Chapter 9-1
Chapter 9-2
Chapter 9: Introduction to Internal Control
Systems
Introduction
1992 COSO Report
Updates on Risk Assessment & 2013 Update
Examples of Control Activities
2011 COBIT, Version 5
Types of Controls
Evaluating Controls
Chapter 9-3
Introduction – Fraud (Ch 11) & Errors
Errors
Errors may be the result of many factors:
Distractions – concurrent tasks, work environment, personal situations
Complexity – it is easier to complete a simple task than a hard one
Limitations – fatigue, cognitive limitations, etc.
Chapter 9-4
Definition: policies, plans, and procedures implemented to protect a firm's assets
People involved: board of directors, management, other key personnel
Internal Control Systems
Chapter 9-5
Provides reasonable assurance of:
Effectiveness and efficiency of operations
Reliability of financial reporting
Protection of assets
Compliance with applicable laws and regulations
Important guidance: Statement on Auditing Standards No. 94; Sarbanes-Oxley Act of 2002
Internal Control Systems
Chapter 9-6
Risk Control Strategies
Avoidance – eliminating the exposure through policy, training and education, or technology
Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
Mitigation – reducing the impact through planning and preparation
Acceptance – doing nothing when the cost of the control would exceed the loss it prevents
Chapter 9-7
Internal Control System Objectives
Safeguard assets
Check the accuracy and reliability of accounting data
Promote operational efficiency
Enforce prescribed managerial policies
Chapter 9-8
Information System Goals – CIA Triangle
Confidentiality
Integrity
Availability
Chapter 9-9
CIA Triangle
Confidentiality – ensuring that information is accessible only to those who are properly authorized
Integrity – ensuring that data has not been modified without authorization
Availability – ensuring that systems are operational when needed for use
Chapter 9-10
Background Information on Internal Controls
Chapter 9-13
1992 COSO Report
Defines internal control and components
Presents criteria to evaluate internal control systems
Provides guidance for public reporting on internal controls
Offers materials to evaluate an internal control system
Chapter 9-14
Control Environment
Management's oversight, integrity, and ethical principles
Attention and direction by board of directors
Management's philosophy and operating style
Method of assigning authority and responsibility
Method of organizing and developing employees
Components of Internal Control – COSO 1992
Chapter 9-15
Risk Assessment
Identify organizational risks
Analyze potential of risks (cost and likelihood of occurrence)
Cost-benefit analysis
Control Activities
Policies and procedures
Manual and automated
Components of Internal Control – COSO 1992
Chapter 9-16
Information and Communication
Inform employees
Roles and responsibilities
Importance of good working relationships
Monitoring
Evaluation of internal controls
Initiate corrective action when necessary
Components of Internal Control – COSO 1992
Chapter 9-17
2004 COSO Enterprise Risk Management Framework
Emphasizes enterprise risk management
Includes COSO (1992) control components
Three new components Objective setting Event identification Risk response
Chapter 9-18
2004 COSO Enterprise Risk Management
Framework
Chapter 9-19
Objective Setting
Strategic – high-level goals and mission
Operations – day-to-day efficiency, performance, and profitability
Reporting – internal and external
Compliance – laws and regulations
Components of Internal Control – COSO 2004
Chapter 9-20
Event Identification and Risk Response
Identify threats
Analyze risks
Implement cost-effective countermeasures
Additional considerations: risk tolerance; cost-benefit trade-offs
Components of Internal Control – COSO 2004
Chapter 9-21
COSO 2013 Objectives
Update Content - Reflect changes in business & operating environments
Broaden Application - Expand operations and reporting objectives
Clarify Requirements - Articulate principles to facilitate effective internal control
Chapter 9-22
COSO 1992, 2004, 2013
Environment changes have driven framework updates:
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in business
Demands and complexities in laws, rules, regulations, and standards
Expectations for competencies and accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and detecting fraud
COSO Cube (2013 Edition)
Update considers changes in business and operating environments
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities
Update articulates principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Update describes important characteristics of principles, e.g.:
• Some points of focus may not be suitable or relevant, and others may be identified
• Points of focus may facilitate designing, implementing, and conducting internal control
• There is no requirement to separately assess whether points of focus are in place
Control Environment – Principle 1. The organization demonstrates a commitment to integrity and ethical values.
Points of focus:
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner
Chapter 9-26
Chapter 9-27
Risk Assessment Worksheet
Chapter 9-28
Study Break #4
Which of the following is not one of the three additional components that was added in the 2004 COSO Report?
A. Objective setting
B. Risk assessment
C. Event identification
D. Risk response
Chapter 9-29
Examples of Control Activities
Good Audit Trail
Sound Personnel Policies and Practices
Separation of Duties
Physical Protection of Assets
Reviews of Operating Performance
Chapter 9-30
Good Audit Trail
Use of Audit Trail
Follow the path of data recorded in a transaction
Forward: from initial source documents to the final disposition of the data
Backward: from data on reports back to the source documents
Purpose of Audit Trail
Verify accuracy of recorded transactions
Detect errors and irregularities
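An audit trail only detects errors and irregularities if the trail itself cannot be quietly rewritten. The following is an added example, not code from the slides: a hash-chained audit trail in which each recorded step of a transaction (source document, journal entry, report line) commits to the previous entry, so an unauthorized change to any recorded amount, or the removal of an entry, is detected by a verification pass. It also shows the two tracing directions the slide describes. The document numbers, amounts and field names are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Added example (not from the slides): a tamper-evident audit trail.
# Every step in the life of a transaction (source document, journal entry,
# report line) is an entry whose SHA-256 hash covers its own content and the
# hash of the entry before it. All records below are constructed sample data.


@dataclass
class AuditEntry:
    seq: int
    source_doc: str   # e.g. a vendor invoice or receiving-report number
    step: str         # "source", "journal" or "report"
    detail: str
    amount: float
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash itself, in a canonical JSON encoding.
        body = {k: v for k, v in asdict(self).items() if k != "hash"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, source_doc: str, step: str, detail: str, amount: float) -> AuditEntry:
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        entry = AuditEntry(len(self.entries), source_doc, step, detail, amount, prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry whose content or link to its
        predecessor is broken, or None if the whole chain is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_hash != prev or entry.hash != entry.compute_hash():
                return i
            prev = entry.hash
        return None

    def trace(self, source_doc: str) -> List[AuditEntry]:
        """Forward trace: follow one source document to its final disposition."""
        return [e for e in self.entries if e.source_doc == source_doc]

    def sources_behind(self, step: str) -> List[str]:
        """Backward trace: which source documents feed a given step (e.g. 'report')."""
        return sorted({e.source_doc for e in self.entries if e.step == step})


def demo() -> tuple:
    trail = AuditTrail()
    trail.append("INV-1001", "source", "vendor invoice received", 1250.00)
    trail.append("INV-1001", "journal", "Dr Expense / Cr Accounts Payable", 1250.00)
    trail.append("INV-1001", "report", "AP aging report line", 1250.00)
    intact = trail.verify()                        # None: chain is consistent
    path = [e.step for e in trail.trace("INV-1001")]
    # Simulate an unauthorized edit of the recorded journal amount (a digit transposition).
    trail.entries[1].amount = 1520.00
    broken_at = trail.verify()                     # 1: the journal entry no longer matches its hash
    return intact, path, broken_at


if __name__ == "__main__":
    print(demo())
```

If the person altering entry 1 also recomputes its hash, the chain still breaks at entry 2, whose `prev_hash` no longer matches. What the chain cannot defend against on its own is a complete rewrite of every later entry by someone with write access to the whole log, so in practice the latest hash is periodically anchored outside the writer's control (signed, or written to append-only storage), which is the detective control's independence requirement in technical form.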
Chapter 9-31
Sound Personnel Policies
Chapter 9-32
Separation of Duties
Purpose
Structure of work assignments such that one employee's work checks the work of another
Separate Related Activities
Authorizing transactions
Recording transactions
Maintaining custody of assets
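In practice separation of duties is enforced in identity and access systems by checking that no one person accumulates conflicting duties over the same class of asset, both when reviewing existing access and before granting a new role. The following is an added example, not code from the slides: a conflict matrix for the three functions named above (authorize, record, custody), a hypothetical role catalogue that maps roles to duties, a review that reports every user whose roles collide, and a preventive check that refuses a role grant which would create a collision. The role names and user assignments are constructed.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Added example (not from the slides): separation-of-duties checking over
# role assignments. Roles, users and asset classes are hypothetical.

# Any two of the three functions held by one person over the same asset is a conflict.
CONFLICTING_DUTIES: Set[frozenset] = {
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"record", "custody"}),
}

# Hypothetical role catalogue: role -> set of (duty, asset class) pairs.
ROLES: Dict[str, Set[Tuple[str, str]]] = {
    "ap_clerk":        {("record", "cash")},
    "ap_manager":      {("authorize", "cash")},
    "cashier":         {("custody", "cash")},
    "warehouse_staff": {("custody", "inventory")},
    "purchasing":      {("authorize", "inventory")},
    "auditor":         set(),  # read-only review role, no operational duty
}

# Constructed sample of who holds which roles.
SAMPLE_USERS: Dict[str, List[str]] = {
    "alice": ["ap_clerk", "ap_manager"],          # records and approves payments
    "bob":   ["cashier"],
    "carol": ["warehouse_staff", "purchasing"],   # holds stock and approves purchases
    "dave":  ["ap_clerk", "warehouse_staff"],     # different asset classes
    "erin":  ["auditor"],
}


def sod_violations(user_roles: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Detective use: for each user, list (asset, duty_a, duty_b) conflicts that
    the union of their roles creates. Users with no conflict are omitted."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for user, roles in user_roles.items():
        duties: Set[Tuple[str, str]] = set()
        for role in roles:
            duties |= ROLES[role]
        # Group duties by asset class; only same-asset combinations conflict.
        by_asset: Dict[str, Set[str]] = {}
        for duty, asset in duties:
            by_asset.setdefault(asset, set()).add(duty)
        conflicts = []
        for asset, held in by_asset.items():
            for a, b in combinations(sorted(held), 2):
                if frozenset({a, b}) in CONFLICTING_DUTIES:
                    conflicts.append((asset, a, b))
        if conflicts:
            findings[user] = sorted(conflicts)
    return findings


def can_assign(user: str, new_role: str, user_roles: Dict[str, List[str]]) -> bool:
    """Preventive use: would granting new_role to user create a conflict?"""
    trial = {user: user_roles.get(user, []) + [new_role]}
    return user not in sod_violations(trial)


def two_person_check(txn: Dict[str, str]) -> List[str]:
    """Transaction-level check: the person who authorized, the person who
    recorded and the person holding custody must be three different people."""
    fields = ["authorized_by", "recorded_by", "custody_by"]
    return [f"{a} == {b} ({txn[a]})" for a, b in combinations(fields, 2) if txn[a] == txn[b]]


if __name__ == "__main__":
    for user, conflicts in sod_violations(SAMPLE_USERS).items():
        print(user, conflicts)
    print("bob may take ap_clerk:", can_assign("bob", "ap_clerk", SAMPLE_USERS))
```

Where staffing is too small to separate the duties (the common case in small firms), the role review does not go away; the conflicting assignment is documented and a compensating control such as independent review of that user's transactions is put in place, which is the mitigation strategy applied to the control itself.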
Chapter 9-33
Physical Protection of Assets
Inventory Controls
Stored in a safe location with limited access
Utilization of receiving report
Document Controls
Protecting valuable organizational documents: corporate charter, major contracts, blank checks, and SEC registration statements
Chapter 9-34
Physical Protection of Assets
Cash Control
Most susceptible to theft and human error
Fidelity bond coverage
Use checks for cash disbursements
Deposit the daily cash receipts intact
Chapter 9-35
Reviews of Operating Performance
Internal Audit Function
Reports to the Audit Committee of the Board of Directors
Independent of other subsystems, which enhances objectivity
Duties of Internal Auditors
Operational audits
Regular reviews of internal control systems
Chapter 9-36
Study Break #5
Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees?
A. Analysis, authorizing, transactions
B. Custody, monitoring, detecting
C. Recording, authorizing, custody
D. Analysis, recording, transactions
Chapter 9-37
Control Objectives for Information and related Technology (COBIT):
Strategic alignment
Realization of expected benefits of IT
Continual assessment of IT investment
Determine risk appetite
Measure and assess performance of IT resources
2011 COBIT, Version 5
Chapter 9-38
COBIT and Val IT Integration
Chapter 9-39
Types of Controls
Preventive Controls Prevent problems from occurring
Detective Controls Alert managers when preventive controls fail
Corrective controls Solve or correct a problem
Chapter 9-40
Evaluating Controls
Requirements of the Sarbanes-Oxley Act
Statement of management's responsibility for the internal control structure
Assessment of the effectiveness of the internal control structure
Attestation by the auditor on the accuracy of management's assessment
Chapter 9-41
Cost-Benefit Analysis
Chapter 9-42
Risk assessments are tricky
Choose between two treatments for 600 people affected by a deadly disease
"Saves 200 lives"
Chapter 9-43
Risk assessments are tricky
Choose between two treatments for 600 people affected by a deadly disease
"400 people will die"
Chapter 9-44
A Risk Matrix
Chapter 9-45
Chapter 9
Chapter 9-46
The Risk Management Process
Identify IT Assets
Assess IT Risks
Identify IT Controls
Document IT Controls
Monitor
Chapter 9-47
Risk Management – Asset Identification
Software
Data
Cash
Inventory
Facilities
Processes
People
Hardware
Chapter 9-48
Asset Valuation – What do we stand to lose?
Assets: people, data, hardware, software, facilities, (procedures)
Valuation Methods
Criticality to the organization's success
Revenue generated
Profitability
Cost to replace
Cost to protect
Embarrassment/liability
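The risk management process above (value the asset, assess the risk, pick a control) and the cost-benefit analysis and acceptance strategy covered earlier come together in the standard quantitative form: single loss expectancy is asset value times exposure factor, annualized loss expectancy is that times the annual rate of occurrence, and a control is worth buying only if the ALE it removes exceeds its annual cost. The following is an added example, not from the slides, carrying that calculation through for constructed risks and candidate treatments (mitigation, transference) and applying the acceptance rule when no treatment pays for itself. All asset values, rates and control costs are invented for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the slides): quantitative cost-benefit selection of
# a risk treatment. SLE = asset value x exposure factor; ALE = SLE x ARO.
# Every figure below is constructed.


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # e.g. replacement cost, from the asset valuation step
    exposure_factor: float  # fraction of the asset value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str            # "mitigation", "transference" or "avoidance"
    annual_cost: float
    aro_factor: float = 1.0  # multiplies ARO (0.25 = three quarters fewer incidents)
    ef_factor: float = 1.0   # multiplies exposure factor (insurance lowers the loss borne)


def residual(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied."""
    return Risk(risk.name, risk.asset_value,
                risk.exposure_factor * control.ef_factor,
                risk.aro * control.aro_factor)


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE removed by the control, less what the control costs per year."""
    return risk.ale - residual(risk, control).ale - control.annual_cost


def choose_treatment(risk: Risk, candidates: List[Control]) -> Tuple[str, Optional[Control], float]:
    """Pick the candidate with the largest positive net benefit. If none has a
    positive net benefit, the answer is acceptance: the protection costs more
    than the loss it prevents."""
    best = max(candidates, key=lambda c: net_benefit(risk, c), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return ("acceptance", None, 0.0)
    return (best.strategy, best, net_benefit(risk, best))


# Constructed scenario 1: ransomware against a file server valued at 200,000.
RANSOMWARE = Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2)
CANDIDATES = [
    Control("offline backups", "mitigation", annual_cost=6_000, ef_factor=0.2),
    Control("cyber insurance", "transference", annual_cost=12_000, ef_factor=0.3),
    Control("endpoint detection and response", "mitigation", annual_cost=25_000, aro_factor=0.25),
]

# Constructed scenario 2: defacement of a 2,000 lobby kiosk; hardening costs more than it saves.
KIOSK = Risk("lobby kiosk defacement", asset_value=2_000, exposure_factor=1.0, aro=0.5)
KIOSK_HARDENING = Control("kiosk hardening contract", "mitigation", annual_cost=3_000, aro_factor=0.1)


if __name__ == "__main__":
    for risk, options in ((RANSOMWARE, CANDIDATES), (KIOSK, [KIOSK_HARDENING])):
        strategy, control, benefit = choose_treatment(risk, options)
        print(f"{risk.name}: ALE {risk.ale:,.0f} -> {strategy}"
              + (f" via {control.name}, net benefit {benefit:,.0f}/yr" if control else ""))
```

The same arithmetic is what sits behind the "Acceptance" branch of the risk control strategies: the kiosk hardening contract would cut the ALE from 1,000 to 100 but costs 3,000 a year, so the rational answer is to accept the risk and budget for the occasional repair. The numbers also show why quantitative estimates should be treated cautiously: the choice between backups and insurance flips if the assumed ARO changes by a few tenths, and the framing examples in the preceding slides are a reminder that how the figures are presented shapes the decision as much as the figures themselves.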