Ethics, Fraud and Internal Control


Transcript of Ethics, Fraud and Internal Control

Page 1: Ethics, Fraud and Internal Control

Chapter 3 Ethics, Fraud, and Internal Control - Internal Control Concepts and Techniques

Internal Control System
- Policies, practices and procedures employed by the organization to achieve the 4 broad objectives

Internal Control Objectives
1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting records and information
3. Promote efficiency of the firm’s operations
4. Measure compliance with management’s prescribed policies and procedures

Modifying Assumptions
• Management Responsibility
  • The establishment and maintenance of a system of internal control is the responsibility of management.
• Reasonable Assurance
  • The cost of achieving the objectives of internal control should not outweigh its benefits.
• Methods of Data Processing
  • The techniques of achieving the objectives will vary with different types of technology.
• Limitations
  • Possibility of errors - no system is perfect
  • Circumvention via collusion - personnel may circumvent (manage to get around) the system through collusion (secret agreement or cooperation especially for an illegal or deceitful purpose)
  • Management override - management is in a position to override control procedures by personally distorting transactions or directing a subordinate to do so.
  • Changing conditions - conditions may change over time, making existing controls ineffectual (not producing the proper effect)

Exposure
- Absence or weakness of a control
- Undesirable events:
  1. Unauthorized access to the firm’s assets
  2. Fraud by persons inside and outside the firm
  3. Errors due to employee incompetence
  4. Faulty computer programs and corrupted input data
  5. Mischievous acts – hackers and viruses
- Risks involved:
  1. Destruction of an asset
  2. Theft of an asset
  3. Corruption of information
  4. Disruption of the information system

Preventive, Detective, and Corrective Internal Control Model
- Offered little practical guidance for designing specific controls
- Three levels of control: Preventive, Detective and Corrective control
- Preventive Control
  1. First line of defense
  2. Passive techniques designed to reduce the frequency of occurrence of undesirable events
  3. An ounce of prevention is certainly worth a pound of cure.
  4. More cost-effective than detecting and correcting problems after they occur.
  5. Example: well-designed source document
- Detective Control
  1. Second line of defense
  2. Devices, techniques and procedures designed to identify and expose undesirable events that elude preventive controls
  3. Comparing actual occurrence to pre-established standards.
  4. This is where the problem is identified
- Corrective Control
  1. Actions taken to reverse the effects of errors detected in the previous step
  2. This is where the problem is fixed
  3. There might be more than one feasible corrective action.

Sarbanes-Oxley Act/Legislation
- 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House), more commonly called Sarbanes–Oxley, Sarbox or SOX
- Is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms.
- Top management must now individually certify the accuracy of financial information.
- Penalties for fraudulent financial activity are much more severe.
- Increased the independence of the outside auditors who review the accuracy of corporate financial statements, and increased the oversight role of boards of directors.
- The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law.
- Requires management of public companies to implement an adequate system of internal control over their financial reporting process (controls over the transaction processing system).
- Requires that corporate management certify their organization’s internal controls on a quarterly and annual basis (Section 302).
- Requires management of public companies to assess the effectiveness of their organization’s internal control, providing an annual report of the following points (Section 404):
  1. Statement of management’s responsibility (establishing and maintaining internal control)
  2. Assessment of the effectiveness of the company’s internal control over financial reporting
  3. Statement of organization’s external auditors of the assessment of the company’s internal control
  4. Explicit written conclusion of the effectiveness of the internal control
  5. Statement identifying the frameworks used in their assessment

Statement on Auditing Standards (SAS) No. 78
- Current authoritative document for specifying internal control objectives and techniques
- Based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (management tool rather than an audit tool)
- Developed for auditors and describes the complex relationship between firm’s internal control, auditor’s assessment of risk and planning of audit procedures.

SAS 78/COSO FRAMEWORK
- Five components:

1. Control Environment
  - Sets the tone for the organization and influences the control awareness of its management and employees
  - Important elements:
    - Integrity and ethics of management
    - Organizational structure
    - Role of the board of directors and the audit committee (responsible for selecting and engaging an independent auditor, for ensuring that an annual audit is conducted, for reviewing the audit report and ensuring that deficiencies are addressed)
    - Management’s policies and philosophy
    - Delegation of responsibility and authority
    - Performance evaluation measures
    - External influences—regulatory agencies
    - Policies and practices managing human resources
  - SAS 78/COSO requires auditors to obtain sufficient knowledge to assess the attitude and awareness of the organization’s management, board of directors, and owners regarding internal control

2. Risk Assessment
  - Identify, analyze and manage risks relevant to financial reporting:
    - changes in external environment
    - risky foreign markets
    - significant and rapid growth that strains internal controls
    - new product lines
    - restructuring, downsizing
    - changes in accounting policies
  - SAS 78/COSO requires auditors to obtain knowledge about the risk assessment procedures to understand how management identifies, prioritizes, and manages the risks related to financial reporting

3. Information and Communication
  - The quality of information impacts management’s ability to take action and make decisions.
  - An effective AIS will:
    - identify and record all valid transactions
    - provide timely information in appropriate detail (to permit proper classification and financial reporting)
    - accurately measure the financial value of transactions (so their effects can be recorded in financial statements)
    - accurately record transactions in the time period in which they occurred
  - Auditors must obtain sufficient knowledge of the IS to understand:
    - the classes of transactions that are material (and how they are initiated)
    - the associated accounting records and accounts used in processing material transactions
    - the transaction processing steps involved (initiation to its conclusion in the financial statements)
    - the financial reporting process used (preparation of financial statements, disclosures and accounting estimates)

4. Monitoring

  - The process for assessing the quality of internal control design and operation
  - SEPARATE PROCEDURES —test of controls by internal auditors then make specific recommendations for improvement
  - ONGOING MONITORING:
    - computer modules integrated into routine operations
      o maintain constant surveillance over functioning of internal controls
    - management reports which highlight trends and exceptions from normal performance
      o timely reports allow managers in functional areas to oversee and control their operations

5. Control Activities
  - Policies and procedures to ensure that the appropriate actions are taken in response to identified risks
  - Fall into two distinct categories:
    - IT CONTROLS—relate specifically to the computer environment
      o General controls—pertain to the entity-wide computer environment
        - E.g. control over the data center, organization database, systems development, and program maintenance
      o Application controls—ensure the integrity of specific systems, i.e. sales order processing, accounts payable, and payroll applications
    - PHYSICAL CONTROLS
      o primarily pertain to human activities
      o purely manual
        - physical custody of assets, physical use of computers to record transactions and update accounts
      o do not relate to computer logic; rather, they relate to the human activities that trigger and utilize the results of those tasks.

      o Categories of Physical Control:
        1. Transaction Authorization
          o used to ensure that employees are carrying out only (valid) authorized transactions
            1. general (everyday procedures) - programmed procedure
            2. specific (non-routine transactions) authorizations - case-by-case decisions, such as extending the credit balance of the customer for specific reasons

        2. Segregation of Duties (most important)
          o authorizing and processing a transaction
          o custody and recordkeeping of the asset subtasks
          o three objectives:
            1. Segregation of duties should be such that authorization for a transaction is separate from processing the transaction
            2. Responsibility for the custody of assets should be separate from record-keeping responsibility. Assets can be stolen or lost and the accounting records falsified to hide the event
            3. The organization should be structured so that successful fraud requires collusion between two or more individuals with incompatible responsibilities.
          o Journals, subsidiary ledgers, and the general ledger are maintained separately

        3. Supervision
          o a compensation for the absence of segregation control. It is often called compensating control
        4. Accounting Records
          o provide an audit trail of economic events (journals, source documents and ledgers)
          o two reasons why organizations maintain an audit trail:
            1. Needed for conducting day-to-day operations. Helps employees respond to customer inquiries by showing the current status of transactions in process.
            2. It plays an essential role in the financial audit of the firm. Enables external & internal auditors to verify selected transactions (tracing)

        5. Access Controls
          o Ensure only authorized personnel have access to the firm’s assets
          o help to safeguard assets by restricting physical access to them
        6. Independent Verification
          o reviewing batch totals or reconciling subsidiary accounts with control accounts
          o Verification Procedures - Independent checks of the accounting system to identify errors and misrepresentations