internal controls, impact on audit process and document retention (3)
TRANSCRIPT
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
1/22
2010LarsonAllenLLP
1
INTERNAL CONTOLS, IMPACT
ON AUDIT PROCESS &
DOCUMENT RETENTION
Presented by:
Joe Van Vynckt, CPAJason Bakke, CPA, CCIFP
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
2/22
2010LarsonAllenLLP
2
Objectives: Understand how information technology and
virtual desktops can impact a companys
internal control environment Understand how technology advancements and
paperless transaction processing / storage
impact the financial statement audit by CPAs Review document retention suggestions for both
corporate governance and IRS requirements
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
3/22
2010LarsonAllenLLP
3
Internal Controls:
How does information technology impact theCompany's control environment
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
4/22
2010LarsonAllenLLP
4
WHY INTERNAL CONTROLS MATTER:
Internal controls are the processes, methods
and measures used by an organization to:
Monitor assets
Prevent fraud
Minimize errors
Verify correctness and reliability of management data Promote operational efficiency
Ensure the established managerial policies are
followed
Source: Dictionary of Accounting Terminology
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
5/22
2010LarsonAllenLLP
5
WHY INTERNAL CONTROLS MATTER:
Not just an accounting term! Should not be viewed
that way by management
Internal control effects all aspects of the business,
including:
Ensuring protection over business assets and information
Protecting future growth
Safety of your employees
Creating reliable information to make effective and accurate
business decisions
Remaining competitive
Holding employees accountable
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
6/22
2010LarsonAllenLLP
6
WHY INTERNAL CONTROLS MATTER:
Examples:
Segregation of duties
Authorization and documentation of transactions
Supervision and review of personnel or operations
Account reconciliation
Contract administration:
Managing bid process & budgeting Change order management
Job costing and reporting procedures
Billing and collection policies
Security policies: physical assets locks, GPS, cameras
data / systems passwords, permissions and access logs
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
7/22
2010LarsonAllenLLP
7
WHY INTERNAL CONTROLS MATTER:
Internal Control Weaknesses Commonly Seen inthe Construction Industry:
Failure to comply with established policies Paid invoices lack proper authorization
Unreconciled accounts / unresolved discrepancies
Lack of segregation of duties
Long-term contract reporting discrepancies: accurateand timely financial information is not available foruse by management or operations personnel
Change order management: failure to obtain proper
approval, documentation, resulting in lost revenue Lack of control over equipment: use, utilization and
reporting
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
8/22
2010LarsonAllenLLP
8
WHY INTERNAL CONTROLS MATTER:
Why do CPAs spend so much time evaluating thedesign and implementation of our clients
internal control? We have tofor good reason! Understanding the control environment is one of the
best ways to determine the risks of financial
misstatement or misappropriation of assets(theft/fraud)
As a result of control structure, we may: Verify controls and procedures have been properly designed,
implemented and are effective Target our audit procedures to areas perceived as higher risk
or lacking more effective internal controls
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
9/22
2010LarsonAllenLLP
9
WHY INTERNAL CONTROLS MATTER:
Company owners and senior management should
have the same attitude as the CPAs:
Evaluate: Understand your companys internalcontrol structure to better identify risks of
misstatement (either intentional or inadvertent) or
theft/fraud
Design: Identify opportunities to continually improve
the control environment and control policies
Verify: Ensure policies and procedures are
implemented and being followed
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
10/22
2010L
arsonAllenLLP
10
How do technological
advancements impactinternal controls?
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
11/22
2010LarsonAllenLLP
11
Internal Control Concepts:
Traditional vs. Technological Regardless of the platform, internal control concepts are
largely the same; however they operate very differentlydepending on the level of technologic integration of the
IT system.
Committee of Sponsoring Organizations (COSO) breaksdown risk management and internal controls into 5interrelated components: Control Environment
Risk Assessment
Control Activities / Policies
Information and Communication
Monitoring
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
12/22
2010LarsonAllenLLP
12
Internal Control Concepts:
Traditional vs. Technological1) CONTROL ENVIRONMENT:
Often referred to as the Tone at the Top
The integrity, ethics and competence of the companys people
Management's philosophy and operating style
Method to assign authority and responsibility and develop its
people
Attention and direction provided by the ownership and/or board
The control environment is the foundation for all other
components of internal control, providing discipline andstructure.
In a highly technological environment, greater emphasis on data
security and systems practices.
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
13/22
2010LarsonAllenLLP
13
Internal Control Concepts:
Traditional vs. Technological2) RISK ASSESSMENT:
The identification and analysis of relevant risks to the organization.
Will form the basis to determine how risks should be managed
Both internal and external
Considerations should include:
Inherent risks: Nature
Complexity and level of judgment needed
Susceptibility to fraud
The effect of a risk on the organization Existence of previous issues
Mitigating factors that already exist
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
14/22
2010LarsonAllenLLP
14
Internal Control Concepts:
Traditionalvs.
Technological
Traditional:Design: Emphasis on personnel policies and
manual documentation
Workflow Physical transfer of paper frominitiator to approver to processor(s)
Transaction approval - form of signature / initialsby party responsible for approval
Verification - Visual by individual responsibletransaction process
Asset security Physical observation and locks
Equipment and payroll reporting Manualtimecards and approval; data entry asadministrative function. Batches post weekly to
job costing LTC reporting project managers maintain off-
line cost estimates and submit updatedinformation to acctg. on monthly basis
Segregation of duties policies enforced byinternal audit or re-verification
3) CONTROL ACTIVITES:
Policies and procedures that help ensure that management
directives are carried outTechnological:Design: Emphasis on system controls, permissions
and paperless workflow Workflow Requests and messages automatically
queued to required reviewer
Transaction approval - form of electronic signatureor other system authorization
Verification System will not allow furtherprocessing unless proper approval exist
Asset secur ity GPS, bar-coding & physical security
Equipment and payroll reporting employee andequipment time captured on-site or electronically,approved within the system, single-entry, available in
job cost system immediately. LTC reporting project managers maintain costs,
estimates & quantities on the enterprise system.Information available for management and reportingimmediately
Segregation of duties policies enforced by systempermissions, passwords and IT audit or verification
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
15/22
2010LarsonAllenLLP
15
n erna on ro oncep s:
Traditionalvs.
Technological
Traditional: Timing Information and reporting
generally available on a periodic basis(weekly or monthly)
Company-standard, multi-usereports Everyone gets the sameinformation. Not necessarily theinformation they need or use
Distribution Physical or by e-mail
Communication Action Items andother communication require initiationfrom someone else.
4) INFORMATION AND COMMUNICATION:Addresses the needs of the organization to identify, capture, and communicate
information to the right people.
Enable operations and support personnel to carry out their responsibilities Enable management to make informed business decisions
External reporting bank, surety, project owners or investors
Technological: Timing Information and reporting
generally available real-time. Asaccurate as the data in the system
Tailored Reports Personnel receivethe information they need to function:
Dashboard
Custom report generation
Distribution On desktop, pda, etc
Communication System-generatedreminders or communication based onevents, levels or system parameters
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
16/22
2010LarsonAllenLLP
16
n erna on ro oncep s:
Traditionalvs.
Technological
Traditional:
Personnel Reliance Personnel areexpected and relied upon to enforce
system of procedures and controls
Internal Audit Either formal or
informal, re-verification by 3
rd
party thatprocedures are being followed
Evaluation of efficacy how
effectively does the control or proceduremitigate the risk identified?
5) MONITORING:
Technological:
System Design Account permissions and limitations
Password management
IT and Controls Audit Verification that the IT system design is
intact and operating as planned Internal audit of non-IT processes,
procedures and controls
Evaluation of efficacy how
effectively does the control or
procedure mitigate the risk identified?
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
17/22
2010LarsonAllenLLP
17
Impact on Audit
Process:
How does technological advances / paperless
transaction processing / storage impact the audit of
the financial statements by CPAs.
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
18/22
2010LarsonAllenLLP
18
AUDIT IMPACT:
CPAS are required to understand the Companys
internal control structure and processes,
including: Administration over information technology
Segregation of IT duties
Systems development Physical and online security
Hardware controls
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
19/22
2010LarsonAllenLLP
19
AUDIT IMPACT:
Impact of IT on the Audit Process:
If effective IT controls are in place, may reduce
substantive testing Control testing Parallel Simulation, Embedded Audit
Module
If ineffective IT controls are in place, may increase
risk of material misstatement Systematic errors vs. random errors
Increase substantive testing
Internal control deficiencies in the IT function can lead
to communication to those charged with governance.
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
20/22
2010
LarsonAllenLLP
20
Document Retention
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
21/22
2010LarsonAllenLLP
21
DOCUMENT RETENTION IRS Requirements:
IRS has determined that electronic imaging and otherelectronic data storage systems constitute adequate recordsunder internal revenue code (sec. 6001)
Recordkeeping Requirements - IRS reasonable controls to ensure the integrity, accuracy, and reliability
of the electronic storage system
reasonable controls to prevent and detect the unauthorizedcreation, alteration or deletion of records
an inspection and quality assurance program, including periodicchecks of electronically stored books and records;
a retrieval system that includes an indexing system
the ability to reproduce legible and readable hardcopies
Source: IRS Rev. Proc. 97-22
-
8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)
22/22
2010LarsonAllenLLP
22
DOCUMENT RETENTION General Guidelines: