Chapter 9: Introduction to Internal Control Systems
- 1992 COSO Report
- Updates on Risk Assessment
- Examples of Control Activities
- Update on Monitoring
- 2011 COBIT, Version 5
- Types of Controls
- Evaluating Controls
Internal Control Systems
Definition
- Policies, plans, and procedures
- Implemented to protect a firm's assets
People Involved
- Board of directors
- Management
- Other key personnel
Internal Control Systems
Provides reasonable assurance of:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Protection of assets
- Compliance with applicable laws and regulations
Important Guidance
- Statement on Auditing Standards No. 94
- Sarbanes-Oxley Act of 2002
Internal Control System Objectives
- Safeguard assets
- Check the accuracy and reliability of accounting data
- Promote operational efficiency
- Enforce prescribed managerial policies
Study Break #1
This term describes the policies, plans, and procedures implemented by a firm to protect the assets of the organization.
- Internal control
- SAS No. 94
- Risk assessment
- Monitoring
Study Break #1 - Answer
This term describes the policies, plans, and procedures implemented by a firm to protect the assets of the organization.
- Internal control
- SAS No. 94
- Risk assessment
- Monitoring
Answer: Internal control (see the definition given under Internal Control Systems above)
Study Break #2
Which of the following is not one of the four objectives of an internal control system?
- Safeguard assets
- Promote firm profitability
- Promote operational efficiency
- Encourage employees to follow managerial policies
Study Break #2 - Answer
Which of the following is not one of the four objectives of an internal control system?
- Safeguard assets
- Promote firm profitability
- Promote operational efficiency
- Encourage employees to follow managerial policies
Answer: Promote firm profitability (it is not among the four objectives listed under Internal Control System Objectives)
Background Information on Internal Controls
1992 COSO Report
- Defines internal control and its components
- Presents criteria to evaluate internal control systems
- Provides guidance for public reporting on internal controls
- Offers materials to evaluate an internal control system
Components of Internal Control – COSO 1992
Control Environment
- Management's oversight, integrity, and ethical principles
- Attention and direction by the board of directors
- Management's philosophy and operating style
- Method of assigning authority and responsibility
- Method of organizing and developing employees
Components of Internal Control – COSO 1992
Risk Assessment
- Identify organizational risks
- Analyze the potential of each risk (cost and likelihood of occurrence)
- Cost-benefit analysis
Control Activities
- Policies and procedures
- Manual and automated
Components of Internal Control – COSO 1992
Information and Communication
- Inform employees of their roles and responsibilities
- Importance of good working relationships
Monitoring
- Evaluation of internal controls
- Initiate corrective action when necessary
2004 COSO Enterprise Risk Management Framework
- Emphasizes enterprise risk management
- Includes the COSO (1992) control components
- Three new components:
  - Objective setting
  - Event identification
  - Risk response
2004 COSO Enterprise Risk Management Framework (figure slide)
Components of Internal Control – COSO 2004
Objective Setting
- Strategic: high-level goals and mission
- Operations: day-to-day efficiency, performance, and profitability
- Reporting: internal and external
- Compliance: laws and regulations
Components of Internal Control – COSO 2004
Event Identification and Risk Response
- Identify threats
- Analyze risks
- Implement cost-effective countermeasures
Additional considerations
- Risk tolerance
- Cost-benefit trade-offs
Risk Assessment Worksheet (figure slide)
COSO's 2010 Report on ERM
- Commissioned a survey called the Enterprise Risk Management Initiative
- Survey targeted utilization of the COSO ERM Framework
- Framework regarded as theoretically sound
- 65% of respondents fairly or very familiar with the framework
- Board had not assigned risk oversight in over half of organizations
- State of ERM is relatively immature
Study Break #3
An internal control system should consist of five components. Which of the following is not one of those five components?
- The control environment
- Risk assessment
- Monitoring
- Performance evaluation
Study Break #3 - Answer
An internal control system should consist of five components. Which of the following is not one of those five components?
- The control environment
- Risk assessment
- Monitoring
- Performance evaluation
Answer: Performance evaluation (the five COSO 1992 components are control environment, risk assessment, control activities, information and communication, and monitoring)
Study Break #4
Which of the following is not one of the three additional components that were added in the 2004 COSO Report?
- Objective setting
- Risk assessment
- Event identification
- Risk response
Study Break #4 - Answer
Which of the following is not one of the three additional components that were added in the 2004 COSO Report?
- Objective setting
- Risk assessment
- Event identification
- Risk response
Answer: Risk assessment (it was already a COSO 1992 component; the three added in 2004 are objective setting, event identification, and risk response)
Examples of Control Activities
- Good Audit Trail
- Sound Personnel Policies and Practices
- Separation of Duties
- Physical Protection of Assets
- Reviews of Operating Performance
Good Audit Trail
Use of Audit Trail
- Follow the path of data recorded in a transaction
- From initial source documents to final disposition of the data
- From data on reports back to the source documents
Purpose of Audit Trail
- Verify accuracy of recorded transactions
- Detect errors and irregularities
Sound Personnel Policies
Separation of Duties
Purpose
- Structure of work assignments
- One employee's work checks the work of another
Separate Related Activities
- Authorizing transactions
- Recording transactions
- Maintaining custody of assets
Physical Protection of Assets
Inventory Controls
- Stored in a safe location with limited access
- Utilization of a Receiving Report
Document Controls
- Protecting valuable organizational documents
- Corporate charter, major contracts, blank checks, and SEC registration statements
Receiving Report (figure slide)
Physical Protection of Assets
Cash Control
- Most susceptible to theft and human error
- Fidelity bond coverage
- Use checks for cash disbursements
- Deposit the daily cash receipts intact
Disbursement Voucher (figure slide)
Reviews of Operating Performance
Internal Audit Function
- Reports to the Audit Committee of the Board of Directors
- Independent of other subsystems
- Enhances objectivity
Duties of Internal Auditors
- Operational audits
- Regular reviews of internal control systems
Study Break #5
Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees?
- Analysis, authorizing, transactions
- Custody, monitoring, detecting
- Recording, authorizing, custody
- Analysis, recording, transactions
Study Break #5 - Answer
Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees?
- Analysis, authorizing, transactions
- Custody, monitoring, detecting
- Recording, authorizing, custody
- Analysis, recording, transactions
Answer: Recording, authorizing, custody (the three related activities listed under Separation of Duties)
Update on Monitoring
- 2009 COSO Monitoring Guidance Report
2011 COBIT, Version 5
Control Objectives for Information and related Technology (COBIT)
- Strategic alignment
- Realization of expected benefits of IT
- Continual assessment of IT investment
- Determine risk appetite
- Measure and assess performance of IT resources
COBIT and Val IT Integration (figure slide)
Types of Controls
- Preventive controls: prevent problems from occurring
- Detective controls: alert managers when preventive controls fail
- Corrective controls: solve or correct a problem once it has been detected
Evaluating Controls
Requirements of the Sarbanes-Oxley Act
- Statement of management responsibility for the internal control structure
- Assessment of the effectiveness of the internal control structure
- Attestation by the auditor on the accuracy of management's assessment
Cost-Benefit Analysis (figure slide)
A Risk Matrix (figure slide)
Copyright 2012 John Wiley & Sons, Inc. All rights reserved.