Blue Red-Lines Background

Acct 316
Control and Accounting Information Systems
Chapter 7
UAA – ACCT 316
Accounting Information Systems
Dr. Fred Barbee
Introduction to Internal Control

Internal Control . . .
Can an information system operate without internal controls? Perhaps.
Will the organization attain its objectives? Perhaps.
Why Internal Control?

Why Controls . . .
To ensure system goals are achieved.
To lessen the risk of unwanted outcomes.

Controls . . .
What are the goals that internal control is designed to achieve?
What are the typical business risks that the organization should try to avoid?

Question
What are the goals that internal control is designed to help achieve?

Internal Control Goals
The National Commission on Fraudulent Financial Reporting appointed the Committee of Sponsoring Organizations (COSO) to study internal control.

Internal Control Goals
COSO entity objectives . . .
- Operations: relating to effective and efficient use of an entity’s resources.
- Financial Reporting: relating to preparation of reliable financial reports.
- Compliance: relating to the entity’s compliance with applicable laws and regulations.
Question
What are the typical business risks that an organization should try to avoid?

What is Risk?
The dictionary defines risk as . . . hazard; peril; exposure to loss or injury.

What is an exposure?
Exposure . . . the potential financial effect of an event multiplied by its probability of occurrence.
Exposure = Potential Financial Effect of an Event X Probability of Occurrence

Risk Analysis
THREAT * EXPOSURE * RISK = EXPECTED LOSS

Risk Analysis – Internal Controls
THREAT * EXPOSURE * RISK = EXPECTED LOSS

Controls . . .
An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence.
Potential Financial Effect of an Event: $5,000,000
Probability of Occurrence: X 5%
Exposure = $250,000

Direct Material Variances
An example of a control system in accounting:
AQ X AP
AQ X SP
SQ X SP
Rate Variance = (AQ X AP) – (AQ X SP)
Quantity Variance = (AQ X SP) – (SQ X SP)
Common Business Exposures
- Erroneous Record Keeping
- Unacceptable Accounting
- Business Interruptions
- Erroneous Management Decisions
- Fraud and Embezzlement
- Statutory Sanctions
- Excessive Costs
- Loss/Destruction of Resources
- Competitive Disadvantage
What are the legal responsibilities of management? Or, what are we supposed to do?

The SEC . . .
The establishment and maintenance of a system of internal controls is an important management obligation.

The SEC . . .
A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.

The SEC . . .
Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.

Legal Responsibilities
Management is legally responsible for establishing and maintaining an adequate system of internal control.

The SEC . . .
An adequate system of internal control is necessary to management’s discharge of these obligations.

OK, so what if management doesn’t do this? What then?
Enter . . . The Foreign Corrupt Practices Act.

FCPA Legal Requirement
Make and keep books, records, and accounts that, in reasonable detail, accurately and fairly reflect the transactions of the registrant and the disposition of its assets.

FCPA Legal Requirement
Design and maintain a system of internal accounting controls sufficient to provide reasonable assurances that certain specified objectives are met.
The Internal Control Structure . . .
What is Internal Control?

Standards of Field Work
The Field Work standards are so named because they pertain primarily to the conduct of the audit at the client’s place of business; that is, in the field.

Second Standard of Field Work
A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.

Defining Internal Control
Reviewing the Control Literature

1949 Committee on Auditing Procedure
A system of internal control should be designed to achieve objectives that are both operational and accounting in nature.

Defining Internal Control
The 1958 definition was the first to differentiate between accounting controls and administrative controls, a distinction that is very important to independent auditors.
In 1963, chapter 5 of Statement on Auditing Procedure No. 33 attempted to clarify the distinction between administrative and accounting controls, stating that the independent auditor is primarily concerned with the latter when applying generally accepted auditing standards.
After 1963, there continued to be confusion concerning the scope of the auditor’s responsibility as it related to safeguarding of assets and the reliability of financial statements.
So . . . What is Internal Control?

Cohen Commission Report
Published annual reports should contain a report in which corporate management discloses the condition of the company’s internal control system.
Internal Control
Some Recent Additions

Internal Control . . .
Information Systems Audit and Control Foundation – Control Objectives for Information and Related Technology (COBIT)

COBIT
Audience: Management; Users; IS Auditors
Focus: Information Technology
Responsibility: Management
Size: 187 pages – 4 documents
Internal control viewed as: a set of processes including policies, procedures, practices, and organizational structure.
www.isaca.org/bkr_cbt3.htm
Internal control objectives:
- Effective & efficient operations
- Confidentiality
- Integrity & availability of information
- Reliable financial reporting
- Compliance with laws and regulations

Internal Control . . .
Institute of Internal Auditors Research Foundation’s Systems Auditability and Control (SAC)

Systems Auditability and Control
Audience: Internal Auditors
Focus: Information Technology
Responsibility: Management
Size: 1,193 pages in 12 modules
Internal control viewed as: a set of processes, subsystems, and people.
www.theiia.org
Internal control objectives:
- Effective & efficient operations
- Reliable financial reporting
- Compliance with laws and regulations

Internal Control . . .
The Committee of Sponsoring Organizations of the Treadway Commission – Internal Control – Integrated Framework (COSO)

COSO
Audience: Management
Focus: Overall Entity
Responsibility: Management
Size: 353 pages in 4 volumes
Internal control viewed as: a process.
www.coso.org
Internal control objectives:
- Effective and efficient operations
- Reliable financial reporting
- Compliance with laws and regulations

Internal Control . . .
American Institute of Certified Public Accountants – Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55)

SAS 55 & SAS 78
Audience: External Auditors
Focus: Financial Statement
Responsibility: Management
Size: 63 pages in 2 documents
Internal control viewed as: a process.
www.aicpa.org
Internal control objectives:
- Effective and efficient operations
- Reliable financial reporting
- Compliance with laws and regulations
National Commission on Fraudulent Financial Reporting
The Treadway Commission

Treadway Commission
Emphasized the importance of internal control. Specifically . . .
- The control environment;
- Codes of conduct;
- Audit committees; and
- The internal audit function.

Treadway Commission
The commission reaffirmed the Cohen Commission’s call for management reports on the effectiveness of its internal controls.

COSO Report . . .
COSO’s final report “Internal Control – Integrated Framework” was issued in September 1992:
- 4 volumes
- 453 pages
- Thousands of hours of work

COSO Report . . .
Provides a common definition of internal control to meet the needs of diverse users.
Provides a framework against which entities can assess and improve their internal control systems.
Internal Control . . .
The COSO Definition

COSO
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.

COSO Key Concepts
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
Internal control is geared to the achievement of objectives in one or more overlapping categories.
It consists of several interrelated components, with integrity, ethical values, competence, and the control environment serving as the foundation for the other components.

COSO’s Components
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring
COSO Integrated Framework: Control Environment
- Commitment to integrity and ethical values;
- Management’s philosophy and operating style;
- Organizational structure;
- The audit committee of the board of directors;
- Methods of assigning authority and responsibility;
- Human resources policies and practices;
- External influences.

COSO Integrated Framework: Risk Assessment
- Identification of risks
- Analysis of risks
- Management of risks

Typical Sources of Risk
- Clerical and operational employees
- Computer programmers
- Managers and accountants
- Former employees
- Customers and suppliers
- Competitors
- Outside persons
- Acts of nature

Types of Risks
- Unintentional errors
- Deliberate errors (fraud)
- Unintentional losses of assets
- Thefts of assets
- Breaches of security
- Acts of violence and natural disasters

Factors That Increase Risk Exposure
- Frequency
- Vulnerability
- Size of the potential loss

Problem Conditions Affecting Risk Exposures
- Collusion
- Computer crime
- Lack of enforcement
COSO Integrated Framework: Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
- Design and use of adequate documents and records
- Adequate safeguards of assets & records
- Independent checks on performance.

Segregation of Duties
Authorization, recording, and custody must be separate.
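As an added illustration of the segregation-of-duties requirement in the control activities above (example code, not part of the original slides), the following Python script checks a constructed list of role assignments and flags any user who holds more than one of the three duties (authorization, recording, custody) over the same asset class, which is exactly the combination this control exists to prevent. The user names, duty labels and asset classes are assumed for the example.

```python
# Added example (not from the slides): segregation-of-duties (SoD) check.
# Each assignment grants one user one duty (authorize / record / custody)
# over one asset class; the control requires the three duties for a given
# asset class to be held by different people.
from collections import defaultdict
from itertools import combinations

DUTIES = ("authorize", "record", "custody")

# Constructed sample data: (user, duty, asset_class)
ASSIGNMENTS = [
    ("alice", "authorize", "cash"),
    ("bob", "record", "cash"),
    ("carol", "custody", "cash"),
    ("dave", "authorize", "inventory"),
    ("dave", "custody", "inventory"),   # dave both approves and holds inventory
    ("erin", "record", "inventory"),
    ("frank", "record", "payroll"),
    ("frank", "custody", "payroll"),    # frank both records and pays out payroll
]

def duties_by_user(assignments):
    """Map (user, asset_class) -> set of duties that user holds over it."""
    held = defaultdict(set)
    for user, duty, asset_class in assignments:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r}")
        held[(user, asset_class)].add(duty)
    return held

def find_sod_conflicts(assignments):
    """Return sorted (user, asset_class, duty_a, duty_b) tuples for every
    pair of incompatible duties one user holds over the same asset class."""
    conflicts = []
    for (user, asset_class), duties in duties_by_user(assignments).items():
        for a, b in combinations(sorted(duties), 2):
            conflicts.append((user, asset_class, a, b))
    return sorted(conflicts)

def uncovered_duties(assignments):
    """Asset classes where some duty is assigned to nobody at all."""
    per_class = defaultdict(set)
    for _, duty, asset_class in assignments:
        per_class[asset_class].add(duty)
    return {c: sorted(set(DUTIES) - d) for c, d in per_class.items()
            if set(DUTIES) - d}

if __name__ == "__main__":
    print(find_sod_conflicts(ASSIGNMENTS), uncovered_duties(ASSIGNMENTS))
```

Run as a script it reports dave (authorize and custody over inventory) and frank (custody and record over payroll), and that nobody is assigned to authorize payroll; an unassigned duty tends to be performed informally by whoever holds the other two, so it is worth surfacing alongside the direct conflicts.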
COSO Integrated Framework: Information and Communication
- Identify, assemble, analyze, classify, record and report transactions
- Maintain accountability for assets and liabilities
- Open and well-defined lines of communication

COSO Integrated Framework: Monitoring
- Effective supervision
- Responsibility accounting
- Internal auditing
Internal Control . . .
Classifications

Preventive, Detective, and Corrective Controls
[Diagram: a feedback loop of Input, Process and Output; a Sensor compares the Output against a Benchmark; Detective and Corrective Controls act on that comparison, and Corrective Controls feed back into the Process.]

Control Classifications
By Objectives: Administrative; Accounting
By Settings: General; Application (Input, Processing, Output)
By Risk Aversion: Preventive; Detective; Corrective
By System Architectures: Manual Systems; Computer Based Systems (Batch Processing, Online Processing, Data Base)
Internal Control . . .
Some Common Grounds

Some Common Ground
A system of internal control is not an end in itself. It is, rather, a means to an end.
Internal control is a system: clearly defined goals, and interrelated components acting in concert to achieve those goals.

Some Common Ground
Establishing a viable internal control system is management’s responsibility.
The strength of any internal control system is largely a function of the people who operate it.

Some Common Ground
Internal control cannot be expected to provide 100% assurance that the organization will reach its objectives.
Internal control is not “free;” it has a cost associated with it.