acct 316 acct 316 acct 316 control and accounting information systems 7 uaa – acct 316 accounting...

Acct 316 Acct 316 Acct 316 Acct 316 Acct 316 Acct 316

Acct 3

16 A

cct 3

16 A

cct 3

16

Control and Accounting Information Systems

7 UAA – ACCT 316 Accounting Information Systems

Dr. Fred Barbee

Chap

ter


Acct 3

16 A

cct 3

16 A

cct 3

16

Introduction to Internal Control

Acct 3

16 A

cct 3

16 A

cct 3

16

Internal Control . . .

Can an information system operate without internal controls?

Perhaps.

Will the organization attain its objectives?

Perhaps.


Acct 3

16 A

cct 3

16 A

cct 3

16

Why Internal Control?

Acct 3

16 A

cct 3

16 A

cct 3

16

Why Controls . . .

To Ensure system goals are achieved

To Lessen the risk of unwanted outcomes

Acct 3

16 A

cct 3

16 A

cct 3

16

Controls . . .

What are the goals that internal control is designed to achieve?

What are the typical business risks that the organization should try to avoid?


Acct 3

16 A

cct 3

16 A

cct 3

16

What are the goals that internal control is designed to help achieve?

Question

Acct 3

16 A

cct 3

16 A

cct 3

16

Internal Control Goals

The National Commission on Fraudulent Financial Reporting

Appointed

The Committee of Sponsoring Organizations (COSO)

To study internal control

Acct 3

16 A

cct 3

16 A

cct 3

16

Internal Control Goals

COSO entity objectives . . .

Operations - relating to effective and efficient use of an entity’s resources.

Financial Reporting - relating to preparation of reliable financial reports.

Compliance - relating to the entity’s compliance with applicable laws and regulations.


Acct 3

16 A

cct 3

16 A

cct 3

16

What are the typical business risks that an organization should try to avoid?

Question

Acct 3

16 A

cct 3

16 A

cct 3

16

What is Risk?

The dictionary defines risk as . . .

What is an exposure?

Hazard; peril; exposure to loss or injury.

Exposure . . .

. . . the potential financial effect of an event multiplied by its probability of occurrence.

Potential Financial

Effect of an Event

Probability of

OccurrenceExposure

Risk Analysis

THREAT EXPOSURE RISK EXPECTEDLOSS

* * =

Risk Analysis

THREAT EXPOSURE RISK EXPECTEDLOSS

* * =

Internal Controls

Controls . . .

An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence.

$5,000,000

X 5% = $250,000

Potential Financial

Effect of an Event

Probability of

OccurrenceExposure

Direct Material Variances

An example of a control system in accounting

AQ X AP

Rate Varianc

e

AQ X SP SQ X SP

Quantity

Variance


Acct 3

16 A

cct 3

16 A

cct 3

16

Common Business Exposures


Erroneous Record Keeping

Erroneous Record Keeping

UnacceptableAccountingUnacceptableAccounting

BusinessInterruptions

BusinessInterruptions

Erroneous Management

Decisions

Erroneous Management

Decisions

BusinessExposures

BusinessExposures


Fraud andEmbezzlement

Fraud andEmbezzlement

StatutorySanctionsStatutorySanctions

ExcessiveCosts

ExcessiveCosts

Loss/DestructionOf Resources

Loss/DestructionOf Resources

CompetitiveDisadvantage

CompetitiveDisadvantage

BusinessExposuresBusinessExposures


Acct 3

16 A

cct 3

16 A

cct 3

16

What are the legal responsibilities of management?

Or, what are we supposed to do?

Acct 3

16 A

cct 3

16 A

cct 3

16

The establishment and maintenance of a system of internal controls is an important management obligation.

The SEC . . .

Acct 3

16 A

cct 3

16 A

cct 3

16

A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.

The SEC . . .

Acct 3

16 A

cct 3

16 A

cct 3

16

Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.

The SEC . . .

Acct 3

16 A

cct 3

16 A

cct 3

16

Legal Responsibilities

Management is legally responsible

for establishing and maintaining an adequate system of internal control.

Acct 3

16 A

cct 3

16 A

cct 3

16

An adequate system of internal control is necessary to management’s discharge of these obligations.

The SEC . . .

Acct 3

16 A

cct 3

16 A

cct 3

16

OK, so what if management

doesn’t do this. What then?

Enter . . .

TheForeignCorrupt

PracticesAct

Acct 3

16 A

cct 3

16 A

cct 3

16

FCPA Legal Requirement

Make and keep books, records, and accounts

that, in reasonable detail, accurately and fairly reflect the transactions of the registrant and the disposition of its assets.

Acct 3

16 A

cct 3

16 A

cct 3

16

FCPA Legal Requirement

Design and maintain

a system of internal accounting controls

sufficient to provide reasonable assurances

that certain specified objectives are met.


Acct 3

16 A

cct 3

16 A

cct 3

16

The Internal Control Structure . . .

What is Internal Control?

Acct 3

16 A

cct 3

16 A

cct 3

16

Standards of Field Work

The Field Work standards are so named because they pertain primarily to the conduct of the audit at the client’s place of business; that is, in the field.

Acct 3

16 A

cct 3

16 A

cct 3

16

Second Standard of Field Work

A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.


Acct 3

16 A

cct 3

16 A

cct 3

16

Defining Internal Control

Reviewing the Literature

Acct 3

16 A

cct 3

16 A

cct 3

16

1949 Committee on Auditing Procedure

A system of internal control should be designed to achieve objectives that are both

operational and

accounting in nature.

Acct 3

16 A

cct 3

16 A

cct 3

16

Defining Internal Control

The 1958 definition was the first to differentiate between

accounting controls and

administrative controls,

A distinction that is very important to independent auditors.

In 1963, chapter 5 of Statement on Auditing Procedure No. 33 attempted to clarify the distinction between administrative and accounting controls, stating that the independent auditor is primarily concerned with the latter when applying generally accepted auditing standards.

After 1963, there continued to be confusion concerning the scope of the auditor’s responsibility as it related to safeguarding of assets and the reliability of financial statements.


Acct 3

16 A

cct 3

16 A

cct 3

16

So . . . What is Internal Control?

Acct 3

16 A

cct 3

16 A

cct 3

16

Cohen Commission Report

Published annual reports should contain a report in which corporate management discloses the condition of the company’s internal control system.


Acct 3

16 A

cct 3

16 A

cct 3

16

Internal Control

Some Recent Additions

Acct 3

16 A

cct 3

16 A

cct 3

16


Information Systems Audit and Control Foundation –

Control Objectives for Information and Related Technology COBIT

Audience: Management; Users; IS Auditors

Focus: Information Technology

Responsibility:

Management

Size: 187 Pages – 4 Documents

COBIT

Acct 3

16 A

cct 3

16 A

cct 3

16

A set of processes including policies, procedures, practices, and organizational structure.

www.isaca.org/bkr_cbt3.htm

Internal Control Viewed as:

Acct 3

16 A

cct 3

16 A

cct 3

16

Effective & efficient operations

Confidentiality

Integrity & availability of information

Reliable financial reporting

Compliance with laws and regulations

Internal Control Objectives

Acct 3

16 A

cct 3

16 A

cct 3

16


Institute of Internal Auditors Research Foundation’s

Systems Auditability and Control (SAC)

Audience: Internal Auditors

Focus: Information Technology

Responsibility:

Management

Size: 1,193 pages in 12 modules

Systems Auditability and Control

Set of processes, subsystems, and people.

www.theiia.org

Internal Control Viewed as . . .

Acct 3

16 A

cct 3

16 A

cct 3

16

Effective & efficient operations



Internal Control Objectives

Acct 3

16 A

cct 3

16 A

cct 3

16

Acct 3

16 A

cct 3

16 A

cct 3

16


The Committee of Sponsoring Organizations of the Treadway Commission

Internal Control – Integrated Framework

Audience: Management

Focus: Overall Entity

Responsibility:

Management

Size: 353 pages in 4 volumes

COSO

Acct 3

16 A

cct 3

16 A

cct 3

16

Internal control viewed as a process.

www.coso.org

COSO

Acct 3

16 A

cct 3

16 A

cct 3

16

Internal control objectives:

Effective and efficient operations



COSO

Acct 3

16 A

cct 3

16 A

cct 3

16


American Institute of Certified Public Accountants –

Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55)

Audience: External Auditors

Focus: Financial Statement

Responsibility:

Management

Size: 63 pages in 2 documents

SAS 55 & SAS 78

Acct 3

16 A

cct 3

16 A

cct 3

16

SAS 55/78

Internal control viewed as a process.

www.aicpa.org

Acct 3

16 A

cct 3

16 A

cct 3

16

SAS 55/78

Internal control objectives:

Effective and efficient operations




Acct 3

16 A

cct 3

16 A

cct 3

16

National Commission on Fraudulent Financial Reporting

The TreadwayCommission

Acct 3

16 A

cct 3

16 A

cct 3

16

Treadway Commission

Emphasized the importance of internal control. Specifically . . .

The control environment;

Codes of conduct;

Audit committees; and

The internal audit function

Acct 3

16 A

cct 3

16 A

cct 3

16

Treadway Commission

The commission reaffirmed the Cohen Commission’s call for management reports on the effectiveness of its internal controls.

Acct 3

16 A

cct 3

16 A

cct 3

16

COSO Report . . .

COSO’s final report “Internal Control – Integrated Framework” was issued in September 1992

4 volumes

453 pages

Thousands of hours of work

Acct 3

16 A

cct 3

16 A

cct 3

16

COSO Report . . .

Provides a common definition of internal control to meet the needs of diverse users.

Provides a framework against which entities can assess and improve their internal control systems.


Acct 3

16 A

cct 3

16 A

cct 3

16


The COSO Definition

Internal control is a process, effected by an entity’s board of directors, management, and other personnel,

COSO

designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

COSO

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws and regulations.

COSO

Key Concepts

Internal control is a process. It is a means to an end, not an end in itself.

Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.

COSO

Key ConceptsInternal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.

Internal control is geared to the achievement of objectives in one or more overlapping categories.

COSO

It consists of several interrelated components, with

integrity, ethical values;competence, and the control environment,

serving as the foundation for the other components.

COSO

Coso’s Components

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information & Communication

5. Monitoring

COSO

Acct 3

16 A

cct 3

16 A

cct 3

16

COSO Integrated Framework

Acct 3

16 A

cct 3

16 A

cct 3

16

Control Environment

Commitment to integrity and ethical values;

Management’s philosophy and operating style;

Organizational structure

The audit committee of the board of directors.

Acct 3

16 A

cct 3

16 A

cct 3

16

Control Environment

Methods of assigning authority and responsibility.

Human resources policies and practices

External influences

Acct 3

16 A

cct 3

16 A

cct 3

16


Acct 3

16 A

cct 3

16 A

cct 3

16

Risk Assessment

Identification of risks

Analysis of risks

Management of risks

Acct 3

16 A

cct 3

16 A

cct 3

16

Typical Sources of Risk

Clerical and Operational employees

Computer programmers

Managers and Accountants

Former Employees

Customers and Suppliers

Acct 3

16 A

cct 3

16 A

cct 3

16

Typical Sources of Risk

Competitors

Outside persons

Acts of Nature

Acct 3

16 A

cct 3

16 A

cct 3

16

Types of Risks

Unintentional Errors

Deliberate Errors (Fraud)

Unintentional Losses of Assets

Thefts of Assets

Breaches of Security

Acts of violence and Natural Disasters

Acct 3

16 A

cct 3

16 A

cct 3

16

Factors That Increase Risk Exposure

Frequency

Vulnerability

Size of the potential loss

Acct 3

16 A

cct 3

16 A

cct 3

16

Problem Conditions Affecting Risk Exposures

Collusion

Computer Crime

Lack of Enforcement

Acct 3

16 A

cct 3

16 A

cct 3

16


Acct 3

16 A

cct 3

16 A

cct 3

16

Control Activities

Proper authorization of transactions and activities

Acct 3

16 A

cct 3

16 A

cct 3

16

Control Activities

Proper authorization of transactions and activitiesSegregation of duties

Segregation of Duties

Authorization Recording Custody

Must Be Separate

Acct 3

16 A

cct 3

16 A

cct 3

16

Control Activities

Proper authorization of transactions and activitiesSegregation of dutiesDesign and use of adequate documents and records

Acct 3

16 A

cct 3

16 A

cct 3

16

Control Activities

Proper authorization of transactions and activitiesSegregation of dutiesDesign and use of adequate documents and recordsAdequate safeguards of assets & records

Acct 3

16 A

cct 3

16 A

cct 3

16

Control Activities

Proper authorization of transactions and activitiesSegregation of dutiesDesign and use of adequate documents and recordsAdequate safeguards of assets & recordsIndependent checks on performance.

Acct 3

16 A

cct 3

16 A

cct 3

16


Acct 3

16 A

cct 3

16 A

cct 3

16

Information and Communication

Identify, assemble, analyze, classify, record and report transactions

Maintain accountability for assets and liabilities

Open and well-defined lines of communication

Acct 3

16 A

cct 3

16 A

cct 3

16


Acct 3

16 A

cct 3

16 A

cct 3

16

Monitoring

Effective supervision

Responsibility accounting

Internal auditing


Acct 3

16 A

cct 3

16 A

cct 3

16


Classifications

Input Process Output

Sensor

Bench-mark

Detective and Corrective Controls

Corrective Controls

Preventive, Detective, and Corrective Controls

Control Classifications

By Objectives By Settings By Risk Aversion

Administrative

Accounting

General

ApplicationInput

Processing Output

CorrectivePreventive

Detective

By System ArchitecturesManual Systems

Computer Based SystemsBatch ProcessingOnline Processing

Data Base


Acct 3

16 A

cct 3

16 A

cct 3

16


Some Common Grounds

Acct 3

16 A

cct 3

16 A

cct 3

16

Some Common Ground

A system of internal control is not an end in itself.

It is, rather, a means to an end.

Internal control is a system

Clearly defined goals

Interrelated components acting in concert to achieve those goals.

Acct 3

16 A

cct 3

16 A

cct 3

16

Some Common Ground

Establishing a viable internal control system in management’s responsibility.

The strength of any internal control system is largely a function of the people who operate it.

Acct 3

16 A

cct 3

16 A

cct 3

16

Some Common Ground

Internal control cannot be expected to provide 100% assurance that the organization will reach its objectives.

Internal control is not “free;” it has a cost associated with it.