
Part 1 Study Unit 12 Internal Controls – Risk and Procedures for Control By Ronald Schmidt, CMA, CFM.




1 Part 1 Study Unit 12 Internal Controls – Risk and Procedures for Control By Ronald Schmidt, CMA, CFM

2 12.1 - Corporate Governance and Legal Aspects of Internal Control
Definition of corporate governance: the combination of people, policies, procedures, and processes that helps ensure that an entity effectively and efficiently directs its activities toward meeting the objectives of its stakeholders. Governance can be internal or external. Its two major components are strategic direction and oversight.

3 12.1 - Corporate Governance and Legal Aspects of Internal Control
The Foreign Corrupt Practices Act had its origin in the Watergate investigation. It amends the Securities Exchange Act of 1934 to prohibit corrupt payments to any: foreign official; foreign political party or official thereof; candidate for political office in a foreign country. Payments to foreign business owners or corporate officers are not addressed by the Foreign Corrupt Practices Act. Continued

4 12.1 - Corporate Governance and Legal Aspects of Internal Control
All public companies registered under the 1934 Act must devise and maintain a system of internal accounting control sufficient to provide reasonable assurance that: transactions are executed in accordance with management's general or specific authorization; transactions are recorded as necessary to permit the preparation of financial statements and to maintain accountability for assets; access to assets is permitted only in accordance with management's general or specific authorization; recorded assets are compared with existing assets and appropriate action is taken with respect to any differences.

5 12.1 - Corporate Governance and Legal Aspects of Internal Control
The Sarbanes-Oxley Act was a response to numerous financial reporting scandals involving large public companies. The Act applies to issuers of publicly traded securities subject to federal securities laws. It requires that each member of the audit committee, including at least one who is a financial expert, be an independent member of the issuer's board of directors. An independent director is not affiliated with the issuer and receives no compensation from it other than for service on the board. Other provisions: prohibited non-audit services; audit partner rotation; statutory financial reporting; internal control report. Continued

6 12.1 - Corporate Governance and Legal Aspects of Internal Control
Sarbanes-Oxley section: Services outside the scope of practice of auditors. Sarbanes-Oxley section: Audit partner rotation. Sarbanes-Oxley section: Corporate responsibility for financial reports.

7 12.1 - Corporate Governance and Legal Aspects of Internal Control
Audit approaches include: The substantive procedure approach, also referred to as the vouching approach. The balance sheet approach, which focuses on balance sheet accounts, with only limited procedures carried out on income statement (profit and loss) accounts. The systems-based approach, which requires auditors to assess the effectiveness of internal controls and then to direct substantive procedures primarily to those areas where it is considered that system objectives will not be met. The risk-based approach, in which audit resources are directed toward those areas of the financial statements that may contain misstatements as a consequence of the risks faced by the business.

8 12.1 Question 1 The requirement of the Foreign Corrupt Practices Act of 1977 to devise and maintain adequate internal control is assigned in the Act to the A. Chief financial officer. B. Board of directors. C. Director of internal auditing. D. Company as a whole with no designation of specific persons or positions.

9 12.1 Question 1 Answer Correct Answer: D The accounting requirements apply to all public companies that must register under the Securities Exchange Act of The responsibility is thus placed on companies, not individuals. Incorrect Answers: A: Compliance with the FCPA is not the specific responsibility of the chief financial officer. B: Compliance with the FCPA is not the specific responsibility of the board of directors. C: Compliance with the FCPA is not the specific responsibility of the director of internal auditing.

10 12.1 Question 2 A major impact of the Foreign Corrupt Practices Act of 1977 is that registrants subject to the Securities Exchange Act of 1934 are now required to A. Keep records that reflect the transactions and dispositions of assets and to maintain a system of internal accounting controls. B. Provide access to records by authorized agencies of the federal government. C. Prepare financial statements in accord with international accounting standards. D. Produce full, fair, and accurate periodic reports on foreign commerce and/or foreign political party affiliations.

11 12.1 Question 2 Answer Correct Answer: A The main purpose of the Foreign Corrupt Practices Act of 1977 is to prevent bribery by firms that do business in foreign countries. A major ramification is that it requires all companies that must register with the SEC under the Securities Exchange Act of 1934 to maintain adequate accounting records and a system of internal accounting control. Incorrect Answers: B: Authorized agents of the federal government already have access to records of SEC registrants. C: Although some international accounting standards have been promulgated, they are incomplete and have not gained widespread acceptance. D: There are no requirements for providing periodic reports on foreign commerce or foreign political party affiliations.

12 12.1 Question 3 Which of the following statements is false with respect to the auditor rotation provisions of Section 203 of the Sarbanes-Oxley Act of 2002? A. Companies must rotate their audit firms at least every 5 years. B. Audit firms must rotate their engagement coordinating audit partner at least every 5 years. C. Audit firms must rotate their engagement lead audit partner at least every 5 years. D. Audit firms must rotate their engagement reviewing audit partner at least every 5 years.

13 12.1 Question 3 Answer Correct Answer: A Section 203 does not require companies to change their auditors every 5 years, or at any time. Incorrect Answers: B: This is a requirement of Section 203. Both lead (or coordinating) audit partners and reviewing audit partners cannot have served on the audit client's engagement in the preceding 5 years. C: This is a requirement of Section 203. Both lead (or coordinating) audit partners and reviewing audit partners cannot have served on the audit client's engagement in the preceding 5 years. D: This is a requirement of Section 203. Both lead (or coordinating) audit partners and reviewing audit partners cannot have served on the audit client's engagement in the preceding 5 years.

14 12.1 Question 4 The Sarbanes-Oxley Act has strengthened auditor independence by requiring that management A Engage auditors to report in accordance with the Foreign Corrupt Practices Act. B Report the nature of disagreements with former auditors. C Select auditors through audit committees. D Hire a different CPA firm from the one that performs the audit to perform the company’s tax work.

15 12.1 Question 4 Answer Correct Answer: C The Sarbanes-Oxley Act requires that the audit committee of a public company hire and pay the external auditors. Such affiliation inhibits management from changing auditors to gain acceptance of a questionable accounting method. Also, a potential successor auditor must inquire of the predecessor auditor before accepting an engagement.

16 12.1 Question 5 Which of the following statements is false with respect to the auditor rotation provisions of Section 203 of the Sarbanes-Oxley Act of 2002? A Companies must rotate their audit firms at least every 5 years. B Audit firms must rotate their engagement coordinating audit partner at least every 5 years. C Audit firms must rotate their engagement lead audit partner at least every 5 years. D Audit firms must rotate their engagement reviewing audit partner at least every 5 years.

17 12.1 Question 5 Answer Correct Answer: A Section 203 does not require companies to change their auditors every 5 years, or at any time.

18 Internal Controls Management accountants are expected to have a thorough understanding of the risks inherent to, and the internal controls within, a business. Internal controls have always been a good idea in a well-run business, but with the passage of the Foreign Corrupt Practices Act in 1977, an effective internal control system became a legal requirement.

19 12.2 - Risk and Internal Control
The Assessment and Management of Risk. Every organization faces risks, that is, unforeseen obstacles to the pursuit of its objectives. Risk may take many forms and can originate from within or from outside the organization. Can you name some risks?

20 12.2 - Risk and Internal Control
What is risk assessment? It is a process to identify vulnerabilities. There is always a trade-off between cost and benefit, and therefore there is no 100% effective system of internal control. Risk management is the ongoing process of designing and operating internal controls to help mitigate inherent risks. The severity of consequences and the likelihood of occurrence help us quantify risks. Risk can also be assessed in qualitative terms. Can you give examples?

21 12.2 - Risk and Internal Control
"Risk management is the ongoing process of designing and operating internal controls that mitigate the risks identified in the organization's risk assessment." Risk can be quantified as a combination of two factors: severity of consequences and likelihood of occurrence. Risk can also be assessed in qualitative terms; see the example on page 394.

22 12.2 - Risk and Internal Control
The AICPA audit risk model. Inherent risk (IR) is the susceptibility of one of the company's objectives to obstacles arising from the nature of the objective. Control risk (CR) is the risk that the controls put in place will fail to prevent an obstacle from interfering with the achievement of the objective. Detection risk (DR) is the risk that an obstacle to an objective will not be detected before a loss has occurred. Total risk (TR) equals IR × CR × DR.

23 12.2 - Risk and Internal Control
IMA's Management Accounting Glossary defines internal control as follows: and otherwise established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets, and ensure as far as possible the completeness and accuracy of the records. Whose responsibility is the design and operation of the system of internal controls?

24 12.2 - Risk and Internal Control
Design and operation of an organization's system of internal controls is the responsibility of management. Section 404 of the Sarbanes-Oxley Act of 2002 requires publicly traded companies to issue a report stating that: management takes responsibility for establishing and maintaining the firm's system of internal controls, and that the system has been functioning effectively over the reporting period.

25 12.2 - Risk and Internal Control
What does PCAOB stand for? Part of an annual report is the assessment of the company's internal controls. AS 5, issued by the PCAOB, requires the external auditors to express an opinion on both the system of internal control and the fair presentation of the financial statements. AS 5 focuses on material weaknesses. Under the AICPA's auditing standards, a material weakness is a deficiency, or combination of deficiencies, in internal control that results in a reasonable possibility of a material misstatement.

26 12.2 - Risk and Internal Control
COSO defines internal control as: a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; compliance with applicable laws and regulations.

27 12.2 - Risk and Internal Control
Effectiveness and efficiency of operations relate to the achievement of an entity's mission. Internal controls must be designed so that they focus effort on the achievement of the organization's objectives. Reliability of financial reporting is needed for investors and creditors to make sound decisions. Compliance with applicable laws and regulations: entities must conduct their activities according to applicable laws and regulations, such as those on waste disposal, wage and hour issues, and employee safety. The framework speaks only of reasonable, not absolute, assurance, because absolute assurance would be economically impractical.

28 12.2 - Risk and Internal Control
COSO components of internal control include: The control environment, which sets the tone of an entity and influences the control consciousness of its personnel. Risk assessment, the identification and analysis of relevant risks to the achievement of objectives. Control activities, the policies and procedures that help ensure management directives are carried out. Information and communication: information must be identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Monitoring: the internal control system needs to be monitored, which is management's timely assessment of control performance and taking of corrective actions.

29 12.2 - Risk and Internal Control
Control environment: the attitudes and actions of the board of directors and upper management. This includes: organizational structure; policies; objectives and goals; management philosophy and operating style; assignment of authority and responsibility.

30 12.2 - Risk and Internal Control
What is the board of directors' role? Governing authority; overall corporate policy; fiduciary responsibility or duty; reasonable care. The board typically: selects and removes officers; determines the capital structure; adopts, amends, or repeals bylaws; initiates fundamental changes, such as mergers and divestitures; declares dividends; sets the compensation of officers and management.

31 12.2 - Risk and Internal Control
Audit committee's role: a subcommittee of the board of directors whose purpose is to help keep the external auditors independent of management. The importance of human resource policies and practices: hiring standards, training policies, and commitment to competence.

32 12.2 Question 1 One of the financial statement auditor’s major concerns is to ascertain whether internal control is designed to provide reasonable assurance that A. Profit margins are maximized, and operational efficiency is optimized. B. The chief accounting officer reviews all accounting transactions. C. Corporate morale problems are addressed immediately and effectively. D. Financial reporting is reliable.

33 12.2 Question 1 Answer Correct Answer: D Internal control is designed to provide reasonable assurance of the achievement of objectives in the categories of (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with laws and regulations. Controls relevant to a financial statement audit ordinarily pertain to the objective of preparing external financial statements that are fairly presented in conformity with GAAP or another comprehensive basis of accounting. Incorrect Answers: A: Many factors beyond the purview of the auditor affect profits, and the controls related to operational efficiency are usually not directly relevant to an audit. B: The chief accounting officer need not review all accounting transactions. C: Controls relevant to a financial statement audit do not concern the treatment of corporate morale problems.

34 12.2 Question 2 To avoid creating conflict between the chief executive officer (CEO) and the audit committee, the chief audit executive (CAE) should A. Submit copies of all engagement communications to the CEO and audit committee. B. Strengthen independence through organizational status. C. Discuss all pending engagement communications to the CEO with the audit committee. D. Request board establishment of policies covering the internal audit activity’s (IAA’s) relationships with the audit committee.

35 12.2 Question 2 Answer Correct Answer: D To avoid conflict between the CEO and the audit committee, the CAE should request that the board establish policies covering the IAA's relationships with the audit committee. The CAE should have regular communication with the board, audit committee, or other appropriate governing authority. Furthermore, the board should approve a charter that defines the purpose, authority, and responsibility of the IAA. Incorrect Answers: A: The CEO and audit committee most likely should receive summary reports. Senior management and the board ordinarily are not involved in the details of internal audit work. B: Independence is not sufficient to avert conflict unless reporting relationships are well defined. C: The CEO and audit committee most likely should receive summary reports. Senior management and the board ordinarily are not involved in the details of internal audit work.

36 12.2 Question 3 The PCAOB's Auditing Standard (AS) 5 focuses on internal controls in their relation to the fair presentation of financial statements. One requirement of AS 5 is that A. Auditors must quantify control risk in numeric terms. B. A publicly-traded firm must establish and maintain a system of internal accounting control. C. External auditors must express an opinion on a firm's internal control at the same time as the opinion on the financial statements. D. Publicly-traded firms must address each of the five interrelated components of internal control.

37 12.2 Question 3 Answer Correct Answer: C In fulfillment of the requirements of PCAOB AS 5, external auditors must express an opinion on a firm's internal control at the same time as the opinion on the financial statements. Incorrect Answers: A: Risk may be measured in quantitative or qualitative terms. B: The requirement to establish and maintain a system of internal accounting control is a part of the Foreign Corrupt Practices Act. D: Addressing internal control as a group of five interrelated components is a feature of the COSO model of internal control.

38 12.2 Question 4 Internal controls are designed to provide reasonable assurance that A Material errors or fraud will be prevented or detected and corrected within a timely period by employees in the course of performing their assigned duties. B Management’s plans have not been circumvented by worker collusion. C The internal auditing department’s guidance and oversight of management’s performance is accomplished economically and efficiently. D Management’s planning, organizing, and directing processes are properly evaluated.

39 12.2 Question 4 Answer Correct Answer: A Reasonable assurance is provided when cost-effective actions are taken to restrict deviations to a tolerable level. This implies, for example, that material errors and improper or illegal acts will be prevented or detected and corrected within a timely period by employees in the normal course of performing their assigned duties. The cost-benefit relationship is considered by management during the design of systems. The potential loss associated with any exposure or risk is weighed against the cost to control it.

40 12.2 Question 5 Which one of the following options would be most effective in deterring the commission of fraud? A Policies of strong internal control, segregation of duties, and requiring employees to take vacations. B Policies of strong internal control and punishments for unethical behavior. C Employee training, segregation of duties, and punishment for unethical behavior. D Hiring ethical employees, employee training, and segregation of duties.

41 12.2 Question 5 Answer Correct Answer: A Strong internal control policies are essential for establishing the “tone at the top.” Segregation of duties is one of the most fundamental forms of internal control. Requiring vacations makes it difficult for employees to carry on undiscovered fraud in the absence of collusion.


44 12.2 Control Procedures The control process includes:
Establishing standards for the operation to be controlled; measuring performance against the standards; examining and analyzing deviations; taking corrective actions; and reappraising the standards based on experience.

45 12.2 Control Procedures Types of controls Primary controls include:
Preventive controls deter the occurrence of unwanted events. Detective controls alert after an unwanted event has occurred. Corrective controls correct the negative effects of unwanted events. Directive controls cause or encourage the occurrence of desirable events. Continued

46 12.2 Control Procedures Secondary controls include:
Compensatory (mitigating) controls may reduce risk when the primary controls are ineffective. Complementary controls work with other controls to reduce risk to an acceptable level. Time-based classifications: feedback controls, concurrent controls, and feedforward controls. Continued

47 12.2 Control Procedures People-Based versus System-Based controls
Financial versus operating controls: financial controls should be based on relevant established accounting principles; operating controls, applied to production and support activities, are also called administrative controls. People-based versus system-based controls: people-based controls depend on human intervention for their proper operation; system-based controls are executed whenever needed with no human intervention. Continued

48 12.2 Control Procedures Control activities are designed, put in place, and operated to ensure that management's directives are executed, and include: segregation of duties, covering the four basic functional responsibilities; independent checks and verifications; safeguarding controls; pre-numbered forms; specific document flow. Continued

49 12.2 Control Procedures Segregation of duties include:
Independent checks and verifications; safeguarding controls; pre-numbered forms; specific document flow. See the examples starting at the bottom of page 404.

50 12.2 Question 1 A proper segregation of duties requires that an individual A. Authorizing a transaction records it. B. Authorizing a transaction maintain custody of the asset that resulted from the transaction. C. Maintaining custody of an asset be entitled to access the accounting records for the asset. D. Recording a transaction not compare the accounting record of the asset with the asset itself.

51 12.2 Question 1 Answer Correct Answer: D One person should not be responsible for all phases of a transaction, i.e., for authorization, recording, and custodianship of the related assets. These duties should be performed by separate individuals to reduce the opportunities for any person to be in a position of both perpetrating and concealing errors or fraud in the normal course of his/her duties. For instance, an employee who receives and lists cash receipts should not be responsible for comparing the recorded accountability for cash with existing amounts. Incorrect Answers: A: Authorization and recordkeeping should be separate. B: Authorization and asset custody should be separate. C: Recordkeeping and asset custody should be separate.

52 12.2 Question 2 The procedure that would best discourage the resubmission of vendor invoices after they have been paid is A. A requirement for double endorsement of checks. B. The cancellation of vouchers by accounting personnel. C. The cancellation of vouchers by treasurer personnel. D. The mailing of payments directly to payees by accounting personnel.

53 12.2 Question 2 Answer Correct Answer: C Canceling vouchers and supporting papers (with perforations, ink, etc.) upon payment prevents the payment of a duplicate voucher. If the person signing the check does the canceling, the documents cannot be recycled for duplicate payments. Securing the paid-voucher file from access by the accounts payable clerk is another effective control. Incorrect Answers: A: A single endorsement is not a control weakness if the person who signs does not have incompatible functions and if proper documentation is required before signing. B: The vouchers should not be canceled before payment. D: Mailing payments directly to payees does not prevent a second use of invoices by unethical personnel. Also, record keepers should not have access to signed checks.

54 12.2 Question 3 If internal control is well designed, two tasks that should be performed by different persons are A. Approval of bad debt write-offs, and reconciliation of the accounts payable subsidiary ledger and controlling account. B. Distribution of payroll checks and approval of sales returns for credit. C. Posting of amounts from both the cash receipts journal and cash payments journal to the general ledger. D. Recording of cash receipts and preparation of bank reconciliations.

55 12.2 Question 3 Answer Correct Answer: D Recording of cash establishes accountability for assets. The bank reconciliation compares that recorded accountability with actual assets. The recording of cash receipts and preparation of bank reconciliations should therefore be performed by different individuals since the preparer of a reconciliation could conceal a cash shortage. For example, if a cashier both prepares the bank deposit and performs the reconciliation, (s)he could embezzle cash and conceal the theft by falsifying the reconciliation. Incorrect Answers: A: There is no conflict between writing off bad debts (accounts receivable) and reconciling accounts payable, which are liabilities. B: Distribution of payroll checks and approval of sales returns are independent functions. People who perform such disparate tasks are unlikely to be able to perpetrate and conceal a fraud. In fact, some companies use personnel from an independent function to distribute payroll checks. C: Posting both ledgers would cause no conflict as long as the individual involved did not have access to the actual cash. If a person has access to records but not the assets, there is no danger of embezzlement without collusion.

56 12.2 Question 4 One control objective of the financing/treasury cycle is the proper authorization of company transactions dealing with debt and equity instruments. Which of the following controls would best meet this objective? A Separation of responsibility for custody of funds from recording of the transaction. B Written company policies requiring review of major funding/repayment proposals by the board of directors. C Use of an underwriter in all cases of new issue of debt or equity instruments. D The company serves as its own registrar and transfer agent.

57 12.2 Question 4 Answer Correct Answer: B The control objective of authorization concerns the proper execution of transactions in accordance with management’s wishes. One means of achieving this control objective is the establishment of policies as guides to action. When a decision affects the capitalization of the entity, a policy should be in force requiring review at the highest level.

58 12.2 Question 5 Management wishes to include in its internal controls over factory payroll a procedure to ensure that employees are paid only for work actually performed. To meet this objective, which of the following internal control actions would be most appropriate? A Compare piecework records with inventory additions from production. B Have supervisors distribute paychecks to employees in their sections. C Use time cards. D Keep unclaimed paychecks in a vault.

59 12.2 Question 5 Answer Correct Answer: A Piecework is production that is compensated at a set amount per unit of output rather than time spent on the job. Comparing production amounts (inventory additions) with payments (piecework records) is therefore an appropriate control over payroll.

60 12.3 - Internal Audit Function
Growth and complexity of organizations: growth in internal auditing. IA is considered a basic function; some stock exchanges require an IA function. Foreign Corrupt Practices Act: expects organizations to maintain reasonably detailed and accurate accounting records and a reasonably effective internal control system. Sarbanes-Oxley Act of 2002: the CEO and CFO of a publicly traded company must certify to the effectiveness of the system of internal control.

61 12.3 - Internal Audit Function
The Institute of Internal Auditors (IIA) maintains professional standards for the practice of internal audit worldwide. IIA definition of internal auditing: see page 364. The IIA's International Standards for the Professional Practice of Internal Auditing provide guidance for the conduct of internal auditing at the organizational and individual auditor levels. Practice Advisories give concise and timely guidance to assist internal auditors in applying the Code of Ethics and Standards and in promoting good practices.

62 12.3 - Internal Audit Function
IA must be independent of the activities under audit and must maintain objectivity in daily duties. Independence is an attribute of the IA department; objectivity is an attribute of the auditors themselves. The CAE reports to the CEO and has direct, unhindered access to the BOD. A written IA charter defines the purpose, authority, and responsibility of the activity. It establishes IA's position, its authorized access to records, personnel, and physical property, and the scope of its activities.

63 12.3 - Internal Audit Scope Scope of the IA
Three principal functions of IA: aid upper management in the maintenance of internal control; aid upper management in improving the efficiency of the firm's operations; aid the external auditors in the conduct of the audit of financial statements.

64 Internal Audit Scope The scope of IA is larger than that of the external audit. It addresses: risk exposure; adequacy and effectiveness of controls; reliability and integrity of information; effectiveness and efficiency of operations; safeguarding of assets; compliance with laws, regulations, and contracts; whether management has established adequate controls; preventing and detecting fraud; coordinating activities and sharing information with the external auditor.

65 12.3 - Reportable Incidents
Report to upper management and the BOD: fraud; illegal acts; material weaknesses and significant deficiencies in internal control; significant penetrations of information security.

66 12.3 - Reporting on Internal Control
The BOD and IA have congruent goals. The CAE's core role is support and assurance to the BOD. The BOD adds oversight of the financial reporting process and ensures its reliability and fairness. IA performs sufficient audit work and gathers enough information to allow the BOD to express an opinion on the adequacy and effectiveness of internal control processes.

67 Financial Auditing IA provides assurance regarding financial reporting to management and the BOD. Management is required to provide an assessment of internal control over financial reporting. Governance failures show the need for IA. IA's role is key to improving the effectiveness of governance, risk management, and control. Senior management is more accountable for financial reporting.

68 Compliance Auditing Governmental regulation continues to increase. IA should follow up and report on management's responses to regulatory reviews. Highly regulated companies will have a compliance department with a Chief Compliance Officer; IA will audit that department's work to further ensure compliance.

69 12.3 - Operational Auditing
Definition: "The comprehensive review of the varied functions within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives." It is an examination of the efficiency, effectiveness, and economy of management of a division, department, or function. The audit spotlights problems or highlights strengths compared with policies and procedures, industry averages (best practices), and management trends, and reports on the results of management actions.

70 12.3 - Operational Auditing
Tools for an operational audit:
Financial analysis
Observation
Questionnaires of employees
Goes beyond the typical financial audit: reviews purchasing policies, appraises compliance and safety standards, adequacy of facilities, etc.
The IA should not assume operational responsibility.
Benchmarking is a useful tool.

71 12.3 - Internal Control according to IIA
The purpose of control is to support risk management and the achievement of objectives. Controls ensure:
Reliability and integrity of information
Efficient and effective performance
Safeguarding of assets
Compliance with laws, regulations, and contracts
Senior management – establishment, administration, and assessment of the risk management and control processes.
Line managers – assess controls.
Internal auditors – provide assurance of the effectiveness of risk management and control.

72 12.3 - Internal Control according to IIA
The CAE provides an opinion on the adequacy and effectiveness of control. The CAE develops the IA plan and sets its scope. The plan has to be flexible and should consider the work performed by others. The plan should give special consideration to operations most affected by recent or expected changes. The CAE’s opinion addresses risk and control, including any gaps. Communication of findings has to be timely.

73 12.3 - Internal Control according to IIA
Control evaluation considers whether:
Significant weaknesses or discrepancies exist.
Corrections or improvements were made.
A pervasive condition leading to risk exists.
The CAE’s report on the control process is issued once a year to Senior Management and the BOD. It covers:
The role of control processes
Work performed
Any reliance on other assurance providers

74 12.3 - Internal Control according to IIA
Control criteria: first establish standards for the item to be controlled, drawing on industry standards, professional association standards, and laws and government regulations.
After internal controls have been identified, the IA applies four procedures (Ref. p. 368):
Inquiries of appropriate personnel
Examine documentation
Observe control-related activities
Reperform client procedures

75 12.3 - Due Care in Internal Audit
1220 Due Professional Care states: “Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.”
Due Professional Care: “Exercising due professional care involves internal auditors being alert to the possibility of fraud, intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest, as well as being alert to those conditions and activities where irregularities are most likely to occur.”

76 12.3 - Due Care in Internal Audit
“Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. As such, due professional care requires the internal auditor to conduct examinations and verifications to a reasonable extent. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance needs to be considered whenever an internal auditor undertakes an internal audit assignment.”

77 12.3 - Due Care in Internal Audit
The IIA provides the following implementation standards:
1220.A1 – IA must consider:
Extent of work needed to achieve the objective.
Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
Adequacy and effectiveness of governance, risk management, and control processes.
Probability of significant errors, fraud, or noncompliance.
Cost of assurance in relation to potential benefits.
1220.A2 – The use of technology-based audits.

78 12.3 - Due Care in Internal Audit
Be alert to the risks that might affect objectives, operations, or resources. Assurance procedures alone cannot guarantee that all significant risks will be identified. Unexpected results from procedures should be explained. Due professional care can be demonstrated if the auditor acted as any other auditor would have, given the circumstances.

79 12.3 – Question 1
From a modern internal auditing perspective, which one of the following statements represents the most important benefit of an internal auditing activity to management?
A Assurance that published financial statements are correct.
B Assurance that fraudulent activities will be detected.
C Assurance that the organization is complying with legal requirements.
D Assurance that there is reasonable control over day-to-day operations.

80 12.3 – Question 1 Answer
Correct Answer: D
According to the definition of internal auditing, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Thus, it helps the organization to maintain effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Standard 2120).

81 12.3 – Question 2
The chief audit executive’s responsibility for assessing and reporting on control processes includes
A Communicating to senior management and the board an annual judgment about internal control.
B Overseeing the establishment of internal control processes.
C Implementing the organization’s governance processes.
D Arriving at a single assessment based solely on the work of the internal audit activity.

82 12.3 – Question 2 Answer
Correct Answer: A
The CAE forms an overall opinion about the adequacy and effectiveness of the control processes. The expression of such an opinion by the CAE will be based on sufficient audit evidence obtained through the completion of audits and, if appropriate, reliance on the work of other assurance providers. The CAE communicates the opinion to senior management and the board annually (PA ).

83 12.3 – Question 3
An internal auditor fails to discover an employee fraud during an assurance engagement. The nondiscovery is most likely to suggest a violation of internal auditing standards if it was the result of a
A Failure to perform a detailed review of all transactions in the area.
B Determination that any possible fraud in the area would not involve a material amount.
C Determination that the cost of extending procedures in the area would exceed the potential benefits.
D Presumption that the internal controls in the area were adequate and effective.

84 12.3 – Question 3 Answer
Correct Answer: D
The internal audit activity evaluates the adequacy and effectiveness of controls (Standard 2130.A1). Moreover, the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Standard 2130). Thus, an internal auditor must not simply assume that controls are adequate and effective.

85 12.3 – Question 4
Which of the following is most likely to be an element of an effective regulatory compliance program?
A The internal audit activity should be assigned overall responsibility for overseeing the program.
B The program is communicated to employees in a video format on a one-time basis.
C The organization should use monitoring and auditing systems reasonably designed to detect criminal conduct.
D The organization should obtain as much information as possible when performing background checks on employees.

86 12.3 – Question 4 Answer
Correct Answer: C
The organization should take reasonable steps to achieve compliance with its standards, e.g., by using monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retribution (PA ).

87 Legal Aspects of Internal Controls
The Foreign Corrupt Practices Act had its origin in the Watergate investigation. It amends the Securities Exchange Act of 1934 to prohibit corrupt payments to any:
Foreign official
Foreign political party or official thereof
Candidate for political office in a foreign country
Payments to foreign business owners or corporate officers are not addressed by the Foreign Corrupt Practices Act.
Continued

88 Legal Aspects of Internal Controls
All public companies registered under the 1934 Act must devise and maintain a system of internal accounting control sufficient to provide reasonable assurance that:
Transactions are executed in accordance with management's general or specific authorization
Transactions are recorded as necessary to permit the preparation of financial statements and to maintain accountability for assets
Access to assets is permitted only in accordance with management's general or specific authorization
Recorded assets are compared with existing assets and appropriate action is taken with respect to any differences

89 Legal Aspects of Internal Controls
Sarbanes-Oxley Act – a response to numerous financial reporting scandals involving large public companies.
The Act applies to issuers of publicly traded securities subject to federal securities laws.
The Act requires that each member of the audit committee, including at least one who is a financial expert, be an independent member of the issuer's Board of Directors. An independent director is not affiliated with the issuer and receives no compensation from it other than that for service on the board.
Prohibition of non-audit services
Audit partner rotation
Statutory financial reporting
Internal control report
Continued

90 Legal Aspects of Internal Controls
Audit approaches include:
The substantive procedure approach – also referred to as the vouching approach.
The balance sheet approach – focuses on balance sheet accounts, with only limited procedures being carried out on income statement/profit and loss accounts.
The systems-based approach – requires auditors to assess the effectiveness of internal controls, and then to direct substantive procedures primarily to those areas where it is considered that system objectives will not be met.
The risk-based approach – audit resources are directed towards those areas of the financial statements that may contain misstatements as a consequence of the risks faced by the business.

91 Legal Aspects of Internal Controls
Sarbanes-Oxley section – Services outside the scope of practice of auditors
Sarbanes-Oxley section – Audit partner rotation
Sarbanes-Oxley section – Corporate responsibility for financial reports

92 Internal Controls – Controls and Security Measures
Part 1 Study Unit 13 Internal Controls – Controls and Security Measures Patricia Burnett, CMA

93 13.1 Control Procedures The control process includes:
Establishing standards for the operation to be controlled, Measuring performance against the standards, Examining and analyzing deviations, Taking corrective actions, and Reappraising the standards based on experience

94 13.1 Control Procedures
Types of controls. Primary controls include:
Preventive controls, to deter the occurrence of unwanted events.
Detective controls, which alert after an unwanted event.
Corrective controls, to correct the negative effects of unwanted events.
Directive controls, which cause or encourage the occurrence of desirable events.
Continued

95 13.1 Control Procedures
Secondary controls include:
Compensatory (mitigating) controls, which may reduce risk when the primary controls are ineffective.
Complementary controls, which work with other controls to reduce risk to an acceptable level.
Time-based classifications:
Feedback controls
Concurrent controls
Feedforward controls
Continued

96 13.1 Control Procedures
Financial versus Operating controls:
Financial controls should be based on relevant established accounting principles.
Operating controls, applied to production and support activities, are also called administrative controls.
People-Based versus System-Based controls:
People-based controls are dependent on the intervention of humans for their proper operation.
System-based controls are executed whenever needed with no human intervention.
Continued

97 13.1 Control Procedures
Control activities are designed, put in place, and operated to ensure that management's directives are executed, and include:
Segregation of duties, including four basic functional responsibilities
Independent checks and verifications
Safeguarding controls
Pre-numbered forms
Specific document flow
Continued

98 13.1 Control Procedures
Segregation of duties includes:
Independent checks and verifications
Safeguarding controls
Pre-numbered forms
Compensating controls
How does fraud differ from errors?
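As an added example (not from the slides), the following check flags one person holding incompatible duties for the same asset class, based on the four functional responsibilities of authorization, recording, custody, and reconciliation. The function names, the pairs treated as incompatible, the assignment matrix, and the compensating-control exemption are assumptions constructed for illustration.

```python
# Segregation-of-duties (SoD) conflict check. Added example; not from the slides.
# Function names, incompatible pairs and the assignment matrix are assumptions.
from itertools import combinations

AUTHORIZE, RECORD, CUSTODY, RECONCILE = "authorize", "record", "custody", "reconcile"

# One person must not hold both functions of any pair for the same asset class.
INCOMPATIBLE = {
    frozenset({AUTHORIZE, RECORD}),
    frozenset({AUTHORIZE, CUSTODY}),
    frozenset({RECORD, CUSTODY}),
    frozenset({RECORD, RECONCILE}),   # records cash receipts and prepares the bank reconciliation
    frozenset({CUSTODY, RECONCILE}),  # prepares the deposit and performs the reconciliation
}


def duties_by_asset(duties):
    """Group a user's (function, asset_class) pairs by asset class."""
    grouped = {}
    for func, asset in duties:
        grouped.setdefault(asset, set()).add(func)
    return grouped


def sod_violations(assignments, compensating=frozenset()):
    """assignments: {user: {(function, asset_class), ...}}.
    compensating: {(user, asset_class), ...} where an independent compensating
    control (e.g. documented supervisory review) has been accepted for that user.
    Returns a sorted list of (user, asset_class, function_1, function_2) conflicts
    that are not covered by a compensating control."""
    violations = []
    for user, duties in assignments.items():
        for asset, funcs in duties_by_asset(duties).items():
            if (user, asset) in compensating:
                continue
            for f1, f2 in combinations(sorted(funcs), 2):
                if frozenset({f1, f2}) in INCOMPATIBLE:
                    violations.append((user, asset, f1, f2))
    return sorted(violations)


# Constructed assignment matrix for a small finance function (sample data).
ASSIGNMENTS = {
    # cashier handles cash, records receipts and reconciles the bank account: conflicts
    "cashier": {(CUSTODY, "cash"), (RECORD, "cash"), (RECONCILE, "cash")},
    # controller records payables and reconciles the payables ledger: conflict
    "controller": {(RECORD, "payables"), (RECONCILE, "payables")},
    # treasurer's duties touch different asset classes: no conflict
    "treasurer": {(AUTHORIZE, "cash"), (CUSTODY, "payables")},
    "ar_clerk": {(RECORD, "receivables"), (AUTHORIZE, "bad_debt_writeoff")},
}

if __name__ == "__main__":
    for v in sod_violations(ASSIGNMENTS):
        print("conflict:", v)
    print("with compensating control on controller/payables:",
          sod_violations(ASSIGNMENTS, compensating={("controller", "payables")}))
```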

99 13.1 Question 1
A proper segregation of duties requires that an individual
A. Authorizing a transaction records it.
B. Authorizing a transaction maintain custody of the asset that resulted from the transaction.
C. Maintaining custody of an asset be entitled to access the accounting records for the asset.
D. Recording a transaction not compare the accounting record of the asset with the asset itself.

100 13.1 Question 1 Answer
Correct Answer: D
One person should not be responsible for all phases of a transaction, i.e., for authorization, recording, and custodianship of the related assets. These duties should be performed by separate individuals to reduce the opportunities for any person to be in a position of both perpetrating and concealing errors or fraud in the normal course of his/her duties. For instance, an employee who receives and lists cash receipts should not be responsible for comparing the recorded accountability for cash with existing amounts.
Incorrect Answers:
A: Authorization and recordkeeping should be separate.
B: Authorization and asset custody should be separate.
C: Recordkeeping and asset custody should be separate.

101 13.1 Question 2
The procedure that would best discourage the resubmission of vendor invoices after they have been paid is
A. A requirement for double endorsement of checks.
B. The cancellation of vouchers by accounting personnel.
C. The cancellation of vouchers by treasurer personnel.
D. The mailing of payments directly to payees by accounting personnel.

102 13.1 Question 2 Answer
Correct Answer: C
Canceling vouchers and supporting papers (with perforations, ink, etc.) upon payment prevents the payment of a duplicate voucher. If the person signing the check does the canceling, the documents cannot be recycled for duplicate payments. Securing the paid-voucher file from access by the accounts payable clerk is another effective control.
Incorrect Answers:
A: A single endorsement is not a control weakness if the person who signs does not have incompatible functions and if proper documentation is required before signing.
B: The vouchers should not be canceled before payment.
D: Mailing payments directly to payees does not prevent a second use of invoices by unethical personnel. Also, record keepers should not have access to signed checks.

103 13.1 Question 3
If internal control is well designed, two tasks that should be performed by different persons are
A. Approval of bad debt write-offs, and reconciliation of the accounts payable subsidiary ledger and controlling account.
B. Distribution of payroll checks and approval of sales returns for credit.
C. Posting of amounts from both the cash receipts journal and cash payments journal to the general ledger.
D. Recording of cash receipts and preparation of bank reconciliations.

104 13.1 Question 3 Answer
Correct Answer: D
Recording of cash establishes accountability for assets. The bank reconciliation compares that recorded accountability with actual assets. The recording of cash receipts and preparation of bank reconciliations should therefore be performed by different individuals since the preparer of a reconciliation could conceal a cash shortage. For example, if a cashier both prepares the bank deposit and performs the reconciliation, (s)he could embezzle cash and conceal the theft by falsifying the reconciliation.
Incorrect Answers:
A: There is no conflict between writing off bad debts (accounts receivable) and reconciling accounts payable, which are liabilities.
B: Distribution of payroll checks and approval of sales returns are independent functions. People who perform such disparate tasks are unlikely to be able to perpetrate and conceal a fraud. In fact, some companies use personnel from an independent function to distribute payroll checks.
C: Posting both ledgers would cause no conflict as long as the individual involved did not have access to the actual cash. If a person has access to records but not the assets, there is no danger of embezzlement without collusion.

105 13.1 Question 4
One control objective of the financing/treasury cycle is the proper authorization of company transactions dealing with debt and equity instruments. Which of the following controls would best meet this objective?
A Separation of responsibility for custody of funds from recording of the transaction.
B Written company policies requiring review of major funding/repayment proposals by the board of directors.
C Use of an underwriter in all cases of new issue of debt or equity instruments.
D The company serves as its own registrar and transfer agent.

106 13.1 Question 4 Answer
Correct Answer: B
The control objective of authorization concerns the proper execution of transactions in accordance with management’s wishes. One means of achieving this control objective is the establishment of policies as guides to action. When a decision affects the capitalization of the entity, a policy should be in force requiring review at the highest level.

107 13.1 Question 5
Management wishes to include in its internal controls over factory payroll a procedure to ensure that employees are paid only for work actually performed. To meet this objective, which of the following internal control actions would be most appropriate?
A Compare piecework records with inventory additions from production.
B Have supervisors distribute paychecks to employees in their sections.
C Use time cards.
D Keep unclaimed paychecks in a vault.

108 13.1 Question 5 Answer
Correct Answer: A
Piecework is production that is compensated at a set amount per unit of output rather than time spent on the job. Comparing production amounts (inventory additions) with payments (piecework records) is therefore an appropriate control over payroll.

109 13.2 - Systems Controls and Information Security
Segregation of Duties – separate authorization, record keeping, and custody.
3 goals of Information Security:
Availability – Correct access to meet goals
Confidentiality – Keep documents private
Integrity – Prevent unauthorized or accidental changes to programs or data.

110 13.2 - Systems Controls and Information Security
Threats to Information Systems:
Input manipulation
Program alteration
Direct file alteration
Data theft
Sabotage
Viruses
Logic bombs
Worms
Trojan horses
Back doors
Asset theft
Malicious software or malware

111 13.2 - Systems Controls and Information Security
Systems Development Controls – input, processing, output, and storage
Committee approvals – developers and end users
Steering committee – goal congruence
Coding and documentation standards
Changes to systems: development – sandbox – production
Code comparison – clean code to installed code
Physical controls – limit physical access; environmental controls
Logical Controls – limiting access
Authentication – password security optimization; password fatigue
Authorization – users can only do what they are authorized to do.

112 13.2 - Input Controls
Provides reasonable assurance that data is authorized, complete, and accurate.
Online input controls – screen input:
Preformatting – looks like the source document
Edit checks – validations, drop-down boxes
Limit checks – reasonableness
Check digits
Batch input controls – held for processing:
Management release
Record count
Financial total
Hash total

113 13.2 - Processing Controls
Reasonable assurance that:
All data submitted is processed
Only approved data is processed
Repeat steps:
Validation
Completeness
Arithmetic controls
Sequence check
Run-to-run control totals
Key integrity – unique identifier
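As an added example (not from the slides), the following implements the input controls and the processing controls just listed over one constructed payroll batch: a check digit on the employee ID, edit and limit checks on each record, record count, financial total and hash total compared against the originating department's control slip, and run-to-run control totals carried from input into the processing run. The field names, the mod-10 (Luhn) check-digit scheme, the tax rate, and all sample values are assumptions.

```python
# Batch input controls and run-to-run control totals. Added example; not from the slides.
# Field names, the mod-10 check-digit scheme and the sample batch are assumptions.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    employee_id: str   # digits; the last digit is a mod-10 (Luhn) check digit (assumption)
    hours: Decimal     # hours worked in the period
    gross: Decimal     # gross pay for the period


def luhn_valid(number: str) -> bool:
    """Check-digit control: True if the mod-10 (Luhn) check digit is consistent."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def edit_checks(rec: Record, max_hours: Decimal = Decimal("80")) -> list:
    """Online edit and limit checks on one record; returns the problems found (empty = clean)."""
    problems = []
    if not luhn_valid(rec.employee_id):
        problems.append("employee_id fails check digit")
    if rec.hours < 0 or rec.hours > max_hours:
        problems.append("hours outside limit check")
    if rec.gross <= 0:
        problems.append("gross not positive")
    return problems


def batch_totals(records) -> dict:
    """Batch input controls: record count, financial total and hash total."""
    return {
        "record_count": len(records),
        "financial_total": sum((r.gross for r in records), Decimal("0")),
        # hash total: sum of a non-financial field, meaningless except as a control
        "hash_total": sum(int(r.employee_id) for r in records),
    }


def batch_mismatches(records, control_slip: dict) -> dict:
    """Compare totals recomputed from the submitted batch with the control slip
    prepared by the originating department; returns {field: (expected, actual)}."""
    actual = batch_totals(records)
    return {k: (control_slip[k], actual[k]) for k in control_slip if control_slip[k] != actual[k]}


def process_run(records, tax_rate: Decimal = Decimal("0.20")) -> list:
    """Processing step: compute net pay. Output keeps the fields needed to
    recompute the control totals from the output of this run."""
    return [
        {"employee_id": r.employee_id, "gross": r.gross,
         "net": (r.gross * (1 - tax_rate)).quantize(Decimal("0.01"))}
        for r in records
    ]


def run_to_run_ok(input_totals: dict, output_rows) -> bool:
    """Run-to-run control totals: totals established at input must be reproduced
    from the next run's output, showing nothing was dropped, added or altered."""
    out = {
        "record_count": len(output_rows),
        "financial_total": sum((row["gross"] for row in output_rows), Decimal("0")),
        "hash_total": sum(int(row["employee_id"]) for row in output_rows),
    }
    return out == input_totals


# Constructed batch: IDs 10009, 10017 and 10025 carry valid mod-10 check digits.
BATCH = [
    Record("10009", Decimal("40"), Decimal("1200.00")),
    Record("10017", Decimal("38"), Decimal("1140.00")),
    Record("10025", Decimal("45"), Decimal("1350.00")),
]
CONTROL_SLIP = {"record_count": 3, "financial_total": Decimal("3690.00"), "hash_total": 30051}

# Substitution: ID 10017 replaced by 10033 (also check-digit valid, same count and amount).
# Record count and financial total still agree; only the hash total reveals the change.
SUBSTITUTED = [BATCH[0], Record("10033", Decimal("38"), Decimal("1140.00")), BATCH[2]]

# Constructed bad record: wrong check digit, hours over the limit, zero gross.
BAD_RECORD = Record("10018", Decimal("90"), Decimal("0"))

if __name__ == "__main__":
    print("clean batch mismatches:", batch_mismatches(BATCH, CONTROL_SLIP))
    print("substituted batch mismatches:", batch_mismatches(SUBSTITUTED, CONTROL_SLIP))
    print("edit checks on bad record:", edit_checks(BAD_RECORD))
    out = process_run(BATCH)
    print("run-to-run ok:", run_to_run_ok(batch_totals(BATCH), out))
    print("run-to-run after a dropped record:", run_to_run_ok(batch_totals(BATCH), out[:-1]))
```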

114 13.2 - Output Controls
Assures processing was complete and accurate.
Audit trail
Error listing, followed by correction and resubmission

115 13.2 - Computer-Assisted Audit Techniques (CAATs)
Certain controls relating to input, processing, and output are internal to the system.
Auditing around the computer – used with simple systems:
Manually process transactions and compare
Small number of transactions tested
Effectiveness is questionable
Computer is only a black box
Auditing through the computer – sophisticated:
Processing test data
Parallel simulation
Generalized audit software
Data extraction techniques
Creation of an integrated test facility
Embedded audit modules
Computer aided

116 13.2 - Computer-Assisted Audit Techniques (CAATs)
Test data – test deck – good and bad data
Parallel system simulation
GAS – Generalized audit software: ACL (Audit Command Language) & IDEA (Interactive Data Extraction and Analysis)
Data extraction
Spreadsheet analysis
Integrated test facility (ITF) – testing done on production data.
Embedded audit module – continuous monitoring of online systems, in real time. Disadvantage: audit hooks must be programmed into the application.
Application tracing – step by step by the auditor
System mapping – step by step by another program

117 Storage Controls
Dual write routines
Validity checks
Physical controls

118 13.2 – Question 1
Which of the following is not a threat to information systems?
A. Trojan horses.
B. Worms.
C. Data theft.
D. Serendipity.

119 13.2 – Question 1 Answer
Correct Answer: D
Trojan horses and worms are threats to computerized systems. Data theft is a threat to any system. Serendipity is essentially a nonsense answer in that the word means the fortunate discovery of something good.
Incorrect Answers:
A: A Trojan horse is a destructive program that masquerades as a benign application.
B: A worm is a program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer’s resources and possibly shutting the system down.
C: Data theft is a threat to all systems.

120 13.2 – Question 2
In order to prevent, detect, and correct errors and unauthorized tampering, a payroll system should have adequate controls. The best set of controls for a payroll system includes
A. Batch and hash totals, record counts of each run, proper separation of duties, passwords and user codes, and backup copies of activity and master files.
B. Employee supervision, batch totals, record counts of each run, and payments by check.
C. Passwords and user codes, batch totals, employee supervision, and record counts of each run.
D. Batch totals, record counts, user codes, proper separation of duties, and online edit checks.

121 13.2 – Question 2 Answer
Correct Answer: A
Controls in a payroll system should include a proper separation of the functions of authorization, record keeping, and custody of assets; batch totals for such items as hours worked and payroll amounts; hash totals (e.g., of employee identification numbers) to test for completeness of processing; record counts for each run; special control over unclaimed checks (the person who distributes checks must not retain unclaimed checks); and backup copies of files to allow for reconstruction if information is lost.
Incorrect Answers:
B: Separation of duties and backup procedures are not mentioned.
C: Separation of duties and backup procedures are not mentioned.
D: Special controls over unclaimed checks and backup procedures are omitted.

122 13.2 – Question 3
An example of an internal check is
A. Making sure that output is distributed to the proper people.
B. Monitoring the work of programmers.
C. Collecting accurate statistics of historical transactions while gathering data.
D. Recalculating an amount to ensure its accuracy.

123 13.2 – Question 3 Answer
Correct Answer: D
Arithmetic proof checks (recalculations) are performed by edit routines before data are processed. A simple example is comparing total debits and total credits.
Incorrect Answers:
A: It is external to computer processing.
B: It is external to computer processing.
C: It is external to computer processing.

124 13.3 - Security Measures and Business Continuity Planning
Inherent risks of the internet:
Password attacks
Man-in-the-middle
Denial-of-service
Use of Data Encryption:
Public-key
Private-key
Firewalls & Anti-virus software
Routine Backup and Offsite Rotation – data is more valuable than hardware

125 13.3 - Security Measures and Business Continuity Planning
Disaster Recovery Planning – Contingency planning
Disaster recovery is the process of resuming normal information processing. Business continuity is the continuation of business by other means during the disaster period.
Two major types of contingency:
Data center is available – power failure, viruses, hacking…
Data center is not available – flood, fire, hurricane, earthquakes…
Alternate Processing Facility – a physical location maintained by an outside contractor for the purpose of providing processing facilities for customers in case of disaster.

126 13.3 – Question 1
The encryption technique that requires two keys, a public key that is available to anyone for encrypting messages and a private key that is known only to the recipient for decrypting messages, is
A. Rivest, Shamir, and Adleman (RSA).
B. Data encryption standard (DES).
C. Modulator-demodulator.
D. A cypher lock.

127 13.3 – Question 1 Answer
Correct Answer: A
RSA is a potential encryption standard licensed to hardware and software vendors. Public-key encryption requires management of fewer keys for a given client-server environment than does private-key encryption. However, compared with DES, RSA entails more complex computations and therefore has a higher processing overhead. RSA requires two keys: The public key for encrypting messages is widely known, but the private key for decrypting messages is kept secret by the recipient.
Incorrect Answers:
B: DES is a shared private-key method developed by the U.S. government. It encrypts data into 64-bit blocks using a 56-bit key. DES requires only a single key for each pair of parties that want to send each other encrypted messages.
C: A modem is used for telecommunications.
D: A cypher lock is a physical device.

128 13.3 – Question 2
A critical aspect of a disaster recovery plan is to be able to regain operational capability as soon as possible. In order to accomplish this, an organization can have an arrangement with its computer hardware vendor to have a fully operational facility available that is configured to the user’s specific needs. This is best known as a(n)
A. Uninterruptible power system.
B. Parallel system.
C. Cold site.
D. Hot site.

129 13.3 – Question 2 Answer
Correct Answer: D
A disaster recovery plan may include a contract with an external contingency facility vendor. Depending on the organization’s needs, the contingency facility may be a hot site or a cold site. A hot site is an arrangement with a vendor for a fully operational facility that is configured to the user’s specific needs and that will be available within 24 hours. A hot site may also be fixed or portable and is recommended for an organization that cannot afford for its computer system to be down for even one day.
Incorrect Answers:
A: An uninterruptible power system is a system that is fully protected by a generator or battery backup to prevent data destruction and downtime from electrical power outages.
B: A parallel system exists if a company maintains an identical system to the main system.
C: A cold site is a cheaper alternative to a hot site. It is a shell facility suitable for the quick installation of computer equipment. It provides a prebuilt, environmentally controlled area with raised flooring, electrical power, and appropriate plumbing.

130 13.3 – Question 3
Of the techniques available to an auditor, which is the most valuable in providing a summary outline and overall description of the process of transactions in an information system?
A. Transaction retrievals.
B. Test decks.
C. Software code comparisons.
D. Flowcharts.

131 13.3 – Question 3 Answer
Correct Answer: D
Flowcharting is a useful tool for systems development as well as understanding the internal control structure. A flowchart is a pictorial diagram of the definition, analysis, or solution of a problem in which symbols are used to represent operations, data flow, transactions, equipment, etc. The processing is presented as sequential from the point of origin to final output distribution. Processing usually flows from top to bottom and left to right in the flowchart. Areas of responsibility (e.g., data processing or purchasing) are usually depicted in vertical columns or areas.
Incorrect Answers:
A: Transaction retrievals are used to select items for testing and review.
B: Test decks are used to verify processing accuracy.
C: Software code comparisons are used to validate that programs in production correspond to an authorized copy of the software.

132 Essays by Patti
The essay portion of the exam will begin once you complete the multiple-choice section or after three hours, whichever comes first.

133 Essays
Essays test your understanding of how specific pieces of information relate to one another, and your ability to apply your knowledge to real-life situations. They require understanding of the content and being able to make recommendations. Your strategy should be to learn the content first, then practice multiple-choice exam-type questions, then learn how to respond to essay questions.

134 Essays
How to write essay answers. You will respond to the questions asked. Your answers should:
Directly respond to the questions asked.
Be presented in a logical manner.
Demonstrate an appropriate understanding of the subject matter.

135 Essays
Using the same verbs (from the question) within your answer will ensure that you are responding directly and completely to the questions.
You need to have an understanding of:
Financial statements
Time value of money concepts
Elementary statistics

136 Essays
Writing Skills – based on:
Use of standard English
Organization
Clarity
When working through the essays, pay close attention to the key words in the question, organize your response, and start writing the answer to the question.

137 Essays
To make the best use of your time to complete the essay portion:
Take the online tutorial to become familiar with the testing screens. The tutorial is not part of your testing time and may be repeated. However, the tutorial time is limited to 20 minutes.
Briefly skim through both essay questions and get an idea of what each question is asking you to do (i.e. describe, analyze, calculate, etc.).
Continued

138 Essays
You have one hour to complete the full essay exam (more if you have finished the multiple-choice section earlier than the three-hour limit).
Determine how much time you will dedicate to each essay question.
Start with the question you know best.
Begin by writing key words, thoughts, facts, figures, and anything else that can be used to answer the question.
Continued

139 Essays
As you answer one question, issues related to the other may occur to you. Write that information next to the appropriate question. This will build your confidence and give you a starting place when you begin the second question.
Continued

140 Essays
To answer each question:
Read the entire question for requirements. Be aware of the verb clues that delineate what is being asked. This will help you formulate and organize your answer. Note that you may have more than one task – define, interpret…
Write the basic requirements in the answer space so that you are sure to address them.
Begin your answer with one or two sentences that directly answer the question. If possible, rephrase the question’s essential terms in a statement that directly answers the question.
continued

141 Essays
Use bullet points to show main ideas, and support each point with sufficient detail to show that you understand all the issues relevant to the question.
Make it as easy as possible for graders to give you points. The goal of grading is to award you points, so show your thinking clearly and effectively.
Do not write too little or too much.
Finish your essay with one or two sentences that summarize your main point(s).
Proofread your answer for logic, thoroughness, and clarity.
continued

142 Essays Keep track of time. Do not spend too much time on one question.
If you do not have enough time to write a full essay, write an outline of your main points to show what you know in order to get partial credit.

143 Essays
Each essay question actually consists of several related questions based on one scenario. The question as a whole is worth a set number of points and is graded against a scorecard to ensure consistent grading. The scorecard lists appropriate terms, topics, and ideas that address the answer.

