Title: Control and Accounting Information Systems
1 Control and Accounting Information Systems
Chapter 7
- UAA ACCT 316 Accounting Information Systems
- Dr. Fred Barbee
2 Introduction to Internal Control
3 Internal Control . . .
- Can an information system operate without internal controls?
  - Perhaps.
- Will the organization attain its objectives?
  - Perhaps.
4 Why Internal Control?
5 Why Controls . . .
- To ensure system goals are achieved
- To lessen the risk of unwanted outcomes
6 Controls . . .
- What are the goals that internal control is designed to achieve?
- What are the typical business risks that the organization should try to avoid?
7 What are the goals that internal control is designed to help achieve?
8 Internal Control Goals
- The National Commission on Fraudulent Financial Reporting
  - Appointed
  - The Committee of Sponsoring Organizations (COSO)
  - To study internal control
9 Internal Control Goals
- COSO entity objectives . . .
  - Operations - relating to effective and efficient use of an entity's resources.
  - Financial Reporting - relating to preparation of reliable financial reports.
  - Compliance - relating to the entity's compliance with applicable laws and regulations.
10 What are the typical business risks that an organization should try to avoid?
11 What is Risk?
- The dictionary defines risk as . . .
  Hazard, peril, exposure to loss or injury.
12 Exposure . . .
- . . . the potential financial effect of an event multiplied by its probability of occurrence.
Potential Financial Effect of an Event × Probability of Occurrence = Exposure
13 Risk Analysis
[Diagram: Expected Loss, Threat, Exposure, Risk]
14 Risk Analysis
[Diagram: Internal Controls, Expected Loss, Threat, Exposure, Risk]
15 Controls . . .
- An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence.
Potential Financial Effect of an Event × Probability of Occurrence = Exposure
5,000,000 × 5% = 250,000
16 Direct Material Variances
- An example of a control system in accounting
17 Common Business Exposures
18 Common Business Exposures
[Figure: Business Exposures]
19 Common Business Exposures
[Figure: Business Exposures]
20 What are the legal responsibilities of management?
- Or, what are we supposed to do?
21 The SEC . . .
- The establishment and maintenance of a system of internal controls is an important management obligation.
22 The SEC . . .
- A fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.
23 The SEC . . .
- Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.
24 Legal Responsibilities
- Management is legally responsible
  - for establishing and maintaining an adequate system of internal control.
25 The SEC . . .
- An adequate system of internal control is necessary to management's discharge of these obligations.
26 OK, so what if management doesn't do this? What then?
27 Enter . . . The Foreign Corrupt Practices Act
28 FCPA Legal Requirement
- Make and keep
  - books,
  - records, and
  - accounts
- that, in reasonable detail, accurately and fairly reflect the transactions of the registrant and the disposition of its assets.
29 FCPA Legal Requirement
- Design and maintain
  - a system of internal accounting controls
  - sufficient to provide reasonable assurances
  - that certain specified objectives are met.
30 The Internal Control Structure . . .
What is Internal Control?
31 Standards of Field Work
- The Field Work standards are so named because they pertain primarily to the conduct of the audit at the client's place of business, that is, in the field.
32 Second Standard of Field Work
- A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.
33 Defining Internal Control
Reviewing the Literature
34 1949 Committee on Auditing Procedure
- A system of internal control should be designed to achieve objectives that are both
  - operational and
  - accounting in nature.
35 Defining Internal Control
- The 1958 definition was the first to differentiate between
  - accounting controls and
  - administrative controls,
- a distinction that is very important to independent auditors.
36
- In 1963, chapter 5 of Statement on Auditing Procedure No. 33 attempted to clarify the distinction between administrative and accounting controls, stating that the independent auditor is primarily concerned with the latter when applying generally accepted auditing standards.
37
- After 1963, there continued to be confusion concerning the scope of the auditor's responsibility as it related to safeguarding of assets and the reliability of financial statements.
38 So . . . What is Internal Control?
39 Cohen Commission Report
- Published annual reports should contain a report in which corporate management discloses the condition of the company's internal control system.
40 Internal Control
Some Recent Additions
41 Internal Control . . .
- Information Systems Audit and Control Foundation
  - Control Objectives for Information and Related Technology (COBIT)
42 COBIT
Audience: Management, Users, IS Auditors
Focus: Information Technology
Responsibility: Management
Size: 187 pages, 4 documents
43 Internal Control Viewed as
- A set of processes including policies, procedures, practices, and organizational structure.
www.isaca.org/bkr_cbt3.htm
44 Internal Control Objectives
- Effective & efficient operations
- Confidentiality
- Integrity & availability of information
- Reliable financial reporting
- Compliance with laws and regulations
45 Internal Control . . .
- Institute of Internal Auditors Research Foundation's
  - Systems Auditability and Control (SAC)
46 Systems Auditability and Control
Audience: Internal Auditors
Focus: Information Technology
Responsibility: Management
Size: 1,193 pages in 12 modules
47 Internal Control Viewed as . . .
- Set of processes, subsystems, and people.
www.theiia.org
48 Internal Control Objectives
- Effective & efficient operations
- Reliable financial reporting
- Compliance with laws and regulations
49 Internal Control . . .
- The Committee of Sponsoring Organizations of the Treadway Commission
  - Internal Control - Integrated Framework
50 COSO
Audience: Management
Focus: Overall Entity
Responsibility: Management
Size: 353 pages in 4 volumes
51 COSO
- Internal control viewed as a process.
www.coso.org
52 COSO
- Internal control objectives
  - Effective and efficient operations
  - Reliable financial reporting
  - Compliance with laws and regulations
53 Internal Control . . .
- American Institute of Certified Public Accountants
  - Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55)
54 SAS 55 / SAS 78
Audience: External Auditors
Focus: Financial Statement
Responsibility: Management
Size: 63 pages in 2 documents
55 SAS 55/78
- Internal control viewed as a process.
www.aicpa.org
56 SAS 55/78
- Internal control objectives
  - Effective and efficient operations
  - Reliable financial reporting
  - Compliance with laws and regulations
57 National Commission on Fraudulent Financial Reporting
The Treadway Commission
58 Treadway Commission
- Emphasized the importance of internal control. Specifically . . .
  - The control environment
  - Codes of conduct
  - Audit committees and
  - The internal audit function
59 Treadway Commission
- The commission reaffirmed the Cohen Commission's call for management reports on the effectiveness of its internal controls.
60 COSO Report . . .
- COSO's final report, Internal Control - Integrated Framework, was issued in September 1992
  - 4 volumes
  - 453 pages
  - Thousands of hours of work
61 COSO Report . . .
- Provides a common definition of internal control to meet the needs of diverse users.
- Provides a framework against which entities can assess and improve their internal control systems.
62 Internal Control . . .
The COSO Definition
63 COSO
- Internal control is a process, effected by an entity's board of directors, management, and other personnel,
64 COSO
- designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
65 COSO
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.
66 COSO
- Key Concepts
  - Internal control is a process. It is a means to an end, not an end in itself.
  - Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
67 COSO
- Key Concepts
  - Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  - Internal control is geared to the achievement of objectives in one or more overlapping categories.
68 COSO
- It consists of several interrelated components, with
  - integrity,
  - ethical values,
  - competence, and
  - the control environment,
- serving as the foundation for the other components.
69 COSO
- COSO's Components
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information & Communication
  - Monitoring
70 COSO Integrated Framework
71 Control Environment
- Commitment to integrity and ethical values
- Management's philosophy and operating style
- Organizational structure
- The audit committee of the board of directors.
72 Control Environment
- Methods of assigning authority and responsibility.
- Human resources policies and practices
- External influences
73 COSO Integrated Framework
74 Risk Assessment
- Identification of risks
- Analysis of risks
- Management of risks
75 Typical Sources of Risk
- Clerical and Operational employees
- Computer programmers
- Managers and Accountants
- Former Employees
- Customers and Suppliers
76 Typical Sources of Risk
- Competitors
- Outside persons
- Acts of Nature
77 Types of Risks
- Unintentional Errors
- Deliberate Errors (Fraud)
- Unintentional Losses of Assets
- Thefts of Assets
- Breaches of Security
- Acts of violence and Natural Disasters
78 Factors That Increase Risk Exposure
- Frequency
- Vulnerability
- Size of the potential loss
79 Problem Conditions Affecting Risk Exposures
- Collusion
- Computer Crime
- Lack of Enforcement
80 COSO Integrated Framework
81 Control Activities
- Proper authorization of transactions and activities
82 Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
83 Segregation of Duties
Authorization, Recording, and Custody Must Be Separate
84 Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
- Design and use of adequate documents and records
85 Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
- Design and use of adequate documents and records
- Adequate safeguards of assets & records
86 Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
- Design and use of adequate documents and records
- Adequate safeguards of assets & records
- Independent checks on performance.
87 COSO Integrated Framework
88 Information and Communication
- Identify, assemble, analyze, classify, record and report transactions
- Maintain accountability for assets and liabilities
- Open and well-defined lines of communication
89 COSO Integrated Framework
90 Monitoring
- Effective supervision
- Responsibility accounting
- Internal auditing
91 COSO Integrated Framework
[Figure: Objectives (Financial Reporting, Compliance, Operations) and Components]
92 Internal Control . . .
93 Preventive, Detective, and Corrective Controls
[Diagram labels: Input, Process, Output, Sensor, Benchmark, Detective and Corrective Controls, Corrective Controls]
94 Control Classifications
- By Objectives: Administrative, Accounting
- By Settings: General, Application, Input, Processing, Output
- By Risk Aversion: Corrective, Preventive, Detective
- By System Architectures: Manual Systems, Computer Based Systems, Batch Processing, Online Processing, Data Base
95 Internal Control . . .
96 Some Common Ground
- A system of internal control is not an end in itself.
  - It is, rather, a means to an end.
- Internal control is a system
  - Clearly defined goals
  - Interrelated components acting in concert to achieve those goals.
97 Some Common Ground
- Establishing a viable internal control system is management's responsibility.
- The strength of any internal control system is largely a function of the people who operate it.
98 Some Common Ground
- Internal control cannot be expected to provide 100% assurance that the organization will reach its objectives.
- Internal control is not free; it has a cost associated with it.