This section looks at the creation of an effective corporate governance structure and the manner in which that structure provides oversight and monitoring of an organization's actions, policies, and decisions; several interrelated approaches to establishing control; the assessment and management of risk; the process of internal auditing and responsibilities of auditors; and measures taken to ensure the security and reliability of systems and the information they provide.
Risk
Exposure to circumstances that may increase the likelihood of loss.
Audit risk
The likelihood that a company’s FS are materially misstated and the auditor expresses an inappropriate audit opinion. An inappropriate audit opinion can be extremely costly.
Data flow diagram
A graphical description of the source and destination of data that shows how data flows within an organization.
Rollback backup
This involves undoing changes to a database up to a point where it was known to function correctly.
Checkpoint backup
This is a process where data is backed up at pre-specified checkpoints.
Grandfather-father-son backup
The process of maintaining at least three generations of backups so data can be recreated from any of them.
Tax preparation services
These are not among the services that the Sarbanes-Oxley Act prohibits an auditor from providing to an audit client.
Limitations of an internal control system
Employees of a company colluding to commit fraud.
Existing controls are being purposefully overridden by management.
Rigid company policies and procedures that do not adapt to changes in the business environment.
Inappropriate human judgment, leading to faulty decisions.
Cloud storage
Refers to storage on the internet, through a cloud storage service provider. Storage limits depend upon the requirements of the user, hence large amounts of data can be stored. Employees will be able to access data and work from any location, with internet-connected devices.
Local Area Network (LAN)
Refers to a group of interconnected devices within a limited area. It is not used for storage; rather, it allows organizations to process and share information in a secured way.
Bot
An automated software program that performs repetitive, pre-determined tasks.
Whistleblower policy
Adopting a ________ is an effective way to show commitment toward integrity and ethical values, which is a crucial element of an internal control environment.
Internal controls that can be applied for managing funds at the point of sale
Customers should be encouraged to report to the store manager in case they are refused an invoice for their purchases.
Restricting the access to the cash drawers and emptying the drawers before the start of a new shift.
How COSO Components correlate with one another
Control environment and risk assessment can be considered essentially strategic in nature, pulling together into one big picture the overview of the internal control system.
Control activities and information and communication fall under the operative side, since they deal with the details of the internal control system and disseminate information that comes from the top.
The monitoring functions are the bridge between these two groups, designed to ensure that they are aligned; that is, that the execution (operative) does not deviate from what is envisioned (strategic).
Why some physical assets and information are protected by different types and layers of controls
Although all assets and types of data are important, certain assets or information are more important and should therefore be secured by different types and layers of controls.
Role of Database administrator (DBA)
To manage the information system and provide support services to end users. When the database is small, they can also be responsible for database security by controlling access to the database, managing procedures for backup and recovery, and ensuring data integrity.
Skimming
A fraud scheme that involves an employee receiving cash payments from customers, recording the payment, and then charging an expense account. The employee can then divert the cash charged as an expense for personal gain.
Diversion of payment from slow-paying customers
This fraud scheme occurs when an employee writes off a doubtful account but subsequently receives payment from the same customer. If an employee also has custodial roles over cash receipts, he/she can steal the payment without anyone noticing.
Kiting
A method of fraud in which an employee can write checks and take advantage of clearing days to hide any amount embezzled.
Lapping
A scheme where cash payments from one customer are stolen, then the theft is hidden by offsetting the receivable using the payment of another customer who paid at a later time.
Compatibility check
The most appropriate control to verify that a user is authorized to execute a particular online transaction. It verifies that user information, such as user ID, password, and security profile, is correct.
Encryption techniques
Public & Private key
Authentication key
Operating system
When attempting to restore computing facilities at an alternate site following a disaster, this system should be restored first.
Develop unique account numbers for each user
The most appropriate technique to restrict access to computer programs and databases to authorized personnel.
Advantages & Disadvantages of Single Sign-on password
Convenient for users, as they do not need to remember multiple passwords and user IDs and can access all IT resources using a single set of sign-on credentials.
May become a single point of failure: if the sign-on does not work, the user is unable to access any of the IT resources.
Examples of processing, input, output controls
Transaction logs: processing control
Check digit and validity check: input controls
Spooling: output control
Document flowchart
An effective way to visualize how the document (a copy of a shipping order) flows through various departments.
COSO not required
FCPA does not specify the particular set of controls a company must implement. Other frameworks are permissible as long as they encompass the components of a control environment, risk assessment, information and communication procedures, monitoring activities and control procedures.
Replicate itself
A computer virus is different from a “Trojan Horse” because the virus can:
Key verification
In situations where it is crucial that data be entered correctly into an accounting information system, the best method of data control would be to use:
Internal control audit with FS audit
The U.S. Public Company Accounting Oversight Board (PCAOB) seeks to protect investors by requiring public companies to integrate:
Data control group
Responsible for reprocessing the errors detected during the processing of data within the computer department.
Reasonable assurance
The benefits of internal control must always exceed the costs of implementing them. Implementing a system of absolute assurance is costly; thus only ______ can be obtained.
Facility and hardware controls
Control access to the building, locate data center away from public areas, give access to only authorized personnel, use key codes or biometrics for entrance, etc.
Outside attorneys and consultants
All committees of the board should have access to _______ other than the corporation’s normal counsel and consultants.
Network controls
Use a private network or virtual private networks to secure connections to the Internet, add password protection and require periodic password changes, encrypt data before transmission, ensure correct destination addresses through routing verification, verify message delivery via message acknowledgement, detect and defend against attacks with virus protection software and a firewall, alert on intrusions with an intrusion detection system, etc.
Backup controls
Include identification of vital systems to be backed up regularly, development of a disaster recovery plan, and testing of backup communications and resources.
Sound disaster recovery plan components
Establish priorities for recovery process
Identification of software and hardware needed for critical processes
Identify all data files and program files required for recovery
Store files in off-site storage
Identify who has responsibility for various activities and which activities are needed first
Set up and check arrangements for backup facilities
Test and review recovery plan
Bank deposits do not always correspond with cash receipts.
Cause: cash received after bank deposits.
Action: have a separate individual reconcile incoming cash receipts to bank deposits.
Physical inventory counts sometimes differ from perpetual inventory record, and sometimes there have been alterations to physical counts and perpetual records.
Cause: timing differences.
Actions: limit access to physical inventory; require and document specific approvals for adjustments to records.
Unexpected and unexplained decrease in gross profit percentage.
Causes: unauthorized discounts or credits provided to customers.
Actions: establish policies for discounts and credits; document approvals.
Transaction processing controls
Include: passwords to limit access to input or change data, segregation of duties to safeguard assets, and control totals to ensure data accuracy.
Virus protection controls
Include: ensuring that the latest version of anti-virus software is installed and updated, setting up firewalls to deter incoming risks, and limiting internet access to business-related purposes to reduce the chance of virus infection.
Social engineering
Outside personnel posing as employees of the organization attempt to solicit confidential information from actual employees of the firm.
Engagement letter
Outlines the scope, work, and processes to be undertaken by external auditors during the audit and should be signed by all involved parties.
Inherent and residual risks
These are elements that are relevant to assess the risk of an entity.
Elements relevant to assess the control activities of an entity
Independent checks on performance and adequacy of documents and records
Physical control over assets, segregation of duties, and authorization of transactions
Elements relevant to assess the control environment of an entity
Ethical values, organizational structure, management philosophy, and operating style
Manual methods of input controls
Dual observation
Approval mechanism
Supervisory procedure
Detection & audit risk
By conducting the substantive test at the year end, the risk of non-detection of a material misstatement is largely reduced, thus, reducing the:
AS issued by the PCAOB apply only to issuers.
The most important distinction between auditing standards (AS) issued by the PCAOB and statements on auditing standards (SAS) issued by the ASB is:
Example of network control
An organization implementing a standardized password update policy for employees with access to sensitive information. Passwords, whether used in single-factor or two-factor authentication, provide a gateway for individuals to gain access to potentially sensitive information.
Similarities & difference between firewalls and antivirus software
Firewalls and antivirus software both play important roles in protecting computer networks. However, they perform different tasks. Firewalls prevent malicious information from entering a computer network while antivirus software isolates and removes corrupt files from a computer network. Both are needed to protect an organization’s computer network.
Audit subcommittee of the Board
The internal audit function should report to the _______. To create a business environment that is ethical in nature and supportive of employees reporting possible unethical behavior, a control system is necessary.
Authorization, recording, custody and reconciliation
The principle of segregation of duties calls for the separation of which of these sets of responsibilities.
Validity check
A test which ascertains whether data adheres to specified rules or standards. The company could create a list of existing job numbers and disallow data entry if new jobs use a previously used job number.
Hash totals
A sum of numbers in a specified field of a record or batch of records that is used for control purposes. Distinguishable from other totals because it does not have any financial significance.
Negative implication of having a system with single sign-on functionality
If an employee password is hacked or stolen, an unauthorized person can gain access to multiple systems or datasets within the organization.
Circle
Represents a connector to a different element on the flowchart.
Diamond
Denotes a point of decision on the flowchart. For example, the customer will be approved or declined in a credit check.
Rectangle
Denotes a process on the flowchart.
Cylinder
Refers to a database or magnetic disk storage on the flowchart.
Limit check
Ensures that only data which falls within a pre-defined limit is entered into the system.
Completeness
The use of prenumbered sales invoices supports ________. A company uses prenumbered sales invoices to ensure that all sales are accounted for. If sales invoices are prenumbered, it is easier to check and trace which sales were skipped or missed.
Check digit
A form of redundancy check to establish if a number is entered correctly. This check is used to find out typo errors when numbers are entered into a system.
Controls related to safeguarding of assets
Physical stock-taking will help in keeping track of all assets and will help in the reconciliation of recorded inventory and actual physical inventory.
Labeling, numbering, and tagging of assets help in keeping track of all assets.
Perform background checks on all employees, as such checks help in establishing the honesty and integrity of employees. The chances of misappropriation of assets are reduced if employees are honest with high moral values.
Limitation of firewalls
Firewalls primarily help protect against malicious traffic, but not against malicious programs. Hence, if the user accidentally installs malware, the firewall cannot stop it from making changes to the system.
FCPA Requirement concerning internal controls
An issuer should maintain a system of internal controls that provide reasonable assurance that financial objectives are met.
Balancing
A processing control that refers to validating the accuracy of values that refer to the same set of transactions by comparing their totals.
Standardization
A processing control that refers to procedures developed to improve consistency in transaction processing.
Redundant processing
A processing control where transactions are processed twice, and results are compared to check the correctness of the procedure.
Matching
A processing control that refers to the process of comparing items from independent sources to ensure the accuracy of the amounts indicated.
Ex. In settling accounts payable, an accounting clerk compares the purchase order, receiving report, and supplier's invoice to make sure the amounts align and avoid events of fraud and overpayments.
Bugging
An act of planting a microphone or a camera with an intention of spying on individuals or companies.
Denial of Service
A form of cyber-attack in which a network or a website is disabled or disrupted, making them unavailable for legitimate users.
Spamming
Refers to the act by an individual or a company sending emails in bulk to other individuals, thus, creating “digital junk”.
Cost-benefit relationship
A primary criterion that should be considered in designing an internal control.
Firewall vulnerability
Can be minimized by requiring all employees accessing the information systems to use passwords.
External audit function
Should conduct risk assessment procedures, and then conduct appropriate levels of analytical procedures and substantive tests of both financial and nonfinancial information.
Risk to internal controls that can occur during the merger and acquisition process
Due to the many changes in the reporting process that occur during a merger or acquisition, there is a serious risk that controls may be ignored or overridden.
Purpose of disaster planning
To minimize potential losses and disruption of business activities.
Why the roles of the Chairman and CEO should be separated
To avoid conflict of interest and ensure that too much power is not vested with one individual.
Management is dominated by one individual.
Management philosophy and operating style would most likely have a significant influence on the entity's control environment when:
Risk associated with automation over the accounting process
Automation may, either by accident or through collusion, lead to violations of internal control policies and procedures.
Factors can lead to violation of the FCPA
Failure to authorize and trace payments made by employees to outsiders.
Failure to take inventory of company assets and reconcile them on a regular basis.
Failure to record transactions in accordance with relevant accounting standards.
Bonding employees
Helps protect the organization in the case of unethical or fraudulent activity by employees tasked with handling cash.
Nature of internal controls over financial reporting and safeguarding of assets
As the entity grows, management becomes more reliant on the efficacy of its internal controls to help ensure accurate and reliable financial reports are generated, and risks of misstatement are held to tolerable levels even with an increasing volume of transactions and compliance requirements.
Authorize transactions and record cash disbursements.
Proper segregation of duties reduces the opportunities to allow individuals to be in positions to both:
How technology controls and procedures should be updated
Technology, including technology controls, should be updated at a continuous rate to reflect and align with changes in the technology landscape.
Component
The control environment is a _______ of an organization’s internal control system.
Cross-training
Enables different employees to review different types of work performed by other employees to prevent unethical activity.
How agency problems can be mitigated
By compensating trustees with financial and nonfinancial incentives to influence their behavior and mindset.
Anonymous employee hotline/portal
Helps improve culture and governance since employees can report possible unethical activity without the fear of negative repercussions.
Tone at the top
The philosophy of management toward internal controls and how the organization operates, and it is embodied both via training and specific policies.
Top-down, risk-based approach
A required approach for external auditors to attest to and report on public firms’ internal controls over financial reporting.
Audit risk model
Inherent risk × Control risk × Detection risk
Personnel Controls
Hiring
Training
Job Rotation & Mandatory vacations
Sarbanes-Oxley Act of 2002 (SOX)
Corporate governance today is heavily influenced by this, which improved corporate governance standards.
201 → No side jobs
203 → Rotate every 5 years
301 → Committee independence
302 → CEO signs
404 → Controls established
407 → Expert present
Audit committee
Responsible for the oversight of the financial reporting process. For the companies that have an internal audit function, the internal auditors should report directly to them. Also responsible for hiring independent external auditors.
CSR
In addition to generating a profit for shareholders, BOD often encourage good ______ activities that address the needs of other corporate stakeholders.
Top management
Has a strong influence on the culture and philosophy of a company, which impacts the effectiveness of internal controls.