Chapter 9: Introduction to Internal Control Systems

Presentation transcript:

Chapter 9: Introduction to Internal Control Systems. 1992 COSO Report; Updates on Risk Assessment & 2013 Update; Examples of Control Activities; 2011 COBIT, Version 5; Types of Controls; Evaluating Controls.

Introduction – Fraud (Ch 11) & Errors. Errors may be the result of many factors: Distractions – concurrent tasks, work environment, personal situations; Complexity – it’s easier to complete a simple task than a hard one; Limitations – fatigue, cognitive limitations, etc.

Internal Control Systems. Definition: policies, plans, and procedures implemented to protect a firm’s assets. People involved: board of directors; management; other key personnel.

Internal Control Systems. Provides reasonable assurance: effectiveness and efficiency of operations; reliability of financial reporting; protection of assets; compliance with applicable laws and regulations. Important guidance: Statement on Auditing Standard No. 94; Sarbanes-Oxley Act of 2002.

Risk Control Strategies. Avoidance – policy, training and education, or technology. Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.). Mitigation – reducing the impact through planning and preparation. Acceptance – doing nothing if the cost of protection does not justify the expense of the control.

Internal Control System Objectives: safeguard assets; check the accuracy and reliability of accounting data; promote operational efficiency; enforce prescribed managerial policies.

Information System Goals – CIA Triangle: Confidentiality; Integrity; Availability.

CIA Triangle. Confidentiality – ensuring that information is accessible only by those who are properly authorized. Integrity – ensuring that data has not been modified without authorization. Availability – ensuring that systems are operational when needed for use.

Background Information on Internal Controls


1992 COSO Report: defines internal control and components; presents criteria to evaluate internal control systems; provides guidance for public reporting on internal controls; offers materials to evaluate an internal control system.

Components of Internal Control – COSO 1992. Control Environment: management’s oversight, integrity, and ethical principles; attention and direction by board of directors; management’s philosophy and operating style; method of assigning authority and responsibility; method of organizing and developing employees.

Components of Internal Control – COSO 1992. Risk Assessment: identify organizational risks; analyze potential of risks (cost and occurrence); cost-benefit analysis. Control Activities: policies and procedures; manual and automated.

Components of Internal Control – COSO 1992. Information and Communication: inform employees; roles and responsibilities; importance of good working relationships. Monitoring: evaluation of internal controls; initiate corrective action when necessary.

2004 COSO Enterprise Risk Management Framework. Emphasizes enterprise risk management. Includes COSO (1992) control components. Three new components: objective setting; event identification; risk response.

2004 COSO Enterprise Risk Management Framework

Components of Internal Control – COSO 2004. Objective Setting: Strategic – high level goals and mission; Operations – day-to-day efficiency, performance, and profitability; Reporting – internal and external; Compliance – laws and regulations.

Components of Internal Control – COSO 2004. Event Identification and Risk Response: identify threats; analyze risks; implement cost-effective countermeasures. Additional considerations: risk tolerance; cost-benefit trade-offs.

COSO 2013 Objectives. Update Content - reflect changes in business & operating environments. Broaden Application - expand operations and reporting objectives. Clarify Requirements - articulate principles to facilitate effective internal control.

COSO 1992, 2004, 2013

Update considers changes in business and operating environments. Environment changes have driven Framework updates: expectations for governance oversight; globalization of markets and operations; changes and greater complexity in business; demands and complexities in laws, rules, regulations, and standards; expectations for competencies and accountabilities; use of, and reliance on, evolving technologies; expectations relating to preventing and detecting fraud. [Figure: COSO Cube (2013 Edition)]

Update articulates principles of effective internal control. Control Environment: (1) Demonstrates commitment to integrity and ethical values; (2) Exercises oversight responsibility; (3) Establishes structure, authority and responsibility; (4) Demonstrates commitment to competence; (5) Enforces accountability. Risk Assessment: (6) Specifies suitable objectives; (7) Identifies and analyzes risk; (8) Assesses fraud risk; (9) Identifies and analyzes significant change. Control Activities: (10) Selects and develops control activities; (11) Selects and develops general controls over technology; (12) Deploys through policies and procedures. Information & Communication: (13) Uses relevant information; (14) Communicates internally; (15) Communicates externally. Monitoring Activities: (16) Conducts ongoing and/or separate evaluations; (17) Evaluates and communicates deficiencies.

Update describes important characteristics of principles, e.g., Control Environment: The organization demonstrates a commitment to integrity and ethical values. Points of Focus: Sets the Tone at the Top; Establishes Standards of Conduct; Evaluates Adherence to Standards of Conduct; Addresses Deviations in a Timely Manner. Points of focus may not be suitable or relevant, and others may be identified. Points of focus may facilitate designing, implementing, and conducting internal control. There is no requirement to separately assess whether points of focus are in place.

Risk Assessment Worksheet

Study Break #4: Which of the following is not one of the three additional components that were added in the 2004 COSO Report? Objective setting; Risk assessment; Event identification; Risk response.

Examples of Control Activities: Good Audit Trail; Sound Personnel Policies and Practices; Separation of Duties; Physical Protection of Assets; Reviews of Operating Performance.

Good Audit Trail. Use of Audit Trail: follow path of data recorded in transaction; initial source documents to final disposition of data; data on reports back to source documents. Purpose of Audit Trail: verify accuracy of recorded transactions; detect errors and irregularities.
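
The two directions of the audit trail on this slide, as an added example (not part of the original slides): one function follows source documents forward to the ledger, the other follows ledger entries back to their source documents. The document ids, amounts and function names are constructed for illustration.

```python
# Constructed sample data. Amounts are integer cents to avoid float rounding.
SOURCE_DOCS = {"INV-001": 120000, "INV-002": 45000, "INV-003": 8950}
LEDGER = [
    {"entry": 1, "source": "INV-001", "cents": 120000},
    {"entry": 2, "source": "INV-002", "cents": 54000},  # digits transposed
    {"entry": 3, "source": "INV-009", "cents": 30000},  # no such document
]
REPORTED_TOTAL_CENTS = 204000  # figure shown on the (constructed) report


def trace_forward(source_docs, ledger):
    """Source document -> ledger: documents that never reached the ledger."""
    posted = {entry["source"] for entry in ledger}
    return sorted(doc for doc in source_docs if doc not in posted)


def trace_backward(ledger, source_docs):
    """Ledger -> source document: unsupported or misstated entries."""
    exceptions = []
    for entry in ledger:
        expected = source_docs.get(entry["source"])
        if expected is None:
            exceptions.append((entry["entry"], "no source document"))
        elif expected != entry["cents"]:
            diff = entry["cents"] - expected
            exceptions.append((entry["entry"], f"amount differs by {diff} cents"))
    return exceptions


def report_ties_to_ledger(reported_cents, ledger):
    """Report -> ledger: does the reported total equal the sum of postings?"""
    return reported_cents == sum(entry["cents"] for entry in ledger)


if __name__ == "__main__":
    print("never posted:", trace_forward(SOURCE_DOCS, LEDGER))
    print("ledger exceptions:", trace_backward(LEDGER, SOURCE_DOCS))
    print("report ties to ledger:", report_ties_to_ledger(REPORTED_TOTAL_CENTS, LEDGER))
```

In the sample the report ties to the ledger even though one entry is misstated, one is unsupported and one document was never posted, so each direction catches something the others miss.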

Sound Personnel Policies

Separation of Duties. Purpose: structure of work assignments; one employee’s work checks the work of another. Separate Related Activities: authorizing transactions; recording transactions; maintaining custody of assets.
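
A check for the separation this slide describes, as an added example (not part of the original slides): it scans an activity log and reports transactions where one employee performed more than one of authorizing, recording and custody, or where one of the three was never performed. The log format, employee names and function name are assumptions made for illustration.

```python
from collections import defaultdict

# The three functions the slide says to assign to different employees.
INCOMPATIBLE = {"authorize", "record", "custody"}

# Constructed sample log: (transaction id, function performed, employee).
EVENTS = [
    ("PO-1001", "authorize", "alice"),
    ("PO-1001", "record", "bob"),
    ("PO-1001", "custody", "carol"),
    ("PO-1002", "authorize", "dave"),
    ("PO-1002", "record", "dave"),     # same person authorizes and records
    ("PO-1002", "custody", "erin"),
    ("PO-1003", "authorize", "alice"),
    ("PO-1003", "custody", "frank"),   # nobody recorded this transaction
    ("PO-1003", "review", "alice"),    # not one of the three functions; ignored
]


def sod_findings(events):
    """Return sorted (transaction, kind, detail) findings; kind is 'conflict' or 'missing'."""
    by_txn = defaultdict(lambda: defaultdict(set))  # txn -> employee -> functions
    for txn, function, employee in events:
        if function in INCOMPATIBLE:
            by_txn[txn][employee].add(function)

    findings = []
    for txn, per_employee in by_txn.items():
        performed = set()
        for employee, functions in per_employee.items():
            performed |= functions
            if len(functions) > 1:  # one person holds two or more functions
                detail = f"{employee}: {'+'.join(sorted(functions))}"
                findings.append((txn, "conflict", detail))
        for function in sorted(INCOMPATIBLE - performed):
            findings.append((txn, "missing", function))
    return sorted(findings)


if __name__ == "__main__":
    for finding in sod_findings(EVENTS):
        print(*finding, sep="  ")
```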

Physical Protection of Assets. Inventory Controls: stored in safe location with limited access; utilization of Receiving Report. Document Controls: protecting valuable organizational documents (corporate charter, major contracts, blank checks, and SEC registration statements).

Physical Protection of Assets. Cash Control: most susceptible to theft and human error; fidelity bond coverage; use checks for cash disbursements; deposit the daily cash receipts intact.

Reviews of Operating Performance. Internal Audit Function: reports to Audit Committee of Board of Directors; independent of other subsystems; enhances objectivity. Duties of Internal Auditors: operational audits; regular reviews of internal control systems.

Study Break #5: Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees? Analysis, authorizing, transactions; Custody, monitoring, detecting; Recording, authorizing, custody; Analysis, recording, transactions.

2011 COBIT, Version 5. Control Objectives for Information and related Technology (COBIT): strategic alignment; realization of expected benefits of IT; continual assessment of IT investment; determine risk appetite; measure and assess performance of IT resources.

COBIT and Val IT Integration

Types of Controls. Preventive Controls: prevent problems from occurring. Detective Controls: alert managers when preventive controls fail. Corrective Controls: solve or correct a problem.

Evaluating Controls. Requirements of Sarbanes-Oxley Act: statement of management responsibility for internal control structure; assessment of effectiveness of internal control structure; attestation of auditor on accuracy of management’s assessment.

Cost-Benefit Analysis

Risk assessments are tricky. Choose between two treatments for 600 people affected by a deadly disease: "Saves 200 lives"

Risk assessments are tricky. Choose between two treatments for 600 people affected by a deadly disease: "400 people will die"

A Risk Matrix

Chapter 9

The Risk Management Process: Identify IT Assets; Assess IT Risks; Identify IT Controls; Document IT Controls; Monitor.

Risk Management – Asset Identification: Processes; People; Hardware; Software; Cash; Inventory; Data; Facilities.

Assets Valuation - What do we stand to lose? Assets: People, Data, Hardware, Software, Facilities, (Procedures). Valuation Methods: criticality to the organization’s success; revenue generated; profitability; cost to replace; cost to protect; embarrassment/liability.