Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES
Posted 22-Dec-2015
Assessment of Execution Risks: Revenue Cycle
Generic execution risks for each of the two revenue cycle transactions:
1. Delivering goods/services:
- Unauthorized sale/service permitted
- Authorized sale/service did not occur, occurred late, or was duplicated unintentionally
- Wrong type of product/service
- Wrong quantity/quality
- Wrong customer/address
2. Collecting cash:
- Cash not collected or collected late
- Wrong amount of cash collected
Assessment of Execution Risks: Acquisition Cycle
Generic execution risks for each of the two acquisition cycle transactions:
1. Receiving goods/services:
- Unauthorized goods/services received
- Expected receipt of goods/services did not occur, occurred late, or was duplicated unintentionally
- Wrong type of product or service received
- Wrong quantity/quality
- Wrong supplier
2. Making payment:
- Unauthorized payment
- Cash not paid, paid late, or duplicate payment
- Wrong amount paid
- Wrong supplier paid
Assessment of Execution Risks: Revenue & Acquisition Cycles
Understanding and assessing execution risks – 5 steps:
Step 1. Achieve an understanding of the processes
Step 2. Identify the at-risk goods/services provided and cash received
Step 3. Restate each generic risk to describe the execution risk more precisely for the process under study; exclude irrelevant or immaterial risks
Step 4. Assess the significance of the remaining risks
Step 5. Identify the factors that contribute to each significant risk, using the events in the process to identify factors systematically
What control activities could be implemented to mitigate the risks?
Assessment of Information Systems Risks
2 categories of information systems risks:
- Recording risks
- Updating risks
The process of recording and updating information is both a risk and a control:
- Risk: information will be recorded incorrectly, perhaps resulting in transaction errors and incorrect financial statements
- Control: when the information is correct, because recorded information is used to control transactions
Assessment of Information Systems Risks
Recording risks: risks that event information is not captured accurately in an organization’s information system
- Errors in recording can cause substantial losses
- Recording events late can cause opportunity losses
- In the acquisition cycle, recording errors can result in overpaying bills or loss of credit from failure to pay
Recording risks: revenue/acquisition cycles – generic recording risks
- Event recorded never occurred
- Event not recorded, recorded late, or duplication of recording
- Wrong product/service recorded
- Wrong quantity/price recorded
- Wrong external/internal agent recorded
- Wrong recording of other data
Assessment of Information Systems Risks
Recording risks: identifying recording risks – 3 steps
Step 1. Achieve an understanding of the process under study; identify the events
Step 2. Review the events; identify where data are recorded in a source document or a transaction file
Step 3. For each event where data are recorded in a source document or transaction record:
- Consider the preceding generic recording risks
- Restate each generic risk to describe the risk more precisely for the particular event under consideration
- Exclude any risks that are irrelevant or immaterial
Assessment of Information Systems Risks
Updating risks: risks that summary fields in master records are not properly updated
- Update failures can be costly
- Errors in updates can reduce the effectiveness of controls over the general ledger balances for assets and liabilities
Updating risks: generic risks
- Update of master record omitted or unintended duplication of update
- Update of master record occurred at the wrong time (if updates are scheduled, users need to know and the schedule needs to be followed)
- Summary field updated by wrong amount
- Wrong master record updated
Assessment of Information Systems Risks
Identifying update risks: 3 steps
Step 1. Identify recording risks
Step 2. Identify the events that include update activity and the summary fields in the updated master files
Step 3. For each event that updates a master file:
- Consider the preceding generic update risks
- Restate each generic risk to describe the update risk more precisely for the particular event under consideration
- Exclude any update risks that are irrelevant or immaterial
Recording and Updating in the General Ledger System
The General_Ledger File stores reference and summary data about the general ledger accounts.
The process of updating a general ledger account is sometimes referred to as “posting.”
Risks in recording and updating information in a general ledger system:
- Wrong general ledger account recorded
- Wrong amounts debited/credited
- General ledger master record not updated at all, updated late, or updated twice
- Wrong general ledger master record updated
Important to internal control:
- The policy for updating general ledger accounts should be well understood.
- Often, general ledger balances are updated after a batch of transactions, not with each transaction.
- Employees need to know that, under the batch process, general ledger account balances are temporarily out of date, and when updates are made.
Controlling risks:
- Identify significant risks of losses or errors
- Consider ways to control the risks
- Accountants, external auditors, or internal auditors evaluate existing controls and suggest additional controls where warranted
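The general ledger posting risks above (wrong account, wrong amounts, record updated twice or not at all, stale balances under batch posting) can each be turned into an explicit check in the posting code. The following is an added example written for this page, not code from the chapter or from any textbook system; the account codes, opening balances and journal vouchers are constructed sample data, with amounts in cents and balances kept debit-positive.

```python
"""Batch posting to general ledger master records with the generic update
risks checked explicitly.

Added example, not code from the chapter or any textbook system. Account
codes, opening balances and journal entries below are constructed sample
data; amounts are integers in cents and balances are kept debit-positive.
"""
from dataclasses import dataclass, field


@dataclass
class JournalEntry:
    entry_id: str   # prenumbered journal voucher number recorded with the event
    lines: list     # (account_code, debit_cents, credit_cents) tuples


@dataclass
class GeneralLedger:
    balances: dict = field(default_factory=dict)  # account code -> balance (summary field)
    posted: set = field(default_factory=set)      # voucher numbers already posted


def validate_entry(gl: GeneralLedger, entry: JournalEntry) -> list:
    """Return the reasons an entry must not be posted (empty list = OK).

    Each check maps to one generic update risk: duplicate update,
    wrong master record, wrong amount.
    """
    problems = []
    if entry.entry_id in gl.posted:
        problems.append("duplicate update: voucher already posted")
    for account, debit, credit in entry.lines:
        if account not in gl.balances:
            problems.append(f"wrong master record: unknown account {account}")
        if debit < 0 or credit < 0 or (debit and credit):
            problems.append(f"wrong amount: bad debit/credit pair on {account}")
    total_debit = sum(d for _, d, _ in entry.lines)
    total_credit = sum(c for _, _, c in entry.lines)
    if total_debit != total_credit:
        problems.append(f"wrong amount: debits {total_debit} != credits {total_credit}")
    return problems


def post_batch(gl: GeneralLedger, batch: list) -> tuple:
    """Post a batch of entries; return (posted voucher numbers, exception report).

    An entry is posted all-or-nothing, and its voucher number is remembered
    so that re-running the same batch cannot update a balance twice.
    """
    posted, exceptions = [], []
    for entry in batch:
        problems = validate_entry(gl, entry)
        if problems:
            exceptions.append((entry.entry_id, problems))
            continue
        for account, debit, credit in entry.lines:
            gl.balances[account] += debit - credit
        gl.posted.add(entry.entry_id)
        posted.append(entry.entry_id)
    return posted, exceptions


def unposted_effect(batch: list, account: str) -> int:
    """Net change a not-yet-posted batch would make to one account if it all posted.

    Under batch posting the master balance is temporarily out of date; this
    lets a user see the pending adjustment instead of trusting a stale figure.
    """
    return sum(d - c for e in batch for a, d, c in e.lines if a == account)


def sample_ledger() -> GeneralLedger:
    # constructed opening balances: 1100 Cash, 1200 Accounts receivable, 4000 Sales
    return GeneralLedger(balances={"1100": 50_000, "1200": 0, "4000": 0})


def sample_batch() -> list:
    # constructed journal entries; JE-001 appears twice to simulate a re-sent batch
    return [
        JournalEntry("JE-001", [("1200", 1000, 0), ("4000", 0, 1000)]),  # credit sale
        JournalEntry("JE-001", [("1200", 1000, 0), ("4000", 0, 1000)]),  # duplicate
        JournalEntry("JE-002", [("1100", 500, 0), ("1200", 0, 400)]),    # unbalanced
        JournalEntry("JE-003", [("9999", 100, 0), ("1100", 0, 100)]),    # unknown account
        JournalEntry("JE-004", [("1100", 600, 0), ("1200", 0, 600)]),    # cash collected
    ]


if __name__ == "__main__":
    gl = sample_ledger()
    print("pending change to 1100 before posting:", unposted_effect(sample_batch(), "1100"))
    posted, exceptions = post_batch(gl, sample_batch())
    print("posted:", posted)
    for voucher, problems in exceptions:
        print("rejected", voucher, problems)
    print("balances:", gl.balances)
```

The voucher-number set is what makes a re-sent batch harmless: the second JE-001 is rejected rather than doubling receivables, and running the whole batch again posts nothing. The exception report is the "review for errors before posting" control from the input-controls list applied at the posting step.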
Control Activities
The policies and procedures to address risks to the achievement of the organization’s objectives
- Manual or automated
- May be implemented at various levels of the organization
4 types of controls:
- Workflow controls
- Input controls
- General controls
- Performance reviews
Control Activities
Workflow controls: used to control a process as it moves from one event to the next
- Exploit linkages between events
- Focus on: responsibilities for events; sequence of events; flow of information between events in a business process
Workflow controls:
1. Segregation of duties
2. Use of information from prior events to control activities
3. Required sequence of events
4. Follow-up on events
5. Sequence of prenumbered documents
6. Recording of internal agent(s) accountable for an event in a process
7. Limitation of access to assets and information
8. Reconciliation of records with physical evidence of assets
Control Activities
1. Segregation of duties: organizations make an effort to segregate:
- Authorization of events
- Execution of events
- Recording of event data
- Custody of resources associated with the event
The overview activity diagram is best suited to understanding and documenting segregation of duties.
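Segregation of duties can be checked in two places: preventively, against the standing rights each employee holds, and detectively, against the log of who actually authorized, executed, recorded or had custody for each event. The following is an added example for this slide, not code from the chapter; the employee ids, sales-order numbers and action log are constructed sample data.

```python
"""Segregation-of-duties review over standing rights and an event log.

Added example, not from the chapter. It uses the four duties the slide
lists (authorization, execution, recording, custody). The employee ids,
sales-order numbers and actions below are constructed sample data.
"""

DUTIES = ("authorize", "execute", "record", "custody")


def conflicting_assignments(assignments: dict) -> dict:
    """Preventive check: assignments maps employee_id -> set of duties granted.

    Returns the employees whose standing rights already combine two or more
    duties, i.e. who could complete a transaction alone.
    """
    return {emp: sorted(duties)
            for emp, duties in sorted(assignments.items()) if len(duties) > 1}


def review_transactions(actions, required=("authorize", "execute", "record")) -> list:
    """Detective check over a log of (transaction_id, duty, employee_id).

    Reports, per transaction, any required duty nobody performed (e.g. a
    shipment that was never authorized) and any employee who performed more
    than one duty on the same transaction. Returns sorted (txn, finding) tuples.
    """
    by_txn = {}
    for txn, duty, emp in actions:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r}")
        by_txn.setdefault(txn, {}).setdefault(emp, set()).add(duty)

    findings = []
    for txn in sorted(by_txn):
        performed = set().union(*by_txn[txn].values())
        for duty in required:
            if duty not in performed:
                findings.append((txn, f"missing {duty}"))
        for emp in sorted(by_txn[txn]):
            duties = by_txn[txn][emp]
            if len(duties) > 1:
                findings.append((txn, f"{emp} performed {'+'.join(sorted(duties))}"))
    return findings


def sample_assignments() -> dict:
    # constructed standing rights per employee
    return {"E01": {"authorize", "execute"}, "E02": {"execute"},
            "E03": {"record"}, "E04": {"custody"}}


def sample_actions() -> list:
    # constructed sales-order log: (transaction, duty, employee)
    return [
        ("SO-1001", "authorize", "E01"),
        ("SO-1001", "execute", "E02"),
        ("SO-1001", "record", "E03"),
        ("SO-1001", "custody", "E04"),
        ("SO-1002", "authorize", "E01"),
        ("SO-1002", "execute", "E01"),   # same person approved and shipped
        ("SO-1002", "record", "E03"),
        ("SO-1003", "execute", "E02"),   # nobody authorized this shipment
        ("SO-1003", "record", "E02"),
    ]


if __name__ == "__main__":
    print("standing conflicts:", conflicting_assignments(sample_assignments()))
    for txn, finding in review_transactions(sample_actions()):
        print(txn, finding)
```

The standing-rights check is the cheaper control because it stops the conflict before any event happens; the log review is still needed because rights drift and because an unauthorized event (SO-1003) shows up only as a missing duty in the log, which also covers the "unauthorized sale permitted" execution risk from earlier in the chapter.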
Control Activities
2. Use of information about prior events:
- Information about prior events can come from documents or computer records.
- 2 examples of information from computer files: checking summary data in master files to authorize events; transaction records may help control events (similar to using documents before approving an invoice)
Control Activities
3. Required sequence of events: often, organizations
- Have policies requiring a process to follow a particular sequence
- Require a sequence of events without having prior recorded information to rely on
Control Activities
4. Follow-up on events: organizations
- Need an automated or manual way to review transactions not yet concluded
- Should have “open” item or aging reports to identify events needing follow-up
- Can design/use routine reports to flag unfinished business
- Can query a database for status reports
Control Activities
5. Prenumbered documents:
- Provide an opportunity to control events
- Prenumbered documents created during one event are accounted for in a later event
- Checking the sequence of prenumbered documents helps ensure that all events are executed and recorded appropriately
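Controls 4 and 5 above are usually implemented together: the prenumbered documents issued in one event (here, shipping documents) are matched against the later event that consumes them (billing), and whatever is not matched becomes the open-item aging report. The following is an added example for both slides, not code from the chapter; the document numbers, dates and the seven-day follow-up threshold are constructed assumptions.

```python
"""Accounting for a prenumbered document sequence and aging the open items.

Added example for the follow-up and prenumbered-document controls, not code
from the chapter. Event A issues prenumbered shipping documents; event B
(billing) must later reference each one. Document numbers, dates and the
follow-up threshold are constructed sample data.
"""
from datetime import date


def account_for_sequence(issued, referenced, as_of, follow_up_after_days=7) -> dict:
    """issued: list of (doc_no, date_issued) from event A, in issue order.
    referenced: set of doc_no that event B has consumed.
    as_of: date the report is run.

    Returns a report with four sections; all empty means the sequence is
    fully accounted for and nothing is waiting for follow-up.
    """
    seen = {}
    duplicates = []
    for doc_no, issued_on in issued:
        if doc_no in seen:
            duplicates.append(doc_no)          # the same number was issued twice
        else:
            seen[doc_no] = issued_on
    if not seen:
        return {"missing": [], "duplicates": [], "unknown_references": [], "open": []}

    lowest, highest = min(seen), max(seen)
    # gaps in the sequence: documents that exist on paper but were never recorded
    missing = [n for n in range(lowest, highest + 1) if n not in seen]
    # event B cites a number that event A never issued
    unknown = sorted(referenced - seen.keys())

    open_items = []
    for doc_no, issued_on in sorted(seen.items()):
        if doc_no not in referenced:           # issued but never billed
            age = (as_of - issued_on).days
            open_items.append({"doc_no": doc_no, "age_days": age,
                               "overdue": age > follow_up_after_days})
    return {"missing": missing, "duplicates": duplicates,
            "unknown_references": unknown, "open": open_items}


def sample_report() -> dict:
    # constructed shipping log: one duplicate number (1003) and one gap (1004)
    issued = [(1001, date(2015, 6, 1)), (1002, date(2015, 6, 1)),
              (1003, date(2015, 6, 2)), (1003, date(2015, 6, 2)),
              (1005, date(2015, 6, 3))]
    # constructed billing references: 1007 was never issued as a shipping document
    referenced = {1001, 1003, 1007}
    return account_for_sequence(issued, referenced, as_of=date(2015, 6, 10))


if __name__ == "__main__":
    for section, rows in sample_report().items():
        print(section, rows)
```

Each section of the report maps to a risk named earlier in the chapter: a gap is a shipment that may have left without being recorded, a duplicate number defeats the sequence check itself, an unknown reference is a bill for a shipment that never occurred, and an overdue open item is a sale whose cash has not been collected on time.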
Control Activities
6. Recording of internal agent(s) accountable for an event in a process: important
- Clear job descriptions and specific instructions from supervisors
- Recording the employee ID number at the time of the event
- Safeguarding of assets through the use of serial numbers, recordkeeping, and identification of the custodian of the assets
Control Activities
7. Limitation of access to assets and information: safeguards
- Access to assets only for employees needing them for assigned duties
- Physical assets stored in secure locations
- Employee badges for access
- Alarms
- Password required for access to data
Control Activities
8. Reconciliation of records with physical evidence of assets:
- Ensures that recorded event and master file data correspond to actual assets
- Differs from the use of documents to control events – reconciliation is broader, usually involves data about multiple events, and occurs after the events have been executed and recorded
Control Activities
Input controls: used to control input of data into computer systems
- Drop-down or look-up menus
- Record-checking of data entered
- Confirmation of data entered
- Referential integrity controls
- Format checks to limit data
- Validation rules to limit the data
- Defaults from data entered in prior sessions
- Restriction against leaving a field blank
- Field established as a primary key
- Computer-generated values entered in records
- Batch control totals taken before data entry compared to printouts after data entry
- Review for errors before posting
- Exception reports
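Most of the input controls in this list are small checks that are easy to show in code. The following added example, written for this page and not taken from the chapter or any AIS package, validates a batch of sales-order lines with a required-field restriction, a format check, referential integrity against master files, a range validation rule, a default from the prior entry, and batch control totals compared after entry, producing an exception report. The master files, the four entered lines and the clerk's control totals are constructed sample data.

```python
"""Input controls on a batch of sales-order lines.

Added example, not code from the chapter or any AIS package. The master
files, entered records and control totals are constructed sample data;
prices and amounts are in cents.
"""
import re

# constructed master files: customer ids, and item unit prices in cents
CUSTOMERS = {"C001": "Acme Ltd", "C002": "Globex Inc"}
ITEMS = {"P100": 1999, "P200": 450}
CUSTOMER_ID_FORMAT = re.compile(r"^C\d{3}$")   # format check: C followed by 3 digits
MAX_QTY = 1000                                  # validation rule: 1..1000 units per line


def validate_line(line: dict, prior: dict = None) -> tuple:
    """Return (cleaned line, list of errors) for one entered sales-order line."""
    rec = dict(line)
    errors = []
    # restriction against a blank field, with a default from the prior entry
    if not rec.get("customer_id"):
        if prior:
            rec["customer_id"] = prior["customer_id"]
        else:
            errors.append("customer_id required")
    cust = rec.get("customer_id")
    if cust:
        if not CUSTOMER_ID_FORMAT.match(cust):
            errors.append("customer_id format")                # format check
        elif cust not in CUSTOMERS:
            errors.append("customer_id not in master file")    # referential integrity
    if rec.get("item") not in ITEMS:
        errors.append("item not in master file")               # referential integrity
    qty = rec.get("qty")
    if not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        errors.append(f"qty out of range 1..{MAX_QTY}")         # validation rule
    return rec, errors


def enter_batch(lines: list, control_totals: dict) -> tuple:
    """Validate a batch and compare the entered totals with the control totals.

    control_totals is footed from the source documents before data entry:
    count of lines, hash total of quantities, and total amount in cents.
    Returns (accepted lines, exception report, control-total mismatches).
    """
    accepted, exceptions = [], []
    prior = None
    for position, line in enumerate(lines):
        rec, errors = validate_line(line, prior)
        if errors:
            exceptions.append((position, errors))
            continue
        accepted.append(rec)
        prior = rec
    entered = {
        "count": len(accepted),
        "qty_hash_total": sum(r["qty"] for r in accepted),
        "amount_total": sum(r["qty"] * ITEMS[r["item"]] for r in accepted),
    }
    mismatches = {k: (control_totals[k], entered[k])
                  for k in control_totals if control_totals[k] != entered[k]}
    return accepted, exceptions, mismatches


def sample_batch() -> tuple:
    # constructed data-entry batch with two deliberate input errors
    lines = [
        {"customer_id": "C001", "item": "P100", "qty": 5},
        {"customer_id": "", "item": "P200", "qty": 3},       # blank: defaults to prior customer
        {"customer_id": "C9", "item": "P100", "qty": 2},     # bad format
        {"customer_id": "C002", "item": "P300", "qty": 5},   # item not on master file
    ]
    # totals the clerk footed from the four source documents before keying
    # (the unknown item P300 was priced at 1000 cents on its source document)
    control = {"count": 4, "qty_hash_total": 15, "amount_total": 20343}
    return lines, control


if __name__ == "__main__":
    lines, control = sample_batch()
    accepted, exceptions, mismatches = enter_batch(lines, control)
    print("accepted:", accepted)
    print("exception report:", exceptions)
    print("control total mismatches (control, entered):", mismatches)
```

The control totals are the check on the checks: even if a line passed every field-level control, a total that disagrees with the figures footed from the source documents tells the reviewer that something was keyed wrongly or left out before the batch is posted.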
Control Activities
General controls: broader controls that apply to multiple processes
- Help workflow and input controls be effective
- Organized into four categories: information systems (IS) planning; organizing the information technology (IT) function; identifying and developing IS solutions; implementing and operating accounting systems
Control Activities
Performance reviews: measure performance by comparing actual data with budgets, forecasts, or prior-period data
- Include analyzing data, identifying problems, and taking corrective action
- Ensure events support broader long-term goals
- Typically involve comparing actual results to plans, standards, and prior performance
- Often result in taking corrective action
- Require an information system (an AIS in particular) that records and stores information about standards and actual outcomes
- Require reports that allow for meaningful analysis of actual results
Performance reviews and master records are related in two ways:
- Planned standards and budget figures (reference data) are typically recorded during file maintenance activities in master records
- Summary data stored in master records are often used to implement corrective action; summary fields in master records can also help in reviewing performance
KEY TERMS
Application controls, Control activities, Control environment, Execution risk, General controls, Information system risks, Input controls, Internal controls, Performance reviews, Recording risks, Risk assessment, Segregation of duties, Update risks, Workflow controls