Internal Controls From A to Z

Transcript of Internal Controls From A to Z

Ordinary professionals making an Extraordinary impact

2 Internal Controls From A to Z | May 25, 2021

Joshua Bowen, CPA, CGMA, CAMS

Joshua Bowen is a Member in Warren Averett’s Audit Division, serves on the Firm’s Audit Best Practice Leader Committee and is part of the Firm’s Financial Services and Public Sector Industry Groups. He began his public accounting career in 2005 and has provided auditing, attestation and consulting services to a variety of industries, including healthcare; however, he has focused heavily on providing external and internal audits and Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) compliance consulting to financial institutions. Each year, he performs multiple presentations and trainings throughout the Southeast on topics ranging from current expected credit losses (CECL) to enterprise risk management (ERM) and internal auditing. He also leads young professionals, selected by Firm leaders, to engage them in a “think-tank” environment to pursue ideas and solutions that are innovative, meaningful, practical, actionable, creative and transformative.

Professional and Community Affiliations and Accomplishments

• American Institute of Certified Public Accountants

• Alabama Society of Certified Public Accountants, Audit Committee Member and Advisory Council Member, Montgomery Chapter

• Association of Certified Anti-Money Laundering Specialists, Alabama Chapter

• Georgia Bankers Association, Bank Accountant Section Board Member

• Risk Management Association

• Leadership Montgomery, Torchbearer Class X

• 2019 Young Alumnus of the Year, Troy University, School of Accountancy

Education

Bachelor of Science in Accounting

Master of Business Administration

Troy University, Troy, AL


May I Take Your Order?

Considerations:

1. Risk assessment and impacts to strategy, financials, etc.

2. Understanding the environment (walkthrough)

3. Control testing to determine effectiveness

4. Risk appetite considerations

5. Determine if mitigating controls are necessary

6. Execute, rely, etc.


History of Internal Control: McKesson & Robbins


McKesson & Robbins Case (1939)

Broad, Samuel J.; Coates, Charles F.; Hurdman, F. H.; and American Institute of Accountants. Special Committee, "McKesson & Robbins case" (1939). AICPA Committees. 188. https://egrove.olemiss.edu/aicpa_comm/188


McKesson & Robbins Case (1939)

As a result, the SEC indicated interest in several broad questions related to auditing and accounting.

• Should it be the duty of auditors to make at least some spot checks of inventory, and some test by direct confirmation of accounts receivable?

• Should auditors take independent steps to ascertain whether companies with whom their clients do business actually exist, or are in a position to discharge their obligations to the client?

• To what extent should accountants go behind original documents which support the accounts, such as invoices, to prove their authenticity?

• What is the accountant’s responsibility with respect to fire insurance coverage on assets owned by his client?

• To what extent should accountants investigate the operation of the client’s system of internal check to assure themselves not only that the system is adequate but that it is actually being followed?

• What is the difference between a balance-sheet examination and an audit, and should auditors disclose more fully in their certificates or otherwise the scope of their examination, or any variations from what may be considered a standard examination?

• What reliance should the public be entitled to place on auditors’ reports; for example, may they properly expect that the assets actually exist or that fraud will have been disclosed?

• How closely should partners supervise the work of staff accountants; to what extent, if any, does the employment of temporary men in the busy season reduce the effectiveness of auditing; to what extent does the pressure of time under which all staff men work in the busy season reduce the effectiveness of auditing?

• To what extent should directors participate in the engagement of auditors, and discuss with them the scope of their work? When acting as directors, do company officers consider themselves as employers or employees of the president?

Broad, Samuel J.; Coates, Charles F.; Hurdman, F. H.; and American Institute of Accountants. Special Committee, "McKesson & Robbins case" (1939). AICPA Committees. 188. https://egrove.olemiss.edu/aicpa_comm/188


McKesson & Robbins Case (1939)

Securities and Exchange Commission: Summary of Findings and Conclusions (12/5/1940)

United States. Securities and Exchange Commission, "In the matter of McKesson & Robbins, Inc., File No. 1-1435: Securities Exchange Act of 1934, Section 21 (a); Summary of findings and conclusions" (1940). Federal Publications. 107. https://egrove.olemiss.edu/acct_fed/107


McKesson & Robbins Case (1939)

McKesson & Robbins raised multiple issues, many directly related to internal controls:

• CPA responsibility to detect material fraud – even if it involves collusion

• Purpose of the study of internal control

• A CPA’s testing of internal controls should lead to a full knowledge of the manner in which transactions are handled.

• SEC expanded the definition of internal controls beyond the accounting and financial functions.


Evolving Definition of Internal Controls

American Institute of Accountants, 1936

“Those measures and methods adopted within the organization itself to safeguard the cash and other assets of the company as well as to check the clerical aspects of the book-keeping.”

American Institute of Accountants, 1949

“Internal control comprises the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.”


Committee of Sponsoring Organizations (COSO)


COSO’s Definition of Internal Controls

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”


Committee of Sponsoring Organizations (COSO)

• Private sector initiative sponsored by five organizations

• Provides thought leadership through frameworks and guidance on

  • Enterprise Risk Management (ERM)

  • Internal control

  • Fraud detection

• ERM Framework (issued in 2004 and updated in 2017)

  • Establishes a standard with a common risk definition and framework that is readily usable by management in evaluating and improving an organization’s enterprise risk management processes

5 Sponsoring Organizations: American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA) and The Institute of Internal Auditors (IIA)


Committee of Sponsoring Organizations (COSO)

• Issued Internal Control – Integrated Framework in 1992

• Framework included:

  • Definition of internal control

  • Components of effective internal control

  • Criteria to evaluate internal control

  • Guidance for reporting publicly on internal controls over financial reporting (ICFR)

• AICPA adopted COSO’s five components of internal control

• Sarbanes-Oxley Act/SEC rules considered COSO’s framework suitable for evaluating the effectiveness of ICFR.


Committee of Sponsoring Organizations (COSO)

• COSO updated the Internal Control – Integrated Framework in May 2013.

• The update modernized the Framework to reflect changes in the business and regulatory environments and in operations.

• The update addressed the following:

  • Expectations relating to governance oversight

  • Changes and greater complexities in businesses

  • Ways in which markets and operations have become more globalized

  • Demands and complexities in laws, rules, regulations, and standards

  • Changes in and increased use of technology

  • Expectations relating to competencies and accountabilities

  • Expectations of users relating to the prevention and detection of fraud


COSO Framework

Three categories of objectives:

1. Operations

2. Reporting

3. Compliance

Five components:

1. Control environment

2. Risk assessment

3. Control activities

4. Information & communication

5. Monitoring activities

Four entity-organizational structures:

1. Entity-level

2. Division

3. Business unit

4. Function

COSO, Internal Control – Integrated Framework, Executive Summary, https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf


COSO Framework Principles

Principles Relating to the Control Environment Component

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Principles Relating to the Risk Assessment Component

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.


COSO Framework Principles

Principles Relating to the Control Activities Component

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Principles Relating to the Information and Communication Component

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Principles Relating to the Monitoring Activities Component

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.


Control Limitations

Reality: there are control limitations:

• Human judgment

• External events

• Breakdowns

• Management override

• Collusion

A system of internal control cannot provide absolute assurance.


Risk Assessment


COSO 2017 Enterprise Risk Management Framework

Source: COSO’s Enterprise Risk Management—Integrating with Strategy and Performance.


Three Lines of Risk Defense

Board of Directors / Audit Committee: Perform oversight

Executive Management Committee: Monitor performance

1st Line – Own and manage risk

• Management: Department Operations, Product Operations and Finance Operations, each with its Process and Risk Owners

2nd Line – Oversee risk

• Risk Management: Design & facilitate; Inform & educate; Monitor & report

• Compliance: Interpret & develop; Monitor & report

3rd Line – Independent assurance

• Internal Audit: Test & verify independently

External Audit; Regulators

Protect from downside events; Deliver outcomes within expected ranges


Business Risk Assessment

Methodology

1. Understand Business Objectives & Key Risk Indicators

2. Develop Common Risk Language

3. Identify & Document Meaningful Risks

4. Assess & Aggregate Gross Risks

5. Identify Mitigating Activities & Assess Residual Risk

6. Report & Monitor

Infrastructure

• Methodology

• Common Language

• Repeatable Process

• Current State vs. Future State

• Monitoring Process

Enabling Activities

• Tools/Templates

• Project Planning

• Communication

• Awareness/Training

Deliverables

• Actionable Information

• Risk Register

• Top Risks

• Risk Mitigation Strategies

• Residual Risk Analysis

• Board Reporting

• Internal Audit Planning


Identifying Risk Areas

STRATEGIC

• Planning & Resource Allocation: Strategic Planning; Annual Budgeting; Forward Pricing; Forecasting

• Organizational Structure

• Third-Party Relations/Vendor Management: JVs/Alliances/Sub Contractors & Partnerships; Arrangements (Outsourcing, Franchise, etc.)

• Governance: Board Performance; Tone at the Top; Control Environment; Corporate Social Responsibility

• Market Dynamics: Competition; Pricing Pressures; Macro-Economic Factors; Customer & Platform Mix; Socio-Political Issues; Technological Advances; End User Perception; Product Availability

• Major Initiatives: Vision & Direction; Planning & Execution; Personnel Development; Measurement & Monitoring; Technology Implementation; Business Acceptance of New Initiative

• Communication & Investor Relations: Media Relations; Investor Relations; Crisis Communications; Employee Communications; Technology Enabled Communication Channels; Government Relations; Cross-Functional Communication; Reputation Management

• Mergers, Acquisitions & Divestitures: Valuation & Pricing; Due Diligence; Planning, Execution & Integration

OPERATIONS

• Sales & Marketing: Marketing & Advertising; Research & Development; Sales & Pricing; Technology Enabled Sales; Customer Support; Credit Financing

• Government & Commercial Contracts Management: Pricing; Measurement; Tax Implications

• Environmental: Natural Events; Terror & Malicious Acts; Health & Safety; Disaster Recovery

• People/Human Resources: Culture; Recruiting & Retention; Development & Performance; Succession Planning; Compensation & Benefits; Labor Relations; Training

• Information Technology: IT Management; IT Security/Access; IT Availability/Continuity; IT Integrity; IT Resources; IT Infrastructure; Cyber Incidents; Data Security & Privacy

• Assets: Real Estate; Fixed Assets; Inventory; Intellectual Property Protection

• Supply Chain: Master Planning & Forecasting; Subcontractor; Procurement & Vendor Management; Materials Management & Inventory; Production; Distribution; Transportation & Logistics; Product Defects & Returns; Warranty

FINANCIAL

• Accounting & Reporting: Accounting, Reporting & Disclosure; Reporting & Information Integrity; Internal Control/J-SOX

• Liquidity Risk Management: Cash Management; Capital Funding; Working Capital Management; Credit & Collections (DSO); Insurance; Pension Funding

• Market: Interest Rate; Foreign Currency; Commodities; Derivatives

• Tax: Tax Strategy & Planning; Tax Optimization; Transfer Pricing; Indirect Taxes; Sales & Use Tax

• Capital Structure: Debt; Equity; Stock-Based Compensation

COMPLIANCE

• Regulatory: Trade; Government Contracts; Customs; Labor; Securities; Environment; Data Protection & Privacy; Product Quality/Safety; Health & Safety; Competitive Practices/Anti-Trust; Tax Compliance & Audit Management; Sales & Marketing; J-SOX; Credit Financing; Anti-Bribery

• Legal: Contract; Liability; Intellectual Property; Anti-Corruption (FCPA); Franchise Agreements

• Code of Conduct: Ethics; Fraud


Determining a Common Language

Impact

• Extreme: Catastrophic impact on profitability where over xx% of EBITDA is lost; loss of reputation or brand value that may take 3-5 years to recover; loss of key alliances; serious loss in market share; events and problems will require significant Board and senior management attention

• Significant: Significant impact on profitability where over xx% of EBITDA is lost; loss of reputation or brand value that may take 1-3 years to recover; key alliances threatened; serious loss in market share; events and problems will require Board and senior management attention

• Moderate: Moderate impact on profitability where over xx% of EBITDA is lost; loss of reputation or brand value that involves widespread, adverse media coverage and/or potentially involves litigation; situation will require management attention

• Low: Low impact on profitability where over xx% of EBITDA is lost; loss of reputation or brand value that involves local adverse media coverage; consequences can be absorbed under normal operating conditions

• Minimal: Insignificant impact on profitability where little or no EBITDA is lost ($x million); no potential impact on market share

Likelihood

• Almost Certain: Event is expected to occur in most circumstances; 90% chance of occurrence in the next 12 months or 4 times over the next 5 years

• Likely: Event will probably occur in most circumstances; 55% chance of occurrence in the next 12 months or 3 times over the next 5 years

• Possible: Event should occur at some time; 25% chance of occurrence in the next 12 months or two times over the next five years

• Unlikely: Event should occur at some time; 10% chance of occurrence in the next 12 months or once every five years

• Remote: Event may occur in exceptional circumstances; less than 5% chance of occurrence in the next 12 months or once over five years


Determining Risk Appetite

Heat map of Likelihood (Remote, Unlikely, Possible, Likely, Almost Certain) against Impact (Minimal, Low, Moderate, Significant, Catastrophic), with each cell assigned a Risk Category: Insignificant, Minor, Substantial, High or Extreme.


Risk Assessment Documentation

Each row records the risk description, its gross risk rating (Impact, Likelihood, Gross Risk Score), the mitigating activities or controls, its residual risk rating (Impact, Likelihood, Score) and the ERM desired risk level.

1. Risk of virus transmission due to the lack of proper sanitation.

  • Gross risk: Impact Significant; Likelihood Likely; Gross Risk Score Extreme

  • Mitigating activities or controls: Policies and procedures require that temperatures be checked upon entering the building, sitting areas must be distanced by at least 6 feet, masks must be worn in common areas, and hand sanitation units are placed throughout the office. Additionally, a 3rd-party will provide sanitation fogging in high traffic areas daily and Company staff will sanitize highly touched surfaces at least 3 times daily.

  • Residual risk: Impact Moderate; Likelihood Possible; Score Substantial

  • ERM desired risk level: Minor

2. Due to supply and demand, obtaining adequate supplies may be limited or delayed.

  • Gross risk: Impact Moderate; Likelihood Likely; Gross Risk Score High

  • Mitigating activities or controls: A local distillery is increasing production and the company recently signed an agreement where sanitation supplies will be purchased and placed in stock.

  • Residual risk: Impact Low; Likelihood Possible; Score Minor

  • ERM desired risk level: Minor
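The common-language scales, the heat map and the register above describe one scoring procedure: rate gross risk from impact and likelihood, re-rate after the mitigating controls, and compare the residual rating with the desired risk level. The following is an added worked example of that procedure, not code from the presentation. The axis labels and the five risk categories are those on the deck's heat map; the cell assignments in HEAT_MAP are an assumption, because the deck shows only the axes and legend, and the matrix is filled in so that it reproduces the four combinations the deck's register does show.

```python
"""Scoring a risk register: gross risk, residual risk and a check of the
residual rating against the desired risk level.

Added example; not code from the presentation. The HEAT_MAP cells are an
ASSUMPTION that reproduces the four combinations in the deck's register
(Significant/Likely -> Extreme, Moderate/Possible -> Substantial,
Moderate/Likely -> High, Low/Possible -> Minor).
"""
from dataclasses import dataclass

IMPACT = ["Minimal", "Low", "Moderate", "Significant", "Catastrophic"]
LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Almost Certain"]
CATEGORY = ["Insignificant", "Minor", "Substantial", "High", "Extreme"]

# Rows: impact (Minimal .. Catastrophic); columns: likelihood (Remote .. Almost Certain).
# Each letter is the first letter of a CATEGORY entry. ASSUMED cells, see above.
HEAT_MAP = [
    "IIIMM",  # Minimal
    "IMMSS",  # Low
    "MMSHH",  # Moderate
    "MSHEE",  # Significant
    "SHEEE",  # Catastrophic
]
_LETTER = {c[0]: c for c in CATEGORY}


def rate(impact: str, likelihood: str) -> str:
    """Map an impact label and a likelihood label to a risk category."""
    if impact not in IMPACT:
        raise ValueError(f"unknown impact level: {impact!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    return _LETTER[HEAT_MAP[IMPACT.index(impact)][LIKELIHOOD.index(likelihood)]]


def level(category: str) -> int:
    """Ordinal position of a category; higher means more risk."""
    return CATEGORY.index(category)


@dataclass
class Risk:
    number: int
    description: str
    gross_impact: str
    gross_likelihood: str
    mitigating_activities: str
    residual_impact: str
    residual_likelihood: str
    desired_level: str


def assess(risk: Risk) -> dict:
    """Rate gross and residual risk and compare the residual with the desired level.

    'consistent' is False when the residual rating is higher than the gross
    rating, which means the mitigating controls were recorded inconsistently.
    """
    gross = rate(risk.gross_impact, risk.gross_likelihood)
    residual = rate(risk.residual_impact, risk.residual_likelihood)
    return {
        "number": risk.number,
        "gross": gross,
        "residual": residual,
        "desired": risk.desired_level,
        "within_appetite": level(residual) <= level(risk.desired_level),
        "consistent": level(residual) <= level(gross),
    }


# The two rows from the deck's risk assessment documentation slide.
REGISTER = [
    Risk(1, "Risk of virus transmission due to the lack of proper sanitation.",
         "Significant", "Likely",
         "Temperature checks on entry, distanced seating, masks in common areas, "
         "hand sanitation units, daily third-party fogging, high-touch surfaces "
         "sanitized at least 3 times daily.",
         "Moderate", "Possible", "Minor"),
    Risk(2, "Due to supply and demand, obtaining adequate supplies may be limited or delayed.",
         "Moderate", "Likely",
         "Agreement with a local distillery to purchase and stock sanitation supplies.",
         "Low", "Possible", "Minor"),
]


def needs_more_mitigation(register: list) -> list:
    """Numbers of the risks whose residual rating still exceeds the desired level."""
    return [r["number"] for r in map(assess, register) if not r["within_appetite"]]


if __name__ == "__main__":
    for row in map(assess, REGISTER):
        print(row)
    print("needs more mitigation:", needs_more_mitigation(REGISTER))
```

Run as written, the register's first risk comes out Extreme gross and Substantial residual against a desired level of Minor, so it is flagged for further mitigation; the second settles at Minor, matching its desired level.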


Fraud Considerations


Fraud Red Flags

Red flags for fraud:

• An employee with disbursement processing responsibilities who refuses to take more than a couple of days’ vacation at a time.

• Control issues – an employee who is over-controlling or overprotective of responsibilities.

• Behavioral changes indicating a possible drug, alcohol or gambling addiction.

• Employee lifestyle changes: financial or significant debt issues, divorce, expensive cars/homes, etc.

• High employee turnover, especially in areas vulnerable to fraud.

• Wheeler/dealer type attitude.

• Suspicious or defensive behavior.

Rationalization (Justification)


2020 Report to the Nations

Source: 2020 Report to the Nations. Copyright 2020 by the Association of Certified Fraud Examiners, Inc.; 2020-Report-to-the-Nations.pdf (acfepublic.s3-us-west-2.amazonaws.com)


Control Considerations


Preventative Controls

Preventative controls prevent problems from occurring (PROACTIVE)

• Policies

• Training/Awareness

  • Fraud

• Hiring Practices (thorough background checks)

• Reasonable Performance Controls

• Mandatory Vacation/Job Rotation

• Solid IT Controls

• Ethics Policy

• Internal Audit

• Segregation of Duties

• Monitoring

• Adequate Documentation

• Physical safeguards


Detective Controls

Detective controls identify problems after occurrence (REACTIVE)

• Data analytics

• Data-mining

• Benford’s Law

• Physical Inspection

• Benchmarking

• Reviews

• Quality Controls

• Reconciliations

• Whistleblower Policy/Hotline
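Benford’s Law is listed above as a detective control without saying how the test is run. The following is an added example of a first-digit Benford test over a population of amounts, not code from the presentation. Benford’s Law predicts the share of each leading digit d in many naturally occurring amount populations as log10(1 + 1/d); the two populations below are constructed for the demonstration, and the per-digit threshold and chi-square critical value are the analyst’s tolerances, not figures from the deck.

```python
"""Benford's Law first-digit test as a detective control over amounts.

Added example; not code from the presentation. CLEAN and TAMPERED are
constructed populations, not real data. The 5-point per-digit threshold and
the chi-square critical value are the analyst's tolerances (assumptions).
"""
import math
from collections import Counter
from typing import Dict, List, Optional, Sequence

# Expected share of each leading digit 1..9 under Benford's Law.
EXPECTED: Dict[int, float] = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value at the 5% level with 8 degrees of freedom
# (nine digit buckets minus one).
CHI2_CRITICAL_8DF_95 = 15.507


def leading_digit(amount: float) -> Optional[int]:
    """First significant digit of an amount, ignoring sign; None for zero."""
    amount = abs(amount)
    if amount == 0:
        return None
    # Scientific notation puts the leading significant digit first.
    return int(f"{amount:.10e}"[0])


def first_digit_shares(amounts: Sequence[float]) -> Dict[int, float]:
    """Observed share of each leading digit 1..9 (zero amounts are skipped)."""
    counts = Counter(d for d in map(leading_digit, amounts) if d is not None)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    return {d: counts.get(d, 0) / n for d in range(1, 10)}


def _population_size(amounts: Sequence[float]) -> int:
    return sum(1 for a in amounts if leading_digit(a) is not None)


def chi_square(amounts: Sequence[float]) -> float:
    """Chi-square statistic of the observed digit shares against Benford."""
    observed = first_digit_shares(amounts)
    n = _population_size(amounts)
    return n * sum((observed[d] - EXPECTED[d]) ** 2 / EXPECTED[d] for d in range(1, 10))


def benford_deviations(amounts: Sequence[float], threshold: float = 0.05) -> List[int]:
    """Digits whose observed share is more than `threshold` away from Benford."""
    observed = first_digit_shares(amounts)
    return [d for d in range(1, 10) if abs(observed[d] - EXPECTED[d]) > threshold]


def benford_test(amounts: Sequence[float]) -> dict:
    """Summarize the test the way a reviewer would read it."""
    stat = chi_square(amounts)
    return {
        "n": _population_size(amounts),
        "chi_square": round(stat, 2),
        "exceeds_critical": stat > CHI2_CRITICAL_8DF_95,
        "flagged_digits": benford_deviations(amounts),
    }


# Constructed populations (not real data).
# CLEAN: a geometric series, which spreads leading digits as Benford predicts.
CLEAN = [round(100 * 1.07 ** k, 2) for k in range(200)]
# TAMPERED: the same population plus 60 invented invoices that all begin with 7.
TAMPERED = CLEAN + [round(7000 + 13.37 * k, 2) for k in range(60)]

if __name__ == "__main__":
    print("clean:   ", benford_test(CLEAN))
    print("tampered:", benford_test(TAMPERED))
```

The clean population passes both checks; the tampered one fails the chi-square test and flags digit 7 (over-represented) and digit 1 (under-represented, because the invented amounts dilute the rest). As with any detective control, a flagged digit is a reason to pull the underlying transactions for review, not a finding by itself.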


Corrective Controls

Corrective controls prevent recurrence of problems

• Revisit risk assessment process

• Submit corrective journal entries after discovering an error

• Review policies and procedures

• Changes to processes or personnel responsible

• Additional controls needed to prevent going forward

• Back-up data so it can be restored in the event of a crash or improper transaction

Risk assessments should be living documents!


Consideration of Control Design

What does the control owner do?

• Tell the story!

• Who, what, where/when, how?

Why do they do it?

• What risk is being addressed?

• Do the control activities address the risk?

What evidence supports that they did it?

• Include examples of how control owners identify and resolve potential errors.


Control Design, Implementation & Operating Effectiveness – Evidence Considerations

How can management help improve documentation and drive efficiencies?

• Maintain evidence in support of the control outlining how a conclusion was reached (e.g., emails, notations on hard copies, minutes of meetings and how follow-up items were identified and resolved)

• Document the basis for key judgments and how they were evaluated

• Consider inviting auditors to observe how specific elements of the control operate (e.g., observe meetings, etc.)

• Clearly define what is the process vs. what is the design of the control

• Segregation of duties between preparer and reviewer with clearly assigned responsibilities

• Define what the control owner is expected to accomplish in the execution of each control activity

• Nature of review procedures, including assessment of reasonableness of data, models and assumptions suggested by an outside expert (e.g., fair value estimates, etc.)

• Establish and define the precision for each review control and gather evidence to support consistent application of precision. Note! Various levels of precision could be used in the same control – be specific.


Testing Operating Effectiveness of Controls

How to demonstrate that controls are working as designed:

1. Observation

• Seeing the physical control being performed by others to support inquiries of management and others or to ensure the control operates as expected.

2. Inquiry

• Seeking information of knowledgeable persons, both financial and nonfinancial, within the entity or outside the entity. This may range from formal written inquiries to informal oral inquiries. Evaluating and corroborating responses to inquiries is an integral part of the inquiry process.

• Note that inquiry alone is never sufficient as evidence to support a conclusion about the effectiveness of a control.

3. Reperformance

• Independent execution of procedures or controls that were originally performed as part of the entity’s internal control. (Note – An auditor cannot reperform management judgment.)

4. Inspection/examination

• Examining records or documents, whether internal or external, in paper form, electronic form, or other media, or a physical examination of an asset to assess whether internal control measures have been executed.


Internal Controls Over Financial Reporting


ICFR Readiness Assessment

• Did the Company perform a risk assessment and evaluate the overall complexity of the ICFR and required efforts?

• Are the internal resources sufficient?

• Did the Company consider using outside experts?

• Are the ICFR trainings provided to employees (control preparers and control owners) sufficient?

• Does the Company anticipate re-design of controls and/or implementation of new controls, and the extent of efforts required?

• Does the Company have an ICFR readiness plan?

• Does the Company clearly assign responsibilities for the ICFR readiness plan with defined milestones and reporting to senior management and the Audit Committee?

• Does the Company assign the responsibility for the timely implementation of the ICFR readiness plan to the appropriate level of senior management?


State of ICFR: Now vs Future

Compliance Focused

• Significant portion of controls are manual controls (e.g., reconciliations)

• Few IT system controls

• Silo approach to control operations, low level of interaction between various divisions and members of management at various levels.

• Result - Deficiencies, if and when identified, are assessed and resolved

Continuous Improvement Model

• Significant level of connectivity between controls

• Significant use of IT systems controls

• Increased level of visibility for members of management at all levels to assess areas that need additional attention and respond proactively

• Result – Continuously re-assess current practices, processes and procedures, proactively identify best practices and self-correct in response to evolving internal and external factors


Management vs Auditing

Evaluating design of controls to address risk

• Management: Understand “what could go wrong” and design controls to address those risks (continuous risk assessment required)

• Auditing Standards: Obtain an understanding of the process, identify the likely sources of misstatement, identify control(s) management has in place to address such risks, and test the design effectiveness of such controls

Assessing level of precision

• Management: Design controls that adequately address the risk that a material misstatement would not be prevented or detected in a timely manner

• Auditing Standards: Understand (1) purpose of the controls, (2) level of aggregation, (3) consistency of performance, (4) correlation to relevant risks, (5) criteria for investigation, (6) predictability of expectations, and (7) nature of review procedures performed

Nature and extent of evidence

• Management: Responsible for maintaining evidential matter, including documentation, to provide reasonable support for its assessment

• Auditing Standards: The auditor should obtain sufficient evidence of the effectiveness of those controls that are important to determining whether the company’s controls sufficiently address the assessed risk of misstatement to each relevant assertion as of the date of management’s assessment

Assessing potential contrary evidence

• Management: Is there anything we are aware of that could suggest the results of financial reporting were not complete and accurate or the control was not effective? If so, explicitly produce evidence to support the conclusions reached

• Auditing Standards: Due professional care requires the auditor to exercise professional skepticism. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of all relevant evidence


ICFR Hot Topics for 2021

ICFR testing of design and operating effectiveness

Testing over completeness & accuracy of reports used in management’s control activities

Evaluation of whether management’s controls are responsive to risks identified by both management and the auditor

Auditing management’s estimates/judgments

Testing automated application controls, system/control configuration, report writers, and report parameters, etc.

Evaluating control deficiencies under COSO 2013 Framework and identification of compensating controls

Evaluation of management’s procedures around cybersecurity incidents


White Flag Considerations


White Flag Considerations

• When it comes to internal controls, documentation is king

• Assess risk, at least annually, considering

  • Governance strategy, goals, objectives

  • Industry impacts

  • Regulatory implications

  • Economic impacts

  • Complexity of your organization

  • Residual risk and risk appetite

• Impacts of new accounting standards on operational and financial reporting controls (Leases, CECL, etc.)

• Estimates, judgments, modeling impacts

• Monitor corrective action plans, prior internal control findings

• Impacts of technology controls (ITGC) and application controls

• Think outside the box

• Know when to seek guidance

Contact Me

Joshua Bowen, CPA, CGMA, CAMS

334.782.0607 (mobile)

334.260.2364 (office)

[email protected]

bowencpa