Turner presentation

An Efficient Approach to Identification
and Documentation of Critical Accounting
Application Controls

Jerry L Turner
The University of Memphis

© Jerry L. Turner 2006


Sarbanes-Oxley Act of 2002
• Section 404 requires an assessment by
management of the effectiveness of the
internal control structure and procedures
for financial reporting
• Requires each independent auditor to
attest to, and report on, the assessment
made by the management of the issuer


Sarbanes-Oxley Act of 2002
• Internal control systems must be
documented
• Relevant internal controls must be
identified and tested.



Sarbanes-Oxley Act of 2002
• Congress assumed that existing
documentation would be an adequate
basis for management of public
companies to report on internal
accounting controls



Background—Auditors
• Prior to SAS No. 55 (1988), auditors
documented systems and identified internal
controls with extensive flowcharts, extensive
internal control checklists, or both



Traditional Flowcharts
• Portray systems as a chronological sequence of
processing steps representing transaction flows
• Usually include superfluous information
• Difficult to maintain because of complexity
• Ineffective in identifying existing controls
• Ineffective at identifying where controls should
exist but were not present


Traditional Flowchart


Source: Whittington/Pany: Principles of Auditing



Internal Control Questionnaires
• Tend to be boilerplate in nature
• Not very effective at relating controls to
audit objectives
• Frequently in a yes/no format where yes
is good, no is bad



Internal Control Questionnaire

Source: Whittington/Pany: Principles of Auditing



Move to Focus on Assertions
• Subsequent to SAS No. 55, auditors began
organizing internal control documentation by
audit objective to enable risk-based audits
• Prompted auditors to replace flowcharts with
more easily prepared (cheaper?) narratives
organized by control objectives corresponding
to financial statement assertions



Narrative

Source: Whittington/Pany: Principles of Auditing



Background—Companies
• System documentation has many forms,
depending on the functional group involved in
preparation
• Usually related to system design, such as
physical and logical data flow diagrams
• Extremely detailed and generally not effective
for other purposes, such as identification of
critical internal controls


Sarbanes-Oxley Act of 2002
• Management is to provide to the auditor
documentation based on relevant
assertions about each significant account
– Existence or occurrence,
– Completeness,
– Valuation or allocation,
– Rights and obligations, and
– Presentation and disclosure


Sarbanes-Oxley Act of 2002
• SOX notes that documentation might take
many forms, such as paper, electronic files, or
other media
• Can include a variety of information, including
policy manuals, process models, flowcharts, job
descriptions, documents, and forms



Sarbanes-Oxley Act of 2002
• For each significant process related to an
assertion, both management and the
independent auditor should
– understand the flow of transactions, including how
transactions are initiated, authorized, recorded,
processed, and reported;
– identify the points within the process at which a
misstatement—including a misstatement due to
fraud—related to each relevant financial statement
assertion could arise;



Sarbanes-Oxley Act of 2002
– identify the controls implemented to address
these potential misstatements; and
– identify the controls implemented over the
prevention or timely detection of
unauthorized acquisition, use, or disposition
of the company's assets



Sarbanes-Oxley Act of 2002
• Individual controls must be linked clearly
with the significant accounts and
assertions to which they relate
• In addition to specific controls in
isolation, combinations of controls also
should be considered in assessing
whether the objectives of the control
criteria have been achieved.


Existing Documentation Methods
• Neither efficient nor effective in
complying with the requirements of SOX
• Documentation typically begins with the
source of accounting information, e.g. a
transaction, and creates data flows from
that activity to an end-point in the
general ledger


Consider a Leaf on a Tree



A More Effective Approach
• Is consistent with a risk-based approach to
auditing
• Identifies the critical files in the financial
reporting process from the hundreds or
thousands of files in a computer-based
accounting system
• Identifies the critical processes that impact
data contained in those critical files



A More Effective Approach
• Allows identification of controls related to those
processes, based on management assertions
about financial statement account balances
• Is useful for both company management and
independent auditors
• Allows identification of controls that may be
monitored effectively with continuous auditing
techniques



Continuous Auditing
• Several reasons for resistance to
implementation of continuous auditing
– Technology
– Cost
– Different objectives for company and auditor

• SOX has aligned objectives with
integrated audit approach


When Can Errors Occur?
• When data is entered into a system
• When data is transferred from one document or
electronic file to a different document or
electronic file
• When data changes form through aggregation or
other process
• When data is deleted




Three Steps to an Effective Approach
• First, identify the significant accounts that
affect the financial statements
• Then, for each significant account, identify the
critical data path (CDP), beginning from the
general ledger or terminal database table and
proceeding backwards through each relevant
file or database table until data origination
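
An added illustration of the backward trace in the second step (not part of the original slides): it walks from a general ledger account back to data origination, records each error point on the way, and lists the points with no documented control. The file, job and control names are constructed sample data; the four edge kinds are the error points from the "When Can Errors Occur?" slide.

```python
from collections import deque

# Constructed lineage: (source, target, kind). The kinds are the four error
# points from the slides: entry, transfer, aggregation, deletion.
EDGES = [
    ("Document 1", "File B", "entry"),
    ("EDI interface", "File B", "entry"),
    ("Purge job", "File B", "deletion"),
    ("File B", "File A", "aggregation"),
    ("File A", "GL: Revenue", "transfer"),
    ("Timesheet", "File C", "entry"),          # feeds a different account
    ("File C", "GL: Wages", "transfer"),
]
# Constructed control inventory, keyed by the (source, target) it covers.
CONTROLS = {
    ("File A", "GL: Revenue"): "batch total reconciliation",
    ("File B", "File A"): "record count check",
    ("Document 1", "File B"): "input edit checks",
}

def critical_data_path(edges, gl_account):
    """Trace backwards from a GL account to data origination.

    Returns (nodes on the path, error points as (source, target, kind),
    origination nodes that nothing else feeds)."""
    feeds = {}
    for src, dst, kind in edges:
        feeds.setdefault(dst, []).append((src, kind))
    seen, nodes, points = {gl_account}, [gl_account], []
    queue = deque([gl_account])
    while queue:
        node = queue.popleft()
        for src, kind in feeds.get(node, []):
            points.append((src, node, kind))
            if src not in seen:                # a cycle must not loop forever
                seen.add(src)
                nodes.append(src)
                queue.append(src)
    origins = [n for n in nodes if n not in feeds]
    return nodes, points, origins

def uncovered_points(points, controls):
    """Error points on the path that have no documented control."""
    return [p for p in points if (p[0], p[1]) not in controls]

if __name__ == "__main__":
    nodes, points, origins = critical_data_path(EDGES, "GL: Revenue")
    print("critical files:", nodes)
    print("origination:", origins)
    for src, dst, kind in uncovered_points(points, CONTROLS):
        print(f"no control on {kind}: {src} -> {dst}")
```

Files that never reach the chosen account (File C here) drop out of the result, which is how the trace narrows many files down to the critical ones.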



Critical Data Path (CDP)
[Diagram: General Ledger Account, File A, File B, Document 1, Transaction or Allocation. Interface with other systems/applications: E-commerce, Web interfaces, EDI, Non-integrated systems/applications]

