Chapter 11 Introduction to Internal Control Systems INTRODUCTION CASE ANALYSES INTERNAL CONTROL SYSTEMS Gayton Menswear Definition of Internal Control Cuts-n-Curves Athletic Club 1992 COSO Report—Components of Internal Control Emerson Department Store 2004 COSO Report—Enterprise Risk Management 2007 COBIT, Version 4.1 REFERENCES AND RECOMMENDED READINGS TYPES OF CONTROLS ANSWERS TO TEST YOURSELF Preventive Controls Detective and Corrective Controls Interrelationship of Preventive and Detective Controls CONTROL ACTIVITIES Good Audit Trail Sound Personnel Policies and Practices Separation of Duties Physical Protection of Assets Internal Reviews of Controls EVALUATING CONTROLS Requirements of Sarbanes-Oxley Act Illustrations of Cost-Benefit Analyses A Risk Matrix AIS AT WORK—USING THE COMPANY CREDIT CARD AS A NEST EGG? SUMMARY KEY TERMS YOU SHOULD KNOW After reading this chapter, you will: 1. Be familiar with the primary control frameworks commonly used in organizations. 2. Be familiar with an internal control system and the components of this system. 3. Understand the importance of enterprise-wide risk assessment and the impact this has on internal controls. 4. Be familiar with the importance of COSO and COBIT with respect to internal control systems. 5. Understand the difference between preventive, detective, and corrective controls. 6. Be aware of some of the control activities that should be included in an organization’s internal control system. 7. Understand the reason an organization might be willing to let customers shoplift some of its merchandise inventory. TEST YOURSELF DISCUSSION QUESTIONS PROBLEMS 347 Copyright © 2010 John Wiley & Sons, Inc. 348 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems ‘‘Ultimately, all stakeholders in the company should share the same high-level goal of establishing a strong system of internal controls.’’ Robert Mueller, ‘‘Mending Broken Controls,’’ Internal Auditor (August 2008), p. 85. INTRODUCTION Protecting the assets of an organization has always been an important responsibility of management. However, the incredible advancements in IT, as well as the pervasive use of IT across firms of all sizes, have dramatically changed how managers establish and monitor internal controls. Indeed, the pervasiveness of IT also has a profound impact on internal and external auditors, and how they assess the strength of the internal control environment. Protecting such assets requires organizations to develop and implement an effective internal control system—a system that can also perform such other functions as helping ensure reliable data processing and promoting operational efficiency in an organization. This chapter and the next cover the topic of internal controls—i.e., the controls established to protect the assets of an organization. This chapter defines corporate governance, IT governance, and internal controls. We also identify the components of an internal control system, the different types of controls, and various control activities. Finally, we illustrate a cost-benefit analysis, which is a method managers use to determine which control procedures are cost effective. INTERNAL CONTROL SYSTEMS An internal control system consists of the various methods and measures designed into and implemented within an organization to achieve the following four objectives: (1) safeguard assets, (2) check the accuracy and reliability of accounting data, (3) promote operational efficiency, and (4) enforce prescribed managerial policies. An organization that achieves these four objectives is typically one with good corporate governance. This means managing an organization in a fair, transparent, and accountable manner to protect the interests of all the stakeholder groups.1 The 1992 COSO Framework is widely used by managers to organize and evaluate their corporate governance structure. This framework was developed to improve the quality of financial reporting through business ethics, effective internal controls, and corporate governance.2 Definition of Internal Control Internal control describes the policies, plans, and procedures implemented by management of an organization to protect its assets. Usually the people involved in this effort are the entity’s board of directors, the management, and other key personnel in the firm. 1 ‘‘Corporate Governance: The New Strategic Imperative,’’ a White Paper from the Economist Intelligence Unit, sponsored by KPMG International, http://www.eiu.com. 2 Source: http://www.coso.org. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 349 The reason this is important is that these individuals want reasonable assurance that the goals and objectives of the organization can be achieved (i.e., effectiveness and efficiency of operations, reliability of financial reporting, protection of assets, and compliance with applicable laws and regulations).3 Figure 11-1 identifies key laws, professional guidance, and reports that focus on internal controls. In 2001, the AICPA issued Statement on Auditing Standards (SAS) No. 94, ‘‘The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.’’ This SAS cautions the external auditors that the way firms use IT might impact any of the five internal control components (discussed in the next section). That is, auditors must realize internal controls are both manual and automated, and therefore, auditors might need to adopt new testing strategies to obtain sufficient evidence that an organization’s controls are effective. Because of the complexity of IT environments, auditors will most likely need to use computer-assisted auditing techniques (CAATs) to test the automated controls in an organization. We discuss these techniques in depth in Chapter 14. An important piece of legislation with respect to internal controls is the Sarbanes-Oxley Act of 2002. One key provision of this law is Section 404, which reaffirms that management is responsible for establishing and maintaining an adequate internal control structure, and at the end of each fiscal year must attest to the effectiveness and completeness of the internal control structure, thus making managers personally liable for this structure within the firm. We cover the Sarbanes-Oxley Act in more depth in Chapter 14. 1992 COSO Report—Components of Internal Control The 1992 COSO Report (see Figure 11-1) is important because it established a common definition of internal control for assessing control systems, as well as determined how to improve controls. According to the report, controls can serve many important purposes, and for this reason many businesses look at internal control systems as a solution to a variety of potential problems (such as dealing with rapidly changing economic and competitive environments, as well as shifting customer demands and priorities). According to the COSO report, an internal control system should consist of these five components: (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. Control Environment. The control environment establishes the tone of a company and influences the control awareness of the company’s employees. It is the foundation for all the other internal control components and provides discipline and structure. Factors include: • the integrity, ethical values, and competence of an organization’s employees • management’s philosophy and operating style • the way management assigns authority and responsibility as well as organizes and develops its employees • the attention and direction provided by the board of directors 3 Committee of Sponsoring Organizations of the Treadway Commission (CSOTC), Internal Control—Integrated Framework (COSO Report), 1992. Copyright © 2010 John Wiley & Sons, Inc. 350 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems Date Act/Report Significant Provisions Pertaining to Internal Controls 1977 Foreign Corrupt Practices Act • Requires publicly-owned companies to implement internal control systems • Only applies to publicly-owned corporations registered under Section 12 of the 1934 Securities and Exchange Act 1977 Treadway Commission Report • Recommends development of a common definition for internal control, guidance for judging the effectiveness of internal control, and methods to improve internal controls 1988 SAS No. 55 • Management should establish an internal control structure that includes the following three components: the control environment, the accounting system, and the control procedures 1992 Committee of Sponsoring Organizations (COSO) Report • Title: Internal Control—Integrated Framework • Defines internal control and describes its components • Presents criteria to evaluate internal control systems • Provides guidance for public reporting on internal controls • Offers materials to evaluate an internal control system COBIT—Control Objectives for Business and IT • A Framework (set of best practices) for IT management 1995 SAS No. 78 • Replaces definition of internal control structure in SAS No. 55 with the definition of internal control given in the 1992 COSO report 2001 SAS No. 94 • Provides guidance to auditors about the effect of IT on internal controls 1992 • Provides managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices to maximize the benefits of IT and develop appropriate IT governance and control • Describes benefits and risks of IT to internal controls and how IT affects the components of internal controls 2002 Sarbanes-Oxley Act, Section 404 • Requires publicly-traded companies to issue an ‘‘internal control report’’ that states management is responsible for establishing and maintaining an adequate internal control structure • Management must assess the effectiveness of internal controls annually • The independent auditor for the firm must attest to and report on managements’ assessment annually Committee of Sponsoring Organizations (COSO) Report • Focuses on enterprise risk management 2005 COBIT, Ver. 4.0 • Includes 34 high-level objectives that cover 215 control objectives categorized in four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate 2006 SAS No. 112 • Establishes standards and provides guidance to auditors of non-public entities on communicating matters related to an entity’s internal control over financial reporting observed during a financial statement audit 2004 • Includes the five components of ICIF (control environment, risk assessment, control activities, information and communication, and monitoring) and adds three components: objective setting, event identification, and risk response • To properly apply SAS No. 112, the auditor must have a working knowledge of the COSO framework 2007 COBIT, Ver. 4.1 • Better definitions of core concepts; improved control objectives • Application controls reworked; business and IT goals improved FIGURE 11-1 Background information on internal controls. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 351 Case-in-Point 11.1 A commonly-used source of information on reported cases of material weaknesses for publicly-traded companies is Audit Analytics (www.auditanalytics.com). One of the categories in this database is ‘‘senior management, tone, or reliability.’’ A recent study of this particular category shows that audit firms issued adverse internal control opinions to 93 public companies (2005 to early 2008) because of weaknesses in ‘‘tone at the top.’’4 The personnel policies and practices that management adopts are an important aspect of the control environment. For example, an important control procedure is employee training programs that inform new hires about the company’s various policies, outline individual responsibilities, and explain how to perform duties efficiently. Similarly, an organization should also conduct regular reviews of its operations to determine if they conform to desired operating policies. Many large and medium-sized enterprises have separate internal audit departments, whose internal auditors test existing internal controls for proper functioning and use. Small enterprises usually cannot afford their own internal audit departments, but they can hire outside consultants or ask managers to test compliance with operating policies. Risk Assessment. It is not possible or even desirable to install controls for every possible risk or threat. The purpose of risk assessment is to identify organizational risks, analyze their potential in terms of costs and likelihood of occurrence, and implement only those controls whose projected benefits outweigh their costs. A general rule is: The more liquid an asset, the greater the risk of its misappropriation. To compensate for this increased risk, stronger controls are required. The COSO report recommends the use of a cost-benefit analysis (discussed and illustrated later in this chapter) to determine whether the cost to implement a specific control procedure is beneficial enough to spend the money. We expand on the topic of risk management in the next section. Control Activities. These are the policies and procedures that the management of a company develops to help protect all of the different assets of the firm. Control activities include a wide variety of activities throughout the firm and are typically a combination of manual and automated controls. Some examples of these activities are approvals, authorizations, verifications, reconciliations, reviews of operating performance, and segregation of duties. Through properly designed and implemented control procedures, management will have more confidence that assets are being safeguarded and that the accounting data processed by the accounting system are reliable. This chapter provides several examples of control procedures, and also illustrates control activities that should be included in every company’s internal control system. Information and Communication. Managers must inform employees about their roles and responsibilities pertaining to internal control. This might include giving them documents such as policies and procedures manuals (discussed later) or posting memoranda on the company’s intranet. This could also include training sessions for entry-level personnel and then annual refresher training for continuing employees. Regardless of the method, all employees need to understand how important their work is, how it relates to the work of other employees in the firm, and how that relates to strong internal controls. It is equally important that management understand the importance of keeping good working 4 Hermanson, D., Ivancevich, D., and Ivancevich, S., ‘‘Tone at the Top,’’ Internal Auditor (November 2008), pp. 39–45. Copyright © 2010 John Wiley & Sons, Inc. 352 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems relationships between all layers of management so that employees feel safe communicating any possible problems they may find. When this is the case, employees at all levels can actually enhance the effectiveness of good internal controls. Also, they will be much more likely to point out any problems they may detect, and corrective action can be initiated. Case-in-Point 11.2 Whistle-blowing systems help employees feel safe communicating problems or suspected wrongdoing to management. However, many potential whistleblowers continue to struggle with reporting problems that they witness because they are not sure how to report what they know, or fear possible consequences of doing so. One solution to this problem is to outsource the whistle-blower system—in fact, a recent survey of Chief Audit Executives reports that 60% of the organizations included in the survey have already outsourced their reporting systems.’’5 Monitoring. Evaluation of internal controls should be an ongoing process. Managers at various levels in the organization must evaluate the design and operation of controls and then initiate corrective action when specific controls are not functioning properly. This could include daily observations and scrutiny, or management might prefer regularly-scheduled evaluations. The scope and frequency of evaluations depend, to a large extent, on management’s assessment of the risks the firm faces. 2004 COSO Report—Enterprise Risk Management The 2004 COSO Enterprise Risk Management – Integrated Framework focuses on enterprise risk management (ERM) and builds upon the 1992 COSO Internal Control – Integrated Framework (ICIF). The ERM Framework (Figure 11-2) includes the five components of ICIF (control environment, risk assessment, control activities, information and communication, and monitoring) and adds three additional components: objective setting, event identification, and risk response.6 Objective Setting. ERM offers management a process for setting objectives for the firm—that is, the purposes or goals the firm hopes to achieve. ERM helps an organization determine if the objectives are aligned with the organizational strategy and that goals are consistent with the level of risk the organization is willing to take. An enterprise’s objectives are viewed from four perspectives: (1) Strategic: the high-level goals and the mission of the firm, (2) Operations: the day-to-day efficiency, performance, and profitability of the firm, (3) Reporting: the internal and external reporting of the firm, and (4) Compliance: with laws and regulations. Event Identification and Risk Response. Organizations must deal with a variety of uncertainties because many events are beyond the control of management. Examples include natural disasters, wars, unexpected actions of competitors, and changing conditions in the marketplace. However, it is critical for management to identify these external risks as quickly as possible and then consider internal and external factors regarding each event 5 Baker, N., ‘‘See No Evil, Hear No Evil, Speak No Evil,’’ Internal Auditor (April 2008), pp. 39–43. COSO website (www.erm.coso.org); F. Martens and L. Nottingham, Enterprise Risk Management: A Framework for Success, RE: Business, September 2003; and C. Chapman, Bringing ERM into Focus, Internal Auditor Magazine, June 2003. 6 Sources: Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 353 E C G N N P LI A O R TI C R E O M P R E O P S TR A TE A TI O N G IC S RISK CUBE Internal Environment Event Identification Risk Assessment Risk Response Control Activities SUBSIDIARY BUSINESS UNIT DIVISION ENTITY-LEVEL Objective Setting Information & Communication Monitoring FIGURE 11-2 2004 COSO Enterprise Risk Management—Integrated Framework. that might affect its strategy and achievement of objectives. Depending on the type or nature of events, management might be able to group some of them together and begin to detect trends that may help with risk assessment. Case-in-Point 11.3 The responsibility of the Director of the Arkansas Department of Finance and Administration (DFA) is to ensure that state agencies operate uniformly and efficiently. To help the Director achieve these DFA objectives, each state agency is required to perform a risk assessment once every two years, and must complete a ‘‘Risk Assessment and Control Activities Worksheet.’’7 This worksheet (Figure 11-3) helps department managers across the state to think about their operations through a risk-assessment lens. The objective of risk assessment is to manage and control risk by identifying threats, analyzing the risks, and implementing cost-effective countermeasures to avoid, mitigate, or transfer the risks to a third party (through insurance programs). As they identify and categorize these risks, management will be in a better position to determine the probable effects on the organization. Management can then formulate and evaluate possible response options for the organization. In developing options, managers need to consider the level of risk they are willing to assume, as well as the trade-offs between costs and benefits of each choice. A number of computerized risk assessment software tools already exist to help managers with this task. Case-in-Point 11.4 Managers need to ask themselves about the possible impact of certain risks—would it be minimal, significant, serious, or catastrophic?8 RiskPAC, a business risk software solution, helps organizations detect and eliminate vulnerabilities in information systems and data security. CPACS, the company that developed RiskPAC, defines risk assessment as identification of the major risks and threats to which an organization’s reputation, business 7 Source: 8 Source: http://www.arkansas.gov/dfa/accounting/acc ia risk.html. http://www.cpacsweb.com/riskpac.html (business continuity planning software products) Copyright © 2010 John Wiley & Sons, Inc. 354 Copyright © 2010 John Wiley & Sons, Inc. For each risk, assess the likelihood of the risk occurring. Use probable, reasonably possible, or remote. Alternatively use High, Medium of Low. For each risk with large or moderate impact and probable (high) or reasonable (medium) likelihood of occurrence, list both the actions to mitigate the risk to an acceptable level and the control activities that help ensure that those actions are carried out properly and in a timely manner. If no action is present to manage the risk and/or no control activity is present, an action plan to address the risk and an associated timeline should be included. 4 5 Source: http://www.arkansas.gov/dfa/accounting/acc ia risk.html. FIGURE 11-3 An example of a risk assessment and control activities worksheet. For each risk, estimate the potential impact on operations, financial reporting or compliance with laws and regulations, assuming that the risk occurs. Consider both quantitative and qualitative costs. Use Large, Moderate or Small. 3 (4) (5) Actions to Manage Risks/ Control Activities List all identified risks to the achievement of each goal and objective. Consider both internal and external risk factors. For each goal and objective, several different risks can be identified. (3) Likelihood 2 (2) (1) Significance/Impact Risk Assessment List all operations, financial reporting and compliance objectives associated with the activity. Goals should be clearly defined, measurable and attainable. Risks Goals & Objectives Date Prepared: Prepared By: 1 Activity: Department: Risk Assessment and Control Activities Worksheet CHAPTER 11 / Introduction to Internal Control Systems 355 processes, functions, and assets are exposed. RiskPAC helps organizations determine the possibility that a harmful incident will occur (very likely, possible, probable, very unlikely). 2007 COBIT, Version 4.19 The first edition of Control Objectives for Information and related Technology (COBIT) was issued in 1996, and the latest edition, version 4.1, was issued in 2007. The COBIT framework was created to be business focused, process oriented, controls based, and measurement driven. If we examine the mission statement for COBIT, we can quickly understand why this framework is widely used in corporate environments. ‘‘To research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals, and assurance professionals.’’10 The COBIT framework takes into consideration an organization’s business requirements, IT processes, and IT resources to support COSO requirements for the IT control environment. This suggests, rightfully so, that managers must first tend to the requirements outlined in the 1992 COSO Report and set up an internal control system that consists of these five components: (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The next step managers should take is to work through the guidelines contained in the 2004 COSO Report (perhaps using a worksheet like the one in Figure 11-3) to set objectives, identify possible risk events, and then consider appropriate risk responses the organization might need to take should an event occur. Once the internal control system is in place (i.e., managers have worked through the 1992 and the 2004 COSO Frameworks), IT managers work with operational managers throughout the organization to determine how IT resources can best support the business processes. To achieve appropriate and effective governance of IT, senior managers of the organization will typically focus on five areas. First, managers need to focus on strategic alignment of IT operations with enterprise operations. Second, they must determine whether the organization is realizing the expected benefits (value) from IT investment. Third, managers should continually assess whether the level of IT investments is optimal. Fourth, senior management must determine their organization’s risk appetite and plan accordingly. And finally, they must continuously measure and assess the performance of IT resources. Here again is an opportunity for managers to consider a ‘‘dashboard’’ to have access to key indicators of these five focus areas to support timely decision-making. Perhaps it was the Sarbanes-Oxley Act, and the many governance lapses prior to the enactment of this legislation, that prompted the IT Governance Institute (ITGI) to recognize a need for and to develop a framework for IT governance. This governance framework, called Val IT, is a formal statement of principles and processes for IT management. Val IT is tightly integrated with COBIT. Although COBIT helps organizations understand if they are doing things right from an IT perspective, Val IT helps organizations understand if they are making the right investments and optimizing the returns from them. So, COBIT focuses on 9 Source: IT Governance Institute, http://www.itgi.org. IT Governance Institute, http://www.itgi.org. 10 Source: Copyright © 2010 John Wiley & Sons, Inc. 356 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems Strategic Question From a strategic perspective, are we doing the right things to obtain maximum value from our IT investment? Value Question Are the right metrics in place to ensure that the company achieves the expected benefits from the IT investment? Architecture Question Is our IT investment consistent with our IT architecture (business processes, data, information flows, software, hardware, technology)? Delivery Question Do we have the resources (effective management, change management) to get the most from our IT investment? FIGURE 11-4 The integration of COBIT and Val IT. Source: Adapted from the ISACA website (http://www.isaca.org). the execution of IT operations, and Val IT focuses on the investment decision. Figure 11-4 diagrams the integration of COBIT and Val IT, which is described in considerable depth in ‘‘The Val IT Framework 2.0 Extract.’’11 In essence, this is also a model for continuous improvement for an organization’s IT governance program. Val IT includes three very helpful publications that may be downloaded for free at the ISACA website (www.isaca.org), and these documents are: (1) Val IT Framework 2.0, (2) Val IT Getting Started with Value Management, and (3) Val IT The Business Case. TYPES OF CONTROLS A company’s control procedures are often classified into three major types: preventive controls, detective controls, and corrective controls. This section examines each of these types of control procedures in more detail. Preventive Controls Preventive controls are controls that management puts in place to prevent problems from occurring. For example, a company might install a firewall to prevent unauthorized access to the company’s network, thereby safeguarding the disclosure, alteration, or destruction of sensitive information from external hackers. Enterprise Risk Management (discussed earlier) helps managers identify areas where preventive controls should be in place. Under the section called ‘‘Event Identification’’ we said that management must identify possible 11 Source: http://www.isaca.org. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 357 events that represent a problem to the firm and then identify appropriate responses to those problems. James Cash calls this scenario planning, and it means management identifies scenarios of minor concern to major disasters that could occur.12 Management should include a number of informed individuals in these brainstorming sessions, such as the IS team, IT auditors, external auditors, and perhaps risk-management consultants. First, management documents each scenario. Then, management must establish preventive controls to minimize the likelihood of each problem they identify. As Cash points out, preventive controls are never fail-safe, so a firm always needs detective controls to help discover when preventive controls fail. We’ll talk more about the relationship of these two controls later in this chapter. Detective and Corrective Controls Because preventive controls cannot stop every possible problem from occurring, organizations also need strong detective controls that alert managers when the preventive controls fail. As an example, assume that a company’s information system prepares daily responsibility accounting performance reports for management that computes variations of actual production costs from standard production costs. If a significant variance occurs, a manager’s report signals this problem and the manager can initiate corrective action. Examples of detective security controls are log monitoring and review, system audits, file integrity checkers, and motion detection.13 Organizations can initiate corrective action only if corrective controls are in place. A company establishes corrective controls to remedy problems it discovers by the detective controls. Let’s assume, based on the above detective control example, that performance reports repeatedly disclose that the company’s actual direct labor hours for production work significantly exceed the standard direct labor hours. A corrective control procedure might be training programs that teach employees to perform their job functions more efficiently and effectively. Corrective controls are procedures a company uses to solve or correct a problem. An example of this type of corrective control procedure might be a change to the company’s procedures for creating backup copies of important business files. More than ever before, companies realize the importance of this corrective control since 9/11 and the many natural disasters that have occurred over the past few years. Case-in-Point 11.5 Faced with many instances of fraud, hotels considered possible corrective controls to protect themselves from litigation and protect their guests from identity theft, without sacrificing customer service. Let’s assume a guest calls, claiming that she forgot to pick up her folio (the record of charges and payments). She politely asks the hotel’s accounting department to fax a copy. Hotels used to oblige the customer and fax the folio, which of course includes such information as the guest’s name, address, signature, and credit card number. This seems like a nice service to a customer, but what if the person who called was not the guest? Many hotels now use the following procedures: (1) computers do not print the entire credit card number on the folio, and (2) folios are not faxed to anyone for any reason. Instead, hotels typically mail a folio only to the address on the reservation.14 12 James Cash, ‘‘It’s Reasonable to Prepare,’’ Information Week, No. 654 (October 27, 1997), p. 142. http://www.giac.org/resources/whitepaper/operations/207.php. 14 Michael Barrier, ‘‘Unmasking Hotel Fraud,’’ Internal Auditor, Vol. 58 (April 2001), p. 28. 13 Source Copyright © 2010 John Wiley & Sons, Inc. 358 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems Interrelationship of Preventive and Detective Controls Management should not treat preventive control procedures and detective control procedures separately. As we discussed earlier, these two controls work together to protect a company’s internal control system. CONTROL ACTIVITIES Because each organization’s accounting system is unique, there are no standardized control procedures that will work for every company. This means that each organization designs and implements specific controls based on its particular needs. However, certain control activities are common to every organization’s internal control system. The ones that we will examine here are: (1) a good audit trail, (2) sound personnel policies and practices, (3) separation of duties, (4) physical protection of assets, (5) internal reviews of controls, and (6) timely performance reports. Good Audit Trail The basic inputs to an organization’s AIS are business transactions that are monetarily measured. Organizations must keep an audit trail (initially discussed in Chapter 1) of these transactions within the organization’s AIS. A good audit trail enables managers and auditors to follow the path of the data recorded in transactions from the initial source documents (for instance, a sales invoice) to the final disposition of the data on a report. In addition, managers and auditors can trace data from transactions on reports (such as expenses on an income statement) back to the source documents. In both of these processes, individuals can verify the accuracy of recorded business transactions. Without a good audit trail, errors and irregularities are more likely to happen and not be detected. To establish its audit trail, a company needs a policies and procedures manual. These documents should include the following items: • A chart of accounts that describes the purpose of each general ledger account so that employees enter the debits and credits of accounting transactions in the correct accounts. • A complete description of the types of source documents individuals must use to record accounting transactions. Also, include the correct procedures to prepare and approve the data for these documents. • A comprehensive description of the authority and responsibility assigned to each individual. For example, who authorizes credit limits to customers? Sound Personnel Policies and Practices The employees at every level of a company are a very important part of the company’s system of internal control. This is becoming increasingly obvious as managers downsize and right-size their organizations to streamline operations and cut costs. Consequently, there are fewer employees and these employees have more responsibility and oversight than in the past. The obvious result is that the opportunity for misappropriation is greater than before. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 359 In addition, the capabilities of a company’s employees directly affects the quality of the goods and services provided by the company. In general, competent and honest employees are more likely to help create value for an organization. Employees work with organizational assets (e.g., handling cash, acquiring and issuing inventory, and using equipment). Competent and honest employees, coupled with fair and equitable personnel policies, lead to efficient use of the company’s assets. Most organizations post their personnel policies and procedures on their website so that they are easily accessible to all employees at any time. Case-in-Point 11.6 Employees at the University of Arizona have ready access to a wealth of information regarding the university’s personnel policies by searching the Human Resources Policy Manual (HRPM). The HRPM is available on the university website and includes policies on employment, benefits, compensation, employee relations, training and employee development, and additional university policies (e.g., conflict of interest, code of research ethics, and others).15 In general, little can be done to stop employees who are determined to embarrass, harm, or disrupt an organization. For example, several employees may conspire (collude) to embezzle cash receipts from customers. But, companies can encourage ethical behavior among employees in several ways. First, review the rules and the Code of Conduct. A number of organizations have too many ‘‘picky’’ rules that employees do not understand. To avoid this type of problem, managers should create rules that make a positive contribution to the productivity and effectiveness of a company, and then explain the rationale for these rules to employees. Secondly, managers should always lead by example. Figure 11-5 identifies some examples of personnel policies that firms might adopt. All employees should be required to take their earned vacations (personnel policy 6). This is important for two reasons. First, if an employee is embezzling assets from an organization, the employee will probably not want to take a vacation. When an individual must go on vacation, another employee performs that person’s job responsibilities and this increases the likelihood of detecting an embezzlement. Second, required vacations help employees to rest, enabling them to return refreshed and ready to perform their job functions more efficiently. 1. Specific procedures for hiring and retaining competent employees. 2. Training programs that prepare employees to perform their organizational functions efficiently. 3. Good supervision of the employees as they are working at their jobs on a daily basis. 4. Fair and equitable guidelines for employees’ salary increases and promotions. 5. Rotation of certain key employees in different jobs so that these employees become familiar with various phases of their organization’s system. 6. Vacation requirement that all employees take the time off they have earned. 7. Insurance coverage on those employees who handle assets subject to theft (fidelity bond). 8. Regular reviews of employees’ performances to evaluate whether they are carrying out their functions efficiently and effectively, with corrective action for those employees not performing up to company standards. FIGURE 11-5 Examples of personnel policies that firms might adopt. 15 Source: http://www.hr.arizona.edu/09 rel/clsstaffmanual.php. Copyright © 2010 John Wiley & Sons, Inc. 360 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems For employees who handle assets susceptible to theft, such as a company’s cash and inventory of merchandise, it is a good personnel policy (number 7) to obtain some type of insurance coverage on them. Many organizations obtain fidelity bond coverage (from an insurance company) to reduce the risk of loss caused by employee theft of assets. The insurance company investigates the backgrounds of the employees that an organization wants to have bonded. When an insurance company issues one of these bonds, it assumes liability (up to a specified dollar amount) for the employee named in the bond. Separation of Duties The purpose of separation of duties is to structure work assignments so that one employee’s work serves as a check on another employee (or employees). When managers design and implement an effective internal control system, they must try to separate certain responsibilities. If possible, managers should assign the following three functions to different employees: authorizing transactions, recording transactions, and maintaining custody of assets. Authorizing is the decision to approve transactions (e.g., a sales manager authorizing a credit sale to a customer). Recording includes functions such as preparing source documents, maintaining journals and ledgers, preparing reconciliations, and preparing performance reports. Finally, custody of assets can be either direct, such as handling cash or maintaining an inventory storeroom, or indirect, such as receiving customer checks through the mail or writing checks on a company’s bank account. If two of these three functions are the responsibility of the same employee, problems can occur. We describe three real-world cases that demonstrate the importance of separating duties. Immediately following each case is a brief analysis of the problem. Case-in-Point 11.7 The controller of a Philippine subsidiary confessed to embezzling more than $100,000 by taking advantage of currency conversions. The controller maintained two accounts—one in Philippine pesos to deposit funds collected locally and the other account in U.S. dollars so he could transfer funds from the Philippine account to the US account. The auditor became suspicious when he noticed that each transfer was rounded to the nearest thousand in pesos and dollars. For example, one day the statements showed an $885,000 (pesos) transfer from the local-currency account and a transfer of exactly $20,000 into the U.S.-dollar account. Further investigation revealed that the controller was actually withdrawing cash from the peso account, keeping some of the money, and depositing only enough pesos in the U.S. currency account to show a transaction of exactly $20,000. Because the withdrawal and the deposit took place almost simultaneously, the U.S. controller never suspected any wrongdoing.16 Analysis. The control weakness here is that the controller had responsibility for both the custody of the cash (depositing the locally-collected funds in pesos) and the recording of the transactions (the deposit of the funds in the local account and the transfer of funds to the U.S. account). Consequently, he had control of the money throughout the process and was able to manipulate cash transfers to embezzle small amounts of money each time and then falsify the transactions that were recorded in each of the bank accounts to conceal the embezzlement activity. Case-in-Point 11.8 The utilities director of Newport Beach, California, was convicted of embezzling $1.2 million from the city of Newport Beach over an 11-year period. The utilities 16 Source: J. Mike Jacka, ‘‘Rounding Up Fraud,’’ Internal Auditor, April 2001, p. 65. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 361 director forged invoices or easement documents that authorized payments, for example, to real or fictitious city property owners for the rights to put water lines through their land. Officials within the Finance Department gave him the checks for delivery to the property owners. The utilities director then forged signatures, endorsed the checks to himself, and deposited them in his own accounts. Analysis. The control weakness here is that the utilities director had physical custody of checks for the transactions he previously authorized. Due to the lack of separation of duties, the director could authorize fictitious transactions and subsequently divert the related payments to his own accounts. Case-in-Point 11.9 The executive assistant (EA) to the president of a home improvement company used a corporate credit card, gift checks, and an online payment account to embezzle $1.5 million in less than three years. The EA arranged hotel and airline reservations and coordinated activities for the sales team. She was also responsible for reviewing the corporate credit card bills and authorizing payment. The president gave her the authority to approve amounts up to $100,000. When the EA realized that no one ever asked to look at the charges on the corporate credit card bill, she began making personal purchases with the card.17 Analysis. The control weakness here is that the EA was responsible for both recording the expenses and then authorizing payment of the bills. As a result, she quickly realized that she had nearly unlimited access to a variety of sources of funds from the company, and then found other ways to have the company pay for the things she wanted (i.e., gift checks and a Paypal account that she set up). The separation of duties concept is very important in IT environments. However, the way this concept is applied in these environments is often different. In today’s information systems, for example, the computer can be programmed to perform one or more of the previously mentioned functions (i.e., authorizing transactions, recording transactions, and maintaining custody of assets). Thus, the computer replaces employees in performing the function (or functions). For example, the pumps at many gas stations today are designed so that customers can insert their debit or credit cards to pay for their gas. Consequently, the computer performs all three functions: authorizes the transaction, maintains custody of the ‘‘cash’’ asset, and records the transaction (and produces a receipt if you want one). Physical Protection of Assets A vital control activity that should be part of every organization’s internal control system is the physical protection of its assets. Beyond simple protection from the elements, the most common control is to establish accountability for the assets with custody documents. Three application areas for this are (1) inventory controls, (2) document controls, and (3) cash controls. Inventory Control. To protect inventory, organizations keep it in a storage area accessible only to employees with custodial responsibility for the inventory asset. Similarly, when purchasing inventory from vendors, another procedure is to require that each shipment of inventory be delivered directly to the storage area. When the shipment arrives, employees prepare a receiving report source document. This report, as illustrated in Figure 11-6, provides documentation about each delivery, including the date received, 17 Source: Paul Sutphen, ‘‘Stealing Funds for a Nest Egg,’’ Internal Auditor, (August 2008), pp. 87– 91. Copyright © 2010 John Wiley & Sons, Inc. 362 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems Sarah's Sporting Goods No. 7824 Receiving Report Vendor: Richards Supply Company Date Received: January 26, 2010 Shipped via: UPS Purchase Order Number: 4362 Item Number Quantity Description 7434 7677 8326 8687 100 120 300 600 Spalding basketballs Spalding footballs Spalding baseballs Penn tennis balls Remarks: Container with footballs received with water damage on outside, but footballs appear to be okay. Received by: Inspected by: Delivered to: FIGURE 11-6 Example of receiving report (items in boldface are preprinted). vendor, shipper, and purchase order number. For every type of inventory item received, the receiving report shows the item number, the quantity received (based on a count), and a description. The receiving report also includes space to identify the employee (or employees) who received, counted, and inspected the inventory items, as well as space for remarks regarding the condition of the items received. By signing the receiving report, the inventory clerk (Mark Langley in Figure 11-6) formally establishes responsibility for the inventory items. Any authorized employee can request inventory items from the storage area (for instance, to replenish the shelves of the store) and is required to sign the inventory clerk’s issuance report, which is another source document. The clerk is thereby relieved of further responsibility for these requisitioned inventory items. Document Control. Certain organizational documents are themselves valuable and must therefore be protected. Examples include the corporate charter, major contracts with other companies, blank checks (the following case-in-point), and registration statements required by the Securities and Exchange Commission. For control purposes, many organizations keep such documents in fireproof safes or in rented storage vaults offsite. Case-in-Point 11.10 The Finance Office in Inglewood, California did not have adequate controls over important documents. As a result, a janitor who cleaned the Finance Office had access to blank checks that were left on someone’s desk. The janitor took 34 blank checks, Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 363 forged the names of city officials, and then cashed them for amounts ranging from $50,000 to $470,000. Organizations that maintain physical control over blank checks may still be at risk of embezzlement. You might be wondering how this could happen—it’s due to the fact that so many banking transactions are electronic, and the method is known as a demand draft. If you write a check to your 12-year-old babysitter, she has all the information needed to clean out your account, because all she needs is your account number and bank routing number. Originally, demand drafts were used to purchase items over the phone (i.e., from telemarketers). Now, they’re commonly used to pay monthly bills by having money debited automatically from an individual’s checking account. Not surprisingly, due to the limited amount of information needed to make a demand draft, the potential for fraud is substantial. The irony of the demand draft system is that it may mean that paper checks are ultimately more risky to use than e-payments. Case-in-Point 11.11 The Urban Age Institute, a nonprofit organization that focuses on planning new urban sustainability initiatives, received an email from a would-be donor who asked for instructions on how to wire a $1,000 donation into the agency’s account. Not thinking anything unusual about the request, the group sent its account numbers. The ‘‘donor’’ used this information to print $10,000 worth of checks, which the ‘‘donor’’ cashed and then used Western Union to wire the money to her new Internet boyfriend in Nigeria. The Director at the Institute later discovered that the ‘‘donor’’ used the Institute’s account number and bank routing number to obtain checks at Qchex.com. Fortunately, the Institute discovered the fraud and was able to close its checking account before money was withdrawn to cover the $10,000 in checks, which had already been deposited into the donor’s Bank of America account.18 Cash Control. Probably the most important physical safeguards are those for cash. This asset is the most susceptible to theft by employees and to human error when employees handle large amounts of it. In addition to fidelity bond coverage for employees who handle cash, companies should also (1) make the majority of cash disbursements for authorized expenditures by check rather than in cash, and (2) deposit the daily cash receipts (either received in the mail from credit customers or through cash sales) intact at the bank. If a company has various small cash expenditures occurring during an accounting period, it is usually more efficient to pay cash for these expenditures than to write checks. For good operating efficiency, an organization should use a petty cash fund for small, miscellaneous expenditures. To exercise control over this fund, one employee, called the petty cash custodian, should have responsibility for handling petty cash transactions. This employee keeps the petty cash money in a locked box and is the only individual with access to the fund. Cash Disbursements by Check. A good audit trail of cash disbursements is essential to avoid errors and irregularities in the handling of cash. Accordingly, most organizations use pre-numbered checks to maintain accountability for both issued and unissued checks. When paying for inventory purchases, there are two basic systems for processing vendor invoices: nonvoucher systems and voucher systems. Under a nonvoucher system, every approved invoice is posted to individual vendor records in the accounts payable file and then stored in an open invoice file. When an employee writes a cash disbursement check to pay an invoice, he or she removes the invoice from the open-invoice file, marks it 18 Source: http://www.msnbc.msn.com/id/7914159/, Bob Sullivan, ‘‘Easy Check Fraud Technique Draws Scrutiny’’. Copyright © 2010 John Wiley & Sons, Inc. 364 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems Sarah's Sporting Goods No. 76742 Disbursement Voucher Date Entered: February 9, 2010 Debit Distribution Prepared by: Account No. Amount 27-330 27-339 28-019 29-321 $750.00 450.00 300.00 425.00 Vendor Number: 120 Remit to: Valley Supply Company 3617 Bridge Road Farmington, CT 06032 Vendor Invoice Number 4632 4636 Date Amount 6/30/2010 7/5/2010 Voucher Totals: Returns & Allowances Purchase Discount Net Remittance $1250.00 675.00 $150.00 0.00 $22.00 13.50 $1078.00 661.50 $1925.00 $150.00 $35.50 $1739.50 FIGURE 11-7 Example of disbursement voucher (items in boldface are preprinted). paid, and stores it in the paid-invoice file. Under a voucher system, the employee prepares a disbursement voucher that identifies the specific vendor, lists the outstanding invoices, specifies the general ledger accounts to be debited, and shows the net amount to pay the vendor after deducting any returns and allowances as well as any purchase discount. Figure 11-7 illustrates a disbursement voucher. As Figure 11-7 discloses, the disbursement voucher summarizes the information contained within a set of vendor invoices. When the company receives an invoice from a vendor for the purchase of inventory, an employee compares it to the information contained in copies of the purchase order and receiving report to determine the accuracy and validity of the invoice. An employee should also check the vendor invoice for mathematical accuracy. When the organization purchases supplies or services that do not normally involve purchase order and receiving report source documents, the appropriate supervisor approves the invoice. A voucher system has two advantages over a non-voucher system: (1) it reduces the number of cash disbursement checks that are written, because several invoices to the same vendor can be included on one disbursement voucher, and (2) the disbursement voucher is an internally-generated document. Thus, each voucher can be pre-numbered to simplify the tracking of all payables, thereby contributing to an effective audit trail over cash disbursements. Cash Receipts Deposited Intact. It is equally important to safeguard cash receipts. As an effective control procedure, an organization should deposit intact each day’s accumulation of cash receipts at a bank. In the typical retail organization, the total cash Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 365 receipts for any specific working day come from two major sources: checks arriving by mail from credit-sales customers and currency and checks received from retail cash sales. Because cash receipts are deposited intact each day, employees cannot use any of these cash inflows to make cash disbursements. Organizations use a separate checking account for cash disbursements. When organizations ‘‘deposit intact’’ the cash receipts, they can easily trace the audit trail of cash inflows to the bank deposit slip and the monthly bank statement. On the other hand, if employees use some of the day’s receipts for cash disbursements, the audit trail for cash becomes quite confusing, thereby increasing the risk of undetected errors and irregularities. Internal Reviews of Controls As a result of the Sarbanes-Oxley Act (often referred to as SOX), the internal audit function of an organization typically reports directly to the Audit Committee of the Board of Directors. This makes the internal audit department independent of the other corporate subsystems and enhances objectivity when reviewing the operations of each subsystem. The internal audit staff makes periodic reviews, called operational audits, of each department (or subsystem) within its organization. These audits focus on evaluating the efficiency and effectiveness of operations within a particular department. Upon completion of such an audit, the internal auditors make recommendations to management for improving the department’s operations. A company’s internal auditors may also be asked to perform a fraud investigation if managers suspect fraud within the organization. However, such an investigation requires specialized forensic accounting skills. If the audit department personnel do not have the requisite experience or skill to do such an investigation, the firm’s external auditors may be able to help. In addition, internal auditors might need specialized information technology (IT) skills for their work, because they are often involved in IT auditing, which we discuss in Chapter 14. In performing regular reviews of their company’s internal control system, the internal auditors may find that certain controls are not operating properly. For example, the corporate policy manual might state that separate individuals should receive and record customer payments. However, that does not guarantee that this is what actually happens. If practice is not according to policy, it is the internal auditor’s job to identify such problems and to inform management. EVALUATING CONTROLS Once controls are in place, it is a wise practice for management to evaluate them. We introduced several frameworks at the beginning of this chapter that companies might use to evaluate their internal controls, but regardless of how management chooses to evaluate their internal controls, it is clear that they must do this. Based on requirements contained in SOX, the New York Stock Exchange (NYSE) adopted rules that require all companies listed on this exchange to maintain an internal audit function to provide management and the audit committee ongoing assessments of the company’s risk management processes and system of internal control. Copyright © 2010 John Wiley & Sons, Inc. 366 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems Requirements of Sarbanes-Oxley Act As previously discussed, the Sarbanes-Oxley Act of 2002 significantly changed the way internal auditors and management view internal controls within an organization. In particular, Section 404 contains very specific actions that the management of a publicly-traded company must perform each year with respect to the system of internal controls within the organization. Specifically, the annual financial report of the company must include a report on the firm’s internal controls. This report must include the following: • A statement that management acknowledges its responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. • An assessment, as of the end of the fiscal year, of the effectiveness of the internal control structure and procedures for financial reporting. • An attestation by the company’s auditor that the assessment made by the management is accurate. A number of experts believe that some interesting synergies may have happened as a result of companies becoming SOX compliant. Recall that the purpose of SOX was to improve transparency and accountability in business processes and financial accounting. For this to happen, internal auditors and the management of companies had to study their processes very carefully. However, if these same firms already implemented an ERP, then most likely they already have reengineered some of their business processes to fit the ERP. During the evaluation of those processes, it is likely that the appropriate internal controls were considered and included, enabling SOX compliance. In addition, for management to comprehensively consider the requirements of SOX, they most likely used the Enterprise Risk Management framework in the 2004 COSO Report. Illustrations of Cost-Benefit Analyses Companies develop their own optimal internal control package by applying the cost-benefit concept. Under this concept, employees perform a cost-benefit analysis on each control procedure considered for implementation that compares the expected cost of designing, implementing, and operating each control to the control’s expected benefits. Only those controls whose benefits are expected to be greater than, or at least equal to, the expected costs are implemented. To illustrate a cost-benefit analysis, let’s assume that the West End Boutique sells fashionable high-end ladies’ clothing, jewelry, and other accessories. The owner is concerned about how much inventory customers have shoplifted during the last several months, and is considering some additional controls to minimize this shoplifting problem. If no additional controls are implemented, the company’s accountant estimates that the total annual loss to the boutique from shoplifting will be approximately $120,000. The company is considering two alternative control procedures to safeguard the company’s inventory (Figure 11-8). Based on the owner’s goal of reducing shoplifting, Alternative #1 (hiring six security guards) is the ideal control procedure to implement. Shoplifting should be practically zero, assuming that the guards are properly trained and perform their jobs in an effective manner. Even if shoplifting is completely eliminated, however, Alternative #1 should not be implemented. Why not? It costs too much. The control’s expected cost ($240,000 a year) is greater than the control’s expected benefit ($120,000 a year, which is the approximate annual shoplifting loss that would be eliminated). Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems Alternative #1 Hire six plain-clothed security guards to patrol the boutique. Based on the annual salaries that would have to be paid to the security guards, this control would cost West End Boutique an estimated $240,000 a year. 367 Alternative #2 Hire two plain-clothed security guards who would patrol the aisles, and install several cameras and mirrors throughout the company’s premises to permit managers to observe any shoplifters. The estimated annual cost of this control would be $80,000. FIGURE 11-8 Internal control alternatives for West End Boutique. If the owner implements Alternative #2 (hiring two security guards plus installing cameras and mirrors), the boutique’s accountant estimates that the total annual loss from shoplifting could be reduced from $120,000 to $25,000. The net benefit is $95,000 (=$120,000—$25,000). Because the second alternative’s expected benefit ($95,000 a year reduction of shoplifting) exceeds its expected cost ($80,000 a year), the boutique’s owner should select Alternative #2. The point of this cost-benefit analysis example is that in some situations, the design and implementation of an ideal control procedure may be impractical. We are using the term ideal control to mean a control procedure that reduces to practically zero the risk of an undetected error (such as debiting the wrong account for the purchase of office supplies) or irregularity (such as shoplifting). If a specific control’s expected cost exceeds its expected benefit, as was true with the Alternative #1 control procedure discussed above, the effect of implementing that control is a decrease in operating efficiency for the company. From a cost-benefit viewpoint, therefore, managers are sometimes forced to design and implement control procedures for specific areas of their company that are less than ideal. These managers must learn to live with the fact that, for example, some irregularities may occur in their organizational system that will not be detected by the internal control system. Another approach to cost-benefit analysis attempts to quantify the risk factor associated with a specific area of a company. Risk assessment, as discussed earlier, is an important component of an internal control system. In general, the benefits of additional control procedures result from reducing potential losses. A measure of loss should include both the exposure (that is, the amount of potential loss associated with a control problem) and the risk (that is, the probability that the control problem will occur). An example of a loss measure is expected loss, computed as follows: expected loss = risk × exposure The expected loss is based on estimates of risk and exposure. To determine the cost-effectiveness of a new control procedure, management estimates the expected loss both with and without the new procedure. On completing these calculations, the estimated benefit of the new control procedure is equal to the reduction in the estimated expected loss from implementing this procedure. Employees compare the estimated benefit to the incremental cost of the new control procedure. Whenever the estimated benefit exceeds this incremental cost, the company should implement the newly designed control procedure. Copyright © 2010 John Wiley & Sons, Inc. 368 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems Cost of payroll reprocessing Risk of data errors Reprocessing cost expected ($10,000 × risk) Cost of validation control procedure (an incremental cost) Net estimated benefit from validation control procedure Without Control Procedure With Control Procedure Net Expected Difference $10,000 15% $ 1,500 $10,000 1% $ 100 $1,400 $ $ (600) $0 600 $ 800 FIGURE 11-9 Cost-benefit analysis of payroll validation control procedure. To demonstrate this method of cost-benefit analysis, assume that a company’s payroll system prepares 12,000 checks biweekly. Data errors sometimes occur that require reprocessing the entire payroll at a projected cost of $10,000. The company’s management is considering the addition of a data validation control procedure that reduces the error rate from 15% to 1%. This validation control procedure is expected to cost $600 per pay period. Should the data validation control procedure be implemented? Figure 11-9 illustrates the analysis to answer this question. Figure 11-9 indicates that the reprocessing cost expected (=expected loss) is $1,500 without the validation control procedure and $100 with the validation control procedure. Thus, implementing this control procedure provides an estimated reprocessing cost reduction of $1,400. Because the $1,400 estimated cost reduction is greater than the $600 estimated cost of the control, the company should implement the procedure: the net estimated benefit is $800. A Risk Matrix Cost-benefit analyses suffer from at least three problems. One is that not all cost considerations can be expressed easily in monetary terms, and that nonmonetary (or qualitative) items are often as important in evaluating decision alternatives in a cost-benefit analysis. For example, when an airport contemplates whether or not to install a control that might save lives, it might be difficult to quantify the benefits. Admittedly, this is an extreme example, but the point remains: often qualitative factors exist in a decision-making situation, which requires a degree of subjectivity in the cost-benefit analyses. Another problem with cost-benefit analyses is that some managers are not comfortable with computations involving probabilities or averages. What does it mean, for example, to state that on average 2.5 laptops are lost or stolen each year? Finally, a third problem with cost-benefit analyses is that they require an evaluation of all possible risks, and a case-by-case computation of possible safeguards. Typically, companies will run out of money for controls long before they run out of risks to mitigate. A possible solution to this third problem is to develop a risk matrix, such as the one in Figure 11-10—a tool especially useful for prioritizing large risks. As you can see, a risk matrix classifies each potential risk by mitigation cost and also by likelihood of occurrence. As a result, highly-likely, costly events wind up in the upper-right corner of the matrix, and events with small likelihoods of occurrence or negligible costs wind up in the lower left corner. This helps managers see which events are most important (the upper-right ones), and therefore how to better prioritize the money spent on internal controls. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 369 Cost to Organization Likelihood of Occurrence Negligible Certain Marginal Catastrophic Hit by car Likely Hit by piano Possible Burst Dam Unlikely Rare Critical Busy Street Locust Swarm Stampede FIGURE 11-10 Example of a risk matrix. AIS AT WORK Using the Company Credit Card as a Nest Egg?19 Laura Jones, 22-years old, was very excited! She just got hired at a regional home improvement company as the executive assistant to the president. The company was eagerly planning an aggressive expansion of operations and was looking for ambitious and eager employees willing to work hard as team players. To realize growth, the president of the company knew they had to be very active in the industry, so the company sponsored booths at trade shows, attended industry conferences, and had morale-building events for its sales team in exciting places such as Hawaii. Jones’ responsibilities included making all the arrangements for these activities. She made hotel and airline reservations and coordinated activities for the sales team. She was also responsible for reviewing the corporate credit card bills and authorizing payments. The president gave her the authority to approve amounts up to $100,000. However, when Jones realized that no one ever asked to look at the charges on the corporate credit card bill, she began making personal purchases with the card. If total charges exceeded $100,000, she simply forged the president’s signature on the approval form. When she learned that the accounts payable department accepted approvals from the president by email, she would slip into the president’s office when he was at a meeting or out of town, access his computer, and send herself an ‘‘approval’’ email. But the temptation was so great that she began to find additional ways the company could pay for things she wanted. For example, she soon discovered that she could also purchase gift checks with the corporate credit card, and over a two year period she bought more than $150,000 in gift checks to buy items for herself, her family, and some friends. When Jones had been with the firm for slightly less than three years, her scheme was discovered. An agent at the credit card company noticed some questionable transactions involving Jones and the corporate credit card. When the internal auditors investigated the transactions, they discovered that Jones had embezzled more than $1.5 million. 19 Source: Paul Sutphen, ‘‘Stealing Funds for a Nest Egg,’’ Internal Auditor, (August 2008), pp. 87– 91. Copyright © 2010 John Wiley & Sons, Inc. 370 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems SUMMARY • An organization’s internal control system has four objectives: (1) to safeguard assets, (2) to check the accuracy and reliability of accounting data, (3) to promote operational efficiency, and (4) to encourage adherence to prescribed managerial policies. • It is management’s responsibility to develop an internal control system. • The control environment, risk assessment, control activities, information and communication, and monitoring are the five interrelated components that make up an internal control system. • Six control activities to include in each organization’s internal control system are: (1) a good audit trail, (2) sound personnel policies and practices, (3) separation of duties, (4) physical protection of assets, (5) internal reviews of controls by internal audit subsystem, and (6) timely performance reports. • Within these six activities, specific control procedures should be designed and implemented for each company based on its particular control needs. • To develop an optimal internal control package, management should perform a cost-benefit analysis on each potential control procedure. • A company should only implement those controls whose expected benefits exceed, or at least equal, their expected costs. KEY TERMS YOU SHOULD KNOW audit trail control activities control environment COBIT corporate governance corrective controls COSO Report, 1992 COSO Report, 2004 demand draft detective controls enterprise risk management (ERM) event identification expected loss fidelity bond ideal control internal control objective setting operational audits preventive controls risk assessment risk matrix risk response SAS No. 94 scenario planning separation of duties SOX, Section 404 Val IT TEST YOURSELF Q11-1. This term describes the policies, plans, and procedures implemented by a firm to protect the assets of the organization. a. Internal control b. SAS No. 94 c. Risk assessment d. Monitoring Q11-2. Which of the following is not one of the four objectives of an internal control system? a. Safeguard assets Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 371 b. Promote firm profitability c. Promote operational efficiency d. Encourage employees to follow managerial policies Q11-3. Section 404 affirms that management is responsible for establishing and maintaining an adequate internal control structure. This Section may be found in which of the following? a. The 1992 COSO Report b. The 2004 COSO Report c. The Sarbanes-Oxley Act of 2002 d. COBIT Q11-4. Which of the following would a manager most likely use to organize and evaluate corporate governance structure? a. The 1992 COSO Report b. The 2004 COSO Report c. The Sarbanes-Oxley Act of 2002 d. COBIT Q11-5. Which of the following would a manager most likely use for risk assessment across the organization? a. The 1992 COSO Report b. The 2004 COSO Report c. The Sarbanes-Oxley Act of 2002 d. COBIT Q11-6. An internal control system should consist of five components. Which of the following is not one of those five components? a. The control environment b. Risk assessment c. Monitoring d. Performance evaluation Q11-7. COSO recommends that firms control. to determine whether they should implement a specific a. Use cost-benefit analysis b. Conduct a risk assessment c. Consult with the internal auditors d. Identify objectives Q11-8. Which of the following is not one of the three additional components that was added in the 2004 COSO Report? a. Objective setting b. Risk assessment c. Event identification d. Risk response Q11-9. Separation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees? a. Analysis, authorizing, transactions b. Custody, monitoring, detecting c. Recording, authorizing, custody d. Analysis, recording, transactions Copyright © 2010 John Wiley & Sons, Inc. 372 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems DISCUSSION QUESTIONS 11-1. What are the primary provisions of the 1992 COSO Report? The 2004 COSO Report? 11-2. What are the primary provisions of COBIT? 11-3. Why are the COSO and COBIT frameworks so important? 11-4. Briefly discuss the interrelated components that should exist within an internal control system. In your opinion, which component is the most important and why? 11-5. Why are accountants so concerned about their organization having an efficient and effective internal control system? 11-6. Discuss what you consider to be the major differences between preventive, detective, and corrective control procedures. Give two examples of each type of control. 11-7. Why are competent employees important to an organization’s internal control system? 11-8. How can separation of duties reduce the risk of undetected errors and irregularities? 11-9. Discuss some of the advantages to an organization from using a voucher system and pre-numbered checks for its cash disbursement transactions. 11-10. What role does cost-benefit analysis play in an organization’s internal control system? 11-11. Why is it important for managers to evaluate internal controls? PROBLEMS 11-12. You have been hired by the management of Alden, Inc. to review its control procedures for the purchase, receipt, storage, and issuance of raw materials. You prepared the following comments, which describe Alden’s procedures. • Raw materials, which consist mainly of high-cost electronic components, are kept in a locked storeroom. Storeroom personnel include a supervisor and four clerks. All are well trained, competent, and adequately bonded. Raw materials are removed from the storeroom only upon written or oral authorization from one of the production foremen. • There are no perpetual inventory records; hence, the storeroom clerks do not keep records of goods received or issued. To compensate for the lack of perpetual records, a physical inventory count is taken monthly by the storeroom clerks, who are well supervised. Appropriate procedures are followed in making the inventory count. • After the physical count, the storeroom supervisor matches quantities counted against a predetermined reorder level. If the count for a given part is below the reorder level, the supervisor enters the part number on a materials requisition list and sends this list to the accounts payable clerk. The accounts payable clerk prepares a purchase order for a predetermined reorder quantity for each part and mails the purchase order to the vendor from whom the part was last purchased. • When ordered materials arrive at Alden, they are received by the storeroom clerks. The clerks count the merchandise and see that the counts agree with the shipper’s bill of lading. All vendors’ bills of lading are initialed, dated, and filed in the storeroom to serve as receiving reports. a. List the internal control weaknesses in Alden’s procedures. b. For each weakness that you identified, recommend an improvement(s). 11-13. Listed below are 12 internal control procedures or requirements for the expenditure cycle (purchasing, payroll, accounts payable, and cash disbursements) of a manufacturing enterprise. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 373 For each of the following, identify the error or misstatement that would be prevented or detected by its use. a. Duties segregated between the cash payments and cash receipts functions b. Signature plates kept under lock and key c. The accounting department matches invoices to receiving reports or special authorizations before payment d. All checks mailed by someone other than the person preparing the payment voucher e. The accounting department matches invoices to copies of purchase orders f. Keep the blank stock of checks under lock and key g. Use imprest accounts for payroll h. Bank reconciliations performed by someone other than the one who writes checks and handles cash i. Use a check protector j. Periodically conduct surprise counts of cash funds k. Orders placed with approved vendors only l. All purchases made by the purchasing department 11-14. Rogers, North, & Housour, LLC is a large, regional CPA firm. There are 74 employees at their Glen Allen, SC office. The administrative assistant at this office approached Mr. Rogers, one of the partners, to express her concerns about the inventory of miscellaneous supplies (e.g., pens, pencils, paper, floppy disks, and envelopes) that this office maintains for its clerical workers. The firm stores these supplies on shelves at the back of the office facility, easily accessible to all company employees. The administrative assistant, Sandra Collins, is concerned about the poor internal control over these office supplies. She estimates that the firm loses about $350/month due to theft of supplies by company employees. To reduce this monthly loss, Sandra recommends a separate room to store these supplies, and that a company employee be given full-time responsibility for supervising the issuance of the supplies to those employees with a properly approved requisition. By implementing these controls, Sandra believes this change might reduce the loss of supplies from employee misappropriation to practically zero. a. If you were Mr. Rogers, would you accept or reject Sandra’s control recommendations? Explain why or why not. b. Identify additional control procedures that the firm might implement to reduce the monthly loss from theft of office supplies. 11-15. Ron Mitchell is currently working his first day as a ticket seller and cashier at the First Run Movie Theater. When a customer walks up to the ticket booth, Ron collects the required admission charge and issues the movie patron a ticket. To be admitted into the theater, the customer then presents his or her ticket to the theater manager, who is stationed at the entrance. The manager tears the ticket in half, keeping one half for himself and giving the other half to the customer. While Ron was sitting in the ticket booth waiting for additional customers, he had a ‘‘brilliant’’ idea for stealing some of the cash from ticket sales. He reasoned that if he merely pocketed some of the cash collections from the sale of tickets, no one would ever know. Because approximately 300 customers attend each performance, Ron believed that it would be difficult for the theater manager to keep a running count of the actual customers entering the theater. To further support his reasoning, Ron noticed that the manager often has lengthy conversations with patrons at the door and appears to make no attempt to count the actual number of people going into the movie house. a. Will Ron Mitchell be able to steal cash receipts from the First Run Movie Theater with his method and not be caught? Explain. b. If you believe he will be caught, explain how his stealing activity will be discovered. 11-16. The Palmer Company manufactures various types of clothing products for women. To accumulate the costs of manufacturing these products, the company’s accountants have established a Copyright © 2010 John Wiley & Sons, Inc. 374 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems computerized cost accounting system. Every Monday morning, the prior week’s production cost data are batched together and processed. One of the outputs of this processing function is a production cost report for management that compares actual production costs to standard production costs, and computes variances from standard. Management focuses on the significant variances as the basis for analyzing production performance. Errors sometimes occur in processing a week’s production cost data. The cost of the reprocessing work on a week’s production cost data is estimated to average about $12,000. The company’s management is currently considering the addition of a data validation control procedure within its cost accounting system that is estimated to reduce the risk of the data errors from 16% to 2%, and this procedure is projected to cost $800/week. a. Using these data, perform a cost-benefit analysis of the data validation control procedure that management is considering for its cost accounting system. b. Based on your analysis, make a recommendation to management regarding the data validation control procedure. CASE ANALYSES 11-17. Gayton Menswear (Risk Assessment and Control Procedures) The Gayton Menswear company was founded by Fred Williams in 1986 and has grown steadily over the years. Fred now has 17 stores located throughout the central and northern parts of the state. Because Fred was an accounting major in college and worked for a large regional CPA firm for 13 years prior to opening his first store, he places a lot of value on internal controls. Further, he has always insisted on a state-of-the art accounting system that connects all of his stores’ financial transactions and reports. Fred employs two internal auditors who monitor internal controls and also seek ways to improve operational effectiveness. As part of the monitoring process, the internal auditors take turns conducting periodic reviews of the accounting records. For instance, the company takes a physical inventory at all stores once each year and an internal auditor oversees the process. Chris Domangue, the most senior internal auditor, just completed a review of the accounting records and discovered several items of concern. These were: • Physical inventory counts varied from inventory book amounts by more than 5% at two of the stores. In both cases, physical inventory was lower. • Two of the stores seem to have an unusually high amount of sales returns for cash. • In 10 of the stores gross profit has dropped significantly from the same time last year. • At four of the stores, bank deposit slips did not match cash receipts. • One of the stores had an unusual number of bounced checks. It appeared that the same employee was responsible for approving each of the bounced checks. • In seven of the stores, the amount of petty cash on hand did not correspond to the amount in the petty cash account. Requirement 1. For each of these concerns, identify a risk that may have created the problem. 2. Recommend an internal control procedure to prevent the problem in the future. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 375 11-18. Cuts-n-Curves Athletic Club (Analyzing Internal Controls) The Cuts-n-Curves Athletic Club is a state-wide chain of full-service fitness clubs that cater to the demographics of the state (about 60% of all adults are single). The clubs each have an indoor swimming pool, exercise equipment, a running track, tanning booths, and a smoothie café for after-workout refreshments. The Club in Rosemont is open seven days a week, from 6:00 a.m. to 10:00 p.m. Just inside the front doors is a reception desk where an employee greets patrons. Members must present their membership card to be scanned by the bar-code reader, and visitors pay a $16 daily fee. When the employee at the desk collects cash for daily fees, he or she also has the visitor complete a waiver form. The employee then deposits the cash in a locked box and files the forms. At the end of each day the Club accountant collects the cash box, opens it, removes the cash, and counts it. The accountant then gives a receipt for the cash amount to the employee at the desk. The accountant takes the cash to the bank each evening. The next morning, the accountant makes an entry in the cash receipts journal for the amount indicated on the bank deposit slip. Susan Richmond, the General Manager at the Rosemont Club, has some concerns about the internal controls over cash. However, she is concerned that the cost of additional controls may outweigh any benefits. She decides to ask the organization’s outside auditor to review the internal control procedures and to make suggestions for improvement. Requirements: 1. Assume that you are the outside (staff) auditor. Your manager asks you to identify any weaknesses in the existing internal control system over cash admission fees. 2. Recommend one improvement for each of the weaknesses you identified. 11-19. Emerson Department Store (Control Suggestions to Strengthen a Payroll System) As a recently hired internal auditor for the Emerson Department Store (which has approximately 500 employees on its payroll), you are currently reviewing the store’s procedures for preparing and distributing the weekly payroll. These procedures are as follows. • Each Monday morning the managers of the various departments (e.g., the women’s clothing department, the toy department, and the home appliances department) turn in their employees’ time cards for the previous week to the accountant (Morris Smith). • Morris then accumulates the total hours worked by each employee and submits this information to the store’s computer center to process the weekly payroll. • The computer center prepares a transaction tape of employees’ hours worked and then processes this tape with the employees’ payroll master tape file (containing such things as each employee’s social security number, exemptions claimed, hourly wage rate, year-to-date gross wages, FICA taxes withheld, and union dues deducted). • The computer prints out a payroll register indicating each employee’s gross wages, deductions, and net pay for the payroll period. • The payroll register is then turned over to Morris, who, with help from the secretaries, places the correct amount of currency in each employee’s pay envelope. Copyright © 2010 John Wiley & Sons, Inc. 376 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems • The pay envelopes are provided to the department managers for distribution to their employees on Monday afternoon. To date, you have been unsuccessful in persuading the store’s management to use checks rather than currency for paying the employees. Most managers that you have talked with argue that the employees prefer to receive cash in their weekly pay envelopes so that they do not have to bother going to the bank to cash their checks. Requirements: 1. Assume that the store’s management refuses to change its current system of paying the employees with cash. Identify some control procedures that could strengthen the store’s current payroll preparation and distribution system. 2. Now assume that the store’s management is willing to consider other options for paying employees. What alternatives would you suggest? REFERENCES AND RECOMMENDED READINGS Campbell, D., M. Campbell, & G. Adams. ‘‘Adding significant value with internal controls,’’ The CPA Journal (June 2006), pp. 20–25. Campbell, M., G. Adams, D. Campbell, & M. Rose. ‘‘Internal audit can deliver more value,’’ Financial Executive (Jan-Feb 2006), pp. 44–47. Committee of Sponsoring Organizations of the Treadway Commission (CSOTC). Enterprise Risk Management—Integrated Framework (COSO Report), New York: 2004. Harrington, C. ‘‘Internal audit’s new role,’’ Journal of Accountancy (September 2004), p. 65–70. Jeffrey, C. ‘‘From lemons to lemonade,’’ Risk Management (July 2008), pp. 48–51. Joseph, G. & T. Engle. ‘‘The use of control self-assessment by independent auditors,’’ The CPA Journal (December 2005), pp. 38–43. Nolan, M. ‘‘Internal audit at the crossroads,’’ Risk Management (November 2008), pp. 54–55. Shaw, J. & L. Garvin. ‘‘ERM in motion,’’ Risk Management (July 2006), pp. 24–29. Singh, G. ‘‘What can SOX do for you?’’ Risk Management (April 2008), p. 78. Thomson, J., ‘‘SOX 404 and ERM: Perfect partners or not?’’ The Journal of Corporate Accounting & Finance (March/April 2007), pp. 29–36. Walker, K. ‘‘SOX, ERP, and BPM,’’ Strategic Finance (December 2008), pp. 47–53. Wells, J. ‘‘When the boss trumps internal controls,’’ Journal of Accountancy (February 2006), pp. 55–57. ANSWERS TO TEST YOURSELF 1. a 2. b 3. c 4. a 5. b 6. d Copyright © 2010 John Wiley & Sons, Inc. 7. a 8. b 9. c Chapter 11 Introduction to Internal Control Systems INTRODUCTION CASE ANALYSES INTERNAL CONTROL SYSTEMS Gayton Menswear Definition of Internal Control Cuts-n-Curves Athletic Club 1992 COSO Report—Components of Internal Control Emerson Department Store 2004 COSO Report—Enterprise Risk Management 2007 COBIT, Version 4.1 REFERENCES AND RECOMMENDED READINGS TYPES OF CONTROLS ANSWERS TO TEST YOURSELF Preventive Controls Detective and Corrective Controls Interrelationship of Preventive and Detective Controls CONTROL ACTIVITIES Good Audit Trail Sound Personnel Policies and Practices Separation of Duties Physical Protection of Assets Internal Reviews of Controls EVALUATING CONTROLS Requirements of Sarbanes-Oxley Act Illustrations of Cost-Benefit Analyses A Risk Matrix AIS AT WORK—USING THE COMPANY CREDIT CARD AS A NEST EGG? SUMMARY KEY TERMS YOU SHOULD KNOW After reading this chapter, you will: 1. Be familiar with the primary control frameworks commonly used in organizations. 2. Be familiar with an internal control system and the components of this system. 3. Understand the importance of enterprise-wide risk assessment and the impact this has on internal controls. 4. Be familiar with the importance of COSO and COBIT with respect to internal control systems. 5. Understand the difference between preventive, detective, and corrective controls. 6. Be aware of some of the control activities that should be included in an organization’s internal control system. 7. Understand the reason an organization might be willing to let customers shoplift some of its merchandise inventory. TEST YOURSELF DISCUSSION QUESTIONS PROBLEMS 347 Copyright © 2010 John Wiley & Sons, Inc. 348 PART FOUR / Controls, Security, Privacy, and Ethics for Accounting Information Systems ‘‘Ultimately, all stakeholders in the company should share the same high-level goal of establishing a strong system of internal controls.’’ Robert Mueller, ‘‘Mending Broken Controls,’’ Internal Auditor (August 2008), p. 85. INTRODUCTION Protecting the assets of an organization has always been an important responsibility of management. However, the incredible advancements in IT, as well as the pervasive use of IT across firms of all sizes, have dramatically changed how managers establish and monitor internal controls. Indeed, the pervasiveness of IT also has a profound impact on internal and external auditors, and how they assess the strength of the internal control environment. Protecting such assets requires organizations to develop and implement an effective internal control system—a system that can also perform such other functions as helping ensure reliable data processing and promoting operational efficiency in an organization. This chapter and the next cover the topic of internal controls—i.e., the controls established to protect the assets of an organization. This chapter defines corporate governance, IT governance, and internal controls. We also identify the components of an internal control system, the different types of controls, and various control activities. Finally, we illustrate a cost-benefit analysis, which is a method managers use to determine which control procedures are cost effective. INTERNAL CONTROL SYSTEMS An internal control system consists of the various methods and measures designed into and implemented within an organization to achieve the following four objectives: (1) safeguard assets, (2) check the accuracy and reliability of accounting data, (3) promote operational efficiency, and (4) enforce prescribed managerial policies. An organization that achieves these four objectives is typically one with good corporate governance. This means managing an organization in a fair, transparent, and accountable manner to protect the interests of all the stakeholder groups.1 The 1992 COSO Framework is widely used by managers to organize and evaluate their corporate governance structure. This framework was developed to improve the quality of financial reporting through business ethics, effective internal controls, and corporate governance.2 Definition of Internal Control Internal control describes the policies, plans, and procedures implemented by management of an organization to protect its assets. Usually the people involved in this effort are the entity’s board of directors, the management, and other key personnel in the firm. 1 ‘‘Corporate Governance: The New Strategic Imperative,’’ a White Paper from the Economist Intelligence Unit, sponsored by KPMG International, http://www.eiu.com. 2 Source: http://www.coso.org. Copyright © 2010 John Wiley & Sons, Inc. CHAPTER 11 / Introduction to Internal Control Systems 349 The reason this is important is that these individuals want reasonable assurance that the goals and objectives of the organization can be achieved (i.e., effectiveness and efficiency of operations, reliability of financial reporting, protection of assets, and compliance with applicable laws and regulations).3 Figure 11-1 identifies key laws, professional guidance, and reports that focus on internal controls. In 2001, the AICPA issued Statement on Auditing Standards (SAS) No. 94, ‘‘The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.’’ This SAS cautions the external auditors that the way firms use IT might impact any of the five internal control components (discussed in the next section). That is, auditors must realize internal controls are both manual and automated, and therefore, auditors might need to adopt new testing strategies to obtain sufficient evidence that an organization’s controls are effective. Because of the complexity of IT environments, auditors will most likely need to use computer-assisted auditing techniques (CAATs) to test the automated controls in an organization. We discuss these techniques in depth in Chapter 14. An important piece of legislation with respect to internal controls is the Sarbanes-Oxley Act of 2002. One key provision of this law is Section 404, which reaffirms that management is responsible for establishing and maintaining an adequate internal control structure, and at the end of each fiscal year must attest to the effectiveness and completeness of the internal control structure, thus making managers personally liable for this structure within the firm. We cover the Sarbanes-Oxley Act in more depth in Chapter 14. 1992 COSO Report—Components of Internal Control The 1992 COSO Report (see Figure 11-1) is important because it established a common definition of internal control for assessing control systems, as well as determined how to improve controls. According to the report, controls can serve many important purposes, and for this reason many businesses look at internal control systems as a solution to a variety of potential problems (such as dealing with rapidly changing economic and competitive environments, as well as shifting customer demands and priorities). According to the COSO report, an internal control system should consist of these five components: (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. Control Environment. The control environment establishes the tone of a company and influences the control awareness of the company’s employees. It is the foundation for all the other internal control components and provides discipline and structure. Factors include: • the integrity, ethical values, and competence of an organization’s employees • management’s philosophy and o...
Purchase answer to see full attachment