No Slide Title

Chapter9-1

Chapter 9:Introduction to Internal Control Systems

Introduction

1992 COSO Report

Updates on Risk Assessment

Examples of Control Activities

Update on Monitoring

2011 COBIT, Version 5

Types of Controls

Evaluating Controls

Chapter9-2

Definition

Policies, plans, and procedures

Implemented to protect a firms assets

People Involved

Board of directors

Management

Other key personnel

Internal Control Systems

Chapter9-3

Provides reasonable assurance

Effectiveness and efficiency of operations

Reliability of financial reporting

Protection of Assets

Compliance with applicable laws and regulations

Important Guidance

Statement on Auditing Standard No. 94

Sarbanes-Oxley Act of 2002

Internal Control Systems

Chapter9-4

Internal Control SystemObjectives

Safeguard assets

Check the accuracy and reliability ofaccounting data

Promote operational efficiency

Enforce prescribed managerial policies

Chapter9-5

Study Break #1

This term describes the policies, plans, and proceduresimplemented by a firm to protect the assets of theorganization.

A. Internal control

B. SAS No. 94

C. Risk assessment

D. Monitoring

Chapter9-6

Study Break #1 - Answer

This term describes the policies, plans, and proceduresimplemented by a firm to protect the assets of theorganization.

A. Internal control

B. SAS No. 94

C. Risk assessment

D. Monitoring

Chapter9-7

Study Break #2

Which of the following is not one of the four objectives of aninternal control system?

A. Safeguard assets

B. Promote firm profitability

C. Promote operational efficiency

D. Encourage employees to follow managerial policies

Chapter9-8

Study Break #2 - Answer

Which of the following is not one of the four objectives of aninternal control system?

A. Safeguard assets

B. Promote firm profitability

C. Promote operational efficiency

D. Encourage employees to follow managerial policies

Chapter9-9

Background Informationon Internal Controls

Chapter9-10

Background Informationon Internal Controls

Chapter9-11

Background Informationon Internal Controls

Chapter9-12

1992 COSO Report

Defines internal control and components

Presents criteria to evaluate internal controlsystems

Provides guidance for public reporting oninternal controls

Offers materials to evaluate an internal controlsystem

Chapter9-13

Control Environment

Management’s oversight , integrity, and ethicalprinciples

Attention and direction by board of directors

Management’s philosophy and operating style

Method of assigning authority and responsibility

Method of organizing and developing employees

Components of InternalControl – COSO 1992

Chapter9-14

Risk Assessment

Identify organizational risks

Analyze potential of risks (cost and occurrence)

Cost-benefit analysis

Control Activities

Policies and procedures

Manual and automated

Components of InternalControl – COSO 1992

Chapter9-15

Information and Communication

Inform employees

Roles and responsibilities

Importance of good working relationships

Monitoring

Evaluation of internal controls

Initiate corrective action when necessary

Components of InternalControl – COSO 1992

Chapter9-16

2004 COSO Enterprise RiskManagement Framework

Emphasizes enterprise risk management

Includes COSO (1992) control components

Three new components

Objective setting

Event identification

Risk response

Chapter9-17

2004 COSO Enterprise RiskManagement Framework

Chapter9-18

Objective Setting

Strategic – high level goals and mission

Operations – day-to-day efficiency, performance,and profitability

Reporting – internal and external

Compliance – laws and regulations

Components of InternalControl – COSO 2004

Chapter9-19

Event Identification and Risk Response

Identify threats

Analyze risks

Implement cost-effective countermeasures

Additional considerations

Risk tolerance

Cost-benefit trade-offs

Components of InternalControl – COSO 2004

Chapter9-20

Risk AssessmentWorksheet

Chapter9-21

Commissioned survey called Enterprise RiskManagement Initiative

Survey targeted utilization of COSO ERMFramework

Theoretically sound

65% fairly or very familiar with framework

Board had not assigned risk oversight in over half oforganizations

State of ERM is relatively immature

COSO’s 2010 Report on ERM

Chapter9-22

Study Break #3

An internal control system should consist of five components.Which of the following is not one of those five components?

A. The control environment

B. Risk assessment

C. Monitoring

D. Performance evaluation

Chapter9-23

Study Break #3 - Answer

An internal control system should consist of five components.Which of the following is not one of those five components?

A. The control environment

B. Risk assessment

C. Monitoring

D. Performance evaluation

Chapter9-24

Study Break #4

Which of the following is not one of the three additionalcomponents that was added in the 2004 COSO Report?

A. Objective setting

B. Risk assessment

C. Event identification

D. Risk response

Chapter9-25

Study Break #4 - Answer

Which of the following is not one of the three additionalcomponents that was added in the 2004 COSO Report?

A. Objective setting

B. Risk assessment

C. Event identification

D. Risk response

Chapter9-26

Examples of Control Activities

Good Audit Trail

Sound Personnel Policies and Practices

Separation of Duties

Physical Protection of Assets

Reviews of Operating Performance

Chapter9-27

Good Audit Trail

Use of Audit Trail

Follow path of data recorded in transaction

Initial source documents to final disposition ofdata

Data on reports back to source documents

Purpose of Audit Trail

Verify accuracy of recorded transactions

Detect errors and irregularities

Chapter9-28

Sound Personnel Policies

Chapter9-29

Separation of Duties

Purpose

Structure of work assignments

One employee’s work checks the work of another

Separate Related Activities

Authorizing transactions

Recording transactions

Maintaining custody of assets

Chapter9-30

Physical Protection ofAssets

Inventory Controls

Stored in safe location with limited access

Utilization of Receiving Report

Document Controls

Protecting valuable organizational documents

Corporate charter, major contracts, blankchecks, and SEC registration statements

Chapter9-31

Receiving Report

Chapter9-32

Physical Protection ofAssets

Cash Control

Most susceptible to theft and human error

Fidelity bond coverage

Use checks for cash disbursements

Deposit the daily cash receipts intact

Chapter9-33

Disbursement Voucher

Chapter9-34

Reviews of OperatingPerformance

Internal Audit Function

Reports to Audit Committee of Board of Directors

Independent of other subsystems

Enhances objectivity

Duties of Internal Auditors

Operational audits

Regular reviews of internal control systems

Chapter9-35

Study Break #5

Separation of duties is an important control activity. Ifpossible, managers should assign which of the followingthree functions to different employees?

A. Analysis, authorizing, transactions

B. Custody, monitoring, detecting

C. Recording, authorizing, custody

D. Analysis, recording, transactions

Chapter9-36

Study Break #5 - Answer

Separation of duties is an important control activity. Ifpossible, managers should assign which of the followingthree functions to different employees?

A. Analysis, authorizing, transactions

B. Custody, monitoring, detecting

C. Recording, authorizing, custody

D. Analysis, recording, transactions

Chapter9-37

2009 COSO Monitoring Guidance Report

Update on Monitoring

Chapter9-38

Control Objectives for Information andrelated Technology (COBIT)

Strategic alignment

Realization of expected benefits of IT

Continual assessment of IT investment

Determine risk appetite

Measure and assess performance of IT resources

2011 COBIT, Version 5

Chapter9-39

COBIT and Val IT Integration

Chapter9-40

Types of Controls

Preventive Controls

Prevent problems from occurring

Detective Controls

Alert managers when preventive controls fail

Corrective controls

Solve or correct a problem

Chapter9-41

Evaluating Controls

Requirements of Sarbanes-Oxley Act

Statement of management responsibility forinternal control structure

Assessment of effectiveness of internal controlstructure

Attestation of auditor on accuracy ofmanagement’s assessment

Chapter9-42

Cost-Benefit Analysis

Chapter9-43

A Risk Matrix

Chapter9-44

Reproduction or translation of this work beyond that permitted in

Section 117 of the 1976 United States Copyright Act without the

express written permission of the copyright owner is unlawful.

Request for further information should be addressed to the

Permissions Department, John Wiley & Sons, Inc. The purchasermay make backup copies for his/her own use only and not for distributionor resale. The Publisher assumes no responsibility for errors, omissions,or damages, caused by the use of these programs or from the use of theinformation contained herein.

Chapter9-45

Chapter 9