IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESS FL Jones and DV Rama

Objectives of Internal Control (SAS No. 94)
A process … designed to provide reasonable assurance regarding the objectives:
1. Reliability of financial reporting
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations
Elements of Internal Control
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

Control environment: integrity, ethical values, management philosophy and operating style, and organizational structure influence the control environment.

Risk assessment: once risks are identified, they can be analyzed to estimate their significance, to assess their likelihood of occurring, and to determine actions that will minimize them.

Control Activities
• Performance reviews
• Segregation of duties
• Application controls
• General controls

Information and communication: the company's information system is a collection of procedures (automated and manual) and records established to initiate, record, process, and report the events in an entity's process. Communication involves providing an understanding of individual roles and responsibilities.
Objectives and Risk
1. Execution: proper execution of transactions in the revenue and acquisition cycles. Risk of not achieving execution objectives.
2. Information System: proper recording, updating, and reporting of data in an information system. Risk of not achieving information system objectives.
3. Asset protection: safeguarding of assets. Risk of loss or theft of assets.
4. Performance: favorable performance of an organization, person, department, product, or service. Risk of not achieving performance objectives.
Other Classifications of Control Plans
• Preventive Controls: Issue is prevented from
occurring – cash receipts are immediately
deposited to avoid loss
• Detective Controls: Issue is discovered –
unauthorized disbursement is discovered during
reconciliation
• Corrective Controls: issue is corrected –
erroneous data is entered in the system and
reported on an error and summary report; a clerk
re-enters the data
Business Process Control Plans
• Business process control plans reflect the information processing policies and procedures that assist in accomplishing control goals. They sit at the bottom of a three-level hierarchy:
– The control environment. Its place at the top of the hierarchy illustrates that it comprises a multitude of factors that can either reinforce or weaken the effectiveness of the pervasive and business process control plans.
– Pervasive control plans relate to a multitude of goals and processes.
• Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate.
• They are broad in scope and apply equally to all business processes; hence they pervade all systems.
– Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.
Control Goals of Information Process
• Update completeness
– Requires that all events entered into the computer be reflected in their respective master data
– Ex. Are all input cash receipts recorded in the AR master data?
• Update accuracy
– Requires that data entered into the computer be reflected correctly in their respective master data
– Ex. Are all input cash receipts correctly recorded in the AR master data?
• Input validity
– Input data are approved and represent actual economic events and objects
– Ex. Are all cash receipts input into the process supported by customer payments?
• Input completeness
– Requires that all valid events or objects be captured and entered into the system
– Ex. Are all valid customer payments captured on a customer remittance advice (RA) and entered into the process?
• Input accuracy (correct data entered correctly)
– Requires that events be correctly captured and entered into the system
– Ex. Are the correct payment amount and customer number on the RA?
– Ex. Are the correct payment amount and customer number keyed into the system?
Control Goals of the Information Process
• For business event inputs, ensure
– Input validity
– Input completeness
– Input accuracy
• For master data, ensure
– update completeness
– update accuracy
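The five information-process goals above are normally enforced with batch controls (document counts and amount control totals) plus document-level and master-data reconciliations. The Python below is an added example, not code from the Jones and Rama slides; the customer master, remittance advice batch, keyed transactions and AR balances are constructed sample data, and all function names are assumptions of this example. It keys a cash receipts batch with one dropped RA, one transposed amount and one RA for an unknown customer, then runs one check per control goal and returns the exceptions.

```python
"""Batch checks for the five information-process control goals.

Added example; the data below are constructed, not from the original slides.
Amounts are floats for brevity; a real AR system would use Decimal.
"""

# Customer master data: account number -> name (input validity reference).
CUSTOMER_MASTER = {"C100": "Acme Co", "C200": "Birch Ltd", "C300": "Cedar Inc"}

# Accounts receivable master balances before the batch is posted.
AR_BEFORE = {"C100": 5000.00, "C200": 1000.00, "C300": 2500.00}

# Remittance advices (RAs) in the mailroom batch, with the batch header the
# mailroom prepared (document count and amount control total).
RA_BATCH = [
    {"ra_no": "RA-1", "customer": "C100", "amount": 1200.00},
    {"ra_no": "RA-2", "customer": "C200", "amount": 450.50},
    {"ra_no": "RA-3", "customer": "C300", "amount": 980.00},
    {"ra_no": "RA-4", "customer": "C999", "amount": 75.00},   # no such customer
]
RA_HEADER = {"count": 4, "amount_total": 2705.50}

# What the data entry clerk actually keyed: RA-3 was skipped and the
# amount on RA-2 was transposed (450.50 -> 405.50).
KEYED = [
    {"ra_no": "RA-1", "customer": "C100", "amount": 1200.00},
    {"ra_no": "RA-2", "customer": "C200", "amount": 405.50},
    {"ra_no": "RA-4", "customer": "C999", "amount": 75.00},
]


def check_input_validity(keyed, master):
    """Input validity: each keyed receipt must reference a customer on file."""
    return [k["ra_no"] for k in keyed if k["customer"] not in master]


def check_input_completeness(keyed, header, batch):
    """Input completeness: every RA in the batch must be keyed, and the keyed
    count and amount total must agree with the batch header."""
    keyed_nos = {k["ra_no"] for k in keyed}
    batch_nos = {s["ra_no"] for s in batch}
    return {
        "missing": sorted(batch_nos - keyed_nos),   # in batch, never entered
        "extra": sorted(keyed_nos - batch_nos),     # entered, not in batch
        "count_ok": len(keyed) == header["count"],
        "total_ok": abs(sum(k["amount"] for k in keyed) - header["amount_total"]) < 0.005,
    }


def check_input_accuracy(keyed, batch):
    """Input accuracy: keyed fields must match the source document.
    Returns (ra_no, field, on_document, as_keyed) for each mismatch."""
    source = {s["ra_no"]: s for s in batch}
    errors = []
    for k in keyed:
        s = source.get(k["ra_no"])
        if s is None:
            continue  # reported by the completeness check as "extra"
        for field in ("customer", "amount"):
            if k[field] != s[field]:
                errors.append((k["ra_no"], field, s[field], k[field]))
    return errors


def post_receipts(ar, receipts):
    """Constructed posting routine with a deliberate gap: receipts for
    accounts not on the AR master are silently dropped. The update
    checks below must catch this."""
    ar_after = dict(ar)
    for r in receipts:
        if r["customer"] in ar_after:
            ar_after[r["customer"]] -= r["amount"]
    return ar_after


def reconcile_update(ar_before, ar_after, receipts):
    """Update completeness and accuracy: recompute the balance each account
    should hold after posting and compare with the master. Returns
    (accounts missing from the master, accounts with a wrong balance)."""
    expected = dict(ar_before)
    for r in receipts:
        expected[r["customer"]] = expected.get(r["customer"], 0.0) - r["amount"]
    missing = sorted(c for c in expected if c not in ar_after)
    wrong = sorted(c for c in expected
                   if c in ar_after and abs(ar_after[c] - expected[c]) >= 0.005)
    return missing, wrong


def run_batch_controls():
    """Run all five checks over the constructed batch and return the exceptions."""
    ar_after = post_receipts(AR_BEFORE, KEYED)
    missing, wrong = reconcile_update(AR_BEFORE, ar_after, KEYED)
    return {
        "input_validity": check_input_validity(KEYED, CUSTOMER_MASTER),
        "input_completeness": check_input_completeness(KEYED, RA_HEADER, RA_BATCH),
        "input_accuracy": check_input_accuracy(KEYED, RA_BATCH),
        "update_completeness": missing,
        "update_accuracy": wrong,
    }


if __name__ == "__main__":
    for goal, result in run_batch_controls().items():
        print(f"{goal}: {result}")
```

Two points worth noticing when running it. The batch header alone tells you only that something is wrong (3 documents keyed against 4, 1680.50 keyed against 2705.50); it cannot separate the dropped RA-3 from the transposed amount on RA-2, which is why the document-level comparisons are needed alongside the control totals. And RA-4 passes every batch control, since it was in the batch and was keyed faithfully, yet it fails input validity and, once the posting routine silently drops it, update completeness; a control total is a detective control over keying, not over whether the event was real or whether the master data actually changed.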
Control Goals of Operations Process
• Ensure effectiveness of operations
– A measure of success in meeting one or more operations process goals
which reflect the criteria used to judge the effectiveness of various business
processes
– Ex. Deposit cash receipts on the day received
• Ensure efficient employment of resources
– A measure of the productivity of the resources applied to achieve a set of
goals
– Ex. What is the cost of people, computers, and other resources to deposit cash on the day received?
• Ensure security of resources
– Protecting an organization’s resources from loss, destruction, disclosure,
copying, sale, or other misuse
– Ex. Are cash and information resources available when required?
– Are they put to authorized use?
Control Goals of the Operations Process
• Ensure effectiveness of operations
• Ensure efficient employment of resources
• Ensure security of resources
Causeway Company Systems Flowchart
Ethics and Controls
• COSO report stresses ethics as part of control
environment (tone at the top)
• AICPA has built ethics issues into CPA exam
• The Institute of Management Accountants has a code
of ethics which is also tested on both the CMA and
CFM exams
• Internal Auditing has ethics articles
• Many corporations have developed Codes of Conduct
General Control Model: Figure 7.1
(Text definition of IC cont.)
• Reflect management’s careful assessment
of risks.
• Be based on management’s evaluation of
costs versus benefits.
• Be built on management’s strong sense of
business ethics and personal integrity.
Gelinas, Sutton & Hunton’s Working
Definition of IC: Key Points
• A system of internal control is not an end in itself. Rather, it is a means to an
end—the end of attaining process objectives
• Internal control itself is a system. Therefore, like any system it must
– (1) have clearly defined goals and
– (2) consist of interrelated components that act in concert to achieve those goals.
– We can also say that internal control is a process
• Establishing a viable internal control system is management’s responsibility.
• The strength of any internal control system is largely a function of the people
who operate it.
• Internal control cannot be expected to provide absolute, 100% assurance that the
organization will reach its objectives. Rather, the operative phrase is that it should
provide reasonable assurance
• Internal control is not free; controls should be built in and cost effective
COSO Report, SOA, and SAS 94
• In the section addressing implementation of the Sarbanes-Oxley Act Section 404, the SEC used the COSO description of internal control.
– It went on to say that management must base its evaluation of the effectiveness of its internal control system on a framework such as COSO
– COSO report stresses internal control is a process
• A complementary perspective on internal control is found in Statement on Auditing Standards (SAS) 94, entitled “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.”
– This standard guides auditors in understanding the impact of IT on internal control and assessing IT-related control risks
– Further, SAS 94 highlights how IT can be used to strengthen internal control, while at the same time emphasizing how IT can actually weaken some controls
Five Interrelated Components of Internal Control
1. Control environment - tone at the top
2. Risk assessment - identification/analysis of risks
3. Control activities - policies and procedures
4. Information & communication - processing of info in a form and time frame to enable people to do their jobs
5. Monitoring - process that assesses quality of internal control over time
Definition of Internal Control
• From SAS 78 (1995), which adopted the COSO definition:
– INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws & regulations.
E&Y Fraud Survey
• About 85% of fraud committed by company insiders
• About 55% of perpetrators were management employees
• More fraud in less-developed countries
• Only about 20% of fraud comes to the public knowledge
• About 40% of frauds are known to the public, 20% are kept confidential, and the other 40% are not yet discovered
• Best prevention is internal control, management reviews, and internal audits
• The #1 fraud worry to executives is asset misappropriation
• The #2 fraud worry to executives is computer crime
• Most organizations now have formal fraud prevention policies including codes of corporate governance and employee conduct
• Most useful fraud prevention techniques are internal controls, management reviews, and internal audits
SAS 99
• The accounting profession too has been proactive in
dealing with corporate fraud, as it has launched an antifraud program.
• One of the manifestations of this initiative is Statement on
Auditing Standards (SAS) Number 99, entitled
Consideration of Fraud in a Financial Statement Audit.
– SAS 99 has the same title as its predecessor, SAS 82, but the new
standard is much more encompassing than the old.
– For instance, SAS 99 emphasizes brainstorming fraud risks,
increasing professional skepticism, using unpredictable audit test
patterns, and detecting management override of internal controls.
Fraud and its Relationship to Control
• Fraud: deliberate act or untruth intended to
obtain unfair or unlawful gain.
– Management charged with responsibility to prevent and/or disclose
fraud
– Control systems enable management to do this job
– Management responsible to provide internal control system per the
Foreign Corrupt Practices Act of 1977
– Section 1102 of the Sarbanes-Oxley Act specifically addresses
corporate fraud
– Instances of fraud undermine management’s ability to convince
various authorities that it is upholding its stewardship
responsibility
Common Business Exposures
1. Erroneous recordkeeping
2. Unacceptable accounting
3. Business interruption
4. Erroneous management decisions
5. Fraud and embezzlement
6. Statutory sanctions
7. Excessive costs
8. Loss or destruction of resources
9. Competitive disadvantage
Why do we need controls?
• (1) to provide reasonable assurance that the goals
of each business process are being achieved
• (2) to mitigate the risk that the enterprise will be
exposed to some type of harm, danger, or loss
(including loss caused by fraud or other
intentional and unintentional acts)
• (3) to provide reasonable assurance that the
company is in compliance with applicable legal
and regulatory obligations.