Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Internal Controls
Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Outline
• Learning objectives • Risk exposures
3-2
Learning objectives
1. Define internal control and explain its
importance in the accounting information
system.
2. Explain the basic purposes of internal
control and its relationship to risk.
3. Describe and give examples of various
kinds of risk exposures.
3-3
Learning objectives
4. Prepare a simple risk/control matrix.
5. Summarize and explain the importance of
COSO’s 2013 “Internal Control—
Integrated Framework.”
6. Critique existing internal control systems
and design effective internal controls.
3-4
Internal control definition
3-6
Internal control definition
• Key elements of the definition
– Reasonable assurance. No internal control
ever provides absolute assurance. The
benefits of a control must outweigh its costs.
– Objectives relating to:
• Operations: business processes, such as the
sales / collection process.
• Reporting: financial, tax, internal.
• Compliance: applicable laws & regulations, such
as SOX and the Foreign Corrupt Practices Act.
3-7
Internal control purposes
3-8
Internal control purposes
a procedures manual.
performance reviews.
3-9
Risk exposures
• To develop strong internal • By identifying their risk
exposures, they can
controls that achieve the
develop and implement
four purposes, many
internal controls to address
organizations think in terms them.
of risk. • “Address” can refer to
preventive, detective or
Identify risk
exposures. corrective controls.
Develop
internal
controls.
3-10
Risk exposures
• Brown’s taxonomy • Four major categories
– Financial
provides one good
– Operational
organizing structure – Strategic
3-11
Risk exposures
• Financial risk • Strategic risk
– Market risk – Legal & regulatory risk
3-12
Risk / control matrix
Disclosure of the
database of
employees' Social data encryption and human resource
Security numbers systems risk firewalls preventive process
established
procedures for
granting credit,
Granting credit including a separate sales / collection
inappropriately credit risk credit department preventive process
3-14
COSO framework
• Five components, all necessary for strong
internal control
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring
3-15
COSO framework
• Control environment
– Organization’s overall attitude about internal
control
– Must be established at the top of the
organization (CEO, CFO)
– Often called the “tone at the top” or “tone
from the top”
3-16
COSO framework
• Risk assessment • Control activities
– Organization’s risk – Specific internal
exposures controls to address
– Tools like the Brown risks
framework can help – Preventive / detective /
ensure “all the bases corrective
are covered” – A control may address
multiple risks; a single
Identify risk risk may involve
exposures.
Develop multiple controls.
internal
controls.
3-17
COSO framework
• Information and communication
– How the entire internal control plan is
disseminated throughout the organization
– This framework element relates to the plan in
its totality.
• Monitoring
– Ensuring the plan’s ongoing effectiveness
– May be entrusted to the internal audit
department
3-18
COSO framework example
Information &
Control environment:
communication: Required
Open door policy from
annual training on internal
CEO / CFO regarding
control for all employees.
internal control
Control activities:
Strong network security.
Data encryption.
Firewalls. Continuous
monitoring.
3-20
3-21