Chapter 9: Introduction to Internal Control Systems • Introduction • 1992 COSO Report • Updates on Risk Assessment • Examples of Control Activities • 2011 COBIT, Version 5 • Types of Controls • Evaluating Controls
Introduction – Fraud (Ch 11) & Errors • Errors may be the result of many factors • Distractions – Concurrent tasks, work environment, personal situations • Complexity – It’s easier to complete a simple task than a hard one • Limitations – Fatigue, cognitive limitations, etc.
Internal Control Systems • Definition • Policies, plans, and procedures • Implemented to protect a firm’s assets • People Involved • Board of directors • Management • Other key personnel
Internal Control Systems • Provides reasonable assurance • Effectiveness and efficiency of operations • Reliability of financial reporting • Protection of Assets • Compliance with applicable laws and regulations • Important Guidance • Statement on Auditing Standard No. 94 • Sarbanes-Oxley Act of 2002
Risk Control Strategies • Avoidance – Policy, training and education, or technology • Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.) • Mitigation – reducing the impact through planning and preparation • Acceptance – doing nothing if the cost of protection does not justify the expense of the control
Internal Control System Objectives • Safeguard assets • Check the accuracy and reliability of accounting data • Promote operational efficiency • Enforce prescribed managerial policies
Information System Goals – CIA Triangle • Integrity • Confidentiality • Availability
CIA Triangle • Confidentiality – Ensuring that information is accessible only by those who are properly authorized • Integrity – Ensuring that data has not been modified without authorization • Availability – Ensuring that systems are operational when needed for use
1992 COSO Report • Defines internal control and components • Presents criteria to evaluate internal control systems • Provides guidance for public reporting on internal controls • Offers materials to evaluate an internal control system
Components of Internal Control – COSO 1992 • Control Environment • Management’s oversight, integrity, and ethical principles • Attention and direction by board of directors • Management’s philosophy and operating style • Method of assigning authority and responsibility • Method of organizing and developing employees
Components of Internal Control – COSO 1992 • Risk Assessment • Identify organizational risks • Analyze potential of risks (cost and occurrence) • Cost-benefit analysis • Control Activities • Policies and procedures • Manual and automated
Components of Internal Control – COSO 1992 • Information and Communication • Inform employees • Roles and responsibilities • Importance of good working relationships • Monitoring • Evaluation of internal controls • Initiate corrective action when necessary
2004 COSO Enterprise Risk Management Framework • Emphasizes enterprise risk management • Includes COSO (1992) control components • Three new components • Objective setting • Event identification • Risk response
Components of Internal Control – COSO 2004 • Objective Setting • Strategic – high-level goals and mission • Operations – day-to-day efficiency, performance, and profitability • Reporting – internal and external • Compliance – laws and regulations
Components of Internal Control – COSO 2004 • Event Identification and Risk Response • Identify threats • Analyze risks • Implement cost-effective countermeasures • Additional considerations • Risk tolerance • Cost-benefit trade-offs
Study Break #4 Which of the following is not one of the three additional components that was added in the 2004 COSO Report? • Objective setting • Risk assessment • Event identification • Risk response
Examples of Control Activities • Good Audit Trail • Sound Personnel Policies and Practices • Separation of Duties • Physical Protection of Assets • Reviews of Operating Performance
Good Audit Trail • Use of Audit Trail • Follow path of data recorded in transaction • Initial source documents to final disposition of data • Data on reports back to source documents • Purpose of Audit Trail • Verify accuracy of recorded transactions • Detect errors and irregularities
Separation of Duties • Purpose • Structure of work assignments • One employee’s work checks the work of another • Separate Related Activities • Authorizing transactions • Recording transactions • Maintaining custody of assets
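As an added illustration (not part of the original slides) of how the separation-of-duties principle above can be checked mechanically: given a constructed table of which employees hold the authorizing, recording and custody duties, the code flags any employee holding two or more of them and proposes reassignments to employees who hold none. Where no free employee remains, the duty is reported as unresolved so a compensating detective control (such as an independent review) can be applied. The user names and duty labels are assumptions for the example.

```python
from itertools import combinations

# The three related activities the slide says should be assigned to
# different employees.
INCOMPATIBLE = frozenset({"authorize", "record", "custody"})

# Constructed sample role assignments (user -> duties held); not real data.
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorize"},
    "bob": {"record", "custody"},                 # conflict: records and holds asset
    "carol": {"review"},                          # holds none of the three
    "dave": {"authorize", "record", "custody"},   # worst case: all three
    "erin": {"record", "review"},                 # no conflict
}


def sod_violations(assignments):
    """Map each user to the sorted list of conflicting duty pairs they hold."""
    violations = {}
    for user, duties in sorted(assignments.items()):
        held = sorted(duties & INCOMPATIBLE)
        pairs = list(combinations(held, 2))
        if pairs:
            violations[user] = pairs
    return violations


def reassignment_plan(assignments):
    """For each violating user keep their first incompatible duty and move the
    rest to users holding none of the three, one duty per free user.
    Returns (moves, unresolved): moves is a list of (duty, from, to) and
    unresolved lists (duty, user) pairs that still need a compensating control."""
    free = [u for u, d in sorted(assignments.items()) if not (d & INCOMPATIBLE)]
    moves, unresolved = [], []
    for user, duties in sorted(assignments.items()):
        held = sorted(duties & INCOMPATIBLE)
        for duty in held[1:]:
            if free:
                moves.append((duty, user, free.pop(0)))
            else:
                unresolved.append((duty, user))
    return moves, unresolved


if __name__ == "__main__":
    print(sod_violations(SAMPLE_ASSIGNMENTS))
    print(reassignment_plan(SAMPLE_ASSIGNMENTS))
```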
Physical Protection of Assets • Inventory Controls • Stored in safe location with limited access • Utilization of Receiving Report • Document Controls • Protecting valuable organizational documents • Corporate charter, major contracts, blank checks, and SEC registration statements
Physical Protection of Assets • Cash Control • Most susceptible to theft and human error • Fidelity bond coverage • Use checks for cash disbursements • Deposit the daily cash receipts intact
Reviews of Operating Performance • Internal Audit Function • Reports to Audit Committee of Board of Directors • Independent of other subsystems • Enhances objectivity • Duties of Internal Auditors • Operational audits • Regular reviews of internal control systems
Study Break #5 Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees? • Analysis, authorizing, transactions • Custody, monitoring, detecting • Recording, authorizing, custody • Analysis, recording, transactions
2011 COBIT, Version 5 • Control Objectives for Information and related Technology (COBIT) • Strategic alignment • Realization of expected benefits of IT • Continual assessment of IT investment • Determine risk appetite • Measure and assess performance of IT resources
Types of Controls • Preventive Controls • Prevent problems from occurring • Detective Controls • Alert managers when preventive controls fail • Corrective Controls • Solve or correct a problem
Evaluating Controls • Requirements of Sarbanes-Oxley Act • Statement of management responsibility for internal control structure • Assessment of effectiveness of internal control structure • Attestation of auditor on accuracy of management’s assessment
The Risk Management Process (cycle) • Identify IT Assets • Assess IT Risks • Identify IT Controls • Document IT Controls • Monitor
Risk Management – Asset Identification • Processes • Cash • Software • Hardware • People • Inventory • Data • Facilities
Asset Valuation – What do we stand to lose? • Assets: People, Data, Hardware, Software, Facilities, (Procedures) • Valuation Methods • Criticality to the organization’s success • Revenue generated • Profitability • Cost to replace • Cost to protect • Embarrassment/Liability