Chapter 8 - Understanding the Internal Controls System Flashcards
What is a system of internal controls?
It is the policies and procedures designed, implemented, and maintained by management to provide reasonable assurance that:
1. There is reliable financial information
2. Effectiveness and efficiency in operations
3. Compliance with relevant laws and regulations
What are policies
Statements of what should or should not be done in an organization in order to effect control.
What are procedures? How are procedures created?
Actions taken to implement the policies. They may be created through formally documented mandates, or they may arise from behaviours that are conditioned rather than mandated.
What are the 4 broad objectives of management implementing internal controls
- Provide strategic, high-level goals that support the mission of the entity
- Reliable financial reporting
- Efficiency and effectiveness of operations
- Compliance with laws and regulations
What does management publicly report on? What are the three levels to design and implement an effective system of control over financial reporting?
They report on the effectiveness of internal controls over the financial reporting.
- Entity
- Information technology
- Business Process.
Describe the following control parts:
1. Entity Controls
2. Information Technology
3. Business Process
Entity - Controls that have a pervasive effect on the achievement of the organization's internal control objectives, such as the governance structure
Information Technology (general controls) - Controls over the operating systems, applications, and databases that support the information systems; they form the foundation of the IT environment (for example, system access controls)
Business Process - Controls embedded within a specific key financial business process, such as payroll
What are the two key concepts that underlie managements design and implementation of controls
- Reasonable Assurance - Controls provide reasonable, not absolute, assurance that the financial statements are fairly presented; the level of assurance reflects a cost-benefit analysis and is designed to achieve a low level of control risk.
- Inherent Limitations - Even if the technology were perfect, the effectiveness of the system depends on the competence and dependability of the people using it.
What is management override?
The ability of management and / or those charged with governance to manipulate accounting records and prepare misleading and / or fraudulent financial statements by overriding internal controls, even where the controls may otherwise appear to be operating effectively.
What is collusion?
A cooperative effort among employees or management to defraud a business of cash, inventory, or other assets.
What are the responsibilities of management for public companies in Canada?
Which framework do they use?
What is COSO
What are management two parts of the assessment of internal control over financial reporting
Publicly report on the operating effectiveness of internal controls
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework
COSO is the GAAP equivalent for internal controls, the framework used to assess the effectiveness of internal controls
- Evaluate the design of internal controls over financial reporting
- Management must test the operating effectiveness of those controls
What is the auditors main responsibility in assessment of the clients internal controls? Why? Is this responsibility always necessary?
Understand, identify, and evaluate the internal controls that are relevant to the audit, in order to
identify the risk of material misstatement (RMM) at the financial statement level and at the assertion level.
Yes, this responsibility is always necessary, even when the auditor does not intend to rely on the controls, because the auditor must understand the organization's circumstances and situation.
What are relevant controls? Provide an example of a control that may not be relevant in general but may be relevant in a specific circumstance.
Controls that relate to the reliability of financial reporting, including compliance with laws and the safeguarding of assets.
Operational controls / internal management information are generally not relevant, except where the information produced is used to develop analytical procedures or is required for disclosure in the financial statements.
What are direct controls?
Controls that are precise enough to address RMM at the assertion level; they address risks to the integrity of the information.
What are indirect controls?
Controls that are not sufficiently precise to prevent, detect, or correct misstatements at the assertion level but which support direct controls and therefore, have an indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis.
What is the output of understanding internal controls? What are the three parts of internal controls and why are they important / briefly describe them
Identifying RMM at the financial statement level and assertion level.
Three parts: risk assessment, monitoring, and the control environment. They are indirect controls, though they have direct-control aspects; if they are deficient, the deficiency poses a pervasive risk to the financial statements as a whole.
How does the auditor assess RMM at the financial statement level and inherently the assertion level?
How does the auditor assess RMM at the assertion level specifically?
Through the three indirect components: risk assessment, monitoring, and the control environment.
By understanding how the information is processed (the information system) and by identifying and evaluating the controls in the control activities component.
What are control activities?
These are controls to ensure the proper application of policies in all components of internal control and can be direct or indirect
What are the five components of internal controls?
- Control environment
- Risk Assessment
- Control Activities
- Monitoring
- Information and communication
What is the control environment?
The actions, policies, and procedures set by management and those charged with governance that establish the overall tone toward control. It has a pervasive effect on how risks are identified and how good controls are implemented, and it provides the foundation for all other components.
Describe how the control environment works?
If management and those charged with governance visibly care about controls, policies, and procedures, then others will follow their lead and also care, improving the control environment. If management ignores them, then the staff will likely ignore them too.
Describe integrity and ethical values - Control environment
The ethical values demonstrated by the tone of management and the board of directors provide signals to the employees of what is most important.
There should be a clear code of conduct and ethics to describe the position of the firm to the employees and to outsiders.
There should be processes to evaluate performance of individuals and teams, in addition to addressing deviations in a timely manner.
Describe the board of directors - Control environment
Board members have appropriate background and expertise, are independent, and scrutinize management's behaviour.
North American exchanges require an audit committee whose members are financially literate and independent.
What is the role of the audit committee?
- Consider the potential for management override of internal controls
- Oversee management fraud risk assessment process and anti fraud programs and controls
- Maintain ongoing communications with both internal and external auditors.
- Approves audit and non audit services
- Safeguards to the potential threats to auditors independence
Describe the structure, authority, and responsibility
The entity has an organizational structure appropriate to its size and operating activities, with clearly defined lines of responsibility and authority.
Describe commitment to competence?
If employees are competent and trustworthy, then other controls can be absent and reliable financial statements can still result. Relevant HR standards for hiring, training, motivating, evaluating, promoting, compensating, transferring, and terminating employees are indicators of this principle.
We also assess whether the firm provides sufficient accounting and financial personnel to keep pace with complexity of the business.
Describe accountability
A firm should have a structure and a tone that establish and enforce individual accountability for internal control, supported by rewards, incentives, and performance measures.
What is risk assessment?
It is the process of identifying and analyzing the risks that could prevent the firm from reaching its objectives, and their impact on financial statements prepared in accordance with GAAP.
What are the four underlying principles to risk assessment?
- Have clear objectives in order to identify and assess the risks relating to its objectives.
- Determine how the risks should be managed
- Consider the potential for fraudulent behaviour within the organization
- Monitor changes that could impact internal control.
How do we ensure that organizations meet its objective of reliable external financial reporting?
Management should consider whether the reporting objectives are consistent with the relevant financial reporting framework and appropriate to the circumstances, consider both internal and external risks, and involve the levels of management with the necessary expertise.
What are control features that could reduce fraud risks?
- Management and board promotion of a culture of honesty and high ethics.
- Audit committee oversight of management and internal auditors
- Specific management responsibilities for managing risks and fraud
- An articulated and effective fraud risk management process
- Effective general and application control activities that address specific fraud risks, such as segregation of duties
What is the impact of change on risk
Management should have processes that identify and evaluate changes in the external and internal environment that could affect the system of control. New business models or frameworks may render existing controls ineffective, so reassessment is required.
What is monitoring?
Monitoring is the process of assessing whether the controls have worked, refining and improving them as necessary, and ensuring any issues are identified, reported, and fixed.
What is the frequency of monitoring? What is the role of internal audit functions? How do they know when to make adjustments to the system?
Monitoring should combine real-time, ongoing monitoring with periodic separate evaluations. The internal audit function is essential to monitoring internal controls and often performs the periodic reviews. The need for adjustments is identified through studies of internal controls, exceptions noted, and internal audit reports.
Describe evaluation and communication of deficiencies - Monitoring
Reported in a timely manner to those responsible for corrective action, and the internal control assessed and fixed within a short time frame.
What is the purpose of the accounting information system and communication?
- To initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets. It includes both the business processes and the accounting system (accounting software, spreadsheets, etc.)
What are the 4 parts of the accounting information system. Briefly describe them
- Inputs - Transactions, events, conditions
- Business process - Initiate, record, process, and report transactions; resolve errors; process overrides
- Accounting system - Transfer information from transaction processing (TP) to the general ledger (GL); capture information that is not transaction based; accumulate, record, process, and summarize information to be disclosed in the financial statements; post standard and other journal entries
- Outputs - Financial statements
What items should controls be developed and implemented for?
- Completeness and accuracy of data
- Capture of data at the necessary frequency
- Provision of information when needed
- Protection of sensitive data
- Retention of data to comply with the relevant business, audit, and regulatory needs.
What is effective internal and external communication?
Internally:
- Training and orientation for employees starting a new position, covering the nature of the position's responsibilities
- A whistleblowing channel so that employees feel safe reporting, anonymously, conduct they consider unethical, with management acting on the reports
Externally:
- Processes to communicate information to external parties in a relevant and timely manner
- A two-way process that tracks communications with customers, vendors, regulators, and other relevant stakeholders
What are control activities?
The policies and procedures that allow the organization to reach its operational and financial reporting goals. They ensure the proper application of policies in all the other components of the entity's system of internal control.
What are manual controls? Are they effective?
Application controls performed by people. They are effective only if the people are competent and exercise care.
What are automated controls? Are they effective
Application controls performed by computers. They operate on data within the IT application and have embedded checks on data validity, accuracy, and completeness. If properly designed, they are effective.
What are 3 ways to assess whether the risks have been addressed?
- Whether the relevant business processes, IT systems, and locations have the control activities they need
- Whether control activities exist over the integrity of information sent to and received from outsourced service providers
- Whether the controls performed by outsourced service providers are adequate
What are the focused controls for control activities in the auditors identification and evaluation?
Processing controls for specific business processes, like processing sales or cash. It should be a combination of preventive and detective controls.
What are preventive controls?
What are detective controls?
Which one is more effective?
They are designed to stop errors or fraud from occurring.
They identify errors or irregularities after they have occurred so that corrective actions can be taken.
Preventive controls are more effective.
What are the three types of preventive/detective controls?
- Input controls - Ensure completeness, accuracy, and validity of the reference data in the processing
- Processing - Prevent and detect errors while transactions are being processed.
- Output - Focus on detecting errors after processing
What is a business process/application system?
It is a structured set of activities designed to produce specific output.
What are 5 controls for business processes?
- Proper authorization and approval
- Adequate documents and records.
- Physical and logical control over assets and records
- Segregation of duties
- Independent checks
What is general authorization?
What is specific authorization?
What is authorization?
Policies set by management that allow subordinates or an automated process to approve all transactions of a given kind within the limits set by the policy.
Policies set by management that require subordinates (or an automated process) to approve specific individual transactions, case by case, within the limits set by the policy.
Affirming that a transaction is valid.
What are 4 principles of adequate documents and records? Why is each one important
- Prenumbered, or automatically numbered consecutively - Help to control missing records and aid in locating records when they are needed at a later date.
- Prepared at the time a transaction takes place, or as soon as possible thereafter. Minimize cutoff errors.
- Designed for multiple uses, when possible, to minimize the number of different forms - Minimizes input errors and increases efficiency.
- Designed to encourage correct preparation - Minimizes input errors, done by providing internal checks
What is a chart of accounts? Why is it useful?
Classifies transactions into individual balance sheet and income statement accounts. It prevents classification errors if it accurately describes which type of transaction should be in each account.
What are physical / logical controls?
The most important protective measure for safeguarding physical assets and records is physical or logical access control: physical controls (locks, badges, secured areas) protect assets and equipment, while logical controls (user IDs, passwords, access rights) protect the records and data held in IT systems.
What is the segregation of duties?
The assignment of the various steps in a process to different people. It reduces the opportunity for one person to be in a position to perpetrate and conceal fraud.
What is the main principle of the segregation of duties?
Split the duties among different people so that:
1. One person has custody of the physical asset
2. Another person records it
3. A third person authorizes its acquisition or disposal
What are the 4 types of segregation of duties to prevent fraud? What do they prevent?
- Separate custody of assets from accounting for them - Prevents theft
- Separate authorization of transactions from custody of related assets - Prevents embezzlement
- Separate operational responsibility from record keeping - Prevent biased estimates and / or fraudulent financial reporting
- Separate reconciliation from data entry. - Prevent theft and fraud
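The four separations above are usually enforced through role assignments in an ERP or identity system, and a practitioner wants both a detective scan of existing assignments and a preventive check before a new role is granted. The following is an added example and not code from the flashcards or any product; the role names, the role-to-duty mapping, and the user assignments are hypothetical, constructed for illustration:

```python
"""Segregation-of-duties check over role assignments.

Users receive duties through roles. INCOMPATIBLE lists the duty pairs the
flashcards say must be split between people; a user who holds both halves of a
pair is flagged. Roles, users, and the role-to-duty mapping are constructed
sample data, not taken from any real system.
"""
from itertools import combinations

# Duty pairs that must not rest with one person, and the exposure each pairing creates.
INCOMPATIBLE = {
    frozenset({"custody", "recording"}): "theft concealed by adjusting the records",
    frozenset({"authorization", "custody"}): "embezzlement",
    frozenset({"operations", "recording"}): "biased estimates or fraudulent reporting",
    frozenset({"data_entry", "reconciliation"}): "theft or fraud hidden in the reconciliation",
}

# Assumed role -> duties mapping (hypothetical role names).
ROLE_DUTIES = {
    "ap_clerk": {"data_entry", "recording"},
    "ap_manager": {"authorization"},
    "cashier": {"custody"},
    "gl_accountant": {"reconciliation"},
    "warehouse": {"custody", "operations"},
}

# Assumed user -> roles assignment (constructed).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager", "cashier"},        # authorizes payments and handles the cash
    "carol": {"ap_clerk", "gl_accountant"},  # keys invoices and reconciles the ledger
    "dave": {"gl_accountant"},
}


def duties_for(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Flatten a user's roles into the set of duties those roles grant."""
    return set().union(*(role_duties.get(r, set()) for r in user_roles.get(user, ())))


def sod_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Detective control: scan every user and return {user: [(duty_a, duty_b, exposure), ...]}."""
    findings = {}
    for user in user_roles:
        duties = duties_for(user, user_roles, role_duties)
        for a, b in combinations(sorted(duties), 2):
            exposure = INCOMPATIBLE.get(frozenset({a, b}))
            if exposure:
                findings.setdefault(user, []).append((a, b, exposure))
    return findings


def can_assign(user, role, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Preventive control: refuse a role grant that would create an incompatible pairing."""
    duties = duties_for(user, user_roles, role_duties) | role_duties.get(role, set())
    return not any(frozenset({a, b}) in INCOMPATIBLE
                   for a, b in combinations(sorted(duties), 2))


if __name__ == "__main__":
    for user, findings in sod_conflicts().items():
        for a, b, exposure in findings:
            print(f"{user}: holds both {a} and {b} -> exposure: {exposure}")
    print("alice may take cashier role:", can_assign("alice", "cashier"))
    print("dave may take ap_manager role:", can_assign("dave", "ap_manager"))
```

Running the scan flags bob (authorization plus custody) and carol (data entry plus reconciliation), while the preventive check refuses to give alice, who already records transactions, the cashier role that carries custody. In a small entity where the conflict cannot be removed (see the small-business card at the end), the detective finding is what justifies a compensating owner review.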
What are verifications? What assertions does verification confirm?
Compare two or more items with each other, compare a follow-up action to the original action, or compare an item to a policy; investigate when the items do not match or the item is not consistent with policy.
Verification confirms the completeness and accuracy assertions.
What is a vital step if it is a manual review?
Internal verification procedures should be performed by someone independent of the individual who prepared the original data.
What is a performance review?
Important means of highlighting unexpected variations that should be investigated and if necessary, corrected. It relates different sets of data.
What are general controls?
Controls that apply to all aspects of the IT function, including access controls, system change controls, and IT operations management. They are tailored to the systems in use.
What are application controls?
Apply to business process level and apply to the processing transactions, such as controls over the processing of sales or cash receipts
What are the implications of IT controls being different across classes of transactions and accounts / related disclosures?
The auditor must evaluate the application controls for each class of transactions or account for which the auditor plans to reduce assessed control risk. Application controls are generally effective only if the general controls are effective.
What are the three general controls for IT
- Access management - Physical access to hardware is restricted; user IDs and passwords limit access to software and data files
- System development and change - Teams of users, programmers, analysts develop and thoroughly test software
- IT operations management - Written backup plans are prepared
What is cybersecurity?
The information technology and internal control processes an organization has in place to protect computers, networks, programs, and data from unauthorized access.
What are physical controls
These are controls such as badges to enter a building, keypads, security gates, etc. They are physical controls over the computer equipment
What are online access controls?
These are controls such as user IDs, passwords, and multi-factor authentication (MFA) that reduce the likelihood of unauthorized changes to software applications and data files.
What are the three parts of the systems development and change and development management?
- Software is developed in house or purchased externally according to the organization's needs. The firm involves both IT and non-IT key users, ensuring all information requirements are accounted for and concerns are addressed.
- Test the software to ensure it is compatible with existing hardware and software and can handle the expected volume of transactions.
- Proper documentation, with testing done in non-production environments and approved by independent individuals
What is pilot testing
What is parallel testing?
A new system is implemented in one part of the organization while another location continues to rely on the old system
The old and new systems operate simultaneously in all locations. This is costly, therefore rarely used except where the cost of an error is sufficiently large to justify the cost of testing.
What are the different parts of the IT operations management?
- Managing data and systems backup
- Interfacing between programs
- Management of data security.
What are hardware controls?
Built into computer equipment by manufacturers to detect and report equipment failures.
What are backups?
What are disaster recovery plans?
- Copies of systems and data that can be used to bring failed systems back online
- DRP planning for potential IT disruptions. The purpose of the DRP is to enable the business to continue operations in the event of a failure of information systems.
What are typical controls for input manual systems - Application controls?
- Managements authorization of transactions
- Adequate preparation of input source documents
- Competent personnel.
What are typical controls for input automatic systems - Application Controls?
- Adequately designed input screens with preformatted prompts.
- Pull down menu lists
- Computer validation tests
- Online input controls, where customers and suppliers enter their own transactions
- Immediate error correction procedures
- Accumulation of errors in an error file
What is financial total
Summary total of field amounts for all records in a batch that represent a meaningful total, such as dollar amounts.
What is hash total
Summary total of codes from all records in a batch (for example, the sum of account numbers) that does not represent a meaningful amount but detects missing, duplicated, or altered records.
What is record count
Summary total of physical records in a batch.
What is validation testing?
What is sequence testing?
- Ensures that a particular type of transaction is appropriate for processing
- Determines that data submitted for processing are in the correct order
What is arithmetic accuracy test?
What is data reasonableness test?
- Checks the arithmetic accuracy of processed data (for example, that quantity times unit price equals the line amount)
- Determines whether data exceed prespecified amounts
What is completeness test
Determines that every field in a record has been completed.
What is the most important type of output control
What are the 4 common controls for output?
- The most important output control is the review of data for reasonableness by someone knowledgeable with the output
- Reconcile computer produced output to manual controls total
- Compare the number of units processed to the number of units submitted for processing
- Compare a sample of transaction output to input source documents.
- Verify dates and times of processing to identify any out of sequence processing.
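The batch totals, validation tests, and output reconciliation from the last several cards fit together in one processing routine: the preparer submits a batch with its control totals, the program recomputes them, runs the per-record tests, and only accepts the batch when both agree. The following is an added example, not code from the flashcards or from any accounting package; the record layout, the field names, the per-line reasonableness limit, and the sample batch are all constructed for illustration:

```python
"""Batch input, processing, and output controls over a constructed sales batch.

Control totals (record count, financial total, hash total) are recomputed and
reconciled against the totals the preparer wrote on the batch header. Each
record is run through the validation, sequence, arithmetic accuracy,
reasonableness, and completeness tests. Sample data and limits are assumed.
"""
from decimal import Decimal

VALID_TYPES = {"SALE", "CREDIT"}         # validation test: transaction types this batch may contain
REASONABLE_LIMIT = Decimal("10000.00")   # reasonableness test: assumed per-line ceiling
REQUIRED = ("seq", "type", "account", "qty", "unit_price", "amount")


def control_totals(records):
    """Record count, financial total (sum of amounts), hash total (sum of account codes)."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def validate_record(rec, prev_seq):
    """Return the list of test failures for one record; empty list means it passed."""
    errors = []
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        errors.append(f"completeness: missing field(s) {missing}")
        return errors  # the remaining tests need the missing fields
    if rec["type"] not in VALID_TYPES:
        errors.append(f"validation: type {rec['type']!r} not allowed")
    if prev_seq is not None and rec["seq"] != prev_seq + 1:
        errors.append(f"sequence: expected {prev_seq + 1}, got {rec['seq']}")
    expected = Decimal(rec["qty"]) * Decimal(rec["unit_price"])
    if expected != Decimal(rec["amount"]):
        errors.append(f"arithmetic: qty * unit_price = {expected}, amount = {rec['amount']}")
    if abs(Decimal(rec["amount"])) > REASONABLE_LIMIT:
        errors.append(f"reasonableness: {rec['amount']} exceeds {REASONABLE_LIMIT}")
    return errors


def process_batch(records, header):
    """Run the per-record tests, then reconcile computed totals to the header (output control)."""
    errors, prev = {}, None
    for rec in records:
        errs = validate_record(rec, prev)
        if errs:
            errors[rec.get("seq")] = errs
        prev = rec.get("seq", prev)
    totals = control_totals(records)
    mismatches = {k: (header[k], totals[k]) for k in header if header[k] != totals[k]}
    return {
        "totals": totals,
        "errors": errors,           # error file: accumulated per-record failures
        "mismatches": mismatches,   # header total vs. recomputed total
        "accepted": not errors and not mismatches,
    }


# Constructed sample batch: one oversized amount, one sequence gap with a bad
# extension, and one record with an empty transaction type.
SAMPLE_RECORDS = [
    {"seq": 1, "type": "SALE", "account": "4010", "qty": "3", "unit_price": "25.00", "amount": "75.00"},
    {"seq": 2, "type": "SALE", "account": "4010", "qty": "1", "unit_price": "12000.00", "amount": "12000.00"},
    {"seq": 4, "type": "CREDIT", "account": "4020", "qty": "2", "unit_price": "10.00", "amount": "21.00"},
    {"seq": 5, "type": "", "account": "4010", "qty": "1", "unit_price": "5.00", "amount": "5.00"},
]
# Preparer's header: count and dollars agree, but the hash total was miskeyed.
SAMPLE_HEADER = {"record_count": 4, "financial_total": Decimal("12101.00"), "hash_total": 16040}

if __name__ == "__main__":
    result = process_batch(SAMPLE_RECORDS, SAMPLE_HEADER)
    print("accepted:", result["accepted"])
    for seq, errs in result["errors"].items():
        print(f"record {seq}: " + "; ".join(errs))
    for name, (submitted, computed) in result["mismatches"].items():
        print(f"{name}: header {submitted} vs computed {computed}")
```

The hash total catches what the financial total cannot: here the dollars reconcile, but the sum of account codes does not, which is exactly the kind of miskeyed or substituted account a reviewer comparing output to source documents is looking for. Amounts are handled as Decimal rather than float so that the arithmetic accuracy test compares exact currency values.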
Describe the organization of the IT function.
- As IT systems become more complex, the separation of authorization, record keeping, and custody often becomes blurred, so the IT-related functions themselves are separated:
- IT Management - Oversight of the IT function, ensuring activities are carried out consistently with the IT plan
- Systems Development - Designs application systems and coordinates the development, acquisition, and changes to IT systems, working with the primary users outside IT
- Operations - Day-to-day operation of the computers, following the schedule established by the CIO, and watching for inefficiencies and malfunctions
- Data Control - Independently assesses the quality of input and the reasonableness of output. Databases store information shared by accounting and other functions.
What are benefits of using technology for internal controls?
- Consistently applies predefined business rules and performs complex calculations in processing large volumes of data
- Enhances the timeliness, availability, and accuracy of the information
- Facilitates the additional analysis of information
- Enhances the ability to monitor performance as well as policies and procedures.
- Reduces the risk that controls can be circumvented
- Enhances the ability to achieve effective segregation of duties through security controls in IT, applications, databases, and operating systems.
What are risks of using technology for internal controls? - Part 1
- Reliance on systems or programs that are inaccurately processing data, inaccurate data, or both
- Failure to make necessary changes or appropriate changes to systems or programs
- Potential loss of data or inability to access data as required.
What are risks of using technology for internal controls? - Part 2
- Unauthorized or erroneous changes to data in master files
- Unauthorized changes to systems of programs
- Inappropriate manual intervention
- Risks introduced when using 3rd party services
- Cybersecurity risks
What are risks of using technology for internal controls? - Part 3
- Possibility of IT personnel gaining access privileges beyond necessary
- Multiple users with access to a common database could destroy or manipulate data.
What are the 4 components of the IT System? Why does the auditor care about these aspects?
- IT Infrastructure - Servers, network, internet
- Personal Computing - Use of cellphones and laptops
- Outsourced IT - Cloud based solutions
- IT governance - How IT is managed
It allows them to get a better understanding of the entity.
What are the 3 factors that make IT systems complex?
- Type of IT applications and data management systems
- The complexity of the infrastructure
- Degree to which the organization relies on third parties for outsourcing
Describe the type of IT application
Applications purchased from outside vendors tend to have fewer programming errors and to be more reliable.
Complex applications developed internally are more likely to contain errors and bugs.
What are database management systems?
Allows clients to create databases that include information that can be shared across multiple applications. Many applications share files, rather than each application having its own file.
What is Enterprise Resource Planning (ERP)
Integrate numerous aspects of an organizations activities into one accounting system. Share data across accounting and non accounting functions
What are Virtual Private Networks (VPN’s)
Encrypted connection over the internet from a device to a network.
What are virtual desktops?
Preconfigured images of operating systems and applications. Users reach them from a laptop or other device and are granted access rights to them.
What are Local Area Networks (LANs)?
Link equipment within a single building or a small cluster of buildings and are used only within the company. They transfer data and programs between computers and workstations using network system software.
What are wide area networks?
Link equipment in large geographic regions, including global operations.
What are encryption techniques?
Protect the security of electronic communication both while information is transmitted and while it is stored. Encryption transforms the data into unreadable ciphertext; the receiver or user must hold the decryption key (and software) to recover the message or data.
What is public key (asymmetric) encryption?
An encryption technique in which one key (the public key) is used to encrypt the message and a different, mathematically related key (the private key) is used to decrypt it. The public key can be distributed to all approved users of the e-commerce system; the private key is kept secret by its owner, so only the party with authority to read the messages can decrypt them. The same key pair works in reverse for signing: a signature created with the private key can be checked by anyone holding the public key.
What are digital signatures? Who gives it? What does it consist of? What does it have to provide authenticity
A digital signature is a value computed over a message with the signer's private key; anyone with the signer's public key can verify that the message came from the holder of that private key and was not altered. Digital certificates are the electronic credentials used to authenticate the identity of individuals and companies conducting business electronically, by binding a name to a public key.
Certificates are issued by certification authorities (CAs). A certificate contains the holder's name, the holder's public key, the issuing certification authority, and the certificate's expiry date.
To provide authenticity, the certificate is itself signed with the certification authority's private key, and the signer's private key must remain under the sole control of the authorized holder.
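To make the relationship between the public key, the private key, the signature, and the certificate concrete, the following is an added example and not code from the flashcards or any real certification authority. It uses textbook RSA with small, well-known Mersenne primes, no padding, and a hash reduced modulo n, all of which are toy choices that make the arithmetic visible but are not secure; the CA name, the holder name, and the dates are assumed. Python 3.8 or later is required for pow(e, -1, phi).

```python
"""Public-key encryption, digital signatures, and certificates with toy RSA.

Keys are built from known Mersenne primes (2^31-1, 2^61-1, 2^89-1, 2^127-1).
Moduli this small are breakable and there is no padding: the point is to show
which key does what, not to produce a usable cryptosystem. Names and dates are
constructed sample data.
"""
import hashlib
import json


def keypair(p, q, e=65537):
    """Return ((n, e) public, (n, d) private) for primes p and q; e must be coprime to phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def encrypt(pub, msg: bytes) -> int:
    """Anyone with the public key can encrypt; the message must be smaller than n."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(priv, c: int) -> bytes:
    """Only the private key holder can decrypt."""
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data: bytes, n: int) -> int:
    # SHA-256 reduced mod n so it fits the toy modulus; real schemes pad instead (PSS, PKCS#1).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """Signing uses the private key over a hash of the data."""
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """Verification uses the public key: recover the hash from the signature and compare."""
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def _tbs(cert: dict) -> bytes:
    """Canonical 'to-be-signed' bytes: every certificate field except the CA's signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()


def issue_certificate(ca_priv, ca_name, holder, holder_pub, expires):
    """The CA binds the holder's name to the holder's public key and signs the binding."""
    cert = {"holder": holder, "public_key": list(holder_pub), "issuer": ca_name, "expires": expires}
    cert["signature"] = sign(ca_priv, _tbs(cert))
    return cert


def verify_certificate(cert, ca_pub, today) -> bool:
    """A certificate is trusted only if it is unexpired and the CA's signature over it checks out."""
    return today <= cert["expires"] and verify(ca_pub, _tbs(cert), cert["signature"])


# Assumed parties: a certification authority and one certificate holder.
CA_PUB, CA_PRIV = keypair(2**89 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = keypair(2**31 - 1, 2**61 - 1)
ALICE_CERT = issue_certificate(CA_PRIV, "Example CA", "Alice (AP Manager)", ALICE_PUB, "2026-12-31")


def signed_message_is_authentic(cert, message: bytes, sig: int, today="2025-06-01") -> bool:
    """Full check a relying party performs: chain the cert to the CA, then verify the signature."""
    if not verify_certificate(cert, CA_PUB, today):
        return False
    return verify(tuple(cert["public_key"]), message, sig)


if __name__ == "__main__":
    c = encrypt(ALICE_PUB, b"PO#4471 OK")
    print("decrypted:", decrypt(ALICE_PRIV, c))
    sig = sign(ALICE_PRIV, b"approve PO#4471")
    print("authentic:", signed_message_is_authentic(ALICE_CERT, b"approve PO#4471", sig))
    print("altered message:", signed_message_is_authentic(ALICE_CERT, b"approve PO#9999", sig))
```

Two failure modes worth noting: a certificate whose holder name is edited after issuance no longer verifies against the CA's public key, because the signature covered the original binding, and a signature over an approval message no longer verifies once the message text changes, which is what gives the approval its integrity.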
What is a firewall?
A system of hardware and software that monitors and controls the flow of network communications by channeling all connections through controls that verify external users, grant access to authorized users, deny access to unauthorized users, and direct authorized users to the programs or data they request.
What are the 4 characteristics of a firewall?
- Hides the structure of the network
- Provides an audit trail of communication with public parties
- Generates alarms when suspicious activity is detected
- Defend itself and / or the organization against attacks.
What are service centers?
An organization that provides IT service for companies on an outsourcing basis.
What are application service providers?
Third party entities that manage and supply software applications or software related services to customers through the internet.
What are cloud computing environments?
A computing resource deployment and procurement model that lets an organization obtain IT resources and applications from a service centre shared with other organizations, from any location, via an internet connection. The resources may be on site or elsewhere.
What is the best control for a small business?
- The knowledge and concern of the top operating person, the owner-manager. Close relationships with staff allow the owner to assess their competence and trustworthiness.
- Monitoring the budget against actual revenues and expenses.
- Where segregation of duties is limited, the owner's direct involvement compensates: signing cheques, reviewing records, preparing or reviewing bank reconciliations, examining accounts receivable, approving credit, etc.