Title: Chapter 8 Introduction to Internal Control Systems
Presentation Outline
1. Introduction
2. Internal Control Systems Definition and Frameworks
3. Preventive, Detective, and Corrective Controls
4. Control Activities Within An Internal Control System
5. Cost-Benefit Concept for Developing Controls
INTERNAL CONTROL SYSTEMS DEFINITION AND FRAMEWORKS
- Internal Control is a process, implemented by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives:
  - Safeguard assets, including preventing or detecting, on a timely basis, the unauthorized acquisition, use or disposition of material company assets
  - Ensure the reliability and accuracy of accounting data.
    - Maintaining records in sufficient detail to accurately and fairly reflect company assets
    - Providing accurate and reliable information
    - Providing reasonable assurance that financial reporting is prepared in accordance with GAAP
  - Promote and improve operational efficiency, including making sure company receipts and expenditures are made in accordance with management and directors' authorizations
  - Encourage adherence to prescribed managerial policies
  - Comply with applicable laws and regulations
Foreign Corrupt Practices Act
- In 1977 the FCPA was passed after the Securities and Exchange Commission became aware of foreign bribes paid by publicly-held companies to secure export sales.
- These bribes were made possible due to lax internal controls.
- The goal of the FCPA was to heighten awareness of the need for a sound internal control structure.
- The FCPA requires that publicly-held companies design and implement a system of control procedures that provide reasonable assurance that:
  - assets are accounted for appropriately
  - transactions are in conformity to GAAP
  - access to assets is properly controlled
  - periodic comparisons of existing assets to the accounting records are made
Committee of Sponsoring Organizations
- As a result of the FCPA, a study was done by The Treadway Commission to examine the causes of fraudulent financial reporting and give recommendations to reduce its occurrence.
- The Committee of Sponsoring Organizations (COSO) was formed to develop a common definition for internal control and provide guidance for judging its effectiveness.
- According to the COSO, internal control ...
  - is a process. It is a means to an end, not an end in itself.
  - is affected by people at every level of the organization.
  - cannot be expected to provide more than reasonable assurance.
  - is geared to the achievement of the entity's objectives in all areas, not just financial reporting.
  - consists of interrelated components.
Sarbanes-Oxley Act
- In response to the wave of corporate accounting scandals including Enron, WorldCom, Xerox, Tyco, and others, Congress passed the Sarbanes-Oxley Act of 2002 (SOX), which may be the most sweeping piece of legislation to impact financial reporting and the accounting profession since the SEC Acts of 1933 and 1934.
Impacts of SOX
- 1. Public Company Accounting Oversight Board (PCAOB).
  - SOX created a five-member PCAOB which sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
- 2. New rules for auditors (Section 201: Services Outside the Scope of Practice of Auditors)
  - Auditors must report information such as critical accounting policies and practices, alternative GAAP treatments, and auditor-management disagreements to the company's audit committee.
  - SOX prohibits auditors from performing non-audit services such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services.
  - SOX prohibits an audit firm from providing services to companies whose top management were the auditors of the company in the preceding 12 months.
Sarbanes-Oxley Act
- 3. New rules for audit committees
  - Audit committee members must be on the company's board of directors and be independent of the company.
  - The audit committee hires, compensates, and oversees the auditors, who report directly to them.
- 4. New rules for management (Section 302: Corporate Responsibility for Financial Reports)
  - SOX requires the CEO and CFO to certify that financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
  - If management willfully and knowingly violates the certification, they can be imprisoned for up to 20 years and fined up to $5,000,000.
- 5. New internal control requirements (Section 404: Management Assessment of Internal Controls)
  - SOX requires companies to issue a report accompanying the financial statements that states management is responsible for establishing and maintaining an adequate internal control structure and appropriate control procedures.
  - Management must assess the company's internal controls and attest to their accuracy, and note any significant defects or material noncompliance found during their internal control tests.
  - The company's auditor must attest to as well as report on the management's internal control assessment and describe the scope of the auditor's internal control tests.
Components of Internal Control: COSO's Enterprise Risk Management (ERM) Framework
- Five interrelated components of COSO's internal control model:
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information and Communication
  - Monitoring
- Which of the following is not a component of internal control?
  - Control risk.
  - Monitoring.
  - Information and communication.
  - The control environment.
1. Control Environment
- The Control Environment establishes the tone of a company, influencing the control awareness of the company's employees.
- Factors included within the control environment are:
  - Management philosophy and operating style
  - Integrity and ethical values
  - Competence of employees and commitment to competence
  - The attention and direction of the Board of Directors and Audit Committee
  - Organizational Structure
  - Assignment of authority and responsibility
- Which of the following factors are included in an entity's control environment?
  - Audit Committee Participation: Yes; Integrity and Ethical Values: Yes; Organizational Structure: No
  - Audit Committee Participation: Yes; Integrity and Ethical Values: No; Organizational Structure: Yes
  - Audit Committee Participation: No; Integrity and Ethical Values: Yes; Organizational Structure: Yes
  - Audit Committee Participation: Yes; Integrity and Ethical Values: Yes; Organizational Structure: Yes
2. Risk Assessment
- Identify threats
- Estimate the likelihood of threat occurring
- Estimate exposure - potential dollar loss
- Expected Loss = Risk (Likelihood) × Exposure
- Identify controls to protect from the threats
- Estimate costs/benefits
- Determine cost/benefit effectiveness
- Types of Risks/Threats
  - Unintentional errors
  - Deliberate errors (fraud)
  - Unintentional losses of assets
  - Thefts of assets
  - Breaches of security
  - Acts of violence
- Factors that Increase Risk Exposure
  - Frequency - the more frequent an occurrence of a transaction, the greater the exposure to risk.
  - Vulnerability - liquid and/or portable assets contribute to risk exposure.
  - Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure.
COST-BENEFIT CONCEPT FOR DEVELOPING CONTROLS
- An ideal control is a control procedure that reduces to practically zero the risk of an undetected error or irregularity.
- A cost-benefit analysis should be conducted in order to make sure that the benefits of planned controls exceed the cost of incorporating them in the system.
- Costs of controls include one-time costs, recurring costs, additional losses caused by control failure and opportunity cost.
- Internal control can provide only reasonable assurance of achieving an entity's control objectives. The likelihood of achieving those objectives is affected by which limitation inherent to internal control?
  - The auditor's primary responsibility is the detection of fraud.
  - The board of directors is active and independent.
  - The cost of internal control should not exceed its benefits.
  - Management monitors internal control.
3. Control Activities
- Control policies and procedures must be
established and executed to help ensure that the
actions identified by management as necessary to
address risks are effectively carried out.
4. Information and Communication
- Surrounding the control activities are information and communication systems that enable the organization to capture and exchange the information needed to conduct, manage, and control its operations.
- The term information refers to the accounting system, which includes the methods and records used to record, process, summarize, and report a company's transactions and maintain accountability for assets, liabilities and equity.
- Communication refers to providing a company's personnel with an understanding of their roles and responsibilities pertaining to internal control over financial reporting.
5. Monitoring
- The entire process must be monitored, and modified as necessary so the system can react dynamically and change as conditions warrant.
- Monitoring of performance is done by:
  - Internal audit
  - Responsibility accounting
  - Supervision
TYPES OF CONTROL PROCEDURES
- Control Procedures may be classified according to their intended uses (functions) in a system:
  - Preventive Controls - designed to prevent some potential problem from occurring when an activity is performed
    - Examples: hiring qualified personnel, appropriately segregating duties, controlling physical access to assets, facilities, and information
  - Detective Controls - discover the occurrence of adverse events such as operational inefficiency.
    - Examples: duplicate checking of calculations and preparing bank reconciliations and monthly trial balances
  - Corrective controls - designed to remedy problems discovered through detective controls.
    - Examples: maintaining backup copies of transaction files and master files and adhering to procedures for correcting data entry errors
CONTROL ACTIVITIES WITHIN AN INTERNAL CONTROL SYSTEM
- Good Audit Trail
- Sound Personnel Policies and Practices
- Segregation of Duties
- Physical Protection of Assets
- Internal Reviews of Controls
- Timely Performance Reports
1. Good Audit Trail
- An audit trail enables auditors and accountants within the organization to follow the path of transaction data from source documents to ultimate disposition in a financial report and vice-versa.
- Without a good audit trail, it is more likely that errors and irregularities in processing data will not be detected.
- To establish its audit trail, a company needs:
  - A chart of accounts that describes the purpose of each ledger account
  - A complete description of the types of source documents and the correct procedures to prepare and approve the data for these documents
  - A comprehensive description of the authority and responsibilities each individual is assigned.
2. Sound Personnel Policies and Practices
- Examples of sound personnel policies are
- specific hiring procedures
- supervision
- rotating of duties for key employees
- enforced vacations
- regular performance reviews
- proper training
- fidelity bond coverage on those employees who
handle liquid assets.
3. Segregation of Duties
- Segregating activities and responsibilities of a company's employees allows different people to perform various tasks of a specific transaction.
- The main functions that should be kept separate are custody of assets, recording transactions, and authorizing transactions.
- Proper segregation of duties reduces the opportunities to allow persons to be in positions both to
  - Journalize entries and prepare financial statements.
  - Record cash receipts and cash disbursements.
  - Establish internal control and authorize transactions.
  - Perpetrate and conceal errors and fraudulent acts.
- Proper segregation of functional responsibilities to achieve effective internal control calls for separation of the functions of
  - Authorization, execution, and payment.
  - Authorization, recording, and custody.
  - Custody, execution, and reporting.
  - Authorization, payment, and recording.
3. Segregation of Duties
- The Gardner Company, a client of your firm, has come to you with the following problem: It has three clerical employees, who must perform the following functions:
  - Maintain the general ledger
  - Maintain the accounts payable ledger
  - Maintain the accounts receivable ledger
  - Prepare checks for signature
  - Maintain the disbursements journal
  - Issue credits on returns and allowances
  - Reconcile the bank account
  - Handle and deposit cash receipts
- Assuming equal abilities among the three employees, the company asks you to assign the eight functions to them to maximize internal control. Assume that these employees will perform no accounting functions other than the ones listed.
  - List four possible unsatisfactory pairings of the functions
  - State how you would distribute the functions among the three employees.
4. Physical Protection of Assets
- Keeping a company's assets in a safe physical location minimizes the risk of damage to the assets or theft by employees or outsiders.
- A voucher system is an example of an accounting control procedure that protects against unauthorized cash disbursements.
- A petty cash fund may be used for small expenditures where writing a check would be inefficient.
- An independent auditor is concerned with controls designed to safeguard assets that are relevant to the reliability of financial reporting. Adequate safeguards over access to and use of assets means protection from
  - Any management decision that would unprofitably use company resources.
  - Only those losses arising from fraud.
  - Losses such as those arising from setting a product price too low and subsequently realizing operating losses from the product's sale.
  - Losses arising from access by unauthorized persons.
5. Internal Reviews of Controls
- Internal audit is a service function within many large companies.
- As a separate subsystem, they report to high-level management or to the board of directors in order to remain independent and objective.
- They perform periodic reviews, called operational audits, on each department within the organization in order to evaluate the efficiency and effectiveness of that particular department.
6. Timely Performance Reports
- Performance reports provide information to management on how efficiently and effectively its company's internal controls are functioning.
- These reports should provide timely feedback to management on the success or failure of the company's internal controls.
8-16 Alden, Inc. Internal Control Case
- You have been hired by the management of Alden, Inc., to review its control procedures for the purchase, receipt, storage, and issuance of raw materials. You prepared the following comments, which describe Alden's procedures.
- Raw materials, which consist mainly of high-cost electronic components, are kept in a locked storeroom. Storeroom personnel include a supervisor and four clerks. All are well trained, competent, and adequately bonded. Raw materials are removed from the storeroom only upon written or oral authorization from one of the production foremen.
- There are no perpetual inventory records; hence, the storeroom clerks do not keep records of goods received or issued. To compensate for the lack of perpetual records, a physical inventory count is taken monthly by the storeroom clerks, who are well supervised. Appropriate procedures are followed in making the inventory count.
- After the physical count, the storeroom supervisor matches quantities counted against a predetermined reorder level. If the count for a given part is below the reorder level, the supervisor enters the part number on a materials requisition list and sends this list to the accounts payable clerk. The accounts payable clerk prepares a purchase order for a predetermined reorder quantity for each part and mails the purchase order to the vendor from whom the part was last purchased.
- When ordered materials arrive at Alden, they are received by the storeroom clerks. The clerks count the merchandise and see that the counts agree with the shipper's bill of lading. All vendors' bills of lading are initialed, dated, and filed in the storeroom to serve as receiving reports.