64 Cards in this Set

  • Front
  • Back
Internal Control
a process effected by an entity's board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.
Internal control is a process
Because internal control is a process, it is subject to process improvement; and single correct answers to control problems seldom exist. Accountants must use judgement and experience in designing and implementing internal controls; the controls must be periodically reviewed to ensure their continued effectiveness.
Internal control necessarily involves people in the organization
COSO and Lander definitions lay the responsibility for internal control squarely at the feet of management and the BOD. Internal controls require discussion during design, implementation, and evaluation. They impact human behavior, and control systems designers must, as far as possible, anticipate their behavioral impact.
Internal controls are designed to provide reasonable assurance.
Internal controls should not, and probably cannot, be designed to provide absolute assurance of anything. Internal controls are subject to a cost benefit constraint. Their cost must be outweighed by the benefit.
Accounting controls are subject to a cost benefit analysis. What section covers this idea?
Internal controls provide reasonable assurance.
Reasonable is defined as
governed by or being in accordance with reason or sound thinking; being within the bounds of common sense; not excessive or extreme.
Internal controls provide reasonable assurance in a few common areas, such as operations, financial reporting, and human behavior.
There are 4 purposes of internal controls: safeguarding assets, ensuring financial statement reliability, promoting operational efficiency, and encouraging compliance with management's directives. In short, they are there to help ensure that no one steals from the company and everyone follows the rules.
4 purposes of internal controls
safeguarding assets, ensuring financial statement reliability, promoting operational efficiency, encouraging compliance with managers' directives.
Foreign Corrupt Practices Act
Passed in 1977 by US Congress
In some countries bribery was an acceptable way of doing business. The FCPA was enacted to stop those practices by US businesses and to restore some confidence in US business practices around the world. REQUIRES companies to maintain an adequate system of internal controls. Mentions the concept of reasonable assurance. Companies failing to comply can be subject to fines and imprisonment.
Sarbanes-Oxley
Enacted in 2002 as a response to corporate scandals. SOX is the most sweeping accounting related legislation business professionals have seen since the FCPA. Under SOX, management and external auditors must assess the company's internal controls on an annual basis. Management has certain required disclosures when reporting to the SEC. These include acknowledgment that management is personally and organizationally responsible for the design and implementation of internal controls, especially as they relate to reasonable assurance of reliable financial statements. Management must disclose any internal control changes if they have a noticeable effect on internal controls over financial reporting. Management must certify that they have informed the auditors and the BOD audit committee of any significant problems or weakness in internal control. Management must also PERSONALLY sign the required certifications; this cannot be delegated.
What is the role of accountants in the internal controls process?
Accountants can be involved in the design, implementation, or evaluation of internal controls as an external auditor, internal auditor, controller, or consultant.
Risk is part of everyday life.
The question is: are businesses taking unnecessary risks?
Brown's Taxonomy of Risk categories
1. Financial risks are related to monetary activities.
2. Operational risks concern the people, assets, and technologies used to create value for the organization's customers.
3. Strategic risks relate to the entity's decision making processes at the senior management and BOD level.
4. Hazard risk deals with directors' and officers' liability.
Financial risk according to BROWN
Financial risks are related to monetary activities.
Includes 3 types:
1. Market risk refers to changes in a company's stock prices, investment values, and interest rates.
2. Credit risk is associated with customers' unwillingness or inability to pay amounts owed to the organization.
3. Liquidity risk - involves the possibility that a company will not have sufficient cash and near cash assets to meet its short term obligations.
Market risk
Refers to changes in a company's stock prices, investment values, and interest rates. For example, if a company fails to diversify its investments, it runs the risk of a significant decrease in value that will impact financial statements.
Credit risk
Associated with customers' unwillingness or inability to pay amounts owed to the organization. For example, if you go to a retail store they will likely approve you for a small amount without a solid investigation, which will probably boost sales; however, the company has a higher risk of nonrepayment.
Liquidity risk
Involves the possibility that a company will not have sufficient cash and near cash assets available to meet its short term obligations. If a company has no budget or spending plan for cash it is exposed to this risk.
Operational risks and subcategories BROWN
Operational risks concern the people, assets, and technologies used to create value for the organization's customers.
1. System risk relates directly to IT.
2. Human error - recognizes the possibility that people in the organization may make mistakes.
Systems risk
Relates directly to information technology. As organizations become increasingly dependent on computers there's the risk that IT resources will fail at a critical moment.
Human error
Recognizes the possibility that people in the organization may make mistakes. These mistakes may include asset misappropriation and/or theft, divulgence of trade secrets, legal action from breaking the law and/or other consequences.
Strategic risk under BROWN
Strategic risk relates to the entity's decision making process at the senior management and BOD level.
1. Legal and regulatory risk is concerned with the chance that those parties may break laws that result in financial, legal, or operational sanctions. For example, if the CEO or CFO were to knowingly falsify the reports required by SOX they may be subject to government penalties.
2. Business strategy risk comprises poor decision making related to a company's basis for competing in its market. You may remember web grocer is now out of business because they did not adequately consider the risk associated with trying to develop a new market for a previously nonexistent service.
Legal and regulatory risk
Legal and regulatory risk is concerned with the chance that those parties may break laws that result in financial, legal, or operational sanctions. For example, if the CEO or CFO were to knowingly falsify the reports required by SOX they may be subject to government penalties.
Business strategy risk
Business strategy risk comprises poor decision making related to a company's basis for competing in its market. You may remember web grocer is now out of business because they did not adequately consider the risk associated with trying to develop a new market for a previously nonexistent service.
Hazard risk BROWN
Has a single category: directors' and officers' liability. Organizations in which directors and officers are accused of mismanagement by shareholders, government agencies, employees, or other stakeholders bear this risk in a very direct way.
COSO
Committee of Sponsoring Organizations of the Treadway Commission
COSO is composed of?
Institute of Management Accountants, American Institute of Certified Public Accountants, American Accounting Association, Institute of Internal Auditors, and the Financial Executive Institute.
5 components of COSO for effective internal control
1. Control environment
2. Risk Assessment
3. Control Activities
4. Information and communication
5. Monitoring
Control environment according to COSO
Control environment refers to the tone at the top of the organization. It reminds accountants and managers that without the clear demonstrated commitment of upper management and opinion leaders in the organization, internal control will not be taken seriously.
Risk Assessment under COSO
Involves using a taxonomy, business experience, research, and dialogue to identify the risks associated with operations. By identifying risks, we can design appropriate, cost effective internal controls to provide reasonable assurance of safeguarding assets, ensuring financial statement reliability, promoting operational efficiency, and encouraging compliance with management's directives.
Control activities under COSO
Refer to the actual controls implemented on the basis of risk assessment. Preventive controls help prevent errors and irregularities from happening. Detective controls, such as airport metal detectors, help stakeholders determine when an error has occurred. Finally, corrective controls, which include punishment for subverting internal controls, focus on fixing a problem, error, or irregularity after it has occurred.
IT controls according to COSO
General controls apply to an entire IS system; examples would be backing up files regularly and installing virus detection and removal software.
Application controls are associated with specific IT applications; for example, QuickBooks and Peachtree do not allow users to make journal entries where debits and credits are not equal.
Information and communication under COSO
For an internal control system to be effective, its purpose, methods, and results must be communicated throughout the organization. Employees at all levels should understand risks and how to minimize them.
Monitoring COSO
Managers must determine the quality of internal controls. Monitoring systems can be automated but many involve human interaction. The results of monitoring should be used to guide employee behavior.
Enterprise Risk Management : Integrated Framework
Enterprise Risk Management is a process, effected by an entity's BOD, management and others, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of company objectives.
ERM framework has 8 elements of control
internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring
Internal environment ERM
Encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people including risk appetite, integrity and ethical values, and the environment in which they operate.
Objective setting ERM
Objectives must be set before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with risk appetite.
Event Identification ERM
Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management's strategy or objective setting process.
Risk Assessment ERM
Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response ERM
Management selects risk responses (avoiding, reducing, accepting or sharing risk), developing a set of actions to align risks with a company's tolerance and risk appetite.
Control Activities ERM
Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and communication ERM
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
Monitoring ERM
The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Internal control examples
1. Adequate documentation
2. background checks
3. backup of computer files
4. backup of power supplies
5. bank reconciliation
6. batch control totals
7. data encryption
8. document matching
9. edit checks
10. firewalls
11. insurance and bonding
12. internal audits
13. limit checks
14. lockbox systems
15. physical security
16. preformatted data entry screens
17. prenumbered documents
18. restrictive endorsement of checks and daily deposits
19. segregation of duties
20. user training.
How is adequate documentation an internal control?
Understanding how things are supposed to happen in an AIS system is an important first step in designing and assessing internal controls. Flowcharts and/or data flow diagrams help you critique internal controls and determine if they are functioning effectively.
How is a background check an internal control?
Background checks, especially for those handling large amounts of money, are essential; a background check may reveal financial difficulties or criminal convictions that may create pressure to breach an internal control.
How is a backup of computer files an internal control?
If done regularly, backing up files takes only a few minutes, whereas recreating files from scratch takes FOREVER. Daily backups ensure that no more than one day's work is lost in the event of a systems failure.
How is a backup of power supplies an internal control?
While a computer does not run indefinitely on a backup power supply, it will run long enough to give a user time to save the file they are working on ensuring those are not lost.
How is a bank reconciliation an internal control?
The basic purpose is to account for timing differences between the account holder's records and the bank's records of a cash account. Reconciling at least monthly can be helpful in spotting out of sequence checks, fraudulent signatures, and errors in the IS.
How are batch control totals internal controls?
When an IS system is processing a batch of documents you can calculate various control totals to promote data integrity.
How is data encryption an internal control?
Without data encryption, hackers and other computer criminals can easily access, change, and/or steal data, compromising data integrity and privacy throughout the organization.
How is document matching an internal control?
Document matching helps ensure that vendor invoices are only paid when merchandise has been properly ordered and invoiced.
How are edit checks internal controls?
The information system "echoes" the data you've entered back to you before you complete the final processing. That process allows you to edit the data for any errors or other changes.
How are firewalls internal controls?
Firewalls can prevent unauthorized intrusions into an accounting information system and warn users when such intrusions are detected.
How is insurance and bonding an internal control?
While insurance and bonding cannot prevent internal control breaches, they can help organizations correct any financial losses they experience as a result. If you've ever hired contractors to work in your home they were probably bonded. Companies often bond key employees as a safeguard against error and/or fraud.
How is internal auditing an internal control?
Internal audits can reveal indications of fraud, waste, and inefficiency, thus strengthening an internal control system.
How are limit checks an internal control?
Most general ledger packages limit transaction dates to the current year; they don't allow users to pre or post date transactions.
How is a lockbox system an internal control?
Lockbox systems help promote strong internal control over cash. Rather than remitting payment directly to an organization, customers send payment to a lockbox, and the independent company monitors the lockbox and deposits cash into the bank.
How is physical security an internal control?
Simple actions such as locking doors and securing computers help.
How is using preformatted data entry screens an effective internal control?
Using preformatted data entry screens for things like customer orders and cash disbursement processing greatly improves data entry efficiency.
How does using prenumbered documents help internal controls?
A seriously out of sequence document could be a warning sign of an internal control breach or fraud.
How does restrictively endorsing checks and depositing cash daily help internal controls?
Restrictive endorsements give the bank more specific instructions which limit the uses of the endorsed check; the most common is "for deposit only" often with an account number. If cash is deposited it is secure.
How does segregation of duties promote internal control?
IS MOST IMPORTANT. 3 different people should each take on one responsibility with respect to a specific asset: authorization for use, physical custody, and recordkeeping.
How is user training an internal control?
All internal control processes in the world are virtually useless if people don't know how to apply them. Employees should receive periodic training reminders about important internal controls, their rationales, and why they exist.