SAS No. 109AICPA issued SAS No. 109

SAS No. 109
AICPA issued SAS No. 109, “Understanding the Entity and Its Environment, and Assessing the Risks of Material Misstatement,” in 2006, once again showing the importance placed on COSO and its perceived value in evaluating internal controls. In it, financial auditors are required to evaluate internal controls, especially those related to IT, those that are an integral part of information systems (IS), and those related to the “entity and its environment.” SAS No. 109 is effective with fiscal years beginning on or after 15 December 2006.
In SAS No. 109, appendix B adds guidance on how to apply the standard and uses the COSO model to develop audit procedures, applicable questions and other information useful for developing audit procedures to comply with this standard.
In practice, financial audits need to include someone capable of complying with this standard, and that is most likely going to be an IT auditor or Certified Information Systems AuditorTM (CISA®). Therefore, it is important for the IT auditor to understand the COSO model and, most of all, to be able to apply it in a financial audit in evaluating internal controls.
COSO Model of Internal Controls
COSO defines internal controls as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable laws and regulations.” The COSO Model of Internal Controls uses five elements of internal controls: control environment, risk assessment, information and communication, control activities, and monitoring.
Control Environment
What is the risk of material misstatement occurring within the current entity and its environment?
The control environment element is a view of internal controls from the entity’s perspective, including both the environment it creates for business processes and controls internally, and the influences of its environment on its ability to establish and/or maintain an effective system of internal controls. Some of the ways the control environment can be evaluated regarding the risks associated with the control environment include:
• Communication and enforcement of integrity and ethical values • Commitment to competence
• Participation of those charged with governance
• Management’s philosophy and style
• Organizational structure
• Assignment of authority and responsibility • Human resource policies and practices
• Industry factors
Thinking about this element of the COSO model and auditors’ obligations to comply with SAS No. 109 is valuable to financial auditors. Financial auditors are required to gain an understanding of the “entity and its environment” to ascertain the risk of material misstatement associated with that aspect of the financial statements, and the COSO model is extremely valuable as a tool to comply with this standard.
Risk Assessment
Has the entity made an effective effort to identify areas of risk that would allow a material misstatement to occur?
The risk assessment aspect of COSO, in general, refers to the entity’s ability to properly assess risks and, for major (“significant”) risks, mitigate them to an acceptable level using controls. Some of the various ways in which risks could be introduced to the entity and, therefore, areas where controls and/or procedures should be developed to affect the entity’s system of controls positively include:
• Changes in operating environment
• New personnel
• New or revamped information systems
• Rapid growth
• New information technology employed
• New business models, products or activities
• Corporate restructurings
• Expanded foreign operations
• New accounting pronouncements
If the entity’s management and/or board are not active in assessing and mitigating risks, this aspect of the control system would be defective to some degree.
Information and Communication
Does the entity have sufficient controls to ensure the timely and proper notification of a material misstatement if and when one occurs?
The financial reporting information not only should have reliability, but should also be communicated in a timely manner and accurately to managers and decision makers. Therefore, in general, this aspect of controls deals with effective communication and relay of information from the financial reporting systems, and the controls that make those activities effective. Some of the various ways in which information and communication can be evaluated regarding the risks associated with those activities include:
• Systems to support the identification, capture and exchange of information in a form and time frame that enable personnel to carry out their responsibilities
• Financial reporting information
• Internal control information
• Internal communication
• External communication
Control Activities
Are there sufficient controls that, in the aggregate, effectively mitigate the risk of a material misstatement in the financial statements to an acceptable level?
The control activities are the actual controls themselves. Some of the various ways to evaluate control activities include: • General controls:
– Policies and procedures related to the service/product provided
– Controls over support (especially computer systems and operations, networks, etc.)
– Changes to systems associated with core business processes
– Environmental security
– Application development, maintenance and documentation