Chapter 9: Introduction to Internal Control Systems

  • Slides: 48

Chapter 9: Introduction to Internal Control Systems
• Introduction
• 1992 COSO Report
• Updates on Risk Assessment & 2013 Update
• Examples of Control Activities
• 2011 COBIT, Version 5
• Types of Controls
• Evaluating Controls

Introduction
Fraud (Ch 11) and errors may be the result of many factors:
• Distractions: concurrent tasks, work environment, personal situations
• Complexity: it is easier to complete a simple task than a hard one
• Limitations: fatigue, cognitive limitations, etc.

Internal Control Systems
Definition
• Policies, plans, and procedures
• Implemented to protect a firm's assets
People Involved
• Board of directors
• Management
• Other key personnel

Internal Control Systems
Provides reasonable assurance of:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Protection of assets
• Compliance with applicable laws and regulations
Important Guidance
• Statement on Auditing Standards No. 94
• Sarbanes-Oxley Act of 2002

Risk Control Strategies
• Avoidance: policy, training and education, or technology
• Transference: shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
• Mitigation: reducing the impact through planning and preparation
• Acceptance: doing nothing if the cost of protection does not justify the expense of the control

Internal Control System Objectives
• Safeguard assets
• Check the accuracy and reliability of accounting data
• Promote operational efficiency
• Enforce prescribed managerial policies

Information System Goals – CIA Triangle
• Confidentiality
• Integrity
• Availability

CIA Triangle
• Confidentiality: ensuring that information is accessible only by those who are properly authorized
• Integrity: ensuring that data has not been modified without authorization
• Availability: ensuring that systems are operational when needed for use

Background Information on Internal Controls
[Figure slides: background information on internal controls, image content not extracted]

1992 COSO Report
• Defines internal control and its components
• Presents criteria to evaluate internal control systems
• Provides guidance for public reporting on internal controls
• Offers materials to evaluate an internal control system

Components of Internal Control – COSO 1992
Control Environment: management's oversight, integrity, and ethical principles
• Attention and direction by board of directors
• Management's philosophy and operating style
• Method of assigning authority and responsibility
• Method of organizing and developing employees

Components of Internal Control – COSO 1992
Risk Assessment
• Identify organizational risks
• Analyze potential of risks (cost and occurrence)
• Cost-benefit analysis
Control Activities
• Policies and procedures
• Manual and automated

Components of Internal Control – COSO 1992
Information and Communication
• Inform employees
• Roles and responsibilities
• Importance of good working relationships
Monitoring
• Evaluation of internal controls
• Initiate corrective action when necessary

2004 COSO Enterprise Risk Management Framework
• Emphasizes enterprise risk management
• Includes the COSO (1992) control components
• Three new components:
  ◦ Objective setting
  ◦ Event identification
  ◦ Risk response
[Figure slide: 2004 COSO Enterprise Risk Management Framework, image content not extracted]

Components of Internal Control – COSO 2004
Objective Setting
• Strategic: high-level goals and mission
• Operations: day-to-day efficiency, performance, and profitability
• Reporting: internal and external
• Compliance: laws and regulations

Components of Internal Control – COSO 2004
Event Identification and Risk Response
• Identify threats
• Analyze risks
• Implement cost-effective countermeasures
• Additional considerations:
  ◦ Risk tolerance
  ◦ Cost-benefit trade-offs

COSO 2013 Objectives
• Update content: reflect changes in business and operating environments
• Broaden application: expand operations and reporting objectives
• Clarify requirements: articulate principles to facilitate effective internal control
[Figure slide: COSO 1992, 2004, 2013, image content not extracted]

Update considers changes in business and operating environments
Changes in the environment that have driven framework updates:
• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexity in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
[Figure: COSO Cube (2013 Edition)]

Update articulates principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Update describes important characteristics of principles, e.g., Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
Points of Focus:
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner
Notes on points of focus:
• Points of focus may not be suitable or relevant, and others may be identified
• Points of focus may facilitate designing, implementing, and conducting internal control
• There is no requirement to separately assess whether points of focus are in place


Risk Assessment Worksheet
[Figure slide: risk assessment worksheet, image content not extracted]

Study Break #4
Which of the following is not one of the three additional components that was added in the 2004 COSO Report?
A. Objective setting
B. Risk assessment
C. Event identification
D. Risk response

Examples of Control Activities
• Good audit trail
• Sound personnel policies and practices
• Separation of duties
• Physical protection of assets
• Reviews of operating performance

Good Audit Trail
Use of Audit Trail: follow the path of data recorded in a transaction
• From initial source documents to final disposition of the data
• From data on reports back to source documents
Purpose of Audit Trail
• Verify accuracy of recorded transactions
• Detect errors and irregularities

Sound Personnel Policies
[Figure slide: sound personnel policies, image content not extracted]

Separation of Duties
Purpose
• Structure of work assignments
• One employee's work checks the work of another
Separate Related Activities
• Authorizing transactions
• Recording transactions
• Maintaining custody of assets
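The two control activities above, a good audit trail and separation of duties, are easy to describe and easy to let slip in practice. The following is an added example, not part of the slides: a small detective control that rebuilds each transaction's path from a log and flags (a) one employee performing two or more of the three separated functions (authorize, record, custody), (b) transactions whose trail skips a step, and (c) amounts that change between the source event and later steps. The log format, field names and all sample lines are constructed for the example.

```python
"""Detective control over a transaction audit trail (added example; not from the slides).

Each transaction should pass through three separately assigned functions:
authorization, recording, and custody of the asset. The checker reads a log of
events and reports separation-of-duties conflicts, incomplete trails, and
amounts that do not agree from source document to final disposition.
Log format (constructed): timestamp  tx_id  employee  function  amount
"""
from collections import defaultdict

FUNCTIONS = ("authorize", "record", "custody")

# Constructed sample audit log. TX1001 is clean; TX1002 has one person both
# authorizing and recording; TX1003 has no authorization event at all;
# TX1004 was recorded for a different amount than was authorized.
SAMPLE_LOG = """\
2024-03-01T09:02:11 TX1001 alice authorize 4200.00
2024-03-01T09:15:40 TX1001 bob record 4200.00
2024-03-01T10:01:03 TX1001 carol custody 4200.00
2024-03-01T11:30:00 TX1002 dave authorize 980.00
2024-03-01T11:31:12 TX1002 dave record 980.00
2024-03-01T11:45:09 TX1002 erin custody 980.00
2024-03-01T14:10:55 TX1003 frank record 15000.00
2024-03-01T14:12:30 TX1003 frank custody 15000.00
2024-03-01T15:00:00 TX1004 gina authorize 250.00
2024-03-01T15:05:00 TX1004 hal record 2500.00
2024-03-01T15:20:00 TX1004 ivan custody 2500.00
"""


def parse_log(text):
    """Group log lines by transaction: tx_id -> [(timestamp, employee, function, amount)]."""
    trail = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tx_id, employee, function, amount = line.split()
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} in line: {line}")
        trail[tx_id].append((ts, employee, function, float(amount)))
    return trail


def check_separation_of_duties(trail):
    """Return {tx_id: {employee: [functions]}} where one employee held 2+ of the 3 functions."""
    findings = {}
    for tx_id, events in trail.items():
        by_employee = defaultdict(set)
        for _, employee, function, _ in events:
            by_employee[employee].add(function)
        conflicts = {emp: sorted(fns) for emp, fns in by_employee.items() if len(fns) >= 2}
        if conflicts:
            findings[tx_id] = conflicts
    return findings


def check_audit_trail_complete(trail):
    """Return {tx_id: [missing functions]} for transactions that skip a step in the path."""
    findings = {}
    for tx_id, events in trail.items():
        seen = {function for _, _, function, _ in events}
        missing = [f for f in FUNCTIONS if f not in seen]
        if missing:
            findings[tx_id] = missing
    return findings


def check_amounts_consistent(trail):
    """Return tx ids whose amount differs between steps (report data vs. source document)."""
    return sorted(tx for tx, events in trail.items() if len({amt for *_, amt in events}) > 1)


if __name__ == "__main__":
    trail = parse_log(SAMPLE_LOG)
    for tx, conflicts in check_separation_of_duties(trail).items():
        print(f"separation-of-duties conflict {tx}: {conflicts}")
    for tx, missing in check_audit_trail_complete(trail).items():
        print(f"incomplete audit trail {tx}: missing {missing}")
    for tx in check_amounts_consistent(trail):
        print(f"amount mismatch along trail {tx}")
```

Run against the constructed log, the checker reports TX1002 (dave authorized and recorded), TX1003 (no authorization step) and TX1004 (250.00 authorized, 2500.00 recorded). In a real system the same three checks would run over the accounting system's event log rather than a string, and the findings would feed the internal audit function described later in the chapter.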

Physical Protection of Assets
Inventory Controls
• Stored in a safe location with limited access
• Utilization of receiving report
Document Controls
• Protecting valuable organizational documents
• Corporate charter, major contracts, blank checks, and SEC registration statements

Physical Protection of Assets
Cash Control
• Most susceptible to theft and human error
• Fidelity bond coverage
• Use checks for cash disbursements
• Deposit the daily cash receipts intact

Reviews of Operating Performance
Internal Audit Function
• Reports to the Audit Committee of the Board of Directors
• Independent of other subsystems
• Enhances objectivity
Duties of Internal Auditors
• Operational audits
• Regular reviews of internal control systems

Study Break #5
Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees?
A. Analysis, authorizing, transactions
B. Custody, monitoring, detecting
C. Recording, authorizing, custody
D. Analysis, recording, transactions

2011 COBIT, Version 5
Control Objectives for Information and related Technology (COBIT)
• Strategic alignment
• Realization of expected benefits of IT
• Continual assessment of IT investment
• Determine risk appetite
• Measure and assess performance of IT resources
COBIT and Val IT Integration
[Figure slide: COBIT and Val IT integration, image content not extracted]

Types of Controls
• Preventive controls: prevent problems from occurring
• Detective controls: alert managers when preventive controls fail
• Corrective controls: solve or correct a problem

Evaluating Controls
Requirements of the Sarbanes-Oxley Act
• Statement of management responsibility for the internal control structure
• Assessment of effectiveness of the internal control structure
• Attestation of the auditor on the accuracy of management's assessment
Cost-Benefit Analysis
[Figure slide: cost-benefit analysis, image content not extracted]

Risk assessments are tricky
Choose between two treatments for 600 people affected by a deadly disease, described as:
• "Saves 200 lives"
• "400 people will die"

A Risk Matrix
[Figure slides: risk matrix, image content not extracted]

The Risk Management Process (a cycle, monitored continuously)
1. Identify IT assets
2. Assess IT risks
3. Identify IT controls
4. Document IT controls
5. Monitor, and return to step 1

Risk Management – Asset Identification
• Software
• Cash
• Processes
• People
• Hardware
• Inventory
• Data
• Facilities

Asset Valuation: What do we stand to lose?
Assets: people, data, hardware, software, facilities, (procedures)
Valuation Methods
• Criticality to the organization's success
• Revenue generated
• Profitability
• Cost to replace
• Cost to protect
• Embarrassment/liability
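To tie the risk management process, the risk matrix, the four risk control strategies and cost-benefit analysis together, here is an added worked example that is not part of the slides. It walks one pass of the cycle: identify assets with a valuation, assess each risk with a likelihood-by-impact matrix score, identify candidate controls, and document the chosen treatment. The scoring model is an assumption (likelihood and impact rated 1 to 5, score bands for high/medium/low, and a control adopted only when the expected loss it avoids exceeds its own cost, which is how the slides define acceptance). All assets, loss estimates and controls are constructed.

```python
"""Worked risk register for the Identify IT Assets -> Assess IT Risks ->
Identify IT Controls -> Document IT Controls cycle (added example; not from the slides).
Assumed scoring model: likelihood and impact rated 1..5 and multiplied into a
risk-matrix score; a control is adopted only when the expected loss it avoids
exceeds its annual cost, otherwise the risk is accepted. Data is constructed."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    category: str             # Software, Cash, Processes, People, Hardware, Inventory, Data, Facilities
    replacement_cost: float   # "cost to replace" valuation
    criticality: int          # 1 (low) .. 5 (essential to the organization's success)


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int           # 1..5, how often the threat is expected to occur
    impact: int               # 1..5, severity if it does
    expected_annual_loss: float  # assumed estimate used for the cost-benefit step


@dataclass
class Control:
    name: str
    kind: str                 # preventive, detective or corrective (Types of Controls)
    strategy: str             # avoidance, transference or mitigation (Risk Control Strategies)
    annual_cost: float
    loss_reduction: float     # fraction of the expected loss the control removes, 0..1


def matrix_score(risk: Risk) -> int:
    """Risk-matrix cell: likelihood x impact on a 1..25 scale."""
    return risk.likelihood * risk.impact


def rating(score: int) -> str:
    """Assumed matrix bands: 15 and above high, 8 to 14 medium, below 8 low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def choose_treatment(risk: Risk, candidates: list) -> dict:
    """Cost-benefit step: take the control with the largest positive net benefit,
    or accept the risk when no candidate's avoided loss covers its own cost."""
    best, best_net = None, 0.0
    for control in candidates:
        net = risk.expected_annual_loss * control.loss_reduction - control.annual_cost
        if net > best_net:
            best, best_net = control, net
    if best is None:
        return {"strategy": "acceptance", "control": None, "net_benefit": 0.0}
    return {"strategy": best.strategy, "control": best.name, "net_benefit": round(best_net, 2)}


def build_register(risks: list, controls_for: dict) -> list:
    """Document IT Controls: one register row per risk, highest matrix score first."""
    rows = []
    for risk in risks:
        score = matrix_score(risk)
        decision = choose_treatment(risk, controls_for.get(risk.threat, []))
        rows.append({"asset": risk.asset.name, "category": risk.asset.category,
                     "threat": risk.threat, "score": score, "rating": rating(score),
                     **decision})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed assets, risks and candidate controls
CUSTOMER_DB = Asset("customer database", "Data", 500_000, 5)
LAPTOPS = Asset("field laptop fleet", "Hardware", 60_000, 3)
PETTY_CASH = Asset("branch petty cash", "Cash", 500, 1)

RISKS = [
    Risk(CUSTOMER_DB, "ransomware", likelihood=3, impact=5, expected_annual_loss=120_000),
    Risk(LAPTOPS, "device loss", likelihood=4, impact=2, expected_annual_loss=6_000),
    Risk(PETTY_CASH, "theft", likelihood=4, impact=1, expected_annual_loss=800),
]

CONTROLS = {
    "ransomware": [
        Control("offline backups with tested restore", "corrective", "mitigation", 15_000, 0.60),
        Control("cyber insurance policy", "corrective", "transference", 30_000, 0.70),
    ],
    "device loss": [Control("full-disk encryption", "preventive", "mitigation", 2_000, 0.80)],
    "theft": [Control("safe with dual-custody access", "preventive", "mitigation", 1_200, 0.90)],
}


if __name__ == "__main__":
    for row in build_register(RISKS, CONTROLS):
        print(row)
```

With the constructed numbers, the ransomware risk scores 15 (high) and both candidate controls pay for themselves, but backups win on net benefit over insurance; device loss scores 8 (medium) and encryption is adopted; petty-cash theft scores 4 (low) and, because a 1,200 safe would avoid only 720 of expected loss, the register records acceptance, exactly the case the slide describes where the cost of protection does not justify the control.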