
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES

This chapter explores the roles of accountants in identifying risks and controls in business processes. It discusses the requirements of the Sarbanes-Oxley Act of 2002 and the PCAOB Standard No. 2 related to internal control assessment. It also examines the components and objectives of internal control, as well as the assessment of execution risks in the revenue and acquisition cycles.

smithdaniel


  1. Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES

  2. Internal Control and Accountants’ Roles Accountants as Managers – Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: • Management to prepare a statement describing and assessing the company’s internal control system

  3. Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: • Annual reports of public companies to include: (1) a statement that management is responsible for internal controls over financial reporting,

  4. Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: • Annual reports of public companies to include: (2) a statement identifying the framework used by management to evaluate internal controls,

  5. Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: • Annual reports of public companies to include (3) an assessment of internal controls and disclosure of any material weaknesses, and

  6. Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: • Annual reports of public companies to include: (4) a statement that a public accounting firm has issued an attestation report on management’s assessment of internal control.

  7. Internal Control and Accountants’ Roles Accountants as Users– Must understand a company’s internal controls to apply them correctly.

  8. Internal Control and Accountants’ Roles Accountants as Designers of internal control procedures – Must understand a company’s internal controls in working to achieve compliance with regulations and company objectives and to minimize risks

  9. Internal Control and Accountants’ Roles Accountants as Evaluators– must understand internal control systems to: • Help develop management’s report that assesses internal controls (as internal auditors) • Prepare an attestation to management’s statement about internal control (as external auditors) • Conduct the audit of a company’s financial statements (as external auditors)

  10. Framework for Studying Internal Control • Components of internal control (the COSO Report) • Internal control objectives • Risk assessment

  11. Framework for Studying Internal Control The COSO Report: • 5 interrelated components of internal control: • Control environment • Risk assessment • Control activities • Information and communication • Monitoring

  12. Internal Control Components and Objectives Internal control: • Execution objectives – 2 execution objectives for the revenue cycle: • Ensure proper delivery of goods and services • Ensure proper collection and handling of cash 2 execution objectives for the acquisition cycle: • Ensure proper receiving of goods and services • Ensure proper payment and handling of cash

  13. Internal Control Components and Objectives Internal control: • Information system objectives - • Focus on recording, updating, and reporting accounting information • Important for ensuring effective execution of transactions

  14. Internal Control Components and Objectives Internal control: • Asset protection objectives - • Focus on safeguarding assets to minimize risk of theft or loss of assets

  15. Internal Control Components and Objectives Internal control: • Performance objectives – • Focus on achieving favorable performance of an organization, person, department, product, or service • Established to ensure effective operations

  16. Assessment of Execution Risks: Revenue Cycle Generic execution risks for each of the two revenue cycle transactions: 1. Delivering goods/services: • Unauthorized sale/service permitted • Authorized sale/service did not occur, occurred late, or was duplicated unintentionally • Wrong type of product/service • Wrong quantity/quality • Wrong customer/address

  17. Assessment of Execution Risks: Revenue Cycle Generic execution risks for each of the two revenue cycle transactions: 2. Collecting cash: • Cash not collected or collected late • Wrong amount of cash collected

  18. Assessment of Execution Risks: Acquisition Cycle Generic execution risks for each of the two acquisition cycle transactions: 1. Receiving goods/services: • Unauthorized goods/services received • Expected receipt of goods/services did not occur, occurred late, or was duplicated unintentionally • Wrong type of product or service received • Wrong quantity/quality • Wrong supplier

  19. Assessment of Execution Risks: Acquisition Cycle Generic execution risks for each of the two acquisition cycle transactions: 2. Making payment: • Unauthorized payment • Cash not paid, paid late, or duplicate payment • Wrong amount paid • Wrong supplier paid

  20. Assessment of Execution Risks: Revenue & Acquisition Cycles Understanding and assessing execution risks – 5 steps: Step 1. Achieve understanding of the processes Step 2. Identify the at-risk goods/services provided and cash received Step 3. Restate generic risk to describe the execution risk more precisely for the process under study - exclude irrelevant/immaterial risks

  21. Assessment of Execution Risks: Revenue & Acquisition Cycles Understanding and assessing execution risks – 5 steps: Step 4. Assess the significance of remaining risks Step 5. Identify factors that contribute to each significant risk – use events in the process to systematically identify factors • What control activities could be implemented to mitigate the risks?

  22. Assessment of Information Systems Risks • 2 categories of information systems risks: • Recording risks • Updating risks

  23. Assessment of Information Systems Risks • The process of recording and updating information – both a risk and a control • Risk - information will be recorded incorrectly, perhaps resulting in transaction errors and incorrect financial statements • Control – when recorded information is correct, it can be used to control transactions

  24. Assessment of Information Systems Risks Recording risks: • Risks that event information is not captured accurately in an organization’s information system • Errors in recording can cause substantial losses • Recording events late can cause opportunity losses • In the acquisition cycle, recording errors can result in overpaying bills or loss of credit from failure to pay

  25. Assessment of Information Systems Risks Recording risks: • Revenue/acquisition cycles - generic recording risks • Event recorded never occurred • Event not recorded, recorded late, or duplication of recording • Wrong product/service recorded • Wrong quantity/price recorded • Wrong external/internal agent recorded • Wrong recording of other data

  26. Assessment of Information Systems Risks Recording risks: • Identifying recording risks – 3 steps Step 1. Achieve an understanding of the process under study - identify the events Step 2. Review events - identify where data are recorded in a source document or a transaction file

  27. Assessment of Information Systems Risks Recording risks: • Identifying recording risks – 3 steps • Step 3. For each event where data are recorded in a source document or transaction record: • Consider the preceding generic recording risks • Restate each generic risk to describe the risk more precisely for the particular event under consideration • Exclude any risks that are irrelevant or immaterial

  28. Assessment of Information Systems Risks Updating risks: • Risks that summary fields in master records are not properly updated • Update failures can be costly • Errors in updates can reduce the effectiveness of controls over the general ledger balances for assets and liabilities

  29. Assessment of Information Systems Risks Updating risks: • Generic risks • Update of master record omitted or unintended duplication of update • Update of master record occurred at the wrong time • If updates are scheduled, users need to know and schedule needs to be followed • Summary field updated by wrong amount • Wrong master record updated

  30. Assessment of Information Systems Risks Identifying updating risks: • 3 steps Step 1. Identify recording risks Step 2. Identify the events that include update activity and the summary fields in updated master files

  31. Assessment of Information Systems Risks Identifying update risks: • 3 steps Step 3. For each event in updated master file • Consider the preceding generic update risks • Restate each generic risk to describe the update risk more precisely for the particular event under consideration • Exclude any update risks that are irrelevant or immaterial

  32. Recording and Updating in the General Ledger System • The General_Ledger File stores reference and summary data about the general ledger accounts. • The process of updating a general ledger account is sometimes referred to as “posting.”

  33. Recording and Updating in the General Ledger System Risks in recording and updating information in a general ledger system: • Risks • Wrong general ledger account recorded • Wrong amounts debited/credited • General ledger master record not updated at all, updated late, or updated twice • Wrong general ledger master record updated

  34. Recording and Updating in the General Ledger System Risks in recording and updating information in a general ledger system: • Important to internal control: • Policy for updating general ledger accounts should be well understood. • Often, general ledger balances are updated after a batch of transactions, not with each transaction

  35. Recording and Updating in the General Ledger System Risks in recording and updating information in a general ledger system: • Important to internal control: • Employees need to know: • Under the batch process, general ledger account balances are temporarily out of date • When updates are made

  36. Recording and Updating in the General Ledger System Controlling risks: • Identify significant risks of losses or errors • Consider ways to control the risks • Accountants, external auditors, or internal auditors evaluate existing controls and suggest additional controls where warranted

  37. Control Activities • The policies and procedures to address risks to achievement of the organization’s objectives • Manual or automated • May be implemented at various levels of the organization. • 4 types of controls: • Workflow controls • Input controls • General controls • Performance reviews

  38. Control Activities Workflow controls: • Used to control a process as it moves from one event to the next • Exploit linkages between events • Focus on: • Responsibilities for events • Sequence of events • Flow of information between events in a business process

  39. Control Activities Workflow controls: • Segregation of duties • Use of information from prior events to control activities • Required sequence of events • Follow-up on events • Sequence of prenumbered documents • Recording of internal agent(s) accountable for an event in a process • Limitation of access to assets and information • Reconciliation of records with physical evidence of assets

  40. Control Activities 1. Segregation of duties: • Organizations make an effort to segregate: • Authorization of events • Execution of events • Recording of event data • Custody of resources associated with the event • The overview activity diagram is best suited to understanding and documenting segregation of duties

  41. Control Activities 2. Use of information about prior events: • Information about prior events can come from documents or computer records. • 2 examples of information from computer files: • Checking summary data in master files to authorize events • Transaction records may help control events - similar to using documents before approving an invoice

  42. Control Activities 3. Required sequence of events: Often, organizations - • Have policies requiring a process to follow a particular sequence • Require a sequence of events without having prior recorded information to rely on

  43. Control Activities 4. Follow-up on events: Organizations: • Need automated or manual way to review transactions not yet concluded • Should have “open” item or aging reports to identify events needing follow up • Can design/use routine reports to flag unfinished business • Can query a database for status reports

  44. Control Activities 5. Prenumbered documents: • Provide an opportunity to control events • Prenumbered documents created during one event are accounted for in a later event • Checking the sequence of prenumbered documents helps ensure that all events are executed and recorded appropriately

  45. Control Activities 6. Recording of internal agent(s) accountable for an event in a process: Important • Clear job descriptions and specific instructions from supervisors • Recording employee ID number at the time of the event • Safeguarding of assets through use of serial numbers, recordkeeping, and identification of custodian of the assets

  46. Control Activities 7. Limitation of access to assets and information: Safeguards • Access to assets only for employees needing them for assigned duties • Physical assets stored in secure locations • Employee badges for access • Alarms • Password required for access to data

  47. Control Activities 8. Reconciliation of records with physical evidence of assets: • Ensures that recorded event and master file data correspond to actual assets • Differs from the use of documents to control events – reconciliation: • Is broader • Usually involves data about multiple events • Occurs after the events have been executed and recorded
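Two of the workflow controls above (segregation of duties from slide 40 and accounting for the sequence of prenumbered documents from slide 44) as detective checks over an event log. This is an added example, not code from the slides or the textbook; the sales-order events, employee names and document numbers are constructed sample data.

```python
"""Workflow-control checks: prenumbered-document sequence and segregation of duties."""
from collections import Counter

# Constructed sample: one sales-order event per row as
# (document_number, authorized_by, executed_by, recorded_by, custody_by).
EVENTS = [
    (1001, "alice", "bob", "carol", "dave"),
    (1002, "alice", "bob", "carol", "dave"),
    (1004, "alice", "bob", "carol", "dave"),  # document 1003 is missing from the run
    (1004, "alice", "bob", "carol", "dave"),  # document 1004 appears twice
    (1005, "erin", "erin", "erin", "dave"),   # one person authorized, executed and recorded
]


def sequence_gaps_and_duplicates(numbers):
    """Account for a run of prenumbered documents: return the numbers missing
    between the lowest and highest seen, and the numbers used more than once."""
    counts = Counter(numbers)
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


def segregation_violations(events):
    """Flag events where a single agent held more than one of the four duties
    (authorization, execution, recording, custody) that should be segregated."""
    violations = []
    for doc, *duties in events:
        shared = sorted(agent for agent, c in Counter(duties).items() if c > 1)
        if shared:
            violations.append((doc, shared))
    return violations


def review(events=EVENTS):
    """Follow-up report an internal auditor would review before posting the batch."""
    missing, duplicates = sequence_gaps_and_duplicates([e[0] for e in events])
    return {
        "missing": missing,
        "duplicates": duplicates,
        "sod_violations": segregation_violations(events),
    }


if __name__ == "__main__":
    print(review())
```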

  48. Control Activities Input controls: • Used to control input of data into computer systems • Drop-down or look-up menus • Record-checking of data entered • Confirmation of data entered • Referential integrity controls • Format checks to limit data • Validation rules to limit the data • Defaults from data entered in prior sessions

  49. Control Activities Input controls: • Restriction against leaving a field blank • Field established as a primary key • Computer-generated values entered in records • Batch control totals taken before data entry compared to printouts after data entry • Review for errors before posting • Exception reports
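The input controls listed on slides 48 and 49 (format checks, validation rules, referential integrity against a master file, batch control totals and an exception report reviewed before posting) applied to one batch of keyed invoice records. This is an added example, not code from the slides or the textbook; the customer master, the invoice batch and the control totals are constructed sample data.

```python
"""Input controls over a keyed batch of invoice records."""
import re

# Constructed master file: customer numbers the Customer table knows about.
CUSTOMER_MASTER = {"C001", "C002", "C003"}

# Constructed batch keyed from paper invoices: (invoice_no, customer_no, amount).
BATCH = [
    {"invoice_no": "INV-0001", "customer_no": "C001", "amount": 120.00},
    {"invoice_no": "INV-0002", "customer_no": "C009", "amount": 80.00},   # customer not in master
    {"invoice_no": "INV0003",  "customer_no": "C002", "amount": -5.00},   # bad format, negative amount
    {"invoice_no": "INV-0004", "customer_no": "C003", "amount": 300.00},
]

# Control totals taken from the source documents before data entry (constructed).
CONTROL_TOTALS = {"record_count": 4, "amount_total": 500.00}

INVOICE_FORMAT = re.compile(r"^INV-\d{4}$")  # format check: INV- followed by four digits


def validate_record(rec):
    """Format check, validation rule and referential-integrity check for one record."""
    errors = []
    if not INVOICE_FORMAT.match(rec["invoice_no"]):
        errors.append("invoice_no format")
    if rec["amount"] <= 0:
        errors.append("amount must be positive")
    if rec["customer_no"] not in CUSTOMER_MASTER:
        errors.append("customer_no not in master file")
    return errors


def batch_totals_match(batch, control):
    """Compare record count and amount total after keying with the pre-entry totals."""
    count = len(batch)
    total = round(sum(r["amount"] for r in batch), 2)
    return count == control["record_count"] and total == control["amount_total"]


def exception_report(batch=BATCH, control=CONTROL_TOTALS):
    """Exception report reviewed before posting: per-record errors plus batch status."""
    exceptions = {}
    for rec in batch:
        errors = validate_record(rec)
        if errors:
            exceptions[rec["invoice_no"]] = errors
    return {"batch_ok": batch_totals_match(batch, control), "exceptions": exceptions}


if __name__ == "__main__":
    print(exception_report())
```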

  50. Control Activities General controls: • Broader controls that apply to multiple processes • Help workflow and input controls be effective • Organized into four categories: • Information systems (IS) planning • Organizing the information technology (IT) function • Identifying and developing IS solutions • Implementing and operating accounting systems
