Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES Internal Control and Accountants’ Roles Accountants as Managers – Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Management to prepare a statement describing and assessing the company’s internal control system Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Annual reports of public companies to include: (1) a statement that management is responsible for internal controls over financial reporting, Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Annual reports of public companies to include: (2) a statement identifying the framework used by management to evaluate internal controls, Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Annual reports of public companies to include (3) an assessment of internal controls and disclosure of any material weaknesses, and Internal Control and Accountants’ Roles Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires: Annual reports of public companies to include: (4) a statement that a public accounting firm has issued an attestation report on management’s assessment of internal control. Internal Control and Accountants’ Roles Accountants as Users – Must understand a company’s internal controls to apply them correctly. Internal Control and Accountants’ Roles Accountants as Designers of internal control procedures – Must understand a company’s internal controls in working to achieve to compliance with regulations and company objectives and to minimize risks Internal Control and Accountants’ Roles Accountants as Evaluators – must understand internal control systems to: Help develop management’s report that assesses internal controls (as internal auditors) Prepare an attestation to management’s statement about internal control (as external auditors) Conduct the audit of a company’s financial statements (as external auditors) Framework for Studying Internal Control Components of internal control (the COCO Report) Internal control objectives Risk assessment Framework for Studying Internal Control The COSO Report: 5 interrelated components of internal control: Control environment Risk assessment Control activities Information and communication Monitoring Internal Control Components and Objectives Internal control: Execution objectives – 2 execution objectives for the revenue cycle: Ensure proper delivery of goods and services Ensure proper collection and handling of cash 2 execution objectives for the acquisition cycle: Ensure proper receiving of goods and services Ensure proper payment and handling of cash Internal Control Components and Objectives Internal control: Information system objectives Focus on recording, updating, and reporting accounting information Important for ensuring effective execution of transactions Internal Control Components and Objectives Internal control: Asset protection objectives Focus on safeguarding assets to minimize risk of theft or loss of assets Internal Control Components and Objectives Internal control: Performance objectives – Focus on achieving favorable performance of an organization, person, department, product, or service Established to ensure effective operations Assessment of Execution Risks: Revenue Cycle Generic execution risks for each of the two revenue cycle transactions: 1.Delivering goods/services: Unauthorized sale/service permitted Authorized sale/service did not occur, occurred late, or was duplicated unintentally Wrong type of product/service Wrong quantity/quality Wrong customer/address Assessment of Execution Risks: Revenue Cycle Generic execution risks for each of the two revenue cycle transactions: 2. Collecting cash: Cash not collected or collected late Wrong amount of cash collected Assessment of Execution Risks: Acquisition Cycle Generic execution risks for each of the two acquisition cycle transactions: 1. Receiving goods/services: Unauthorized goods/services received Expected receipt of goods/services did not occur, occurred late, or was duplicated unintentionally Wrong type of product or service received Wrong quantity/quality Wrong supplier Assessment of Execution Risks: Acquisition Cycle Generic execution risks for each of the two acquisition cycle transactions: 2. Making payment: Unauthorized payment Cash not paid, paid late, or duplicate payment Wrong amount paid Wrong supplier paid Assessment of Execution Risks: Revenue & Acquisition Cycles Understanding and assessing execution risks – 5 steps: Step 1. Achieve understanding of the processes Step 2. Identify the at-risk goods/services provided and cash received Step 3. Restate generic risk to describe the execution risk more precisely for process under study - exclude irrelevant/immaterial risks Assessment of Execution Risks: Revenue & Acquisition Cycles Understanding and assessing execution risks – 5 steps: Step 4. Assess the significance of remaining risks Step 5. Identify factors that contribute to each significant risk – use events in the process to systematically identify factors What control activities could be implemented to mitigate the risks? Assessment of Information Systems Risks 2 categories of information systems risks: Recording risks Updating risks Assessment of Information Systems Risks The process of recording and updating information – both a risk and a control Risk - information will be recorded incorrectly, perhaps resulting in transaction errors and incorrect financial statements Control – when information is correct because recorded information is used to control transactions Assessment of Information Systems Risks Recording risks: Risks that event information is not captured accurately in an organization’s information system Errors in recording can cause substantial losses Recording events late can cause opportunity losses In the acquisition cycle, recording errors can result in overpaying bills or loss of credit from failure to pay Assessment of Information Systems Risks Recording risks: Revenue/acquisition cycles generic recording risks Event recorded never occurred Event not recorded, recorded late, or duplication of recording Wrong product/service recorded Wrong quantity/price recorded Wrong external/internal agent recorded Wrong recording of other data Assessment of Information Systems Risks Recording risks: Identifying recording risks – 3 steps Step 1. Achieve an understanding of the process under study identify the events Step 2. Review events identify where data are recorded in a source document or a transaction file Assessment of Information Systems Risks Recording risks: Identifying recording risks – 3 steps Step 3. For each event where data are recorded in a source document or transaction record: Consider the preceding generic recording risks Restate each generic risk to describe the risk more precisely for the particular event under consideration Exclude any risks that are irrelevant or immaterial Assessment of Information Systems Risks Updating risks: Risks that summary fields in master records are not properly updated Update failures can be costly Errors in updates can reduce the effectiveness of controls over the general ledger balances for assets and liabilities Assessment of Information Systems Risks Updating risks: Generic risks Update of master record omitted or unintended duplication of update Update of master record occurred at the wrong time If updates are scheduled, users need to know and schedule needs to be followed Summary field updated by wrong amount Wrong master record updated Assessment of Information Systems Risks Identifying pdating risks: 3 steps Step 1. Identify recording risks Step 2. Identify the events that include update activity and the summary fields in updated master files Assessment of Information Systems Risks Identifying update risks: 3 steps Step 3. For each event in updated master file Consider the preceding generic update risks Restate each generic risk to describe the update risk more precisely for the particular event under consideration Exclude any update risks that are irrelevant or immaterial Recording and Updating in the General Ledger System The General_Ledger File stores reference and summary data about the general ledger accounts. The process of updating a general ledger account is sometimes referred to as “posting.” Recording and Updating in the General Ledger System Risks in recording and updating information in a general ledger system: Risks Wrong general ledger account recorded Wrong amounts debited/credited General ledger master record not updated at all, updated late, or updated twice Wrong general ledger master record updated Recording and Updating in the General Ledger System Risks in recording and updating information in a general ledger system: Important to internal control: Policy for updating general ledger accounts should be well understood. Often, general ledger balances are updated after a batch of transactions, not with each transaction Recording and Updating in the General Ledger System Risks in recording and updating information in a general ledger system: Important to internal control: Employees need to know: Under the batch process, general ledger account balances are temporarily out of date When updates are made Recording and Updating in the General Ledger System Controlling risks: Identify significant risks of losses or errors Consider ways to control the risks Accountants, external auditors, or internal auditors evaluate existing controls and suggest additional controls where warranted Control Activities The policies and procedures to address risks to achievement of the organization’s objectives Manual or automated May be implemented at various levels of the organization. 4 types of controls: Workflow controls Input controls General controls Performance reviews Control Activities Workflow controls: Used to control a process as it moves from one event to the next Exploit linkages between events Focus on: Responsibilities for events Sequence of events Flow of information between events in a business process Control Activities Workflow controls: Segregation of duties Use of information from prior events to control activities Required sequence of events Follow-up on events Sequence of prenumbered Recording of internal agent(s) accountable for an event in a process Limitation of access to assets and information Reconciliation of records with physical evidence of assets Control Activities 1. Segregation of duties: Organizations make an effort to segregate: Authorization of events Execution of events Recording of event data Custody of resources associated with the event The overview activity diagram is best suited to understanding and documenting segregation of duties Control Activities 2. Use of information about prior events: Information about prior events can come from documents or computer records. 2 examples of information from computer files: Checking summary data in master files to authorize events Transaction records may help control events similar to using documents before approving an invoice Control Activities 3. Required sequence of events: Often, organizations Have policies requiring a process to follow a particular sequence Require a sequence of events without having prior recorded information to rely on Control Activities 4. Follow-up on events: Organizations: Need automated or manual way to review transactions not yet concluded Should have “open” item or aging reports to identify events needing follow up Can design/use routine reports to flag unfinished business Can querying a database for status reports Control Activities 5. Prenumbered documents: Provide an opportunity to control events Prenumbered documents created during one event are accounted for in a later event Checking the sequence of prenumbered documents helps ensure that all events are executed and recorded appropriately Control Activities 6. Recording of internal agent(s) accountable for an event in a process: Important Clear job descriptions and specific instructions from supervisors Recording employee ID number at the time the event Safeguarding of assets through use of with serial numbers, recordkeeping, and identification of custodian of the assets Control Activities 7. Limitation of access to assets and information: Safeguards Access to assets only for employees needing them for assigned duties Physical assets stored in secure locations Employees badges for access Alarms Password required for access to data Control Activities 8. Reconciliation of records with physical evidence of assets: Ensures that recorded event and master file data correspond to actual assets Differs from the use of documents to control events – reconciliation: Is broader Usually involves data about multiple events Occurs after the events have been executed and recorded Control Activities Input controls: Used to control input of data into computer systems Drop-down or look-up menus Record-checking of data entered Confirmation of data entered Referential integrity controls Format checks to limit data Validation rules to limit the data Defaults from data entered in prior sessions Control Activities Input controls: Restriction against leaving a field blank Field established as a primary key Computer-generated values entered in records Batch control totals taken before data entry compared to printouts after data entry Review for errors before posting Exception reports Control Activities General controls: Broader controls that apply to multiple processes Help workflow and input controls be effective Organized into four categories: Information systems (IS) planning Organizing the information technology (IT) function Identifying and developing IS solutions Implementing and operating accounting systems Control Activities Performance reviews: Measure performance by comparing actual data with budgets, forecasts, or priorperiod data Include analyzing data, identifying problems, and taking corrective action Ensure events support broader long-term goals Typically involve comparing actual results to plans, standards, and prior performance Control Activities Performance reviews: Often result in taking corrective action Require an information system (AIS in particular) that records and stores information about standards and actual outcomes Requires reports that allow for meaningful analysis of actual results Control Activities Performance reviews: And master records Related in two ways: Planned standards and budget figures (reference data) are typically recorded during file maintenance activities in master records Summary data stored in master records are often used to implement corrective action Summary fields in master records can also help in reviewing performance KEYTERMS Application controls Control activities Control environment Execution risk General controls Information system risks Input controls KEYTERMS Internal controls Performance reviews Recording risks Risk assessment Segregation of duties Update risks Workflow controls