Turner presentation

36 530 0
Turner presentation

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

Thông tin tài liệu

An Efficient Approach to Identification and Documentation of Critical Accounting Application Controls Jerry L Turner The University of Memphis © Jerry L Turner 2006 Sarbanes-Oxley Act of 2002 • Section 404 requires an assessment by management of the effectiveness of the internal control structure and procedures for financial reporting • Requires each independent auditor to attest to, and report on, the assessment made by the management of the issuer © Jerry L Turner 2006 Sarbanes-Oxley Act of 2002 • Internal control systems must be documented • Relevant internal controls must be identified and tested © Jerry L Turner 2006 Sarbanes-Oxley Act of 2002 • Congress assumed that existing documentation would be an adequate basis for management of public companies to report on internal accounting controls © Jerry L Turner 2006 Background—Auditors • Prior to SAS No 55 (1988), auditors documented systems and identified internal controls with extensive flowcharts, extensive internal control checklists, or both © Jerry L Turner 2006 Traditional Flowcharts • Portray systems as a chronological sequence of processing steps representing transaction flows • Usually include superfluous information • Difficult to maintain because of complexity • Ineffective in identifying existing controls • Ineffective at identifying where controls should exist but were not present © Jerry L Turner 2006 Traditional Flowchart Source: Whittington/Pany: Principles of Auditing © Jerry L Turner 2006 Internal Control Questionnaires • Tend to be boilerplate in nature • Not very effective at relating controls to audit objectives • Frequently in a yes/no format where yes is good, no is bad © Jerry L Turner 2006 Internal Control Questionnaire Source: Whittington/Pany: Principles of Auditing © Jerry L Turner 2006 Move to Focus on Assertions • Subsequent to SAS No 55, auditors began organizing internal control documentation by audit objective to enable risk-based audits • Prompted auditors to replace flowcharts with more easily prepared (cheaper?) narratives organized by control objectives corresponding to financial statement assertions © Jerry L Turner 2006 Continuous Auditing • Several reasons for resistance to implementation of continuous auditing – Technology – Cost – Different objectives for company and auditor • SOX has aligned objectives with integrated audit approach © Jerry L Turner 2006 When Can Errors Occur? • When data is entered into a system • When data is transferred from one document or electronic file to a different document or electronic file • When data changes form through aggregation or other process • When data is deleted © Jerry L Turner 2006 Three Steps to an Effective Approach • First, identify the significant accounts that affect the financial statements • Then, for each significant account, identify the critical data path (CDP), beginning from the general ledger or terminal database table and proceeding backwards through each relevant file or database table until data origination © Jerry L Turner 2006 Critical Data Path (CDP) General Ledger Account File A File B Document Interface with other systems/applications • E-commerce • Web interfaces • EDI • Non-integrated systems/applications Transaction or Allocation Three Steps to an Effective Approach • Second, identify the process or processes that affect accounting data as it moves from entry to general ledger or terminal database table • A process can affect data in three ways: it can – add new data to the CDP – transform data already existing in the CDP – delete data from the CDP © Jerry L Turner 2006 Ad Hoc and Other Processes • Error correction procedures may allow addition, deletion or manipulation of data, but occur outside normal processing • Management override or circumvention of normal controls • Journal entries needed as part of financial reporting process (accruals, allocations, etc.) © Jerry L Turner 2006 General Ledger Account P7—Normal process File A P8— • Error correction •Management override •Journal entries P6— • Error correction •Management override P5—Normal process File B P4— • Error correction •Management override P3—Normal process Document P1—Normal process Interface with other systems/applications • E-commerce • Web interfaces • EDI • Non-integrated systems/applications P2— • Error correction •Management override Transaction or Allocation Three Steps to a New Approach • For each CDP, critical controls for each of the five assertions affected by each process must be identified and documented • A critical control might be the first and/or the last control in a process over a specific management assertion © Jerry L Turner 2006 Three Steps to a New Approach • A CDP may require more than one critical control over an assertion as the data is transformed or aggregated • Also may require identification of additional files and processes outside the CDP, e.g verify that a subsidiary ledger balance used as a control is correct © Jerry L Turner 2006 Three Steps to a New Approach • As critical controls are identified, each should be referenced to a separate control summary sheet • The summary sheet should be organized by management assertion and document the critical control or controls for each assertion • Each control should be referenced to audit program tests of that control © Jerry L Turner 2006 Examples • Recording of customer payments • Additions to inventory © Jerry L Turner 2006 Recording of Customer Payments General Ledger Accounts Receivable File or Database Table Credit CRP4— • Error correction • Management override •Journal entries CRP3—Master File update run • Aggregate amounts • Update existing balance CR1—Cash Receipt Transaction File CRP2—Manually input cash receipts from Cash Receipt Control Listing Remittance Advice To Cashier Customer Check Copy of Cash Receipt Control Listing Cash Receipt Control Listing Remittance Advice Customer Check CRP1—Manually prepare cash receipt control listing • Record • Customer ID • Invoice number • Date • Check number • Check amount Critical Control Summary CRP1—Manually prepare cash receipt control listing Category Assertion Critical Control(s) Existence or Occurrence All receipts represent valid payments-on-account All remittances must be accompanied by a valid remittance advice Completeness All payments-on-account are recorded All payments received are listed on a cash receipt control listing Rights and Obligations Payments are made to the correct entity All pay-to-the-order-of notations are examined on all checks received Payments are deposited only in company accounts All payments are endorsed with “For Deposit Only” to the company account Valuation Correct amounts are recorded on the cash receipt control listing Cash and checks received are totaled and total compared to total on cash receipt control listing Presentation or Disclosure N/A Audit Procedure(s) Additions to Inventory Discussion © Jerry L Turner 2006 [...]... allocation, – Rights and obligations, and – Presentation and disclosure © Jerry L Turner 2006 Sarbanes-Oxley Act of 2002 • SOX notes that documentation might take many forms, such as paper, electronic files, or other media • Can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms © Jerry L Turner 2006 Sarbanes-Oxley Act of 2002 •... been achieved © Jerry L Turner 2006 Existing Documentation Methods • Neither efficient nor effective in complying with the requirements of SOX • Documentation typically begins with the source of accounting information, e.g a transaction, and creates data flows from that activity to an end-point in the general ledger © Jerry L Turner 2006 Consider a Leaf on a Tree © Jerry L Turner 2006 A More Effective... relevant financial statement assertion could arise; © Jerry L Turner 2006 Sarbanes-Oxley Act of 2002 – identify the controls implemented to address these potential misstatements; and – identify the controls implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets © Jerry L Turner 2006 Sarbanes-Oxley Act of 2002 • Individual controls... Principles of Auditing © Jerry L Turner 2006 Background—Companies • System documentation has many forms, depending on the functional group involved in preparation • Usually related to system design, such as physical and logical data flow diagrams • Extremely detailed and generally not effective for other purposes, such as identification of critical internal controls © Jerry L Turner 2006 Sarbanes-Oxley Act... critical files © Jerry L Turner 2006 A More Effective Approach • Allows identification of controls related to those processes, based on management assertions about financial statement account balances • Is useful for both company management and independent auditors • Allows identification of controls that may be monitored effectively with continuous auditing techniques © Jerry L Turner 2006 Continuous... has aligned objectives with integrated audit approach © Jerry L Turner 2006 When Can Errors Occur? • When data is entered into a system • When data is transferred from one document or electronic file to a different document or electronic file • When data changes form through aggregation or other process • When data is deleted © Jerry L Turner 2006 Three Steps to an Effective Approach • First, identify... CDP – delete data from the CDP © Jerry L Turner 2006 Ad Hoc and Other Processes • Error correction procedures may allow addition, deletion or manipulation of data, but occur outside normal processing • Management override or circumvention of normal controls • Journal entries needed as part of financial reporting process (accruals, allocations, etc.) © Jerry L Turner 2006 General Ledger Account P7—Normal... specific management assertion © Jerry L Turner 2006 Three Steps to a New Approach • A CDP may require more than one critical control over an assertion as the data is transformed or aggregated • Also may require identification of additional files and processes outside the CDP, e.g verify that a subsidiary ledger balance used as a control is correct © Jerry L Turner 2006 Three Steps to a New Approach... assertion and document the critical control or controls for each assertion • Each control should be referenced to audit program tests of that control © Jerry L Turner 2006 Examples • Recording of customer payments • Additions to inventory © Jerry L Turner 2006 Recording of Customer Payments General Ledger Accounts Receivable File or Database Table Credit CRP4— • Error correction • Management override •Journal... amounts are recorded on the cash receipt control listing Cash and checks received are totaled and total compared to total on cash receipt control listing Presentation or Disclosure N/A Audit Procedure(s) Additions to Inventory Discussion © Jerry L Turner 2006

Ngày đăng: 30/11/2016, 22:32

Mục lục

  • An Efficient Approach to Identification and Documentation of Critical Accounting Application Controls

  • Sarbanes-Oxley Act of 2002

  • Slide 3

  • Slide 4

  • Background—Auditors

  • Traditional Flowcharts

  • Traditional Flowchart

  • Internal Control Questionnaires

  • Internal Control Questionnaire

  • Move to Focus on Assertions

  • Narrative

  • Background—Companies

  • Slide 13

  • Slide 14

  • Slide 15

  • Slide 16

  • Slide 17

  • Existing Documentation Methods

  • Consider a Leaf on a Tree

  • A More Effective Approach

  • Slide 21

  • Continuous Auditing

  • When Can Errors Occur?

  • Three Steps to an Effective Approach

  • Critical Data Path (CDP)

  • Slide 26

  • Ad Hoc and Other Processes

  • Slide 28

  • Three Steps to a New Approach

  • Slide 30

  • Slide 31

  • Examples

  • Slide 33

  • Slide 34

  • Slide 35

  • Discussion

Tài liệu cùng người dùng

  • Đang cập nhật ...

Tài liệu liên quan