GUIDE TO INTERNAL CONTROL OVER FINANCIAL REPORTING

ABOUT THE CENTER FOR AUDIT QUALITY

The Center for Audit Quality (CAQ) is an autonomous public policy organization dedicated to enhancing investor confidence and public trust in the global capital markets. The CAQ fosters high-quality performance by public company auditors; convenes and collaborates with other stakeholders to advance the discussion of critical issues that require action and intervention; and advocates policies and standards that promote public company auditors' objectivity, effectiveness, and responsiveness to dynamic market conditions. Based in Washington, DC, the CAQ is affiliated with the American Institute of CPAs.

Please note that this publication is intended as general information and should not be relied upon as being definitive or all-inclusive. As with all other CAQ resources, this is not authoritative, and readers are urged to refer to relevant rules and standards. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The CAQ makes no representations, warranties, or guarantees about, and assumes no responsibility for, the content or application of the material contained herein. The CAQ expressly disclaims all liability for any damages arising out of the use of, reference to, or reliance on this material. This publication does not represent an official position of the CAQ, its board, or its members.


CONTENTS

02 INTRODUCTION

04 KEY ICFR CONCEPTS

04 INTERNAL CONTROL

04 INTERNAL CONTROL OVER FINANCIAL REPORTING

06 REASONABLE ASSURANCE

07 THE CONTROL ENVIRONMENT

07 CONTROL ACTIVITIES

07 SEGREGATION OF DUTIES

08 IT GENERAL CONTROLS

09 ENTITY-LEVEL AND PROCESS-LEVEL CONTROLS

09 PREVENTIVE AND DETECTIVE CONTROLS

11 SCALING ICFR TO THE COMPANY

11 ICFR DEFICIENCIES

12 ICFR ROLES AND RESPONSIBILITIES

12 MANAGEMENT

13 MANAGEMENT REPORTING ON THE EFFECTIVENESS OF ICFR

13 INDEPENDENT AUDITORS

13 AUDIT COMMITTEES

15 WHAT ICFR MEANS FOR COMPANIES, INVESTORS, AND MARKETS


INTRODUCTION

Preparing reliable financial information is a key responsibility of the management of every public company. The ability to effectively manage the company's business requires access to timely and accurate information that informs decision making. Moreover, investors must be able to place confidence in a company's financial reports if the company wants to raise capital in the public securities markets.

Management's ability to fulfill its financial reporting responsibilities depends in part on the design and operating effectiveness of the controls and safeguards it has put in place over accounting and financial reporting. Without such controls, it would be extremely difficult for most business organizations--especially those with numerous locations, operations, and processes--to prepare timely and reliable financial reports for management, investors, lenders, and other users. While no practical control system can absolutely assure that financial reports will never contain material misstatements, an effective system of internal control over financial reporting (ICFR) can substantially reduce the risk of such misstatements in a company's financial statements.


Congress codified the requirement that public companies have internal accounting controls in the Foreign Corrupt Practices Act of 1977 (FCPA). This federal law requires public companies to establish and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles (GAAP). The Sarbanes-Oxley Act of 2002 (SOX) added a requirement, applicable to most public companies, that management annually assess the effectiveness of the company's ICFR and report the results to the public. SOX also enhanced audit committee oversight responsibility related to ICFR and requires most large public companies to engage their independent auditor to audit the effectiveness of the company's ICFR.

The Center for Audit Quality has prepared this guide to provide the public with an overview of ICFR. The guide explains what public company ICFR is and describes management's responsibility for implementing effective ICFR. It also discusses the responsibilities of the audit committee to oversee ICFR and of the independent auditor to audit the effectiveness of the company's ICFR.

THE STATUTORY INTERNAL ACCOUNTING CONTROL REQUIREMENT

The FCPA requires public companies to "devise and maintain" a system of internal accounting controls sufficient to provide reasonable assurance that:[1]

+ transactions are executed in accordance with management's general or specific authorization;

+ transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with GAAP or any other criteria applicable to such statements, and (2) to maintain accountability for assets;

+ access to assets is permitted only in accordance with management's general or specific authorization; and

+ the recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken regarding any differences.

[1] Section 13(b)(2)(B) of the Securities Exchange Act of 1934.


KEY ICFR CONCEPTS

INTERNAL CONTROL

ICFR is one element of the broader concept of internal control. The latter is defined by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission--an initiative of several groups with an interest in effective internal control--which provides a framework to assist companies in structuring and evaluating controls that address a broad range of risks. Released in 1992 and updated in 2013, that framework defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance."[2]

INTERNAL CONTROL OVER FINANCIAL REPORTING

ICFR refers to the controls specifically designed to address risks related to financial reporting. In simple terms, a public company's ICFR consists of the controls that are designed to provide reasonable assurance that the company's financial statements are reliable and prepared in accordance with GAAP.

Misstatements in a financial statement may occur, for example, due to mathematical errors, misapplication of GAAP, or intentional misstatements (fraud). A system of ICFR should address these possibilities. The risk of fraudulent financial reporting is a key consideration in the design and operation of public company ICFR. For example, market expectations for revenues, earnings, or other targets may create pressures on management to meet these thresholds. Effective ICFR provides reasonable assurance that corporate records are not purposefully misstated in response to those pressures. ICFR should therefore be designed and implemented with the risk of fraud in mind and tailored to the particular circumstances of the company.

[2] COSO's Internal Control--Integrated Framework ©2014 COSO. All rights reserved. Used by permission. See Executive Summary, page 3.

Financial reporting often requires sophisticated decision making and the application of informed judgment. The following three items, for example, all require management to make judgments regarding assumptions and the likelihood of future events:

+ accounting areas such as estimating allowances for credit losses,

+ valuing illiquid securities, and

+ determining whether intangible assets are impaired.

In these kinds of reporting areas, there is typically a range of acceptable outcomes, rather than a single "correct" result to be measured and recorded. Controls cannot remove the need for judgment or eliminate the variations in reporting inherent in situations in which a range of acceptable judgments is possible. Controls can, however, be designed and implemented to address the process by which accounting judgments are made and thereby provide reasonable assurance that the financial reports are presented in accordance with GAAP.

THE COSO FRAMEWORK'S FIVE INTEGRATED COMPONENTS OF INTERNAL CONTROL[3]

1. Control Environment -- The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control, including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

2. Risk Assessment -- Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of the objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

3. Control Activities -- Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

4. Information and Communication -- Information is necessary for the entity to carry out internal control responsibilities to support the achievement of objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and provides information to external parties in response to requirements and expectations.

5. Monitoring Activities -- Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

[3] COSO's Internal Control--Integrated Framework ©2014 COSO. All rights reserved. Used by permission. See Executive Summary, pages 4-5.

REASONABLE ASSURANCE

No system of ICFR can provide absolute assurance that the financial statements are free of misstatements. Internal control systems are operated by individuals, and individuals make mistakes. Further, while maintaining a system of ICFR that provides reasonable assurance regarding the reliability of financial reporting is a legal requirement for most public companies, cost considerations may affect the design of control systems. For these reasons, it is impossible to create a control system that will prevent or detect, on a timely basis, all potential misstatements. In addition, intentional misconduct, such as fraud, collusion, or management override, may prevent controls from
