Internal Controls

(Hall Ch. 3)
Definition of internal control
Common elements:
Managing the risks of the firm
Internal control is a process
Designed to provide reasonable assurance

[Figure: relationship between objectives, organizational structure, and components]
The Committee of Sponsoring Organizations of the Treadway Commission
Five organizations formed a committee to study issues surrounding internal control:
American Institute of CPAs
American Accounting Association
Institute of Internal Auditors
Institute of Management Accountants
Financial Executives Institute
Internal Control Objectives According to AICPA SAS
1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting records and information
3. Promote efficiency of the firm's operations
4. Measure compliance with management's prescribed policies and procedures
Modifying Assumptions to the Internal Control Objectives
Management Responsibility
Reasonable Assurance
Methods of Data Processing
Limitations of Internal Controls
Possibility of honest errors
Circumvention via collusion
Management override
Changing conditions, especially in companies with high growth
Exposures of Weak Internal Controls (Risk)
Destruction of an asset
Theft of an asset
Corruption of information
Disruption of the information system
The Internal Controls Shield
Preventive, Detective, and Corrective Controls
Figure 3-3
SAS 109 / COSO
Describes the relationship between the firm's internal control structure, the auditor's assessment of risk, and the planning of audit procedures.
How do these three interrelate?
The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more audit procedures are applied in the audit.
Five Internal Control Components: SAS 109 / COSO
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
1: The Control Environment
Integrity and ethics of management
Organizational structure
Role of the board of directors and the audit committee
Management's policies and philosophy
Delegation of responsibility and authority
Performance evaluation measures
External influences: regulatory agencies
Policies and practices managing human resources
2: Risk Assessment
Identify, analyze and manage risks relevant to financial reporting:
changes in external environment
risky foreign markets
significant and rapid growth that strains internal controls
new product lines
restructuring, downsizing (cutting positions means fewer people, and fewer people means less ability to maintain a good control system)
changes in accounting policies
Example: a change from FIFO to LIFO made to meet earnings expectations will raise red flags.
3: Control Activities
Policies and procedures to ensure that the appropriate actions are taken in response to identified risks
Fall into two distinct categories:
IT controls: relate specifically to the computer environment
Physical controls: primarily pertain to human activities
4: Information and Communication
The AIS should produce high quality information which:
identifies and records all valid transactions
provides timely information in appropriate detail to permit proper classification and financial reporting
accurately measures the financial value of transactions
accurately records transactions in the time period in which they occurred
[Notes: good accounting information is needed to tell how well a company is performing; this component is all about input, processing, and output.]
Information and Communication
Auditors must obtain sufficient knowledge of the IS to understand:
the classes of transactions that are material
how these transactions are initiated [input]
the associated accounting records and accounts used in processing [input]
the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements [process]
the financial reporting process used to compile financial statements, disclosures, and estimates [output]
[The bracketed tags show the relationship to the general AIS model.]
5: Monitoring
The process for assessing the quality of internal control design and operation
[This is feedback in the general AIS model.]
Separate procedures: tests of controls by internal auditors
Ongoing monitoring:
computer modules integrated into routine operations
management reports which highlight trends and exceptions from normal performance
[The bracketed note shows the relationship to the general AIS model.]
Six Types of Physical Controls
Transaction Authorization
Segregation of Duties
Supervision
Accounting Records
Access Control
Independent Verification
Physical Controls
Transaction Authorization
Policies set by management with respect to certain types of transactions
general (everyday procedures) or specific (non-routine transactions) authorizations
General: authorization that is inherent in the position
Example: Kramer approves customer credit and initials the purchase order.
Physical Controls
Segregation of Duties
No single employee should be in a position both to perpetrate and conceal fraud, errors or other kinds of failures
Segregate the basic functions of event processing:
Authorizing events
Recording events
Safeguarding resources (i.e., custody)
Nested Control Objectives for Transactions
[Figure 3-4: Control Objective 1: authorization vs. processing; Control Objective 2: authorization, custody, recording; Control Objective 3: journals, subsidiary ledgers, general ledger]
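The segregation-of-duties rule above (no one person both perpetrates and conceals) can be checked mechanically over a role assignment. The following is an added example, not code from the Hall text: the three event-processing functions the slide names (authorizing, recording, custody) are modelled as duties attached to roles, and any user whose roles grant two of them over the same asset class is reported. Role, user and asset names are constructed sample data.

```python
"""Segregation-of-duties conflict check, added as a worked example (not code
from the Hall text). The three event-processing functions the slide names
(authorizing, recording, custody) are modelled as duties attached to roles, and
any user whose roles grant two of them over the same asset class is reported,
since that person could both perpetrate and conceal an error or fraud. Role,
user and asset names are constructed sample data."""
from itertools import combinations

AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Any two of the three basic functions are incompatible in one person.
INCOMPATIBLE = {frozenset(p) for p in combinations((AUTHORIZE, RECORD, CUSTODY), 2)}

# Constructed role catalogue: (asset class, duty) pairs granted by each role.
ROLE_DUTIES = {
    "credit_manager": {("receivables", AUTHORIZE)},
    "ar_clerk": {("receivables", RECORD)},
    "cashier": {("receivables", CUSTODY)},
    "purchasing": {("inventory", AUTHORIZE)},
    "inventory_clerk": {("inventory", RECORD)},
    "warehouse": {("inventory", CUSTODY)},
}


def duties_for(roles, catalogue=ROLE_DUTIES):
    """Union of the (asset, duty) pairs granted by a set of role names."""
    held = set()
    for role in roles:
        held |= catalogue[role]
    return held


def sod_conflicts(assignments, catalogue=ROLE_DUTIES):
    """Map each offending user to a sorted list of (asset, duty_a, duty_b)
    triples naming the incompatible duties they hold over that asset."""
    findings = {}
    for user, roles in assignments.items():
        by_asset = {}
        for asset, duty in duties_for(roles, catalogue):
            by_asset.setdefault(asset, set()).add(duty)
        hits = [
            (asset, a, b)
            for asset, duties in sorted(by_asset.items())
            for a, b in combinations(sorted(duties), 2)
            if frozenset((a, b)) in INCOMPATIBLE
        ]
        if hits:
            findings[user] = hits
    return findings


# Constructed assignments. Kramer's general authorization over credit is fine on
# its own; Dana holds custody of cash receipts and also records receivables, so
# Dana could both take a payment and conceal it in the records; Lee both
# authorizes purchases and has custody of inventory.
SAMPLE_ASSIGNMENTS = {
    "kramer": {"credit_manager"},
    "dana": {"cashier", "ar_clerk"},
    "lee": {"purchasing", "warehouse"},
    "pat": {"inventory_clerk"},
}

if __name__ == "__main__":
    for user, hits in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for asset, a, b in hits:
            print(f"{user}: holds both '{a}' and '{b}' over {asset}")
```

Keying the conflict on the asset class matters: authorizing credit over receivables while holding custody of inventory is not a conflict, which is why a plain "two duties anywhere" rule would over-report.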
The Impact of Collusion (ACFE 2014)
Physical Controls
Supervision
a compensation for lack of segregation; some may be built into computer systems
Accounting Records
Evidence that only legitimate and properly authorized transactions occurred
provide an audit trail
Proper backup of records
Physical Controls
Access Controls:
Restrict physical access to assets
Examples
Lockbox systems
Daily deposit of cash receipts
Restrictive endorsements of checks
Physical security
Background checks
Physical Controls
Independent Verifications
Procedures that check up on individuals and the transaction processing system
Examples
Reconciliations: bank, inventory, accounts receivable
Performance reviews
Personnel policies
Physical Controls in IT Contexts
Transaction Authorization
The rules are often embedded within computer programs.
EDI/JIT: automated re-ordering of inventory without human intervention
Physical Controls in IT Contexts
Segregation of Duties
A computer program may perform many tasks that are deemed incompatible.
[Figure: IT function organization chart with database administration, programming (new development, maintenance) and operations as separate branches]
Physical Controls in IT Contexts
Supervision
The ability to assess competent employees becomes more challenging due to the greater technical knowledge required.
Physical Controls in IT Contexts
Accounting Records
ledger accounts and sometimes source documents are kept magnetically
no audit trail is readily apparent
Physical Controls in IT Contexts
Access Control
Data consolidation exposes the organization to computer fraud and excessive losses from disaster.
Physical Controls in IT Contexts
Independent Verification
When tasks are performed by the computer rather than manually, an independent check of each task is no longer necessary.
However, the programs themselves are checked.
Two Types of IT Controls
General controls: pertain to the entity-wide computer environment
Application controls: ensure the integrity of specific systems
Application Controls
Risks within specific applications
Can affect manual procedures (e.g., entering data) or embedded (automated) procedures
Convenient to look at in terms of:
input stage
processing stage
output stage
[Figure: input, processing, output]
Application Input Controls
Goal of input controls: valid, accurate, and complete input data
Two common causes of input errors:
transcription errors: wrong character or value
transposition errors: right character or value, but in wrong place
Application Input Controls
Check digits: a control digit is computed from the data code and added to it; especially useful for transcription and transposition errors
Missing data checks: control for blanks or incorrect justifications
Numeric-alphabetic checks: verify that characters are in correct form
Application Input Controls
Limit checks: identify values beyond pre-set limits
Range checks: identify values outside upper and lower bounds
Reasonableness checks: compare one field to another to see if the relationship is appropriate
Validity checks: compare values to known or standard values
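The input controls on the last two slides are easiest to see together in code. The following is an added example, not the Hall text's code: it runs every named check over a constructed sales-order record, using a weighted modulus-11 check digit (a common scheme; the textbook's own check-digit figure is not on this page). The field names, the credit limit, the quantity bounds and the customer master list are assumptions made for the example.

```python
"""Input-stage application controls, added here as a worked example (not the
Hall text's code). It runs the checks the slides name over a constructed
sales-order record: a weighted modulus-11 check digit, then missing data,
numeric-alphabetic, validity, range, limit and reasonableness checks. The field
names, the credit limit, the quantity bounds and the customer master list are
assumptions made for the example."""
from decimal import Decimal, InvalidOperation


def mod11_check_digit(body: str) -> str:
    """Weighted modulus-11 check digit: weight the digits 2, 3, 4, ... from the
    right, take the sum mod 11, and subtract from 11 (10 is written 'X')."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, len(body) + 2)))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def verify_check_digit(code: str) -> bool:
    """True when the last character of `code` is the check digit of the rest."""
    body, check = code[:-1], code[-1:]
    return body.isdigit() and mod11_check_digit(body) == check


# Constructed reference data standing in for the customer master file and policy.
VALID_CUSTOMERS = {"53724", "10014"}
CREDIT_LIMIT = Decimal("5000.00")  # limit check: a single upper bound
QTY_RANGE = (1, 999)               # range check: lower and upper bounds
REQUIRED = ("customer_no", "item_code", "quantity", "unit_price", "amount")


def validate_sales_record(rec: dict) -> list:
    """Return 'check:field' codes for every failed control; [] means clean."""
    errs = []
    # Missing data check: every required field present and not blank.
    for field in REQUIRED:
        if not str(rec.get(field, "")).strip():
            errs.append(f"missing:{field}")
    if errs:
        return errs
    # Numeric-alphabetic checks: quantity is digits; item code is 2 letters + digits.
    if not rec["quantity"].isdigit():
        errs.append("numeric:quantity")
    code = rec["item_code"]
    if not (len(code) > 2 and code[:2].isalpha() and code[2:].isdigit()):
        errs.append("alphanumeric:item_code")
    try:
        price, amount = Decimal(rec["unit_price"]), Decimal(rec["amount"])
    except InvalidOperation:
        errs.append("numeric:unit_price_or_amount")
    # Check digit catches transcription/transposition errors before the lookup;
    # the validity check then confirms the customer exists in the master file.
    if not verify_check_digit(rec["customer_no"]):
        errs.append("checkdigit:customer_no")
    elif rec["customer_no"] not in VALID_CUSTOMERS:
        errs.append("validity:customer_no")
    if any(e.startswith("numeric:") for e in errs):
        return errs  # the arithmetic checks below need numeric fields
    qty = int(rec["quantity"])
    # Range check: quantity must lie between the lower and upper bounds.
    if not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
        errs.append("range:quantity")
    # Limit check: the order amount must not exceed the pre-set limit.
    if amount > CREDIT_LIMIT:
        errs.append("limit:amount")
    # Reasonableness check: amount must agree with quantity x unit price.
    if amount != qty * price:
        errs.append("reasonableness:amount")
    return errs


# Constructed records: a clean one and one with a transposed customer number,
# a zero quantity and an amount that is both over the limit and inconsistent.
GOOD_RECORD = {"customer_no": "53724", "item_code": "AB123",
               "quantity": "12", "unit_price": "4.50", "amount": "54.00"}
BAD_RECORD = {"customer_no": "35724", "item_code": "AB123",
              "quantity": "0", "unit_price": "4.50", "amount": "9999.00"}

if __name__ == "__main__":
    print("check digit for 5372 ->", mod11_check_digit("5372"))
    print("good:", validate_sales_record(GOOD_RECORD))
    print("bad: ", validate_sales_record(BAD_RECORD))
```

The check digit is tested before the validity lookup on purpose: a transposed customer number such as 35724 fails the arithmetic immediately, so the master file is never consulted with a mis-keyed code, and a code that passes the arithmetic but is absent from the master is reported as a validity failure rather than a keying error.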
Application Processing Controls
Programmed processes that transform input data into information for output
Three categories:
Batch controls
Run-to-run controls
Audit trail controls
Application Processing Controls
Batch controls: reconcile system output with the input originally entered into the system
Based on different types of batch totals:
total number of records
total dollar value
hash totals: sum of non-financial numbers
Application Processing Controls
Run-to-run controls: use batch figures to monitor the batch as it moves from one programmed procedure (run) to another
Audit trail controls: numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements
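The three processing controls on the last three slides work together: batch totals are taken at data entry, each run recomputes and compares them (run-to-run), and each run logs what it processed (audit trail). The following is an added example, not the Hall text's code, that drives a constructed batch through two runs and shows which defect each total catches. Transaction fields and run names are assumptions.

```python
"""Batch, run-to-run and audit trail processing controls, added here as a
worked example (not the Hall text's code). A constructed batch of sales
transactions is entered with three batch totals (record count, dollar total and
a hash total of the account numbers). Each programmed procedure (run)
recomputes the totals on what it received and compares them with the totals
carried forward, so a record lost or altered between runs is caught, and each
run appends to a transaction log that lets every record be traced through the
stages. The transaction fields and the run names are assumptions."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account_no: int   # non-financial number, used only for the hash total
    amount: Decimal


@dataclass(frozen=True)
class BatchTotals:
    record_count: int
    dollar_total: Decimal
    hash_total: int   # sum of account numbers: meaningless as a figure, useful as a control


def compute_totals(batch) -> BatchTotals:
    """The three batch totals the slides describe, computed over a list of Txn."""
    return BatchTotals(
        record_count=len(batch),
        dollar_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(t.account_no for t in batch),
    )


def process_batch(batch, runs):
    """Drive `batch` through `runs`, a list of (name, procedure) pairs where each
    procedure takes and returns a list of Txn. Returns (ok, log). The totals
    taken at data entry are carried unchanged from run to run; a run whose
    recomputed totals differ stops the batch."""
    expected = compute_totals(batch)
    log = [f"entry: {expected}"]
    current = list(batch)
    for name, procedure in runs:
        current = procedure(current)
        got = compute_totals(current)
        if got != expected:
            log.append(f"{name}: RUN-TO-RUN CONTROL FAILED expected={expected} got={got}")
            return False, log
        log.append(f"{name}: totals agree {got}")
        for t in current:  # audit trail: one line per transaction per stage
            log.append(f"{name}: {t.txn_id} acct={t.account_no} amt={t.amount}")
    return True, log


# Constructed batch.
SAMPLE_BATCH = [
    Txn("T001", 1001, Decimal("125.00")),
    Txn("T002", 2045, Decimal("80.50")),
    Txn("T003", 1001, Decimal("19.99")),
]


# Programmed procedures. The first behaves; the others model defects a
# run-to-run control must catch.
def passthrough(txns):
    return list(txns)


def drop_last(txns):  # a lost record: caught by the record count and dollar total
    return list(txns[:-1])


def misposted_account(txns):  # count and dollars unchanged: only the hash total catches it
    t = txns[0]
    return [Txn(t.txn_id, t.account_no + 9, t.amount)] + list(txns[1:])


if __name__ == "__main__":
    for label, proc in (("good", passthrough), ("lost record", drop_last),
                        ("misposted account", misposted_account)):
        ok, log = process_batch(SAMPLE_BATCH, [("edit", passthrough), ("update", proc)])
        print(label, "->", "accepted" if ok else "rejected")
        print("  " + log[-1])
```

The misposted-account case is the reason hash totals exist: a record whose account number changes between runs leaves the count and the dollar total intact, and only the sum of the non-financial account numbers reveals it.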
Transaction Log to Preserve the Audit Trail
Figure 3-7
Master File Backup Controls
Sequential master file system: GFS (grandfather-father-son) backup technique
Batch system using direct access files: the destructive update approach calls for a separate master file backup procedure
Real-time system master file backup: processed continuously, therefore backup at pre-specified intervals through the day
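The GFS technique for a sequential master file follows from how a sequential update works: the run reads the current master and writes a new one, so the previous generation survives as a backup without a separate procedure, which is the contrast with the destructive update of a direct-access file. The following is an added example, not the Hall text's code, that rotates three generations and rebuilds a destroyed son from the father plus the retained batch. Account numbers and balances are constructed sample data.

```python
"""Grandfather-father-son (GFS) backup for a sequential master file, added as a
worked example (not the Hall text's code). A sequential batch update never
writes over the current master: it reads the father and writes a new son, so
the previous generation is a backup at no extra cost, unlike the destructive
update of a direct-access file. Keeping the batch that produced each generation
lets a lost or corrupted son be rebuilt from the father. Account numbers and
balances are constructed sample data."""
from decimal import Decimal


def sequential_update(master, batch):
    """Apply a batch of (account, delta) to a master held as a sorted list of
    (account, balance) and return a new sorted master. Both inputs are left
    untouched, which is what makes the old master the father."""
    deltas = {}
    for acct, delta in batch:
        deltas[acct] = deltas.get(acct, Decimal("0")) + delta
    updated = [(acct, bal + deltas.pop(acct, Decimal("0"))) for acct, bal in master]
    updated.extend((acct, deltas[acct]) for acct in deltas)  # accounts new to the master
    return sorted(updated)


class GfsStore:
    """Retains the three most recent master generations (son, father,
    grandfather) together with the batch that produced each one."""

    def __init__(self, initial_master):
        self.generations = [(sorted(initial_master), None)]

    @property
    def son(self):
        return self.generations[-1][0]

    def update(self, batch):
        son = sequential_update(self.son, batch)
        self.generations.append((son, list(batch)))
        self.generations = self.generations[-3:]  # rotate: keep three generations
        return son

    def recover_son(self):
        """Rebuild the son by re-running its batch against the father, and put
        the rebuilt file back in the son's place."""
        if len(self.generations) < 2:
            raise RuntimeError("no father generation retained")
        father, _ = self.generations[-2]
        _, batch = self.generations[-1]
        rebuilt = sequential_update(father, batch)
        self.generations[-1] = (rebuilt, batch)
        return rebuilt


def demo():
    """Three daily updates, then loss of the current master and its recovery.
    Returns (son_before_loss, son_after_recovery)."""
    store = GfsStore([("1001", Decimal("100.00")), ("2045", Decimal("50.00"))])
    store.update([("1001", Decimal("25.00")), ("3000", Decimal("10.00"))])
    store.update([("2045", Decimal("-50.00"))])
    son = store.update([("3000", Decimal("5.00"))])
    store.generations[-1] = ([], store.generations[-1][1])  # simulate a destroyed son
    return son, store.recover_son()


if __name__ == "__main__":
    before, after = demo()
    print("before loss:", before)
    print("recovered:  ", after)
    print("identical:", before == after)
```

Recovery depends on retaining the batch as well as the generation: the father alone cannot reproduce the son, so the transaction file is part of the backup set.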
Application Output Controls
Goal of output controls: ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated.
In the following flowchart, there are exposures at every stage.
Stages in the Output Process
Figure 3-12
Application Controls: Output
Output spooling: creates a file during the printing process that may be inappropriately accessed
Printing creates two risks:
production of unauthorized copies of output
employee browsing of sensitive data
Application Controls: Output
Waste: can be stolen if not properly disposed of, e.g., shredding
Report distribution: for sensitive reports, the following are available:
use of secure mailboxes
require the user to sign for reports
deliver the reports to the user
Application Controls: Output
End user controls:
end users inspect sensitive reports for accuracy
shred after use
Controlling digital output:
digital output messages can be intercepted, disrupted, destroyed, or corrupted as they pass along communications links
Cost Benefit
All internal controls have associated costs:
financial
operational
behavioral
Ensure benefits outweigh costs
Sarbanes Oxley 2002
Requires CEOs and CFOs to certify that to the best of their knowledge the filings their companies make with the SEC are accurate.
The officers must also certify that they have put into place necessary internal financial controls.
These internal financial controls must be audited by the outside auditor.
Penalty: fines up to $5 million and prison up to 20 years
