
Chapter 9-1. Chapter 9-2 Chapter 9: Introduction to Internal Control Systems Introduction 1992 COSO Report Updates on Risk Assessment & 2013 Update Examples.

Dec 26, 2015

Ashlynn Preston
Chapter 9-1

Chapter 9-2

Chapter 9: Introduction to Internal Control Systems

Introduction

1992 COSO Report

Updates on Risk Assessment & 2013 Update

Examples of Control Activities

2011 COBIT, Version 5

Types of Controls

Evaluating Controls

Chapter 9-3

Introduction – Fraud (Ch 11) & Errors

Errors

Errors may be the result of many factors:

Distractions – concurrent tasks, work environment, personal situations

Complexity – it’s easier to complete a simple task than a hard one.

Limitations – fatigue, cognitive limitations, etc.

Chapter 9-4

Internal Control Systems

Definition: policies, plans, and procedures implemented to protect a firm’s assets

People involved: board of directors, management, other key personnel

Chapter 9-5

Internal Control Systems

Provides reasonable assurance of:

Effectiveness and efficiency of operations

Reliability of financial reporting

Protection of assets

Compliance with applicable laws and regulations

Important guidance: Statement on Auditing Standard No. 94; Sarbanes-Oxley Act of 2002

Chapter 9-6

Risk Control Strategies

Avoidance – removing the exposure through policy, training and education, or technology

Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)

Mitigation – reducing the impact through planning and preparation

Acceptance – doing nothing when the protection gained does not justify the cost of the control

Chapter 9-7

Internal Control System Objectives

Safeguard assets

Check the accuracy and reliability of accounting data

Promote operational efficiency

Enforce prescribed managerial policies

Chapter 9-8

Information System Goals – CIA Triangle

Confidentiality

Integrity

Availability

Chapter 9-9

CIA Triangle

Confidentiality – ensuring that information is accessible only to those who are properly authorized

Integrity – ensuring that data has not been modified without authorization

Availability – ensuring that systems are operational when needed for use

Chapter 9-10

Background Information on Internal Controls

Chapter 9-11

Background Information on Internal Controls

Chapter 9-12

Background Information on Internal Controls

Chapter 9-13

1992 COSO Report

Defines internal control and components

Presents criteria to evaluate internal control systems

Provides guidance for public reporting on internal controls

Offers materials to evaluate an internal control system

Chapter 9-14

Components of Internal Control – COSO 1992

Control Environment

Management’s oversight, integrity, and ethical principles

Attention and direction by board of directors

Management’s philosophy and operating style

Method of assigning authority and responsibility

Method of organizing and developing employees

Chapter 9-15

Components of Internal Control – COSO 1992

Risk Assessment

Identify organizational risks

Analyze potential of risks (cost and occurrence)

Cost-benefit analysis

Control Activities

Policies and procedures

Manual and automated

Chapter 9-16

Components of Internal Control – COSO 1992

Information and Communication

Inform employees

Roles and responsibilities

Importance of good working relationships

Monitoring

Evaluation of internal controls

Initiate corrective action when necessary

Chapter 9-17

2004 COSO Enterprise Risk Management Framework

Emphasizes enterprise risk management

Includes COSO (1992) control components

Three new components: objective setting, event identification, risk response

Chapter 9-18

2004 COSO Enterprise Risk Management Framework

Chapter 9-19

Components of Internal Control – COSO 2004

Objective Setting

Strategic – high-level goals and mission

Operations – day-to-day efficiency, performance, and profitability

Reporting – internal and external

Compliance – laws and regulations

Chapter 9-20

Components of Internal Control – COSO 2004

Event Identification and Risk Response

Identify threats

Analyze risks

Implement cost-effective countermeasures

Additional considerations: risk tolerance, cost-benefit trade-offs

Chapter 9-21

COSO 2013 Objectives

Update Content - Reflect changes in business & operating environments

Broaden Application - Expand operations and reporting objectives

Clarify Requirements - Articulate principles to facilitate effective internal control

Chapter 9-22

COSO 1992, 2004, 2013

23

Environment changes have driven Framework updates:

Expectations for governance oversight

Globalization of markets and operations

Changes and greater complexity in business

Demands and complexities in laws, rules, regulations, and standards

Expectations for competencies and accountabilities

Use of, and reliance on, evolving technologies

Expectations relating to preventing and detecting fraud

COSO Cube (2013 Edition)

Update considers changes in business and operating environments

24

Update articulates principles of effective internal control

Control Environment

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

25

Update describes important characteristics of principles, e.g.,

• Points of focus may not be suitable or relevant, and others may be identified

• Points of focus may facilitate designing, implementing, and conducting internal control

• There is no requirement to separately assess whether points of focus are in place

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

Points of Focus:

• Sets the Tone at the Top

• Establishes Standards of Conduct

• Evaluates Adherence to Standards of Conduct

• Addresses Deviations in a Timely Manner

Chapter 9-26

Chapter 9-27

Risk Assessment Worksheet

Chapter 9-28

Study Break #4

Which of the following is not one of the three additional components that was added in the 2004 COSO Report?

A. Objective setting

B. Risk assessment

C. Event identification

D. Risk response

Chapter 9-29

Examples of Control Activities

Good Audit Trail

Sound Personnel Policies and Practices

Separation of Duties

Physical Protection of Assets

Reviews of Operating Performance

Chapter 9-30

Good Audit Trail

Use of Audit Trail

Follow the path of data recorded in a transaction

From initial source documents to the final disposition of the data

From data on reports back to the source documents

Purpose of Audit Trail

Verify accuracy of recorded transactions

Detect errors and irregularities
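The two directions of tracing described on this slide can be automated. The following is an added example, not material from the slides or the course, using constructed sample records: hypothetical source documents (invoice numbers and amounts), ledger entries that cite the document they were posted from, and a period-end report total. The forward trace finds source documents that never reached the ledger; the backward trace finds ledger entries with no supporting document or an amount that differs from it.

```python
"""Audit-trail tracing over constructed sample records (added example)."""
from decimal import Decimal

# Constructed sample source documents (approved invoices), keyed by number.
SOURCE_DOCS = {
    "INV-100": Decimal("250.00"),
    "INV-101": Decimal("75.50"),
    "INV-102": Decimal("1200.00"),   # constructed: never posted to the ledger
}

# Constructed sample ledger entries, each citing the document it came from.
LEDGER = [
    {"entry": 1, "source": "INV-100", "amount": Decimal("250.00")},
    {"entry": 2, "source": "INV-101", "amount": Decimal("57.50")},   # constructed: transposed digits
    {"entry": 3, "source": "INV-999", "amount": Decimal("40.00")},   # constructed: no supporting document
]

# Constructed figure from the period-end report being verified.
REPORTED_TOTAL = Decimal("347.50")


def unrecorded_documents(source_docs, ledger):
    """Forward trace: source documents that were never posted to the ledger."""
    posted = {e["source"] for e in ledger}
    return sorted(doc for doc in source_docs if doc not in posted)


def unsupported_entries(ledger, source_docs):
    """Backward trace: ledger entries lacking a source document or disagreeing with it."""
    findings = []
    for e in ledger:
        expected = source_docs.get(e["source"])
        if expected is None:
            findings.append((e["entry"], "no source document"))
        elif expected != e["amount"]:
            findings.append((e["entry"], f"amount {e['amount']} != source {expected}"))
    return findings


def report_difference(ledger, reported_total):
    """Difference between the reported total and what the ledger actually sums to."""
    return reported_total - sum(e["amount"] for e in ledger)


if __name__ == "__main__":
    print("unrecorded source documents:", unrecorded_documents(SOURCE_DOCS, LEDGER))
    for entry, reason in unsupported_entries(LEDGER, SOURCE_DOCS):
        print(f"ledger entry {entry}: {reason}")
    print("report minus ledger:", report_difference(LEDGER, REPORTED_TOTAL))
```

In the constructed data the report total agrees with the ledger to the cent even though one invoice was never recorded, one amount was transposed and one entry has no document behind it: a total that ties out is not evidence that the individual transactions are accurate, which is why the slide has the trail run in both directions.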

Chapter 9-31

Sound Personnel Policies

Chapter 9-32

Separation of Duties

Purpose

Structure of work assignments

One employee’s work checks the work of another

Separate Related Activities

Authorizing transactions

Recording transactions

Maintaining custody of assets
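A separation-of-duties check over role assignments and over individual transactions, as an added example (not from the slides or the course). It uses constructed sample data with hypothetical employee names: a standing role table and a few transactions recording who authorized, who recorded and who held custody. Both checks flag any one person combining two or more of the three activities the slide says should be kept apart.

```python
"""Separation-of-duties conflict detection over constructed sample data (added example)."""
from itertools import combinations

# The three activities that the slide says should be held by different people.
INCOMPATIBLE_DUTIES = frozenset({"authorize", "record", "custody"})

# Constructed sample: standing role assignments for hypothetical employees.
ROLE_ASSIGNMENTS = {
    "alice": {"authorize"},
    "bob": {"record"},
    "carol": {"custody", "record"},      # constructed conflict: custody + record
    "dave": {"authorize", "custody"},    # constructed conflict: authorize + custody
}

# Constructed sample: who performed each activity on each transaction.
TRANSACTIONS = [
    {"id": "T-1001", "authorized_by": "alice", "recorded_by": "bob", "custodian": "carol"},
    {"id": "T-1002", "authorized_by": "dave", "recorded_by": "bob", "custodian": "dave"},
    {"id": "T-1003", "authorized_by": "alice", "recorded_by": "alice", "custodian": "carol"},
]

# Maps each duty to the transaction field that names who performed it.
DUTY_FIELDS = {"authorize": "authorized_by", "record": "recorded_by", "custody": "custodian"}


def role_conflicts(assignments):
    """Return {employee: sorted incompatible duties} for anyone holding two or more of them."""
    conflicts = {}
    for employee, duties in assignments.items():
        held = INCOMPATIBLE_DUTIES & set(duties)
        if len(held) >= 2:
            conflicts[employee] = sorted(held)
    return conflicts


def transaction_conflicts(transactions):
    """Return {txn id: [(duty_a, duty_b, person), ...]} where one person performed both duties."""
    findings = {}
    for txn in transactions:
        hits = []
        for duty_a, duty_b in combinations(sorted(DUTY_FIELDS), 2):
            person_a = txn[DUTY_FIELDS[duty_a]]
            person_b = txn[DUTY_FIELDS[duty_b]]
            if person_a == person_b:
                hits.append((duty_a, duty_b, person_a))
        if hits:
            findings[txn["id"]] = hits
    return findings


if __name__ == "__main__":
    for employee, duties in role_conflicts(ROLE_ASSIGNMENTS).items():
        print(f"role conflict: {employee} holds {' + '.join(duties)}")
    for txn_id, hits in transaction_conflicts(TRANSACTIONS).items():
        for duty_a, duty_b, person in hits:
            print(f"{txn_id}: {person} performed both {duty_a} and {duty_b}")
```

The role-table check is the preventive side (catch the conflicting assignment before any transaction occurs); the per-transaction check is the detective side, since a person may act outside their nominal role, and a clean role table alone does not show what actually happened.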

Chapter 9-33

Physical Protection of Assets

Inventory Controls

Stored in a safe location with limited access

Utilization of a receiving report

Document Controls

Protecting valuable organizational documents: corporate charter, major contracts, blank checks, and SEC registration statements

Chapter 9-34

Physical Protection of Assets

Cash Control – most susceptible to theft and human error

Fidelity bond coverage

Use checks for cash disbursements

Deposit the daily cash receipts intact

Chapter 9-35

Reviews of Operating Performance

Internal Audit Function

Reports to the Audit Committee of the Board of Directors

Independent of other subsystems

Enhances objectivity

Duties of Internal Auditors

Operational audits

Regular reviews of internal control systems

Chapter 9-36

Study Break #5

Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees?

A. Analysis, authorizing, transactions

B. Custody, monitoring, detecting

C. Recording, authorizing, custody

D. Analysis, recording, transactions

Chapter 9-37

2011 COBIT, Version 5

Control Objectives for Information and related Technology (COBIT)

Strategic alignment

Realization of expected benefits of IT

Continual assessment of IT investment

Determine risk appetite

Measure and assess performance of IT resources

Chapter 9-38

COBIT and Val IT Integration

Chapter 9-39

Types of Controls

Preventive controls – prevent problems from occurring

Detective controls – alert managers when preventive controls fail

Corrective controls – solve or correct a problem

Chapter 9-40

Evaluating Controls

Requirements of Sarbanes-Oxley Act

Statement of management responsibility for the internal control structure

Assessment of effectiveness of the internal control structure

Attestation of the auditor on the accuracy of management’s assessment

Chapter 9-41

Cost-Benefit Analysis

Chapter 9-42

Risk assessments are tricky

Choose between two treatments for 600 people affected by a deadly disease

"Saves 200 lives"

Chapter 9-43

Risk assessments are tricky

Choose between two treatments for 600 people affected by a deadly disease

"400 people will die"

Chapter 9-44

A Risk Matrix

Chapter 9-45

Chapter 9

Chapter 9-46

The Risk Management Process

Identify IT Assets

Assess IT Risks

Identify IT Controls

Document IT Controls

Monitor

Chapter 9-47

Risk Management – Asset Identification

Software

Data

Cash

Inventory

Facilities

Processes

People

Hardware

Chapter 9-48

Asset Valuation – What do we stand to lose?

Assets: people, data, hardware, software, facilities, (procedures)

Valuation Methods

Criticality to the organization’s success

Revenue generated

Profitability

Cost to replace

Cost to protect

Embarrassment/Liability