Transaction Processing and the Internal Control Process Chapter

Transaction Processing and the Internal Control Process Chapter 4 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 1

Learning Objective 1 Understand the nature of control exposures. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 2

Enterprise Risk Management Enterprise risk management (ERM) is a process, affected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 3

Enterprise Risk Management Enterprise risk management (ERM) has eight components: 1. Internal Environment 2. Objective Setting 3. Event Identification 4. Risk Assessment 5. Risk Response 6. Control Activities 7. Information and Communication 8. Monitoring 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 4

Controls and Exposures Controls are needed to reduce exposures to potential adverse events. An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence. The term risk is synonymous with the probability of occurrence. Controls tend to reduce exposures, but controls rarely affect the causes of exposures. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 5

Common Exposures 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 6

Fraud and White-Collar Crime White-collar crime describes a grouping of illegal activities that are differentiated from other illegal activities in that they occur as part of the occupation of the offender. Occurs when assets are deceitfully diverted from proper use. Often involves the entry of fictitious (i. e. fraudulent) transactions into an accounting system. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 7

Fraud and White-Collar Crime Three basic forms of theft occur in white- collar crime: 1. Employee theft involves diversion of assets by an employee for personal gain. 2. Employee-outsider theft involves diversion of assets by an employee in collusion with an outsider. 3. Management fraud concerns diversion of assets or misrepresentation of assets by management. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 8

Fraud and White-Collar Crime White-collar crime may result in fraudulent financial reporting. Fraudulent financial reporting is intentional or reckless conduct, whether by purposeful act or by omission, that results in materially misleading financial statements. Corporate crime is white-collar crime that benefits a company or organization, rather than the individuals who perpetrate the fraud. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4– 9

Fraud and White-Collar Crime Forensic accounting is one of several terms that are used to describe the activities of persons who are concerned with preventing and detecting fraud. Fraud examiner Fraud auditor Loss prevention specialist 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 10

Control Objectives and Transaction Cycles Most organizations experience the same types of economic events which generate transactions that can be grouped according to four common cycles: Revenue cycle Expenditure cycle Production cycle Finance cycle Control objectives should be developed for each transaction cycle. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 11

Control Objectives and Transaction Cycles Revenue cycle control objectives: Customers should be authorized in accordance with management’s criteria. Prices and terms of goods and services provided should be authorized in accordance with management’s criteria. All shipments of goods and services provided should result in a billing to the customer. Billings to customers should be accurately and promptly classified, summarized, and reported. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 12

Control Objectives and Transaction Cycles Expenditure cycle control objectives: Vendors should be authorized in accordance with management’s criteria. Employees should be hired in accordance with management’s criteria. Access to personnel, payroll, and disbursement records should be permitted only in accordance with management’s criteria. Compensation rates and payroll deductions should be authorized in accordance with management’s criteria. Amounts due to vendors should be accurately and promptly classified, summarized, and reported. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 13

Control Objectives and Transaction Cycles Production cycle control objectives: The production plan should be authorized in accordance with management’s criteria. Cost of goods manufactured should be accurately and promptly classified, summarized, and reported. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 14

Control Objectives and Transaction Cycles Finance cycle control objectives: The amounts and timing of debt transactions should be authorized in accordance with management’s criteria. Access to cash and securities should be permitted only in accordance with management’s criteria. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 15

Learning Objective 2 Discuss the concept of the internal control process. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 16

Components of the Internal Control Process Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 1. Reliability of financial reporting 2. Effectiveness and efficiency of operations 3. Compliance with applicable laws and regulations 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 17

Components of the Internal Control Process 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 18

Components of the Internal Control Process The concept of internal control is based on two major premises: 1. Responsibility has to do with management and the board of directors being responsible for establishing and maintaining the internal control process. 2. Reasonable assurance has to do with the relative costs and benefits of controls. Management should not spend more on the controls than the benefits to be received from the controls. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 19

External Influences Concerning an Entity and Internal Control An organization must ensure that its activities are in compliance with laws and regulations issued by those who have jurisdiction over it and its operations: 1. Securities and Exchange Commission (SEC) 2. Financial Accounting Standards Board (FASB) 3. Foreign Corrupt Practices Act (FCPA) 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 20

External Influences Concerning an Entity and Internal Control Section 102 of the FCPA requires all companies who are subject to the SEC act of 1934 to: Make and keep books, records, and accounts, which in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer; B. Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that: A. 1. 2. 3. 4. Transactions are executed in accordance with management’s authorization; Transactions are recorded as necessary; Access to assets is permitted only in accordance with management’s authorization; Recorded accountability for assets is compared with the existing assets. 4 – 21 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood

External Influences Concerning an Entity and Internal Control The Sarbanes-Oxley Act of 2002 (SOX): Five-member Public Accounting Oversight Board (PCAOB) Significantly increased criminal penalties for white-collar crime. Greatly expands scope of laws relating to obstruction of justice. Special provisions provide whistleblower protection. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 22

External Influences Concerning an Entity and Internal Control The Sarbanes-Oxley Act of 2002 (SOX): Restrictions of nonaudit services Role of the Audit Committee Conflicts of interest Corporate responsibility for financial reports Insider trades during pension fund blackouts prohibited Prohibition of personal loans to executives and directors Code of Ethics Management assessment of internal controls 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 23

Compliance with SOX Section 404 COSO Reports – “Internal Control - Integrated Framework” Other COSO reports - ERM – Integrated Framework; Internal Control over Financial Reporting; etc. COBIT – “Control Objectives for Information and related Technology” ISO 27002 The U. S. Federal Sentencing Guidelines 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 24

Components of the Internal Control Process Control environment Risk assessment Control activities Information and communication 5. Monitoring 1. 2. 3. 4. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 25

Control Environment • The control environment is the first of the five components of internal control and is the foundation for all other components: • The collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific policies and procedures. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 26

Control Environment • Factors included in the control environment: • • Integrity and ethical values Commitment to competence Management philosophy and operating style Organization structure Attention and direction provided by BOD Manner of assigning authority and responsibility Human resource policies and procedures 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 27

Control Environment • Human resources policies and procedures: • • Segregation of duties – responsibility for specific tasks in an organization should be clearly designated in manuals, job descriptions or other documents. Supervision – the direct monitoring of personnel performance by an employee who is so charged. Job rotation and forced vacations Dual control - the assignment of two individuals to perform the same work in unison. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 28

Risk Assessment • Risk Assessment is the second component of internal control: • The process of identifying, analyzing, and managing risks that affect the company’s objectives. • • Identify the changing internal and external conditions and the related actions that may be necessary. Examples include changes in operating environment, personnel, information systems, new technology, etc. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 29

Control Activities • Control Activities is the third component of internal control: • Accounting controls designed to provide reasonable assurance that the following specific control objectives are met: • • • Segregation of duties Adequate documents and records Restricted access to assets Independent checks on performance Information processing controls 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 30

Information and Communication • Information and Communication is the fourth component of internal control: • • Information refers to the organization’s accounting system. Communication relates to providing a clear understanding regarding all policies and procedures relating to controls. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 31

Information and Communication • • Accounting system – consists of the methods and records established to identify, assemble, analyze, classify, record, and report the organization’s transactions and to maintain accountability for the related assets and liabilities. Audit trail - consists of the documentary evidence of the various control techniques that a transaction was subject to during its processing. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 32

Monitoring • Monitoring is the fifth component of internal control: • • Involves the ongoing process of assessing the quality of internal controls over time and taking corrective actions when necessary to ensure the controls remain effective. The internal audit function often has the responsibility to monitor and evaluate internal controls on an ongoing basis. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 33

Monitoring • The COSO report “Guidance on Monitoring Internal Control Systems” presents a three-phase model for monitoring: 1. Establish foundation for monitoring 2. Design and execute monitoring procedures that are based on risk 3. Assess and report the results 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 34

Learning Objective 3 Identify general and application processing controls. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 35

Transaction Processing Controls Applicatio General n Controls 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 36

Transaction Processing Controls • General controls affect all transaction processing and concern the overall environment of transaction processing: • • The plan of data processing organization General operating procedures Equipment control procedures Equipment and data-access controls 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 37

Transaction Processing Controls • Application controls are specific to individual applications and are categorized according to the basic steps in the data processing cycle: Input controls • Processing controls • Output controls • 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 38

Transaction Processing Controls • Transaction processing controls may also be classified as being primarily preventative, detective, or corrective in nature: • • • Preventative controls act to prevent errors and fraud before they happen. Detective controls act to uncover errors and fraud after they have occurred. Corrective controls act to correct errors. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 39

Learning Objective 4 Discuss the behavioral assumptions inherent in traditional internal control practices. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 40

Communicating the Objectives of Internal Control • • • The principal function of internal control is to influence the behavior of people in a business system. The objectives of internal control must be seen as relevant to individuals who will comprise the control system. The system must be designed such that each employee is convinced that controls are meant to prevent difficulties or crises in the operation of the organization. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 41

Goals and Behavioral Patterns • An information system has several goals: • • Productivity Reliability of information Safeguarding of assets These goals are at times contradictory. • • Controls constrain productivity, but increase the reliability of resulting outputs. The conflict between internal controls and productivity must be considered as it may influence the behavior of people in the control system. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 42

Goals and Behavioral Patterns • • Collusion is agreement or conspiracy among two or more people to commit fraud. Factors which influence an individual’s behavior in a control system: • • • Formal plan of organization and related methods and measures employed. Groups and other sources of information pressures. Errors and irregularities are minimized when employees fully understand, accept, and internalize the objectives of the internal control system. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 43

Learning Objective 5 Describe the techniques used to analyze internal control systems. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 44

Analysis of Internal Control Processes • Internal control processes routinely collect information concerning the following: • • • Fulfillment of duties Transfer of authorities Approval Verification Reliability depends on the people who administer internal control procedures. It is essential that internal control procedures are actually performed as prescribed. 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 45

Analytic Techniques • Internal control questionnaire is a common analytic technique used in internal control analysis. • • Questionnaires are essentially checklists to ensure that a review does not omit an area of major importance. Supplement with other forms of analysis: • • • Write-ups Flowcharts Other charting techniques 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 46

Analytic Techniques Analytic flowcharts might be used in internal control analysis, particularly if the analysis involves a computer system application. • Application controls matrix provides a structured form of analysis that is particularly relevant to internal control reviews of information systems. • 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 47

Internal Control and Compliance in Small Business and Small Public Companies • The COSO report, “Internal Control over Financial Reporting-Guidance for Smaller Public Companies, ” suggest ways small companies can compensate for their size: • • Leadership Involvement Effective Board of Directors Limited Segregation of Duties and Increased Focus on Monitoring Compensating for Limitations in Information Technology 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 48

Internal Control and Compliance in Small Business and Small Public Companies • Both small and large companies can gain cost efficiencies in developing their internal control processes by using the following approaches: • • Apply a Top-Down Risk Assessment (TDRA Approach to Internal Control Assessment Focus on Changes Manage Reporting Objectives Right-Size Documentation 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 49

End of Chapter 4 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood 4 – 50