2. Internal auditing

自成咨询
Section D. Internal Controls 15%
1. Risk assessment, controls, and risk management
a. Internal control structure and management philosophy
b. Internal control policies for safeguarding and assurance
c. Internal control risk
d. Implications of the Sarbanes-Oxley Act of 2002
e. U.S. Foreign Corrupt Practices Act internal control requirements
f. COSO Internal Control Framework
2. Internal auditing
a. Responsibility and authority of the internal audit functions
b. Types of audits conducted by internal auditors
Section D. Internal Controls 15%
3. Systems controls and security measures
a. General accounting system controls
b. Application and transaction controls
c. Network controls
d. Flowcharting to assess controls
e. Backup controls
f. Disaster recovery procedures
D.1. Risk assessment, controls, and risk management
a. Internal control structure and management philosophy
b. Internal control policies for safeguarding and assurance
c. Internal control risk
d. Implications of the Sarbanes-Oxley Act of 2002
e. U.S. Foreign Corrupt Practices Act internal control requirements
f. COSO Internal Control Framework
Risk and Control Environment
• a. Internal control structure and management philosophy
• c. Internal control risk
• f. COSO Internal Control Framework
Risks
• Unforeseen obstacles to pursuit of objectives
• Originate within/outside
• Examples
– Hacker breaking into university’s information systems
– CEO bribing member of Congress to introduce legislation
– Foreign government overthrown → assets in country expropriated
– Accounts payable clerk establishes fictitious vendors
– Spiking interest rates → long-term capital projects unprofitable
– New technology → premier products obsolete
– Government regulations reduced → new competitors
Risk assessment
• Identifying vulnerabilities (weak points) of organization
• Systems of internal control involve tradeoffs between cost, benefit
– No system 100% effective
– Risk can be mitigated, not eliminated
Risk management
• Designing, operating internal controls that mitigate identified risks
Risk
• Combination of
– Severity of consequences
– Likelihood of occurrence
• Expected value of loss due to risk exposure stated numerically
• Severity of consequences x Likelihood of occurrence

Event                                          Consequences                                        Likelihood
Minor penetration                              Annoyance                                           90%
Unauthorized viewing of internal databases     Public embarrassment, loss of customer confidence    8%
Unauthorized alteration of internal databases  PR crisis, customer defection                        2%
AICPA audit risk model
• Inherent risk (IR) – susceptibility of objectives to obstacles arising from nature of objective
• Control risk (CR) – controls will fail to prevent obstacle from interfering with objective achievement
• Detection risk (DR) – obstacle to objective will not be detected before loss occurs
• Total risk (TR) = IR x CR x DR
System of internal control
• Help manage risks
• SMA 2A, Management Accounting Glossary
– “The whole system of controls (financial and otherwise) established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets, and ensure as far as possible the completeness and accuracy of the records.”
System of internal control
• Proper design, operation is management’s responsibility
• Sarbanes-Oxley, Section 404 requires publicly traded companies to issue report stating
– Management takes responsibility for establishing, maintaining firm’s system of internal controls
– System has functioned effectively over reporting period
PCAOB Approach
• PCAOB
– Governed by SEC
– Issued Auditing Standards
• Requires
– Express an opinion on both internal control and fair presentation of financial report
Components of Internal control
Internal control - COSO Framework
• “Internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.”
Internal control - COSO Framework
• Objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
COSO Framework
(Diagram: five components – Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring)
• Control Environment factors
– 1. Organizational structure
– 2. Policies
– 3. Objectives, goals
– 4. Management philosophy, operating style
– 5. Assignment philosophy, operating style
COSO Framework
IC Framework
ERM Framework
Control environment
• Components
– 1. Organizational structure
– Lines of reporting, authority designed so incompatible duties not combined in same job function
– Independent checks on performance facilitated
Control environment
• Components
– 1. Organizational structure
– 2. Policies
• Stated principles require/guide/restrict action
• Promote conduct of authorized activities
• Provide satisfactory degree of assurance
• Procedures – detailed steps for carrying out
Control environment
• Components
– 1. Organizational structure
– 2. Policies
– 3. Objectives, goals
• Realistic, achievable goals that do not tempt management to cross ethical boundaries
Control environment
• Components
– 1. Organizational structure
– 2. Policies
– 3. Objectives, goals
– 4. Management philosophy, operating style
• Manifests in everyday actions
– Financial reporting
– Accounting estimates
– Selection of accounting principles
Control environment
• Components
– 1. Organizational structure
– 2. Policies
– 3. Objectives, goals
– 4. Management philosophy, operating style
• Integrity, ethical values affect all aspects of control
– Ethical behavior results from standards, way they’re transmitted, how they’re reinforced
Control environment
• Components
– 1.Organizational structure
– 2.Policies
– 3.Objectives, goals
– 4.Management philosophy, operating style
• Creates better risk management atmosphere
– Removing incentives for dishonest/illegal/unethical behavior
– Setting example in own behavior
Control environment
• Components
– 1. Organizational structure
– 2. Policies
– 3. Objectives, goals
– 4. Management philosophy, operating style
– 5. Assignment philosophy, operating style
• Improve by proper design of organizational structure
• Lines of reporting can reinforce proper internal control
Board of directors
• Required by most publicly held corporations
– Inside members – officers, employees
– Outside members – non-employees who hold stock
• Governing authority of corporation
• Responsible for establishing overall corporate policy
Board of directors
• Fiduciary duty (duty of trust) to organization, shareholders
• Exercise reasonable care in performance of duties
– Informed about, conversant (familiar) with pertinent (relevant) information
– Attend meetings
– Analyze financial statements
• Owe duty of loyalty
– Prohibits dealing with corporation unless full disclosure made
– Prohibits usurping corporate opportunity w/o giving entity right of first refusal
Directors typically responsible for
• 1) Select and remove officers
• 2) Determine the capital structure
• 3) Add, amend, or repeal bylaws
• 4) Initiate fundamental changes: M&A
• 5) Declare dividends
• 6) Set compensation of officers
Audit committee
• Subcommittee of board of directors
• Helps keep external auditors independent of management
– Assigned selection, compensation, oversight
• Required by many stock exchanges
• Crucial that composed of only outside directors
Audit committee
• Maintains control environment by approving charter, overseeing work of internal audit activity
• Insulates external, internal auditors from influences that may compromise independence, objectivity
Importance of HR
Personnel
• Hiring standards
– Emphasize education, past achievements, evidence of integrity, ethics
– Display commitment to employ competent, trustworthy people
Personnel
• Hiring standards
• Training policies
– Impart to employees
• Knowledge of roles, responsibilities
• Expectations about conduct, performance
Personnel
• Hiring standards
• Training policies
• Competence
– Knowledge, abilities necessary to complete required tasks
Personnel
• Hiring standards
• Training policies
• Competence
• Promotions
– Periodic performance appraisals reflect commitment to rewarding competence
Control Procedures
Internal control policies for safeguarding and assurance
Control activities
• Ensure management’s directives executed
• Include requisite steps to respond to risks that threaten attainment of objectives
– Suitably designed to prevent/detect unfavorable conditions
– Operate effectively
Control activities
• Types of control activities
– Preventive
• Locking the door
• Separating duties
– Detective
• Petty cash count
• Physical inventory count
Control procedures
• Manage/limit risk in accordance w/ risk assessments
• Control areas
– 1. Segregation of duties, basic functional responsibilities
– 2. Independent checks, verification
– 3. Safeguarding controls
– 4. Prenumbered forms
– 5. Specific document flow
Segregation of duties
• Assigning different employees to prevent employee acting alone from committing error/concealing fraud
• Types of segregated functional responsibilities
– Authorization of transactions
– Recording of transactions
– Custody of assets affected by transactions
– Periodic reconciliation of existing assets to recorded amounts
Segregation in three business cycles
• Purchase-payable cycle
– Authority to execute transaction is vested in purchasing department
– Recording the transaction is done by accounts payable
– Custody of assets is vested in warehouse
– Periodic reconciliation of assets to records is performed by inventory control
Segregation in three business cycles
• Sales-receivable cycle
– Authority to execute transaction is vested in sales department
– Recording the transaction is done by accounts receivable
– Custody of assets is vested in warehouse
– Periodic reconciliation of assets to records is performed by G/L
Segregation in three business cycles
• Payroll cycle
– Authority to execute transaction is vested in HR department
– Recording the transaction is done by payroll department
• Payroll department belongs to Financial department
• If it belongs to HR department, HR hiring group and HR payroll group should be separated
• HR hiring group is in charge of hiring, termination, and salary rates
– Custody of assets is vested in treasurer
– Periodic reconciliation of assets to records is performed by G/L
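As an added example (not from the slides or the course material they summarize), the Python script below turns the four segregated functional responsibilities and the three cycles above into a mechanical segregation-of-duties check over user-to-department assignments, the kind of review an internal auditor runs against an access-rights export. The department identifiers, user names and assignments are constructed for illustration; only the cycle-to-function mapping follows the slides.

```python
"""Segregation-of-duties (SoD) conflict check over user-to-department assignments.

Added example: the cycle/department mapping follows the three cycles on the
slides; the department identifiers and the sample assignments are constructed.
"""
from collections import defaultdict
from itertools import combinations

# The four functional responsibilities that must not be combined in one person.
AUTHORIZE, RECORD, CUSTODY, RECONCILE = "authorize", "record", "custody", "reconcile"

# Which department performs which function in each cycle (per the slides).
# Department keys are constructed identifiers, not a real org chart.
CYCLE_FUNCTIONS = {
    "purchase-payable": {
        "purchasing": AUTHORIZE,
        "accounts_payable": RECORD,
        "warehouse": CUSTODY,
        "inventory_control": RECONCILE,
    },
    "sales-receivable": {
        "sales": AUTHORIZE,
        "accounts_receivable": RECORD,
        "warehouse": CUSTODY,
        "general_ledger": RECONCILE,
    },
    "payroll": {
        "hr_hiring": AUTHORIZE,       # hiring, termination, salary rates
        "payroll_dept": RECORD,
        "treasurer": CUSTODY,
        "general_ledger": RECONCILE,
    },
}

# Constructed sample: (user, department) memberships, as exported from an access system.
SAMPLE_ASSIGNMENTS = [
    ("alice", "purchasing"),
    ("alice", "accounts_payable"),     # authorizes and records purchases: conflict
    ("bob", "warehouse"),              # custody only, in two cycles: no conflict
    ("carol", "hr_hiring"),
    ("carol", "payroll_dept"),         # sets salary rates and records payroll: conflict
    ("dave", "sales"),
    ("dave", "general_ledger"),        # authorizes sales and reconciles: conflict
    ("erin", "accounts_receivable"),
]


def functions_held(assignments):
    """Map user -> cycle -> set of functions implied by the user's departments."""
    held = defaultdict(lambda: defaultdict(set))
    for user, dept in assignments:
        for cycle, dept_map in CYCLE_FUNCTIONS.items():
            if dept in dept_map:
                held[user][cycle].add(dept_map[dept])
    return held


def find_sod_conflicts(assignments):
    """Return sorted (user, cycle, function_a, function_b) tuples for every pair of
    incompatible functions that one person holds within the same cycle."""
    conflicts = []
    for user, cycles in functions_held(assignments).items():
        for cycle, funcs in cycles.items():
            for a, b in combinations(sorted(funcs), 2):
                conflicts.append((user, cycle, a, b))
    return sorted(conflicts)


if __name__ == "__main__":
    for user, cycle, a, b in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds {a} and {b} in the {cycle} cycle")
```

The check is per cycle: a department such as the warehouse or G/L that appears in two cycles only produces a finding when the same person also holds a second function in that same cycle. Each finding is a control gap to resolve by reassigning the function or, where the staff are not available to split it, by applying the compensating controls described later in the deck.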
Independent checks, verifications
• Reconciliation of recorded accountability w/ assets performed by part of organization either
– 1. Unconnected w/ original transaction
– 2. Without custody of assets involved
Independent checks, verifications
• Comparison revealing assets disagreeing w/ recorded accountability provides evidence of unrecorded/improperly recorded transactions
– Converse not necessarily true
• Frequency of comparisons depends on nature, amount of assets involved, cost of comparison
Safeguarding controls
• Limit access to assets to authorized personnel
– Direct physical access
– Indirect access through preparing/processing documents authorizing use/disposition
Safeguarding controls
• Examples:
– 1) Lockbox system
– 2) Deposit cash receipts
– 3) Approval of credit memos
– 4) Write-offs of uncollectible AR
– 5) Prohibit non-IT personnel from accessing computer operations
Sequentially prenumbered forms
• Basis for strong internal controls
• All hardcopies can be accounted for
– Ascertain date, use, person who filled out
• Missing documents can be flagged
• Detect unrecorded, unauthorized transactions during reconciliation
• Achievable in paperless environment
• Additional procedures ensure personnel do not receive documents inappropriate to duties
Specific document flow
• Pre-numbered document flow
• Additional procedures ensure personnel do not receive documents inappropriate to duties
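The reconciliation that prenumbered forms and a controlled document flow make possible, as an added Python example that is not part of the slides: every number in the issued range must be accounted for (including voided copies), a number that appears twice or lies outside the issued stock is a candidate unrecorded or unauthorized document, and a form prepared by someone outside the authorized group is a document-flow exception. The register layout, the issued range, the preparer list and the sample entries are all constructed.

```python
"""Sequence reconciliation for sequentially prenumbered documents.

Added example, not from the slides. The register layout
(number, date, prepared_by, use, status), the issued range, the set of
authorized preparers and the sample entries are constructed.
"""
from collections import Counter

# Constructed register of cheque requisitions issued as numbers 1001..1010.
# A "void" entry still accounts for its number: the spoiled copy must be on file.
FIRST, LAST = 1001, 1010
AUTHORIZED_PREPARERS = {"j.chen", "m.ortiz", "p.shah"}   # constructed document-flow rule
SAMPLE_REGISTER = [
    (1001, "2024-03-01", "j.chen", "vendor payment", "used"),
    (1002, "2024-03-01", "j.chen", "vendor payment", "used"),
    (1003, "2024-03-02", "m.ortiz", "spoiled in printer", "void"),
    (1004, "2024-03-02", "m.ortiz", "vendor payment", "used"),
    (1004, "2024-03-05", "p.shah", "vendor payment", "used"),     # number reused
    (1006, "2024-03-03", "j.chen", "refund", "used"),
    (1007, "2024-03-03", "j.chen", "vendor payment", "used"),
    (1008, "2024-03-04", "m.ortiz", "vendor payment", "used"),
    (1009, "2024-03-04", "t.unknown", "vendor payment", "used"),  # preparer not authorized
    (1010, "2024-03-04", "p.shah", "vendor payment", "used"),
    (1015, "2024-03-05", "p.shah", "vendor payment", "used"),     # never issued
]


def reconcile_sequence(register, first, last):
    """Compare the document numbers seen in the register with the issued range.

    Returns a dict with:
      missing      - issued numbers with no copy on file (used or void)
      duplicates   - numbers that appear more than once
      out_of_range - numbers outside first..last, i.e. not from the issued stock
    """
    counts = Counter(entry[0] for entry in register)
    return {
        "missing": [n for n in range(first, last + 1) if n not in counts],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if n < first or n > last),
    }


def follow_up_items(register, first, last, authorized):
    """Return every register entry a reviewer must follow up: its number is
    duplicated or out of range, or it was prepared by someone not in `authorized`.
    Each entry keeps date, preparer and use, so the reviewer knows whom to ask."""
    result = reconcile_sequence(register, first, last)
    suspect_numbers = set(result["duplicates"]) | set(result["out_of_range"])
    return [
        entry for entry in register
        if entry[0] in suspect_numbers or entry[2] not in authorized
    ]


if __name__ == "__main__":
    report = reconcile_sequence(SAMPLE_REGISTER, FIRST, LAST)
    print("missing:", report["missing"])
    print("duplicates:", report["duplicates"])
    print("out of range:", report["out_of_range"])
    for number, date, who, use, status in follow_up_items(
        SAMPLE_REGISTER, FIRST, LAST, AUTHORIZED_PREPARERS
    ):
        print(f"follow up #{number}: {date} {who} ({use}, {status})")
```

Missing numbers are a finding even when no transaction was posted, because the unaccounted form could have been used outside the books; the same logic applies unchanged to electronic document numbers, which is what the slide means by "achievable in paperless environment".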
Compensating controls
• Replace normal controls when cannot be feasibly implemented
• Ex.: In finance, investment cycle
– 2+ people perform each function
– Provide oversight
– Periodic communications with board
– Oversight by committee of board
– Internal audit’s reconciliation of securities portfolio w/ recorded information
Fraud
• Intentional
• Pressures, incentives to engage in wrongdoing, opportunity
• Examples
– Fraudulent financial reporting
– Misappropriation of assets
• Internal control designed to prevent
• Concealment aspects → controls cannot give absolute assurance against
Legal Aspects of Internal Control
• Implications of the Sarbanes-Oxley Act of 2002
• U.S. Foreign Corrupt Practices Act internal control requirements
Foreign Corrupt Practices Act
• Enacted 1977 with origins in Watergate investigations
• Prevent secret payments of corporate funds for purposes that Congress has determined contrary to public policy
• Amends Securities Exchange Act of 1934
– Prohibits domestic concern from offering/authorizing corrupt payments to foreign official/political party/official/candidate for foreign political office
• Only political payments to foreign officials prohibited
• FCPA doesn’t address business owners/corporate officers
Foreign Corrupt Practices Act
• Corrupt payments are for inducing recipient to act/refrain from acting so domestic concern might obtain/retain business
• Offer/promise of bribe prohibited, even if not consummated
• Not prohibited if recipient has no discretion in carrying out governmental function
• Payments allowed under written law of foreign country not prohibited
System of internal accounting control
• Public companies must make, keep books, records, accounts in reasonable detail that accurately, fairly reflect transactions, disposition of assets
• Provide reasonable assurance
– 1. Transactions executed in accordance w/ management’s general/specific authorization
– 2. Transactions recorded as necessary
– 3. Access to assets permitted only in accordance w/ management’s general/specific authorization
– 4. Recorded accountability for assets compared with existing assets at reasonable intervals, appropriate action taken w/ respect to differences
Implications of FCPA of 1977
• Extend beyond anti-bribery provisions
• All American businesses, business people involved
• Management particularly affected
• Internal control responsibility not new
• Potential for civil, criminal liabilities added burden
Written code of ethics
• Necessity
• Communicated, monitored by internal auditors for compliance
• Might include explanation of FCPA, its penalties
• May require written representations from employees that they have read, understood provisions
Sarbanes-Oxley Act of 2002
• Response to financial reporting scandals of large public companies
• Contains provisions that impose new responsibilities on public companies, their auditors
• Applies to issuers of publicly traded securities subject to federal securities law
Sarbanes-Oxley Act of 2002
• Requires each member of audit committee, including at least one financial expert, be independent member of issuer’s board of directors
• Independent director is not affiliated with, receives no compensation from issuer
• Audit committee directly responsible for appointing, compensating, overseeing work of public accounting firm employed by issuer
– Reports directly to audit committee, not to management
Section 404
• Requires management to establish, document internal control procedures
– Include report on company’s internal control over financial reporting in annual report
Internal control report
• 1. Statement of management’s responsibility for internal control
• 2. Management’s assessment of effectiveness of internal control as of end of most recent fiscal year
• 3. Identification of framework evaluating effectiveness of internal control
• 4. Statement whether significant changes in controls were made after evaluation, including corrective actions
• 5. Statement that external auditor issued attestation report on management’s assessment
– Audit opinions expressed
• Internal control
• Financial statements
External auditor
• Attests to, reports on management’s assessment
• Evaluates whether structure, procedures
– 1. Include records accurately, fairly reflecting firm’s transactions
– 2. Provide reasonable assurance transactions recorded to permit statements to be prepared in accordance w/ GAAP
• Report describes material weaknesses in internal control
• Evaluation not subject of separate engagement, in conjunction w/ audit of financial statements
End
D.2. Internal Auditing
a. Responsibility and authority of the internal audit function
b. Types of audits conducted by internal auditors
The Internal audit function
• Growth, complexity led to growth in field
• Internal audit activity (IAA) basic to governance
• Some stock exchanges require all companies to have IAA
• Foreign Corrupt Practices Act
– Detailed, accurate accounting records
– Reasonably effective system of internal control
The internal audit function
• The Institute of Internal Auditors (IIA)
– Maintains professional standards for the practice worldwide
– IIA definition of internal auditing
• “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The internal audit function
• IIA’s Standards
– Guidance for the conduct of internal auditing
• Organizational
• Individual
• Practice Advisories
– Concise, timely guidance
• Code of ethics
• Standards
• Promoting good practices
The internal audit function
• Organizationally independent
– Attribute of internal audit department as whole
• Objective attitude
– Attribute of auditors themselves
The internal audit function
• Chief executive officer (CEO)
– Chief audit executive (CAE)
• Unhindered access to board of directors
The internal audit function
• Charter
– Purpose, authority, responsibility of IAA
– IAA’s position
• Access to records, personnel, physical properties
• Define scope of activities
The scope of internal auditing
• Three principal functions
– 1.Maintenance of internal control system
– 2.Improving efficiency of operations
– 3.Conduct of audit of financial statements
The scope of internal auditing
• Internal audit specific tasks
– Improvement of risk management, control
systems
– Adequacy, effectiveness of controls
– Reliability, integrity
– Effectiveness, efficiency
– Safeguarding of assets
– Compliance
– Adequate control criteria
– Fraud
– External auditor
Incidents
• Fraud
• Illegal acts
• Material weaknesses, significant deficiencies in internal control
• Significant penetrations of information security systems
Compliance auditing
• Assess compliance in specific areas
• Management response to regulatory body reviews
Operational auditing
• “The comprehensive review of the varied functions within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives”
Operational auditing
• Thorough examination of department, division, function, etc.
• Appraise managerial organization, performance, techniques
• Organizational objectives have been achieved
– Efficiency, effectiveness, economy
• Report → existence/absence of problems
Operational auditing
• Basic tools
– Financial analysis
– Observation of departmental activities
– Questionnaire interviews of departmental employees
Operational auditing
• Extension of financial audit
– Reviewing purchasing policies
– Appraising compliance with policies, procedures
– Appraising safety standards, equipment maintenance
– Reviewing production controls, scrap reporting
– Reviewing facilities’ adequacy
Internal auditing procedures
• Inquiries
• Examine documentation
• Observe
• Reperform
END