Internal Controls From A to Z
Transcript of Internal Controls From A to Z
2 Internal Controls From A to Z | May 25, 2021
Joshua Bowen, CPA, CGMA, CAMS
Joshua Bowen is a Member in Warren Averett’s Audit Division, serves on the Firm’s Audit Best Practice Leader Committee and is part of the Firm’s Financial Services and Public Sector Industry Groups. He began his public accounting career in 2005 and has provided auditing, attestation and consulting services to a variety of industries, including healthcare; however, he has focused heavily on providing external and internal audits and Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) compliance consulting to financial institutions. Each year, he performs multiple presentations and trainings throughout the Southeast on topics ranging from current expected credit losses (CECL) to enterprise risk management (ERM) and internal auditing. He also leads young professionals, selected by Firm leaders, to engage them in a “think-tank” environment to pursue ideas and solutions that are innovative, meaningful, practical, actionable, creative and transformative.
Professional and Community Affiliations and Accomplishments
• American Institute of Certified Public Accountants
• Alabama Society of Certified Public Accountants, Audit Committee Member and Advisory Council Member, Montgomery Chapter
• Association of Certified Anti-Money Laundering Specialists, Alabama Chapter
• Georgia Bankers Association, Bank Accountant Section Board Member
• Risk Management Association
• Leadership Montgomery, Torchbearer Class X
• 2019 Young Alumnus of the Year, Troy University, School of Accountancy
Education
Bachelor of Science in Accounting
Master of Business Administration
Troy University, Troy, AL
May I Take Your Order?
Considerations:
1. Risk assessment and impacts to strategy, financials, etc.
2. Understanding the environment (walkthrough)
3. Control testing to determine effectiveness
4. Risk appetite considerations
5. Determine if mitigating controls are necessary
6. Execute, rely, etc.
McKesson & Robbins Case (1939)
Broad, Samuel J.; Coates, Charles F.; Hurdman, F. H.; and American Institute of Accountants. Special Committee, "McKesson & Robbins case" (1939). AICPA Committees. 188. https://egrove.olemiss.edu/aicpa_comm/188
As a result, the SEC indicated interest in several broad questions related to auditing and accounting.
• Should it be the duty of auditors to make at least some spot checks of inventory, and some test by direct confirmation of accounts receivable?
• Should auditors take independent steps to ascertain whether companies with whom their clients do business actually exist, or are in a position to discharge their obligations to the client?
• To what extent should accountants go behind original documents which support the accounts, such as invoices, to prove their authenticity?
• What is the accountant’s responsibility with respect to fire insurance coverage on assets owned by his client?
• To what extent should accountants investigate the operation of the client’s system of internal check to assure themselves not only that the system is adequate but that it is actually being followed?
• What is the difference between a balance-sheet examination and an audit, and should auditors disclose more fully in their certificates or otherwise the scope of their examination, or any variations from what may be considered a standard examination?
• What reliance should the public be entitled to place on auditors’ reports; for example, may they properly expect that the assets actually exist or that fraud will have been disclosed?
• How closely should partners supervise the work of staff accountants; to what extent, if any, does the employment of temporary men in the busy season reduce the effectiveness of auditing; to what extent does the pressure of time under which all staff men work in the busy season reduce the effectiveness of auditing?
• To what extent should directors participate in the engagement of auditors, and discuss with them the scope of their work? When acting as directors, do company officers consider themselves as employers or employees of the president?
McKesson & Robbins Case (1939)
Securities and Exchange Commission: Summary of Findings and Conclusions (12/5/1940)
United States. Securities and Exchange Commission, "In the matter of McKesson & Robbins, Inc., File No. 1-1435: Securities Exchange Act of 1934, Section 21 (a); Summary of findings and conclusions" (1940). Federal Publications. 107. https://egrove.olemiss.edu/acct_fed/107
McKesson & Robbins raised multiple issues, many directly related to internal controls:
• CPA responsibility to detect material fraud – even if it involves collusion
• Purpose of the study of internal control
• A CPA’s testing of internal controls should lead to a full knowledge of the manner that transactions are handled.
• SEC expanded the definition of internal controls beyond the accounting and financial functions.
Evolving Definition of Internal Controls
American Institute of Accountants, 1936
“Those measures and methods adopted within the organization itself to safeguard the cash and other assets of the company as well as to check the clerical aspects of the book-keeping.”
American Institute of Accountants, 1949
“Internal control comprises the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.”
COSO’s Definition of Internal Controls
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
Committee of Sponsoring Organizations (COSO)
• Private sector initiative sponsored by five organizations
• Provides thought leadership through frameworks and guidance on
  • Enterprise Risk Management (ERM)
  • Internal control
  • Fraud detection
• ERM Framework (issued in 2004 and updated in 2017)
  • Establishes a standard with a common risk definition and framework that is readily usable by management in evaluating and improving an organization’s enterprise risk management processes
5 Sponsoring Organizations:
Committee of Sponsoring Organizations (COSO)
• Issued Internal Control – Integrated Framework in 1992
• Framework included:
  • Definition of internal control
  • Components of effective internal control
  • Criteria to evaluate internal control
  • Guidance for reporting publicly on internal controls over financial reporting (ICFR)
• AICPA adopted COSO’s five components of internal control
• Sarbanes-Oxley Act/SEC rules considered COSO’s framework suitable for evaluating the effectiveness of ICFR.
Committee of Sponsoring Organizations (COSO)
• COSO updated the Internal Control – Integrated Framework in May 2013.
• The update modernized the Framework due to current business, regulatory environments and operations.
• The update included the following:
  • Expectations relating to governance oversight
  • Changes and greater complexities in businesses
  • Ways in which markets and operations have become more globalized
  • Demands and complexities in laws, rules, regulations, and standards
  • Changes in and increased use of technology
  • Expectations relating to competencies and accountabilities
  • Expectations of users relating to the prevention and detection of fraud
COSO Framework
Three categories of objectives:
1. Operations
2. Reporting
3. Compliance
Five components:
1. Control environment
2. Risk assessment
3. Control activities
4. Information & communication
5. Monitoring activities
Four entity-organizational structures:
1. Entity-level
2. Division
3. Business unit
4. Function
COSO, Internal Control – Integrated Framework, Executive Summary, https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf
COSO Framework Principles
Principles Relating to the Control Environment Component
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Principles Relating to the Risk Assessment Component
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Principles Relating to the Control Activities Component
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Principles Relating to the Information and Communication Component
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Principles Relating to the Monitoring Activities Component
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Control Limitations
Reality: there are control limitations:
• Human judgment
• External events
• Breakdowns
• Management override
• Collusion
A system of internal control cannot provide absolute assurance.
COSO 2017 Enterprise Risk Management Framework
Source: COSO’s Enterprise Risk Management—Integrating with Strategy and Performance.
Three Lines of Risk Defense
[Diagram: three lines of defense model]
• Board of Directors / Audit Committee: Perform oversight
• Executive Management Committee: Monitor performance
• 3rd Line (Independent assurance): Internal Audit (Test & verify independently)
• 2nd Line (Oversee risk): Compliance (Interpret & develop; Monitor & report) and Risk Management (Design & facilitate; Inform & educate; Monitor & report)
• 1st Line (Own and manage risk): Management, with Department Operations, Product Operations and Finance Operations, each with Process and Risk Owners
• External Audit; Regulators
• Protect from downside events; Deliver outcomes within expected ranges
Business Risk Assessment
1. Understand Business Objectives & Key Risk Indicators
2. Develop Common Risk Language
3. Identify & Document Meaningful Risks
4. Assess & Aggregate Gross Risks
5. Identify Mitigating Activities & Assess Residual Risk
6. Report & Monitor
Methodology Infrastructure
• Methodology: Common Language; Repeatable Process; Current State vs. Future State; Monitoring Process
• Enabling Activities: Tools/Templates; Project Planning; Communication; Awareness/Training
• Deliverables: Actionable Information; Risk Register; Top Risks; Risk Mitigation Strategies; Residual Risk Analysis; Board Reporting; Internal Audit Planning
Identifying Risk Areas
STRATEGIC
OPERATIONS
FINANCIAL
COMPLIANCE
Planning & Resource Allocation
Organizational Structure
Third-Party Relations/Vendor Management
Strategic Planning
Annual Budgeting
Forward Pricing
Forecasting
JVs/Alliances/Sub Contractors & Partnerships
Arrangements (Outsourcing, Franchise, etc.)
Governance
Board Performance
Tone at the Top
Control Environment
Corporate Social Responsibility
Market Dynamics
Competition
Pricing Pressures
Macro-Economic Factors
Customer & Platform Mix
Socio-Political Issues
Technological Advances
End User Perception
Product Availability
Major Initiatives
Vision & Direction
Planning & Execution
Personnel Development
Measurement & Monitoring
Technology Implementation
Business Acceptance of New Initiative
Communication & Investor Relations
Media Relations
Investor Relations
Crisis Communications
Employee Communications
Technology Enabled Communication Channels
Government Relations
Cross-Functional Communication
Reputation Management
Mergers, Acquisitions & Divestitures
Valuation & Pricing
Due Diligence
Planning, Execution & Integration
Sales & Marketing
Marketing & Advertising
Research & Development
Sales & Pricing
Technology Enabled Sales
Customer Support
Credit Financing
Government & Commercial
Contracts Management
Pricing
Measurement
Tax Implications
Environmental
Natural Events
Terror & Malicious Acts
Health & Safety
Disaster Recovery
People/Human Resources
Culture
Recruiting & Retention
Development & Performance
Succession Planning
Compensation & Benefits
Labor Relations
Training
Information Technology
IT Management
IT Security/Access
IT Availability/Continuity
IT Integrity
IT Resources
IT Infrastructure
Cyber Incidents
Data Security & Privacy
Assets
Real Estate
Fixed Assets
Inventory
Intellectual Property Protection
Supply Chain
Master Planning & Forecasting
Subcontractor
Procurement & Vendor Management
Materials Management & Inventory
Production
Distribution
Transportation & Logistics
Product Defects & Returns
Warranty
Accounting & Reporting
Accounting, Reporting & Disclosure
Reporting & Information Integrity
Internal Control/J-SOX
Liquidity Risk Management
Cash Management
Capital Funding
Working Capital Management
Credit & Collections (DSO)
Insurance
Pension Funding
Market
Interest Rate
Foreign Currency
Commodities
Derivatives
Tax
Tax Strategy & Planning
Tax Optimization
Transfer Pricing
Indirect Taxes
Sales & Use Tax
Capital Structure
Debt
Equity
Stock-Based Compensation
Regulatory
Trade
Government Contracts
Customs
Labor
Securities
Environment
Data Protection & Privacy
Product Quality/Safety
Health & Safety
Competitive Practices/Anti-Trade
Tax Compliance & Audit Management
Sales & Marketing
J-SOX
Credit Financing
Anti-Bribery
Legal
Contract
Liability
Intellectual Property
Anti-Corruption (FCPA)
Franchise Agreements
Code of Conduct
Ethics
Fraud
Determining a Common Language
Impact
Extreme
• Catastrophic impact on profitability where over xx% of EBITDA is lost
• Loss of reputation or brand value that may take 3-5 years to recover
• Loss of key alliances
• Serious loss in market share
• Events and problems will require significant Board and senior management attention
Significant
• Significant impact on profitability where over xx% of EBITDA is lost
• Loss of reputation or brand value that may take 1-3 years to recover
• Key alliances threatened
• Serious loss in market share
• Events and problems will require Board and senior management attention
Moderate
• Moderate impact on profitability where over xx% of EBITDA is lost
• Loss of reputation or brand value that involves widespread, adverse media coverage and/or potentially involves litigation
• Situation will require management attention
Low
• Low impact on profitability where over xx% of EBITDA is lost
• Loss of reputation or brand value that involves local adverse media coverage
• Consequences can be absorbed under normal operating conditions
Minimal
• Insignificant impact on profitability where little or no EBITDA is lost ($x million)
• No potential impact on market share
Likelihood
• Almost Certain: Event is expected to occur in most circumstances, 90% chance of occurrence in the next 12 months or 4 times over the next 5 years
• Likely: Event will probably occur in most circumstances, 55% chance of occurrence in the next 12 months or 3 times over the next 5 years
• Possible: Event should occur at some time, 25% chance of occurrence in the next 12 months or two times over the next five years
• Unlikely: Event should occur at some time, 10% chance of occurrence in the next 12 months or once every five years
• Remote: Event may occur in exceptional circumstances, less than 5% chance of occurrence in the next 12 months or once over five years
Determining Risk Appetite
[Figure: risk heat map. Axes: Likelihood (Remote, Unlikely, Possible, Likely, Almost Certain) and Impact (Catastrophic, Significant, Moderate, Low, Minimal). Risk Category: Extreme, High, Substantial, Minor, Insignificant.]
Risk Assessment Documentation
Risk 1
• Risk Description: Risk of virus transmission due to the lack of proper sanitation.
• Gross Risk: Impact Significant; Likelihood Likely; Gross Risk Score Extreme
• Mitigating Activities of Controls: Policies and procedures require that temperatures be checked upon entering the building, sitting areas must be distanced by at least 6 feet, masks must be worn in common areas, and hand sanitation units are placed throughout the office. Additionally, a 3rd-party will provide sanitation fogging in high traffic areas daily and Company staff will sanitize highly touched surfaces at least 3 times daily.
• Residual Risk: Impact Moderate; Likelihood Possible; Score Substantial
• ERM Desired Risk Level: Minor
Risk 2
• Risk Description: Due to supply and demand, obtaining adequate supplies may be limited or delayed.
• Gross Risk: Impact Moderate; Likelihood Likely; Gross Risk Score High
• Mitigating Activities of Controls: A local distillery is increasing production and the company recently signed an agreement where sanitation supplies will be purchased and placed in stock.
• Residual Risk: Impact Low; Likelihood Possible; Score Minor
• ERM Desired Risk Level: Minor
Fraud Red Flags
Red Flags for fraud:
• An employee with disbursement processing responsibilities who refuses to take more than a couple of days of vacation at a time.
• Control Issues – An employee who is over-controlling or overprotective of responsibilities.
• Behavioral changes indicating possible drug, alcohol or gambling addiction.
• Employee lifestyle changes: financial or significant debt issues, divorce, expensive cars/homes, etc.
• High employee turnover, especially in areas vulnerable to fraud.
• Wheeler/dealer type attitude.
• Suspicious or defensive behavior.
RATIONALIZATION (Justification)
2020 Report to the Nations
Source: 2020 Report to the Nations. Copyright 2020 by the Association of Certified Fraud Examiners, Inc.; 2020-Report-to-the-Nations.pdf (acfepublic.s3-us-west-2.amazonaws.com)
Preventative Controls
Preventative controls prevent problems from occurring (PROACTIVE)
• Policies
• Training/Awareness
  • Fraud
• Hiring Practices (thorough background checks)
• Reasonable Performance Controls
• Mandatory Vacation/Job Rotation
• Solid IT Controls
• Ethics Policy
• Internal Audit
• Segregation of Duties
• Monitoring
• Adequate Documentation
• Physical safeguards
Detective Controls
Detective controls identify problems after occurrence (REACTIVE)
• Data analytics
• Data-mining
• Benford’s Law
• Physical Inspection
• Benchmarking
• Reviews
• Quality Controls
• Reconciliations
• Whistleblower Policy/Hotline
Corrective Controls
Corrective controls prevent recurrence of problems
• Revisit risk assessment process
• Submit corrective journal entries after discovering an error
• Review policies and procedures
• Changes to processes or personnel responsible
• Additional controls needed to prevent going forward
• Back-up data so it can be restored in the event of a crash or improper transaction
Risk assessments should be living documents!
Consideration of Control Design
What does the control owner do?
• Tell the story!
• Who, what, where/when, how?
Why do they do it?
• What risk is being addressed?
• Do the control activities address the risk?
What evidence supports that they did it?
• Include examples of how control owners identify and resolve potential errors.
Control Design, Implementation & Operating Effectiveness – Evidence Considerations
How can management help improve documentation and drive efficiencies?
• Maintain evidence in support of the control outlining how a conclusion was reached (e.g., emails, notations on hard copies, minutes of meetings and how follow up items were identified and resolved)
• Document the basis for key judgments and how they were evaluated
• Consider inviting auditors to observe how specific elements of the control operate (e.g., observe meetings, etc.)
• Clearly define what is the process vs. what is the design of control
• Segregation of duties between preparer and reviewer with clearly assigned responsibilities
• Define what the control owner is expected to accomplish in the execution of each control activity
• Nature of review procedures including assessment of reasonableness of data, models and assumptions suggested by an outside expert (e.g., fair value estimates, etc.)
• Establish and define the precision for each review control and gather evidence to support consistent application of precision. Note! Various levels of precision could be used in the same control – be specific.
Testing Operating Effectiveness of Controls
How to demonstrate that controls are working as designed:
1. Observation
• Seeing the physical control being performed by others to support inquiries of management and others or to ensure the control operates as expected.
2. Inquiry
• Seeking information of knowledgeable persons, both financial and nonfinancial, within the entity or outside the entity. This may range from formal written inquiries to informal oral inquiries. Evaluating and corroborating responses to inquiries is an integral part of the inquiry process.
• Note that inquiry alone is never sufficient as evidence to support a conclusion about the effectiveness of a control.
3. Reperformance
• Independent execution of procedures or controls that were originally performed as part of the entity’s internal control. (Note – An auditor cannot reperform management judgment.)
4. Inspection/examination
• Examining records or documents, whether internal or external, in paper form, electronic form, or other media, or a physical examination of an asset to assess whether internal control measures have been executed.
ICFR Readiness Assessment
• Did the Company perform a risk assessment and evaluate the overall complexity of the ICFR and required efforts?
• Are the internal resources sufficient?
• Did the Company consider using outside experts?
• Are the ICFR trainings provided to employees (control preparers and control owners) sufficient?
• Does the Company anticipate re-design of controls and/or implementation of new controls and the extent of efforts required?
• Does the Company have an ICFR readiness plan?
• Does the Company clearly assign responsibilities for the ICFR readiness plan with defined milestones and reporting to senior management and the Audit Committee?
• Does the Company assign the responsibility for the timely implementation of the ICFR readiness plan to the appropriate level of senior management?
State of ICFR: Now vs Future
Compliance Focused
• Significant portion of controls are manual controls (e.g., reconciliations)
• Few IT system controls
• Silo approach to control operations, low level of interaction between various divisions and members of management at various levels.
• Result - Deficiencies, if and when identified, are assessed and resolved
Continuous Improvement Model
• Significant level of connectivity between controls
• Significant use of IT systems controls
• Increased level of visibility for members of management at all levels to assess areas that need additional attention and respond proactively
• Result – Continuously re-assess current practices, processes and procedures, proactively identify best practices and self-correct in response to evolving internal and external factors
Management vs Auditing
Evaluating design of controls to address risk
• Management: Understand “what could go wrong” and design controls to address those risks (continuous risk assessment required)
• Auditing Standards: Obtain an understanding of the process, identify the likely sources of misstatement, identify control(s) management has in place to address such risks, and test the design effectiveness of such controls
Assessing level of precision
• Management: Design controls that adequately address the risk that a material misstatement would not be prevented or detected in a timely manner
• Auditing Standards: Understand: (1) purpose of the controls, (2) level of aggregation, (3) consistency of performance, (4) correlation to relevant risks, (5) criteria for investigation, (6) predictability of expectations, and (7) nature of review procedures performed.
Nature and extent of evidence
• Management: Responsible for maintaining evidential matter, including documentation, to provide reasonable support for its assessment
• Auditing Standards: The auditor should obtain sufficient evidence of the effectiveness of those controls that are important to determining whether the company’s controls sufficiently address the assessed risk of misstatement to each relevant assertion as of the date of management’s assessment
Assessing potential contrary evidence
• Management: Is there anything we are aware of that could suggest the results of financial reporting were not complete and accurate or the control was not effective? If so, explicitly produce evidence to support the conclusions reached
• Auditing Standards: Due professional care requires the auditor to exercise professional skepticism. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of all relevant evidence
ICFR Hot Topics for 2021
ICFR testing of design and operating effectiveness
Testing over completeness & accuracy of reports used in management’s control activities
Evaluation of whether management’s controls are responsive to risks identified by both management and the auditor
Auditing management’s estimates/judgments
Testing automated application controls, system/control configuration, report writers, and report parameters, etc.
Evaluating control deficiencies under COSO 2013 Framework and identification of compensating controls
Evaluation of management’s procedures around cybersecurity incidents
White Flag Considerations
• When it comes to internal controls, documentation is king
• Assess risk, at least annually, considering
  • Governance strategy, goals, objectives
  • Industry impacts
  • Regulatory implications
  • Economic impacts
  • Complexity of your organization
  • Residual risk and risk appetite
• Impacts of new accounting standards on operational and financial reporting controls (Leases, CECL, etc.)
• Estimates, judgements, modeling impacts
• Monitor corrective action plans, prior internal control findings
• Impacts of technology controls (ITGC) and application controls
• Think outside the box
• Know when to seek guidance
Contact Me
Joshua Bowen, CPA, CGMA, CAMS
334.782.0607 (mobile)
334.260.2364 (office)
bowencpa