Section D. Internal Controls 15%

1
Section D. Internal Controls 15
1. Risk assessment, controls, and risk
management a. Internal control structure and
management philosophy b. Internal control
policies for safeguarding and assurance c.
Internal control risk d. Implications of the
Sarbanes-Oxley Act of 2002 e. U.S. Foreign
Corrupt Practices Act internal control
requirements f. COSO Internal Control
Framework 2. Internal auditing a. Responsibility
and authority of the internal audit functions b.
Types of audits conducted by internal auditors
2
Section D. Internal Controls 15
3. Systems controls and security measures a.
General accounting system controls b. Application
and transaction controls c. Network controls d.
Flowcharting to assess controls e. Backup
controls f. Disaster recovery procedures
3
D.1. Risk assessment, controls, and risk
management

• a. Internal control structure and management
  philosophy
• b. Internal control policies for safeguarding and
  assurance
• c. Internal control risk
• d. Implications of the Sarbanes-Oxley Act of 2002
• e. U.S. Foreign Corrupt Practices Act internal
  control
• requirements
• f. COSO Internal Control Framework

4
Risk and Control Environment

• a. Internal control structure and
• management philosophy
• c. Internal control risk
• f. COSO Internal Control Framework

5
Risks

• Unforeseen obstacles to pursuit of objectives

6
Risks

• Unforeseen obstacles to pursuit of objectives
• Originate within/outside
• Examples
• Hacker breaking into universitys information
  systems
• CEO bribing member of Congress to introduce
  legislation
• Foreign government overthrown ? assets in country
  expropriated

7
Risks

• Unforeseen obstacles to pursuit of objectives
• Originate within/outside
• Examples
• Accounts payable clerk establishes fictitious
  vendors
• Spiking interest rates ? long-term capital
  projects unprofitable
• New technology ? premier products obsolete
• Government regulations reduced ? new competitors

8
Risk assessment

• Identifying vulnerabilities(??) of organization
• Systems of internal control involve tradeoffs
  between cost, benefit
• No system 100 effective
• Risk can be mitigated, not eliminated

9
Risk assessment

• Identifying vulnerabilities(??) of organization
• Systems of internal control involve tradeoffs
  between cost, benefit
• No system 100 effective
• Risk can be mitigated, not eliminated

10
Risk management

• Designing, operating internal controls that
  mitigate identified risks

11
Risk

• Combination of
• Severity of consequences
• Likelihood of occurrence
• Expected value of loss due to risk exposure
  stated numerically

12
Risk

• Combination of
• Expected value of loss due to risk exposure
  stated numerically
• Severity of consequences x Likelihood of
  occurrence
• Event Consequences
  Likelihood
• Minor penetration Annoyance
  90
• Unauthorized Public embarrassment
  
• viewing of internal Loss of customer
  8
• databases confidence
• Unauthorized PR crisis, Customer
  2
• alteration of internal defection
• databases

13
AICPA audit risk model

• Inherent risk (IR) susceptibility of objectives
  to obstacles arising from nature of objective
• Control risk (CR) controls will fail to prevent
  obstacle from interfering with objective
  achievement
• Detection risk (DR) obstacle to objective will
  not be detected before loss occurs
• Total risk (TR) IR x CR x DR

14
AICPA audit risk model

• Inherent risk (IR) susceptibility of objectives
  to obstacles arising from nature of objective
• Control risk (CR) controls will fail to prevent
  obstacle from interfering with objective
  achievement
• Detection risk (DR) obstacle to objective will
  not be detected before loss occurs
• Total risk (TR) IR x CR x DR

15
AICPA audit risk model

• Inherent risk (IR) susceptibility of objectives
  to obstacles arising from nature of objective
• Control risk (CR) controls will fail to prevent
  obstacle from interfering with objective
  achievement
• Detection risk (DR) obstacle to objective will
  not be detected before loss occurs
• Total risk (TR) IR x CR x DR

16
System of internal control

• Help manage risks
• SMA 2A, Management Accounting Glossary
• The whole system of controls (financial and
  otherwise) established by management to carry on
  the business of the enterprise in an orderly and
  efficient manner, to ensure adherence to
  management policies, safeguard the assets. And
  ensure as far as possible the completeness and
  accuracy of the records.

17
System of internal control

• Proper design, operation is managements
  responsibility
• Sarbanes-Oxley, Section 404 requires publicly
  traded companies to issue report stating
• Management takes responsibility for establishing,
  maintaining firms system of internal controls
• System has functioned effectively over reporting
  period

18
PCAOB Approach

• PCABO
• Governed by SEC
• Issued Auditing Standards
• Requires
• Express an opinion on both internal control and
  fair presentation of financial report

19
Components of Internal control
20
Internal control- COSO Framework

• Internal control is broadly defined as a
  process, effected by an entitys board of
  directors, management, and other personnel,
  designed to provide reasonable assurance
  regarding the achievement of objectives.

21
Internal control- COSO Framework

• objectives in the following categories
• Effectiveness and efficiency of operations (??)
• Reliability of financial reporting (??)
• Compliance with applicable laws and regulation
  (??)

22
COSO Framework
Category
Control Environment 1.Organizational
structure 2.Policies 3.Objectives,
goals 4.Management philosophy, operating
style 5.Assignment philosophy, operating style
??
??
??
Monitoring
?? 2
?? 4
Component
Information Communication
?? 1
?? 3
Control Activities
Risk Assessment
Control Environment
23
COSO Framework
IC Framework
ERM Framework
24
Control environment

• Components
• 1. Organizational structure
• Lines of reporting, authority designed so
  incompatible duties not combined in same job
  function
• Independent checks on performance facilitated

25
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• Stated principles require/guide/restrict action
• Promote conduct of authorized activities
• Provide satisfactory degree of assurance
• Procedures-detailed steps for carrying out

26
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• Stated principles require/guide/restrict action
• Promote conduct of authorized activities
• Provide satisfactory degree of assurance
• Procedures-detailed steps for carrying out

27
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• 3.Objectives, goals
• Realistic, achievable goals that do not tempt
  management to cross ethical boundaries

28
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• 3.Objectives, goals
• Realistic, achievable goals that do not tempt
  management to cross ethical boundaries

29
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• 3.Objectives, goals
• 4.Management philosophy, operating style
• Manifests in everyday actions
• Financial reporting
• Accounting estimates
• Selection of accounting principles

30
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• 3.Objectives, goals
• 4.Management philosophy, operating style
• Integrity, ethical values affect all aspects of
  control
• Ethical behavior results from standards, way
  theyre transmitted, how theyre reinforced

31
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• 3.Objectives, goals
• 4.Management philosophy, operating style
• Creates better risk management atmosphere
• Removing incentives for dishonest/illegal/unethica
  l behavior
• Setting example in own behavior

32
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• 3.Objectives, goals
• 4.Management philosophy, operating style
• 5.Assignment philosophy, operating style
• Improve by proper design of organizational
  structure
• Lines of reporting can reinforce proper internal
  control

33
Control environment

• Components
• 1.Organizational structure
• 2.Policies
• 3.Objectives, goals
• 4.Management philosophy, operating style
• 5.Assignment philosophy, operating style
• Improve by proper design of organizational
  structure
• Lines of reporting can reinforce proper internal
  control

34
Board of directors

• Required by most publicly held corporations
• Inside members officers, employees
• Outside members non-employees who hold stock
• Governing authority of corporation
• Responsible for establishing overall corporate
  policy

35
Board of directors

• Fiduciary duty (????) to organization,
  shareholders

36
Board of directors

• Fiduciary duty (????) to organization,
  shareholders
• Exercise reasonable care in performance of duties
• Informed about, conversant(??) with
  pertinent(???) information
• Attend meetings
• Analyze financial statements

37
Board of directors

• Fiduciary duty (????) to organization,
  shareholders
• Exercise reasonable care in performance of duties
• Informed about, conversant(??) with
  pertinent(???) information
• Attend meetings
• Analyze financial statements
• Owe duty of loyalty
• Prohibits dealing with corporation unless full
  disclosure made
• Usurping corporate opportunity w/o giving entity
  right of first refusal

38
Directors typically responsible for

• 1) Select and remove officers
• 2) Determine the capital structure
• 3) Add, amend, or repeal bylaws
• 4) Initiate fundamental changes MA
• 5) Declare dividends
• 6) Set compensation of officers

39
Audit committee

• Subcommittee of board of directors
• Helps keep external auditors independent of
  management
• Assigned selection, compensation, oversight
• Required by many stock exchanges
• Crucial that composed of only outside directors

40
Audit committee

• Subcommittee of board of directors
• Helps keep external auditors independent of
  management
• Assigned selection, compensation, oversight
• Required by many stock exchanges
• Crucial that composed of only outside directors

41
Audit committee

• Maintains control environment by approving
  charter, overseeing work of internal audit
  activity
• Insulates external, internal auditors from
  influences that may compromise independence,
  objectivity

42
Audit committee

• Maintains control environment by approving
  charter, overseeing work of internal audit
  activity
• Insulates external, internal auditors from
  influences that may compromise independence,
  objectivity

43
Importance of HR
44
Personnel

• Hiring standards
• Emphasize education. Past achievements, evidence
  of integrity, ethics
• Display commitment to employ competent,
  trustworthy people

45
Personnel

• Hiring standards
• Training policies
• Impart to employees
• Knowledge of roles, responsibilities
• Expectations about conduct, performance

46
Personnel

• Hiring standards
• Training policies
• Competence
• Knowledge, abilities necessary to complete
  required tasks

47
Personnel

• Hiring standards
• Training policies
• Competence
• Promotions
• Periodic performance appraisals reflect
  commitment to rewarding competence

48
Control Procedures

• Internal control policies for safeguarding and
  assurance

49
Control activities

• Ensure managements directives executed
• Include requisite steps to respond to risks that
  threaten attainment of objectives
• Suitably designed to prevent/detect unfavorable
  conditions
• Operate effectively

50
Control activities

• Types of control activities
• Preventive
• Locked the door
• Separate the duties
• Detective
• Petty cash count
• Physical inventory count

51
Control procedures

• Manage/limit risk in accordance w/ risk
  assessments
• Control areas
• 1.Segregation of duties, basic functional
  responsibilities
• 2.Independent checks, verification
• 3.Safeguarding controls
• 4.Prenumbered forms
• 5.Specific document flow

52
Segregation of duties

• Assigning different employees to prevent employee
  acting alone from committing error/concealing
  fraud
• Types of segregated functional responsibilities
• Authority to transactions
• Recording of transactions
• Custody of assets affected by transactions
• Periodic reconciliation of existing assets to
  recorded amounts

53
Segregation in three business cycles

• Purchase-payable cycle
• Authority to execute transaction is vested in
  purchasing department
• Recording the transaction is done by accounts
  payable
• Custody of assets is vested in warehouse
• Periodic reconciliation of assets to records is
  performed by inventory control

54
Segregation in three business cycles

• Sales-receivable cycle
• Authority to execute transaction is vested in
  sales department
• Recording the transaction is done by accounts
  receivable
• Custody of assets is vested in warehouse
• Periodic reconciliation of assets to records is
  performed by G/L

55
Segregation in three business cycles

• Payroll cycle
• Authority to execute transaction is vested in HR
  department
• Recording the transaction is done by payroll
  department
• Payroll department belongs to Financial
  department
• If belongs to HR department, HR hiring group and
  HR payroll group should be separated
• HR hiring group charges hiring, termination, and
  salary rate
• Custody of assets is vested in treasurer
• Periodic reconciliation of assets to records is
  performed by G/L

56
Independent checks, verifications

• Reconciliation of recorded accountability w/
  assets performed by part of organization either
• 1.Unconnected w/ original transaction
• 2.Without custody of assets involved

57
Independent checks, verifications

• Comparison revealing assets disagreeing w/
  recorded accountability provide evidence of
  unrecorded/improperly recorded transactions
• Converse not necessarily true
• Frequency of comparisons depends on nature,
  amount of assets involved, cost of comparison

58
Safeguarding controls

• Limit access to assets to authorized personnel
• Direct physical access
• Indirect access through preparing/processing
  documents authorizing use/disposition

59
Safeguarding controls

• Example
• 1) Lockbox system
• 2) Deposit cash receipts

60
Safeguarding controls

• Example
• 1) Lockbox system
• 2) Deposit cash receipts
• 3) Approval credit memos
• 4) Write offs of uncollectible AR
• 5) Prohibit non-IT personnel access computer
  operation

61
Sequentially prenumbered forms

• Basis for strong internal controls

62
Sequentially prenumbered forms

• Basis for strong internal controls
• All hardcopies can be accounted for
• Ascertain date, use, person who filled out
• Missing documents can be flagged
• Detect unrecorded, unauthorized transactions
  during reconciliation
• Achievable in paperless environment

63
Sequentially prenumbered forms

• Basis for strong internal controls
• All hardcopies can be accounted for
• Ascertain date, use, person who filled out
• Missing documents can be flagged
• Detect unrecorded, unauthorized transactions
  during reconciliation
• Achievable in paperless environment
• Additional procedures ensure personnel do not
  receive documents inappropriate to duties

64
Specific document flow

• Pre-numbered document flow
• Additional procedures ensure personnel do not
  receive documents inappropriate to duties

65
Compensating controls

• Replace normal controls when cannot be feasibly
  implemented
• Ex. In finance, investment cycle
• 2 people perform each function
• Provide oversight
• Periodic communications with board
• Oversight by committee of board
• Internal audits reconciliation of securities
  portfolio w/ recorded information

66
Compensating controls

• Replace normal controls when cannot be feasibly
  implemented
• Ex. In finance, investment cycle
• 2 people perform each function
• Provide oversight
• Periodic communications with board
• Oversight by committee of board
• Internal audits reconciliation of securities
  portfolio w/ recorded information

67
Fraud

• Intentional
• Pressures, incentives to engage in wrongdoing,
  opportunity
• Examples
• Fraudulent financial reporting
• Misappropriation of assets
• Internal control designed to prevent
• Concealment aspects ? controls cannot give
  absolute assurance against

68
Fraud

• Intentional
• Pressures, incentives to engage in wrongdoing,
  opportunity
• Examples
• Fraudulent financial reporting
• Misappropriation of assets
• Internal control designed to prevent
• Concealment aspects ? controls cannot give
  absolute assurance against

69
Legal Aspects of Internal Control

• Implications of the Sarbanes-Oxley Act of 2002
• U.S. Foreign Corrupt Practices Act internal
  control requirements

70
Foreign Corrupt Practices Act

• Enacted 1977 with origins in Watergate
  investigations
• Prevent secret payments of corporate funds for
  purposes that congress has determined contrary to
  public policy
• Amends Securities Exchange Act of 1934
• Prohibits domestic concern from
  offering/authorizing corrupt payments to foreign
  official/political party/official/candidate for
  foreign political office

71
Foreign Corrupt Practices Act

• Enacted 1977 with origins in Watergate
  investigations
• Prevent secret payments of corporate funds for
  purposes that congress has determined contrary to
  public policy
• Amends Securities Exchange Act of 1934
• Only political payments to foreign officials
  prohibited
• FCPA doesnt address business owners/corporate
  officers

72
Foreign Corrupt Practices Act

• Enacted 1977 with origins in Watergate
  investigations
• Prevent secret payments of corporate funds for
  purposes that congress has determined contrary to
  public policy
• Amends Securities Exchange Act of 1934
• Only political payments to foreign officials
  prohibited
• FCPA doesnt address business owners/corporate
  officers

73
Foreign Corrupt Practices Act

• Corrupt payments are for inducing recipient to
  act/refrain from acting so domestic concern might
  obtain/retain business
• Offer/promise of bribe prohibited, even if not
  consummated
• Not prohibited if recipient has no discretion in
  carrying out governmental function
• Payments allowed under written law of foreign
  country not prohibited

74
System of internal accounting control

• Public companies must make, keep books, records,
  accounts in reasonable detail that accurately,
  fairly reflect transactions, disposition of
  assets
• Provide reasonable assurance

75
System of internal accounting control

• Provide reasonable assurance
• 1.Transactions executed in accordance w/
  managements general/specific authorization
• 2.Transactions recorded as necessary
• 3.Access to assets permitted only in accordance
  w/ managements general/specific authorization
• 4.Recorded accountability for assets compared
  with existing assets at reasonable intervals,
  appropriate action taken w/ respect to differences

76
Implications of FCPA of 1977

• Extend beyond anti-bribery provisions
• All American businesses, business people involved
• Management particularly affected
• Internal control responsibility not new
• Potential for civil, criminal liabilities added
  burden

77
Written code of ethics

• Necessity
• Communicated, monitored by internal auditors for
  compliance
• Might include explanation of FCPA, its penalties
• May require written representations from
  employees that they have read, understood
  provisions

78
Sarbanes-Oxley Act of 2002

• Response to financial reporting scandals of large
  public companies
• Contains provisions that impose new
  responsibilities on public companies, their
  auditors
• Applies to issuers of publicly traded securities
  subject to federal securities law

79
Sarbanes-Oxley Act of 2002

• Response to financial reporting scandals of large
  public companies
• Contains provisions that impose new
  responsibilities on public companies, their
  auditors
• Applies to issuers of publicly traded securities
  subject to federal securities law

80
Sarbanes-Oxley Act of 2002

• Requires each member of audit committee,
  including at least one financial expert, be
  independent member of issuers board of directors
• Independent director is not affiliated with,
  receives no compensation from issuer
• Audit committee directly responsible for
  appointing, compensating, overseeing work of
  public accounting firm employed by issuer
• Reports directly to audit committee, not to
  management

81
Section 404

• Requires management to establish, document
  internal control procedures
• Include report on companys internal control over
  financial reporting in annual report

82
Internal control report

• 1.Statement of managements responsibility for
  internal control
• 2.Managements assessment of effectiveness of
  internal control as of end of most recent fiscal
  year
• 3.Identification of framework evaluating
  effectiveness of internal control

83
Internal control report

• 4.Statement whether significant changes in
  controls were made after evaluation, including
  corrective actions
• 5.Statement that external auditor issued
  attestation report on managements assessment
• Audit opinions expressed
• Internal control
• Financial statements

84
External auditor

• Attests to, reports on managements assessment
• Evaluates whether structure, procedures
• 1.Include records accurately, fairly reflecting
  firms transactions
• 2.Provide reasonable assurance transactions
  recorded to permit statements to be prepared in
  accordance w/ GAAP

85
External auditor

• Attests to, reports on managements assessment
• Evaluates whether structure, procedures
• Report describes material weaknesses in internal
  control
• Evaluation not subject of separate engagement, in
  conjunction w/ audit of financial statements

86
End
87
D.2. Internal Auditing

• a. Responsibility and authority of the internal
  audit function
• b. Types of audits conducted by internal auditors

88
The Internal audit function

• Growth, complexity led to growth in field
• Internal audit activity (IAA) basic to governance
• Some stock exchanges require all companies to
  have IAA
• Foreign Corrupt Practices Act
• Detailed, accurate accounting records
• Reasonably effective system of internal control

89
The internal audit function

• The institute of internal Auditors (IIA)
• Maintain professional standards for the practice
  worldwide
• IIA definition of internal auditing
• Internal auditing is an independent, objective
  assurance and consulting activity designed to add
  value and improve an organizations operations.
  It helps an organization accomplish its
  objectives by bringing a systematic, disciplined
  approach to evaluate and improve the
  effectiveness of risk management, control, and
  governance processes.

90
The internal audit function

• IIAs Standards
• Practice Advisories

91
The internal audit function

• IIAs Standards
• Guidance for the conduct of internal auditing
• Organizational
• Individual
• Practice Advisories

92
The internal audit function

• IIAs Standards
• Guidance for the conduct of internal auditing
• Organizational
• Individual
• Practice Advisories
• Concise, timely guidance
• Code of ethics
• Standards
• Promoting good practices

93
The internal audit function

• Organizationally independent
• Attribute of internal audit department as whole
• Objective attitude
• Attribute of auditors themselves

94
The internal audit function

• Chief executive officer (CEO)
• Chief audit executive (CAE)
• Unhindered access to board of directors

95
The internal audit function

• Charter
• Purpose, authority, responsibility of IAA
• IAAs position
• Access to records, personnel, physical properties
• Define scope of activities

96
The scope of internal auditing

• Three principal functions
• 1.Maintenance of internal control system
• 2.Improving efficiency of operations
• 3.Conduct of audit of financial statements

97
The scope of internal auditing

• Three principal functions
• 1.Maintenance of internal control system
• 2.Improving efficiency of operations
• 3.Conduct of audit of financial statements

98
The scope of internal auditing

• Internal audit specific tasks
• Improvement of risk management, control systems
• Adequacy, effectiveness of controls
• Reliability, integrity
• Effectiveness, efficiency
• Safeguarding of assets
• Compliance
• Adequate control criteria
• Fraud
• External auditor

99
Incidents

• Fraud
• Illegal acts
• Material weaknesses, significant deficiencies in
  internal control
• Significant penetrations of information security
  systems

100
Compliance auditing

• Assess compliance in specific areas
• Management response to regulatory body reviews

101
Operational auditing

• The comprehensive review of the varied functions
  within an enterprise to appraise the efficiency
  and economy of operations and the effectiveness
  with those functions achieve their objectives

102
Operational auditing

• Thorough examination of department, division,
  function, etc.
• Appraise managerial organization, performance,
  techniques
• Organizational objectives have been achieved
• Efficiency, effectiveness, economy
• Report ? existing/absence of problems

103
Operational auditing

• Organizational objectives have been achieved
• Efficiency, effectiveness, economy
• Report ? existing/absence of problems

104
Operational auditing

• Basic tools
• Financial analysis
• Observation of departmental activities
• Questionnaire interviews of departmental employees

105
Operational auditing

• Extension of financial audit
• Reviewing purchasing policies
• Appraising compliance with policies, procedures
• Appraising safety standards, equipment
  maintenance
• Reviewing production controls, scrap reporting
• Reviewing facilities adequacy

106
Internal auditing procedures

• Inquiries
• Examine documentation
• Observe
• Reperform

107
END