Control and Accounting Information Systems: UAA ACCT 316 Accounting Information Systems


Post on 11-Jan-2016






  • Control and Accounting Information Systems. UAA ACCT 316 Accounting Information Systems. Dr. Fred Barbee. Chapter 7

  • Introduction to Internal Control

  • Internal Control . . . Can an information system operate without internal controls? Perhaps. Will the organization attain its objectives? Perhaps.

  • Why Internal Control?

  • Why Controls . . . To Ensure system goals are achieved

    To Lessen the risk of unwanted outcomes

  • Controls . . . What are the goals that internal control is designed to achieve? What are the typical business risks that the organization should try to avoid?

  • What are the goals that internal control is designed to help achieve?


  • Internal Control Goals: The National Commission on Fraudulent Financial Reporting appointed the Committee of Sponsoring Organizations (COSO) to study internal control.

  • Internal Control Goals: COSO entity objectives . . . Operations - relating to effective and efficient use of an entity's resources. Financial Reporting - relating to preparation of reliable financial reports. Compliance - relating to the entity's compliance with applicable laws and regulations.

  • Question: What are the typical business risks that an organization should try to avoid?

  • What is Risk? The dictionary defines risk as . . . hazard; peril; exposure to loss or injury. What is an exposure?

  • Exposure . . . the potential financial effect of an event multiplied by its probability of occurrence.

    [Diagram labels: Potential Financial Effect of an Event; Probability of Occurrence]

  • Risk Analysis [diagram labels: Threat; Exposure; Risk; Expected Loss; Internal Controls]

  • Controls . . . An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence: $5,000,000 × 5% = $250,000


  • Direct Material Variances: An example of a control system in accounting

  • Common Business Exposures

  • What are the legal responsibilities of management? Or, what are we supposed to do?

  • The SEC . . . The establishment and maintenance of a system of internal controls is an important management obligation.

  • The SEC . . . A fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.

  • The SEC . . . Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.

  • Legal Responsibilities: Management is legally responsible for establishing and maintaining an adequate system of internal control.

  • The SEC . . . An adequate system of internal control is necessary to management's discharge of these obligations.

  • OK, so what if management doesn't do this? What then?

  • Enter . . .


  • FCPA Legal Requirement: Make and keep books, records, and accounts that, in reasonable detail, accurately and fairly reflect the transactions of the registrant and the disposition of its assets.

  • FCPA Legal Requirement: Design and maintain a system of internal accounting controls sufficient to provide reasonable assurances that certain specified objectives are met.

  • The Internal Control Structure . . . What is Internal Control?

  • Standards of Field Work: The Field Work standards are so named because they pertain primarily to the conduct of the audit at the client's place of business; that is, in the field.

  • Second Standard of Field Work: A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.

  • Defining Internal Control: Reviewing the Literature

  • 1949 Committee on Auditing Procedure: A system of internal control should be designed to achieve objectives that are both operational and accounting in nature.

  • Defining Internal Control: The 1958 definition was the first to differentiate between accounting controls and administrative controls, a distinction that is very important to independent auditors.

  • In 1963, chapter 5 of Statement on Auditing Procedure No. 33 attempted to clarify the distinction between administrative and accounting controls, stating that the independent auditor is primarily concerned with the latter when applying generally accepted auditing standards.

  • After 1963, there continued to be confusion concerning the scope of the auditor's responsibility as it related to safeguarding of assets and the reliability of financial statements.

  • So . . . What is Internal Control?

  • Cohen Commission Report: Published annual reports should contain a report in which corporate management discloses the condition of the company's internal control system.

  • Internal Control: Some Recent Additions

  • Internal Control . . . Information Systems Audit and Control Foundation: Control Objectives for Information and Related Technology (COBIT)

    Audience: Management; Users; IS Auditors

    Focus: Information Technology

    Size: 187 pages in 4 documents

  • Internal Control Viewed as: A set of processes including policies, procedures, practices, and organizational structure.

  • Internal Control Objectives: Effective & efficient operations; Confidentiality, integrity & availability of information; Reliable financial reporting; Compliance with laws and regulations

  • Internal Control . . . Institute of Internal Auditors Research Foundation's Systems Auditability and Control (SAC)

  • Systems Auditability and Control

    Audience: Internal Auditors

    Focus: Information Technology

    Size: 1,193 pages in 12 modules

  • Internal Control Viewed as . . . Set of processes, subsystems, and people.

  • Internal Control Objectives: Effective & efficient operations; Reliable financial reporting; Compliance with laws and regulations

  • Internal Control . . . The Committee of Sponsoring Organizations of the Treadway Commission: Internal Control - Integrated Framework

  • COSO

    Focus: Overall Entity

    Size: 353 pages in 4 volumes

  • Internal control viewed as a process. (COSO)

  • Internal control objectives: Effective and efficient operations; Reliable financial reporting; Compliance with laws and regulations (COSO)

  • Internal Control . . . American Institute of Certified Public Accountants: Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55)

  • SAS 55 & SAS 78

    Audience: External Auditors

    Focus: Financial Statement

    Size: 63 pages in 2 documents

  • SAS 55/78: Internal control viewed as a process.

  • SAS 55/78: Internal control objectives: Effective and efficient operations; Reliable financial reporting; Compliance with laws and regulations

  • National Commission on Fraudulent Financial Reporting: The Treadway Commission

  • Treadway Commission: Emphasized the importance of internal control. Specifically . . . the control environment; codes of conduct; audit committees; and the internal audit function.

  • Treadway Commission: The commission reaffirmed the Cohen Commission's call for management reports on the effectiveness of its internal controls.

  • COSO Report . . . COSO's final report, Internal Control - Integrated Framework, was issued in September 1992: 4 volumes; 453 pages; thousands of hours of work.

  • COSO Report . . . Provides a common definition of internal control to meet the needs of diverse users. Provides a framework against which entities can assess and improve their internal control systems.

  • Internal Control . . . The COSO Definition

  • Internal control is a process, effected by an entity's board of directors, management, and other personnel, (COSO)

  • designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (COSO)

  • Effectiveness and efficiency of operations; Reliability of financial reporting; Compliance with applicable laws and regulations. (COSO)

  • Key Concepts: Internal control is a process. It is a means to an end, not an end in itself. Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization. (COSO)

  • Key Concepts: Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board. Internal control is geared to the achievement of objectives in one or more overlapping categories. (COSO)

  • It consists of several interrelated components, with integrity, ethical values, competence, and the control environment serving as the foundation for the other components. (COSO)

  • COSO's Components: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring (COSO)

  • COSO Integrated Framework

  • Control Environment: Commitment to integrity and ethical values; Management's philosophy and operating style; Organizational structure; The audit committee of the board of directors.

  • Control Environment: Methods of assigning authority and responsibility; Human resources policies and practices; External influences

  • Risk Assessment: Identification of risks; Analysis of risks; Management of risks

  • Typical Sources of Risk: Clerical and Operational employees; Computer programmers; Managers and Accountants; Former Employees; Customers and Suppliers

  • Typical Sources of Risk: Competitors; Outside persons; Acts of Nature

  • Types of Risks: Unintentional Errors; Deliberate Errors (Fraud); Unintentional Losses of Assets; Thefts of Assets; Breaches of Security; Acts of violence and Natural Disasters

  • Factors That Increase Risk Exposure: Frequency; Vulnerability; Size of the potential loss

  • Problem Conditions Affecting Risk Exposures: Collusion; Computer Crime; Lack of Enforcement

  • Control Activities: Proper authorization of transactions and activities

  • Control Activities: Proper authorization of transactions and activities; Segregation of duties

  • Segregation of Duties: Authorization; Recording; Custody. Must Be Separate

  • Control Activities: Proper authorization of transactions and activities; Segregation of duties; Design and use of adequate documents and records

  • Control Activities: Proper authorization of transactions and activities; Segregation of duties; Design and use of adequate documents and records; Adequate safeguards of assets & records

  • Control Activities: Proper authorization of transactions and activities; Segregation of duties; Design and use of adequate documents and records; Adequate safeguards of assets & records; Independent checks on performance.

  • Information and Communication: Identify, assemble, analyze, classify, record and report transactions; Maintain accountability for assets and liabilities; Open and well-defined lines of communication

  • Monitoring: Effective supervision; Responsibility accounting; Internal auditing

  • Internal Control . . . Classifications

  • [Diagram: Input; Process; Output; Sensor; Benchmark. Labels: Detective and Corrective Controls; Corrective Controls; Preventive, Detective, and Corrective Controls]

  • Control Classifications: By Objectives; By Settings; By Risk Aversion; Administrative

    Application; Input; Processing; Output; Corrective; Preventive

    By System Architectures: Manual Systems; Computer Based Systems; Batch Processing; Online Processing; Data Base

  • Internal Control . . . Some Common Grounds

  • Some Common Ground: A system of internal control is not an end in itself. It is, rather, a means to an end. Internal control is a system: Clearly defined goals; Interrelated components acting in concert to achieve those goals.

  • Some Common Ground: Establishing a viable internal control system is management's responsibility. The strength of any internal control system is largely a function of the people who operate it.

  • Some Common Ground: Internal control cannot be expected to provide 100% assurance that the organization will reach its objectives. Internal control is not free; it has a cost associated with it.

    Since control does mean different things to different people, we need to establish a good working definition. Internal control runs to the very heart of the practice of public accounting, as can be seen in the Second Standard of Field Work of the ten generally accepted auditing standards (GAAS).

    From the 1940s to the mid-1970s, most of the discussion of control appeared in the auditing literature. Let's review the literature briefly.

    This confusion led to further refinement of the definitions of administrative and accounting controls in 1972.

    The 1980s witnessed a number of business failures and alleged audit inadequacies. This led to both Congressional hearings and to private-sector initiatives to set our house in order.

    In recent years increased attention has been devoted to internal control by auditors, managers, accountants, and legislators.

    Five recently issued documents are the results of continuing efforts to define, assess, report on, and improve internal control.

    Primary Audience: Management, Users, IS Auditors; Focus: Information Technology; Responsibility: Management; Size: 187 pages in four documents

    Primary Audience: Internal Auditors; Focus: Information Technology; Responsibility: Management; Size: 1,193 pages in 12 modules

    Primary Audience: Management; Focus: Overall Entity; Responsibility: Management; Size: 353 pages in four volumes

    Audience: External Auditors; Focus: Financial Statements; Responsibility: Management; Size: 63 pages in two documents

    In 1985, the National Commission on Fraudulent Financial Reporting (The Treadway Commission) was created. This commission was jointly sponsored by AICPA, AAA, FEI, IIA, and IMA. The commission reported in 1987. Currently the COSO Chairman is John Flaherty, Chairman, Retired VP and General Auditor for PepsiCo, Inc.

    Finally, the commission called for the sponsoring organizations to work together to reach a consensus on the various internal control concepts and definitions that had evolved over the years. From this COSO was formed in 1985 and undertook a multi-year study leading to the publication in March 1991 of an exposure draft entitled Internal Control - Integrated Framework.

    The control environment is the foundation for all other components of internal control.

    Control Classifications: Controls may be classified by Objectives; Risk Aversion; Settings; Systems Architecture