The Internal Control Structure
The Relationship between Risks, Opportunities, and Controls • Risks • A risk is any exposure to the chance of injury or loss. • Opportunities and Objectives • Opportunity and risk go hand in hand. You can't have an opportunity without some risk and with every risk there is some potential opportunity.
The Relationship between Risks, Opportunities, and Controls • Controls • A control is an activity we perform to minimize or eliminate a risk.
Internal Control • Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm’s objectives will be achieved. • These controls encompass all the measures and practices that are used to counteract exposures to risks. • The control framework is called the Internal Control Structure.
The Relationship between Risks, Opportunities, and Controls • Internal controls encompass a set of rules, policies, and procedures an organization implements to provide reasonable assurance that: • (a) its financial reports are reliable, • (b) its operations are effective and efficient, and • (c) its activities comply with applicable laws and regulations.
Internal Control Systems • The organization's board of directors, management, and other personnel are responsible for the internal control system.
Components of the Internal Control Structure • Control Environment • Accounting System • Specific Control Policies, Procedures and Security Measures
Control Environment • The Control Environment establishes the tone of a company, influencing the control consciousness of its employees. • It is comprised of seven components: • Management philosophy and operating style • Integrity and ethical values • Commitment to competence • The Board of Directors and the Audit Committee • Organizational Structure • Assignment of authority and responsibility • Human resources policies and practices
Accounting System • The Accounting System relates to safeguarding assets and checking the accuracy and reliability of accounting data. • The Accounting System measures, processes and communicates financial data from transactions to internal and external users.
Control Procedures • Control Procedures may be classified according to their intended uses in a system: • Preventive Controls block adverse events, such as errors or losses, from occurring. • Detective Controls discover the occurrence of adverse events such as operational inefficiency. • Corrective controls are designed to remedy problems discovered through detective controls.
Control Procedures • Control Procedures may also be classified according to where they will be applied within the system. • General controls are those controls that pertain to all activities involving a firm’s AIS and assets. • Application controls relate to specific accounting tasks or transactions. • Security Measures are intended to provide adequate safeguards over access to and use of assets and data records.
Risk • Business firms face risks that reduce the chances of achieving their control objectives. • Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers. • Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Types of Risks • Unintentional errors • Deliberate Errors (Fraud) • Unintentional Losses of Assets • Thefts of assets • Breaches of Security • Acts of Violence
Factors that increase Risk Exposure • Frequency - the more frequently a transaction occurs, the greater the exposure to risk. • Vulnerability - liquid and/or portable assets contribute to risk exposure. • Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure.
Problem Conditions Affecting Risk Exposures • Collusion, which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures. • Management may not prosecute wrongdoers because of the potential embarrassment. • Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect.
Feasibility of Controls • The Internal Control Structure should be fully auditable, thus auditors should be consulted during the system design stage. • A cost-benefit analysis should be conducted in order to make sure that the benefits of planned controls exceed the cost of incorporating them in the system. • Costs of controls include one time costs, recurring costs, additional losses caused by control failure and opportunity cost.
Forces for the Improvement of Controls • In recent decades various forces have arisen to encourage the improvement of internal control systems. • The most influential forces have been: • managers • professional associations • governmental bodies.
Management as a Force for Improving Controls • Managers have become increasingly aware of the tremendous losses that can occur to assets entrusted to their care, and of the potential problems that result from inaccurate or incomplete information. • Because of their vital stake in a sound internal control structure, managers are a force for improvement of controls.
Ethical Concerns of Professional Associations • Professional accounting associations have self-imposed and self-enforced codes of ethics or professional conduct. • Ethics committees have been established to provide association members with continuing education, advice and assistance with investigations. • The feasibility of a universal code of conduct that would combine computer professional ethics and accounting association ethics is being studied.
Information and Communication • The information system consists of the methods and records used to record, maintain, and report the events of an entity, as well as to maintain accountability for the related assets, liabilities, and equity. The quality of the system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports.
Information and Communication • The information system should do each of the following to provide accurate and complete information in the accounting system and correctly report the results of operations: • Identify and record all business events on a timely basis. • Describe each event in sufficient detail. • Measure the proper monetary value of each event. • Determine the time period in which events occurred. • Present properly the events and related disclosures in the financial statements.
Information and Communication • The communication aspect of this component deals with providing an understanding of individual roles and responsibilities pertaining to internal controls. • People should understand how their activities relate to the work of others and how exceptions should be reported to higher levels of management.
Information and Communication • Open communication channels help ensure that exceptions are reported and acted upon. • Communication also includes the policy manuals, accounting manuals, and financial reporting manuals.
Provisions of the Foreign Corrupt Practices Act • The FCPA requires that publicly-held companies design and implement a system of control procedures that provide reasonable assurance that: • assets are accounted for appropriately • transactions are in conformity to GAAP • access to assets is properly controlled • periodic comparisons of existing assets to the accounting records are made
Essential Elements of an Internal Control Structure • A good Audit Trail • Sound Personnel Policies and Competent Employees • Segregation of related organizational duties • Physical Protection of assets • Internal Reviews of Controls • Timely Performance Reports
Audit Trail • An audit trail enables auditors and accountants within the organization to follow the path of transaction data from source documents to ultimate disposition in a financial report and vice-versa. • A computerized AIS tends to fragment the paper trail, thus making the system’s audit trail difficult to follow.
Sound Personnel Policies and Competent Employees • Inefficient use of the company’s assets may occur without competent and honest employees. • Examples of sound personnel policies are: • specific hiring procedures • supervision • rotating of duties • enforced vacations • regular performance reviews • proper training • fidelity bond coverage on those employees who handle liquid assets.
Segregation of Related Organizational Duties • Segregating activities and responsibilities of a company’s employees allows different people to perform various tasks of a specific transaction. • The main functions that should be kept separate are custody, recordkeeping and authorization of the transaction.
Physical Protection of Assets • Keeping a company’s assets in a safe physical location minimizes the risk of damage to the assets or theft by employees or outsiders. • A voucher system is an example of an accounting control procedure that protects against unauthorized cash disbursements. • A petty cash fund may be used for small expenditures where writing a check would be inefficient.
Internal Reviews of Controls • Internal audit is a service function within many large companies. • As a separate subsystem, internal auditors report to high-level management or to the board of directors in order to remain independent and objective. • They perform periodic reviews, called operational audits, on each department within the organization in order to evaluate the efficiency and effectiveness of that particular department.
Timely Performance Reports • Performance reports provide information to management on how efficiently and effectively its company’s internal controls are functioning. • These reports should provide timely feedback to management on the success or failure of the company’s internal controls.
Information Processing Risks • Recording risks include recording incomplete, inaccurate, or invalid data about a business event. Incomplete data results in not having all the relevant characteristics about an operating event. Inaccuracies arise from recording data that do not accurately represent the event. Invalid refers to data that are recorded about a fabricated event.
Information Processing Risks • Maintaining risks are essentially the same as those for recording. The only difference is the data relates to resources, agents, and locations rather than to operating events. The risk relating to maintenance processes is that changes with respect to the organization's resources, agents, and locations will go either undetected or unrecorded (e.g., customer or employee moves, customer declares bankruptcy, or location is destroyed through a natural disaster).
Information Processing Risks • Reporting risks include data that are improperly accessed, improperly summarized, provided to unauthorized individuals, or not provided in a timely manner.