Page 161 - Accounting Information Systems
132 PART I Overview of Accounting Information Systems
procedures. Apart from their audience orientation, the two frameworks are essentially the same and
interchangeable for SOX compliance purposes. The key elements of the SAS 78/COSO framework are
presented in the following section.
SAS 78/COSO INTERNAL CONTROL FRAMEWORK
The SAS 78/COSO framework consists of five components: the control environment, risk assessment,
information and communication, monitoring, and control activities.
The Control Environment
The control environment is the foundation for the other four control components. The control
environment sets the tone for the organization and influences the control awareness of its management and
employees. Important elements of the control environment are:
The integrity and ethical values of management.
The structure of the organization.
The participation of the organization’s board of directors and the audit committee, if one exists.
Management’s philosophy and operating style.
The procedures for delegating responsibility and authority.
Management’s methods for assessing performance.
External influences, such as examinations by regulatory agencies.
The organization’s policies and practices for managing its human resources.
SAS 78/COSO requires that auditors obtain sufficient knowledge to assess the attitude and awareness
of the organization’s management, board of directors, and owners regarding internal control. The follow-
ing paragraphs provide examples of techniques that may be used to obtain an understanding of the control
environment.
1. Auditors should assess the integrity of the organization’s management and may use investigative
agencies to report on the backgrounds of key managers. Some of the “Big Four” public accounting
firms employ former FBI agents whose primary responsibility is to perform background checks on
existing and prospective clients. If cause for serious reservations comes to light about the integrity of
the client, the auditor should withdraw from the audit. The reputation and integrity of the company’s
managers are critical factors in determining the auditability of the organization. Auditors cannot
function properly in an environment in which client management is deemed unethical and corrupt.
2. Auditors should be aware of conditions that would predispose the management of an organization to
commit fraud. Some of the obvious conditions may be lack of sufficient working capital, adverse
industry conditions, bad credit ratings, and the existence of extremely restrictive conditions in bank
or indenture agreements. If auditors encounter any such conditions, their examination should give
due consideration to the possibility of fraudulent financial reporting. Appropriate measures should be
taken, and every attempt should be made to uncover any fraud.
3. Auditors should understand a client’s business and industry and should be aware of conditions
peculiar to the industry that may affect the audit. Auditors should read industry-related literature and
familiarize themselves with the risks that are inherent in the business.
4. The board of directors should adopt, as a minimum, the provisions of SOX. In addition, the following
guidelines represent established best practices.
Separate CEO and chairman. The roles of CEO and board chairman should be separate. Executive
sessions give directors the opportunity to discuss issues without management present, and an
independent chairman is important in facilitating such discussions.
Set ethical standards. The board of directors should establish a code of ethical standards from
which management and staff will take direction. At a minimum, a code of ethics should address
such issues as outside employment conflicts, acceptance of gifts that could be construed as bribery,
falsification of financial and/or performance data, conflicts of interest, political contributions,