2. Internal Controls A401 Edited

A401
Internal Controls
INTERNAL CONTROL: COSO Definition
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws & regulations
(COSO, 1992, p. 9)
INTERNAL CONTROL: PSA 315 Definition
The process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objective with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
Four Essential Concepts
#1 Internal control is a process.
#2 Internal control is effected by those charged with governance, management, and other personnel.
#3 Internal control can be expected to provide reasonable assurance of achieving the entity’s objectives.

Limitations:
• Cost – benefit concerns
• Directed at routine transactions
• Human error
• Possibility of collusion
• Possibility of control override
• Inadequacy of procedures due to changes

#4 Internal control is designed to help achieve the entity’s objectives.

Categories of the objectives:
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting
Control categories according to business objectives
Operational controls
Operational controls are controls that help to reduce operational risks, or identify failures in operational systems when these occur. The nature of operational risks varies between companies, because their operations differ widely.
In general terms, operational risks are risks of failures in operations due to factors such as human error, a failure in processes, a failure in systems, and so on.
Compliance controls
Compliance controls are concerned with making sure that an entity complies with all the requirements of relevant legislation and regulations.
When regulations are specific, compliance controls often involve detailed procedures for checking that every regulation has been properly complied with, and that there is documentary evidence that the checks have been made. This is often called a box-ticking approach to compliance.

A box-ticking approach to compliance control is more usually associated with a rules-based approach to regulation rather than a principles-based approach.
Financial controls
Financial controls have been explained as internal accounting controls that are sufficient to provide reasonable assurance that:
• transactions are made only in accordance with the general or specific authorisation of management
• transactions are recorded so that financial statements can be prepared in accordance with accounting standards and generally-accepted accounting principles
• transactions are recorded so that assets can be accounted for
• access to assets is only allowed in accordance with the general or specific authorisation of management
• the accounting records for assets are compared with actual assets at reasonable intervals of time, and appropriate action is taken whenever there are found to be differences.
SPAMSOAP
Some years ago, a guideline of the UK Auditing Practices Board identified eight categories of internal (financial) controls, which can be remembered by the mnemonic SPAMSOAP.
• Segregation of duties: where possible, duties should be divided between two or more people.
• Physical controls: these are measures to protect assets against theft, loss or physical damage.
• Authorization & approval controls: these are controls over spending decisions and decisions to enter into transactions.
• Management controls: controls applied by management. An example is the system of budgeting.
• Supervision: controls can be applied by supervising the work done by employees.
• Organization controls: there should be lines of reporting from junior to senior staff.
• Arithmetical & accounting controls: examples are control total checks and bank reconciliation checks.
• Personnel controls: there should be controls over the selection and training of employees.
Types of Controls
In general, controls can be classified into:
• Directive – designed to encourage or cause a desirable outcome to be achieved
• Preventive – keep errors or irregularities from occurring
• Detective – search for and identify errors after they have occurred
• Corrective – designed to prevent recurrence of errors
Types of Controls (diagram) – RISKS: UNDESIRABLE EVENTS, addressed in turn by preventive, detective and corrective controls.
Directive
Broad in nature; can also be classified as preventive.
Examples:
• Job descriptions
• Policies and procedures
• Trainings
• Laws and regulations
• Meetings
Preventive
More cost effective than detective controls.
Examples:
• Segregation of duties
• Authorization / approval matrix
• Locking your office to prevent theft
Detective
More expensive than preventive controls but still essential to measure the effectiveness of preventive controls.
Examples:
• Reviews and comparisons
• Periodic physical inventory counts
• Supervisory reviews
• Exception reports
• Reconciling monthly account statements
Corrective
Used when improper outcomes occur and are detected. Usually the last recourse, but can be costly.
Examples:
• Disciplinary actions
• Filing suits in court
• Full restoration of a system backup files after evidence is found that data have been improperly altered
Reflection:
Observe USJR. What examples can you give for each of the three control categories?
• Operational controls
__________________________________
• Compliance controls
__________________________________
• Financial controls
__________________________________

Internal Control System, Defined
Means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
Components of internal control
The components:
• Control Environment
• Risk Assessment
• Information and Communication Systems
• Control Activities
• Monitoring
CONTROL ENVIRONMENT
Management’s & board of directors’ attitude, awareness, & actions regarding internal control.
Captures the importance of control in management’s operating style: the “tone at the top”.
Foundation for effective internal control, providing discipline and structure.
Control Environment (cont’d)
Factors reflected in the control environment include:
• Communication and enforcement of integrity and ethical values
• Commitment to competence
• Management philosophy and operating style
• Active participation of those charged with governance
• Personnel policies and procedures
• Assignment of responsibility and authority
• Organizational structure
RISK ASSESSMENT
Risk assessment is the process used by companies to identify and assess the risks that the company faces, and changes in those risks. The risk assessment process involves prioritising the risks, and (if possible) putting a quantitative measurement to them.
Risk assessment
Business risk – the risk that the entity’s business objectives will not be attained as a result of internal and external factors such as:
• Technological developments
• Changes in operating environment
• New personnel
• New or revamped information systems
• Rapid growth
• New business models, products, or activities
• Corporate restructurings
• Expanded foreign operations
• New accounting pronouncements
• Changes in customer demands
• Economic changes
Risk assessment: an example
A manufacturing company might categorise its operational risks as: selling and markets, delivery, production, and purchasing and resources. Most of these risk categories involve more than one function or department within the company. Selling and markets is an aspect of operations that affects not just the marketing department, but also research and development, quality control and customer services, and so on.
Risk assessment: a reflection
If you were to assess the risks for USJR, identify at least three risk categories, preferably spread across the different company objectives.
________________________________
________________________________
________________________________
________________________________
________________________________
________________________________
________________________________
INFORMATION AND COMMUNICATION SYSTEMS
Within a system of internal control, there must be a system for reporting to management information about risks, the effectiveness of controls, failures in control and the success of action to remove weaknesses in controls and reduce risks. The information provided needs to be timely, relevant and reliable.
Information and communication systems
Information system
• Financial reporting system
  • Consists of the procedures and records established to initiate, record, process, and report entity transactions and to maintain accountability for the related assets, liabilities, and equity.
• CLASSIFY, MEASURE, SUMMARIZE, DISCLOSE
Communication
• Involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
• Can be made electronically, orally, and through the actions of management.
CONTROL ACTIVITIES
Are the policies and procedures that help ensure that management directives are carried out.
• Performance Reviews
• Information Processing
• Proper authorization of transactions and activities
• Segregation of duties
• Adequate documents and records
• Safeguards over access to assets
• Independent checks on performance
• Physical Controls
• Segregation of Duties
  • Management (authorization)
  • Custody (transaction execution)
  • Accounting (recording transactions)
  • Monitoring (independent checks on performance)
CONTROL ACTIVITIES
Categories
• Preventive controls
  • Intended to prevent misstatement
• Detective controls
  • Detect misstatements that have occurred
Control Activities
Categories
General Controls
• Control activities that prevent or detect irregularities for all accounting systems
• Policies and procedures that relate to many applications and support the functioning of application controls by helping to ensure the continued proper operation of information systems.
• Examples: Controls over data center and network operations; system software acquisition, change, and maintenance; access security; application system acquisition, development, maintenance
Application Controls
• Controls that pertain to the processing of certain types of transaction.
• Controls that apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.
• Examples: Checking the arithmetical accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as edit checks of input data and numerical sequence checks, and manual follow up of exception reports.
Control Activities
Authorization
All transactions should be authorized by responsible personnel acting within the scope of prescribed authority and responsibility.
• Specific authorization
  • Required for each transaction
  • Typically unusual transactions
• General authorization
  • Policies, procedures for typical transactions
Segregation Of Duties
Optimum segregation of duties exists when collusion is necessary to circumvent controls.
Separate functions for:
• Custody (transaction execution)
• Authorization (management)
• Recording (accounting)
• Monitoring (independent checks on performance)
Design, Use Documents & Records
Evidence of executed transactions
• Represent an audit trail
Impact efficiency
• Designed for multiple use
• Prenumbered consecutively
• Easy to complete
Access To Assets & Records
Access limited to authorized personnel by:
• Locks for physical protection
• Limits on employee access online
• Codes to authorize access
Example of control activities (figure)
Monitoring
Process of assessing the quality of internal control performance over time. Involves assessing the design and operation of controls on a timely basis.
• Ongoing monitoring
  • For recurring activities
• Separate monitoring
  • Self-assessment performed by managers over the controls in their areas of responsibility
  • Independent checks performed by outsiders such as internal or independent auditors.
CASE ANALYSIS
CASE 1
In Yaya Company, operations director Ben Janoon recently realised there had been an increase in products failing the final quality checks. These checks were carried out in the QC (quality control) laboratory, which tested finished goods products before being released for sale. The product failure rate had risen from 1% of items two years ago to 4% now, and this meant an increase of hundreds of items of output a month which were not sold on to Yaya's customers. The failed products had no value to the company once they had failed QC as the rework costs were not economic. Because the increase was gradual, it took a while for Mr Janoon to realise that the failure rate had risen.
A thorough review of the main production operation revealed nothing that might explain the increased failure and so attention was focused instead on the QC laboratory. For some years, the QC laboratory at Yaya, managed by Jane Goo, had been marginalised in the company, with its two staff working in a remote laboratory well away from other employees. Operations director Ben Janoon, who designed the internal control systems in Yaya, rarely visited the QC lab because of its remote location. He never asked for information on product failure rates to be reported to him and did not understand the science involved in the QC process. He relied on the two QC staff, Jane Goo and her assistant John Zong, both of whom did have relevant scientific qualifications.
The two QC staff considered themselves low paid. Whilst in theory they reported to Mr Janoon, in practice, they conducted their work with little contact with colleagues. The work was routine and involved testing products against a set of compliance standards. A single signature on a product compliance report was required to pass or fail in QC and these reports were then filed away with no-one else seeing them.
It was eventually established that Jane Goo had found a local buyer to pay her directly for any of Yaya's products which had failed the QC tests. The increased failure rate had resulted from her signing products as having 'failed QC' when, in fact, they had passed. She kept the proceeds from the sales for herself, and also paid her assistant, John Zong, a proportion of the proceeds from the sale of the failed products.
Required:
(a) Explain the internal control deficiencies that led to the increased product failures at Yaya.
(b) Propose recommendations to address the internal control deficiencies noted.
end