Internal Control • Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm’s objectives will be achieved • These controls encompass all the measures and practices that are used to counteract exposures to risks • The control framework is called the Internal Control Structure
Objectives of the Internal Control Structure • Promoting Effectiveness and Efficiency of Operations • Reliability of Financial Reporting • Safeguarding assets • Checking the accuracy and reliability of accounting data • Compliance with applicable laws and regulations • Encouraging adherence to prescribed managerial policies
Components and Major Considerations of the IC Structure • Internal Control Structure: • Control Environment • Risk Assessment • Control Activities • Activities related to Financial Reporting • Activities related to Information Processing (General Controls, Application Controls) • Information & Communication • Monitoring
Control Environment • The Control Environment establishes the tone of a company, influencing the control consciousness of its employees • It is comprised of seven components: • Management philosophy and operating style • Integrity and ethical values • Commitment to competence • The Board of Directors and the Audit Committee • Organizational Structure • Assignment of authority and responsibility • Human resources policies and practices • External Influences
Highlights of CE Components - I • Management Philosophy and Operating Style • Does management emphasize short-term profits and operating goals over long-term goals? • Is management dominated by one or a few individuals? • What type of business risks does management take and how are these risks managed? • Is management conservative or aggressive toward selecting from available alternative accounting principles?
Highlights of CE Components - II • Organization Structure • Is an up-to-date organization chart prepared, showing the names of key personnel? • Is the information systems function separated from incompatible functions? • How is the accounting department organized? • Is the internal audit function separate and distinct from accounting? • Do subordinate managers report to more than one supervisor?
Highlights of CE Components - III • Assignment of Authority and Responsibility • Does the company prepare written employee job descriptions defining specific duties and reporting relationships? • Is written approval required for changes made to information systems? • Does the company clearly delineate for employees and managers the boundaries of authority-responsibility relationships? • Does the company properly delegate authority to employees and departments?
Highlights of CE Components - IV • Human Resource Policies and Practices • Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct? • Is the company in compliance with the ADA? The EEOA? • Are Grievance Procedures to manage conflict in force? • Does the company maintain a sound Employee Relations program? • Do employees work in a safe, healthy environment? • Are Counseling Programs available to employees? • Are proper Separation Programs in force for employees who leave the firm? • Are critical employees Bonded?
Key Functions Performed by Audit Committees • Establish an Internal Audit Department • Review the Scope and Status of Audits • Review Audit Findings with the Board and ensure that Management has taken proper action recommended in the Audit Report and Letter of Reportable Conditions • Maintain a direct Line of Communication among the Board, Management, External and Internal Auditors, and periodically arrange Meetings among the parties
Key Functions Performed by Audit Committees • Review the Audited Financial Statements with the Internal Auditors and the Board of Directors • Require periodic Quality Reviews of the operations of the Internal Audit Departments to identify areas needing improvement • Supervise special investigations, such as Fraud Investigations • Assess the performance of Financial Management • Require the Review of Compliance with Laws and Regulations and with Corporate Codes of Conduct
Risk Assessment • Top management must be directly involved in Business Risk Assessment. • This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units and the formation of a plan to determine how to manage the risks.
Control Activities - I • Control Activities as related to Financial Reporting may be classified according to their intended uses in a system: • Preventive Controls block adverse events, such as errors or losses, from occurring • Detective Controls discover the occurrence of adverse events such as operational inefficiency • Corrective controls are designed to remedy problems discovered through detective controls • Security Measures are intended to provide adequate safeguards over access to and use of assets and data records
Control Activities - II • Control Activities relating to Information Processing may also be classified according to where they will be applied within the system • General controls are those controls that pertain to all activities involving a firm’s AIS and assets • Application controls relate to specific accounting tasks or transactions • The overall trend seems to be going from specific application controls to more global general controls
Control Activities - III • Performance Reviews • Comparing Budgets to Actual Values • Relating Different Sets of Data-Operating or Financial-to one another, together with Analyses of the relationships and Investigative and Corrective Actions • Reviewing Functional Performance such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections
Information & Communication • All Transactions entered for processing are Valid and Authorized • All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions • The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms • All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets • All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information • All transactions are recorded in the proper Accounting Period
Risk • Business firms face risks that reduce the chances of achieving their control objectives. • Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers. • Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Some Typical Sources of Risk - I • Clerical and Operational Employees, who process transactional data and have access to Assets • Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed • Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions
Some Typical Sources of Risk - II • Former Employees, who may still understand the Control Structure and may harbor grudges against the firm • Customers and Suppliers, who generate many of the transactions processed by the firm • Competitors, who may desire to acquire confidential information of the firm • Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm’s data or its assets or to commit destructive acts • Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns
Types of Risks • Unintentional errors • Deliberate Errors (Fraud) • Unintentional Losses of Assets • Thefts of assets • Breaches of Security • Acts of Violence and Natural Disasters
Factors that Increase Risk Exposure • Frequency - the more frequent an occurrence of a transaction the greater the exposure to risk • Vulnerability - liquid and/or portable assets contribute to risk exposure • Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure
Problem Conditions Affecting Risk Exposures • Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures • Lack of Enforcement - Management may not prosecute wrongdoers because of the potential embarrassment • Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect
Computer Crime • Computer crime (computer abuse) is the use of a computer to deceive for personal gain. • Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss. • It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.
Examples of Computer Crime • Theft of Computer Hardware & Software • Unauthorized Use of Computer Facilities for Personal Use • Fraudulent Modification or Use of Data or Programs
Reasons Why Computers Cause Control Problems • Processing is Concentrated • Audit Trails may be Undermined • Human Judgment is bypassed • Data are stored in Device-Oriented rather than Human-Oriented forms • Invisible Data • Stored data are Erasable • Data are stored in a Compressed form • Stored data are relatively accessible • Computer Equipment is Powerful but Complex and Vulnerable
Feasibility of Controls • Audit Considerations • Cost-Benefit Considerations • Determine Specific Computer Resources Subject to Control • Determine all Potential Threats to the company’s Computer System • Assess the Relevant Risks to which the firm is exposed • Measure the Extent of each Relevant Risk exposure in dollar terms • Multiply the Estimated Effect of each Relevant Risk Exposure by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year • Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure • Compare the Benefits against the Costs of Each Control
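The cost-benefit steps above, worked through as an added example that is not part of the original slides. The exposures, dollar figures and control names are constructed, and the `reduction` field (the share of expected loss a control is assumed to avoid) is an assumption the slide does not state.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    name: str
    loss_per_event: float    # estimated effect of one occurrence, in dollars
    events_per_year: float   # estimated frequency over a one-year period
    control: str             # control proposed to counter this exposure
    control_cost: float      # yearly cost of installing and maintaining it
    reduction: float = 1.0   # ASSUMPTION: fraction of expected loss avoided

    def expected_loss(self) -> float:
        # Estimated effect multiplied by estimated frequency
        return self.loss_per_event * self.events_per_year

    def net_benefit(self) -> float:
        # Benefit (loss avoided) compared against the cost of the control
        return self.expected_loss() * self.reduction - self.control_cost

def evaluate(exposures):
    """Rank exposures by net benefit and flag controls that do not pay off."""
    ranked = sorted(exposures, key=lambda e: e.net_benefit(), reverse=True)
    return [
        {
            "exposure": e.name,
            "control": e.control,
            "expected_loss": round(e.expected_loss(), 2),
            "net_benefit": round(e.net_benefit(), 2),
            "justified": e.net_benefit() > 0,
        }
        for e in ranked
    ]

# Constructed sample data: one frequent low-value error, one theft risk,
# and one rare but large natural-disaster loss.
SAMPLE = [
    Exposure("Invoice keying errors", 40, 1500, "Input edit checks", 12_000, 0.8),
    Exposure("Laptop theft", 2_500, 4, "Cable locks and asset tags", 3_000, 0.5),
    Exposure("Data centre flood", 2_000_000, 0.01, "Dedicated hot site", 150_000, 0.9),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

With these constructed figures the rare flood has a larger expected loss than laptop theft, yet its control still fails the comparison because the control costs far more than the loss it avoids.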
Legislation • The Foreign Corrupt Practices Act of 1977 • Of the Federal Legislation governing the use of computers, The Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important • This act makes it a federal crime to intentionally access a computer for such purposes as: (1) obtaining top-secret military information, personal, financial or credit information • (2) committing a fraud • (3) altering or destroying federal information
Methods for Thwarting Computer Abuse • Enlist top-management support so that awareness of computer abuse will filter down through management ranks. • Implement and enforce control procedures. • Increase employee awareness of the seriousness of computer abuse, the amount of costs, and the disruption it creates. • Establish a code of conduct. • Be aware of the common characteristics of most computer abusers.
Methods for Thwarting Computer Abuse • Recognize the symptoms of computer abuse such as: • behavioral or lifestyle changes in an employee • accounting irregularities such as forged, altered or destroyed input documents or suspicious accounting adjustments • absent or ignored control procedures • the presence of many odd or unusual anomalies that go unchallenged • Encourage ethical behavior
Control Problems Caused by Computerization: Data Collection Manual System Computer-based System
Control Problems Caused by Computerization: Data Processing Manual System Computer-based System
Control Problems Caused by Computerization: Data Storage & Retrieval Manual System Computer-based System
Control Problems Caused by Computerization: Information Generation Manual System Computer-based System
Control Problems Caused by Computerization: Equipment Manual System Computer-based System
Internal Control and Accountants’ Roles Accountants as Managers – Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) require: • Management to prepare a statement describing and assessing the company’s internal control system
Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) require: • Annual reports of public companies to include: (1) a statement that management is responsible for internal controls over financial reporting,
Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) require: • Annual reports of public companies to include: (2) a statement identifying the framework used by management to evaluate internal controls,
Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) require: • Annual reports of public companies to include: (3) an assessment of internal controls and disclosure of any material weaknesses, and
Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) require: • Annual reports of public companies to include: (4) a statement that a public accounting firm has issued an attestation report on management’s assessment of internal control.
Internal Control and Accountants’ Roles Accountants as Users – Must understand a company’s internal controls to apply them correctly.
Internal Control and Accountants’ Roles Accountants as Designers of internal control procedures – Must understand a company’s internal controls in working to achieve compliance with regulations and company objectives and to minimize risks
Internal Control and Accountants’ Roles Accountants as Evaluators – Must understand internal control systems to: • Help develop management’s report that assesses internal controls (as internal auditors) • Prepare an attestation to management’s statement about internal control (as external auditors) • Conduct the audit of a company’s financial statements (as external auditors)
Framework for Studying Internal Control • Components of internal control (the COSO Report) • Internal control objectives • Risk assessment
Framework for Studying Internal Control The COSO Report: • 5 interrelated components of internal control: • Control environment • Risk assessment • Control activities • Information and communication • Monitoring
Internal Control Components and Objectives Internal control: • Execution objectives – 2 execution objectives for the revenue cycle: • Ensure proper delivery of goods and services • Ensure proper collection and handling of cash 2 execution objectives for the acquisition cycle: • Ensure proper receiving of goods and services • Ensure proper payment and handling of cash
Internal Control Components and Objectives Internal control: • Information system objectives - • Focus on recording, updating, and reporting accounting information • Important for ensuring effective execution of transactions
Internal Control Components and Objectives Internal control: • Asset protection objectives - • Focus on safeguarding assets to minimize risk of theft or loss of assets
Internal Control Components and Objectives Internal control: • Performance objectives – • Focus on achieving favorable performance of an organization, person, department, product, or service • Established to ensure effective operations