COMPONENTS OF INTERNAL CONTROL. ACCT430, Notes, Chapter 7, Internal Controls

Transcription

1 ACCT430, Notes, Chapter 7, Internal Controls DEFINITION OF INTERNAL CONTROLS (COSO) (Note: COSO is the acronym for the Committee of Sponsoring Organizations, which includes American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants and Institute of Internal Auditors.) Internal Controls: A process, effected by the board, management & employees, designed to provide reasonable assurance regarding the achievement of the following objectives: - Safeguard assets - Reliable & accurate financial reporting (errors & irregularities) - Effective & efficient operations - Compliance with policies, laws and regulations ENTERPRISE RISK MANAGEMENT In response to the accounting scandals, COSO developed an expanded framework for internal controls related to identifying and analyzing risk. Here is a COSO Cube illustration of the main components. The COSO Framework was most recently updated in May, Go here for a summary: COMPONENTS OF INTERNAL CONTROL 1. The Control Environment a. Integrity and ethical values (often referred to as tone at the top : (1) establish behavioral and ethical standards (formal code) (2) remove or reduce incentives or temptations to engage in unethical behavior (executive pay based on S/T profits, etc) (3) management needs to model highest integrity ((for a good example, Sysco Systems, a bellwether stock in the tech industry, has a good ethics policy and is known for its honest accounting and reporting.) See video on Fraud and the Tone at the Top at b. Commitment to Competence: employees should possess the needed skills and knowledge and be adequately trained if internal controls are going to be effective. Acquiring a quality human resource base is a critical factor for having good internal controls (e.g. Coffey Communications). c. Board of Directors and Audit Committee: (1) board should be experienced and knowledgeable; board should be independent from management in order to represent the owners best interests; conflict of interest statements should be signed annually (2) audit committee should be competent and independent in its dealing with audit issues (must consist of at 3-5 least outside directors who are not employees). Many accounting frauds have occurred when the audit committee was asleep or too cozy with management. d. Management philosophy & operating style: (1) an extremely aggressive, high-risk style might raise different internal control issues than a conservative, risk-adverse style

2 (2) a loose informal style might tend to communicate controls orally and sporadically while a formal style might be better at emphasizing and communicating written policies and procedures. e. Organizational structure: can be an important control if well designed. Segregation of Duties: must separate the responsibilities for ARC: Authorization of transactions Recordkeeping for transactions Custody of transactions. (NOTE: Sometimes, the word Operation is also added to the list of duties to be segregated if possible. This would lead to the acronym ARCO.) -- e.g. Finance dept. usually has authorization and custody functions and accounting has recordkeeping function. These lines of authority should be clearly delineated in the organizational structure. -- e.g. Internal controls require clear job descriptions with definitions of authority, responsibility, and reporting. Human resource policies & procedures: (1) Background/reference checks on new employees (e.g. Starbucks and Rosemary Heinen) (2) Hiring procedures to ensure employees are trained and competent (3) Establish job/shift accountability; job descriptions that delineate clear lines of responsibility, authority and communication (4) Fidelity bonds for all employees in cash-sensitive positions (5) require mandatory vacations (e.g. two weeks taken consecutively) (6) require cross-training and rotation of duties. Vacation

3 Job/Shift Responsibility

4 2. Risk Assessment Internal controls require that an assessment be made of the events that might weaken or break controls. Management and auditors should brain-storm about how fraud might occur or what events that might weaken controls, such as: a. Changes in the regulatory or operating environment b. Changes in key personnel c. Implementation of new computer system d. Rapid growth domestically or internationally e. New lines of business f. Corporate restructurings g. Adoption of new accounting principles Regular review of risk mgmt/policies is critical. 3. The Accounting Information & Communication System (1) For good internal control, the AIS should properly record & classify all valid transactions in the proper accounting period, and should present adequate disclosures of information. (2) There should be a well-defined chart of accounts and a manual of accounting policies and procedures. There should be clear guidance on issues such as capitalization cutoff and retention of records (see WWU s) and other issues where GAAP is not clear or where significant judgment is required. 4. Control Activities Physical or information system checks/balances a. Performance reviews: preparing budgets and forecasts and properly investigating variances. b. Information processing controls (covered later in a separate chapter; e.g. change passwords; control over creation of new vendor files in the system, etc.).

5 c. Physical controls. Examples: (1) Safeguarding of records and files, e.g. fireproof storage, offsite backup, etc. (2) Pre-numbered documents (3) Restricted access to documents/assets (e.g. safes, locks, guards, etc.). Don t leave blank checks unsecured. Don t tape the key to the inside of the petty cash box lid. Have proper controls over inventory and supplies (e.g. wheelbarrows). (4) Mechanical or computerized sales registers (independent sales record, such as an X or Z tape) (5) Periodic physical counts comparing assets with accounting records (e.g. inventory) d. Segregation of duties: (1) As previously discussed, the acronym ARCO is used for: Authorization, Record-keeping, Custody, and Operation. (2) Important to not have one individual responsible for authorization, recordkeeping and custody, and also operation if possible. (3) Can be circumvented if there is collusion among employees. (4) Very hard to achieve proper segregation of duties in small businesses with only a few employees. The key is to have pervasive owner/manager influence, where the owner/manager is actively involved in the accounting/reporting process. An ideal control would be to have the owner/manager prepare the bank reconciliation and also perhaps make the bank deposits. Should be dual signatures required for large checks. 5. Monitoring This involves accessing the quality of internal controls over time. Examples include: a. Internal audits b. External audits c. Recording customer or employee complaints (very important to have an anonymous hotline as a great many frauds become unraveled with an employee tip) d. Reviewing reasonableness of reported information (e.g. comparing budget to actual and investigating variances) e. Having exception reports prepared and reviewed (e.g. all overrides of computer controls reviewed periodically) Control Types i) Preventative controls to prevent problems from occurring in the first place. Never failsafe but an ounce of prevention is worth a pound of cure. Example: Signature plates are kept under lock and key to prevent someone from processing an unauthorized check. ii) Detective controls alert management when preventative controls have failed. Example: Bank accounts are reconciled regularly, so that any checks written but not recorded in the accounting system are immediately identified. iii) Corrective controls procedures used to solve a problem. May also be a preventative control. Example: if a large unauthorized check is processed with signature plate, make arrangement with bank that all checks over a certain dollar amount also require a manual signature.

6 Understanding and Documenting Internal Controls Accountants generally use a combination of three methods to understand and document internal controls: Internal Control Questionnaire: Although quick, easy and comprehensive, it is inflexible (parts of it may not apply to your audit client) and can be completed without a lot of thought. Written Narrative: Although this approach forces an understanding and can be tailor-made to suit your client, it is very time consuming and may not be comprehensive (easy to overlook or exclude important items). Flowcharts: Many experienced accountants find flowcharts to be the most effective. With flowchart software (such as Microsoft Visio), professionally-looking flowcharts can be produced without too much effort. To the experienced reader, flowcharts convey a clear, comprehensive image of the system with less chance of blank spots being overlooked. But it does take experience with flowcharts to understand them well.

7 Reporting Internal Controls Weaknesses Certain terms are used by auditors to describe the magnitude of internal control weaknesses, listed below in order of increasing severity: A control deficiency exists when management or employees would not in the normal course of performing their functions detect or prevent any financial statement misstatement, material or immaterial. A significant deficiency exists when a company is not able to initiate, authorize, record, process, or report financial data reliably, resulting in a more than remote chance of a consequential misstatement occurring in the financial statements. A material weakness is when there is more than a remote chance that a material misstatement would occur in the financial statements. The first item (control deficiencies) must be communicated to management in a management letter. The last two items (significant deficiency & material weakness) must be communicated to the audit committee. Sarbanes-Oxley Act of 2002 For public companies, Section 404 requires a report on the adequacy of internal controls to be made both by management and the auditor. For auditors, this is called an integrated audit, since the audit report covers both financial statements and internal controls. Limitations of Internal Controls 1. Mistakes, judgment errors, fatigue 2. Management override (regardless of strong internal controls, management is in a position to override all internal controls.) 3. Collusion among employees. (Segregation of duties doesn t work when fraudsters collude together. However, collusion usually breaks down at some point, as members of the fraud ring fall out of favor with each other or feel slighted or taken advantage of.) 4. Cost/benefit trade-off. Some internal controls may be so costly to implement that they are not worth the benefit. For example, would it make sense to hire a full-time security guard to protect the office supply closet from unscrupulous employees stealing supplies?

8

9 Studies have consistently shown the above three factors to be present in a fraud case. Opportunity is afforded by a weakness in internal control (a perpetrator sees an opportunity to take advantage of a hold in internal controls). Financial pressure usually occurs because of a bad financial situation at home. Rationalizations for fraud include when the perpetrator feels underpaid and underappreciated at work, or feels that everyone else is doing it, or that he might lose his job if he didn t do, etc.

10 STARBUCKS: Example of a Fraud Rosemary Heinen: Claimed to have an obsessivecompulsive disorder to shop until she dropped To feed her habit, she stole from a series of employers In 1997, she declared Ch. 7 bankruptcy with assets of $400k and liabilities of $680k, including $200k of bad checks Hired by Starbucks in 1999 to work in Accts. Payable no background check Heinen created a fictitious vendor, a shell company, which billed Starbucks $3.7 million of phony invoices in 8 mos. - biggest embezzlement ever in King County STARBUCKS: Example of a Fraud Starbucks didn t know that the consulting co. wasn t licensed in WA, had no office, and that the PO box and voic was registered in Heinen s name. Heinen s house was stacked to the ceiling with stuff, including 3 Steinway pianos, 2 big screen TVs, 8 bicycles, 5 digital satellite systems, CD players stacked to the ceiling, exercise equip., jewelry, novels, hundreds of Barbie Dolls, etc. overflowing everywhere. She accumulated 34 cars, including a Model T, Porche, Aston Martin, Dodge Viper, BMW, 3 Corvettes, Mercedes Replica, etc. She also had 3 boats, including a $310k, 47-ft Bayliner

11 STARBUCKS: Example of a Fraud In 2002, Heinen was sentenced to 4 years in jail and restitution of $2.6m to Starbucks (net of recovery). She asked for special counseling and therapy while in jail to treat her disorder. Clearly, internal controls at Starbucks had a hole big enough to drive a truck through Starbucks at the time owned the Sonics basketball team. If the Sonics had a defense at porous as Starbucks internal controls, opponents would be able to do layups with no one to stop them.

12