Chapter 4Transaction Processing and the

Internal Control ProcessThis organization looks like it has weak internal

controls.

Presentation Outline

I. Business Exposures

II. Fraud and White-Collar Crime

III. The Internal Control Process

IV. The Sarbanes-Oxley Act of 2002

V. Classifying Transaction Processing Controls

VI. Analysis of Internal Control Processes

I. Business Exposures

A. The Meaning of Exposure

B. Examples of Common Business Exposures

A. The Meaning of Exposure

Potential FinancialEffect of Event x

Probability ofOccurrence

(Risk)

=

Exposure

B1. Common Business Exposures

Deficient revenues due to decreases in

earnings resulting from things like

excessive bad debts, incorrect billing, and returns from unhappy

customers.

B2. Common Business Exposures

Loss of assets due to theft, acts of violence,

or natural disaster

B3. Common Business Exposures

Inaccurate accounting causes decisions to be made using inaccurate

information.

B4. Common Business Exposures

Business interruption from things like acts

of violence and natural disaster can damage or destroy a

business.

B5. Common Business Exposures

Statutory sanctions interrupting business

due to regulatory agency penalties.

B6. Common Business Exposures

Competitive disadvantage resulting from

ineffective management

decisions.

B7. Common Business Exposures

Fraud (perverting truth to obtain something of

value) and embezzlement

(fraudulent appropriation of assets

for one’s own use).

II. Fraud and White-Collar Crime

A. Three Types of White Collar Crime

B. Fraudulent Financial Reporting

C. Corporate Crime

D. Certified Fraud Examiners

E. KPMG Survey

A. Three Types of White-Collar Crime

White-collar crime occurs when assets are deceitfully diverted from proper use or deceitfully misrepresented by an act or series of acts that are nonviolent in nature.

Employee theft – involves diversion of assets by an employee for personal gain.

Employee-outsider theft – involves diversion of assets by an employee in collusion with an outsider for

personal gain.Management fraud – concerns diversion of assets or

misrepresentation of assets by management.

B. Fraudulent Financial Reporting

White-collar crime may result in fraudulent financial reporting. This is intentional or

reckless conduct, whether by purposeful

act or by omission, that results in

materially misstated financial statements.

C. Corporate Crime

Corporate crime is white-collar crime that benefits a company or

organization rather than the individuals who perpetrate the

fraud. Such individuals may

benefit indirectly.

D. Certified Fraud ExaminersForensic accounting is a term used to describe the activities of persons who are concerned with preventing and detecting

fraud.The National Association of Certified Fraud Examiners (NACFE) is a professional organization that provides bona fide qualifications for certified fraud examiners

(CFEs) through the administration of the

Uniform CFE examination.

E. KPMG Survey

KPMG surveyed the 2,000 largest companies in the United States.

Fifty-nine percent cited internal control as the most frequent reason that frauds were discovered.

Fifty-six percent stated that poor internal controls were the most frequent reason that fraud occurred.

The survey results …

III. The Internal Control Process

A. Purpose of Internal ControlB. Two Premises of Internal Control

C. The Foreign Corrupt Practices Act of 1977D. Elements of Internal Control

Internal controls keep a close eye on employee

activities when management can’t. This

helps employees stay honest.

A. Purpose of Internal Control

Internal control is designed to provide reasonable assurance regarding:Reliability of financial reporting.Effectiveness and efficiency of operations.Compliance with laws and regulations.

Don’t go astray!

B. Two Premises of Internal Control

Responsibility – Management and the board of directors are responsible for establishing and maintaining the internal control process.Reasonable assurance – A control should not cost more than the potential benefit of the control.

C. The Foreign Corrupt Practices Act (FCPA) of 1977

The FCPA requires that all organizations subject to the Securities Act of 1934:Keep an adequate system of records.Devise and maintain an appropriate system of internal accounting controls.

D. Elements of Internal Control

Control environment – Overall values and integrity of organization.Risk assessment – Identification and evaluation of risks.Control activities – Activities undertaken to reduce probability of loss due to significant risks.Information and communication – Communicating information about the control environment and control activities.Monitoring – Keeping watch over and changing internal controls so that they function effectively and efficiently.

IV. The Sarbanes-Oxley Act of 2002

A. Creation of the Public Company Accounting Oversight Board (PCAOB)

B. Restrictions on Nonaudit ServicesC. Role of the Audit Committee

D. Corporate Responsibility for Financial Reports

E. Management Assessment of Internal Controls

Note: This Act currently applies to only publicly-traded companies.

A. Creation of the PCAOBCreated to oversee the auditing of public companies.

The SEC will have “oversight and enforcement authority over the Board.” No rule of the Board shall become

effective without prior approval of the commission. (Sec. 107)

The Board will:register public accounting firms,

establish the standards for the audit of public companies,conduct inspections of public accounting firms,

investigations and disciplinary hearings and have the power to impose sanctions.

(Sec. 101)

B. Restrictions on Nonaudit ServicesPublic company auditors may not also provide the following

services to their audit clients: Bookkeeping

Financial information systems design and implementation Appraisal or valuation services

Actuarial services Internal audit outsourcing

Management or human resource services Broker or dealer

Legal and expert services unrelated to audit Other services determined by the PCAOB

C. Role of the Audit Committee

Public companies must maintain must

maintain an independent audit

committee composed of members of the

board of directors who receive no

compensation from the company except for

services on the board.

D. Corporate Responsibility for Financial Reports

The CEO and CFO must prepare a statement to accompany the audit

report. This statement certifies to the fairness of the presentation of

the financial statements and accompanying

disclosures.

E. Management Assessment of Internal Controls

The Sarbanes-Oxley Act requires the annual report to contain an internal control report that:

states the responsibility of management for establishing and maintaining an adequate internal control structure

and procedures for financial reporting and

contains an assessment, as of the end of the company’s fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial

reporting.

Note: The external auditor must attest to and report on the above assessment as a part of the audit process.

V. Classifying Transaction Processing Controls

A. General and Application Controls

B. Preventive, Detective, and Corrective Controls

A. General and Application Controls

General controls affect all processing transactions.

Application controls are specific to individual applications. They include input, processing, and output controls.

B. Preventive, Detective, and Corrective Controls

Preventive controls – Prevent errors and fraud before they happen.

Detective controls – Uncover errors and fraud that have occurred.

Corrective controls - Correct errors

VI. Analysis of Internal Control Processes

A. Internal Control Questionnaire

B. Applications Control Matrix

A. Internal Control QuestionnaireQuestionnaires are available

for the review of certain application areas. Some

weaknesses may be compensated for by other

strengths. Testing of controls is also necessary

since responses to a questionnaire are not considered conclusive evidence about internal

controls.

B. Applications Control Matrix

Columns represent processes under review while rows represent the

presence/rating for a control feature. Some use x’s to indicate the

presence or absence of a control. Others provide ratings to indicate the

assessed reliability of the control. (See p. 133)

Summary

The meaning of exposure

The cause of exposure

The concept of internal control

General and application controls

Preventive, detective, and corrective controls

Internal control questionnaires

Applications control matrix.