Internal Control
October 13, 2011

The next three classes
1. Today, we will discuss the current business environment and the importance of internal control.
2. Next, we will go over various control features and characteristics and try to map those onto the “procedures” we have seen so far in this course.
3. Then, we will discuss computer-related control issues.
4. Finally, we will discuss some control cases.

Internal Control in Today’s Business Environment
Rather than march through the history of internal control in accounting, I will start with today’s IC environment - Sarbanes-Oxley - and go backwards (but not that far).
Sarbanes-Oxley is a law that fundamentally changed the nature of the accounting profession, and its focus was on the “system” of internal control! All of a sudden, this stuff I have been teaching became really, really important.

Sarbanes-Oxley
After Enron, Global Crossing, Adelphia, and WorldCom all exposed serious frauds in 2000/2001, Congress felt compelled to act. The result was the Sarbanes-Oxley Act of 2002. This act did primarily three things: it established a new oversight process for the public accounting profession; it required management of a company to explicitly take responsibility for fraud or even significant weaknesses in internal control (so they could not claim ignorance if a fraud occurred, as Ken Lay did); and it requires that auditors specifically test and report on the strength of internal controls for publicly traded companies.

PCAOB
The PCAOB is the Public Company Accounting Oversight Board. It is a five-member board that oversees public accounting; three of its members cannot be CPAs. Prior to SOX (the Sarbanes-Oxley abbreviation), the Auditing Standards Board (of the AICPA) and the Financial Accounting Standards Board were the primary regulators of the industry. Of course, the SEC always had very strong influence. Now, however, there is DIRECT oversight by an independent board that does not reflect the views of the AICPA.
Section 302 of SOX
Section 302 of SOX requires that management certify their financial statements and disclose any material (we’ll talk about this term) weaknesses in internal control. This is new. Management can no longer say “it’s the auditor’s fault and the fault of the accounting department.” They are now responsible and can go to prison for up to 20 years or pay fines of up to $5 million.

Section 404 of SOX
Public companies must have a new report, attested to by the auditor, that contains management’s assessment and the auditor’s attestation of the system of internal control. The auditor must disclose the nature of their internal control tests. While SOX does not explicitly hold the auditor more responsible for the conduct of their audit, the general feeling is that auditor exposure has increased. Many researchers are finding that auditors are now pricing audit risk into their audits when internal controls are not sufficient. This is NEW!

Audit Committee
• The audit committee is a subset of the board of directors of a company that hires and interfaces with the auditor.
• Think about the auditor for a moment. The auditor is hired by a company to investigate the company and tell everyone whether its financial statements are accurate (and honestly reported). This is a big conflict of interest.
• The audit committee isolates the auditor a bit more from the influence of management.
• Audit committees have been required for some time, but SOX has strengthened the separation between management and the auditor.
• Audit committees:
  – Hire, compensate, and oversee the external auditor.
  – The external auditor reports directly to the audit committee.
  – Every member must be independent of management and must sit on the board of directors.
  – One member must be a financial expert (such as an accountant).

What is the auditor’s responsibility?
• Prior to the 1970s, the auditor was primarily responsible for identifying errors and correcting them.
• The nature of errors and fraud is quite different - even if their impact on the financial statements is the same.
  – Errors do not attempt to hide themselves, whereas fraud is, by definition, hidden.
  – Errors are not expected to be really significant in amount (or if they are, they are typically discovered and corrected very easily), whereas frauds are frequently huge.
  – Auditors are rarely accused of negligence for not discovering “errors.”
• With SAS 82 (1997) and SAS 99 (2002), both titled Consideration of Fraud in a Financial Statement Audit, the auditor’s responsibility for identifying and reporting fraud was increased.
• SOX REALLY increased this responsibility!

How do we think about internal control? (how do we structure our evaluation?)
• COBIT (Control Objectives for Information and related Technology), developed by the Information Systems Audit and Control Foundation
• Three dimensions
  – Business objectives (COBIT calls these information criteria): effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability
  – IT resources: people, software, technology, facilities, and data
  – IT processes (four domains): planning and organization, acquisition and implementation, delivery and support, and monitoring.
• Mainly focuses on COMPUTER SYSTEMS CONTROL

How do we think about internal control? (how do we structure our evaluation?)
• COSO (Committee of Sponsoring Organizations of the Treadway Commission)
• COSO is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.
• COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission), an independent private-sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

How do we think about internal control? (how do we structure our evaluation?)
• The National Commission was jointly sponsored by the five major financial professional associations in the United States:
  – American Accounting Association
  – American Institute of Certified Public Accountants
  – Financial Executives Institute
  – Institute of Internal Auditors
  – National Association of Accountants (now the Institute of Management Accountants).
• The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

We will focus on COSO
• 1992 Integrated Framework
• 2004 Enterprise Risk Management Framework - an update

COSO - Integrated Framework (1992)
There are five components of control:
• Control environment - tone of the organization
• Risk assessment - what internal and external risks might allow fraud or errors to arise
• Control activities - policies and procedures in place to prevent errors or fraud
• Information and communication - financial statements as well as policy manuals and other structural communications
• Monitoring - checking to see if things are working as they should
We now talk about each of these separately…

Control Environment
• Integrity and ethical values
  – If employees see top management engaging in unethical behavior, they are more likely to commit irregularities themselves.
• Commitment to competence
  – Employees should be competent to perform their duties, and sufficient supervision should be provided.
• Board of directors and audit committee should be involved (active) and independent.
  – This is now explicitly required by SOX.
• Management philosophy and operating style
  – Is management risk-seeking? Are they fair in dealing with subordinates? Look at Enron’s style, for example.
• Organizational structure and assignment of responsibility
  – Are managers accountable for their actions? Is there any monitoring of their activities? How formal is the organizational structure?
  – Do employees know that they will be held accountable and that someone is watching what they do?
• HR policies
  – Well-documented policies and open-door policies reduce the likelihood of serious irregularities. Communication is important here.

Risk assessment
Management needs to assess the likelihood that various bad things (exposures) might happen. They then need to have a plan of action that will either decrease the likelihood of errors and irregularities or mitigate the damage if something bad does happen.

Control Activities
This will take several slides - since it is the meat of internal control.
• Authorization
  – General authorization is the authorization that covers most typical transactions. For example, every time a sales order is accepted (approved), an accounts receivable clerk must look the customer up in the customer file and check that the customer has sufficient credit to allow the transaction.
  – Specific authorization is the authorization that is needed for extraordinary or atypical transactions. For example, the controller must approve any sale of fixed assets, or the accounts receivable manager must approve credit sales over $10,000.
• Security for Assets and Records
  – Typically, we are talking about restricting physical access to assets or sensitive data here. Also, a specific individual should be held responsible (accountable) for valuable assets and sensitive data. There should be a specific individual to whom you turn if there is a problem.

Control Activities
• Segregation of duties
  – As we saw in the videos, certain activities should be performed by different people. This does two things. First, it provides a CHECK on the system: if one person makes an error, it will likely be caught by the next person in the chain. Second, it prevents an individual from stealing and then covering it up by altering the accounting documents (an on-book fraud). Recording should be separated from authorization and custody.
    We call these incompatible functions.
• Adequate documents and records
  – The document trail or audit trail is how we find out what happened after the fact. We need to preserve the integrity of the document trail.
  – Forms control and numbered documents: we should maintain control over the “recording function”. Part of this relates to using prenumbered documents. If documents are numbered, then they can all be accounted for, and we can make sure that no one was able to slip in a bogus document/transaction to cover up a theft or to create fictitious income.
  – We should also have well-defined procedures for how documents are handled, such as canceling checks or other documents and who may sign off on certain documents.

Information and communication
• The double-entry system and the financial statements are the crux of this component, but it also includes policy manuals, the chart of accounts, trial balances, and other “accounting” things that we have done all along.
• Double-entry system
  – Any time someone steals inventory (or some other asset), they must debit some account or debits will not equal credits. What can they debit? The videos suggested that an expense is the most likely target - so you know where to look.
• Chart of accounts
  – By fixing the number of possible types of entries, there is a fixed number of possible places where a person can attempt to hide a theft.
• Trial balance
  – A trial balance identifies certain types of errors.
• Control accounts
  – Control accounts summarize the activities in subsidiary accounts and should reconcile with the totals of the subsidiary accounts.

Monitoring
• Internal auditing and external auditing obviously monitor the operations of a company.
• Internal auditors are more critical here since they are there ALL THE TIME.
• The problem is, the only thing they have at stake is their jobs, and they work for the company - so they lack the independent perspective of the external auditors.
• On the other hand, the external auditors only observe what they are permitted to observe. They can be manipulated by management.
• They have a much larger role now, though. They must actually attest to the strength of controls.

The “cube” from 1992

The “cube” from 2004

COSO ERM framework 2004
• In 2004, COSO updated the framework to what they call the Enterprise Risk Management Framework.
• The idea is that we need to expand the risk assessment/risk planning part of the framework.
• This Enterprise Risk Management – Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. It is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it; companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.
• Among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value. This report will better enable them to meet this challenge.

Enterprise Risk Management defined…
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
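Two of the control activities from the slides above, segregation of duties and accounting for every prenumbered document, are the kind of test an internal auditor (or a monitoring system) can run automatically over a transaction log rather than by sampling paper. The following is an added example, not part of the lecture or of any COSO or COBIT material. It constructs a small sample log of sales-order events (document number, the function performed, the user, the amount), assumes that sales orders 1001 through 1006 were issued, and checks the log for gaps, duplicates and never-issued numbers in the recorded sequence, and for any user who performed two incompatible functions on the same document. The event fields, the function names and the incompatibility pairs are assumptions made for the example.

```python
"""Two control activities implemented as automated checks over a constructed
transaction log (added example; not from the lecture slides):

  1. Prenumbered documents: every number in the issued range must be
     accounted for exactly once, and nothing outside the range may appear.
  2. Segregation of duties: no single user may perform two incompatible
     functions (authorize, record, custody) on the same document.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption for the example: recording, authorization and custody are
# pairwise incompatible, as the slides state.
INCOMPATIBLE = [
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"record", "custody"}),
]


@dataclass(frozen=True)
class Event:
    doc_no: int      # prenumbered sales-order number
    function: str    # "authorize", "record" or "custody"
    user: str
    amount: float


# Constructed sample log. Assumption: sales orders 1001-1006 were issued.
FIRST_ISSUED, LAST_ISSUED = 1001, 1006
EVENTS = [
    Event(1001, "authorize", "alice", 420.00),
    Event(1001, "record",    "bob",   420.00),
    Event(1001, "custody",   "carol", 420.00),
    Event(1002, "authorize", "alice", 75.50),
    Event(1002, "record",    "bob",   75.50),
    Event(1002, "custody",   "carol", 75.50),
    # 1003 is never recorded: a gap in the prenumbered sequence.
    Event(1004, "authorize", "alice", 9800.00),
    Event(1004, "record",    "alice", 9800.00),   # alice approved and booked it
    Event(1004, "custody",   "carol", 9800.00),
    Event(1005, "authorize", "dave",  310.00),
    Event(1005, "record",    "bob",   310.00),
    Event(1005, "record",    "bob",   310.00),    # 1005 booked twice
    Event(1005, "custody",   "dave",  310.00),    # dave approved and shipped it
    Event(1006, "authorize", "alice", 58.25),
    Event(1006, "record",    "bob",   58.25),
    Event(1006, "custody",   "carol", 58.25),
    Event(1099, "record",    "bob",   2500.00),   # number outside the issued range
]


def document_sequence_check(events, first, last):
    """Account for every prenumbered document via its 'record' event.

    Returns (missing, duplicated, out_of_range): numbers in the issued range
    that were never recorded, numbers recorded more than once, and recorded
    numbers that were never issued (a slipped-in bogus document).
    """
    counts = Counter(e.doc_no for e in events if e.function == "record")
    missing = [n for n in range(first, last + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    out_of_range = sorted(n for n in counts if not first <= n <= last)
    return missing, duplicated, out_of_range


def segregation_violations(events):
    """Find users who performed incompatible functions on the same document.

    Returns {(doc_no, user): sorted list of functions that user performed}.
    """
    functions = defaultdict(set)
    for e in events:
        functions[(e.doc_no, e.user)].add(e.function)
    return {
        key: sorted(funcs)
        for key, funcs in functions.items()
        if any(pair <= funcs for pair in INCOMPATIBLE)
    }


if __name__ == "__main__":
    missing, duplicated, bogus = document_sequence_check(EVENTS, FIRST_ISSUED, LAST_ISSUED)
    print("missing:", missing, "duplicated:", duplicated, "never issued:", bogus)
    for (doc, user), funcs in sorted(segregation_violations(EVENTS).items()):
        print(f"segregation violation: {user} performed {funcs} on document {doc}")
```

On the sample log this flags document 1003 as missing, 1005 as recorded twice, 1099 as never issued, and two segregation violations: alice authorized and recorded document 1004, and dave authorized and had custody of 1005. bob recording 1005 twice is a sequence problem, not a segregation problem, since he performed only one function. In a real ERP the same two checks would read the posting tables and the user-activity audit log instead of an inline list; the point is that both controls reduce to completeness over a known number range and a per-document join of user to function.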