
自成咨询

Section D. Internal Controls 15%

1. Risk assessment, controls, and risk management
a. Internal control structure and management philosophy
b. Internal control policies for safeguarding and assurance
c. Internal control risk
d. Implications of the Sarbanes-Oxley Act of 2002
e. U.S. Foreign Corrupt Practices Act internal control requirements
f. COSO Internal Control Framework

2. Internal auditing
a. Responsibility and authority of the internal audit function
b. Types of audits conducted by internal auditors


3. Systems controls and security measures
a. General accounting system controls
b. Application and transaction controls
c. Network controls
d. Flowcharting to assess controls
e. Backup controls
f. Disaster recovery procedures


D.1. Risk assessment, controls, and risk management

a. Internal control structure and management philosophy
b. Internal control policies for safeguarding and assurance
c. Internal control risk
d. Implications of the Sarbanes-Oxley Act of 2002
e. U.S. Foreign Corrupt Practices Act internal control requirements
f. COSO Internal Control Framework


Risk and Control Environment

• a. Internal control structure and management philosophy

• c. Internal control risk

• f. COSO Internal Control Framework


Risks
• Unforeseen obstacles to the pursuit of objectives
• Originate within or outside the organization
• Examples
– Hacker breaking into the university's information systems
– CEO bribing a member of Congress to introduce legislation
– Foreign government overthrown → assets in that country expropriated
– Accounts payable clerk establishes fictitious vendors
– Spiking interest rates → long-term capital projects become unprofitable
– New technology → premier products become obsolete
– Government regulations reduced → new competitors enter


Risk assessment

• Identifying the vulnerabilities of the organization
• Systems of internal control involve tradeoffs between cost and benefit
– No system is 100% effective
– Risk can be mitigated, not eliminated


Risk management

• Designing, operating internal controls that mitigate identified risks


Risk
• Combination of
– Severity of consequences
– Likelihood of occurrence
• Expected value of the loss due to risk exposure, stated numerically:
– Severity of consequences × Likelihood of occurrence

Event                                          Consequences                                        Likelihood
Minor penetration                              Annoyance                                           90%
Unauthorized viewing of internal databases     Public embarrassment, loss of customer confidence   8%
Unauthorized alteration of internal databases  PR crisis, customer defection                       2%


AICPA audit risk model

• Inherent risk (IR): the susceptibility of an objective to obstacles arising from the nature of the objective itself, before considering any controls

• Control risk (CR): the risk that the controls will fail to prevent an obstacle from interfering with achievement of the objective

• Detection risk (DR): the risk that an obstacle to the objective will not be detected before a loss occurs

• Total risk (TR) = IR × CR × DR
– The three factors are treated as multiplicative: the weaker the controls (higher CR), the more detection effort (lower DR) is needed to hold TR at an acceptable level


System of internal control

• Helps manage risks
• SMA 2A, Management Accounting Glossary:
– "The whole system of controls (financial and otherwise) established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets, and ensure as far as possible the completeness and accuracy of the records."


System of internal control

• Proper design and operation are management's responsibility

• Sarbanes-Oxley Section 404 requires publicly traded companies to issue a report stating
– Management takes responsibility for establishing and maintaining the firm's system of internal controls
– The system has functioned effectively over the reporting period


PCAOB Approach

• PCAOB (Public Company Accounting Oversight Board)
– Overseen by the SEC
– Issues the auditing standards for audits of public companies

• Requires the auditor to
– Express an opinion on both internal control over financial reporting and the fair presentation of the financial statements


Components of Internal control


Internal control - COSO Framework
• "Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives."


Internal control - COSO Framework
• Objectives fall into the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations


COSO cube (figure): the five components, the three objective categories and the organizational units form the three axes of the cube

• Components (rows)
– Control Environment
– Risk Assessment
– Control Activities
– Information & Communication
– Monitoring
• Objective categories (columns): Operations, Financial reporting, Compliance
• Organizational units (depth): Unit 1, Unit 2, Unit 3, Unit 4

Control Environment
1. Organizational structure
2. Policies
3. Objectives, goals
4. Management philosophy, operating style
5. Assignment of authority and responsibility

COSO Framework (figure): two frameworks
• IC Framework (Internal Control)
• ERM Framework (Enterprise Risk Management)


Control environment

• Components
– 1. Organizational structure
• Lines of reporting and authority are designed so that incompatible duties are not combined in the same job function
• Facilitates independent checks on performance
– 2. Policies
• Stated principles that require, guide or restrict action
• Promote the conduct of authorized activities
• Provide a satisfactory degree of assurance
• Procedures: the detailed steps for carrying out a policy
– 3. Objectives, goals
• Realistic, achievable goals that do not tempt management to cross ethical boundaries
– 4. Management philosophy, operating style
• Manifests in everyday actions: financial reporting, accounting estimates, selection of accounting principles
• Integrity and ethical values affect all aspects of control
– Ethical behavior results from the standards set, the way they are transmitted, and how they are reinforced
• Creates a better risk management atmosphere by removing incentives for dishonest, illegal or unethical behavior and by management setting an example in its own behavior
– 5. Assignment of authority and responsibility
• Improved by proper design of the organizational structure
• Lines of reporting can reinforce proper internal control

Board of directors

• Required for most publicly held corporations
– Inside members: officers and employees
– Outside members: non-employees who hold stock

• Governing authority of the corporation

• Responsible for establishing overall corporate policy


Board of directors
• Fiduciary duty to the organization and its shareholders
• Exercise reasonable care in the performance of duties
– Be informed about and conversant with pertinent information
– Attend meetings
– Analyze financial statements
• Owe a duty of loyalty
– Prohibits dealing with the corporation unless full disclosure is made
– Prohibits usurping a corporate opportunity without giving the entity a right of first refusal


Directors typically responsible for

• 1) Select and remove officers

• 2) Determine the capital structure

• 3) Add, amend, or repeal bylaws

• 4) Initiate fundamental changes: M&A

• 5) Declare dividends

• 6) Set compensation of officers


Audit committee

• Subcommittee of the board of directors

• Helps keep the external auditors independent of management
– Assigned their selection, compensation and oversight

• Required by many stock exchanges

• Crucial that it be composed only of outside directors


Audit committee

• Maintains the control environment by approving the charter of, and overseeing the work of, the internal audit activity

• Insulates external and internal auditors from influences that may compromise their independence and objectivity


Importance of HR


Personnel

• Hiring standards
– Emphasize education, past achievements, and evidence of integrity and ethics
– Display a commitment to employing competent, trustworthy people

• Training policies
– Impart to employees
• Knowledge of roles and responsibilities
• Expectations about conduct and performance

• Competence
– Knowledge and abilities necessary to complete the required tasks

• Promotions
– Periodic performance appraisals reflect a commitment to rewarding competence


Control Procedures

Internal control policies for safeguarding and assurance


Control activities

• Ensure that management's directives are executed

• Include the requisite steps to respond to risks that threaten attainment of objectives
– Suitably designed to prevent or detect unfavorable conditions
– Operate effectively


Control activities

• Types of control activities
– Preventive
• Locking the door
• Separating duties
– Detective
• Petty cash count
• Physical inventory count


Control procedures

• Manage and limit risk in accordance with the risk assessments

• Control areas
– 1. Segregation of duties, basic functional responsibilities
– 2. Independent checks, verification
– 3. Safeguarding controls
– 4. Prenumbered forms
– 5. Specific document flow


Segregation of duties

• Assigning different employees to each function so that no employee acting alone can both commit an error or fraud and conceal it

• Types of segregated functional responsibilities
– Authorization of transactions
– Recording of transactions
– Custody of the assets affected by transactions
– Periodic reconciliation of existing assets to recorded amounts


Segregation in three business cycles
• Purchase-payable cycle
– Authority to execute the transaction is vested in the purchasing department
– Recording the transaction is done by accounts payable
– Custody of assets is vested in the warehouse
– Periodic reconciliation of assets to records is performed by inventory control


Segregation in three business cycles
• Sales-receivable cycle
– Authority to execute the transaction is vested in the sales department
– Recording the transaction is done by accounts receivable
– Custody of assets is vested in the warehouse
– Periodic reconciliation of assets to records is performed by the G/L


Segregation in three business cycles
• Payroll cycle
– Authority to execute the transaction (hiring, termination, salary rates) is vested in the HR department
– Recording the transaction is done by the payroll department
• Payroll normally belongs to the finance department
• If payroll sits within HR, the HR hiring group and the HR payroll group must be separated, because the hiring group controls hiring, termination and salary rates
– Custody of assets (cash) is vested in the treasurer
– Periodic reconciliation of assets to records is performed by the G/L
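The four functional responsibilities above (authorization, recording, custody, reconciliation) are what an automated segregation-of-duties check enforces over the role assignments of an identity or ERP system, both as a detective sweep of existing grants and as a preventive check before a new role is granted. The following Python is an added example and not part of the original slides; the role catalogue, user names and cycle labels are constructed sample data, and it assumes each role grants exactly one duty within one transaction cycle.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the original slides.  The four duties mirror the
slides (authorize, record, custody, reconcile); the roles, users and
cycle labels are constructed sample data.
"""
from itertools import combinations

# Duties that must not be combined in one person within the same cycle.
DUTIES = ("authorize", "record", "custody", "reconcile")

# Constructed role catalogue: role name -> (cycle, duty).  Each role grants
# exactly one duty in one cycle, mirroring the slides' mapping of
# departments (purchasing, A/P, warehouse, ...) to functions.
ROLES = {
    "purchasing_agent":  ("purchase-payable", "authorize"),
    "ap_clerk":          ("purchase-payable", "record"),
    "warehouse_keeper":  ("purchase-payable", "custody"),
    "inventory_control": ("purchase-payable", "reconcile"),
    "sales_rep":         ("sales-receivable", "authorize"),
    "ar_clerk":          ("sales-receivable", "record"),
    "gl_accountant":     ("sales-receivable", "reconcile"),
    "hr_hiring":         ("payroll", "authorize"),
    "payroll_clerk":     ("payroll", "record"),
    "treasurer":         ("payroll", "custody"),
}


def duties_for(roles):
    """Expand a user's roles into {cycle: set(duties)}."""
    out = {}
    for role in roles:
        if role not in ROLES:
            raise KeyError(f"unknown role: {role}")
        cycle, duty = ROLES[role]
        out.setdefault(cycle, set()).add(duty)
    return out


def find_sod_conflicts(assignments):
    """Detective check: return sorted (user, cycle, duty_a, duty_b) tuples
    for every pair of incompatible duties one user holds in the same cycle.

    Duties held in *different* cycles are not flagged: the slides segregate
    within a cycle, and cross-cycle combinations are a separate question.
    """
    conflicts = []
    for user, roles in assignments.items():
        for cycle, duties in duties_for(roles).items():
            for a, b in combinations(sorted(duties), 2):
                conflicts.append((user, cycle, a, b))
    return sorted(conflicts)


def would_conflict(assignments, user, new_role):
    """Preventive check: would granting new_role to user create a conflict?"""
    cycle, duty = ROLES[new_role]
    held = duties_for(assignments.get(user, [])).get(cycle, set())
    return any(d != duty for d in held)


# Constructed sample: who holds which roles today.
SAMPLE_ASSIGNMENTS = {
    "alice": ["purchasing_agent"],
    "bob":   ["ap_clerk", "warehouse_keeper"],     # records AND holds custody
    "carol": ["inventory_control", "sales_rep"],   # two cycles: acceptable
    "dave":  ["hr_hiring", "payroll_clerk"],       # hires AND runs payroll
}

if __name__ == "__main__":
    for user, cycle, a, b in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds '{a}' and '{b}' in {cycle}")
    print("alice + ap_clerk would conflict:",
          would_conflict(SAMPLE_ASSIGNMENTS, "alice", "ap_clerk"))
```

Run as a script it lists bob (record + custody in purchase-payable) and dave (authorize + record in payroll), and reports that granting alice the A/P clerk role would combine authorization with recording. The same two functions can be wired into a periodic access review and into the approval step of a role request.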


Independent checks, verifications

• Reconciliation of recorded accountability with the assets, performed by a part of the organization that is either
– 1. Unconnected with the original transaction, or
– 2. Without custody of the assets involved


Independent checks, verifications

• A comparison revealing assets that disagree with recorded accountability provides evidence of unrecorded or improperly recorded transactions
– The converse is not necessarily true: agreement does not prove that every transaction was recorded

• The frequency of comparison depends on the nature and amount of the assets involved and the cost of the comparison


Safeguarding controls

• Limit access to assets to authorized personnel
– Direct physical access
– Indirect access through preparing or processing the documents that authorize use or disposition


Safeguarding controls

• Examples:
– 1) Lockbox system
– 2) Deposit of cash receipts
– 3) Approval of credit memos
– 4) Approval of write-offs of uncollectible A/R
– 5) Prohibiting non-IT personnel from accessing computer operations


Sequentially prenumbered forms
• Basis for strong internal controls
• All hardcopies can be accounted for
– Ascertain the date, the use, and the person who filled out each form
• Missing documents can be flagged
• Unrecorded or unauthorized transactions are detected during reconciliation
• Achievable in a paperless environment
• Additional procedures ensure personnel do not receive documents inappropriate to their duties
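In a paperless system the "form" is a system-assigned sequence number, and the reconciliation that flags missing or reused numbers can be run automatically over the transaction log. The following Python is an added example and not part of the original slides; it assumes one issued block of numbers (first..last) carrying a fixed prefix, and the log entries it checks are constructed sample data. It reports gaps (forms unaccounted for), duplicates (a number used twice, i.e. reuse or a forged copy) and foreign numbers (a form from outside the authorized block).

```python
"""Sequence-control check for prenumbered documents.

Added example, not part of the original slides.  Assumes one issued block
of form numbers first..last (inclusive) with a fixed alphabetic prefix;
the log below is constructed sample data.
"""
import re
from collections import Counter

FORM_PATTERN = re.compile(r"^(?P<prefix>[A-Z]+)-(?P<num>\d+)$")


def parse_form_number(text, expected_prefix):
    """Return the integer serial of a form number such as 'CHK-000107'.

    A malformed number or a foreign prefix raises ValueError; in a real
    reconciliation that is itself a finding (document not from the
    authorized block), not something to silently skip.
    """
    m = FORM_PATTERN.match(text.strip())
    if not m or m.group("prefix") != expected_prefix:
        raise ValueError(f"not an authorized form number: {text!r}")
    return int(m.group("num"))


def to_ranges(nums):
    """Collapse a sorted list of ints into (start, end) runs for reporting."""
    runs = []
    for n in nums:
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs


def audit_sequence(used, first, last):
    """Compare the used serials against the issued block first..last.

    Returns a dict with:
      missing    - runs of serials in the block never accounted for
      duplicates - serials that appear more than once (reuse or forgery)
      foreign    - serials outside the issued block
    A clean block yields three empty lists.
    """
    counts = Counter(used)
    in_block = {n for n in counts if first <= n <= last}
    return {
        "missing": to_ranges(sorted(set(range(first, last + 1)) - in_block)),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "foreign": sorted(n for n in counts if not first <= n <= last),
    }


# Constructed sample: block CHK-000101..CHK-000110 was issued to the
# cashier; these are the numbers that turned up at reconciliation.
SAMPLE_LOG = [
    "CHK-000101", "CHK-000102", "CHK-000104", "CHK-000105", "CHK-000105",
    "CHK-000108", "CHK-000109", "CHK-000110", "CHK-000113",
]


def audit_sample():
    """Run the check over the constructed log (block 101..110)."""
    used = [parse_form_number(s, "CHK") for s in SAMPLE_LOG]
    return audit_sequence(used, 101, 110)


if __name__ == "__main__":
    for finding, detail in audit_sample().items():
        print(f"{finding:10s} {detail}")
```

On the sample log the check reports serials 103 and 106..107 as missing (forms to be located or shown as voided), 105 as used twice, and 113 as a number the organization never issued. Each of those is a lead for the reconciler, not proof of fraud on its own; the point of the control is that the anomaly cannot pass unnoticed.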


Specific document flow
• Prenumbered document flow
• Additional procedures ensure personnel do not receive documents inappropriate to their duties


Compensating controls

• Replace the normal controls when those cannot feasibly be implemented

• Example: finance and investment cycle
– Two or more people perform each function
– Provide oversight
– Periodic communications with the board
– Oversight by a committee of the board
– Internal audit's reconciliation of the securities portfolio with the recorded information


Fraud
• Intentional
• Pressures or incentives to engage in wrongdoing, plus the opportunity to do so
• Examples
– Fraudulent financial reporting
– Misappropriation of assets
• Internal control is designed to prevent it
• Because fraud involves concealment, controls cannot give absolute assurance against it


Legal Aspects of Internal Control

• Implications of the Sarbanes-Oxley Act of 2002

• U.S. Foreign Corrupt Practices Act internal control requirements


Foreign Corrupt Practices Act

• Enacted in 1977, with origins in the Watergate investigations

• Prevents secret payments of corporate funds for purposes that Congress has determined to be contrary to public policy

• Amends the Securities Exchange Act of 1934
– Prohibits a domestic concern from offering or authorizing corrupt payments to a foreign official, foreign political party, party official, or candidate for foreign political office
• Only payments to foreign officials, parties and candidates are prohibited; bribery of private commercial parties is not covered by the FCPA
• The anti-bribery provisions reach the company and its officers, directors, employees and agents acting on its behalf


Foreign Corrupt Practices Act
• Corrupt payments are those made to induce the recipient to act or refrain from acting so that the domestic concern may obtain or retain business

• An offer or promise of a bribe is prohibited even if it is never consummated

• Not prohibited: facilitating payments for routine governmental action, where the recipient has no discretion in carrying out the governmental function

• Not prohibited: payments that are lawful under the written law of the foreign country


System of internal accounting control

• Public companies must make and keep books, records and accounts in reasonable detail that accurately and fairly reflect transactions and the disposition of assets

• Must provide reasonable assurance that
– 1. Transactions are executed in accordance with management's general or specific authorization
– 2. Transactions are recorded as necessary
– 3. Access to assets is permitted only in accordance with management's general or specific authorization
– 4. Recorded accountability for assets is compared with existing assets at reasonable intervals, and appropriate action is taken with respect to differences


Implications of FCPA of 1977

• Extend beyond the anti-bribery provisions

• All American businesses and business people are affected

• Management is particularly affected

• The internal control responsibility is not new

• The potential for civil and criminal liability is an added burden


Written code of ethics

• A necessity

• Communicated to employees and monitored for compliance by the internal auditors

• Might include an explanation of the FCPA and its penalties

• May require written representations from employees that they have read and understood its provisions


Sarbanes-Oxley Act of 2002

• Response to financial reporting scandals of large public companies

• Contains provisions that impose new responsibilities on public companies, their auditors

• Applies to issuers of publicly traded securities subject to federal securities law


Sarbanes-Oxley Act of 2002
• Requires that each member of the audit committee, including at least one financial expert, be an independent member of the issuer's board of directors

• An independent director is not affiliated with, and receives no compensation from, the issuer

• The audit committee is directly responsible for appointing, compensating and overseeing the work of the public accounting firm employed by the issuer
– The firm reports directly to the audit committee, not to management


Section 404

• Requires management to establish and document internal control procedures
– Include a report on the company's internal control over financial reporting in the annual report


Internal control report

• 1. Statement of management's responsibility for internal control

• 2. Management's assessment of the effectiveness of internal control as of the end of the most recent fiscal year

• 3. Identification of the framework used to evaluate the effectiveness of internal control

• 4. Statement of whether significant changes in controls were made after the evaluation, including corrective actions

• 5. Statement that the external auditor issued an attestation report on management's assessment
– Audit opinions are expressed on
• Internal control
• Financial statements


External auditor

• Attests to and reports on management's assessment

• Evaluates whether the structure and procedures
– 1. Include records that accurately and fairly reflect the firm's transactions
– 2. Provide reasonable assurance that transactions are recorded so as to permit statements to be prepared in accordance with GAAP

• The report describes material weaknesses in internal control

• The evaluation is not the subject of a separate engagement; it is performed in conjunction with the audit of the financial statements


D.2. Internal Auditing

a. Responsibility and authority of the internal audit function
b. Types of audits conducted by internal auditors


The internal audit function

• Growth and complexity of organizations led to growth in the field

• The internal audit activity (IAA) is basic to governance

• Some stock exchanges require all listed companies to have an IAA

• The Foreign Corrupt Practices Act requires
– Detailed, accurate accounting records
– A reasonably effective system of internal control


The internal audit function

• The Institute of Internal Auditors (IIA)
– Maintains professional standards for the practice worldwide
– IIA definition of internal auditing:
• "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."


The internal audit function

• IIA's Standards
– Guidance for the conduct of internal auditing
• Organizational
• Individual

• Practice Advisories
– Concise, timely guidance on
• The code of ethics
• The Standards
• Promoting good practices

The internal audit function

• Organizationally independent– Attribute of internal audit department as whole

• Objective attitude– Attribute of auditors themselves


The internal audit function

• The chief audit executive (CAE) reports to the chief executive officer (CEO) for administrative purposes

• The CAE has unhindered access to the board of directors


The internal audit function

• Charter
– Purpose, authority and responsibility of the IAA
– The IAA's position in the organization
• Access to records, personnel and physical properties
• Defines the scope of activities


The scope of internal auditing

• Three principal functions
– 1. Maintenance of the internal control system
– 2. Improving the efficiency of operations
– 3. Conduct of the audit of financial statements


The scope of internal auditing
• Internal audit specific tasks
– Improvement of risk management and control systems
– Adequacy and effectiveness of controls
– Reliability and integrity of information
– Effectiveness and efficiency of operations
– Safeguarding of assets
– Compliance
– Adequacy of control criteria
– Fraud
– Coordination with the external auditor


Incidents

• Fraud

• Illegal acts

• Material weaknesses, significant deficiencies in internal control

• Significant penetrations of information security systems


Compliance auditing

• Assess compliance in specific areas

• Management response to regulatory body reviews


Operational auditing

• "The comprehensive review of the varied functions within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives"


Operational auditing

• Thorough examination of a department, division, function, etc.

• Appraises managerial organization, performance and techniques

• Whether organizational objectives have been achieved: efficiency, effectiveness, economy

• Report → existence or absence of problems


Operational auditing

• Basic tools
– Financial analysis
– Observation of departmental activities
– Questionnaire interviews of departmental employees


Operational auditing

• Extension of the financial audit
– Reviewing purchasing policies
– Appraising compliance with policies and procedures
– Appraising safety standards and equipment maintenance
– Reviewing production controls and scrap reporting
– Reviewing the adequacy of facilities


Internal auditing procedures

• Inquiries

• Examine documentation

• Observe

• Reperform


END