Controls (slide deck transcript, posted 21-Dec-2015, category: Documents)
Controls
Process of exercising a restraining or guiding influence over the activities of an object, organism, or system
Exist everywhere
Operationalized in many ways
Control philosophy
Controls permeate, not dominate
Controls are everybody's, not the accountant’s
Controls are part of the operation
Controls are built into the system
Internal Control Systems
Internal control in a business
The methods a business uses to safeguard assets, provide accurate, reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies
Controls in the external reporting world
Objective of IC
To reduce likelihood that a threat will come to pass and result in a loss to the organization.
Threat, likelihood, exposure
COSO
Internal Control—as defined by the professional organizations most directly involved
Internal control is a process, effected by an entity’s board of directors, management and other personnel, to provide reasonable assurance regarding the achievement of management’s objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Components of IC
Control environment: tone at the top
Risk assessment: identification and analysis of risks
Control activities: policies and procedures
Information and communication: processing info for people to do their jobs
Monitoring: assess quality of internal control over time
Enterprise risk management
ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Moves from emphasis on risks relating to financial reporting and compliance to emphasis on ALL risks of the business
The Control Environment
Commitment to integrity and ethics
Management’s philosophy and style
Organizational structure
Audit committee and the board (function)
Methods of assigning responsibility
Human resources policies and practices
External influences
C&L overheads on Control Environment
Risk Assessment—COSO
Determine threats to the company
Estimate probability of threat occurring
Estimate exposure from each threat
Identify set of controls to guard against threat
Estimate costs and benefits of implementing controls
Evaluate whether to put controls in place
Implement controls
Iterate
Risk Assessment—ERM
Objective setting: What does the enterprise wish to do?
Event identification: What could go wrong?
Risk assessment: Likelihood of event, exposure, cost/benefit
Risk response: Avoid, reduce, share, accept…
Events/Threats (negative)
Business threats (economic, environmental, social, political…)
Internal or external
Occurs at wrong time, wrong sequence, wrong actors, wrong place…
Information threats: recording/processing/reporting
Tools for identifying
Risk Assessment & Response
Calculate expected loss
Determine costs of controls
Benefit = reduction in expected loss
Consider special reasons for investing in control even when cost > benefit
Risk appetite: avoid, accept, share, reduce
Control Activities
Authorization of transactions
Segregation of incompatible duties
Independent checks on performance
Safeguarding assets and information
Design and use of adequate records
Management and review of activities
Lots of ways to look at these…
Segregation of duties—computer system
Systems analyst
Programmer
Computer operator
Testing group
AIS library: data, programs
Management control of IS
Access and safeguarding—computer system
Data protection controls: physical and logical
Lock rooms, require passwords
Data transmission, Internet
Preventive: labeling, librarians, data dictionaries
Backup…
Uninterruptible power sources
Disaster recovery
Project controls
Project development and implementation controls include:
Team that knows why this is being done, individuals responsible
Project plan, timeline, schedule, budget
Good RFP, good specifications
Check references: groups and individuals
Sunk costs are sunk
Communication and information
Accounting (information) system(s)
AIS objectives related to communication & information:
Record all, valid transactions
Classify
Valuation
Periodicity
Presentation and disclosure
Monitoring
Effective supervision
Responsibility accounting
Internal auditing
Fraud controls
Overall considerations
Means to an end
System, with goals and interrelated components
Management’s responsibility
Requires competence, honesty, ethical behavior
Reasonable assurance, not perfection
Cost-benefit
Some basics of SOX
Sarbanes-Oxley Act of 2002
Creates Public Company Accounting Oversight Board…
Gives PCAOB rights of the 1934 Securities Act
5 member board: two current or former CPAs, three not
SEC oversees the board
Identifies specific rules and procedures that the PCAOB must require/adhere to
PCAOB duties
Register public accounting firms
Establish rules for auditing, independence, ethics, etc. for prep of audit reports
The SEC will recognize GAAP from bodies that meet some requirements and meet the SEC approval (Board may qualify; FASB does qualify)
Partner/staff rotation
Partners rotate 5 on, 5 off
The CEO, Controller, CFO, Chief Accounting Officer or person in an equivalent position cannot have been employed by the company's audit firm during the 1-year period preceding the audit.
Prohibited services
Auditor may not do:
Bookkeeping or services related to financial statements
AIS design or implementation
Internal audit outsourcing
Management or HR functions
Legal or expert services unrelated to audit
Others…
Ok services
Pre-approved by the audit committee
Disclosed to stockholders
Pre-approval waived if:
Aggregate is < 5% of total revenues
Not recognized as non-audit at the time of engagement
Promptly brought to attention of audit committee
Audit committees
Must be independent directors
Responsible for appointment, compensation and oversight of “registered” public accounting firms working for the company
Oversee all complaints regarding accounting, controls and auditing
At least one “financial expert”
What is a financial expert? (McGladrey)
An understanding of financial statements and GAAP
An ability to assess application of GAAP for estimates, accruals and reserves
Experience preparing, auditing, analyzing or evaluating financial statements that represent a breadth and level of complexity of accounting issues for the registrant's financial statements, or experience actively supervising one or more persons engaged in such activities
An understanding of internal controls and procedures for financial reporting
An understanding of audit committee functions
Responsibility for reports
CEO and CFO must certify the “appropriateness of the financial statements and disclosures…fairly present…operations and financial position”—Section 302
Restatements due to noncompliance with financial reporting requirements require disgorgement of profits by CEO and CFO
Miscellaneous
Reflect all correcting adjustments
Disclose off-balance sheet transactions
No personal loans to directors or executives
Designated transactions reported within 2 business days
Study SPEs
Reflect the “economics” of off-balance sheet transactions
Section 404—management assessment of IC
Each annual report includes an internal control report
State responsibility of mgmt
Assessment of effectiveness of structure and procedures
Auditor attests to management’s assessment
Not a separate engagement
Section 404—some detail
Management makes an assessment of IC design and effectiveness
Auditor makes an assessment of IC design and effectiveness
Design: do the controls exist, for relevant assertions and significant accounts
Effectiveness: do the controls work, for relevant assertions and significant accounts (inquiries and observations; review documents; compare supporting documents; walkthroughs; etc.)
Report on management assessment; report on IC; report on financial statements
Likely Reporting Scenarios
Scenario | Mgmt’s Report (IC effective?) | Auditor’s Report on Mgmt’s Report | Auditor’s Report on IC | Auditor’s Report on FS
No material weakness | Effective | Unqual. | Unqual. | Unqual.
Material weakness, identified by mgmt & auditor | Not Effective | Unqual. | Adverse | Unqual.
Material weakness, not identified by mgmt, but by auditor | Effective | Adverse | Adverse | Unqual.
Material Weakness
Deficiencies can exist in design or effectiveness
Deficiencies can be:
Control deficiency: would not prevent or detect misstatements in ordinary course of business
Significant deficiency: one or more control deficiencies; a control deficiency that adversely affects the company’s ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles. Must be reported to the audit committee.
Material weakness: one or more significant deficiencies; a significant deficiency that, alone or with others, results in more than a remote likelihood that a material misstatement of the financials will not be prevented or detected. Must be reported publicly.
IC deficiencies
Type | Likelihood | Magnitude
Control deficiency | Remote | and/or Inconsequential
Significant deficiency | More than remote | and More than inconsequential
Material weakness | More than remote | and Material to financial statements
(Chart: likelihood axis runs from Remote to Probable, magnitude axis from Immaterial to Material; the high-likelihood, material quadrant is labelled MATERIAL WEAKNESS)
Factors to consider
Likelihood of misstatement: susceptibility to fraud; cause and frequency of exceptions to IC; nature of accounts; interaction with other controls
Magnitude of misstatement: financial statement amounts; amount of transactions; volume of transactions/activity
Indicators of potential material weakness
Weak control environment
Fraud of any magnitude in management
Identification of material misstatement caught by auditors, but not by firm
Ineffective oversight by audit committee
Communicated deficiencies not corrected by management
Examples of material weakness
Financial close process: often related to staffing, training, time
IT general controls: pervasive problems
Inventory process: particularly related to end-of-period
Account reconciliations: all accounts are analyzed and reconciled to the supporting schedules
Handout from Accounting Horizons
Controls
Over Financial Reporting (404)
Relate to prep of external FS, fairly presented in conformity with GAAP
Safeguarding assets
Address likelihood of fraud
Over Disclosure Procedures (302)
Information required to be disclosed is recorded, processed, summarized, reported within prescribed time period
Ensure information is communicated to executive management timely for disclosure requirements
Management certifications
302—CEO and CFO certify periodic SEC filings—fairness of FS and operating effectiveness of disclosure controls and procedures
404—Management’s assessment of IC with auditor attestation: annual assessment and reporting by both mgmt and auditor on the effectiveness of IC over financial reporting
906—CEO and CFO: financial reporting certification and criminal penalties—all SEC reports with financials, fairness of FS and compliance with requirements of SEA of 1934
Group question
Walkthroughs must be done by the auditor him/herself. It is not permissible to use an internal auditor or other third party to perform this task.
Several commenters objected to this prohibition on using the work of internal auditors for walkthroughs. They described situations in which internal auditors would be better able to effectively perform walkthroughs because internal auditors understood the company's business and controls better than did the auditors who would be forced to do the walkthroughs.
What is your response to the commenters?
IC in a computerized environment
Concepts of control do not change: objectives, framework (COSO), structure (environment, plan, procedures)
Implementation will change: more focus on system (embedded) controls; continuous rather than periodic controls
Random v. systematic errors
Categories of IC in a computerized environment
General Controls: pervasive, relate to the entire system. Control environment must be managed well to enhance effectiveness of application controls
Application Controls: specific, relate to individual portions of the system, or types of transactions. Prevent, detect, correct errors in input, processing, output
General Controls
System reliability
Separation of incompatible functions
Access
Backup and recovery
Management of the IS function
Adopting an IS mindset
System Reliability
System reliability is defined as: “A system that operates without material error, fault or failure during a specified time in a specified environment.”
Principles to achieve system reliability
a. Security. The system is protected against unauthorized access (both physical and logical).
b. Availability. The system is available for operation and use as committed or agreed.
c. Processing integrity. System processing is complete, accurate, timely, and authorized.
d. Confidentiality. Information designated as confidential is protected from unauthorized disclosure.
e. Privacy. Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
Criteria for implementing principles
Policies. The entity has defined and documented its policies relevant to the particular principle.
Communications. The entity has communicated its defined policies to authorized users.
Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.
Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.
Security
Security is a management issue, not a technology issue
Redundancy: defense in depth
Control categories (apply to manual and computer): preventive, detective, corrective
Electronization of business
Redesign of internal processes is often implemented to conduct e-business, and is often the result of conducting e-business.
Sometimes it is an imperative for survival.
Does not directly provide a competitive advantage.
Can be used to more effectively implement a basic strategy.
What makes electronization of business successful
The degree to which e-business activities fit and support the organization’s overall business strategy (understanding strategy is a method to do this)
The ability to guarantee that e-business processes satisfy the three key characteristics of any business transaction (encryption is a method to do this): validity, integrity, privacy
Characteristics
Validity: authenticate identity of other (both) parties, so the contract is enforceable
Integrity: ensure that the information exchanged has not been altered
Privacy: ensure that confidentiality is maintained
Encryption: plaintext, ciphertext, hash
There are two principal types of encryption systems:
Single-key systems: same key is used to encrypt and decrypt the message (symmetric). Simple, fast, and efficient. Example: the Data Encryption Standard (DES) algorithm
Public Key Infrastructure (PKI): uses a pair of keys, one to encrypt and one to decrypt (asymmetric). Public key is available to all who want it; private key is kept secret and known only by the owner of that pair of keys.
MD5 (or a similar program) creates a “digest”, which is undecipherable, but invariant for a given text stream
Digital Signatures and Digests
Digital signature: a method of uniquely identifying the sender of a message.
Digital certificate: third-party verification that the owner of a private/public key pair is who the signature says it is
Digest: a digital summary. If any individual character in the original document changes, the value of the digest also changes. It does not provide the information, just knowledge that the information has/has not changed
IS perspective for Business
Security training: consciousness of the folks involved; familiarity breeds slackers
Segregation of duties becomes more difficult: hard to restrict access; changing data/programs is common
Development control: mission critical v. personal uses
Use of Spreadsheets: see reading for today for copious detail
Diagram: Erin’s computer to Sally’s computer over the Internet or network
Contract (“Erin buy from Sally”) encrypted with a DES key: Encrypted Contract (contract is private)
DES key encrypted with Sally’s public key: Encrypted Key; decrypted with Sally’s private key (only Sally can read)
MD5 of the contract: Hash Digest-1; encrypted with Erin’s private key: Encrypted Hash (Digital Signature); decrypted with Erin’s public key: Hash Digest-1
Sally runs MD5 over the decrypted contract: Hash Digest-2; compare with Hash Digest-1: must be from Erin, contract is unaltered
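The Erin-to-Sally exchange in the diagram above, covering the encryption and digest slides before it, as an added example that is not code from the original deck: Go's standard library plays both sides, with AES-GCM standing in for DES and SHA-256 for MD5 (both of the deck's primitives are obsolete for this use), and `Envelope`, `Seal` and `Open` are assumed names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the network: the session key wrapped for Sally,
// nonce||AES-GCM(contract) (the "Encrypted Contract") and Erin's signature.
type Envelope struct{ WrappedKey, Ciphertext, Signature []byte }

// Seal is Erin's side: fresh session key, encrypt the contract, wrap the key
// under Sally's public key, sign the digest (Hash Digest-1) with Erin's private key.
func Seal(contract []byte, erin *rsa.PrivateKey, sallyPub *rsa.PublicKey) (Envelope, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // AES-256 key, 96-bit GCM nonce
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // cannot fail: key is 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sallyPub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(contract)
	sig, err := rsa.SignPKCS1v15(rand.Reader, erin, crypto.SHA256, digest[:])
	return Envelope{wrapped, gcm.Seal(nonce, nonce, contract, nil), sig}, err
}

// Open is Sally's side: unwrap with her private key, decrypt, recompute the digest
// (Hash Digest-2) and check it against the signature with Erin's public key.
func Open(env Envelope, sally *rsa.PrivateKey, erinPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, sally, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(env.Ciphertext) < 12 {
		return nil, fmt.Errorf("malformed session key or ciphertext")
	}
	gcm, _ := cipher.NewGCM(block)
	contract, err := gcm.Open(nil, env.Ciphertext[:12], env.Ciphertext[12:], nil)
	if err != nil {
		return nil, fmt.Errorf("contract altered or wrong key: %w", err)
	}
	digest := sha256.Sum256(contract)
	if rsa.VerifyPKCS1v15(erinPub, crypto.SHA256, digest[:], env.Signature) != nil {
		return nil, fmt.Errorf("signature does not verify under Erin's public key")
	}
	return contract, nil // must be from Erin, and unaltered
}
```

Note that the signature alone proves who sent the contract; that Sally is the only reader comes from the key wrap, so both checks are needed for the validity, integrity and privacy properties listed above.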
General Controls—audit firm list
Company level controls: monitoring, planning, assessment (definition of IT roles, assessment of significant IT activities outside the IT function…)
Change controls: approval, separation of duties, policies (testing & QA of changes, authorization of changes, separate developers from production environment)
Operations: policies, roles (formal backup policies, operational policies and procedures well defined)
Security: review, access, data/system (periodic review of access, policies for admitting new users/user access, review of exception logs)
Key application controls
Batch totals: aid in computer environment, often embedded in the process
Source data controls: pre-numbered, turnaround, computer-readable
Online data entry: preformat, prompt, accuracy (completeness)
More application controls
Input validation: edit programs, sequence checks, validity check
File maintenance: reconcile master with other data, data security
Output controls: user review, reconcile batch totals, bursting documents (control over distribution, logical and physical), error logs
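The batch-total, sequence and validity checks from the two application-control slides above, as an added example that is not from the deck: the records, chart of accounts and keyed control totals are constructed, and `Record`, `Batch`, `ValidateBatch`, `checkTotal` and `SampleBatch` are assumed names.

```go
package main

import (
	"fmt"
	"sort"
)

type Record struct {
	DocNo   int    // pre-numbered source document
	Account string // must exist in the chart of accounts (validity check)
	Cents   int64  // amount in cents, so totals need no rounding
}

// Batch carries the control totals the clerk computed by hand before keying.
type Batch struct {
	Count, HashTotal, Amount int64 // record count; hash total = sum of DocNo; financial total in cents
	Records                  []Record
}

var ChartOfAccounts = map[string]bool{"1100": true, "4000": true} // constructed master file

func checkTotal(log []string, name string, entered, actual int64) []string {
	if entered != actual {
		log = append(log, fmt.Sprintf("%s: entered %d, computed %d", name, entered, actual))
	}
	return log
}

// ValidateBatch runs the edit checks and returns the error log, one line per exception.
func ValidateBatch(b Batch, chart map[string]bool) []string {
	var log []string
	var hash, amount int64
	recs := append([]Record(nil), b.Records...) // sort a copy; keep the entry order intact
	sort.Slice(recs, func(i, j int) bool { return recs[i].DocNo < recs[j].DocNo })
	for i, r := range recs {
		hash, amount = hash+int64(r.DocNo), amount+r.Cents
		if !chart[r.Account] { // validity check against the master file
			log = append(log, fmt.Sprintf("doc %d: account %q not in chart of accounts", r.DocNo, r.Account))
		}
		if i > 0 && r.DocNo != recs[i-1].DocNo+1 { // sequence check on pre-numbered documents
			log = append(log, fmt.Sprintf("doc %d: expected %d next (gap or duplicate)", r.DocNo, recs[i-1].DocNo+1))
		}
	}
	log = checkTotal(log, "record count", b.Count, int64(len(recs)))
	log = checkTotal(log, "hash total", b.HashTotal, hash)
	log = checkTotal(log, "financial total", b.Amount, amount)
	return log
}

// SampleBatch is constructed input: document 1003 was lost before keying, 1004 hit an unknown account.
func SampleBatch() Batch {
	recs := []Record{{1001, "4000", 12500}, {1002, "1100", 8000}, {1004, "9999", 4200}}
	return Batch{Count: 4, HashTotal: 4010, Amount: 29200, Records: recs}
}
```

The hash total is a sum with no accounting meaning; it exists only so that a mis-keyed document number shows up even when the record count and financial total still agree.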
Goal oriented—explicit
Tie controls to goals: operations, information
Create control plans
Evaluate the usefulness of controls
Formal method