Module 1 Week(s) 1 (5/10-5/15) Topics Current Trends & Major Issues in Internal Auditing Required Readings Assignments in Bb “Related Article Readings” folder (if applicable) Due Module 1 VT Discussion (Due Thursday) Module 1 Quiz (Due Friday) Anderson et al

Subject:BusinessPrice:18.89 Bought3

Share With

Module 1 Week(s) 1 (5/10-5/15) Topics Current Trends & Major Issues in Internal Auditing Required Readings Assignments in Bb “Related Article Readings” folder (if applicable) Due Module 1 VT Discussion (Due Thursday) Module 1 Quiz (Due Friday) Anderson et al. - CHs 1-3 Module 1 VT Reply to Discussion (Due Saturday) Assignments in Bb “Related Article Readings” folder (if applicable) 2 2 (5/16-5/22) Risk Assessments Module 2 VT Discussion (Due Thursday) Module 2 Quiz (Due Friday) Anderson et al. - CHs 4-5 Module 2 VT Reply to Discussion (Due Saturday) Assignments in Bb “Related Article Readings” folder (if applicable) 3 3 (5/23-5/29) Internal Control Activities Module 3 VT Discussion (Due Thursday) Module 3 Quiz (Due Friday) Anderson et al. - CHs 6-7 Module 3 VT Reply to Discussion (Due Saturday) Start Comprehensive Final Case (Due the last Friday of class) Assignments in Bb “Related Article Readings” folder (if applicable) 4 4 (5/30-6/5) Fraud and the Internal Audit Module 4 VT Discussion (Due Thursday) Module 4 Quiz (Due Friday) Anderson et al. - CHs 8-9 Module 4 VT Reply to Discussion (Due Saturday) Continue Comprehensive Final Case (Due the last Friday of class) Assignments in Bb “Related Article Readings” folder (if applicable) 5 5 (6/6-6/12) Audit Evidence and Data Analysis Module 5 VT Discussion (Due Thursday) Module 5 Quiz (Due Friday) Anderson et al. - CHs 10-11 Module 5 VT Reply to Discussion (Due Saturday) Continue Internal Control Case (Due the last Friday of class) Assignments in Bb “Related Article Readings” folder (if applicable) 6 Module 6 VT Discussion (Due Thursday) Module 6 Quiz (Due Friday) 6 (6/13-6/19) The Engagement Process Module 6 VT Reply to Discussion (Due Saturday) 7 7 (6/20-6/25) Anderson et al. - CHs 12-13 Continue Internal Control Case (Due the last Friday of class) Assignments in Bb “Related Article Readings” folder (if applicable) Module 7 VT Discussion (Due Thursday) Module 7 Quiz (Due Friday) The Engagement Process Continued Anderson et al. - CHs 14-15 Final draft of Comprehensive Final Case (Due Friday) Module 7 VT Reply to Discussion (Due Saturday) ISSUES IN ACCOUNTING EDUCATION Vol. 25, No. 4 2010 pp. 709–720 American Accounting Association DOI: 10.2308/iace.2010.25.4.709 Sunshine Center: An Instructional Case Evaluating Internal Controls in a Small Organization Sandra K. Fleak, Keith E. Harrison, and Laurie A. Turner ABSTRACT: Management and auditors face increased responsibilities to evaluate internal control and assess the risk of fraud. This case provides the opportunity to evaluate internal controls and the possibility of fraud in a very small not-for-profit child care center, a setting that is easy to understand. The first goal of the case is to identify internal control weaknesses by applying the COSO internal control framework in an environment that lacks many aspects of internal control. Interactions among the five components of the COSO framework provide the basis for analyzing internal control. The case requires students to consider possible misappropriation of funds using the fraud triangle. A secondary goal of the case is to introduce financial reporting for a not-for-profit organization as a means of accountability. Keywords: internal control; COSO framework; fraud; not-for-profit organization; financial reporting. CASE Crisis de jour! Our director is not cooperating. And, where is the money going? I would like to be able to act rather than react. We must keep the place open! S arah, chair of the Sunshine Center Committee, and the Committee’s secretary, Olivia, talked almost daily about the operations of the Sunshine Center. “At least the children seem happy and well cared for,” Sarah reminded Olivia. “Yes,” Olivia agreed, “but if we cannot pay the bills and keep our help, we will not be open long to serve them. Rev. Andrew thinks everything will work out, but I am not so sure.” Background The Sunshine Center ?Center? opened several years earlier when the church allowed a member to provide child care services and pay rent to use the church facilities. The church’s administrative board reluctantly approved this arrangement, but the board specifically stated the church would provide no oversight of the child care program or financial subsidy. Board members wanted to be clear that the church had no implied oversight or liability should something go wrong at the Center. Sandra K. Fleak and Keith E. Harrison are both Professors, and Laurie A. Turner is an Assistant Professor, all at Truman State University. The authors thank two anonymous reviewers and Kent St. Pierre ?editor? for insightful and helpful comments. Published Online: November 2010 709 710 Fleak, Harrison, and Turner Although the Sunshine Center established a satisfied clientele, two years ago the Center’s founder decided to cease child care operations for personal reasons. The Center met a community need for child care, and Rev. Andrew, the pastor of the church, was convinced that the church should keep the Sunshine Center open as an outreach ministry. Some administrative board members were concerned about taking on the financial responsibility for the child care facility when the church budget was already stretched. Others were concerned that closing the Center would cause ill will for the church in the community. Rev. Andrew strongly asserted that the child care facility would be financially self-supporting, even though he had no data to support his claim. Swayed by Rev. Andrew’s position, the administrative board reluctantly agreed to integrate the Sunshine Center into church activities with the stipulation that child care finances be kept completely separate from the church budget. The board expected the Center to pay rent to the church for the use of facilities and utilities. The administrative board formed a committee composed of four church members that met periodically to monitor Sunshine Center activities. The first Sunshine Center Committee ?Committee? included four church members with Rev. Andrew as an ex officio member, none of whom had child care management experience. The Committee hired Barb, a mother of four children, as the director of the Sunshine Center, even though she had no previous employment experience as a teacher, child care provider, or manager. Recent Operations Presently, the Sunshine Center facility accommodates a maximum of 20 children at one time, although more children enroll and attend part-time. Sometimes, especially during school vacations, daily attendance is less than 20. Hours are from 7:00 a.m. until 6:00 p.m. each weekday, with lunch and snacks provided for the children. The fee is $85 per week per child, with payment due at the beginning of each week. However, fee payments often trickle in during the week as the services are provided. Each day, three employees operate the Sunshine Center—the salaried director, one full-time employee, and one part-time employee. The Sunshine Center Committee In the past, the Sunshine Center Committee met once each month. At each meeting, Barb gave a brief description of monthly activities, including the theme of decorations, games, and activities, but she never presented a financial report. Whenever Committee members questioned the lack of a budget and financial information, Rev. Andrew always replied, “This is a ministry, not a business.” Asserting that there were no financial problems, Rev. Andrew frequently pointed out, “The Sunshine Center fulfills a real community need.” Further, he emphasized that as a church member, Barb could be trusted. In response, Committee members dropped their request for financial information. As busy people with their own careers and families, they accepted the reports about the child care ministry but became increasingly frustrated with the limited information that did not allow them to exercise oversight. At the beginning of the second year of operations under church control, all four members of the Committee indicated they would not continue on the Sunshine Center Committee. The church administrative board appointed two new members—Sarah and Olivia. Sarah, a stay-at-home mother, was new in the community and cheerfully willing to help with church activities. Olivia, a recently retired elementary school teacher, had time for volunteer activities. Sarah agreed to chair the Sunshine Center Committee and Olivia agreed to be secretary. Rev. Andrew continued as an ex officio member. The board sought, but did not find, additional church members willing to serve on the Committee. Issues in Accounting Education American Accounting Association Volume 25, No. 4, 2010 Sunshine Center: An Instructional Case Evaluating Internal Controls 711 The Sunshine Crisis Soon after Sarah and Olivia became involved, the Sunshine Center stopped paying rent and utilities to the church. Barb began complaining to the Committee that she was barely able to meet payroll and purchase supplies or food for the children’s lunches and snacks. She told the Committee that many parents were behind in paying their obligations to the Center. Sensing that a crisis was looming, Sarah and Olivia decided they must become more active in their oversight of the Center to make the Center viable. They were confident that financially sound operations would allow the Center to meet a growing community need for child care. Further, if they could demonstrate to fellow church members and the administrative board that the Center was a success, they believed others would be willing to support the Center and participate on the oversight committee. Sarah and Olivia decided to learn more about Sunshine Center operations and activities. They interviewed parents and were pleased to find that parents were happy with the child care program. Through interviews and observations, they found all employees did an excellent job supervising children’s activities. They discovered that Barb was involved in every facet of operations. In addition to working directly with the children, Barb collected the fees paid by parents, supervised the activities of the Center, purchased supplies and food using charge accounts at local stores, paid all the Center’s bills, prepared snacks and meals for the children, and kept all records. Sarah and Olivia quickly determined that Barb’s immersion in the Center was cause for concern. Barb’s salary as director was slightly over minimum wage with no fringe benefits, and her days were long and frustrating. It was clear to Sarah and Olivia that Barb found the work stressful. The Center’s cash flow problems added to the stress. Sarah and Olivia were particularly troubled by Barb’s lack of previous experience in a comparable job, with no knowledge about business processes and controls. To understand the cash flow problems, Sarah and Olivia decided they should review a financial summary of past activities along with the Center’s budget. Ready to accomplish that goal, the two Committee members arranged to meet Barb at the Center. Although they were astounded when Barb indicated that the Center had no financial reports or budget, Olivia suggested that they could construct financial statements from canceled checks and bank statements. Barb told Sarah and Olivia that the checks and bank records were at her home and she would make them available the next day. However, Barb did not provide the bank records or checks as she promised. After repeated attempts to get the bank records, with no success, Sarah and Olivia became suspicious. After a particularly tense confrontation, Barb tearfully admitted to Sarah and Olivia that she no longer had the information because she had destroyed the bank records, unaware that such information should be kept. Sarah and Olivia then asked to see the check register, which Barb promised to provide. A few days later, Sarah and Olivia examined the check register that Barb finally gave them and found a record of checks and deposits for only the previous 12 weeks. Barb had calculated no cash balances. When asked how she knew the cash balance, Barb replied that she called the bank weekly to find the account balance. Sarah and Olivia were stunned and immediately set up a meeting with Rev. Andrew. They told him about the lack of financial records. Both women forcefully asserted that Barb should be terminated. Rev. Andrew reacted more calmly and defended Barb’s behavior, emphasizing Barb’s good qualities in dealing with the children and parents. Since Barb was talented in supervising the children, and the parents liked her, he thought those strengths overcame her weakness at record keeping. He suggested that Barb could be taught the business skills necessary to run the Center. Though unconvinced, Sarah and Olivia chose to avoid a disagreement with Rev. Andrew and a Issues in Accounting Education Volume 25, No. 4, 2010 American Accounting Association 712 Fleak, Harrison, and Turner further confrontation with Barb. They reluctantly agreed to retain Barb as director of the Sunshine Center, but they were resolute that she must run a financially viable operation. Certain that she would receive no additional historical financial information from Barb, Olivia worked to reconstruct Sunshine Center finances from the sketchy information in the check register. She soon discovered the check register showed no checks recording Barb’s salary. Olivia also decided she should gather more information about the Center’s cash collection process. Olivia began visiting the Center daily to collect the cash receipts that she immediately deposited in the Sunshine Center bank account. She thought that Barb provided a receipt whenever a parent paid the weekly fee. Initially, Olivia noted no discrepancy between the cash that Barb turned over to her and the receipt stubs in the receipt book. But, within a few days, Olivia noticed the cash collected did not match the number of children she observed at the Center during the week. When Olivia asked Barb if there was additional cash that had been collected, Barb reached into a desk drawer and handed Olivia currency that totaled $100. Barb explained that she failed to put the cash in the normal place when the parent paid. Olivia was uncomfortable with this situation and thought it prudent to investigate further. She scanned the weekly attendance record and the receipt book. She noted no cash receipt for a family she personally knew, even though their children were listed as attending that week. When contacted by Olivia, the family showed her a receipt for the payment, even though none appeared in the Center’s receipt book. Although uncomfortable about confronting Barb, Sarah and Olivia knew they needed to speak with her about the Center’s cash collection procedures and her salary. Especially, they needed more details concerning the $100. When questioned, Barb confessed that the Sunshine Center had a past due Food Market grocery bill that she was paying with cash from daily receipts. Sarah and Olivia next visited the Food Market office where they learned that the Center indeed had an outstanding bill of approximately $1,000. The unpaid Sunshine Center bill had been almost $1,500 earlier in the year. Within the same week, a letter from the IRS arrived at the church office. The letter included a notification that the Sunshine Center failed to file a payroll tax return. Again, Sarah and Olivia questioned Barb. Upset, Barb responded that she made all the tax deposits but did not know reports needed to be filed. Within a few days, Barb notified Rev. Andrew that she would be leaving the Sunshine Center in two weeks. She stated that her departure was due to the additional stress from dealing with Sarah and Olivia and the Center’s financial problems. Sarah and Olivia were neither surprised nor disappointed by Barb’s decision, but Rev. Andrew tried to convince Barb to reconsider. During the final two weeks that Barb was director of the Sunshine Center, she told parents that she was starting a child care service in her home. Parents related that Barb said, “The church has lots of money but just will not support this Center adequately. That is the reason I am leaving.” Discussion Questions Overview 1. 2. What do you think is the primary problem at the Sunshine Center? Why is accountability important to the Sunshine Center Committee? The director? Clients of the Sunshine Center? Church members? Internal Control 3. The Committee of Sponsoring Organizations of the Treadway Commission ?COSO? internal control framework ?COSO 1992? is an excellent tool for understanding and implementing internal control. How is internal control defined in the COSO framework? Issues in Accounting Education American Accounting Association Volume 25, No. 4, 2010 Sunshine Center: An Instructional Case Evaluating Internal Controls 4. 5. 6. 7. 713 Internal control may need to be applied selectively in a small organization. What are the components of the COSO framework, and what components do you think should be used at the Sunshine Center? One factor of the control environment component is “integrity and ethical values.” In what ways were integrity and ethical values slighted by Barb? The Sunshine Center Committee? Rev. Andrew? The church’s administrative board? What constraints are encountered in designing internal control procedures for an organization such as the Sunshine Center? What are the weaknesses in the Center’s internal control? Make recommendations for changing the accounting and reporting system. Additionally, what constitutes a minimum set of records for a small organization like the Center? Fraud 8. Identify the elements of the fraud triangle. Which elements of the fraud triangle do you see in this case? 9. What types of fraudulent activities could Barb have perpetrated? Do you think it is possible that Barb did not commit fraud? Why? 10. How would you determine if a misappropriation of funds occurred? Looking Forward 11. What are the primary strengths of the Sunshine Center for its clients? 12. What must happen for this child care program to remain a viable ministry of the church? Financial Reporting (Optional) 13. Determine the appropriate GAAP financial reporting for a not-for-profit child care center and identify the financial statement captions for a not-for-profit entity. 14. Suppose Rev. Andrew came to you and said, “I have found a donor who will provide enough money to pay all of the Center’s back bills. We simply must estimate the amount of money needed to bring the Center back to financial health.” What are potential sources of information for determining or estimating the Center’s current financial position? REFERENCES Committee of Sponsoring Organizations of the Treadway Commission ?COSO?. 1992. Internal Control—Integrated Framework. New York, NY: COSO. Issues in Accounting Education Volume 25, No. 4, 2010 American Accounting Association Module Two: Sunshine Center Questions 1, 2, 5, & 7 Presented by Group 6: Emma Brandt Yafei Chang Sara Marichal Evan Ouellette Question 1: What do you think is the primary problem at the Sunshine Center? ? ? ? Lack of structure, culture, and accountability/governance within the organization primarily as a result of Rev. Andrew and Barb’s behaviors. ERM Framework explains: “An organization’s mission, vision, and core values de?ne what it strives to be and how it wants to conduct business (Anderson et al, page 60). ERM Framework’s 23 Principles: ? ? Can the church be to blame here? Were there attempts to correct the issues? ? ? Were these principles accomplished? No, the church is not to blame. Many attempts were made by parents/community members. An article presented by Laura Cowan on Forbes highlights eight common reasons why small businesses fail, and the Sunshine Center nails six of them. Question 2: Why is accountability important to the Sunshine Center Committee? The director? Clients of the Sunshine Center? Church members? Question 5: One factor of the control environment component is “integrity and ethical values.” In what ways were integrity and ethical values slighted by... ? ? ? ? Barb The Sunshine Center Committee Reverend Andrew The church’s administration board Question 7: What are the weaknesses in the Center’s internal control? Make recommendations for changing the accounting and reporting system. Additionally, what constitutes a minimum set of records for a small organization like the Center? Weaknesses:• ? Lack of Segregation of duties ? Lack of communication ? Little oversight ? Lack of knowledge in accounting procedures Recommendations ? ? ? Provide training on accounting procedures or hire people with this knowledge Hire someone to help with running business to increase separation of duties Meet once a week to discuss financials specifically Minimum Record Requirements ? Client Files ? Tax and Financial Files ? Employee Files ? Business Plans References Krow, S. (2017, November 21). List of Files for a Small Business to Keep. Small Business - Chron.com. Retrieved 19 May 2021 from https://smallbusiness.chron.com/list-files-small-business-keep-57541.html. Cowan, L. (2019, October 24). Eight Common Reasons Small Businesses Fail. Forbes. Retrieved on May 19th, 2021 from: https://www.forbes.com/sites/ellevate/2019/10/24/eight-common-reasons-small-business es-fail/?sh=bcd293b4fbb5 Anderson, U., Head, M., Ramamoorti, S., Riddle, C., Salamasick, M., Sobel, P. (2017). Internal Auditing: Assurance & Advisory Services, 4th Edition. [VitalSource Bookshelf e-book version] Retrieved from: https://bookshelf.vitalsource.com/#/books/978-0-89413-988-8/ Acct 605 Module 3 Case KnowledgeLeader Practice Case: Cost-Effective Approaches to Validating ICFR In the United States, Sarbanes-Oxley legislation put responsibility for the design, maintenance, and effective operation of internal control squarely on the shoulders of senior management, specifically, the CEO and CFO. To comply with this legislation, the SEC requires the CEO and CFO of publicly traded companies over a certain size to opine on the design adequacy and operating effectiveness of ICFR as part of the annual filing process (see p. 39 of https://www.sec.gov/Archives/edgar/data/55772/000005577219000027/kbal10k06302019q4.htm #sBA6E0FD951D85033890BE014EE12FA27 for example of ICFR for public traded companies) with the SEC, as well as report substantial changes in ICFR, if any, on a quarterly basis. Organizations have been able to successfully apply the COSO Framework in their efforts to comply with Section 404 of Sarbanes-Oxley, despite encountering significant unanticipated costs. In an effort to reduce the cost to comply with Section 404 of Sarbanes-Oxley, many organizations are evaluating and pursuing more cost effective approaches to validating their system of ICFR. Utilize the KnowledgeLeader website and perform the following: a. Authenticate to the KnowledgeLeader website using your username and password. b. Perform research and identify alternative approaches to more cost-effectively validate an organizations operating effectiveness of their ICFR. c. Prepare a VT video discussing the above requirements. Your initial video posting should be between 2-3 minutes and use a minimum of three sourced. Cite sources and references. Your video can be a voice over PowerPoint presentation or use your webcam to record your presentation. Additionally, you will need to respond to two classmates’ posts. In those responses, you are to add examples or questions that further the discussion, and cite a minimum of one source (other than the textbook or corporate annual report) within each response. You should use APA format for the citation and reference for each response. Each written response to a classmate should be between 100-200 words. Or you can record a voice/video 1 minute comment. You MUST leave a "comment" at the beginning of your VT video detailing which videos I can find your responses to your classmates to receive credit. CASE STUDIES Case Study 1 Auditing Entity-Level Controls LEARN ING OB J ECTIVES Describe why entity-level controls are a critical component of a system of internal controls. Understand how to use the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 17 basic internal control principles to evaluate entity-level controls. Define the different levels of internal control in an organization. Compare and contrast the differences between entity-level controls at the governance level and management-oversight level. Describe a top-down framework that can be used for assessing entity-level controls. Assess the overall design adequacy of entity-level controls. Apply a top-down approach to determine the nature and extent of testing at the process level and transaction level. Describe how entity-level controls may be found within the five internal control components in COSO’s Internal Control – Integrated Framework. Design and conduct tests of entity-level controls. As discussed in chapter 6, “Internal Control,” entity-level controls are very broadly focused and often deal with the organizational environment or atmosphere. They are designed to mitigate risks that exist at the organizationwide level, including those that arise internally as well as externally. Entity-level controls also serve to support, complement, and reinforce process-level and transaction-level controls. Additionally, these controls have a pervasive effect on the achievement of many business objectives. Adequately designed and effectively operating entity-level and process-level controls work in unison and serve as an organization’s defense against the risks that threaten the achievement of business objectives. Chapter 13, “Conducting the Assurance Engagement,” goes on to say that while it is important to understand the process-level tasks and controls, it is also important to understand how the entity-level controls may influence the performance of a process. Weaknesses in entity-level controls can allow the circumvention of well-designed controls within a process. For example, if organizationwide policies tend to be informal and inconsistently enforced, then policies specific to the process subject to audit might be undermined and may not be as relevant or as important to understanding the process as they otherwise would be. Similarly, if there is little entity-level commitment to attracting, training, and developing competent employees in key areas requiring decision-making abilities and complex judgments, the testing approach may need to Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA Page 1 CASE STUDIES Case Study 1: Auditing Entity-Level Controls be altered as less reliance can be placed on controls performed at the process level by individuals unable to perform complex or highly judgmental tasks. Management typically completes its own assessment or a series of assessments of the organization’s entitylevel controls at periodic intervals (for example, annually or quarterly). Such assessments are based on tests conducted around the time of the assessment, as well as other tests that may have been completed in connection with separate assessments (such as assessments of an ERM program, a compliance program, or certain IT general controls). Management considers the results of its entity-level control assessments when evaluating and opining on the organization’s overall system of internal controls. Likewise, the internal audit function must consider management’s results as well as their own independent assessment of entity-level controls when developing an internal audit plan and designing tests of process-level and transaction-level controls. Since an assessment of an organization’s entity-level controls is made at periodic intervals, it typically will not be necessary to perform an assessment of the effectiveness of entity-level controls on each engagement. However, the internal auditor should consider the results of the entity-level controls assessment when planning individual engagements to ensure the approach to testing process-level and transaction-level controls is effective and efficient. IMPORTANCE OF ENTITY-LEVEL CONTROLS It should be intuitive that not all controls are created equal. For example, as discussed in chapter 13, a variety of actions make up a process. All may have a role in achieving the final result, but only a few are truly critical to the outcome; that is, their absence would make it difficult to achieve the desired result. These critical actions are referred to as key controls. Similarly, controls at the organizational level may impact the system of internal controls differently than the more tactical controls at the process level or transaction level. Therefore, it is important to understand how such controls, particularly those that operate across the entire organization (that is, entity-level controls), may impact the system of internal controls. One of the most widely publicized and well known examples of entity-level controls breaking down is Enron Corporation. While Enron was known to have sophisticated controls and risk management capabilities supporting many of its detailed processes, breakdowns in controls at the board and senior management levels contributed to one of the most significant company failures in history. A closer look at what went wrong at Enron, as well as with some other highly publicized financial failures, can provide a glimpse into the importance of strong entity-level controls. Exercise 1: Research Enron Corporation (U.S.A.), WorldCom (U.S.A.), Wells Fargo (U.S.A.), Volkswagen (Germany), and Barings Bank (England). Be prepared to answer the following questions: What were the primary causes for each of these failures? Which of those causes appear to represent entity-level control breakdowns? What actions by the board or management may have prevented these breakdowns from occurring? After answering the questions in the exercise above, it should be clear why it is so important for organizations to establish a strong entity-level control environment. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA Page 2 CASE STUDIES Case Study 1: Auditing Entity-Level Controls HISTORICAL AND CURRENT PERSPECTIVES ON ENTITY-LEVEL CONTROLS Most types of entity-level controls have been in existence for many years. Many such controls are intuitive and would be implemented by organizations whether required by regulations or not (for example, establishing governance bodies and implementing a code of ethics). Others have become commonplace in reaction to frauds or other scandals (for example, whistleblower hotlines). Regardless of the reasons behind establishing and implementing such controls, until the creation of control models there was not a recognition that certain types of controls have a profound influence on the effectiveness of all other controls and, as such, the effectiveness of the overall system of internal controls. As discussed in chapter 6, all controls are designed to mitigate risk either at the enterprise level or at the operational level within an organization. The original COSO Internal Control – Integrated Framework, issued in 1992, used the terms “entity level” and “activity level” (“business process” in the 2013 revised Framework) respectively to describe these controls. While this framework established definitions and context for controls at the entity level, there was little practical guidance developed to assist organizations in conducting a comprehensive evaluation of the design adequacy or operating effectiveness of such controls. Generally, there was little guidance developed from other sources over the next 10 to 12 years. In 2006, COSO published the guide Internal Control over Financial Reporting – Guidance for Smaller Public Companies, in which the terminology for these concepts was changed to “entitywide” and “process level” respectively. This publication defined entitywide controls as controls that occur at the entity level of 1 a company and have a pervasive influence across the organization. Entitywide controls may exist in any of the five components of internal control. Other important points this COSO guidance included were: Management considers entitywide controls that are pervasive across the company when evaluating whether controls are sufficient to address identified risks. Management then makes informed decisions as to which processes need additional controls. There are 20 basic principles representing the fundamental concepts that are important in achieving effective internal control. It should be noted that, while this former COSO guidance tended to focus on internal control over financial reporting, these principles apply to the other control categories (operational efficiency and effectiveness and compliance with applicable laws and regulations) as well. In 2011, COSO began a revision of the 1992 Framework, which, after several exposures and revisions, was issued in 2013. One of the major changes in the revised Framework was the inclusion of 17 basic principles representing concepts considered critical to implement the control elements. These 17 principles were derived from the 20 principles found in the 2006 Internal Control over Financial Reporting – Guidance for Smaller Public Companies. Exercise 2: Go to COSO’s website (www.coso.org) and review the Executive Summary of the 2013 revised COSO’s Internal Control – Integrated Framework, which is available at no cost. Review the 17 principles. Consider, and be prepared to discuss, why each of these 17 principles is important when evaluating the effectiveness of entitywide—that is, entity-level—controls. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA Page 3 CASE STUDIES Case Study 1: Auditing Entity-Level Controls The increase in large-scale financial failures, scandals, and bankruptcies since 2002 was the catalyst for several countries to pass or expand regulations to help restore investor confidence. These regulations focused in part on improving the reliability of internal control over financial reporting. Many required affected organizations to adopt an internal control framework, and, as such, provided heightened focus on the importance of entity-level controls. For example, in the United States, both the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) specifically mentioned the importance of conducting control evaluations at the entity level. The PCAOB’s Auditing Standard No. 5 (AS5) refers to such controls as entity-level controls. AS5 stated that “Some entity-level controls: …such as certain control environment controls, have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented…might affect the other controls…and the nature, timing, and extent of [testing].” …monitor the effectiveness of other controls…identify possible breakdowns in lower-level controls, but not at a level of precision…address the risk of misstatement…might allow the auditor to reduce testing of other controls.” …might be designed to operate at a level of precision that would adequately prevent or detect…misstatements…. If [it] sufficiently addresses the assessed risk of misstatement…need not test additional controls relating to that risk .”2 AS5 goes on to state that “Entity-level controls include: Controls related to the control environment; Controls over management override; The company’s risk assessment process; Centralized processing and controls, including shared service environments; Controls to monitor results of operations; Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; Controls over the period-end financial reporting process; and 3 Policies that address significant business control and risk management practices.” However, application-oriented guidance continued to be sparse and, therefore, these evaluations tended to follow a checklist approach and were not linked directly with lower-level control evaluations. As a result, the benefits of effective entity-level controls were not fully realized in the first few years after issuance of these regulations. Exercise 3: Research internal control regulations from your home country and two other countries. Determine which of these regulations; Specifically mention entity-level controls and their role in the system of internal control. Provide a definition of entity-level controls. Provide guidance regarding how to evaluate such controls. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA Page 4 CASE STUDIES Case Study 1: Auditing Entity-Level Controls DEFINITIONS OF DIFFERENT LEVELS OF CONTROLS It should be clear that controls operate at different levels in the organization. Since there are no widely recognized definitions related to these control levels, the authors developed definitions that capture concepts that are applicable to any system of internal controls and are consistent with what has been taught throughout the textbook. The definitions are: Entity-Level Controls: Controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved. Examples of entity-level controls include, but are not limited to: Code of ethics. Risk management policies and procedures. Fraud prevention and detection program. Human resources policies and procedures. Management’s control deficiency escalation process. Variance analyses. IT general controls. Governance Controls: Entity-level controls established by the board and senior management (for example, the CEOs) to: 1. Establish the control culture and expectations of the organization. Examples include: Audit committee oversight of internal controls. Senior management’s attitude toward financial reporting. The board and senior management’s risk appetite. 2 . Prescribe guidance that pervasively supports strategic objectives and affects the overall system of internal controls. Examples include: Code of Ethics and compliance policies. Organization-level risk assessment. IT policies. Monitoring business units’ performance. Management-Oversight Controls: Entity-level controls established by management (for example, business unit and line management) to mitigate risks threatening the business unit and to provide assurance that business unit objectives are achieved. These controls are generally consistent in nature among business units but may vary in their execution from one business unit to another. Examples include: Monthly analyses of budget versus actual results. IT physical and environmental controls. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA Page 5 CASE STUDIES Case Study 1: Auditing Entity-Level Controls Business unit-level risk committees and activities. Certain period-end controls. Process-Level Controls: Non-entity-level controls established by process owners to mitigate the risks threatening the process and to provide assurance that process objectives are achieved. These controls are generally consistent in nature across processes but may vary in their execution from one process to another. Examples include: Reconciliations of key accounts. Physical verifications of assets (such as inventory counts). Process employee supervision and performance evaluations. Process-level risk assessments. Monitoring/oversight of specific transactions. Transaction-Level Controls: Non-entity-level controls implemented to mitigate the risks threatening the execution of individual transactions and to provide assurance that transaction objectives are achieved. These controls are generally consistent in nature among different types of transactions but may vary in their execution from one transaction type to another. Examples include: Authorizations. Documentation (such as source documents). Segregation of duties. IT application controls (input, processing, output). As defined above, entity-level controls consist of two different types of controls—governance controls and management-oversight controls. Some current literature refers to these types of controls as indirect and direct controls, and while those characteristics typically are consistent with the nature of governance and management-oversight controls, those descriptions do not encompass the source of such controls and, as such, the authors prefer the definitions provided above. Process-level and transaction-level controls are not entity-level controls, but rather operate at a lower level within the organization. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA Page 6 CASE STUDIES Case Study 1: Auditing Entity-Level Controls EXHIBIT CS 1-1 TOP-DOWN VIEW OF ENTERPRISE RISK MANAGEMENT Inherent Risk (Gross Risk) Entity-Level Controls Governance Controls & Management-Oversight Controls Process-Level Controls Transaction-Level Additional Mitigating & Compensating Controls Residual Risk (Net Risk) Residual Risk Should Be