Chapter 8-1. Chapter 8-2 Chapter 8 Introduction to Internal Control Systems Introduction Internal Control Systems Definition Framework Preventive,

Chapter 8-1

Chapter 8-1

Chapter 8-2

Chapter 8-2

Chapter 8Introduction to Internal Control

Systems

Introduction

Internal Control Systems Definition Framework

Preventive, Detective, and Corrective Controls

Control Activities within an Internal Control System

Cost-Benefit Concept for Developing Controls

Chapter 8-3

Chapter 8-3

Introduction

An organization’s financial resources canbe protected from loss, waste, or theft by

developing an internal control system

implementing it within its AIS

An internal control system

ensures reliable data processing

promotes operational efficiency

Chapter 8-4

Chapter 8-4

Internal Control

An internal control system consists ofvarious methods designed and implemented

several measures planned and executed

Chapter 8-5

Chapter 8-5

It aims to achieve four main objectives:to safeguard assets

to check the accuracy and reliability of accounting data

to promote operational efficiency

to encourage adherence to prescribed managerial policies

Internal Control

Chapter 8-6

Chapter 8-6

Describes the policies, plans, and procedures implemented by a firm to protect its assets. people involved include: board of directors management other personnel

provides reasonable assurance of: effectiveness and efficiency, reliability of financial reporting, and compliance with applicable laws

and regulations

Internal Control

Chapter 8-7

Chapter 8-7

Objectives of the Internal Control Structure

The objectives of the Control Structure are:Safeguarding assets

Checking the accuracy and reliabilityof accounting data

Promoting operational efficiency

Encouraging adherence toprescribed managerial policies

Chapter 8-8

Chapter 8-8

Background Informationon Internal Controls

The key laws, professional guidance, and reports that focus on internal controls are:

Foreign Corrupt Practices Act 1977

Treadway Commission Report 1977

SAS No. 55 1988

Committee of Sponsoring Organizations (COSO) Report 1992

SAS No. 78 1995

Control Objectives for Business and IT (COBIT) 1995

Information Federation for Information Processing 2001

Chapter 8-9

Chapter 8-9

Background Informationon Internal Controls

SAD No. 94 2001

Sarbanes-Oxley Act, Section 404 2002

Committee of Sponsoring Organizations (COSO) Report 2004

CobiT, Version 4.0 2005

Chapter 8-10

Chapter 8-10

Foreign Corrupt Practices Act

In 1977 the Foreign Corrupt PracticesAct (FCPA) makes

it illegal for publicly owned corporations to bribe foreign officials

board members and managers personally liable if illegal payments are made

only applies to publicly owned corporations

Chapter 8-11

Chapter 8-11

Provisions of the Foreign Corrupt Practices Act

The FCPA requires that publicly held companies design and implement a system of control procedures

The control system must provide assurance that:assets are accounted for appropriatelytransactions are in conformity to GAAP access to assets is properly controlledperiodic comparisons of existing assets to the accounting records are made

Chapter 8-12

Chapter 8-12

Background of Internal Controls

The Treadway Commission Report recommended: a common definition for internal control guidance for judging the effectiveness of internal

control methods to improve internal control

Chapter 8-13

Chapter 8-13

Background of Internal Controls

Results of The Committee of Sponsoring Organizations (COSO) in 1992 defines internal control and describes its

components presents criteria to evaluate internal control

systems provides guidance for public reporting on

internal controls offers materials to evaluate an internal control

system

Chapter 8-14

Chapter 8-14

The International Federation for Information Processing in 2001 sponsored conference “Integrity and Internal Control in Information Systems” (ISACF) encouraged IT and Internal control specialist: to work together to develop reliable systems which would enable managers to have more confidence in the integrity of their information systems and the data generated from those systems

.

Background of Internal Controls

Chapter 8-15

Chapter 8-15

Components of Internal Control According to the 1992

COSO Report

Control Environment

Risk Assessment

Control Activities

Information andCommunication

Monitoring

Chapter 8-16

Chapter 8-16

The Control Environment

The Control Environment establishes the tone of a company, influences the control awareness of the employees.

Factors included within the control environment are:Integrity, ethical values and competence of employeesManagement philosophy and operating styleAssignment of authority and responsibilityThe attention and direction provided by theboard of directors

Chapter 8-17

Chapter 8-17

Risk Assessment

Risk assessment involvesrecognition that every organization facesrisks to its successrecognition that the sources are internal and external identification, analysis and actionto achieve the company’s goalsuse of cost-benefit analysis

Chapter 8-18

Chapter 8-18

Control Activities

Control activities:

are the policies and procedures that ensure management directives are carried out, protection of the assets of the firm

include a combination of manual controls automated controls.

Chapter 8-19

Chapter 8-19

Can be categorized as approvals authorizations verifications reconciliations reviews of operating performance segregation of duties

Control Activities

Chapter 8-20

Chapter 8-20

Information and Communication

Management’s responsibility to make sure the accounting system,

collects

measures

processes

communicates to individuals inside and outside the firm

Chapter 8-21

Chapter 8-21

Information and Communication

Communication helps personnelunderstand their roles and responsibilities to internal control by the use of:

policies and procedures manuals training sessions for new employees refreshers training for continuing

employees

Chapter 8-22

Chapter 8-22

Monitoring

Monitoring is the process that assesses the qualityof internal control performance over time

involves evaluating the design and operation of controls on a timely basis,

initiating corrective action when specific controls are not functioning properly.

Chapter 8-23

Chapter 8-23

2004 COSO Enterprise Risk Management

Framework

Stra

tegic

Operat

ions

Repor

ting

Compli

ance

Internal Environment

Objective Setting

Event Identification

Risk Assessment

Risk Response

Control Activities

Information & Communication

Monitoring

Business

Unit

Subsidiary

Entity L

evel

Division

Chapter 8-24

Chapter 8-24

2004 Framework added elements to 1992 COSO

Objective setting

Event identification

Risk response

Chapter 8-25

Chapter 8-25

Objective Setting

Enterprise’s objectives are viewed from these four perspectives:

• Strategic; high level goals and mission• Operations; day to day goals• Reporting; internal and external• Compliance; with laws and regulations

Chapter 8-26

Chapter 8-26

Event Identification and Risk Response

Identify threats

Analyze the risks

Implement cost-effective countermeasures

Chapter 8-27

Chapter 8-27

Control Procedures Analysis

Control Procedures can be classified asPreventive Controls to prevent some potential problem from

occurring when an activity is performedDetective Controls – alert us when preventive controls have failed

Corrective controls to remedy problems discovered through

detective controls

Chapter 8-28

Chapter 8-28

Interrelationship of Preventive and Detective

Controls

Preventive and detective control procedures

should not be treated as mutually exclusive.

are interrelated

Chapter 8-29

Chapter 8-29

Control Activities

Within an Internal Control System arethe following features

a good Audit Trail

sound personnel policies and competent employees

separation of duties

physical protection of assets

internal reviews of controls by internal audit subsystem

Timely Performance Reports

Chapter 8-30

Chapter 8-30

Good Audit Trail

An audit trail enables auditors and accountants

to follow the transaction data from the initial source documents to the final disposition in a financial

report and vice-versa

to detect, in the processing data errors and irregularities

Chapter 8-31

Chapter 8-31

Sound Personnel Policies

Examples of sound personnel policies are:Specific hiring procedures

Training programs

Good supervision

Fair and equitable guidelines foremployees’ salary increases

Chapter 8-32

Chapter 8-32

Sound Personnel Policies

Rotation of certain key employees in different jobs

Enforced vacations

Insurance coverage on those employees who handle liquid assets

Regular performance reviews

Chapter 8-33

Chapter 8-33

Separation of Duties

Segregating activities and responsibilities of employees allows different people to perform various tasks of a specific transaction

The main functions that should be kept separate are custody of assets recording transactionsauthorizing transactions

Chapter 8-34

Chapter 8-34

Physical Protection of Assets

Protection of assets is

keeping a company’s assets in a safe physical location

minimizing the risk of damage to the assets or

avoiding theft by employeesor outsiders

Chapter 8-35

Chapter 8-35

Physical Protection of Assets

Examples of accounting control procedure

a voucher system protects against unauthorized cash disbursements.

a petty cash fund is used for small expenditures where writing a check would be inefficient.

cash receipts deposited intact each day

Chapter 8-36

Chapter 8-36

Internal Reviews of Controls

Internal auditors report to high-level management or to the board of directors in order to remain independent and objective as a separate subsystem

perform periodic reviews on each department to evaluate their efficiency and effectiveness make recommendations of ways cost of control procedures can be reduced

Chapter 8-37

Chapter 8-37

Timely Performance Reports

Performance reports provide information to management on efficiency of the internal controls and effectiveness of the internal controls

These reports should provide timely feedback tomanagement on the success of the internal controls or failure of the internal controls

Chapter 8-38

Chapter 8-38

Cost-Benefit Concept for Developing Controls

A cost-benefit analysis should be conducted to make sure that the benefitsof planned controls exceed the cost of implementingthem in the system

controls are considered cost-effective when their anticipated benefits exceed their anticipated costs

an ideal control is a control procedure that reducesto practically zero the risk of an undetected error or irregularity.

Chapter 8-39

Chapter 8-39

Cost Benefit Analysis

The benefits of additional control procedures

result from risk of loss reductions.

should include a measure of loss the exposure (potential loss associated with a

control problem) and risk (probability that the control problem will

occur).

are calculated as Expected loss = risk X exposure

Chapter 8-40

Chapter 8-40

Copyright

Copyright 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without theexpress written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchasermay make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

Chapter 8-41

Chapter 8-41

Chapter 8