Internal Control Audit and Compliance

Wiley Corporate F&A Series

The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

Internal Control Audit and Compliance: Documentation and Testing Under the New COSO Framework

LYNFORD GRAHAM

Cover image: © iStock.com/kentoh
Cover design: Wiley

Copyright © 2015 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Graham, Lynford.
Internal control audit and compliance: documentation and testing under the new COSO framework / Lynford Graham.
1 online resource. – (Wiley corporate F&A series)
Includes index.
Description based on print version record and CIP data provided by publisher; resource not viewed.
ISBN 978-1-118-99621-8 (cloth); ISBN 978-1-118-99647-8 (ebk); ISBN 978-1-118-99630-0 (ebk)
1. Auditing, Internal. I. Title.
HF5668.25
657.458—dc3
2014035947

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

Contents

Preface
Acknowledgments

Chapter 1: What We All Share
  Need for Control Criteria
  Overview of the COSO Internal Control Integrated Framework
  Holistic, Integrated View
  Revised COSO Internal Controls Framework
  What We Must Do
  Basic Scoping and Strategies for Maintenance
  Where We Depart
  Triangle of Efficiency
  Controls versus Processes
  The Debate Continues
  Organization of This Book
  Appendix 1A: COSO 17 Principles

Chapter 2: Setting the Scope of Your Documentation Project: Identifying the Core
  Start with Business Objectives
  After the Initial Year
  Mapping the Entity to the Financial Statements: Ins and Outs
  Consider Risks, Not Just Quantitative Measures
  Inherent and Control Risk
  Overstatement and Understatement
  Does "In Scope" Imply Extensive Testing?
  A Consolation
  Be Careful Out There!
  Appendix 2A: Summary of Scoping Inquiries

Chapter 3: The Risk Assessment Component
  Risk Assessment Principles in COSO
  Cost Control
  Basics
  Likelihood, Magnitude, Velocity, and Persistence
  Separate Assessments of Inherent and Control Risks
  Role of Assertions
  Assertions
  Principles 6 and 7: Specify Suitable Objectives; Identify and Analyze Risk
  Identifying Risks
  External Sources of Risk Information
  Internal and External Reporting Risks
  Compliance Risks
  Disclosed Material Weaknesses in Risk Assessment
  Principle 8: Assess Fraud Risk
  Auditor Responsibility to Detect Fraud
  Antifraud Controls for Management to Consider
  Ties to Other Principles and Components
  Principle 9: Identify and Assess Significant Change
  Gathering Information to Support the Risk Assessment and Consider Change
  Appendix 3A: SAS No. 99 Exhibit: Management Antifraud Programs and Controls
    Attachment 1: AICPA "CPA's Handbook of Fraud and Commercial Crime Prevention" Code of Conduct
    Attachment 2: Financial Executives International Code of Ethics Statement
  Appendix 3B: Understanding Fraud Risk Assessment

Chapter 4: Control Environment
  Principle 1: Commitment to Integrity and Ethical Values
  Principle 2: Board of Directors (Governance) Demonstrates Independence from Management and Exercises Oversight of the Development and Performance of Internal Control
  Principle 3: Management Establishes, with Board Oversight, Structures, Reporting Lines, and Appropriate Authorities and Responsibilities in the Pursuit of Objectives
  Principle 4: Commitment to Attract, Develop, and Retain Competent Individuals in Alignment with Objectives
  Principle 5: The Organization Holds Individuals Accountable for Their Internal Control Responsibilities in the Pursuit of Objectives
  Appendix 4A: Understanding and Awareness of Control Responsibilities

Chapter 5: Control Activities
  Principle 10: Selects and Develops Control Activities to Mitigate Risk and Achieve Objectives
  Principle 11: Selects and Develops General Controls over Technology
  Principle 12: Deploys through Policies and Procedures
  Summing Up
  Appendix 5A: Linking Common Control Activities and Assertions
  Appendix 5B: Linkage of Principles to Controls, Policies, and Procedures

Chapter 6: Information and Communication
  Principle 13: Generates Relevant Information
  Principle 14: Communicates Internally
  Principle 15: Communicates Externally

Chapter 7: Monitoring
  Principle 16: Select, Develop, and Perform Ongoing and/or Separate Evaluations
  Principle 17: Evaluate and Communicate Deficiencies as Appropriate

Chapter 8: Evidence and Testing
  Sufficient Evidence
  Gathering Information
  Testing and Sampling
  Nonsampling Situations
  Confusion of Sample Size Guidance in Practice Today
  Information Technology General Controls
  Testing Security and Access
  Appendix 8A: Sample Size Tutorial

Chapter 9: Developing Questionnaires and Conducting Interviews
  Surveys of Employees
  Conducting Interviews
  Management Inquiries: Sample Questions
  Appendix 9A: Sample Practice Aids

Chapter 10: Assessing the Severity of Identified Controls Deficiencies
  It's Inevitable
  Alignment of Public and Private Company Standards for Assessing Deficiency Severity
  Control Deficiencies and Definitions
  Key Factors When Assessing the Severity of a Deficiency
  Conditions Indicating Control Deficiencies
  Examples of Evaluating the Severity of Deficiencies
  Overall Assessment
  Appendix 10A: A Framework for Evaluating Control Exceptions and Deficiencies
  Appendix 10B: Assessing the Potential Magnitude of a Control Deficiency

Chapter 11: Reporting Requirements
  Nonpublic Entity Reporting
  Public Company Annual and Quarterly Reporting Requirements
  Reporting on Management's Responsibilities for Internal Control
  Required Company and Auditor Communications
  Reporting the Remediation of Weaknesses
  Coordinating with the Independent Auditors and Legal Counsel
  Appendix 11A: Illustrative AICPA Report on Internal Controls

Chapter 12: Project Management and Tools Assessment Design
  Project Management
  Structuring the Project Team
  Tools Assessment Design
  Features of a Good Tools Solution
  Value of a Pilot Project
  Coordinating with the Independent Auditors