Section D. Internal Controls 15% - PowerPoint PPT Presentation

1 / 107
About This Presentation
Title:

Section D. Internal Controls 15%

Description:

Section D. Internal Controls 15% 1. Risk assessment, controls, and risk management a. Internal control structure and management philosophy b. Internal control ... – PowerPoint PPT presentation

Number of Views:371
Avg rating:3.0/5.0
Slides: 108
Provided by: zcheerCom
Category:

less

Transcript and Presenter's Notes

Title: Section D. Internal Controls 15%


1
Section D. Internal Controls 15
1. Risk assessment, controls, and risk
management a. Internal control structure and
management philosophy b. Internal control
policies for safeguarding and assurance c.
Internal control risk d. Implications of the
Sarbanes-Oxley Act of 2002 e. U.S. Foreign
Corrupt Practices Act internal control
requirements f. COSO Internal Control
Framework 2. Internal auditing a. Responsibility
and authority of the internal audit functions b.
Types of audits conducted by internal auditors
2
Section D. Internal Controls 15
3. Systems controls and security measures a.
General accounting system controls b. Application
and transaction controls c. Network controls d.
Flowcharting to assess controls e. Backup
controls f. Disaster recovery procedures
3
D.1. Risk assessment, controls, and risk
management
  • a. Internal control structure and management
    philosophy
  • b. Internal control policies for safeguarding and
    assurance
  • c. Internal control risk
  • d. Implications of the Sarbanes-Oxley Act of 2002
  • e. U.S. Foreign Corrupt Practices Act internal
    control
  • requirements
  • f. COSO Internal Control Framework

4
Risk and Control Environment
  • a. Internal control structure and
  • management philosophy
  • c. Internal control risk
  • f. COSO Internal Control Framework

5
Risks
  • Unforeseen obstacles to pursuit of objectives

6
Risks
  • Unforeseen obstacles to pursuit of objectives
  • Originate within/outside
  • Examples
  • Hacker breaking into universitys information
    systems
  • CEO bribing member of Congress to introduce
    legislation
  • Foreign government overthrown ? assets in country
    expropriated

7
Risks
  • Unforeseen obstacles to pursuit of objectives
  • Originate within/outside
  • Examples
  • Accounts payable clerk establishes fictitious
    vendors
  • Spiking interest rates ? long-term capital
    projects unprofitable
  • New technology ? premier products obsolete
  • Government regulations reduced ? new competitors

8
Risk assessment
  • Identifying vulnerabilities(??) of organization
  • Systems of internal control involve tradeoffs
    between cost, benefit
  • No system 100 effective
  • Risk can be mitigated, not eliminated

9
Risk assessment
  • Identifying vulnerabilities(??) of organization
  • Systems of internal control involve tradeoffs
    between cost, benefit
  • No system 100 effective
  • Risk can be mitigated, not eliminated

10
Risk management
  • Designing, operating internal controls that
    mitigate identified risks

11
Risk
  • Combination of
  • Severity of consequences
  • Likelihood of occurrence
  • Expected value of loss due to risk exposure
    stated numerically

12
Risk
  • Combination of
  • Expected value of loss due to risk exposure
    stated numerically
  • Severity of consequences x Likelihood of
    occurrence
  • Event Consequences
    Likelihood
  • Minor penetration Annoyance
    90
  • Unauthorized Public embarrassment
  • viewing of internal Loss of customer
    8
  • databases confidence
  • Unauthorized PR crisis, Customer
    2
  • alteration of internal defection
  • databases

13
AICPA audit risk model
  • Inherent risk (IR) susceptibility of objectives
    to obstacles arising from nature of objective
  • Control risk (CR) controls will fail to prevent
    obstacle from interfering with objective
    achievement
  • Detection risk (DR) obstacle to objective will
    not be detected before loss occurs
  • Total risk (TR) IR x CR x DR

14
AICPA audit risk model
  • Inherent risk (IR) susceptibility of objectives
    to obstacles arising from nature of objective
  • Control risk (CR) controls will fail to prevent
    obstacle from interfering with objective
    achievement
  • Detection risk (DR) obstacle to objective will
    not be detected before loss occurs
  • Total risk (TR) IR x CR x DR

15
AICPA audit risk model
  • Inherent risk (IR) susceptibility of objectives
    to obstacles arising from nature of objective
  • Control risk (CR) controls will fail to prevent
    obstacle from interfering with objective
    achievement
  • Detection risk (DR) obstacle to objective will
    not be detected before loss occurs
  • Total risk (TR) IR x CR x DR

16
System of internal control
  • Help manage risks
  • SMA 2A, Management Accounting Glossary
  • The whole system of controls (financial and
    otherwise) established by management to carry on
    the business of the enterprise in an orderly and
    efficient manner, to ensure adherence to
    management policies, safeguard the assets. And
    ensure as far as possible the completeness and
    accuracy of the records.

17
System of internal control
  • Proper design, operation is managements
    responsibility
  • Sarbanes-Oxley, Section 404 requires publicly
    traded companies to issue report stating
  • Management takes responsibility for establishing,
    maintaining firms system of internal controls
  • System has functioned effectively over reporting
    period

18
PCAOB Approach
  • PCABO
  • Governed by SEC
  • Issued Auditing Standards
  • Requires
  • Express an opinion on both internal control and
    fair presentation of financial report

19
Components of Internal control
20
Internal control- COSO Framework
  • Internal control is broadly defined as a
    process, effected by an entitys board of
    directors, management, and other personnel,
    designed to provide reasonable assurance
    regarding the achievement of objectives.

21
Internal control- COSO Framework
  • objectives in the following categories
  • Effectiveness and efficiency of operations (??)
  • Reliability of financial reporting (??)
  • Compliance with applicable laws and regulation
    (??)

22
COSO Framework
Category
Control Environment 1.Organizational
structure 2.Policies 3.Objectives,
goals 4.Management philosophy, operating
style 5.Assignment philosophy, operating style
??
??
??
Monitoring
?? 2
?? 4
Component
Information Communication
?? 1
?? 3
Control Activities
Risk Assessment
Control Environment
23
COSO Framework
IC Framework
ERM Framework
24
Control environment
  • Components
  • 1. Organizational structure
  • Lines of reporting, authority designed so
    incompatible duties not combined in same job
    function
  • Independent checks on performance facilitated

25
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • Stated principles require/guide/restrict action
  • Promote conduct of authorized activities
  • Provide satisfactory degree of assurance
  • Procedures-detailed steps for carrying out

26
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • Stated principles require/guide/restrict action
  • Promote conduct of authorized activities
  • Provide satisfactory degree of assurance
  • Procedures-detailed steps for carrying out

27
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • 3.Objectives, goals
  • Realistic, achievable goals that do not tempt
    management to cross ethical boundaries

28
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • 3.Objectives, goals
  • Realistic, achievable goals that do not tempt
    management to cross ethical boundaries

29
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • 3.Objectives, goals
  • 4.Management philosophy, operating style
  • Manifests in everyday actions
  • Financial reporting
  • Accounting estimates
  • Selection of accounting principles

30
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • 3.Objectives, goals
  • 4.Management philosophy, operating style
  • Integrity, ethical values affect all aspects of
    control
  • Ethical behavior results from standards, way
    theyre transmitted, how theyre reinforced

31
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • 3.Objectives, goals
  • 4.Management philosophy, operating style
  • Creates better risk management atmosphere
  • Removing incentives for dishonest/illegal/unethica
    l behavior
  • Setting example in own behavior

32
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • 3.Objectives, goals
  • 4.Management philosophy, operating style
  • 5.Assignment philosophy, operating style
  • Improve by proper design of organizational
    structure
  • Lines of reporting can reinforce proper internal
    control

33
Control environment
  • Components
  • 1.Organizational structure
  • 2.Policies
  • 3.Objectives, goals
  • 4.Management philosophy, operating style
  • 5.Assignment philosophy, operating style
  • Improve by proper design of organizational
    structure
  • Lines of reporting can reinforce proper internal
    control

34
Board of directors
  • Required by most publicly held corporations
  • Inside members officers, employees
  • Outside members non-employees who hold stock
  • Governing authority of corporation
  • Responsible for establishing overall corporate
    policy

35
Board of directors
  • Fiduciary duty (????) to organization,
    shareholders

36
Board of directors
  • Fiduciary duty (????) to organization,
    shareholders
  • Exercise reasonable care in performance of duties
  • Informed about, conversant(??) with
    pertinent(???) information
  • Attend meetings
  • Analyze financial statements

37
Board of directors
  • Fiduciary duty (????) to organization,
    shareholders
  • Exercise reasonable care in performance of duties
  • Informed about, conversant(??) with
    pertinent(???) information
  • Attend meetings
  • Analyze financial statements
  • Owe duty of loyalty
  • Prohibits dealing with corporation unless full
    disclosure made
  • Usurping corporate opportunity w/o giving entity
    right of first refusal

38
Directors typically responsible for
  • 1) Select and remove officers
  • 2) Determine the capital structure
  • 3) Add, amend, or repeal bylaws
  • 4) Initiate fundamental changes MA
  • 5) Declare dividends
  • 6) Set compensation of officers

39
Audit committee
  • Subcommittee of board of directors
  • Helps keep external auditors independent of
    management
  • Assigned selection, compensation, oversight
  • Required by many stock exchanges
  • Crucial that composed of only outside directors

40
Audit committee
  • Subcommittee of board of directors
  • Helps keep external auditors independent of
    management
  • Assigned selection, compensation, oversight
  • Required by many stock exchanges
  • Crucial that composed of only outside directors

41
Audit committee
  • Maintains control environment by approving
    charter, overseeing work of internal audit
    activity
  • Insulates external, internal auditors from
    influences that may compromise independence,
    objectivity

42
Audit committee
  • Maintains control environment by approving
    charter, overseeing work of internal audit
    activity
  • Insulates external, internal auditors from
    influences that may compromise independence,
    objectivity

43
Importance of HR
44
Personnel
  • Hiring standards
  • Emphasize education. Past achievements, evidence
    of integrity, ethics
  • Display commitment to employ competent,
    trustworthy people

45
Personnel
  • Hiring standards
  • Training policies
  • Impart to employees
  • Knowledge of roles, responsibilities
  • Expectations about conduct, performance

46
Personnel
  • Hiring standards
  • Training policies
  • Competence
  • Knowledge, abilities necessary to complete
    required tasks

47
Personnel
  • Hiring standards
  • Training policies
  • Competence
  • Promotions
  • Periodic performance appraisals reflect
    commitment to rewarding competence

48
Control Procedures
  • Internal control policies for safeguarding and
    assurance

49
Control activities
  • Ensure managements directives executed
  • Include requisite steps to respond to risks that
    threaten attainment of objectives
  • Suitably designed to prevent/detect unfavorable
    conditions
  • Operate effectively

50
Control activities
  • Types of control activities
  • Preventive
  • Locked the door
  • Separate the duties
  • Detective
  • Petty cash count
  • Physical inventory count

51
Control procedures
  • Manage/limit risk in accordance w/ risk
    assessments
  • Control areas
  • 1.Segregation of duties, basic functional
    responsibilities
  • 2.Independent checks, verification
  • 3.Safeguarding controls
  • 4.Prenumbered forms
  • 5.Specific document flow

52
Segregation of duties
  • Assigning different employees to prevent employee
    acting alone from committing error/concealing
    fraud
  • Types of segregated functional responsibilities
  • Authority to transactions
  • Recording of transactions
  • Custody of assets affected by transactions
  • Periodic reconciliation of existing assets to
    recorded amounts

53
Segregation in three business cycles
  • Purchase-payable cycle
  • Authority to execute transaction is vested in
    purchasing department
  • Recording the transaction is done by accounts
    payable
  • Custody of assets is vested in warehouse
  • Periodic reconciliation of assets to records is
    performed by inventory control

54
Segregation in three business cycles
  • Sales-receivable cycle
  • Authority to execute transaction is vested in
    sales department
  • Recording the transaction is done by accounts
    receivable
  • Custody of assets is vested in warehouse
  • Periodic reconciliation of assets to records is
    performed by G/L

55
Segregation in three business cycles
  • Payroll cycle
  • Authority to execute transaction is vested in HR
    department
  • Recording the transaction is done by payroll
    department
  • Payroll department belongs to Financial
    department
  • If belongs to HR department, HR hiring group and
    HR payroll group should be separated
  • HR hiring group charges hiring, termination, and
    salary rate
  • Custody of assets is vested in treasurer
  • Periodic reconciliation of assets to records is
    performed by G/L

56
Independent checks, verifications
  • Reconciliation of recorded accountability w/
    assets performed by part of organization either
  • 1.Unconnected w/ original transaction
  • 2.Without custody of assets involved

57
Independent checks, verifications
  • Comparison revealing assets disagreeing w/
    recorded accountability provide evidence of
    unrecorded/improperly recorded transactions
  • Converse not necessarily true
  • Frequency of comparisons depends on nature,
    amount of assets involved, cost of comparison

58
Safeguarding controls
  • Limit access to assets to authorized personnel
  • Direct physical access
  • Indirect access through preparing/processing
    documents authorizing use/disposition

59
Safeguarding controls
  • Example
  • 1) Lockbox system
  • 2) Deposit cash receipts

60
Safeguarding controls
  • Example
  • 1) Lockbox system
  • 2) Deposit cash receipts
  • 3) Approval credit memos
  • 4) Write offs of uncollectible AR
  • 5) Prohibit non-IT personnel access computer
    operation

61
Sequentially prenumbered forms
  • Basis for strong internal controls

62
Sequentially prenumbered forms
  • Basis for strong internal controls
  • All hardcopies can be accounted for
  • Ascertain date, use, person who filled out
  • Missing documents can be flagged
  • Detect unrecorded, unauthorized transactions
    during reconciliation
  • Achievable in paperless environment

63
Sequentially prenumbered forms
  • Basis for strong internal controls
  • All hardcopies can be accounted for
  • Ascertain date, use, person who filled out
  • Missing documents can be flagged
  • Detect unrecorded, unauthorized transactions
    during reconciliation
  • Achievable in paperless environment
  • Additional procedures ensure personnel do not
    receive documents inappropriate to duties

64
Specific document flow
  • Pre-numbered document flow
  • Additional procedures ensure personnel do not
    receive documents inappropriate to duties

65
Compensating controls
  • Replace normal controls when cannot be feasibly
    implemented
  • Ex. In finance, investment cycle
  • 2 people perform each function
  • Provide oversight
  • Periodic communications with board
  • Oversight by committee of board
  • Internal audits reconciliation of securities
    portfolio w/ recorded information

66
Compensating controls
  • Replace normal controls when cannot be feasibly
    implemented
  • Ex. In finance, investment cycle
  • 2 people perform each function
  • Provide oversight
  • Periodic communications with board
  • Oversight by committee of board
  • Internal audits reconciliation of securities
    portfolio w/ recorded information

67
Fraud
  • Intentional
  • Pressures, incentives to engage in wrongdoing,
    opportunity
  • Examples
  • Fraudulent financial reporting
  • Misappropriation of assets
  • Internal control designed to prevent
  • Concealment aspects ? controls cannot give
    absolute assurance against

68
Fraud
  • Intentional
  • Pressures, incentives to engage in wrongdoing,
    opportunity
  • Examples
  • Fraudulent financial reporting
  • Misappropriation of assets
  • Internal control designed to prevent
  • Concealment aspects ? controls cannot give
    absolute assurance against

69
Legal Aspects of Internal Control
  • Implications of the Sarbanes-Oxley Act of 2002
  • U.S. Foreign Corrupt Practices Act internal
    control requirements

70
Foreign Corrupt Practices Act
  • Enacted 1977 with origins in Watergate
    investigations
  • Prevent secret payments of corporate funds for
    purposes that congress has determined contrary to
    public policy
  • Amends Securities Exchange Act of 1934
  • Prohibits domestic concern from
    offering/authorizing corrupt payments to foreign
    official/political party/official/candidate for
    foreign political office

71
Foreign Corrupt Practices Act
  • Enacted 1977 with origins in Watergate
    investigations
  • Prevent secret payments of corporate funds for
    purposes that congress has determined contrary to
    public policy
  • Amends Securities Exchange Act of 1934
  • Only political payments to foreign officials
    prohibited
  • FCPA doesnt address business owners/corporate
    officers

72
Foreign Corrupt Practices Act
  • Enacted 1977 with origins in Watergate
    investigations
  • Prevent secret payments of corporate funds for
    purposes that congress has determined contrary to
    public policy
  • Amends Securities Exchange Act of 1934
  • Only political payments to foreign officials
    prohibited
  • FCPA doesnt address business owners/corporate
    officers

73
Foreign Corrupt Practices Act
  • Corrupt payments are for inducing recipient to
    act/refrain from acting so domestic concern might
    obtain/retain business
  • Offer/promise of bribe prohibited, even if not
    consummated
  • Not prohibited if recipient has no discretion in
    carrying out governmental function
  • Payments allowed under written law of foreign
    country not prohibited

74
System of internal accounting control
  • Public companies must make, keep books, records,
    accounts in reasonable detail that accurately,
    fairly reflect transactions, disposition of
    assets
  • Provide reasonable assurance

75
System of internal accounting control
  • Provide reasonable assurance
  • 1.Transactions executed in accordance w/
    managements general/specific authorization
  • 2.Transactions recorded as necessary
  • 3.Access to assets permitted only in accordance
    w/ managements general/specific authorization
  • 4.Recorded accountability for assets compared
    with existing assets at reasonable intervals,
    appropriate action taken w/ respect to differences

76
Implications of FCPA of 1977
  • Extend beyond anti-bribery provisions
  • All American businesses, business people involved
  • Management particularly affected
  • Internal control responsibility not new
  • Potential for civil, criminal liabilities added
    burden

77
Written code of ethics
  • Necessity
  • Communicated, monitored by internal auditors for
    compliance
  • Might include explanation of FCPA, its penalties
  • May require written representations from
    employees that they have read, understood
    provisions

78
Sarbanes-Oxley Act of 2002
  • Response to financial reporting scandals of large
    public companies
  • Contains provisions that impose new
    responsibilities on public companies, their
    auditors
  • Applies to issuers of publicly traded securities
    subject to federal securities law

79
Sarbanes-Oxley Act of 2002
  • Response to financial reporting scandals of large
    public companies
  • Contains provisions that impose new
    responsibilities on public companies, their
    auditors
  • Applies to issuers of publicly traded securities
    subject to federal securities law

80
Sarbanes-Oxley Act of 2002
  • Requires each member of audit committee,
    including at least one financial expert, be
    independent member of issuers board of directors
  • Independent director is not affiliated with,
    receives no compensation from issuer
  • Audit committee directly responsible for
    appointing, compensating, overseeing work of
    public accounting firm employed by issuer
  • Reports directly to audit committee, not to
    management

81
Section 404
  • Requires management to establish, document
    internal control procedures
  • Include report on companys internal control over
    financial reporting in annual report

82
Internal control report
  • 1.Statement of managements responsibility for
    internal control
  • 2.Managements assessment of effectiveness of
    internal control as of end of most recent fiscal
    year
  • 3.Identification of framework evaluating
    effectiveness of internal control

83
Internal control report
  • 4.Statement whether significant changes in
    controls were made after evaluation, including
    corrective actions
  • 5.Statement that external auditor issued
    attestation report on managements assessment
  • Audit opinions expressed
  • Internal control
  • Financial statements

84
External auditor
  • Attests to, reports on managements assessment
  • Evaluates whether structure, procedures
  • 1.Include records accurately, fairly reflecting
    firms transactions
  • 2.Provide reasonable assurance transactions
    recorded to permit statements to be prepared in
    accordance w/ GAAP

85
External auditor
  • Attests to, reports on managements assessment
  • Evaluates whether structure, procedures
  • Report describes material weaknesses in internal
    control
  • Evaluation not subject of separate engagement, in
    conjunction w/ audit of financial statements

86
End
87
D.2. Internal Auditing
  • a. Responsibility and authority of the internal
    audit function
  • b. Types of audits conducted by internal auditors

88
The Internal audit function
  • Growth, complexity led to growth in field
  • Internal audit activity (IAA) basic to governance
  • Some stock exchanges require all companies to
    have IAA
  • Foreign Corrupt Practices Act
  • Detailed, accurate accounting records
  • Reasonably effective system of internal control

89
The internal audit function
  • The institute of internal Auditors (IIA)
  • Maintain professional standards for the practice
    worldwide
  • IIA definition of internal auditing
  • Internal auditing is an independent, objective
    assurance and consulting activity designed to add
    value and improve an organizations operations.
    It helps an organization accomplish its
    objectives by bringing a systematic, disciplined
    approach to evaluate and improve the
    effectiveness of risk management, control, and
    governance processes.

90
The internal audit function
  • IIAs Standards
  • Practice Advisories

91
The internal audit function
  • IIAs Standards
  • Guidance for the conduct of internal auditing
  • Organizational
  • Individual
  • Practice Advisories

92
The internal audit function
  • IIAs Standards
  • Guidance for the conduct of internal auditing
  • Organizational
  • Individual
  • Practice Advisories
  • Concise, timely guidance
  • Code of ethics
  • Standards
  • Promoting good practices

93
The internal audit function
  • Organizationally independent
  • Attribute of internal audit department as whole
  • Objective attitude
  • Attribute of auditors themselves

94
The internal audit function
  • Chief executive officer (CEO)
  • Chief audit executive (CAE)
  • Unhindered access to board of directors

95
The internal audit function
  • Charter
  • Purpose, authority, responsibility of IAA
  • IAAs position
  • Access to records, personnel, physical properties
  • Define scope of activities

96
The scope of internal auditing
  • Three principal functions
  • 1.Maintenance of internal control system
  • 2.Improving efficiency of operations
  • 3.Conduct of audit of financial statements

97
The scope of internal auditing
  • Three principal functions
  • 1.Maintenance of internal control system
  • 2.Improving efficiency of operations
  • 3.Conduct of audit of financial statements

98
The scope of internal auditing
  • Internal audit specific tasks
  • Improvement of risk management, control systems
  • Adequacy, effectiveness of controls
  • Reliability, integrity
  • Effectiveness, efficiency
  • Safeguarding of assets
  • Compliance
  • Adequate control criteria
  • Fraud
  • External auditor

99
Incidents
  • Fraud
  • Illegal acts
  • Material weaknesses, significant deficiencies in
    internal control
  • Significant penetrations of information security
    systems

100
Compliance auditing
  • Assess compliance in specific areas
  • Management response to regulatory body reviews

101
Operational auditing
  • The comprehensive review of the varied functions
    within an enterprise to appraise the efficiency
    and economy of operations and the effectiveness
    with those functions achieve their objectives

102
Operational auditing
  • Thorough examination of department, division,
    function, etc.
  • Appraise managerial organization, performance,
    techniques
  • Organizational objectives have been achieved
  • Efficiency, effectiveness, economy
  • Report ? existing/absence of problems

103
Operational auditing
  • Organizational objectives have been achieved
  • Efficiency, effectiveness, economy
  • Report ? existing/absence of problems

104
Operational auditing
  • Basic tools
  • Financial analysis
  • Observation of departmental activities
  • Questionnaire interviews of departmental employees

105
Operational auditing
  • Extension of financial audit
  • Reviewing purchasing policies
  • Appraising compliance with policies, procedures
  • Appraising safety standards, equipment
    maintenance
  • Reviewing production controls, scrap reporting
  • Reviewing facilities adequacy

106
Internal auditing procedures
  • Inquiries
  • Examine documentation
  • Observe
  • Reperform

107
END
Write a Comment
User Comments (0)
About PowerShow.com