Internal Control
October 13, 2011
The next three classes
1. Today, we will discuss the current business
environment and the importance of internal
control
2. Next, we will go over various control features and
characteristics and try to map those into
“procedures” we have seen so far in this course.
3. Then, we will discuss computer related control
issues.
4. Finally, we will discuss some control cases.
Internal Control in Today’s Business Environment
Rather than march through the history of internal control in accounting, I will start with today’s IC environment - Sarbanes-Oxley - and go backwards (but not that far).
Sarbanes-Oxley is a law that fundamentally changed the nature of the accounting profession, and its focus was on the “system” of internal control!
All of a sudden, this stuff I have been teaching became really, really important.
Sarbanes-Oxley
After Enron, Global Crossing, Adelphia, and WorldCom all exposed serious frauds in 2000/2001, Congress felt compelled to act. The result was the Sarbanes-Oxley Act of 2002. This act did primarily three things: it established a new oversight process for the public accounting profession, it required management of a company to explicitly take responsibility for fraud or even significant weaknesses in internal control (so they could not claim ignorance if a fraud occurred, as Ken Lay did), and it required that auditors specifically test and report on the strength of internal controls for publicly traded companies.
PCAOB
The PCAOB is the Public Company Accounting Oversight Board.
It is a five-member board that oversees public accounting, and three of its members cannot be CPAs. Prior to SOX (the Sarbanes-Oxley abbreviation), the Auditing Standards Board (of the AICPA) and the Financial Accounting Standards Board were the primary regulators of the industry. Of course, the SEC always had very strong influence. Now, however, there is DIRECT oversight by an independent board that does not reflect the views of the AICPA.
Section 302 of SOX
Section 302 of SOX requires that management certify their financial statements and disclose any material (we’ll talk about this term) weaknesses in internal control. This is new. Management can no longer say “it’s the auditor’s fault and the fault of the accounting department.” They are now responsible and can go to prison for up to 20 years or pay fines up to $5 million.
Section 404 of SOX
Public companies must have a new report, attested to by the auditor, that contains management’s assessment and the auditor’s attestation of the system of internal control. The auditor must disclose the nature of their internal control tests.
While SOX does not explicitly hold the auditor more responsible for the conduct of their audit, the general feeling is that auditor exposure has increased. Many researchers are finding that auditors are now pricing audit risk into their audits when internal controls are not sufficient... This is NEW!
Audit Committee
• The audit committee is a subset of the board of directors of a
company that hires and interfaces with the auditor.
• Think about the auditor for a moment. The auditor is hired by a
company to investigate the company and tell everyone whether their
financial statements are accurate (and honestly reported). This is a
big conflict of interest.
• The audit committee isolates the auditor a bit more from the
influence of management.
• Audit committees have been required for some time, but SOX has
strengthened the separation between management and the auditor.
• Audit committees:
  – Hire, compensate, and oversee the external auditor
  – The external auditor reports directly to the audit committee
  – Every member must be independent of management and must sit on the board of directors.
  – One member must be a financial expert (such as an accountant).
What is the auditor’s responsibility?
• Prior to the 1970s, the auditor was primarily responsible for
identifying errors and correcting them.
• The nature of errors and fraud is quite different - even if their impact on the financial statements is the same.
  – Errors do not attempt to hide themselves, whereas fraud is, by definition, hidden.
  – Errors are not expected to be really significant in amount (or if they are, they are typically discovered and corrected very easily), whereas frauds are frequently huge.
  – Auditors are rarely accused of negligence for not discovering “errors.”
• With SAS 83 and SAS 99, the auditor’s responsibility for
identifying and reporting fraud was increased.
• SOX REALLY increased this responsibility!
How do we think about internal control?
(how do we structure our evaluation?)
• COBIT (Control Objectives for Information and related
Technologies) developed by the Information Systems Audit
and Control Foundation
• Three dimensions
  – Business objectives: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability
  – IT resources: people, software, technology, facilities, and data
  – IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring.
• Mainly focuses on COMPUTER SYSTEMS CONTROL
How do we think about internal control?
(how do we structure our evaluation?)
• COSO (Committee of Sponsoring Organizations)
• COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.
• COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.
How do we think about internal control?
(how do we structure our evaluation?)
• The National Commission was jointly sponsored by the five major financial professional associations in the United States:
  – American Accounting Association
  – American Institute of Certified Public Accountants
  – Financial Executives Institute
  – Institute of Internal Auditors
  – National Association of Accountants (now the Institute of Management Accountants).
• The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.
We will focus on COSO
• 1992 Integrated Framework
• 2004 Enterprise Risk Management
Framework - an update
COSO - Integrated Framework (1992)
There are five components of control
• Control environment - tone of the organization
• Risk assessment - what internal and external risks might
allow fraud or errors to arise
• Control activities - policies and procedures in place to
prevent errors or fraud.
• Information and communication - financial statements as well
as policy manuals and other structural communications
• Monitoring - checking to see if things are working as they
should
We now talk about each of these separately…
Control Environment
• Integrity and ethical values
  – If employees see top management engaging in unethical behavior, they are more likely to commit irregularities themselves.
• Commitment to competence
  – Employees should be competent to perform their duties, and sufficient supervision should be provided.
• Board of directors and audit committee should be involved (active) and independent.
  – This is now explicitly required by SOX.
• Management philosophy and operating style
  – Is management risk-seeking? Are they fair in dealing with subordinates? Look at Enron’s style, for example.
• Organizational structure and assignment of responsibility.
  – Are managers accountable for their actions? Is there any monitoring of their activities? How formal is the organizational structure? Do employees know that they will be held accountable and that someone is watching what they do?
• HR policies
  – Well documented policies and open-door policies reduce the likelihood of serious irregularities. Communication is important here.
Risk assessment
Management needs to assess the likelihood that
various bad things (exposures) might happen. They
then need to have a plan of action that will either
decrease the likelihoods of errors and irregularities
or mitigate the damage if something bad does
happen.
Control Activities
This will take several slides - since it is the meat of internal control.
• Authorization
  – General authorization is the authorization that follows most typical transactions. For example, every time a sales order is accepted (approved), an accounts receivable clerk must look the customer up in the customer file and check to see that the customer has sufficient credit to allow the transaction.
  – Specific authorization is the authorization that is needed for extraordinary or atypical transactions. For example, the controller must approve any sale of fixed assets, or the accounts receivable manager must approve credit sales over $10,000.
• Security for Assets and Records
  – Typically, we are talking about restricting physical access to assets or sensitive data here. Also, a specific individual should be held responsible (accountable) for valuable assets and sensitive data. There should be a specific individual to whom you turn if there is a problem.
Control Activities
• Segregation of duties
  – As we saw in the videos, certain activities should be performed by different people. This does two things. First, it provides a CHECK on the system. If one person makes an error, it will likely be caught by the next person in the chain. Also, though, it prevents an individual from stealing and then covering it up by altering the accounting documents (an on-book fraud). Recording should be separated from authorization and custody. We call these incompatible functions.
• Adequate documents and records
  – The document trail or audit trail is how we find out what happened after the fact. We need to preserve the integrity of the document trail.
  – Forms control and numbered documents: we should maintain control over the “recording function”. Part of this relates to using prenumbered documents. If documents are numbered, then they can all be accounted for and we can make sure that no one was able to slip in a bogus document/transaction to cover up a theft or to create fictitious income.
  – We should also have well-defined procedures for how documents are handled, such as canceling checks or other documents and who may sign off on certain documents.
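The authorization, segregation-of-duties and prenumbered-document controls above, as an added example that is not part of the lecture: a Python audit run over a constructed sales-order log. The record fields, the role names, the "ar_clerk"/"bookkeeper"/"warehouse" people and the "ar_manager" approver are assumptions; only the $10,000 threshold and the three incompatible functions come from the slides.

```python
from collections import Counter

# Constructed sample of prenumbered sales orders (assumed fields, not from the lecture):
# who approved, recorded and shipped each order, and the customer's remaining credit.
ORDERS = [
    {"doc": 1001, "amount": 4000, "credit_left": 9000, "approved_by": "ar_clerk",
     "recorded_by": "bookkeeper", "custodian": "warehouse"},
    {"doc": 1002, "amount": 12000, "credit_left": 20000, "approved_by": "ar_clerk",
     "recorded_by": "bookkeeper", "custodian": "warehouse"},   # needs AR manager
    {"doc": 1003, "amount": 2500, "credit_left": 1000, "approved_by": "ar_clerk",
     "recorded_by": "bookkeeper", "custodian": "warehouse"},   # exceeds credit
    {"doc": 1005, "amount": 800, "credit_left": 5000, "approved_by": "bob",
     "recorded_by": "bob", "custodian": "bob"},                 # one person; 1004 never appears
    {"doc": 1005, "amount": 800, "credit_left": 5000, "approved_by": "ar_clerk",
     "recorded_by": "bookkeeper", "custodian": "warehouse"},   # number used twice
]

SPECIFIC_AUTH_THRESHOLD = 10_000   # the lecture's $10,000 credit-sale limit
AR_MANAGERS = {"ar_manager"}       # assumed: who may grant specific authorization

def check_authorization(o):
    """General authorization: credit check. Specific: large sales need a manager."""
    findings = []
    if o["amount"] > o["credit_left"]:
        findings.append(f"{o['doc']}: sale exceeds available credit")
    if o["amount"] > SPECIFIC_AUTH_THRESHOLD and o["approved_by"] not in AR_MANAGERS:
        findings.append(f"{o['doc']}: over threshold without AR manager approval")
    return findings

def check_segregation(o):
    """Authorization, recording and custody are incompatible functions."""
    people = {o["approved_by"], o["recorded_by"], o["custodian"]}
    return [] if len(people) == 3 else [f"{o['doc']}: incompatible duties combined"]

def check_sequence(orders):
    """Prenumbered documents: every number in the range must appear exactly once."""
    counts = Counter(o["doc"] for o in orders)
    missing = sorted(set(range(min(counts), max(counts) + 1)) - set(counts))
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates

def audit(orders):
    """Run every control-activity check and return the list of findings."""
    findings = []
    for o in orders:
        findings += check_authorization(o) + check_segregation(o)
    missing, duplicates = check_sequence(orders)
    findings += [f"{n}: document number missing from sequence" for n in missing]
    findings += [f"{n}: document number used more than once" for n in duplicates]
    return findings
```

Calling `audit(ORDERS)` on the sample yields five findings: one credit breach, one unapproved large sale, one person holding all three duties, a gap at 1004 and a duplicate 1005.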
Information and communication
• Double entry system and financial statements are the crux of this
component, but it also includes policy manuals, the chart of
accounts, trial balances, and other “accounting” things that we have
done all along.
• Double entry system
  – Any time someone steals inventory (or some other asset), they must debit some account or debits will not equal credits. What can they debit? The videos suggested that an expense is the most likely target - so you know where to look.
• Chart of accounts
  – By fixing the number of possible types of entries, there is a fixed number of possible places that a person can attempt to hide a theft.
• Trial balance
  – A trial balance identifies certain types of errors.
• Control accounts
  – Control accounts summarize the activities in subsidiary accounts and should reconcile with the totals of the subsidiary accounts.
Monitoring
• Internal auditing and external auditing obviously monitor the operations of a company.
• Internal auditors are more critical here since they are there ALL THE TIME. The problem is, the only thing they have at stake is their jobs, and they work for the company - so they lack the independent perspective of the external auditors.
• On the other hand, the external auditors only observe what they are permitted to observe. They can be manipulated by management. They have a much larger role now, though. They must actually attest to the strength of controls.
The “cube” from 1992
The “cube” from 2004
COSO ERM framework 2004
• In 2004, COSO updated the framework to what they call the Enterprise Risk Management Framework. The idea is that we need to expand the risk assessment/risk planning part of the framework.
• This Enterprise Risk Management – Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.
• While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.
• Among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value. This report will better enable them to meet this challenge.
Enterprise Risk Management defined…
Enterprise risk management is a process, effected
by an entity’s board of directors, management and
other personnel, applied in strategy setting and
across the enterprise, designed to identify potential
events that may affect the entity, and manage risk
to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives.