033: Understanding Complex Internal Control Issues - published 04/27/2018

Nuts with Taxes

Learning Objectives:

1. You will be able to define, identify and implement Internal Control best practices.

2. You will be able to understand the COSO Model and why it is the foundation of any Internal Control program. 

3. You will be able to understand roles and responsibilities for Internal Control. 

4. You will be able to discuss how Internal Controls can detect and prevent fraud. 

Agenda:

Section 1 - Internal Control Systems – What are they?

• Why have Internal Controls?

• Objectives

• Background

• Components

Section 2 - Internal Control Concepts & Objectives

• Control Activities within an Internal Control System

• Preventive, Detective & Corrective Controls

• Cost-Benefit Analysis for Developing Controls

Section 3 – COSO Model

• COSO – 5 Integrated Components

• COSO – 17 Principles

Section 4 - Practical Perspective

• Implications to your current processes

• Identifying Key Controls

• Summary of Key Points

Transcript

Welcome and Introduction

00:00:00
Speaker
Welcome to today's live webinar entitled Understanding Complex Internal Control Issues. At this time, I would like to turn the call over to your host, Mr. Steven B. Jordan. Please go ahead, sir. Thank you and welcome for your support in attending our webinar. This is Steve Jordan for Lorman Education, Understanding Complex Internal Control Issues. We will cover internal controls, including those related to information systems and the COSO framework. At the end of this webinar,
00:00:30
Speaker
You should be able to do the following: describe the three objectives of internal control; contrast management's responsibilities for maintaining internal control with the auditor's responsibilities for evaluating and reporting on internal control; explain the five components, 17 principles, and points of focus of the COSO framework; explain how general and application controls reduce IT risk; and lastly, have an understanding of how to implement internal control. Let us begin.

Importance of Internal Control

00:01:02
Speaker
Internal control mitigates risk and should cross-pollinate across all divisions of an entity. And this is the paradox, because risk cannot be reduced to zero. We need to constantly raise awareness. And there's good reason, because if you look at some of the largest corporate failures and frauds, how many of these can be traced back to a poor tone at the top, the culture, attitude, and awareness?
00:01:26
Speaker
You know, we have AIG's accounting misconduct and bid rigging. Lehman Brothers and Bear Stearns are examples of when boards and senior executives took oversized risk and fabricated ridiculously complex financial instruments that made little sense in hindsight. Equifax's dispute over exfiltration of consumer web portals and breach of PII, personally identifiable information.
00:01:50
Speaker
Wells Fargo, fraudulent banking practice, including bank employees forging customer signatures and fraudulently opening accounts for customers without their knowledge or consent. Enron, WorldCom, Nortel Networks, Bernie Madoff, these are all examples of frauds that were allowed to happen because of the flaws in the internal control environment. The list goes on and on. The bottom line is if the tone at the top is broken, the rest doesn't matter.
00:02:17
Speaker
Putting internal control in place can be very delicate, as with lots of things, there are trade-offs. Please give your attention to the text in yellow highlights on the slides. These are hints to polling questions. The polling questions will be brief.
00:02:42
Speaker
Good afternoon and welcome to our presentation. This is general information only and is not legal or accounting advice. It is not intended to create, and receipt does not constitute, a legal relationship. Before making any decision or taking any action affecting your business, consult a qualified professional.
00:03:01
Speaker
Images in this presentation are attributed to public domain or their respectful owner. If you see an image appearing that belongs to you and you do not wish for it to appear, please email with a link to said image and it will be promptly removed.
00:03:18
Speaker
It's all about controlling the game, I suppose, and testing that. So, you know, one team is trying to move forward and the other team is trying to stop it. A process affected by the entity's board of directors, management, and other personnel designed to provide reasonable assurance regarding achievement of the entity's objectives. One of the reasons for strong internal control is because it helps the organization adhere to laws and regulations. The audit of internal control over financial reporting is a mandated audit by Sarbanes-Oxley.
00:03:49
Speaker
So any organization that's publicly traded or fits the criteria that must comply with SOX must have an audit of internal control over financial reporting. Management requirements include acceptance of responsibility for the effectiveness of the entity's internal control. Management must evaluate internal control using suitable criteria, generally speaking, the COSO framework. This essentially required management to establish a separate department that's responsible for evaluating and documenting internal control. Finally, management is responsible for writing a written assessment regarding the effectiveness of the entity's internal control as of the most recent fiscal year. So what is this saying? Management is writing a letter that becomes a part of the financial statement where they are documenting their responsibilities, that they supported this with evidence, and they are evaluating the internal control structure.
00:04:46
Speaker
The outside auditor is required to conduct what we call an integrated audit of the entity's internal control. Question, what is a control weakness? It means either a design issue or an operational issue. A design issue means the control is not properly designed or is missing. Operational issue means the control is in place, but it's not operating as designed or the person responsible for it is not qualified. Ask yourself,
00:05:14
Speaker
Is this control deficiency significant enough that there is more than a remote likelihood that it will not be prevented or detected? Or does the weakness's materiality have more than a remote likelihood that it could lead to a material misstatement in the financials?

COSO Framework Overview

00:05:30
Speaker
These are reportable items.
00:05:34
Speaker
One of the reasons that a strong internal control system is important is because they
00:05:50
Speaker
Help the organization adhere to laws and regs.
00:05:57
Speaker
We're going to learn internal control is a process constantly evolving. This is another aspect of financial management and auditing that requires a high degree of professional judgment. Management designs internal control to achieve three broad objectives: reliable financial reporting, efficient and effective operations, and compliance with laws and regs. The concept of achievement of objectives, so whether that be safeguarding assets, separation of duties, timely financial reporting, whatever the objective is, needs to be identified before you can then design the control related to it. At a high level, if I was asked about control objectives, I would always start my answer with the words "to ensure that." Control objectives are there to ensure something good happens or to ensure something bad does not happen. For example,
00:06:50
Speaker
with the sales system to ensure that we only sell to credit-worthy customers. For the purchase system to ensure the goods that are ordered are actually needed in the business itself. The payroll to ensure that we only pay our employees for work that they actually performed. Inventory to ensure that we store inventory in effective manners to maintain its quality. The cash system to ensure there is a minimum risk of cash being fraudulently misappropriated by employees.
00:07:19
Speaker
non-current assets to ensure the purchase of any non-current asset is authorized by an appropriate person and there is a business need. Look at the existing controls and are any key controls missing? A key control would prevent or detect an error or irregularity. So a company could have a control that is not a key control, but it is not in and of itself able to prevent or detect an error. Consider the possibility of a compensating control. Another way management could catch an error if there is a deficiency. You would like to see that all sales are approved by a credit manager for customers who are over 90 days outstanding. If you're in a manual environment, maybe that's not timely. But if there's a review on a weekly basis that looks at all sales and then matches to credit approval, there is some control in place. How timely is that?
00:08:13
Speaker
What's the likelihood that goods are shipped and management won't be able to recover the goods if a sale is made to a customer who is incapable of paying? Compensating controls aren't perfect in terms of preventing, but they might detect an error. Specific suitable organization objectives may include all of the following except.
00:08:40
Speaker
Eliminating risk.
00:08:43
Speaker
Establishing an internal control system costs money. The more controls a company puts in place, the more policies and procedures, the more control activities required, and the more human and technology resources necessary. Let's recognize up front that companies can neither eliminate nor can they entirely ignore internal control risk. The right answer, like so many things in life, is somewhere in between and based on a cost benefit analysis.
00:09:09
Speaker
Management's interest in establishing internal control is premised on sound business practice. A reliable system of control enables a preparation of accurate information which allows management to make sound business decisions, safeguards the assets of a company from theft, misuse, or accidental destruction, prevents waste and other inefficiencies by establishing control mechanisms to monitor activities, and plays a critical role in preventing and detecting errors and fraud.
00:09:38
Speaker
Management will use some sort of risk management methodology to define the areas at risk. And once identified, control activities can be designed to mitigate the identified risk. So let's talk about a few examples to give you an idea of what internal control looks like and feels like. Say we are looking at the sales revenue cycle. Within each cycle, we have processes.
00:10:03
Speaker
Revenue cycle is composed of customer order entry, credit approval, shipment of goods and services, cash collection, updating accounts receivable, allowance for doubtful accounts, sales returns and allowances. Here we can see the risk ranking for the revenue cycle is ranked high. What are some of the key inherent risks? Revenue recognition, authorization, billing accuracy, compliance,
00:10:30
Speaker
Well, first of all, if we're using a hotel company as an example, we want to ensure that all sales get recorded. What sorts of controls could management establish to meet this objective?
00:10:42
Speaker
Well, first, they may have a daily reconciliation process of sales to reservations. Maybe they reconciled sales to occupied rooms. We might have a security camera at the front desk to detect any theft. A manager likely reviews the daily sales reports to ensure that the room rates and occupancy rates appear reasonable. And an even bigger area for risk might be in the restaurant and lounge, as there might be more cash changing hands, as well as food and liquor inventory to safeguard. The general manager may require a supervisor to review and document all void transactions.
00:11:17
Speaker
daily inventory counts of all liquor inventory may be done, order slips should be pre-numbered consecutively, and all slips accounted for at the end of each shift. Are you starting to get a sense of what internal control is? Let's tie this back to our discussion on management assertions, what assertions are, all these activities designed to ensure, that's right, completeness and accuracy of sales. Many of these are fraud controls. We will discuss these shortly.
00:11:48
Speaker
Control systems are highly dependent on people. If people are not trustworthy or they act in concert, they will attempt to override the controls to defraud the company. If the systems are not reliable and produce information that is incorrect, then the

Sarbanes-Oxley Impact

00:12:02
Speaker
whole decision making and financial statement reporting process are called into question. Who is responsible for establishing and maintaining internal control?
00:12:15
Speaker
Management.
00:12:18
Speaker
So in fact, there are some pervasive controls that we need to consider above all else before the detailed control activities can be deemed reliable. The control environment is a term commonly referred to when describing the actions, policies, procedures that reflect the overall attitude and activity of senior management. If you look at the likes of Enron, Lehman Brothers, Bear Stearns, Global Crossing, WorldCom, Bernie Madoff, and Nortel's accounting scandals,
00:12:46
Speaker
All these stemmed from a dysfunctional control environment at best and a corrupt control environment at worst. It didn't matter how well the employees were performing their assigned tasks in these companies, as senior management was overriding the controls or establishing a tone at the top that disregarded the importance of ethics and abiding by corporate policy.
00:13:10
Speaker
Internal control includes things that pertain to maintenance of records that are accurate and fairly reflect transactions and disposition of assets. So, you notice we're looking at transactions. We're looking at assets. Provide reasonable assurance transactions are properly authorized and recorded in accordance with the accounting principles. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of company assets. We're looking at fraud.
00:13:41
Speaker
In summary, a deficiency exists when the design or operation of a control does not allow management or the employee in the normal course of affairs to prevent or detect misstatements on a timely basis. We will pick up on this concept of control environment and its importance in the next slides as we drill deeper into the topic of internal control. Why is COSO a suitable model? The Securities Exchange Commission states,
00:14:06
Speaker
The COSO framework is one of the most widely recognized and applied enterprise risk management frameworks in the world. The Committee of Sponsoring Organizations of the Treadway Commission, COSO, was started in 1985, the primary mission to develop thought, leadership, and frameworks related to enterprise risk management, internal control, and fraud deterrence. The first chairman of the National Commission was James C. Treadway, Jr., hence the popular name Treadway Commission.
00:14:36
Speaker
In 1992, COSO issued its first framework. The original 1992 COSO framework was updated in 2013. COSO's framework goes beyond internal control to focus on how entities can effectively manage risk and opportunities. Auditing standards are still structured around the original COSO framework. The COSO model underpins ERM and Sarbanes-Oxley. Although very effective, the COSO framework will not prevent all fraud. True or false, the COSO framework will prevent all fraud. False.
00:15:20
Speaker
Most important is the role of judgment by the users of the framework. Judgment on how controls are designed, implemented, and how you assess the overall effectiveness of your internal control.
00:15:33
Speaker
True or false, judgment is included in the internal control system?
00:15:39
Speaker
True. In each area of internal control, control objectives and sub-objectives exist. For example, in the reporting area, top-level objective would be prepare and issue reliable financial information.
00:15:54
Speaker
The detailed level applied to accounts receivable sub-objectives. All goods shipped are accurately billed in the proper period. Invoices are accurately recorded for all authorized shipments and only for such shipments. Authorized and only authorized sales returns and allowances are accurately recorded. The continued completeness and accuracy of AR is ensured. Accounts receivable records are safeguarded.
00:16:23
Speaker
All right, as you know, with the passage of Sarbanes-Oxley, internal control became a bigger part of the audit process for auditors. Prior to SOX, it was at the auditor's discretion as to what level of internal control they would look at. They weren't required to issue a report on internal control prior to SOX. What was done most times was to look at internal controls that determine the extent of testing. Today, they have to test and report on internal control as mandated by SOX.
00:16:50
Speaker
Furthermore, mandated by SOX is that management has to issue a report on internal control. So if you think back to the audit risk model, one component of the model is risk assessment. Auditors have to assess internal control risk and, along with their assessment of inherent risk, that is going to impact the amount of audit evidence they collect. If they can rely on internal control and they see internal control is highly effective, they can decrease their testing in certain areas where controls are effective.
00:17:20
Speaker
Likewise, if it's not effective, then they have to increase their testing.
00:17:27
Speaker
It is not the auditor's responsibility to come in and design an internal control system for a company. Why would that be a problem? Because you'd be testing your own work and that violates what? Independence. It's management's responsibility. It's management's organization. They understand their entity better than the auditor's.
00:17:45
Speaker
So management wants to make sure internal control is in effect prior to the auditors coming in. They don't want auditors finding problems with internal control because management realizes it's going to impact the amount of reliance auditors can place on internal control and it's going to impact the amount of evidence or extend audit procedures if the auditors cannot rely on it. There is no one correct answer, but clearly you would expect if you shipped goods you would want to see some form of a shipping document. We'll talk later about preventive versus detective controls. So when an auditor gives an opinion, what they're looking for is to ensure that the financials are free of material misstatement. Think about some of the representations or assertions management makes about the financials that the auditors are testing. For reporting purposes, auditors will issue an integrated report which consists of a report on internal control as well as the financials.
00:18:45
Speaker
You want your internal controls to be communicated to employees in the organization so they understand how things should work and are supposed to work. You don't want the same transaction happening different ways. This prevents Division A handling the transaction this way and Division B another way. It has to be consistent because it becomes efficient that way,
00:19:07
Speaker
especially from an audit perspective to know internal control is operating effectively throughout the entity, encouraging compliance with management's directives on reporting, transactions, and efficiency of operations. Auditors can only provide reasonable assurance. They don't look at 100% of the items. There's a possibility of collusion and you cannot test for that.
00:19:31
Speaker
If two or more employees decide they're going to get together to circumvent internal control, it's going to be hard to detect that.

Transaction Controls Essentials

00:19:39
Speaker
Management is required to issue report on internal control as a requirement of SOX in compliance with Section 404.
00:19:50
Speaker
SAS 109 and the PCAOB Standard II both require auditors to obtain an understanding of internal control for every audit.
00:20:00
Speaker
control over shipments. Sales reported are for only those items that have actually been shipped in the current period. So we expect to see a test of internal control to see a sale cannot be recorded until there's a corresponding shipping document, matching shipping documents to sales recorded in the sales register. Auditors do not conduct a fraud audit, but have to be aware of the risk of fraud. If they find fraud, they have to respond to it.
00:20:29
Speaker
Physical controls over assets ensure that not everybody has access to the company's checkbook. If it's a manufacturing company, not anybody can walk into the warehouse and just walk out with goods.
00:20:42
Speaker
Remember the audit risk model? Control risk has an inverse relationship to planned detection risk. Relationship between control risk and substantive evidence is direct. So the higher your control risk, the lower your planned detection risk and the more evidence required.
00:20:59
Speaker
If you have high control risk, that could be expensive. You want to keep your PDR low, which means you're going to have to capture greater evidence. Control risk is just one component of the risk of material misstatement.
00:21:17
Speaker
Never far away from management assertions is the testing of internal control. What you're looking at is the controls over transactions. Are the processes and records right? Existence, occurrence, validity.
00:21:29
Speaker
Are recorded transactions real? Did they actually occur? Are they properly dated? Rights and obligations. Do transactions and assets belong to the entity? Accuracy and valuation. Are events that occurred recorded at the right value and then completeness? Are all the events that occurred reported in the accounting information system and are all information fields present? You want to make sure the sale amount is correct and is recorded for the customer the sale was made to.
00:22:00
Speaker
So now you know the records are right. What about authorization? Who has authorization? Is authorization properly segregated from custody of assets? For sales, we want to have up front some kind of credit limit policy. So we want to make sure we are not selling goods to unauthorized customers and, when we are selling goods to authorized customers, that those customers have not exceeded their credit limit or that they don't have an outstanding balance that is over 90 days.
00:22:28
Speaker
Make sure transactions are being authorized before they actually happen. We need to see proof, a sign-off, initials, or in an IT environment that the person who has access, let's say the credit manager and only the credit manager, has the ability to go in and authorize. We look for their signature or indication they've approved the transaction or released it if in fact they have released it.
00:22:52
Speaker
So how do we protect our assets in a warehouse? We should have controls over who goes in and out of the warehouse. We should have accountability. Not everyone should have access to move inventory.
00:23:03
Speaker
Not everyone should have access to cash or to checks.

Technology's Influence on Controls

00:23:06
Speaker
We want to see assets are physically controlled. If you're in an IT environment, look for controls over who has access to update programs and that there's some kind of record or report showing if there has been a change to the application, which should be produced automatically via a systemic change log, listing the date and time and programmer ID reference. If there's been a change to the programming or software,
00:23:33
Speaker
Okay, I'm not sure how many of you have heard of COSO before, but COSO is a standard framework used by companies for internal control. There are some extensions of COSO, especially companies that are highly automated. They may have enterprise-wide systems like SAP or Oracle, so they'll have an extension of COSO because it covers in more detail the IT environment. Please see Appendix C for extended COSO.
00:24:02
Speaker
The COSO framework has been translated into seven languages and several more are planned to be completed. COSO does a great job reflecting the importance of technology. And if you think about it, what's really happening in industry right now, really two things have started to explode and continue to explode, is the movement to the cloud and the movement away from traditional computing. By that I mean mobility. There's entire workforces that are moving to bring your own device or tablets for their day-to-day workforce enablement. Because of that, it creates significant challenges from an internal control perspective, especially with, as I mentioned before, BYOD, or the consumerization of technology. Very difficult to have a control framework applied to a device that you don't physically own as a business. If you let your employees bring their own tablets and cell phones, what if you don't issue
00:24:58
Speaker
company-issued devices and you interact with software that is not resident within your four walls or within your data centers. Significant concerns, and these two shifts are already happening and they're going to continue to evolve. COSO does a great job pointing you in the right direction and really making sure you're looking at it holistically and taking into account the fact that the reality is your business process and your technology, for any organization that wants to grow, are now inextricably linked. COSO has five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. Operating along three main objectives, and 17 broad principles provide further guidance to support the three main objectives applied across the organization, starting at the entity level and running all the way down to the process functions. As I said, it's a widely established, widely accepted and used framework. It's a layered effect.
00:25:57
Speaker
These are the five components of internal control that companies are expected to have. Controls addressing each of these components. What kind of tone are you setting for your employees? What message are you sending to your employees? We'll talk about setting tone at the top and the right attitude, culture, and awareness. That's an entity level control. However, for a function, we may have something such as all disbursements require two signatures. So that's a control related specifically to the function of cash disbursements. So let's see how these fit into the COSO model. How many components are in the COSO framework?
00:26:40
Speaker
Five.
00:26:44
Speaker
When I worked in internal audit at a national company, our internal controls were called the Red Book. Every single unit followed the Red Book. It didn't matter what the unit had at their location. At a minimum, they had to adhere to the controls in the Red Book. This was management's way of communicating to the employees and other business units. This is our expectation in terms of the control environment. We expect you to follow this. The control environment has five underlying principles, integrity, ethical values,
00:27:14
Speaker
Do you want to know management is instilling this in their employees by the message they are sending, a code of conduct? Two, board of directors and audit committee participation. Again, after Sarbanes-Oxley, the audit committee took on an expanded role and they have oversight over financial reporting, which includes reporting on internal control. So they have to be involved in the process. Three, organizational structure. Is it a flat structure, a hierarchical structure?
00:27:42
Speaker
This influences the ability to promote assurance. What kind of HR practices and policies exist and how are these communicated to

Risk Assessment and Management

00:27:51
Speaker
employees? There's an overall tone at the top. Four, commitment to competence and five, accountability. The environment is an umbrella of the other four components of internal control.
00:28:03
Speaker
When designing controls for a company, consideration must be given to the risk factor by a process called risk assessment, which recognizes every organization faces risk to its success. Risk comes from external and internal sources. Assessment involves a process for identifying and analyzing risk that may prevent the organization from achieving objectives relevant to the preparation of financials in accordance or conformity with appropriate accounting standards.
00:28:33
Speaker
There are four underlying principles related to risk assessment. One, management having clear objectives. Two, determination of management on how risks should be managed. Three, consideration of potential for fraud. Four, management monitors changes. Just as auditors plan an audit from a risk-based approach and conduct a risk assessment of the company, management should do the same thing likewise for internal control.
00:29:00
Speaker
You have to understand where your risk is and then identify what controls are in place to address that risk or what controls should be in place to address the risk. SOX put a whole new level of requirements for companies to document their internal control. You have companies whose systems migrate, that move from a legacy system to an ERP system such as SAP or Microsoft Dynamics. There is a need to document the change in internal control due to system migration because they have a different environment.
00:29:29
Speaker
It's a cost to the company to document what their controls are. Make sure you understand where your risk is because risk changes if you move from a legacy to an ERP system, and risk changes if you're running legacy systems alongside an ERP system. The more you have human intervention, the greater your risk.
00:29:50
Speaker
You want to develop an internal control system that has cost feasibility, which is why risk assessment is so important. This assessment is done by management, but it's closely related to the auditor's assessment when they're looking at internal control.
00:30:06
Speaker
Control activities help ensure actions identified as necessary to manage risk are carried out properly and in a timely manner. There are three underlying principles related to control activities. One, develop control activities that mitigate risk to an acceptable level.
00:30:20
Speaker
two, develop general controls over technology, and three, establish appropriate policies, procedures, and expectations. Examples include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, separation of duties, controls over IT. Policies should be implemented thoughtfully, conscientiously, and consistently.
00:30:46
Speaker
In terms of control activities, these are the activities you expect to see in place to address the risk. These are the controls. There are five different types of control activities, as illustrated. We will address and discuss each of the five control activities individually. Adequate separation of duties. Processing customer orders and billing of customers are performed by different people.
00:31:09
Speaker
A person who has custody of an asset should not be in a position to steal the asset and then cover up the theft. You do not want someone to have access to recording if that same individual has custody. Make sure those responsibilities are separated because you want to be able to detect if someone is stealing or not. So imagine there's someone who has access to inventory and they can update the inventory records. They could walk out of the warehouse with inventory.
00:31:34
Speaker
Then go into the books and records and change the inventory amount, so the inventory was never there. You need to separate these responsibilities.
00:31:43
Speaker
Huge internal control. If there's not proper separation of duties, that is probably going to be a significant weakness. There are four guidelines for separation of duties to prevent both fraud and errors. What you want to see at a minimum are, one, custody of assets from accounting, so the person who has custody of the asset cannot update the accounting records.
00:32:03
Speaker
Two, authorization of transactions from custody of the related asset. Three, operational responsibility from record keeping responsibility. Four, IT duties from user departments. The overall objective of separation of duties is you want to prevent a person or persons from perpetrating a fraud and then covering it up.
00:32:25
Speaker
Proper authorization of transactions and activities. Granting of credit should be authorized before a shipment takes place. Why is that important? Why do you have to have a credit rating before you ship goods? Because once it's gone, it's gone. What happens if a customer can't pay? What does that do to the business? What's affected? Accounts receivable. Yes. What else? Bad debts. Yes. So now you create a bad debt, you're out the goods, and you have a decrease in an asset with no corresponding increase in an asset. You want to minimize your risk of selling to a customer who won't pay or can't pay you. This is why doing credit authorizations is important.
00:33:00
Speaker
You're trying to minimize your risk of loss.
00:33:05
Speaker
Adequate documents and records, consecutively pre-numbered forms prepared at the time of the transaction, designing records and documents for multiple use, and documents that are constructed to encourage correct preparation. For example, pre-numbered shipping documents, pre-numbered sales invoices, pre-numbered purchase orders, because this creates the assertion of completeness. It's a way to check that all of the transactions that should be recorded have been recorded. Make sure documents are generated at the time of the transaction. Why is it important to generate the shipping document at the time goods are shipped versus a couple of days later? Well, I'm sorry, revenue recognition. What else? What happens if it doesn't get recorded? A loss results. If we're talking about shipping documents, if you haven't recorded the shipment, that means you haven't recorded the sale necessarily. So the shipment triggers the sale.
00:34:00
Speaker
Physical control of our assets and records. A password is required before entry into the accounts receivable master file can be made. Remember, a company's financial information is an asset. Not everyone should have access. You're controlling who should have access to the information. There's a confidentiality issue with employees, controls over HR information, payroll, and who has access. If customer information is weak and a company faces litigation, creating a huge problem.
00:34:30
Speaker
Customer information that has been stolen, released, or hacked creates reputational issues for the company. Litigation issues for the company. You could possibly lose customers who believe their credit card information or their personally identifiable information isn't kept confidential. Customers would stop doing business with you. Would you go back and do business with someone who lost all your information or your information was hacked into?
00:34:57
Speaker
Your social security number and credit card number are out there. You're not going to be real comfortable dealing with that company anymore.
00:35:07
Speaker
Independent checks on performance. Careful and continuous review, often called independent checks or internal verification. The person responsible for verification must be independent of those originally responsible for preparing the data. Accounts receivable master file contents are independently verified.
00:35:25
Speaker
This is what we look at in terms of doing reconciliations, bank reconciliations, reconciling master files for the general ledger. Someone is checking on a periodic basis to see if all sales have been approved by the credit manager and that that's actually happening.

IT Controls and Security

00:35:42
Speaker
Objectives of an accounting system. Identify and record valid transactions. Describe on a timely basis the transaction in sufficient detail to permit proper classification.
00:35:53
Speaker
measure the value of the transaction appropriately, determine the time period in which the transaction occurred to permit recording in the proper period, present properly the transaction and related disclosures in the financials. If possible, managers should assign the three functions, recording, authorizing, custody to different employees.
00:36:16
Speaker
Segregation of duties is an important control activity. If possible, managers should assign which of the following three functions to different employees.
00:36:27
Speaker
Recording, authorizing, custody. Information communication, the glue that holds it all together. The final two components of the COSO model are information communications and then monitoring.
00:36:39
Speaker
You're dealing with an accounting information system. There are two categories of IT controls, general controls, application controls. The general controls apply to all aspects of the IT functions. While application controls, input, processing, and output operate at the process level and apply to processing transactions. Management should have controls in place for these aspects of IT. For example, controls over the input of customer orders or controls over the input of purchase orders.
00:37:10
Speaker
Because a purchase order creates a contract once you send it out to the vendor. Determine transactions, once input into the system, are subject to processing controls management has in place and are being followed. For example, is there a control that says for all customer orders that are input, there has to be an approved customer order and approved customer number associated with that customer order. The order cannot be processed unless it's matched against an approved customer number.
00:37:36
Speaker
Another control example, all sales to customers who have an outstanding balance greater than 90 days have to be held up in a suspense file and cannot be processed. Look to see that customers with receivables over 90 days old were not shipped and if they were, was there proper approval. Overall objective here is to have accountability over your related assets. Here we have an illustration of the relationship between general and application controls. General controls manage the integrity of IT. Application controls are around the input of data to ensure it is complete and accurate. The oval represents the general controls that provide assurance that all application controls are effective. Effective general controls reduce the types of risk identified in the green boxes outside the general control.
00:38:28
Speaker
General and application controls reduce IT risk. Technology can strengthen a company's system of internal control, but it provides challenges. Here we have a description of the six categories of general controls and three categories of application controls with specific examples for each category. The six categories of general controls have an entity-wide effect on all IT functions. Number one.
00:38:53
Speaker
Administration of the IT functions, which involve the oversight by the board of directors or senior management as a necessary function for effective IT. Two, separation of IT duties, data control should be separated into the following four categories. IT management, system development, operations, data control.
00:39:16
Speaker
Here we have an illustration of the separation of IT duties. The extent of separation of duties depends on the organization size and complexity. Do take note that in many small companies it is not practical to separate the duties to the extent we see in this illustration.
00:39:33
Speaker
Number three, system development is a general control that includes purchasing or developing software that meets the entity's needs as well as testing all new software to ensure that it is compatible with existing software.
00:39:46
Speaker
Which may be done as pilot testing or parallel testing. Four, physical and online security is often called cybersecurity. Physical controls are general controls over computer equipment, including hardware, software, and backup data files. Online access controls are general controls that include proper user IDs and passwords. Five, backup and contingency planning controls is one where IT must have backup and contingency plans because IT systems are subject to power failures, fire, excessive heat or humidity, and even sabotage. Six, hardware controls are general controls built into the computer equipment by the manufacturer to detect and report equipment failure. Application controls are controls that are designed for each software application. Controls may be manual or automated and include the following, input, processing, output controls.
00:40:46
Speaker
Here we have examples of batch input controls such as the comparison of a record count calculated before data entry of the number of vendor invoices to be entered and the number of vendor invoices processed by the system. This would help determine if any invoices were omitted or entered more than once during data entry.
00:41:05
Speaker
Here we have examples of processing controls which are often programmed into software to prevent, detect, and correct processing errors. Examples of processing controls include the determination of the accuracy, validity, and completeness of the data.
00:41:20
Speaker
We will now discuss the types of IT systems and their impact on internal control. The types of internal controls will vary based on the type and complexity of the IT system. We will briefly discuss a few of these systems. First is a local area network, which connects equipment within a small cluster of buildings. Wide area networks are used to connect equipment in larger and even worldwide geographic areas.
00:41:44
Speaker
Database management systems enable companies to share information across several platforms. Enterprise resource planning systems integrate many areas of the company into one accounting information system. Companies use firewalls, encryption techniques, and digital signatures to increase security over IT systems. In addition, IT services are often outsourced to service centers, including application service providers and cloud computing environments.
00:42:13
Speaker
But then monitoring activities deal with management's periodic assessment. That's where the internal audit group comes in. Internal audit monitoring is essential. If you are a manufacturing facility, you might have quality control groups that come in and monitor processes. Most companies have an IT audit group looking at the IT controls because frequently financial auditors, based on their training, are not qualified to really assess IT controls.
00:42:37
Speaker
Monitoring is management's periodic assessment of whether or not internal control is being adhered to as prescribed by management. COSO is a private sector initiative and has spanned 32 years. COSO is a joint initiative of five sponsoring organizations formed in 1985, including the AICPA and Institute of Internal Auditors.
00:43:03
Speaker
These five organizations are tasked with developing a framework that improves organizational performance and governance, focused on reducing the extent of fraud in organizations and providing thought leadership in the areas of internal control, ERM, and fraud identification. Regulatory agencies such as the SEC, PCAOB, and ISACA provide guidance to the framework.
00:43:29
Speaker
While the COSO scalable model was established in 1992, its real claim to fame came from the subsequent release of SOX of 2004. During this time, COSO became the most widely used control framework used in management's assessment of internal control. However, that is not the model's sole purpose as the COSO model is relevant to all companies and institutions when establishing a solid internal control framework.
00:43:55
Speaker
The Foreign Corrupt Practices Act passed in 1977 in response to American corporations' practice of paying bribes and kickbacks to officials in foreign countries to obtain business. The act requires an effective system of internal control and makes payment of bribes to foreign officials illegal. True or false? FCPA says it's unlawful to offer payment to officials to use influence to affect a decision. True.
00:44:28
Speaker
Lockheed Aircraft Case, 1987 through 1990. Lockheed paid foreign officials to favor their company's products. Baker Hughes Case, Oil Field Equipment Services Company, 2007. SEC filed a complaint alleging violation of the books and records and internal control provisions of the FCPA. Failure to implement sufficient internal control to determine whether payments were for legitimate services. The company agreed to pay in disgorgement for violations.
00:44:58
Speaker
The company was charged with falsification of books and records. Daimler, a German automotive company, FCPA charges in 2010. Daimler engaged in misconduct by paying official bribes, offshore bank accounts, and deceptive pricing arrangements in third-party intermediaries. FCPA prosecutions are increasing. True or false? True.
00:45:29
Speaker
In 2001, COSO initiated a project and engaged PricewaterhouseCoopers to develop a framework that would be readily usable by management to evaluate and improve their organization's enterprise risk management.

Audit Process and Deficiencies

00:45:42
Speaker
High-profile business scandals and failures led to calls for enhanced corporate governance and risk management. As a result, Sarbanes-Oxley was enacted.
00:45:54
Speaker
This law extends the longstanding requirement for public companies to maintain systems of internal control, required management to certify, and the independent auditor to attest to the effectiveness of those systems. Adherence to which organization's framework may help companies comply with SOX? COSO? We now know that management is responsible for internal control.
00:46:19
Speaker
The auditor goes through a process, including understanding the entity, examining the internal control risk, and determining risk of material misstatement. This then determines the nature, timing, and extent of further audit procedures. And from the financial statement perspective, these further audit procedures are substantive testing, where the auditor is measuring monetary misstatement. But you notice, as part of the financial statement audit, is that we are examining the effectiveness of internal control. SOX Section 404 audit testing.
00:46:49
Speaker
that the auditor is doing is simply an expansion of the audit of the financials where we are integrating an assessment of internal control to the extent whereby we are actually able to express an opinion on internal control. When was Sarbanes-Oxley passed?
00:47:10
Speaker
July 2002. SOX is an extremely comprehensive piece of legislation that contains 11 sections. Please take note of the requirement for external auditor independence.
00:47:24
Speaker
All of the following represent one of the 11 titles of SOX except auditor dependence.
00:47:37
Speaker
The Sarbanes-Oxley Act of 2002, sponsored by Paul Sarbanes and Michael Oxley, represents a huge change to federal securities laws. Certain provisions of SOX apply to privately held companies and all publicly traded companies must implement and report internal accounting control to SEC for compliance.
00:47:56
Speaker
Executives who approve shoddy or inaccurate documentation face fines up to $5 million and jail time up to 20 years. Provisions of SOX detail criminal and civil penalties for noncompliance, certification of internal auditing, and increased financial disclosure. It affects public and private U.S. companies and non-U.S. companies with a U.S. presence. Year-end financial disclosure reports are a requirement. A SOX auditor is required to review controls, policies, and procedures during a Section 404 audit.
00:48:26
Speaker
Section 302, the essence of 302 states that the CEO and CFO are directly responsible for the accuracy, documentation, and submission of all periodic statutory financial reports as well as the internal control structure to the SEC and are to include certifications.
00:48:47
Speaker
Organizations may not attempt to avoid these requirements by reincorporating their activities or transferring their activities outside the US. Which section of SOX requires a CEO and CFO to certify internal control?
00:49:02
Speaker
302. Section 404, the most complicated, contested, and expensive of all SOX sections for compliance, all annual 10-K financial reports must include an internal control report stating that management is responsible for an adequate internal control structure and an assessment by management of the effectiveness of the control structure. Which section of SOX states the responsibility of management for establishing internal control? 404.
00:49:38
Speaker
Here we have an example of management's report on internal control that complies with Section 404 of SOX and related SEC rules.
00:49:51
Speaker
There are several publications that have been released. Please refer to the COSO website on the screen.
00:49:59
Speaker
Auditors play a role in a system of internal control by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a role in either strengthening or weakening the entity's internal control system. Therefore, all employees need to be aware of the concept and purpose of internal control. Consider the nature of the transactions, routine transactions, revenue, purchases and cash receipts and disbursements, non-routine transactions, taking of inventory, calculating depreciation expense, estimation transactions, determining the allowance for doubtful accounts,
00:50:35
Speaker
Generally, routine transactions have the strongest controls. Recorded transactions are valid, authorized, recorded, valued, classified. At the proper time, transactions are properly included in the subsidiary records and correctly summarized. Ensure compliance with policy and safeguard assets. For example, a CEO is not authorized to approve a corporate merger without board of director review.
00:51:00
Speaker
Just as an accounting clerk is not authorized to approve a $500,000 purchase. Who is responsible for establishing and maintaining internal control? Management. With internal control, you can have a deficiency, a significant deficiency, or material deficiency. If a deficiency becomes significant, we have to decide on the likelihood of whether or not it will result in a material weakness.
00:51:28
Speaker
If it results in a material weakness, it is a reportable item, right? Ask yourself, is there more than a remote likelihood that one or more deficiencies will result in a material misstatement? In other words, does this significant deficiency rise to the level where you will not be able to prevent or detect an error or an irregularity? And what is the impact on the financials? As illustrated in this slide, the auditor must consider two dimensions of the control deficiency, the x-axis, likelihood,
00:51:58
Speaker
reasonably possible, and the y-axis, magnitude, insignificant, significant, or material. What we see here is that we have a matrix of magnitude and likelihood. On the x-axis, likelihood being remote on the left, we're not talking about remote right now, and all the way to the right where we have possible or probable. Then on the magnitude side, on the y-axis, we're looking at things that are not material or significant, then we have not material but significant,
00:52:26
Speaker
Then we finally have material. So what we're saying here is that if the deficiency is not material or significant or not material but significant, we're reporting to the audit committee and to management, but we're not reporting externally. It's only when we have a material weakness in our internal control that this is going to be reported externally as part of our audit of internal control. A material weakness will result in an auditor's adverse opinion or a disclaimer opinion and withdrawal due to a scope limitation due to lack of evidence. This usually means management has not documented internal control. What management must do, and frankly this is how we always complete an audit, is management must follow through with a top-down risk-based approach to identify financial reporting risk and controls, identify locations at risk, and evaluate evidence related to internal control.
00:53:21
Speaker
A deficiency or combination of deficiencies in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statement will not be prevented or detected on a timely basis, which should be reported externally, is a material weakness. Some examples of entity level controls within the control environment, a top-down assessment, consistent policies and procedures.
00:53:50
Speaker
Entity-wide programs such as code of conduct and fraud prevention that apply to all locations and business units. So when you notice this first item here, one of the things that should come to mind is that a strong human resource department is a key element of this top-down approach. Human resources is bringing in the correct people. They're making sure that the people match the jobs, but they're creating this environment where we have a code of conduct. We are able to have fraud prevention.
00:54:16
Speaker
And we're able to have consistent application of these standards throughout the whole entity. As an auditor, and frankly as management, there's no question that one of the first stops in the top-down approach is going to be the human resource department. If you notice the second item, controls over management override, this is a critical element related to the overall entity level controls. We may have a very strong control related to transactions and account balances within the general ledger,
00:54:45
Speaker
But the question becomes is what happens to the financial statement after it leaves the general ledger? Say we've uploaded the data into an Excel file where management is preparing the final adjustments to the financial statement. Any adjustments that are made on this top side should actually be reflected in the financial statement journal entries or in the general ledger journal entries. We want to be sure that management is not doing what we're calling top-sided entries.
00:55:13
Speaker
where they are making adjustments to the financial statement, but these adjustments are not reflected in the general ledger and appropriate journal entries that are documented. The other piece that we want to be aware of is that there should be very specific controls over management related to their ability to generate transactions. In a very strong control system, the senior accountant would initiate manual journal entries. These would then be approved by either the Comptroller or the Director of Finance. While the CFO has the ability to view all data, she actually only has read-only access to the data, so she is not able to make any changes to the financial statement. It's critical that we understand what the control structure is when we're looking at manual journal entries and who has access to initiate transactions, who has access to approve journal entries, making sure any manual journal entries are recorded and documented and signed off on. Management must develop sufficient documentation to support effectiveness
00:56:11
Speaker
of internal control, this may take many forms, electronic files, policies, job descriptions, flow charts, narratives. You notice here there's a requirement for this documentation. So within the finance department there needs to be a sub-department or it could be a part of internal audit where they're responsible for examining and documenting the internal control structure in such a way that when the auditors come in that they're actually able to see what this internal control group has been doing in regards to documenting internal control. And why are we doing this? We're doing this because this is a requirement. This is something that management must sign off on as part of the financials.
00:56:54
Speaker
True or false: entity-level risks are more broad and may include internal and external factors, while transaction-level risks are more specific and apply to a specific function such as a procurement process. True.
00:57:11
Speaker
What we are trying to achieve in our entity and the departments we work in, once we establish these objectives, we can identify what risk might exist to achieving our objectives. And from there, we can determine what controls we might be able to put in place to control the risk. For example, an objective of Big Bucks Corporation might be to increase efficient use of resources. A risk to achieving that goal might be theft of Big Bucks Corporation assets. So a control to put in place to mitigate that risk is key card access to buildings where access is only given to authorized employees.
00:57:51
Speaker
Risk is anything that could jeopardize the achievement of your organization's objectives. Internal controls have the following characteristics. Continuous, since they are not just one single event but built directly into operations, and they are dynamic to accommodate an ever-changing environment. Affected by people. In other words, internal control isn't going to happen by itself. It's like the US Forest Service old campaign slogan, only you can prevent forest fires. Smokey the Bear says don't play with matches in a dry forest. Able to provide reasonable assurance.
00:58:31
Speaker
We'll talk about limitations later. Adaptable to the entire entity or a particular division, business process or other level.
00:58:42
Speaker
Consider the information communication component. This is one of those intuitive steps in the process whereby we explicitly recognize that in order to manage risk, the right individuals must have the right information that is appropriate, timely, available, accurate, accessible. It's nothing more complicated than that. The implementation can be a little more complex.
00:59:02
Speaker
but the deliverable of this step is simple, so let's leave it at that. This taxonomy provides the fundamental classification of cyber risks, which is especially important in evaluating cyber risk in the second step of the cyber insurance process. Computer Security Institute, FBI, and Ernst & Young say nearly half of all network attacks come from the inside.
00:59:31
Speaker
Cost benefit analysis should be conducted to make sure the benefit of planned controls exceed the cost of implementing them. Controls are considered cost effective when their anticipated benefit exceeds their anticipated cost. An ideal control is a control procedure that reduces to practically zero the risk of an undetected error or irregularity.
00:59:53
Speaker
The benefits of additional control procedures result from risk of loss reduction.
01:00:02
Speaker
Basically, compare the cost of having the control in place versus not having the control. Notice the lower right-hand corner and $800 savings with the control in place.
01:00:17
Speaker
Let's move on to some of the key terminology you need to know to talk about internal control as it is widely accepted in the US.

COSO Framework Components

01:00:24
Speaker
We'll talk about the COSO framework and the five integrated components.
01:00:29
Speaker
The moral of the story here is that internal control isn't just something fun to add to our list of things to do. Without internal control, there isn't just risk of fraud and mismanagement of assets. There's a proven history of fraud and mismanagement actually occurring on very large scales.
01:00:49
Speaker
As we explained, most entities use the framework developed by COSO. You notice that we essentially have a three-dimensional depiction of the internal control framework. This COSO Cube provides a framework of how we consider internal control. On the top, we divide internal control into three objectives, operations, reporting, compliance. A particular objective may fall into more than one category, the same way a single objective may be the responsibility of more than one executive. The categorization does not impact how the framework is applied. On the side, you notice we have a top-down approach. We're looking at entity, division, operational units, and finally, functions.
01:01:27
Speaker
On the front here, what you notice is that these are the specific five components which form the basis of the COSO framework, and it's going to be what we will talk about over the next couple of slides. How do you remember this knowledge? Use a mnemonic, C-R-I-M-E. It would be a crime not to have internal control. Then map the five letters to each of the components.
01:01:52
Speaker
C, control activities, R, risk assessment, I, information communication, M, monitoring, E, environment. Which of the following is not one of the three objectives of COSO? Promote firm profitability.
01:02:13
Speaker
Objectives are critical to the excessive corporate strategy. For operations, such examples as achieving a 60% market share or maintain a technological leadership position in the industry, strategic and operational objectives may be subject to externalities that are beyond the control of management. And in these instances, our enterprise risk management system provides reasonable assurance that the board of directors is notified on a timely manner as to the extent of progress towards the achievement of objectives.
01:02:43
Speaker
Operational objectives are those goals describing the effective and efficient use of resources. Consider such operational objectives as maintaining a defect rate of less than 0.1% of production or achieving plant availability of 95% or containing overtime hours to less than 2% of total hours worked. Product quality and customer service. External reporting is important to ensure that the organization meets the needs of its stakeholders. So consider the impact of continued flow of capital that is necessary to meet the organization's objectives. Compliance objectives ensure conformance with all applicable laws and regs. So for example, compliance with health and safety regulations, hazardous material regulations, environmental protections, securities laws, civil laws, compliance with the SOX Act. Failure to meet our compliance objective can result in significant fine or even threatened going concern.
01:03:39
Speaker
So obviously we need to have a mechanism in place to monitor progress. So for your entity, it would include the state and its various administrative bodies as well as federal regulations related to contracts, tax law, export controls, or payment card industry standards. A particular objective may fall into more than one category. The same way a single objective may be the responsibility of more than one executive. A categorization doesn't impact how the framework is applied. What's important to understand is that the objectives Do not exist in isolation. Consider all objectives explicit or implied to bring context to your risk management plan. Effectiveness and efficiency of operations. Then reliable financial reporting. Finally, compliance with laws and regulations.
01:04:33
Speaker
What is not an objective of COSO? Education. Here again is the COSO model. COSO's original framework was established in 1992 and was recently updated in May 2013. According to COSO, this framework is intended to be more reflective of the current environment. For instance, taking into account new risks such as bad PR via social media. Cover more business objectives, giving us more integrated approach to addressing organization-wide objectives and trying to move beyond Sarbanes-Oxley. Be flexible and customizable.
01:05:09
Speaker
The framework identifies 17 principles which are intended to formalize fundamental concepts to help organizations specify objectives, assess risk, and deploy controls. A principles-based framework allows people within an organization to make decisions based on the spirit of the principle rather than overemphasizing rules at the expense of judgment. This avoids the mentality in a rules-based environment where employees might conclude that anything not forbidden is permitted. In general, one of the keys to implementing COSO is to shore up controls in the right areas. How do we define right areas? Through risk assessment, which we'll go over shortly. Well, if it's 17 principles, what holds up a principle? Imagine going into a bar, and you're ready to take a seat at the bar. And then you look at this bar stool, and there's four legs to it. The principle is the bar stool seat. The legs are your points of focus.
01:06:09
Speaker
to be discussed. The auditors are pushing you to align with COSO and do it in a way because they get audited by the PCAOB. The Public Company Accounting Oversight Board is a private sector non-profit corporation created by Sarbanes-Oxley to oversee the audits of public companies and other issuers in order to protect the interest of investors and further the public interest in the preparation of informative, accurate, and independent audit reports.
01:06:37
Speaker
All PCAOB rules and standards must be approved by the U.S. Securities and Exchange Commission.
01:06:47
Speaker
We'll now talk through each of these components, starting with environment. You can download your free COSO transition template from the resources page. Okay, it'll be a two-tab Excel spreadsheet. There's an implementation group called COSO Implementation on LinkedIn, also on the resource page.
01:07:10
Speaker
The first component of the framework is the control environment, a set of standards, processes, and structures for carrying out internal control. The environment comprises the integrity and ethical values of an entity, as well as management's philosophy and operating style, organizational structure, how management assigns authority and responsibility, both along functional and administrative reporting lines, the competence of the entity's people, personal development, including training and support, as part of the environment,
01:07:40
Speaker
The board of trustees and senior management must establish a tone at the top, a visible willingness by senior management to let values drive decisions, to prioritize those values above other factors, including financial results, and to expect all others in the organization to do the same. This in turn establishes parameters that enable the board to carry out its governance, oversight of responsibilities, for example,
01:08:06
Speaker
Many companies such as Caterpillar Tractor have a code of conduct. This helps set a tone at the top for the company, setting expectations for company employees and others, acting in service to the company, and allowing the company to address any violations of these standards. In the same way, all leaders at the organization are responsible for setting the tone at the top in their respective departments and units. This tone should match that set by senior management, but can be tailored to specific needs of the business unit.
01:08:36
Speaker
The control environment is a set of what to provide the basis for carrying out internal control across the organization.
01:08:46
Speaker
Standards, processes, structures, all of the above. This diagram depicts the control environment as it relates to financial reporting. As you can see, the environment serves as an umbrella for the entity's framework.
01:09:02
Speaker
Listed are some of the specific areas that the control environment should cover. In addition, as part of your regular business process, you should continually monitor and update your environment for ongoing changes. An organization should demonstrate a commitment to integrity and ethical values, true or false? True.
01:09:23
Speaker
Control environment, sound personnel policies for reference.
01:09:30
Speaker
One other thing to keep in mind when designing your environment is the difference between a compliance versus an integrity strategy. A compliance strategy prevents wrong. An integrity strategy fosters right. Sometimes a combination of both may be warranted. Finally, in order for the environment to be effective, it must be documented. The first step is to properly identify a process.
01:09:57
Speaker
Types of documentation include process narratives, organization charts, flow charts, questionnaires, memorandums, checklists. The second component of the framework is risk assessment, a dynamic and iterative process for identifying and assessing risk. Risk can be introduced by change, for instance,

Risk Appetite and Assessment

01:10:18
Speaker
new leaders and managers, new markets and products, growth, emerging technologies. One way to categorize risk is along four key risk areas: strategic, including political risk, talent and succession planning risk, risk from dependency on other organizations; financial risk, including audit findings and other things that would undermine reporting integrity; compliance risk, including fraud and noncompliance with fair employment practices; operational risk, that programs fail to meet their objectives, natural disasters, and lack of
01:10:56
Speaker
technology availability. Proper risk assessment allows efficient use of resources.
01:11:04
Speaker
Notice how objectives, risk, and control cross-pollinate across the base of the COSO model. Note the virtual IT component at the base of the model. Control activities include firewalls, security, system development lifecycle, change control, operations,
01:11:25
Speaker
supply chain planning, and safety stock parameters. Information communication would include IT policies, standards, emails, scorecards, dashboards, project control, and a help desk. Monitoring would include server logs, database logs, firewall logs, intrusion detection, incident response, awareness training.
01:11:49
Speaker
Risk management has surpassed compliance as a top governance, risk management, and compliance priority at most organizations. Avoiding a high profile data breach such as experienced by Equifax, eBay, TJ Maxx, for example. You know, public utilities are very regimented with their risk philosophy and it's well documented with all sorts of policies and committees. Similar to risk philosophy,
01:12:18
Speaker
is a concept of risk appetite. This is the amount of risk that an entity is willing to accept. Public utilities only invest in new power lines or power plants when they are sure they can recover these costs through the rates they charge their customers. Which of the following has surpassed compliance as the top GRC priority of most organizations?
01:12:44
Speaker
Risk management.
01:12:46
Speaker
As mentioned earlier, we should identify objectives first, then risks, and finally controls. Here is an illustration of the risks of weak internal control. Think of the goals associated with these risks, and by the end of the presentation, you'll be able to identify some of the controls we can put in place to mitigate these risks. Risk assessment is an element within the risk management process to identify and assess key risks in achieving objectives,
01:13:16
Speaker
and it forms a basis on which control activities are determined. Risk management is a process to identify and manage risk to stay within a risk appetite and tolerance level and provide assurance about achieving entity goals and objectives. Which of the following is not part of the risk assessment process? Mitigate risks. Risk assessment should occur at the business process level as well as the entity level. Apply these four risk assessment factors.
01:13:46
Speaker
One, materiality of the amounts in question. Two, complexity of the process. Three, history of accounting adjustments. Four, propensity for change in the process or control.
01:14:02
Speaker
Internal considerations include use of qualitative and quantitative methods, change in management responsibilities, weak or unresponsive tone at the top, human capital, quality of personnel hired and retained,
01:14:15
Speaker
employee sabotage, system security weakness, rapid growth, change in process or access to assets. External considerations include technology advancements, changing or evolving client or constituent needs or expectations, changing legislation and new laws or regs, decentralized organization operations, natural disasters, impact of political and economic changes.
01:14:43
Speaker
Here is an example of a risk matrix. Here we see a risk map where the x-axis shows likelihood, where A, B, C, D, E, F are remote, unlikely, low, possible, probable, certain, and then the y-axis shows magnitude, 4 being extreme, threatening ongoing existence; high, difficult to achieve business objectives; 3, medium, makes achieving business objectives challenging; 2, low, some undesirable outcome; 1, negligible, no noticeable impact on objectives.
01:15:15
Speaker
So once we have assessed the risk, we can consider the entity's tolerance and appetite related to the response. If the likelihood is low and the impact is marginal, then that falls within the green area on this chart, and management may decide that resources should be directed elsewhere for more pressing needs. However, if a risk has a likelihood of reasonably possible and an anticipated impact of severe, then that falls within the red area on this chart, and management may decide to direct resources toward the mitigation of this risk.
01:15:46
Speaker
What areas are considered green, yellow, or red need to be set before a meaningful assessment can take place. One overall question to keep in mind is what is the impact to stakeholders? We're now at the point where we have to assess each risk in terms of potential magnitude and likelihood. The magnitude of risk events can be qualified according to severity. At the extreme end of the spectrum, a risk can threaten the very going concern of the entity.
01:16:14
Speaker
Risks that are determined to have a medium or high magnitude threaten to varying degrees the achievement of our business objectives, whereas risks that are deemed to have a negligible outcome are unlikely to induce any significant consequences. Evaluate likelihood using language such as remote, unlikely, low, possible, probable, and certain, with the percentage guidance noted on the model. Combining these two dimensions creates a hot map of sorts. Obviously, the greater the likelihood and the higher the potential magnitude, the more critical the risk. Once we have plotted all our risk events, we then get a very visual sense of where our risk management priority should lie. Using this hot map as a guide, we can next move on to developing our risk response. Now let's look at our risk

Risk Response Strategies

01:17:05
Speaker
response. There are four potential ways to deal with risk.
01:17:08
Speaker
that we have just identified on the hot map. Avoidance, reduction, transferring/sharing, and acceptance. Avoidance means we divest the activity. For example, if we're worried about challenges of production, we could choose to outsource production to someone else and let them assume the risk. Reduction means we take actions to reduce risk. This is a common approach for many risks as it's often difficult to avoid risky activity altogether. For example, if we're running a trading floor,
01:17:38
Speaker
Obviously, there's a risk of a rogue trader in our midst. It's common for a trading operation to have a middle office function who evaluates the trades, confirms them with the counterparties, and monitors risk using predefined measures. Transferring/sharing means we offload a portion to someone else, insuring our business for commercial liability, fire, property insurance. Business interruption insurance provides the company with compensation when an adverse event happens. We might undertake a derivative instrument such as an interest rate swap or a forward contract or an option contract as a means of avoiding market risk, commodity risk, or foreign currency risk. Note, however, we now have counterparty risk to consider. Acceptance is the all-too-common default approach. At times acceptance is all that can be done, though that rarely should be an acceptable rationalization.
01:18:30
Speaker
The decision to accept risk should be driven by a cost-benefit analysis. Risks that are in the green zone are candidates for acceptance. For example, there may be a risk of losing a certain staff member for a variety of reasons unrelated to our HR policies. For instance, due to pregnancy, personal circumstances, or illness. And in such cases, it's not economic to address these sorts of risks. The threshold for action is driven by appetite and philosophy that was set at the outset when we looked at the environment.
01:19:00
Speaker
One final comment though, we implicitly want to avoid risk in the red zone. Avoiding risk is not always possible or desirable. In fact, taking on risk is the very nature of business. As long as you're being compensated for taking on incremental risk, you may very well choose acceptance as a viable strategy to a critical risk. This is where you begin to appreciate just how integrated risk management is with the overall company strategy.
01:19:35
Speaker
This is a good time to talk about confidential destruction of unwanted data. First of all, to wipe a hard drive means to completely erase the drive of all its information. Deleting everything does not wipe a hard drive and formatting does not always wipe a hard drive. You'll need to take an extra step to wipe the hard drive completely. When you format a hard drive or delete a partition, you're usually only deleting the file system making the data invisible or no longer blatantly indexed but not gone.
01:20:04
Speaker
A file recovery program or special hardware can easily recover the information. If you want to make sure that your private information is gone forever, you'll need to wipe the hard drive using special software. However, to completely eliminate the risk of data falling into the wrong hands when it comes to selecting ways to destroy unwanted data, organizations have a short menu. There are basically three options: overriding, which is covering up old data with information; degaussing, which erases the magnetic field of the storage media; and physical destruction, which employs techniques such as disk shredding. Each of these techniques has benefits and drawbacks. Degaussing is expensive and can cause collateral damage to other equipment nearby. In fact, Department of Defense requirements call for hard drives to be degaussed in an NSA-listed degausser and then physically destroyed prior to disposal. Overriding is a long process, particularly on high capacity drives, because it's done selectively
01:21:03
Speaker
and some sectors or partitions may not be accessible. Physical destruction of data by disk shredding or melting renders physical storage media unusable and unreadable. Intel has found that physical destruction is an efficient method of getting rid of unwanted data when transporting storage media for degaussing is not practical or secure. Which of the following methods is one of the most effective ways to destroy unwanted data?
01:21:32
Speaker
Physical destruction by shredding or melting. How do hackers get in? Typically, holes in the Wi-Fi security, which is the low-hanging fruit. The SEC recommends an access pin in all cases with 256-bit encryption. Do not connect personal or untrusted storage devices or hardware into computers, mobile devices, or networks. Conduct online business securely by using a secure browser and erase the web browser cache,
01:21:59
Speaker
temporary internet files, cookies, and history regularly. IBM Compliance

Control Activities Explained

01:22:06
Speaker
Warehouse for Legal Control captures and stores relevant emails, documents, and other unstructured content, as well as structured data, and allows managers to apply basic handling policies, such as who can access, delete, or change the content. A Cognos-based dashboard is then used to retrieve and display the content for legal and operational analysis, much like a traditional business intelligence system.
01:22:29
Speaker
The companies will need additional governance and risk software to sit on top of the IBM Compliance Warehouse that applies specific compliance requirements to unstructured data to meet SOX and COSO full compliance. So next we'll look at the control activities to help reduce and manage risk. In 2008, which vendor released a compliance warehouse application for unstructured content? IBM.
01:22:57
Speaker
The third component of the framework is control activities. These activities are performed at all levels of the entity and are exactly what they sound like, the activity part of the framework. While control environment and risk assessment set the stage for good controls, control activities is the bread and honey of where the control work is done.
01:23:20
Speaker
There are several types of control activities, including preventive, detective, corrective, compensating, manual, and automated. We will go over the difference between these control types next. Preventive and detective controls should not be treated as mutually exclusive because they are interrelated. Examples of control activities include approval and authorization, embedded verification, reconciliation, independent review, asset security, separation of duties,
01:23:49
Speaker
Some non-financial reporting controls might include such things as standardized budget and strategic planning, anti-fraud controls, management review and discussion, general computer controls, ethics policies, background checks on all new employees, clarification of errors vis-a-vis fraud. Errors are not deliberate. Inadvertently taking an expense to the wrong account, for example, an advertising expense shows up as amortization expense,
01:24:18
Speaker
The two accounts are next to each other in the chart of accounts, and the data entry clerk made a simple key error. Fraud occurs when someone purposely produces deceptive data. Fraud takes place when you find evidence of intent to mislead. You need to be on the lookout for two types of fraud. One, misstatements due to fraudulent reporting activity. In this type of fraud, management or owners are usually involved, and the fraud is facilitated by overriding internal control.
01:24:47
Speaker
Two, misstatements because of misappropriation of assets. This type of fraud is usually perpetrated by non-management employees. Red flags for fraud: no vacation, voluntary overtime, unexplained variance, complaints, no reconciliation, one employee does it all, documentation is not original, a rush request. Who commits fraud? The three factors known as the triangle of fraud: pressure, usually caused by financial need or desire; ability to rationalize, to make excuses and not think of the crime as stealing; and opportunity, which typically arises from weak internal control or too much independence or control given to someone. How does fraud occur? Examples: in billing, an employee submits an invoice for payment to a bogus vendor or for personal expenses,
01:25:43
Speaker
Non-cash, employee steals office supplies, stamps, business services, identity of students, employees, customers, staff, et cetera. Expense reimbursement, employee files expense report claiming personal travel, non-existent meals. Skimming, employee accepts payment from customer but does not record it. And payroll, employee takes unreported annual or sick leave, claims overtime hours not worked, adds a ghost employee to payroll.
01:26:12
Speaker
Professional judgment is required to find just the right mix of your manual, automated, preventive, and detective controls. Our goal is to reduce residual risk to an acceptable level by performing one or more control activities. Let's again consider the rogue trader example. The key control activities would include a daily reconciliation of the trading blotter, well-established trading policies and parameters, voice recording of all transactions,
01:26:40
Speaker
confirmation of trades with counterparties by someone who is not the trader, and daily trade metrics calculating the net exposure to the company. A monthly settlement process to ensure all trades are recorded. With the appropriate control environment and effective performance activities, inherent risks should be adequately mitigated. What is the distinguishing factor between errors and fraud?
01:27:08
Speaker
Intent.
01:27:11
Speaker
The first way we can categorize control activities is between preventive and detective. Preventive controls prevent the occurrence of a negative event in a proactive manner. Examples include approval required for purchases greater than $5,000, passwords required for computer access, petty cash that must be held in a lockbox, security and surveillance systems in high-risk areas, and consecutively pre-numbered checks.
01:27:41
Speaker
Preventive controls are stronger than detective controls. It is more effective and less costly to prevent something from happening rather than to attack it on the back end. Preventive control activities are the most cost effective of the three types of internal control activities because they help prevent the loss of assets in the first place and are often not very expensive to implement. Here are some other activities of preventive controls to safeguard assets.
01:28:10
Speaker
bonded, insured cash handling employees, dual signature requirements on all checks over a predefined amount such as $1,000, employee background checks, employee training and required certifications, password-protected access to asset storage areas, physical locks on inventory warehouses, security camera systems, separation of duties, that is recording, authorizing, and custody all handled by separate individuals,
01:28:41
Speaker
Detective controls detect the occurrence of a negative event after the fact in a reactive manner. Examples include supervisor review and approval, reports that are run showing user activity, reconciliation of petty cash, annual physical inventory counts, review of missing and voided checks. Detective controls seek to identify when preventive controls were not effective in preventing errors and irregularities.
01:29:09
Speaker
particularly in relation to the safeguarding of assets. Further examples of detective controls are bank reconciliation: cash per bank is reconciled to cash per books. Control totals: cash per cash register tape is reconciled to cash received in the cash register bag. Physical inventory counts: inventory is physically counted and then compared to the inventory ledger.
01:29:35
Speaker
Reconciliation of general ledger to detailed subledgers. Surprise counts of cash on hand: petty cash is counted on a random and surprise basis. This chart shows corrective controls, but I would deem them as corrective actions since the correction isn't really a control itself. When detective controls identify an error or irregularity, a corrective control should then kick in to see what could or should be done to fix it and hopefully put a new system in place to prevent it the next time around. For example, data backups can be used to restore lost data in case of a fire or other disaster. Data validity checks can require users to confirm data inputs if amounts are outside a reasonable range. Insurance can be utilized to help replace damaged or stolen assets. Management variance reports can highlight variances from budget to actual for management corrective action. Training and operation manuals
01:30:35
Speaker
can be revised to prevent future errors and irregularities.
01:30:41
Speaker
There are compensating controls which may be relied upon to mitigate existing risk if a control activity that should otherwise be in place is not in place. Compensating controls can either be preventive or detective. One common scenario is when the department or unit does not have the staff resources to establish adequate separation of duties.
01:31:02
Speaker
Potential compensating controls could include automation of certain transaction data that then cannot be altered by staff, that is, removing humans from the process altogether, and manager review of detailed summary reports of the transactions initiated by the staff. So if one grocery staff member is a requester and a supervisor is the approver, then the overall manager of that area should on a periodic basis, say monthly, separately review summary reports of these transactions. Another option would be for a peer, staff, and/or manager, someone separate from the personnel involved with making the transaction, to select a sample of transactions and vouch back to supporting documentation.
01:31:48
Speaker
Procedures to prevent fraud: increasing the perception of detection. It is easier to prevent fraud than detect it. Perception of detection is the most effective fraud prevention method. Employee education, job rotation, effective reporting programs. Given all the following fraud prevention methods within the organization, which is probably the most effective?
01:32:15
Speaker
Increasing the perception of detection. The final category of controls we'll go over is manual versus automated. Manual controls require action to be taken by employees. Examples include obtaining supervisor's approval for overtime, reconciling bank accounts, matching receiving reports to purchase orders. Automated controls are built into the network infrastructure and software applications. Examples include passwords, data entry validation checks, and batch controls. Automated

Information and Communication Systems

01:32:49
Speaker
controls are more reliable and cost-effective than manual controls. The fourth component,
01:32:56
Speaker
of the framework is information and communication. This component is the glue that holds the framework together. Management and employees must be able to exchange the necessary internal and external information so people can carry out their responsibilities to achieve corporate objectives. Beyond just the IT framework, what we're really talking about is not only information from internal and external sources, primarily IT driven, but communication.
01:33:25
Speaker
Communication within the organization is extremely important to maintain the environment. Without a strong communication network within the organization, the communication is still going to be there, but is going to be based upon gossip, innuendos, and other types of information that is not very conducive to the control environment.
01:33:51
Speaker
It is important to have

Monitoring Internal Controls

01:33:52
Speaker
controls in place to identify and communicate change across the organization, true or false? True. The fifth and final component of the framework is monitoring. Monitoring activities are evaluations used to ascertain whether components of internal control are present and functioning. These evaluations can be split into two categories. One, ongoing evaluations are built into business processes and provide timely information on underlying controls.
01:34:23
Speaker
Two, separate evaluations are conducted periodically and vary in scope and frequency based on prior assessments of risk, effectiveness of ongoing evaluations, resource prioritization, and internal audit activities. Any findings that result from monitoring should be evaluated against relevant criteria, for example, how long has the control been compromised and how high are the risks.
01:34:54
Speaker
Any pernicious deficiencies that are found should be communicated to the board and senior management, who confirm that the findings of the audit and other reviews are promptly resolved so internal control is not compromised. Monitoring should be directed at both internal and external risks to the organization. Internal risks include payment card, procurement card,
01:35:23
Speaker
contract compliance, IT, cash handling, ethics, travel and expense accounts. External risks include economic downturn, decrease in product or service demand, increase in competition, change in regulations, reliability of sourced goods affecting profitability. Monitoring consists of supervisor review and sign off to help ensure proper checks and balances. Your organization should have a strategy for effective ongoing monitoring.
01:35:57
Speaker
Some form of self-assessment in which the users themselves can evaluate the controls helps reinforce which controls are to be performed and keeps risk management practices in the forefront for employees. Monitoring requires consideration of any changes in circumstance and should be designed to test an adequate number of key controls, and to develop test procedures and sampling that are appropriate for the related risk to the entity. To test control processes, first identify key controls, transactions to be tested, and applicable standards against which to test the transactions. Then determine the appropriate type of testing, for example, ongoing or separate evaluations, and the extent of testing,
01:36:48
Speaker
For example, determining how often to test or the sample size needed. From there, create a test plan, conduct tests for effectiveness, document test results, assess results, and communicate findings and recommendations to appropriate people.
01:37:08
Speaker
Once completed, results must be analyzed and reported. If deficiencies in controls are found, they should be categorized as either design or operation deficiencies. When auditing design effectiveness, consider how does the transaction work, who ensures that the control is in place, what data or reports can be used to monitor the control, and evaluate using process narratives, flowcharts, and other documentation.
01:37:40
Speaker
Testing for operating effectiveness can include reviews of supporting documentation for proper authorization, reviews of periodic reconciliations, and reviews of policies and procedures to determine if they are being followed. All of these reviews can be performed on a sample basis.
01:37:59
Speaker
Document the evaluation of internal control at the entity and process levels: what testing was performed, who performed the work and when, the nature, timing, and extent of testing, and results of identified deficiencies. Understand the evidence obtained, and support any conclusions reached.
01:38:21
Speaker
Operating together refers to the determination that all five components collectively reduce the risk to an acceptable level in order to achieve an objective. Individuals should not be held accountable for their internal control responsibilities since this is considered an extra task, true or false.
01:38:43
Speaker
False. Use this form to document internal controls and any weaknesses. It contains all the elements of the COSO model. The COSO integrated framework utilizes the idea of principles which articulate and expand upon components. These components have been around and were included in the 1992 framework. The committee felt financial reporting really makes it far too narrow and we really should be looking at the various other activities on strategy, compliance, and operations.
01:39:13
Speaker
So driving home this idea of something beyond just financial reporting, an integrated process on transactions and performance of our controls, more clarity so each of the components now has principles, and the principles have points of focus, and then the compendium model has approaches and examples for each of the principles and points of focus. As I mentioned, there are five components and 17 principles. Underneath the principles, each principle has points of focus
01:39:42
Speaker
that should be considered, and then underneath that you'll have your controls. So if I extended this a little bit further and you factored in the compendium model, you have approaches and examples to consider as part of your control, points of focus, and principles. So that's the organization of the components all the way down to the controls. Now the layout of the 17 principles and points of focus looks like this. Let's look a little bit deeper at the framework. This illustration here is the relationship between the components and principles. You can see the 17 principles are pervasive and how they map to each of the components. For the principles, it is expected that each of these principles is adopted by the users of the framework. There are situations, which we believe are rare, where a principle may not be applicable, and that may depend on your industry or your specific business requirements, but there's an expectation that these 17 principles would be used by the users of the framework. If I take an example of a principle,
01:40:40
Speaker
These are abbreviated versions of each principle, but for information and communication, number 13 uses relevant information. What you'll see in the framework is an expansion of using relevant information: that the organization obtains or generates and uses relevant, quality information to support the functioning of internal control. And underneath that, you'll have your points of focus and then examples and approaches.
01:41:07
Speaker
Certain things need to be in place in order to have an effective control environment. Each of the five components needs to be present and functioning. I think of it as designed, implemented, and operating effectively when I say present and functioning. How many principles make up the control environment? Five.
01:41:32
Speaker
Components and principles are suitable for all entities. All 17 principles apply to each category of the objective, as well as to the objectives and sub-objectives within each category. Components are not meant to operate each in a separate silo, but instead, collating from multiple layers, it is expected that each of those components have been integrated and are now operating together. Additionally, if they are not operating together or present and functioning, this would be considered a major deficiency. For example,
01:42:03
Speaker
If you're using the framework for SOX purposes, then it may be considered a material weakness if one of those components are not present and functioning.
01:42:13
Speaker
So there needs to be pervasive evidence in place that the 17 principles are present and functioning. All right. Internal control in the small company, due to lack of employees, internal control is seldom strong in small businesses. Specific practices for small businesses,
01:42:32
Speaker
Record all cash receipts immediately. Deposit all cash receipts intact. Make all payments by serially numbered checks with exception of petty cash disbursements. Reconcile bank accounts monthly and retain copies. Use serially numbered invoices, POs, and receiving reports. Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports. Balance subledger with control accounts.
01:42:58
Speaker
Prepare comparative financial statements monthly to disclose significant variation in any category of revenue or expense. In 2006, COSO issued their internal control over financial reporting for smaller public companies. The guidance summarizes 20 key principles and related attributes required for effective internal control with detailed illustrations and implementation approaches for smaller companies.
01:43:27
Speaker
We spoke about the bar stool analogy in an earlier slide. Going into a bar and you're ready to take a seat at the bar and then you look at the bar stool. There's four legs to it. The principle is the bar stool seat and the legs are your points of focus, hints or suggestions. So as long as you have enough legs to sit on that seat, you feel very comfortable. You're okay. That's what points of focus really are and they're key characteristics to a principle, hints or suggestions.
01:43:52
Speaker
You look at the different ways to cross-reference to points of focus because some approaches cover more than one point of focus. In your transition analysis, when you get deeper into multi-location issues, you're going to have to break out not only the different locations, but which was fully in scope, partially in scope, and do some in-depth analysis of key controls by location that obviously aggregate to your aggregate score of a control deficiency or a material weakness.
01:44:21
Speaker
This diagram illustrates the relationship between the components, principles, and points of focus. So a point of focus is an important characteristic of a principle. These are not all required. It's guidance to help you in adopting the framework.

Control Environment Characteristics

01:44:34
Speaker
So there's a thought that the points of focus would be very useful for the user of the framework and the user to review your current controls against their related points of focus to ensure you've not missed anything.
01:44:49
Speaker
Control environment point of focus. Risk assessment points of focus.
01:44:56
Speaker
Control activities points of focus. Information communication points of focus. Monitoring activities points of focus. Please be aware of important attributes, the yellow box in the upper left-hand corner. This is a plethora of excellent steps and measures related to each applicable principle. Sort of a recipe book for applying each principle. I wish we had more time.
01:45:22
Speaker
I will toggle through these 17 principles: integrity and ethical values, independent board of directors, roles and responsibilities, commitment to competence, accountabilities, objective setting, risk identification and assessment,
01:45:49
Speaker
fraud risks, impact of changes, activities that mitigate risk, IT infrastructure controls, deployment through policies and procedures, other management and quality initiatives,
01:46:09
Speaker
indicators and measurements, internal communications, external communications, ongoing and separate evaluations of components, reporting of deficiencies in control. Please refer to the previous slides when you have more time. Implementation roadmap. In this example, we are now ready to transition internal control, an example being over financial reporting, to the framework. And this slide is a high-level graphic of potentially what a phased approach could be
01:46:45
Speaker
for adopting the COSO framework to the SOX 404 external financial reporting requirement. Step one, educate and communicate. Push out documentation to your stakeholders. You're ready to begin that process of becoming aware of what's involved in the framework, and the right stakeholders within the organization are aware. And they understand their roles in adopting it and understand what is required of them. Step two is conduct a preliminary assessment. So taking those 17 principles and considering the points of focus, how do they map to your existing controls? What are some of the high-level gaps to come out of that mapping exercise?
01:47:24
Speaker
Where do documentation plans need to be made based on those gaps? I'll explain how to do this next. So this can be a spreadsheet-based exercise. Visualize a control matrix with the 17 principles as column headings on the x-axis and existing controls on the y-axis, then evaluate, i.e. check the box, whether existing controls are hitting the principles. You need to hit the principles in order to hit the points of focus. Step three.
01:48:13
Speaker
would do the comprehensive assessment and develop a transition plan and action plan, and then step four, the final piece is to actually execute. When going through the mapping exercise, look for controls in place to meet all 17 principles. Be sure controls in place are documented and formalized. Assess fraud risk. Make sure any outsourced providers are paying proper attention to internal control of our financial reporting. Smaller companies in particular have been wrestling with this issue and their COSO implementation because they typically have outsourced a greater portion of the finance function than larger companies, leaving less financial expertise to oversee those relationships. The fact that people are involved and people have inherent frailties in their personalities is an overall limitation.
01:49:06
Speaker
Identify and document all controls associated with key processes. So if the process is cash receipts, three key controls might include use of a lockbox and numbered receipts when collecting cash, segregation of duties between the person who receives the cash, deposits, and reports the cash receipt, and the person preparing the reconciliation. Thirdly, review and sign off cash receipt and accounts receivable reports, and bank reconciliation by a supervisor not involved in the cash handling duties. Then identify the characteristics of controls that
01:49:42
Speaker
when functioning as intended would provide the evaluator with a level of comfort to conclude that the control is effective with respect to a given risk. So in our cash receipts example, perhaps your department does not have enough staff to enable full separation of duties. However, as long as the person who receives and deposits cash is separate from the person who records the cash, that may give you a level of comfort with regard to control, as long as you are reviewing bank reconciliations and other reports on a periodic basis.
01:50:21
Speaker
Quick review of control principles that can be applied on a practical level to any process. One, establish responsibility. All key tasks should be assigned, and they should be assigned to only one person. If tasks are not assigned, you run the risk of no one taking responsibility or multiple people doing duplicative work or colluding. Two, segregate duties. The following responsibilities should be segregated into separate business processes, custody, recording, authorizing, and reconciling the transaction.
01:50:51
Speaker
Remember compensating controls can be put in place where full separation of duties is not possible. At the very least, you do not want to make one employee responsible for all parts of the process. A key to defeating opportunity for fraud is to divide key functions so no one person has control over all parts of the transaction. Three, restrict access. Don't provide access to systems, information, or assets unless access is needed to complete assigned responsibilities.
01:51:21
Speaker
operate on a need to know basis. Four, document procedures and transactions. We've already talked about documentation. It's necessary to prepare evidence to show activities have occurred and verify findings. Finally, five, independently verify. Remember to check other's work. Don't let an employee have unbridled or unchecked authority. Higher risk transactions such as purchase of goods and services, cash receipts, payroll operations, inventory operations,
01:51:48
Speaker
present higher opportunity for fraud and misappropriation. Finally, a few characteristics of good controls: focused on critical points of operations, integrated into established processes, should not be burdensome but part of the actual process, accurate in that they provide factual information that is useful, reliable, valid, and consistent, simple and easy to understand, accepted by employees, cost-effective,
01:52:17
Speaker
Control should not cost more than the risk they mitigate.
01:52:23
Speaker
In our final section, we're getting near the end, we'll try to bring all the pieces together and see how you can incorporate internal control within your current processes and how the COSO framework may affect your organization. Compare components and principles to current internal control considering points of focus, identify control environment, document risk assessment,
01:52:44
Speaker
and potential fraud, control activities and monitoring as a result of risk assessment, controls over outsourcing to service providers, and considerations related to IT.
01:52:58
Speaker
Okay, I'm going to assume that you now have an idea of what internal control is. We're going to use a framework to describe a system of internal control of a company. The COSO framework defines the entity's controls as those that are implemented for multiple transaction cycles or for the entire organization.
01:53:13
Speaker
The control environment consists of the active promotion of ethical values and integrity throughout the organization. A commitment to the establishment of confidence and active and qualified board of directors and audit committee. Board of directors should be independent of management and exist to challenge management and scrutinize management's effectiveness. Audit committee has oversight responsibility for financial reporting and acts as a conduit between management and external auditors.
01:53:42
Speaker
Next, the control environment is influenced by management's philosophy and operating style. Employees take their cues from company leaders to determine how seriously internal control factors into their priorities.

HR and Business Structure's Role

01:53:54
Speaker
Human resource policies are critically important to ensure the company hires competent and trustworthy people. Business structure, authority, responsibility, and control methods factor into the environment as well. As we discussed, the IT systems have a pervasive impact on the effectiveness of internal control, and an internal audit function can greatly enhance the operations of an entity. So there's a lot to evaluate before you can make an assessment as to whether a company has an effective internal control environment or not. The other components of the COSO framework that get considered after we've assessed the environment include preparing a risk assessment, designing and implementing control activities to address the risk,
01:54:40
Speaker
provide information and communication to manage the risk, monitor the controls to ensure ongoing effectiveness. Risk assessment requires management to identify risk or, said another way, what could go wrong in a transaction cycle. Then management needs to assess the likelihood and significance of a risk occurring to identify those which are critical. And finally, the company develops a course of action to reduce risk to an acceptable level by performing control activities. Activities can include manual, automated, and computer-assisted controls. For example, a computer-assisted control would be having a manager review an exception report generated by the system, let's say outstanding and unmatched purchase orders, which, by the way, would be a control to address completeness and cutoff of accounts receivable. Automated controls are those that are built into an IT system. For example, if we accept reservations from guests from our website,
01:55:39
Speaker
How can we ensure the accuracy of that information? Well, our reservation system will have various controls built in to assure that the customer completes all the fields on the screen to ensure accuracy before accepting the reservation. These sorts of IT controls are called application controls, and they are designed to achieve three objectives. First, the information input into the system is correct, such as the example I just provided. Second, ensure the information is processed correctly by the system, and thirdly, ensure the outputs from the system are correct. Now, before we can safely say these application controls, such as batch controls, data entry validation, check digit controls, are effective, we need to ensure there's overall system integrity. General controls such as password protection, virus checks, firewalls are akin to entity level controls, only in the system sense,
01:56:34
Speaker
in that they are pervasive across multiple transaction cycles and across different software applications. For example, if someone has the ability to hack into the system and change the programming code, then it really doesn't matter how fancy the input, process, and output application controls are, because the overall integrity of the system would be jeopardized, because a malicious individual has the opportunity to cover their tracks.
01:56:59
Speaker
The key areas for general controls can be summarized into six categories. One, admin of IT functions. Two, we have separation of IT duties and essentially that means we don't want the people who have access to the code to have access to the transactional data. Three, we want to assure there is adequate system development and maintenance controls in place. Anytime the IT system changes for whatever reason,
01:57:24
Speaker
Controls must be in place to ensure that the data transfer is transitioned accurately to the new system and that the new system contains all the necessary controls of the old system, and a record of authorized program changes is maintained. Four, we want to ensure there's adequate operational controls and support, and these controls cover such things as physical and logical access, password protection, firewalls, virus scans, which are all very important. We don't want unauthorized users gaining access to our systems.
01:57:54
Speaker
Five, backup and recovery procedures. Six, hardware controls. General controls must be effective so we can place much reliance on the application controls. And this leaves us with only those manual controls left to meet the company's objectives. So let's look at those next. Now, manual controls fall into a number of broad categories as well. We have segregation of duties, documentation, physical controls, and independent checks. Let's look at each of these in turn.
01:58:24
Speaker
Separation of duties is one of those fundamental internal control principles, which broadly states that if we can design job positions such that one person cannot control a transaction in its entirety, then it's more likely to prevent and detect an error or a fraud from happening. Segregation can be a tricky concept to evaluate, let alone remember. But the golden rules say separate the following duties from accounting.
01:58:51
Speaker
custody of the asset, operational responsibility, system development, computer operations, reconciliation and independent checking, and segregate the authorization of transactions from custody of the assets. Let's do a little knowledge check to see these kinds of rules and principles in action before we go on. Linda maintains the accounts receivable subledger and she receives the daily cash receipts so she can update the records, okay or not, no.
01:59:19
Speaker
This is not okay as she has custody of the asset, cash, and is responsible for the accounting of the asset, accounts receivable. Steve, the comptroller, from time to time, a general journal entry is misrouted. The only way to correct the journal entry is for Steve to go into the journal entry database and to delete the journal entry. Okay or not? No, this is not okay.
01:59:47
Speaker
as Steve is now doing both the computer operations and the accounting. It's possible he could manipulate other journal entries in the database and bypass controls over posting journal entries. Do you get the idea of what segregation of duties implies? It generally means one individual does not have control of a transaction from beginning to end. Now, let's look at what is meant by adequate documentation or said another way, audit trail.
02:00:12
Speaker
This simply means there should be adequate records to establish an audit trail that can be followed for each transaction. Some principles for the proper design and use of documentation include: documents should be pre-numbered consecutively or automatically numbered to ensure everything is recorded and nothing is missed. Documents should be prepared at the time the transaction takes place to eliminate mistakes from memory lapses.
02:00:37
Speaker
Documents should be well-designed and easily understood to encourage correct preparation. Next, we have physical controls over assets and records to ensure that assets are not stolen or lost or damaged. Physical controls include such things as locks on doors and security cameras. Logical access is the electronic equivalent using log-on credentials and passwords. Protection of our electronic assets such as our files and our customer data is often just as important as protecting our tangible assets like cash, inventory, and fixed assets. And lastly, but not least, we have independent checks, which is our control activity that alleviates self-review bias. For example, the person who performs the bank reconciliation is checking to ensure that the people who have deposited the cash, prepared the checks, and accounted for the transactions have reported them correctly.
02:01:34
Speaker
The last two areas of the COSO framework are the information and communication component, which is, in essence, the ability of the accounting system to report the activity of the company in a manner that allows for management to take action. And lastly, the monitoring component ensures that the system of internal control is periodically and continuously evaluated, ensuring it operates as designed and is effective. Monitoring often falls to the internal audit department, who is independent of management and often has a direct reporting relationship to the audit committee. This has been a rather comprehensive discussion of what internal control really is. What you need to walk away from this lesson understanding is a few things. Number one, recognize that to have effective internal control at the transaction level, you first need effective controls at the entity level. Secondly, the same can be said about automated controls.
02:02:31
Speaker
Before you can rely on application controls, you need to evaluate and ensure the effectiveness of general controls, password protection, virus scans, firewalls. Thirdly, controls are established by companies to mitigate risk and control activities mitigate risk, specifically and in turn enable management to make certain assertions about various transaction cycles and balances.
02:02:58
Speaker
We've reached the end of our session on internal control. Thank you for your attention.

Limitations and Challenges of COSO

02:03:02
Speaker
We covered internal control, including internal control related to computer-based information systems and the COSO framework. To review, here are a few of the key points we covered. Remember that the best way to identify an internal control is to first identify the risk to an objective. The subsequent control mitigates risk. Effective internal control provides reasonable assurance regarding identified risk and achieving objectives.
02:03:27
Speaker
Each component and each relevant principle needs to be present and functioning. Present refers to the design of internal control. Functioning refers to the conduct of internal control. The five components should operate together in an integrated manner to effectively reduce risk to an acceptable level. COSO has five interrelated components operating along three main objectives.
02:03:51
Speaker
And 17 broad principles provide further guidance to support the three main objectives applied across the organization, starting at the entity level and running all the way down to the process functions. Raise awareness when it comes to internal control. There are limitations of COSO. Limitations result from quality and suitability of objectives, flawed human judgment in decision making.
02:04:18
Speaker
Management's consideration of the relative cost benefit in responding to risk and establishing controls. Breakdowns occur because of human failures such as simple errors or mistakes. Controls circumvented by collusion of two or more people. Management override of internal control. Finally, as we've seen, the establishment and assessment of internal control should accompany process documentation efforts. Documentation of controls is an outgrowth of the documentation of the underlying processes.
02:04:48
Speaker
Review your current controls against the related points of focus to ensure you've not missed anything. The CLE code for today's program is Albany, spelled A-L-B-A-N-Y. Again, the CLE code for today's program is Albany, spelled A-L-B-A-N-Y.

Small Business Control Strategies

02:05:06
Speaker
I will pause for just a moment to compile the audio questions. We have no audio questions. Mr. Jordan, do you have any web questions? We have about four minutes.
02:05:14
Speaker
Let me check. Okay. First question, for a small business just starting out to try and implement internal control, what are your bare minimum suggestions to begin? IT controls, HR controls, and separation of duties. Hard to design with so little staff, but trying to make doable. Sounds to me like that individual has a good handle on it. IT general controls, HR controls, hiring policies,
02:05:44
Speaker
Background checks and separation of duties where possible.

Key Players in Internal Control

02:05:48
Speaker
Next question. What would make a company see acceptance as a viable option over one of the other options?
02:06:00
Speaker
Let me come back to that. Next question. Who would be the key players when developing new controls? This would be internal audit, consulting with external auditors if they're present. At a bare minimum, it would be the controller or finance director. Next question, standardizing IT controls. How critical is this to managing the enterprise system internal controls? Absolutely critical. I would consider
02:06:41
Speaker
possibly hiring outside consultants if you don't feel qualified yourself. But IT controls are essential in today's environment. And you can refer back to the slides on general controls and application controls.
02:07:02
Speaker
Next question, records retention. What control methodologies are recommended for compliance? I would have a dedicated records room. If possible, have someone in charge of logging in and logging out any records, and then have a data destruction policy in place and destroy records appropriately after the statutory time period of seven years. This would include electronic media as well. Thank you very much for your time.
02:07:38
Speaker
It's always a lot of fun. I wish you all the best of luck.