Level Controls
  18. Appendix C - Standardized Period-End Process Control Matrix
  19. Appendix D - PCAOB Staff Question-and-Answer Index
  20. Appendix E - SEC Office of the Chief Accountant Frequently Asked Questions Index
  21. Appendix F - Summary of Changes Made to Auditing Standard No. 2 and the Related ...
  22. Index