Section D - Internal Controls
Section D comprises 15% of the CMA Part 1 Exam. This section is composed of three parts: Risk Assessment, Controls and Risk Management; Internal Auditing; and Systems Controls and Security Measures.

Internal control examines all of the controls that the company has set up and put in place to help achieve its objectives. We often think of internal controls as trying to prevent something from going wrong, but they are really set up to assist the organization in the achievement of its objectives. It is important to be very familiar with the objectives of internal control. Other important topics are the major internal control provisions of the Sarbanes-Oxley Act of 2002 in Sections 302 and 404 of the Act and the role of the PCAOB (Public Company Accounting Oversight Board), which was established by the Sarbanes-Oxley Act.

Two of the main elements of internal control that you need to understand are the segregation of duties and the elements that make up the components of internal control. It is important to know these topics, and the other internal control topics, not only from an academic standpoint (definitions and lists, for example) but also from a practical application standpoint. The answers to the application-related questions can be very difficult because it may seem that all of the choices are good controls or that none of the duties are ones that can be performed by the same person. However, when you face these questions, don't spend too much time thinking about any particular one, because each has the same value, and therefore there is no benefit to figuring out a hard question versus answering a simple one.

There are also a lot of questions from past exams that have covered specific situations relating to internal control, internal audit, and systems control. These items are not covered in specifics in this textbook because of the vast scope of potential topics that would need to be covered.
Rather, these types of questions are included in ExamSuccess. You do not need to remember every specific detail from a question, but you will want to be familiar with the concepts and issues covered in those questions. The best we can advise you to do is to learn the overall concepts and issues and then apply your best professional judgment to answering questions about them. You will find the actual exam questions to be different from the practice questions in your study materials, since the practice questions are previous exam questions. The actual exam questions are always being updated and changed, so it is not likely that past exam questions will be asked again. For that reason, we have determined not to try to teach to the study questions in this section of the study materials. In this textbook, we prefer to focus on the topics covered in the ICMA's current Learning Outcome Statements, as we believe questions asked on an exam today are more likely to be from the current Learning Outcome Statements than they are likely to duplicate past exam questions.

Most of the concepts covered in the Risk Assessment, Controls and Risk Management portion of this section are adapted from the report Internal Control - Integrated Framework developed by COSO, the Committee of Sponsoring Organizations of the Treadway Commission. The sponsoring organizations included the American Institute of Certified Public Accountants, the American Accounting Association, the Institute of Internal Auditors, the Institute of Management Accountants, and Financial Executives Institute. The report was published in 1992 and is the guide for all internal control systems.

The second part of this section is Internal Auditing. This focuses on the audit function that the company operates internally, apart from the external audit of the financial statements.
The internal audit function has duties that spread far beyond the financial statements, and some of these responsibilities may not relate to money directly. For example, the internal audit function may be involved in time or quality audits. When studying for internal audit, you need to prepare for this topic on two levels. First, as usual, is the definitional and conceptual level. You need to know the characteristics of a successful internal audit function, how internal auditors test compliance with controls and evaluate the effectiveness of controls, and understand the reporting relationships and how they are set up. On the second level you must be able to answer questions about the work that internal auditors do and, in some cases, what types of procedures should be performed or how and to whom certain things should be reported.

Other important information includes the internal control and auditing provisions of relevant legislation, especially the Sarbanes-Oxley Act and the related guidance in PCAOB Auditing Standard 5 and SEC Release 33-8810.

The third part within this section is Systems Controls and Security Measures. In this part you will need to become familiar with the terminology that is involved. Some of this you may be familiar with from work or experience with computer systems, but it is important that you know the terminology.

Risk Assessment, Controls and Risk Management

The internal controls of a company are an important part of its overall operations. A strong internal control system will provide many benefits to a company including:
• Lower external audit costs,
• Better control over the assets of the company, and
• Reliable information for use in decision-making.
A company with weak internal controls is putting itself at risk for employee theft, loss of control over the information relating to operations, and other inefficiencies in operations and decision-making that can damage its business.

Internal Control Definition and Objectives

According to the COSO publication, Internal Control - Integrated Framework, internal control is a method, or process, that is carried out by an entity's board of directors, management and other personnel and that is designed to provide reasonable assurance that the company's objectives in the following three categories will be achieved:
1) Effectiveness and efficiency of operations, or the extent to which the company's basic business objectives are being achieved and its resources are being used effectively and efficiently. These include performance goals, profitability goals and safeguarding of resources.
2) Reliability of financial reporting, including preparation of all published financial information. In addition to the full set of financial statements, this includes interim and condensed financial statements and any selected financial data from those statements, such as earnings releases, that are reported publicly.
3) Compliance with applicable laws and regulations, encompassing all laws and regulations to which the company is subject.

These three categories of objectives are distinct, but they do overlap. A specific control objective of a specific company could fall under more than one category. However, the three categories address different needs, and they may be the direct responsibility of different managers. Objectives numbered 2) and 3), the financial reporting and compliance objectives, are based largely on standards that are imposed by external entities, such as the SEC, financial reporting standards, and laws of the land.
A company's achievement of these objectives is within the company's control, because it depends upon how activities that are within the company's control are performed. Internal control can provide reasonable assurance of the company's achieving these objectives.

Footnote: Internal Control - Integrated Framework, copyright 1992, 1994 by the Committee of Sponsoring Organizations of the Treadway Commission. Used by permission. The Committee of Sponsoring Organizations of the Treadway Commission includes the following five organizations: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Internal Auditors (IIA), Institute of Management Accountants (IMA), and Financial Executives International (FEI).

However, objective number 1), achievement of operations objectives, may not be within the company's control. Achievement of operations objectives is dependent upon management judgment and decisions and many times on external events that are beyond management's control. Good internal control cannot prevent bad judgments and decisions, and it cannot control external events. For this reason, an internal control system cannot provide reasonable assurance that operations objectives will be met. An internal control system can only provide reasonable assurance that management and the board of directors are being made aware of whether or not the company is progressing toward its operational objectives, and being made aware in a timely manner.

Therefore, internal control can be judged effective if members of management have reasonable assurance that:
1) They understand the extent to which the company's operations objectives are being achieved;
2) Published financial statements are being prepared reliably; and
3) Applicable laws and regulations are being complied with.

As a process, internal control is a means to an end, not an end in itself.
Internal control can provide reasonable assurance, but not a guarantee, that these objectives will be met. People, not policy manuals or forms, carry out internal control. Internal control is a process, and its effectiveness is the condition of the process, or the state of the process, at any given point in time.

Development of Internal Control Concepts

Ever since commercial organizations, nonprofit organizations and governments have existed, their leaders have recognized the need to exercise control in order to ensure that their objectives were achieved. Today, however, the leaders of an organization are not the only ones who care about its internal control policies and procedures.
• For a public company, information on the effectiveness of its internal control system is important to investors to enable them to evaluate management's performance of its stewardship responsibilities as well as the reliability of its financial statements.
• The company's external auditors recognize that an audit of a company with effective internal controls can be performed more efficiently.
• The potential for U.S. corporations to make illegal political contributions or illegal payments to foreign governments is of concern to legislative and regulatory bodies and is addressed through internal control policies and procedures.
• The development of larger organizations with increased numbers of employees has made it necessary for management to limit and direct employees' authority and discretion.
• Even customers have an indirect interest in internal controls, because a strong internal control system may reduce the costs of production and therefore also reduce products' prices.

Who Is Responsible for Internal Control?

Before we get into the details of internal controls, we should start by discussing who is responsible for internal controls.
Many people believe that the internal audit function has primary responsibility for establishing and maintaining the internal control system. But the COSO report, Internal Control - Integrated Framework (1992), corrected that belief. The COSO report advanced the practice of corporate governance by delineating the responsibility of each group or person listed below to maintain and assess internal controls, as follows:
• The board of directors is responsible for overseeing the internal control system, providing governance, guidance and insight.
• The CEO is ultimately responsible for the internal control system and the tone at the top. The CEO should provide leadership and direction to the senior managers and review the way they are controlling the business. This tone (called the control environment) is discussed in more detail below.
• Senior managers delegate responsibility for establishment of specific internal control policies and procedures to personnel responsible for each unit's functions.
• Financial officers and their staffs are central to the exercise of control, as their activities cut across as well as up and down the organization. However, all management personnel are involved, especially in controlling their own units' activities.
• Internal auditors play a monitoring role. They evaluate the effectiveness of the internal controls established by management, thereby contributing to their ongoing effectiveness.
• Virtually all employees are involved in internal control, because all employees produce information used in the internal control system or carry out other activities that put the internal control systems into effect. Furthermore, all employees are responsible for letting their managers know if they become aware of problems in operations or that rules, regulations or policies are being violated.

External parties provide information that is useful to effective internal control.
For example, independent auditors audit the financial statements and often provide other useful information as well to management and the board. Other external parties that may provide useful information include legislators, regulators, customers, financial analysts, bond raters and the news media. However, external parties are not part of the company's internal control system, and they are not responsible for it.

Note: Internal auditors evaluate the effectiveness of the control systems and contribute to their ongoing effectiveness, but they do NOT have the primary responsibility for establishing or maintaining the control systems.

The COSO report changed the concept of internal controls from narrow, technical terms of financial reporting to include all aspects of business operations and compliance, and it established a standard against which all organizations could measure their internal control systems.

Note: Internal control should be an explicit or implicit part of everyone's job description.

Components of Internal Control

According to the COSO report, Internal Control - Integrated Framework, five interrelated components comprise internal control. They are:
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring

Note: These elements may be remembered by the mnemonic CRIME, taking one letter from each component in the list above (Control activities, Risk assessment, Information and communication, Monitoring, control Environment), though CRIME does not put the components in the correct order. It is important to know that the Control Environment is the basis for all the other components and thus should come first, not last (as it would using the mnemonic CRIME). You should know not only what these components are, but what each term means and includes.

Component 1: The Control Environment

The control environment provides the foundation for all the other components.
It influences the control consciousness of all the people in the organization and sets the tone for the entire organization. Control environment factors that influence the scope and effectiveness of the control environment include:
• The integrity and ethical values of the entity's people. The effectiveness of internal controls is directly dependent upon the integrity and ethical values of the people who create, administer and monitor them. Therefore, integrity and ethical values affect the design, administration and monitoring of the other internal control components. Every company should have a code of conduct and formal policies regarding acceptable business practice, conflicts of interest, and expected standards of behavior.
• A commitment to competence. In order for tasks to be accomplished in accordance with the company's objectives and plans for achievement of those objectives, the company needs to have competent personnel. In order to have competent personnel, management should specify the knowledge and skills required for each position. There should be formal or informal job descriptions.
• The attention and direction provided by the board of directors and/or audit committee have significant influence over the tone at the top and thus over the control environment. Important factors are their independence from management, the experience and stature of their members, the extent of their involvement and their oversight over activities, the appropriateness of their actions and their willingness to ask the difficult questions. Board and audit committee members should hold regular meetings with chief financial and accounting officers and internal and external auditors. Sufficient and timely information should be provided to board and audit committee members. The responsibilities of the board of directors and of the audit committee are discussed in detail later.
• Management's philosophy and operating style. This affects the way the company is managed.
Companies may be managed informally through face-to-face contact or formally through written policies, performance indicators and exception reports. Management philosophy and operating style also include things like conservative or aggressive accounting principles and accounting estimates, and attitudes toward functions and personnel. The nature of the business risks taken by management is important, such as whether management enters into high-risk ventures or is conservative in accepting risks.
• The company's organizational structure provides the framework for planning, executing, controlling and monitoring the activities it pursues to achieve its objectives. These activities may be part of the primary activities or the support activities in the company's value chain, as discussed in Section C of this book in the section on Business Process Performance. Key areas of authority and responsibility and appropriate lines of reporting need to be established. The type of organizational structure a company needs depends on its size and its activities. A large organization needs a highly structured organization with formal reporting lines and responsibilities, while that amount of formality might not be needed, and in fact could impede the flow of information, in a smaller organization. The structure, whatever it is, should be organized to best carry out the strategies designed to achieve the organization's objectives and to provide the necessary information flow.
• The way management assigns authority and responsibility for operating activities affects the control environment because it determines how much initiative individuals are encouraged to use in solving problems and the limits of their authority.
Delegation of authority means giving up centralized control of some of the business decisions and allowing those decisions to be made at lower levels in the organization by the people who are closest to the day-to-day operations of the business. This can help an organization to reduce defects in manufacturing, reduce cycle time or increase customer satisfaction, thereby increasing its competitiveness. However, the challenge is to delegate only to the extent required to achieve the organization's objectives. The delegation should be based on sound practices for identifying and minimizing risk and on weighing potential losses against potential gains from delegation. Increased delegation requires personnel with a higher level of competence and greater accountability. There should be effective monitoring by management of results, because the number of undesirable or unanticipated decisions may increase. The extent to which individuals recognize that they will be held accountable for results greatly affects the control environment.
• Human resource policies and practices let employees know what levels of integrity, ethical behavior and competence are expected of them. These policies and practices include hiring, orientation, training, evaluating, counseling, promoting and compensating employees. All of these demonstrate the organization's commitment to hiring competent and trustworthy people, its expectations with respect to their performance and behavior, its commitment to advancing qualified personnel, and its desire to provide competitive compensation and incentives to motivate and reinforce outstanding performance. Policies with respect to remedial actions to be taken when necessary communicate to employees that violations of expected behavior will not be tolerated. Training needs to be ongoing.

Internal controls are more likely to function well if management believes that the controls are important and communicates that support to employees at all levels.
If management believes controls are meaningless or even an obstacle, employees will pick up on this attitude. And in spite of formal policies saying otherwise, employees will then view internal controls as red tape to be cut through to get the job done.

Organizations with effective control environments set a positive tone at the top.
• They transmit guidance both verbally and by example, communicating the entity's values, standards and code of conduct, and they follow up on violations. There are mechanisms to encourage employee reporting of suspected violations, and disciplinary actions are taken when employees fail to report them.
• They foster a control consciousness by setting formal and clearly communicated policies and procedures that are to be followed at all times, without exception, and which result in shared values and teamwork.
• They specify the competence level needed for particular jobs; hire and retain competent people; and assign authority and responsibility appropriately. Individuals who are working in positions that they are not qualified for are a risk simply because they are not capable of performing the work that they are supposed to. This provides an opportunity for someone else to take advantage of their lack of knowledge or skills in perpetrating fraud. For this reason, personnel policies and procedures are integral to an efficient control environment.
• The board of directors is responsible for setting corporate policy and for seeing that the company is operated in the best interest of shareholders, the owners. The attention and direction provided by the directors are critical. The board consists of both inside and outside directors who have adequate expertise and are active and involved. Independence of the board from management is critical, so that if necessary, difficult and probing questions will be raised.
A company's organizational structure is key to its ability to achieve its objectives, because the organizational structure provides the framework for all its activities. Aspects of establishing an organizational structure include:
• Defining the key areas of authority and responsibility and delineating lines for reporting.
• The company's organizational structure should be whatever best suits its needs and will enable it to accomplish its objectives. It may be centralized or decentralized. It may have direct reporting relationships, or reporting may be more like a matrix. It may be organized by industry, product line, geographical location or distribution network, or it may be organized functionally.
• Authority and responsibility should be delegated to the extent necessary to achieve the organization's objectives.
• The control environment is influenced by the fact that all individuals in the organization realize that they will be held accountable for their actions. If a person does something that is in violation of the company's policies and standards, some sort of disciplinary action should be taken against that person. If there is no penalty for the violation of the internal controls of the company, then other individuals will not see the need for compliance.

Component 2: Risk Assessment

Within the control environment, management is responsible for the assessment of risk. A risk is anything that endangers the achievement of an objective. The questions should always be asked: What could go wrong here? What assets do we need to protect? Risk assessment is the process of identifying, analyzing and managing the risks that have the potential to prevent the organization from achieving its objectives. Assessment of risk involves determining the dollar value of assets that are exposed to loss as well as the probability that a loss will occur.
Management must determine how much risk it is willing to accept and then work to keep the risk it actually accepts within that level. Therefore, the company's objectives must be established before the risks to them can be assessed. Objective setting is therefore a key part of the management process of risk assessment. Objectives may be explicitly stated or they may be implicit, such as to continue a previous level of performance.

Entity-level, or company-level, objectives are often expressed through the company's strategic plan, which begins with its mission statement and addresses the long-term objectives of the organization. Strategic planning looks at the strategies as well as the organizational objectives and goals by examining both the external and internal factors that affect the company. The company's strengths and weaknesses as well as its opportunities and threats are assessed, and this process leads to the company's overall strategy. This overall strategy then leads to more specific objectives that are established for specific activities such as sales, production and engineering. Specific activity-level objectives include goals relating to the product line, the company's market, its financing, and its profit goals. These specific objectives need to be consistent with one another and with the overall strategy and objectives.

When these entity-level and activity-level objectives have been set, the company can determine what its critical success factors are. We discussed critical success factors in Business Process Performance in Section C. Critical success factors are the aspects of the company's performance that are essential to its competitive advantage and therefore to its success. Therefore, they are key things that must go right if the company is to attain its objectives.
Broad categories of objectives, which also relate to the objectives of internal control, are:
• Operations objectives relate to the achievement of the company's mission. They include objectives for the effectiveness and efficiency of the company's operations and its performance and profitability goals. They also include the safeguarding of company resources against loss. A company's operations objectives will vary depending on the choices management makes about structure and performance.
• Financial reporting objectives address the preparation of published financial statements. They include publishing reliable reports and prevention of fraudulent financial reporting. Companies need to achieve these objectives in order to meet their external obligations and requirements.
• Compliance objectives include adhering to all laws and regulations that the company is subject to. These laws and regulations establish minimum standards of behavior and may include marketing, packaging, pricing, taxes, environmental protection, employee safety and welfare, and international trade, as well as many others. A company's record of compliance or noncompliance with laws and regulations affects its reputation in its communities. It also, of course, affects the company's risk of being the recipient of disciplinary procedures.

Objectives can overlap. For example, the operations objective of safeguarding resources includes prevention of loss through theft. However, the goal of ensuring reliable financial reporting includes making sure that any such losses that may occur through theft are properly reflected in the company's financial statements, a financial reporting objective.

Establishing these objectives is a required first step to establishing effective internal control, because it forms the basis for assessing risk, i.e., what could go wrong that could prevent the company from achieving its objectives.
Risk Identification

Risks can come from both internal and external factors that can affect the company's ability to achieve its objectives. The greater the difference between the current objectives and the objectives of the past, the more risk there is. Even the objective of maintaining performance as it has been in the past carries both internal and external risks. The risk assessment process should consider all risks that may occur. The risk assessment should be comprehensive and consider all significant interactions between the company and external parties. External parties to include in the assessment are suppliers (current and potential), investors, creditors, shareholders, employees, customers, buyers, intermediaries, competitors, public bodies and the news media.

Here are just a few examples of potential risks, both internal and external:
• Internal risks include employee embezzlement accompanied by falsification of records to conceal the theft, lack of compliance with government regulations, or other illegal acts by employees, such as taking a bribe. They can include disruption in computer systems, poor management decisions, errors or accidents. Changes in management responsibilities can affect control activities, and an ineffective board or audit committee may leave openings for fraudulent actions.
• External risks include changes in technology, changes in the market in which an entity operates, actions taken by a competitor, new legislation bringing new requirements, natural disasters, economic changes, a failure of a key supplier, or being sued, defrauded, or robbed.

Risk Analysis

The risk assessment forms the basis for determining how the risks will be managed.
After the company has identified its entity-level and activity-level risks, it should perform a risk analysis to (1) estimate the significance of each risk; (2) assess the likelihood or frequency of each risk's occurring; and (3) consider how each risk should be managed by assessing what actions need to be taken. Risks that do not have a significant effect on the company and that have a low likelihood of occurring would not warrant serious concern. However, significant risks with a high likelihood of occurring usually require serious attention. Risks that are in between these two extremes require judgment.

Once the significance and likelihood of risks have been assessed, the following steps should be taken to manage the identified risks:
1) The amount of potential loss from each identified risk should be estimated to the extent possible. Some risks are indeterminate and can only be described as large, moderate or small.
2) Consider how each risk should be managed by determining what can be done and analyzing the costs, if any, associated with managing each risk. Some actions can virtually eliminate the risk or offset its effect if it does occur, such as hedging financial exposures or purchasing insurance. Some actions can reduce the level of risk but not eliminate it.
3) Procedures should be established to ensure that the plans for managing the risks are actually implemented. These procedures are the control activities, discussed in the next component.

Note: There is a difference between risk assessment, which is a function of internal control, and the plans or other actions taken by management to address the risks, which are a function of management and not of the internal control system.

Component 3: Control Activities

After the risks have been assessed, controls should be designed to limit the risk. To accomplish this, control activities are implemented.
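Before turning to the control activities themselves, the risk analysis procedure described above (rate significance and likelihood, estimate the potential loss where possible, and sort the risks into those needing serious attention, those needing judgment, and those needing no serious concern) is worked through in code below. This is an added example and not material from the textbook or from COSO; the three-point "low/moderate/high" scale, the `Risk` class, the function names and the sample risk register are all this example's own assumptions, and the register entries are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Three-point ordinal scale for the qualitative ratings. The text speaks only of
# "significant"/"not significant" and "high"/"low" likelihood; the middle
# "moderate" level and the ordering below are this example's assumptions.
LEVEL = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Risk:
    name: str
    significance: str                    # "low" | "moderate" | "high"
    likelihood: str                      # "low" | "moderate" | "high"
    exposure: Optional[float] = None     # dollar value of assets exposed, if estimable
    probability: Optional[float] = None  # probability of a loss in the period, if known

    def expected_loss(self) -> Optional[float]:
        """Step 1 of the procedure: estimate the potential loss where possible.
        Indeterminate risks (no exposure or probability figure) return None and are
        carried forward with only their qualitative size."""
        if self.exposure is None or self.probability is None:
            return None
        return round(self.exposure * self.probability, 2)


def triage(risk: Risk) -> str:
    """Bands from the text: low significance and low likelihood need no serious
    concern; high significance and high likelihood need serious attention;
    everything in between is left to judgment."""
    s, l = LEVEL[risk.significance], LEVEL[risk.likelihood]
    if s == 1 and l == 1:
        return "no serious concern"
    if s == 3 and l == 3:
        return "serious attention"
    return "judgment required"


PRIORITY = {"serious attention": 0, "judgment required": 1, "no serious concern": 2}


def analyze(risks: list) -> list:
    """Return (name, band, expected_loss) tuples ordered so the items that most
    need attention come first; within a band, larger estimated losses sort first
    and indeterminate (None) losses sort last."""
    rows = [(r.name, triage(r), r.expected_loss()) for r in risks]
    rows.sort(key=lambda row: (PRIORITY[row[1]],
                               -(row[2] if row[2] is not None else -1)))
    return rows


# Constructed sample register (hypothetical entries, not from the textbook).
SAMPLE_REGISTER = [
    Risk("Embezzlement concealed by falsified records", "high", "moderate",
         exposure=400_000, probability=0.05),
    Risk("Key supplier failure", "high", "high", exposure=1_200_000, probability=0.10),
    Risk("Misfiled expense report", "low", "low", exposure=500, probability=0.50),
    Risk("Adverse new legislation", "high", "moderate"),   # indeterminate: no dollar estimate
    Risk("Disruption in computer systems", "moderate", "high",
         exposure=250_000, probability=0.20),
]

if __name__ == "__main__":
    for name, band, loss in analyze(SAMPLE_REGISTER):
        shown = "indeterminate" if loss is None else f"{loss:,.2f}"
        print(f"{band:20} {name:45} {shown}")
```

The indeterminate case is handled deliberately: a risk with no dollar estimate is not dropped and not silently treated as zero, it keeps its qualitative band and sorts after the quantified risks in the same band, which is what the text's "large, moderate or small" description implies.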
Control activities are the policies that address the identified risks and the procedures that ensure that management directives are carried out, thus helping ensure that the organization's objectives will be achieved. Therefore, controls should be designed to limit risk wherever risk exposure is determined to exist, in order to protect the organization's ability to achieve its objectives. This risk could be in the form of loss of assets, or it could be a misstatement of accounting or management information. The identified risks cannot be completely eliminated, but designing appropriate control activities and ensuring that those control activities are implemented can minimize them. In addition, management must comprehend laws and regulations imposed on the organization from the outside and ensure that compliance policies and procedures are in place.

Classifications of Control Activities

There are five classifications of control activities based on when they occur within the activity being carried out and what their objective is. The types of controls, their meaning and examples of each are:

Preventive
  Meaning: To avoid the occurrence of an unwanted event.
  Examples:
  • Segregation of duties.
  • Suitable authorization of transactions.
  • Checking creditworthiness of customers before shipping goods.
  • Physical controls to safeguard assets such as equipment, inventories, securities, cash and other assets.

Detective
  Meaning: To detect (discover) an unwanted event that has already occurred.
  Examples:
  • Bank reconciliations and regular reconciliations between other physical assets and amounts shown on control records.
  • Checking for missing document numbers in prenumbered documents.
  • Top-level reviews of performance reports with variances from budgets, forecasts, prior periods and competitors.
  • Managers of various activities review direct functional performance reports.

Directive
  Meaning: To ensure (encourage) the occurrence of a desirable event.
  Example: Managers of a construction company instructing project managers to hire local workers in order to create a favorable image in the communities in which it operates.

Corrective
  Meaning: To correct an undesirable event that has already occurred.
  Example: Procedures put in place to remedy problems discovered by detective controls, such as steps taken to identify the cause of the problem, to correct errors arising from the problem, and to modify the processing system to minimize future occurrences of the problem.

Compensating
  Meaning: To compensate for an internal control weakness by doing more of other controls.
  Example: A bank reconciliation may be a compensating control as well as a detective control, because it can compensate for flaws in the controls that are typically established over the receipts or disbursement processes.

Additionally, control activities can be grouped according to the three categories of objectives: 1) Financial reporting, 2) Operations, and 3) Compliance.

Examples of control activities are:

1) Top-level reviews: Reviewing actual results versus budgets, forecasts, prior periods and competitors; tracking the extent to which targets are being met and plans are being implemented.

2) Direct functional or activity management: Managers who direct functions review appropriate performance reports, such as collections of past-due accounts.

3) Information processing: Controls to check accuracy, completeness and authorization of transactions; control of new system development and existing system modifications; control of access to data files and programs.

4) Independent checks: Checks performed by someone other than the person responsible for the original operation are generally more effective at assuring that transactions are processed and activities are performed accurately. A new pair of eyes will spot mistakes more often than those of the originator of the work.

5) Performance indicators: Performance indicators include relating different sets of data to one another and investigating unexpected results. The data may be operating or financial data. Performance indicators would include purchase price variances, percentage of returns to total orders, etc. By investigating unexpected results, management can see areas where the organization's objectives are in danger of not being achieved.

6) Physical controls to safeguard assets: The most visible safeguarding controls include controls to protect the organization's assets from losses due to natural disasters like floods and tornadoes. However, safeguarding controls also include physical protection measures to restrict access to assets and documents such as records and blank checks, purchase orders, bank codes, etc., to authorized personnel. Inventory, equipment, securities, cash and other assets must be physically secured to safeguard them. Access to warehouses and inventory storage areas should be restricted to authorized individuals. Items must be counted periodically and compared with control records.

7) Documents and records: Source documents are designed to facilitate collection of all relevant information; audit trails should be maintained. Source documents should be pre-numbered in order to account for all documents, reducing the likelihood of fraudulent use.

8) Authorization: Employees should be appropriately empowered to perform tasks, receive specific documents and make decisions that impact assets. Their authority must involve some kind of validation such as a signature or authorization.

9) Segregation of duties: Duties should be divided among different people. This reduces the risk of error or inappropriate activities. It ensures that no individual is given so much responsibility that he or she is in a position to both perpetrate and conceal an irregularity. Responsibility for authorizing transactions, recording them and handling the related asset should be segregated. For example, the manager of the credit department who authorizes credit sales should not also be responsible for recording accounts receivable transactions or handling cash receipts.

Though segregation of duties is listed last, it is perhaps one of the most important internal controls for the Exam. Therefore, it will be discussed in more detail later.

Component 4: Information and Communication

Relevant information must be identified, captured and communicated in a manner that enables people to carry out their responsibilities. This means reports must contain the information that management needs and must be available in a timely manner for management to be able to act on that information.

1) Communication must be ongoing, both within and between the various levels and activities of the organization. This starts with communication by top management to the rest of the organization.

2) All staff must understand their roles in the internal control system and be able to communicate significant information upstream.

3) Reports containing operational, financial and compliance information required for informed decisions - both internally generated and external information - must be available.

4) Supervisors must communicate duties and responsibilities to the employees that report to them, and employees must alert management to potential problems as soon as they arise or become apparent.

5) Some information must be communicated to those outside the organization, such as vendors, and must also be available from external sources.
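The segregation-of-duties rule described under Control Activities above (no one person should both authorize a transaction, record it and have custody of the related asset) is something an internal auditor can check mechanically during an access review. The Python below is an added example written for this page; it is not code from the textbook or from the CMA program. The employee names, process names and the independent_reviews mapping are constructed for illustration. It flags any person who holds two of the three incompatible functions within the same process, and then shows how an independent review by someone else acts as a compensating control for conflicts that a small organization cannot remove by reassigning duties.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added illustration for the control-activities discussion; all names and
assignments below are constructed sample data, not a real organization.
"""
from collections import defaultdict
from itertools import combinations

# The three functions the text says must be held by different people
# for any one process: authorizing, recording, and asset custody.
INCOMPATIBLE = {"authorize", "record", "custody"}

# Constructed sample: (employee, process, function) taken from an access review.
ASSIGNMENTS = [
    ("alice", "credit_sales", "authorize"),
    ("alice", "credit_sales", "record"),    # conflict: authorizes AND records
    ("bob",   "credit_sales", "custody"),
    ("carol", "payroll",      "authorize"),
    ("dave",  "payroll",      "record"),
    ("dave",  "payroll",      "custody"),   # conflict: records AND handles cash
    ("erin",  "purchasing",   "authorize"),
    ("erin",  "credit_sales", "record"),    # two processes: no conflict by itself
]


def find_sod_conflicts(assignments):
    """Return sorted (employee, process, (func_a, func_b)) tuples, one for each
    pair of incompatible functions held by the same person in the same process.
    Functions outside INCOMPATIBLE (e.g. read-only reporting) are ignored."""
    held = defaultdict(set)
    for employee, process, function in assignments:
        if function in INCOMPATIBLE:
            held[(employee, process)].add(function)

    conflicts = []
    for (employee, process), functions in held.items():
        # Any two of the three functions in one person's hands is a conflict.
        for pair in combinations(sorted(functions), 2):
            conflicts.append((employee, process, pair))
    return sorted(conflicts)


def unmitigated_conflicts(assignments, independent_reviews):
    """Filter conflicts by a compensating control.

    independent_reviews maps process -> reviewer who performs an independent
    check of that process. A conflict counts as mitigated only if such a
    review exists AND the reviewer is not the conflicted employee (a review
    of your own work is not independent). Everything else is reported."""
    remaining = []
    for employee, process, pair in find_sod_conflicts(assignments):
        reviewer = independent_reviews.get(process)
        if reviewer is None or reviewer == employee:
            remaining.append((employee, process, pair))
    return remaining


if __name__ == "__main__":
    for conflict in find_sod_conflicts(ASSIGNMENTS):
        print("SoD conflict:", conflict)
    # Carol independently reviews payroll, so Dave's conflict is compensated;
    # nobody reviews credit sales, so Alice's conflict remains open.
    for conflict in unmitigated_conflicts(ASSIGNMENTS, {"payroll": "carol"}):
        print("Unmitigated:", conflict)
```

The check deliberately keys on (employee, process) rather than on employee alone: holding "authorize" for purchasing and "record" for credit sales, as erin does, is not the perpetrate-and-conceal combination the text warns about. The second function encodes the compensating-control idea from the classification table above; an independent review is only credited when the reviewer is a different person.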
Some examples of information that is essential are:

1) Financial information is used internally to monitor performance for the purpose of making operating decisions and allocating resources, in addition to its use in developing financial statements for external financial reporting.

2) Operating information is required on purchases, sales and other transactions as well as competitors' actions, product releases, and economic conditions. Other operating information might be needed to achieve compliance, such as personnel reports and emissions information.

Some examples of communication that must take place are:

1) Information systems must provide reports to appropriate personnel so they can carry out their responsibilities.

2) All personnel need to receive clear communication from top management that their internal control responsibilities must be taken seriously. Each person needs to understand his or her role in the internal control system and how the system works. People need to understand that when something unexpected occurs, attention must be given to the cause of the event as well as to the event itself. If this is not done, a potential weakness in the system may go unidentified. Weaknesses must be identified and action taken to prevent another occurrence.

3) People need to know what behavior is expected of them and what behavior is unacceptable. For example, it must be communicated that it is not acceptable to meet the budget by the use of creative accounting or other fraudulent activities.

4) Employees need to know that if they report a suspected violation of the company's code of conduct, they will not get into trouble for it. This is what is known as whistle-blower protection. A whistle-blower is someone who blows the whistle to alert management to something going on that is not proper. If protection for whistle-blowers is not in place, they may not come forward because of fear of reprisal, and an opportunity to learn about something important may be missed.

5) In addition, communications between management and the Board of Directors are vital. Senior management must inform board members about performance, new developments, major initiatives, potential risks, and any other relevant information. The Board needs this information in order to be effective at carrying out its oversight responsibilities and in providing advice and counsel. The Board also needs to communicate to management what information it needs
Posted on: Fri, 22 Nov 2013 05:58:38 +0000
