100 background - thomson reuters...chapter 1 introduction to internal control and fraud prevention...


Post on 04-Jul-2020


Page 1: 100 Background - Thomson Reuters...Chapter 1 Introduction to Internal Control and Fraud Prevention 100 Background 100 Background 100.1 In recent years, there has been an increased


100 Background

100.1 In recent years, there has been an increased level of interest in internal control. This heightened interest stems from a number of factors, including:

• Increasing concern about fraud.

• Increasing concern of investors, lenders, and regulatory agencies about corporate governance and the role of management in internal control over financial reporting.

• Confusion about the role of auditors, management, and other parties in preventing and detecting fraud.

• Increasing use of a risk-based approach to auditing, which takes into account the relationship between risks and controls.

• Increasing dependence of organizations on technology for initiating, recording, processing, and reporting transactions.

100.2 In 2006, the Auditing Standards Board (ASB) issued a group of auditing standards, collectively referred to as the Risk Assessment Standards, that were subsequently reformatted and recodified by SAS No. 122, Statements on Auditing Standards: Clarification and Recodification. One of the overall objectives of the standards was to promote the auditor's use of the audit risk model by requiring a greater understanding of the entity and its environment, including internal controls, to identify the risks of material misstatement in the financial statements and the actions of the entity to mitigate those risks. The risk-based approach and its relationship to the assessment of internal controls over financial reporting has been further addressed in the following, which apply to public companies (“issuers”) or their auditors:

• SEC Interpretive Release, Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934.

• PCAOB Auditing Std. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, as amended.

These documents, which apply to management's evaluation of internal control over financial reporting and the independent auditor's integrated audit of internal control and the financial statements, respectively, generally prescribe a “top-down, risk-based approach” to evaluating and auditing internal control over financial reporting. Chapter 7 discusses evaluating internal control over financial reporting, including evaluations conducted under Sarbanes-Oxley, in further depth.

100.3 Of particular note is the number of committees, commissions, and other interested parties and groups that have studied, opined on, legislated, or in some way influenced the accounting literature, audit and reporting requirements, laws, and other guidelines that impact internal control. To name just a few within the United States, they include:

• Cohen Commission.

• National Commission on Fraudulent Financial Reporting (Treadway Commission).


• Committee of Sponsoring Organizations (COSO).

• American Institute of Certified Public Accountants (AICPA).

• Foreign Corrupt Practices Act.

• Federal Sentencing Guidelines.

• Federal Deposit Insurance Corporation Improvement Act.

• Securities and Exchange Commission (SEC).

• U.S. General Accounting Office (GAO).

• Public Company Accounting Oversight Board (PCAOB).

100.4 While these commissions and groups were often responding to issues relating to internal control, the activities and scrutiny of these parties also led to media focus and additional interest in internal control. No matter how one looks at it, internal control continues to be a hot topic.

Why All the Attention on Internal Control?

100.5 As mentioned beginning at paragraph 100.1, there are several reasons for the increased focus on internal control. First, there is a continuing belief among many individuals and groups that effective internal control is what ultimately safeguards a business' assets from fraud, illegal acts, or other transgressions of company management, employees, or third parties. Unfortunately, many of the aforementioned committees, commissions, etc., and their reports and other guidance stem directly from the business and/or audit failures and excesses of the past, including the Enron and Worldcom scandals, and more recently AIG and Madoff. Because of the frequency of such events and the huge dollar amounts of resulting losses, the public, the business community, the media, and their representatives have demanded more scrutiny of what they see as the failures of internal control.

100.6 In July 2002, in response to major corporate failures, President Bush signed into law the Sarbanes-Oxley Act of 2002 (the Act). Although the Act generally only applies to public companies and their auditors, it further emphasizes the importance of internal control. Section 404 of the Act requires each annual report of a public company to contain an internal control report that—

• States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

• Contains an assessment, as of the end of the company's fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial reporting.

In addition, auditors of certain public companies are required to issue an opinion on the effectiveness of internal control over financial reporting. Auditors are further required by PCAOB Auditing Std. No. 5 to modify their report on internal control if elements of management's report on internal control are incomplete or improperly presented.

100.7 Another factor influencing the interest level in internal control is the increasing influence of shareholders, especially institutional shareholders, of publicly held companies on boards of directors and top management. These parties, as well as lenders, have changed the typical attitudes toward corporate governance. Previously, top executives such as chief executive officers (CEOs) and senior management tended to dominate the handling of corporate affairs. With the increasing activism by shareholder groups and, specifically, the clout of blocks of institutional investors, CEOs and top management now have to answer to more outside members of the board of directors who represent the interests of the shareholders. CEOs can no longer pack the board of directors with loyal supporters who would not question the goals and strategies set forth by management.

100.8 In addition to the requirements related to internal control reporting discussed at paragraph 100.6, the Sarbanes-Oxley Act of 2002 also includes requirements that restrict certain activities of public company executives and provide for disclosures of other executive activities. Furthermore, the Act requires increased oversight by each member of the company's audit committee. The emphasis in these requirements is on independence and public awareness.

100.9 Auditors implementing a risk-based approach to auditing are also focusing more attention on internal control. With this approach, the auditor identifies risks that might affect the client's financial statements, looks at controls that might mitigate those risks, and designs audit procedures based on an evaluation of those risks and controls.

100.10 The complexity of business processes has also impacted how auditors and other parties view internal control. In today's environment, it is difficult to understand, evaluate, and test an entity's business processes without looking at the information technology (IT) that supports those business processes. Today, businesses are becoming increasingly dependent on technology for initiating, recording, processing, and reporting business transactions. This is especially true in the e-business arena, where Internet-based transactions and commerce result in the complete automation and integration of business processes. The AICPA acknowledges the many challenges that auditors face relating to IT in AU-C 315, Understanding the Entity and its Environment and Assessing the Risk of Material Misstatement. AU-C 315 describes the effects IT may have on internal control, the risks to internal control, procedures performed, and the auditor's understanding of internal control and assessment of control risk. Chapter 5 of this Guide discusses IT controls.

100.11 This focus on internal control, corporate performance and governance, and business processes, together with the guidance on internal control issued by various commissions and other groups, has caused internal and external auditors and other practitioners, as well as those responsible for internal control in business organizations, to look more broadly at the concept of internal control. As discussed in section 201, the Foreign Corrupt Practices Act (FCPA), enacted in 1977, contained a provision mandating that companies maintain adequate internal accounting control. While the internal control provisions of the FCPA were not the primary focus of the Act, they did have an effect on corporate governance by focusing corporate board attention on internal control issues. Prior to the FCPA, documenting the effectiveness of a company's internal control may not have been a high priority of management. Instead, evaluation of internal control was relegated to external auditors assessing internal control relating to financial reporting as part of their audits. Another initiative that has focused management's attention on the importance of internal control is the Federal Sentencing Guidelines, first issued in 1991. Federal judges generally use these guidelines when deciding how to penalize organizations for criminal acts. These Guidelines have forced organizations to consider whether they have effective controls since they are potential mitigating factors for sentencing. By looking at the internal control framework developed by COSO, as well as other frameworks, it is clear that the concept of internal control is much broader than internal accounting control.

The Need for Guidance

100.12 With the enhanced level of interest in internal control in recent years and new requirements placed on auditors, management, and other parties, those individuals responsible for internal control and auditors face a number of challenges, including:

• Management must accept a greater responsibility for internal control. Management's responsibilities are now enumerated more clearly in the auditing literature, the COSO internal control framework (that is, the report titled Internal Control—Integrated Framework updated by COSO in 2013—see paragraph 101.18), and other guidance such as the Foreign Corrupt Practices Act. Under the Sarbanes-Oxley Act, discussed at paragraph 100.6, responsibilities have increased dramatically for public companies, including their management and audit committees. Similarly, the responsibilities placed on CPAs are clearer and have also increased.

• Organizations must have adequate controls to mitigate ever-increasing fraud risks.

• Auditors must have a greater understanding of internal control to ensure that their audits will be effective in light of businesses' increasing dependence on technology.

• Auditors (internal and external) now have an increasing opportunity to provide services relating to internal control.

100.13 One source of confusion relating to internal control is that the term has different meanings to different people, and those differences can lead to misunderstandings and miscommunications about expectations, goals, and results. The meaning of the term internal control is discussed in section 101.

100.14 In addition to terminology and conceptual differences, another factor affecting how accountants and others involved in providing services relating to internal control is the varying nature of the services. These services are discussed in section 102.

Key Issues Addressed in This Guide

100.15 This Guide provides answers to the following questions:

• What is internal control?

• What types of services may be performed relating to internal control?

• What frameworks or criteria may be used for evaluating internal control?

• How does the COSO internal control framework apply in an evaluation of internal control?

• What categories of controls exist and which are of primary importance for different engagements?

• How does safeguarding of assets fit into the COSO internal control framework?

• What other frameworks may be used for evaluating internal control?

• What is the role of corporate governance in internal control?

• What is fraud in general and what are the different types of fraud?

• What types of controls are needed to prevent fraud or to detect fraud in a timely manner?

• What are the issues surrounding evaluation of information technology (IT) controls and how does IT fit into the COSO and other frameworks?

• What is the concept of reasonable assurance relating to internal control?

• What are the process and considerations for evaluating internal control over financial reporting for nonpublic organizations, as well as public companies that are subject to the provisions of Sarbanes-Oxley?

1 Use of the guidance provided by the Release in management's evaluation and assessment of internal control over financial reporting under Sec. 404 of the Sarbanes-Oxley Act of 2002 is voluntary. The SEC has also amended Rules 13a-15(c) and 15d-15(c) of the Securities Exchange Act of 1934. The amended rules note that there are many different ways to conduct an evaluation that will satisfy the evaluation requirement of the Rules.

2 Companies with market capitalization of less than $75 million are referred to as nonaccelerated filers. As discussed beginning at paragraph 703.35, section 989G of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) issued in July 2010 added section 404(c) to the Sarbanes-Oxley Act to exempt non-accelerated filers from the requirements of Section 404(b), which requires an independent auditor's attestation report on the effectiveness of an entity's internal control over financial reporting. (A management report on internal control is still required.) In addition, the Jumpstart Our Business Startups Act (JOBS Act) issued in April 2012 exempts emerging growth companies from the requirement for an audit of internal control over financial reporting and delays the adoption of certain accounting standards and the possible application of other PCAOB auditing standards. (The SEC staff has published frequently asked questions to provide guidance on implementing certain provisions of the JOBS Act. The FAQs can be found at www.sec.gov/spotlight/jobs-act.shtml.)

3 References in this Guide to “business,” “corporation,” “organization,” and “company” generally refer to various types of entities, including public and nonpublic companies and corporations, nonprofit organizations, and governments.

© 2015 Thomson Reuters/PPC. All rights reserved.


END OF DOCUMENT

© 2016 Thomson Reuters/Tax & Accounting. All Rights Reserved.


101 What Is Internal Control?

101.1 Because internal control is an abstract concept, it is difficult to reach consensus from all stakeholders about what internal control is. It is likely that parties such as auditors, other practitioners, members of management, the media, and the public will have different viewpoints on the topic. Also, the meaning of the term internal control has changed over time.

Historical Viewpoint

101.2 Some individuals point to the enhanced level of interest in financial reporting that began during the Industrial Revolution in the late 19th century as the reason for more attention to the concept of internal control. Because of the need for capital to finance growth, there was increased focus on financial reporting on companies' financial condition and results of operations. Investors and creditors were especially interested in being able to assess the stability of companies and the soundness of their investments. During this time, early accountants referred to two terms relating to internal control:

• Internal Check. This term referred to procedures or processes designed to segregate duties. During this period, preventing fraud was especially challenging because most business transactions used cash as the primary exchange medium.

• Internal Accounting Control. This term was used to bring a narrower focus to the broader concept of internal control. The term internal accounting control referred to controls that would be important in a financial statement audit.

101.3 Auditors first gave attention to the concept of internal control with the acknowledgment that it was inefficient and unnecessary to test or verify all accounts and transactions that were included in the financial statements. There was the recognition that by placing some degree of reliance on the processes that entities used in accounting for transactions and events and assembling such information into financial statements, more efficient and effective audits or other examinations could be achieved. The term internal control was first used to refer to these processes, but the first real definition of the term internal control was issued by the accounting profession in 1949, in response to the McKesson & Robbins scandal. While the McKesson & Robbins business fraud raised a number of key issues, several of the issues directly related to internal control, including:

• The extent of the responsibility of CPAs to detect material fraud (even if such fraud involves collusion).

• The purpose of the study of internal control.

101.4 In Accounting Standards Release (ASR) No. 19, Report on Investigation of the Securities and Exchange Commission in the Matter of McKesson & Robbins, Inc., issued by the Securities and Exchange Commission (SEC), the SEC criticized the public accounting profession with respect to how the study of internal control was practiced. It noted that “the necessity for a comprehensive knowledge of the client's system of internal check and control cannot be overemphasized,” especially because of the use of testing and sampling procedures in financial statement audits. In addition to calls for more vigilance, inquisitiveness, and analysis of evidence by auditors, the SEC noted that the CPA's examination of internal control should not be limited to particular accounting functions, but should lead to a full knowledge of the manner in which the transactions are handled. Clearly, the SEC was urging the accounting profession to provide guidance on the appropriate level of inquiry relating to internal control.

101.5 Thus, as part of the repercussion of the McKesson & Robbins fraud and another fraud involving a company called Drayer-Hanson, the AICPA provided its first definition of internal control. This first study of internal control, issued in 1949, was titled Internal Control—Elements of a Coordinated System and Its Importance to Management and the Independent Public Accountant. The profession's first attempt at defining internal control was as follows:


Internal control comprises the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.

101.6 Additionally, in response to the SEC's comments after the McKesson & Robbins scandal, the definition noted that a system of internal control extends beyond those matters that relate directly to the functions of the accounting and financial departments. While this 1949 definition of internal control was quite broad, it failed to provide guidance to CPAs on what aspects of internal control should be considered when performing financial statement audits.

101.7 The 1949 definition was only the accounting profession's first attempt at defining internal control. Numerous subsequent definitions were put forth by the AICPA's Committee on Auditing Procedure in Statement on Auditing Procedure (SAP) Nos. 29 and 33, and the Auditing Standards Board in Statement on Auditing Standards (SAS) No. 1. By the 1970s, the profession's perspectives on internal control were affected by the activities, recommendations, and/or legislation of the Cohen Commission, the Foreign Corrupt Practices Act (FCPA), and the Treadway Commission, among other groups. In 1988, in response to criticism of the profession in the wake of the bank and savings and loan failures of the 1980s, the AICPA issued nine SASs. These SASs are often referred to as the “expectation gap” SASs. They included SAS No. 55, Consideration of the Internal Control Structure in a Financial Statement Audit. Additional information on these commissions and events that led to the passage of SAS No. 55 and other auditing standards related to internal control is discussed in more detail in Chapter 2.

101.8 Historically, the concept of internal control has often been confusing. Note that Merriam-Webster's Collegiate® Dictionary, Eleventh Edition provides various definitions of the term control. Among the definitions are “uses such as a control group for an experiment” and “being one who controls (for example, a controller, or having a controlling interest in a business).” Also, the term could mean “to exercise restraining or directing influence over” or “to have power over.” Perhaps more relevant is the definition “to reduce the incidence or severity of . . . to innocuous levels.” Based on the definitions of internal control developed by COSO and those included in the accounting literature, it appears that internal control is viewed as a means (or actions taken) to achieve the results desired (a state of being in control). Even the dictionary definition of control recognizes that there are limitations to internal control. It refers to reducing the incidence or severity of a given event or consequence to “innocuous levels.” The concept of reasonable assurance is discussed in section 201.

COSO's 1992 Internal Control Framework

101.9 In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a four-volume report titled Internal Control—Integrated Framework (referred to throughout this Guide as the 1992 Framework or COSO Framework). The 1992 Framework—

• defined internal control,

• described the components of effective internal control,

• provided criteria against which internal control could be evaluated, and

• presented guidance that organizations could follow when reporting publicly on internal controls over financial reporting.

101.10 COSO's 1992 Framework was the most widely accepted internal control framework, certainly for U.S. companies. The AICPA incorporated the COSO framework and its five components of internal control into the auditing literature. COSO's 1992 Framework also has served as the most commonly used basis for assessing internal control under other types of engagements. Furthermore, as noted in section 200, under SEC rules relating to the Sarbanes-Oxley Act, COSO's 1992 Framework was considered to be a suitable internal control framework for management to base its evaluation of the effectiveness of internal control over financial reporting.

101.11 According to the 1992 Framework, COSO defined internal control as “. . . a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives . . . .” in one of the following categories:

• Efficiency and effectiveness of operations.

• Reliability of financial reporting.

• Compliance with applicable laws and regulations.


While the 1992 Framework placed internal control in those broad categories, the primary focus of the 1992 Framework was on controls over financial reporting. Specifically, for internal control relating to financial reporting to be considered effective, the 1992 Framework stated that the board of directors and management must have reasonable assurance that the organization is preparing published financial statements in a reliable manner.

101.12 To understand why the 1992 Framework focused primarily on internal control over financial reporting, it is helpful to look at the origins of COSO and COSO's membership. Remember that COSO refers to the Committee of Sponsoring Organizations of the Treadway Commission. As discussed in more detail in section 201, the National Commission on Fraudulent Financial Reporting, known as the Treadway Commission, was created for the purpose of identifying causes of fraudulent financial reporting and making recommendations for reducing its incidence. The Treadway Commission was created by the joint sponsorship of the AICPA, the American Accounting Association (AAA), the Financial Executives Institute (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (known at that time as the National Association of Accountants).

101.13 In 1987, the Treadway Commission issued a report that made a number of observations and recommendations related to internal controls, including:

• Noting that there were several different interpretations and concepts relating to internal control.

• Stressing the importance of certain aspects of internal control.

• Recommending management reports on the effectiveness of internal control.

• Challenging the sponsoring organizations to work together in integrating various internal control concepts and definitions and to develop a common reference point.

101.14 In addition, in its 1987 Report on the National Commission on Fraudulent Financial Reporting, the Treadway Commission determined that failures in internal control were major factors in almost 50% of the cases of fraudulent financial reporting that it researched.

101.15 As discussed in more detail in section 201, each of the sponsoring organizations of the Treadway Commission appointed a representative to the group known as the Committee of Sponsoring Organizations (COSO). The focus of COSO on fraudulent financial reporting was influenced not only by the findings of the Treadway Commission and its charge to COSO to develop integrated guidance on internal control—the membership of COSO itself also impacted the direction taken by COSO. Specifically, there was a strong bias toward accounting and finance-related issues due to the orientation of COSO. The AICPA was the largest and most influential organization among the sponsoring organizations, and a major accounting firm, Coopers & Lybrand (now PricewaterhouseCoopers) was selected to author the resulting work product (the 1992 Framework). The strong influence of entities with a public accounting focus could be expected to center the COSO framework's attention on the part of internal control that pertains to financial reporting. However, it was not just the AICPA, Coopers & Lybrand, and other public accounting contributors that focused on internal control over financial reporting. Many of the sponsoring organizations had a similar interest. And, as mentioned at paragraph 101.12, COSO's predecessor, the Treadway Commission, was initially formed to report on fraudulent financial reporting.

101.16 The AICPA carried significant influence among the sponsoring organizations because of its size, monetary backing, and professionalreputation. Other sponsoring organizations did not have the same advantages in terms of size, resources, prestige, and influence. The AICPA'sinfluence in Washington government circles was felt by representatives of the SEC and the U.S. General Accounting Office (GAO) relating toaccounting and auditing issues. In addition, many of the private sector contributors to COSO (e.g., controllers, chief financial officers, internalauditors, accounting professors, etc.) carried with them the experiences they gained when many of them began or spent part of their careers inpublic accounting.

101.17 Additionally, at the time that COSO was developing its framework, the SEC was recommending that SEC registrants be required to reporton the effectiveness of internal control. This was the second attempt by the SEC to require such reporting, partially in response to therecommendation of the Treadway Commission and also in response to the financial failures of many banks, savings and loans, and otherfinancial institutions. Subsequently, in 2002, the Sarbanes­Oxley Act was passed (see paragraph 100.6) and the AICPA issued SAS No. 99,Consideration of Fraud in a Financial Statement Audit, which was effective for audits of financial statements for periods beginning on or afterDecember 15, 2002.

Present Perspective—COSO's 2013 Framework

101.18 Since the issuance of COSO's 1992 Framework as discussed beginning in paragraph 101.9, there have been dramatic changes in business and operating environments, making businesses more complex, technologically driven, and global. In addition, stakeholders have called for greater transparency and accountability about an entity's internal control. For those reasons, COSO undertook a project to update the 1992 Framework.

101.19 As discussed more fully in section 201, in May 2013, COSO issued an updated framework, Internal Control—Integrated Framework (2013 Framework), to help entities design, implement, and evaluate internal control in light of the current business and regulatory environments and operations. As noted in paragraph 201.25, the 2013 Framework retains many familiar aspects of the 1992 Framework, including the definition of internal control, the three general categories of objectives that internal control is focused towards, and the five components of internal control. However, the 2013 Framework reflects the consideration of the many changes in business and operating environments that have occurred over the years since the 1992 Framework was issued, including:

• Expectations relating to governance oversight.

• Changes and greater complexities in businesses.

• The ways in which markets and operations have become more globalized.

• Demands and complexities in laws, rules, regulations, and standards.

• Changes in and increased use of technology.

• Expectations relating to competencies and accountabilities.

• Expectations of users relating to the prevention and detection of fraud.

101.20 According to COSO, the 2013 Framework and supporting documents are intended to (a) clarify the requirements of effective internal control, (b) update the context for applying internal control to reflect changes in business and operating environments, and (c) broaden the application of the COSO framework by expanding the operations and reporting objectives. It provides broadly accepted and practical criteria for establishing internal control and for assessing its effectiveness by addressing matters such as the definition of internal control; the requirements for effective internal control (including both components and relevant principles); and the approach users may follow when designing, implementing, and conducting internal control and assessing its effectiveness.

101.21 While the 2013 Framework is geared to the achievement of any of an organization's objectives in the areas of operations, compliance, or reporting, COSO published a concurrent document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples (Compendium), that provides additional direction on how the 2013 Framework can be applied when preparing external financial statements. (As noted elsewhere, this Guide focuses primarily on objectives and controls relevant to financial reporting.) The Compendium is discussed further in section 201, as well as in other chapters of this Guide.

Sarbanes-Oxley Act of 2002 and COSO

101.22 To comply with Section 404 of the Sarbanes-Oxley Act, the SEC requires that a public company's annual report include an internal control report from management that includes, among other things, a statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting. The SEC specifies that management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures. The SEC has indicated in the past that the COSO 1992 Framework satisfies the criteria for an acceptable evaluation framework. Although the SEC has not explicitly endorsed the 2013 Framework, nor has it provided a particular deadline when it will require companies to transition to the 2013 Framework, the SEC announced that it will monitor the transition for issuers using the 1992 Framework to evaluate whether any staff or SEC actions will become necessary or appropriate at some point in the future. SEC staff has also indicated that the longer issuers continue to use the 1992 Framework, the more likely they are to receive questions from the staff about whether the issuer's use of the 1992 Framework satisfies the SEC's requirement to use a suitable, recognized framework (particularly after December 14, 2014, when COSO will consider the 1992 Framework to have been superseded by the 2013 Framework).

This well-known business fraud occurred in the 1930s. After the New York Stock Exchange suspended trading of the company's stock in 1938, the Securities and Exchange Commission investigated and found widespread fraud, including fictitious inventory, accounts receivable, and other assets. For more information on the McKesson & Robbins case, refer to Accounting Standards Release (ASR) No. 19, Report on Investigation of the Securities and Exchange Commission in the Matter of McKesson & Robbins, Inc., issued by the SEC.

The Committee on Auditing Procedure was the precursor to the Auditing Standards Executive Committee, which codified the SAPs into the first Statement on Auditing Standards (SAS). The successor to the Auditing Standards Executive Committee is the Auditing Standards Board.

COSO considers the 1992 Framework superseded after December 15, 2014.

© 2015 Thomson Reuters/PPC. All rights reserved.


102 CPA Services Relating to Internal Control

Types of Services

102.1 CPAs provide a variety of services relating to internal control. The following are examples of services relating to internal controls that CPAs may provide:

• Consideration of internal control in connection with an audit of the financial statements and communication of internal control related matters.

• Report on internal control in connection with an audit of a governmental entity or a nonprofit organization under the Yellow Book.

• Opinion about the effectiveness of internal control under the AICPA attestation standards.

• Report on the internal control of a service organization under SSAE No. 16.

• Report on the results of internal audit assistance services.

• Consulting engagements on implementation of measures to reduce the risk of fraud.

• Consulting engagements on the design or improvement of internal control, including assisting or advising management with the evaluation of internal control, done in connection with Sarbanes-Oxley.

102.2 Professional Standards. Depending on the type of service, different professional standards apply to the various engagements. These professional standards include:

• AICPA Code of Professional Conduct.

• Statements on Auditing Standards.

• Statements on Standards for Attestation Engagements.

• PCAOB Auditing Standards.


• Government Auditing Standards (the Yellow Book).

• Statements on Standards for Consulting Services.

102.3 The types of services relating to internal control and the professional standards that apply are discussed beginning at paragraph 102.4. Consulting engagements are discussed in greater depth in section 103.

Consideration of Internal Control in Connection with an Audit of Financial Statements

102.4 The primary service most CPAs provide relating to internal control is the understanding of internal control in order to assess the risk of material misstatement in the financial statements and to design the nature, timing, and extent of further audit procedures in connection with an audit of financial statements of a nonpublic company. AU-C 315 describes the auditor's responsibilities for the understanding of internal control.

102.5 In addition, in a financial statement audit, the auditor may issue certain other reports and communications relating to internal control, such as—

• Communication of internal control related matters as required by professional standards.

• Management letters.

• Special reports for audits of governmental entities and nonprofit organizations under Government Auditing Standards (the Yellow Book).

102.6 Communication of Internal Control Related Matters as Required by Professional Standards. For nonpublic entities, AU-C 265, Communicating Internal Control Related Matters Noted in an Audit, requires the auditor to communicate, in writing, to management and those charged with governance certain deficiencies in internal control that were identified in the audit. AU-C 265 defines, and provides guidance for evaluating, deficiencies in internal control that are categorized as a control deficiency, significant deficiency, and material weakness. When evaluating and categorizing deficiencies, the auditor should consider deficiencies individually and in combination with other deficiencies affecting the same significant account balance or disclosure, relevant assertion, or component of internal control. This is because multiple control deficiencies that affect the same financial statement account balance or disclosure, relevant assertion, or component of internal control increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness even though they are individually insignificant. For each audit, auditors are specifically required to communicate in writing to those charged with governance significant deficiencies and material weaknesses that were identified. In addition, AU-C 265 states that the auditor should communicate, in writing or orally, other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor's professional judgment, are of sufficient importance to merit management's attention. If other deficiencies in internal control are communicated orally, the auditor should document the communication. Such communication should be made no later than 60 days following the report release date. PPC's Guide to Internal Control Communications provides extensive guidance on fulfilling the auditor's responsibilities.

102.7 AU-C 260, The Auditor's Communication With Those Charged with Governance, provides guidance on communication with those charged with governance in connection with a financial statement audit of nonpublic companies. According to AU-C 260, the auditor's objectives are to (a) communicate clearly with those charged with governance; (b) clearly communicate the auditor's responsibilities relative to the financial statement audit and an overview of the planned scope and timing of the audit; (c) obtain information relevant to the audit from those charged with governance; (d) provide timely observations to those charged with governance resulting from the audit that are significant and relevant to their responsibility to oversee the financial reporting process; and (e) promote effective two-way communication between the auditor and those charged with governance. As part of those requirements, the auditor might also communicate that an audit of financial statements includes consideration of internal control over financial reporting as a basis for designing audit procedures, but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control over financial reporting. The auditor may wish to communicate the approach to internal control for the audit, including, when applicable, whether an opinion will be expressed on the effectiveness of internal control over financial reporting.

102.8 Management Letters. In addition to the communication of significant deficiencies and material weaknesses required by AU-C 265, many auditors also issue management letters, which provide suggestions for improvements in the internal control, organization, or efficiency that are noted during the audit.

102.9 As discussed beginning at paragraph 102.6, AU-C 265 requires auditors to communicate, in writing or orally, other deficiencies in internal control identified during the audit that (a) have not been communicated to management by other parties and (b) are of sufficient importance to merit management's attention. In addition, when communicating such matters orally, the standard requires auditors to document the communication. While this Guide does not contain detailed communication guidance, it is included in PPC's Guide to Management Letter Comments: Operations and Controls. That Guide also contains examples of management letter comments that may be helpful to auditors when communicating such matters to management.

102.10 Special Requirements and Reports under Government Auditing Standards. Government Auditing Standards (the Yellow Book) requires auditors of certain recipients of federal awards and assistance, such as state and local governmental entities and nonprofit organizations, to expand the scope of audit work and issue reports on internal control in conjunction with the audit. These reporting requirements extend the communications required by auditing standards. PPC's Guide to Single Audits provides detailed guidance and illustrations for those types of reports.

Engagements to Provide an Opinion on the Effectiveness of Internal Control Over Financial Reporting

102.11 Integrated Audit of Internal Control and the Financial Statements—Nonpublic Entities. SSAE No. 15 (AT 501), An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, establishes standards and provides guidance to CPAs performing an examination of an entity's internal control over financial reporting (internal control) in the context of an integrated audit (an audit of an entity's financial statements and an examination of its internal control). Among other things, SSAE No. 15 converges the standards CPAs use for reporting on a nonpublic entity's internal control with PCAOB Auditing Std. No. 5, An Audit of Internal Control That is Integrated with an Audit of Financial Statements, discussed beginning at paragraph 102.20.

102.12 SSAE No. 15 applies only to examinations of the design and operating effectiveness of an entity's internal control that are integrated with an audit of the entity's financial statements. Therefore, an SSAE No. 15 engagement cannot be performed unless the financial statements are also being audited.

102.13 SSAE No. 15 (AT 501.18) states that the examination of internal control over financial reporting should be integrated with the audit of the financial statements and be planned to accomplish the objectives of both audits simultaneously. The objective of an examination of internal control is to express an opinion on the effectiveness of the entity's internal control over financial reporting based on reasonable assurance obtained about whether material weaknesses exist. The objective of an audit of the financial statements is to express an opinion on whether the statements conform to GAAP. Although those two objectives are not identical, the CPA should design tests of controls to obtain sufficient evidence to support the opinion on internal control and to support the control risk assessments for purposes of auditing the financial statements.

102.14 In evaluating the effectiveness of internal control, the CPA cannot conclude that internal control is effective if there is a material weakness. Thus, an examination of internal control in accordance with SSAE No. 15 involves (a) obtaining an understanding of the internal control over financial reporting, (b) performing procedures to test the design and operating effectiveness of internal control to detect deficiencies, and (c) evaluating those deficiencies to determine whether they indicate one or more material weaknesses in internal control.

102.15 Auditors who are engaged to examine the effectiveness of internal control under SSAE No. 15 should communicate in writing significant deficiencies and material weaknesses to management and those charged with governance.

102.16 Upcoming Changes to AT 501. The Attestation Recodification Task Force of the AICPA's Auditing Standards Board (ASB) has been working on a comprehensive project to clarify and redraft the attestation standards in much the same way it clarified the auditing standards, which culminated in the issuance of SAS No. 122, Statements on Auditing Standards: Clarification and Recodification, in October 2011. The project is a two-phased approach:

• Revision of the general attestation standards, which are currently contained in AT 20, AT 50, AT 101, and AT 201 (referred to as the general sections); and

• Revision of the subject-matter specific guidance now codified in AT 301-801 (referred to as the subject-matter sections).

102.17 In July 2013, the ASB issued an exposure draft, Attestation Standards: Clarification and Recodification, which would supersede AT 20 through 201. In January 2014, it issued another exposure draft, Subject-Matter Specific Attestation Standards: Clarification and Recodification, which would supersede AT 301, Forecasts and Projections; AT 401, Pro Forma Financial Information; and AT 601, Compliance Attestation. In September 2014, the ASB issued a proposed revision to the subject-matter section on service organizations, Proposed Statement on Standards for Attestation Engagements Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting: Clarification and Recodification, which would supersede AT 801.

102.18 Once all of the standards have been exposed and finalized, it is anticipated that the Board will issue one final clarified SSAE that will supersede most of the current guidance in the attestation standards. The most recent discussions by the Board indicate that they plan to vote to ballot for issuance the final SSAE by the end of 2015 and that the effective date would not be earlier than for reports issued after May 1, 2017. Future editions of this Guide will update the status of this project. Practitioners can monitor the status of the project at www.aicpa.org/interestareas/frc/auditattest/pages/attestclarityproject.aspx.

102.19 AT 501 addresses an examination of internal control that is integrated with an audit of financial statements. In October 2015, the ASB issued Statement on Auditing Standards No. 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, that will supersede AT 501 effective for integrated audits for periods ending on or after December 15, 2016. Future editions of this Guide will be updated for SAS No. 130. Furthermore, the ASB is considering the addition of a generic internal control attestation standard to provide guidance to practitioners engaged to perform a stand-alone examination of an entity's internal control over financial reporting, operations, or compliance. In connection with the migration of AT 501 to the auditing standards, the ASB is considering a number of changes to the current guidance.

102.20 Integrated Audit of Internal Control and the Financial Statements—Public Companies. The Sarbanes-Oxley Act of 2002 established the Public Company Accounting Oversight Board (PCAOB) under the supervision of the SEC to set auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for auditors of public companies. As noted at paragraph 100.6, the Act also established requirements related to management's assessment of internal control. The PCAOB adopted the generally accepted auditing standards of the AICPA that existed as of April 15, 2003, as interim standards for audits of public companies. It has also issued 18 Auditing Standards, including Auditing Std. No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements. That Standard establishes requirements and provides guidance for auditors that are engaged to perform an audit of management's assessment of the effectiveness of internal control over financial reporting that is integrated with the audit of the financial statements of a public company. The Standard requires the auditor to express an opinion on the effectiveness of the company's internal control over financial reporting.

102.21 Auditing Std. No. 5 provides guidance for auditors to comply with the internal control reporting requirements of Section 404 and SEC rules. The effective dates of the Section 404 requirements for management to report on the effectiveness of internal control and the related audit of internal control by the organization's independent auditors are as follows:

• Companies with market capitalization over $75 million and that have filed at least one annual report with the SEC, referred to as accelerated filers, were required to comply with the internal control report rules for fiscal years ending on or after November 15, 2004.

• Companies that are not accelerated filers are required to provide management's report on internal control over financial reporting for fiscal years ending on or after December 15, 2007. However, as discussed beginning at paragraph 703.35, section 989G of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) issued in July 2010 exempted non-accelerated filers from the Section 404(b) requirement for an auditor's attestation report on internal control over financial reporting.

• New equity issuers that meet the definition of an emerging growth company are exempted by the Jumpstart Our Business Startups Act (JOBS Act), issued in April 2012, from the requirement for an audit of internal control over financial reporting. The JOBS Act also delays the adoption of certain accounting standards and the possible application of other PCAOB auditing standards for such companies. (Emerging growth companies are discussed further at paragraph 703.35.)

PPC's Guide to PCAOB Audits provides in-depth guidance to CPAs who are performing integrated audits of both a company's financial statements and management's assessment of the effectiveness of internal control over financial reporting.

102.22 Other Public Company Guidance. CPAs involved in Section 404 engagements should be aware of the following developments and guidance that may affect such services or management's assessment and evaluation of internal control over financial reporting:

• Rule on Pre-approval of Non-audit Services Related to Internal Control Over Financial Reporting. The PCAOB has issued a rule that requires the auditor to seek pre-approval from the audit committee to perform permissible non-audit services related to internal control over financial reporting. The auditor is required to (a) describe the scope of the services in writing and (b) discuss and document the potential effects of the services on the firm's independence with the audit committee.

• Rule on Communication with Audit Committees Concerning Independence. The PCAOB rule requires a registered accounting firm to do the following before accepting an initial engagement:

•• Describe, in writing, to the audit committee all relationships between the firm or its affiliates and the potential audit client or persons in a financial reporting oversight role that may reasonably be thought to bear on independence.

•• Discuss with the audit committee the potential effects of the relationships on the firm's independence, should it be appointed auditor.

•• Document the substance of the discussion.

The rule also requires the accounting firm to perform these items, as well as confirm that the firm is independent in compliance with the PCAOB's Rule 3520, at least annually.

• The June 5, 2003, SEC Final Rule, Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (Release No. 33-8238), which can be accessed at www.sec.gov/rules/final/33-8238.htm.

• SEC staff Frequently Asked Questions on Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (the SEC Staff FAQ) issued in June 2004, and revised on October 6, 2004, and September 24, 2007, which can be accessed at www.sec.gov/info/accountants/controlfaq1004.htm.

• The May 16, 2005, SEC Commission and Staff guidance to clarify certain aspects of how management should apply Section 404, including the May 16, 2005, SEC Commission Statement on Implementation of Internal Control Reporting Requirements (Press Release No. 2005-74), which can be accessed at www.sec.gov/news/press/2005-74.htm, and the SEC's Staff Statement on Management's Report on Internal Control Over Financial Reporting (SEC May 16, 2005, Staff Statement), which can be accessed at www.sec.gov/info/accountants/stafficreporting.htm.

• The July 2006 SEC concept release covering matters about which the SEC was considering providing additional guidance for management's assessment of and reporting on internal control over financial reporting, Concept Release Concerning Management's Reports on Internal Control over Financial Reporting (Release No. 34-54122), which can be accessed at www.sec.gov/rules/concept/2006/34-54122.pdf.

• The June 20, 2007, Interpretation, Commission Guidance Regarding Management's Report on Internal Control over Financial Reporting under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (Release No. 33-8810), which can be accessed at www.sec.gov/rules/interp/2007/33-8810.pdf. The Interpretation states that the May 16, 2005, Commission and Staff Statements remain relevant.

• The June 20, 2007, Amendments to Rules Regarding Management's Report on Internal Control over Financial Reporting (SEC Release No. 33-8809), which can be accessed at www.sec.gov/rules/final/2007/33-8809.pdf.

• The August 3, 2007, SEC Final Rule, Definition of the Term Significant Deficiency (Release No. 33-8829), which can be accessed at www.sec.gov/rules/final/2007/33-8829.pdf.

• Handbook for Small Business. The SEC has issued a brochure entitled Sarbanes-Oxley Section 404—A Guide for Small Business, designed to help make a small business's first internal control assessment easier. The brochure refers to, and briefly summarizes, the SEC's June 2007 interpretive guidance discussed in section 703 of this Guide.

• PCAOB Staff Guidance on Auditing Internal Control in Smaller Public Companies. The PCAOB's Staff Views—An Audit of Internal Control That Is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies, does not establish new requirements but discusses how Auditing Std. No. 5 may be applied to audits of smaller, less complex companies. Relevant aspects of the document, which can be accessed at http://pcaobus.org/Standards/Auditing/Documents/AS5/Guidance.pdf, are discussed throughout this Guide.

• PCAOB Release No. 2009-006. This release, Report on the First-year Implementation of Auditing Standard No. 5, “An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements,” identifies instances where the auditors failed to adequately assess risk. Release No. 2009-006 can be accessed at http://pcaobus.org/Inspections/Documents/09-24_AS5_4010_Report.pdf.

• PCAOB Staff Audit Practice Alerts. The PCAOB periodically issues Staff Audit Practice Alerts that address new, emerging, or other noteworthy matters that affect how auditors conduct audits under existing PCAOB standards and laws. The Alerts are not rules of the Board. Some of the Alerts that affect internal control matters include the following:

•• Staff Audit Practice Alert No. 3, Audit Considerations in the Current Economic Environment, assists auditors in identifying matters related to the economic environment (i.e., the financial and economic crisis and recession that began in 2007 or 2008), such as events affecting the economy, credit, and liquidity, that might affect audit risk and require additional audit focus. The Alert notes that the economic environment may require auditors to pay additional audit attention to internal controls, including entity-level controls such as controls related to the control environment and the entity's risk assessment process. In addition, it specifically mentions the need to evaluate whether the entity's controls sufficiently address fraud risks and the risk of management override of controls. The Alert can be downloaded at http://pcaobus.org/Standards/QandA/12-05-2008_APA_3.pdf.

•• Staff Audit Practice Alert No. 9, Assessing and Responding to Risk in the Current Economic Environment, also discusses matters related to the economic environment that might affect audits. Among other things, Staff Audit Practice Alert No. 9 reminds auditors that internal controls over disclosures that are qualitative, judgmental, or complex (a) are different from controls over the processing and reporting of routine historical transactions, (b) are more likely to be manual controls rather than automated controls, and (c) may require significant judgment in the operation of the control, all of which can affect the risk associated with the control. The Alert can be accessed at http://pcaobus.org/Standards/QandA/12-06-2011_SAPA_9.pdf.

•• Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control over Financial Reporting, also discusses certain requirements in PCAOB standards relating to audits of internal control. The Practice Alert was issued as a result of frequent deficiencies relating to audits of internal control found in PCAOB inspections. The Alert can be located at http://pcaobus.org/Standards/QandA/10-24-2013_SAPA_11.pdf.

•• Staff Audit Practice Alert No. 12, Matters Related to Auditing Revenue in an Audit of Financial Statements, notes instances when auditors relied on controls over revenue to reduce their substantive testing when such reliance was not supported. The Practice Alert can be located at http://pcaobus.org/Standards/QandA/9-9-14_SAPA_12.pdf.

• CAQ Alerts on Smaller Company Reporting Issues. The AICPA's Center for Audit Quality (CAQ) periodically issues Alerts on various accounting and reporting matters. Among those are Alerts issued in late 2008 related to management's internal control assessment, the internal control audit report required by the Sarbanes-Oxley Act (SOX), and reporting issues about which the SEC staff frequently issues comment letters to smaller companies requesting additional information. All CAQ alerts may be accessed at www.thecaq.org/resources/alerts.

• CAQ Tips on Internal Control Audits. This nonauthoritative report is intended to help firms that have not yet performed an integrated audit of financial statements and internal control over financial reporting (ICFR). [Paragraph 703.35 discusses exemptions to section 404(b) of the Sarbanes-Oxley Act for (a) issuers that are not accelerated filers and (b) emerging growth companies from the requirement for an audit of internal control over financial reporting.] The report is based on feedback from a CAQ task force of auditors experienced in performing integrated audits. The report, CAQ Lessons Learned—Performing an Audit of Internal Control in an Integrated Audit, presents and discusses 21 “lessons learned” and can be accessed at www.thecaq.org/docs/default-document-library/caq-lessons-learned.pdf?sfvrsn=0.


• COSO Guidance on Internal Control Monitoring. In February 2009, COSO issued guidance on internal control monitoring. The guidance consists of Volume I, “Guidance” (presentation of fundamental principles on effective monitoring); Volume II, “Application” (techniques for implementation of the fundamental principles); and Volume III, “Examples” (case studies of internal control monitoring). COSO's monitoring guidance is discussed in more detail beginning at paragraph 201.72.

• PCAOB Forums on Auditing in the Small Business Environment. The PCAOB periodically hosts Forums on Auditing in the Small Business Environment for registered accounting firms and public companies in the small business community to learn more about the work of the Board. As part of the forum, the staff of the SEC also provides an update of financial reporting issues facing smaller issuers. One such forum was held in Miami, Florida on December 1, 2010. Among other things, the PCAOB discussed auditing internal control and IT controls in smaller public companies. A listing of past forums, agendas, and presentation slides may be accessed at http://pcaobus.org/Featured/Pages/ForumArchive.aspx. Also, the SEC periodically posts slides used in the forum presentations that contain detailed speaker notes.

The PCAOB has also enhanced its outreach functions by establishing an Office of Outreach and Small Business Liaison. The office will be responsible for planning and conducting small business forums, along with forums directed to smaller broker-dealers and their auditors. The office is also charged with seeking input from the small business community on issues related to the work of the PCAOB. The Office of Outreach and Small Business Liaison can be reached at (202) 591-4135 or [email protected].

• COSO's 2013 Framework. As discussed further in section 201, COSO issued its updated Internal Control—Integrated Framework (2013 Framework) in May 2013. The 2013 Framework replaces COSO's 1992 Framework on internal control and provides broadly accepted and practical criteria for establishing internal control and for assessing its effectiveness. The 2013 Framework addresses matters such as the definition of internal control; the requirements for effective internal control (including both components and relevant principles); and the approach users may follow when designing, implementing, and conducting internal control and assessing its effectiveness. Section 201 provides an overview of the 2013 Framework.

• COSO's Compendium of Approaches and Examples. In May 2013, COSO also issued Internal Control over External Financial Reporting: Compendium of Approaches and Examples. The Compendium illustrates how organizations apply various aspects of the principles in the 2013 Framework in the design and implementation of internal control over external financial reporting. Section 201 discusses the Compendium in further detail.

• COSO's Illustrative Assessment Tools. In May 2013, COSO also issued Illustrative Tools for Assessing Effectiveness of a System of Internal Control. The Illustrative Tools include scenarios and templates to assist users in evaluating COSO's internal control principles and components under the 2013 Framework. Sections 201 and 708 discuss the Illustrative Tools in further detail.

• COSO Thought Papers. COSO issues a variety of thought papers to help organizations implement enterprise risk management (ERM). COSO's ERM framework and various thought papers are further discussed beginning at paragraph 201.76.

Reporting on the Internal Control of a Service Organization

102.23 Service organizations are entities that process transactions for other entities and, thus, constitute part of a user's internal control. Service organizations provide services that are part of a user entity's information system. The services are part of an entity's information system if they affect any of the following:

• Significant classes of transactions.

• The automated and manual procedures by which the transactions are initiated, authorized, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.

• The related electronic or manual accounting records, supporting information, and specific accounts in the financial statements involved in initiating, recording, processing, and reporting the entity's transactions.


• How the entity's information system captures other events and conditions that are significant to the financial statements.

• The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.

102.24 Organizations that only execute another's transactions at the latter's specific authorization, like a bank that processes a customer's checks or a stockbroker that executes a requested trade, are not considered service organizations. Partnerships and joint ventures are not considered service organizations for their equity participants.

102.25 In a service organization engagement performed under SSAE No. 16 (AT 801), Reporting on Controls at a Service Organization, the service organization develops a description of its relevant processes and related controls (called management's description of the service organization's system) and engages an auditor (a service auditor) to apply procedures and report on the controls identified therein. SSAE No. 16 (AT 801) establishes standards for a service auditor's examination to report on internal controls at a service organization that are likely to be relevant to user entities' internal control over financial reporting. The AICPA has coined the term service organization control (SOC) reports to refer to three types of engagements that involve examining and reporting on internal controls at a service organization. An engagement performed under SSAE No. 16 (AT 801) is also referred to as a SOC 1 report or SOC 1 engagement. In addition, paragraph 102.30 discusses two additional types of service organization engagements, in this case performed under AT 101, which were christened SOC 2 and SOC 3 reports or engagements. The AICPA Guide, Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA SOC 1 Guide), provides guidance to service auditors applying SSAE No. 16. It discusses the needs of user auditors, explains how the service auditor obtains and evaluates evidence regarding the service organization's controls relevant to user transactions, and provides guidance regarding the information to be presented. [While certain aspects of SSAE No. 16 are discussed throughout this Guide, a detailed discussion of its requirements and the guidance in the related AICPA SOC 1 Guide is beyond this Guide's scope. However, PPC's Practice Aids for Reporting on Controls at Service Organizations contains detailed guidance, real-life examples, and a complete set of practice aids for performing service organization engagements. To order, call (800) 431-9025.]

102.26 In a SOC 1 engagement, there are two general types of reports that service auditors provide on service organizations' internal controls for the benefit of user entities and their auditors:

• A Type 1 report, which provides opinions on the fair presentation of management's description of the service organization's system and the suitability of the design of such controls.

• A Type 2 report, which provides the same information as a Type 1 report, plus an opinion on whether the controls operated effectively.

102.27 In both cases, the service auditor's report is accompanied by management's description of the service organization's system of internal control relevant to user entities and management's written assertions about the matters on which the service auditor opines. Written assertions are required in service organization engagements.

102.28 The goal of a SOC 1 engagement is to provide a user auditor with information to use when planning the audit of a user entity's financial statements or as a basis for assessing control risk below the maximum for specific financial statement assertions in such audits (when a Type 2 engagement is performed). Practitioners may provide other types of services on a service organization's internal controls. For instance, a practitioner can examine and report on the effectiveness of the service organization's internal control under SSAE No. 15 (AT 501) as discussed beginning at paragraph 102.11. Or, an auditor of a public company can examine and report on the effectiveness of the service organization's internal control under Auditing Standard No. 5 as discussed beginning at paragraph 102.20. These are extensive examinations that deal with testing and reporting on whether internal control over financial reporting is effective based on criteria such as those included in COSO's 2013 Framework. These engagements, however, are based on a service organization's own internal controls over financial reporting, not on the controls applied to user entities' transactions.

102.29 SSAE No. 16 (AT 801) also does not apply in the following circumstances:

• When the practitioner is asked to examine and report on controls over subject matter other than financial reporting.

•• Controls over the security, availability, processing integrity, confidentiality, or privacy of information the service organization processes for user entities (see paragraph 102.30).

•• Controls over compliance with laws and regulations. In that case, the practitioner should follow AT 601, Compliance Attestation, if he or she is reporting on an entity's own compliance with specified requirements or on its controls over compliance with specified requirements; otherwise, he or she should follow AT 101.

• When management of the service organization is not responsible for the design of the controls (for example, when the controls are designed by the user entity). In this case, management of the service organization will generally not be in a position to assert that the system is suitably designed and, therefore, will be unable to provide an assertion related to the suitability of the design. (As an alternative, the practitioner may perform either an agreed-upon procedures engagement under AT 201, Agreed-Upon Procedures Engagements, or an examination of the operating effectiveness of the controls under AT 101.)

• When the practitioner is engaged to report on a service provider's controls to achieve the compliance control objectives relevant to SEC rules 38a-1 and 206(4)-7. These engagements are done under AT 101 and SOP 07-2.

• When the practitioner is engaged to examine and report on a user entity's transactions or balances maintained by a service organization. However, the practitioner may be able to perform the engagement under AT 101.

• When the practitioner is engaged to perform and report the results of agreed-upon procedures related to controls or balances of a user entity maintained by a service organization. However, the practitioner may be able to perform this engagement under AT 201.

102.30 CPAs are also increasingly asked to report on other types of controls at service organizations. The increase in the number of cloud computing facilities, which provide user entities with on-demand network access to a shared pool of computing resources, including networks, servers, storage, applications, and services, has created an increased demand for such reports by CPAs. For reports on controls over the security, availability, processing integrity, confidentiality, or privacy of information the service organization processes for user entities, the practitioner may be able to perform an engagement under AT 101, Attest Engagements. If the report is intended for user auditors, a service auditor can provide a SOC 2 report (analogous to a SOC 1 report) using the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). If the report is intended for general use, it takes the standard form of an AT 101 report (called a SOC 3 report). Criteria for such services are provided by AICPA Technical Practice Aids, TSP 100. A detailed discussion of these types of engagements is beyond the scope of this Guide.

Consulting on Internal Control

102.31 A CPA may be engaged to analyze and make recommendations on a client's internal control but not provide assurance as to its effectiveness. Also, a CPA might assist or advise management when evaluating the effectiveness of internal control. (See also the discussion beginning at paragraph 102.32.) Section 103 discusses these consulting services under Statements on Standards for Consulting Services. Chapter 7 provides an approach for evaluating the effectiveness of internal control performed under the direction of management that incorporates the matters discussed in Chapters 1 through 6, as well as those where a CPA assists or advises management with an evaluation performed in connection with Sarbanes-Oxley. Guidance on consulting services is also provided in PPC's Guide to Small Business Consulting Engagements.

Internal Audit Assistance Services

102.32 A CPA may be engaged to provide internal audit assistance services for a client that is either too small or chooses not to employ its own internal auditors. Such a service may involve the analysis or tests of internal control that internal auditors typically apply. It can also include monitoring of internal control, including ongoing and separate evaluations. Depending on the nature of the services, the engagements may be structured as agreed-upon procedures engagements under the attestation standards or as consulting engagements. PPC's Guide to Nontraditional Engagements provides guidance on performing and reporting on agreed-upon procedures engagements, and PPC's Guide to Small Business Consulting Engagements provides guidance on consulting engagements.

102.33 However, ET 1.295.150 of the AICPA Code of Professional Conduct restricts the internal audit assistance services CPAs can provide for their nonpublic audit, review, compilation, or other attest service clients. CPAs may assist those clients in performing financial and operational internal audit activities, provided the CPA is satisfied that the client accepts its responsibility for designing, implementing, and maintaining the internal control system and directing the internal audit function, including the management thereof. Under the guidance, however, independence is considered to be impaired if the client outsources the management of the internal audit function to the CPA. ET 1.295.150 provides additional requirements and guidance regarding internal audit assistance services (see the discussion beginning at paragraph 103.33). CPAs contemplating providing internal control services to nonpublic attest clients should carefully consider the requirements of ET 1.295.150. In addition, since a CPA cannot issue an audit report if he or she is not independent, the Sarbanes-Oxley Act goes beyond stating that independence is impaired and strictly prohibits auditors from providing internal audit outsourcing services to their public company audit clients.

102.34 Monitoring Activities ET 1.295.150.07-.10 provides requirements for considering whether internal audit services result in performing ongoing monitoring procedures, which are a responsibility of management and thus would impair independence. In addition, ET 1.295.150.08 adds further clarity on the performance of separate evaluations of internal control. Monitoring activities are discussed further beginning at paragraph 103.31.

While a detailed discussion of the other PCAOB standards is beyond the scope of this Guide, it is important to note that such standards have had little impact on Auditing Std. 5 and an auditor's integrated audit of internal control and the financial statements. Nevertheless, this Guide incorporates all relevant changes to Auditing Std. No. 5 made as a result of the issuance of those standards.

Service auditors can also perform agreed-upon procedures relating to the controls at a service organization. If the results of such procedures are reported on separately, the engagement is governed by the standards for agreed-upon procedures engagements as discussed in Chapter 2 of PPC's Guide to Nontraditional Engagements. However, if the agreed-upon procedures are referenced in the service auditor's report, such standards would not apply.

As discussed beginning at paragraph 102.16, the Attestation Recodification Task Force of the AICPA's Auditing Standards Board (ASB) has been working on a comprehensive project to clarify and redraft the attestation standards. In September 2014, the ASB issued an exposure draft to revise AT 801. The Board plans to issue one final clarified SSAE that will supersede most of the current guidance in the attestation standards. The most recent discussions by the Board indicate that it plans to vote to ballot the final SSAE for issuance by the end of 2015 and that the effective date would not be earlier than for reports issued after May 1, 2017. Future editions of this Guide will update the status of this project. Practitioners can monitor the status of the project at www.aicpa.org/interestareas/frc/auditattest/pages/attestclarityproject.aspx.

AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, provides guidance to auditors engaged to audit the financial statements of an entity that uses a service organization. AU-C 402 is discussed further beginning at paragraph 501.51.

Although AT 101 allows practitioners to provide an attest engagement without obtaining a written assertion, SSAE No. 16 requires one in service organization engagements. It also prohibits circumventing that requirement by having the practitioner perform the engagement under AT 101 (AT 801.10).

© 2015 Thomson Reuters/PPC. All rights reserved.


END OF DOCUMENT

© 2016 Thomson Reuters/Tax & Accounting. All Rights Reserved.


103 ENGAGEMENTS ADVISING OR ASSISTING MANAGEMENT ON INTERNAL CONTROL

Introduction

103.1 This section discusses engagement considerations for CPAs who will provide consulting services to advise or assist management on internal control over financial reporting. Chapter 7 provides an overview of the process of evaluating the effectiveness of internal control over financial reporting and is focused toward those CPAs who will be assisting or advising management. This section includes the following matters:

• AICPA standards relevant to internal control consulting services.

• Independence considerations.

• Pre-acceptance activities.

• Client acceptance considerations.

• Proposal letters.

• Documentation of the engagement understanding with the client through engagement letters or other means.

103.2 Section 102 discusses other services that a CPA may provide pertaining to internal controls. A detailed discussion of the engagement process for those services is beyond the scope of this Guide. As noted in section 102, Thomson Reuters provides various PPC guides on those services.

AICPA Code of Professional Conduct

103.3 The AICPA Code of Professional Conduct (Code), once called the code of ethics, applies to all professional services a CPA provides. It also applies to other people in the CPA's firm. ET 0.200.20.04 of the AICPA Code of Professional Conduct states—

A member shall not knowingly permit a person whom the member has the authority or capacity to control, to carry out on his or her behalf, either with or without compensation, acts that, if carried out by the member, would place the member in violation of the rules. Further, a member may be held responsible for the acts of all persons associated with the member in public practice whom the member has the authority or capacity to control.

Thus, a CPA cannot avoid the rules by having an uncertified member of the firm perform acts the CPA would be barred from performing.

103.4 All CPAs should follow the rules in the Code. While the Code explicitly applies to members of the AICPA, the vast majority of state boards of accountancy have also adopted the AICPA's Code or have created their own. When specific types of standards have been established to address specific types of services, the CPA should also refer to those standards, but the Code still applies. No specific standards conflict with the Code, but they generally are more restrictive and call for specific types of procedures or reports.


103.5 The Code includes two conceptual frameworks: one for members in public practice and one for members in business. The guidance is divided into the following parts:

• Part 1 applies to members in public practice.

• Part 2 applies to members in business.

• Part 3 applies to other members (such as retired or unemployed members).

The remainder of this section discusses selected aspects of the Code, including independence, which might apply to a CPA's services on internal control.

Standards for Consulting Services

103.6 Statement on Standards for Consulting Services (SSCS) No. 1, Consulting Services: Definitions and Standards, applies to all consulting services. The Statement applies to most services where a CPA advises or assists a client with its evaluation of internal controls that do not involve providing an opinion on or attesting to the effectiveness of internal controls. This section provides an overview of the Standard.

103.7 A significant aspect of the Statement is the broad definition of consulting services. The standards apply to a wide range of services, from providing informal advice to formal engagements. The standards are intended to help ensure that these services are conducted in the professional manner that is expected of CPAs.

103.8 ET 1.310.001, Compliance with Standards Rule, of the AICPA Code of Professional Conduct requires members to comply with the standards.

103.9 Because of its authority under the Code, the Statement on Standards for Consulting Services affects consulting practice in the same way that Statements on Auditing Standards (SASs) affect auditing practice. The authority of the Consulting Services (CS) Executive Committee to issue enforceable standards is established in the AICPA bylaws.

103.10 ET 1.310.001.01 of the Code of Professional Conduct provides as follows:

A member who performs auditing, review, compilation, management consulting, tax, or other professional services shall comply with standards promulgated by bodies designated by Council.

Under this rule, duly promulgated technical standards in all functional areas apply where appropriate to all AICPA members.

103.11 Definitions SSCS No. 1 provides several definitions that affect AICPA practitioners:

• Consulting Services Practitioner. Any AICPA member holding out as a CPA while engaged in the performance of a consulting service for a client, or any other individual who is carrying out a consulting service for a client on behalf of any Institute member or member's firm holding out as a CPA.

• Consulting Process. The analytical approach and process applied in a consulting service.

103.12 Consulting Services SSCS No. 1 defines consulting services as “professional services that employ the practitioner's technical skills, education, observations, experiences, and knowledge of the consulting process.” SSCS No. 1 groups consulting services into six categories:

• Consultations.

• Advisory services.

• Implementation services.


• Transaction services.

• Staff and other support services.

• Product services.

General Standards

103.13 The following general standards are stated in ET 1.300.001, General Standards Rule, of the Code and apply to all AICPA members:

• Professional Competence. Undertake only those professional services that the member or the member's firm can reasonably expect to be completed with professional competence.

• Due Professional Care. Exercise due professional care in the performance of professional services.

• Planning and Supervision. Adequately plan and supervise the performance of professional services.

• Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.

103.14 SSCS No. 1 adds three additional general standards for consulting services:

• Client Interest. Serve the client interest by seeking to accomplish the objectives established by the understanding with the client while maintaining integrity and objectivity.

• Understanding with Client. Establish with the client a written or oral understanding about the responsibilities of the parties and the nature, scope, and limitations of services to be performed, and modify the understanding if circumstances require a significant change during the engagement. ET 1.295, Nonattest Services, of the Code requires written documentation of the understanding with the client for nonattest services for an attest client. (See paragraphs 103.15, 103.30, and 103.60 for additional discussion.)

• Communication with Client. Inform the client of (a) conflicts of interest that may occur pursuant to ET 1.100.001, Integrity and Objectivity Rule, of the Code of Professional Conduct, (b) significant reservations concerning the scope or benefits of the engagement, and (c) significant engagement findings or events.

103.15 Understanding with Client To reach an appropriate understanding with the client, the practitioner may wish to consider matters such as the following before undertaking the consulting service:

• Objectives of the consulting services.

• Nature of the services to be performed.

• Scope of services, including areas of client operations to be addressed and limitations or constraints, if any.

• Respective roles, responsibilities, and relationships of the consultant, the client, and other parties to the consulting service to be performed.


• The anticipated approach, including major tasks and activities to be performed and, if appropriate, methods to be used.

• The manner in which the status of the work and results are to be communicated.

• Work schedule.

• Fee arrangements.

103.16 SSCS No. 1 emphasizes that the CPA's responsibility to the client for a consulting service is defined primarily by the understanding with the client. The understanding may establish constraints or scope limitations on the practitioner's performance of consulting services. For example, based on an agreement with the client regarding limitations on the work performed, the practitioner can accept an engagement even though the engagement omits certain work the practitioner believes is appropriate.

103.17 If the nonattest engagement is for an attest client, ET 1.295.040, General Requirements for Performing Nonattest Services, of the AICPA's Code of Professional Conduct requires documentation of the understanding with the client regarding the objectives of the engagement, the services to be performed, the client's acceptance of its responsibilities, the practitioner's responsibilities, and any limitations of the engagement. The form of the documentation is left to the judgment of the practitioner (e.g., an accepted proposal letter, engagement letter, or an internal workpaper memorandum). See additional discussion at paragraph 103.30.

103.18 Although a written understanding with the client is not specifically required for nonattest clients, the authors strongly suggest a documented understanding. Even for a consultation, a letter or memo outlining the discussion with the client may be useful. For consulting services other than informal consultations, the authors believe that a practitioner normally should document the understanding with the client in an accepted proposal letter, a confirmation letter, or an engagement letter. In many cases, an engagement letter may be preferable since it normally documents and confirms the consultant's latest understanding of the engagement objectives, scope, nature, and responsibilities. In either oral or written communication, the practitioner should not explicitly or implicitly guarantee results. These matters are further discussed in the paragraphs beginning with 103.60.

103.19 Any significant change in the services to be performed should also be documented by written modification.

103.20 Communication with Client SSCS No. 1 requires the practitioner to inform the client of:

• Conflicts of interest that may occur pursuant to ET 1.110.010, Conflicts of Interest for Members in Public Practice, of the Code of Professional Conduct.

• Significant reservations concerning the scope or benefits of the engagement.

• Significant engagement findings or events.

SSCS No. 1 does not preclude oral communication of these matters. The practitioner's professional judgment determines which communications should be written and which may be oral.

103.21 ET 1.110.010 indicates that a conflict of interest may occur if a member performs a professional service for a client or employer and the member or his or her firm has a relationship with another person, entity, product, or service that could, in the member's professional judgment, be viewed by the client, employer, or other appropriate parties as impairing the member's objectivity. If the member believes that the professional service can be performed with objectivity, and the relationship is disclosed to and consent is obtained from such client, employer, or other appropriate parties, the guidance shall not operate to prohibit the performance of the professional service. For example, a practitioner may have a relationship with a vendor whose products are recommended in an advisory service engagement. The authors recommend that notification of the client of a potential perceived conflict of interest be in writing and that written consent to the consulting services in light of the conflict of interest be obtained.

103.22 Communication of significant reservations is required when the practitioner believes that work appropriate for the particular engagement has been curtailed by the client. The practitioner may accept the engagement in this situation, if the responsibilities of the practitioner and the client are clear in the established understanding with the client. However, the practitioner should be certain to communicate his or her reservations about the scope of work or the benefits to be derived from the limited work. Whenever responsibilities for a project are divided between the practitioner and client personnel or others, the practitioner is well-advised to communicate the portions for which he or she is not accepting responsibility.

103.23 Communication of significant engagement findings or events is required and normally includes the major facts and assumptions upon which the results are based. Support for any quantified potential benefits is generally disclosed. Interim communication with the client on lengthy or complex engagements is often helpful.

Independence Considerations

103.24 ET 1.200.001 indicates that “a member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council.” The Code includes examples of specific circumstances concerning financial interests and employee or equivalent relationships that impair independence. Also, the guidance indicates that CPAs should consult the rules of their state board of accountancy, state CPA society, and, as applicable, the PCAOB, SEC, Department of Labor, GAO, and any organization that issues or enforces standards of independence that would apply to the member's engagement. (See paragraph 103.39 for a discussion of public company considerations.) In addition to the AICPA's Code of Professional Conduct, a variety of independence-related resources are available to the auditor. The AICPA offers a webpage on its site that provides resources, publications, and recent developments on the topic of professional ethics. The website can be found at www.aicpa.org/InterestAreas/ProfessionalEthics/Pages/ProfessionalEthics.aspx. The AICPA also issues an Independence and Ethics Developments Audit Risk Alert that addresses recent developments in independence and ethics, and provides information that assists auditors with their understanding of independence rules. The publication can be ordered at www.cpa2biz.com.

103.25 Conceptual Framework for AICPA Independence Standards The Conceptual Framework for members in public practice (ET 1.000.010) and business (ET 2.000.010) should be used by CPAs when making decisions on independence matters that are not explicitly addressed by the AICPA Code of Professional Conduct. The Conceptual Framework describes the risk-based approach to analyzing independence matters that is used by PEEC when it develops standards. Under that approach, the CPA consultant's relationship with a client is evaluated to determine whether it poses an unacceptable risk to the CPA's independence. Risk is unacceptable if the relationship would compromise (or would be perceived as compromising by an informed third party having knowledge of all relevant information) the CPA consultant's professional judgment when rendering an attest service to the client. Under the risk-based approach, steps are taken to prevent circumstances that threaten to compromise such judgments. Chapter 2 of PPC's Guide to Small Business Consulting provides further discussion of the conceptual framework. The Guide may be ordered by calling your Thomson Reuters representative at (800) 431-9025 or from the PPC website at tax.thomsonreuters.com.

103.26 Performance of Nonattest Services Historically, CPAs have provided consulting services for attest clients and have performed consulting engagements that involve both attest and nonattest services. (See paragraph 103.39 for public company considerations.) The AICPA Code of Conduct defines an attest engagement as “an engagement that requires independence as set forth in AICPA” professional standards. Examples of such engagements include:

• Audits or reviews of historical financial statements.

• Examinations of or agreed-upon procedures applied to prospective financial statements.

• Other examinations or reviews under the AICPA attestation standards.

Technically, compilations of historical financial statements or prospective financial information are attest engagements (although they are not assurance engagements). However, a practitioner may compile historical or prospective financial statements for an entity with respect to which he or she is not independent. AR-C 80.22 and AT 301.23 state that the accountant's report should be modified to indicate the lack of independence in a separate paragraph. The accountant is not precluded from disclosing the reason(s) for the lack of independence, but, if such a disclosure is made, all reasons should be disclosed. Thus, as a practical matter, the independence rules should be considered for compilations as well as other attest engagements.

103.27 ET 1.295, Nonattest Services ET 1.295, Nonattest Services, of the AICPA Code of Professional Conduct affects consulting engagements performed for attest clients. According to ET 1.295, before a member or his or her firm who performs attest services (which require independence) for a client performs nonattest services (including consulting services) for that same client, the member should determine whether the requirements of ET 1.295 have been met (see paragraphs beginning at paragraph 103.30). If the requirements have not been met, the practitioner's independence with regard to the attest services is considered impaired. Note that other authoritative bodies, such as a member's state board(s) of accountancy, may apply more restrictive requirements. Violation of those requirements would constitute a violation of ET 1.295.

103.28 Exception to Impairment Rule. Where the requirements of the guidance have not been met (either during the period of the attest engagement or the period covered by the financial statements), independence is considered impaired unless all of the following conditions are met:

• the nonattest services were provided prior to being engaged to perform the attest engagement (termed by the guidance as the period of engagement).

• the nonattest services related to periods prior to the period covered by the financial statements.

• the financial statements for the period to which the nonattest services relate were audited by another firm (or in the case of a review engagement, reviewed by another firm).

For example, the practitioner performs nonattest services in the beginning of Year 2 that relate to Year 1. The financial statements for Year 1 were audited by another firm. Later in Year 2 the practitioner is engaged to provide an attest service for the Year 2 financial statements. Because all the requirements are met, the practitioner's independence is not considered impaired. (The AICPA has provided an Independence Toolkit at www.aicpa.org/interestareas/privatecompaniespracticesection/qualityservicesdelivery/keepingup/pages/pcpsindependencetoolkit.aspx that includes The Plain English Guide to Independence, FAQs, and other resources.)

103.29 Communications That Do Not Create An Impairment. During an attest engagement, the practitioner will often communicate with management about issues related to the engagement. The discussions listed are considered a normal part of an attest engagement and would therefore not be subject to the guidance:

• The client's selection and application of accounting standards or policies and financial statement disclosure requirements.

• Whether the client's accounting and financial reporting methods are appropriate.

• Adjusting journal entries proposed by the practitioner.

• The form or content of the financial statements.

The practitioner is cautioned to consider whether the level of involvement constitutes a separate nonattest service. Practitioners should be aware that ET 1.295.010.06 explicitly states that activities such as financial statement preparation, cash to accrual conversions, and reconciliations are considered outside the scope of an attest engagement and are therefore nonattest services that would be subject to the general requirements of the Code. (See discussion beginning at paragraph 103.38.)

103.30 General Requirements to Perform Nonattest Services for an Attest Client There are three general requirements that a practitioner should meet prior to performing nonattest services for an attest client:

• Establish an Understanding with the Client about the Nonattest Services Engagement. To help prevent any type of misunderstanding with the client, ET 1.295.040 states that, before performing nonattest services, the accountant should establish and document in writing his or her understanding with the client (board of directors, audit committee, or management, as appropriate in the circumstances) regarding the following:

•• Objectives of the engagement (that is, those of the nonattest services).

•• Services to be performed.

•• Client's acceptance of its responsibilities.


•• Member's responsibilities.

•• Any limitations of the engagement.

The requirement to establish an understanding with the client should be met or the accountant's independence with regard to attest services is impaired. In addition, failure to comply with the requirement to document that understanding is a violation of ET 1.310.001, Compliance With Standards Rule. The form of the documentation is left to the judgment of the practitioner (e.g., an accepted proposal letter, engagement letter, or an internal workpaper memorandum). The documentation requirement does not apply to routine activities such as providing advice and responding to technical questions.

• Ensure that Management Responsibilities Are Not Assumed. Under the guidance, independence is considered to be impaired if an accountant (or his or her firm) assumes management responsibilities. However, the accountant may assist management in those responsibilities.

• Determine That the Client Agrees to Perform Certain Functions. The accountant should be sure that the client is in a position to make an informed judgment on the results of the nonattest services and that the client understands its responsibilities to—

a. Assume all management responsibilities.

b. Oversee the service by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, and/or experience. The member should assess and be satisfied that such an individual understands the services to be performed sufficiently to oversee them. However, the individual is not required to possess the expertise to perform or reperform the services.

c. Evaluate the adequacy and results of the services performed.

d. Accept responsibility for the results of the services.

In cases where the client is unable or unwilling to assume all of these responsibilities, the accountant's performance of the nonattest services would impair independence.

103.31 General Activities That Impair Independence Certain activities performed as part of a nonattest service are considered to be management responsibilities and, therefore, impair independence regardless of whether the accountant complies with the other requirements of ET 1.295 of the AICPA Code of Professional Conduct. In addition, if an accountant assumes a management responsibility for an attest client, the management participation threat created would be so significant that no safeguards could reduce the threat to an acceptable level. The guidance lists common nonattest service activities and notes whether they are or are not considered to impair independence. The guidance specifically states that performance of the following activities, which are considered to be management responsibilities, would impair an accountant's independence if performed for an attest client:

• Setting policies or strategic direction for the client.

• Directing or accepting responsibility for the actions of the client's employees, except to the extent permitted when using internal auditors under the audit or attest standards.

• Exercising authority on behalf of a client, such as authorizing, executing, or consummating a transaction, or having the authority to do so.


• Preparing source documents, in electronic or other form, that evidence the occurrence of a transaction.

• Having custody of client assets.

• Deciding which of the accountant's or other third parties' recommendations should be implemented or prioritized.

• Reporting to those in charge of governance on behalf of management.

• Serving as a client's stock transfer or escrow agent, registrar, or general counsel.

• Accepting responsibility for the management of a client's project.

• Accepting responsibility for the preparation and fair presentation of the client's financial statements in accordance with the applicable financial reporting framework.

• Accepting responsibility for designing, implementing, or maintaining internal controls.

• Performing ongoing evaluations of the client's internal control as part of its monitoring activities.

In addition, ET 1.295.150, Internal Audit, affects internal audit assistance services, including certain internal control services.

103.32 ET 1.295 provides specific examples of nonattest services and their impact on independence. One of the example services indicated in the guidance is business risk consulting. ET 1.295.125, Business Risk Consulting, indicates that the following would not impair independence for such services:

• Provide assistance in assessing the client's business risks and control processes.

• Recommend a plan for making improvements to a client's control processes and assist in implementing these improvements.

The following services will impair independence:

• Make or approve business risk decisions.

• Present business risk considerations to the board or others on behalf of management.

103.33 Internal Audit Assistance Services ET 1.295.150, Internal Audit, addresses internal audit assistance services (including certain internal control services) by clarifying that a member's independence will not be impaired if the CPA performs the engagement under the attestation standards or, generally, performs separate evaluations of the client's controls. (However, see the discussion beginning with paragraph 103.35.) In addition, independence is not impaired if the CPA is satisfied that the client accepts its responsibility for designing, implementing and maintaining internal control and directing and managing the internal audit function. Thus, the CPA should ensure that management—

• Designates an individual, or individuals, who possesses suitable skill, knowledge, and/or experience, preferably within senior management, to be responsible for the internal audit function.


• Determines the scope, risk, and frequency of the services to be performed by the CPA.

• Evaluates the findings and results of the CPA's services.

• Evaluates the adequacy of the audit procedures performed and the resulting findings by, among other things, obtaining reports from the CPA.

The CPA should be satisfied that those charged with governance are informed about the respective roles and responsibilities of the CPA and management.

103.34 The guidance states that a member's independence is impaired if he or she in effect manages the client's internal audit activities. Some activities that impair independence include—

• Performing ongoing monitoring activities of internal control.

• Performing separate evaluations on the effectiveness of a significant control such that the practitioner is, in effect, performing routine operations that are built into the client's business process.

• Having client management rely on the practitioner's work as the primary basis for the client's assertions on the design or operating effectiveness of internal controls.

• Determining which recommendations for control improvement should be implemented.

• Reporting to the board of directors or audit committee on behalf of management or the individual responsible for internal audit.

• Approving or being responsible for the overall internal audit work plan.

• Being listed as an employee in client directories or publications or allowing oneself to be referred to as being in charge of the client's internal audit function.

103.35 Monitoring Activities. ET 1.295.150.07-.10 provides the requirements for considering whether internal audit services may result in performing ongoing monitoring procedures, which are a responsibility of management and thus would impair independence. (Monitoring activities under the COSO framework are discussed in section 304.) The guidance states that, among other things, a practitioner's independence would be impaired if the practitioner assists the client in performing financial and operational internal audit activities, unless the practitioner takes appropriate steps to be satisfied that the client understands and accepts its responsibility for designing, implementing, and maintaining internal control and for directing the internal audit function, including the management thereof. Accordingly, any outsourcing of the internal audit function to the practitioner whereby the practitioner, in effect, manages the internal audit activities of the client would impair independence. The guidance also states that a practitioner who performs ongoing evaluations of internal control for a client would be considered to be accepting responsibility for maintaining the client's internal control. Accordingly, the management participation threat created by a practitioner performing ongoing evaluations of internal control is so significant that no safeguards could reduce the threat to an acceptable level.

103.36 On the other hand, ET 1.295.150.08 states that separate evaluations to determine whether the client's internal controls are present and functioning effectively that are not ongoing evaluations (and do not involve the assumption of other management responsibilities) would generally not create a significant threat to independence. For example, a member may assess whether performance is in compliance with management's policies and procedures, identify opportunities for improvement, and develop recommendations for improvement or further action for management consideration and decision making. However, a practitioner would need to be satisfied that management (a) designates appropriate individuals to oversee the services, (b) determines the scope, risk, and frequency of the services, (c) evaluates the findings and results, and (d) evaluates the adequacy of the services performed and findings.

103.37 In addition, the guidance notes that members should use judgment in determining if otherwise permitted internal audit services performed may result in a significant management participation threat to independence. Members should consider factors such as the significance of controls being tested, the scope or extent of the controls tested in relation to the overall financial statements, and the frequency of the internal audit services. If the member deems there is a significant threat, safeguards should be applied to eliminate or reduce the threat to an acceptable level. If this cannot be done, independence would be impaired.

103.38 Other Considerations for Nonattest Services ET 1.295 also addresses two additional issues:

• Financial Statement Preparation, Cash-to-accrual Conversions, and Reconciliations. The guidance provides specific examples of services that are nonattest services. Financial statement preparation, cash-to-accrual conversions, and reconciliations are specifically listed as separate services that would be outside the scope of an attest engagement. Said another way, these services would be considered nonattest services even if performed in conjunction with an attest service, and would require the practitioner to comply with the requirements of ET 1.295 with respect to such services.

• The Cumulative Effect on Independence When Providing Nonattest Services. ET 1.295.020 highlights how providing multiple nonattest services to a client could increase the significance of the threats to independence.

103.39 Sarbanes-Oxley Considerations Auditors of public companies that are required to issue a report on the effectiveness of internal control over financial reporting should not perform internal control consulting services related to financial reporting for those clients. As discussed beginning at paragraph 703.34, Section 404 of Sarbanes-Oxley sets forth the requirement for management to assess internal control over financial reporting and report annually on that assessment. Furthermore, auditors of certain public companies are required to issue an opinion on the effectiveness of internal control over financial reporting. While accelerated filers currently are required to comply with all aspects of those internal control reporting rules, non-accelerated filers and certain other filers (see paragraph 703.35) are exempt from the requirements for an auditor's opinion on the effectiveness of internal control over financial reporting. The Sarbanes-Oxley Act of 2002 also prohibits an audit firm from providing its public company audit clients any internal audit services that will be subject to audit procedures during the audit of the financial statements. However, the SEC has stated that auditors may make recommendations for internal control improvements when conducting attest services and that they may assist in documenting internal controls if management is actively involved.

Pre-acceptance Activities—Understanding the Industry and Client

103.40 For any potential rendering of services, including assisting or advising a client on internal control, the consultant should consider accumulating information about the potential client company and its industry. At the pre-proposal stage, a minimum level of such information will be necessary for the consultant to become familiar with general aspects of the potential client's operations and the specific area that is the focus of the potential engagement so that a sound proposal can be prepared. The consultant will probably obtain more background data about the company at other stages of the engagement. For example, section 704 of this Guide discusses the need to obtain a preliminary understanding of the business and risks.

103.41 Industry Background Knowledge of the client's industry places the business in perspective with its environment. It may also explain why the organization does something in a certain way. For example, if the consultant learns that the industry has been using a certain accounting procedure for 50 years, client personnel may resist any change from a familiar, long-standing procedure with which they are comfortable. Industry research may also show some very good reasons why the system is still in place. The consultant can take such factors into consideration when developing recommendations during the engagement. Some of the industry factors that might be considered are:

• Products and services of the industry.

• Technological trends.

• Growth or decline in the industry.

• Industry-wide sales volumes and profit margins.

• Industry competitive conditions such as oligopoly, monopoly, or nearly perfect competition.


• Effects of foreign competition.

• Effects of governmental or union influence.

• Influence of industry associations, standards groups, etc.

• Industry-wide subsidies or tax advantages.

• The size and strength of the client within the industry.

103.42 Company Background The background of the company gives the consultant a feeling for the characteristics of the organization. Company background factors include: ideas, attitudes, and opinions of key management personnel, the company's goals and operating style, why certain employees are where they are, and how the company has grown over the years. Knowledge of these factors will help the consultant understand the current position and future direction of the business. Items peculiar to the company that might be examined are:

• Management and employee attitudes: How do they harmonize in the area under study?

• Patterns of growth over the years and expectations for the future.

• The products and services important to the client's future.

• Sales volume and profit margin trends.

• Expansion or curtailment of any segment of the business over the years.

• Involvement in mergers, spin-offs, or purchases of other companies.

• Effects of industry characteristics (e.g., competition, government intervention, unions, etc.) on the client.

• Effect of technology on the client.

• Past and present goals and objectives.

• Long­range plans.

Client Acceptance

103.43 The exact point of the formal decision to accept the client and pursue the engagement may be required by firm policy at a predetermined point, or it may be allowed to vary to allow for flexibility in dealing with the variety of circumstances that occur in practice. However, before a proposal is presented to a prospective client, a formal client acceptance decision should be made.

103.44 Factors That Affect Client Acceptance An overriding consideration in the client acceptance decision is a CPA firm's desire to avoid association with a client that has a poor or questionable reputation for honesty or business ethics. A CPA firm should not accept work from a client that would be detrimental to the firm's image. For this reason, it is desirable to do a background check on the client using sources such as the following:

• Dun & Bradstreet (D&B).

• Better Business Bureau.

• Chamber of Commerce.

• Local credit associations.

• Professionals serving the client (e.g., auditors, bankers, attorneys, etc.).

103.45 Also, a variety of online sources of background information are available to assist the firm in obtaining information about the prospective client and its management. Such service providers, a few of which are summarized in Exhibit 1-1, allow the firm to search for bankruptcy records, litigation history, Dun & Bradstreet reports, corporate filings, corporate affiliations, and newspapers or trade publications containing information on prospective clients and their management. These searches can be performed from the office at a relatively low cost. However, it is a good idea to check with legal counsel prior to performing a background check to determine if there are any federal, state, or local laws that require permission from, or disclosure to, the prospective client. Of course, if the prospective client is well known to the CPA firm, there may be no need for a background check.

Exhibit 1-1

SOURCES OF BACKGROUND INFORMATION

Information Source                                    How to Contact

Credit Rating Services
  Dun & Bradstreet Corporation                        www.dnb.com
  Equifax                                             www.equifax.com
  Experian                                            www.experian.com
  Moody's Investors Services                          www.moodys.com
  National Association of Credit Management (NACM)    www.nacm.org
  Standard & Poor's                                   www.standardandpoors.com
  TransUnion                                          www.transunion.com

Online Database Services
  Access Information                                  www.access-information.com
  CLEAR                                               http://clear.thomsonreuters.com
  ProQuest                                            www.proquest.com
  Hoovers                                             www.hoovers.com
  LexisNexis                                          www.lexisnexis.com
  PUBLICDATA.com                                      www.publicdata.com
  Standard & Poor's                                   www.standardandpoors.com

General Business Information
  AT&T Information                                    www.anywho.com
  National White Pages                                www.switchboard.com

103.46 Professional standards do not mandate any specific checking or communications before accepting a consulting client. Thus, the extent of checking is a firm policy decision. The authors recommend that when a CPA firm has not dealt with a client before, the firm at least check with one source for credit evaluation, e.g., Dun & Bradstreet, and one source for reputation, e.g., professionals serving the potential client.

103.47 Before accepting a client and making a proposal, a CPA firm should also realistically consider the likelihood of obtaining the engagement. This consideration includes, but extends well beyond, an evaluation of the firm's competence to successfully complete the engagement. A CPA firm should not accept every opportunity to present a proposal. In some cases, the prospective client may have already selected a consultant, but needs to go through the motions of obtaining several proposals to satisfy internal or external requirements. Careful consideration of client motivations will improve the firm's success rate in obtaining and completing engagements.

103.48 Impact on Attest Services If the firm is considering providing consulting services to an attest client, the firm should consider the impact of the new services on the attest services as noted in the paragraphs beginning at paragraph 103.26. Certain consulting services could impair the firm's independence and prevent the firm from performing attest services.

103.49 Client Acceptance Form A CPA firm may have an existing client acceptance policy and form that is suitable for accounting, auditing, tax, or consulting services. While it is not necessary to adopt a form unique to consulting engagements, the authors have prepared a form that is suitable for a new small business consulting practice.

103.50 The “Engagement Acceptance Form—Consulting Engagement” presented at ICF-CX-20 is designed to document compliance with a firm's policy on the acceptance of new client engagements.

Proposals

103.51 Proposals can vary widely between engagements, but each proposal should generally include:

• A definition of the problem and the expected benefits of the engagement with a proper description of the respective roles of the client and the firm.

• The proposed engagement plan and approach.

• An estimate of fees and billing arrangements.

103.52 The proposal is based on the information developed during the initial client contact and preliminary planning procedures. The proposal should clearly describe the specific objectives of the engagement. Objectives that are vague or unclear may lead to misunderstandings with staff and clients. The proposal should set forth the client's needs and the specific services the firm will provide to meet those needs. In addition, the proposal should cite the expected benefits. However, the role of the client in achieving the expected benefits should be clearly stated in the proposal.

103.53 Basic Content of the Proposal In addition to the definition of the problem and expected benefits, the following specific matters should be covered individually in the proposal:

• Scope and role.

• Approach.

• Personnel.

• Fee arrangements.

• Firm qualifications.

• Deliverables.

• Exclusions and disclaimers.

Documentation of the Engagement Understanding with the Client

103.54 The authors recommend that, in all circumstances, some form of written documentation that describes the terms of the engagement be sent to the client. This is good business practice and also demonstrates compliance with the requirement in SSCS No. 1, Paragraph 7, to reach an understanding with the client about the nature, scope, and limitations of the engagement as noted at paragraph 103.15. The following forms of documentation may be appropriate, depending on the circumstances:

• Confirming letter.

• Accepted proposal.

• Engagement letter.

• Memo (for brief informal consultations).

103.55 SSCS No. 1, Paragraph 7, also states that consultants should modify their understanding with the client if circumstances require a significant change during the engagement.

103.56 As noted in the paragraphs beginning with 103.26, if the engagement is for an attest client, 1.295.040 of the AICPA's Code of Professional Conduct requires written documentation of the understanding with the client regarding the objectives of the services, the services to be performed, responsibilities of the client (including client acceptance of those responsibilities) and the practitioner, and any engagement limitations. The form of the documentation is left to the judgment of the practitioner (e.g., an accepted proposal letter, engagement letter, or an internal workpaper memorandum).

103.57 Confirming Letter In some cases, only an oral proposal presentation may be made to the client. This often occurs when the firm has previously conducted small business consulting engagements for the client. In those cases, a formal written proposal may not be presented even though the oral presentation includes all the points that would ordinarily be covered in a written proposal.

103.58 In such cases, a confirming letter should be addressed to the client setting forth the essential points of the agreement reached. Also, if modifications to the proposed engagement arise, based on discussions with the client, a confirming letter documenting the revisions should be submitted.

103.59 Accepted Proposal When a written proposal is accepted by a client, the proposal letter itself becomes the engagement record. Naturally, if there are later modifications of the proposed engagement, these changes should also be documented. In most cases, a confirming letter documenting the revisions is sufficient, and a revised proposal is not necessary.

103.60 Engagement Letter While the understanding with the client can be documented in various ways as noted above, it may be preferable that an engagement letter be obtained—along with the notification of any significant reservations (see paragraph 103.22) about the engagement. The engagement letter reflects the latest understanding of the objective of the engagement, services to be rendered, roles and responsibilities, and any limitations. The authors believe the engagement letter should contain the elements discussed at paragraph 103.53 and state that the engagement offers no assurance on the effectiveness of internal controls, the financial statements, or any other matter. The authors also believe the letter should state that fraud might not be detected by the procedures, but that any fraud discovered will be brought to the attention of management. Finally, they believe the engagement letter should state that the deliverable is a written report of observations and recommendations to improve internal control, or other pertinent services that were established with the client. The “Engagement Letter Drafting Form—Internal Control Consulting Engagement” at ICF-CX-21 can be used to draft engagement letters on internal control consulting engagements.

Quality Control Standards

103.61 Consultants may wonder whether the AICPA's quality control standards apply to consulting services, i.e., services performed under the AICPA's Statement on Standards for Consulting Services. The short answer is “No.” However, the consultant should consider the requirements of the AICPA's quality control standards if any consulting services include a component to which the AICPA's audit, attestation, or accounting and review standards apply.

103.62 SQCS No. 8, A Firm's System of Quality Control (QC 10), establishes standards and provides guidance for a CPA firm's responsibilities for its system of quality control over a firm's accounting and auditing practice. The standard places an unconditional obligation on the firm to establish a QC system designed to provide reasonable assurance that the firm complies with professional standards and legal and regulatory requirements, and that it issues reports that are appropriate in the circumstances. PPC's Guide to Quality Control provides guidance and practice aids to assist firms in developing, implementing, and maintaining a system of quality control. The Guide may be ordered by calling your Thomson Reuters representative at (800) 431-9025 or from the PPC website at tax.thomsonreuters.com.

103.63 QC 10.13 defines an accounting and auditing practice as:

A practice that performs engagements covered by this section, which are audit, attestation, compilation, review, and any other services for which standards have been promulgated by the AICPA Auditing Standards Board (ASB) or the AICPA Accounting and Review Services Committee (ARSC) under the “General Standards Rule” (ET 1.300.001) or the “Compliance With Standards Rule” (ET 1.310.001) of the AICPA Code of Professional Conduct. Although standards for other engagements may be promulgated by other AICPA technical committees, engagements performed in accordance with those standards are not encompassed in the definition of an accounting and auditing practice.

103.64 Accordingly, services performed under the AICPA's consulting and valuations standards are not covered by the AICPA's quality control standards, but the quality control requirements would apply to the portion of a consulting engagement to which SASs, SSARSs, or SSAEs apply.

12. The SEC's independence rules for practitioners are more restrictive than those established by the AICPA. The authors recommend that practitioners with public attest clients, or with clients that may be considering going public, read the SEC's and PCAOB's independence rules. The SEC's website is www.sec.gov and the PCAOB's website is http://pcaobus.org.

13. A practitioner is required to assess the cumulative effect on independence when providing multiple nonattest services. See the discussion at 103.38 about other considerations for nonattest services.

END OF DOCUMENT

© 2016 Thomson Reuters/Tax & Accounting. All Rights Reserved.

104 PPC's Guide to Internal Control and Fraud Prevention and Other PPC Resources

Who is This Guide For?

104.1 This Guide provides comprehensive, practical guidance on internal control and fraud prevention. It is designed to be used by CPAs in public practice and others who are involved with internal control, including:

• Consultants who provide services relating to (a) assisting public company management perform their assessment of internal control over financial reporting, (b) evaluating or improving internal control of nonpublic companies, or (c) making recommendations for improving controls to reduce the risk of fraud.

• Auditors of financial statements.

• Internal auditors.

• Accounting and finance professionals in industry who are involved in developing, implementing, evaluating, and monitoring internal control in their organizations.

Other Thomson Reuters Resources Relating to Internal Control and Fraud Prevention

104.2 Thomson Reuters maintains an extensive library of PPC products relating to attestation services that involve consideration of, or specific reporting on, internal control. Additionally, fraud investigations, professional standards, and other issues relating to fraud are addressed in a separate PPC publication. Other PPC resources relating to internal control and fraud prevention include the following:

• PPC's Guide to Audits of Nonpublic Companies.

• PPC's Guide to PCAOB Audits.

• PPC's Guide to Nontraditional Engagements.

• PPC's Guide to Small Business Consulting Engagements.

• PPC's Guide to Audits of Financial Institutions.

• PPC's Guide to Auditor's Reports.

• PPC's Guide to Risk Assessment.

• PPC's Guide to Audits of Local Governments.

• PPC's Guide to Single Audits.

104.3 PPC's SMART Practice Aids—Internal Control guides auditors through a top-down, risk-based approach for efficiently and effectively evaluating internal control over financial reporting. This internal control evaluation tool helps auditors:

• Obtain and document an understanding of internal control.

• Evaluate system design.

• Prepare internal control test plans, if desired.

• Assess control risk.

104.4 In addition, PPC's Practice Aids for Reporting on Controls of Service Organizations provides a complete set of practice aids CPAs may use when providing services in connection with the effectiveness of internal controls at a service organization. Included in those practice aids are procedures for common types of service organizations, including payroll processing and information technology processing organizations. PPC's Practice Aids for Reporting on Controls of Service Organizations—SOC 2 Engagements provides a complete set of practice aids CPAs may use when providing services in connection with an engagement to perform and report on an examination of controls related to security, availability, processing integrity, confidentiality, and privacy at a service organization. These products can be ordered by calling Thomson Reuters at (800) 431-9025 or online at tax.thomsonreuters.com.

105 Overview of This Guide

105.1 As previously noted, this Guide is designed for CPAs in public practice and others who are involved with internal control. It is organized to provide guidance and tools relating to internal control, the COSO and other control frameworks, IT control issues, fraud prevention techniques, evaluations performed in connection with the Sarbanes-Oxley Act, and other considerations surrounding the various types of services that relate to internal controls. The following paragraphs provide a brief summary of the topics discussed in each of the following chapters.

Criteria for Evaluating Internal Control

105.2 Chapter 2 of the Guide discusses COSO's 2013 Framework as well as other basic frameworks including the Criteria of Control Committee report Guidance on Control (CoCo Report) issued by the Canadian Institute of Chartered Accountants (CICA), the Turnbull Report Framework, the Internal Auditing Standards Board Framework, and other frameworks. These other frameworks include the COBIT framework, the Information Technology Control Guidelines produced by CICA, and SysTrust and WebTrust Services. Chapter 2 also provides an overview of COSO's enterprise risk management framework that was introduced in 2004. Furthermore, Chapter 2 discusses thought papers issued by COSO that address various elements of an organization's enterprise risk management efforts.

Organizational Level Control Issues

105.3 Chapter 3 of the Guide discusses COSO's 2013 Framework in more detail. It describes the key elements of four of the five internal control components included in the 2013 Framework: control environment, risk assessment, monitoring, and communication. It also describes the roles of senior management and the board of directors and/or audit committee in the control environment. In addition, it provides examples that illustrate the features of effective organization level components.

Functional Level Control Issues

105.4 Chapter 4 of the Guide discusses issues relating to information systems, including strategic and integrated systems and information quality. In addition, this chapter provides guidance on control activities, including types of control activities, policies and procedures, risk assessment, and issues for small and mid-sized entities. It also includes examples of control activities.

Information Technology Issues

105.5 Chapter 5 discusses how information technology (IT) fits into both the COSO's 2013 Framework and the COBIT framework. Key topics include controls that allow IT to support business processes; control objectives relating to planning and organization, acquisition and implementation, delivery and support, and monitoring business processes; security issues; and special considerations for specific types of IT systems.

Fraud Prevention

105.6 Chapter 6 discusses a variety of approaches for preventing fraud. It discusses the conditions that generally must exist for fraud to occur and some ways to mitigate those conditions. It also discusses a variety of common asset misappropriation schemes and specific controls that may be implemented to help prevent those types of fraud. In addition, Chapter 6 discusses issues relating to outsider fraud.

Evaluation of Internal Controls

105.7 Chapter 7 explains how internal controls can be evaluated and how the CPA can assist in an evaluation project. It details a step-by-step process for evaluating internal control of nonpublic companies, along with additional requirements when assisting management with its assessment of the effectiveness of internal control over financial reporting performed in connection with the requirements of Sarbanes-Oxley. Chapter 7 discusses many of the forms and checklists that can be used to apply the guidance included in the Guide.

Forms and Checklists

105.8 This section includes tools that will help users evaluate internal control and use the fraud prevention techniques discussed in this Guide. These tools provide a step-by-step process to help users plan and perform these evaluations, as well as to document the procedures performed, evidence obtained, and the conclusions reached.
