Internal Control Systems

Jun 02, 2018

Bear Coopor
8/11/2019 Internal Control Systems

1/25

Internal Control Systems

ACC 444 Enterprise Process Analysis

Slide 1

Management Blues

In most companies, top-level management and owners can't possibly oversee every detailed aspect of their business.

So what do they worry about most? Things that can possibly go wrong, such as:

assets being stolen

errors in capturing, processing and reporting critical financial and non-financial information

operating inefficiencies

non-compliance with established policies

Slide 2

INTRODUCTION

Additionally, from the AIS perspective, control risks have increased in the last few years because:

a) There are computers and servers everywhere, and information is available to an unprecedented number of workers.

b) Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.

c) Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

Slide 3

OVERVIEW OF CONTROL CONCEPTS

Internal control is the process implemented by management to provide reasonable assurance that the following control objectives are achieved:

Assets (including data) are safeguarded.

Records accurately and fairly reflect company assets.

Accurate and reliable information is provided.

Financial reports are prepared in accordance with GAAP.

Operational efficiency is promoted and improved.

Adherence to prescribed managerial policies is encouraged.

The organization complies with applicable laws and regulations.

Internal controls perform three important functions:

Preventive controls

Detective controls

Corrective controls

Slide 4

SOX

In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.

The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX).

a) Applies to publicly held companies and their auditors

The intent of SOX is to:

Prevent financial statement fraud

Make financial reports more transparent

Protect investors

Strengthen internal controls in publicly-held companies

Punish executives who perpetrate fraud

SOX has had a material impact on the way boards of directors, management, and accountants operate.

Slide 5

SOX

Important aspects of SOX include:

Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.

New rules for auditors

New rules for audit committees

New rules for management

New internal control requirements

After the passage of SOX, the SEC (Securities & Exchange Commission) further mandated that:

Management must evaluate and report on the company's internal controls, using a recognized control framework (the most likely framework is the COSO model discussed later).

External auditors must also report on the state of the company's internal controls.

Slide 6

CONTROL FRAMEWORKS

A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:

The COBIT framework

a) Also known as the Control Objectives for Information and Related Technology framework.

b) A framework of generally applicable information systems security and control practices for IT control.

The COSO internal control framework

a) Defines internal controls.

b) Provides guidance for evaluating and enhancing internal control systems.

c) Widely accepted as the authority on internal controls.

COSO's Enterprise Risk Management framework (ERM)

a) An enhanced corporate governance document.

b) Takes a risk-based, rather than controls-based, approach to the organization.

c) Oriented toward future and constant change.

d) Incorporates rather than replaces COSO's internal control framework.

Slide 7

CONTROL FRAMEWORKS

COSO's Internal Control Framework

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:

a) The American Accounting Association

b) The AICPA

c) The Institute of Internal Auditors

d) The Institute of Management Accountants

e) The Financial Executives Institute

Slide 8

CONTROL FRAMEWORKS

In 1992, COSO issued the Internal Control - Integrated Framework:

Defines internal controls.

Provides guidance for evaluating and enhancing internal control systems.

Widely accepted as the authority on internal controls.

Incorporated into policies, rules, and regulations used to control business activities.

In 2012, COSO updated the original framework to consider changes in business, operating, and regulatory environments.

Slide 15

ERM FRAMEWORK

COSO developed a model to illustrate the elements of ERM.

The ERM model is three-dimensional.

This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.

Slide 17

Internal Environment

Factors that influence the control environment:

Management's philosophy, operating style, & risk appetite (management's attitude towards internal controls & risks)

The Board of Directors (competent, active & involved; majority independent; audit committee composed of independent directors only)

Commitment to integrity, ethical values & competence (management practicing & preaching honesty, punishing dishonesty)

Organizational structure (appropriate reporting relationships)

Methods of assigning authority and responsibility (clearly defined roles & responsibilities)

Human resource standards (for hiring, compensating, training, evaluating, promoting, discharging, etc.)

External influences (pressures from outside; e.g., regulations, Wall Street expectations, etc.)

Slide 18

INTERNAL CONTROL SYSTEMS

TO BE CONTINUED...

Slide 19

OBJECTIVE SETTING

Objective setting is the second ERM component.

It must precede many of the other six components.

For example, you must set objectives before you can define events that affect your ability to achieve objectives.

Slide 21

EVENT IDENTIFICATION

Events are:

Incidents or occurrences that emanate from internal or external sources

That affect implementation of strategy or achievement of objectives.

Impact can be positive, negative, or both.

Events can range from obvious to obscure.

Effects can range from inconsequential to highly significant.

By their nature, events represent uncertainty.

Slide 23

RISK ASSESSMENT AND RISK RESPONSE

COSO indicates there are two types of risk:

Inherent risk (i.e., before controls are implemented)

Residual risk (i.e., after controls are implemented)

Companies should:

Assess inherent risk

Develop a response

Then assess residual risk

Four ways to respond to risk:

Reduce it

Accept it

Share it

Avoid it

RISK ASSESSMENT AND RISK RESPONSE PROCESS

(Flowchart on the original slide; its boxes read in order as follows.)

a) Identify the events or threats that confront the company.

b) Estimate the likelihood or probability of each event occurring.

c) Estimate the impact of potential loss from each threat.

d) Identify a set of controls to guard against the threat.

e) Estimate costs and benefits from instituting controls.

f) Is it cost-beneficial to protect the system?

Yes: reduce risk by implementing the set of controls to guard against the threat.

No: avoid, share, or accept the risk.
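The flow above, together with the inherent-versus-residual distinction from the preceding slide, as an added worked example (not part of the original slides): expected loss is likelihood times impact, the control benefit is the drop from inherent to residual expected loss, and the decision diamond compares that benefit with the control cost. Threat names, probabilities and dollar figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One row of the risk assessment. All values are constructed."""
    name: str
    likelihood: float           # inherent probability of the event per year
    impact: float               # loss in dollars if the event occurs
    control_cost: float         # annual cost of the proposed control set
    residual_likelihood: float  # probability once the controls are in place


def expected_loss(likelihood: float, impact: float) -> float:
    """Steps b) and c) of the flow: likelihood times impact."""
    return likelihood * impact


def control_benefit(t: Threat) -> float:
    """Step e): inherent expected loss minus residual expected loss,
    i.e. how much the control set is worth per year."""
    return expected_loss(t.likelihood, t.impact) - expected_loss(t.residual_likelihood, t.impact)


def respond(t: Threat) -> str:
    """Step f), the decision diamond: reduce the risk when the benefit
    exceeds the cost; otherwise it must be avoided, shared, or accepted."""
    if control_benefit(t) > t.control_cost:
        return "reduce"
    return "avoid/share/accept"


# Constructed sample threats; names and figures are illustrative only.
SAMPLE_THREATS = [
    Threat("unauthorised payment release", 0.10, 250_000, 8_000, 0.01),
    Threat("data centre flood", 0.01, 400_000, 30_000, 0.005),
]


def assess(threats=SAMPLE_THREATS) -> dict:
    """Run the flow over every threat.

    Returns {name: (inherent expected loss, control benefit, response)}.
    """
    return {
        t.name: (expected_loss(t.likelihood, t.impact), control_benefit(t), respond(t))
        for t in threats
    }
```

A residual expected loss that is still uncomfortably high after "reduce" is the cue to loop back and consider sharing (insurance) or avoiding the activity altogether.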

Slide 26

CONTROL ACTIVITIES

The sixth component of COSO's ERM model.

Control activities are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out.

Slide 27

CONTROL ACTIVITIES

Generally, control procedures fall into one of the following categories:

Proper authorization of transactions and activities

Segregation of duties

Project development and acquisition controls

Change management controls

Design and use of documents and records

Safeguard assets, records, and data

Independent checks on performance

Slide 28

Incompatible Duties

Incompatible duties that should be segregated:

a) Authorization: approving transactions and decisions.

b) Recording: preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.

c) Custody: handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account.

If any two of the preceding functions are the responsibility of one person, then problems can arise.

Also, when two or more people collude, then segregation of duties becomes ineffective and controls are overridden.

Slide 32

Segregation of Duties - Examples

At most movie theaters, one employee is responsible for issuing tickets and collecting cash while another employee collects those tickets when you enter the theater. How does this practice provide segregation of duties that helps the theater ensure all sales are properly accounted for?

Slide 34

CONTROL ACTIVITIES

Authority and responsibility must be divided clearly among the following functions:

Systems administration

Network management

Security management

Change management

Users

Systems analysts

Programming

Computer operations

Information systems library

Data control

It is important that different people perform the preceding functions.
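The segregation rules from the Incompatible Duties slide (any two of authorization, recording and custody in one pair of hands) and from the list above (each IT function performed by a different person), as an added access-review check that is not part of the original slides. The function and user names in the sample assignment are constructed.

```python
# Incompatible accounting duties: any two held by one person is a conflict.
INCOMPATIBLE_DUTIES = {"authorization", "recording", "custody"}

# IT functions the slide says must be performed by different people.
IT_FUNCTIONS = {
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
}


def sod_violations(assignments: dict) -> dict:
    """Return {person: sorted conflicting functions} for every person whose
    assigned functions combine duties that should be segregated.

    assignments maps a person to the set of functions they perform.
    Holding one accounting duty and one IT function is not flagged: the
    slides only define conflicts within each group.
    """
    violations = {}
    for person, functions in assignments.items():
        acct = functions & INCOMPATIBLE_DUTIES
        it = functions & IT_FUNCTIONS
        conflicts = set()
        if len(acct) >= 2:   # any two of authorization / recording / custody
            conflicts |= acct
        if len(it) >= 2:     # more than one of the listed IT functions
            conflicts |= it
        if conflicts:
            violations[person] = sorted(conflicts)
    return violations


def unassigned_it_functions(assignments: dict) -> list:
    """IT functions nobody performs: not a conflict, but a gap in the
    division of authority that the same review should report."""
    covered = set().union(*assignments.values()) if assignments else set()
    return sorted(IT_FUNCTIONS - covered)


# Constructed sample assignment (names and roles are made up).
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"recording", "custody"},                   # two accounting duties
    "carol": {"programming", "computer operations"},   # developer also runs production
    "dave": {"security management", "recording"},      # one from each group: allowed
}
```

Run against an export of real role assignments, the review surfaces exactly the two-in-one-hand cases the slide warns about; collusion between two people who each hold one duty is outside what any static check can see, which is why the slide lists it as a way controls get overridden.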

Slide 35

CONTROL ACTIVITIES

Adequate Documentation

Documentation allows management to verify that assigned responsibilities were completed correctly.

How is this achieved in a non-paper environment?

What types of problems can arise from inadequate documentation?

Example

Many restaurants issue customer checks with prenumbered sequence codes and food servers use them to write up customer orders. Servers turn in all checks that were not used at the end of their shift. How does this policy provide documentation that helps the restaurant ensure that all sales transactions have been properly accounted for?
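The end-of-shift reconciliation that the prenumbered-check policy makes possible, as an added example that is not part of the original slides: every number in a server's issued range must appear either as a rung-up sale or among the returned blanks, and anything else is an exception. Server name, check ranges and amounts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ShiftReturn:
    """What one server hands in at the end of a shift (constructed data)."""
    server: str
    issued: range                                       # check numbers issued at shift start
    sales: dict = field(default_factory=dict)           # check number -> amount rung up
    returned_blank: set = field(default_factory=set)    # unused checks handed back


def reconcile(shift: ShiftReturn) -> dict:
    """Account for every prenumbered check in the issued range.

    A check is either rung up as a sale or returned blank; anything else
    is an exception the manager has to resolve before the shift closes.
    """
    issued = set(shift.issued)
    used = set(shift.sales)
    blank = shift.returned_blank
    return {
        # Issued, not rung up, not returned: a sale may have gone unrecorded.
        "missing": sorted(issued - used - blank),
        # Recorded as a sale and also returned blank: substitution or keying error.
        "both_used_and_blank": sorted(used & blank),
        # Numbers this server was never issued: from another range or outside house stock.
        "not_issued": sorted((used | blank) - issued),
        "sales_total": round(sum(shift.sales.values()), 2),
    }


def shift_is_clean(shift: ShiftReturn) -> bool:
    """True only when every issued check is accounted for exactly once."""
    r = reconcile(shift)
    return not (r["missing"] or r["both_used_and_blank"] or r["not_issued"])


# Constructed sample: server 7 was issued checks 1001..1010.
SAMPLE_SHIFT = ShiftReturn(
    server="server-7",
    issued=range(1001, 1011),
    sales={1001: 24.50, 1002: 18.00, 1004: 41.25, 1005: 9.75, 1006: 33.00, 1012: 5.00},
    returned_blank={1006, 1007, 1008, 1009, 1010},
)
```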

Slide 36

INFORMATION AND COMMUNICATION

The seventh component of COSO's ERM model.

The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.

So accountants must understand how:

Transactions are initiated

Data are captured in or converted to machine-readable form

Computer files are accessed and updated

Data are processed

Information is reported to internal and external parties

Slide 38

MONITORING

The eighth component of COSO's ERM model.

Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

Slide 41

INHERENT LIMITATIONS OF INTERNAL CONTROL SYSTEMS

Internal control systems have inherent limitations, including:

They are susceptible to errors and poor decisions.

They can be overridden by management or by collusion of two or more employees.

Internal control objectives are often at odds with each other. EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.