Chapter 13

Control and Accounting
Information Systems
Introduction
• Control - the process of exercising a
restraining or directing influence over the
activities of an object, organism, or system
– The goal is to prevent losses from the many
possible hazards that businesses face.
• The accountant’s job is to take a proactive
approach to eliminating threats and to detect,
correct, and recover from threats if they occur.
Introduction
• Threat - any potential adverse occurrence or
unwanted event that could injure either the
AIS or the organization
• Exposure - the potential dollar loss of a
particular threat if that threat occurs
• Risk - the likelihood that the threat will
actually come to pass
Overview of Control Concepts
• Historical developments
– 1949 - AIA
– 1958 - SAP No. 29
– 1972 - SAP No. 54
– 1977 - Foreign Corrupt Practices Act
– 1981 - Research Foundation of the FEI
– 1988 - SAS No. 55
– 1992 - Committee of Sponsoring Organizations
(COSO)
Overview of Control Concepts
• Internal control - the plan of organization and
the methods a business uses to safeguard assets,
provide accurate and reliable information,
promote and improve operational efficiency, and
encourage adherence to prescribed management
policies
• Management control - designed to reduce errors
and irregularities and help employees achieve
goals by following policies
Overview of Control Concepts
• Administrative controls - help ensure
operational efficiency and adherence to
managerial policies
• Accounting controls - safeguard assets and
ensure the reliability of accounting records
• Internal control structure - policies and
procedures established to provide reasonable
assurance that objectives will be achieved
Overview of Control Concepts
• Internal control classifications
– Preventive, Detective, and Corrective
– Feedback and Feedforward
– General and Application
– Input, Processing, and Output
Internal Control Classifications
• Preventive - designed to stop problems before
they arise
• Detective - designed to find problems if they
arise
• Corrective - designed to fix problems once they
are found
– Find the cause of the problems
– Correct the results of the problem
– Modify the system to keep the problem from
happening again
Internal Control Classifications
• Feedback controls - measure a process and
correct it when deviations from normal
occur
• Feedforward controls - monitor a process
and inputs to that process and try to predict
potential problems
Internal Control Classifications
• General controls - ensure that the control
environment is stable and well managed to
enhance the effectiveness of application
controls
• Application controls - used to prevent,
detect, and correct errors and irregularities
during processing
Internal Control Classifications
• Input controls - ensure that only accurate,
valid, and authorized data are entered into
the system
• Processing controls - ensure that all data are
processed completely and accurately and all
applicable files are updated correctly
• Output controls - ensure that output is
properly controlled
The Foreign Corrupt
Practices Act
• Passed by Congress in 1977 in response to a
bribery scandal
– Primary purpose was to prevent the bribery of
foreign officials in order to obtain business
– Significant effect was to require all publicly
traded companies to have a good system of
internal controls
The Foreign Corrupt
Practices Act
• Requires all SEC registrants to have a system
that provides reasonable assurance that:
– Transactions are executed with management’s
authorization
– Transactions are recorded to permit preparation of
financial statements and maintain accountability for
assets
– Access to assets is permitted only with authorization
– Recorded assets are compared to existing assets and
action taken with respect to differences
Committee of Sponsoring
Organizations (COSO)
• Defined internal control as the process
implemented to provide reasonable assurance
that control objectives are achieved with
regard to:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
Committee of Sponsoring
Organizations (COSO)
• Five interrelated components of internal
control:
– Control environment
– Control activities
– Risk assessment
– Information and communication
– Monitoring
The Control Environment
• Management philosophy and operating style
– Employees follow the lead of management.
– Assessing management’s philosophy:
• Does management take undue risks to achieve
objectives?
• Does management attempt to manipulate
performance measures to make the company look
better?
• Does management pressure employees to achieve
results regardless of the methods required?
The Control Environment
• Organizational structure - defines the lines of
authority and responsibility and provides the
overall framework for how things are done
• Audit Committee of the Board of Directors -
composed entirely of outside directors
(directors who are not employees of the
company) - provides an independent review of
management
The Control Environment
• Methods of assigning authority and
responsibility - job descriptions, employee
training, and operating plans, schedules, and
budgets
– Formal code of conduct addresses issues such as
ethics, acceptable business practices, and conflicts
of interest.
– Written policy and procedures manuals spell out
exactly what is expected of employees.
The Control Environment
• Human resources policies and procedures -
rules for hiring, evaluating, compensating, and
promoting employees
– Hire and promote employees based on performance.
– Background checks on applicants are very
important.
• External influences - FASB or SEC
requirements and government regulations
Control Activities
• Control activities - rules that provide reasonable
assurance that management’s control objectives
are achieved.
• Five categories:
– Proper authorization of transactions and activities
– Separation of duties
– Design and use of adequate documents and records
– Adequate safeguards over assets and records
– Independent checks on performance
Control Activities
• Proper authorization
– General authorization - authorize employees to
handle routine transactions without explicit
approval from management (daily sales)
– Specific authorization - require employees to
obtain approval for unusual or large
transactions (sale in excess of a certain amount,
write off of an A/R over a certain amount)
Control Activities
• Separation of duties - no single employee
should have too much responsibility - must
separate the authorization, recording and
custody of assets involved in a transaction
• Documents and records - help to ensure
accurate and complete recording of all
relevant data about transactions and events
– Keep forms simple and include room for
authorization
Control Activities
• Safeguarding of assets - both physical assets
and information
– Supervise and separate duties
– Maintain accurate records
– Restrict physical access to assets
– Restrict access to certain critical locations
– Physically protect documents and records
– Control the environment
– Restrict access to systems with passwords
Control Activities
• Independent checks
– Reconciliation of two independent sets of records
– Comparison of actual quantities to recorded
amounts
– Double-entry accounting
– Batch totals (financial total, hash total, record
count, line count, cross-footing balance test)
– Independent review for authorization, supporting
documentation, and accuracy
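The batch totals listed above, worked through as an added example (not part of the original slides). The record layout, customer numbers and amounts are constructed for illustration; the keyed batch carries one transposed customer number, which only the hash total exposes.

```python
from decimal import Decimal as D

# Constructed sample batch: (customer_no, gross, discount, net) per invoice line.
PREPARED = [
    (10021, D("500.00"), D("0.00"), D("500.00")),
    (10047, D("250.50"), D("10.50"), D("240.00")),
    (10102, D("1000.00"), D("50.00"), D("950.00")),
    (10044, D("140.50"), D("0.00"), D("140.50")),
]
# Control totals taken independently when the batch was prepared (constructed).
CONTROL = {"record_count": 4, "financial_total": D("1830.50"), "hash_total": 40214}

# The same batch after data entry, with customer 10102 keyed as 10120.
KEYED = [(10120,) + r[1:] if r[0] == 10102 else r for r in PREPARED]


def batch_totals(records):
    """Recompute the control totals from the records actually processed."""
    return {
        "record_count": len(records),
        # Financial total: sum of a dollar field (net amount).
        "financial_total": sum((r[3] for r in records), D("0")),
        # Hash total: sum of a non-financial field, meaningless except as a check.
        "hash_total": sum(r[0] for r in records),
    }


def cross_foots(records):
    """Cross-footing balance test: column totals must agree (gross - discount = net)."""
    gross = sum((r[1] for r in records), D("0"))
    discount = sum((r[2] for r in records), D("0"))
    net = sum((r[3] for r in records), D("0"))
    return gross - discount == net


def check_batch(control, records):
    """Return {total_name: (expected, computed)} for every total that disagrees."""
    computed = batch_totals(records)
    diffs = {k: (control[k], computed[k]) for k in control if control[k] != computed[k]}
    if not cross_foots(records):
        diffs["cross_footing"] = ("balanced", "out of balance")
    return diffs


if __name__ == "__main__":
    print("prepared:", check_batch(CONTROL, PREPARED))
    print("keyed:   ", check_batch(CONTROL, KEYED))
```

The record count and financial total both pass on the keyed batch, so without the hash total the invoice would post to the wrong customer unnoticed.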
Risk Assessment
• Steps in assessing risk:
– Identify threats - natural or manmade
– Estimate the risk - likelihood that a threat will
happen
– Estimate exposure - potential dollar loss
– Identify controls - consider effectiveness and
timing
– Estimate costs and benefits - design to provide
reasonable assurance
– Determine cost/benefit effectiveness
Risk Assessment
• Compliance with the Foreign Corrupt
Practices Act
– Document existing control system
– Evaluate the quality of the internal control
system - within bounds of reasonable assurance
– Evaluate the costs and benefits of instituting
controls
– Weigh the costs and benefits to determine
whether more control is needed
Information and Communication
• The primary purpose of an AIS is to record,
process, store, and communicate information
about an organization; therefore, accountants
must understand:
– how transactions are initiated
– how data are captured
– how computer files are accessed and updated
– how data are processed to prepare information
– how information is reported to internal users and
external parties
Information and Communication
• According to the AICPA, an AIS has 5
primary objectives
– Identify and record all valid transactions
– Properly classify transactions
– Record transactions at their proper value
– Record transactions in the proper period
– Properly present transactions and related
disclosures in the financial statements
Monitoring Performance
• Effective supervision - training and assisting
employees, monitoring performance, correcting
errors, and safeguarding assets by overseeing
employees who have access to them
• Responsibility reporting - use of budgets,
quotas, standard costs, and investigation of
variances
Monitoring Performance
• Internal auditing - reviewing the reliability of
financial and operating information and
providing an appraisal of internal control
effectiveness
– Also involves assessing employee compliance with
policies and procedures and applicable laws and
regulations and assessing the efficiency and
effectiveness of management
– Internal audit must be separate from accounting and
operating functions of the organization