WO2009091613A2 - Method and system for auditing internal controls - Google Patents

Info

Publication number
WO2009091613A2
Authority
WO
WIPO (PCT)
Application number
PCT/US2009/000374
Other languages
French (fr)
Other versions
WO2009091613A3 (en
Inventor
L. Scott Spradling
Stephen W. Lindsey
Original Assignee
Thomson Reuters Global Resources
Application filed by Thomson Reuters Global Resources
Priority to AU2009205677A (patent AU2009205677A1)
Priority to CA2711935A (patent CA2711935C)
Priority to EP09702141A (patent EP2248079A4)
Publication of WO2009091613A2
Publication of WO2009091613A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02 Banking, e.g. interest calculation or account maintenance
    • G06Q40/06 Asset management; Financial planning or analysis
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • the present invention relates to the provision of and tools to assist in the provision of professional services, specifically including auditing services, preparing financial statements, and conducting internal and external audits of internal controls and practices. More particularly, the present invention relates to computer-implemented tools, resources, and processes for assisting in these efforts.
  • GAAS Generally accepted auditing standards
  • GAAP Generally accepted accounting principles
  • IFRS International Financial Reporting Standards
  • SEC Securities and Exchange Commission
  • SOX Sarbanes-Oxley Act
  • COSO Committee Of Sponsoring Organizations
  • the COSO framework provides a generally recognized appropriate industry/professional standard for performing evaluation of internal controls, including five elements or factors to be considered when evaluating internal controls: 1) control environment; 2) risk assessment; 3) information and communication; 4) monitoring; and 5) control activities.
  • Although GAAP and GAAS provide guidelines by which auditors should conduct audits, there is a significant amount of leeway, and many variables leave it to the professional and his or her assessments to determine the set of procedures required under the particular set of circumstances. This may also depend on the purpose and the intended audience to receive and interpret/rely on the report, and whether the entity being audited is public or non-public or governmental.
  • SOX 404 Associated with audits, as well as in-house efforts to establish and maintain internal control practices, SOX 404 requires public companies to (i) establish, maintain, and assess their internal control over financial reporting and (ii) obtain an opinion of their independent auditors as to the effectiveness of their internal control.
  • One overriding goal of internal control over financial reporting is to promote the preparation of reliable financial statements. Assessing internal control practices is essential to identify material weaknesses and risks that may cause a material misstatement in the financial statements.
  • the SEC in its Statement on Management's Report on Internal Control Over
  • Risk-based testing requires management to prioritize areas of the company's financial statements according to relative levels of risk of misstatement.
  • the risk-based approach requires extensive testing of related controls.
  • the SEC guided management to identify controls related to each relevant area of a company's financial statements and to design appropriate documentation and testing procedures relative to each such area's risk level.
  • the SEC provided that testing programs should be designed to assess those internal controls that affect the reliability of financial reporting and lead to "reasonable assurance" of reliability and not absolute assurance. Accordingly, testing programs need not test every step but must be sufficient to support a conclusion that the process meets the control objective.
  • SEC guides that testing programs should focus on the objective of controls in determining the overall effectiveness, rather than individual steps. Where a control deficiency is uncovered through testing and assessment, a quantitative analysis is performed to determine its level of significance.
  • PCAOB directs its guidance to professionals involved in providing audits.
  • PCAOB guidance provides that auditors should integrate the internal control audit with the financial statements audit; exercise judgment to tailor audits to specific risks; use a top-down approach that begins with company-level controls to identify for further testing only the accounts and processes that are relevant to internal control over financial reporting; use risk assessment to remove accounts and processes that represent a remote risk of material misstatement.
  • the PCAOB guides auditors to review and assess whether client systems of internal financial controls provide reasonable assurance that financial statements do not contain material misstatements.
  • PCAOB guides auditors to take a "top-down" approach in audits of internal controls, meaning that auditors should first concentrate on company-level controls and then on significant accounts, and should examine significant processes before individual controls.
  • the PCAOB guides auditors to use a risk-based approach in auditing internal controls to reduce costs while increasing audit effectiveness by focusing efforts on areas of higher risk.
  • the present invention addresses the shortcomings of the prior art and provides, among other things, a powerful computer-implemented tool to assist in auditing internal controls and for generating procedures, conducting audits, preparing financial statements, and coordinating documents and other work product. More particularly, the present invention relates to a system of creating and generating auditing procedures, and assessing internal controls, in response to identified risks and risk assessments. In one respect, the invention provides a professional services audit tool that includes an application that performs a variety of functions such as completing certain audit planning processes/forms (including assessing risks related to the financial statements being audited and assessing internal controls), offering a top-down and risk-based approach to assessing internal controls.
  • the internal control assessment invention may be used in combination with other auditing tools and programs, e.g., Thomson Corporation's PPC SMART e-Practice suite of products.
  • the present invention utilizes efforts and data collected in performing risk assessments to help assess design deficiencies and overall effectiveness of internal controls.
  • the present invention provides test procedures to assist the auditor, internal or external, in assessing internal controls.
  • the present invention may be integrated with audit tools, such as
  • the tool allows auditors to apply a "how to, risk-based, top-down" process for efficiently evaluating internal control over financial reporting and, where desired, testing only the minimum number of controls necessary to support reduced control risk assessments and limit substantive testing.
  • the tool may be an integrated component of audit solutions, such as the SMART e-Practice Aid suite, allowing the auditor to optimize the overall audit planning process. Since the process delivered by this tool is based on the extensive experience of recognized experts in the internal control field, the tool provides auditors with increased confidence in evaluating internal control and identifying control risks.
  • the auditor as described in the present invention is intended to include every person who may use the program to assess risk facing an enterprise and internal controls implemented to alleviate such risks.
  • the applications in the context of auditing cover, for example, the following categories: accounting, audit & attest; compilation and review; non-profit organizations; governments; specialized industries; and bookkeeping services.
  • audit procedures are created using a logic system based primarily on the input of assertions associated with Risk of Material Misstatement (RMM), but include such other facts as fraud risks.
  • RMM Risk of Material Misstatement
  • the present invention associates such identified risks with internal control components, audit areas, transaction classes, and internal control items and presents the risks to the user involved in assessing and testing internal controls.
  • assert means representations that are embodied in components being audited.
  • the present invention is intended to be medium-neutral, being equally capable as a desktop program, a web-enabled program, a web-based program, and any variation thereof, being broad enough to include all future mediums.
  • the present invention provides a computer-implemented method for assessing a plurality of internal financial control items.
  • the method includes: (a) presenting the plurality of internal financial control items; (b) processing an input set associated with at least some of the plurality of internal financial control items; and (c) generating a set of assessment information based on the processed input set.
  • the method may further include one or more of: (d) prior to presenting, automatically grouping and presenting a subset of the plurality of internal financial control items based on a user input related to an assessment of risk; (e) prior to presenting, automatically presenting a previously identified risk associated with one or both of an audit area and a transaction class associated with a subset of the plurality of internal financial control items; (g) receiving a user test input designating an internal financial control item for testing and presenting a set of test procedures associated with the designated internal financial control item; (h) documenting assessments with the set of test procedures; (i) receiving from a user a plurality of inputs representing user assessment of the effectiveness of internal financial control items and presenting a summary of the effectiveness assessments; (j) receiving a set of user
  • the present invention provides a system for assessing risks associated with internal financial controls.
  • the system includes: a computer having an associated memory, display, and input device and adapted to execute code; a graphical user interface adapted to operate on the computer and adapted to present a plurality of internal financial control items, the graphical user interface further adapted to receive user inputs related to the set of internal financial control items via the input device; and a code set adapted to be executed on the computer and adapted to process the user inputs to generate a set of assessment information based on the received user inputs.
  • the present invention provides a computer-implemented method for assessing a plurality of internal control items.
  • the method includes: (a) automatically grouping and presenting a subset of internal control items based on an assessment of risk associated with one or more internal control items included in the subset of internal control items; (b) processing a set of inputs associated with at least some of the subset of internal control items; and (c) generating a set of assessment information based on the processed set of inputs.
  • the internal control items may relate to one or more of compliance, operational, financial, and regulatory controls.
  • the present invention builds on existing practice aids to provide an integrated audit planning and risk assessment approach to engagements.
  • the invention provides an audit tool that allows auditors to complete audit planning documentation, identify and capture audit risks affecting the engagement, provide a risk-based approach to presenting internal controls information to users integrated with and responsive to auditor risk assessments, customize aspects with user-friendly GUI and drag and drop functionality, and produce tailored practice aids for the engagement.
  • the present invention may be used to automate the audit planning and internal control assessment process, optimize judgments, improve linkage between audit risk and internal controls, increase audit effectiveness and reduce risk, and increase consistency across audit engagements.
  • FIG. 1 depicts an exemplary system embodiment of the present invention
  • Fig. 2 depicts a flowchart illustrating one embodiment of the present invention
  • FIG. 3A depicts a screen shot illustrating exemplary functionality for use in conjunction with the present invention
  • FIG. 3B depicts a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention
  • Fig. 4 depicts a screen shot illustrating exemplary control environment functionality for use in conjunction with the present invention
  • Fig. 5 depicts a screen shot illustrating exemplary control environment functionality for presenting internal control items grouped by control component in conjunction with the present invention
  • Fig. 6 depicts a screen shot illustrating exemplary control environment functionality for presenting control deficiency functionality in conjunction with the present invention
  • Fig. 7 depicts a screen shot illustrating exemplary control environment functionality for presenting control deficiency functionality in conjunction with the present invention
  • FIG. 8 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention
  • FIG. 9 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention
  • Fig. 10 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention
  • Fig. 11 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention
  • Fig. 12 is a screen shot illustrating exemplary system documentation and evaluation related to accounts receivable audit area for use in conjunction with the present invention
  • Fig. 13 is a screen shot illustrating exemplary system documentation and evaluation related to accounts receivable audit area for use in conjunction with the present invention
  • Fig. 14 is a screen shot illustrating exemplary system documentation and evaluation related to general computer controls activities for use in conjunction with the present invention
  • Fig. 15 is a screen shot illustrating exemplary summary of design effectiveness functionality for use in conjunction with the present invention
  • Fig. 16 is a screen shot illustrating exemplary summary of design effectiveness functionality for use in conjunction with the present invention
  • Fig. 17 is a screen shot illustrating exemplary test procedures functionality for use in conjunction with the present invention
  • Fig. 18 is a screen shot illustrating exemplary exception summary functionality for use in conjunction with the present invention
  • Fig. 19 is a screen shot illustrating exemplary control risk assessment functionality for use in conjunction with the present invention
  • Fig. 20 is a screen shot illustrating exemplary diagnostics functionality for use in conjunction with the present invention
  • the invention provides a professional services audit tool that includes an application that performs a variety of functions such as completing certain audit planning processes/forms (including assessing risks related to the financial statements being audited), offering a tailored set of audit programs based on the assessed risks, allowing users to further tailor the suggested audit programs, and rendering these audit programs in a helpful format, e.g., Thomson Corporation's PPC SMART e-Practice Aids format.
  • each user also must own and have a valid license installed of an associated "practice aid," e.g., Thomson's e-Practice Aid product.
  • the practice aid corresponds to one of eleven audit types, also referred to herein as "titles.”
  • An exemplary list of audit types or titles that are supported by the Risk Assessment system of the present invention includes: Guide to Audits of Nonpublic Companies; Guide to PCAOB Audits (i.e., audits of publicly-traded companies); Guide to Audits of Nonprofit Organizations; Guide to Audits of Local Governments; Guide to Audits of Employee Benefit Plans; Guide to Construction Contractors; Guide to Dealerships; Guide to Audits of Financial Institutions; Guide to Homeowners' Associations and Other Common Interest Realty Associations; Guide to HUD Audits; and Guide to Single Audits (audits that comply with government and non-profit "single audit" rules, regulations and guidelines).
  • controls or control procedures shall refer to internal control procedures, including internal accounting control procedures, including the procedures that management has adopted or devised to provide management with some degree of assurance that the objectives of the accounting information system will be achieved.
  • a control risk is the risk that a material misstatement will not be detected or prevented by the entity's internal control on a timely basis.
  • COSO refers to Committee of Sponsoring Organizations of the Treadway Commission, which issued a report titled Internal Control — Integrated Framework (the COSO Report).
  • the COSO Report has increasingly become a widely accepted framework for sound internal control among U.S. entities.
  • Identified risk refers to a risk discovered in an engagement that could result in material misstatement of the financial statements.
  • Internal Control refers to a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, specifically in the following categories: Efficiency and effectiveness of operations; Reliability of financial reporting; and Compliance with applicable laws and regulations.
  • Objectives are goals of the audit intended to mitigate the Control Risks. A single Objective could mitigate one or more Control Risks.
  • Test Procedures or Tests of Controls refers to those activities performed by the auditor during the control testing stage that gather evidence as to the operational effectiveness of internal control procedures upon which the auditor has planned reliance.
  • a transaction class represents a class of transaction within a Financial Reporting Cycle.
  • a system 100 for implementing an internal control assessment and testing program and providing a tool that creates and generates procedures based on risk assessments and assertions identified during an audit.
  • the system 100 comprises a central side 102, a remote audit work station 104 and a local client-side facility 106.
  • a user 108, such as a professional conducting an audit, may use a mobile or local device, such as a wireless-enabled notebook computer 110, to connect to the central side 102 and/or the client side 106 via communication links.
  • This configuration is one of many and is not limiting as to the invention.
  • user 108 may use the application fully self-contained within a desktop environment, e.g., as shown within 104, and may utilize a local database 119, such as SQL 2005 or above or SQL Express or other suitable database.
  • the communication links may be a combination of wireless, LAN, WLAN, ISDN, X.25, DSL, and ATM type networks, for example.
  • the user notebook 110 may comprise a typical combination of hardware and software including system memory 112, operating system 114, application programs 116, graphical user interface (GUI) 118, processor 120, and storage 122 which may contain electronic information 124 such as forms, practice aids, titles, data, procedures and the like.
  • GUI graphical user interface
  • the operating system 114 shall be suitable for use with the internal control assessment functionality described herein, for example, Microsoft Windows Vista (business, enterprise and ultimate editions), Windows 2000 with SP4 or Windows XP Professional with SP2.
  • the risk assessment invention may be browser-based and/or may include custom integration with Microsoft Office applications, e.g., Outlook, Word and Excel.
  • Application programs 116 may include, for example, Microsoft Office 2007, Office XP with SP2, or Office 2003 with SP1 applications.
  • the software and related tools, procedures, forms and data used to implement the internal control assessment and testing processes may be accessed by the machine 110 via the Internet or it may be loaded onto the machine via CD-ROM or other media or a combination of such means.
  • an exemplary central side 102 may comprise a central server and database 126, user interface peripherals such as drives (not shown) monitor 128, keyboard 130, and printer 132.
  • the central server and database 126 may be used to communicate remotely, or locally for that matter, with the user's machine 110 and may load, pass, receive information and instructions, such as software executable on the machine 110 and data, forms, titles, guides, procedures and the like for storing and using locally by the user on machine 110.
  • a communication link 103 may be established between central side 102 and user workstation 104 for updating data and software used by the user during auditing processes.
  • the central side 102 may also include one or more application servers 134 and other devices to help facilitate the exchange of software and data between the user 108 and the central side 102.
  • the central side 102 may be associated with a professional services company, such as an accounting firm, in the business of conducting audits.
  • the local client-side facility 106 is illustrated for exemplary purposes only as including a server 136 or the like to provide a communication link 105 between the user machine 110 and the client-side system as required, if at all, in the auditing process.
  • the client-side facility 106 may include a network 142 of computers 140, such as over a LAN, WLAN, Ethernet, token ring, FDDI ring or other communications network infrastructure.
  • the client-side facility may also include a database 138 or other data storage component.
  • In conducting an audit of a company associated with facility 106, the user 108, in one optional manner, may access data and/or the network 142 as necessary to review documents and processes of the company to prepare assessments and identify control risks associated with company operations.
  • the user 108 inputs data, calls upon audit tools, such as titles and procedures stored locally or remotely at the central side 102.
  • the system 100 may be Internet or (World Wide) WEB-based, desktop-based, or application WEB-enabled.
  • the present invention supports a "disconnected use" of the software in that the software may be designed so that a user 108 does not write back to the central server database 126 and/or the local database 119 until the user chooses to "save" or store the changes. Prior to saving changes, the user 108 may work in short-term memory. This feature has the benefit of allowing the user 108 to perform "what if" scenarios and examine results of these scenarios.
  • the internal control assessment invention may be invoked as part, e.g., software module, of an overall audit suite of audit practice software tools, e.g., Thomson's SMART e-Practice Aids.
  • the internal control module may be integrated within the suite of tools and call on data or assessments, such as risk assessment, contained in a collective database or associated with the other modules.
  • the internal control assessment module obtains and documents a user's understanding of internal control through narratives and selection of controls from a database of controls. The user may select controls to test and generate test procedures or programs. Another aspect of the invention allows a user to evaluate design and operating deficiencies in the internal controls implemented by the entity being audited.
  • an audit engagement, new or existing, is selected as an initial part of an audit process.
  • the "planning" tab of an exemplary "SMART e-Practice Aids” solution is selected to gain access to multiple functions, including the "Internal Control" function.
  • Audit areas and transaction classes are terms and items of the audit that are common across the suite and information collected and assessments made in conducting other functions of the suite may be used by the internal controls function as well.
  • Figure 3A also represents an assessment of risks associated with the accounts receivable and sales audit area and identifies assertions related thereto.
  • Figure 3B depicts a significant transaction classes screen under the internal control module's understanding controls and evaluate design feature.
  • Fig. 4 depicts a screen shot illustrating exemplary control environment functionality for use in conjunction with the present invention.
  • the following internal control components are derived from COSO: control environment; risk assessment; information and communication; monitoring; and control activities, as represented on the left side of the screen. From this screen, a user may click on "view control activities" button to view the list of internal control items grouped by objective, in this case objective "a" as shown on Figure 4.
  • Fig. 5 depicts a screen shot illustrating exemplary control environment functionality for presenting internal control items grouped by control component and objective. From this screen, a user may be presented, as will be seen hereinafter, with an exclamation point to indicate the existence of a risk associated with one or more of internal control component, objective, audit area, transaction class, internal control item, for example. As shown in Figure 5, a user may make an assessment of design effectiveness and log or enter the assessment using the box provided. The user may also indicate one or more control items for testing using the appropriate boxes provided next to each presented internal control item, e.g., CLC100-CLC112.
  • Fig. 6 depicts a screen shot illustrating the rest of the exemplary control environment screen.
  • Figure 6 presents to a user a button for invoking the control deficiency evaluation and aggregation worksheet function for use in conducting the audit, testing and evaluation of internal controls.
  • a box is provided for receiving user inputs related to the various items as indicated, for example logging assessed and identified design or control implementation deficiencies. Logged deficiencies are then aggregated and presented to the user using the control deficiency evaluation and aggregation worksheet depicted at Figure 7.
  • Fig. 8 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention.
  • a user is presented with transaction classes, e.g., process orders, shipping and invoicing, sales returns and adjustments, etc., as grouped by audit area, e.g., cash, accounts receivable, inventory, property, etc.
  • Audit areas include line items that appear on financial statements and are also associated with a risk assessment operation of the audit.
  • exclamation marks represent and indicate previously identified risks, such as in performing the risk assessment operation of an audit, and are helpful in driving a risk-based approach to control risk assessment.
  • the system of the present invention drives a risk-based approach to the assessment and testing and evaluation processes.
  • Fig. 10 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention.
  • a user may add a transaction class by clicking on the add button.
  • a window presents to the user for receiving user input and selection to define/select an additional transaction class.
  • Figure 11 shows the results of the "add” process of Figure 9, in which "process online orders" was added as a transaction class and associated with the accounts receivable audit area. This process is under, as shown in the navigation bar, the COSO derived control component - Control activities.
  • Figure 12 depicts a screen and functionality associated with the system documentation and evaluation function and as shown related to accounts receivable audit area. This is also under the Control activities internal control component. From this screen, and as shown in Figure 13, a user may reveal internal control items associated with and grouped by assertion and objective. This is also under the processing orders transaction class so the internal control items are also associated and grouped by transaction class. Further, this is under the accounts receivable audit area so the internal control items are also associated and grouped by audit area. As shown, the user is presented with boxes for logging deficiencies during the assessment process. The user inputs are aggregated in the summary of design deficiencies and design effectiveness summary as well as the previously discussed worksheet of Figure 7.
  • an exclamation mark indicates the existence of a known risk associated with the audit area and transaction class shown.
  • a user may indicate an assessment of design effectiveness, may indicate a desire to test certain of the listed control items and input other information, including selection of the control item as a "key control."
  • the system may optionally define certain of the control items as "key control" items and this pre-selection may be overridden by the user or the system may not permit such an override.
  • the system drives a risk-based approach to the internal control assessment process.
  • Figure 14 provides a screen shot illustrating exemplary system documentation and evaluation related to general computer controls category under the control activities internal control component. This permits the user to input how information technology is implemented in the internal controls of the entity being audited and works largely as described hereinabove.
  • Figure 15 depicts an exemplary summary of design effectiveness evaluation screen and associated functionality. As shown, there are five control components with one, control activities, highlighted. As shown, audit areas and transaction classes are associated with the control component and indications of risk are presented to the user. Thus, the system drives a risk-based approach to the assessment of the internal controls. As shown, there are six assertions related to the accounts receivable audit area. The user's previous inputs related to design effectiveness are displayed on the summary, as are indications of the controls previously selected for testing. Figure 16 illustrates additional functionality associated with this screen, as previously discussed, that is available to the user.
  • Figure 17 illustrates an exemplary screen for presenting test procedures associated with certain control items, RE172 and RE157, to the user. Assertions are also displayed.
  • Figure 18 is a screen shot illustrating an exemplary exception summary.
  • the user may use the system to note exceptions to implementation of certain internal control items and may use the summary to present the exceptions previously input for further consideration in the assessment process. As shown, a user may add additional exceptions into the system using the "add exception" button and window.
  • Figure 19 is a screen shot illustrating an exemplary control risk assessment page and functionality. As shown, under the control component "control activities" and audit area "accounts receivable", the user is presented with a list of assertions associated therewith. As shown, a user may click on one of the noted exceptions to retrieve further explanation to aid in the assessment process. Control risk assessment pull downs are provided to collect the user's assessment of control risk associated with these areas.
  • Fig. 20 is a screen shot illustrating exemplary diagnostics functionality and screen to present errors, inconsistencies and other issues relevant to the assessment process.
  • FIG. 2 is a flowchart illustrating an embodiment of a risk assessment and audit process related to and that may be used in conjunction with the internal control system of the invention.
  • a computer-implemented process 200 for assessing risks associated with an audit is shown.
  • the process 200 includes the step 202 of presenting to a user a plurality of audit items and a set of risk levels associated with the plurality of audit items.
  • Presenting step 202 may further comprise presenting a plurality of prompts designed to elicit a set of responses from a user/auditor wherein the set of user responses are associated with a set of risks associated with the audit.
  • the set of risk levels may be associated with a set of assertions associated with the plurality of audit items.
  • Step 204 is processing a set of responses received from the user in response to the items presented in step 202.
  • in step 206, the process automatically generates a suggested audit approach that is based at least in part on the processing step 204.
  • the process 200 may optionally include one or more of the following steps.
  • the process includes determining a set of procedures that are based at least in part on the responses from step 204.
  • the set of procedures are presented to the user based at least in part on the suggested audit approach of step 206.
  • the process may also include step 212 whereby a user is presented a set of at least two audit approaches comprising the suggested audit approach and an alternative audit approach from which the user may select.
  • the suggested audit approach may be one of basic, limited or extended.
  • each response in the set of responses may be a selected risk level from the set of risk levels representing different levels of risk.
  • the presenting step 206 may include presenting an electronic audit form associated with the audit being performed by a user.
  • the electronic form may comprise the plurality of audit items and the set of risk levels.
  • the automatically generating step 206 may further include determining a set of procedures based at least in part on the set of user responses and the suggested audit approach may include presenting the set of procedures.
  • the process 200 may also include step 214 of editing the determined set of procedures from the generating step 206 to result in a customized set of procedures.
  • the process 200 may also include step 216 of presenting a set of electronic documents associated with the suggested audit approach.
  • the process 200 may be performed in a variety and combination of environments and architectures, including Internet/WWW-based applications, desktop applications, and WWW-enabled applications.
  • a user 108 at a remote workstation 110 may have executing thereon software so that the user is not writing back to the central server database 126 until the user 108 chooses to save changes made. Until the changes are saved, the user is working in short-term memory and the user has the ability to perform "what if" scenarios.
  • assertion means representations that are embodied in components being audited. For example, Statement on Auditing Standard No. 106, Audit Evidence (SAS No. 106), issued by the American Institute of Certified Public Accountants (AICPA), provides that assertions used by the auditor fall into the following categories: a. Assertions about classes of transactions and events for the period under audit:
  • SAS No. 106 provides that the auditor may use these relevant assertions as described above or may express them differently provided aspects described above have been covered.
  • Standard setting bodies other than the AICPA also refer to other assertions in grouping that are similar to but that may differ from the grouping in SAS No. 106. Assertions may be in the following six groupings: existence or occurrence, completeness, rights and obligations, valuation and allocation, accuracy and classification, and cutoff.
  • the invention provides a system for using a risk-based approach to assess control risks associated with internal financial controls.
  • the system, in one embodiment, includes a computer, such as shown in Figure 1, having an associated memory, display, and input device.
  • a graphical user interface is used to present a user with various groupings of internal financial control items.
  • the graphical user interface receives inputs from the user that are related to the internal financial control items, audit areas, transaction classes, design deficiencies, assessments, exception and testing.
  • the system may be set up to automatically and respectively group and present to a user subsets of internal financial control items with internal control components, such as control environment, risk assessment, information and communication, monitoring, and control activities.
  • the system can associate previously identified risks with an internal financial control item and/or an internal control component and may present an indication of the existence of an associated risk and a risk description associated with the indicated risk as described above.
  • the system may also group subsets of internal financial control items with transaction classes and audit areas and present the groupings to the user.
  • the system may group transaction classes with audit areas and group subsets of internal financial control items with audit areas and/or transaction classes and present the groupings to the user.
  • the present invention may receive user test inputs designating an internal financial control item for testing and present a set of test procedures associated with the designated internal financial control item for use by the user.
  • the system may document assessments with the set of test procedures and process inputs representing user assessment of the effectiveness of internal financial control items.
  • the present invention may include code to filter internal financial control items based on a key control status and present a grouping of internal control items based on the key control status designation.
  • the internal control items may relate to one or more of compliance, operational, financial, and regulatory controls.

Abstract

The present invention provides a computer-implemented method and system for assessing internal controls. The method includes: (a) presenting internal control items; (b) processing an input set associated with at least some of the internal control items; and (c) generating a set of assessment information based on the processed input set. The method may further include one or more of: (d) prior to presenting, automatically grouping and presenting a subset of the plurality of internal financial control items based on a user input related to an assessment of risk; (e) prior to presenting, automatically presenting a previously identified risk associated with one or both of an audit area and a transaction class associated with a subset of the plurality of internal financial control items; (g) receiving a user test input designating an internal financial control item for testing and presenting a set of test procedures associated with the designated internal financial control item; (h) documenting assessments with the set of test procedures; and (i) receiving from a user a plurality of inputs representing user assessment of the effectiveness of internal financial control items and presenting a summary of the effectiveness assessments.

Description

METHOD AND SYSTEM FOR AUDITING INTERNAL CONTROLS
FIELD OF THE INVENTION
[0001] The present invention relates to the provision of and tools to assist in the provision of professional services, specifically including auditing services, preparing financial statements, conducting internal and external audits of internal controls and practices. More particularly, the present invention relates to computer-implemented tools, resources, and processes for assisting in these efforts.
BACKGROUND OF THE INVENTION
[0002] As companies continue to strive for efficiency, consistency and flexibility, computers and software executed on computers are increasingly relied upon to automate, semi-automate, enhance, quicken and make reliable and uniform business processes. This is true even in fields of professional service providers, such as financial auditors, and fields in which standardized procedures and documents govern acceptable and "best" practices. For instance, organizations, such as FASAB (Federal Accounting Standards Advisory Board), FASB (Financial Accounting Standards Board), AICPA (American Institute of Certified Public Accountants), IASB (International Accounting Standards Board), the SEC, and PCAOB (Public Company Accounting Oversight Board) promulgate rules and regulations, e.g., GAAS (generally accepted auditing standards), GAAP (generally accepted accounting principles), and IFRS (International Financial Reporting Standards), that govern the way companies are reviewed for integrity of financial accounting and operation. GAAS is principally comprised of ten auditing standards developed by AICPA that establish general standards (3) and standards related to field work (3) and reporting (4), including whether the report is in accordance with GAAP, and related interpretations. In addition, the SEC (Securities and Exchange Commission) provides guidance, and laws such as the Sarbanes-Oxley Act ("SOX") and other laws and regulations provide guidance and requirements for compliance in reporting and other aspects concerning integrity of business operation and management.
[0003] In addition, in light of Sarbanes-Oxley and other laws governing corporate governance and reporting, the Committee Of Sponsoring Organizations (COSO) has published, e.g., for use by audit professionals in auditing financial statements or corporate compliance officers, a framework for evaluating internal controls used by corporations that are required to report to the Securities and Exchange Commission or similar agency. The COSO framework provides a generally recognized appropriate industry/professional standard for performing evaluation of internal controls, including five elements or factors to be considered when evaluating internal controls: 1) control environment; 2) risk assessment; 3) information and communication; 4) monitoring; and 5) control activities.
[0004] In the field of auditing, although GAAP and GAAS provide guidelines by which auditors should conduct audits, there is a significant amount of leeway and many variables that leave to the professional and his or her assessments determining the set of procedures required under the particular set of circumstances. This may also depend on the purpose and the intended audience to receive and interpret/rely on the report, and whether the entity being audited is public or non-public or governmental. Whether public or non-public, investors, banks, and other persons of interest rely on financial accounting information when determining whether to invest in a company, grant a loan to a company, merge with a company, etc. Standards are intended to promote best practices and uniformity, and therefore reliability, in the auditing process so that the resulting report may be viewed as unbiased, accurate and trustworthy.
[0005] Companies, such as Thomson Corporation, provide tools, resources and services to assist accountants and auditors. For instance, Thomson PPC's e-Practice Aids is a series of titles or Guides that give guidance and provide materials and procedures consistent with standards, e.g., PPC's Guide To Audit Of Nonpublic Companies, 25th Edition, January 2007. Auditors may rely on the Guides or titles in conducting audits. Electronic tools, for instance Thomson's e-Tools, and electronic versions of guides, Thomson e-Practice Aids, help auditors take their tools and resources with them when conducting field work or may make them accessible from remote locations or at least electronically. Computers are also helpful in collecting client data and capturing assessment data. What is needed is an integrated system for conducting audits and for processing collected and risk related assessment data to determine and generate and present a suggested audit approach and set of procedures consistent with relevant standards and guides.
[0006] Associated with audits, as well as in-house efforts to establish and maintain internal control practices, SOX 404 requires public companies to (i) establish, maintain, and assess their internal control over financial reporting and (ii) obtain an opinion of their independent auditors as to the effectiveness of their internal control. One overriding goal of internal control over financial reporting is to promote the preparation of reliable financial statements. Assessing internal control practices is essential to identify material weaknesses and risks that may cause a material misstatement in the financial statements. The SEC, in its Statement on Management's Report on Internal Control Over Financial Reporting, provided guidance in the area of internal controls. This SEC Guidance stated that management and auditors must use reasoned judgment and a top-down, risk-based approach to compliance with SOX 404. In addition, the SEC provided that the internal control audit and the financial statement audit should be integrated and that internal controls over financial reporting should be tailored to reflect the nature and size of the company. Also, the SEC recommended frequent dialogue between a company and its auditors to promote improved internal controls and improved financial reports. The SEC Guidance also recommended customizing internal control testing programs and stated that a "risk-based" approach to internal control testing should be used.
[0007] Risk-based testing requires management to prioritize areas of the company's financial statements according to relative levels of risk of misstatement. The risk-based approach requires extensive testing of related controls. In taking a "top-down" approach, the SEC guided management to identify controls related to each relevant area of a company's financial statements and to design appropriate documentation and testing procedures relative to each such area's risk level. However, the SEC provided that testing programs should be designed to assess those internal controls that affect the reliability of financial reporting and lead to "reasonable assurance" of reliability and not absolute assurance. Accordingly, testing programs need not test every step but must be sufficient to support a conclusion that the process meets the control objective. SEC guides that testing programs should focus on the objective of controls in determining the overall effectiveness, rather than individual steps. Where a control deficiency is uncovered through testing and assessment, a quantitative analysis is performed to determine its level of significance.
[0008] While the SEC guidelines are directed primarily to management, the PCAOB directs its guidance to professionals involved in providing audits. PCAOB guidance provides that auditors should integrate the internal control audit with the financial statements audit; exercise judgment to tailor audits to specific risks; use a top-down approach that begins with company-level controls to identify for further testing only the accounts and processes that are relevant to internal control over financial reporting; use risk assessment to remove accounts and processes that represent a remote risk of material misstatement. The PCAOB guides auditors to review and assess whether client systems of internal financial controls provide reasonable assurance that financial statements do not contain material misstatements. PCAOB guides auditors to take a "top-down" approach in audits of internal controls, meaning that auditors should first concentrate on company-level controls and then on significant accounts, and should examine significant processes before individual controls. This steers the audit toward areas of higher risk and away from those not likely to have a material impact on financial statements. The PCAOB guides auditors to use a risk-based approach in auditing internal controls to reduce costs while increasing audit effectiveness by focusing efforts on areas of higher risk.
SUMMARY OF THE INVENTION
[0009] The present invention addresses the shortcomings of the prior art and provides, among other things, a powerful computer-implemented tool to assist in auditing internal controls and for generating procedures, conducting audits, preparing financial statements, and coordinating documents and other work product. More particularly, the present invention relates to a system of creating and generating auditing procedures, and assessing internal controls, in response to identified risks and risk assessments.
[0010] In one respect, the invention provides a professional services audit tool that includes an application that performs a variety of functions such as completing certain audit planning processes/forms (including assessing risks related to the financial statements being audited and assessing internal controls), offering a top-down and risk-based approach to assessing internal controls. The internal control assessment invention may be used in combination with other auditing tools and programs, e.g., Thomson Corporation's PPC SMART e-Practice suite of products. The present invention utilizes efforts and data collected in performing risk assessments to help assess design deficiencies and overall effectiveness of internal controls. The present invention provides test procedures to assist the auditor, internal or external, in assessing internal controls.
[0011] The present invention may be integrated with audit tools, such as Thomson's SMART e-Practice Aids-Risk Assessment software, and may be linked with audit sources such as Checkpoint. The tool allows auditors to apply a "how to, risk-based, top-down" process for efficiently evaluating internal control over financial reporting and, where desired, testing only the minimum number of controls necessary to support reduced control risk assessments and limit substantive testing. The tool may be an integrated component of audit solutions, such as the SMART e-Practice Aid suite, allowing the auditor to optimize the overall audit planning process.
[0012] Since the process delivered by this tool is based on the extensive experience of recognized experts in the internal control field, the tool provides auditors with increased confidence in evaluating internal control and identifying control risks.
[0013] The auditor as described in the present invention is intended to include every person who may use the program to assess risk facing an enterprise and internal controls implemented to alleviate such risks. The applications in the context of auditing cover, for example, the following categories: accounting, audit & attest; compilation and review; non-profit organizations; governments; specialized industries; and bookkeeping services.
[0014] In conjunction with the use of the present invention, audit procedures are created using a logic system based primarily on the input of assertions associated with Risk of Material Misstatement (RMM), but include such other facts as fraud risks. In one manner, when one or more or a particular combination of assertions are evaluated to be "high," the present invention associates such identified risks with internal control components, audit areas, transaction classes, and internal control items and presents the risks to the user involved in assessing and testing internal controls. The term "assertion" as used herein means representations that are embodied in components being audited.
[0015] The present invention is intended to be medium-neutral, being equally capable as a desktop program, a web-enabled program, a web-based program, and any variation thereof, being broad enough to include all future mediums.
[0016] In one embodiment, the present invention provides a computer-implemented method for assessing a plurality of internal financial control items. The method includes: (a) presenting the plurality of internal financial control items; (b) processing an input set associated with at least some of the plurality of internal financial control items; and (c) generating a set of assessment information based on the processed input set. The method may further include one or more of: (d) prior to presenting, automatically grouping and presenting a subset of the plurality of internal financial control items based on a user input related to an assessment of risk; (e) prior to presenting, automatically presenting a previously identified risk associated with one or both of an audit area and a transaction class associated with a subset of the plurality of internal financial control items; (g) receiving a user test input designating an internal financial control item for testing and presenting a set of test procedures associated with the designated internal financial control item; (h) documenting assessments with the set of test procedures; (i) receiving from a user a plurality of inputs representing user assessment of the effectiveness of internal financial control items and presenting a summary of the effectiveness assessments; (j) receiving a set of user inputs adapted to designate at least some of the plurality of internal financial control items as having a key control status; (k) assigning and presenting a set of defaults designating at least some of the plurality of internal financial control items as having a key control status and allowing a user to change key control status designation; and (l) filtering internal financial control items based on a key control status designation assigned to a subset of the plurality of internal financial control items and presenting the subset of the plurality of internal financial control items having the key control status designation.
[0017] In another embodiment, the present invention provides a system for assessing risks associated with internal financial controls. The system includes: a computer having an associated memory, display, and input device and adapted to execute code; a graphical user interface adapted to operate on the computer and adapted to present a plurality of internal financial control items, the graphical user interface further adapted to receive user inputs related to the set of internal financial control items via the input device; and a code set adapted to be executed on the computer and adapted to process the user inputs to generate a set of assessment information based on the received user inputs.
[0018] In another embodiment, the present invention provides a computer-implemented method for assessing a plurality of internal control items. The method includes: (a) automatically grouping and presenting a subset of internal control items based on an assessment of risk associated with one or more internal control items included in the subset of internal control items; (b) processing a set of inputs associated with at least some of the subset of internal control items; and (c) generating a set of assessment information based on the processed set of inputs. The internal control items may relate to one or more of compliance, operational, financial, and regulatory controls.
[0019] The present invention builds on existing practice aids to provide an integrated audit planning and risk assessment approach to engagements. The invention provides an audit tool that allows auditors to complete audit planning documentation, identify and capture audit risks affecting the engagement, provide a risk-based approach to presenting internal controls information to users integrated with and responsive to auditor risk assessments, customize aspects with user-friendly GUI and drag and drop functionality, and produce tailored practice aids for the engagement. To a large extent the present invention may be used to automate the audit planning and internal control assessment process, optimize judgments, improve linkage between audit risk and internal controls, increase audit effectiveness and reduce risk, and increase consistency across audit engagements. These and other objects and benefits of the present invention are made more apparent with the aid of the following description and figures.
BRIEF DESCRIPTION OF THE DRAWINGS
[0020]
[0021] In order to facilitate a full understanding of the present invention, reference is now made to the accompanying drawings, in which like elements are referenced with like numerals. These drawings should not be construed as limiting the present invention, but are intended to be exemplary and for reference, and are as follows:
[0022] Fig. 1 depicts an exemplary system embodiment of the present invention;
[0023] Fig. 2 depicts a flowchart illustrating one embodiment of the present invention;
[0024] Fig. 3A depicts a screen shot illustrating exemplary functionality for use in conjunction with the present invention;
[0025] Fig. 3B depicts a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention;
[0026] Fig. 4 depicts a screen shot illustrating exemplary control environment functionality for use in conjunction with the present invention;
[0027] Fig. 5 depicts a screen shot illustrating exemplary control environment functionality for presenting internal control items grouped by control component in conjunction with the present invention;
[0028] Fig. 6 depicts a screen shot illustrating exemplary control environment functionality for presenting control deficiency functionality in conjunction with the present invention;
[0029] Fig. 7 depicts a screen shot illustrating exemplary control environment functionality for presenting control deficiency functionality in conjunction with the present invention;
[0030] Fig. 8 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention;
[0031] Fig. 9 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention;
[0032] Fig. 10 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention;
[0033] Fig. 11 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention;
[0034] Fig. 12 is a screen shot illustrating exemplary system documentation and evaluation related to accounts receivable audit area for use in conjunction with the present invention;
[0035] Fig. 13 is a screen shot illustrating exemplary system documentation and evaluation related to accounts receivable audit area for use in conjunction with the present invention;
[0036] Fig. 14 is a screen shot illustrating exemplary system documentation and evaluation related to general computer controls activities for use in conjunction with the present invention;
[0037] Fig. 15 is a screen shot illustrating exemplary summary of design effectiveness functionality for use in conjunction with the present invention;
[0038] Fig. 16 is a screen shot illustrating exemplary summary of design effectiveness functionality for use in conjunction with the present invention;
[0039] Fig. 17 is a screen shot illustrating exemplary test procedures functionality for use in conjunction with the present invention;
[0040] Fig. 18 is a screen shot illustrating exemplary exception summary functionality for use in conjunction with the present invention;
[0041] Fig. 19 is a screen shot illustrating exemplary control risk assessment functionality for use in conjunction with the present invention; and
[0042] Fig. 20 is a screen shot illustrating exemplary diagnostics functionality for use in conjunction with the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT [0043] The present invention will now be described in more detail with reference to exemplary embodiments as shown in the accompanying drawings. While the present invention is described herein with reference to the exemplary embodiments, it should be understood that the present invention is not limited to such exemplary embodiments. Those possessing ordinary skill in the art and having access to the teachings herein will recognize additional implementations, modifications, and embodiments, as well as other applications for use of the invention, which are fully contemplated herein as within the scope of the present invention as disclosed and claimed herein, and with respect to which the present invention could be of significant utility. [0044] In one respect, the invention provides a professional services audit tool that includes an application that performs a variety of functions such as completing certain audit planning processes/forms (including assessing risks related to the financial statements being audited), offering a tailored set of audit programs based on the assessed risks, allowing users to further tailor the suggested audit programs, and rendering these audit programs in a helpful format, e.g., Thomson Corporation's PPC SMART e-Practice Aids format. In one manner, to use the application, each user also must own and have a valid license installed of an associated "practice aid," e.g., Thomson's e-Practice Aid product. In this example, the practice aid corresponds to one of eleven audit types, also referred to herein as "titles." 
An exemplary list of audit types or titles that are supported by the Risk Assessment system of the present invention includes: Guide to Audits of Nonpublic Companies; Guide to PCAOB Audits (i.e., audits of publicly-traded companies); Guide to Audits of Nonprofit Organizations; Guide to Audits of Local Governments; Guide to Audits of Employee Benefit Plans; Guide to Construction Contractors; Guide to Dealerships; Guide to Audits of Financial Institutions; Guide to Homeowners' Associations and Other Common Interest Realty Associations; Guide to HUD Audits; and Guide to Single Audits (audits that comply with government and non-profit "single audit" rules, regulations and guidelines). One advantage of this embodiment of the invention is that it enables a user to obtain a greater understanding of the entity under audit or review and its environment, review internal control, perform a more rigorous risk assessment, provide linkage of assessed risks of material misstatement (RIMM) to the user's audit procedures at the assertion level, and meet new and expanded documentation requirements.
[0045] As used herein, controls or control procedures shall refer to internal control procedures, including internal accounting control procedures, including the procedures that management has adopted or devised to provide management with some degree of assurance that the objectives of the accounting information system will be achieved. A control risk is the risk that a material misstatement will not be detected or prevented by the entity's internal control on a timely basis. COSO refers to Committee of Sponsoring Organizations of the Treadway Commission, which issued a report titled Internal Control — Integrated Framework (the COSO Report). The COSO Report has increasingly become a widely accepted framework for sound internal control among U.S. entities. Identified risk refers to a risk discovered in an engagement that could result in material misstatement of the financial statements.
Internal Control refers to a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, specifically in the following categories: Efficiency and effectiveness of operations; Reliability of financial reporting; and Compliance with applicable laws and regulations. Objectives are goals of the audit intended to mitigate the Control Risks. A single Objective could mitigate one or more Control Risks. Test Procedures or Tests of Controls refers to those activities performed by the auditor during the control testing stage that gather evidence as to the operational effectiveness of internal control procedures upon which the auditor has planned reliance. A transaction class represents a class of transaction within a Financial Reporting Cycle.
[0046] Referring now to Fig. 1, a system 100 is shown for implementing an internal control assessment and testing program and providing a tool that creates and generates procedures based on risk assessments and assertions identified during an audit. The system 100 comprises a central side 102, a remote audit work station 104 and a local client-side facility 106. In this example, a user 108, such as a professional conducting an audit, may use a mobile or local device, such as a wireless-enabled notebook computer 110 to connect to the central side 102 and/or the client side 106 via communication links. This configuration is one of many and is not limiting as to the invention. For example, in one alternative configuration user 108 may use the application fully self-contained within a desktop environment, e.g., as shown within 104, and may utilize a local database 119, such as SQL 2005 or above or SQL Express or other suitable database. The communication links may be a combination of wireless, LAN, WLAN, ISDN, X.25, DSL, and ATM type networks, for example. The user notebook 110 may comprise a typical combination of hardware and software including system memory 112, operating system 114, application programs 116, graphical user interface (GUI) 118, processor 120, and storage 122 which may contain electronic information 124 such as forms, practice aids, titles, data, procedures and the like. The operating system 114 shall be suitable for use with the internal control assessment functionality described herein, for example, Microsoft Windows Vista (business, enterprise and ultimate editions), Windows 2000 with SP4 or Windows XP Professional with SP2. Also, the risk assessment invention may be browser-based and/or may include custom integration with Microsoft Office applications, e.g., Outlook, Word and Excel. Application programs 116 may include, for example, Microsoft Office 2007, Office XP with SP2, or Office 2003 with SP1 applications.
The software and related tools, procedures, forms and data used to implement the internal control assessment and testing processes may be accessed by the machine 110 via the Internet or it may be loaded onto the machine via CD-ROM or other media or a combination of such means. The system requirements in one embodiment may require the machine 110 to be compatible with minimum threshold levels of processing capabilities, e.g., Intel Pentium III, speed, e.g., 500 MHz, and other parameters. [0047] For purposes of discussion, an exemplary central side 102 may comprise a central server and database 126, user interface peripherals such as drives (not shown) monitor 128, keyboard 130, and printer 132. The central server and database 126 may be used to communicate remotely, or locally for that matter, with the user's machine 110 and may load, pass, receive information and instructions, such as software executable on the machine 110 and data, forms, titles, guides, procedures and the like for storing and using locally by the user on machine 110. A communication link 103 may be established between central side 102 and user workstation 104 for updating data and software used by the user during auditing processes. The central side 102 may also include one or more application servers 134 and other devices to help facilitate the exchange of software and data between the user 108 and the central side 102. The central side 102 may be associated with a professional services company, such as an accounting firm, in the business of conducting audits. [0048] The local client-side facility 106 is illustrated for exemplary purposes only as including a server 136 or the like to provide a communication link 105 between the user machine 110 and the client-side system as required, if at all, in the auditing process. The client-side facility 106 may include a network 142 of computers 140, such as over a LAN, WLAN, Ethernet, token ring, FDDI ring or other communications network infrastructure. 
The client-side facility may also include a database 138 or other data storage component. In conducting an audit of a company associated with facility 106, the user 108, in one optional manner, may access data and/or the network 142 as necessary to review documents and processes of the company to prepare assessments and identify control risks associated with company operations. In conducting and completing the audit engagement, the user 108 inputs data, calls upon audit tools, such as titles and procedures stored locally or remotely at the central side 102.
[0049] The system 100 may be Internet or (World Wide) WEB-based, desktop-based, or application WEB-enabled. Also, the present invention supports a "disconnected use" of the software in that the software may be designed so that a user 108 does not write back to the central server database 126 and/or the local database 119 until the user chooses to "save" or store the changes. Prior to saving changes, the user 108 may work in short-term memory. This feature has the benefit of allowing the user 108 to perform "what if" scenarios and examine results of these scenarios.
[0050] With reference to Figures 3A and 3B, the internal control assessment invention may be invoked as part, e.g., software module, of an overall audit suite of audit practice software tools, e.g., Thomson's SMART e-Practice Aids. The internal control module may be integrated within the suite of tools and call on data or assessments, such as risk assessment, contained in a collective database or associated with the other modules. The internal control assessment module obtains and documents a user's understanding of internal control through narratives and selection of controls from a database of controls. The user may select controls to test and generate test procedures or programs. Another aspect of the invention allows a user to evaluate design and operating deficiencies in the internal controls implemented by the entity being audited. In this manner, the user may assess control risks within the entity's internal control practices.
[0051] As a prelude, an audit engagement, new or existing, is selected as an initial part of an audit process. At Figure 3A, the "planning" tab of an exemplary "SMART e-Practice Aids" solution is selected to gain access to multiple functions, including the "Internal Control" function. Audit areas and transaction classes are terms and items of the audit that are common across the suite and information collected and assessments made in conducting other functions of the suite may be used by the internal controls function as well. Figure 3A also represents an assessment of risks associated with the accounts receivable and sales audit area and identifies assertions related thereto. Figure 3B depicts a significant transaction classes screen under the internal control module's understanding controls and evaluate design feature.
[0052] Fig. 4 depicts a screen shot illustrating exemplary control environment functionality for use in conjunction with the present invention.
The following internal control components are derived from COSO: control environment; risk assessment; information and communication; monitoring; and control activities, as represented on the left side of the screen. From this screen, a user may click on the "view control activities" button to view the list of internal control items grouped by objective, in this case objective "a" as shown on Figure 4.
[0053] Fig. 5 depicts a screen shot illustrating exemplary control environment functionality for presenting internal control items grouped by control component and objective. From this screen, a user may be presented, as will be seen hereinafter, with an exclamation point to indicate the existence of a risk associated with one or more of internal control component, objective, audit area, transaction class, internal control item, for example. As shown in Figure 5, a user may make an assessment of design effectiveness and log or enter the assessment using the box provided. The user may also indicate one or more control items for testing using the appropriate boxes provided next to each presented internal control item, e.g., CLC100-CLC112. [0054] Fig. 6 depicts a screen shot illustrating the rest of the exemplary control environment screen. In particular, Figure 6 presents to a user a button for invoking the control deficiency evaluation and aggregation worksheet function for use in conducting the audit, testing and evaluation of internal controls. A box is provided for receiving user inputs related to the various items as indicated, for example logging assessed and identified design or control implementation deficiencies. Logged deficiencies are then aggregated and presented to the user using the control deficiency evaluation and aggregation worksheet depicted at Figure 7. [0055] Fig. 8 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention. At this screen, as invoked by clicking on the button on the left hand side of the navigation bar, a user is presented with transaction classes, e.g., process orders, shipping and invoicing, sales returns and adjustments, etc., as grouped by audit area, e.g., cash, accounts receivable, inventory, property, etc. Audit areas include line items that appear on financial statements and are also associated with a risk assessment operation of the audit. 
As shown, exclamation marks represent and indicate previously identified risks, such as in performing the risk assessment operation of an audit, and are helpful in driving a risk-based approach to control risk assessment. For instance, and as shown in Figure 9, by hovering a cursor over the exclamation mark or associated audit area or transaction class, a user is presented with the yellow box indicating the existence of a risk or by clicking a user is presented with, in this case, a pop-up window providing a description of the risk identified. By presenting the user with the information during the internal control assessment process, the system of the present invention drives a risk-based approach to the assessment and testing and evaluation processes.
[0056] Fig. 10 is a screen shot illustrating exemplary significant transaction classes functionality for use in conjunction with the present invention. As shown, a user may add a transaction class by clicking on the add button. A window is presented to the user for receiving user input and selection to define/select an additional transaction class. Figure 11 shows the results of the "add" process of Figure 9, in which "process online orders" was added as a transaction class and associated with the accounts receivable audit area. This process is under, as shown in the navigation bar, the COSO-derived control component - Control activities.
[0057] Figure 12 depicts a screen and functionality associated with the system documentation and evaluation function and as shown related to accounts receivable audit area. This is also under the Control activities internal control component. From this screen, and as shown in Figure 13, a user may reveal internal control items associated with and grouped by assertion and objective. This is also under the processing orders transaction class so the internal control items are also associated and grouped by transaction class. Further, this is under the accounts receivable audit area so the internal control items are also associated and grouped by audit area. As shown, the user is presented with boxes for logging deficiencies during the assessment process. The user inputs are aggregated in the summary of design deficiencies and design effectiveness summary as well as the previously discussed worksheet of Figure 7. Also as shown, an exclamation mark indicates the existence of a known risk associated with the audit area and transaction class shown. [0058] From the screen of Figure 13, a user may indicate an assessment of design effectiveness, may indicate a desire to test certain of the listed control items and input other information, including selection of the control item as a "key control." The system may optionally define certain of the control items as "key control" items and this pre-selection may be overridden by the user or the system may not permit such an override. Again, by using a key control status associated with certain of the more critical control items, the system drives a risk-based approach to the internal control assessment process.
[0059] Figure 14 provides a screen shot illustrating exemplary system documentation and evaluation related to general computer controls category under the control activities internal control component. This permits the user to input how information technology is implemented in the internal controls of the entity being audited and works largely as described hereinabove.
[0060] Figure 15 depicts an exemplary summary of design effectiveness evaluation screen and associated functionality. As shown, there are five control components with one, control activities, highlighted. As shown, audit areas and transaction classes are associated with the control component and indications of risk are presented to the user. Thus, the system drives a risk-based approach to the assessment of the internal controls. As shown, there are six assertions related to the accounts receivable audit area. The user's previous inputs related to design effectiveness are displayed on the summary as are indications of the controls previously selected for testing. Figure 16 illustrates additional functionality associated with this screen and as previously discussed that is available to the user.
[0061] Figure 17 illustrates an exemplary screen for presenting test procedures associated with certain control items, RE172 and RE157, to the user. Assertions are also displayed. The system may also provide the user with the ability to document results of test procedures and log the results into the system and generate associated work product and reports. Figure 18 is a screen shot illustrating an exemplary exception summary. The user may use the system to note exceptions to implementation of certain internal control items and may use the summary to present the exceptions previously input for further consideration in the assessment process. As shown, a user may add additional exceptions into the system using the "add exception" button and window.
[0062] Figure 19 is a screen shot illustrating exemplary control risk assessment page and functionality. As shown, under the control component "control activities" and audit area "accounts receivable", the user is presented with a list of assertions associated therewith. As shown, a user may click on one of the noted exceptions to retrieve further explanation to aid in the assessment process. Control risk assessment pull downs are provided to collect the user's assessment of control risk associated with these areas. Fig. 20 is a screen shot illustrating exemplary diagnostics functionality and screen to present errors, inconsistencies and other issues relevant to the assessment process.
[0063] Figure 2 is a flowchart illustrating an embodiment of a risk assessment and audit process related to and that may be used in conjunction with the internal control system of the invention. A computer-implemented process 200 for assessing risks associated with an audit is shown. The process 200 includes the step 202 of presenting to a user a plurality of audit items and a set of risk levels associated with the plurality of audit items. Presenting step 202 may further comprise presenting a plurality of prompts designed to elicit a set of responses from a user/auditor wherein the set of user responses are associated with a set of risks associated with the audit. Further, the set of risk levels may be associated with a set of assertions associated with the plurality of audit items. Also, the set of risk levels may include at least a first risk level and a second risk level of different degrees of risk. Step 204 is processing a set of responses received from the user in response to the items presented in step 202. In step 206 the process automatically generates a suggested audit approach that is based at least in part on the processing step 204.
[0064] Still with reference to Figure 2, the process 200 may optionally include one or more of the following steps. In step 208, the process includes determining a set of procedures that are based at least in part on the responses from step 204. At step 210, the set of procedures are presented to the user based at least in part on the suggested audit approach of step 206. The process may also include step 212 whereby a user is presented a set of at least two audit approaches comprising the suggested audit approach and an alternative audit approach from which the user may select. In addition, the suggested audit approach may be one of basic, limited or extended. In the process 200, each response in the set of responses may be a selected risk level from the set of risk levels representing different levels of risk. The presenting step 206 may include presenting an electronic audit form associated with the audit being performed by a user. The electronic form may comprise the plurality of audit items and the set of risk levels. The automatically generating step 206 may further include determining a set of procedures based at least in part on the set of user responses and the suggested audit approach may include presenting the set of procedures. The process 200 may also include step 214 of editing the determined set of procedures from the generating step 206 to result in a customized set of procedures. The process 200 may also include step 216 of presenting a set of electronic documents associated with the suggested audit approach.
[0065] The process 200 may be performed in a variety and combination of environments and architectures, including Internet/WWW-based applications, desktop applications, and WWW-enabled applications. In one exemplary architecture, a user 108 at a remote workstation 110 may have executing thereon software so that the user is not writing back to the central server database 126 until the user 108 chooses to save changes made. Until the changes are saved, the user is working in short-term memory and the user has the ability to perform "what if" scenarios.
[0066] As used herein, the term assertion means representations that are embodied in components being audited. For example, Statement on Auditing Standard No. 106, Audit Evidence (SAS No. 106), issued by the American Institute of Certified Public Accountants (AICPA), provides that assertions used by the auditor fall into the following categories:
a. Assertions about classes of transactions and events for the period under audit:
i. Occurrence. Transactions and events that have been recorded have occurred and pertain to the entity.
ii. Completeness. All transactions and events that should have been recorded have been recorded.
iii. Accuracy. Amounts and other data relating to recorded transactions and events have been recorded appropriately.
iv. Cutoff. Transactions and events have been recorded in the correct accounting period.
v. Classification. Transactions and events have been recorded in the proper accounts.
b. Assertions about account balances at the period end:
i. Existence. Assets, liabilities, and equity interests exist.
ii. Rights and obligations. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
iii. Completeness. All assets, liabilities, and equity interests that should have been recorded have been recorded.
iv. Valuation and allocation. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
c. Assertions about presentation and disclosure:
i. Occurrence and rights and obligations. Disclosed events and transactions have occurred and pertain to the entity.
ii. Completeness. All disclosures that should have been included in the financial statements have been included.
iii. Classification and understandability. Financial information is appropriately presented and described and disclosures are clearly expressed.
iv. Accuracy and valuation. Financial and other information are disclosed fairly and at appropriate amounts.
[0067] SAS No. 106 provides that the auditor may use these relevant assertions as described above or may express them differently provided aspects described above have been covered. Standard setting bodies other than the AICPA also refer to other assertions in grouping that are similar to but that may differ from the grouping in SAS No. 106. Assertions may be in the following six groupings: existence or occurrence, completeness, rights and obligations, valuation and allocation, accuracy and classification, and cutoff.
[0068] As shown in the various figures, the invention provides a system for using a risk-based approach to assess control risks associated with internal financial controls. The system, in one embodiment, includes a computer, such as shown in Figure 1, having an associated memory, display, and input device. Many aspects of the invention are best implemented in software code and executed by the computer. A graphical user interface is used to present a user with various groupings of internal financial control items. The graphical user interface receives inputs from the user that are related to the internal financial control items, audit areas, transaction classes, design deficiencies, assessments, exception and testing.
[0069] The system may be set up to automatically and respectively group and present to a user subsets of internal financial control items with internal control components, such as control environment, risk assessment, information and communication, monitoring, and control activities. The system can associate previously identified risks with an internal financial control item and/or an internal control component and may present an indication of the existence of an associated risk and a risk description associated with the indicated risk as described above. The system may also group subsets of internal financial control items with transaction classes and audit areas and present the groupings to the user.
The system may group transaction classes with audit areas and group subsets of internal financial control items with audit areas and/or transaction classes and present the groupings to the user.
[0070] The present invention may receive user test inputs designating an internal financial control item for testing and present a set of test procedures associated with the designated internal financial control item for use by the user. The system may document assessments with the set of test procedures and process inputs representing user assessment of the effectiveness of internal financial control items. The present invention may include code to filter internal financial control items based on a key control status and present a grouping of internal control items based on the key control status designation. Although largely discussed in terms of financial internal controls, the internal control items may relate to one or more of compliance, operational, financial, and regulatory controls.
[0071] The present invention is not to be limited in scope by the specific embodiments described herein. It is fully contemplated that other various embodiments of and modifications to the present invention, in addition to those described herein, will become apparent to those of ordinary skill in the art from the foregoing description and accompanying drawings. Thus, such other embodiments and modifications are intended to fall within the scope of the following appended claims. Further, although the present invention has been described herein in the context of particular embodiments and implementations and applications and in particular environments, those of ordinary skill in the art will appreciate that its usefulness is not limited thereto and that the present invention can be beneficially applied in any number of ways and environments for any number of purposes. Accordingly, the claims set forth below should be construed in view of the full breadth and spirit of the present invention as disclosed herein.

Claims

WHAT IS CLAIMED IS:
1. A computer-implemented method for assessing a plurality of internal financial control items, the method comprising:
(a) presenting the plurality of internal financial control items; (b) processing an input set associated with at least some of the plurality of internal financial control items; and (c) generating a set of assessment information based on the processed input set.
2. The method of claim 1 wherein the processing step includes processing at least one input from the input set that designates an internal financial control item for testing and the generating step includes presenting test procedures associated with the designated internal financial control item.
3. The method of claim 1 wherein the presenting step includes first automatically and respectively grouping subsets of the plurality of internal financial control items with a plurality of internal control components, the plurality of internal control components comprising control environment, risk assessment, information and communication, monitoring, and control activities.
4. The method of claim 3 wherein the presenting step includes presenting the subsets of internal financial control items based on an input representing a selection from among the plurality of internal control components.
5. The method of claim 3 wherein the plurality of internal control components are comprised of COSO components.
6. The method of claim 3 wherein the processing step includes processing at least one input designating a design deficiency associated with an internal control objective associated with one of the plurality of internal control components and the generating step includes generating an indication of design deficiency.
7. The method of claim 3 further comprising: associating a previously identified risk with one or both of an internal financial control item and an internal control component; and presenting an indication of the existence of an associated risk and a risk description associated with the indicated risk.
8. The method of claim 1 wherein the presenting step further comprises: prior to presenting, automatically and respectively grouping subsets of the plurality of internal financial control items with one or both of a plurality of transaction classes and a plurality of audit areas and presenting one or both of the plurality of transaction classes and the plurality of audit areas.
9. The method of claim 1 wherein the presenting step further comprises: prior to presenting, automatically and respectively grouping a plurality of transaction classes with a plurality of audit areas and selectively presenting the set of audit areas and transaction classes; and prior to presenting, automatically grouping subsets of the plurality of internal financial control items with one or both of the plurality of audit areas and the plurality of transaction classes.
10. The method of claim 9 wherein the presenting step further comprises: prior to presenting, further grouping the subsets of the plurality of internal financial control items based on one or both of assertion and objective.
11. The method of claim 9 further comprising: associating a previously identified risk with one or more of audit area, transaction class, and internal financial control item; and presenting an indication of the existence of an associated risk and a risk description associated with the indicated risk.
12. The method of claim 1 further comprising: automatically grouping and presenting a subset of the plurality of internal financial control items based on a user input related to an assessment of risk, whereby the method provides a risk based approach to risk assessment.
13. The method of claim 1 further comprising: prior to the presenting step, automatically presenting a previously identified risk associated with one or both of an audit area and a transaction class associated with a subset of the plurality of internal financial control items.
14. The method of claim 1 further comprising: receiving a user test input designating an internal financial control item for testing; and presenting a set of test procedures associated with the designated internal financial control item.
15. The method of claim 14 further comprising documenting assessments associated with the set of test procedures.
16. The method of claim 1 further comprising: receiving from a user a plurality of inputs representing user assessment of the effectiveness of internal financial control items; and presenting a summary of the effectiveness assessments.
17. The method of claim 16 wherein the effectiveness assessments relate to one or more of internal financial control items, audit areas, transaction classes, assertions, exceptions, and internal control components.
18. The method of claim 16 further comprising: grouping the effectiveness assessments by one or all of audit area, assertion, and transaction class and presenting the grouped effectiveness assessments.
19. The method of claim 16 wherein the plurality of user inputs includes at least one input representing a conclusion of internal control design effectiveness.
20. The method of claim 16 wherein at least one user assessment represents a design deficiency and the presenting step includes presenting a design deficiency summary.
21. The method of claim 16 wherein at least one user assessment represents an exception related to an internal financial control item and the presenting step includes presenting an exception summary.
22. The method of claim 1 further comprising: receiving a set of user inputs adapted to designate at least some of the plurality of internal financial control items as having a key control status.
23. The method of claim 1 further comprising: assigning and presenting a set of defaults designating at least some of the plurality of internal financial control items as having a key control status; and allowing a user to change key control status designation.
24. The method of claim 1 further comprising: filtering internal financial control items based on a key control status designation assigned to a subset of the plurality of internal financial control items; and presenting the subset of the plurality of internal financial control items having the key control status designation.
25. The method of claim 1 further comprising: generating work product associated with the execution of the assessment method.
26. The method of claim 1 further comprising: performing a diagnostics operation to identify one or more of errors in data, inconsistencies in responses and inputs, omissions, incomplete procedures or responses, and reminders to user to consider internal control deficiencies identified.
27. The method of claim 1 wherein the presenting step comprises presenting a plurality of prompts designed to elicit responses and being associated with a set of risks associated with one or more of the plurality of internal control items.
28. The method of claim 1 wherein the method is at least in part carried out using one or more of an Internet-based application, an Internet-enabled application, and a desktop application.
29. The method of claim 1 wherein the method is conducted as part of an audit process, a financial statement audit, or as part of a separate audit, assessment, implementation, or maintenance of internal control.
30. A system for assessing risks associated with internal financial controls, the system comprising: a computer having an associated memory, display, and input device and adapted to execute code; a graphical user interface adapted to operate on the computer and adapted to present a plurality of internal financial control items, the graphical user interface further adapted to receive user inputs related to the set of internal financial control items via the input device; and a code set adapted to be executed on the computer and adapted to process the user inputs to generate a set of assessment information based on the received user inputs.
31. The system of claim 30 wherein the graphical user interface is adapted to present a set of prompts designed to elicit user inputs.
32. The system of claim 30 wherein the code set is further adapted to present by the graphical user interface a set of procedures based at least in part on the user inputs.
33. The system of claim 30 wherein the user inputs represent responses to risks associated with the plurality of internal financial control items.
34. The system of claim 30 further comprising a risk code set adapted to identify and present via the graphical user interface risks associated with at least some of the plurality of internal financial control items.
35. The system of claim 30 further comprising an exception code set adapted to enable a user to identify exceptions associated with at least some of the internal financial control items.
36. The system of claim 30 wherein the code set is further adapted to process at least one input from the input set that designates an internal financial control item for testing and the graphical user interface is further adapted to present test procedures associated with the designated internal control item.
37. The system of claim 30 wherein the code set is further adapted to automatically and respectively group subsets of the plurality of internal financial control items with a plurality of internal control components, the plurality of internal control components comprising control environment, risk assessment, information and communication, monitoring, and control activities.
38. The system of claim 37 wherein the graphical user interface is further adapted to present the subsets of internal financial control items based on receiving a user input designating one of the plurality of internal control components.
39. The system of claim 37 wherein the code set is further adapted to process at least one input designating a design deficiency associated with an internal control objective associated with one of the plurality of internal control components and to generate an indication of design deficiency.
40. The system of claim 37 wherein the code set is further adapted to associate a previously identified risk with one or both of an internal financial control item and an internal control component and wherein the graphical user interface is further adapted to present an indication of the existence of an associated risk and a risk description associated with the indicated risk.
41. The system of claim 30 wherein the code set is further adapted to automatically and respectively group subsets of the plurality of internal financial control items with one or both of a plurality of transaction classes and a plurality of audit areas and the graphical user interface is further adapted to present one or both of the plurality of transaction classes and the plurality of audit areas.
42. The system of claim 30 wherein the code set is further adapted to automatically and respectively group a plurality of transaction classes with a plurality of audit areas and to automatically group subsets of the plurality of internal financial control items with one or both of the plurality of audit areas and the plurality of transaction classes, and the graphical user interface is further adapted to selectively present the set of audit areas and transaction classes and the grouped subsets of the plurality of internal financial control items.
43. The system of claim 42 wherein the code set is further adapted to group the subsets of the plurality of internal financial control items based on one or both of assertion and objective.
44. The system of claim 42 wherein the code set is further adapted to associate a previously identified risk with one or more of audit area, transaction class, and internal financial control item and wherein the graphical user interface is further adapted to present an indication of the existence of an associated risk and a risk description associated with the indicated risk.
45. The system of claim 30 wherein the code set and the graphical user interface are respectively further adapted to automatically group and present a subset of the plurality of internal financial control items based on a user input related to an assessment of risk, whereby the system provides a risk based approach to risk assessment.
46. The system of claim 30 wherein the graphical user interface is further adapted to automatically present a previously identified risk associated with one or both of an audit area and a transaction class associated with a subset of the plurality of internal financial control items.
47. The system of claim 30 wherein the graphical user interface is further adapted to receive a user test input designating an internal financial control item for testing and present a set of test procedures associated with the designated internal financial control item.
48. The system of claim 47 wherein the graphical user interface is further adapted to receive user inputs associated with documenting assessments associated with the set of test procedures.
49. The system of claim 30 wherein the graphical user interface is further adapted to receive from a user a plurality of inputs representing user assessment of the effectiveness of internal financial control items and present a summary of the effectiveness assessments.
50. The system of claim 49 wherein the effectiveness assessments relate to one or more of internal financial control items, audit areas, transaction classes, assertions, exceptions, and internal control components.
51. The system of claim 49 wherein the code set and graphical user interface are respectively further adapted to group the effectiveness assessments by audit area and present the grouped effectiveness assessments.
52. The system of claim 49 wherein the plurality of user inputs includes at least one input representing a conclusion of internal control design effectiveness.
53. The system of claim 49 wherein at least one user assessment represents a design deficiency and wherein the graphical user interface is further adapted to present a design deficiency summary.
54. The system of claim 49 wherein at least one user assessment represents an exception related to an internal financial control item and wherein the graphical user interface is further adapted to present an exception summary.
55. The system of claim 30 wherein the graphical user interface is further adapted to receive a set of user inputs adapted to designate at least some of the plurality of internal financial control items as having a key control status.
56. The system of claim 30 wherein the code set and graphical user interface are respectively further adapted to assign and present a set of defaults designating at least some of the plurality of internal financial control items as having a key control status and to receive and process user inputs changing key control status designation.
57. The system of claim 30 wherein the code set is further adapted to filter internal financial control items based on a key control status designation assigned to a subset of the plurality of internal financial control items and the graphical user interface is further adapted to present the subset of the plurality of internal financial control items having the key control status designation.
58. The system of claim 30 wherein the code set is further adapted to generate work product associated with processed user assessments of internal financial control items.
59. The system of claim 30 wherein the code set is further adapted to perform a diagnostics operation to identify one or more of errors in data, inconsistencies in responses and inputs, omissions, incomplete procedures or responses, and reminders to user to consider internal control deficiencies identified.
60. The system of claim 30 wherein at least some of the code executed by the computer is one or more of Internet-based, Internet-enabled, and a desktop application.
61. The system of claim 30 wherein the assessment information is generated as part of an audit process, a financial statement audit, or as part of a separate audit, assessment, implementation, or maintenance of internal control.
62. A computer program for assessing risks associated with internal financial controls and embodied in a computer-readable medium configured for execution on a computer having an associated memory, display, and input device, the computer program comprising: a graphical user interface adapted to operate on the computer and adapted to present a plurality of internal financial control items, the graphical user interface further adapted to receive user inputs related to the set of internal financial control items via the input device; and a code set adapted to be executed on the computer and adapted to process the user inputs to generate a set of assessment information based on the received user inputs.
63. The computer program of claim 62 comprising a risk code set adapted to identify and present via the graphical user interface risks associated with at least some of the plurality of internal financial control items.
64. The computer program of claim 62 further comprising an exception code set adapted to enable a user to identify exceptions associated with at least some of the internal financial control items.
65. The computer program of claim 62 wherein the code set is further adapted to process at least one input from the input set that designates an internal financial control item for testing and the graphical user interface is further adapted to present test procedures associated with the designated internal control item.
66. The computer program of claim 62 wherein the code set is further adapted to automatically and respectively group subsets of the plurality of internal financial control items with a plurality of internal control components, the plurality of internal control components comprising control environment, risk assessment, information and communication, monitoring, and control activities.
67. The computer program of claim 66 wherein the graphical user interface is further adapted to present the subsets of internal financial control items based on receiving a user input designating one of the plurality of internal control components.
68. The computer program of claim 66 wherein the code set is further adapted to process at least one input designating a design deficiency associated with an internal control objective associated with one of the plurality of internal control components and to generate an indication of design deficiency.
69. The computer program of claim 66 wherein the code set is further adapted to associate a previously identified risk with one or both of a control item and a control component and wherein the graphical user interface is further adapted to present an indication of the existence of an associated risk and to present a risk description associated with the indicated risk.
70. The computer program of claim 62 wherein the code set is further adapted to automatically and respectively group subsets of the plurality of internal financial control items with one or both of a plurality of transaction classes and a plurality of audit areas and the graphical user interface is further adapted to present one or both of the plurality of transaction classes and the plurality of audit areas.
71. The computer program of claim 62 wherein the code set is further adapted to automatically and respectively group a plurality of transaction classes with a plurality of audit areas and to automatically group subsets of the plurality of internal financial control items with one or both of the plurality of audit areas and the plurality of transaction classes, and the graphical user interface is further adapted to selectively present the set of audit areas and transaction classes and the grouped subsets of the plurality of internal financial control items.
72. The computer program of claim 71 wherein the code set is further adapted to group the subsets of the plurality of internal financial control items based on one or both of assertion and objective.
73. The computer program of claim 71 wherein the code set is further adapted to associate a previously identified risk with one or more of audit area, transaction class, and internal financial control item and wherein the graphical user interface is further adapted to present an indication of the existence of an associated risk and to present a risk description associated with the indicated risk.
74. The computer program of claim 62 wherein the code set and the graphical user interface are respectively further adapted to automatically group and present a subset of the plurality of internal financial control items based on a user input related to an assessment of risk, whereby the program provides a risk based approach to risk assessment.
75. The computer program of claim 62 wherein the graphical user interface is further adapted to automatically present a previously identified risk associated with one or both of an audit area and a transaction class associated with a subset of the plurality of internal financial control items.
76. The computer program of claim 62 wherein the graphical user interface is further adapted to receive a user test input designating an internal financial control item for testing and present a set of test procedures associated with the designated internal financial control item.
77. The computer program of claim 62 wherein the graphical user interface is further adapted to receive from a user a plurality of inputs representing user assessment of the effectiveness of internal financial control items and present a summary of the effectiveness assessments, and wherein the effectiveness assessments relate to one or more of the group consisting of: internal financial control items, audit areas, transaction classes, assertions, exceptions, internal control components, and conclusions of internal control design effectiveness.
78. The computer program of claim 77 wherein the code set and graphical user interface are respectively further adapted to group the effectiveness assessments by one or both of audit area and transaction class and to present the grouped effectiveness assessments.
79. The computer program of claim 77 wherein at least one user assessment represents one or both of a design deficiency and an exception and wherein the graphical user interface is further adapted to present one or both of a design deficiency summary and an exception summary.
80. The computer program of claim 62 wherein the graphical user interface is further adapted to receive a set of user inputs adapted to designate at least some of the plurality of internal financial control items as having a key control status.
81. The computer program of claim 62 wherein the code set and graphical user interface are respectively further adapted to assign and present a set of defaults designating at least some of the plurality of internal financial control items as having a key control status and to receive and process user inputs changing key control status designation.
82. The computer program of claim 62 wherein the code set is further adapted to filter internal financial control items based on a key control status designation assigned to a subset of the plurality of internal financial control items and the graphical user interface is further adapted to present the subset of the plurality of internal financial control items having the key control status designation.
83. A computer-implemented method for assessing a plurality of internal control items, the method comprising:
(a) automatically grouping and presenting a subset of internal control items based on an assessment of risk associated with one or more internal control items included in the subset of internal control items;
(b) processing a set of inputs associated with at least some of the subset of internal control items; and
(c) generating a set of assessment information based on the processed set of inputs.
84. The method of claim 83 wherein the grouping and presenting step includes presenting a previously identified risk associated with an audit area associated with the subset of internal control items.
85. The method of claim 83 wherein the grouping and presenting step includes presenting a previously identified risk associated with a transaction class associated with the subset of internal control items.
86. The method of claim 83 further comprising: receiving a user test input designating an internal control item for testing; and presenting a set of test procedures associated with the designated internal control item.
87. The method of claim 86 further comprising documenting assessments associated with the set of test procedures.
88. The method of claim 83 further comprising: receiving from a user a plurality of inputs representing user assessment of the effectiveness of internal control items; and presenting a summary of the effectiveness assessments.
89. The method of claim 88 wherein the effectiveness assessments relate to one or more of internal control item, assertion, audit area, transaction class, and internal control component.
90. The method of claim 89 further comprising: presenting design effectiveness exceptions against at least some of the subset of internal control items.
91. The method of claim 90 further comprising: grouping the effectiveness assessments by one or both of audit area and transaction class and presenting the grouped effectiveness assessments.
92. The method of claim 90 wherein the internal control items relate to one or more of compliance, operational, financial, and regulatory controls.
PCT/US2009/000374 2008-01-18 2009-01-20 Method and system for auditing internal controls WO2009091613A2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU2009205677A AU2009205677A1 (en) 2008-01-18 2009-01-20 Method and system for auditing internal controls
CA2711935A CA2711935C (en) 2008-01-18 2009-01-20 Method and system for auditing internal controls
EP09702141A EP2248079A4 (en) 2008-01-18 2009-01-20 Method and system for auditing internal controls

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/009,337 US8504452B2 (en) 2008-01-18 2008-01-18 Method and system for auditing internal controls
US12/009,337 2008-01-18

Publications (2)

Publication Number Publication Date
WO2009091613A2 (en) 2009-07-23
WO2009091613A3 (en) 2010-01-14

Family

ID=40877157

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2009/000374 WO2009091613A2 (en) 2008-01-18 2009-01-20 Method and system for auditing internal controls

Country Status (5)

Country Link
US (1) US8504452B2 (en)
EP (1) EP2248079A4 (en)
AU (1) AU2009205677A1 (en)
CA (1) CA2711935C (en)
WO (1) WO2009091613A2 (en)

Also Published As

Publication number Publication date
US8504452B2 (en) 2013-08-06
EP2248079A4 (en) 2013-01-09
CA2711935C (en) 2023-08-22
EP2248079A2 (en) 2010-11-10
WO2009091613A3 (en) 2010-01-14
AU2009205677A1 (en) 2009-07-23
CA2711935A1 (en) 2009-07-23
US20090187437A1 (en) 2009-07-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09702141; Country of ref document: EP; Kind code of ref document: A2)
WWE Wipo information: entry into national phase (Ref document number: 2711935; Country of ref document: CA)
WWE Wipo information: entry into national phase (Ref document number: 2009205677; Country of ref document: AU; Ref document number: 586804; Country of ref document: NZ)
NENP Non-entry into the national phase (Ref country code: DE)
ENP Entry into the national phase (Ref document number: 2009205677; Country of ref document: AU; Date of ref document: 20090120; Kind code of ref document: A)
REEP Request for entry into the european phase (Ref document number: 2009702141; Country of ref document: EP)
WWE Wipo information: entry into national phase (Ref document number: 2009702141; Country of ref document: EP)