720 likes | 882 Views
Part 1 Study Unit 9. Internal Controls – Risk and Procedures for Control By Ronald Schmidt, CMA, CFM. Internal Controls.
E N D
Part 1 Study Unit 9 Internal Controls – Risk and Procedures for Control By Ronald Schmidt, CMA, CFM
Internal Controls Management accountants are expected to have a thorough understanding of the risks inherent to, and the internal controls within, a business. Internal controls have always been a good idea in a well-run business, but with the passage of the Foreign Corrupt Practices Act in 1977, an effective internal control system became a legal requirement.
9.1 Risk and the Control Environment • The Assessment and Management of Risk • Every organization faces risks, that is, unforeseen obstacles to the pursuit of its objectives. Risk may take many forms and can originate from within or from outside the organizations. • Can you name some risks?
9.1 Risk and the Control Environment • What is risk assessment? • It is a “process” to identify vulnerabilities. • There's always a trade-off between cost and benefit, and therefore there's no 100% percent system of internal control. • Is the ongoing process of designing and operating internal controls to help mitigate inherent risks. • The severity of consequences and the likelihood of occurrence can help us quantify risks. • Risk can also be assessed in qualitative terms. Can you give examples?
9.1 Risk and the Control Environment “Risk management is the ongoing process of designing and operating internal controls that mitigate the risks identified in the organization's risk assessment. “ Risk can be quantified as a combination of two factors: Severity of consequences Likelihood of occurrence Risk can also be assessed in qualitative terms see example on page 327
9.1 Risk and the Control Environment • The AICPA audit risk model • Inherent risk (IR) is the susceptibility of one of the company's objectives to obstacles arising from the nature of the objectives. • Control risk (CR) is the risk that the control put in place will fail to prevent an obstacle from interfering with the achievement of the objectives. • Detection risk (DR) is the risk that an obstacle to an objective will not be detected before loss has occurred. • Total risk (TR) equals IR X CR X DR
9.1 Risk and the Control Environment • IMA's Management Accounting Glossary defines internal control as follows: And otherwise) established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets, and ensure as far as possible the completeness and accuracy of the records. Whose responsibility is the design and operation's system of internal controls?
9.1 Risk and the Control Environment • Design and operations of an organization's system of internal controls is the responsibility of management. • Section 404 of the Sarbanes-Oxley act of 2002 requires publicly traded companies to issue a report stating that: • Management takes responsibility for establishing and maintaining the firm's system of internal controls, and • That the system has been functioning effectively over the reporting period.
9.1 Risk and the Control Environment What does PCAOB stand for? Part of an annual report is the assessment of the company's internal controls. AS 5 issued by PCAOB requires the external auditors to express an opinion on both a system of internal control and the fair representation of financial statements. AS 5 focuses on material weaknesses. With respect to the AICPA's auditing standards, material weakness is a deficiency, or combination of deficiencies, and internal controls that result in a reasonable possibility of a material misstatement.
9.1 Risk and the Control Environment • COSO Control Objectives defined internal control as: Internal control is broadly defined as a process, affected by an entities Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operation • Reliabilityof financial reporting • Compliancewith applicable laws and regulations
9.1 Risk and the Control Environment Effectiveness and efficiency of operations relate to the achievement of an entities mission. Internal controls must be designed so that they focus effort on the achievement of the organization's objectives. Reliably of financial reporting is needed for investors and creditors to make sound decisions. Compliance with applicable laws and regulations entities must conduct activities according to applicable laws and regulations such as waste disposal, wage and hour issues and employee safety. The framework only states reasonable, not absolute would be economically impractical.
9.1 Risk and the Control Environment • COSO components of Internal Control include the: • Control environment, which sets the tone of an entity and influences to control consciousness of personnel. • Risk assessment is the identification and analysis of relevant risk to achievement of objectives. • Control activities are the policies and procedures that help ensure management directives are carried out. • Information must be identified and captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. • Internal control system need to be monitored, which is management's timely assessment and taking of corrective actions.
9.1 Risk and the Control Environment • Control environment • Attitudes and actions of the Board of Directors and upper management. This includes: • Organizational structure • Policies • Objectives and goals • Management philosophy and operating style • Assignment of authority and responsibility
9.1 Risk and the Control Environment • What is the Board of Directors role? • Governing authority • Overall corporate policy • Fiduciary responsibility or duty • Reasonable care • They typically: • Selecting remove officers • Determined the capital structure • Add, and amend, or repeal bylaws • Initiate fundamental changes, such as mergers and divestitures • Clear dividends • Set the compensation of officers and management
9.1 Risk and the Control Environment • Audit committee's role • Subcommittee of the Board of Directors whose purpose is to help keep the external auditors independent of management • The importance of human resource policies and practices • Hiring standards • training policies • commitment to competence
9.1 Question 1 One of the financial statement auditor’s major concerns is to ascertain whether internal control is designed to provide reasonable assurance that
9.1 Question 1 Answer Correct Answer: D Internal control is designed to provide reasonable assurance of the achievement of objectives in the categories of (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with laws and regulations. Controls relevant to a financial statement audit ordinarily pertain to the objective of preparing external financial statements that are fairly presented in conformity with GAAP or another comprehensive basis of accounting. Incorrect Answers: A: Many factors beyond the purview of the auditor affect profits, and the controls related to operational efficiency are usually not directly relevant to an audit. B: The chief accounting officer need not review all accounting transactions. C: Controls relevant to a financial statement audit do not concern the treatment of corporate morale problems.
9.1 Question 2 To avoid creating conflict between the chief executive officer (CEO) and the audit committee, the chief audit executive (CAE) should
9.1 Question 2 Answer Correct Answer: D To avoid conflict between the CEO and the audit committee, the CAE should request that the board establish policies covering the IAA’s relationships with the audit committee. The CAE should have regular communication with the board, audit committee, or other appropriate governing authority. Furthermore, the board should approve a charter that defines the purpose, authority, and responsibility of the IAA. Incorrect Answers: A: The CEO and audit committee most likely should receive summary reports. Senior management and the board ordinarily are not involved in the details of internal audit work. B: Independence is not sufficient to avert conflict unless reporting relationships are well defined. C: The CEO and audit committee most likely should receive summary reports. Senior management and the board ordinarily are not involved in the details of internal audit work.
9.1 Question 3 The PCAOB’s Auditing Standard (AS) 5 focuses on internal controls in their relation to the fair presentation of financial statements. One requirement of AS 5 is that
9.1 Question 3 Answer Correct Answer: C In fulfillment of the requirements of PCAOB AS 5, external auditors must express an opinion on a firm’s internal control at the same time as the opinion on the financial statements. Incorrect Answers: A: Risk may be measured in quantitative or qualitative terms. B: The requirement to establish and maintain a system of internal accounting control is a part of the Foreign Corrupt Practices Act. D: Addressing internal control as a group of five interrelated components is a feature of the COSO model of internal control.
9.1 Question 4 Answer Correct Answer: A Reasonable assurance is provided when cost-effective actions are taken to restrict deviations to a tolerable level. This implies, for example, that material errors and improper or illegal acts will be prevented or detected and corrected within a timely period by employees in the normal course of performing their assigned duties. The cost-benefit relationship is considered by management during the design of systems. The potential loss associated with any exposure or risk is weighed against the cost to control it.
9.1 Question 5 Answer Correct Answer: A Strong internal control policies are essential for establishing the “tone at the top.” Segregation of duties is one of the most fundamental forms of internal control. Requiring vacations makes it difficult for employees to carry on undiscovered fraud in the absence of collusion.
9.2 Control Procedures • The control process includes: • Establishing standards for the operation to be controlled, • Measuring performance against the standards, • Examining and analyzing deviations, • Taking corrective actions, and • Reappraising the standards based on experience
9.2 Control Procedures • Types of controls • Primary controls include: • Preventive controls to deter the occurrence of unwanted events. • Detective controls which alert after an unwanted event. • Corrective controls to correct the negative effects of unwanted events. • Direct of controls which cause or encouraging currents of desirable events Continued
9.2 Control Procedures • Secondary controls include: • Compensatory (mitigate) controls may reduce risk when the primary controls are ineffective. • Complementary controls work with other controls to reduce risk to an acceptable level. • Time-based classifications: • Feedback controls • Concurrent controls • Feedforward controls Continued
9.2 Control Procedures • Financial versus Operating controls: • Financial controls should be based on relevant establish accounting principles • Operating controls applied to production and support activities are also called administrative controls • People-Based versus System-Based controls • People-based controls are dependent on the intervention of humans for their proper operation. • System-based controls are executed whenever needed with no human intervention. Continued
9.2 Control Procedures • Control activities are designed in place in operation to ensure that management's directives are executed, and include: • Segregation of duties, including four basic functional responsibilities • Independent checks verifications • Safeguarding controls • Pre-numbered forms • Specific document flow Continued
9.2 Control Procedures • Segregation of duties include: • Independent checks and verifications • Safeguarding controls • Pre-numbered forms • Specific document flow See examples starting at the bottom of page 335
9.2 Question 1 A proper segregation of duties requires that an individual
9.2 Question 1 Answer Correct Answer: D One person should not be responsible for all phases of a transaction, i.e., for authorization, recording, and custodianship of the related assets. These duties should be performed by separate individuals to reduce the opportunities for any person to be in a position of both perpetrating and concealing errors or fraud in the normal course of his/her duties. For instance, an employee who receives and lists cash receipts should not be responsible for comparing the recorded accountability for cash with existing amounts. Incorrect Answers: A: Authorization and recordkeeping should be separate. B: Authorization and asset custody should be separate. C: Recordkeeping and asset custody should be separate.
9.2 Question 2 The procedure that would best discourage the resubmission of vendor invoices after they have been paid is
9.2 Question 2 Answer Correct Answer: C Canceling vouchers and supporting papers (with perforations, ink, etc.) upon payment prevents the payment of a duplicate voucher. If the person signing the check does the canceling, the documents cannot be recycled for duplicate payments. Securing the paid-voucher file from access by the accounts payable clerk is another effective control. Incorrect Answers: A: A single endorsement is not a control weakness if the person who signs does not have incompatible functions and if proper documentation is required before signing. B: The vouchers should not be canceled before payment. D: Mailing payments directly to payees does not prevent a second use of invoices by unethical personnel. Also, record keepers should not have access to signed checks.
9.2 Question 3 If internal control is well designed, two tasks that should be performed by different persons are
9.2 Question 3 Answer Correct Answer: D Recording of cash establishes accountability for assets. The bank reconciliation compares that recorded accountability with actual assets. The recording of cash receipts and preparation of bank reconciliations should therefore be performed by different individuals since the preparer of a reconciliation could conceal a cash shortage. For example, if a cashier both prepares the bank deposit and performs the reconciliation, (s)he could embezzle cash and conceal the theft by falsifying the reconciliation. Incorrect Answers: A: There is no conflict between writing off bad debts (accounts receivable) and reconciling accounts payable, which are liabilities. B: Distribution of payroll checks and approval of sales returns are independent functions. People who perform such disparate tasks are unlikely to be able to perpetrate and conceal a fraud. In fact, some companies use personnel from an independent function to distribute payroll checks. C: Posting both ledgers would cause no conflict as long as the individual involved did not have access to the actual cash. If a person has access to records but not the assets, there is no danger of embezzlement without collusion.
9.2 Question 4 Answer Correct Answer: B The control objective of authorization concerns the proper execution of transactions in accordance with management’s wishes. One means of achieving this control objective is the establishment of policies as guides to action. When a decision affects the capitalization of the entity, a policy should be in force requiring review at the highest level.
9.2 Question 5 Answer Correct Answer: A Piecework is production that is compensated at a set amount per unit of output rather than time spent on the job. Comparing production amounts (inventory additions) with payments (piecework records) is therefore an appropriate control over payroll.
Essays The essay portion of the exam will begin once you complete the multiple-choice section or after three hours, whichever comes first.
Essays Essays test your understanding of how specific pieces of information relate to one another, and your ability to apply your knowledge to real-life situations. It requires understanding of the content and being able to make recommendations. Your strategy should be to learn the content first, then practice multiple-choice exam-type questions, then learn how to respond to essay questions.
Essays • How to write essay answers • You will respond to the questions asked. • Directly respond to the questions asked. • Are presented in a logic manner. • Demonstrate an appropriate understanding of the subject matter.
Essays • Use the same verbs (from the question) within your answer will ensure that you are responding directly and completely to the questions. • You need to have an understanding of: • Financial statements • Time value of money concepts • Elementary statistics
Essays • Writing Skills • Based on the use of: • Use of standard English • Organization • Clarity • When working through the essays, pay close attention the key words in the question, organize your response, and start writing the answer to the question.
Essays • To make the best use of your time to complete the essay portion: • Take online tutorial to become familiar with the testing screens. The tutorial is not part of your testing time and may be repeated. However, the tutorial time is limited to 20 minutes. • Briefly skim through both essay questions and get an idea what each question is asking you to do (i.e. describe, analyze, calculate, etc.). Continued
Essays • You have one hour to complete the full essay exam (more if you have finished the multiple-choice section earlier than the three-hour limit). Determine how much time you will dedicate to each essay question. • Start with the question you know best. Begin by writing key words, thoughts, facts, figures, and anything else that can be used to answer the question. Continued
Essays • Answer you answer one question, issues related to the other may occur to you. Write that information next to the appropriate question. This will build your confidence and give you a starting place when you begin the second question. Continued
Essays • To answer each question: • Read the entire question for requirements. • Be aware of the verb clues that delineate what is being asked. This well help you formulate and organize your answer. Note that you may have more than task – define, interpret… • Write the basic requirements in the answer space so that you are sure to address them. • Begin your answer with one or two sentences that directly answer the question. If possible, rephrase the question’s essential terms in a statement that directly answers the question. continued