
of Internal Control

In view of legislative action--for example, the Foreign Corrupt Practices Act, the
Federal Deposit Insurance Corporation Improvement Act, the Sarbanes-Oxley
Act, the Securities and Exchange Commission final rules, and private sector
initiatives of the self-regulatory organizations--the board of directors will rely
increasingly on the audit committee for assurance that management is complying
with the internal accounting control provisions of the act, and the New York Stock
Exchange listing standards. To assist the committee with its task, this chapter
examines the meaning of internal control, the recent developments regarding the
responsibilities for such controls, and the role of the audit committee.


MEANING OF INTERNAL CONTROL
Definition and Basic Concepts
In October 1987, the National Commission on Fraudulent Financial Reporting
concluded:

An element within the company of overriding importance in preventing fraudulent
financial reporting is the tone set by top management that influences the corporate
environment within which financial reporting occurs. To set the right tone, top
management must identify and assess the factors that could lead to fraudulent
financial reporting; all public companies should maintain internal controls that provide
reasonable assurance that fraudulent financial reporting will be prevented or subject
to early detection--this is a broader concept than internal accounting controls--and
all public companies should develop and enforce effective, written codes of
corporate conduct. As a part of its ongoing assessment of the effectiveness of internal
controls, a company’s audit committee should annually review the program that
management establishes to monitor compliance with the code. The Commission also
recommends that its sponsoring organizations cooperate in developing additional,
integrated guidance on internal controls.1




1. National Commission on Fraudulent Financial Reporting, Report of the National Commission on
Fraudulent Financial Reporting (Washington, DC: NCFFR, 1987), p. 11.


236 Monitoring the System of Internal Control


Such recommendations reaffirm the congressional legislation dealing with the
internal accounting control provision of the Foreign Corrupt Practices Act, which is
designed to reduce the incidence of fraudulent financial reporting.
In April 1988, the Auditing Standards Board of the AICPA published its
definition of internal control structure:

An entity’s internal control structure consists of the policies and procedures
established to provide reasonable assurance that specific entity objectives will be
achieved. Although the internal control structure may include a wide variety of
objectives and related policies and procedures, only some of these may be relevant
to an audit of the entity’s financial statements. Generally, the policies and procedures
that are relevant to an audit pertain to the entity’s ability to record, process,
summarize, and report financial data consistent with the assertions embodied in the
financial statements. Other policies and procedures, however, may be relevant if they
pertain to data the auditor uses to apply auditing procedures. For example, policies
and procedures pertaining to nonfinancial data that the auditor uses in analytical
procedures, such as production statistics, may be relevant in an audit.2

Furthermore, the Auditing Standards Board stated that an entity’s internal
control structure consists of these elements:

• The control environment
• The accounting system
• Control procedures3


The Board defined these three elements in this way:

Control environment: The collective effect of various factors on establishing,
enhancing, or mitigating the effectiveness of specific policies and procedures. Such
factors include (1) management philosophy and operating style, (2) organizational
structure, (3) the function of the board of directors and its committees, (4) methods
of assigning authority and responsibility, (5) management control methods, (6) the
internal audit function, (7) personnel policies and practices, and (8) external
influences concerning the entity.
Accounting system: The methods and records established to identify, assemble,
analyze, classify, record, and report an entity’s transactions and to maintain
accountability for the related assets and liabilities.
Control procedures: The policies and procedures in addition to the control
environment and accounting system that management has established to provide
reasonable assurance that specific entity objectives will be achieved.4



2. Statement on Auditing Standards No. 55, “Consideration of the Internal Control Structure in a
Financial Statement Audit” (New York: AICPA, 1988), par. 6.
3. Ibid., par. 8.
4. Ibid., par. 67.


In September 1992, the Committee of Sponsoring Organizations (COSO) of
the Treadway Commission issued its final report, Internal Control-Integrated
Framework. COSO defines and describes internal control as functioning to:

1. Establish a common definition serving the needs of different parties.
2. Provide a standard against which business and other entities--large or small,
in the public or private sector, for profit or not--can assess their control
systems and determine how to improve them.

Internal control is broadly defined as a process, effected by an entity’s board
of directors, management and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations5

An executive summary of COSO’s four-volume report is presented in Appendix I
on this book’s website, which contains the five interrelated components of
internal control.
In June 1994, COSO published an addendum, which stated in part: The new
addendum “encourages managements that report to external parties on controls
over financial reporting to also cover controls over safeguarding of assets against
unauthorized acquisition, use or disposition.” Those controls, according to the
addendum, should be “designed to provide reasonable assurance regarding
prevention or timely detection of unauthorized acquisition, use or disposition of the
entity’s assets that could have a material effect on the financial statements.”6
COSO provided the illustrative report shown in Exhibit 8.1.
As discussed in Appendix F on this book’s website, the Federal Deposit Insurance
Corporation Improvement Act of 1991 requires that management and the
independent auditors report on the internal control structure over financial reporting
and compliance with specified laws and regulations. In response, the Auditing
Standards Board has issued two Statements on Standards for Attestation
Engagements: SSAE No. 2, “Reporting on an Entity’s Internal Control Structure over
Financial Reporting,” and SSAE No. 3, “Compliance Attestation.” More specifically,
SSAE No. 2 deals with the independent auditor’s report on management’s
assertion regarding the effectiveness of the entity’s internal control structure.
When management presents its assertion in a separate report that will accompany
the independent auditor’s report, the form of report is as shown in Exhibit 8.2.
With respect to SSAE No. 3 and management’s assertion in a separate report
that will accompany the independent auditor’s report, the form of the report is
illustrated in Exhibit 8.3.

5. Committee of Sponsoring Organizations of the Treadway Commission, Internal Control-Integrated
Framework (New York: AICPA, 1992), p. 1. For additional reading, see Statement on Auditing
Standards No. 78, “Consideration of Internal Control in a Financial Statement Audit: An Amendment to
SAS No. 55” (New York: AICPA, 1995) and copies of the four-volume COSO report, which may be
obtained from the AICPA. Also see Thomas P. Kelley, “The COSO Report: Challenge and
Counterchallenge,” Journal of Accountancy 175, No. 2 (February 1993), pp. 10-18. For a good discussion on
internal control, see Wanda A. Wallace, Handbook of Internal Accounting Controls, 2nd ed.
(Englewood Cliffs, NJ: Prentice-Hall, 1991); and Michael W. Maher, David W. Wright, and William R.
Kinney, Jr., “Assertions-Based Standards for Integrated Internal Control,” Accounting Horizons 4, No. 4
(December 1990), pp. 1-8.
6. Committee of Sponsoring Organizations of the Treadway Commission, Addendum to “Reporting to
External Parties” (New York: AICPA, 1994), p. 1.


Exhibit 8.1 Illustrative Report: Reporting to External Parties

XYZ Company maintains a system of internal control over financial reporting and[a] over
safeguarding of assets against unauthorized acquisition, use or disposition which is
designed to provide reasonable assurance to the Company’s management and board of
directors regarding the preparation of reliable published financial statements and such asset
safeguarding. The system contains self-monitoring mechanisms, and actions are taken to
correct deficiencies as they are identified. Even an effective internal control system, no
matter how well designed, has inherent limitations--including the possibility of the
circumvention or overriding of controls--and therefore can provide only reasonable assurance
with respect to financial statement preparation and such asset safeguarding. Further,
because of changes in conditions, internal control system effectiveness may vary over time.
The Company assessed its internal control system as of December 31, 20XX in relation to
criteria for effective internal control over financial reporting described in “Internal
Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the
Treadway Commission. Based on this assessment, the Company believes that, as of
December 31, 20XX, its system of internal control over financial reporting and[a] over
safeguarding of assets against unauthorized acquisition, use or disposition met those criteria.

Source: Committee of Sponsoring Organizations of the Treadway Commission, Addendum to
“Reporting to External Parties” (New York: AICPA, 1994), p. 7. Copyright (c) 1994 by the American
Institute of Certified Public Accountants, Inc. Reprinted with permission.
[a] In circumstances where all controls over safeguarding of assets against unauthorized acquisition,
use or disposition fall within the category of controls over financial reporting, “and” may be changed
to “including.”


RESPONSIBILITY FOR THE SYSTEM OF INTERNAL CONTROL
Management Certification
As described in Chapter 2, Section 302(a) of the Sarbanes-Oxley Act of 2002 and
the SEC’s final rule require a registrant’s chief executive officer (CEO) and chief
financial officer (CFO) to certify each quarterly and annual report. Moreover, the
SEC rule requires registrants to maintain disclosure controls and procedures and
assess their effectiveness; included are internal controls over financial reporting
and compliance controls to ensure adherence to SEC disclosure requirements.7

7. This CEO and CFO certification is in addition to the certification required under Section 906(a) of
the Act. This criminal provision requires that the CEO and CFO certification accompany each periodic
report that includes financial statements.



Exhibit 8.2 Independent Accountant’s Report, SSAE No. 2

[Introductory paragraph]
We have examined management’s assertion [identify management’s assertion, for example,
that W Company maintained an effective internal control over financial reporting as of
December 31, 20XX] included in the accompanying [title of management report].
[Scope paragraph]
Our examination was made in accordance with standards established by the American
Institute of Certified Public Accountants and, accordingly, included obtaining an
understanding of the internal control over financial reporting, testing, and evaluating the design
and operating effectiveness of the internal control and such other procedures as we
considered necessary in the circumstances. We believe that our examination provides a
reasonable basis for our opinion.
[Inherent limitations paragraph]
Because of inherent limitations in any internal control, misstatements due to error or fraud
may occur and not be detected. Also, projections of any evaluation of the internal control
over financial reporting to future periods are subject to the risk that the internal control
may become inadequate because of changes in conditions, or that the degree of compliance
with the policies or procedures may deteriorate.
[Opinion paragraph]
In our opinion, management’s assertion [identify management’s assertion, for example,
that W Company maintained an effective internal control over financial reporting as of
December 31, 20XX] is fairly stated, in all material respects, based upon [identify stated or
established criteria]


Source: Statement on Standards for Attestation Engagements No. 2, “Reporting on an Entity’s
Internal Control Structure Over Financial Reporting” (New York: AICPA, 1993), par. 51. See also
Professional Standards, U.S. Auditing Standards/Attestation Standards, Vol. 1, AT Sec. 400.46. For
further reference, see Joseph Takacs, “Attestation Engagements on Internal Control Structure over
Financial Reporting,” CPA Journal 63, No. 8 (August 1993), pp. 48-53. This standard has been
recodified as Section 501 of SSAE No. 10.




Internal Control Reporting
As noted in Chapter 2, Section 404(a) of the Sarbanes-Oxley Act requires the
SEC to issue rules requiring annual reports to contain an assessment of the
effectiveness of internal control over financial reporting. Additionally, Section 404(b)
of the act requires the Public Company Accounting Oversight Board to issue
standards for independent auditors to attest to management’s report on internal control.
Recognizing that the Federal Deposit Insurance Corporation Improvement Act of
1991 requires managements of many insured depository institutions to report on
the effectiveness of internal control over financial reporting as well as the
independent auditors’ report on management’s assertions, the forthcoming standards
are more likely to reflect the current auditing standards, which are consistent with
the COSO report.



Exhibit 8.3 Independent Accountant’s Report, SSAE No. 3

[Introductory paragraph]
We have examined management’s assertion about [name of entity]’s compliance with [list
specific compliance requirements] during the [period] ended [date] included in the
accompanying [title of management report]. Management is responsible for [name of
entity]’s compliance with those requirements. Our responsibility is to express an opinion on
management’s assertion about the entity’s compliance based on our examination.
[Scope paragraph]
Our examination was made in accordance with standards established by the American
Institute of Certified Public Accountants and, accordingly, included examining, on a test
