Ethics, Fraud and Internal Control
Internal Control System
- Policies, practices and procedures employed by the organization to achieve the four broad objectives below.

Internal Control Objectives
1. Safeguard the assets of the firm
2. Ensure the accuracy and reliability of accounting records and information
3. Promote the efficiency of the firm's operations
4. Measure compliance with management's prescribed policies and procedures

Modifying Assumptions
- Management Responsibility: the establishment and maintenance of a system of internal control is the responsibility of management.
- Reasonable Assurance: the cost of achieving the objectives of internal control should not outweigh its benefits.
- Methods of Data Processing: the techniques for achieving the objectives will vary with different types of technology.

Limitations
- Possibility of errors: no system is perfect.
- Circumvention via collusion: personnel may circumvent (manage to get around) the system through collusion (secret agreement or cooperation, especially for an illegal or deceitful purpose).
- Management override: management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so.
- Changing conditions: conditions may change over time, making existing controls ineffectual (not producing the proper effect).

Exposure
- The absence or weakness of a control.
- Undesirable events:
  1. Unauthorized access to the firm's assets
  2. Fraud by persons inside and outside the firm
  3. Errors due to employee incompetence
  4. Faulty computer programs and corrupted input data
  5. Mischievous acts: hackers and viruses
- Risks involved:
  1. Destruction of an asset
  2. Theft of an asset
  3. Corruption of information
  4. Disruption of the information system

Preventive, Detective, and Corrective Internal Control Model
- Offered little practical guidance for designing specific controls.
- Three levels of control: preventive, detective and corrective.
- Preventive Control
  1. First line of defense
  2. Passive techniques designed to reduce the frequency of occurrence of undesirable events
  3. An ounce of prevention is certainly worth a pound of cure.
  4. More cost-effective than detecting and correcting problems after they occur
  5. Example: a well-designed source document
- Detective Control
  1. Second line of defense
  2. Devices, techniques and procedures designed to identify and expose undesirable events that elude preventive controls
  3. Comparing actual occurrences to pre-established standards
  4. This is where the problem is identified
- Corrective Control
  1. Actions taken to reverse the effects of errors detected in the previous step
  2. This is where the problem is fixed
  3. There might be more than one feasible corrective action.
Sarbanes-Oxley Act/Legislation
- Known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and the 'Corporate and Auditing Accountability and Responsibility Act' (in the House), and more commonly called Sarbanes-Oxley, Sarbox or SOX.
- A United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms.
- Top management must now individually certify the accuracy of financial information.
- Penalties for fraudulent financial activity are much more severe.
- Increased the independence of the outside auditors who review the accuracy of corporate financial statements, and increased the oversight role of boards of directors.
- The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law.
- Requires management of public companies to implement an adequate system of internal control over their financial reporting process (controls over the transaction processing system).
- Requires that corporate management certify their organization's internal controls on a quarterly and annual basis (Section 302).
- Requires management of public companies to assess the effectiveness of their organization's internal control, providing an annual report on the following points (Section 404):
  1. Statement of management's responsibility for establishing and maintaining internal control
  2. Assessment of the effectiveness of the company's internal control over financial reporting
  3. Statement by the organization's external auditors on the assessment of the company's internal control
  4. Explicit written conclusion on the effectiveness of the internal control
  5. Statement identifying the frameworks used in the assessment
Statement on Auditing Standards (SAS) No. 78
- Current authoritative document for specifying internal control objectives and techniques.
- Based on the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is a management tool rather than an audit tool.
- Developed for auditors; describes the complex relationship between the firm's internal control, the auditor's assessment of risk, and the planning of audit procedures.

SAS 78/COSO Framework - Five Components

1. Control Environment
- Sets the tone for the organization and influences the control awareness of its management and employees.
- Important elements:
  - Integrity and ethics of management
  - Organizational structure
  - Role of the board of directors and the audit committee (responsible for selecting and engaging an independent auditor, for ensuring that an annual audit is conducted, for reviewing the audit report and for ensuring that deficiencies are addressed)
  - Management's policies and philosophy
  - Delegation of responsibility and authority
  - Performance evaluation measures
  - External influences: regulatory agencies
  - Policies and practices for managing human resources
- SAS 78/COSO requires auditors to obtain sufficient knowledge to assess the attitude and awareness of the organization's management, board of directors, and owners regarding internal control.

2. Risk Assessment
- Identify, analyze and manage risks relevant to financial reporting:
  - changes in the external environment
  - risky foreign markets
  - significant and rapid growth that strains internal controls
  - new product lines
  - restructuring, downsizing
  - changes in accounting policies
- SAS 78/COSO requires auditors to obtain knowledge about the risk assessment procedures to understand how management identifies, prioritizes, and manages the risks related to financial reporting.

3. Information and Communication
- The quality of information impacts management's ability to take action and make decisions.
- An effective AIS will:
  - identify and record all valid transactions
  - provide timely information in appropriate detail (to permit proper classification and financial reporting)
  - accurately measure the financial value of transactions (so their effects can be recorded in financial statements)
  - accurately record transactions in the time period in which they occurred
- Auditors must obtain sufficient knowledge of the IS to understand:
  - the classes of transactions that are material (and how they are initiated)
  - the associated accounting records and accounts used in processing material transactions
  - the transaction processing steps involved (from initiation to conclusion in the financial statements)
  - the financial reporting process used (preparation of financial statements, disclosures and accounting estimates)

4. Monitoring
- The process for assessing the quality of internal control design and operation.
- Separate procedures: tests of controls by internal auditors, who then make specific recommendations for improvement.
- Ongoing monitoring:
  - computer modules integrated into routine operations to maintain constant surveillance over the functioning of internal controls
  - management reports which highlight trends and exceptions from normal performance; timely reports allow managers in functional areas to oversee and control their operations

5. Control Activities
- Policies and procedures to ensure that the appropriate actions are taken in response to identified risks.
- Fall into two distinct categories: IT controls and physical controls.
- IT CONTROLS relate specifically to the computer environment:
  - General controls pertain to the entity-wide computer environment, e.g. controls over the data center, the organization's database, systems development, and program maintenance.
  - Application controls ensure the integrity of specific systems, i.e. sales order processing, accounts payable, and payroll applications.
- PHYSICAL CONTROLS
  - Primarily pertain to human activities.
  - Purely manual: physical custody of assets, physical use of computers to record transactions and update accounts.
  - Do not relate to computer logic; rather, they relate to the human activities that trigger and utilize the results of those tasks.
  - Categories of physical control:
    1. Transaction Authorization
       - Used to ensure that employees are carrying out only valid (authorized) transactions.
       - General authorization (everyday procedures): a programmed procedure.
       - Specific authorization (non-routine transactions): case-by-case decisions, e.g. extending the credit balance of a customer for specific reasons.
    2. Segregation of Duties (most important)
       - Separates authorizing a transaction from processing it.
       - Separates custody of an asset from recordkeeping for it (subtasks).
       - Three objectives:
         1. Segregation of duties should be such that authorization for a transaction is separate from processing the transaction.
         2. Responsibility for the custody of assets should be separate from record-keeping responsibility; otherwise assets can be stolen or lost and the accounting records falsified to hide the event.
         3. The organization should be structured so that successful fraud requires collusion between two or more individuals with incompatible responsibilities.
       - Journals, subsidiary ledgers, and the general ledger are maintained separately.
    3. Supervision
       - A compensation for the absence of segregation control; it is often called a compensating control.
    4. Accounting Records
       - Provide an audit trail of economic events (journals, source documents and ledgers).
       - Two reasons why organizations maintain an audit trail:
         1. It is needed for conducting day-to-day operations; it helps employees respond to customer inquiries by showing the current status of transactions in process.
         2. It plays an essential role in the financial audit of the firm's status; it enables external and internal auditors to verify selected transactions (tracing).
    5. Access Controls
       - Ensure that only authorized personnel have access to the firm's assets.
       - Help to safeguard assets by restricting physical access to them.
    6. Independent Verification
       - Reviewing batch totals or reconciling subsidiary accounts with control accounts.
       - Verification procedures: independent checks of the accounting system to identify errors and misrepresentations.
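As an added example (not part of these notes), the three segregation-of-duties objectives above expressed as a check over a constructed, hypothetical role table: objectives 1 and 2 become incompatible duty pairs that no single user may hold, and objective 3 becomes the question of how many people would have to collude to cover a given set of duties. The roles, users and duty names are assumptions for illustration.

```python
from itertools import combinations

# Duty pairs the notes say one person must never hold together:
# objective 1 (authorize vs process) and objective 2 (custody vs record).
INCOMPATIBLE = {
    frozenset({"authorize", "process"}),
    frozenset({"custody", "record"}),
}

# Constructed sample data (hypothetical roles and users, not from the notes).
ROLE_DUTIES = {
    "credit_manager": {"authorize"},
    "ar_clerk": {"process", "record"},
    "cashier": {"custody"},
    "ap_supervisor": {"authorize", "process"},  # badly designed role
}
USER_ROLES = {
    "alice": {"credit_manager"},
    "bob": {"ar_clerk", "cashier"},  # custody + record reach one person via two roles
    "carol": {"ap_supervisor"},      # authorize + process via a single role
    "dave": {"cashier"},
}

def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of duties reachable through all of a user's roles."""
    return set().union(*(role_duties.get(r, set()) for r in user_roles.get(user, ())))

def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Objectives 1 and 2: map each user to the incompatible duty pairs they hold."""
    report = {}
    for user in user_roles:
        held = effective_duties(user, user_roles, role_duties)
        pairs = sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= held)
        if pairs:
            report[user] = pairs
    return report

def min_colluders(needed, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Objective 3: smallest number of people whose combined duties cover `needed`.
    1 means a fraud needing those duties requires no collusion; None means no one covers them."""
    needed, users = set(needed), list(user_roles)
    for k in range(1, len(users) + 1):
        for group in combinations(users, k):
            covered = set().union(*(effective_duties(u, user_roles, role_duties) for u in group))
            if needed <= covered:
                return k
    return None
```

Reviewing `sod_violations()` output is the detective check; reassigning roles until `min_colluders()` returns at least 2 for every fraud path is the corrective one.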