CHAPTER 3: Internal Controls

INTERNAL CONTROL DEFINITION AND IMPORTANCE

I. DEFINITION

Internal control – “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance” [defined by COSO]

COSO – Committee of Sponsoring Organizations of the Treadway Commission

Important elements of the COSO definition:
1. Internal control is a process.
2. Internal control necessarily involves people throughout the organization.
3. Internal controls are designed to provide reasonable assurance.

II. IMPORTANCE

1. Safeguarding assets
2. Ensuring financial statement reliability
3. Promoting operational efficiency
4. Encouraging compliance with management’s directives

Internal control is also legally mandated by several important pieces of LEGISLATION:

1. Foreign Corrupt Practices Act (FCPA)
   - passed by the US Congress in 1977
   - requires corporations covered by its provisions to maintain an adequate system of internal accounting controls
   - violators are subject to fines and imprisonment

2. Sarbanes-Oxley Act of 2002 (SOX)
   - passed in response to the corporate scandals of the late 20th century
   Provisions related to internal controls:
   - Management and the external auditors must assess the company’s internal controls on an annual basis.
   - Management acknowledges that it is personally and organizationally responsible for the design and implementation of internal controls.
   - Any internal control change that has a noticeable effect must be disclosed.
   - Any significant problems or weaknesses in internal control must be reported to the auditors and the board of directors’ audit committee.
   - Managers must personally sign the required certifications and reports.
RISKS

Inappropriate risk-taking behavior is at the heart of many fraud cases.

Taxonomy – an organizational structure for knowledge

BROWN’S TAXONOMY OF RISK:

1. Financial risks – related to monetary activities
   a. Market risk – changes in the company’s stock prices, investment values, and interest rates
   b. Credit risk – customers’ unwillingness or inability to pay amounts owed to the organization
   c. Liquidity risk – the possibility that a company will not have sufficient cash and near-cash assets available to meet its short-term obligations
2. Operational risks – concern the people, assets, and technologies used to create value for the organization’s customers
   a. Systems risk – relates directly to information technology (IT)
   b. Human error risk – the possibility that people in the organization will make mistakes
3. Strategic risks – “relate to the entity’s decision-making process at the senior management and board of directors level”
   a. Legal and regulatory risk – the concern that those parties might break laws, resulting in financial, legal, or operational sanctions
   b. Business strategic risk – comprises poor decision making related to a company’s basis for competing in its markets
4. Hazard risk
   a. Directors’ and officers’ liability

COSO’S INTERNAL CONTROL INTEGRATED FRAMEWORK

COSO comprises FIVE PROFESSIONAL ACCOUNTING ORGANIZATIONS:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Financial Executives Institute
4. Institute of Internal Auditors
5. Institute of Management Accountants

The framework was originally published in 1992 and updated in 2013.
Similarities and differences between the original and updated frameworks

SIMILARITIES
1. Internal control definition
2. Objective categories: operations, reporting, and compliance
3. Components of a strong internal control plan
4. Necessity for all plan components to work together
5. Importance of judgement in establishing sound internal control

DIFFERENCES
1. Environmental changes, such as economic conditions and legal considerations
2. Expanded objectives for operations and reporting
3. Creation of fundamental concepts that support the components
4. Additional examples and approaches

FIVE (5) COMPONENTS OF THE COSO INTERNAL CONTROL INTEGRATED FRAMEWORK

1. Control environment: establishing the “tone at the top”
   - Ensures that internal control is seen as a serious, important, worthy topic throughout the organization
2. Risk assessment: clarifying an organization’s risk exposures
   - Identify an organization’s risk exposures as a precursor to creating internal controls
3. Control activities: developing specific controls to address the risk exposures
   - Policies, processes, and procedures that address the risks in a cost-effective way and provide reasonable assurance that the goal will be achieved
   - Organizations can “address” risks in at least three ways:
     1. Prevention
     2. Detection
     3. Correction
4. Information and communication: ensuring stakeholders know about the internal control plan
5. Monitoring: creating a process for keeping the plan updated and relevant
COSO offered the following explanation of effective internal control:

- Each of the five components and relevant principles is present and functioning.
  “Present” – a determination that the components and relevant principles exist
  “Functioning” – the components and principles continue to exist
- The five components operate together in an integrated manner.
  “Operating together” – a determination that all five components collectively reduce the risk of not achieving an objective

INTERNAL CONTROL EXAMPLES

1. Adequate documentation
2. Background checks
3. Backup of computer files
4. Backup of power supplies
5. Bank reconciliation
6. Batch control totals
7. Data encryption
8. Document matching
9. Echo checks
10. Firewalls
11. Insurance and bonding
12. Internal audits
13. Limit checks
14. Lockbox systems
15. Physical security
16. Preformatted data entry screens
17. Prenumbered documents
18. Restrictive endorsement and daily deposit of checks received
19. Segregation of duties
20. User training
CHAPTER 4: Management Concepts

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management – a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO discusses FIVE CATEGORIES OF OBJECTIVES for most organizations:
1. Strategic
2. Operations
3. Reporting
4. Compliance
5. Safeguarding of resources

EIGHT (8) ENTERPRISE RISK MANAGEMENT ELEMENTS:

1. Internal environment: overall organizational attitude about ERM
   - The tone of an organization
   - Sets the basis for how risk is viewed and addressed by an entity’s people (risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate)
2. Objective setting: what an organization is trying to accomplish
   - Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event identification: events that could interfere with achieving the objectives
   - Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
4. Risk assessment: the chance that the interfering events will occur
   - Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.
5. Risk response: generic ways to manage risks (events)
   - Management selects a risk response – avoiding, accepting, reducing, or sharing risk – and develops a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control activities: specific ways to manage risks (events)
   - Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
7. Information and communication: ways to share the ERM plan
   - Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities.
8. Monitoring: ways to ensure the ERM plan stays relevant
   - ERM is monitored and modifications are made as necessary.

NATURE OF BUSINESS PROCESS MANAGEMENT

Business Process Management:
- A business improvement strategy based on documenting, analyzing, and redesigning processes for greater performance.
- A systematic approach to analyzing, redesigning

Important ideas in each definition of BPM:
- Improving performance
- Promoting efficiency
- Responding to the needs of clients
- Analyzing processes systematically and strategically

GENERALIZED MODEL OF BPM (suggested by Seppanen, Kumar, and Chandra)
1. Select the process and define its boundaries.
2. Observe, document, and map the process steps and flow.
3. Collect process-related data.
4. Analyze the collected data.
5. Identify and prioritize potential process improvements.
6. Optimize the process.
7. Implement and monitor process improvements.
Why AIS students should know something about business process management:
1. BPM can assist managers in providing accounting information that conforms to elements of the FASB Conceptual Framework. Managing business processes can ensure that relevant, reliable information is furnished in a cost-effective way.
2. BPM can help managers promote strong internal control.
3. BPM frequently involves strategic uses of information technology.
4. BPM is a natural outgrowth of accountants’ intimate involvement with business processes.
BEHAVIORAL ISSUES IN AIS
1. Many people are uncomfortable with change.
2. Fraud is a serious problem in all types of organizations.
3. Business today is a global endeavor.
4. When elements of an AIS change, people need to be trained in new technologies, processes and procedures to be effective.
BASIC PRINCIPLES
1. Understand how business processes interact with and support organizational strategy.
2. Move away from the “we’ve always done it this way” mentality.
3. Enlist top management support; ensure that top management can describe current business processes before trying to reengineer, maintain, or modify them.
4. Managing business processes is fundamentally about people, not technology or documents.
5. Don’t rely on external consultants to the exclusion of internal employees; value the experience of people in the organization who are close to the process.
6. When using consultants, make sure the task is well defined, with specific deliverables defined by the company.
7. Communicate early; communicate often. Deal immediately with objections and issues as they arise.
EXPECTANCY THEORY

Motivation is the product of THREE FACTORS:
1. Expectancy – “Will I be successful?”
2. Instrumentality – “Will I be rewarded?”
3. Valence – “Do I value the reward?”

Motivation = Expectancy × Instrumentality × Valence

Because the factors are multiplied, if just one of the three is zero, motivation will be zero as well.