Chapter 4 Transaction Processing and the Internal Control Process

This organization looks like it has weak internal controls.
Presentation Outline
I. Business Exposures
II. Fraud and White-Collar Crime
III. The Internal Control Process
IV. The Sarbanes-Oxley Act of 2002
V. Classifying Transaction Processing Controls
VI. Analysis of Internal Control Processes
I. Business Exposures
A. The Meaning of Exposure
B. Examples of Common Business Exposures
A. The Meaning of Exposure
Exposure = Potential Financial Effect of Event × Probability of Occurrence (Risk)
B1. Common Business Exposures
Deficient revenues due to decreases in earnings resulting from things like excessive bad debts, incorrect billing, and returns from unhappy customers.
B2. Common Business Exposures
Loss of assets due to theft, acts of violence, or natural disaster.
B3. Common Business Exposures
Inaccurate accounting causes decisions to be made using inaccurate information.
B4. Common Business Exposures
Business interruption from things like acts of violence and natural disaster can damage or destroy a business.
B5. Common Business Exposures
Statutory sanctions interrupting business due to regulatory agency penalties.
B6. Common Business Exposures
Competitive disadvantage resulting from ineffective management decisions.
B7. Common Business Exposures
Fraud (perverting truth to obtain something of value) and embezzlement (fraudulent appropriation of assets for one’s own use).
II. Fraud and White-Collar Crime
A. Three Types of White-Collar Crime
B. Fraudulent Financial Reporting
C. Corporate Crime
D. Certified Fraud Examiners
E. KPMG Survey
A. Three Types of White-Collar Crime
White-collar crime occurs when assets are deceitfully diverted from proper use or deceitfully misrepresented by an act or series of acts that are nonviolent in nature.
• Employee theft – involves diversion of assets by an employee for personal gain.
• Employee-outsider theft – involves diversion of assets by an employee in collusion with an outsider for personal gain.
• Management fraud – concerns diversion of assets or misrepresentation of assets by management.
B. Fraudulent Financial Reporting
White-collar crime may result in fraudulent financial reporting. This is intentional or reckless conduct, whether by purposeful act or by omission, that results in materially misstated financial statements.
C. Corporate Crime
Corporate crime is white-collar crime that benefits a company or organization rather than the individuals who perpetrate the fraud. Such individuals may benefit indirectly.
D. Certified Fraud Examiners
Forensic accounting is a term used to describe the activities of persons who are concerned with preventing and detecting fraud.
The National Association of Certified Fraud Examiners (NACFE) is a professional organization that provides bona fide qualifications for certified fraud examiners (CFEs) through the administration of the Uniform CFE examination.
E. KPMG Survey
The survey results …
KPMG surveyed the 2,000 largest companies in the United States.
Fifty-nine percent cited internal control as the most frequent reason that frauds were discovered.
Fifty-six percent stated that poor internal controls were the most frequent reason that fraud occurred.
III. The Internal Control Process
Internal controls keep a close eye on employee activities when management can’t. This helps employees stay honest.
A. Purpose of Internal Control
B. Two Premises of Internal Control
C. The Foreign Corrupt Practices Act of 1977
D. Elements of Internal Control
A. Purpose of Internal Control
Don’t go astray!
Internal control is designed to provide reasonable assurance regarding:
• Reliability of financial reporting.
• Effectiveness and efficiency of operations.
• Compliance with laws and regulations.
B. Two Premises of Internal Control
Responsibility – Management and the board of directors are responsible for establishing and maintaining the internal control process.
Reasonable assurance – A control should not cost more than the potential benefit of the control.
C. The Foreign Corrupt Practices Act (FCPA) of 1977
The FCPA requires that all organizations subject to the Securities Act of 1934:
• Keep an adequate system of records.
• Devise and maintain an appropriate system of internal accounting controls.
D. Elements of Internal Control
Control environment – Overall values and integrity of organization.
Risk assessment – Identification and evaluation of risks.
Control activities – Activities undertaken to reduce probability of loss due to significant risks.
Information and communication – Communicating information about the control environment and control activities.
Monitoring – Keeping watch over and changing internal controls so that they function effectively and efficiently.
IV. The Sarbanes-Oxley Act of 2002
A. Creation of the Public Company Accounting Oversight Board (PCAOB)
B. Restrictions on Nonaudit Services
C. Role of the Audit Committee
D. Corporate Responsibility for Financial Reports
E. Management Assessment of Internal Controls
Note: This Act currently applies only to publicly traded companies.
A. Creation of the PCAOB
• Created to oversee the auditing of public companies.
• The SEC will have “oversight and enforcement authority over the Board.” No rule of the Board shall become effective without prior approval of the commission. (Sec. 107)
• The Board will:
  • register public accounting firms,
  • establish the standards for the audit of public companies,
  • conduct inspections of public accounting firms, investigations and disciplinary hearings and have the power to impose sanctions.
(Sec. 101)
B. Restrictions on Nonaudit Services
Public company auditors may not also provide the following services to their audit clients:
• Bookkeeping
• Financial information systems design and implementation
• Appraisal or valuation services
• Actuarial services
• Internal audit outsourcing
• Management or human resource services
• Broker or dealer
• Legal and expert services unrelated to audit
• Other services determined by the PCAOB
C. Role of the Audit Committee
Public companies must maintain an independent audit committee composed of members of the board of directors who receive no compensation from the company except for services on the board.
D. Corporate Responsibility for Financial Reports
The CEO and CFO must prepare a statement to accompany the audit report. This statement certifies to the fairness of the presentation of the financial statements and accompanying disclosures.
E. Management Assessment of Internal Controls
The Sarbanes-Oxley Act requires the annual report to contain an internal control report that:
• states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and
• contains an assessment, as of the end of the company’s fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial reporting.
Note: The external auditor must attest to and report on the above assessment as a part of the audit process.
V. Classifying Transaction Processing Controls
A. General and Application Controls
B. Preventive, Detective, and Corrective Controls
A. General and Application Controls
General controls affect all processing transactions.
Application controls are specific to individual applications. They include input, processing, and output controls.
B. Preventive, Detective, and Corrective Controls
Preventive controls – Prevent errors and fraud before they happen.
Detective controls – Uncover errors and fraud that have occurred.
Corrective controls – Correct errors.
VI. Analysis of Internal Control Processes
A. Internal Control Questionnaire
B. Applications Control Matrix
A. Internal Control Questionnaire
Questionnaires are available for the review of certain application areas. Some weaknesses may be compensated for by other strengths. Testing of controls is also necessary since responses to a questionnaire are not considered conclusive evidence about internal controls.
B. Applications Control Matrix
Columns represent processes under review while rows represent the presence/rating for a control feature. Some use x’s to indicate the presence or absence of a control. Others provide ratings to indicate the assessed reliability of the control. (See p. 133)
Summary
The meaning of exposure
The cause of exposure
The concept of internal control
General and application controls
Preventive, detective, and corrective controls
Internal control questionnaires
Applications control matrix