Monday, May 5, 2008

certificates

http://wserver.scc.losrios.edu/~burbagg/CPALinks.html



Sacramento City College

Professor Greg Burbage's Information and Links For
Certifications in Accounting, Finance and Business Plus Licensing and Educational InformationCPA ABA ABV AFE ATA ATP AVA AES CCSA CBA CB CBM CDFA CFA CFE CFSA CFM CFP CrFA CFC CFFA CFD CFE CFS CGAP CGFM CHFP CISA CISM CITP CIA CM CMA CM&AA CPP CPEA CPFO CQA CRP CTP CVA ECS EA FCPA PFS
What do the 45 acronyms CPA, CMA, CFM, etc. mean?
NEW: Link to 16 AAFM international financial certifications at bottom of page.
-
Certified Public Accountant Information:
Summary of requirements of becoming a California CPA.
California State Board of Accountancy - California CPA requirements, application and testing.
California Society of CPAs - CPA continuing education, ethics and more. NOTE CalCPA candidates and student members get first year dues for free and discounts on CPA review courses by Becker, Kaplan and Phillip.
Learn about the revised subject content of the new computerized CPA exam from the AICPA.
More about the new Computer Based Test (CBT) from the Journal of Accountancy.
Exam functionality and tools are demonstrated by using the Uniform CPA Exam Tutorial.
A summary of the process of applying for the CPA exam by CPA Training Center.com The ABCs of the CPA Exam!
Each of the 50 states and 4 jurisdictions of the U.S. has its own specific CPA requirements.The exams are identical but the education and experience requirements differ somewhat.Links to all 54 Boards of Accountancy are listed with the National Association of State Boards of Accountancy.
Other Professional Certifications and Organizational Links - Alphabetical by Certification Name:
Accredited Business Accountant (ABA) Accreditation Council for Accountancy and Taxation
Accredited in Business Valuation (ABV) American Institute of Certified Public Accountants
Accredited Financial Examiner (AFE) Society of Financial Examiners
Accredited Tax Advisor (ATA) Accreditation Council for Accountancy and Taxation
Accredited Tax Preparer (ATP) Accreditation Council for Accountancy and Taxation
Accredited Valuation Analyst (AVA) National Association of Certified Valuation Analysts
Automated Examination Specialist (AES) Society of Financial Examiners
Certification in Control Self-Assessment (CCSA) Institute of Internal Auditors
Certified Bank Auditor (CBA) BAI Center for Certification
Certified Bookkeeper (CB) American Institute of Professional Bookkeepers
Certified Business Manager (CBM) Association of Professionals in Business Management
Certified Divorce Financial Analyst (CDFA) Institute for Divorce Financial Analysts
Chartered Financial Analyst (CFA) CFA Institute
Certified Financial Examiner (CFE) Society of Financial Examiners
Certified Financial Services Auditor (CFSA) Institute of Internal Auditors
Certified in Financial Management (CFM) Institute of Management Accountants
Certified Financial Planner (CFP) Certified Financial Planner Board of Standards
Certified Forensic Accountant (Cr.FA) American College of Forensic Examiners Institute
Certified Forensic Consultant (CFC) American College of Forensic Examiners Institute
Certified Forensic Financial Analyst (CFFA) National Association of Certified Valuation Analysts
Certified Fraud Deterrence Analyst (CFD) National Association of Certified Valuation Analysts
Certified Fraud Examiner (CFE) Association of Certified Fraud Examiners
Certified Fraud Specialist (CFS) Association of Certified Fraud Specialists
Certified Government Auditing Professional (CGAP) Institute of Internal Auditors
Certified Government Financial Manager (CGFM) Association of Government Accountants
Certified Healthcare Financial Professional (CHFP) Healthcare Financial Management Association
Certified Information Systems Auditor (CISA) Information Systems Audit and Control Association
Certified Information Security Manager (CISM) Information Systems Audit and Control Association
Certified Information Technology Professional (CITP) American Institute of CPAs
Certified Internal Auditor (CIA) Institute of Internal Auditors
Certified Management Accountant (CMA) Institute of Management Accountants
Certified Manager (CM) Institute of Certified Professional Managers
Certified Merger and Acquisition Advisor (CM&AA) Alliance of Merger & Acquisition Advisors
Certified Payroll Professional (CPP) American Payroll Association
Certified Professional Environmental Auditor (CPEA) Board of Environmental, Health & Safety Auditor Certifications
Certified Public Finance Officer (CPFO) Government Finance Officers Association
Certified Quality Auditor (CQA) American Society for Quality
Certified Risk Professional (CRP) BAI Center for Certification
Certified Treasury Professional (CTP) Association for Financial Professionals
Certified Valuation Analyst (CVA) National Association of Certified Valuation Analysts
Elder Care Specialist (ECS) Accreditation Council for Accountancy and Taxation
Enrolled Agent (EA) National Association of Enrolled Agents
Forensic Certified Public Accountant (FCPA) Forensic CPA Society
Personal Financial Specialist (PFS) American Institute of CPAs
Various skills certifications in over 600 areas by Brainbench
Exam Review Courses and Study Aids:
Become a member of the CSCPA and get discounts on Becker, Kaplan or Phillip review courses.
Becker Educational - Specializing in in-class CPA, CMA & CFM review courses at hundreds of locations worldwide.
Bisk Education - Online and self-study review courses for CPA exam.
Flash Point CPA Review - NEW! Buy Flash cards or download over 500+ CPA Review Questions for each part at reasonable prices.
Gleim Publications - Online and self-study review courses and study aids for CPA, CMA, CFM, CIA and EA exams.
Kaplan CPA Complete Learning Systems - Review courses for CPA, CFP and other international accounting related certifications.
Keir Educational Resources - Self-study aids for CFP exam, securities and insurance licensing.
Lambers Review Courses - Online and self-study review courses and study aids for CPA, CMA, CFM, CIA, CFP and EA exams.
MicroMash - Review courses and study aids for CPA, CMA, CFM, CFA, CIA and CISA exams.
Roger Philipp CPA Review - Online and Live CPA review courses.
The Tutorial Group - Flash cards for CPA, CMA, CFM and EA exams.
Wiley Publishing - CPA and CIA exam review books.
Yaeger CPA Review - Home study, cram webinar and cram audio CPA review materials
Leading colleges and universities across the country are joining the IMA community to offer the CMA Learning System as a noncredit in-class course to help you prepare for the CMA exam.
Also look at each certifying organization's home page for information about study materials.
Other Important Accounting Related Organizations:
AAA - American Accounting Association
ACUA - Association of College and University Auditors
FASAB - Federal Accounting Standards Advisory Board
FASB - Financial Accounting Standards Board
GAO - U S General Accounting Office
GASB - Governmental Accounting Standards Board
IASB - International Accounting Standards Board
IFAC - Internationl Federation of Accountants
SEC - U S Securities and Exchange Commission

Top of Page
Organizations and their Related Certifications - Alphabetical by Organization:
Accreditation Council for Accountancy and Taxation (ACAT): - Accredited Business Accountant/Accredited Business Advisor (ABA) - Accredited Tax Advisor (ATA) - Accredited Tax Prepare (ATP) - Elder Care Specialist (ECS)
Alliance of Merger & Acquisition Advisors (AM&AA): - Certified Merger and Acquisition Advisor (CM&AA)
American College of Forensic Examiners Institute (ACFEI): - Certified Forensic Accountant (Cr.FA) - Certified Forensic Cosultant (CFC)
American Institute of Certified Public Accountants (AICPA): - Accredited in Business Valuation (ABV) - Certified Information Technology Professional (CITP) - Certified Public Accountant (CPA) - Personal Financial Specialist (PFS)
American Institute of Professional Bookkeepers (AIPB): - Certified Bookkeeper (CB)
American Payroll Association (APP): - Certified Payroll Professional (CPP)
American Society for Quality (ASQ): - Certified Quality Auditor (CQA)
Association of Certified Fraud Examiners (ACFE): - Certified Fraud Examiner (CFE)
Association of Certified Fraud Specialists (ACFS): - Certified Fraud Specialist (CFS)
Association for Financial Professionals (AFP): - Certified Treasury Professional (CTP)
Association of Government Accountants (AGA): - Certified in Governmental Financial Management (CGFM)
Association for Investment Management and Research (AIMR): - Chartered Financial Analyst (CFA)
Association of Professionals in Business Management (APBM): - Certified Business Manager (CBM)
BAI Center for Certification (BAI): - Certified Bank Auditor (CBA) - Certified Risk Professional (CRP)
Board of Environmental, Health & Safety Auditor Certifications (BEAC): - Certified Professional Environmental Auditor (CPEA)
California Society of Certified Public Accountants (CSCPA): - Certified Public Accountant (CPA) in California
California State Board of Accountancy (CBOA): - Certified Public Accountant (CPA) in California
Certified Financial Planner Board of Standards (CFPBS): - Certified Financial Planner (CFP)
Forensic CPA Society (FCPAS): - Forensic Certified Public Accountant (FCPA)
Government Finance Officers Association (GFOA): - Certified Public Finance Officer (CPFO)
Healthcare Financial Management Association (HFMA): - Certified Healthcare Financial Professional (CHFP)
Information Systems Audit and Control Association (ISACA): - Certified Information Systems Analyst (CISA) - Certified Information Security Manager (CISM)
Institute for Certified Professional Managers (ICPM): - Certified Manager (CM)
Institute for Divorce Financial Analysts (IDFA): - Certified Divorce Financial Analyst (CDFA)
Institute of Internal Auditors (IIA): - Certification in Control Self-Assessment (CCSA) - Certified Financial Services Auditor (CFSA) - Certified Government Auditing Professional (CGAP) - Certified Internal Auditor (CIA)
Institute of Management Accountants (IMA): - Certified in Financial Management (CFM) - Certified Management Accountant (CMA)
National Association of Certified Valuation Analysts (NACVA): - Accredited Valuation Analyst (AVA) - Certified Forensic Financial Analyst (CFFA) - Certified in Fraud Deterrence (CFD) - Certified Valuation Analyst (CVA)
National Association of Enrolled Agents (NAEA): - Enrolled Agent (EA)
Society of Financial Examiners (SOFE): - Accredited Financial Examiner (AFE) - Automated Examination Specialist (AES) - Certified Financial Examiner (CFE)
International Certifications:
AAFM - The American Academy of Financial Management offers 16 separate financial certifications recognized worldwide.
Financial Accounting Managerial Accounting More Financial Accounting Notes Professional Certifications Business & Miscellaneous Links Governmental Links About Me Just For Fun Page Burbage Home Page

Top of Page
page hits since 02/23/07

Tuesday, April 1, 2008

COBIT

COBIT

From Wikipedia, the free encyclopedia

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

Contents [show]
1 Overview
2 Release history
2.1 COBIT Version 4
2.2 COBIT Version 4.1
3 COBIT product family (version 4.0)
3.1 Executive Summary
3.2 Framework
3.3 Control Objectives
3.4 IT Assurance Guide (formerly Audit Guidelines)
3.5 Implementation Tool Set
3.6 Management Guidelines
4 COBIT structure
4.1 Plan and Organize
4.2 Acquire and Implement
4.3 Delivery and Support
4.4 Monitor and Evaluate
5 COBIT and other standards
5.1 COBIT and ISO/IEC 17799:2005
5.2 COBIT and Sarbanes Oxley
5.3 COBIT and other international standards
6 References
7 See also



Overview
COBIT was first released in 1996. Its mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, Auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.

COBIT 4.1 has 34 high level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. COBIT provides benefits to managers, IT users, and auditors. Managers benefit from COBIT because it provides them with a foundation upon which IT related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security, and process governance. COBIT benefits auditors because it helps them identify IT control issues within a company’s IT infrastructure. It also helps them corroborate their audit findings.

Recently, ISACA has released Val IT, which correlates the COBIT processes to senior management processes required to get good value from IT investments.


Release history
COBIT has had four major releases:

In 1996, the first edition of COBIT was released.
In 1998, the second edition added "Management Guidelines".
In 2000, the third edition was released.
In 2003, an on-line version became available.
In December 2005, the fourth edition was initially released
In May 2007, the current 4.1 revision was released.

COBIT Version 4
COBIT Version 4 significantly improved on COBIT 3 by consolidating most of the separate books into a single volume for ease of use. New subsections for each process include:

cross-references of inputs and outputs to and from other COBIT processes (which can help rationalize finger-pointing)
activities for each process, with a RACI diagram for each activity (showing what the CFO, CEO, IT Service Manager, Development Manager, etc. should do or be involved in)

COBIT Version 4.1
COBIT Version 4.1 is now available from ISACA web site. The major changes are:

support for "Maturity Model"
simplified descriptions of "Goals"
cascading of processes and (bidirectional) relations between the "Business", the "IT Goals", and the "IT Processes"
Please note that the summary below is based on COBIT version 4.0, which had major changes from the former COBIT version 3.2.


COBIT product family (version 4.0)
The complete COBIT package is a set consisting of six publications:

Executive Summary
Framework
Control Objectives
IT Assurance Guide (formerly Audit Guidelines)
Implementation Tool Set
Management Guidelines

Executive Summary
Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary consists of an Executive Overview which provides a thorough awareness and understanding of COBIT's key concepts and principles. Also included is a synopsis of the Framework, which provides a more detailed understanding of these concepts and principles, while identifying COBIT's four domains (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring) and 34 IT processes


Framework
A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, information and infrastructure) are important for the IT processes to fully support business,


Control Objectives
The key to maintaining profitability in a technologically changing environment is how well you maintain control.[citation needed] COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 214 specific and detailed control objectives throughout the 34 IT processes.


IT Assurance Guide (formerly Audit Guidelines)
To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outline and suggest actual activities to be performed corresponding to each of the 34 high-level control objectives, while substantiating the risk of control objectives not being met. Audit Guidelines are an invaluable tool for information systems auditors in providing management assurance and/or advice for improvement.


Implementation Tool Set
An Implementation Tool Set, which contains Management Awareness and IT Control Diagnostics, and Implementation Guide, FAQs, case studies from organizations currently using COBIT, and slide presentations that can be used to introduce COBIT into organizations. The new Tool Set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments, and lead management to ask about each COBIT process: Is this domain important for our business objectives? Is it well performed? Who does it and who is accountable? Are the processes and control formalized?


Management Guidelines
To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines are composed of Maturity Models, to help determine the stages and expectation levels of control and compare them against industry norms; Critical Success Factors, to identify the most important actions for achieving control over the IT processes; Key Goal Indicators, to define target levels of performance; and Key Performance Indicators, to measure whether an IT control process is meeting its objective. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.


COBIT structure
COBIT covers four domains:

Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

Plan and Organize
The Planning and Organization domain covers the use of information & technology and how best it can be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the high level control objectives for the Planning and Organization domain.

HIGH LEVEL CONTROL OBJECTIVES
Plan and Organize
PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects


Acquire and Implement
The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following table lists the high level control objectives for the Acquisition and Implementation domain.

HIGH LEVEL CONTROL OBJECTIVES
Acquire and Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes


Delivery and Support
The Delivery and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as, the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following table lists the high level control objectives for the Delivery and Support domain.

HIGH LEVEL CONTROL OBJECTIVES
Deliver and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations


Monitor and Evaluate
The Monitoring and Evaluation domain deals with a company’s strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of IT system in its ability to meet business objectives and the company’s control processes by internal and external auditors. The following table lists the high level control objectives for the Monitoring domain.

HIGH LEVEL CONTROL OBJECTIVES
Monitor and Evaluate
ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance


COBIT and other standards

COBIT and ISO/IEC 17799:2005
COBIT was released and used primarily by the IT community, and has become the internationally accepted framework for IT governance and control. ISO/IEC 17799:2005 (The Code of Practice for Information Security Management) is also an international standard and is best practice for implementing security management. The two standards do not compete with each other and actually complement one another. COBIT typically covers a broader area while ISO/IEC 17799 is deeply focused in the area of security.

The table below describes the inter-relation of the two standards as well as how ISO/IEC 17799 can be integrated with COBIT.




COBIT DOMAIN 1 2 3 4 5 6 7 8 9 10 11 12 13
Plan and Organize - + - - + + + + - - 0 . .
Acquire and Implement + 0 0 - 0 + . . . . . . .
Deliver and Support - + 0 + + . + 0 0 0 + 0 0
Monitor and Evaluate - 0 - 0 . . . . . . . . .

(+) Good match (more than two ISO/IEC 17799:2005 objectives were mapped to a COBIT process)
(0) Partly match (one or two ISO/IEC 17799:2005 objectives were mapped to a COBIT process)
(-) No or minor match (no ISO/IEC 17799:2005 objective was mapped to a COBIT process)
(.) Does not exist

COBIT and Sarbanes Oxley
Public companies that are subject to the U.S. Sarbanes-Oxley Act of 2002 are encouraged to adopt COBIT and/or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) "Internal Control - Integrated Framework." In choosing which of the control frameworks to implement in order to comply with Sarbanes-Oxley, the U.S. Securities and Exchange Commission suggests that companies follow the COSO framework.

COSO Internal Control - Integrated Framework states that internal control is a process — established by an entity's board of directors, management, and other personnel — designed to provide reasonable assurance regarding the achievement of stated objectives. COBIT approaches IT control by looking at information — not just financial information — that is needed to support business requirements and the associated IT resources and processes. COSO control objectives focus on effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations. The two frameworks have different audiences. COSO is useful for management at large, while COBIT is useful for IT management, users, and auditors. COBIT is specifically focused on IT controls. Because of these differences, auditors should not expect a one-to-one relationship between the five COSO control components and the four COBIT objective domains.


COBIT and other international standards
For more international standards, see ISACA CobiT Mappings. COBIT is also addressed by the Information Security Forum in its Standard of Good Practice and other documents.



References
ISACA Custodians of COBIT
COBIT User Forum The main COBIT User Group
Two Views of Internal Controls: COBIT and the ITCG
CobiTCampus CobiT education provided by ISACA

See also
Information Technology Infrastructure Library
Health Insurance Portability and Accountability Act
Information Quality Management
IT Governance
The Standard of Good Practice
Information Security Management System
Val IT - Value from IT Investments

Monday, March 31, 2008

Current Research Questions on Internal Control over Financial Reporting Under Sarbanes-Oxley

Current Research Questions on Internal Control over Financial Reporting Under Sarbanes-Oxley
Lessons for Auditors

By Jian Zhang and Kurt Pany

FEBRUARY 2008 - The Sarbanes-Oxley Act (SOX) of 2002’s requirements regarding internal control over financial reporting requirements for management and auditors have had a profound effect on both public companies and public accounting firms. While SOX has resulted in the public disclosure of numerous internal control deficiencies, the cost of compliance has also been widely questioned. Attempts to better understand the law’s overall effect have resulted in copious amounts of research.

What follows is a brief summary of certain recent research findings that relate directly to the audit of internal control over financial reporting. Only limited references to the studies discussed are provided below; the Sidebar provides a more detailed list of references. Certain topics that the authors subjectively feel to be of lesser interest (e.g., the relationship of internal control reporting to a lower cost of capital; changes in investors’ wealth and wealth redistribution; and material weakness disclosure related to the quality of accounting accruals) were not included.

Background

In response to the high-profile business failures at Enron and WorldCom, in July 2002 Congress passed SOX. The law’s aim was to reinforce investor confidence and protect investors by improving the accuracy and reliability of corporate disclosures. SOX introduced challenging internal control performance and reporting requirements under its section 302 and section 404.

SOX section 302 requires the principal executive officer and the principal financial officer to certify and sign annual and quarterly reports submitted to the SEC, including certifying that those officers are responsible for establishing and maintaining internal controls. SOX section 404 requires that annual reports filed by registrants include an assessment of the effectiveness of the company’s internal controls and an auditor’s report on that assessment. After the law was passed, the SEC and the Public Company Accounting Oversight Board (PCAOB) created detailed guidance for internal control reporting in the form of Auditing Standard 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (2004). Specifically, the auditor’s report under AS2 ordinarily included two opinions: one on management’s assessment of internal control, and one on the effectiveness of internal control. (In July 2007, the SEC approved AS5, which replaced AS2. The audit report under AS5 eliminates the separate opinion on management’s assessment. The PCAOB considered the opinion on management’s assessment redundant with the opinion on internal control itself.)

The discussion below focuses on material weaknesses and situations in which auditors have identified a material weakness and have issued an adverse opinion relating to internal control. This is the bulk of the research available on internal control reporting. Modified audit reports can also be issued because of an inadequate management assessment of internal control, restrictions on the scope of audits, referral to the report of other auditors, subsequent events, and the inclusion of additional information in management’s report on internal control.

Ideally, reports on internal control not only result in improvements, they also provide financial statement users with an early warning about potential future problems that could result from weak controls, as well as the possibility that past financial results may have to be restated. Because capital markets operate on the principle that the vast majority of companies present reliable and complete financial data for making investment decisions, good internal control is considered an important factor in achieving good-quality financial reporting. Material weaknesses in internal control provide warnings about potential future financial statement problems.

SOX’s internal control requirements quickly became controversial, because companies complained about the costs involved and the perceived redundancy between the auditor’s and management’s tests of controls. While the SEC originally estimated average costs of the internal control provisions at less than $100,000, actual costs have been higher. Estimates have varied significantly. On the high end, Charles River Associates (now CRA International) found that it cost $7.8 million on average for a company to implement section 404. Investment News (May 16, 2007) estimated first-year total compliance costs at $4.51 million per company in 2004, a number that decreased to $2.9 million in 2006. Note that individual company estimates are ordinarily made by management, a group generally predisposed against SOX (78% of 200 companies in the survey reported by Investment News said that section 404 compliance costs still outweigh any benefits).

Continuing high compliance costs led the PCAOB to consider ways that would reduce the costs and procedures related to auditors’ internal control reporting. In May 2005, the PCAOB emphasized that auditors should apply a “top-down” approach that relied upon the results of a risk assessment performed by the auditors. The risk-assessment results should identify controls to test by starting at the top—company-level controls and the financial statements—and linking to significant accounts, relevant assertions, and, finally, to the significant underlying processes in which other important controls exist. Subsequently, both the SEC and the PCAOB issued standards aimed at controlling costs related to internal control reporting while attempting to retain effective reporting.

Research Questions: Magnitude of the Problem

How many companies disclose material weaknesses in internal control? Glass Lewis & Co. found that 1,118 U.S. companies and 90 foreign companies—one of every 12 companies with U.S. listed securities—filed a total of 1,342 material weakness disclosures in 2006. Furthermore, 97 U.S. companies voluntarily disclosed significant deficiencies in 2006, down from 116 in 2005 (see “The Materially Weak,” Yellow Card Trend Alert, February 27, 2007). This total includes both SEC registrants currently required to have integrated audits, and those not so required. Companies that were required to disclose section 404 material weaknesses in 2006 reported 35% fewer material weaknesses than in 2005, while companies voluntarily disclosing such weaknesses reported 20% more. Exhibit 1, using data from the Glass Lewis & Co. study, shows material-weakness disclosures by stock exchange. Compliance Week added to the analysis, finding that while the number of companies that cannot meet filing deadlines may have risen in the second year of SOX compliance, fewer companies reported problems with internal controls.

How many companies have received an adverse opinion on internal control? Glass Lewis & Co. reports that in 2005, the first year of SOX section 404 audits, 16% of companies received adverse opinions from independent auditors. In 2006, the second year, 11% of companies received adverse opinions.

Do companies that disclose material weaknesses in internal control differ systematically from those that do not? A number of studies have reported relatively comparable results as to the nature of companies that reported material weaknesses. While subject to many exceptions, on average, they are younger, smaller in size, growing more rapidly, and less profitable than companies that do not report material weaknesses. Research also finds that they often have more-complex structures (e.g., involve multiple segments and foreign currency), and are more likely to be audited by a large national firm. (Some of the research findings relied on multiple regression analysis.)

Research Questions: Cause and Effect

What specific issues have resulted in material weaknesses? Although researchers summarize material weaknesses in varying manners, Exhibit 2 provides a summary of the accounting, internal control, and other issues most commonly resulting in material weaknesses. During 2006, improper accounting for stock options was the most frequent accounting issue, as contrasted to lease accounting in 2005. Nonroutine transactions (the PCAOB’s examples include taking physical inventory, calculating depreciation expense, and adjusting for foreign currencies) were the most frequent internal control issues in both years. In addition, the period-end closing process also frequently represented a material weakness.

How likely is it that companies reporting material weaknesses will restate their financial statements due to accounting errors? Restatements for accounting errors occur when material errors existing in financial statements are not detected by either internal controls or external auditors prior to the issuance of the financial statements. Internal control plays an important role in preventing material errors (and restatements) from occurring.

Glass Lewis & Co. (“The Errors of Their Ways,” Yellow Card Trend Alert, February 27, 2007) reported that, of a total of 1,420 restatements made by U.S. companies in 2006, 685 also disclosed material weakness within one year (either before or after) of restatement. Of those 685 companies the material weakness was disclosed as follows:

277 before the restatement;
297 after the restatement;
111 both before and after restatement.
The reported data are consistent with the “Special Comment” by Moody’s Investors Service (“The Second Year of Section 404 Reporting on Internal Control,” May 2006), which concluded that material weakness reports are often lagging indicators of financial statement problems, undermining their usefulness to users of financial statements.

Similar findings were reported by Audit Analytics, which performed an analysis of nearly 3,000 filings and found that material year-end adjustments and restatements of financial statements served as predictors of a material weakness.

Do identified material weaknesses increase the cost of audits and delay audit reports? The limited research available suggests that the answer in both cases is yes: when material weaknesses are identified, the cost of an audit increases, as does the time to complete the audit. Companies with control deficiencies in personnel, inadequate segregation of duties, and problems with the closing process experience longer delays.

Research Questions: Investor Impact

Do investors care about material weaknesses in internal control? One might expect the answer of “some do and some don’t,” and there is undoubtedly some validity to this position. Yet, researchers need a more objective way to address questions about whether the disclosure of particular information (such as a material weakness) matters to investors. Researchers examine whether the information in question affects the market price of a company’s stock. They calculate the difference between the actual return for a stock and the market as a whole around the date on which the information becomes publicly available, and determine whether there is an abnormal return for the security.

In the case of a material weakness, that information may become available through a number of means, although most frequently it is through SEC forms 8-K, 10-Q, or 10-K, depending in part upon the timing. One would expect a negative market reaction to such information, because it would generally represent an unexpected internal control deficiency.

Recent studies generally conclude that, on average, the initial disclosure of a material weakness in internal control results in a negative stock market reaction. Thus, by this measure, stockholders do care about material weaknesses and punish companies that have them.

Does an adverse audit opinion result in a negative market reaction? This question is more difficult to address with the method used in the preceding question. Given that a material weakness is generally disclosed by management prior to the auditor issuing an adverse opinion on internal control, one would not expect the stock market to be “surprised” by such an adverse opinion. If the audit report is the first disclosure of the material weakness, however, one would expect a market reaction. One study (Lopez, Vandervelde, and Wu, “An Auditor’s Internal Control Report, An Experiment Investigation of Relevance,” unpublished working paper, University of South Carolina, 2006) concluded that, at least for the participants in their study, the auditor’s opinion on the effectiveness of internal controls is value-relevant. They conclude that the assessed stock price for companies receiving an adverse opinion on the effectiveness of internal controls is significantly less than for companies receiving an unqualified opinion.

Does the stock market react to the details (characteristics) of material weakness disclosures? During his tenure as SEC Chief Accountant, Donald Nicolaisen stated that not all material weaknesses are likely to be viewed as equally significant. Consistent with this statement, Moody’s Investor Service published a report in 2004 that proposed material weaknesses could be classified into “Category A,” which relates to controls over specific account balances or transaction-level processes, or “Category B,” which relates to company-level controls such as the control environment or the financial reporting process. Moody’s believes that auditors can effectively “audit around” Category A material weaknesses by performing additional substantive procedures in the area where the material weaknesses exist. Thus, for companies with Category A material weakness, there is ordinarily no negative reaction, assuming management takes corrective action to address the material weakness in a timely manner. On the other hand, Category B material weaknesses may result in a negative reaction (e.g., a decrease in stock price or bond rating). This is mainly due to a belief that auditors may not be able to effectively audit around problems that have a pervasive effect on a company’s financial reporting.

Can investors distinguish between different types of material weakness, as Moody’s suggests? Several studies have found that the Moody’s distinction appears to be accepted by investors. For example, one study (J.S. Hammersley, L.A. Myers, and C. Shakespeare, “Market Reactions to Internal Control Weakness Disclosures,” Review of Accounting Studies, forthcoming) examined the stock price reaction to management’s disclosure of internal control weaknesses required under SOX section 302. The study found that some characteristics of internal control weaknesses—their severity, management’s conclusion regarding the effectiveness of controls, their auditability, and the specificity of disclosures—are informative. Of the 57 types of weaknesses identified, the following five were considered less auditable than others:

Internal control weaknesses that are red flags for fraud or that allow fraud to occur;
Insufficient documentation to support transactions or adjusting entries;
Inadequate lines of communication between management and accounting staff and auditors that prevent transactions from being recorded correctly;
Problems with financial statement closing procedures;
Lack of key personnel (CFO or controller), and evidence that management overrode internal controls.
These items generally correspond to the categories proposed by Moody’s. The study also found that the information content of internal control weakness disclosures (the size of the market reaction) depends upon the severity of internal control weakness.

What the Current Research Indicates

These available research on audits of internal control of financial reporting in the wake of SOX can be summarized with a few conclusions:

Approximately 11% of companies received adverse opinions on internal control in 2006, down from 16% in 2005.
Companies that disclose material weakness are younger, smaller in size, growing rapidly, but less profitable. In addition, these companies have relatively more-complex capital structures.
Stock options, lease accounting, nonroutine transactions, and the period-end closing process have frequently been the source of material weaknesses.
Companies with material weaknesses frequently find the need to restate earnings. Disclosure of the material weakness often occurs subsequent to the restatement.
The existence of material weaknesses often results in more expensive and time-consuming audits.
The stock price of companies with material weaknesses generally falls after the disclosure.
Investors distinguish between an account-specific material weaknesses, which may be auditable, and a company-level material weakness, which may not. Investors react more negatively to company-level material weakness disclosures.

--------------------------------------------------------------------------------
Jian Zhang, PhD, is an assistant professor in the college of business at San Jose State University, San Jose, Calif.
Kurt Pany, CPA, PhD, is a professor of accountancy in the W.P. Carey School of Business at Arizona State University, Tempe, Ariz.

Wednesday, March 19, 2008

What is IASB and IASC

http://www.iasplus.com/restruct/whatis.htm#iasc

Tuesday, February 12, 2008

How to define the risk in the risk based audit

In this post I will provide the reader with plain and straight forward understanding of the risk assessment process. I have divided risk assessment process into six phases, each phase require a different method of understanding and implementation.

First
Categorize the activities in the company based on the core process functionalities, for example: (Cash management process, General Accounting, Sa
les etc).


Second
Identify all risks that your organization might face. You can identify the risks from several internal and external sources such as: (the org policy and procedures, website, senior management inputs, the employees interviews, lows and regulations, etc).

Third
Then you need to trace these risks with processes in your organization defined in step one.

By finishing this phase you will have a table include all risks in your org connected to one or more of the processes in the org.
The logic behind this is to define the responsible party in the organization who will manage and control each risk, and will be considered accountable for the impact of this risk in the organization if not controlled properly.
However, if the risk isn't connected to any one of the processes in the organization this indicates that this risk either doesn’t affect the company or its process has been missed.

After that we need to find a tool to measure the impact of these risks on the organizations processes, this is called the risk assessment, it will be explained in the following phase.

Fourth
Assess the risks means convert it into a measurable amount, thus we should develop a measurement tool to be used in the assessment process. This tool should include all possible qualitative (subjective) factors and quantitative (numerical) factors that have effect on the risks.

Examples on some factors that migh be considered when assessing any process's risk:

A. Monetary or Financial factors: (this is an objective factor) usually assessed by weighting the amount of money involved in the process such as: (cash outflow and inflow in the process, amount of expenses paid by the process, total amount of asset involved in the process, revenue generated by the process, etc.).

The numerical weight might be ranged from 5 to 1 based on the size of the financial factors of all processes, i.e. the bigger amount of the financial factor the higher the risk thus the higher weight.

Example if we apply one factor:
Amount of asset invested on the process Weight
0m-1m 1

1m-2m 2
2m-3m 3
3m-4m 4

4m-5m 5

Note: multiple financial factors might be involved to assess the weights by build in a matrix.


B. Level of operational control, (this is a subjective factor) usually assessed by weighting the efficiency and effectiveness of internal controls applied in the process, such as: (organizational structures, clarity of policy and procedures, etc), thus a scale ranged from strong to week is the best to be applied.
Example if we apply one factor:

Policy and procedures required and applied Weight Strong 1
Moderate 2

Week 3

Note: multiple factors can by applied concurrently, and more scale can be used as well.

C. Degree of Compliance required with regard to external rules and regulation. (Subjective). Scale from High to low can be used

D. Previous audit result. It is an objective factor. The numerical weight might be ranged from 5 to 1 based on the report result for example 5 is given for non satisfactory report, 3 for satisfied expect report and 1 for satisfied report.

E. Finally, whether it’s a core process in the company or it’s a supported process. (this is an objective factor). Usually assessed by weighting the magnitude of the process in the company, for example 5 is assigned for the core processes and 4 for the second level processes and so on.


To calculate the rate of each risk “defined in the second step above” on the organization; do the following:

  • Each one of the above factors will have a weight (25%, 20%, 15%, 20% and 20% respectively).
  • Multiply this weight with the risk assessment result you obtained after assessing each factor to determine the rating for each risk:

The result in the RATING will be used to:

  • Prioritize the risk magnitude and importance in the organization,
  • Manage these risks by determining the required level of internal control to mitigate these risks into an accepted level by the senior management of the organization.
  • Determine the impact of the risk on the organization by estimating the possibility of occurrence for each risk, this will be explained in the Fifth step.

Fifth
In order to have more details analysis per risk, we can add the possibility of occurrence for each risk within the process it self“It is the likelihood that the impacts of that risk will happen in the real situation and will have an effect on the company activities and increase the uncertainty of achieving the company objectives.To measure this, give the possibility of occurrence for each risk a degree of possibility such as “certainly will occur, likely, not likely, rare, and will not occur”




You can use the result of this table to draw a chart representing each risk location on the company risk appetite line


Sixth
After applying the control, the remaining risk that has not be covered by the control is the residual risk.

Saturday, June 23, 2007



Credit control
Credit occurs when the company grants its client to use its services or products before he compensates the company for this usage.

Elements of the credit control process
- Company strategy.
- Client credit worithness.
- Credit control function.

Overall company strategy/business plan determines the company intent regarding the credit policy, it might use a tight credit control policy or it might go for loss one. However, the clients' segmentation mechanism will affect the credit department functionality in the company.



Customer credit worthiness included many activities which depended on the size of the credit and the company services/product.

Function of the credit control
Following is an example of the credit control in the telecom industry

Telecom Credit Control Process main functions:-
A. Credit policy
B. Monitoring
C. Action
D. Credit control system

Credit policy
1. Credit control policy should be documented and approved by the senior management;

2. Credit control policy should include the concept of classifying the customers into sub segments or categories such as (Individual, Corporate, usage, method of payment, VIP, etc); and the justification behind such classification.

3. Monitoring concept should be determined in the policy:
- Whether it is based on prescribed credit limit or based upon the usage;
- Virtual credit limit (changed based on a certain criteria),
- If there is no credit limit is used, another concept should be applaied for example, the limit or risk of the customer is based on his usage behavior and payments history)

4. Action techniques that are used to monitor the credit policy should be documented, and it should include the disconnection process, timeframe of executions for the disconnection, type of disconnection, and whether it is e manual or automated.

5. Reconnection process. (threshold to reconnect the line).

6. Authority to override the credit control policy.

7. Credit control system business rules should be in line with the credit policy


Risks in the credit control policy
1. No credit control policy and procedures.
2. Credit control policy is not inline with over all company strategy (tight credit control policy or wide credit control policy)
3. No proper segregation of credit control function in the company (management conflict)
4. No credit limit or any concept to monitor customer. Or inaccurate/proper credit limit/concept.
5. Customer life value are not considered in the credit control mechanism
6. Customer are being monitored manually
7. Authority for credit policy override is not determined.
8. Customer exceeded their predetermined credit limit/concept without being disconnected.
9. No proper customer classification into segment, and no justification for current segmentation.
10. System business rule are not inline with credit policy. The following general control should be applied which included:
- User access right to the system;
- Segregation of duties;
- Business rule update mechanism
11. Management reporting in the credit is not comprehensive.