
Chapter 9: Introduction to Internal Control Systems


harsha

Presentation Transcript


  1. Chapter 9: Introduction to Internal Control Systems • Introduction • 1992 COSO Report • Updates on Risk Assessment • Examples of Control Activities • 2011 COBIT, Version 5 • Types of Controls • Evaluating Controls

  2. Introduction – Fraud (Ch 11) & Errors • Errors may be the result of many factors • Distractions – Concurrent tasks, work environment, personal situations • Complexity – It’s easier to complete a simple task than a hard one. • Limitations – Fatigue, cognitive limitations, etc.

  3. Internal Control Systems • Definition • Policies, plans, and procedures • Implemented to protect a firm’s assets • People Involved • Board of directors • Management • Other key personnel

  4. Internal Control Systems • Provides reasonable assurance • Effectiveness and efficiency of operations • Reliability of financial reporting • Protection of Assets • Compliance with applicable laws and regulations • Important Guidance • Statement on Auditing Standard No. 94 • Sarbanes-Oxley Act of 2002

  5. Risk Control Strategies • Avoidance – Policy, Training and Education, or Technology • Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.) • Mitigation – reducing the impact through planning and preparation • Acceptance – doing nothing if the cost of protection does not justify the expense of the control

  6. Internal Control System Objectives • Safeguard assets • Check the accuracy and reliability of accounting data • Promote operational efficiency • Enforce prescribed managerial policies

  7. Information System Goals – CIA Triangle (figure: Integrity, Confidentiality, Availability)

  8. CIA Triangle • Confidentiality – Ensuring that information is accessible only by those who are properly authorized • Integrity – Ensuring that data has not been modified without authorization • Availability – Ensuring that systems are operational when needed for use

  9. Background Information on Internal Controls

  10. Background Information on Internal Controls

  11. Background Information on Internal Controls

  12. 1992 COSO Report • Defines internal control and components • Presents criteria to evaluate internal control systems • Provides guidance for public reporting on internal controls • Offers materials to evaluate an internal control system

  13. Components of Internal Control – COSO 1992 • Control Environment • Management’s oversight, integrity, and ethical principles • Attention and direction by board of directors • Management’s philosophy and operating style • Method of assigning authority and responsibility • Method of organizing and developing employees

  14. Components of Internal Control – COSO 1992 • Risk Assessment • Identify organizational risks • Analyze potential of risks (cost and occurrence) • Cost-benefit analysis • Control Activities • Policies and procedures • Manual and automated

  15. Components of Internal Control – COSO 1992 • Information and Communication • Inform employees • Roles and responsibilities • Importance of good working relationships • Monitoring • Evaluation of internal controls • Initiate corrective action when necessary

  16. 2004 COSO Enterprise Risk Management Framework • Emphasizes enterprise risk management • Includes COSO (1992) control components • Three new components • Objective setting • Event identification • Risk response

  17. 2004 COSO Enterprise Risk Management Framework

  18. Components of Internal Control – COSO 2004 • Objective Setting • Strategic – high level goals and mission • Operations – day-to-day efficiency, performance, and profitability • Reporting – internal and external • Compliance – laws and regulations

  19. Components of Internal Control – COSO 2004 • Event Identification and Risk Response • Identify threats • Analyze risks • Implement cost-effective countermeasures • Additional considerations • Risk tolerance • Cost-benefit trade-offs
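  Slides 5, 14 and 19 describe the same loop: estimate each risk by cost and occurrence, compare the cost of a countermeasure against the loss it removes, and respond with avoidance, transference, mitigation or acceptance. The worksheet below is an added illustration written for this transcript, not material from the slides or from COSO. It assumes expected annual loss = likelihood × cost per occurrence, that a control is justified only when the loss it removes exceeds its annual cost, and that a risk-matrix rating can be built from low/medium/high bands; the thresholds, risk names and all figures are constructed.

```python
"""Cost-benefit risk assessment (added example; not from the slides).

Assumptions, stated as such: a risk is scored by its expected occurrences
per year and the cost of one occurrence, so the expected annual loss is
likelihood * cost. A candidate control (one of slide 5's avoidance,
transference or mitigation strategies) is worth adopting when the expected
loss it removes exceeds its annual cost; if no control pays for itself the
risk is accepted. The risk-matrix bands and every figure are constructed.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # expected occurrences per year (constructed estimate)
    cost: float        # loss per occurrence, in currency units

    def expected_loss(self) -> float:
        return self.likelihood * self.cost


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str      # "avoidance", "transference" or "mitigation"
    annual_cost: float
    reduction: float   # fraction of the expected loss the control removes


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return risk.expected_loss() * control.reduction - control.annual_cost


def choose_response(risk: Risk, candidates: list) -> tuple:
    """Return (strategy, control name); falls back to acceptance when no
    candidate has a positive net benefit (slide 5: doing nothing if the
    cost of protection does not justify the control)."""
    best = max(candidates, key=lambda c: net_benefit(risk, c), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return ("acceptance", None)
    return (best.strategy, best.name)


def band(value: float, limits: tuple) -> str:
    """Map a number onto low/medium/high using two assumed thresholds."""
    for level, limit in zip(LEVELS, limits):
        if value < limit:
            return level
    return LEVELS[-1]


def matrix_rating(risk: Risk) -> str:
    """Qualitative risk-matrix rating: likelihood band plus impact band."""
    score = (LEVELS.index(band(risk.likelihood, (0.1, 1.0)))
             + LEVELS.index(band(risk.cost, (10_000, 100_000))))
    return ("low", "low", "medium", "high", "high")[score]


# Constructed worksheet: three risks, each with candidate controls.
WORKSHEET = [
    (Risk("laptop theft", 2.0, 5_000), [
        Control("full-disk encryption", "mitigation", 1_500, 0.9),
        Control("device insurance", "transference", 3_000, 0.8),
    ]),
    (Risk("ransomware on file server", 0.5, 150_000), [
        Control("offline backups", "mitigation", 8_000, 0.7),
        Control("cyber insurance", "transference", 20_000, 0.6),
    ]),
    (Risk("meteorite hits warehouse", 0.0001, 2_000_000), [
        Control("relocate warehouse", "avoidance", 50_000, 1.0),
    ]),
]


def assess(worksheet=WORKSHEET) -> dict:
    """Rate every risk and pick a response; results keyed by risk name."""
    return {
        risk.name: {
            "rating": matrix_rating(risk),
            "expected_loss": risk.expected_loss(),
            "response": choose_response(risk, controls),
        }
        for risk, controls in worksheet
    }


if __name__ == "__main__":
    for name, result in assess().items():
        print(f"{name:28s} {result['rating']:6s} "
              f"EL={result['expected_loss']:>10,.0f} -> {result['response']}")
```

Running the worksheet shows why the qualitative matrix and the quantitative comparison are both needed: laptop theft and the meteorite both rate "medium" on the matrix, yet encryption pays for itself many times over while relocating the warehouse costs far more than the risk it removes, so that risk is accepted.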

  20. Risk Assessment Worksheet

  21. Study Break #4 Which of the following is not one of the three additional components that was added in the 2004 COSO Report? • Objective setting • Risk assessment • Event identification • Risk response

  22. Examples of Control Activities • Good Audit Trail • Sound Personnel Policies and Practices • Separation of Duties • Physical Protection of Assets • Reviews of Operating Performance

  23. Good Audit Trail • Use of Audit Trail • Follow path of data recorded in transaction • Initial source documents to final disposition of data • Data on reports back to source documents • Purpose of Audit Trail • Verify accuracy of recorded transactions • Detect errors and irregularities

  24. Sound Personnel Policies

  25. Separation of Duties • Purpose • Structure of work assignments • One employee’s work checks the work of another • Separate Related Activities • Authorizing transactions • Recording transactions • Maintaining custody of assets
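  Slide 25 lists three related activities that must sit with different employees: authorizing a transaction, recording it, and keeping custody of the asset. The following is an added example written for this transcript, not code from the slides or from any accounting system; it shows the two places a separation-of-duties control is checked, once statically against the role assignments and once at run time as a transaction moves through its steps. The employee names, role assignments, duty labels and transactions are constructed.

```python
"""Separation-of-duties enforcement (added example; not from the slides).

Models slide 25: authorizing a transaction, recording it and keeping custody
of the asset are related activities that must be assigned to different
employees, so that one employee's work checks another's. Two checks are
shown: a static review of role assignments and a run-time check that no
single employee performs two of the three duties on the same transaction.
Employee names, roles and transactions are constructed.
"""

INCOMPATIBLE_DUTIES = frozenset({"authorize", "record", "custody"})


class SeparationOfDutiesError(Exception):
    """Raised when one employee would perform two incompatible duties."""


def conflicting_assignments(roles: dict) -> dict:
    """Static check of the org chart: employees holding more than one of the
    incompatible duties, mapped to the duties they hold."""
    return {
        employee: sorted(duties & INCOMPATIBLE_DUTIES)
        for employee, duties in roles.items()
        if len(duties & INCOMPATIBLE_DUTIES) > 1
    }


class Transaction:
    """A transaction moves through authorize, record and custody; the
    performer of each step is kept so the steps can be cross-checked."""

    def __init__(self, txn_id: str, amount: float):
        self.txn_id = txn_id
        self.amount = amount
        self.steps = {}  # duty -> employee who performed it

    def perform(self, duty: str, employee: str, roles: dict):
        if duty not in INCOMPATIBLE_DUTIES:
            raise ValueError(f"unknown duty {duty!r}")
        if duty not in roles.get(employee, set()):
            raise PermissionError(f"{employee} is not assigned to {duty}")
        if duty in self.steps:
            raise SeparationOfDutiesError(
                f"{duty} on {self.txn_id} already performed by {self.steps[duty]}")
        if employee in self.steps.values():
            done = [d for d, who in self.steps.items() if who == employee]
            raise SeparationOfDutiesError(
                f"{employee} already performed {done} on {self.txn_id}; "
                f"cannot also {duty}")
        self.steps[duty] = employee
        return self

    def is_complete(self) -> bool:
        return set(self.steps) == INCOMPATIBLE_DUTIES


# Constructed role assignments: Alice approves, Bob keeps the books,
# Carol holds the cash; Dave was (wrongly) given two incompatible duties.
ROLES = {
    "alice": {"authorize"},
    "bob": {"record"},
    "carol": {"custody"},
    "dave": {"authorize", "custody"},
}


def run_transaction(txn_id: str, amount: float, actions: list, roles=ROLES):
    """Apply (duty, employee) actions in order. Returns (completed, error)
    where error is the message of the first rejected action, if any."""
    txn = Transaction(txn_id, amount)
    for duty, employee in actions:
        try:
            txn.perform(duty, employee, roles)
        except (SeparationOfDutiesError, PermissionError) as exc:
            return txn.is_complete(), str(exc)
    return txn.is_complete(), None


if __name__ == "__main__":
    print("org-chart conflicts:", conflicting_assignments(ROLES))
    good = [("authorize", "alice"), ("record", "bob"), ("custody", "carol")]
    print("properly separated:", run_transaction("T1", 900.0, good))
    bad = [("authorize", "dave"), ("record", "bob"), ("custody", "dave")]
    print("same person authorizes and holds custody:",
          run_transaction("T2", 900.0, bad))
```

The static check catches the design flaw (Dave holds two incompatible duties) before any transaction runs; the run-time check is the backstop for the case where role assignments are correct on paper but one person still ends up touching the same transaction twice.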

  26. Physical Protection of Assets • Inventory Controls • Stored in safe location with limited access • Utilization of Receiving Report • Document Controls • Protecting valuable organizational documents • Corporate charter, major contracts, blank checks, and SEC registration statements

  27. Physical Protection of Assets • Cash Control • Most susceptible to theft and human error • Fidelity bond coverage • Use checks for cash disbursements • Deposit the daily cash receipts intact

  28. Reviews of Operating Performance • Internal Audit Function • Reports to Audit Committee of Board of Directors • Independent of other subsystems • Enhances objectivity • Duties of Internal Auditors • Operational audits • Regular reviews of internal control systems

  29. Study Break #5 Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees? • Analysis, authorizing, transactions • Custody, monitoring, detecting • Recording, authorizing, custody • Analysis, recording, transactions

  30. 2011 COBIT, Version 5 • Control Objectives for Information and related Technology (COBIT) • Strategic alignment • Realization of expected benefits of IT • Continual assessment of IT investment • Determine risk appetite • Measure and assess performance of IT resources

  31. COBIT and Val IT Integration

  32. Types of Controls • Preventive Controls • Prevent problems from occurring • Detective Controls • Alert managers when preventive controls fail • Corrective controls • Solve or correct a problem
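  Slide 23 describes the audit trail (follow each transaction from source document to final disposition, and from a report back to the source document, to detect errors and irregularities) and slide 32 names the three control types. The following is an added example written for this transcript, not code from the slides; it puts one control of each type around a small ledger so that each is visible in action. The source documents, ledger entries, employee names and the tampered entry are constructed.

```python
"""Audit trail with preventive, detective and corrective controls
(added example; not from the slides).

Slide 23: an audit trail lets you follow a transaction from its source
document to its final disposition, and from a report back to the source
document, to detect errors and irregularities. Slide 32: preventive controls
stop problems, detective controls alert when prevention fails, corrective
controls fix them. Each control below is labelled with its type. The source
documents, ledger entries and the tampered entry are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceDocument:
    doc_id: str
    amount: float


@dataclass(frozen=True)
class LedgerEntry:
    entry_id: str
    doc_id: str     # reference that makes the entry traceable to its source
    amount: float
    posted_by: str


class Ledger:
    def __init__(self, sources):
        self.sources = {d.doc_id: d for d in sources}
        self.entries = []
        self.reversed_ids = set()
        self.audit_log = []   # (action, entry or document id, detail)

    def post(self, entry: LedgerEntry) -> bool:
        """PREVENTIVE: refuse an entry that has no source document or whose
        amount differs from the document it cites."""
        doc = self.sources.get(entry.doc_id)
        if doc is None:
            self.audit_log.append(("rejected", entry.entry_id, "no source document"))
            return False
        if abs(doc.amount - entry.amount) > 0.005:
            self.audit_log.append(("rejected", entry.entry_id, "amount differs from source"))
            return False
        self.entries.append(entry)
        self.audit_log.append(("posted", entry.entry_id, entry.doc_id))
        return True

    def active_entries(self):
        return [e for e in self.entries if e.entry_id not in self.reversed_ids]

    def reconcile(self) -> list:
        """DETECTIVE: trace every entry back to a document and every document
        forward to exactly one entry; returns the findings."""
        findings = []
        by_doc = {}
        for e in self.active_entries():
            doc = self.sources.get(e.doc_id)
            if doc is None:
                findings.append(("orphan entry", e.entry_id))
            elif abs(doc.amount - e.amount) > 0.005:
                findings.append(("amount mismatch", e.entry_id))
            by_doc.setdefault(e.doc_id, []).append(e.entry_id)
        for doc_id in self.sources:
            if doc_id not in by_doc:
                findings.append(("unposted document", doc_id))
        for doc_id, ids in by_doc.items():
            if len(ids) > 1:
                findings.append(("duplicate posting", doc_id))
        return findings

    def correct(self, findings) -> list:
        """CORRECTIVE: reverse orphan and mismatched entries (the original
        stays in the ledger so the trail remains complete)."""
        fixed = []
        for kind, ident in findings:
            if kind in ("orphan entry", "amount mismatch"):
                self.reversed_ids.add(ident)
                self.audit_log.append(("reversed", ident, kind))
                fixed.append(ident)
        return fixed


def demo() -> dict:
    """Walk the three controls over constructed data and return what each saw."""
    ledger = Ledger([SourceDocument("D1", 100.0), SourceDocument("D2", 250.0),
                     SourceDocument("D3", 75.0)])
    ledger.post(LedgerEntry("E1", "D1", 100.0, "bob"))
    ledger.post(LedgerEntry("E2", "D2", 250.0, "bob"))
    prevented = ledger.post(LedgerEntry("E4", "D9", 40.0, "bob"))   # no document
    # An entry that slipped past the preventive control (e.g. a direct edit):
    ledger.entries.append(LedgerEntry("E3", "D2", 2500.0, "unknown"))
    before = ledger.reconcile()
    fixed = ledger.correct(before)
    after = ledger.reconcile()
    return {"prevented": not prevented, "before": before, "fixed": fixed,
            "after": after, "log": ledger.audit_log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The run shows the division of labour: the preventive check rejects the entry with no source document, the reconciliation (tracing in both directions) finds the tampered amount, the duplicate posting and the document never posted, and the corrective step reverses the bad entry while leaving it in the ledger so the audit trail still shows what happened. The remaining finding after correction, an unposted document, is exactly what a reviewer would expect to follow up.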

  33. Evaluating Controls • Requirements of Sarbanes-Oxley Act • Statement of management responsibility for internal control structure • Assessment of effectiveness of internal control structure • Attestation of auditor on accuracy of management’s assessment

  34. Cost-Benefit Analysis

  35. A Risk Matrix

  36. Chapter 9

  37. The Risk Management Process (figure: Identify IT Assets, Assess IT Risks, Identify IT Controls, Document IT Controls; Monitor)

  38. Risk Management – Asset Identification (figure: Processes, Cash, Software, Hardware, People, Inventory, Data, Facilities)

  39. Assets Valuation - What do we stand to lose? • Assets: People, Data, Hardware, Software, Facilities, (Procedures) • Valuation Methods • Criticality to the organization’s success • Revenue generated • Profitability • Cost to replace • Cost to protect • Embarrassment/Liability
