Internal Control

Internal Control. The next two classes 1.Today, we will discuss the current business environment and the importance of internal control 2.Next, we will


The next two classes

1. Today, we will discuss the current business environment and the importance of internal control

2. Next, we will go over various control features and characteristics and try to map those into “procedures” we have seen so far in this course.

3. Then, we will discuss computer related control issues.

4. Finally, we will discuss some control cases.


Internal Control in Today’s Business Environment

Rather than march through the history of internal control in accounting, I will start with today’s IC environment, Sarbanes-Oxley, and go backwards (but not that far). Sarbanes-Oxley is a law that fundamentally changed the nature of the accounting profession, and its focus was on the “system” of internal control!

All of a sudden, this stuff I have been teaching became really, really important.


Sarbanes-Oxley

After Enron, Global Crossing, Adelphia, and WorldCom all exposed serious frauds in 2000/2001, Congress felt compelled to act. The result was the Sarbanes-Oxley Act of 2002. This act did primarily three things:

1) It established a new oversight process for the public accounting profession

2) It required management of a company to explicitly take responsibility for fraud or even significant weaknesses in internal control (so they could not claim ignorance if a fraud occurred, as Ken Lay did).

3) It required that auditors specifically test and report on the strength of internal controls for publicly traded companies.


PCAOB

The PCAOB is the Public Company Accounting Oversight Board.

It is a five-member board that oversees public accounting, and three of its members cannot be CPAs. Prior to SOX (the usual abbreviation for Sarbanes-Oxley), the Auditing Standards Board (of the AICPA) and the Financial Accounting Standards Board were the primary regulators of the industry. Of course, the SEC always had very strong influence. Now, however, there is DIRECT oversight by an independent board that does not reflect the views of the AICPA.


Section 302 of SOX

Section 302 of SOX requires that management certify their financial statements and disclose any material (we’ll talk about this term) weaknesses in internal control. This is new. Management can no longer say “it’s the auditor’s fault and the fault of the accounting department.” They are now responsible and can go to prison for up to 20 years or pay fines of up to $5 million.


Section 404 of SOX

Public companies must have a new report, attested to by the auditor, that contains management’s assessment and the auditor’s attestation of the system of internal control. The auditor must disclose the nature of their internal control tests.

While SOX does not explicitly hold the auditor more responsible for the conduct of their audit, the general feeling is that auditor exposure has increased. Many researchers are finding that auditors are now pricing audit risk into their audits when internal controls are not sufficient... This is NEW!


Audit Committee

• The audit committee is a subset of the board of directors of a company that hires and interfaces with the auditor.

• Think about the auditor for a moment. The auditor is hired by a company to investigate the company and tell everyone whether their financial statements are accurate (and honestly reported). This is a big conflict of interest.

• The audit committee isolates the auditor a bit more from the influence of management.

• Audit committees have been required for some time, but SOX has strengthened the separation between management and the auditor.

• Audit committees:

– Hire, compensate, and oversee the external auditor.

– The external auditor reports directly to the audit committee.

– Every member must be independent of management and must sit on the board of directors.

– One member must be a financial expert (such as an accountant).


What is the auditor’s responsibility?

• Prior to the 1970s, the auditor was primarily responsible for identifying errors and correcting them.

• The nature of errors and the nature of fraud are quite different - even if their impact on the financial statements is the same.

– Errors do not attempt to hide themselves whereas fraud is, by definition, hidden.

– Errors are not expected to be really significant in amount (or if they are, they are typically discovered and corrected very easily) whereas frauds are frequently huge.

– Auditors are rarely accused of negligence for not discovering “errors.”

• With SAS 83 and SAS 99, the auditor’s responsibility for identifying and reporting fraud was increased.

• SOX REALLY increased this responsibility!


How do we think about internal control?

(how do we structure our evaluation?)

• COSO (Committee of Sponsoring Organizations)

• COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

• COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.


How do we think about internal control?

(how do we structure our evaluation?)

• The National Commission was jointly sponsored by the five major financial professional associations in the United States:

– American Accounting Association

– American Institute of Certified Public Accountants

– Financial Executives Institute

– Institute of Internal Auditors

– National Association of Accountants (now the Institute of Management Accountants)

• The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.


We will focus on COSO

• 1992 Integrated Framework

• 2004 Enterprise Risk Management Framework - an update

COSO - Integrated Framework (1992)

There are five components of control:

• Control environment - tone of the organization

• Risk assessment - what internal and external risks might allow fraud or errors to arise

• Control activities - policies and procedures in place to prevent errors or fraud

• Information and communication - financial statements as well as policy manuals and other structural communications

• Monitoring - checking to see if things are working as they should

We now talk about each of these separately... But first, let’s take a lighter look at COSO (video).

Control Environment

• Integrity and ethical values

– If employees see top management engaging in unethical behavior, they are more likely to commit irregularities themselves.

• Commitment to competence

– Employees should be competent to perform their duties, and sufficient supervision should be provided.

• Board of directors and audit committee should be involved (active) and independent.

– This is now explicitly required by SOX.

• Management philosophy and operating style

– Is management risk-seeking? Are they fair in dealing with subordinates? How do they view their customers?

• Organizational structure and assignment of responsibility

– Are managers accountable for their actions? Is there any monitoring of their activities? How formal is the organizational structure? Do employees know that they will be held accountable and that someone is watching what they do?

• HR policies

– Well documented policies and open-door policies reduce the likelihood of serious irregularities. Communication is important here.

Look at Enron’s style, for example (two Enron video clips; the second contains explicit language).

Page 15: Internal Control. The next two classes 1.Today, we will discuss the current business environment and the importance of internal control 2.Next, we will

Risk assessment

Management needs to assess the likelihood that various bad things (exposures) might happen. They then need to have a plan of action that will either decrease the likelihoods of errors and irregularities or mitigate the damage if something bad does happen. (expanded with the 2004 Enterprise Risk Management Framework)

Control Activities

This will take several slides - since it is the meat of internal control.

• Authorization

– General authorization is the authorization that follows most, typical, transactions. For example, every time a sales order is accepted (approved), an accounts receivable clerk must look the customer up in the customer file and check to see that the customer has sufficient credit to allow the transaction.

– Specific authorization is the authorization that is needed for extraordinary or atypical transactions. For example, the controller must approve any sale of fixed assets, or the accounts receivable manager must approve credit sales over $10,000.

• Security for Assets and Records

– Typically, we are talking about restricting physical access to assets or sensitive data here. Also, a specific individual should be held responsible (accountable) for valuable assets and sensitive data. There should be a specific individual to whom you turn if there is a problem.

Control Activities

• Segregation of duties

– As we saw in the videos, certain activities should be performed by different people. This does two things. First, it provides a CHECK on the system. If one person makes an error, it will likely be caught by the next person in the chain. Also, though, it prevents an individual from stealing and then covering it up by altering the accounting documents (an on-book fraud). Recording should be separated from authorization and custody. We call these incompatible functions.

• Adequate documents and records

– The document trail or audit trail is how we find out what happened after the fact. We need to preserve the integrity of the document trail.

– Forms control and numbered documents: we should maintain control over the “recording function”. Part of this relates to using pre-numbered documents. If documents are numbered, then they can all be accounted for and we can make sure that no one was able to slip in a bogus document/transaction to cover up a theft or to create fictitious income.

– We should also have well-defined procedures for how documents are handled, such as canceling checks or other documents and who may sign off on certain documents.
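The three control activities just described (specific authorization over $10,000, segregation of recording, authorization and custody, and accounting for every pre-numbered document) can be tested mechanically over a transaction log. The code below is an added example, not part of the lecture; the sales-order records, the names and the assumption that “pat” is the accounts receivable manager are all constructed for illustration.

```python
"""Control-activity checks over a constructed sales-order log (added example).

  * specific authorization: credit sales over $10,000 need the AR manager
  * segregation of duties: one person holding two incompatible functions
  * pre-numbered documents: every number accounted for, and only once
"""
from dataclasses import dataclass

AR_MANAGER = "pat"            # assumed holder of the AR manager role
SPECIFIC_AUTH_LIMIT = 10_000  # dollar threshold from the lecture


@dataclass(frozen=True)
class SalesOrder:
    doc_no: int
    amount: float
    recorded_by: str    # entered the journal entry (recording)
    authorized_by: str  # approved the credit sale (authorization)
    shipped_by: str     # released the goods (custody)


def authorization_exceptions(orders):
    """Credit sales above the limit must carry the AR manager's approval."""
    return [o.doc_no for o in orders
            if o.amount > SPECIFIC_AUTH_LIMIT and o.authorized_by != AR_MANAGER]


def segregation_exceptions(orders):
    """Flag orders where one person performed two of the three functions."""
    bad = []
    for o in orders:
        roles = (o.recorded_by, o.authorized_by, o.shipped_by)
        if len(set(roles)) < len(roles):
            bad.append(o.doc_no)
    return bad


def sequence_exceptions(orders):
    """Pre-numbered forms: report missing and duplicated document numbers."""
    seen = sorted(o.doc_no for o in orders)
    expected = set(range(seen[0], seen[-1] + 1))
    missing = sorted(expected - set(seen))
    duplicates = sorted({n for n in seen if seen.count(n) > 1})
    return missing, duplicates


# Constructed sample: 1003 is missing, 1005 appears twice, 1004 is a
# $12,500 sale approved by a clerk, and the second 1005 was recorded,
# approved and shipped by the same person.
SAMPLE = [
    SalesOrder(1001, 800.0, "ann", "bob", "cy"),
    SalesOrder(1002, 4200.0, "ann", "bob", "cy"),
    SalesOrder(1004, 12500.0, "ann", "bob", "cy"),
    SalesOrder(1005, 950.0, "ann", "pat", "cy"),
    SalesOrder(1005, 950.0, "dan", "dan", "dan"),
    SalesOrder(1006, 15000.0, "ann", "pat", "cy"),
]

if __name__ == "__main__":
    print("specific authorization missing:", authorization_exceptions(SAMPLE))
    print("segregation of duties breached:", segregation_exceptions(SAMPLE))
    print("missing, duplicate doc numbers:", sequence_exceptions(SAMPLE))
```

Each function returns document numbers rather than a verdict, so an auditor can pull the underlying forms for the flagged items.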

Information and communication

• Double entry system and financial statements are the crux of this component, but it also includes policy manuals, the chart of accounts, trial balances, and other “accounting” things that we have done all along.

• Double entry system

– Any time someone steals inventory (or some other asset), they must debit some account or debits will not equal credits. What can they debit? The videos suggested that an expense is the most likely target - so you know where to look.

• Chart of accounts

– By fixing the number of possible types of entries, there is a fixed number of possible places that a person can attempt to hide a theft.

• Trial balance

– A trial balance identifies certain types of errors.

• Control accounts

– Control accounts summarize the activities in subsidiary accounts and should reconcile with the totals of the subsidiary accounts.
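Two of the checks above, that every journal entry balances and that a control account reconciles to its subsidiary ledger, are easy to run over posted data. This is an added example, not from the lecture; the journal, the customer balances and the account names are constructed.

```python
"""Double-entry and control-account checks over a constructed ledger (added example).

A journal entry is a list of (account, debit, credit) lines. Each entry
must balance, and the Accounts Receivable control account in the general
ledger must equal the sum of the per-customer subsidiary balances.
"""
from collections import defaultdict

CONTROL_ACCOUNT = "1200 Accounts Receivable"  # assumed chart-of-accounts name


def unbalanced_entries(journal):
    """Return ids of entries whose total debits differ from total credits."""
    bad = []
    for eid, lines in journal.items():
        debits = sum(d for _, d, _ in lines)
        credits = sum(c for _, _, c in lines)
        if round(debits - credits, 2) != 0:
            bad.append(eid)
    return bad


def ledger_balances(journal):
    """Post every line to the general ledger: balance = debits - credits."""
    gl = defaultdict(float)
    for lines in journal.values():
        for account, debit, credit in lines:
            gl[account] += debit - credit
    return dict(gl)


def reconcile_control(journal, subsidiary):
    """Difference between the AR control balance and the subsidiary total.

    subsidiary maps customer -> balance owed. A non-zero result means the
    summary and its detail disagree and the difference must be explained.
    """
    control = ledger_balances(journal).get(CONTROL_ACCOUNT, 0.0)
    return round(control - sum(subsidiary.values()), 2)


# Constructed journal: J3 credits inventory for 600 but debits only 300,
# so debits do not equal credits for that entry.
JOURNAL = {
    "J1": [(CONTROL_ACCOUNT, 5000.0, 0.0), ("4000 Sales", 0.0, 5000.0)],
    "J2": [("1000 Cash", 2000.0, 0.0), (CONTROL_ACCOUNT, 0.0, 2000.0)],
    "J3": [("6100 Shrinkage Expense", 300.0, 0.0), ("1300 Inventory", 0.0, 600.0)],
}
# Constructed subsidiary ledger: customers owe 2,500 in total while the
# control account shows 3,000, leaving 500 to be investigated.
SUBSIDIARY = {"Acme": 1500.0, "Birch Co": 1000.0}

if __name__ == "__main__":
    print("unbalanced entries:", unbalanced_entries(JOURNAL))
    print("AR control minus subsidiary:", reconcile_control(JOURNAL, SUBSIDIARY))
```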


Monitoring

• Internal auditing and external auditing obviously monitor the operations of a company.

• Internal auditors are more critical here since they are there ALL THE TIME. The problem is, the only thing they have at stake is their jobs - and they work for the company - so they lack the independent perspective of the external auditors.

• On the other hand, the external auditors only observe what they are permitted to observe. They can be manipulated by management. They have a much larger role, now, though. They must actually attest to the strength of controls.


The “cube” from 1992


The “cube” from 2004

COSO ERM framework 2004

• In 2004, COSO updated the framework to what they call the Enterprise Risk Management Framework. The idea is that we need to expand the risk assessment/risk planning part of the framework.

• This Enterprise Risk Management – Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.

• While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.

• Among the most critical challenges for management is determining how much risk the entity is prepared to accept, and does accept, as it strives to create value. This report will better enable them to meet this challenge.


Enterprise Risk Management defined…

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


How do we think about internal control?

(how do we structure our evaluation?)

• COBIT (Control Objectives for Information and related Technologies), developed by the Information Systems Audit and Control Foundation

• Three dimensions

– Business objectives: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability

– IT resources: people, software, technology, facilities, and data

– IT domains: planning and organization, acquisition and implementation, delivery and support, and monitoring (4 domains, 34 generic processes)

• Mainly focuses on COMPUTER SYSTEMS


Figure: the COBIT cube, “Key Driving Forces for COBIT” (source: 2007 IT Governance Institute, www.itgi.org). Its three axes are:

• Business Requirements - what the stakeholders expect from IT: effectiveness, efficiency, confidentiality, integrity, availability, compliance, information reliability

• IT Resources - the resources made available to, and built up by, IT: data, application systems, technology, facilities, people

• IT Processes - how IT is organised to respond to the requirements: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

COBIT Domain (process) example

Deliver and Support (DS)

DS1 Define and Manage Service Levels

DS2 Manage Third-party Services

DS3 Manage Performance and Capacity

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS6 Identify and Allocate Costs

DS7 Educate and Train Users

DS8 Manage Service Desk and Incidents

DS9 Manage the Configuration

DS10 Manage Problems

DS11 Manage Data

DS12 Manage the Physical Environment

DS13 Manage Operations

Plan and Organize (PO)

Acquire and Implement (AI)

Deliver and Support (DS)

Monitor and Evaluate (ME)

Sample COBIT Process

DS6 Identify and Allocate Costs

DS6.1 Definition of Services

Identify all IT costs, and map them to IT services to support a transparent cost model. IT services should be linked to business processes such that the business can identify associated service billing levels.

DS6.2 IT Accounting

Capture and allocate actual costs according to the enterprise cost model. Variances between forecasts and actual costs should be analysed and reported on, in compliance with the enterprise’s financial measurement systems.

DS6.3 Cost Modelling and Charging

Establish and use an IT costing model based on the service definitions that support the calculation of chargeback rates per service. The IT cost model should ensure that charging for services is identifiable, measurable and predictable by users to encourage proper use of resources.

DS6.4 Cost Model Maintenance

Regularly review and benchmark the appropriateness of the cost/recharge model to maintain its relevance and appropriateness to the evolving business and IT activities.