Question

Download and review the Guide to Internal Control Over Financial Reporting from the Center for Audit Quality:

Using short paragraphs answer the following questions.

1. What did the Foreign Corrupt Practices Act (FCPA) of 1977 codify concerning internal controls?

2. The FCPA requires public companies to...? (There are 4 requirements!)

3. Name the 4 recommended Internal Control Activities.

4. Are there set Internal Controls for Financial Reporting, or can they (or should they) be scaled to the company?

5. What is considered a deficiency in Internal Controls for Financial Reporting? Is is ALWAYS a material weakness?

6. Who in the company is responsible for the design, implementation, & monitoring of internal controls? What does SOX Section 404(a) say about this?

7. What is the responsibility of Independent Auditors under SOX Section 404(b)?

8. What is the responsibility of the Audit Committee under SOX?

Answer 1

PART -1

The Foreign Corrupt Practices Act (FCPA) of 1977 codify concerning internal controls states the requirement that public companies have internal accounting controls in the Foreign Corrupt Practices Act of 1977 (FCPA). This federal law requires public companies to establish and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles (GAAP).

PART-2

The FCPA requires public companies to “devise and maintain” a system of internal accounting controls sufficient to provide reasonable assurance that:-

1. transactions are executed in accordance with management’s general or specific authorization;
2. transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with GAAP or any other criteria applicable to such statements, and (2) to maintain accountability for assets;
3. + access to assets is permitted only in accordance with management’s general or specific authorization; and
4. + the recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken regarding any differences.

PART-3

Internal Control Activities

• segregation of duties,
• information technology (IT) general controls,
• entity-level and process-level controls.
• preventive and detective controls.

PART-4

YES,THEY SHOULD BE SCALED TO THE COMPANY

The design, implementation, and evaluation of controls need to be tailored to the reporting risks of the company. These risks may be influenced by the size of the company. Designing and maintaining effective ICFR becomes more challenging as the size of a business and the scope of its activities increase. At the same time, smaller companies may face challenges as a result of limitations in qualified resources.The risk of management override of controls can be greater in a smaller company in which officials have more direct involvement with operations and with the recording of transactions. In addition, a small company may not have sufficient personnel to fully implement segregation of duties across all processes.

PART-5

A deficiency in ICFR exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

NO, IT IS NOT ALWAYS A MATERIAL WEAKNESS.

A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.

The determination as to whether a deficiency in ICFR represents a material weakness depends on

1. the likelihood of a misstatement occurring as a result of the deficiency;

2. whether the magnitude of the potential misstatement that is reasonably possible to have occurred or could occur in the future as a result of the deficiency, was or could be material to the financial statements; and

3. whether management’s controls in the ordinary course of business would have timely prevented or detected a misstatement had it become material

PART 6

Management of the company is responsible for the design, implementation, and monitoring of ICFR.

SOX 404(a) says about,

• (with certain exceptions) principal executive and financial officers of all public companies to annually assess the effectiveness of ICFR
• also requires (with certain exceptions) all public companies to annually assess the effectiveness of ICFR and report the results. Management is required, in its quarterly reports, to state its responsibility for establishing and maintaining ICFR and disclose any changes to ICFR that have materially affected, or are reasonably likely to materially affect, the company’s ICFR.1

part-7

Section 404(b) of SOX requires most large public companies to have their independent auditor report on the effectiveness of ICFR. Under AS 2201, the ICFR audit and the financial audit are integrated; that is, both audits are performed as a single, mutually reinforcing process. Like management’s assessment, the ICFR audit should follow a topdown, risk-based approach that considers the entire system of ICFR but focuses greater attention on the controls over financial reporting areas most susceptible to material misstatement.

part-8

The audit committee’s activities usually include

• review of the assessment of financial reporting risks,
• review of management’s planned responses to the identified financial reporting risks,
• discussion with management of control deficiencies18 and their potential impact on financial reporting,
• evaluation of the quality of financial reporting and related disclosures
• the audit committee also is responsible for hiring and overseeing the activities of the independent auditor.