
Practice – System Documentation Techniques

REVIEW

• Batch Processing
• Real Time Processing

• Source Documents
• Turnaround documents

• General ledger
• Subsidiary ledger
Practice: System Documentation

• Document Flowcharts
• To demonstrate the preparation of a document flowchart, let’s
assume that an auditor needs to flowchart a sales order system
to evaluate its internal controls and procedures. The auditor will
begin by interviewing individuals involved in the sales order
process to determine what they do. This information will be
captured in a set of facts similar to those below. Keep in mind
that the purpose here is to demonstrate flowcharting. Thus, for
clarity, the system facts are intentionally simplistic.
[Figure: Document flowchart of the sales order process, with columns for the Sales Department, Credit Department, Warehouse Department and Shipping Department.]

System Flowchart

[Figure: System flowchart of the sales order process, with columns for the Sales Department, Computer Operations Dept, Warehouse Department and Shipping Department.]
• What are the documents that will be used by this cycle?
• For each document stated above, is this a source, product, or
turnaround document?
• What are the journals that will be used in this cycle?
• For each journal stated, is this a general or special journal?
• What are the ledgers that will be used in this cycle?
• For each ledger stated, is this a subsidiary or general ledger?
System Documentation—Payroll
• The following describes the payroll procedures for a hypothetical company.
• Every Thursday, the timekeeping clerk sends employee time cards to the payroll
department for processing. Based on the hours worked reflected on the time cards, the
employee pay rate and withholding information in the employee file, and the tax rate
reference file, the payroll clerk calculates gross pay, withholdings, and net pay for each
employee. The clerk then prepares paychecks for each employee, files copies of the
paychecks in the payroll department, and posts the earnings to the employee records.
Finally, the clerk prepares a payroll summary and sends it and the paychecks to the
cash disbursements (CD) department.
• The CD clerk reconciles the payroll summary with the paychecks and records the
transaction in the cash disbursements journal. The clerk then files the payroll summary and
sends the paychecks to the treasurer for signing.
• The signed checks are then sent to the paymaster, who distributes them to the
employees on Friday morning.
Required:
• Prepare a data flow diagram and a flowchart of the payroll procedures previously
described.
System Flowchart
• Using the diagram on the following page, answer the following questions:
a. What do Symbols 1 and 2 represent?
b. What does the operation involving Symbols 3 and 4 depict?
c. What does the operation involving Symbols 4 and 5 depict?
d. What does the operation involving Symbols 6, 8, and 9 depict?
TECHNIQUES

[Figures: incorrect versus correct flowchart layouts for report, process and store symbols; "Forwarding to another column" (sales order example); "Exemption" (Customer Order, Process, Relational Database).]
LECTURE 4 – SELF PHASE REVIEW
Ethics, Fraud, and
Internal Control
LECTURE 5,6,7
BUSINESS ETHICS
• Ethics pertains to the principles of conduct that individuals use in making
choices and guiding their behavior in situations that involve the concepts of
right and wrong. More specifically, business ethics involves finding the
answers to two questions:
(1) How do managers decide what is right in conducting their business? and
(2) Once managers have recognized what is right, how do they achieve it?
• Business practices and decisions in each of the following areas have
ethical implications:
• Equity
• Rights
• Honesty
• Exercise of Corporate Power
Making Ethical Decisions

Ethical Principles
• Proportionality. The benefit from a decision must outweigh the risks.
Furthermore, there must be no alternative decision that provides the same or
greater benefit with less risk.
• Justice. The benefits of the decision should be distributed fairly to those
who share the risks.
• Minimize risk. Even if judged acceptable by the principles, the
decision should be implemented so as to minimize all of the risks and
avoid any unnecessary risks.
Computer Ethics

• The use of information technology in business has had a major
impact on society and thus raises significant ethical issues regarding
computer crime, working conditions, privacy, and more. Computer
ethics is “the analysis of the nature and social impact of computer
technology and the corresponding formulation and justification of
policies for the ethical use of such technology. . . . [This includes]
concerns about software as well as hardware and concerns about
networks connecting computers as well as computers themselves.”
Computer Ethics

• Privacy
• Security, Accuracy and Confidentiality
• Ownership of Property
• Equity in Access
• Environmental Issues
• Artificial Intelligence
• Unemployment and Displacement
• Misuse of Computers
Sarbanes-Oxley Act and Ethical Issues: Section 406—Code of Ethics for Senior Financial Officers
• Section 406 of SOX requires public companies to disclose
to the SEC whether they have adopted a code of ethics
that applies to the organization’s CEO, CFO, controller,
or persons performing similar functions. If the company
has not adopted such a code, it must explain why. A
public company may disclose its code of ethics in
several ways: (1) included as an exhibit to its annual
report, (2) as a posting to its website, or (3) by agreeing
to provide copies of the code upon request.
The SEC has ruled that compliance with Section 406
necessitates a written code of ethics that addresses the
following ethical issues.

• Conflicts of Interest.
• Full and Fair Disclosures.
• Legal Compliance.
• Internal Reporting of Code Violations.
• Accountability.
Fraud and Accountants
Definitions of Fraud
Fraud denotes a false representation of a material fact made by one party
to another party with the intent to deceive and induce the other party to
justifiably rely on the fact to his or her detriment. According to common
law, a fraudulent act must meet the following five conditions:
1. False representation. There must be a false statement or a
nondisclosure.
2. Material fact. A fact must be a substantial factor in inducing someone
to act.
3. Intent. There must be the intent to deceive or the knowledge that
one’s statement is false.
4. Justifiable reliance. The misrepresentation must have been a
substantial factor on which the injured party relied.
5. Injury or loss. The deception must have caused injury or loss to the
victim of the fraud.
Auditors encounter fraud at two levels: employee fraud and
management fraud. Because each form of fraud has different
implications for auditors, we need to distinguish between the
two.
Employee fraud, or fraud by nonmanagement employees, is generally
designed to directly convert cash or other assets to the employee’s
personal benefit.
• Employee fraud usually involves three steps:
(1) stealing something of value (an asset),
(2) converting the asset to a usable form (cash), and
(3) concealing the crime to avoid detection.
Management fraud is more insidious than employee fraud because it
often escapes detection until the organization has suffered irreparable
damage or loss. Usually management fraud does not involve the direct
theft of assets.
• Management fraud typically contains three special characteristics:
1. The fraud is perpetrated at levels of management above the one
to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to
create an illusion that an entity is healthier and more prosperous
than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is
shrouded in a maze of complex business transactions, often
involving related third parties.
The Fraud Triangle (Factors that Contribute to Fraud)
The Fraud Triangle consists of three factors that contribute to or are
associated with management and employee fraud.
1. Situational pressure
2. Opportunity
3. Ethics (Rationalization)
Public accounting firms have developed checklists to
help uncover fraudulent activity during an audit.
Questions for such a checklist might include:
• Do key executives have unusually high personal debt?
• Do key executives appear to be living beyond their means?
• Do key executives engage in habitual gambling?
• Do key executives appear to abuse alcohol or drugs?
• Do any of the key executives appear to lack personal codes of ethics?
• Are economic conditions unfavorable within the company’s industry?
• Does the company use several different banks, none of which sees the
company’s entire financial picture?
• Do any key executives have close associations with suppliers?
• Is the company experiencing a rapid turnover of key employees, either
through resignation or termination?
• Do one or two individuals dominate the company?
Financial Losses from Fraud

The actual cost of fraud is difficult to quantify for a number of reasons:

(1) not all fraud is detected;
(2) of that detected, not all is reported;
(3) in many fraud cases, incomplete information is gathered;
(4) information is not properly distributed to management or law
enforcement authorities; and
(5) too often, business organizations decide to take no civil or
criminal action against the perpetrator(s) of fraud.
The Perpetrators of Frauds
ACFE
• The ACFE study examined a number of factors that characterized
the perpetrators of the frauds, including position within the
organization, collusion with others, gender, age, and education. The
median financial loss was calculated for each factor. The results of
the study are summarized in Tables 3-3 through 3-7.
Fraud Schemes
Three broad categories of fraud schemes are defined:

1. Fraudulent Statements
2. Corruption
3. Asset Misappropriation
Fraud Schemes
1. Fraudulent Statements
The Underlying Problems.
• Lack of Auditor Independence.
• Lack of Director Independence.
• Questionable Executive Compensation Schemes.
• Inappropriate Accounting Practices.
Sarbanes-Oxley Act and Fraud (SOX)
The act establishes a framework to modernize and reform the oversight
and regulation of public company auditing. Its principal reforms
pertain to
• (1) the creation of an accounting oversight board,
• (2) auditor independence,
• (3) corporate governance and responsibility,
• (4) disclosure requirements,
• (5) issuer and management disclosure, and
• (6) fraud and criminal penalties.
Corruption
Corruption involves an executive, manager, or employee
of the organization in collusion with an outsider.
• Bribery. Bribery involves giving, offering, soliciting, or receiving things of value to
influence an official in the performance of his or her lawful duties.
• Illegal Gratuities. An illegal gratuity involves giving, receiving, offering, or soliciting
something of value because of an official act that has been taken.
• Conflicts of Interest. Every employer should expect that his or her employees will
conduct their duties in a way that serves the interests of the employer. A conflict
of interest occurs when an employee acts on behalf of a third party during the
discharge of his or her duties or has self-interest in the activity being performed.
• Economic Extortion. Economic extortion is the use (or threat) of force (including
economic sanctions) by an individual or organization to obtain something of
value.
Asset Misappropriation
Examples of fraud schemes involving asset misappropriation
are described in the following sections.
• Charges to Expense Accounts
• Lapping
• Transaction Fraud
• Computer Fraud Schemes
• Data Collection
• Program Fraud
• Operations Fraud
• Database Management
• Information Generation
Internal Control Concept and
Techniques
The internal control system comprises policies, practices, and
procedures employed by the organization to achieve four broad
objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and
information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies
and procedures.
Inherent in these control objectives are four
Modifying Assumptions that guide designers and
auditors of internal controls:
• Management Responsibility. This concept holds that the establishment and
maintenance of a system of internal control is a management responsibility.
• Reasonable Assurance. The internal control system should provide reasonable
assurance that the four broad objectives of internal control are met in a
cost-effective manner.
• Methods of Data Processing. Internal controls should achieve the four broad
objectives regardless of the data processing method used. The control
techniques used to achieve these objectives will, however, vary with different
types of technology.
• Limitations. Every system of internal control has limitations on its effectiveness.
These include (1) the possibility of error, (2) circumvention, (3) management
override, (4) changing conditions.
Exposures and Risk
The absence or weakness of a control is
called an exposure. Exposures, which are
illustrated as holes in the control shield in
Figure 3-3, increase the firm’s risk to
financial loss or injury from undesirable
events. A weakness in internal control
may expose the firm to one or more of
the following types of risks:

1. Destruction of assets (both physical assets and information).
2. Theft of assets.
3. Corruption of information or the information system.
4. Disruption of the information system.
The Preventive–Detective–Corrective Internal Control Model – (PDC Model)
• Preventive Controls. Prevention is the first line of defense in the control structure.
Preventive controls are passive techniques designed to reduce the frequency of
occurrence of undesirable events. Preventive controls force compliance with
prescribed or desired actions and thus screen out aberrant events.
• Detective Controls. Detective controls form the second line of defense. These are
devices, techniques, and procedures designed to identify and expose
undesirable events that elude preventive controls.
• Corrective Controls. Corrective controls are actions taken to reverse the effects
of errors detected in the previous step. There is an important distinction between
detective controls and corrective controls. Detective controls identify anomalies
and draw attention to them; corrective controls actually fix the problem.
[Figure: Preventive, Detective, and Corrective control levels]
Sarbanes-Oxley and Internal
Control
This entails providing an annual report addressing the following points:
1. a statement of management’s responsibility for establishing and maintaining
adequate internal control;
2. an assessment of the effectiveness of the company’s internal controls over
financial reporting;
3. a statement that the organization’s external auditors have issued an
attestation report on management’s assessment of the company’s internal
controls;
4. an explicit written conclusion as to the effectiveness of internal control over
financial reporting; and
5. a statement identifying the framework used in their assessment of internal
controls.
SAS 78/COSO Internal Control
Framework
Committee of Sponsoring Organizations of the Treadway Commission
(COSO). The SAS 78/COSO framework consists of five components:
1. The control environment,
2. Risk assessment,
3. Information and communication,
4. Monitoring, and
5. Control activities
The Control Environment
Important elements of the control environment are:
• The integrity and ethical values of management.
• The structure of the organization.
• The participation of the organization’s board of directors and the audit
committee, if one exists.
• Management’s philosophy and operating style.
• The procedures for delegating responsibility and authority.
• Management’s methods for assessing performance.
• External influences, such as examinations by regulatory agencies.
• The organization’s policies and practices for managing its human resources.
SAS 78 requires that auditors obtain sufficient knowledge to assess
the attitude and awareness of the organization’s management,
board of directors, and owners regarding internal control. The
following paragraphs provide examples of techniques that may
be used to obtain an understanding of the control environment.
• Auditors should assess the integrity of the organization’s
management and may use investigative agencies to report
on the backgrounds of key managers.
• Auditors should be aware of conditions that would
predispose the management of an organization to commit
fraud.
• Auditors should understand a client’s business and industry
and should be aware of conditions peculiar to the industry
that may affect the audit.
• The board of directors should adopt, as a minimum, the
provisions of SOX. In addition, the following guidelines
represent established best practices.
1. Separate CEO and chairman.
2. Set ethical standards.
3. Establish an independent audit committee.
4. Compensation committees.
5. Nominating committees.
6. Access to outside professionals.
Risk Assessment
Organizations must perform a risk assessment to identify, analyze, and manage risks
relevant to financial reporting. Risks can arise or change from circumstances such as:
1. Changes in the operating environment that impose new or changed competitive pressures
on the firm.
2. New personnel who have a different or inadequate understanding of internal control.
3. New or reengineered information systems that affect transaction processing.
4. Significant and rapid growth that strains existing internal controls.
5. The implementation of new technology into the production process or information system
that impacts transaction processing.
6. The introduction of new product lines or activities with which the organization has little
experience.
7. Organizational restructuring resulting in the reduction and/or reallocation of personnel such
that business operations and transaction processing are affected.
8. Entering into foreign markets that may impact operations (that is, the risks associated with
foreign currency transactions).
9. Adoption of a new accounting principle that impacts the preparation of financial
statements.
Information and Communication
An effective accounting information system will:
• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient detail to permit proper
classification and financial reporting.
• Accurately measure the financial value of transactions so their effects can be recorded
in financial statements.
• Accurately record transactions in the time period in which they occurred.
• The classes of transactions that are material to the financial statements and how those
transactions are initiated.
• The accounting records and accounts that are used in the processing of material
transactions.
• The transaction processing steps involved from the initiation of a transaction to its
inclusion in the financial statements.
• The financial reporting process used to prepare financial statements, disclosures, and
accounting estimates.
Monitoring
Management must determine that internal controls are functioning as intended.
Monitoring is the process by which the quality of internal control design and
operation can be assessed. This may be accomplished by separate procedures or
by ongoing activities.

Control Activities
Control activities are the policies and
procedures used to ensure that appropriate
actions are taken to deal with the
organization’s identified risks. Control activities
can be grouped into two distinct categories:
• IT controls and
• Physical controls.

6 categories of physical control activities:
1. Transaction authorization
2. Segregation of duties
3. Supervision
4. Accounting records
5. Access control
6. Independent verification.
