Accounting information systems 12th SIMKIN and norman chapter 09

Chapter 9: Introduction to Internal Control Systems Introduction 1992 COSO Report Updates on Risk Assessment Examples of Control Activities Update on Monitoring 2011 COBIT, Version 5...

Chapter 9:

Introduction to Internal Control Systems

Introduction

1992 COSO Report

Updates on Risk Assessment

Examples of Control Activities

Update on Monitoring

2011 COBIT, Version 5

 Policies, plans, and procedures

 Implemented to protect a firms assets

People Involved

 Board of directors

 Management

 Other key personnel

Internal Control Systems

Provides reasonable assurance

 Effectiveness and efficiency of operations

 Reliability of financial reporting

 Protection of Assets

 Compliance with applicable laws and regulations

Important Guidance

 Statement on Auditing Standard No 94

Internal Control Systems

Internal Control System

Objectives

Safeguard assets

Check the accuracy and reliability of

accounting data

Promote operational efficiency

Enforce prescribed managerial policies

Study Break #1

This term describes the policies, plans, and procedures

implemented by a firm to protect the assets of the

Study Break #1 - Answer

This term describes the policies, plans, and procedures

implemented by a firm to protect the assets of the

Study Break #2

Which of the following is not one of the four objectives of an

internal control system?

A Safeguard assets

B Promote firm profitability

C Promote operational efficiency

D Encourage employees to follow managerial policies

Study Break #2 - Answer

Which of the following is not one of the four objectives of an

internal control system?

A Safeguard assets

B Promote firm profitability

C Promote operational efficiency

D Encourage employees to follow managerial policies

Background Information

on Internal Controls

Background Information

on Internal Controls

Background Information

on Internal Controls

1992 COSO Report

Defines internal control and components

Presents criteria to evaluate internal control

Control Environment

 Management’s oversight , integrity, and ethical

principles

 Attention and direction by board of directors

 Management’s philosophy and operating style

 Method of assigning authority and responsibility

 Method of organizing and developing employees

Components of Internal

Control – COSO 1992

Risk Assessment

 Identify organizational risks

 Analyze potential of risks (cost and occurrence)

 Cost-benefit analysis

Control Activities

 Policies and procedures

 Manual and automated

Components of Internal

Control – COSO 1992

Information and Communication

 Inform employees

 Roles and responsibilities

 Importance of good working relationships

Monitoring

 Evaluation of internal controls

Components of Internal

Control – COSO 1992

2004 COSO Enterprise Risk

Management Framework

Emphasizes enterprise risk management

Includes COSO (1992) control components

Three new components

 Objective setting

 Event identification

 Risk response

2004 COSO Enterprise Risk

Management Framework

Objective Setting

 Strategic – high level goals and mission

 Operations – day-to-day efficiency, performance, and profitability

 Reporting – internal and external

 Compliance – laws and regulations

Components of Internal

Control – COSO 2004

Event Identification and Risk Response

Risk Assessment Worksheet

Commissioned survey called Enterprise Risk

Management Initiative

Survey targeted utilization of COSO ERM

Framework

 Theoretically sound

 65% fairly or very familiar with framework

 Board had not assigned risk oversight in over half of COSO’s 2010 Report on ERM

Study Break #3 - Answer

An internal control system should consist of five components Which of the following is not one of those five components?

A The control environment

B Risk assessment

C Monitoring

D Performance evaluation

Study Break #4

Which of the following is not one of the three additional

components that was added in the 2004 COSO Report?

A Objective setting

B Risk assessment

C Event identification

D Risk response

Study Break #4 - Answer

Which of the following is not one of the three additional

components that was added in the 2004 COSO Report?

A Objective setting

B Risk assessment

C Event identification

D Risk response

Examples of Control Activities

Good Audit Trail

Sound Personnel Policies and Practices

Separation of Duties

Physical Protection of Assets

Reviews of Operating Performance

Good Audit Trail

Use of Audit Trail

 Follow path of data recorded in transaction

 Initial source documents to final disposition of

data

 Data on reports back to source documents

Purpose of Audit Trail

 Verify accuracy of recorded transactions

Sound Personnel Policies

Separation of Duties

Purpose

 Structure of work assignments

 One employee’s work checks the work of another

Separate Related Activities

 Authorizing transactions

 Recording transactions

 Maintaining custody of assets

Physical Protection of

Assets

Inventory Controls

 Stored in safe location with limited access

 Utilization of Receiving Report

Document Controls

 Protecting valuable organizational documents

 Corporate charter, major contracts, blank

checks, and SEC registration statements

Receiving Report

Physical Protection of

Assets

Cash Control

 Most susceptible to theft and human error

 Fidelity bond coverage

 Use checks for cash disbursements

 Deposit the daily cash receipts intact

Disbursement Voucher

Reviews of Operating

Performance

Internal Audit Function

 Reports to Audit Committee of Board of Directors

 Independent of other subsystems

Study Break #5

Separation of duties is an important control activity If

possible, managers should assign which of the following

three functions to different employees?

A Analysis, authorizing, transactions

B Custody, monitoring, detecting

C Recording, authorizing, custody

D Analysis, recording, transactions

Study Break #5 - Answer

Separation of duties is an important control activity If

possible, managers should assign which of the following

three functions to different employees?

A Analysis, authorizing, transactions

B Custody, monitoring, detecting

C Recording, authorizing, custody

D Analysis, recording, transactions

2009 COSO Monitoring Guidance Report

Update on Monitoring

Control Objectives for Information and

related Technology (COBIT)

 Strategic alignment

 Realization of expected benefits of IT

 Continual assessment of IT investment

 Determine risk appetite

 Measure and assess performance of IT resources

2011 COBIT, Version 5

COBIT and Val IT Integration

Evaluating Controls

Requirements of Sarbanes-Oxley Act

 Statement of management responsibility for

internal control structure

 Assessment of effectiveness of internal control

structure

 Attestation of auditor on accuracy of

management’s assessment

Cost-Benefit Analysis

A Risk Matrix

Copyright 2012 John Wiley & Sons, Inc All rights reserved

Reproduction or translation of this work beyond that permitted in

Section 117 of the 1976 United States Copyright Act without the

express written permission of the copyright owner is unlawful

Request for further information should be addressed to the

Permissions Department, John Wiley & Sons, Inc The purchaser

may make backup copies for his/her own use only and not for

distribution or resale The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

Chapter 9