Internal Control Audit and Compliance: Documentation and Testing Under the New COSO Framework - Wiley Corporate F&A Lynford Graham
Ease the transition to the new COSO framework with practical strategy. Internal Control Audit and Compliance provides complete guidance toward the latest framework established by the Committee of Sponsoring Organizations (COSO).

Table of Contents:

- Preface xi
- Acknowledgments xv
- Chapter 1: What We All Share 1
  - Need for Control Criteria 1
  - Overview of the COSO Internal Control Integrated Framework 2
  - Holistic, Integrated View 3
  - Revised COSO Internal Controls Framework 6
  - What We Must Do 8
  - Basic Scoping and Strategies for Maintenance 11
  - Where We Depart 12
  - Triangle of Efficiency 13
  - Controls versus Processes 14
  - The Debate Continues 18
  - Organization of This Book 18
  - Appendix 1A: COSO 17 Principles 20
- Chapter 2: Setting the Scope of Your Documentation Project: Identifying the Core 21
  - Start with Business Objectives 21
  - After the Initial Year 24
  - Mapping the Entity to the Financial Statements: Ins and Outs 25
  - Consider Risks, Not Just Quantitative Measures 27
  - Inherent and Control Risk 28
  - Overstatement and Understatement 28
  - Does "In Scope" Imply Extensive Testing? 37
  - A Consolation 39
  - Be Careful Out There! 40
  - Appendix 2A: Summary of Scoping Inquiries 42
- Chapter 3: The Risk Assessment Component 45
  - Risk Assessment Principles in COSO 46
  - Cost Control 46
  - Basics 47
  - Likelihood, Magnitude, Velocity, and Persistence 48
  - Separate Assessments of Inherent and Control Risks 50
  - Role of Assertions 51
  - Assertions 52
  - Principles 6 and 7: Specify Suitable Objectives; Identify and Analyze Risk 56
  - Identifying Risks 59
  - External Sources of Risk Information 60
  - Internal and External Reporting Risks 61
  - Compliance Risks 61
  - Disclosed Material Weaknesses in Risk Assessment 62
  - Principle 8: Assess Fraud Risk 62
  - Auditor Responsibility to Detect Fraud 65
  - Antifraud Controls for Management to Consider 66
  - Ties to Other Principles and Components 66
  - Principle 9: Identify and Assess Significant Change 66
  - Gathering Information to Support the Risk Assessment and Consider Change 68
  - Appendix 3A: SAS No. 99 Exhibit: Management Antifraud Programs and Controls 72
  - Attachment 1: AICPA "CPA's Handbook of Fraud and Commercial Crime Prevention" Code of Conduct 87
  - Attachment 2: Financial Executives International Code of Ethics Statement 91
  - Appendix 3B: Understanding Fraud Risk Assessment 93
- Chapter 4: Control Environment 99
  - Principle 1: Commitment to Integrity and Ethical Values 100
  - Principle 2: Board of Directors (Governance) Demonstrates Independence from Management and Exercises Oversight of the Development and Performance of Internal Control 104
  - Principle 3: Management Establishes, with Board Oversight, Structures, Reporting Lines, and Appropriate Authorities and Responsibilities in the Pursuit of Objectives 109
  - Principle 4: Commitment to Attract, Develop, and Retain Competent Individuals in Alignment with Objectives 110
  - Principle 5: The Organization Holds Individuals Accountable for Their Internal Control Responsibilities in the Pursuit of Objectives 113
  - Appendix 4A: Understanding and Awareness of Control Responsibilities 117
- Chapter 5: Control Activities 120
  - Principle 10: Selects and Develops Control Activities to Mitigate Risk and Achieve Objectives 120
  - Principle 11: Selects and Develops General Controls over Technology 132
  - Principle 12: Deploys through Policies and Procedures 141
  - Summing Up 143
  - Appendix 5A: Linking Common Control Activities and Assertions 146
  - Appendix 5B: Linkage of Principles to Controls, Policies, and Procedures 158
- Chapter 6: Information and Communication 165
  - Principle 13: Generates Relevant Information 166
  - Principle 14: Communicates Internally 168
  - Principle 15: Communicates Externally 170
- Chapter 7: Monitoring 173
  - Principle 16: Select, Develop, and Perform Ongoing and/or Separate Evaluations 174
  - Principle 17: Evaluate and Communicate Deficiencies as Appropriate 176
- Chapter 8: Evidence and Testing 179
  - Sufficient Evidence 179
  - Gathering Information 187
  - Testing and Sampling 194
  - Nonsampling Situations 202
  - Confusion of Sample Size Guidance in Practice Today 203
  - Information Technology General Controls 204
  - Testing Security and Access 205
  - Appendix 8A: Sample Size Tutorial 211
- Chapter 9: Developing Questionnaires and Conducting Interviews 217
  - Surveys of Employees 219
  - Conducting Interviews 224
  - Management Inquiries: Sample Questions 234
  - Appendix 9A: Sample Practice Aids 239
- Chapter 10: Assessing the Severity of Identified Controls Deficiencies 248
  - It's Inevitable 248
  - Alignment of Public and Private Company Standards for Assessing Deficiency Severity 251
  - Control Deficiencies and Definitions 252
  - Key Factors When Assessing the Severity of a Deficiency 263
  - Conditions Indicating Control Deficiencies 270
  - Examples of Evaluating the Severity of Deficiencies 277
  - Overall Assessment 281
  - Appendix 10A: A Framework for Evaluating Control Exceptions and Deficiencies 283
  - Appendix 10B: Assessing the Potential Magnitude of a Control Deficiency 299
- Chapter 11: Reporting Requirements 302
  - Nonpublic Entity Reporting 302
  - Public Company Annual and Quarterly Reporting Requirements 304
  - Reporting on Management's Responsibilities for Internal Control 309
  - Required Company and Auditor Communications 312
  - Reporting the Remediation of Weaknesses 314
  - Coordinating with the Independent Auditors and Legal Counsel 315
  - Appendix 11A: Illustrative AICPA Report on Internal Controls 316
- Chapter 12: Project Management and Tools Assessment Design 318
  - Project Management 318
  - Structuring the Project Team 319
  - Tools Assessment Design 325
  - Features of a Good Tools Solution 326
  - Value of a Pilot Project 331
  - Coordinating with the Independent Auditors 334
- Chapter 13: Illustrative Forms and Templates 337
  - Historical Perspective 338
  - 2013 Framework Examples 340
  - Appendix 13A: Information-Gathering Form--Principle Focused 348
  - Appendix 13B: Information Gathering Form--Revenue 350
  - Appendix 13C: Walk-through Documentation Form 353
  - Appendix 13D: Information Technology General Controls Assessment Form 355
  - Appendix 13E: Documentation of Financial Reporting Software and Spreadsheets 364
  - Appendix 13F: Sampling Form for Tests of Controls 368
  - Appendix 13G: Summary of Internal Control Deficiencies 371
  - Appendix 13H: Control Environment Component Evaluation Summary 372
- Chapter 14: Summing Up 373
- About the Author 375
- Index 377

Biographical Note: LYNFORD GRAHAM, CPA, has more than 30 years of public accounting experience in audit practice and in various national firm policy development groups. He is a visiting professor of accountancy and executive-in-residence at Bentley University, Waltham, MA. He currently maintains an active consultancy practice in statistical audit sampling, litigation support, and audit methodologies, and develops numerous training seminars for conferences and firms.

Jacket Description/Flap: Prior to 1992, when the National Commission on Fraudulent Financial Reporting published "Internal Control--Integrated Framework," there was no broad set of criteria against which to evaluate the effectiveness of the auditing entity in controlling its risk of filing materially false financial information and preventing other types of fraud. The COSO Framework filled that void. "Internal Control Audit and Compliance" offers auditors, controllers, and accounting managers a comprehensive guide to the latest framework established by the Committee of Sponsoring Organizations (COSO). Written by Lynford Graham--a noted expert on the topic--this important resource offers clear explanations and expert advice on implementation and shows how to document and test internal controls over financial reporting. The COSO internal control framework identifies five components of internal control: control environment; risk assessment; control procedures; information and communication; and monitoring. Each component has a relationship with and can influence the functioning of every other component, operating in an almost organic way.

While these five components remain unchanged, the level of detailed guidance over the years has increased due to the more recent widespread implementation of the framework in the business environment and a desire to have more consistency in the application of COSO principles. "Internal Control Audit and Compliance" includes detailed information covering each element of the revised framework and puts the emphasis on the latest changes. The author includes explicit definitions of internal controls and shows how they should be assessed and tested. The updated COSO framework also includes financial and non-financial reporting, as well as both internal and external reporting objectives, and "Internal Control Audit and Compliance" clarifies complex codification. The newly revised framework identifies seventeen new principles, each of which is explained in detail to help clarify the new and emerging best practices that are designed to enhance efficiency and effectiveness. To ease the transition from the older and outdated guidelines, Graham reveals an effective strategy for incorporating the new framework into day-to-day operations and offers step-by-step guidance for implementing the new changes.

Publisher Marketing: Ease the transition to the new COSO framework with practical strategy. "Internal Control Audit and Compliance" provides complete guidance toward the latest framework established by the Committee of Sponsoring Organizations (COSO). With clear explanations and expert advice on implementation, this helpful guide shows auditors and accounting managers how to document and test internal controls over financial reporting with detailed sections covering each element of the framework. Each section highlights the latest changes and new points of emphasis, with explicit definitions of internal controls and how they should be assessed and tested.

Coverage includes easing the transition from older guidelines, with step-by-step instructions for implementing the new changes. The new framework identifies seventeen new principles, each of which is explained in detail to help readers understand the new and emerging best practices for efficiency and effectiveness. The revised COSO framework includes financial and non-financial reporting, as well as both internal and external reporting objectives. It is essential for auditors and controllers to understand the new framework and how to document and test under the new guidance. This book clarifies complex codification and provides an effective strategy for a more rapid transition.

- Understand the new COSO internal controls framework
- Document and test internal controls to strengthen business processes
- Learn how requirements differ for public and non-public companies
- Incorporate improved risk management into the new framework

The new framework is COSO's first complete revision since the release of the initial framework in 1992. Companies have become accustomed to the old guidelines, and the necessary procedures have become routine - making the transition to align with the new framework akin to steering an ocean liner. "Internal Control Audit and Compliance" helps ease that transition, with clear explanation and practical implementation guidance.

Contributor Bio: Lynford Graham is a Certified Public Accountant with more than 25 years of public accounting experience in audit practice and in national policy development groups. He is currently a consultant on professional accounting and auditing matters and an author. Dr. Graham is a member of the American Institute of Certified Public Accountants (AICPA), and a recent past member of the Auditing Standards Board. He chaired the AICPA's Audit Risk Guide Task Force ("Assessing and Responding to Audit Risk in a Financial Statement Audit") and was the U.S. representative to the International Auditing and Assurance Standards Board (IAASB) Materiality Task Force (ISA 320 and 450). He previously served as a member of the AICPA's Materiality and Audit Risk Task Force (SAS 47); was a founding member of the AICPA's Information Technology Section, serving on its Executive Committee; and was a member of the AICPA's Statistical Sampling Subcommittee during the development of SAS 39 on Audit Sampling. He drafted the 2007 revision of the AICPA Audit Guide, "Audit Sampling." Previously he chaired the Educator-Practitioner Case Development Task Force for the annual AICPA Education Conference and served on the Executive Committee of the Pre-Certification Education Committee. He is a former partner and the national director of audit policy for BDO Seidman, LLP. There Dr. Graham was responsible for the development and implementation of audit policy and software, as well as Assurance Services Learning and Education programs, and was the firm's sampling coordinator. He served on several international BDO Seidman task forces developing audit software, audit methodology, sampling approaches, and audit automation techniques. Dr. Graham was responsible for BDO Seidman's implementation of audits of internal control under PCAOB AS 2 and participated with professional groups in developing industry-wide guidance on audits of internal control.

Prior to joining BDO Seidman LLP, Dr. Graham was an associate professor of accounting and information systems and a graduate faculty fellow at Rutgers University in Newark, New Jersey, where he taught primarily financial accounting courses. Prior to joining Rutgers, he was a national accounting & SEC consulting partner for Coopers & Lybrand, responsible for their technical issues research function and database, auditing research, and sampling techniques. A Certified Fraud Examiner and a member of the Association of Certified Fraud Examiners, Dr. Graham has provided consulting guidance on matters of internal control and statistical and audit methods, including inventory sampling problems, fraud investigations, litigation consulting, cost reimbursement studies and loan reviews. He has also worked with a variety of government agencies on the development and implementation of audit regulations. Throughout his career he has maintained an active profile in the academic as well as the business community. A member of the American Accounting Association (AAA), he served as vice chairman of the Auditing Section and as a member of numerous committees and task forces. Dr. Graham had a leadership role in the development of Coopers & Lybrand's award-winning "Excellence in Audit Education" materials, widely used in university audit courses in the 1990s. He is the past auditing section chair for the Mid-Atlantic Section of the AAA. In 2002 he received the Distinguished Service Award of the Auditing Section of the AAA. His numerous academic and business publications span a variety of topical areas, including information systems, internal controls, expert systems, audit risk, audit planning, fraud, sampling, analytical procedures, audit judgment, and international accounting and auditing. Dr. Graham holds an MBA in Industrial Management and a PhD in Business and Applied Economics, both from the University of Pennsylvania (Wharton School).

He is also coeditor of the "Accountant's Handbook 11th Edition" (John Wiley & Sons, 2007) as well as coauthor or editor of many other audit and accounting books and publications.
| Media | Books Hardcover Book (Book with hard spine and cover) |
| Released | March 20, 2015 |
| ISBN13 | 9781118996218 |
| Publishers | John Wiley & Sons Inc |
| Pages | 416 |
| Dimensions | 190 × 265 × 39 mm · 896 g |
| Language | English |