Lecture 4 Internal Controls, SOX, COSO, and COBIT

Ethics, Risks, and Controls (Lecture 4)

Business Ethics
- Principles of conduct used in decision making that involve the concepts of right and wrong
- Need to balance conflicting responsibilities to stakeholders

Fraud
- Intentional deception, misappropriation of assets, or manipulation of financial data to benefit the perpetrator
- Fraud Triangle: Pressure, Ethics, Opportunity

ACFE Occupational Fraud
- Report to the Nation issued every two years; surveys ACFE members
- Special survey in 2009 to assess the effect of the economic downturn

The Relationship between Risks, Opportunities, and Controls
- Risks: a risk is any exposure to the chance of injury or loss, including the chance of injury or loss from errors or intentional actions by management and employees.
- Opportunities and risk: opportunity and risk go hand in hand.
- Controls: a control is an activity we perform to minimize or eliminate a risk.

Legislating Internal Controls: Foreign Corrupt Practices Act 1977
- Main purpose was to make it illegal for U.S. companies to engage in bribery in foreign countries
- Required companies to have internal controls

Sarbanes-Oxley Act of 2002: Issuer and Management Disclosures
Section 302 requires management of publicly-traded companies to:
- certify financial information in quarterly and annual reports
- certify internal controls over financial reporting on a quarterly and annual basis
- disclose material changes in the company's internal controls

Sarbanes-Oxley Act of 2002: Code of Ethics
Section 406 requires publicly-traded companies to:
- disclose to the SEC whether they have a code of ethics that applies to the CEO, CFO, controller, or others in similar positions
- explain why, if they do not have a code of ethics

Sarbanes-Oxley Act of 2002: Creation of PCAOB
- Five members
- Funded by public companies and the accounting firms that audit public companies
- Issues or adopts standards
- Inspects accounting firms conducting audits

Sarbanes-Oxley: Relationship Between Accounting Firm and Audit Clients
- Auditors report to and are overseen by the audit committee rather than management
- Audit committee must pre-approve all services provided by its auditor
- Auditors prohibited from offering certain non-audit services to audit clients
- Lead audit partner and review partner must be rotated off engagements every 5 years
- Accounting firm cannot provide audit services to a company if one of the company's top officials worked for the firm on the company's audit during the prior year

Sarbanes-Oxley Act of 2002: Assessing Effectiveness of Controls
Section 404 requires corporate management to assess the effectiveness of the company's internal controls over financial reporting. The report includes:
- Statement of management's responsibility to establish and maintain controls
- Assessment of effectiveness
- Statement that external auditors have issued an attestation report on the effectiveness of the controls (no longer required for small companies)
- A conclusion on the effectiveness of the controls
- Identification of the framework used in the assessment

PCAOB Standard No. 5: Attestation Report on Effectiveness of Controls
Requires auditors to:
- understand transaction flows, including the internal controls
- determine significant accounts
- determine likely sources of potential misstatements that would cause the financial statements to be materially misstated
- determine whether material weaknesses exist
Material weakness: a deficiency, or combination of deficiencies, in internal controls over financial reporting such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. If one or more material weaknesses exist, the internal controls over financial reporting cannot be considered effective.

Framework to Use in Assessment
- PCAOB and SEC endorsed the COSO Framework
- Any other framework should encompass the same themes
- COBIT is a popular companion framework

COSO Framework
- Committee of Sponsoring Organizations (COSO) of the Treadway Commission
- Committee formed because of concern about fraud
- 1992: issued the report Internal Control - Integrated Framework (the COSO Report)
- Framework designed to help companies assess internal controls

COBIT Framework, Edition 4.1
- Issued by the IT Governance Institute
- Framework for evaluating IT controls
- 34 IT processes
- Over 300 control objectives

Consideration of Fraud in Audit
- SAS No. 99 provides guidelines on fraud detection
- Auditors blend consideration of fraud into all phases of the audit process

COSO Framework: Internal Control System
A set of rules, policies, and procedures an organization implements to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Internal Control System Components
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

Control Environment
The control environment sets the tone of the organization, which influences the control consciousness of its people. It includes the following areas:
- Integrity and ethical behavior
- Commitment to competence
- Board of directors and audit committee participation
- Management philosophy and operating style
- Organization structure
- Assignment of authority and responsibility
- Human resource policies and practices

Risk Assessment
Risk assessment involves identifying and analyzing the relevant risks associated with the organization achieving its objectives.
[Chart: Materiality and Risk. Vertical axis: Likelihood of Loss (Low to High); horizontal axis: Size of Potential Impact (Small to Large).]

Control Activities
Control activities are the policies and procedures an organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives. Three major types:
- Preventive controls focus on preventing an error or irregularity.
- Detective controls focus on identifying when an error or irregularity has occurred.
- Corrective controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.

Control Activities: Separation of Duties
Responsibilities for the following should be assigned to different employees:
- authorizing (approving) a transaction
- recording the transaction
- custody of assets related to the transaction

Control Activities: Sound Personnel Policies
- Procedures for hiring competent and reliable employees
- Training employees properly
- Supervision of employees
- Vacations
- Fidelity bonding
- Performance reviews

Control Activities: Timely Performance Reports
Reviews of an entity's performance:
- Compare actual data to budgeted data or prior-period data
- Compare data within and across various units, subdivisions, or functional areas

Control Activities: Physical Control Over Assets
- Keep assets in a safe, secure location
- Limit access
- Reconcile

Control Activities: IT Controls
General controls pertain to entity-wide concerns:
- Physical controls
- Access controls
- Systems development
- Software acquisition and maintenance controls
Application controls ensure the integrity of specific systems:
- Embedded in software
- Designed to ensure transactions are valid, authorized, and completely and accurately processed

Information and Communication
The information system should:
- Identify and record all events on a timely basis.
- Describe each event in sufficient detail.
- Measure the proper monetary value of each event.
- Determine the time period in which events occurred.
- Present properly the events and related disclosures in the financial statements.

Monitoring
Monitoring is the process of assessing the quality of internal control performance over time. It involves assessing controls on a timely basis and taking corrective actions as needed.
...
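The separation-of-duties rule above (authorize, record, custody held by different employees) as a check that can be run over role assignments, either detectively against existing grants or preventively before a new grant is approved. This is an added example, not from the lecture; the employees, transaction types and grants are constructed sample data.

```python
"""Separation-of-duties conflict check (added example, not from the lecture).
Encodes the slide's rule: per transaction type, authorizing, recording, and
custody of the related assets must sit with different employees."""
from collections import defaultdict
from itertools import combinations

# The three duties the lecture says must be separated.
DUTIES = ("authorize", "record", "custody")

# Constructed sample grants: (employee, transaction type, duty). All hypothetical.
SAMPLE_GRANTS = [
    ("alice", "cash_disbursement", "authorize"),
    ("bob",   "cash_disbursement", "record"),
    ("carol", "cash_disbursement", "custody"),
    ("dave",  "payroll",   "authorize"),
    ("dave",  "payroll",   "record"),    # conflict: approves and books payroll
    ("erin",  "payroll",   "custody"),
    ("alice", "inventory", "authorize"),  # no conflict: different transaction type
    ("frank", "inventory", "record"),
    ("frank", "inventory", "custody"),   # conflict: books and holds inventory
]


def sod_conflicts(grants):
    """Return sorted (employee, transaction_type, (duty, duty)) tuples for every
    employee holding two of the separated duties on the same transaction type."""
    held = defaultdict(set)  # (employee, txn_type) -> duties granted
    for employee, txn_type, duty in grants:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r}; expected one of {DUTIES}")
        held[(employee, txn_type)].add(duty)
    conflicts = []
    for (employee, txn_type), duties in held.items():
        # Any two of the three duties in one pair of hands is a violation;
        # an employee holding all three yields three conflicting pairs.
        for pair in combinations(sorted(duties), 2):
            conflicts.append((employee, txn_type, pair))
    return sorted(conflicts)


def is_segregated(grants):
    """Preventive form of the check: True when no employee combines duties."""
    return not sod_conflicts(grants)


if __name__ == "__main__":
    for employee, txn_type, (d1, d2) in sod_conflicts(SAMPLE_GRANTS):
        print(f"SoD conflict: {employee} holds {d1} and {d2} for {txn_type}")
```

Running `is_segregated` on a proposed grant set before it is provisioned makes the control preventive; running `sod_conflicts` over the current entitlement export makes it detective.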
