2. OVERVIEW OF CONTROL CONCEPTS
• Internal control is the process implemented by the
board of directors, management, and those under their
direction to provide reasonable assurance that the
following control objectives are achieved:
– Assets (including data) are safeguarded.
– Records are maintained in sufficient detail to accurately and
fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are
prepared in accordance with GAAP.
– Operational efficiency is promoted and improved.
– Adherence to prescribed managerial policies is encouraged.
– The organization complies with applicable laws and regulations.
3. OVERVIEW OF CONTROL CONCEPTS
• Internal controls are often classified as:
– General controls
• e.g., software acquisition/installation controls, which
apply to systems of all sizes.
– Application controls
• Completeness Check
• Accuracy Check
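The two application controls named above can be shown as a small input-validation routine. This is an added example written for this lecture, not code from the slides or any textbook; the field names, account codes, amount limit, open-period date and sample records are all assumptions chosen so that it runs offline.

```python
"""Added example: completeness and accuracy checks as application controls.

Illustrative code written for this lecture, not from any textbook or product.
The field names, limits and sample records below are assumptions chosen
to make the example run offline.
"""
from datetime import date

# Fields every sales transaction must carry before it is accepted (assumed schema).
REQUIRED_FIELDS = ("txn_id", "customer_id", "amount", "account", "txn_date", "approved_by")

# Chart of accounts a posting may reference (constructed sample).
VALID_ACCOUNTS = {"4000-SALES", "1200-AR", "1100-CASH"}

# Accuracy limit on a single transaction (assumed policy value).
MAX_AMOUNT = 50_000.00


def completeness_check(record):
    """Return the list of required fields that are missing or empty."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def accuracy_check(record, today=date(2024, 3, 31)):
    """Return a list of accuracy problems: non-numeric or out-of-range amount,
    unknown account code, or a date that is not a date / lies in the future."""
    problems = []
    amount = record.get("amount")
    if not isinstance(amount, (int, float)) or isinstance(amount, bool):
        problems.append("amount is not numeric")
    elif amount <= 0 or amount > MAX_AMOUNT:
        problems.append(f"amount {amount} outside 0..{MAX_AMOUNT}")
    if record.get("account") not in VALID_ACCOUNTS:
        problems.append(f"unknown account {record.get('account')!r}")
    txn_date = record.get("txn_date")
    if not isinstance(txn_date, date):
        problems.append("txn_date is not a date")
    elif txn_date > today:
        problems.append("txn_date is in the future")
    return problems


def validate_transaction(record):
    """Run the completeness check first (an incomplete record cannot be
    judged accurate), then the accuracy check. Returns (accepted, reasons)."""
    missing = completeness_check(record)
    if missing:
        return False, [f"missing field: {f}" for f in missing]
    problems = accuracy_check(record)
    return (not problems), problems


# Constructed sample input: one clean record, one incomplete, one inaccurate.
SAMPLE_RECORDS = [
    {"txn_id": "T1", "customer_id": "C42", "amount": 1250.00, "account": "4000-SALES",
     "txn_date": date(2024, 3, 15), "approved_by": "mgr01"},
    {"txn_id": "T2", "customer_id": "C42", "amount": 300.00, "account": "4000-SALES",
     "txn_date": date(2024, 3, 16)},                                   # no approver
    {"txn_id": "T3", "customer_id": "C07", "amount": "99.00", "account": "9999-X",
     "txn_date": date(2024, 4, 2), "approved_by": "mgr01"},           # three accuracy faults
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ok, reasons = validate_transaction(rec)
        print(rec["txn_id"], "accepted" if ok else "rejected", reasons)
```

Running the block rejects T2 for the missing approver (completeness) and T3 for a text amount, an account code outside the chart of accounts and a date after the period end (accuracy); only T1 passes both controls.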
4. Legislative Reaction to Fraud:
THE FOREIGN CORRUPT PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt
Practices Act.
• The primary purpose of the act was to prevent the
bribery of foreign officials to obtain business.
• A significant effect was to require that corporations
maintain good systems of internal accounting control.
5. Legislative Reaction to Fraud:
SOX
– The impact on financial markets was
substantial, and Congress responded with
passage of the Sarbanes-Oxley Act of 2002
(aka, SOX).
6. Legislative Reaction to Fraud:
SOX
• The intent of SOX is to:
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls in publicly-held
companies
– Punish executives who perpetrate fraud
• SOX has had a material impact on the
way boards of directors, management,
and accountants operate.
7. Legislative Reaction to Fraud:
SOX
• Important aspects of SOX include:
– Creation of the Public Company Accounting Oversight
Board (PCAOB) to oversee the auditing profession.
– New rules for auditors
– New rules for audit committees
– New rules for management
– New internal control requirements
8. Legislative Reaction to Fraud:
SOX
• After the passage of SOX, the SEC further
mandated that:
– Management must base its evaluation on a
recognized control framework, developed using a
due-process procedure that allows for public
comment. The most likely framework is the COSO
model discussed later in the chapter.
– The report must contain a statement identifying the
framework used.
– Management must disclose any and all material
internal control weaknesses.
– Management cannot conclude that the company has
effective internal control if there are any material
weaknesses.
10. CONTROL FRAMEWORKS
• A number of frameworks have been
developed to help companies develop
good internal control systems. Three of
the most important are:
– The COBIT framework
– The COSO internal control framework
– COSO’s Enterprise Risk Management
framework (ERM)
• An enhanced corporate governance document.
• Expands on elements of preceding framework.
• Provides a focus on the broader subject of enterprise risk
management.
11. COSO’S ERM
• COSO developed a
model to illustrate
the elements of
ERM.
12. INTERNAL ENVIRONMENT
• The most critical component
of the ERM and the internal
control framework.
• Is the foundation on which the
other seven components rest.
• Influences how organizations:
– Establish strategies and
objectives
– Structure business activities
– Identify, assess, and respond
to risk
• A deficient internal control
environment often results in
risk management and control
breakdowns.
13. INTERNAL ENVIRONMENT
• Internal environment consists of the following:
– Management’s attitude toward risk
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards (Background Check)
ROBA = Risk, Organizational structure, Background
check, Assigning Responsibility.
14. OBJECTIVE SETTING
• The objective of the
Sarbanes-Oxley Act is
to strengthen internal
controls in public
companies.
• AICPA’s five objectives
for accounting
information systems.
15. EVENT IDENTIFICATION
• Events are:
– Incidents or occurrences
that emanate from
internal or external
sources
– Impact can be positive,
negative, or both.
– System design should
identify all potential
events.
16. RISK ASSESSMENT AND RISK
RESPONSE
– Inherent risk:
• The risk before
internal controls
– Residual risk
• The risk after
management
implements internal
controls.
17. RISK ASSESSMENT
AND RISK RESPONSE
• Identify the events or threats that confront the company (Threats)
• Estimate the likelihood or probability of each event occurring (Probability)
• Estimate the impact of potential loss from each threat (Impact of Loss)
• Identify set of controls to guard against threat (Identify Controls)
• Estimate costs and benefits from instituting controls (Cost and Benefits)
• Is it cost-beneficial to protect the system?
– Yes: Reduce risk by implementing set of controls to guard against threat
– No: Avoid, share, or accept risk
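The decision at the bottom of the flowchart can be worked through numerically: expected loss is likelihood times impact, the benefit of a control is the fall in expected loss from inherent to residual risk, and the control is worth implementing only when that benefit exceeds its cost. The following is an added example written for this lecture, not from the slides; the threat names, probabilities, dollar impacts and control costs are constructed sample values.

```python
"""Added example: the risk assessment / risk response steps as a calculation.

Illustrative code written for this lecture, not from any textbook.
Threat names, probabilities, impacts and control costs are constructed
sample values, not figures from the slides.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    probability: float        # likelihood of the event in one year (0..1)
    impact: float             # loss if it occurs, in dollars


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_probability: float   # likelihood after the control is in place


def expected_loss(probability, impact):
    """Annual expected loss = likelihood x impact of loss."""
    return probability * impact


def evaluate(threat, control):
    """Apply the flowchart's decision: compare the control's cost with the
    reduction in expected loss (inherent risk minus residual risk) it buys."""
    inherent = expected_loss(threat.probability, threat.impact)
    residual = expected_loss(control.residual_probability, threat.impact)
    benefit = inherent - residual
    net = benefit - control.annual_cost
    if net > 0:
        decision = "reduce: implement control"
    else:
        decision = "avoid, share, or accept risk"
    return {"threat": threat.name, "inherent": inherent, "residual": residual,
            "benefit": benefit, "cost": control.annual_cost, "net": net,
            "decision": decision}


# Constructed sample input: one control that pays for itself, one that does not.
THREATS = [
    (Threat("cash skimming", 0.30, 20_000.0),
     Control("daily independent cash count", 2_000.0, 0.05)),
    (Threat("warehouse fire", 0.01, 500_000.0),
     Control("sprinkler retrofit", 9_000.0, 0.002)),
]

if __name__ == "__main__":
    for threat, control in THREATS:
        r = evaluate(threat, control)
        print(f"{r['threat']:>20}: benefit ${r['benefit']:,.0f} "
              f"vs cost ${r['cost']:,.0f} -> {r['decision']}")
```

For the constructed figures the cash count cuts expected loss from $6,000 to $1,000 for a $2,000 cost and is implemented, while the retrofit saves $4,000 of expected loss for $9,000 and the risk is instead avoided, shared (for example insured) or accepted.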
18. CONTROL ACTIVITIES
• The sixth component of
COSO’s ERM model.
• Control activities are
policies, procedures,
and rules that provide
reasonable assurance
that management’s
control objectives are
met and their risk
responses are carried
out.
19. CONTROL ACTIVITIES
• Generally, control procedures fall into one
of the following categories:
– Proper authorization of transactions
– Segregation of duties
– Change management controls
• Design and use of documents and records
– Documents that initiate a transaction should contain a
space for authorization
• Safeguard assets, records, and data
• Independent checks on performance
20. CONTROL ACTIVITIES
• To learn a little about segregation of
duties, let’s first meet Bill.
21. CONTROL ACTIVITIES
• Bill has charge of a pile of the
organization’s money—let’s say $1,000.
23. CONTROL ACTIVITIES
Ledger
$1,000
• Bill has a date tonight, and he’s a little desperate to
impress that special someone, so he takes $100 of
the cash. (Thinks he’s only borrowing it, you know.)
25. CONTROL ACTIVITIES
Ledger
$1,000
• Bill also records an entry in the books to show that
$100 was spent for some “legitimate” purpose. Now
the balance in the books is $900.
31. CONTROL ACTIVITIES
• Segregation of Accounting Duties
– Effective segregation of accounting duties is achieved
when the following functions are separated:
• Authorization—approving transactions and decisions.
• Recording—Preparing source documents; maintaining
journals, ledgers, or other files; preparing reconciliations; and
preparing performance reports.
• Custody—Handling cash, maintaining an inventory
storeroom, receiving incoming customer checks, writing
checks on the organization’s bank account.
– If any two of the preceding functions are the
responsibility of one person, then problems can arise.
32. CONTROL ACTIVITIES
AUTHORIZATION FUNCTIONS
• General authorization
• Specific authorization
RECORDING FUNCTIONS
• Preparing source documents
• Maintaining journals, ledgers, or other files
• Preparing reconciliations
• Preparing performance reports
CUSTODIAL FUNCTIONS
• Handling cash
• Handling inventories, tools, or fixed assets
• Writing checks
• Receiving checks in mail
33. Can you tell me what seems wrong?
• An employee receives checks in the mail and
records receipts in the Cash Receipts journal
• An employee authorizes credit sales and has
custody of Finished Goods Inventory
• An employee enters sales transactions into the
accounting system and has custody of Finished
Goods inventory.
• An employee receives checks in the mail and
has access to the Petty Cash Fund.
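The rule on the segregation slide (no one person should hold duties from two of the three functions) can be mechanised over a list of who does what. This is an added example written for this lecture, not from the slides; the duty names, the employee identifiers and the assignments are constructed, with the first four assignments mirroring the four cases on the quiz slide. Note that the rule only fires when duties span two functions, so the fourth case, whose two duties are both custodial, is not flagged by this check and is left to the reader's judgment.

```python
"""Added example: checking assignments of duties for segregation conflicts.

Illustrative code for this lecture, not from any textbook or software product.
The duty-to-function mapping follows the three categories on the slides;
employee identifiers and assignments are constructed sample data.
"""

# Each duty mapped to the function it belongs to (authorization / recording / custody).
DUTY_FUNCTION = {
    "approve credit sales": "authorization",
    "approve purchases": "authorization",
    "receive checks in mail": "custody",
    "handle cash": "custody",
    "petty cash fund": "custody",
    "custody of finished goods inventory": "custody",
    "write checks": "custody",
    "record cash receipts journal": "recording",
    "enter sales transactions": "recording",
    "prepare bank reconciliation": "recording",
}


def functions_held(duties):
    """Return the set of functions that a list of duties spans.
    An unknown duty raises KeyError so a typo cannot silently hide a conflict."""
    return {DUTY_FUNCTION[d] for d in duties}


def sod_conflicts(assignments):
    """assignments: {employee: [duties]}. Return {employee: sorted functions}
    for every employee whose duties fall into two or more functions."""
    conflicts = {}
    for employee, duties in assignments.items():
        held = functions_held(duties)
        if len(held) >= 2:
            conflicts[employee] = sorted(held)
    return conflicts


# Constructed sample: the four quiz cases plus one employee with two recording duties.
ASSIGNMENTS = {
    "emp_a": ["receive checks in mail", "record cash receipts journal"],
    "emp_b": ["approve credit sales", "custody of finished goods inventory"],
    "emp_c": ["enter sales transactions", "custody of finished goods inventory"],
    "emp_d": ["receive checks in mail", "petty cash fund"],
    "emp_e": ["record cash receipts journal", "prepare bank reconciliation"],
}

if __name__ == "__main__":
    for employee, functions in sod_conflicts(ASSIGNMENTS).items():
        print(f"{employee}: holds {' + '.join(functions)}")
```

Run as written, the check reports emp_a (custody + recording), emp_b (authorization + custody) and emp_c (recording + custody); emp_d and emp_e each stay inside a single function and are not reported.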
34. CONTROL ACTIVITIES
• In a system that incorporates an effective
separation of duties, it should be difficult
for any single employee to commit
embezzlement successfully.
• But when two or more people collude,
then segregation of duties becomes
impotent and controls are overridden.
36. CONTROL ACTIVITIES
Ledger
$1,000
• Then segregation of duties is out the window.
Collusion overrides segregation.
37. CONTROL ACTIVITIES
• Generally, control procedures fall into one of the
following categories:
– Proper authorization of transactions and activities
– Segregation of duties
– Project development and acquisition controls
• Strategic master plan
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
38. CONTROL ACTIVITIES
Ledger
$1,000
• Let’s look at Bill and Mary again. Assume that Bill
stole cash but Mary did NOT alter the books.
39. CONTROL ACTIVITIES
Ledger
$1,000
• Can Bill’s theft be discovered if an independent
party doesn’t compare a count of the cash to what’s
recorded on the books?
40. CONTROL ACTIVITIES
Ledger
$1,000
• Segregation of duties only has value when
supplemented by independent checks.
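The Bill and Mary scenario can be replayed as a cash reconciliation, the independent check the slide refers to. This is an added example written for this lecture, not from the slides; the only figures taken from the story are the $1,000 opening balance and the $100 taken, and the ledger entry, the counter's identity and the names are constructed. It also shows why the check must be performed by someone outside custody and recording: if Bill both holds the cash and writes the covering entry, the count agrees with the books and the shortage is invisible.

```python
"""Added example: an independent check that compares a physical cash count
to the ledger balance, replaying the Bill and Mary scenario.

Illustrative code for this lecture, not from any textbook. The ledger entry,
the counter and the names are constructed; only the $1,000 opening balance
and the $100 taken echo the slides.
"""
from dataclasses import dataclass


@dataclass
class LedgerEntry:
    description: str
    amount: float     # positive = receipt, negative = disbursement
    recorded_by: str


def ledger_balance(opening, entries):
    """Book balance = opening balance plus all recorded movements."""
    return opening + sum(e.amount for e in entries)


def reconcile(opening, entries, counted_cash, counted_by, custodian, recorder):
    """Compare a physical count with the books. The count is only an
    independent check when the counter is neither custodian nor recorder."""
    if counted_by in (custodian, recorder):
        raise ValueError(f"{counted_by} is not independent of custody/recording")
    book = ledger_balance(opening, entries)
    shortage = book - counted_cash
    return {"book": book, "counted": counted_cash, "shortage": shortage,
            "exception": abs(shortage) > 0.005}


def entries_by_custodian(entries, custodian):
    """Entries written by the person holding the cash: the segregation
    breakdown that lets a shortage hide behind a matching book balance."""
    return [e for e in entries if e.recorded_by == custodian]


OPENING = 1_000.00
CASH_ON_HAND = 900.00           # Bill took $100 in both scenarios

# Scenario 1: Bill takes the cash, Mary keeps the books and does NOT alter them.
ENTRIES_HONEST_BOOKS = []

# Scenario 2: Bill also keeps the books and records a $100 "legitimate" expense.
ENTRIES_ALTERED_BOOKS = [LedgerEntry("office supplies", -100.00, "bill")]


def scenario_1():
    return reconcile(OPENING, ENTRIES_HONEST_BOOKS, CASH_ON_HAND,
                     counted_by="auditor", custodian="bill", recorder="mary")


def scenario_2():
    return reconcile(OPENING, ENTRIES_ALTERED_BOOKS, CASH_ON_HAND,
                     counted_by="auditor", custodian="bill", recorder="bill")


if __name__ == "__main__":
    print("books unaltered:", scenario_1())
    print("books altered by custodian:", scenario_2())
    print("entries written by custodian:",
          [e.description for e in entries_by_custodian(ENTRIES_ALTERED_BOOKS, "bill")])
```

In scenario 1 the count shows $900 against a $1,000 book balance and raises an exception of $100; in scenario 2 the altered books also read $900, so the count alone finds nothing, and the only remaining signal is that the custodian wrote the entry, which is what segregation of recording from custody is meant to prevent.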
41. CONTROL ACTIVITIES
• The following independent checks are
typically used:
– Top-level reviews
– Analytical reviews
– Reconciliation of independently maintained
sets of records
– Comparison of actual quantities with recorded
amounts
42. CONTROL ACTIVITIES
• The following independent checks are
typically used:
– Top-level reviews
– Analytical reviews
• Examinations of relationships between different sets of
data.
• EXAMPLE: If credit sales increased significantly during
the period and there were no changes in credit policy,
then bad debt expense should probably have increased
also.
• Management should periodically analyze and review
data relationships to detect fraud and other business
problems.
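The credit-sales example above can be turned into a periodic analytical review: compute the ratio of bad debt expense to credit sales each period and flag any period where sales rose significantly while the ratio fell, unless a credit-policy change explains it. This is an added example written for this lecture, not from the slides; the quarterly figures and the two thresholds are constructed assumptions.

```python
"""Added example: an analytical review comparing credit sales with bad debt
expense across periods, following the slide's example relationship.

Illustrative code for this lecture, not from any textbook. The period figures
and both thresholds are constructed assumptions.
"""

# Constructed quarterly figures: (credit sales, bad debt expense), in dollars.
PERIODS = {
    "Q1": (400_000.0, 8_000.0),
    "Q2": (420_000.0, 8_400.0),
    "Q3": (650_000.0, 8_500.0),   # sales jump ~55%, bad debt expense nearly flat
    "Q4": (660_000.0, 13_200.0),
}

SIGNIFICANT_SALES_GROWTH = 0.25   # assumed threshold: >25% rise counts as significant
RATIO_DROP_TOLERANCE = 0.20       # assumed: ratio >20% below the prior period is flagged


def bad_debt_ratio(credit_sales, bad_debt):
    """Bad debt expense as a fraction of credit sales for one period."""
    return bad_debt / credit_sales


def analytical_review(periods, credit_policy_changed=()):
    """Return the periods where credit sales rose significantly while bad
    debt expense did not keep pace, i.e. the expected relationship broke.
    Periods named in credit_policy_changed are skipped because a policy
    change would explain the shift."""
    flagged = []
    keys = list(periods)
    for prev, cur in zip(keys, keys[1:]):
        prev_sales, prev_bad = periods[prev]
        cur_sales, cur_bad = periods[cur]
        growth = (cur_sales - prev_sales) / prev_sales
        prev_ratio = bad_debt_ratio(prev_sales, prev_bad)
        cur_ratio = bad_debt_ratio(cur_sales, cur_bad)
        ratio_change = (cur_ratio - prev_ratio) / prev_ratio
        if (growth > SIGNIFICANT_SALES_GROWTH
                and ratio_change < -RATIO_DROP_TOLERANCE
                and cur not in credit_policy_changed):
            flagged.append({"period": cur,
                            "sales_growth": round(growth, 3),
                            "ratio_change": round(ratio_change, 3)})
    return flagged


if __name__ == "__main__":
    for f in analytical_review(PERIODS):
        print(f"{f['period']}: sales grew {f['sales_growth']:.1%}, "
              f"bad debt ratio moved {f['ratio_change']:.1%}; investigate")
```

With the constructed figures Q3 is flagged (sales up about 55% while the bad-debt ratio fell about 35%); passing credit_policy_changed=("Q3",) suppresses it, reflecting the slide's condition that the relationship is only expected to hold when credit policy is unchanged.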
43. INFORMATION AND COMMUNICATION
• The seventh component of
COSO’s ERM model.
• The primary purpose of the AIS is
to gather, record, process, store,
summarize, and communicate
information about an organization.
• So accountants must understand
how:
– Transactions are initiated
– Data are captured in or
converted to machine-readable
form
– Computer files are accessed
and updated
– Data are processed
– Information is reported to
internal and external parties
44. INFORMATION AND COMMUNICATION
• According to the AICPA, an AIS has five
primary objectives:
– Identify and record all valid transactions.
– Properly classify transactions.
– Record transactions at their proper monetary
value.
– Record transactions in the proper accounting
period.
– Properly present transactions and related
disclosures in the financial statements.
45. MONITORING
• Internal monitoring
• When independent auditors come to a client's
site, it is an independent review, not
operational monitoring.
46. MONITORING
• Key methods of monitoring performance include:
– Implement effective supervision
– Monitor system activities
– Track purchased software licenses.
– Employ internal auditors to review the system
– Employ a computer security officer
– Install fraud detection software
– Implement a fraud hotline