Transaction Processing and the Internal Control Process. Chapter 4. Understand the nature of control exposures. Learning Objective 1. Enterprise Risk Management.
Transaction Processing and the Internal Control Process Chapter 4
Understand the nature of control exposures. Learning Objective 1
Enterprise Risk Management • Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Enterprise Risk Management • Enterprise risk management (ERM) has eight components: • Internal Environment • Objective Setting • Event Identification • Risk Assessment • Risk Response • Control Activities • Information and Communication • Monitoring
Controls and Exposures • Controls are needed to reduce exposures to potential adverse events. • An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence. • The term risk is synonymous with the probability of occurrence. • Controls tend to reduce exposures, but controls rarely affect the causes of exposures.
Fraud and White-Collar Crime • White-collar crime describes a grouping of illegal activities that are differentiated from other illegal activities in that they occur as part of the occupation of the offender. • Occurs when assets are deceitfully diverted from proper use. • Often involves the entry of fictitious (i.e. fraudulent) transactions into an accounting system.
Fraud and White-Collar Crime • Three basic forms of theft occur in white-collar crime: • Employee theft involves diversion of assets by an employee for personal gain. • Employee-outsider theft involves diversion of assets by an employee in collusion with an outsider. • Management fraud concerns diversion of assets or misrepresentation of assets by management.
Fraud and White-Collar Crime • White-collar crime may result in fraudulent financial reporting. • Fraudulent financial reporting is intentional or reckless conduct, whether by purposeful act or by omission, that results in materially misleading financial statements. • Corporate crime is white-collar crime that benefits a company or organization, rather than the individuals who perpetrate the fraud.
Fraud and White-Collar Crime • Forensic accounting is one of several terms that are used to describe the activities of persons who are concerned with preventing and detecting fraud. • Fraud examiner • Fraud auditor • Loss prevention specialist
Control Objectives and Transaction Cycles • Most organizations experience the same types of economic events which generate transactions that can be grouped according to four common cycles: • Revenue cycle • Expenditure cycle • Production cycle • Finance cycle • Control objectives should be developed for each transaction cycle.
Control Objectives and Transaction Cycles • Revenue cycle control objectives: • Customers should be authorized in accordance with management’s criteria. • Prices and terms of goods and services provided should be authorized in accordance with management’s criteria. • All shipments of goods and services provided should result in a billing to the customer. • Billings to customers should be accurately and promptly classified, summarized, and reported.
Control Objectives and Transaction Cycles • Expenditure cycle control objectives: • Vendors should be authorized in accordance with management’s criteria. • Employees should be hired in accordance with management’s criteria. • Access to personnel, payroll, and disbursement records should be permitted only in accordance with management’s criteria. • Compensation rates and payroll deductions should be authorized in accordance with management’s criteria. • Amounts due to vendors should be accurately and promptly classified, summarized, and reported.
Control Objectives and Transaction Cycles • Production cycle control objectives: • The production plan should be authorized in accordance with management’s criteria. • Cost of goods manufactured should be accurately and promptly classified, summarized, and reported.
Control Objectives and Transaction Cycles • Finance cycle control objectives: • The amounts and timing of debt transactions should be authorized in accordance with management’s criteria. • Access to cash and securities should be permitted only in accordance with management’s criteria.
Discuss the concept of the internal control process. Learning Objective 2
Components of the Internal Control Process • Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Reliability of financial reporting • Effectiveness and efficiency of operations • Compliance with applicable laws and regulations
Components of the Internal Control Process • The concept of internal control is based on two major premises: • Responsibility has to do with management and the board of directors being responsible for establishing and maintaining the internal control process. • Reasonable assurance has to do with the relative costs and benefits of controls. Management should not spend more on the controls than the benefits to be received from the controls.
External Influences Concerning an Entity and Internal Control • An organization must ensure that its activities are in compliance with laws and regulations issued by those who have jurisdiction over it and its operations: • Securities and Exchange Commission (SEC) • Financial Accounting Standards Board (FASB) • Foreign Corrupt Practices Act (FCPA)
External Influences Concerning an Entity and Internal Control • Section 102 of the FCPA requires all companies who are subject to the SEC act of 1934 to: • Make and keep books, records, and accounts, which in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer; • Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that: • Transactions are executed in accordance with management’s authorization; • Transactions are recorded as necessary; • Access to assets is permitted only in accordance with management’s authorization; • Recorded accountability for assets is compared with the existing assets.
External Influences Concerning an Entity and Internal Control • The Sarbanes-Oxley Act of 2002 (SOX): • Five-member Public Accounting Oversight Board (PCAOB) • Significantly increased criminal penalties for white-collar crime. • Greatly expands scope of laws relating to obstruction of justice. • Special provisions provide whistleblower protection.
External Influences Concerning an Entity and Internal Control • The Sarbanes-Oxley Act of 2002 (SOX): • Restrictions of nonaudit services • Role of the Audit Committee • Conflicts of interest • Corporate responsibility for financial reports • Insider trades during pension fund blackouts prohibited • Prohibition of personal loans to executives and directors • Code of Ethics • Management assessment of internal controls
Compliance with SOX Section 404 • COSO Reports – “Internal Control - Integrated Framework” • Other COSO reports - ERM – Integrated Framework; Internal Control over Financial Reporting; etc. • COBIT – “Control Objectives for Information and related Technology” • ISO 27002 • The U.S. Federal Sentencing Guidelines
Components of the Internal Control Process • Control environment • Risk assessment • Control activities • Information and communication • Monitoring
Control Environment • The control environment is the first of the five components of internal control and is the foundation for all other components: • The collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific policies and procedures.
Control Environment • Factors included in the control environment: • Integrity and ethical values • Commitment to competence • Management philosophy and operating style • Organization structure • Attention and direction provided by BOD • Manner of assigning authority and responsibility • Human resource policies and procedures
Control Environment • Human resources policies and procedures: • Segregation of duties – responsibility for specific tasks in an organization should be clearly designated in manuals, job descriptions or other documents. • Supervision – the direct monitoring of personnel performance by an employee who is so charged. • Job rotation and forced vacations • Dual control - the assignment of two individuals to perform the same work in unison.
Risk Assessment • Risk Assessment is the second component of internal control: • The process of identifying, analyzing, and managing risks that affect the company’s objectives. • Identify the changing internal and external conditions and the related actions that may be necessary. • Examples include changes in operating environment, personnel, information systems, new technology, etc.
Control Activities • Control Activities is the third component of internal control: • Accounting controls designed to provide reasonable assurance that the following specific control objectives are met: • Segregation of duties • Adequate documents and records • Restricted access to assets • Independent checks on performance • Information processing controls
Information and Communication • Information and Communication is the fourth component of internal control: • Information refers to the organization’s accounting system. • Communication relates to providing a clear understanding regarding all policies and procedures relating to controls.
Information and Communication • Accounting system – consists of the methods and records established to identify, assemble, analyze, classify, record, and report the organization’s transactions and to maintain accountability for the related assets and liabilities. • Audit trail - consists of the documentary evidence of the various control techniques that a transaction was subject to during its processing.
Monitoring • Monitoring is the fifth component of internal control: • Involves the ongoing process of assessing the quality of internal controls over time and taking corrective actions when necessary to ensure the controls remain effective. • The internal audit function often has the responsibility to monitor and evaluate internal controls on an ongoing basis.
Monitoring • The COSO report “Guidance on Monitoring Internal Control Systems” presents a three-phase model for monitoring: • Establish foundation for monitoring • Design and execute monitoring procedures that are based on risk • Assess and report the results
Identify general and application processing controls. Learning Objective 3
Transaction Processing Controls • General controls affect all transaction processing and concern the overall environment of transaction processing: • The plan of data processing organization • General operating procedures • Equipment control procedures • Equipment and data-access controls
Transaction Processing Controls • Application controls are specific to individual applications and are categorized according to the basic steps in the data processing cycle: • Input controls • Processing controls • Output controls
Transaction Processing Controls • Transaction processing controls may also be classified as being primarily preventative, detective, or corrective in nature: • Preventative controls act to prevent errors and fraud before they happen. • Detective controls act to uncover errors and fraud after they have occurred. • Corrective controls act to correct errors.
Discuss the behavioral assumptions inherent in traditional internal control practices. Learning Objective 4
Communicating the Objectives of Internal Control • The principal function of internal control is to influence the behavior of people in a business system. • The objectives of internal control must be seen as relevant to individuals who will comprise the control system. • The system must be designed such that each employee is convinced that controls are meant to prevent difficulties or crises in the operation of the organization.
Goals and Behavioral Patterns • An information system has several goals: • Productivity • Reliability of information • Safeguarding of assets • These goals are at times contradictory. • Controls constrain productivity, but increase the reliability of resulting outputs. • The conflict between internal controls and productivity must be considered as it may influence the behavior of people in the control system.
Goals and Behavioral Patterns • Collusion is agreement or conspiracy among two or more people to commit fraud. • Factors which influence an individual’s behavior in a control system: • Formal plan of organization and related methods and measures employed. • Groups and other sources of information pressures. • Errors and irregularities are minimized when employees fully understand, accept, and internalize the objectives of the internal control system.
Describe the techniques used to analyze internal control systems. Learning Objective 5
Analysis of Internal Control Processes • Internal control processes routinely collect information concerning the following: • Fulfillment of duties • Transfer of authorities • Approval • Verification • Reliability depends on the people who administer internal control procedures. • It is essential that internal control procedures are actually performed as prescribed.
Analytic Techniques • Internal control questionnaire is a common analytic technique used in internal control analysis. • Questionnaires are essentially checklists to ensure that a review does not omit an area of major importance. • Supplement with other forms of analysis: • Write-ups • Flowcharts • Other charting techniques
Analytic Techniques • Analytic flowcharts might be used in internal control analysis, particularly if the analysis involves a computer system application. • Application controls matrix provides a structured form of analysis that is particularly relevant to internal control reviews of information systems.
Internal Control and Compliance in Small Business and Small Public Companies • The COSO report, “Internal Control over Financial Reporting-Guidance for Smaller Public Companies,” suggests ways small companies can compensate for their size: • Leadership Involvement • Effective Board of Directors • Limited Segregation of Duties and Increased Focus on Monitoring • Compensating for Limitations in Information Technology
Internal Control and Compliance in Small Business and Small Public Companies • Both small and large companies can gain cost efficiencies in developing their internal control processes by using the following approaches: • Apply a Top-Down Risk Assessment (TDRA) Approach to Internal Control Assessment • Focus on Changes • Manage Reporting Objectives • Right-Size Documentation