Controls and Accountants

Internal control is a process designed to provide reasonable assurance regarding achievement of:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations

Accountants’ roles and controls
• Managers: SOX and Public Company Accounting Oversight Board Statement No. 2
• Users: be able to apply controls appropriately
• System Designers: risk / reward tradeoff for controls
• Evaluators: Internal evaluation of controls, External attestation of controls, Conduct audit of financial statements

Components of Internal Control
• Control Environment
  • Integrity, ethical values, management philosophy, etc.
• Risk Assessment
  • Identification and analysis of risks that interfere with controls
• Control Activities
  • Performance reviews
  • Segregation of duties
  • Application (specific) controls
  • General controls
• Information and Communication
  • Provide understanding of individual roles and responsibilities
• Monitoring
  • Make sure it is working

Internal Control Objectives
• Execution Objectives
  • Proper execution of transactions in revenue and acquisition cycles
    • proper delivery of goods, collection and handling of $ …
• Information System Objectives
  • Proper file maintenance, recording, updating, and reporting of data in an information system
• Asset Protection Objectives
  • Safeguarding of assets (not just technology assets)
• Performance Objectives
  • Favorable performance of an organization, person, department or service
    • Even if Execution Objectives are met, performance needs to be evaluated

Revenue & Acquisition Cycle Risks
• Generic Revenue Risks
  • Delivering goods and services
    • Unauthorized sale or service, wrong product, wrong quantity, wrong quality, wrong customer
  • Collecting cash
    • Not collected on time, wrong amount collected
• Generic Acquisition Risks
  • Receiving goods and services
    • Unauthorized goods received, no goods received, wrong supplier, wrong product, duplicate receipt …
  • Making payments
    • Unauthorized payment, late payment, no payment, pay wrong person

Understanding and Assessing Revenue and Acquisition Cycle Risks
1. Achieve an understanding of the organization’s processes
  • Activity diagrams, workflow tables …
2. Identify the goods or services received (or provided) and the cash paid out (or received) that are at risk
3. Restate the generic risks so that they capture the specific situation
4. Assess the significance of the remaining risks
  • Probability of loss × magnitude of loss
5. Identify factors that contribute to significant risks
  • Use events to find these factors that we will later control

Information Systems Risks
• Information is both a risk and a control
  • Risk of creating a transaction error, but the right information can help control
• Two main categories of Information System Risks
  • Recording Risks
    • Information about an event is not recorded properly in transaction file
    • e.g. wrong customer associated with a purchase
    • Also a timing risk of recording events too late
  • Updating Risks
    • Summary fields in master record are not updated properly
    • e.g. incorrect Quantity_on_Hand could lead to improperly rejected orders

Identifying Recording Risks
• Generic recording risks
  • Event recorded that never occurred, event not recorded at all or late, wrong agent associated with event, wrong quantity or price recorded, …
• How to find these risks
  1. Understand the business processes
  2. Review events and find data recorded on source document or in file
    • Not all events record data
  3. Restate the generic recording risks so that they capture the specific situation.
    • Ignore events that don’t record data

Identifying Updating Risks
• Generic updating risks
  • Update of master omitted or duplication of update, incorrect timing of master update, summaries updated incorrectly, wrong record updated
• How to find these risks
  1. Look at recording risks
    • Cause incorrect updates to summary fields
  2. Review events and find where master file updated
    • Recall: master files for inventory, services, agents
  3. Restate the generic recording risks so that they capture the specific situation.
    • Ignore events that don’t involve updates

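An added example, not part of the original slides: a Python check for three of the generic updating risks listed above (update omitted, update duplicated, wrong record updated) that also recomputes the Quantity_on_Hand summary field from the transaction file. The file layouts, the update log and every sample value are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; the layouts and the update log are assumptions.
OPENING = {"P100": 50, "P200": 20, "P300": 10}   # Quantity_on_Hand at period start
TRANSACTIONS = [                                 # (event_id, product_id, quantity change)
    ("S1", "P100", -5), ("S2", "P100", -10),
    ("R1", "P200", 30), ("S3", "P300", -4),
]
UPDATE_LOG = [                                   # (event_id, master record updated)
    ("S1", "P100"),
    ("S2", "P100"), ("S2", "P100"),              # S2 posted twice
    ("S3", "P200"),                              # S3 posted to the wrong record
]                                                # R1 was never posted
MASTER = {"P100": 25, "P200": 16, "P300": 10}    # Quantity_on_Hand as stored


def find_updating_risks(transactions, update_log):
    """Classify how each recorded event was posted to the master file."""
    posted = defaultdict(list)
    for event_id, product in update_log:
        posted[event_id].append(product)
    findings = []
    for event_id, product, _qty in transactions:
        targets = posted.get(event_id, [])
        if not targets:
            findings.append((event_id, "update omitted"))
            continue
        if len(targets) > 1:
            findings.append((event_id, "update duplicated"))
        if any(target != product for target in targets):
            findings.append((event_id, "wrong record updated"))
    return findings


def expected_quantity_on_hand(opening, transactions):
    """Recompute the summary field from opening balances and the transaction file."""
    qoh = dict(opening)
    for _event_id, product, qty in transactions:
        qoh[product] = qoh.get(product, 0) + qty
    return qoh


def summary_mismatches(opening, transactions, master):
    """Return {product: (stored, expected)} where the summary field is wrong."""
    expected = expected_quantity_on_hand(opening, transactions)
    return {p: (master.get(p), q) for p, q in expected.items() if master.get(p) != q}
```

The mismatch report shows the effect of each posting error on the summary field, while the update log comparison identifies which event caused it.
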
Four Kinds of Controls
• Workflow Controls
  • Focus on process as it moves between events
• Performance Reviews
  • Analysis of performance
• Input Controls
  • Apply to input of data into computer systems
  • Chapter 7
• General Controls
  • Apply to multiple processes and workflow and input controls
  • Chapter 13

Workflow Controls
1. Segregation of Duties
• For each event separate
  • Authorization
  • Execution
  • Recording data
  • Custody of resources
[Diagram labels: Server & Kitchen Staff; Ingredients?; Server & Cashier]

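An added example, not part of the original slides: a Python review of recorded responsible agents that flags any event where one agent holds more than one of the four duties, or where a duty has no agent on record. The record layout, event names and agent names are constructed assumptions.

```python
from collections import defaultdict

# The four duties the slide says to separate for each event.
DUTIES = ("authorization", "execution", "recording", "custody")

# Constructed sample records of responsible agents (all names are made up).
EVENTS = [
    {"event": "sale-101", "authorization": "manager_a", "execution": "server_b",
     "recording": "cashier_c", "custody": "kitchen_d"},
    {"event": "sale-102", "authorization": "server_b", "execution": "server_b",
     "recording": "cashier_c", "custody": "kitchen_d"},
    {"event": "purchase-7", "authorization": "manager_a", "execution": "clerk_e",
     "recording": "clerk_e", "custody": "clerk_e"},
    {"event": "sale-103", "authorization": "manager_a", "execution": "server_b",
     "recording": None, "custody": "kitchen_d"},
]


def check_event(event):
    """Return (conflicts, unrecorded) for one event.

    conflicts:  {agent: [duties]} for every agent holding more than one duty.
    unrecorded: duties with no responsible agent on record.
    """
    by_agent = defaultdict(list)
    unrecorded = []
    for duty in DUTIES:
        agent = event.get(duty)
        if agent:
            by_agent[agent].append(duty)
        else:
            unrecorded.append(duty)
    conflicts = {a: d for a, d in by_agent.items() if len(d) > 1}
    return conflicts, unrecorded


def review(events):
    """Map event id to its findings, omitting events that pass both checks."""
    report = {}
    for event in events:
        conflicts, unrecorded = check_event(event)
        if conflicts or unrecorded:
            report[event["event"]] = {"conflicts": conflicts, "unrecorded": unrecorded}
    return report
```
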
Workflow Controls
2. Use of information about prior events to control activities
• From document
  • Sales ticket authorizes use of ingredients to prepare food
• From computer file
  • Summary file
    • Check seats available before selling tickets
  • Transaction file
    • Approve invoices after checking purchasing and receiving records
    • Like looking at a printed purchase order
3. Required Sequence of Events
• Reduce risk of getting surprised at the end of a process
  • Gather insurance information before seeing the doctor
  • Provide a credit card before leaving with a rental car (even if you’re going to pay cash)

Workflow Controls
4. Follow-Up Events
• Reduce the risk of not finishing what you start
  • Unfilled (open) customer orders
  • Past due invoices
5. Pre-numbered documents
• Make event initiation easy to find
  • Drink tickets
6. Recording of responsible agents
• Make sure employees understand their responsibilities
• Watch employees and let them know they’re being watched
  • Checking out equipment, swiping your ID

Workflow Controls
7. Limitation of Access to Assets and Information
• Guns, guards and gates
• Passwords and badges
8. Reconciliation of Records with Physical Evidence
• Make sure transaction and master file correspond to actual assets
• More than just checking up on individual events as it involves multiple events
• Occurs after events are executed and recorded
  • Documents initiate events

Performance Reviews
• Compare actual data with forecasts and budgets
  • Review sales to find products to discontinue
  • Evaluate quality of suppliers
  • Check past-due accounts
• Planned standards and budgets are often recorded during file maintenance of master file
  • Ensure we’re accomplishing long term goals
  • Budgeted performance would be a reference field
• Summary data used to implement corrective action
  • Total days of late shipments or number of late shipments could be used to evaluate suppliers