Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES


Page 2

Assessment of Execution Risks: Revenue Cycle

Generic execution risks for each of the two revenue cycle transactions:

1. Delivering goods/services:
- Unauthorized sale/service permitted
- Authorized sale/service did not occur, occurred late, or was duplicated unintentionally
- Wrong type of product/service
- Wrong quantity/quality
- Wrong customer/address

Page 3

Assessment of Execution Risks: Revenue Cycle

Generic execution risks for each of the two revenue cycle transactions:

2. Collecting cash:
- Cash not collected or collected late
- Wrong amount of cash collected

Page 4

Assessment of Execution Risks: Acquisition Cycle

Generic execution risks for each of the two acquisition cycle transactions:

1. Receiving goods/services:
- Unauthorized goods/services received
- Expected receipt of goods/services did not occur, occurred late, or was duplicated unintentionally
- Wrong type of product or service received
- Wrong quantity/quality
- Wrong supplier

Page 5

Assessment of Execution Risks: Acquisition Cycle

Generic execution risks for each of the two acquisition cycle transactions:

2. Making payment:
- Unauthorized payment
- Cash not paid, paid late, or duplicate payment
- Wrong amount paid
- Wrong supplier paid

Page 6

Assessment of Execution Risks: Revenue & Acquisition Cycles

Understanding and assessing execution risks – 5 steps:

Step 1. Achieve an understanding of the processes

Step 2. Identify the at-risk goods/services provided and cash received

Step 3. Restate each generic risk to describe the execution risk more precisely for the process under study; exclude irrelevant or immaterial risks

Page 7

Assessment of Execution Risks: Revenue & Acquisition Cycles

Understanding and assessing execution risks – 5 steps:

Step 4. Assess the significance of the remaining risks

Step 5. Identify factors that contribute to each significant risk; use the events in the process to systematically identify factors

What control activities could be implemented to mitigate the risks?

Page 8

Assessment of Information Systems Risks

2 categories of information systems risks:
- Recording risks
- Updating risks

Page 9

Assessment of Information Systems Risks

The process of recording and updating information is both a risk and a control:
- Risk: information will be recorded incorrectly, perhaps resulting in transaction errors and incorrect financial statements
- Control: when information is correct, because recorded information is used to control transactions

Page 10

Assessment of Information Systems Risks

Recording risks: Risks that event information is not captured accurately in an organization's information system
- Errors in recording can cause substantial losses
- Recording events late can cause opportunity losses
- In the acquisition cycle, recording errors can result in overpaying bills or loss of credit from failure to pay

Page 11

Assessment of Information Systems Risks

Recording risks: Revenue/acquisition cycles – generic recording risks
- Event recorded never occurred
- Event not recorded, recorded late, or duplication of recording
- Wrong product/service recorded
- Wrong quantity/price recorded
- Wrong external/internal agent recorded
- Wrong recording of other data

Page 12

Assessment of Information Systems Risks

Recording risks: Identifying recording risks – 3 steps

Step 1. Achieve an understanding of the process under study; identify the events

Step 2. Review the events; identify where data are recorded in a source document or a transaction file

Page 13

Assessment of Information Systems Risks

Recording risks: Identifying recording risks – 3 steps

Step 3. For each event where data are recorded in a source document or transaction record:
- Consider the preceding generic recording risks
- Restate each generic risk to describe the risk more precisely for the particular event under consideration
- Exclude any risks that are irrelevant or immaterial

Page 14

Assessment of Information Systems Risks

Updating risks: Risks that summary fields in master records are not properly updated
- Update failures can be costly
- Errors in updates can reduce the effectiveness of controls over the general ledger balances for assets and liabilities

Page 15

Assessment of Information Systems Risks

Updating risks: Generic risks
- Update of master record omitted, or unintended duplication of update
- Update of master record occurred at the wrong time
  - If updates are scheduled, users need to know the schedule and the schedule needs to be followed
- Summary field updated by the wrong amount
- Wrong master record updated

Page 16

Assessment of Information Systems Risks

Identifying updating risks: 3 steps

Step 1. Identify recording risks

Step 2. Identify the events that include update activity and the summary fields in the updated master files

Page 17

Assessment of Information Systems Risks

Identifying update risks: 3 steps

Step 3. For each event that updates a master file:
- Consider the preceding generic update risks
- Restate each generic risk to describe the update risk more precisely for the particular event under consideration
- Exclude any update risks that are irrelevant or immaterial

Page 18

Recording and Updating in the General Ledger System

The General_Ledger File stores reference and summary data about the general ledger accounts.

The process of updating a general ledger account is sometimes referred to as “posting.”

Page 19

Recording and Updating in the General Ledger System

Risks in recording and updating information in a general ledger system:
- Wrong general ledger account recorded
- Wrong amounts debited/credited
- General ledger master record not updated at all, updated late, or updated twice
- Wrong general ledger master record updated

Page 20

Recording and Updating in the General Ledger System

Risks in recording and updating information in a general ledger system:

Important to internal control:
- The policy for updating general ledger accounts should be well understood.
- Often, general ledger balances are updated after a batch of transactions, not with each transaction

Page 21

Recording and Updating in the General Ledger System

Risks in recording and updating information in a general ledger system:

Important to internal control: Employees need to know:
- Under the batch process, general ledger account balances are temporarily out of date
- When updates are made

Page 22

Recording and Updating in the General Ledger System

Controlling risks:
- Identify significant risks of losses or errors
- Consider ways to control the risks
- Accountants, external auditors, or internal auditors evaluate existing controls and suggest additional controls where warranted

Page 23

Control Activities

Control activities: The policies and procedures to address risks to the achievement of the organization's objectives
- Manual or automated
- May be implemented at various levels of the organization

4 types of controls:
- Workflow controls
- Input controls
- General controls
- Performance reviews

Page 24

Control Activities

Workflow controls: Used to control a process as it moves from one event to the next
- Exploit linkages between events
- Focus on:
  - Responsibilities for events
  - Sequence of events
  - Flow of information between events in a business process

Page 25

Control Activities

Workflow controls:
- Segregation of duties
- Use of information from prior events to control activities
- Required sequence of events
- Follow-up on events
- Sequence of prenumbered documents
- Recording of internal agent(s) accountable for an event in a process
- Limitation of access to assets and information
- Reconciliation of records with physical evidence of assets

Page 26

Control Activities

1. Segregation of duties: Organizations make an effort to segregate:
- Authorization of events
- Execution of events
- Recording of event data
- Custody of resources associated with the event

The overview activity diagram is best suited to understanding and documenting segregation of duties
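An added example, not code from the chapter, of how the four functions named above can be tested over a population of transactions. It assumes hypothetical purchase records in which each function carries the employee id that performed it (constructed data); the two views are deliberately separate, because an agent may never hold two functions on the same transaction yet still be set up so that they could.

```python
from collections import defaultdict

# Constructed sample data, not from the chapter: one purchase per record, with
# the (made-up) employee id that performed each of the four functions the
# slide says should be held by different people.
FUNCTIONS = ("authorized", "executed", "recorded", "custody")
PURCHASES = [
    {"id": "PO-1001", "authorized": "E01", "executed": "E02", "recorded": "E03", "custody": "E04"},
    {"id": "PO-1002", "authorized": "E05", "executed": "E05", "recorded": "E03", "custody": "E04"},
    {"id": "PO-1003", "authorized": "E01", "executed": "E02", "recorded": "E06", "custody": "E06"},
    {"id": "PO-1004", "authorized": "E01", "executed": "E02", "recorded": "E07", "custody": "E03"},
]

def sod_conflicts(transactions):
    """Transaction-level test: every agent who performed two or more of the
    four functions on the same transaction, as (txn id, agent, functions)."""
    conflicts = []
    for txn in transactions:
        held = defaultdict(list)
        for fn in FUNCTIONS:
            held[txn[fn]].append(fn)
        for agent, fns in sorted(held.items()):
            if len(fns) > 1:
                conflicts.append((txn["id"], agent, sorted(fns)))
    return conflicts

def functions_by_agent(transactions):
    """Role-design view: the set of functions each agent has performed across
    the whole population. E03 below records some purchases and has custody on
    another, so nothing stops E03 combining both on a future transaction."""
    performed = defaultdict(set)
    for txn in transactions:
        for fn in FUNCTIONS:
            performed[txn[fn]].add(fn)
    return dict(performed)

def agents_with_incompatible_roles(transactions):
    """Agents whose history spans more than one function, sorted by id."""
    return sorted(agent for agent, fns in functions_by_agent(transactions).items()
                  if len(fns) > 1)

if __name__ == "__main__":
    for txn_id, agent, fns in sod_conflicts(PURCHASES):
        print(f"{txn_id}: {agent} performed {' and '.join(fns)}")
    print("agents with incompatible roles:", agents_with_incompatible_roles(PURCHASES))
```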

Page 27

Control Activities

2. Use of information about prior events:

Information about prior events can come from documents or computer records.

2 examples of information from computer files:
- Checking summary data in master files to authorize events
- Transaction records may help control events, similar to using documents before approving an invoice

Page 28

Control Activities

3. Required sequence of events:

Often, organizations:
- Have policies requiring a process to follow a particular sequence
- Require a sequence of events without having prior recorded information to rely on

Page 29

Control Activities

4. Follow-up on events: Organizations:
- Need an automated or manual way to review transactions not yet concluded
- Should have "open" item or aging reports to identify events needing follow-up
- Can design/use routine reports to flag unfinished business
- Can query a database for status reports

Page 30

Control Activities

5. Prenumbered documents:
- Provide an opportunity to control events
- Prenumbered documents created during one event are accounted for in a later event
- Checking the sequence of prenumbered documents helps ensure that all events are executed and recorded appropriately
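An added example, not code from the chapter, covering both the follow-up report of the previous slide and the sequence check on this one. It assumes hypothetical, constructed data: prenumbered shipping documents issued in an earlier event and invoices that account for them in a later event; the numbers and dates are made up.

```python
from datetime import date

# Constructed sample data, not from the chapter. Shipping documents are
# prenumbered when goods leave the warehouse (the earlier event); each one
# should be accounted for by an invoice that references it (the later event).
SHIPMENTS = [  # (prenumbered shipping document, ship date)
    (2001, date(2024, 3, 1)),
    (2002, date(2024, 3, 1)),
    (2003, date(2024, 3, 2)),
    (2003, date(2024, 3, 2)),   # the same number used twice
    (2005, date(2024, 3, 4)),   # 2004 never appears at all
    (2006, date(2024, 3, 20)),
]
INVOICES = [  # (invoice number, shipping document it bills)
    ("INV-1", 2001),
    ("INV-2", 2002),
    ("INV-3", 2005),
]

def sequence_check(shipments, invoices, first, last):
    """Account for every number in first..last: gaps (never issued), duplicates
    (issued more than once), unaccounted (shipped but never invoiced) and
    dangling (an invoice cites a document that was never issued)."""
    seen, duplicates = set(), set()
    for number, _ in shipments:
        if number in seen:
            duplicates.add(number)
        seen.add(number)
    referenced = {doc for _, doc in invoices}
    return {
        "gaps": sorted(set(range(first, last + 1)) - seen),
        "duplicates": sorted(duplicates),
        "unaccounted": sorted(seen - referenced),
        "dangling": sorted(referenced - seen),
    }

def open_items(shipments, invoices, as_of, max_age_days):
    """Aging report for follow-up: shipments still not invoiced after
    max_age_days, as (document number, age in days), oldest first."""
    referenced = {doc for _, doc in invoices}
    first_shipped = {}
    for number, shipped in shipments:   # a duplicated number ages from its first use
        first_shipped[number] = min(shipped, first_shipped.get(number, shipped))
    aged = [(n, (as_of - d).days) for n, d in first_shipped.items()
            if n not in referenced and (as_of - d).days > max_age_days]
    return sorted(aged, key=lambda item: -item[1])

def followup_report(as_of_iso="2024-03-31", max_age_days=14):
    """Run the aging report over the sample data as of the given date."""
    return open_items(SHIPMENTS, INVOICES, date.fromisoformat(as_of_iso), max_age_days)
```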

Page 31

Control Activities

6. Recording of internal agent(s) accountable for an event in a process:

Important:
- Clear job descriptions and specific instructions from supervisors
- Recording the employee ID number at the time of the event
- Safeguarding of assets through the use of serial numbers, recordkeeping, and identification of the custodian of the assets

Page 32

Control Activities

7. Limitation of access to assets and information:

Safeguards:
- Access to assets only for employees needing them for assigned duties
- Physical assets stored in secure locations
- Employee badges for access
- Alarms
- Password required for access to data

Page 33

Control Activities

8. Reconciliation of records with physical evidence of assets:
- Ensures that recorded event and master file data correspond to actual assets
- Differs from the use of documents to control events – reconciliation:
  - Is broader
  - Usually involves data about multiple events
  - Occurs after the events have been executed and recorded

Page 34

Control Activities

Input controls: Used to control input of data into computer systems
- Drop-down or look-up menus
- Record-checking of data entered
- Confirmation of data entered
- Referential integrity controls
- Format checks to limit data
- Validation rules to limit the data
- Defaults from data entered in prior sessions

Page 35

Control Activities

Input controls:
- Restriction against leaving a field blank
- Field established as a primary key
- Computer-generated values entered in records
- Batch control totals taken before data entry compared to printouts after data entry
- Review for errors before posting
- Exception reports
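An added example, not code from the chapter, combining several of the input controls listed on these two slides: blank-field restriction, format check, referential integrity against a customer master file, a validation rule on the amount, and batch control totals compared after entry, with failures collected for an exception report. The cash-receipts batch, customer master and control slip are constructed, hypothetical data.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed sample data, not from the chapter. The control slip is prepared
# from the source documents before keying; its hash total is the sum of the
# numeric part of the customer numbers, a meaningless figure that only serves
# to detect a receipt keyed against the wrong customer.
CUSTOMER_MASTER = {"C100": "Acme Ltd", "C200": "Baxter Co", "C300": "Cobb Inc"}
CONTROL_SLIP = {"count": 4, "amount_total": "1250.00", "hash_total": 700}
ENTERED = [
    {"receipt": "R-0001", "customer": "C100", "amount": "500.00"},
    {"receipt": "R-0002", "customer": "",     "amount": "250.00"},  # field left blank
    {"receipt": "R-0003", "customer": "C999", "amount": "400.00"},  # no such customer
    {"receipt": "R-0004", "customer": "C100", "amount": "100.00"},
]
RECEIPT_FORMAT = re.compile(r"^R-\d{4}$")

def validate_record(rec, master):
    """Input controls applied to one record; returns the list of rule failures."""
    errors = []
    for field in ("receipt", "customer", "amount"):           # blank-field restriction
        if not rec.get(field, "").strip():
            errors.append(f"{field} is blank")
    if not RECEIPT_FORMAT.match(rec.get("receipt", "")):       # format check
        errors.append("receipt number not in R-nnnn format")
    if rec.get("customer") and rec["customer"] not in master:  # referential integrity
        errors.append(f"customer {rec['customer']} not in master file")
    try:                                                        # validation rule
        if Decimal(rec.get("amount", "")) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount is not a number")
    return errors

def process_batch(entered, master, slip):
    """Validate each record, then compare the totals of the accepted records
    with the control slip. Rejections and differences form the exception report."""
    rejected = []
    totals = {"count": 0, "amount_total": Decimal("0"), "hash_total": 0}
    for rec in entered:
        errors = validate_record(rec, master)
        if errors:
            rejected.append((rec["receipt"], errors))
            continue
        totals["count"] += 1
        totals["amount_total"] += Decimal(rec["amount"])
        totals["hash_total"] += int(rec["customer"][1:])
    expected = dict(slip, amount_total=Decimal(slip["amount_total"]))
    differences = {k: expected[k] - totals[k] for k in totals if expected[k] != totals[k]}
    return {"rejected": rejected, "totals": totals, "differences": differences,
            "balanced": not rejected and not differences}
```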

Page 36

Control Activities

General controls:
- Broader controls that apply to multiple processes
- Help workflow and input controls be effective
- Organized into four categories:
  - Information systems (IS) planning
  - Organizing the information technology (IT) function
  - Identifying and developing IS solutions
  - Implementing and operating accounting systems

Page 37

Control Activities

Performance reviews:
- Measure performance by comparing actual data with budgets, forecasts, or prior-period data
- Include analyzing data, identifying problems, and taking corrective action
- Ensure events support broader long-term goals
- Typically involve comparing actual results to plans, standards, and prior performance

Page 38

Control Activities

Performance reviews:
- Often result in taking corrective action
- Require an information system (an AIS in particular) that records and stores information about standards and actual outcomes
- Require reports that allow for meaningful analysis of actual results

Page 39

Control Activities

Performance reviews and master records are related in two ways:
- Planned standards and budget figures (reference data) are typically recorded during file maintenance activities in master records
- Summary data stored in master records are often used to implement corrective action
- Summary fields in master records can also help in reviewing performance

Page 40

KEY TERMS
- Application controls
- Control activities
- Control environment
- Execution risk
- General controls
- Information system risks
- Input controls

Page 41

KEY TERMS
- Internal controls
- Performance reviews
- Recording risks
- Risk assessment
- Segregation of duties
- Update risks
- Workflow controls