Chapter 8 Introduction to Internal Control Systems

1
Chapter 8Introduction to Internal Control Systems
Presentation Outline
1. Introduction 2. Internal Control Systems
Definition and Frameworks 3. Preventive,
Detective, and Corrective Controls 4. Control
Activities Within An Internal Control System 5.
Cost-Benefit Concept for Developing Controls
2
INTERNAL CONTROL SYSTEMS DEFINITION AND
FRAMEWORKS

• Internal Control is a process, implemented by an
  entitys board of directors, management and other
  personnel, designed to provide reasonable
  assurance regarding the achievement of the
  following objectives
• Safeguard assets, including preventive or
  detective, on a timely basis, the unauthorized
  acquisition, use of disposition of material
  company assets
• Ensure the reliability and accuracy of accounting
  data.
• Maintaining records in sufficient detail to
  accurately and fairly reflect company assets
• Providing accurate and reliable information
• Providing reasonable assurance that financial
  reporting is prepared in accordance with GAAP
• Promote and improve operational efficiency,
  including making sure company receipts and
  expenditures are made in accordance with
  management and directors authorizations
• Encourage adherence to prescribed managerial
  policies
• Comply with applicable laws and regulations

3
Foreign Corrupt Practices Act

• In 1977 the FCPA was passed after the Securities
  and Exchange Commission became aware of foreign
  bribes paid by publicly-held companies to secure
  export sales.
• These bribes were made possible due to lax
  internal controls.
• The goal of the FCPA was to heighten awareness in
  a sound internal control structure.
• The FCPA requires that publicly-held companies
  design and implement a system of control
  procedures that provide reasonable assurance
  that
• assets are accounted for appropriately
• transactions are in conformity to GAAP
• access to assets is properly controlled
• periodic comparisons of existing assets to the
  accounting records are made

4
Committee of Sponsoring Organizations

• As a result of the FCPA, a study was done by The
  Treadway Commission to examine the causes of
  fraudulent financial reporting and give
  recommendations to reduce its occurrence.
• The Committee of Sponsoring Organizations (COSO)
  was formed to develop a common definition for
  internal control and provide guidance for judging
  its effectiveness.

• According to the COSO, internal control......
• is a process. It is a means to an end, not an
  end in itself.
• is affected by people at every level of the
  organization.
• cannot be expected to provide more than
  reasonable assurance.
• is geared to the achievement of the entitys
  objectives in all areas, not just financial
  reporting.
• consists of interrelated components.

5
Sarbanes-Oxley Act

• In response to the wave of corporate accounting
  scandals including Enron, WorldCom, Xerox, Tyco,
  and others, Congress passed the Sarbanes-Oxley
  Act of 2002 (SOX), which may be the most sweeping
  piece of legislation to impact financial
  reporting and the accounting profession since the
  SEC Acts of 1933 and 1934. Impacts of SOX
• 1. Public Company Accounting Oversight Board
  (PCAOB).
• SOX created a five-member PCAOB which sets and
  enforces auditing, quality control, ethics,
  independence, and other standards relating to
  audit reports.
• 2. New rules for auditors (Section 201 Services
  Outside the Scope of Practice of Auditors)
• Auditors must report information such as critical
  accounting policies and practices, alternative
  GAAP treatments, and auditor-management
  disagreements to the companys audit committee.
• SOX prohibits auditors from performing non-audit
  services such as bookkeeping, information systems
  design and implementation, internal audit
  outsourcing services, management functions, and
  human resource services.
• SOX prohibits audit firm providing services to
  companies whose top management was the auditors
  of the company in the proceeding 12 months.

6
Sarbanes-Oxley Act

• 3. New rules for audit committees
• Audit committee members must be on the companys
  board of directors and be independent of the
  company.
• The audit committee hires, compensates, and
  oversees the auditors, who report directly to
  them.
• 4. New rules for management (Section 302
  Corporate Responsibility for Financial Reports)
• SOX requires the CEO and CFO to certify that
  financial statements and disclosures are fairly
  presented, were reviewed by management, and are
  not misleading.
• If management willfully and knowingly violates
  the certification, they can be imprisoned for up
  to 20 years and fined up to 5,000,000
• 5. New internal control requirements (Section
  404 Management Assessment of Internal Controls)
• SOX requires companies to issue a report
  accompanying the financial statements that states
  management is responsible for establishing and
  maintaining an adequate internal control
  structure and appropriate control procedures.
• Management must assess the companys internal
  controls and attest to their accuracy, note of
  significant defects or material noncompliance
  found during their internal control tests.
• The companys auditor must attest to as well as
  report on the managements internal control
  assessment and describe the scope of the
  auditors internal control tests.

7
Components of Internal ControlCOSOs Enterprise
Risk Management (ERM) Framework

• Five interrelated components of COSOs internal
  control model
• Control Environment
• Risk Assessment
• Control Activities
• Information Communication
• Monitoring

• Which of the following is not a component of
  internal control?
• Control risk.
• Monitoring.
• Information and communication.
• The control environment.

8
1. Control Environment

• The Control Environment establishes the tone of a
  company, influencing the control awareness of the
  companys employees.
• Factors included within the control environment
  are
• Management philosophy and operating style
• Integrity and ethical values
• Competence of employees and commitment to
  competence
• The attention and direction of the Board of
  Directors and Audit Committee
• Organizational Structure
• Assignment of authority and responsibility

• Which of the following factors are included in an
  entitys control environment?
• Audit Committee Integrity and Organizational
• Participation Ethical Values
  Structure
• Yes Yes No
• Yes No Yes
• No Yes Yes
• Yes Yes Yes

9
2. Risk Assessment

• Identify threats
• Estimate the likelihood of threat occurring
• Estimate exposure - potential dollar loss
• Expected Loss Risk/Likelihood Exposure
• Identify controls to protect from the threats
• Estimate costs/benefits
• Determine cost/benefit effectiveness

• Type of Risks/Treats
• Unintentional errors
• Deliberate errors (fraud)
• Unintentional losses of assets
• Thefts of assets
• Breaches of security
• Acts of violence

• Factors that Increase Risk Exposure
• Frequency - the more frequent an occurrence of a
  transaction the greater the exposure to risk.
• Vulnerability - liquid and/or portable assets
  contribute to risk exposure.
• Size of the potential loss - the higher the
  monetary value of a loss, the greater the risk
  exposure.

10
COST-BENEFIT CONCEPT FOR DEVELOPING CONTROLS

• An ideal control is a control procedure that
  reduces to practically zero the risk of an
  undetected error or irregularity.
• A cost-benefit analysis should be conducted in
  order to make sure that the benefits of planned
  controls exceed the cost of incorporating them in
  the system.
• Costs of controls include one time costs,
  recurring costs, additional losses caused by
  control failure and opportunity cost.

• Internal control can provide only reasonable
  assurance of achieving an entitys control
  objectives. The likelihood of achieving those
  objectives is affected by which limitation
  inherent to internal control?
• The auditors primary responsibility is the
  detection of fraud.
• The board of directors is active and independent.
• The cost of internal control should not exceed
  its benefits.
• Management monitors internal control.

11
3. Control Activities

• Control policies and procedures must be
  established and executed to help ensure that the
  actions identified by management as necessary to
  address risks are effectively carried out.

12
4. Information and Communication

• Surrounding the control activities are
  information and communication systems that enable
  the organization to capture and exchange the
  information needed to conduct, manage, and
  control its operations.
• The term information refers to the accounting
  system, which includes that methods and records
  used to record, process, summarize, and report a
  companys transactions and maintain
  accountability for assets, liabilities and
  equity.
• Communication refers to providing a companys
  personnel with an understanding of their roles
  and responsibilities pertaining to internal
  control over financial reporting.

13
5. Monitoring

• The entire process must be monitored, and
  modified as necessary so the system can react
  dynamically and change as conditions warrant.
• Monitoring of performance is done by
• Internal audit
• Responsibility accounting
• Supervision

14
TYPES OF CONTROL PROCEDURES

• Control Procedures may be classified according to
  their intended uses (functions) in a system
• Preventive Controls - designed to prevent some
  potential problem from occurring when an activity
  is performed
• Examples hiring qualified personnel,
  appropriately segregating duties, controlling
  physical access to assets, facilities, and
  information
• Detective Controls - discover the occurrence of
  adverse events such as operational inefficiency.
• Examples duplicate checking of calculations and
  preparing bank reconciliations and monthly trial
  balances
• Corrective controls - designed to remedy problems
  discovered through detective controls.
• Examples maintaining backup copies of
  transaction files and master files and adhering
  to procedures for correcting data entry errors

15
CONTROL ACTIVITIES WITHIN AN INTERNAL CONTROL
SYSTEM

• Good Audit Trail
• Sound Personnel Policies and Practices
• Segregation of Duties
• Physical Protection of Assets
• Internal Reviews of Controls
• Timely Performance Reports

16
1. Good Audit Trail

• An audit trail enables auditors and accountants
  within the organization to follow the path of
  transaction data from source documents to
  ultimate disposition in a financial report and
  vice-versa.
• Without a good audit trail, it is more likely
  that errors and irregularities in processing data
  will not be detected.
• To establish its audit trail, a company needs
• A chart of accounts that describes the purpose of
  each ledger account
• A complete description of the types of source
  documents and the correct procedures to prepare
  and approve the data for these documents
• A comprehensive description of the authority and
  responsibilities each individual is assigned.

17
2. Sound Personnel Policies and Practices

• Examples of sound personnel policies are
• specific hiring procedures
• supervision
• rotating of duties for key employees
• enforced vacations
• regular performance reviews
• proper training
• fidelity bond coverage on those employees who
  handle liquid assets.

18
3. Segregation of Duties

• Segregating activities and responsibilities of a
  companys employees allows different people to
  perform various tasks of a specific transaction.
• The main functions that should be kept separate
  are custody of assets, recording transactions,
  and authorizing transactions.

• Proper segregation of duties reduces the
  opportunities to allow persons to be in positions
  both to
• Journalize entries and prepare financial
  statements.
• Record cash receipts and cash disbursements.
• Establish internal control and authorize
  transactions.
• Perpetrate and conceal errors and fraudulent acts.

• Proper segregation of functional responsibilities
  to achieve effective internal control calls for
  separation of the functions of
• Authorization, execution, and payment.
• Authorization, recording, and custody.
• Custody, execution, and reporting.
• Authorization, payment, and recording.

19
3. Segregation of Duties

• The Gardner Company, a client of your firm, has
  come to you with the following problem It has
  three clerical employees, who must perform the
  following functions
• Maintain the general ledger
• Maintain the accounts payable ledger
• Maintain the accounts receivable ledger
• Prepare checks for signature
• Maintain the disbursements journal
• Issue credits on returns and allowances
• Reconcile the bank account
• Handle and deposit cash receipts
• Assuming equal abilities among the three
  employees, the company asks you to assign the
  eight functions to them to maximize internal
  control. Assume that these employees will perform
  no accounting functions other than the ones
  listed.
• List four possible unsatisfactory pairings of the
  functions
• State how you would distribute the functions
  among the three employees.

20
4. Physical Protection of Assets

• Keeping a companys assets in a safe physical
  location minimizes the risk of damage to the
  assets or theft by employees or outsiders.
• A voucher system is an example of an accounting
  control procedure that protects against
  unauthorized cash disbursements.
• A petty cash fund may be used for small
  expenditures where writing a check would be
  inefficient.

• An independent auditor is concerned with controls
  designed to safeguard assets that are relevant to
  the reliability of financial reporting. Adequate
  safeguards over access to and use of assets means
  protection from
• Any management decision that would unprofitably
  use company resources.
• Only those losses arising from fraud.
• Losses such as those arising from setting a
  product price too low and subsequently realizing
  operating losses from the products sale.
• Losses arising from access by unauthorized
  persons.

21
5. Internal Reviews of Controls

• Internal audit is a service function within many
  large companies.
• As a separate subsystem, they report to
  high-level management or to the board of
  directors in order to remain independent and
  objective.
• They perform periodic reviews, called operational
  audits, on each department within the
  organization in order to evaluate the efficiency
  and effectiveness of that particular department.

22
6. Timely Performance Reports

• Performance reports provide information to
  management on how efficiently and effectively its
  companys internal controls are functioning.
• These reports should provide timely feedback to
  management on the success or failure of the
  companys internal controls.

23
8-16 Alden, Inc. Internal Control Case

• You have been hired by the management of Alden,
  Inc., to review its control procedures for the
  purchase, receipt, storage, and issuance of raw
  materials. You prepared the following comments,
  which describe Aldens procedures.
• Raw materials, which consist mainly of high-cost
  electronic components, are kept in a locked
  storeroom. Storeroom personnel include a
  supervisor and four clerks. All are well trained,
  competent, and adequately bonded. Raw materials
  are removed from the storeroom only upon written
  or oral authorization from one of the production
  foremen.
• There are no perpetual inventory records hence,
  the storeroom clerks do not keep records of goods
  received or issued. To compensate for the lack of
  perpetual records, a physical inventory count is
  taken monthly by the storeroom clerks, who are
  well supervised. Appropriate procedures are
  followed in making the inventory count.
• After the physical count, the storeroom
  supervisor matches quantities counted against a
  predetermined reorder level. If the count for a
  given part is below the reorder level, the
  supervisor enters the part number on a materials
  requisition list and sends this list to the
  accounts payable clerk. The accounts payable
  clerk prepares a purchase order for a
  predetermined reorder quantity for each part and
  mails the purchase order to the vendor from whom
  the part was last purchased.
• When ordered materials arrive at Alden, they are
  received by the storeroom clerks. The clerks
  count the merchandise and see that the counts
  agree with the shippers bill of lading. All
  vendors bill of lading are initialed, dated, and
  files in the storeroom to serve as receiving
  reports.