自成咨询

Section D. Internal Controls (15%)

1. Risk assessment, controls, and risk management
   a. Internal control structure and management philosophy
   b. Internal control policies for safeguarding and assurance
   c. Internal control risk
   d. Implications of the Sarbanes-Oxley Act of 2002
   e. U.S. Foreign Corrupt Practices Act internal control requirements
   f. COSO Internal Control Framework
2. Internal auditing
   a. Responsibility and authority of the internal audit function
   b. Types of audits conducted by internal auditors
3. Systems controls and security measures
   a. General accounting system controls
   b. Application and transaction controls
   c. Network controls
   d. Flowcharting to assess controls
   e. Backup controls
   f. Disaster recovery procedures

D.1. Risk assessment, controls, and risk management
   a. Internal control structure and management philosophy
   b. Internal control policies for safeguarding and assurance
   c. Internal control risk
   d. Implications of the Sarbanes-Oxley Act of 2002
   e. U.S. Foreign Corrupt Practices Act internal control requirements
   f. COSO Internal Control Framework

Risk and Control Environment (topics a, c and f)

Risks
• Unforeseen obstacles to the pursuit of objectives
• Originate within or outside the organization
• Examples
  – Hacker breaking into a university's information systems
  – CEO bribing a member of Congress to introduce legislation
  – Foreign government overthrown → assets in that country expropriated
  – Accounts payable clerk establishes fictitious vendors
  – Spiking interest rates → long-term capital projects become unprofitable
  – New technology → premier products become obsolete
  – Government regulations reduced → new competitors enter

Risk assessment
• Identifying the vulnerabilities (weaknesses) of the organization
• Systems of internal control involve tradeoffs between cost and benefit
  – No system is 100% effective
  – Risk can be mitigated, not eliminated

Risk management
• Designing and operating internal controls that mitigate the identified risks

Risk
• Combination of
  – Severity of consequences
  – Likelihood of occurrence
• Expected value of loss due to risk exposure, stated numerically: Severity of consequences × Likelihood of occurrence

  Event                                        | Consequences                                        | Likelihood
  Minor penetration                            | Annoyance                                           | 90%
  Unauthorized viewing of internal databases   | Public embarrassment, loss of customer confidence   | 8%
  Unauthorized alteration of internal databases| PR crisis, customer defection                       | 2%

AICPA audit risk model
• Inherent risk (IR) – susceptibility of objectives to obstacles arising from the nature of the objective
• Control risk (CR) – risk that controls will fail to prevent an obstacle from interfering with achievement of the objective
• Detection risk (DR) – risk that an obstacle to the objective will not be detected before a loss occurs
• Total risk (TR) = IR × CR × DR

System of internal control
• Helps manage risks
• SMA 2A, Management Accounting Glossary – "The whole system of controls (financial and otherwise) established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets, and ensure as far as possible the completeness and accuracy of the records."
• Proper design and operation is management's responsibility
• Sarbanes-Oxley, Section 404 requires publicly traded companies to issue a report stating that
  – Management takes responsibility for establishing and maintaining the firm's system of internal controls
  – The system has functioned effectively over the reporting period

PCAOB approach
• PCAOB
  – Governed by the SEC
  – Issues auditing standards
• Requires the auditor to express an opinion on both internal control and the fair presentation of the financial report

Components of internal control

Internal control – COSO Framework
• "Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in the following categories:
  – Effectiveness and efficiency of operations
  – Reliability of financial reporting
  – Compliance with applicable laws and regulations

COSO Framework (cube diagram: objective categories × components × organizational units)
• Components
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information & Communication
  – Monitoring
• Control environment factors
  1. Organizational structure
  2. Policies
  3. Objectives, goals
  4. Management philosophy, operating style
  5. Assignment philosophy, operating style

COSO Framework (diagram: IC Framework vs. ERM Framework)

Control environment
• Components
  – 1. Organizational structure
    • Lines of reporting and authority designed so that incompatible duties are not combined in the same job function
    • Facilitates independent checks on performance
  – 2. Policies
    • Stated principles that require, guide, or restrict action
    • Promote the conduct of authorized activities
    • Provide a satisfactory degree of assurance
    • Procedures: detailed steps for carrying out the policies
  – 3. Objectives, goals
    • Realistic, achievable goals that do not tempt management to cross ethical boundaries
  – 4. Management philosophy, operating style
    • Manifests in everyday actions: financial reporting, accounting estimates, selection of accounting principles
    • Integrity and ethical values affect all aspects of control; ethical behavior results from the standards set, the way they are transmitted, and how they are reinforced
    • Management creates a better risk management atmosphere by removing incentives for dishonest, illegal, or unethical behavior and by setting an example in its own behavior
  – 5. Assignment philosophy, operating style
    • Improved by proper design of the organizational structure
    • Lines of reporting can reinforce proper internal control

Board of directors
• Required by most publicly held corporations
  – Inside members – officers, employees
  – Outside members – non-employees who hold stock
• Governing authority of the corporation
• Responsible for establishing overall corporate policy
• Fiduciary duty to the organization and its shareholders
• Exercise reasonable care in the performance of duties
  – Informed about and conversant with pertinent information
  – Attend meetings
  – Analyze financial statements
• Owe a duty of loyalty
  – Prohibits dealing with the corporation unless full disclosure is made
  – Prohibits usurping a corporate opportunity without giving the entity the right of first refusal

Directors typically responsible for
• 1) Selecting and removing officers
• 2) Determining the capital structure
• 3) Adding, amending, or repealing bylaws
• 4) Initiating fundamental changes: M&A
• 5) Declaring dividends
• 6) Setting compensation of officers

Audit committee
• Subcommittee of the board of directors
• Helps keep external auditors independent of management
  – Assigned their selection, compensation, and oversight
• Required by many stock exchanges
• Crucial that it be composed of only outside directors
• Maintains the control environment by approving the charter of, and overseeing the work of, the internal audit activity
• Insulates external and internal auditors from influences that may compromise independence and objectivity

Importance of HR

Personnel
• Hiring standards
  – Emphasize education, past achievements, and evidence of integrity and ethics
  – Display commitment to employing competent, trustworthy people
• Training policies
  – Impart to employees
    • Knowledge of roles and responsibilities
    • Expectations about conduct and performance
• Competence
  – Knowledge and abilities necessary to complete the required tasks
• Promotions
  – Periodic performance appraisals reflect commitment to rewarding competence

Control Procedures: Internal control policies for safeguarding and assurance

Control activities
• Ensure management's directives are executed
• Include the requisite steps to respond to risks that threaten attainment of objectives
  – Suitably designed to prevent or detect unfavorable conditions
  – Operate effectively
• Types of control activities
  – Preventive
    • Locking the door
    • Separating duties
  – Detective
    • Petty cash count
    • Physical inventory count

Control procedures
• Manage or limit risk in accordance with the risk assessments
• Control areas
  – 1. Segregation of duties, basic functional responsibilities
  – 2. Independent checks, verification
  – 3. Safeguarding controls
  – 4. Prenumbered forms
  – 5. Specific document flow

Segregation of duties
• Assigning duties to different employees so that no employee acting alone can commit an error or conceal fraud
• Types of segregated functional responsibilities
  – Authority to execute transactions
  – Recording of transactions
  – Custody of assets affected by transactions
  – Periodic reconciliation of existing assets to recorded amounts

Segregation in three business cycles
• Purchase-payable cycle
  – Authority to execute the transaction is vested in the purchasing department
  – Recording the transaction is done by accounts payable
  – Custody of assets is vested in the warehouse
  – Periodic reconciliation of assets to records is performed by inventory control
• Sales-receivable cycle
  – Authority to execute the transaction is vested in the sales department
  – Recording the transaction is done by accounts receivable
  – Custody of assets is vested in the warehouse
  – Periodic reconciliation of assets to records is performed by G/L
• Payroll cycle
  – Authority to execute the transaction is vested in the HR department
  – Recording the transaction is done by the payroll department
    • The payroll department belongs to the finance department
    • If it belongs to the HR department, the HR hiring group and the HR payroll group should be separated
    • The HR hiring group is in charge of hiring, termination, and salary rates
  – Custody of assets is vested in the treasurer
  – Periodic reconciliation of assets to records is performed by G/L

Independent checks, verifications
• Reconciliation of recorded accountability with assets, performed by a part of the organization that is either
  – 1. Unconnected with the original transaction, or
  – 2. Without custody of the assets involved
• A comparison revealing assets that disagree with recorded accountability provides evidence of unrecorded or improperly recorded transactions
  – The converse is not necessarily true
• Frequency of comparisons depends on the nature and amount of the assets involved and the cost of comparison

Safeguarding controls
• Limit access to assets to authorized personnel
  – Direct physical access
  – Indirect access through preparing or processing documents that authorize use or disposition
• Examples
  – 1) Lockbox system
  – 2) Deposit of cash receipts
  – 3) Approval of credit memos
  – 4) Write-offs of uncollectible AR
  – 5) Prohibiting non-IT personnel from accessing computer operations

Sequentially prenumbered forms
• Basis for strong internal controls
• All hard copies can be accounted for
  – Ascertain the date, use, and person who filled out each form
• Missing documents can be flagged
• Detect unrecorded or unauthorized transactions during reconciliation
• Achievable in a paperless environment
• Additional procedures ensure personnel do not receive documents inappropriate to their duties

Specific document flow
• Prenumbered document flow
• Additional procedures ensure personnel do not receive documents inappropriate to their duties

Compensating controls
• Replace normal controls when those cannot feasibly be implemented
• Example: in the finance and investment cycle
  – Two or more people perform each function
  – Provide oversight
  – Periodic communications with the board
  – Oversight by a committee of the board
  – Internal audit's reconciliation of the securities portfolio with recorded information

Fraud
• Intentional
• Pressures and incentives to engage in wrongdoing, plus opportunity
• Examples
  – Fraudulent financial reporting
  – Misappropriation of assets
• Internal control is designed to prevent fraud
• Because of its concealment aspects, controls cannot give absolute assurance against it

Legal Aspects of Internal Control
• Implications of the Sarbanes-Oxley Act of 2002
• U.S. Foreign Corrupt Practices Act internal control requirements

Foreign Corrupt Practices Act
• Enacted 1977, with origins in the Watergate investigations
• Prevents secret payments of corporate funds for purposes that Congress has determined are contrary to public policy
• Amends the Securities Exchange Act of 1934
  – Prohibits a domestic concern from offering or authorizing corrupt payments to a foreign official, political party, party official, or candidate for foreign political office
• Only political payments to foreign officials are prohibited
• FCPA doesn't address business owners or corporate officers
• Corrupt payments are those made to induce the recipient to act or refrain from acting so that the domestic concern might obtain or retain business
• An offer or promise of a bribe is prohibited, even if not consummated
• Not prohibited if the recipient has no discretion in carrying out the governmental function
• Payments allowed under the written law of the foreign country are not prohibited

System of internal accounting control
• Public companies must make and keep books, records, and accounts in reasonable detail that accurately and fairly reflect transactions and the disposition of assets
• Provide reasonable assurance that
  – 1. Transactions are executed in accordance with management's general or specific authorization
  – 2. Transactions are recorded as necessary
  – 3. Access to assets is permitted only in accordance with management's general or specific authorization
  – 4. Recorded accountability for assets is compared with existing assets at reasonable intervals, and appropriate action is taken with respect to differences

Implications of the FCPA of 1977
• Extend beyond the anti-bribery provisions
• All American businesses and business people are involved
• Management is particularly affected
• Internal control responsibility is not new
• Potential for civil and criminal liabilities is an added burden

Written code of ethics
• A necessity
• Communicated to employees and monitored by internal auditors for compliance
• Might include an explanation of the FCPA and its penalties
• May require written representations from employees that they have read and understood its provisions

Sarbanes-Oxley Act of 2002
• Response to financial reporting scandals at large public companies
• Contains provisions that impose new responsibilities on public companies and their auditors
• Applies to issuers of publicly traded securities subject to federal securities law
• Requires each member of the audit committee, including at least one financial expert, to be an independent member of the issuer's board of directors
• An independent director is not affiliated with, and receives no compensation from, the issuer
• The audit committee is directly responsible for appointing, compensating, and overseeing the work of the public accounting firm employed by the issuer
  – The firm reports directly to the audit committee, not to management

Section 404
• Requires management to establish and document internal control procedures
  – Include a report on the company's internal control over financial reporting in the annual report

Internal control report
• 1. Statement of management's responsibility for internal control
• 2. Management's assessment of the effectiveness of internal control as of the end of the most recent fiscal year
• 3. Identification of the framework used to evaluate the effectiveness of internal control
• 4. Statement of whether significant changes in controls were made after the evaluation, including corrective actions
• 5. Statement that the external auditor issued an attestation report on management's assessment
  – Audit opinions expressed on
    • Internal control
    • Financial statements

External auditor
• Attests to and reports on management's assessment
• Evaluates whether the structure and procedures
  – 1. Include records that accurately and fairly reflect the firm's transactions
  – 2. Provide reasonable assurance that transactions are recorded so as to permit statements to be prepared in accordance with GAAP
• Report describes material weaknesses in internal control
• Evaluation is not the subject of a separate engagement; it is performed in conjunction with the audit of the financial statements

End

D.2. Internal Auditing
   a. Responsibility and authority of the internal audit function
   b. Types of audits conducted by internal auditors

The internal audit function
• Growth and complexity of organizations led to growth in the field
• The internal audit activity (IAA) is basic to governance
• Some stock exchanges require all listed companies to have an IAA
• Foreign Corrupt Practices Act requires
  – Detailed, accurate accounting records
  – A reasonably effective system of internal control
• The Institute of Internal Auditors (IIA)
  – Maintains professional standards for the practice worldwide
  – IIA definition of internal auditing
    • "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
• IIA's Standards
  – Guidance for the conduct of internal auditing
    • Organizational
    • Individual
• Practice Advisories
  – Concise, timely guidance
    • Code of ethics
    • Standards
    • Promoting good practices
• Organizationally independent
  – Attribute of the internal audit department as a whole
• Objective attitude
  – Attribute of the auditors themselves
• Chief executive officer (CEO) – Chief audit executive (CAE)
  • Unhindered access to the board of directors
• Charter
  – Purpose, authority, and responsibility of the IAA
  – IAA's position in the organization
    • Access to records, personnel, and physical properties
    • Defines the scope of activities

The scope of internal auditing
• Three principal functions
  – 1. Maintenance of the internal control system
  – 2. Improving the efficiency of operations
  – 3. Conduct of the audit of financial statements
• Internal audit specific tasks
  – Improvement of risk management and control systems
  – Adequacy and effectiveness of controls
  – Reliability and integrity of information
  – Effectiveness and efficiency of operations
  – Safeguarding of assets
  – Compliance
  – Adequate control criteria
  – Fraud
  – Coordination with the external auditor

Incidents
• Fraud
• Illegal acts
• Material weaknesses and significant deficiencies in internal control
• Significant penetrations of information security systems

Compliance auditing
• Assess compliance in specific areas
• Management response to regulatory body reviews

Operational auditing
• "The comprehensive review of the varied functions within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives"
• Thorough examination of a department, division, function, etc.
• Appraise managerial organization, performance, and techniques
• Whether organizational objectives have been achieved
  – Efficiency, effectiveness, economy
• Report → existence or absence of problems
• Basic tools
  – Financial analysis
  – Observation of departmental activities
  – Questionnaire interviews of departmental employees
• Extension of the financial audit
  – Reviewing purchasing policies
  – Appraising compliance with policies and procedures
  – Appraising safety standards and equipment maintenance
  – Reviewing production controls and scrap reporting
  – Reviewing the adequacy of facilities

Internal auditing procedures
• Inquiries
• Examine documentation
• Observe
• Reperform

END