Internal Control Audit and Compliance. Graham Lynford

      Cover image: © iStock.com/kentoh

      Cover design: Wiley

      Copyright © 2015 by John Wiley & Sons, Inc. All rights reserved.

      Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

      Published simultaneously in Canada.

      No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

      Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

      For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

      Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

       Library of Congress Cataloging-in-Publication Data:

      Graham, Lynford.

      Internal control audit and compliance: documentation and testing under the new COSO framework / Lynford Graham.

      1 online resource. – (Wiley corporate F&A series)

      Includes index.

      Description based on print version record and CIP data provided by publisher; resource not viewed.

      ISBN 978-1-118-99621-8 (cloth); ISBN 978-1-118-99647-8 (ebk); ISBN 978-1-118-99630-0 (ebk) 1. Auditing, Internal. I. Title.

      HF5668.25

      657.458 – dc 3

      2014035947

      Preface

      Much has been learned in the decade since corporations, other entities, and auditors started re-reading the 1992 COSO Internal Controls Framework document to understand their mandates to document and assess internal controls. We have been through a version of the guidance targeted to smaller public companies (2006) and special guidance for unscrambling what is meant by Monitoring (2009). In 2013 we were presented with the updated Framework that will replace that prior COSO literature after December 15, 2014, and serve as our basis for going forward. Many entities that began the COSO process in 2002-2003 have not made major changes in their approach since that time. The revised Framework provides an excellent opportunity to re-examine past practices and seek improvements and efficiencies, since some level of change is likely to be necessary anyway.

      It is likely that the COSO Internal Controls Framework will be around in some form throughout our working lives. Some still fail to embrace its goals and others work hard to find ways to try to change the laws and standards or short-cut the required assessment procedures. Still others are starting to recognize some of the benefits that can be realized from effective controls and more orderly and automated processes.

      This book will look back on some of the “lessons learned” as experienced by entities and auditors. We will examine some of the academic and professional literature that provides wider insight than can be obtained from solely one entity's experience. As we face the new Framework, we will consider efficient approaches to migrate entities from current approaches to the new guidance with a minimum of disruption and effort. As with any process, the assessment benefits from periodic reconsideration and improvements, and this book can assist in implementing more effective solutions in that update process.

      We are now into the second and for some the third round of staff and management changes over the controls documentation and assessment project. In the natural order of things, systems are known to deteriorate over time. From my observation, that is a real challenge to all entities – “how to keep the music playing.” Internal control pioneers in the early 2000s period had a lot to learn and not much time to learn it. Many of those warriors have now moved on, up, or out. How do we properly train new team members in the use of our developed tools and also fully explain the concepts we are trying to achieve? If approached as a paint-by-numbers exercise, the end product may look acceptable (from a distance) but still not meet the main objective. Controls “101” remains a requested topic on the speaker circuit for the benefit of new project members and helps fill the gaps in understanding by those already involved in projects. This book will also try to provide some history and context from which to understand not just how to do the tasks, but to understand why they are being done and how to make the project more meaningful and valuable to the entity – and in that process, facilitate working with the independent auditors in an efficient and effective way.

      This volume is meant to supplement, not replace, the COSO Framework documents. An investment in the actual Framework is worthwhile and undoubtedly at some point with some Principle or Point of Focus, you will need to dig as deep as possible into the Approaches and Examples to find a nugget you can use in crafting your assessment of how the Principle is being met. This volume cannot possibly (or legally) reproduce all the potential COSO reference material you may wish to refer to as your project proceeds.

      Some suggestions, based on first readers' comments as to how to get the most out of this volume include:

      • Use the material in this volume first to get the lay-of-the-land and understand the concepts underlying the revised Framework.

      • Use the guidance here to make an initial mapping of the current state of your assessment to what COSO 2013 is seeking.

      • Look at the suggested tools in this volume and in the illustrative templates in the COSO template