Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES


1 Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES

2 Internal Control and Accountants’ Roles
Accountants as Managers – Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Management to prepare a statement describing and assessing the company’s internal control system

3 Internal Control and Accountants’ Roles
Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Annual reports of public companies to include: (1) a statement that management is responsible for internal controls over financial reporting,

4 Internal Control and Accountants’ Roles
Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Annual reports of public companies to include: (2) a statement identifying the framework used by management to evaluate internal controls,

5 Internal Control and Accountants’ Roles
Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Annual reports of public companies to include (3) an assessment of internal controls and disclosure of any material weaknesses, and

6 Internal Control and Accountants’ Roles
Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Annual reports of public companies to include: (4) a statement that a public accounting firm has issued an attestation report on management’s assessment of internal control.

7 Internal Control and Accountants’ Roles
Accountants as Users – Must understand a company’s internal controls to apply them correctly.

8 Internal Control and Accountants’ Roles
Accountants as Designers of internal control procedures – Must understand a company’s internal controls in order to achieve compliance with regulations and company objectives and to minimize risks

9 Internal Control and Accountants’ Roles
Accountants as Evaluators – must understand internal control systems to:
- Help develop management’s report that assesses internal controls (as internal auditors)
- Prepare an attestation to management’s statement about internal control (as external auditors)
- Conduct the audit of a company’s financial statements (as external auditors)

10 Framework for Studying Internal Control
- Components of internal control (the COSO Report)
- Internal control objectives
- Risk assessment

11 Framework for Studying Internal Control
The COSO Report: 5 interrelated components of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

12 Internal Control Components and Objectives
Execution objectives – 2 execution objectives for the revenue cycle:
- Ensure proper delivery of goods and services
- Ensure proper collection and handling of cash
2 execution objectives for the acquisition cycle:
- Ensure proper receiving of goods and services
- Ensure proper payment and handling of cash

13 Internal Control Components and Objectives
Information system objectives – Focus on recording, updating, and reporting accounting information; important for ensuring effective execution of transactions

14 Internal Control Components and Objectives
Asset protection objectives - Focus on safeguarding assets to minimize risk of theft or loss of assets

15 Internal Control Components and Objectives
Performance objectives – Focus on achieving favorable performance of an organization, person, department, product, or service; established to ensure effective operations

16 Assessment of Execution Risks: Revenue Cycle
Generic execution risks for each of the two revenue cycle transactions:
1. Delivering goods/services:
- Unauthorized sale/service permitted
- Authorized sale/service did not occur, occurred late, or was duplicated unintentionally
- Wrong type of product/service
- Wrong quantity/quality
- Wrong customer/address

17 Assessment of Execution Risks: Revenue Cycle
Generic execution risks for each of the two revenue cycle transactions:
2. Collecting cash:
- Cash not collected or collected late
- Wrong amount of cash collected

18 Assessment of Execution Risks: Acquisition Cycle
Generic execution risks for each of the two acquisition cycle transactions:
1. Receiving goods/services:
- Unauthorized goods/services received
- Expected receipt of goods/services did not occur, occurred late, or was duplicated unintentionally
- Wrong type of product or service received
- Wrong quantity/quality
- Wrong supplier

19 Assessment of Execution Risks: Acquisition Cycle
Generic execution risks for each of the two acquisition cycle transactions:
2. Making payment:
- Unauthorized payment
- Cash not paid, paid late, or duplicate payment
- Wrong amount paid
- Wrong supplier paid

20 Assessment of Execution Risks: Revenue & Acquisition Cycles
Understanding and assessing execution risks – 5 steps:
Step 1. Achieve an understanding of the processes
Step 2. Identify the at-risk goods/services provided and cash received
Step 3. Restate each generic risk to describe the execution risk more precisely for the process under study – exclude irrelevant/immaterial risks

21 Assessment of Execution Risks: Revenue & Acquisition Cycles
Understanding and assessing execution risks – 5 steps:
Step 4. Assess the significance of the remaining risks
Step 5. Identify factors that contribute to each significant risk – use the events in the process to systematically identify factors
What control activities could be implemented to mitigate the risks?

22 Assessment of Information Systems Risks
2 categories of information systems risks:
- Recording risks
- Updating risks

23 Assessment of Information Systems Risks
The process of recording and updating information is both a risk and a control:
- Risk – information will be recorded incorrectly, perhaps resulting in transaction errors and incorrect financial statements
- Control – when information is correct, because recorded information is used to control transactions

24 Assessment of Information Systems Risks
Recording risks: Risks that event information is not captured accurately in an organization’s information system
- Errors in recording can cause substantial losses
- Recording events late can cause opportunity losses
- In the acquisition cycle, recording errors can result in overpaying bills or loss of credit from failure to pay

25 Assessment of Information Systems Risks
Recording risks: Revenue/acquisition cycles – generic recording risks
- Event recorded never occurred
- Event not recorded, recorded late, or duplication of recording
- Wrong product/service recorded
- Wrong quantity/price recorded
- Wrong external/internal agent recorded
- Wrong recording of other data

26 Assessment of Information Systems Risks
Recording risks: Identifying recording risks – 3 steps
Step 1. Achieve an understanding of the process under study – identify the events
Step 2. Review the events – identify where data are recorded in a source document or a transaction file

27 Assessment of Information Systems Risks
Recording risks: Identifying recording risks – 3 steps
Step 3. For each event where data are recorded in a source document or transaction record:
- Consider the preceding generic recording risks
- Restate each generic risk to describe the risk more precisely for the particular event under consideration
- Exclude any risks that are irrelevant or immaterial

28 Assessment of Information Systems Risks
Updating risks: Risks that summary fields in master records are not properly updated
- Update failures can be costly
- Errors in updates can reduce the effectiveness of controls over the general ledger balances for assets and liabilities

29 Assessment of Information Systems Risks
Updating risks: Generic risks
- Update of master record omitted, or unintended duplication of an update
- Update of master record occurred at the wrong time (if updates are scheduled, users need to know the schedule and it needs to be followed)
- Summary field updated by the wrong amount
- Wrong master record updated

30 Assessment of Information Systems Risks
Identifying updating risks: 3 steps
Step 1. Identify recording risks
Step 2. Identify the events that include update activity and the summary fields in the updated master files

31 Assessment of Information Systems Risks
Identifying updating risks: 3 steps
Step 3. For each event that updates a master file:
- Consider the preceding generic update risks
- Restate each generic risk to describe the update risk more precisely for the particular event under consideration
- Exclude any update risks that are irrelevant or immaterial

32 Recording and Updating in the General Ledger System
The General_Ledger File stores reference and summary data about the general ledger accounts. The process of updating a general ledger account is sometimes referred to as “posting.”

33 Recording and Updating in the General Ledger System
Risks in recording and updating information in a general ledger system:
- Wrong general ledger account recorded
- Wrong amounts debited/credited
- General ledger master record not updated at all, updated late, or updated twice
- Wrong general ledger master record updated

34 Recording and Updating in the General Ledger System
Risks in recording and updating information in a general ledger system – important to internal control:
- The policy for updating general ledger accounts should be well understood
- Often, general ledger balances are updated after a batch of transactions, not with each transaction

35 Recording and Updating in the General Ledger System
Risks in recording and updating information in a general ledger system – important to internal control: Employees need to know:
- Under the batch process, general ledger account balances are temporarily out of date
- When updates are made

36 Recording and Updating in the General Ledger System
Controlling risks:
- Identify significant risks of losses or errors
- Consider ways to control the risks
- Accountants, external auditors, or internal auditors evaluate existing controls and suggest additional controls where warranted
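The generic update risks in slides 29 and 33 (update omitted or duplicated, wrong amount, wrong master record) map directly onto checks a batch posting routine can make before it touches a balance. The following is an added example, not code from the slides or from any textbook system; the ledger layout, the sign convention (debits positive, credits negative) and the journal entries are constructed for illustration. Timing risk (an update at the wrong time) is not addressed here.

```python
from collections import defaultdict

# Constructed general ledger master file (assumed layout, not from the slides):
# account number -> reference data (name) plus a summary field (balance).
# Sign convention assumed: debits positive, credits negative, so a balanced
# journal entry sums to zero.
GENERAL_LEDGER = {
    "1000": {"name": "Cash", "balance": 8000.0},
    "1100": {"name": "Accounts Receivable", "balance": 10000.0},
    "4000": {"name": "Sales", "balance": -25000.0},
}
# Constructed batch: each journal entry has an id and (account, signed amount) lines.
BATCH = [
    {"id": "JE-101", "lines": [("1100", 500.0), ("4000", -500.0)]},  # credit sale
    {"id": "JE-102", "lines": [("1000", 300.0), ("1100", -300.0)]},  # cash collected
    {"id": "JE-103", "lines": [("1100", 250.0), ("4000", -200.0)]},  # wrong amount: unbalanced
    {"id": "JE-104", "lines": [("1000", 75.0), ("9999", -75.0)]},    # wrong GL account
    {"id": "JE-101", "lines": [("1100", 500.0), ("4000", -500.0)]},  # duplicate of JE-101
]

def post_batch(ledger, posted_ids, batch):
    """Post a batch to the GL master records. Every entry is checked before any
    balance changes, so a rejected entry never leaves a half-applied update.
    Returns (accepted ids, {rejected id: reason})."""
    accepted, rejected, pending = [], {}, defaultdict(float)
    for entry in batch:
        eid, lines = entry["id"], entry["lines"]
        if eid in posted_ids or eid in accepted:
            rejected[eid] = "already posted (duplicate update)"
        elif any(acct not in ledger for acct, _ in lines):
            rejected[eid] = "unknown account (wrong master record)"
        elif abs(sum(amt for _, amt in lines)) > 0.005:
            rejected[eid] = "debits do not equal credits (wrong amount)"
        else:
            accepted.append(eid)
            for acct, amt in lines:
                pending[acct] += amt
    for acct, delta in pending.items():   # apply only after the whole batch validated
        ledger[acct]["balance"] += delta
    posted_ids.update(accepted)           # remembered so a re-run of the batch posts nothing
    return accepted, rejected

if __name__ == "__main__":
    print(post_batch(GENERAL_LEDGER, set(), BATCH))
    print({a: r["balance"] for a, r in GENERAL_LEDGER.items()})
```

Running the same batch a second time rejects every entry, which is the property an omitted-or-duplicated update control needs: re-posting after an interrupted run is safe.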

37 Control Activities
The policies and procedures to address risks to achievement of the organization’s objectives
- Manual or automated
- May be implemented at various levels of the organization
4 types of controls:
- Workflow controls
- Input controls
- General controls
- Performance reviews

38 Control Activities
Workflow controls:
- Used to control a process as it moves from one event to the next
- Exploit linkages between events
- Focus on: responsibilities for events, sequence of events, and flow of information between events in a business process

39 Control Activities
Workflow controls:
- Segregation of duties
- Use of information from prior events to control activities
- Required sequence of events
- Follow-up on events
- Sequence of prenumbered documents
- Recording of internal agent(s) accountable for an event in a process
- Limitation of access to assets and information
- Reconciliation of records with physical evidence of assets

40 Control Activities
1. Segregation of duties: Organizations make an effort to segregate:
- Authorization of events
- Execution of events
- Recording of event data
- Custody of resources associated with the event
The overview activity diagram is best suited to understanding and documenting segregation of duties

41 Control Activities
2. Use of information about prior events: Information about prior events can come from documents or computer records. 2 examples of information from computer files:
- Checking summary data in master files to authorize events
- Transaction records may help control events – similar to using documents before approving an invoice

42 Control Activities
3. Required sequence of events: Often, organizations:
- Have policies requiring a process to follow a particular sequence
- Require a sequence of events without having prior recorded information to rely on

43 Control Activities
4. Follow-up on events: Organizations:
- Need an automated or manual way to review transactions not yet concluded
- Should have “open” item or aging reports to identify events needing follow-up
- Can design/use routine reports to flag unfinished business
- Can query a database for status reports

44 Control Activities
5. Prenumbered documents:
- Provide an opportunity to control events
- Prenumbered documents created during one event are accounted for in a later event
- Checking the sequence of prenumbered documents helps ensure that all events are executed and recorded appropriately

45 Control Activities
6. Recording of internal agent(s) accountable for an event in a process – important:
- Clear job descriptions and specific instructions from supervisors
- Recording the employee ID number at the time of the event
- Safeguarding of assets through the use of serial numbers, recordkeeping, and identification of the custodian of the assets

46 Control Activities
7. Limitation of access to assets and information – safeguards:
- Access to assets only for employees needing them for assigned duties
- Physical assets stored in secure locations
- Employee badges for access
- Alarms
- Password required for access to data

47 Control Activities
8. Reconciliation of records with physical evidence of assets: Ensures that recorded event and master file data correspond to actual assets. Differs from the use of documents to control events – reconciliation:
- Is broader
- Usually involves data about multiple events
- Occurs after the events have been executed and recorded

48 Control Activities
Input controls: Used to control input of data into computer systems
- Drop-down or look-up menus
- Record-checking of data entered
- Confirmation of data entered
- Referential integrity controls
- Format checks to limit data
- Validation rules to limit the data
- Defaults from data entered in prior sessions

49 Control Activities
Input controls (continued):
- Restriction against leaving a field blank
- Field established as a primary key
- Computer-generated values entered in records
- Batch control totals taken before data entry compared to printouts after data entry
- Review for errors before posting
- Exception reports
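Several of the input controls on slides 48 and 49 (blank-field restriction, format check, referential integrity against master files, validation rules, and batch control totals compared before and after data entry) are shown together below as an added example; it is not code from the slides. The master files, the order-number format and the keyed batch are constructed, and the hash total is a deliberately meaningless sum of customer numbers that still exposes a mis-keyed customer.

```python
import re

# Constructed master files and batch (assumed layout, not from the slides).
CUSTOMER_MASTER = {"C-1001": "Acme Ltd", "C-1002": "Borealis Inc", "C-1003": "Cobalt Co"}
INVENTORY_MASTER = {"P-200": {"qty_on_hand": 40}, "P-201": {"qty_on_hand": 0}}
ORDER_NO_FORMAT = re.compile(r"^SO-\d{6}$")        # assumed format of the prenumbered sales order
REQUIRED_FIELDS = ("order_no", "customer_id", "product_id", "quantity")
KEYED_BATCH = [
    {"order_no": "SO-000123", "customer_id": "C-1001", "product_id": "P-200", "quantity": 5},
    {"order_no": "SO-00124", "customer_id": "C-1002", "product_id": "P-201", "quantity": 3},
    {"order_no": "SO-000125", "customer_id": "C-1030", "product_id": "P-200", "quantity": 0},
]
# Totals written on the batch control slip before keying; the third customer was C-1003.
CONTROL_SLIP = {"count": 3, "quantity_total": 8, "hash_total": 1001 + 1002 + 1003}

def validate_order(rec):
    """Apply the input controls from the slides to one keyed record; returns the
    list of violations (an empty list means the record passes)."""
    errors = []
    for f in REQUIRED_FIELDS:                              # restriction against blank fields
        if rec.get(f) in (None, ""):
            errors.append(f"{f}: must not be blank")
    if not ORDER_NO_FORMAT.match(str(rec.get("order_no", ""))):
        errors.append("order_no: format check failed")     # format check
    if rec.get("customer_id") not in CUSTOMER_MASTER:      # referential integrity
        errors.append("customer_id: no matching customer master record")
    item = INVENTORY_MASTER.get(rec.get("product_id"))
    if item is None:                                       # referential integrity
        errors.append("product_id: no matching inventory master record")
    qty = rec.get("quantity")
    if not isinstance(qty, int) or qty <= 0:               # validation rule
        errors.append("quantity: must be a positive integer")
    elif item is not None and qty > item["qty_on_hand"]:   # validation rule against master data
        errors.append("quantity: exceeds quantity on hand")
    return errors

def batch_totals(records):
    """Control totals recomputed from the keyed records: record count, quantity
    total, and a hash total of the numeric part of each customer number."""
    cust_no = lambda r: int(re.sub(r"\D", "", str(r.get("customer_id") or "")) or 0)
    return {"count": len(records),
            "quantity_total": sum(r.get("quantity") or 0 for r in records),
            "hash_total": sum(cust_no(r) for r in records)}

def check_batch(control_slip, records):
    """Names of the control totals that disagree with the slip prepared before entry."""
    computed = batch_totals(records)
    return sorted(k for k, v in control_slip.items() if computed.get(k) != v)
```

The record count and quantity total agree with the slip, so only the hash total reveals that one customer number was keyed wrongly; that is the case a count alone would miss.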

50 Control Activities
General controls: Broader controls that apply to multiple processes; help workflow and input controls be effective. Organized into four categories:
- Information systems (IS) planning
- Organizing the information technology (IT) function
- Identifying and developing IS solutions
- Implementing and operating accounting systems

51 Control Activities
Performance reviews:
- Measure performance by comparing actual data with budgets, forecasts, or prior-period data
- Include analyzing data, identifying problems, and taking corrective action
- Ensure events support broader long-term goals
- Typically involve comparing actual results to plans, standards, and prior performance

52 Control Activities
Performance reviews:
- Often result in taking corrective action
- Require an information system (an AIS in particular) that records and stores information about standards and actual outcomes
- Require reports that allow for meaningful analysis of actual results

53 Control Activities
Performance reviews and master records are related in two ways:
- Planned standards and budget figures (reference data) are typically recorded during file maintenance activities in master records
- Summary data stored in master records are often used to implement corrective action
Summary fields in master records can also help in reviewing performance

54 KEY TERMS
Application controls, Control activities, Control environment, Execution risk, General controls, Information system risks, Input controls

55 KEY TERMS
Internal controls, Performance reviews, Recording risks, Risk assessment, Segregation of duties, Update risks, Workflow controls

