An Evidential Reasoning Approach to SarbanesOxley Mandated Internal Control Assessment

1
An Evidential Reasoning Approach to
Sarbanes-Oxley Mandated Internal Control
Assessment
Lili Sun, Rutgers University Rajendra
Srivastava, The University of Kansas David Vun
Kannon Theodore Mock, The University of Southern
California Miklos Vasarhelyi, Rutgers University
2
Developing The Next Generation Of Internal
Control Tools Using CA

• First generation of 404 implementation
• Focus on documentation of controls
• Filling gaps in COSO framework
• Highly labor intensive
• Second generation of 404 implementation
• More cost efficient and effective
• More systematic assessment of controls
• Focus on identifying material control weaknesses
  and audit automatically rather than manually

3
Evidential Reasoning Systematic, Higher Value IC
Assessment Tool

• Evidential reasoning a process of risk
  assessment where several assertions when combined
  together inform about the effectiveness of an
  internal control procedure and the overall
  internal control system.
• Decompose risk assessment into individual
  evidence level.
• Provide a rigorous algorithm to aggregate human
  beliefs.
• Provides systematic way to represent the
  interrelationships among multiple key components
  for the evaluation of IC.
• Help discipline Auditors thought process in
  estimating risk
• Serve as a decision aid for auditors.

4
Create A Systematic Representation Of KPMG Model
Of Risk Assessment

• Financial reporting model
• Parent company
• Subsidiary
• Financial statement
• Significant accounts
• Business process model
• Business process
• Objective
• Risk
• Control
• Evaluation procedures

5
Generic Evidential Reasoning Model Of Internal
Control Assurance
Financial reporting Model
Business Process Model
The system of IC/FR for Account j on BS is
effective
Process j is protected from IC risk i.
The system of IC for Process i is effective.
Control k
Control i
A1 IC/FR for the consolidated entity is
effective
IC/FR for subsidiary i is effective
IC/FR for Account i on BS is effective
IC for Process j is effective
Process j is protected from IC risk j.
OR
Control j
Control environment
6
Application of Evidential Reasoning Approach into
A Real Case
7
Automate The Aggregation Of Control Evaluations

• Input
• auditors evaluation on the effectiveness of
  individual control procedure
• Output
• Quantitative assessment of control effectiveness
  on multiple layers of the hierarchy from the
  individual control level to the overall financial
  statement level
• Evidential reasoning a useful decision aid for
  KPMG auditors because of its
• Clarity
• Practicability of use
• Completeness
• Adaptability

8
Continuing Work

• Validate model against a real audit case
• Explore issues related to the application of the
  proposed approach
• Refine the quantitative representation of
  internal control effectiveness.
• How to better elicit belief inputs from auditors.