1
An Evidential Reasoning Approach to Sarbanes-Oxley Mandated Internal Control Assessment
Lili Sun, Rutgers University
Rajendra Srivastava, The University of Kansas
David Vun Kannon
Theodore Mock, The University of Southern California
Miklos Vasarhelyi, Rutgers University
2
Developing The Next Generation Of Internal Control Tools Using CA
• First generation of 404 implementation:
  – Focus on documentation of controls
  – Filling gaps in COSO framework
  – Highly labor intensive
• Second generation of 404 implementation:
  – More cost efficient and effective
  – More systematic assessment of controls
  – Focus on identifying material control weaknesses and audit automatically rather than manually
3
Evidential Reasoning: Systematic, Higher Value IC Assessment Tool
• Evidential reasoning: a process of risk assessment where several assertions when combined together inform about the effectiveness of an internal control procedure and the overall internal control system.
• Decompose risk assessment down to the level of individual pieces of evidence.
• Provide a rigorous algorithm to aggregate human beliefs.
• Provide a systematic way to represent the interrelationships among multiple key components for the evaluation of IC.
• Help discipline auditors’ thought process in estimating risk.
• Serve as a decision aid for auditors.
4
Create A Systematic Representation Of KPMG Model Of Risk Assessment
• Financial reporting model
  – Parent company
  – Subsidiary
  – Financial statement
  – Significant accounts
• Business process model
  – Business process
  – Objective
  – Risk
  – Control
  – Evaluation procedures
5
Generic Evidential Reasoning Model Of Internal Control Assurance
[Figure: evidential network with two panels, “Financial reporting Model” (left) and “Business Process Model” (right); assertion nodes are linked by OR and & (AND) relationships. Node labels, top to bottom:]
• A1: IC/FR for the consolidated entity is effective
• IC/FR for subsidiary i is effective
• The system of IC/FR for Account j on BS is effective; IC/FR for Account i on BS is effective
• IC for Process j is effective; the system of IC for Process i is effective
• Process j is protected from IC risk j; Process j is protected from IC risk i
• Control i, Control j, Control k; Control environment
• Control m is effective; Control n is effective
6
Application of the Evidential Reasoning Approach to a Real Case
[Figure: evidential network for the “Net loans” account. Each node carries an m-value triple over e, ~e and {e,~e} (for example 0.98 0.00 0.02), and nodes are joined through & (AND) and WA combination nodes.]
Assertions in the network:
• A1: The IC over “Net loans” account is effective
• The IC over “Payments and Payoffs” process is effective.
• The IC over “Underwriting” process is effective.
• The IC is effective in controlling the risk that “Loan payments and payoffs are inappropriately applied”.
• The IC is effective in controlling the risk that “Inappropriate loans are added to the institution's portfolio”.
• The IC is effective in controlling the risk that “Lack of appropriate loan documentation maintained and inaccurate setup of the loan on the loan system”.
Controls, each stated as “The following control functions effectively:”, with the auditor’s evaluation in parentheses:
• “Loan servicing management compare any manually entered payments into the loan system to source documentation.” (effective)
• “On a daily basis, loan operations reviews the loan application system for missing payments.” (material weakness)
• “The loan servicing system interfaces directly to the general ledger and is reconciled on a monthly basis.” (unknown)
• “Payment clearing account is reconciled on a daily basis to ensure proper posting of loan payments received.” (ineffective)
• “All lending limits for different types of loans and guidelines for setting interest rates are approved by the Board of Directors.” (effective)
• “Credit committee requires a unanimous decision or the loan application is rejected without recourse.” (effective)
• “Risk Management Committee monitors the percentage of loans that are overridden and reviews the key indicator business summary to discern trends on the loan portfolio.” (effective)
• “A loan documentation checklist is completed for each file by the credit officer and independently reviewed by additional credit personnel for accuracy and completeness prior to booking on the loan system.” (effective)
• “Document deficiencies are tracked and reviewed by management on a monthly basis.” (effective)
• “Exception reports flagging accounts and loan files with missing information and documentation are generated, researched and reviewed by the loan documentation unit.” (effective)
Evidence: Evidence No. 1 through Evidence No. 10 from IC compliance testing.
7
Automate The Aggregation Of Control Evaluations
• Input:
  – Auditors’ evaluation of the effectiveness of each individual control procedure
• Output:
  – Quantitative assessment of control effectiveness at multiple layers of the hierarchy: from the individual control level to the overall financial statement level
• Evidential reasoning is a useful decision aid for KPMG auditors because of its:
  – Clarity
  – Practicability of use
  – Completeness
  – Adaptability
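As an added worked example (not code from the slides or from KPMG’s tool), the aggregation step the deck describes: auditor evaluations of individual controls are pooled and propagated up to a risk node. It assumes the e / ~e / {e,~e} triples are Dempster-Shafer m-values, that evidence items about one control are pooled with Dempster’s rule, and that the figure’s & nodes are AND relationships over independent sub-assertions; the control names and all numeric inputs are constructed.

```python
import math
from dataclasses import dataclass
# Constructed example, not the deck's own code: m-values on the frame {e, ~e}.
@dataclass(frozen=True)
class Mass:
    e: float       # m(e): support that the control/assertion is effective
    not_e: float   # m(~e): support that it is not effective
    both: float    # m({e,~e}): uncommitted mass (ignorance)

    def belief(self) -> float:        # Bel(e)
        return self.e

    def plausibility(self) -> float:  # Pl(e) = 1 - Bel(~e)
        return self.e + self.both

def combine(a: Mass, b: Mass) -> Mass:
    """Dempster's rule for two independent pieces of evidence on {e, ~e}."""
    conflict = a.e * b.not_e + a.not_e * b.e   # mass that would go to the empty set
    if conflict >= 1.0:
        raise ValueError("totally conflicting evidence; rule undefined")
    norm = 1.0 - conflict
    return Mass(
        e=(a.e * b.e + a.e * b.both + a.both * b.e) / norm,
        not_e=(a.not_e * b.not_e + a.not_e * b.both + a.both * b.not_e) / norm,
        both=(a.both * b.both) / norm,
    )

def combine_all(masses) -> Mass:
    """Pool several evidence items about one control (e.g. compliance tests)."""
    result = Mass(0.0, 0.0, 1.0)  # vacuous belief: complete ignorance
    for m in masses:
        result = combine(result, m)
    return result

def and_node(children) -> Mass:
    """'&' node: the parent holds only if every child holds. With independent
    children, Bel = prod Bel_i and Pl = prod Pl_i (assumed here)."""
    bel = math.prod(c.belief() for c in children)
    pl = math.prod(c.plausibility() for c in children)
    return Mass(e=bel, not_e=1.0 - pl, both=pl - bel)

# Constructed auditor inputs (hypothetical): one risk guarded by two controls.
CONTROL_EVIDENCE = {
    "control_a": [Mass(0.70, 0.10, 0.20), Mass(0.98, 0.00, 0.02)],
    "control_b": [Mass(0.00, 0.91, 0.09)],   # tests as largely ineffective
}

def assess_risk(evidence=CONTROL_EVIDENCE) -> Mass:
    """Control-level beliefs first, then the risk node as an AND over controls."""
    return and_node([combine_all(items) for items in evidence.values()])
```

An “unknown” evaluation is represented by the vacuous mass (0, 0, 1), which leaves any evidence it is combined with unchanged; a control that tests as ineffective drags the AND-parent’s belief to zero even when its sibling is strongly supported.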
8
Continuing Work
• Validate the model against a real audit case
• Explore issues related to the application of the proposed approach
  – Refine the quantitative representation of internal control effectiveness.
  – How to better elicit belief inputs from auditors.