COMPONENTS OF INTERNAL CONTROL. ACCT430, Notes, Chapter 7, Internal Controls




DEFINITION OF INTERNAL CONTROLS (COSO)

(Note: COSO is the acronym for the Committee of Sponsoring Organizations, which includes the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants and Institute of Internal Auditors.)

Internal Controls: A process, effected by the board, management & employees, designed to provide reasonable assurance regarding the achievement of the following objectives:
- Safeguard assets
- Reliable & accurate financial reporting (errors & irregularities)
- Effective & efficient operations
- Compliance with policies, laws and regulations

ENTERPRISE RISK MANAGEMENT

In response to the accounting scandals, COSO developed an expanded framework for internal controls related to identifying and analyzing risk. Here is a COSO Cube illustration of the main components. The COSO Framework was most recently updated in May 2013. Go here for a summary: http://www.coso.org/documents/coso%20mcnallytransition%20articlefinal%20coso%20version%20proof_5-31-13.pdf

COMPONENTS OF INTERNAL CONTROL

1. The Control Environment

a. Integrity and ethical values (often referred to as "tone at the top"):
   (1) establish behavioral and ethical standards (formal code)
   (2) remove or reduce incentives or temptations to engage in unethical behavior (executive pay based on short-term profits, etc.)
   (3) management needs to model the highest integrity (for a good example, Cisco Systems, a bellwether stock in the tech industry, has a good ethics policy and is known for its honest accounting and reporting). See the video on Fraud and the Tone at the Top at http://www.youtube.com/watch?v=x2mjke6x5ne

b. Commitment to Competence: employees should possess the needed skills and knowledge and be adequately trained if internal controls are going to be effective. Acquiring a quality human resource base is a critical factor for having good internal controls (e.g. Coffey Communications).

c. Board of Directors and Audit Committee:
   (1) board should be experienced and knowledgeable; board should be independent from management in order to represent the owners' best interests; conflict of interest statements should be signed annually
   (2) audit committee should be competent and independent in its dealing with audit issues (must consist of at least 3-5 outside directors who are not employees). Many accounting frauds have occurred when the audit committee was asleep or too cozy with management.

d. Management philosophy & operating style:
   (1) an extremely aggressive, high-risk style might raise different internal control issues than a conservative, risk-averse style

   (2) a loose informal style might tend to communicate controls orally and sporadically, while a formal style might be better at emphasizing and communicating written policies and procedures.

e. Organizational structure: can be an important control if well designed.

Segregation of Duties: must separate the responsibilities for ARC:
- Authorization of transactions
- Recordkeeping for transactions
- Custody of transactions
(NOTE: Sometimes, the word Operation is also added to the list of duties to be segregated if possible. This would lead to the acronym ARCO.)
-- e.g. Finance dept. usually has authorization and custody functions and accounting has recordkeeping function. These lines of authority should be clearly delineated in the organizational structure.
-- e.g. Internal controls require clear job descriptions with definitions of authority, responsibility, and reporting.

Human resource policies & procedures:
   (1) Background/reference checks on new employees (e.g. Starbucks and Rosemary Heinen)
   (2) Hiring procedures to ensure employees are trained and competent
   (3) Establish job/shift accountability; job descriptions that delineate clear lines of responsibility, authority and communication
   (4) Fidelity bonds for all employees in cash-sensitive positions
   (5) Require mandatory vacations (e.g. two weeks taken consecutively)
   (6) Require cross-training and rotation of duties.

[Figure panels: Vacation; Job/Shift Responsibility]

2. Risk Assessment

Internal controls require that an assessment be made of the events that might weaken or break controls. Management and auditors should brainstorm about how fraud might occur or what events might weaken controls, such as:
a. Changes in the regulatory or operating environment
b. Changes in key personnel
c. Implementation of new computer system
d. Rapid growth domestically or internationally
e. New lines of business
f. Corporate restructurings
g. Adoption of new accounting principles
Regular review of risk management policies is critical.

3. The Accounting Information & Communication System

   (1) For good internal control, the AIS should properly record & classify all valid transactions in the proper accounting period, and should present adequate disclosures of information.
   (2) There should be a well-defined chart of accounts and a manual of accounting policies and procedures. There should be clear guidance on issues such as capitalization cutoff and retention of records (see WWU's) and other issues where GAAP is not clear or where significant judgment is required.

4. Control Activities

Physical or information system checks/balances:

a. Performance reviews: preparing budgets and forecasts and properly investigating variances.

b. Information processing controls (covered later in a separate chapter; e.g. change passwords; control over creation of new vendor files in the system, etc.).

c. Physical controls. Examples:
   (1) Safeguarding of records and files, e.g. fireproof storage, offsite backup, etc.
   (2) Pre-numbered documents
   (3) Restricted access to documents/assets (e.g. safes, locks, guards, etc.). Don't leave blank checks unsecured. Don't tape the key to the inside of the petty cash box lid. Have proper controls over inventory and supplies (e.g. wheelbarrows).
   (4) Mechanical or computerized sales registers (independent sales record, such as an X or Z tape)
   (5) Periodic physical counts comparing assets with accounting records (e.g. inventory)

d. Segregation of duties:
   (1) As previously discussed, the acronym ARCO is used for: Authorization, Record-keeping, Custody, and Operation.
   (2) It is important not to have one individual responsible for authorization, recordkeeping and custody, and also operation if possible.
   (3) Can be circumvented if there is collusion among employees.
   (4) Very hard to achieve proper segregation of duties in small businesses with only a few employees. The key is to have pervasive owner/manager influence, where the owner/manager is actively involved in the accounting/reporting process. An ideal control would be to have the owner/manager prepare the bank reconciliation and also perhaps make the bank deposits. Dual signatures should be required for large checks.

5. Monitoring

This involves assessing the quality of internal controls over time. Examples include:
a. Internal audits
b. External audits
c. Recording customer or employee complaints (very important to have an anonymous hotline, as a great many frauds become unraveled with an employee tip)
d. Reviewing reasonableness of reported information (e.g. comparing budget to actual and investigating variances)
e. Having exception reports prepared and reviewed (e.g. all overrides of computer controls reviewed periodically)

Control Types

i) Preventative controls: to prevent problems from occurring in the first place. Never failsafe, but an ounce of prevention is worth a pound of cure.
   Example: Signature plates are kept under lock and key to prevent someone from processing an unauthorized check.

ii) Detective controls: alert management when preventative controls have failed.
   Example: Bank accounts are reconciled regularly, so that any checks written but not recorded in the accounting system are immediately identified.

iii) Corrective controls: procedures used to solve a problem. May also be a preventative control.
   Example: if a large unauthorized check is processed with the signature plate, make an arrangement with the bank that all checks over a certain dollar amount also require a manual signature.
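The segregation-of-duties rule (ARC) and the exception reports listed under Monitoring can be combined into one detective control. The sketch below is an added example, not part of the original notes; the record layout, names and disbursement IDs are constructed for illustration. It flags any disbursement where one person performed two or more ARC duties, or where a duty has no recorded performer.

```python
from collections import defaultdict

# The three ARC duties from the notes that must be held by different people.
CORE_DUTIES = ("authorization", "recordkeeping", "custody")

# Constructed sample data: who performed each duty on each disbursement.
SAMPLE_DISBURSEMENTS = [
    {"id": "D-1001", "authorization": "alice", "recordkeeping": "bob", "custody": "carol"},
    {"id": "D-1002", "authorization": "dave", "recordkeeping": "Dave ", "custody": "carol"},
    {"id": "D-1003", "authorization": "erin", "recordkeeping": "erin", "custody": "erin"},
    {"id": "D-1004", "authorization": "alice", "recordkeeping": "bob", "custody": None},
]


def sod_exceptions(transactions, duties=CORE_DUTIES):
    """Build an exception report: one entry per transaction that breaks ARC.

    A transaction is an exception when one person holds 2+ duties, or when
    a duty has no recorded performer (segregation cannot be verified).
    """
    report = []
    for txn in transactions:
        duties_by_person = defaultdict(list)
        missing = []
        for duty in duties:
            person = txn.get(duty)
            if not person or not person.strip():
                missing.append(duty)
            else:
                # Normalise so "Dave " and "dave" count as the same person.
                duties_by_person[person.strip().lower()].append(duty)
        conflicts = {p: d for p, d in duties_by_person.items() if len(d) > 1}
        if conflicts or missing:
            report.append({"id": txn["id"], "conflicts": conflicts, "missing": missing})
    return report


def conflict_counts(report):
    """Count conflicting transactions per person, to prioritise review."""
    counts = defaultdict(int)
    for entry in report:
        for person in entry["conflicts"]:
            counts[person] += 1
    return dict(counts)


if __name__ == "__main__":
    for entry in sod_exceptions(SAMPLE_DISBURSEMENTS):
        print(entry)
```

A check like this only sees what the records say: as the notes point out, it cannot detect collusion between employees who each hold a single duty.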

Understanding and Documenting Internal Controls

Accountants generally use a combination of three methods to understand and document internal controls:

- Internal Control Questionnaire: Although quick, easy and comprehensive, it is inflexible (parts of it may not apply to your audit client) and can be completed without a lot of thought.
- Written Narrative: Although this approach forces an understanding and can be tailor-made to suit your client, it is very time consuming and may not be comprehensive (easy to overlook or exclude important items).
- Flowcharts: Many experienced accountants find flowcharts to be the most effective. With flowchart software (such as Microsoft Visio), professional-looking flowcharts can be produced without too much effort. To the experienced reader, flowcharts convey a clear, comprehensive image of the system with less chance of blank spots being overlooked. But it does take experience with flowcharts to understand them well.

Reporting Internal Controls Weaknesses

Certain terms are used by auditors to describe the magnitude of internal control weaknesses, listed below in order of increasing severity:

- A control deficiency exists when management or employees would not in the normal course of performing their functions detect or prevent any financial statement misstatement, material or immaterial.
- A significant deficiency exists when a company is not able to initiate, authorize, record, process, or report financial data reliably, resulting in a more than remote chance of a consequential misstatement occurring in the financial statements.
- A material weakness is when there is more than a remote chance that a material misstatement would occur in the financial statements.

The first item (control deficiencies) must be communicated to management in a management letter. The last two items (significant deficiency & material weakness) must be communicated to the audit committee.

Sarbanes-Oxley Act of 2002

For public companies, Section 404 requires a report on the adequacy of internal controls to be made both by management and the auditor. For auditors, this is called an integrated audit, since the audit report covers both financial statements and internal controls.

Limitations of Internal Controls

1. Mistakes, judgment errors, fatigue
2. Management override (regardless of strong internal controls, management is in a position to override all internal controls.)
3. Collusion among employees. (Segregation of duties doesn't work when fraudsters collude together. However, collusion usually breaks down at some point, as members of the fraud ring fall out of favor with each other or feel slighted or taken advantage of.)
4. Cost/benefit trade-off. Some internal controls may be so costly to implement that they are not worth the benefit. For example, would it make sense to hire a full-time security guard to protect the office supply closet from unscrupulous employees stealing supplies?

Studies have consistently shown the above three factors to be present in a fraud case. Opportunity is afforded by a weakness in internal control (a perpetrator sees an opportunity to take advantage of a hole in internal controls). Financial pressure usually occurs because of a bad financial situation at home. Rationalizations for fraud include when the perpetrator feels underpaid and underappreciated at work, or feels that everyone else is doing it, or that he might lose his job if he didn't do it, etc.

STARBUCKS: Example of a Fraud

Rosemary Heinen:
- Claimed to have an obsessive-compulsive disorder to shop until she dropped
- To feed her habit, she stole from a series of employers
- In 1997, she declared Ch. 7 bankruptcy with assets of $400k and liabilities of $680k, including $200k of bad checks
- Hired by Starbucks in 1999 to work in Accts. Payable; no background check
- Heinen created a fictitious vendor, a shell company, which billed Starbucks $3.7 million of phony invoices in 8 mos. - biggest embezzlement ever in King County
- Starbucks didn't know that the consulting co. wasn't licensed in WA, had no office, and that the PO box and voicemail were registered in Heinen's name.
- Heinen's house was stacked to the ceiling with stuff, including 3 Steinway pianos, 2 big screen TVs, 8 bicycles, 5 digital satellite systems, CD players stacked to the ceiling, exercise equip., jewelry, novels, hundreds of Barbie Dolls, etc. overflowing everywhere.
- She accumulated 34 cars, including a Model T, Porsche, Aston Martin, Dodge Viper, BMW, 3 Corvettes, Mercedes Replica, etc.
- She also had 3 boats, including a $310k, 47-ft Bayliner
- In 2002, Heinen was sentenced to 4 years in jail and restitution of $2.6m to Starbucks (net of recovery).
- She asked for special counseling and therapy while in jail to treat her disorder.
- Clearly, internal controls at Starbucks had a hole big enough to drive a truck through.
- Starbucks at the time owned the Sonics basketball team. If the Sonics had a defense as porous as Starbucks' internal controls, opponents would be able to do layups with no one to stop them.