8/11/2019 Internal Control Systems
1/25
Internal Control Systems
ACC 444 Enterprise Process Analysis
1
Management Blues
In most companies, top-level management and owners can't possibly oversee every detailed aspect of their business.
So what do they worry about most? Things that can possibly go wrong, such as:
assets being stolen
errors in capturing, processing and reporting critical financial and non-financial information
operating inefficiencies
non-compliance with established policies
INTRODUCTION
Additionally, from the AIS perspective, control risks have increased in the last few years because:
a) There are computers and servers everywhere, and information is available to an unprecedented number of workers.
b) Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
c) Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.
OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by management to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
Records accurately and fairly reflect company assets.
Accurate and reliable information is provided.
Financial reports are prepared in accordance with GAAP.
Operational efficiency is promoted and improved.
Adherence to prescribed managerial policies is encouraged.
The organization complies with applicable laws and regulations.
Internal controls perform three important functions:
Preventive controls (deter problems before they arise)
Detective controls (discover problems that were not prevented)
Corrective controls (identify and fix problems that were detected, and recover from them)
SOX
In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX).
a) Applies to publicly held companies and their auditors.
The intent of SOX is to:
Prevent financial statement fraud
Make financial reports more transparent
Protect investors
Strengthen internal controls in publicly held companies
Punish executives who perpetrate fraud
SOX has had a material impact on the way boards of directors, management, and accountants operate.
SOX
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
New rules for audit committees
New rules for management
New internal control requirements
After the passage of SOX, the SEC (Securities & Exchange Commission) further mandated that:
Management must evaluate and report on the company's internal controls, using a recognized control framework (the most likely framework is the COSO model discussed later).
External auditors must also report on the state of the company's internal controls.
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework
a) Also known as the Control Objectives for Information and Related Technology framework.
b) A framework of generally applicable information systems security and control practices for IT control.
The COSO internal control framework
a) Defines internal controls.
b) Provides guidance for evaluating and enhancing internal control systems.
c) Widely accepted as the authority on internal controls.
COSO's Enterprise Risk Management framework (ERM)
a) An enhanced corporate governance document.
b) Takes a risk-based, rather than controls-based, approach to the organization.
c) Oriented toward future and constant change.
d) Incorporates rather than replaces COSO's internal control framework.
CONTROL FRAMEWORKS
COSO's Internal Control Framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
a) The American Accounting Association
b) The AICPA
c) The Institute of Internal Auditors
d) The Institute of Management Accountants
e) The Financial Executives Institute
CONTROL FRAMEWORKS
In 1992, COSO issued the Internal Control - Integrated Framework:
Defines internal controls.
Provides guidance for evaluating and enhancing internal control systems.
Widely accepted as the authority on internal controls.
Incorporated into policies, rules, and regulations used to control business activities.
In 2013, COSO updated the original framework to consider changes in business, operating, and regulatory environments.
ERM FRAMEWORK
COSO developed a model to illustrate the elements of ERM.
The ERM model is three-dimensional.
This means that each of the eight risk and control components is applied to each of the four categories of objectives, across the entire company and/or any one of its subunits.
Internal Environment
Factors that influence the control environment:
Management's philosophy, operating style, and risk appetite (management's attitude towards internal controls and risks)
The board of directors (competent, active and involved; majority independent; audit committee composed of independent directors only)
Commitment to integrity, ethical values, and competence (management practicing and preaching honesty, punishing dishonesty)
Organizational structure (appropriate reporting relationships)
Methods of assigning authority and responsibility (clearly defined roles and responsibilities)
Human resource standards (for hiring, compensating, training, evaluating, promoting, discharging, etc.)
External influences (pressures from outside; e.g., regulations, Wall Street expectations, etc.)
INTERNAL CONTROL SYSTEMS
TO BE CONTINUED...
OBJECTIVE SETTING
Objective setting is the second ERM component.
It must precede many of the other six components.
For example, you must set objectives before you can define the events that affect your ability to achieve those objectives.
EVENT IDENTIFICATION
Events are:
Incidents or occurrences that emanate from internal or external sources
That affect implementation of strategy or achievement of objectives.
Impact can be positive, negative, or both.
Events can range from obvious to obscure.
Effects can range from inconsequential to highly significant.
By their nature, events represent uncertainty.
RISK ASSESSMENT AND RISK RESPONSE
COSO indicates there are two types of risk:
Inherent risk (i.e., before controls are implemented)
Residual risk (i.e., after controls are implemented)
Companies should:
Assess inherent risk
Develop a response
Then assess residual risk
Four ways to respond to risk:
Reduce it (implement controls that lower the likelihood or the impact)
Accept it (take no action and tolerate the risk)
Share it (transfer part of it, e.g., through insurance or outsourcing)
Avoid it (do not undertake the activity that creates the risk)
RISK ASSESSMENT AND RISK RESPONSE PROCESS
a) Identify the events or threats that confront the company.
b) Estimate the likelihood or probability of each event occurring.
c) Estimate the impact of potential loss from each threat.
d) Identify a set of controls to guard against the threat.
e) Estimate the costs and benefits of instituting the controls.
f) Is it cost-beneficial to protect the system?
Yes: reduce the risk by implementing the set of controls to guard against the threat.
No: avoid, share, or accept the risk.
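The process above carried through in code, as an added example that is not part of the ACC 444 slides. It walks a small constructed risk register through the same steps: inherent expected loss (likelihood times impact), residual loss after the candidate controls, control cost, and the cost-benefit decision. The threat names, probabilities, loss amounts, control costs, and the risk-appetite threshold that separates "share or avoid" from "accept" are all constructed assumptions; the slides give the decision as a single "avoid, share, or accept" branch, and the appetite threshold is added here to show how management's risk appetite (an internal-environment factor) drives that branch.

```python
"""Cost-benefit risk response over a small constructed risk register.

Added example for the risk assessment and risk response process; it is not
code from the ACC 444 slides. Every number below is constructed for
illustration, and the risk-appetite threshold is an assumed parameter.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # cost of operating the control for one year
    likelihood_reduction: float  # fraction of the event probability it removes (0..1)
    impact_reduction: float = 0  # fraction of the loss it removes if the event still occurs


@dataclass
class Threat:
    name: str
    likelihood: float   # inherent annual probability of the event (before controls)
    impact: float       # inherent loss if the event occurs (before controls)
    controls: list[Control] = field(default_factory=list)  # candidate control set


def expected_loss(likelihood: float, impact: float) -> float:
    """Annual expected loss: probability times impact."""
    return likelihood * impact


def residual_risk(threat: Threat) -> tuple[float, float]:
    """Likelihood and impact after the candidate controls are applied.

    Reductions are applied multiplicatively, so two 50% controls leave 25%,
    and no combination can push the probability below zero.
    """
    likelihood, impact = threat.likelihood, threat.impact
    for control in threat.controls:
        likelihood *= 1 - control.likelihood_reduction
        impact *= 1 - control.impact_reduction
    return likelihood, impact


def recommend(threat: Threat, risk_appetite: float) -> dict:
    """Walk the flowchart: assess inherent risk, apply the candidate controls,
    assess residual risk, then compare the benefit to the cost.

    risk_appetite (assumed, not on the slides) is the largest annual expected
    loss management is willing to carry without sharing or avoiding it.
    """
    inherent = expected_loss(threat.likelihood, threat.impact)
    residual = expected_loss(*residual_risk(threat))
    cost = sum(c.annual_cost for c in threat.controls)
    benefit = inherent - residual      # expected loss the controls prevent
    net_benefit = benefit - cost

    if threat.controls and net_benefit > 0:
        response = "reduce"            # the controls pay for themselves
    elif inherent > risk_appetite:
        response = "share or avoid"    # too big to carry, not worth controlling
    else:
        response = "accept"            # small enough to live with

    return {
        "threat": threat.name,
        "inherent_expected_loss": inherent,
        "residual_expected_loss": residual,
        "control_cost": cost,
        "net_benefit": net_benefit,
        "response": response,
    }


# Constructed register: the numbers are illustrative, not from any real company.
REGISTER = [
    Threat("Unauthorized wire transfer", likelihood=0.10, impact=500_000,
           controls=[Control("Dual approval on outgoing wires", 12_000, 0.90)]),
    Threat("Warehouse flood", likelihood=0.02, impact=1_000_000,
           controls=[Control("Flood barriers", 40_000, 0.50)]),
    Threat("Petty cash theft", likelihood=0.50, impact=200,
           controls=[Control("Locked cash drawer", 150, 0.80)]),
]

RISK_APPETITE = 15_000  # assumed: carry up to $15k/yr of expected loss unshared


def assess_register(register=REGISTER, risk_appetite=RISK_APPETITE) -> list[dict]:
    """Apply recommend() to every threat in the register."""
    return [recommend(t, risk_appetite) for t in register]


if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['threat']:<28} inherent ${row['inherent_expected_loss']:>9,.0f}"
              f"  residual ${row['residual_expected_loss']:>8,.0f}"
              f"  net ${row['net_benefit']:>8,.0f}  -> {row['response']}")
```

With these inputs the wire-transfer control is worth buying (it removes $45k of expected loss for $12k), the flood barriers cost more than they save while the $20k inherent exposure still exceeds the assumed appetite, so insurance or avoidance is the answer, and the petty cash exposure is small enough to accept.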
CONTROL ACTIVITIES
The sixth component of COSO's ERM model.
Control activities are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out.
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
Incompatible Duties
Incompatible duties that should be segregated:
a) Authorization: approving transactions and decisions.
b) Recording: preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
c) Custody: handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account.
If any two of the preceding functions are the responsibility of one person, then problems can arise.
Also, when two or more people collude, segregation of duties becomes ineffective and controls are overridden.
Segregation of Duties - Examples
At most movie theaters, one employee is responsible for issuing tickets and collecting cash while another employee collects those tickets when you enter the theater. How does this practice provide segregation of duties that helps the theater ensure all sales are properly accounted for?
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users
Systems analysts
Programming
Computer operations
Information systems library
Data control
It is important that different people perform the preceding functions.
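A segregation-of-duties check that covers both lists above (the three incompatible accounting duties and the IT functions that should be held by different people), as an added example that is not part of the ACC 444 slides. It takes the kind of (user, role) export an access review produces and reports every user holding two duties from the same incompatible group. The user names, the application role names, and the mapping from role to duty are constructed assumptions; in practice the mapping comes from the system's role catalogue.

```python
"""Segregation-of-duties (SoD) conflict check over a role-assignment export.

Added example for the incompatible accounting duties and the IT functions
listed above; it is not code from the ACC 444 slides. The user names, the
application role names, and the mapping from role to duty are constructed.
"""
from itertools import combinations

# Each group lists functions that should be performed by different people.
# One person holding any two duties from the same group is a conflict.
INCOMPATIBLE_GROUPS = {
    "accounting": {"authorization", "recording", "custody"},
    "it": {
        "systems administration", "network management", "security management",
        "change management", "users", "systems analysts", "programming",
        "computer operations", "information systems library", "data control",
    },
}

# Constructed mapping: application role -> (group, duty).
ROLE_TO_DUTY = {
    "AP_APPROVER": ("accounting", "authorization"),
    "GL_POSTER": ("accounting", "recording"),
    "BANK_SIGNER": ("accounting", "custody"),
    "WAREHOUSE_KEYHOLDER": ("accounting", "custody"),
    "DEVELOPER": ("it", "programming"),
    "PROD_DEPLOYER": ("it", "computer operations"),
    "CHANGE_APPROVER": ("it", "change management"),
    "SEC_ADMIN": ("it", "security management"),
}

# Constructed (user, role) pairs, as an access-review export would list them.
ASSIGNMENTS = [
    ("alice", "AP_APPROVER"), ("alice", "BANK_SIGNER"),          # approves and pays
    ("bob", "GL_POSTER"),                                        # recording only
    ("carol", "BANK_SIGNER"), ("carol", "WAREHOUSE_KEYHOLDER"),  # two custody roles
    ("dave", "DEVELOPER"), ("dave", "PROD_DEPLOYER"),            # writes and deploys code
    ("erin", "DEVELOPER"), ("erin", "GL_POSTER"),                # different groups
    ("frank", "TIMESHEET_VIEWER"),                               # role not classified
]


def duties_by_user(assignments):
    """Collapse (user, role) pairs into {user: {group: set(duties)}}.

    Two roles that map to the same duty (carol's two custody roles) collapse
    into one entry, so they are correctly not reported as a conflict.
    """
    out = {}
    for user, role in assignments:
        if role not in ROLE_TO_DUTY:
            continue  # unclassified roles are reported by unclassified_roles()
        group, duty = ROLE_TO_DUTY[role]
        if duty not in INCOMPATIBLE_GROUPS[group]:
            raise ValueError(f"{role!r} maps to unknown duty {duty!r}")
        out.setdefault(user, {}).setdefault(group, set()).add(duty)
    return out


def find_conflicts(assignments):
    """Return (user, group, duty_a, duty_b) for every incompatible pair one
    person holds. This catches a single person with two duties; it cannot see
    collusion between two people, which is why independent checks still matter.
    """
    conflicts = []
    for user, groups in sorted(duties_by_user(assignments).items()):
        for group, duties in sorted(groups.items()):
            for duty_a, duty_b in combinations(sorted(duties), 2):
                conflicts.append((user, group, duty_a, duty_b))
    return conflicts


def unclassified_roles(assignments):
    """Roles the review could not place in any duty group. A gap in the
    mapping hides conflicts, so these need a person to classify them."""
    return sorted({role for _, role in assignments if role not in ROLE_TO_DUTY})


if __name__ == "__main__":
    for user, group, a, b in find_conflicts(ASSIGNMENTS):
        print(f"CONFLICT  {user:<6} {group:<10} holds both {a!r} and {b!r}")
    print("unclassified roles:", unclassified_roles(ASSIGNMENTS))
```

On the constructed export this flags alice (authorization plus custody: she can approve a payment and sign the check) and dave (programming plus computer operations: he can change code and put it into production), and it lists frank's unclassified role for follow-up rather than silently treating it as harmless.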
CONTROL ACTIVITIES
Adequate Documentation
Documentation allows management to verify that assigned responsibilities were completed correctly.
How is this achieved in a non-paper environment?
What types of problems can arise from inadequate documentation?
Example
Many restaurants issue customer checks with prenumbered sequence codes, and food servers use them to write up customer orders. Servers turn in all checks that were not used at the end of their shift. How does this policy provide documentation that helps the restaurant ensure that all sales transactions have been properly accounted for?
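The detective control behind the restaurant example, as an added example that is not part of the ACC 444 slides: a sequence reconciliation that compares the prenumbered checks issued to each server with what came back at shift end, either rung up as a sale or returned unused. A number that is neither is the signal the control exists to produce. The issued ranges, server names, check numbers and amounts are constructed for illustration.

```python
"""Sequence reconciliation for prenumbered documents (the restaurant example).

Added example; not code from the ACC 444 slides. The issued number ranges,
servers, check numbers and sale amounts are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckRecord:
    number: int
    server: str
    status: str          # "sale" = rung up, "unused" = returned blank at shift end
    amount: float = 0.0  # sale amount; should be zero when status is "unused"


# Constructed: which prenumbered checks each server was issued for the shift.
ISSUED = {
    "maria": range(1001, 1011),  # checks 1001..1010
    "jorge": range(2001, 2006),  # checks 2001..2005
}

# Constructed shift-end turn-in. Deliberate anomalies: 1005 never comes back,
# 1004 is turned in twice, 1012 was never issued to maria, and jorge's 2003 is
# marked unused but carries an amount.
RECORDS = [
    CheckRecord(1001, "maria", "sale", 24.50),
    CheckRecord(1002, "maria", "sale", 18.00),
    CheckRecord(1003, "maria", "sale", 42.10),
    CheckRecord(1004, "maria", "sale", 15.00),
    CheckRecord(1004, "maria", "sale", 15.00),
    CheckRecord(1006, "maria", "sale", 9.75),
    CheckRecord(1007, "maria", "sale", 31.20),
    CheckRecord(1008, "maria", "unused"),
    CheckRecord(1009, "maria", "unused"),
    CheckRecord(1010, "maria", "sale", 55.00),
    CheckRecord(1012, "maria", "sale", 12.00),
    CheckRecord(2001, "jorge", "sale", 20.00),
    CheckRecord(2002, "jorge", "sale", 30.00),
    CheckRecord(2003, "jorge", "unused", 5.00),
    CheckRecord(2004, "jorge", "sale", 10.00),
    CheckRecord(2005, "jorge", "unused"),
]


def reconcile(issued, records):
    """Compare each server's issued range with what was turned in.

    A check that is neither rung up nor returned blank is the control's
    signal: the order may have been served and the cash pocketed. Duplicates
    and numbers outside the issued range point at reused or forged documents.
    """
    by_server = {}
    for rec in records:
        by_server.setdefault(rec.server, []).append(rec)

    report = {}
    for server, numbers in issued.items():
        recs = by_server.get(server, [])
        counts = Counter(r.number for r in recs)
        turned_in = set(counts)
        report[server] = {
            "missing": sorted(set(numbers) - turned_in),
            "duplicates": sorted(n for n, c in counts.items() if c > 1),
            "out_of_range": sorted(turned_in - set(numbers)),
            "unused_with_amount": sorted(r.number for r in recs
                                         if r.status == "unused" and r.amount),
            "sales_total": round(sum(r.amount for r in recs if r.status == "sale"), 2),
        }
    # Checks turned in under a name that was never issued any range at all.
    report["_unknown_server"] = sorted(r.number for r in records
                                       if r.server not in issued)
    return report


if __name__ == "__main__":
    for server, result in reconcile(ISSUED, RECORDS).items():
        print(server, result)
```

The same reconciliation answers the slide's question about a paperless environment: the prenumbered paper check becomes a system-assigned sequence number on each order, and the control is the same gap, duplicate and out-of-range check run over the order table at close of business.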
INFORMATION AND COMMUNICATION
The seventh component of COSO's ERM model.
The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.
So accountants must understand how:
Transactions are initiated
Data are captured in or converted to machine-readable form
Computer files are accessed and updated
Data are processed
Information is reported to internal and external parties
MONITORING
The eighth component of COSO's ERM model.
Monitoring can be accomplished with a series of ongoing events or by separate evaluations.
INHERENT LIMITATIONS OF INTERNAL CONTROL SYSTEMS
Internal control systems have inherent limitations, including:
They are susceptible to errors and poor decisions.
They can be overridden by management or by collusion of two or more employees.
Internal control objectives are often at odds with each other.
EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.