Chapter 4

advertisement
Chapter 4
IDENTIFYING RISKS
AND CONTROLS
IN BUSINESS
PROCESSES
Internal Control and
Accountants’ Roles
Accountants as
Managers –
Sarbanes-Oxley Act of 2002
and Standard No. 2 of the
Public Company Accounting
Oversight Board (PCAOB)
requires:
 Management to prepare a
statement describing and
assessing the company’s
internal control system
Internal Control and
Accountants’ Roles
Sarbanes-Oxley Act of 2002
and Standard No. 2 of the
Public Company Accounting
Oversight Board (PCAOB)
requires:
 Annual reports of public
companies to include:
(1) a statement that
management is
responsible for internal
controls over financial
reporting,
Internal Control and
Accountants’ Roles
Sarbanes-Oxley Act of 2002
and Standard No. 2 of the
Public Company Accounting
Oversight Board (PCAOB)
requires:
 Annual reports of public
companies to include:
(2) a statement
identifying the
framework used by
management to
evaluate internal
controls,
Internal Control and
Accountants’ Roles
Sarbanes-Oxley Act of 2002
and Standard No. 2 of the
Public Company Accounting
Oversight Board (PCAOB)
requires:
 Annual reports of public
companies to include
(3) an assessment of
internal controls and
disclosure of any
material weaknesses,
and
Internal Control and
Accountants’ Roles
Sarbanes-Oxley Act of 2002
and Standard No. 2 of the
Public Company Accounting
Oversight Board (PCAOB)
requires:
 Annual reports of public
companies to include:
(4) a statement that a
public accounting firm
has issued an
attestation report on
management’s
assessment of internal
control.
Internal Control and
Accountants’ Roles
Accountants as
Users –
Must understand a
company’s internal
controls to apply them
correctly.
Internal Control and
Accountants’ Roles
Accountants as
Designers of internal
control procedures –
Must understand a
company’s internal
controls in working to
achieve to compliance
with regulations and
company objectives and
to minimize risks
Internal Control and
Accountants’ Roles
Accountants as
Evaluators – must understand
internal control systems to:
 Help develop management’s
report that assesses
internal controls (as
internal auditors)
 Prepare an attestation to
management’s statement
about internal control (as
external auditors)
 Conduct the audit of a
company’s financial
statements (as external
auditors)
Framework for Studying
Internal Control



Components of internal
control (the COCO
Report)
Internal control
objectives
Risk assessment
Framework for Studying
Internal Control
The COSO Report:
 5 interrelated
components of internal
control:
 Control environment
 Risk assessment
 Control activities
 Information and
communication
 Monitoring
Internal Control
Components and
Objectives
Internal control:
 Execution objectives –
2 execution objectives for
the revenue cycle:
 Ensure proper delivery of
goods and services
 Ensure proper collection
and handling of cash
2 execution objectives for
the acquisition cycle:
 Ensure proper receiving of
goods and services
 Ensure proper payment
and handling of cash
Internal Control
Components and
Objectives
Internal control:
 Information system
objectives  Focus on recording,
updating, and reporting
accounting information
 Important for ensuring
effective execution of
transactions
Internal Control
Components and
Objectives
Internal control:
 Asset protection
objectives  Focus on safeguarding
assets to minimize risk
of theft or loss of
assets
Internal Control
Components and
Objectives
Internal control:
 Performance objectives –
 Focus on achieving
favorable performance
of an organization,
person, department,
product, or service
 Established to ensure
effective operations
Assessment of
Execution Risks:
Revenue Cycle
Generic execution risks for
each of the two revenue
cycle transactions:
1.Delivering goods/services:
 Unauthorized sale/service
permitted
 Authorized sale/service
did not occur, occurred
late, or was duplicated
unintentally
 Wrong type of
product/service
 Wrong quantity/quality
 Wrong customer/address
Assessment of
Execution Risks:
Revenue Cycle
Generic execution risks for
each of the two revenue
cycle transactions:
2. Collecting cash:
 Cash not collected or
collected late
 Wrong amount of cash
collected
Assessment of
Execution Risks:
Acquisition Cycle
Generic execution risks for
each of the two acquisition
cycle transactions:
1. Receiving goods/services:
 Unauthorized
goods/services received
 Expected receipt of
goods/services did not
occur, occurred late, or
was duplicated
unintentionally
 Wrong type of product or
service received
 Wrong quantity/quality
 Wrong supplier
Assessment of
Execution Risks:
Acquisition Cycle
Generic execution risks for
each of the two acquisition
cycle transactions:
2. Making payment:
 Unauthorized payment
 Cash not paid, paid late,
or duplicate payment
 Wrong amount paid
 Wrong supplier paid
Assessment of Execution
Risks: Revenue &
Acquisition Cycles
Understanding and assessing
execution risks – 5 steps:
Step 1. Achieve understanding
of the processes
Step 2. Identify the at-risk
goods/services provided and
cash received
Step 3. Restate generic risk to
describe the execution risk
more precisely for process
under study - exclude
irrelevant/immaterial risks
Assessment of Execution
Risks: Revenue &
Acquisition Cycles
Understanding and
assessing execution risks –
5 steps:
Step 4. Assess the significance
of remaining risks
Step 5. Identify factors that
contribute to each
significant risk – use events
in the process to
systematically identify
factors
 What control activities could
be implemented to mitigate
the risks?
Assessment of
Information Systems
Risks

2 categories of information
systems risks:
 Recording risks
 Updating risks
Assessment of
Information Systems
Risks

The process of recording
and updating information –
both a risk and a control
 Risk - information will be
recorded incorrectly,
perhaps resulting in
transaction errors and
incorrect financial
statements
 Control – when information
is correct because recorded
information is used to
control transactions
Assessment of
Information Systems
Risks
Recording risks:
 Risks that event information
is not captured accurately in
an organization’s information
system
 Errors in recording can cause
substantial losses
 Recording events late can
cause opportunity losses
 In the acquisition cycle,
recording errors can result in
overpaying bills or loss of
credit from failure to pay
Assessment of
Information Systems
Risks
Recording risks:
 Revenue/acquisition cycles generic recording risks
 Event recorded never
occurred
 Event not recorded,
recorded late, or
duplication of recording
 Wrong product/service
recorded
 Wrong quantity/price
recorded
 Wrong external/internal
agent recorded
 Wrong recording of other
data
Assessment of
Information Systems
Risks
Recording risks:

Identifying recording risks
– 3 steps
Step 1. Achieve an
understanding of the
process under study identify the events
Step 2. Review events identify where data are
recorded in a source
document or a
transaction file
Assessment of
Information Systems
Risks
Recording risks:
 Identifying recording risks –
3 steps
 Step 3. For each event
where data are recorded in
a source document or
transaction record:
 Consider the preceding
generic recording risks
 Restate each generic risk
to describe the risk more
precisely for the particular
event under consideration
 Exclude any risks that are
irrelevant or immaterial
Assessment of
Information Systems
Risks
Updating risks:

Risks that summary
fields in master records
are not properly
updated

Update failures can be
costly

Errors in updates can
reduce the effectiveness
of controls over the
general ledger balances
for assets and liabilities
Assessment of
Information Systems
Risks
Updating risks:
 Generic risks
 Update of master record
omitted or unintended
duplication of update
 Update of master record
occurred at the wrong time
 If updates are scheduled,
users need to know and
schedule needs to be
followed
 Summary field updated by
wrong amount
 Wrong master record
updated
Assessment of
Information Systems
Risks
Identifying pdating risks:
 3 steps
Step 1. Identify
recording risks
Step 2. Identify the
events that include
update activity and
the summary fields in
updated master files
Assessment of
Information Systems
Risks
Identifying update risks:
 3 steps
Step 3. For each event in
updated master file
 Consider the preceding
generic update risks
 Restate each generic risk
to describe the update
risk more precisely for
the particular event
under consideration
 Exclude any update risks
that are irrelevant or
immaterial
Recording and Updating
in the General Ledger
System


The General_Ledger File
stores reference and
summary data about the
general ledger accounts.
The process of updating a
general ledger account is
sometimes referred to as
“posting.”
Recording and Updating
in the General Ledger
System

Risks in recording and
updating information in a
general ledger system:
Risks
 Wrong general ledger
account recorded
 Wrong amounts
debited/credited
 General ledger master
record not updated at all,
updated late, or updated
twice
 Wrong general ledger
master record updated
Recording and Updating
in the General Ledger
System

Risks in recording and
updating information in a
general ledger system:
Important to internal control:
 Policy for updating general
ledger accounts should be
well understood.
 Often, general ledger
balances are updated after
a batch of transactions, not
with each transaction
Recording and Updating
in the General Ledger
System

Risks in recording and
updating information in a
general ledger system:
Important to internal
control:
 Employees need to
know:
 Under the batch
process, general
ledger account
balances are
temporarily out of
date
 When updates are
made
Recording and Updating
in the General Ledger
System
Controlling risks:
 Identify significant risks of
losses or errors
 Consider ways to control
the risks
 Accountants, external
auditors, or internal
auditors evaluate existing
controls and suggest
additional controls where
warranted
Control Activities




The policies and procedures
to address risks to
achievement of the
organization’s objectives
Manual or automated
May be implemented at
various levels of the
organization.
4 types of controls:
 Workflow controls
 Input controls
 General controls
 Performance reviews
Control Activities
Workflow controls:
 Used to control a process
as it moves from one event
to the next
 Exploit linkages between
events
 Focus on:
 Responsibilities for
events
 Sequence of events
 Flow of information
between events in a
business process
Control Activities








Workflow controls:
Segregation of duties
Use of information from prior
events to control activities
Required sequence of events
Follow-up on events
Sequence of prenumbered
Recording of internal
agent(s) accountable for an
event in a process
Limitation of access to assets
and information
Reconciliation of records
with physical evidence of
assets
Control Activities
1. Segregation of duties:


Organizations make an
effort to segregate:
 Authorization of events
 Execution of events
 Recording of event data
 Custody of resources
associated with the
event
The overview activity
diagram is best suited to
understanding and
documenting segregation
of duties
Control Activities
2. Use of information about
prior events:
 Information about prior
events can come from
documents or computer
records.
 2 examples of information
from computer files:
 Checking summary data in
master files to authorize
events
 Transaction records may
help control events similar to using documents
before approving an
invoice
Control Activities
3. Required sequence of
events:
Often, organizations  Have policies requiring a
process to follow a
particular sequence
 Require a sequence of
events without having
prior recorded information
to rely on
Control Activities
4. Follow-up on events:
Organizations:
 Need automated or manual
way to review transactions
not yet concluded
 Should have “open” item or
aging reports to identify
events needing follow up
 Can design/use routine
reports to flag unfinished
business
 Can querying a database for
status reports
Control Activities
5. Prenumbered documents:
 Provide an opportunity to
control events
 Prenumbered documents
created during one event
are accounted for in a later
event
 Checking the sequence of
prenumbered documents
helps ensure that all
events are executed and
recorded appropriately
Control Activities
6. Recording of internal
agent(s) accountable for an
event in a process:
Important
 Clear job descriptions and
specific instructions from
supervisors
 Recording employee ID
number at the time the
event
 Safeguarding of assets
through use of with serial
numbers, recordkeeping,
and identification of
custodian of the assets
Control Activities
7. Limitation of access to
assets and information:
Safeguards
 Access to assets only for
employees needing them
for assigned duties
 Physical assets stored in
secure locations
 Employees badges for
access
 Alarms
 Password required for
access to data
Control Activities
8. Reconciliation of records
with physical evidence of
assets:
 Ensures that recorded event
and master file data
correspond to actual assets
 Differs from the use of
documents to control
events – reconciliation:
 Is broader
 Usually involves data
about multiple events
 Occurs after the events
have been executed and
recorded
Control Activities
Input controls:
 Used to control input of data
into computer systems
 Drop-down or look-up
menus
 Record-checking of data
entered
 Confirmation of data entered
 Referential integrity controls
 Format checks to limit data
 Validation rules to limit the
data
 Defaults from data entered
in prior sessions
Control Activities
Input controls:
 Restriction against
leaving a field blank
 Field established as a
primary key
 Computer-generated
values entered in records
 Batch control totals taken
before data entry
compared to printouts
after data entry
 Review for errors before
posting
 Exception reports
Control Activities



General controls:
Broader controls that apply
to multiple processes
Help workflow and input
controls be effective
Organized into four
categories:
 Information systems (IS)
planning
 Organizing the information
technology (IT) function
 Identifying and developing
IS solutions
 Implementing and
operating accounting
systems
Control Activities
Performance reviews:
 Measure performance by
comparing actual data with
budgets, forecasts, or priorperiod data
 Include analyzing data,
identifying problems, and
taking corrective action
 Ensure events support
broader long-term goals
 Typically involve comparing
actual results to plans,
standards, and prior
performance
Control Activities
Performance reviews:
 Often result in taking
corrective action
 Require an information
system (AIS in particular)
that records and stores
information about
standards and actual
outcomes
 Requires reports that
allow for meaningful
analysis of actual results
Control Activities

Performance reviews:
And master records
 Related in two ways:
 Planned standards and
budget figures (reference
data) are typically
recorded during file
maintenance activities in
master records
 Summary data stored in
master records are often
used to implement
corrective action
 Summary fields in master
records can also help in
reviewing performance
KEYTERMS







Application controls
Control activities
Control environment
Execution risk
General controls
Information system risks
Input controls
KEYTERMS







Internal controls
Performance reviews
Recording risks
Risk assessment
Segregation of duties
Update risks
Workflow controls
Download