LYNFORD GRAHAM, CPA, has more than 30 years of public accounting experience in audit practice and in various national firm policy development groups. He is a visiting professor of accountancy and executive-in-residence at Bentley University, Waltham, MA. He currently maintains an active consultancy practice in statistical audit sampling, litigation support, and audit methodologies, and develops numerous training seminars for conferences and firms.

Ease the transition to the new COSO framework with practical strategy
Internal Control Audit and Compliance provides complete guidance toward the latest framework established by the Committee of Sponsoring Organizations (COSO). With clear explanations and expert advice on implementation, this helpful guide shows auditors and accounting managers how to document and test internal controls over financial reporting with detailed sections covering each element of the framework. Each section highlights the latest changes and new points of emphasis, with explicit definitions of internal controls and how they should be assessed and tested. Coverage includes easing the transition from older guidelines, with step-by-step instructions for implementing the new changes. The new framework identifies seventeen new principles, each of which are explained in detail to help readers understand the new and emerging best practices for efficiency and effectiveness.
The revised COSO framework includes financial and non-financial reporting, as well as both internal and external reporting objectives. It is essential for auditors and controllers to understand the new framework and how to document and test under the new guidance. This book clarifies complex codification and provides an effective strategy for a more rapid transition.
* Understand the new COSO internal controls framework
* Document and test internal controls to strengthen business processes
* Learn how requirements differ for public and non-public companies
* Incorporate improved risk management into the new framework
The new framework is COSO's first complete revision since the release of the initial framework in 1992. Companies have become accustomed to the old guidelines, and the necessary procedures have become routine - making the transition to align with the new framework akin to steering an ocean liner. Internal Control Audit and Compliance helps ease that transition, with clear explanation and practical implementation guidance.

Preface xi
Acknowledgments xv
Chapter 1: What We All Share 1
Need for Control Criteria 1
Overview of the COSO Internal Control Integrated Framework 2
Holistic, Integrated View 3
Revised COSO Internal Controls Framework 6
What We Must Do 8
Basic Scoping and Strategies for Maintenance 11
Where We Depart 12
Triangle of Efficiency 13
Controls versus Processes 14
The Debate Continues 18
Organization of This Book 18
Appendix 1A: COSO 17 Principles 20
Chapter 2: Setting the Scope of Your Documentation Project: Identifying the Core 21
Start with Business Objectives 21
After the Initial Year 24
Mapping the Entity to the Financial Statements: Ins and Outs 25
Consider Risks, Not Just Quantitative Measures 27
Inherent and Control Risk 28
Overstatement and Understatement 28
Does "In Scope" Imply Extensive Testing? 37
A Consolation 39
Be Careful Out There! 40
Appendix 2A: Summary of Scoping Inquiries 42
Chapter 3: The Risk Assessment Component 45
Risk Assessment Principles in COSO 46
Cost Control 46
Basics 47
Likelihood, Magnitude, Velocity, and Persistence 48
Separate Assessments of Inherent and Control Risks 50
Role of Assertions 51
Assertions 52
Principles 6 and 7: Specify Suitable Objectives; Identify and Analyze Risk 56
Identifying Risks 59
External Sources of Risk Information 60
Internal and External Reporting Risks 61
Compliance Risks 61
Disclosed Material Weaknesses in Risk Assessment 62
Principle 8: Assess Fraud Risk 62
Auditor Responsibility to Detect Fraud 65
Antifraud Controls for Management to Consider 66
Ties to Other Principles and Components 66
Principle 9: Identify and Assess Significant Change 66
Gathering Information to Support the Risk Assessment and Consider Change 68
Appendix 3A: SAS No. 99 Exhibit: Management Antifraud Programs and Controls 72
Attachment 1: AICPA "CPA's Handbook of Fraud and Commercial Crime Prevention" Code of Conduct 87
Attachment 2: Financial Executives International Code of Ethics Statement 91
Appendix 3B: Understanding Fraud Risk Assessment 93
Chapter 4: Control Environment 99
Principle 1: Commitment to Integrity and Ethical Values 100
Principle 2: Board of Directors (Governance) Demonstrates Independence from Management and Exercises Oversight of the Development and Performance of Internal Control 104
Principle 3: Management Establishes, with Board Oversight, Structures, Reporting Lines, and Appropriate Authorities and Responsibilities in the Pursuit of Objectives 109
Principle 4: Commitment to Attract, Develop, and Retain Competent Individuals in Alignment with Objectives 110
Principle 5: The Organization Holds Individuals Accountable for Their Internal Control Responsibilities in the Pursuit of Objectives 113
Appendix 4A: Understanding and Awareness of Control Responsibilities 117
Chapter 5: Control Activities 120
Principle 10: Selects and Develops Control Activities to Mitigate Risk and Achieve Objectives 120
Principle 11: Selects and Develops General Controls over Technology 132
Principle 12: Deploys through Policies and Procedures 141
Summing Up 143
Appendix 5A: Linking Common Control Activities and Assertions 146
Appendix 5B: Linkage of Principles to Controls, Policies, and Procedures 158
Chapter 6: Information and Communication 165
Principle 13: Generates Relevant Information 166
Principle 14: Communicates Internally 168
Principle 15: Communicates Externally 170
Chapter 7: Monitoring 173
Principle 16: Select, Develop, and Perform Ongoing and/or Separate Evaluations 174
Principle 17: Evaluate and Communicate Deficiencies as Appropriate 176
Chapter 8: Evidence and Testing 179
Sufficient Evidence 179
Gathering Information 187
Testing and Sampling 194
Nonsampling Situations 202
Confusion of Sample Size Guidance in Practice Today 203
Information Technology General Controls 204
Testing Security and Access 205
Appendix 8A: Sample Size Tutorial 211
Chapter 9: Developing Questionnaires and Conducting Interviews 217
Surveys of Employees 219
Conducting Interviews 224
Management Inquiries: Sample Questions 234
Appendix 9A: Sample Practice Aids 239
Chapter 10: Assessing the Severity of Identified Controls Deficiencies 248
It's Inevitable 248
Alignment of Public and Private Company Standards for Assessing Deficiency Severity 251
Control Deficiencies and Definitions 252
Key Factors When Assessing the Severity of a Deficiency 263
Conditions Indicating Control Deficiencies 270
Examples of Evaluating the Severity of Deficiencies 277
Overall Assessment 281
Appendix 10A: A Framework for Evaluating Control Exceptions and Deficiencies 283
Appendix 10B: Assessing the Potential Magnitude of a Control Deficiency 299
Chapter 11: Reporting Requirements 302
Nonpublic Entity Reporting 302
Public Company Annual and Quarterly Reporting Requirements 304
Reporting on Management's Responsibilities for Internal Control 309
Required Company and Auditor Communications 312
Reporting the Remediation of Weaknesses 314
Coordinating with the Independent Auditors and Legal Counsel 315
Appendix 11A: Illustrative AICPA Report on Internal Controls 316
Chapter 12: Project Management and Tools Assessment Design 318
Project Management 318
Structuring the Project Team 319
Tools Assessment Design 325
Features of a Good Tools Solution 326
Value of a Pilot Project 331
Coordinating with the Independent Auditors 334
Chapter 13: Illustrative Forms and Templates 337
Historical Perspective 338
2013 Framework Examples 340
Appendix 13A: Information-Gathering Form--Principle Focused 348
Appendix 13B: Information Gathering Form--Revenue 350
Appendix 13C: Walk-through Documentation Form 353
Appendix 13D: Information Technology General Controls Assessment Form 355
Appendix 13E: Documentation of Financial Reporting Software and Spreadsheets 364
Appendix 13F: Sampling Form for Tests of Controls 368
Appendix 13G: Summary of Internal Control Deficiencies 371
Appendix 13H: Control Environment Component Evaluation Summary 372
Chapter 14: Summing Up 373
About the Author 375
Index 377