Date post: 11-Jan-2016
Category: Documents
Upload: grace-powell
Chapter 7: Control and Accounting Information Systems
UAA – ACCT 316 Accounting Information Systems
Dr. Fred Barbee
Introduction to Internal Control
Internal Control . . .
Can an information system operate without internal controls?
Perhaps.
Will the organization attain its objectives?
Perhaps.
Why Internal Control?
Why Controls . . .
To Ensure system goals are achieved
To Lessen the risk of unwanted outcomes
Controls . . .
What are the goals that internal control is designed to achieve?
What are the typical business risks that the organization should try to avoid?
What are the goals that internal control is designed to help achieve?
Question
Internal Control Goals
The National Commission on Fraudulent Financial Reporting appointed the Committee of Sponsoring Organizations (COSO) to study internal control.
Internal Control Goals
COSO entity objectives . . .
Operations - relating to effective and efficient use of an entity’s resources.
Financial Reporting - relating to preparation of reliable financial reports.
Compliance - relating to the entity’s compliance with applicable laws and regulations.
What are the typical business risks that an organization should try to avoid?
Question
What is Risk?
The dictionary defines risk as . . .
Hazard; peril; exposure to loss or injury.
What is an exposure?
Exposure . . .
. . . the potential financial effect of an event multiplied by its probability of occurrence.
Exposure = Potential Financial Effect of an Event X Probability of Occurrence
Risk Analysis
THREAT * EXPOSURE * RISK = EXPECTED LOSS
Internal Controls
Controls . . .
An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence.
$5,000,000 (Potential Financial Effect of an Event) X 5% (Probability of Occurrence) = $250,000 (Exposure)
Direct Material Variances
An example of a control system in accounting
AQ X AP | AQ X SP | SQ X SP
Rate Variance: between AQ X AP and AQ X SP
Quantity Variance: between AQ X SP and SQ X SP
Common Business Exposures
Erroneous Record Keeping
Unacceptable Accounting
Business Interruptions
Erroneous Management Decisions
Fraud and Embezzlement
Statutory Sanctions
Excessive Costs
Loss/Destruction of Resources
Competitive Disadvantage
What are the legal responsibilities of management?
Or, what are we supposed to do?
The establishment and maintenance of a system of internal controls is an important management obligation.
The SEC . . .
A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.
The SEC . . .
Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.
The SEC . . .
Legal Responsibilities
Management is legally responsible for establishing and maintaining an adequate system of internal control.
An adequate system of internal control is necessary to management’s discharge of these obligations.
The SEC . . .
OK, so what if management doesn’t do this? What then?
Enter . . .
The Foreign Corrupt Practices Act
FCPA Legal Requirement
Make and keep books, records, and accounts that, in reasonable detail, accurately and fairly reflect the transactions of the registrant and the disposition of its assets.
FCPA Legal Requirement
Design and maintain a system of internal accounting controls sufficient to provide reasonable assurances that certain specified objectives are met.
The Internal Control Structure . . .
What is Internal Control?
Standards of Field Work
The Field Work standards are so named because they pertain primarily to the conduct of the audit at the client’s place of business; that is, in the field.
Second Standard of Field Work
A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.
Defining Internal Control
Reviewing the Literature
1949 Committee on Auditing Procedure
A system of internal control should be designed to achieve objectives that are both operational and accounting in nature.
Defining Internal Control
The 1958 definition was the first to differentiate between accounting controls and administrative controls, a distinction that is very important to independent auditors.
In 1963, chapter 5 of Statement on Auditing Procedure No. 33 attempted to clarify the distinction between administrative and accounting controls, stating that the independent auditor is primarily concerned with the latter when applying generally accepted auditing standards.
After 1963, there continued to be confusion concerning the scope of the auditor’s responsibility as it related to safeguarding of assets and the reliability of financial statements.
So . . . What is Internal Control?
Cohen Commission Report
Published annual reports should contain a report in which corporate management discloses the condition of the company’s internal control system.
Internal Control
Some Recent Additions
Internal Control . . .
Information Systems Audit and Control Foundation – Control Objectives for Information and Related Technology (COBIT)
Audience: Management; Users; IS Auditors
Focus: Information Technology
Responsibility: Management
Size: 187 Pages – 4 Documents
COBIT
Internal Control Viewed as:
A set of processes including policies, procedures, practices, and organizational structure.
www.isaca.org/bkr_cbt3.htm
Internal Control Objectives
Effective & efficient operations
Confidentiality, integrity & availability of information
Reliable financial reporting
Compliance with laws and regulations
Internal Control . . .
Institute of Internal Auditors Research Foundation’s Systems Auditability and Control (SAC)
Audience: Internal Auditors
Focus: Information Technology
Responsibility: Management
Size: 1,193 pages in 12 modules
Systems Auditability and Control
Internal Control Viewed as . . .
Set of processes, subsystems, and people.
www.theiia.org
Internal Control Objectives
Effective & efficient operations
Reliable financial reporting
Compliance with laws and regulations
Internal Control . . .
The Committee of Sponsoring Organizations of the Treadway Commission
Internal Control – Integrated Framework
Audience: Management
Focus: Overall Entity
Responsibility: Management
Size: 353 pages in 4 volumes
COSO
Internal control viewed as a process.
www.coso.org
COSO
Internal control objectives:
Effective and efficient operations
Reliable financial reporting
Compliance with laws and regulations
COSO
Internal Control . . .
American Institute of Certified Public Accountants – Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55)
Audience: External Auditors
Focus: Financial Statement
Responsibility: Management
Size: 63 pages in 2 documents
SAS 55 & SAS 78
SAS 55/78
Internal control viewed as a process.
www.aicpa.org
SAS 55/78
Internal control objectives:
Effective and efficient operations
Reliable financial reporting
Compliance with laws and regulations
National Commission on Fraudulent Financial Reporting
The Treadway Commission
Treadway Commission
Emphasized the importance of internal control. Specifically . . .
The control environment;
Codes of conduct;
Audit committees; and
The internal audit function
Treadway Commission
The commission reaffirmed the Cohen Commission’s call for management reports on the effectiveness of its internal controls.
COSO Report . . .
COSO’s final report “Internal Control – Integrated Framework” was issued in September 1992
4 volumes
453 pages
Thousands of hours of work
COSO Report . . .
Provides a common definition of internal control to meet the needs of diverse users.
Provides a framework against which entities can assess and improve their internal control systems.
Internal Control . . .
The COSO Definition
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
Key Concepts
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
Internal control is geared to the achievement of objectives in one or more overlapping categories.
It consists of several interrelated components, with integrity, ethical values, competence, and the control environment serving as the foundation for the other components.
COSO’s Components
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring
COSO Integrated Framework
Control Environment
Commitment to integrity and ethical values;
Management’s philosophy and operating style;
Organizational structure
The audit committee of the board of directors.
Control Environment
Methods of assigning authority and responsibility.
Human resources policies and practices
External influences
COSO Integrated Framework
Risk Assessment
Identification of risks
Analysis of risks
Management of risks
Typical Sources of Risk
Clerical and Operational employees
Computer programmers
Managers and Accountants
Former Employees
Customers and Suppliers
Typical Sources of Risk
Competitors
Outside persons
Acts of Nature
Types of Risks
Unintentional Errors
Deliberate Errors (Fraud)
Unintentional Losses of Assets
Thefts of Assets
Breaches of Security
Acts of violence and Natural Disasters
Factors That Increase Risk Exposure
Frequency
Vulnerability
Size of the potential loss
Problem Conditions Affecting Risk Exposures
Collusion
Computer Crime
Lack of Enforcement
COSO Integrated Framework
Control Activities
Proper authorization of transactions and activities
Segregation of duties
Design and use of adequate documents and records
Adequate safeguards of assets & records
Independent checks on performance.
Segregation of Duties
Authorization, Recording, Custody: Must Be Separate
COSO Integrated Framework
Information and Communication
Identify, assemble, analyze, classify, record and report transactions
Maintain accountability for assets and liabilities
Open and well-defined lines of communication
COSO Integrated Framework
Monitoring
Effective supervision
Responsibility accounting
Internal auditing
COSO Integrated Framework
Internal Control . . .
Classifications
[Figure: Input, Process, Output, with Sensor and Benchmark. Panels: Detective and Corrective Controls; Corrective Controls; Preventive, Detective, and Corrective Controls]
Control Classifications
By Objectives: Administrative; Accounting
By Settings: General; Application (Input, Processing, Output)
By Risk Aversion: Corrective; Preventive; Detective
By System Architectures: Manual Systems; Computer Based Systems (Batch Processing, Online Processing, Data Base)
Internal Control . . .
Some Common Grounds
Some Common Ground
A system of internal control is not an end in itself.
It is, rather, a means to an end.
Internal control is a system
Clearly defined goals
Interrelated components acting in concert to achieve those goals.
Some Common Ground
Establishing a viable internal control system is management’s responsibility.
The strength of any internal control system is largely a function of the people who operate it.
Some Common Ground
Internal control cannot be expected to provide 100% assurance that the organization will reach its objectives.
Internal control is not “free;” it has a cost associated with it.