Chapter 6 - Control and AIS


Learning Objectives
- Define internal control
- Explain the basic control concepts
- Describe the COSO, COBIT, & ERM models
- Describe the major internal environment elements
- Describe the major control objectives
- Explain uncertainty, risk assessment, & response
- Describe control activities
- Describe communication and monitoring

Terminology
- Threat:
- Exposure:
- Risk:

Threats to AIS
- Natural & political disasters
- Software & equipment malfunctions
- Unintentional acts
- Intentional acts

Factors That Exacerbate AIS Threats
- Computer proliferation
- Control issues underestimated
- Data security not viewed as essential
- Underestimated risk of loss of information
- Misunderstood control implications of moving from stand-alone to interconnected systems
- Productivity and cost pressures

Internal Control Defined
Implemented by the board of directors, management, and those under their direction to provide reasonable assurance that these control objectives are met:
- Safeguarding assets
- Maintaining records that accurately and fairly represent the organization's assets
- Providing accurate and reliable information
- Providing reasonable assurance that records are maintained according to GAAP
- Promoting operational efficiency
- Encouraging adherence to managerial policies
- Complying with applicable laws and regulations

Components of the Internal Control System
- People
- Policies
- Practices
- Procedures

Modifying Assumptions
- Management responsibility: establishment and maintenance of the internal control system is the responsibility of management
- Reasonable assurance that the basic internal control objectives are met
  - No internal control system is perfect
  - Benefit should be greater than the cost
- Data processing methods: meeting the objectives should not depend on the data processing method

Limitations
Every internal control system is limited by:
- Error
- Circumvention
- Management override
- Changing conditions

Internal Control is Required by Law
- Securities and Exchange Commission maintains that
  - management should provide reasonable assurance that control is adequate
  - management should provide timely, reliable financial information
  - a system of internal controls is necessary to discharge these obligations
- Foreign Corrupt Practices Act (1977) requires that SEC registrants
  - keep records that fairly and reasonably reflect the transactions of the firm and its financial position
  - maintain a system of internal controls that provides reasonable assurance that the organization's objectives are met
- Sarbanes-Oxley Act (2002): see next slide

Sarbanes-Oxley Act of 2002
- Applies to SEC registrants
- Form 10-K (annual) must include
  - Management's annual report on internal control over financial reporting
    - Statement of management's responsibility for internal control
    - Identification of framework used to evaluate internal control (e.g., COSO model of internal control)
    - Assessment and statement of effectiveness of internal control
    - Statement that the public accounting firm auditing the F/S has issued an attestation report on management's assessment of internal control
  - CPA firm's attestation report on management's assertion about internal control (i.e., must audit the internal control report as well as the financial reports)
  - Changes in internal control
  - Material weaknesses in internal control must be reported

Material Weaknesses
- A material weakness is any single significant deficiency or aggregation of significant deficiencies that precludes internal control from providing reasonable assurance that material misstatements in the financial statements will be prevented or detected on a timely basis by employees in the normal course of performing their assigned functions
- A significant deficiency is an internal control deficiency, or combination of deficiencies, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the registrant's financial reporting

Types of Controls
- Preventive controls: an ounce of prevention is worth a pound of cure
- Detective controls: you can't prevent everything
- Corrective controls: if it's broke, fix it

Preventive Controls
- First line of defense
- Reduce frequency of occurrence of undesirable events
- Screen out undesirable events by forcing compliance with prescribed actions
- Example: well designed source documents/screens prevent omission of essential data

Detective Controls
- Second line of defense
- Devices, techniques, and procedures designed to identify and expose undesirable events that elude __________________
- Reveal errors by comparing actual occurrences with __________________
- Examples

Corrective Controls
- Actions taken to reverse the effects of errors identified by ________________
- What is the difference between the second line of defense and corrective controls?
- Examples

Levels of Control
[Figure: undesirable events pass through successive layers of preventive, detective, and corrective controls]

Committee of Sponsoring Organizations of the Treadway Commission (1985)
- Private sector group
  - American Accounting Association
  - AICPA
  - Institute of Internal Auditors
  - Institute of Management Accountants
  - Financial Executives Institute
- Primary charge was to identify factors that could lead to fraudulent financial reporting
- Expanded to include improving financial reporting quality
- Provided guidance on internal control evaluation

COSO Internal Control Model
Five interrelated components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

COSO Internal Control Model: Control Environment
- Integrity & Ethical Values
  - The standard of conduct for financial reporting
  - Particularly of top management
- Importance of Board of Directors
  - Understand and exercise oversight responsibility related to financial reporting and internal controls
- Management Philosophy & Operating Style
  - Supports achieving effective internal control over financial reporting

COSO Internal Control Model: Control Environment (continued)
- Organizational Structure
  - Supports achieving effective internal control over financial reporting
- Commitment to Financial Reporting Competencies
  - Organization retains individuals competent in financial reporting and related oversight roles
- Authority & Responsibility
  - Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective control over financial reporting
- Human Resources
  - Human resources policies and practices are designed and implemented to facilitate effective control over financial reporting

COSO Internal Control Model: Control Activities
- Elements of a Control Activity
  - Policies and procedures enable management directives to be carried out
  - Established and communicated throughout all levels of the organization
- Control Activities Linked to Risk Assessment
  - Actions are taken to address risks to the achievement of financial reporting objectives
- Selection & Development of Control Activities
  - Based on cost and potential effectiveness in mitigating risks to the achievement of financial reporting objectives
- Information Technology
  - Designed and implemented to support the achievement of financial reporting objectives

COSO Internal Control Model: Information & Communication
- Information Needs
  - Information is identified, captured, and used at all levels
  - To support the achievement of financial reporting objectives
- Information Control
  - Information is identified, captured, processed, and distributed
  - Within parameters established within the control process
  - To support the achievement of financial reporting objectives
- Management Communication
  - All personnel, particularly those in financial reporting roles, receive a clear message from top management that both internal control over financial reporting and individual control responsibilities must be taken seriously

COSO Internal Control Model: Information & Communication (continued)
- Upstream Communication
  - Personnel have an effective and non-retributive method to communicate significant information upstream to higher management
- Board Communication
  - Communication exists between management and the board
  - So that both have relevant information
  - To fulfill their roles with respect to governance and financial reporting
- Communication with Outside Parties
  - Matters affecting the achievement of financial reporting objectives are communicated with outside parties

COSO Internal Control Model: Monitoring
- Ongoing Monitoring
  - Processes to enable management to determine whether internal control over financial reporting is present and functioning
- Separate Evaluations
  - Separate evaluations of all five internal control components enable management to determine the effectiveness of internal control over financial reporting
- Reporting Deficiencies
  - Internal control deficiencies are identified and communicated in a timely manner to those responsible for corrective actions and to the board

COSO Internal Control Model: Roles & Responsibilities
- Management Roles
  - Exercises ownership of and responsibility for internal controls over financial reporting
- Board & Audit Committee
  - Performs oversight responsibilities for achievement of effective internal control over financial reporting
- Other Personnel
  - All personnel accept responsibility for actions that directly or indirectly affect financial reporting

ERM Framework
[Figure: the ERM framework; the internal environment is the most important ERM component]

Elements of the Internal Environment
- Management philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Procedures for assigning responsibility and authority
- Human resources policies and practices
- External influences

Objective Setting
- Strategic: lay the foundation
- Operating
- Reporting
- Compliance

Event Identification
- Events
  - Affect strategy implementation
  - Affect achievement of objectives
  - Emanate from internal or external sources
- Examples
  - Natural disasters
  - Expropriation
  - Terrorism
  - Availability of labor & labor strife
  - New technology
  - New laws and regulations
  - Election of new government officials with new political agendas
  - See table 6-2 for more examples

Risk Assessment
- Types of risk
  - Inherent: exists before internal controls are implemented
  - Residual: remains after internal controls are implemented
- Four possible risk responses
  - Reduce
  - Accept
  - Share
  - Avoid

Risk Assessment & Response
[Figure: risk assessment and response]

Control Activities
- Authorization of transactions and activities
  - General
  - Specific
- Segregation of duties
  - Transaction authorization
  - Recording
  - Custody
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent verification
- Project development and acquisition controls
- Change management controls

Segregation of Duties
- Transaction authorization separate from the processing, e.g.:
  - Inventory control requests inventory acquisition
  - Purchasing initiates the purchase
- Custody of assets separate from the record keeping, e.g.:
  - The warehouse has physical custody of inventory
  - Inventory control and cost accounting maintain inventory records
- Successful fraud requires collusion by two or more individuals
- Separate computer activities
  - Program development
  - Program operations
  - Program maintenance

Information and Communication
- An effective accounting information system will
  - Identify and record all transactions
  - Accurately measure the financial value of transactions
  - Accurately record transactions in the time period in which they occurred
- SAS 78 requires auditors to understand
  - Classes of transactions material to the financial statements
  - Accounts and accounting records used to process transactions
  - Transaction processing steps
  - Financial report preparation processing steps

Monitoring
- Implement effective supervision
- Use responsibility accounting
  - Budgets
  - Standard costs
  - Performance reports
  - Financial analysis
  - Etc.
- Monitor system activities
  - Usage log
  - Detect and investigate unauthorized system entry
- Conduct internal and external audits
- Employ forensic accounting specialists
- Etc.

Supervision
- Employ trustworthy and competent personnel
- Supervision must be more elaborate in IT systems
  - High turnover
  - Rapid changes in technology
  - Direct unrestricted access to programs and data
  - Activities not well understood by management
  - Activities not readily visible by direct observation

Access Control
- Physical access
  - Fences
  - Safes
  - Electronic access systems
- Separation of IT activities
- Physical protection from natural disasters
- Data access restrictions
- Backup
- Record access

Independent Verification
- After-the-fact assessment of
  - Personnel performance
  - Transaction processing integrity
  - Data accuracy
- Timing
  - Depends on technology and the task
  - Constantly, hourly, daily, weekly, monthly
- Examples
  - Reconciling bank statements
  - Comparing physical assets with accounting records
  - Reconciling subsidiary accounts with control accounts
  - Reviewing management reports/financial analysis
- IT systems can perform some verification automatically

COBIT Model
- Control Objectives for Information and Related Technology
- Developed by the Information Systems Audit & Control Association & Foundation (ISACA)
- Provides IT security and control practice standards
- Similar to COSO, but for IT activities
- Presents control issues from three perspectives
  - Business objectives
  - Information technology resources
  - Information technology processes
- Groups IT processes into 5 domains of knowledge
  - Plan & organize
  - Acquire & implement
  - Manage IT investment
  - Deliver & support
  - Monitor and evaluate

COBIT Defines 34 Broad Control Objectives
- COBIT identifies how each control activity
  - Satisfies information requirements
  - Affects information technology resources
  - Supports business processes
- The objectives are expected to provide reasonable assurance of control
- Selected objectives are shown on the next several slides

Selected COBIT Objectives
General control / Objective (reasonable assurance):
- Acquire and develop applications and system software / Applications and systems software that effectively support financial reporting requirements
- Acquire technology infrastructure / Technology infrastructure that provides appropriate platforms to support financial reporting applications
- Develop and maintain policies and procedures / Policies and procedures have been developed and maintained that define the acquisition and maintenance processes and the documentation required to support the proper use of applications & technological solutions
- Install and test application software and technology infrastructure / Systems are appropriately tested and validated prior to being put into operation to determine that financial reporting is supported and controls operate as intended
- Manage change / System changes of financial reporting significance are authorized and tested before being put into operation
Source: Risks, Controls, and Security by Raval & Fichadia (2007)

Selected COBIT Objectives (cont.)
General control / Objective (reasonable assurance):
- Define and manage service levels / Service levels are defined and managed in a manner that satisfies financial reporting requirements and provides a common understanding of the performance levels with which service quality will be measured
- Manage third party services / Third party services are secure, accurate, and available; support processing integrity; and are defined appropriately in performance contracts
- Ensure systems security / Financial reporting systems are secured to prevent unauthorized use, disclosure, modification, damage, or loss of data
- Manage the configuration / IT components are well protected against unauthorized changes
- Manage problems and incidents / Problems and/or incidents are properly responded to, recorded, investigated, and resolved

Selected COBIT Objectives (cont.)
General control / Objective (reasonable assurance):
- Manage data / Data recorded, processed, and reported remain complete, accurate, and valid throughout the update and storage process
- Manage third party services / Authorized programs are executed as planned and deviations from scheduled processing are identified and investigated, including controls over job scheduling, processing, error monitoring, and system availability

END OF CHAPTER 6
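The Segregation of Duties slide states the rule (authorization, recording and custody of assets held by different people; program development, operations and maintenance separated) but not how an AIS would check it. The following added example, which is not part of the lecture slides, runs that check over a constructed purchase-order event log and a constructed IT role table; every event, user and role name below is made up for illustration.

```python
"""Segregation-of-duties (SoD) check over a constructed transaction log.

Added example, not from the chapter slides. It encodes two rules from the
Segregation of Duties slide:
  1. transaction authorization, record keeping and custody of assets must be
     performed by different individuals (so fraud needs collusion);
  2. program development, program operations and program maintenance must be
     held by different IT staff.
All events, users and roles are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# The three transaction duties that must never sit with one person.
INCOMPATIBLE_DUTIES = {"authorization", "recording", "custody"}

# Constructed sample events: (transaction_id, duty, user).
EVENTS = [
    ("PO-1001", "authorization", "inventory_control.alice"),
    ("PO-1001", "recording", "cost_accounting.bob"),
    ("PO-1001", "custody", "warehouse.carol"),
    ("PO-1002", "authorization", "purchasing.dave"),
    ("PO-1002", "recording", "purchasing.dave"),     # dave authorizes AND records
    ("PO-1002", "custody", "warehouse.carol"),
    ("PO-1003", "authorization", "inventory_control.alice"),
    ("PO-1003", "recording", "cost_accounting.bob"),
    ("PO-1003", "custody", "cost_accounting.bob"),   # bob records AND holds custody
]

# Pairs of IT activities the slide says must be separated.
IT_ROLE_CONFLICTS = {
    frozenset({"program_development", "program_operations"}),
    frozenset({"program_development", "program_maintenance"}),
    frozenset({"program_operations", "program_maintenance"}),
}

# Constructed role assignments for IT staff.
USER_ROLES = {
    "erin": {"program_development"},
    "frank": {"program_operations", "program_maintenance"},   # conflict
    "grace": {"program_maintenance"},
}


def sod_violations(events):
    """Return (transaction_id, user, frozenset(duties)) for every user who
    performed two or more incompatible duties on the same transaction."""
    duties_by_txn_user = defaultdict(set)
    for txn_id, duty, user in events:
        if duty not in INCOMPATIBLE_DUTIES:
            raise ValueError(f"unknown duty {duty!r}")
        duties_by_txn_user[(txn_id, user)].add(duty)
    return [
        (txn_id, user, frozenset(duties))
        for (txn_id, user), duties in sorted(duties_by_txn_user.items())
        if len(duties) > 1
    ]


def conflicting_it_roles(user_roles):
    """Return (user, (role_a, role_b)) for every incompatible pair of IT
    roles assigned to one person. Static check on the role table, so it
    catches the conflict before any change reaches production."""
    conflicts = []
    for user, roles in sorted(user_roles.items()):
        for pair in combinations(sorted(roles), 2):
            if frozenset(pair) in IT_ROLE_CONFLICTS:
                conflicts.append((user, pair))
    return conflicts


if __name__ == "__main__":
    for txn_id, user, duties in sod_violations(EVENTS):
        print(f"SoD violation on {txn_id}: {user} performed {sorted(duties)}")
    for user, pair in conflicting_it_roles(USER_ROLES):
        print(f"Role conflict: {user} holds {pair[0]} and {pair[1]}")
```

The transaction check is a detective control (it finds a violation after the events are logged); the role-table check is preventive, because it can be run before an assignment is granted. Both report only the combinations the slide names, so a user who legitimately performs one duty on many transactions is never flagged.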
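The Independent Verification slide lists reconciling subsidiary accounts with control accounts and comparing physical assets with accounting records, and notes that IT systems can perform some of this verification automatically. The added example below, which is not part of the lecture slides, automates those two comparisons over constructed ledger and inventory data; the balances, customer ids and SKUs are invented for illustration.

```python
"""Automated independent verification: two after-the-fact checks from the
Independent Verification slide. Added example, not from the chapter slides;
all balances, customer ids and SKUs are constructed sample data.
"""
from decimal import Decimal

# Constructed general-ledger control account balance for accounts receivable.
CONTROL_BALANCE = Decimal("12500.00")

# Constructed AR subsidiary ledger: one balance per customer.
SUBSIDIARY = {
    "C-001": Decimal("4200.00"),
    "C-002": Decimal("3150.50"),
    "C-003": Decimal("5149.50"),
}

# Constructed perpetual inventory records versus a physical count.
INVENTORY_RECORDS = {"SKU-1": 120, "SKU-2": 45, "SKU-3": 300}
PHYSICAL_COUNT = {"SKU-1": 120, "SKU-2": 43, "SKU-3": 300, "SKU-4": 7}


def reconcile_control_account(control_balance, subsidiary):
    """Reconcile a subsidiary ledger to its control account.

    Decimal is used so that cents are not lost to binary rounding. The
    difference is returned rather than just a flag, because the size and
    sign of the gap is what the reviewer investigates."""
    total = sum(subsidiary.values(), Decimal("0"))
    return {
        "subsidiary_total": total,
        "difference": control_balance - total,
        "in_balance": total == control_balance,
    }


def compare_physical_to_records(records, physical):
    """Compare physical asset counts with accounting records.

    Returns (sku, book_qty, counted_qty, variance) for every item where the
    two disagree. Items present in only one source are included with a
    quantity of 0 on the other side, so unrecorded stock is not silently
    skipped."""
    exceptions = []
    for sku in sorted(set(records) | set(physical)):
        book = records.get(sku, 0)
        counted = physical.get(sku, 0)
        if book != counted:
            exceptions.append((sku, book, counted, counted - book))
    return exceptions


if __name__ == "__main__":
    result = reconcile_control_account(CONTROL_BALANCE, SUBSIDIARY)
    print("AR control account in balance:", result["in_balance"],
          "difference:", result["difference"])
    for sku, book, counted, variance in compare_physical_to_records(
            INVENTORY_RECORDS, PHYSICAL_COUNT):
        print(f"{sku}: book {book}, counted {counted}, variance {variance:+d}")
```

Both functions are detective controls in the slide's sense: they do not stop a bad posting or a missing item, they expose it so a corrective action can follow. Scheduling them on the cadence the slide mentions (hourly, daily, weekly) is what turns a manual reconciliation into the automatic verification the slide refers to.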

This note was uploaded on 10/02/2010 for the course ACCT 5457 taught by Professor Polm during the Fall '10 term at Rensselaer Polytechnic Institute.
