Chapter 4 Transaction Processing and the Internal Control

Chapter 4 Transaction Processing and the Internal Control Process This organization looks like it has weak internal controls.

Presentation Outline I. Business Exposures II. Fraud and White-Collar Crime III. The Internal Control Process IV. The Sarbanes-Oxley Act of 2002 V. Classifying Transaction Processing Controls VI. Analysis of Internal Control Processes

I. Business Exposures A. The Meaning of Exposure B. Examples of Common Business Exposures

A. The Meaning of Exposure Potential Financial Effect of Event x = Exposure Probability of Occurrence (Risk)

B 1. Common Business Exposures Deficient revenues due to decreases in earnings resulting from things like excessive bad debts, incorrect billing, and returns from unhappy customers.

B 2. Common Business Exposures Loss of assets due to theft, acts of violence, or natural disaster

B 3. Common Business Exposures Inaccurate accounting causes decisions to be made using inaccurate information.

B 4. Common Business Exposures Business interruption from things like acts of violence and natural disaster can damage or destroy a business.

B 5. Common Business Exposures Statutory sanctions interrupting business due to regulatory agency penalties.

B 6. Common Business Exposures Competitive disadvantage resulting from ineffective management decisions.

B 7. Common Business Exposures Fraud (perverting truth to obtain something of value) and embezzlement (fraudulent appropriation of assets for one’s own use).

II. Fraud and White-Collar Crime A. Three Types of White Collar Crime B. Fraudulent Financial Reporting C. Corporate Crime D. Certified Fraud Examiners E. KPMG Survey

A. Three Types of White-Collar Crime White-collar crime occurs when assets are deceitfully diverted from proper use or deceitfully misrepresented by an act or series of acts that are nonviolent in nature. v Employee theft – involves diversion of assets by an employee for personal gain. v Employee-outsider theft – involves diversion of assets by an employee in collusion with an outsider for personal gain. v Management fraud – concerns diversion of assets or misrepresentation of assets by management.

B. Fraudulent Financial Reporting White-collar crime may result in fraudulent financial reporting. This is intentional or reckless conduct, whether by purposeful act or by omission, that results in materially misstated financial statements.

C. Corporate Crime Corporate crime is whitecollar crime that benefits a company or organization rather than the individuals who perpetrate the fraud. Such individuals may benefit indirectly.

D. Certified Fraud Examiners Forensic accounting is a term used to describe the activities of persons who are concerned with preventing and detecting fraud. The National Association of Certified Fraud Examiners (NACFE) is a professional organization that provides bona fide qualifications for certified fraud examiners (CFEs) through the administration of the Uniform CFE examination.

E. KPMG Survey The survey results … KPMG surveyed the 2, 000 largest companies in the United States. Fifty-nine percent cited internal control as the most frequent reason that frauds were discovered. Fifty-six percent stated that poor internal controls were the most frequent reason that fraud occurred.

III. The Internal Control Process Internal controls keep a close eye on employee activities when management can’t. This helps employees stay honest. A. Purpose of Internal Control B. Two Premises of Internal Control C. The Foreign Corrupt Practices Act of 1977 D. Elements of Internal Control

A. Purpose of Internal Control Don’t go astray! Internal control is designed to provide reasonable assurance regarding: Reliability of financial reporting. Effectiveness and efficiency of operations. Compliance with laws and regulations.

B. Two Premises of Internal Control Responsibility – Management and the board of directors are responsible for establishing and maintaining the internal control process. Reasonable assurance – A control should not cost more than the potential benefit of the control.

C. The Foreign Corrupt Practices Act (FCPA) of 1977 The FCPA requires that all organizations subject to the Securities Act of 1934: Keep an adequate system of records. Devise and maintain an appropriate system of internal accounting controls.

D. Elements of Internal Control environment – Overall values and integrity of organization. Risk assessment – Identification and evaluation of risks. Control activities – Activities undertaken to reduce probability of loss due to significant risks. Information and communication – Communicating information about the control environment and control activities. Monitoring – Keeping watch over and changing internal controls so that they function effectively and efficiently.

IV. The Sarbanes-Oxley Act of 2002 A. Creation of the Public Company Accounting Oversight Board (PCAOB) B. Restrictions on Nonaudit Services C. Role of the Audit Committee D. Corporate Responsibility for Financial Reports E. Management Assessment of Internal Controls Note: This Act currently applies to only publicly-traded companies.

A. Creation of the PCAOB 1. Created to oversee the auditing of public companies. 2. The SEC will have “oversight and enforcement authority over the Board. ” No rule of the Board shall become effective without prior approval of the commission. (Sec. 107) 3. The Board will: 1. register public accounting firms, 2. establish the standards for the audit of public companies, 3. conduct inspections of public accounting firms, investigations and disciplinary hearings and have the power to impose sanctions. (Sec. 101)

B. Restrictions on Nonaudit Services Public company auditors may not also provide the following services to their audit clients: ü Bookkeeping ü Financial information systems design and implementation ü Appraisal or valuation services ü Actuarial services ü Internal audit outsourcing ü Management or human resource services ü Broker or dealer ü Legal and expert services unrelated to audit ü Other services determined by the PCAOB

C. Role of the Audit Committee Public companies must maintain an independent audit committee composed of members of the board of directors who receive no compensation from the company except for services on the board.

D. Corporate Responsibility for Financial Reports The CEO and CFO must prepare a statement to accompany the audit report. This statement certifies to the fairness of the presentation of the financial statements and accompanying disclosures.

E. Management Assessment of Internal Controls The Sarbanes-Oxley Act requires the annual report to contain an internal control report that: states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and contains an assessment, as of the end of the company’s fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial reporting. Note: The external auditor must attest to and report on the above assessment as a part of the audit process.

V. Classifying Transaction Processing Controls A. General and Application Controls B. Preventive, Detective, and Corrective Controls

A. General and Application Controls General controls affect all processing transactions. Application controls are specific to individual applications. They include input, processing, and output controls.

B. Preventive, Detective, and Corrective Controls Preventive controls – Prevent errors and fraud before they happen. Detective controls – Uncover errors and fraud that have occurred. Corrective controls - Correct errors

VI. Analysis of Internal Control Processes A. Internal Control Questionnaire B. Applications Control Matrix

A. Internal Control Questionnaires are available for the review of certain application areas. Some weaknesses may be compensated for by other strengths. Testing of controls is also necessary since responses to a questionnaire are not considered conclusive evidence about internal controls.

B. Applications Control Matrix Columns represent processes under review while rows represent the presence/rating for a control feature. Some use x’s to indicate the presence or absence of a control. Others provide ratings to indicate the assessed reliability of the control. (See p. 133)

Summary The meaning of exposure The cause of exposure The concept of internal control General and application controls Preventive, detective, and corrective controls Internal control questionnaires Applications control matrix.