Chapter 4 Internal Controls McGraw-Hill/Irwin


1 Chapter 4 Internal Controls McGraw-Hill/Irwin
Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved.

2 Outline
Objectives
Definition of internal control
Internal control purposes
Risk exposures
COSO frameworks
Examples

3 Objectives
When you finish this chapter, you should be able to:
Define “internal control” and explain its importance in the accounting information system
Explain the basic purposes of internal control
Describe and give examples of various kinds of risk exposures
Conduct a comprehensive risk assessment
Summarize and explain the importance of the COSO documents on internal control
Critique existing internal control systems and design effective internal controls

4 Definition of internal control
Most definitions of internal control contain four common elements:
Internal control is a process
Internal controls are designed to provide reasonable assurance
Internal control necessarily involves people in the organization
Internal controls provide that reasonable assurance in a few common areas

5 Internal control purposes
Broadly speaking, internal controls should help organizations:
Safeguard their assets
Ensure the reliability of financial statements
Promote operating efficiency
Encourage compliance with management’s directives

6 Risk exposures
One good way to start designing internal controls is to think about an organization’s risks. Among the many good ways to think about risk is Brown’s taxonomy.

7 Risk exposures
Operational risk
  Systems risk: related to information technology
  Human error risk: people in the organization might make mistakes
Financial risk
  Market risk: changes in stock prices, investment values, interest rates
  Credit risk: customers’ unwillingness or inability to pay their debts
  Liquidity risk: insufficient cash to pay debts

8 Risk exposures
Hazard risk
  Officers’ and directors’ liability: people might break laws, resulting in personal penalties
Strategic risks
  Legal and regulatory risk: people might break laws, resulting in penalties for the organization
  Business strategy risk: poor decision making related to market competition

9 COSO frameworks
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed frameworks related to internal control (1985) and enterprise risk management (2004).

10 COSO frameworks: Internal Control: Integrated Framework
Control environment: the tone at the top
Risk assessment: using a taxonomy to identify organizational risks
Control activities: actual responses to risk
  Preventive, detective, corrective
  General, application
Information and communication: keeping people informed
Monitoring: periodic reviews and updates
In 2006, COSO published “Internal Control over Financial Reporting—Guidance for Smaller Public Companies” to provide suggestions for implementing Internal Control: Integrated Framework.

11 COSO frameworks: Enterprise Risk Management: Integrated Framework
Internal environment: tone at the top
Objective setting: organizational goals
  Strategic
  Reporting
  Operations
  Compliance
Event identification: what can happen that may impede goals
  Internal
  External
Risk assessment: likelihood and impact
  Inherent
  Residual

12 COSO frameworks: Enterprise Risk Management: Integrated Framework (continued)
Risk response: generic ways to deal with risk
  Avoid
  Accept
  Reduce
  Share
Control activities: specific procedures for responding to risk
Information and communication: keep people informed about what’s happening with risk and the plan
Monitoring: ongoing activities and/or separate evaluations that ensure the plan is updated as needed

13 Examples
Although every organization’s approach to internal control is slightly different, certain controls are common in many organizations. The following slides contain some examples.

14 Examples
Adequate documentation
Background checks
Back-up computer files
Back-up power supplies
Bank reconciliation
Batch control totals
Data encryption
Document matching
Edit checks

15 Examples
Firewalls
Insurance and bonding
Internal audits
Limit checks
Lockbox systems
Physical security
Preformatted data entry screens
Prenumbered documents
Restrictive endorsements of checks

16 Examples
Daily deposit of cash receipts
Segregation of duties
User training
All internal controls have associated costs—financial, operational and behavioral. The key is ensuring that the benefits outweigh the costs.

17 Why do we need controls?
(1) To provide reasonable assurance that the goals of each business process are being achieved
(2) To mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts)
(3) To provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations

18 Components of Enterprise Risk Management
Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

19 Components of Enterprise Risk Management (Continued)
Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

20 Risk vs. Exposure
1. Estimate the annual dollar loss that would occur (i.e., the impact) should a costly event, say a destructive fire, take place. For argument’s sake, say that the estimated loss is –$1,000,000.
2. Estimate the annual probability that the event will occur (i.e., the likelihood). Suppose the estimate is 5 percent.
3. Multiply item 1 by item 2 to get an initial expected gross risk (loss) of –$50,000 (–$1,000,000 × 0.05). This is the maximum amount, or upper limit, that should be paid for controls and the related risk reduction offered by such controls in a given year.
Next, we illustrate a recommendation plan using one corrective control, a fire insurance policy, and one preventive control, a sprinkler system. Assume that the company would pay $1,000 annually (cost of control) for a $20,000 fire insurance policy (reduced risk exposure due to control). The estimated monetary damage remains at $1 million and the expected gross risk (loss) remains at –$50,000, because there is still a 5 percent chance that a fire could occur. But the company’s residual expected risk exposure is now –$31,000 [–$50,000 + ($20,000 – $1,000)]: the expected loss is reduced by the amount of the insurance policy, less the cost of the policy.

21 Risk vs. Exposure (Cont.)
Next, you recommend that the company install a sprinkler system with a 5-year annualized cost (net present value) of $10,000 each year to install and maintain (cost of control). At this point you might be tempted to say that the company’s residual expected risk just increased to –$41,000 (–$31,000 – $10,000), but wait! The sprinkler system lowered the likelihood of a damaging fire from 5 to 2 percent. In conjunction with this lower probability, the insurance company agreed to increase its coverage to $30,000 while holding the annual premium constant at $1,000. Thus, the residual expected risk exposure is –$1,000, calculated as follows:
Expected gross risk (–$20,000, or –$1,000,000 × 0.02) plus the insurance policy ($30,000) equals a gain of $10,000;
subtract the insurance premium ($1,000) and the sprinkler system ($10,000), leaving the residual expected risk at –$1,000.
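The two slides above walk one fire scenario through the expected-loss arithmetic by hand. The following Python is an added example, not code from the slides or from the textbook: it generalizes the same arithmetic to any list of controls, distinguishing corrective controls (which recover money when the event happens) from preventive controls (which lower the likelihood), and reproduces each figure on the slides, including the tempting –$41,000 that ignores the sprinkler system’s effect on likelihood. The `Control` type, its field names and the `fire_plan` helper are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed example: the Control type and the fire-plan figures below are
# assumptions used to reproduce the slide's arithmetic, not code from the text.


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                      # cost of the control per year
    coverage: float = 0.0                   # amount recovered if the event occurs (corrective control)
    new_likelihood: Optional[float] = None  # reduced event probability (preventive control)


def expected_gross_loss(impact: float, likelihood: float) -> float:
    """Steps 1-3 of the slide: annual impact x annual likelihood, as a negative amount.
    Its magnitude is the upper limit worth spending on controls in a given year."""
    return round(-impact * likelihood, 2)


def residual_exposure(impact: float, likelihood: float, controls: Sequence[Control]) -> float:
    """Residual expected risk = gross loss at the reduced likelihood
    + coverage recovered from corrective controls - cost of every control."""
    candidates = [likelihood] + [c.new_likelihood for c in controls if c.new_likelihood is not None]
    gross = expected_gross_loss(impact, min(candidates))
    recovered = sum(c.coverage for c in controls)
    spent = sum(c.annual_cost for c in controls)
    return round(gross + recovered - spent, 2)


def within_control_budget(impact: float, likelihood: float, controls: Sequence[Control]) -> bool:
    """The slide's rule: never pay more for controls than the gross expected loss they address."""
    return sum(c.annual_cost for c in controls) <= -expected_gross_loss(impact, likelihood)


def fire_plan() -> dict:
    """The slide's fire scenario, stage by stage."""
    impact, p = 1_000_000, 0.05
    insurance = Control("fire insurance", annual_cost=1_000, coverage=20_000)
    sprinklers = Control("sprinkler system", annual_cost=10_000, new_likelihood=0.02)
    # After the sprinklers go in, the insurer raises coverage to $30,000 at the same premium.
    upgraded = Control("fire insurance (after sprinklers)", annual_cost=1_000, coverage=30_000)
    cost_only = Control("sprinklers (cost only, likelihood ignored)", annual_cost=10_000)
    return {
        "gross": expected_gross_loss(impact, p),
        "with_insurance": residual_exposure(impact, p, [insurance]),
        # The tempting but wrong figure: adding the sprinkler cost without its effect on likelihood.
        "naive_with_sprinklers": residual_exposure(impact, p, [insurance, cost_only]),
        "with_both": residual_exposure(impact, p, [upgraded, sprinklers]),
        "budget_ok": within_control_budget(impact, p, [upgraded, sprinklers]),
    }


if __name__ == "__main__":
    for stage, value in fire_plan().items():
        print(f"{stage:>22}: {value}")
```

Running it prints –50,000, –31,000, –41,000 and –1,000 for the four stages. Note that the slides credit the full face value of the policy against the expected loss; a stricter model would weight the payout by the likelihood of the fire, and the `coverage` term is where that change would go.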

22 Recent Internal Control Legislation
Sarbanes-Oxley Act (SOA) of 2002:
Created the Public Company Accounting Oversight Board (PCAOB)
Increased accountability for company officers and board of directors
Increased white collar crime penalties
Prohibits audit firms from providing design and implementation of financial information systems

23 Sarbanes-Oxley Act of 2002 (SOA)
Section 302—CEOs and CFOs must certify quarterly and annual financial statements
Section 404—Mandates that the annual report filed with the SEC include an internal control report

24 Outline of SOA 2002

25 Definition of Internal Control
From SAS 78 (1995), which adopted the COSO (Committee of Sponsoring Organizations) definition:
INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

26 General Control Model

27 Five Interrelated Components of Internal Control
1. Control environment - tone at the top
2. Risk assessment - identification and analysis of risks
3. Control activities - policies and procedures
4. Information and communication - processing of information in a form and time frame that enables people to do their jobs
5. Monitoring - a process that assesses the quality of internal control over time

28 COSO Report, SOX Act, and SAS 94
In the section addressing implementation of Sarbanes-Oxley Act section 404, the SEC used the COSO description of internal control. It went on to say that management must base its evaluation of the effectiveness of its internal control system on a framework such as COSO.
The COSO report stresses that internal control is a process.
A complementary perspective on internal control is found in Statement on Auditing Standards (SAS) 94, entitled “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.” This standard guides auditors in understanding the impact of IT on internal control and assessing IT-related control risks.
Further, SAS 94 highlights how IT can be used to strengthen internal control, while at the same time emphasizing how IT can actually weaken some controls.


30 Business Process Control Goals
In 1996 ISACA (Information Systems Audit and Control Association) issued COBIT (Control Objectives for Information and Related Technology), which contains 34 IT processes on pervasive and general controls.

31 Business Process Control Goals
Control goals - ends to be obtained
Control goals of operations processes
Control goals of information processes

32 Control Goals of the Operations Process
Ensure effectiveness of operations
Ensure efficient employment of resources
Ensure security of resources

33 Control Goals of Operations Process
Ensure effectiveness of operations: a measure of success in meeting one or more operations process goals, which reflect the criteria used to judge the effectiveness of various business processes
  Ex. Deposit cash receipts on the day received
Ensure efficient employment of resources: a measure of the productivity of the resources applied to achieve a set of goals
  Ex. What is the cost of people, computers, and other resources to deposit cash on the day received?
Ensure security of resources: protecting an organization’s resources from loss, destruction, disclosure, copying, sale, or other misuse
  Ex. Are cash and information resources available when required? Are they put to authorized use?

34 Control Goals of the Information Process
For business event inputs, ensure:
  Input validity
  Input completeness
  Input accuracy
For master data, ensure:
  Update completeness
  Update accuracy

35 Control Goals of Information Process
Input validity: input data are approved and represent actual economic events and objects
  Ex. Are all cash receipts input into the process supported by customer payments?
Input completeness: requires that all valid events or objects be captured and entered into the system
  Ex. Are all valid customer payments captured on a customer remittance advice (RA) and entered into the process?
Input accuracy (correct data entered correctly): requires that events be correctly captured and entered into the system
  Ex. Are the correct payment amount and customer number on the RA?
  Ex. Are the correct payment amount and customer number keyed into the system?

36 Control Goals of Information Process
Update completeness: requires that all events entered into the computer are reflected in their respective master data
  Ex. Are all input cash receipts recorded in the AR master data?
Update accuracy: requires that data entered into a computer are reflected correctly in their respective master data
  Ex. Are all input cash receipts correctly recorded in the AR master data?
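Slides 34 to 36 name the five information-process control goals (IV, IC, IA, UC, UA) and ask a question for each; the following Python is an added example, not code from the slides or the textbook, showing how those questions become automated detective controls over a batch of remittance advices. It uses the controls listed on slides 14 and 15 (batch control totals, edit checks, limit checks, prenumbered documents) and a run-to-run comparison of the AR master data before and after posting. The record types, the customer master, the keyed batch and its independently prepared header are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed illustration: the records, master data and limits below are
# invented for this example, not taken from the slides.


@dataclass(frozen=True)
class RemittanceAdvice:
    ra_number: int        # prenumbered document
    customer_id: str
    amount_cents: int


@dataclass(frozen=True)
class BatchHeader:
    """Control totals prepared independently (e.g. in the mailroom) before keying."""
    record_count: int
    amount_total_cents: int
    customer_hash_total: int   # sum of the numeric parts of the customer ids (a hash total)


CUSTOMER_ID_RE = re.compile(r"^C(\d{3})$")
MAX_SINGLE_RECEIPT_CENTS = 10_000_000   # limit check: $100,000 per RA (constructed)


def _id_digits(customer_id):
    m = CUSTOMER_ID_RE.match(customer_id)
    return int(m.group(1)) if m else 0


def validate_inputs(batch, header, customer_master):
    """Input validity (IV), completeness (IC) and accuracy (IA) checks.
    Returns (accepted records, findings as (goal code, message))."""
    findings = []
    # IC: the keyed batch must agree with the independently prepared control totals,
    # and the prenumbered RAs must show no gaps.
    if len(batch) != header.record_count:
        findings.append(("IC", f"record count {len(batch)} != header {header.record_count}"))
    if sum(r.amount_cents for r in batch) != header.amount_total_cents:
        findings.append(("IC", "amount total does not agree with batch header"))
    if sum(_id_digits(r.customer_id) for r in batch) != header.customer_hash_total:
        findings.append(("IC", "customer hash total does not agree with batch header"))
    numbers = sorted(r.ra_number for r in batch)
    for missing in sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers)) if numbers else []:
        findings.append(("IC", f"RA {missing} missing from sequence"))
    accepted, seen = [], set()
    for r in batch:
        ok = True
        # IV: the receipt must belong to a real customer and not be a duplicate document.
        if r.customer_id not in customer_master:
            findings.append(("IV", f"RA {r.ra_number}: unknown customer {r.customer_id}")); ok = False
        if r.ra_number in seen:
            findings.append(("IV", f"RA {r.ra_number}: duplicate document number")); ok = False
        seen.add(r.ra_number)
        # IA: edit check on the id format and limit check on the amount.
        if not CUSTOMER_ID_RE.match(r.customer_id):
            findings.append(("IA", f"RA {r.ra_number}: malformed customer id")); ok = False
        if not 0 < r.amount_cents <= MAX_SINGLE_RECEIPT_CENTS:
            findings.append(("IA", f"RA {r.ra_number}: amount {r.amount_cents} fails limit check")); ok = False
        if ok:
            accepted.append(r)
    return accepted, findings


def post_to_ar(accepted, ar_master):
    """Reduce each customer's AR balance; returns a new master, leaving the old one intact."""
    after = dict(ar_master)
    for r in accepted:
        after[r.customer_id] = after.get(r.customer_id, 0) - r.amount_cents
    return after


def reconcile_update(accepted, ar_before, ar_after):
    """Update completeness (UC) and accuracy (UA): compare the per-customer change in AR
    with the accepted receipts, a run-to-run control over the master data."""
    findings, expected = [], defaultdict(int)
    for r in accepted:
        expected[r.customer_id] += r.amount_cents
    for cust, exp_change in expected.items():
        actual = ar_before.get(cust, 0) - ar_after.get(cust, 0)
        if actual == 0:
            findings.append(("UC", f"{cust}: receipts totalling {exp_change} not reflected in AR"))
        elif actual != exp_change:
            findings.append(("UA", f"{cust}: AR reduced by {actual}, receipts total {exp_change}"))
    for cust in set(ar_before) | set(ar_after):   # balances that moved with no receipt behind them
        if cust not in expected and ar_before.get(cust, 0) != ar_after.get(cust, 0):
            findings.append(("UA", f"{cust}: AR changed with no accepted receipt"))
    return findings


CUSTOMER_MASTER = {"C100", "C200", "C300"}
AR_BEFORE = {"C100": 100_000, "C200": 50_000, "C300": 2_000}
HEADER = BatchHeader(record_count=5, amount_total_cents=431_550, customer_hash_total=1_899)
KEYED_BATCH = [                                   # constructed batch with deliberate defects
    RemittanceAdvice(1001, "C100", 25_000),
    RemittanceAdvice(1002, "C200", -1_250),       # sign keyed wrong
    RemittanceAdvice(1003, "C999", 400_000),      # customer not on the master file
    RemittanceAdvice(1005, "C300", 300),          # RA 1004 was lost before keying
]


def run_demo():
    accepted, input_findings = validate_inputs(KEYED_BATCH, HEADER, CUSTOMER_MASTER)
    ar_after = post_to_ar(accepted, AR_BEFORE)
    return accepted, input_findings, reconcile_update(accepted, AR_BEFORE, ar_after)


if __name__ == "__main__":
    acc, inp, upd = run_demo()
    for code, msg in inp + upd:
        print(code, msg)
    print("accepted:", [r.ra_number for r in acc])
```

The constructed batch trips four IC findings (count, amount total, hash total and the gap at RA 1004), one IV finding (customer C999) and one IA finding (the negative amount), and only RAs 1001 and 1005 are posted; the run-to-run reconciliation then finds nothing because posting was correct. Feeding `reconcile_update` an AR master in which one posting was skipped or miskeyed yields a UC or UA finding respectively, which is exactly the question slide 36 asks.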

37 Business Process Control Plans
Business process control plans reflect information processing policies and procedures that assist in accomplishing control goals.
The control environment: the fact that the control environment appears at the top of the hierarchy illustrates that it comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.
Pervasive control plans also relate to a multitude of goals and processes. Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate. They are broad in scope and apply equally to all business processes; hence they pervade all systems.
Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.

38 Control Goals for the Cash Receipts Process
Control Goals of the Lenox Cash Receipts Business Process
Control goals of the operations process:
  Ensure effectiveness of operations (goals A and B)
  Ensure efficient employment of resources (e.g., people and computers)
  Ensure security of resources (e.g., checks and AR master data)
Control goals of the information process:
  For the remittance advice inputs, ensure: IV, IC, IA
  For the AR master data, ensure: UC, UA
Effectiveness goals include:
  A – Timely deposit of checks
  B – Comply with compensating balance agreements with the depository bank
IV = Input validity, IC = Input completeness, IA = Input accuracy, UC = Update completeness, UA = Update accuracy

39 Fraud and its Relationship to Control
Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
Management is charged with responsibility to prevent and/or disclose fraud
Control systems enable management to do this job
Management is responsible for providing an internal control system per the Foreign Corrupt Practices Act of 1977
Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud
Instances of fraud undermine management’s ability to convince various authorities that it is upholding its stewardship responsibility

40 SAS 99
The accounting profession too has been proactive in dealing with corporate fraud, as it has launched an anti-fraud program. One of the manifestations of this initiative is Statement on Auditing Standards (SAS) Number 99, entitled Consideration of Fraud in a Financial Statement Audit. SAS 99 has the same title as its predecessor, SAS 82, but the new standard is much more encompassing than the old. For instance, SAS 99 emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls.

41 E&Y Fraud Survey
About 85% of fraud is committed by company insiders
About 55% of perpetrators were management employees
More fraud in less-developed countries
About 40% of frauds are known to the public, 20% are kept confidential, and the other 40% are not yet discovered
Best prevention is internal control, management reviews, and internal audits
The #1 fraud worry to executives is asset misappropriation
The #2 fraud worry to executives is computer crime
Most organizations now have formal fraud prevention policies, including codes of corporate governance and employee conduct
Most useful fraud prevention techniques are internal controls, management reviews, and internal audits

42 Ethics and Controls
COSO report stresses ethics as part of the control environment (tone at the top)
AICPA has built ethics issues into the CPA exam
The Institute of Management Accountants has a code of ethics, which is also tested on both the CMA and CFM exams
Internal Auditing has ethics articles
Many corporations have developed Codes of Conduct

43 Other Classifications of Control Plans
Preventive controls: the issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
Detective controls: the issue is discovered – an unauthorized disbursement is discovered during reconciliation
Corrective controls: the issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data

44 Key Points of Internal Controls
A system of internal control is not an end in itself. Rather, it is a means to an end—the end of attaining process objectives.
Internal control itself is a system.
Establishing a viable internal control system is management’s responsibility.
The strength of any internal control system is largely a function of the people who operate it.
Internal control cannot be expected to provide absolute, 100% assurance that the organization will reach its objectives. Rather, the operative phrase is that it should provide reasonable assurance.
Internal control is not free; controls should be built in and cost effective.

45 Control Activities Within an Internal Control System
A good audit trail
Sound personnel policies and competent employees
Separation of duties
Physical protection of assets
Internal reviews of controls by the internal audit subsystem
Timely performance reports

46 Good Audit Trail
An audit trail enables auditors and accountants within the organization to follow the path of transaction data from the initial source documents to the final disposition in a financial report and vice versa. Without a good audit trail, it is more likely that errors and irregularities in processing data will not be detected.

47 Sound Personnel Policies and Competent Employees
Examples of sound personnel policies are:
Specific hiring procedures
Training programs
Good supervision
Fair and equitable guidelines for employees’ salary increases
Rotation of certain key employees in different jobs
Enforced vacations
Insurance coverage on those employees who handle liquid assets
Regular performance reviews

48 Separation of Duties
Segregating the activities and responsibilities of a company’s employees allows different people to perform the various tasks of a specific transaction. The main functions that should be kept separate are custody of assets, recording transactions, and authorizing transactions.

49 Physical Protection of Assets
Keeping a company’s assets in a safe physical location minimizes the risk of damage to the assets or theft by employees or outsiders. A voucher system is an example of an accounting control procedure that protects against unauthorized cash disbursements. A petty cash fund may be used for small expenditures where writing a check would be inefficient.

50 Internal Reviews of Controls by Internal Audit Subsystem
Internal audit is a service function within many large companies. As a separate subsystem, internal auditors report to high-level management or to the board of directors in order to remain independent and objective. They perform periodic reviews, called operational audits, on each department within the organization in order to evaluate the efficiency and effectiveness of that particular department.

51 Timely Performance Reports
Performance reports provide information to management on how efficiently and effectively its company’s internal controls are functioning. These reports should provide timely feedback to management on the success or failure of the company’s internal controls.
