ch 6 to 8 Flashcards
Control exercised over business from outside by owners and other stakeholders
External control
Control exercised within the business by management and overseen by the board. Includes control of activities that have been outsourced.
Internal control
Father of management theory
Fayol
Comprises a plan of organization and the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed management policies.
Internal control
Plan of organization and the procedures and records that are concerned with the safeguards of assets and reliability of financial records
Accounting control
Includes but is not limited to the plan of the organization and the procedures and records that are concerned with the decision processes leading to management’s authorization of transactions
Administrative control
Broadly defined as a process, effected by the entity’s BOD, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
Internal control
Objectives of internal control
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Control depends on each of the functions of management. What are these functions?
- Planning
- Organizing
- Directing and leading
- Staffing
- Coordinating
Operate control procedures and have valuable insights into where internal control is effective and how it might be improved.
Other personnel
All aspects of all processes that give reasonable assurance of the achievement of all of the organizational objectives
Internal control
Reasonable assurance
Much more than a sporting chance
Responsible for the policies of the organization that impact upon internal control. Responsible to oversee that management has effective internal control.
Board
Responsible to design, implement, monitor, and maintain effective systems of internal control.
Management
Five essential components of internal control
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Includes the values, ethics, culture, and commitment of the organization and its members. Provides the setting necessary for effective internal control arrangements to be established and applied
Control environment
Attitude and actions of the board and management regarding the significance of control within the organization. Provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
Control environment
Elements of control environment
- Integrity and ethical values
- Management’s philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and procedures
- Competence of personnel
Identification of threats to the organization, their assessment or measurement, and deciding how they should be responded to
Risk assessment
Reflect the required performance indicators applicable to each risk as a means of establishing the thresholds of tolerance
Objectives
Objectives may be classified in a number of ways. What are some of the ways they may be classified?
- Operations objectives
- Financial reporting objectives
- Compliance objectives
All procedures the organization operates which have a control purpose.
Control component
What are the two dimensions to control activities?
- establishment of a policy which defines what has to be done to achieve the related business objective
- a procedure required which defines the processes necessary to meet policy requirements
Lifeblood of the organization
Data
What are characteristics of good data or information?
- accurate
- complete
- secure
- authorized
To harness information efficiently, there needs to be a controlled balance between:
- data
- information
- analyses
- decisions
- actions
Provide the principal means of monitoring the effectiveness of internal control systems
Information systems
Responsible for monitoring the internal control system
The board
_______ should have defined responsibilities for ongoing or day-to-day monitoring of operations, financial performance, etc.
Line management
_________ has the potential to play a vital role in independently assessing the effectiveness of controls and reporting upon the same to the board
Internal audit function
Enumerate the 6 paradigms
Paradigm 1: COSO on Internal Control
Paradigm 2: Turnbull on Internal Control
Paradigm 3: CoCo on Internal Control
Paradigm 4: A Systems/Cybernetics Model of Internal Control
Paradigm 5: Control by Division with Supervision
Paradigm 6: Control by Category
Closely similar to the COSO internal control framework but developed in much less detail. It has a greater emphasis on risk.
UK’s Turnbull guidance
Less “mechanical” and more “behavioral” than the COSO internal control framework. Has advantages in application within organizations that are more participative and less hierarchical.
Internal control framework of the Canadian Institute of Chartered Accountants’ Criteria of Control Board (CoCo)
Internal control components of CoCo
- Purpose
- Commitment
- Capability
- Monitoring and Learning
How does CoCo define its elements?
Purpose - “what to do” objectives to be achieved
Capability - “tools to do it” information, resources, supplies, and skills
Commitment - “wanting to do it” to perform the task well over time
Monitor - “are we doing it” performance and external environment
Learn - “are we doing it” how to do the task better and changes to be made
This paradigm views the organizational process as analogous to an air conditioning system. Control system is continuously interpreting information available to it.
A systems/cybernetics model of internal control
States that the control mechanism must be designed to accommodate the variety of what is to be controlled
Ashby’s cybernetics law of requisite variety
Set of related elements with a purpose. Has three main elements: input, output, and process.
(Systems/Cybernetics)
System
Changes input into output
(Systems/Cybernetics)
Process
Parts of the elements that may change
(Systems/Cybernetics)
Variables
Part of the system within which functioning of the system takes place
(Systems/Cybernetics)
Boundary
Smaller system within a larger system
(Systems/Cybernetics)
Subsystem
What happens within a system
(Systems/Cybernetics)
Internal
Variable enters from outside the system boundary or exits to beyond the system boundary
(Systems/Cybernetics)
External
Takes place beyond the boundary
(Systems/Cybernetics)
Environment of a system
Requires a system to be more open to the environment in order to cope with rapid change
(Systems/Cybernetics)
Turbulent environment
Variable of system’s behavior which is to be monitored and controlled
(Basic elements of a control system)
Control object
Part of the system which measures (or monitors) the control object
(Basic elements of a control system)
Detector
Standard against which the actual performance of the control object is compared
(Basic elements of a control system)
Reference point
Makes the comparison and assesses whether or not it is significant
(Basic elements of a control system)
Comparator (analyzer)
Takes the decision which is intended to restore actual performance to what is desired
(Basic elements of a control system)
Activator
Basic elements of a control system (System/Cybernetics)
- Control object - temperature
- Detector - temperature gauge on the thermostat
- Reference point - 22 deg
- Comparator (analyzer) - relative temperature sensor in thermostat
- Activator - control switch in thermostat
Ensures that desired states are achieved
Control
The control part of the system invariably relies upon __________
Feedback
________ passes information forward to an activator which is then able to adjust processes which have not yet taken place in the light of the actual inputs which have been achieved from earlier processes
Feedforward
System that does not have inputs or outputs from and to the system
Closed system
System subject to uncontrolled inputs
Open system
Controls that are automated
Programmed controls
More likely to be essential when it is necessary to control inputs and outputs to and from the system
Discretionary controls
One that can adapt in order to achieve desired states
“Corrective” system
Has the flexibility to modify its processes in response to changes in the environment
“Adaptive” system
Control responses that are entirely predictable being based on predetermined system rules and functioning with no regard to environmental changes
Corrective control systems
Take control steps in response to changes in the environment and can learn from their experience
Adaptive control systems
Model of internal control based on the premise that effective control may be achieved by means of an appropriate combination of various opportunities to “divide,” together with supervision
Control by division with supervision
What are the divisions under Paradigm 5?
- Division of Duties
- Division of Fundamentally Incompatible Responsibilities
- Division of Operations
- Division of Staff
- Division of Data
- Division of Data Entry and Accounts Posting
- Division of Authority
- Division of Time
Ensure that two or more people work together on tasks where there is a risk of a lack of control
(Paradigm 5 Division)
Division of Duties
Control will be strengthened if authorization is required from someone who does not execute the task
(Paradigm 5 Division)
Division of Fundamentally Incompatible Responsibilities
Some activities conflict with each other if undertaken by the same person or group
(Paradigm 5 Division)
Division of operations
Be aware of control weaknesses that may arise when the effect of other divisions is negated because of personal relationships
(Paradigm 5 Division)
Division of staff
Modern IT databases mean that data is held once only on the IT databases, to be accessible to all users from different parts of the organization who need to access that data.
(Paradigm 5 Division)
Division of data
Consider whether control may be improved if bookkeeping activities are divided.
(Paradigm 5 Division)
Division of data entry and account postings
There are different ways in which authority to commit the organization can be allocated with varying degrees of control effectiveness
(Paradigm 5 Division)
Division of Authority
To complete a transaction promptly tends to speed up business cycle times and increase the volume of business while lowering costs.
(Paradigm 5 Division)
Division of time
A particular type of control may be appropriate in certain circumstances, and indeed more than one type of control may be needed to bear down effectively on a particular risk.
Paradigm 6: Control by category
What are the 7 categories of control?
- Preventive
- Pre-emptive
- Directive
- Performance
- Detective
- Corrective
- Investigative
Designed to limit the possibility of an undesirable outcome being realized
Preventive control
Yes/No controls that require approval before processing can proceed
Pre-emptive control
Designed to ensure that a particular outcome is achieved
Directive control
Designed to orientate and motivate the organization’s people to focus on the achievement of targets
Performance control
Post-action or post-event controls taking place after the other system’s processes have been completed and detecting unwanted consequences that have already occurred
Detective control
Designed to correct undesirable outcomes which have occurred and have been detected
Corrective control
To try to understand how the undesirable outcome occurred
Investigative control
Foundation for all other components of internal control. Sets the tone of the organization.
Control environment
Enumerate the control environment factors.
- Integrity, ethical values, and competence of entity’s people
- Philosophy and operating style
- Way management assigns authority and responsibility and organizes and develops its people
- Attention and direction provided by the BOD.
2 Control objectives for a review of the control environment
- To ensure that management conveys the message that integrity, ethical values, and commitment to competence cannot be compromised, and that employees receive and understand that message
- To ensure that management continually demonstrates by word and action, commitment to high ethical and competence standards.
Intentional, deceitful act for gain with concealment
Fraud
Theft by a person in a position of trust
Defalcation
Classifications of fraud
- management fraud
- employee fraud
- outsider fraud
- collusive fraud
Most effective antidote to fraud
Strong system of internal control in all its component parts.
Both fraud and accidental errors and losses share the characteristic of occurring in part due to breakdown in the system of internal control
What is the goal of SOX
Protect investors by improving accuracy and reliability of financial reporting and corporate disclosures.
Regulates corporate governance, risk management, auditing, and public company financial reporting with the goal of reducing accounting fraud and corporate corruption.
Who sponsored SOX?
- Senator Paul Sarbanes
- US Rep. Michael Oxley
Requires the management of US quoted companies to establish, maintain, assess and certify to an adequate internal control structure for financial reporting. Requires auditors to attest to and report on management assertions
Section 404 of SOX
Requires signing officers of a published report to certify inter alia that they have designed and evaluated internal controls over reporting.
Section 302 of SOX
Control deficiency that results in more than a remote likelihood that a misstatement of the company’s annual or interim FS that is more than inconsequential will not be prevented or detected
Significant deficiency
Deficiency in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention
Significant deficiency
A significant deficiency that results in more than a remote likelihood that a material misstatement will not be prevented or detected
Material weakness
Deficiency in internal control over financial reporting that has a reasonable possibility that a material misstatement of the company’s annual or interim FS will not be prevented or detected
Material weakness
Misstatement that is less than material yet important enough to merit attention
Significant misstatement
5 attributes of audit committee financial expert
- Understanding of:
* GAAP and FS
* internal controls and procedures for financial reporting
* audit committee functions
- Ability to assess general application of principles in connection with accounting for estimates, accruals, and reserves
- Experience
* preparing, auditing, analyzing or evaluating FS
* actively supervising one or more persons engaged in such activities
To be considered independent, the member of the audit committee must not…
- accept any consulting, advisory, or other compensatory fee
- be an affiliated person
Prohibited non-audit services
- bookkeeping
- financial info systems design and implementation
- appraisal/valuation
- actuarial
- internal audit outsourcing
- management or HR functions
- broker/dealer
- legal services & expert services unrelated to audit
Assessing effectiveness of internal control
- Ownership of IC
- IC Framework
- identify objectives
- mission critical business processes
- standardizing processes
- learn & document key processes
- identify key controls in key process
- judge key control
- design & document tests
- conduct tests
- interpret results of tests
- interpret control significance of unwanted outcomes
- conclude on effectiveness of IC
- draw overall conclusions