Internal Control

    Internal Control Tools and Resources 

    Internal Control is comprised of the following interrelated components: the control environment, risk assessment, control activities and information and communication monitoring. This center will provide information and resources related to these areas.

    COSO's Internal Control - Integrated Framework

    Pieces of a puzzle represent the COSO internal control - integrated frameworkCOSO Proposed Internal Control - Integrated Framework
    The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the Internal Control -- Integrated Framework (IC-IF) back in 1992. The organization has now proposed an updated framework and issued an exposure draft.

    COSO Sheds Light on Managing Cloud Risks
    Before an organization even contracts with a cloud-computing service provider, management should begin control-related activities to guard against the related risks, according to new guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO has developed a detailed analysis of how to use enterprise risk management to mitigate the risks cloud computing presents.

    The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
    The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was jointly sponsored by five major professional associations in the United States. The Commission, wholly independent of each of the sponsoring organizations, contains representatives from industry, public accounting, investment firms, and NYSE.

    SAS No. 115 Toolkit

    Tools for SAS No. 115This toolkit provides guidance on the implementation of SAS No. 115 and tools to assist you in educating and communicating the impact of SAS No. 115 with your clients. While these tools and resources were developed to support you in the implementation and communication of SAS No. 115 in your firm and with your clients, they are not meant to replace the guidance and direction outlined in SAS No. 115 and in the Risk Alert on SAS No. 115. Please refer to the AICPA’s Communicating Internal Control Related Matters Identified in an Audit - SAS No. 115.

    Frequently Asked Questions
    The FAQs document is intended to address the most common practitioner questions related to applying SAS No. 115. In addition, it provides links to additional resources that may help you in understanding and applying SAS No. 115.

    SAS No. 115 Newsletter/Web site Template
    This document is designed for practitioners to communicate the impact of SAS No. 115 to their clients via the member’s newsletter, Web site, or other marketing communications.

    SAS No. 115 Educate Your Client Communication Letter
    This template document is designed for practitioners to update and educate each client directly on the new SAS No. 115 requirements.

    SAS No. 115 Overview PowerPoint
    This presentation provides an overview of SAS No. 115, the impact to a client’s audit, and definitions and examples of significant deficiencies and material weaknesses. The presentation is designed for use by practitioners to educate their staff and clients about SAS No. 115 and can be tailored to address specific client issues.

    SAS No. 115 Sample Findings Accumulation Worksheet
    This sample template document is designed for practitioners use to accumulate their findings in implementing SAS 115.

    Considerations in Risk-Based Auditing
    Considerations in Risk-Based Auditing is a strategic overview intended to provide readers with detailed, practical, specific and non-authoritative guidance when implementing the technology-related aspects of the eight Statements of Auditing Standards (SAS 104 through SAS 111).

    Additional Resources

    Stack of books for additional internal control resourcesIT Control Objectives for Sarbanes-Oxley
    The IT Governance Institute released a research document focusing on Sarbanes-Oxley, using COSO as the overall framework on which the supplementary IT guidance was based, and COBIT as the initial IT controls baseline to develop a control objective template.

    Performing an Audit of Internal Control in an Integrated Audit 
    The AICPA’s Center for Audit Quality (CAQ) recently issued a publication entitled, CAQ Lessons Learned - Performing an Audit of Internal Control in an Integrated Audit (Lessons Learned), which was developed by a task force consisting of professionals from various member firms.

    Segregation of Duties
    Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business.

    How CAATTs Identifies Potentially Fraudulent Activities
    Fraud happens! Maybe it is accomplished by someone in the accounting department making a journal entry to affect revenue recognition for certain transactions. Or, perhaps it occurs when someone enters transactions for fictitious customers or vendors, or alters timecards. While auditors do not have a specific requirement to detect all fraud, we can turn to the auditing standards for guidance.

    Copyright © 2006-2015 American Institute of CPAs.