
Chapter 8-1

Introduction to Internal Control Systems

Chapter 8

Introduction
Internal Control Systems
  Definition
  Framework
Preventive, Detective, and Corrective Controls
Control Activities within an Internal Control System
Cost-Benefit Concept for Developing Controls

Introduction
An organization's financial resources can be protected from loss, waste, or theft by
developing an internal control system
implementing it within its AIS
An internal control system
ensures reliable data processing
promotes operational efficiency

Internal Control
An internal control system consists of
various methods

designed and implemented

several measures

planned and executed



Internal Control
It aims to achieve four main objectives:
to safeguard assets
to check the accuracy and reliability of accounting data
to promote operational efficiency
to encourage adherence to prescribed managerial policies

Internal Control
Describes the policies, plans, and procedures implemented by a firm to protect its assets.

People involved include:
board of directors
management
other personnel

Provides reasonable assurance of:
effectiveness and efficiency,
reliability of financial reporting, and
compliance with applicable laws and regulations

Objectives of the Internal Control Structure


The objectives of the Control Structure are:
Safeguarding assets
Checking the accuracy and reliability of accounting data
Promoting operational efficiency
Encouraging adherence to prescribed managerial policies

Background Information on Internal Controls


The key laws, professional guidance, and reports that focus on internal controls are:
Foreign Corrupt Practices Act 1977
Treadway Commission Report 1977
SAS No. 55 1988
Committee of Sponsoring Organizations (COSO) Report 1992
SAS No. 78 1995
Control Objectives for Business and IT (COBIT) 1995
International Federation for Information Processing 2001

Background Information on Internal Controls


SAS No. 94 2001
Sarbanes-Oxley Act, Section 404 2002
Committee of Sponsoring Organizations (COSO) Report 2004
CobiT, Version 4.0 2005

Foreign Corrupt Practices Act


The 1977 Foreign Corrupt Practices Act (FCPA)
makes it illegal for publicly owned corporations to bribe foreign officials
makes board members and managers personally liable if illegal payments are made
only applies to publicly owned corporations

Provisions of the Foreign Corrupt Practices Act


The FCPA requires that
publicly held companies

design and implement a system of control procedures

The control system must provide assurance that:


assets are accounted for appropriately
transactions are in conformity to GAAP
access to assets is properly controlled
periodic comparisons of existing assets to the accounting records are made

Background of Internal Controls


The Treadway Commission Report recommended:

a common definition for internal control
guidance for judging the effectiveness of internal control
methods to improve internal control

Background of Internal Controls


Results of the Committee of Sponsoring Organizations (COSO) in 1992
defines internal control and describes its components
presents criteria to evaluate internal control systems
provides guidance for public reporting on internal controls
offers materials to evaluate an internal control system

Background of Internal Controls


The International Federation for Information Processing's 2001 sponsored conference, Integrity and Internal Control in Information Systems (ISACF), encouraged IT and internal control specialists
to work together to develop reliable systems
which would enable managers to have more confidence in the integrity of their information systems and the data generated from those systems

Components of Internal Control According to the 1992 COSO Report


Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

The Control Environment


The Control Environment
establishes the tone of a company,
influences the control awareness of the employees.

Factors included within the control environment are:

Integrity, ethical values and competence of employees
Management philosophy and operating style
Assignment of authority and responsibility
The attention and direction provided by the board of directors

Risk Assessment
Risk assessment involves
recognition that every organization faces risks to its success
recognition that the sources are internal and external
identification, analysis and action to achieve the company's goals
use of cost-benefit analysis

Control Activities
Control activities:

are the policies and procedures that ensure

management directives are carried out,
protection of the assets of the firm

include a combination of

manual controls
automated controls.

Control Activities
Can be categorized as
approvals
authorizations
verifications
reconciliations
reviews of operating performance
segregation of duties

Information and Communication


Management's responsibility is to make sure the accounting system
collects
measures
processes
communicates
to individuals inside and outside the firm

Information and Communication


Communication helps personnel understand their roles and responsibilities regarding internal control through the use of:

policies and procedures manuals
training sessions for new employees
refresher training for continuing employees

Monitoring
Monitoring
is the process that assesses the quality of internal control performance over time
involves evaluating the design and operation of controls on a timely basis,
initiating corrective action when specific controls are not functioning properly.

2004 COSO Enterprise Risk Management Framework

[Figure: COSO Enterprise Risk Management cube. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Entity levels: Subsidiary, Business Unit, Division.]

2004 Framework added elements to 1992 COSO


Objective setting
Event identification
Risk response

Objective Setting

An enterprise's objectives are viewed from these four perspectives:
Strategic: high-level goals and mission
Operations: day-to-day goals
Reporting: internal and external
Compliance: with laws and regulations

Event Identification and Risk Response


Identify threats
Analyze the risks
Implement cost-effective countermeasures

Control Procedures Analysis


Control Procedures can be classified as
Preventive Controls

to prevent some potential problem from occurring when an activity is performed

Detective Controls

alert us when preventive controls have failed


Corrective Controls

to remedy problems discovered through detective controls

Interrelationship of Preventive and Detective Controls


Preventive and detective control procedures
should not be treated as mutually exclusive.
are interrelated

Control Activities
Within an Internal Control System are the following features:
a good audit trail
sound personnel policies and competent employees
separation of duties
physical protection of assets
internal reviews of controls by internal audit subsystem
timely performance reports

Good Audit Trail


An audit trail enables auditors and accountants
to follow the transaction data from the initial source documents to the final disposition in a financial report and vice-versa
to detect errors and irregularities in the processing data

Sound Personnel Policies


Examples of sound personnel policies are:
Specific hiring procedures
Training programs
Good supervision
Fair and equitable guidelines for employees' salary increases

Sound Personnel Policies


Rotation of certain key employees in different jobs
Enforced vacations
Insurance coverage on those employees who handle liquid assets
Regular performance reviews

Separation of Duties
Segregating activities and responsibilities of employees allows different people to perform various tasks of a specific transaction.
The main functions that should be kept separate are
custody of assets
recording transactions
authorizing transactions

Physical Protection of Assets


Protection of assets is
keeping a company's assets in a safe physical location
minimizing the risk of damage to the assets or
avoiding theft by employees or outsiders

Physical Protection of Assets


Examples of accounting control procedures:
a voucher system protects against unauthorized cash disbursements.
a petty cash fund is used for small expenditures where writing a check would be inefficient.
cash receipts deposited intact each day

Internal Reviews of Controls


Internal auditors
report to high-level management or to the board of directors in order to remain independent and objective as a separate subsystem
perform periodic reviews on each department to evaluate their efficiency and effectiveness
make recommendations of ways cost of control procedures can be reduced

Timely Performance Reports


Performance reports provide information to management on

efficiency of the internal controls and
effectiveness of the internal controls

These reports should provide timely feedback to management on
the success of the internal controls or
failure of the internal controls

Cost-Benefit Concept for Developing Controls


A cost-benefit analysis
should be conducted to make sure that the benefits of planned controls exceed the cost of implementing them in the system
controls are considered cost-effective when their anticipated benefits exceed their anticipated costs
an ideal control is a control procedure that reduces to practically zero the risk of an undetected error or irregularity.

Cost Benefit Analysis


The benefits of additional control procedures
result from risk of loss reductions.
should include a measure of loss:
the exposure (potential loss associated with a control problem) and
risk (probability that the control problem will occur).
are calculated as
Expected loss = risk × exposure

Copyright
Copyright 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
