Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES

About This Presentation

Title:

Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES

Description:

Password required for access to data. Control Activities ... Used to control input of data into computer systems. Drop-down or look-up menus ... – PowerPoint PPT presentation

Number of Views:90

Avg rating:3.0/5.0

Slides: 57

Provided by: denni92

Category:

more less

Transcript and Presenter's Notes

Title: Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES

1
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN
BUSINESS PROCESSES
2
Internal Control and Accountants Roles

Accountants as
Managers
Sarbanes-Oxley Act of 2002 and Standard No. 2 of
the Public Company Accounting Oversight Board
(PCAOB) requires
Management to prepare a statement describing and
assessing the companys internal control system

3
Internal Control and Accountants Roles

Sarbanes-Oxley Act of 2002 and Standard No. 2 of
the Public Company Accounting Oversight Board
(PCAOB) requires
Annual reports of public companies to include
(1) a statement that management is responsible
for internal controls over financial reporting,

4
Internal Control and Accountants Roles

Sarbanes-Oxley Act of 2002 and Standard No. 2 of
the Public Company Accounting Oversight Board
(PCAOB) requires
Annual reports of public companies to include
(2) a statement identifying the framework used by
management to evaluate internal controls,

5
Internal Control and Accountants Roles

Sarbanes-Oxley Act of 2002 and Standard No. 2 of
the Public Company Accounting Oversight Board
(PCAOB) requires
Annual reports of public companies to include
(3) an assessment of internal controls and
disclosure of any material weaknesses, and

6
Internal Control and Accountants Roles

Sarbanes-Oxley Act of 2002 and Standard No. 2 of
the Public Company Accounting Oversight Board
(PCAOB) requires
Annual reports of public companies to include
(4) a statement that a public accounting firm has
issued an attestation report on managements
assessment of internal control.

7
Internal Control and Accountants Roles

Accountants as
Users
Must understand a companys internal controls to
apply them correctly.

8
Internal Control and Accountants Roles

Accountants as
Designers of internal control procedures
Must understand a companys internal controls in
working to achieve compliance with regulations
and company objectives and to minimize risks

9
Internal Control and Accountants Roles

Accountants as
Evaluators must understand internal control
systems to
Help develop managements report that assesses
internal controls (as internal auditors)
Prepare an attestation to managements statement
about internal control (as external auditors)
Conduct the audit of a companys financial
statements (as external auditors)

10
Framework for Studying Internal Control

Components of internal control (the COSO Report)
Internal control objectives
Risk assessment

11
Framework for Studying Internal Control

The COSO Report
5 interrelated components of internal control
Control environment
Risk assessment
Control activities
Information and communication
Monitoring

12
Internal Control Objectives

Objective Type
Execution Proper execution of transactions in
the revenue and acquisition cycles
Information system Proper file maintenance,
recording, updating, and reporting of data
Asset protection Safeguarding of assets
Performance Favorable performance of an
organization, person, department, product or
service.

13
Internal Control Objectives - Execution

2 execution objectives for the revenue cycle
Ensure proper delivery of goods and services
Ensure proper collection and handling of cash
2 execution objectives for the acquisition
cycle
Ensure proper receiving of goods and services
Ensure proper payment and handling of cash

14
Internal Control Objectives

Internal control
Information system objectives -
Focus on recording, updating, and reporting
accounting information
Important for ensuring effective execution of
transactions

15
Internal Control Objectives

Internal control
Asset protection objectives -
Focus on safeguarding assets to minimize risk of
theft or loss of assets

16
Internal Control Objectives

Internal control
Performance objectives
Focus on achieving favorable performance of an
organization, person, department, product, or
service
Established to ensure effective operations

17
Assessment of Execution Risks Revenue Cycle

Generic execution risks for each of the two
revenue cycle transactions
1.Delivering goods/services
Unauthorized sale/service permitted
Authorized sale/service did not occur, occurred
late, or was duplicated unintentionally
Wrong type of product/service
Wrong quantity/quality
Wrong customer/address

18
Assessment of Execution Risks Revenue Cycle

Generic execution risks for each of the two
revenue cycle transactions
2. Collecting cash
Cash not collected or collected late
Wrong amount of cash collected

19
Assessment of Execution Risks Acquisition Cycle

Generic execution risks for each of the two
acquisition cycle transactions
1. Receiving goods/services
Unauthorized goods/services received
Expected receipt of goods/services did not occur,
occurred late, or was duplicated unintentionally
Wrong type of product or service received
Wrong quantity/quality
Wrong supplier

20
Assessment of Execution Risks Acquisition Cycle

Generic execution risks for each of the two
acquisition cycle transactions
2. Making payment
Unauthorized payment
Cash not paid, paid late, or duplicate payment
Wrong amount paid
Wrong supplier paid

21
Assessment of Execution Risks Revenue
Acquisition Cycles

Understanding and assessing execution risks 5
steps
Step 1. Achieve understanding of the processes
Step 2. Identify the at-risk goods/services
provided and cash received
Step 3. Restate generic risk to describe the
execution risk more precisely for process under
study - exclude irrelevant/immaterial risks

22
Assessment of Execution Risks Revenue
Acquisition Cycles

Understanding and assessing execution risks 5
steps
Step 4. Assess the significance of remaining
risks
Step 5. Identify factors that contribute to each
significant risk use events in the process to
systematically identify factors
What control activities could be implemented to
mitigate the risks?

23
Assessment of Information Systems Risks

2 categories of information systems risks
Recording risks
Updating risks

24
Assessment of Information Systems Risks

The process of recording
and updating information
both a risk and a control
Risk - information will be recorded incorrectly,
perhaps resulting in transaction errors and
incorrect financial statements
Control when information is correct because
recorded information is used to control
transactions

25
Assessment of Information Systems Risks

Recording risks
Risks that event information is not captured
accurately in an organizations information
system
Errors in recording can cause substantial losses
Recording events late can cause opportunity
losses
In the acquisition cycle, recording errors can
result in overpaying bills or loss of credit from
failure to pay

26
Assessment of Information Systems Risks

Recording risks
Revenue/acquisition cycles - generic recording
risks
Event recorded never occurred
Event not recorded, recorded late, or
duplication of recording
Wrong product/service recorded
Wrong quantity/price recorded
Wrong external/internal agent recorded
Wrong recording of other data

27
Assessment of Information Systems Risks

Recording risks
Identifying recording risks 3 steps
Step 1. Achieve an understanding of the process
under study - identify the events
Step 2. Review events - identify where data are
recorded in a source document or a transaction
file

28
Assessment of Information Systems Risks

Recording risks
Identifying recording risks 3 steps
Step 3. For each event where data are recorded in
a source document or transaction record
Consider the preceding generic recording risks
Restate each generic risk to describe the risk
more precisely for the particular event under
consideration
Exclude any risks that are irrelevant or
immaterial

29
Assessment of Information Systems Risks

Updating risks
Risks that summary fields in master records are
not properly updated
Update failures can be costly
Errors in updates can reduce the effectiveness of
controls over the general ledger balances for
assets and liabilities

30
Assessment of Information Systems Risks

Updating risks
Generic risks
Update of master record omitted or unintended
duplication of update
Update of master record occurred at the wrong
time
If updates are scheduled, users need to know and
schedule needs to be followed
Summary field updated by wrong amount
Wrong master record updated

31
Assessment of Information Systems Risks

Identifying updating risks
3 steps
Step 1. Identify recording risks
Step 2. Identify the events that include update
activity and the summary fields in updated master
files

32
Assessment of Information Systems Risks

Identifying update risks
3 steps
Step 3. For each event in updated master file
Consider the preceding generic update risks
Restate each generic risk to describe the update
risk more precisely for the particular event
under consideration
Exclude any update risks that are irrelevant or
immaterial

33
Recording and Updating in the General Ledger
System

The General Ledger File stores reference and
summary data about the general ledger accounts.
The process of updating a general ledger account
is sometimes referred to as posting.

34
Recording and Updating in the General Ledger
System

Risks in recording and updating information in a
general ledger system
Risks
Wrong general ledger account recorded
Wrong amounts debited/credited
General ledger master record not updated at all,
updated late, or updated twice
Wrong general ledger master record updated

35
Recording and Updating in the General Ledger
System

Risks in recording and updating information in a
general ledger system
Important to internal control
Policy for updating general ledger accounts
should be well understood.
Often, general ledger balances are updated after
a batch of transactions, not with each
transaction

36
Recording and Updating in the General Ledger
System

Risks in recording and updating information in a
general ledger system
Important to internal control
Employees need to know
Under the batch process, general ledger account
balances are temporarily out of date
When updates are made

37
Recording and Updating in the General Ledger
System

Controlling risks
Identify significant risks of losses or errors
Consider ways to control the risks
Accountants, external auditors, or internal
auditors evaluate existing controls and suggest
additional controls where warranted

38
Control Activities

The policies and procedures to address risks to
achievement of the organizations objectives
Manual or automated
May be implemented at various levels of the
organization.
4 types of controls
Workflow controls
Input controls
General controls
Performance reviews

39
Control Activities

Workflow controls
Used to control a process as it moves from one
event to the next
Exploit linkages between events
Focus on
Responsibilities for events
Sequence of events
Flow of information between events in a business
process

40
Control Activities

Workflow controls
Segregation of duties
Use of information from prior events to control
activities
Required sequence of events
Follow-up on events
Sequence of prenumbered
Recording of internal agent(s) accountable for an
event in a process
Limitation of access to assets and information
Reconciliation of records with physical evidence
of assets

41
Control Activities

1. Segregation of duties
Organizations make an effort to segregate
Authorization of events
Execution of events
Recording of event data
Custody of resources associated with the event
The overview activity diagram is best suited to
understanding and documenting segregation of
duties

42
Control Activities

2. Use of information about prior events
Information about prior events can come from
documents or computer records.
2 examples of information from computer files
Checking summary data in master files to
authorize events
Transaction records may help control events -
similar to using documents before approving an
invoice

43
Control Activities

3. Required sequence of events
Often, organizations -
Have policies requiring a process to follow a
particular sequence
Require a sequence of events without having prior
recorded information to rely on

44
Control Activities

4. Follow-up on events
Organizations
Need automated or manual way to review
transactions not yet concluded
Should have open item or aging reports to
identify events needing follow up
Can design/use routine reports to flag unfinished
business
Can querying a database for status reports

45
Control Activities

5. Prenumbered documents
Provide an opportunity to control events
Prenumbered documents created during one event
are accounted for in a later event
Checking the sequence of prenumbered documents
helps ensure that all events are executed and
recorded appropriately

46
Control Activities

6. Recording of internal agent(s) accountable for
an event in a process
Important
Clear job descriptions and specific instructions
from supervisors
Recording employee ID number at the time the
event
Safeguarding of assets through use of with serial
numbers, recordkeeping, and identification of
custodian of the assets

47
Control Activities

7. Limitation of access to assets and
information
Safeguards
Access to assets only for employees needing them
for assigned duties
Physical assets stored in secure locations
Employees badges for access
Alarms
Password required for access to data

48
Control Activities

8. Reconciliation of records with physical
evidence of assets
Ensures that recorded event and master file data
correspond to actual assets
Differs from the use of documents to control
events reconciliation
Is broader
Usually involves data about multiple events
Occurs after the events have been executed and
recorded

49
Control Activities

Input controls
Used to control input of data into computer
systems
Drop-down or look-up menus
Record-checking of data entered
Confirmation of data entered
Referential integrity controls
Format checks to limit data
Validation rules to limit the data
Defaults from data entered in prior sessions

50
Control Activities

Input controls
Restriction against leaving a field blank
Field established as a primary key
Computer-generated values entered in records
Batch control totals taken before data entry
compared to printouts after data entry
Review for errors before posting
Exception reports

51
Control Activities

General controls
Broader controls that apply to multiple processes
Help workflow and input controls be effective
Organized into four categories
Information systems (IS) planning
Organizing the information technology (IT)
function
Identifying and developing IS solutions
Implementing and operating accounting systems

52
Control Activities

Performance reviews
Measure performance by comparing actual data with
budgets, forecasts, or prior-period data
Include analyzing data, identifying problems, and
taking corrective action
Ensure events support broader long-term goals
Typically involve comparing actual results to
plans, standards, and prior performance

53
Control Activities

Performance reviews
Often result in taking corrective action
Require an information system (AIS in particular)
that records and stores information about
standards and actual outcomes
Requires reports that allow for meaningful
analysis of actual results

54
Control Activities

Performance reviews
And master records
Related in two ways
Planned standards and budget figures (reference
data) are typically recorded during file
maintenance activities in master records
Summary data stored in master records are often
used to implement corrective action
Summary fields in master records can also help in
reviewing performance

55
KEYTERMS