This document discusses internal control systems and frameworks. It provides an overview of why management implements internal controls due to risks of assets being stolen, errors in reporting, and non-compliance. It then discusses the COSO internal control framework, which defines internal controls and provides guidance for evaluating and enhancing them. The COSO framework is widely accepted as the standard for internal controls. The document also discusses the Sarbanes-Oxley Act and its requirements for management to evaluate and report on internal controls.
Internal Control Systems
ACC 444 Enterprise Process Analysis
1 Management Blues
In most companies, top-level management and owners can't possibly oversee every detailed aspect of their business. So what do they worry about most? Things that can possibly go wrong, such as:
- assets being stolen
- errors in capturing, processing and reporting critical financial and non-financial information
- operating inefficiencies
- non-compliance with established policies
2 INTRODUCTION
Additionally, from the AIS perspective, control risks have increased in the last few years because:
a) There are computers and servers everywhere, and information is available to an unprecedented number of workers.
b) Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
c) Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

3 OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by management to provide reasonable assurance that the following control objectives are achieved:
- Assets (including data) are safeguarded.
- Records accurately and fairly reflect company assets.
- Accurate and reliable information is provided.
- Financial reports are prepared in accordance with GAAP.
- Operational efficiency is promoted and improved.
- Adherence to prescribed managerial policies is encouraged.
- The organization complies with applicable laws and regulations.
Internal controls perform three important functions:
- Preventive controls
- Detective controls
- Corrective controls
4 SOX
In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines. The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX).
a) Applies to publicly held companies and their auditors.
The intent of SOX is to:
- Prevent financial statement fraud
- Make financial reports more transparent
- Protect investors
- Strengthen internal controls in publicly held companies
- Punish executives who perpetrate fraud
SOX has had a material impact on the way boards of directors, management, and accountants operate.
5 SOX
Important aspects of SOX include:
- Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
- New rules for auditors
- New rules for audit committees
- New rules for management
- New internal control requirements
After the passage of SOX, the SEC (Securities & Exchange Commission) further mandated that:
- Management must evaluate and report on the company's internal controls, using a recognized control framework (the most likely framework is the COSO model discussed later).
- External auditors must also report on the state of the company's internal controls.
6 CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework
a) Also known as the Control Objectives for Information and Related Technology framework.
b) A framework of generally applicable information systems security and control practices for IT control.
The COSO internal control framework
a) Defines internal controls.
b) Provides guidance for evaluating and enhancing internal control systems.
c) Widely accepted as the authority on internal controls.
COSO's Enterprise Risk Management framework (ERM)
a) An enhanced corporate governance document.
b) Takes a risk-based, rather than controls-based, approach to the organization.
c) Oriented toward the future and constant change.
d) Incorporates rather than replaces COSO's internal control framework.

7 CONTROL FRAMEWORKS
COSO's Internal Control Framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
a) The American Accounting Association
b) The AICPA
c) The Institute of Internal Auditors
d) The Institute of Management Accountants
e) The Financial Executives Institute

8 CONTROL FRAMEWORKS
In 1992, COSO issued the Internal Control - Integrated Framework:
- Defines internal controls.
- Provides guidance for evaluating and enhancing internal control systems.
- Widely accepted as the authority on internal controls.
- Incorporated into policies, rules, and regulations used to control business activities.
In 2012, COSO updated the original framework to consider changes in business, operating, and regulatory environments.

15 ERM FRAMEWORK
COSO developed a model to illustrate the elements of ERM. The ERM model is three-dimensional. This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.

17 Internal Environment
Factors that influence the control environment:
- Management's philosophy, operating style & risk appetite (management's attitude towards internal controls & risks)
- The Board of Directors (competent, active & involved; majority independent; audit committee composed of independent directors only)
- Commitment to integrity, ethical values & competence (management practicing & preaching honesty, punishing dishonesty)
- Organizational structure (appropriate reporting relationships)
- Methods of assigning authority and responsibility (clearly defined roles & responsibilities)
- Human resource standards (for hiring, compensating, training, evaluating, promoting, discharging, etc.)
- External influences (pressures from outside; e.g., regulations, Wall Street expectations, etc.)

18 INTERNAL CONTROL SYSTEMS
TO BE CONTINUED..

19 OBJECTIVE SETTING
Objective setting is the second ERM component. It must precede many of the other six components. For example, you must set objectives before you can define events that affect your ability to achieve objectives.

21 EVENT IDENTIFICATION
Events are incidents or occurrences that emanate from internal or external sources and that affect implementation of strategy or achievement of objectives.
- Impact can be positive, negative, or both.
- Events can range from obvious to obscure.
- Effects can range from inconsequential to highly significant.
- By their nature, events represent uncertainty.

23 RISK ASSESSMENT AND RISK RESPONSE
COSO indicates there are two types of risk:
- Inherent risk (i.e., before controls are implemented)
- Residual risk (i.e., after controls are implemented)
Companies should:
- Assess inherent risk
- Develop a response
- Then assess residual risk
Four ways to respond to risk:
- Reduce it
- Accept it
- Share it
- Avoid it
RISK ASSESSMENT AND RISK RESPONSE PROCESS
a) Identify the events or threats that confront the company.
b) Estimate the likelihood or probability of each event occurring.
c) Estimate the impact of potential loss from each threat.
d) Identify a set of controls to guard against the threat.
e) Estimate the costs and benefits of instituting the controls.
f) Is it cost-beneficial to protect the system?
   Yes: reduce the risk by implementing the set of controls to guard against the threat.
   No: avoid, share, or accept the risk.

26 CONTROL ACTIVITIES
The sixth component of COSO's ERM model. Control activities are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out.
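The risk assessment and risk response process above, walked through in code as an added example (this is not material from the ACC 444 slides). It takes the slides' steps in order: threats with an estimated likelihood and impact, a candidate control with an estimated cost, and the cost-beneficial test that decides between "reduce" and "avoid, share, or accept". Combining likelihood and impact by multiplication into an annual expected loss is an assumption of this example; the slides only say to estimate each. All threat names, probabilities, dollar figures and controls are constructed for illustration.

```python
"""Worked example of the slides' risk assessment and risk response process.
Added illustration, not part of the ACC 444 deck: the threats, likelihoods,
dollar amounts and controls below are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    """A candidate control identified in step d) of the process."""
    name: str
    annual_cost: float           # step e): cost of instituting and running it
    likelihood_reduction: float  # share of the event likelihood it removes (0..1)
    impact_reduction: float      # share of the loss it removes if the event still occurs (0..1)


@dataclass(frozen=True)
class Threat:
    """An event or threat confronting the company (step a) with its estimates."""
    name: str
    likelihood: float            # step b): probability of occurring in a year
    impact: float                # step c): loss in dollars if it occurs
    control: Optional[Control] = None


def expected_loss(likelihood: float, impact: float) -> float:
    """Annual expected loss. Multiplying likelihood by impact is the usual
    approximation and an assumption of this example, not a slide rule."""
    return likelihood * impact


def inherent_risk(threat: Threat) -> float:
    """Risk before any control is implemented."""
    return expected_loss(threat.likelihood, threat.impact)


def residual_risk(threat: Threat) -> float:
    """Risk remaining after the candidate control is implemented."""
    c = threat.control
    if c is None:
        return inherent_risk(threat)
    return expected_loss(threat.likelihood * (1 - c.likelihood_reduction),
                         threat.impact * (1 - c.impact_reduction))


def assess(threat: Threat) -> dict:
    """Run steps a) to f) for one threat and return the figures and the response."""
    inherent = inherent_risk(threat)
    residual = residual_risk(threat)
    benefit = inherent - residual                    # loss avoided per year by the control
    cost = threat.control.annual_cost if threat.control else 0.0
    net = benefit - cost
    if threat.control is not None and net > 0:
        response = "reduce"                          # "Yes" branch: implement the controls
    else:
        response = "avoid, share, or accept"         # "No" branch, or no control identified
    return {
        "threat": threat.name,
        "inherent_risk": round(inherent, 2),
        "residual_risk": round(residual, 2),
        "control_benefit": round(benefit, 2),
        "control_cost": round(cost, 2),
        "net_benefit": round(net, 2),
        "response": response,
    }


# Constructed sample threats (not from the slides).
SAMPLE_THREATS = [
    Threat("Lost laptop holding customer data", likelihood=0.40, impact=50_000,
           control=Control("Full-disk encryption", 3_000, 0.0, 0.9)),
    Threat("Ransomware on the file server", likelihood=0.10, impact=200_000,
           control=Control("Offline backups and patch management", 12_000, 0.5, 0.6)),
    Threat("Flood damage to the on-site paper archive", likelihood=0.02, impact=30_000,
           control=Control("Relocate the archive off site", 5_000, 0.9, 0.0)),
]


def assess_all(threats=SAMPLE_THREATS) -> list:
    """Assess every threat in the register and return one row per threat."""
    return [assess(t) for t in threats]


if __name__ == "__main__":
    for row in assess_all():
        print(f"{row['threat']}: inherent ${row['inherent_risk']:,.0f}, "
              f"residual ${row['residual_risk']:,.0f}, "
              f"net benefit ${row['net_benefit']:,.0f} -> {row['response']}")
```

The third sample threat shows the "No" branch: relocating the archive would cut the flood risk almost entirely, but the control costs far more than the expected loss it avoids, so the slide's process sends it to the avoid/share/accept decision (buying insurance would be the "share" option) rather than to "reduce".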
27 CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
- Proper authorization of transactions and activities
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent checks on performance

28 Incompatible Duties
Incompatible duties that should be segregated:
a) Authorization: approving transactions and decisions.
b) Recording: preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
c) Custody: handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account.
If any two of the preceding functions are the responsibility of one person, then problems can arise. Also, when two or more people collude, segregation of duties becomes ineffective and controls are overridden.

32 Segregation of Duties - Examples
At most movie theaters, one employee is responsible for issuing tickets and collecting cash while another employee collects those tickets when you enter the theater. How does this practice provide segregation of duties that helps the theater ensure all sales are properly accounted for?
34 CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
- Systems administration
- Network management
- Security management
- Change management
- Users
- Systems analysts
- Programming
- Computer operations
- Information systems library
- Data control
It is important that different people perform the preceding functions.

35 CONTROL ACTIVITIES
Adequate Documentation
Documentation allows management to verify that assigned responsibilities were completed correctly. How is this achieved in a non-paper environment? What types of problems can arise from inadequate documentation?
Example: Many restaurants issue customer checks with prenumbered sequence codes, and food servers use them to write up customer orders. Servers turn in all checks that were not used at the end of their shift. How does this policy provide documentation that helps the restaurant ensure that all sales transactions have been properly accounted for?
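Segregation of duties as a check that can actually be run, covering both the incompatible accounting duties on slide 28 (authorization, recording, custody) and the IT functions on slide 34 that different people must perform. This is an added example, not code from the ACC 444 slides; the duty names, user names and role assignments are constructed. It shows a detective check (who already holds incompatible duties) and a preventive check (refuse a new grant that would create the combination).

```python
"""Segregation-of-duties checks over constructed role assignments.
Added example; not code from the ACC 444 slides. Duty names, user names and
assignments are made up. Two checks are shown: a detective check that lists
every person currently holding incompatible duties, and a preventive check
that rejects a new grant which would create such a combination."""
from itertools import combinations

# Slide 28: the three incompatible accounting duty classes. The duty names
# are constructed examples mapped to the class they belong to.
ACCOUNTING_DUTY_CLASS = {
    "approve_purchase_order": "authorization",
    "approve_vendor": "authorization",
    "post_journal_entry": "recording",
    "prepare_bank_reconciliation": "recording",
    "sign_checks": "custody",
    "receive_customer_checks": "custody",
    "manage_inventory_storeroom": "custody",
}

# Slide 34: IT functions that different people must perform. Each function
# is its own class, so any two of them held by one person is a conflict.
IT_FUNCTIONS = [
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
]
IT_FUNCTION_CLASS = {f: f for f in IT_FUNCTIONS}


def find_conflicts(assignments, duty_class):
    """Detective check. assignments maps user -> set of duty names; duty_class
    maps duty name -> class. Returns (user, class_a, class_b) for every pair of
    distinct classes one user holds. Duties not in duty_class are ignored."""
    found = []
    for user, duties in sorted(assignments.items()):
        classes = sorted({duty_class[d] for d in duties if d in duty_class})
        for a, b in combinations(classes, 2):
            found.append((user, a, b))
    return found


def grant_allowed(assignments, user, new_duty, duty_class):
    """Preventive check, run before adding new_duty to user: True only if the
    user would still hold a single duty class afterwards."""
    new_class = duty_class.get(new_duty)
    if new_class is None:
        return True  # not a classified duty; nothing to segregate
    held = {duty_class[d] for d in assignments.get(user, set()) if d in duty_class}
    return held <= {new_class}


# Constructed sample assignments (not from the slides).
SAMPLE_ACCOUNTING = {
    "alice": {"approve_purchase_order", "approve_vendor"},          # authorization only
    "bob": {"post_journal_entry", "prepare_bank_reconciliation"},   # recording only
    "carol": {"receive_customer_checks", "post_journal_entry"},     # custody + recording
    "dave": {"sign_checks", "approve_purchase_order"},              # custody + authorization
}
SAMPLE_IT = {
    "erin": {"programming"},
    "frank": {"programming", "computer operations"},
    "grace": {"security management", "systems administration"},
    "heidi": {"users"},
}

if __name__ == "__main__":
    for user, a, b in find_conflicts(SAMPLE_ACCOUNTING, ACCOUNTING_DUTY_CLASS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for user, a, b in find_conflicts(SAMPLE_IT, IT_FUNCTION_CLASS):
        print(f"IT function conflict: {user} performs both {a} and {b}")
    print("grant sign_checks to alice:",
          grant_allowed(SAMPLE_ACCOUNTING, "alice", "sign_checks", ACCOUNTING_DUTY_CLASS))
```

Both checks only see duties held by one person, which is exactly the limitation the slides point out: two people who collude can together cover all three classes without ever appearing in this report, so independent checks on performance remain a separate control category rather than something an assignment matrix can replace.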
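The prenumbered restaurant checks on slide 35, expressed as the reconciliation an end-of-shift review would run. This is an added example and not code from the ACC 444 slides; the check numbers, sales records and returned checks are constructed. The point it makes is that every issued number must turn up exactly once, either as a recorded sale or as a returned blank, and each way that can fail (a missing number, a number used twice, a number that was never issued, a check reported both as sold and as unused) is a separate exception to follow up.

```python
"""Completeness check for prenumbered documents, after the restaurant
example on the slides. Added illustration, not from the ACC 444 deck; the
check numbers, recorded sales and returned checks are constructed."""
from collections import Counter


def reconcile_prenumbered(issued_range, recorded_sales, returned_unused):
    """issued_range: (first, last) check numbers handed to a server at the start
    of the shift. recorded_sales: check numbers rung up as sales during the shift.
    returned_unused: blank checks handed back at the end of the shift.
    Every issued number must appear exactly once across the two lists; anything
    else is reported as an exception for management to follow up."""
    first, last = issued_range
    issued = set(range(first, last + 1))
    sales = list(recorded_sales)
    unused = list(returned_unused)
    seen = Counter(sales + unused)

    missing = sorted(issued - set(seen))                 # neither sold nor returned
    duplicates = sorted(n for n, k in seen.items() if k > 1)  # same number used twice
    foreign = sorted(set(seen) - issued)                 # numbers never issued to this server
    sold_and_returned = sorted(set(sales) & set(unused)) # claimed as a sale and as a blank
    return {
        "missing": missing,
        "duplicates": duplicates,
        "foreign": foreign,
        "sold_and_returned": sold_and_returned,
        "clean": not (missing or duplicates or foreign or sold_and_returned),
    }


# Constructed shift data (not from the slides).
SHIFT_WITH_EXCEPTIONS = {
    "issued_range": (1001, 1010),
    "recorded_sales": [1001, 1002, 1003, 1005, 1005, 1007],
    "returned_unused": [1008, 1009, 1010, 1012],
}
CLEAN_SHIFT = {
    "issued_range": (2001, 2005),
    "recorded_sales": [2001, 2002, 2004],
    "returned_unused": [2003, 2005],
}

if __name__ == "__main__":
    for label, shift in (("shift A", SHIFT_WITH_EXCEPTIONS), ("shift B", CLEAN_SHIFT)):
        result = reconcile_prenumbered(**shift)
        print(label, "clean" if result["clean"] else "exceptions", result)
```

A missing number is the case the policy is designed to surface: a check that was neither rung up nor returned is a meal that may have been served and paid for without the sale being recorded, which is why the server has to account for every blank, not just the ones used.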
36 INFORMATION AND COMMUNICATION
The seventh component of COSO's ERM model. The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization. So accountants must understand how:
- Transactions are initiated
- Data are captured in or converted to machine-readable form
- Computer files are accessed and updated
- Data are processed
- Information is reported to internal and external parties
38 MONITORING
The eighth component of COSO's ERM model. Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

41 INHERENT LIMITATIONS OF INTERNAL CONTROL SYSTEMS
Internal control systems have inherent limitations, including:
- They are susceptible to errors and poor decisions.
- They can be overridden by management or by collusion of two or more employees.
- Internal control objectives are often at odds with each other. EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.