internal controls, impact on audit process and document retention (3)

8/11/2019 Internal Controls, Impact on Audit Process and Document Retention (3)

1/22

2010LarsonAllenLLP

1

INTERNAL CONTOLS, IMPACT

ON AUDIT PROCESS &

DOCUMENT RETENTION

Presented by:

Joe Van Vynckt, CPAJason Bakke, CPA, CCIFP


2/22

2010LarsonAllenLLP

2

Objectives: Understand how information technology and

virtual desktops can impact a companys

internal control environment Understand how technology advancements and

paperless transaction processing / storage

impact the financial statement audit by CPAs Review document retention suggestions for both

corporate governance and IRS requirements


3/22

2010LarsonAllenLLP

3

Internal Controls:

How does information technology impact theCompany's control environment


4/22

2010LarsonAllenLLP

4

WHY INTERNAL CONTROLS MATTER:

Internal controls are the processes, methods

and measures used by an organization to:

Monitor assets

Prevent fraud

Minimize errors

Verify correctness and reliability of management data Promote operational efficiency

Ensure the established managerial policies are

followed

Source: Dictionary of Accounting Terminology


5/22

2010LarsonAllenLLP

5


Not just an accounting term! Should not be viewed

that way by management

Internal control effects all aspects of the business,

including:

Ensuring protection over business assets and information

Protecting future growth

Safety of your employees

Creating reliable information to make effective and accurate

business decisions

Remaining competitive

Holding employees accountable


6/22

2010LarsonAllenLLP

6


Examples:

Segregation of duties

Authorization and documentation of transactions

Supervision and review of personnel or operations

Account reconciliation

Contract administration:

Managing bid process & budgeting Change order management

Job costing and reporting procedures

Billing and collection policies

Security policies: physical assets locks, GPS, cameras

data / systems passwords, permissions and access logs


7/22

2010LarsonAllenLLP

7


Internal Control Weaknesses Commonly Seen inthe Construction Industry:

Failure to comply with established policies Paid invoices lack proper authorization

Unreconciled accounts / unresolved discrepancies

Lack of segregation of duties

Long-term contract reporting discrepancies: accurateand timely financial information is not available foruse by management or operations personnel

Change order management: failure to obtain proper

approval, documentation, resulting in lost revenue Lack of control over equipment: use, utilization and

reporting


8/22

2010LarsonAllenLLP

8


Why do CPAs spend so much time evaluating thedesign and implementation of our clients

internal control? We have tofor good reason! Understanding the control environment is one of the

best ways to determine the risks of financial

misstatement or misappropriation of assets(theft/fraud)

As a result of control structure, we may: Verify controls and procedures have been properly designed,

implemented and are effective Target our audit procedures to areas perceived as higher risk

or lacking more effective internal controls


9/22

2010LarsonAllenLLP

9


Company owners and senior management should

have the same attitude as the CPAs:

Evaluate: Understand your companys internalcontrol structure to better identify risks of

misstatement (either intentional or inadvertent) or

theft/fraud

Design: Identify opportunities to continually improve

the control environment and control policies

Verify: Ensure policies and procedures are

implemented and being followed


10/22

2010L

arsonAllenLLP

10

How do technological

advancements impactinternal controls?


11/22

2010LarsonAllenLLP

11

Internal Control Concepts:

Traditional vs. Technological Regardless of the platform, internal control concepts are

largely the same; however they operate very differentlydepending on the level of technologic integration of the

IT system.

Committee of Sponsoring Organizations (COSO) breaksdown risk management and internal controls into 5interrelated components: Control Environment

Risk Assessment

Control Activities / Policies

Information and Communication

Monitoring


12/22

2010LarsonAllenLLP

12


Traditional vs. Technological1) CONTROL ENVIRONMENT:

Often referred to as the Tone at the Top

The integrity, ethics and competence of the companys people

Management's philosophy and operating style

Method to assign authority and responsibility and develop its

people

Attention and direction provided by the ownership and/or board

The control environment is the foundation for all other

components of internal control, providing discipline andstructure.

In a highly technological environment, greater emphasis on data

security and systems practices.


13/22

2010LarsonAllenLLP

13


Traditional vs. Technological2) RISK ASSESSMENT:

The identification and analysis of relevant risks to the organization.

Will form the basis to determine how risks should be managed

Both internal and external

Considerations should include:

Inherent risks: Nature

Complexity and level of judgment needed

Susceptibility to fraud

The effect of a risk on the organization Existence of previous issues

Mitigating factors that already exist


14/22

2010LarsonAllenLLP

14


Traditionalvs.

Technological

Traditional:Design: Emphasis on personnel policies and

manual documentation

Workflow Physical transfer of paper frominitiator to approver to processor(s)

Transaction approval - form of signature / initialsby party responsible for approval

Verification - Visual by individual responsibletransaction process

Asset security Physical observation and locks

Equipment and payroll reporting Manualtimecards and approval; data entry asadministrative function. Batches post weekly to

job costing LTC reporting project managers maintain off-

line cost estimates and submit updatedinformation to acctg. on monthly basis

Segregation of duties policies enforced byinternal audit or re-verification

3) CONTROL ACTIVITES:

Policies and procedures that help ensure that management

directives are carried outTechnological:Design: Emphasis on system controls, permissions

and paperless workflow Workflow Requests and messages automatically

queued to required reviewer

Transaction approval - form of electronic signatureor other system authorization

Verification System will not allow furtherprocessing unless proper approval exist

Asset secur ity GPS, bar-coding & physical security

Equipment and payroll reporting employee andequipment time captured on-site or electronically,approved within the system, single-entry, available in

job cost system immediately. LTC reporting project managers maintain costs,

estimates & quantities on the enterprise system.Information available for management and reportingimmediately

Segregation of duties policies enforced by systempermissions, passwords and IT audit or verification


15/22

2010LarsonAllenLLP

15

n erna on ro oncep s:

Traditionalvs.

Technological

Traditional: Timing Information and reporting

generally available on a periodic basis(weekly or monthly)

Company-standard, multi-usereports Everyone gets the sameinformation. Not necessarily theinformation they need or use

Distribution Physical or by e-mail

Communication Action Items andother communication require initiationfrom someone else.

4) INFORMATION AND COMMUNICATION:Addresses the needs of the organization to identify, capture, and communicate

information to the right people.

Enable operations and support personnel to carry out their responsibilities Enable management to make informed business decisions

External reporting bank, surety, project owners or investors

Technological: Timing Information and reporting

generally available real-time. Asaccurate as the data in the system

Tailored Reports Personnel receivethe information they need to function:

Dashboard

Custom report generation

Distribution On desktop, pda, etc

Communication System-generatedreminders or communication based onevents, levels or system parameters


16/22

2010LarsonAllenLLP

16

n erna on ro oncep s:

Traditionalvs.

Technological

Traditional:

Personnel Reliance Personnel areexpected and relied upon to enforce

system of procedures and controls

Internal Audit Either formal or

informal, re-verification by 3

rd

party thatprocedures are being followed

Evaluation of efficacy how

effectively does the control or proceduremitigate the risk identified?

5) MONITORING:

Technological:

System Design Account permissions and limitations

Password management

IT and Controls Audit Verification that the IT system design is

intact and operating as planned Internal audit of non-IT processes,

procedures and controls

Evaluation of efficacy how

effectively does the control or

procedure mitigate the risk identified?


17/22

2010LarsonAllenLLP

17

Impact on Audit

Process:

How does technological advances / paperless

transaction processing / storage impact the audit of

the financial statements by CPAs.


18/22

2010LarsonAllenLLP

18

AUDIT IMPACT:

CPAS are required to understand the Companys

internal control structure and processes,

including: Administration over information technology

Segregation of IT duties

Systems development Physical and online security

Hardware controls


19/22

2010LarsonAllenLLP

19

AUDIT IMPACT:

Impact of IT on the Audit Process:

If effective IT controls are in place, may reduce

substantive testing Control testing Parallel Simulation, Embedded Audit

Module

If ineffective IT controls are in place, may increase

risk of material misstatement Systematic errors vs. random errors

Increase substantive testing

Internal control deficiencies in the IT function can lead

to communication to those charged with governance.


20/22

2010

LarsonAllenLLP

20

Document Retention


21/22

2010LarsonAllenLLP

21

DOCUMENT RETENTION IRS Requirements:

IRS has determined that electronic imaging and otherelectronic data storage systems constitute adequate recordsunder internal revenue code (sec. 6001)

Recordkeeping Requirements - IRS reasonable controls to ensure the integrity, accuracy, and reliability

of the electronic storage system

reasonable controls to prevent and detect the unauthorizedcreation, alteration or deletion of records

an inspection and quality assurance program, including periodicchecks of electronically stored books and records;

a retrieval system that includes an indexing system

the ability to reproduce legible and readable hardcopies

Source: IRS Rev. Proc. 97-22


22/22

2010LarsonAllenLLP

22

DOCUMENT RETENTION General Guidelines:

internal controls, impact on audit process and document retention (3)

Documents