Acct 316: Control and Accounting Information Systems, Chapter 7. UAA – ACCT 316 Accounting Information Systems, Dr. Fred Barbee
Introduction to Internal Control
Internal Control... Can an information system operate without internal controls? Perhaps. Will the organization attain its objectives? Perhaps.
Why Internal Control?
Why Controls... To ensure system goals are achieved; to lessen the risk of unwanted outcomes.
Controls... What are the goals that internal control is designed to achieve? What are the typical business risks that the organization should try to avoid?
Question: What are the goals that internal control is designed to help achieve?
Internal Control Goals: The National Commission on Fraudulent Financial Reporting appointed the Committee of Sponsoring Organizations (COSO) to study internal control.
Internal Control Goals: COSO entity objectives... Operations - relating to effective and efficient use of an entity’s resources. Financial Reporting - relating to preparation of reliable financial reports. Compliance - relating to the entity’s compliance with applicable laws and regulations.
Question: What are the typical business risks that an organization should try to avoid?
What is Risk? The dictionary defines risk as... Hazard; peril; exposure to loss or injury. What is an exposure?
Exposure: the potential financial effect of an event multiplied by its probability of occurrence. Potential Financial Effect of an Event × Probability of Occurrence = Exposure
Risk Analysis: Threat × Exposure × Risk = Expected Loss
Threat × Exposure × Risk = Expected Loss [diagram label: Internal Controls]
Controls... An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence. Potential Financial Effect of an Event × Probability of Occurrence = Exposure: $5,000,000 × 5% = $250,000
Direct Material Variances: an example of a control system in accounting. AQ × AP; AQ × SP; SQ × SP. Rate Variance compares AQ × AP with AQ × SP; Quantity Variance compares AQ × SP with SQ × SP.
Common Business Exposures
Business Exposures: Erroneous Record Keeping; Unacceptable Accounting; Business Interruptions; Erroneous Management Decisions
Common Business Exposures: Fraud and Embezzlement; Statutory Sanctions; Excessive Costs; Loss/Destruction of Resources; Competitive Disadvantage
What are the legal responsibilities of management? Or, what are we supposed to do?
The SEC... The establishment and maintenance of a system of internal controls is an important management obligation.
The SEC... A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.
The SEC... Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.
Legal Responsibilities: Management is legally responsible for establishing and maintaining an adequate system of internal control.
The SEC... An adequate system of internal control is necessary to management’s discharge of these obligations.
OK, so what if management doesn’t do this? What then?
Enter... The Foreign Corrupt Practices Act
FCPA Legal Requirement: Make and keep books, records, and accounts that, in reasonable detail, accurately and fairly reflect the transactions of the registrant and the disposition of its assets.
FCPA Legal Requirement: Design and maintain a system of internal accounting controls sufficient to provide reasonable assurances that certain specified objectives are met.
The Internal Control Structure... What is Internal Control?
Standards of Field Work: The Field Work standards are so named because they pertain primarily to the conduct of the audit at the client’s place of business; that is, in the field.
Second Standard of Field Work: A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.
Defining Internal Control: Reviewing the Literature
Committee on Auditing Procedure: A system of internal control should be designed to achieve objectives that are both operational and accounting in nature.
Defining Internal Control: The 1958 definition was the first to differentiate between accounting controls and administrative controls, a distinction that is very important to independent auditors.
In 1963, chapter 5 of Statement on Auditing Procedure No. 33 attempted to clarify the distinction between administrative and accounting controls, stating that the independent auditor is primarily concerned with the latter when applying generally accepted auditing standards.
After 1963, there continued to be confusion concerning the scope of the auditor’s responsibility as it related to safeguarding of assets and the reliability of financial statements.
So... What is Internal Control?
Cohen Commission Report: Published annual reports should contain a report in which corporate management discloses the condition of the company’s internal control system.
Internal Control: Some Recent Additions
Internal Control... Information Systems Audit and Control Foundation – Control Objectives for Information and Related Technology (COBIT)
COBIT. Audience: Management; Users; IS Auditors. Focus: Information Technology. Responsibility: Management. Size: 187 Pages – 4 Documents.
Internal Control Viewed as: A set of processes including policies, procedures, practices, and organizational structure.
Internal Control Objectives: Effective & efficient operations; Confidentiality, integrity & availability of information; Reliable financial reporting; Compliance with laws and regulations
Internal Control... Institute of Internal Auditors Research Foundation’s Systems Auditability and Control (SAC)
Systems Auditability and Control. Audience: Internal Auditors. Focus: Information Technology. Responsibility: Management. Size: 1,193 pages in 12 modules.
Internal Control Viewed as... Set of processes, subsystems, and people.
Internal Control Objectives: Effective & efficient operations; Reliable financial reporting; Compliance with laws and regulations
Internal Control... The Committee of Sponsoring Organizations of the Treadway Commission: Internal Control – Integrated Framework
COSO. Audience: Management. Focus: Overall Entity. Responsibility: Management. Size: 353 pages in 4 volumes.
COSO: Internal control viewed as a process.
COSO: Internal control objectives: Effective and efficient operations; Reliable financial reporting; Compliance with laws and regulations
Internal Control... American Institute of Certified Public Accountants – Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55)
SAS 55 & SAS 78. Audience: External Auditors. Focus: Financial Statement. Responsibility: Management. Size: 63 pages in 2 documents.
SAS 55/78: Internal control viewed as a process.
SAS 55/78: Internal control objectives: Effective and efficient operations; Reliable financial reporting; Compliance with laws and regulations
National Commission on Fraudulent Financial Reporting: The Treadway Commission
Treadway Commission: Emphasized the importance of internal control. Specifically... The control environment; Codes of conduct; Audit committees; and The internal audit function
Treadway Commission: The commission reaffirmed the Cohen Commission’s call for management reports on the effectiveness of its internal controls.
COSO Report... COSO’s final report “Internal Control – Integrated Framework” was issued in September volumes 453 pages Thousands of hours of work
COSO Report... Provides a common definition of internal control to meet the needs of diverse users. Provides a framework against which entities can assess and improve their internal control systems.
Internal Control... The COSO Definition
COSO: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations; Reliability of financial reporting; Compliance with applicable laws and regulations.
Key Concepts (COSO): Internal control is a process. It is a means to an end, not an end in itself. Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
Key Concepts (COSO): Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board. Internal control is geared to the achievement of objectives in one or more overlapping categories.
COSO: It consists of several interrelated components, with integrity, ethical values, competence, and the control environment serving as the foundation for the other components.
COSO’s Components: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring
COSO Integrated Framework
Control Environment: Commitment to integrity and ethical values; Management’s philosophy and operating style; Organizational structure; The audit committee of the board of directors.
Control Environment: Methods of assigning authority and responsibility; Human resources policies and practices; External influences
Risk Assessment: Identification of risks; Analysis of risks; Management of risks
Typical Sources of Risk: Clerical and Operational employees; Computer programmers; Managers and Accountants; Former Employees; Customers and Suppliers
Typical Sources of Risk: Competitors; Outside persons; Acts of Nature
Types of Risks: Unintentional Errors; Deliberate Errors (Fraud); Unintentional Losses of Assets; Thefts of Assets; Breaches of Security; Acts of violence and Natural Disasters
Factors That Increase Risk Exposure: Frequency; Vulnerability; Size of the potential loss
Problem Conditions Affecting Risk Exposures: Collusion; Computer Crime; Lack of Enforcement
Control Activities: Proper authorization of transactions and activities; Segregation of duties; Design and use of adequate documents and records; Adequate safeguards of assets & records; Independent checks on performance.
Segregation of Duties: Authorization, Recording, and Custody Must Be Separate
Information and Communication: Identify, assemble, analyze, classify, record and report transactions; Maintain accountability for assets and liabilities; Open and well-defined lines of communication
Monitoring: Effective supervision; Responsibility accounting; Internal auditing
Internal Control... Classifications
[Diagram: Input, Process, Output, Sensor, Benchmark. Labels: Detective and Corrective Controls; Corrective Controls; Preventive, Detective, and Corrective Controls]
Control Classifications. By Objectives: Administrative; Accounting. By Settings: General; Application (Input, Processing, Output). By Risk Aversion: Corrective; Preventive; Detective. By System Architectures: Manual Systems; Computer Based Systems (Batch Processing, Online Processing, Data Base).
Internal Control... Some Common Grounds
Some Common Ground: A system of internal control is not an end in itself. It is, rather, a means to an end. Internal control is a system: Clearly defined goals; Interrelated components acting in concert to achieve those goals.
Some Common Ground: Establishing a viable internal control system is management’s responsibility. The strength of any internal control system is largely a function of the people who operate it.
Some Common Ground: Internal control cannot be expected to provide 100% assurance that the organization will reach its objectives. Internal control is not “free;” it has a cost associated with it.