ACC 377 - Chapter 3: Risk Management & Internal Controls

71 Terms

1

What is the most common type of risk response? Describe it.

Risk mitigation, which involves applying internal controls to business processes.

  • Allows companies to create competitive advantage.

  • Still considers, calculates, and reduces risk.

2

Internal Control

A process that specifically mitigates risk to the company’s financial information.

  • Mitigates the risk of poor-quality information for internal decision-makers & external stakeholders.

  • Critical management responsibility for AIS.

3

What do internal controls provide for a company?

Internal controls provide reasonable assurance that there is an acceptable level of risk.

  • Involves human judgment - can be fallible.

  • Must compare actual vs. target residual to determine if further mitigation is needed.

4

Controls/Control Activities

A mechanism that is part of the internal control process to mitigate risk.

  • Includes rules, policies, and procedures.

  • Provides assurance that risk is at an acceptable level.

  • Differ in function, location, and style.

5

What are the 3 functions of internal controls?

  1. Preventative control.

  2. Detective control.

  3. Corrective control.

6

Preventative Control

A type of internal control that prevents problems from happening.

  • The most common control used.

  • Prohibits and deters a risk outcome before it occurs.

  • Physical control.

7

What are examples of preventative controls?

  1. Firewall 🡲 prevents unauthorized access to company network.

  2. Policy & procedure documentation 🡲 most common preventative control.

  3. Segregation of duties 🡲 different employees authorize, record, and have custody of assets.

  4. Doors, locks, walls.
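As an added example (not from the course material), here is what the segregation-of-duties control looks like when it is enforced in software rather than only by policy: a cash-disbursement workflow in which no single employee can authorize, record, and take custody of the same payment. The Disbursement model, the three duty names, the vendor and the employee IDs are assumptions for illustration. The control is preventative because the incompatible assignment is refused before the cash is released.

```python
# Added example (not from the course material): a preventative control that
# enforces segregation of duties in a cash-disbursement workflow. The
# Disbursement model, duty names and employee IDs are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Duty(Enum):
    AUTHORIZE = "authorize"  # approve the payment
    RECORD = "record"        # post the journal entry
    CUSTODY = "custody"      # release the cash


class ControlViolation(Exception):
    """Raised before the risky action happens, which is what makes this
    a preventative rather than a detective control."""


@dataclass
class Disbursement:
    vendor: str
    amount: float
    actors: dict = field(default_factory=dict)  # Duty -> employee id
    released: bool = False


def assign_duty(tx, duty, employee):
    """Assign an employee to one duty, refusing any assignment that would
    combine two incompatible duties (authorize / record / custody) in the
    same person. The check runs before the assignment is stored."""
    for other_duty, holder in tx.actors.items():
        if other_duty is not duty and holder == employee:
            raise ControlViolation(
                f"{employee} already holds '{other_duty.value}' on this "
                f"disbursement and may not also '{duty.value}'"
            )
    tx.actors[duty] = employee
    return tx


def release_payment(tx):
    """Custody step: cash leaves only after all three duties are held, and
    by three distinct employees (re-checked here as defence in depth)."""
    missing = [d.value for d in Duty if d not in tx.actors]
    if missing:
        raise ControlViolation(f"disbursement not complete: missing {missing}")
    if len(set(tx.actors.values())) != len(Duty):
        raise ControlViolation("segregation of duties violated")
    tx.released = True
    return tx


def try_release(tx, assignments):
    """Apply (duty, employee) assignments in order and attempt release.
    Returns (released, reason) so the outcome can be inspected or logged."""
    try:
        for duty, employee in assignments:
            assign_duty(tx, duty, employee)
        release_payment(tx)
        return True, "released"
    except ControlViolation as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed scenarios: three separate employees, then one employee
    # trying to both authorize and record the same payment.
    print(try_release(Disbursement("Acme Supplies", 4_200.00),
                      [(Duty.AUTHORIZE, "E101"), (Duty.RECORD, "E102"),
                       (Duty.CUSTODY, "E103")]))
    print(try_release(Disbursement("Acme Supplies", 4_200.00),
                      [(Duty.AUTHORIZE, "E101"), (Duty.RECORD, "E101")]))
```

The second scenario is refused at the moment the conflicting duty is assigned, so the payment never reaches the custody step; a detective control would instead find the conflict afterwards in the transaction log.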

8

Detective Control

A type of internal control that alerts management to an issue when it has occurred.

  • Monitors business processes to…

    • Identify fraud risk.

    • Check quality.

    • Verify legal compliance.

  • Identifies risk during/after a risk outcome occurs.

  • Technological control.

9

What are examples of detective controls?

  1. Reconciling cash with sales receipts 🡲 discourages employee theft.

  2. Physical inventory count 🡲 detects irregularities from errors or fraud.

  3. Security cameras, trip sensors, motion sensors.

10

Corrective Control

A type of internal control that changes undesirable outcomes if preventative or detective controls fail.

  • Used when other controls are not cost-effective.

  • Remedies the outcome after a risk has occurred.

  • Reaction control.

11

What are examples of corrective controls?

  1. Disciplinary action.

  2. Software patches.

  3. Policy updates.

  4. Call police, chase the culprits, recover stolen assets.

12

What are the weaknesses to internal controls?

  1. Management override.

  2. Collusion.

13

Management Override

A weakness of internal controls that occurs when control activities do NOT work because management fails to follow, or deliberately bypasses, policies or procedures.

14

Collusion

A weakness of internal control where a secret agreement is made to deceive others.

  • 2 or more people work together to circumvent controls.

15

Time-Based Model of Controls

A measure of the residual risk from technology attacks that compares the 3 control functions as times: P = how long preventative controls hold off an attacker, D = how long detective controls take to discover the attack, C = how long corrective controls take to respond.

  • Effective controls = P > (D + C), i.e. the attack is detected and stopped before prevention is breached.

  • Difficult to derive accurate measurements for P, D, and C - it is a conceptual model, NOT a precise mathematical formula.

16

Physical Control

A tangible control that governs individuals and their activities, including how they will respond if a disruptive event occurs.

17

IT-General Control (ITGC)

A location of controls that applies to the entire operation of a system and its environment.

  • Target specific risk statements that define a unique technology risk.

  • Includes all corporate applications 🡲 e.g. email, passwords, web browsers, time-keeping software, servers, etc.

18

What are the key features of IT-general controls (ITGCs)?

  1. Systems security 🡲 targets the risk of unauthorized users, including external attackers, accessing or altering company data.

  2. Data backups 🡲 all servers are backed up to secondary equipment, stored in a different location, and can be restored online.

  3. Duplicate environment 🡲 all changes are made and tested in a separate copy of the software before they reach the live system.

19

Application

Software that captures & records accounting business events.

  • Includes an AIS.

20

Application Control

A control that only applies to a specific application, including all business processes and accounts linked to it.

  • When the application is an AIS, application controls are transaction controls 🡲 they relate only to accounting transactions.

21

Manual Control

A type of control implementation that is executed by people or physical interactions.

  • Used when human judgement or physical interaction is required.

  • Prone to human error or intentional manipulation - increases risk!

  • Unavoidable for physical inventory counts or document review.

Is often the focus of audit assessments.

22

Automated Controls

A type of control implementation that uses technology to implement control activities and requires NO human intervention.

  • NOT prone to human error or override during execution 🡲 more reliable and consistent; the control logic itself must still be configured correctly and tested in a duplicate environment before changes go live.

  • Includes embedded IT controls and robotics.

  • May be unfeasible based on company size, overhead, & budget.

23

What is the difference between manual control and physical control?

  • Manual control is executed by people or physical interaction.

  • Physical control is mitigating risk caused by the actions of people.

24

What is the difference between manual control and automated control?

  • Manual control provides insight and nuance using humans.

  • Automated controls apply the same control logic consistently every time using computers.

25

Continuous Monitoring

A data analytics technology that internal auditors use to create detective controls with rules-based programming to monitor business data for risks.

  • Monitors KPIs or detects red flags for fraud 🡲 confirms the process is working properly.

  • Uses data stored in AIS.
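As an added example (not from the course material), the following rules-based monitoring script shows the kind of detective control that continuous monitoring produces over AIS data: it scans a constructed disbursement log for red flags (the same person preparing and approving an entry, a vendor invoice paid twice, payments split just under an approval limit, postings outside business hours) and reports which transactions need investigation. The record layout, the approval limit, the business-hours window and the sample transactions are assumptions.

```python
# Added example (not from the course material): rules-based continuous
# monitoring over an AIS disbursement log. The record layout, the rule
# thresholds and the sample transactions are constructed for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed sample of AIS disbursement records (not real data).
TRANSACTIONS = [
    {"id": "T1", "vendor": "V-10", "invoice": "INV-501", "amount": 9800.0,
     "prepared_by": "E101", "approved_by": "E202", "posted": "2024-03-04T10:12:00"},
    {"id": "T2", "vendor": "V-10", "invoice": "INV-502", "amount": 9900.0,
     "prepared_by": "E101", "approved_by": "E202", "posted": "2024-03-04T10:15:00"},
    {"id": "T3", "vendor": "V-10", "invoice": "INV-503", "amount": 9700.0,
     "prepared_by": "E101", "approved_by": "E202", "posted": "2024-03-04T10:19:00"},
    {"id": "T4", "vendor": "V-22", "invoice": "INV-077", "amount": 1500.0,
     "prepared_by": "E105", "approved_by": "E105", "posted": "2024-03-05T02:40:00"},
    {"id": "T5", "vendor": "V-22", "invoice": "INV-077", "amount": 1500.0,
     "prepared_by": "E105", "approved_by": "E202", "posted": "2024-03-06T09:05:00"},
    {"id": "T6", "vendor": "V-31", "invoice": "INV-900", "amount": 250.0,
     "prepared_by": "E107", "approved_by": "E202", "posted": "2024-03-06T11:30:00"},
]

APPROVAL_LIMIT = 10_000.0   # assumed: a second signature is required at or above this
BUSINESS_HOURS = (7, 19)    # assumed: postings outside 07:00-19:00 are unusual


def rule_same_preparer_and_approver(txs):
    """Segregation-of-duties red flag: one person both recorded and authorized."""
    return [(t["id"], "preparer == approver") for t in txs
            if t["prepared_by"] == t["approved_by"]]


def rule_duplicate_invoice(txs):
    """Same vendor + invoice number paid more than once (second and later copies flagged)."""
    seen = defaultdict(list)
    for t in txs:
        seen[(t["vendor"], t["invoice"])].append(t["id"])
    return [(tid, "duplicate invoice") for ids in seen.values()
            if len(ids) > 1 for tid in ids[1:]]


def rule_split_below_limit(txs, limit=APPROVAL_LIMIT, window_minutes=60):
    """Several payments to one vendor just under the approval limit within a
    short window: a common pattern for evading the authorization control."""
    flags = []
    by_vendor = defaultdict(list)
    for t in txs:
        if 0.9 * limit <= t["amount"] < limit:
            by_vendor[t["vendor"]].append(t)
    for group in by_vendor.values():
        group.sort(key=lambda t: t["posted"])
        for a, b in zip(group, group[1:]):
            gap = datetime.fromisoformat(b["posted"]) - datetime.fromisoformat(a["posted"])
            if gap.total_seconds() <= window_minutes * 60:
                flags.append((b["id"], f"split under limit with {a['id']}"))
    return flags


def rule_off_hours(txs, hours=BUSINESS_HOURS):
    """Posting outside business hours."""
    start, end = hours
    return [(t["id"], "posted outside business hours") for t in txs
            if not start <= datetime.fromisoformat(t["posted"]).hour < end]


def run_monitoring(txs):
    """Apply every rule and return {transaction_id: [reasons]}; an empty dict
    is the 'process is working properly' result."""
    report = defaultdict(list)
    for rule in (rule_same_preparer_and_approver, rule_duplicate_invoice,
                 rule_split_below_limit, rule_off_hours):
        for tid, reason in rule(txs):
            report[tid].append(reason)
    return dict(report)


if __name__ == "__main__":
    for tid, reasons in sorted(run_monitoring(TRANSACTIONS).items()):
        print(tid, "->", "; ".join(reasons))
```

An empty report is the "process working properly" outcome; a non-empty one is the alert to management. These rules only flag; what happens next (reversing the entry, disciplinary action, updating the policy) is the corrective control.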

26

Proactive Approach

A type of risk approach that identifies and eliminates potential problems before they occur.

  • Used by automated controls.

27

Reactive Approach

A type of risk approach that identifies and eliminates potential problems after they occur.

28

What are 3 types of entities that can perform risk assessments?

  1. Business operations 🡲 1st line of defense.

  2. Risk management & compliance 🡲 2nd line of defense.

  3. Internal audit 🡲 3rd line of defense.

29

What is the 1st line of defense to assess internal controls?

Management has ownership and responsibility to enforce mitigation measures (prevent, detect, correct) and prevent identified risks.

  • Financial/tax accountants.

  • System analysts.

  • Other accounting professionals, except audit/compliance officers.

*Reports only to executive management.

30

What is the 2nd line of defense to assess internal controls?

ERM team (management) identifies and assesses organizational risks to aid the 1st line of defense.

  • Accounting compliance officers.

Ensures that controls address risk and monitors them for compliance.

*Reports only to executive management.

31

What is the 3rd line of defense to assess internal controls?

Internal audit tests internal controls to provide assurance of their effectiveness.

  • Functions independently of management and of the business processes it tests.

*Reports to executive management AND board of directors.

32

Maturity Model

A model that shows how far along a company is in its journey to reach the ideal state.

  • Compares current state to a predetermined set of best practices.

  • Provides a plan for continuous improvement.

33

What are the 4 phases of the Maturity Model?

  1. Limited.

  2. Informal.

  3. Defined.

  4. Optimized.

34

Limited Phase

The first phase of the maturity model where business processes are poorly defined and employees use multiple ways to achieve the same outcome.

  • Supervisors and managers make their own decisions on controls.

  • Reactive 🡲 only addresses issues as they occur.

  • Relies on key individuals for team responsibilities.

35

Informal Phase

The second phase of the maturity model where some business processes are defined but maturity is still informal.

  • Still has informal documentation and inconsistencies.

  • Relies on key individuals.

  • More defined but lacks company-wide oversight and implementation.

36

Defined Phase

The third phase of the maturity model where policies, procedures, and controls are formally documented.

  • Has a consistent environment.

  • NO key individuals are required.

  • Has automated controls for more protection against errors.

*Often the final stage achieved due to limited resources.

37

Optimized Phase

The fourth phase of the maturity model where risk management & controls are implemented at a business-wide level.

  • The “gold standard” of maturity.

  • Leadership has top-down approach.

  • Proactive 🡲 addresses issues before they occur.

Can focus on innovative projects and strategic support for internal audit.

38

Internal Audit

An independent function in a company that tests internal controls to provide assurance of their effectiveness.

  • Adds value to a business by providing assurance, insight, and objectivity.

39

Independence

The auditor is removed from the business process and has no influence over the outcome of business processes.

40

Assurance

The auditor ensures that the organization is operating in accordance with management plans.

41

Insight

The auditor discovers improvements for policies, procedures, controls, and risk management.

42

Objectivity

The auditor assesses the company from an independent consulting perspective.

43

Audit Committee

A committee that provides objective oversight of a company and has direct communication with the internal audit department.

44

Framework

A published set of specifications and criteria that defines a strategy to achieve certain objectives.

  • Provides a roadmap but does NOT prescribe how it must be implemented.

45

Sarbanes-Oxley Act of 2002 (SOX)

A U.S. federal law that protects investors from fraud by improving the reliability and accuracy of financial statements.

  • Focuses on internal control structure.

  • Mandates audit trails.

  • Shifts responsibility for failed controls directly to management.

  • Provides enhanced efficiency and security.

46

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

An organization committed to fighting corporate fraud by providing guidance to executives and other entities for fraud prevention and response.

  • Helps publicly-traded companies comply with SOX & SEC framework requirement.

47

Internal Control Integrated Framework

A controls-based approach to risk management that is widely accepted as the authoritative guidance on internal controls and SOX compliance.

  • Defines internal control.

  • Gives criteria for developing, implementing, and monitoring internal control systems.

  • Consists of control objectives, related principles, and COSO cube.

48

What are the 3 control objectives?

  1. Operations objectives.

  2. Reporting objectives.

  3. Compliance objectives.

49

Operations Objectives

A type of control objective related to the effectiveness and efficiency of a company’s…

  • Daily functions.

  • Allocation of resources.

  • Operation & financial performance.

  • Prevention of losses.

50

Reporting Objectives

A type of control objective related to the reporting of financial information externally & internally, as well as reporting non-financial information.

  • Relates to useful information that includes relevance, faithful representation, timeliness, and reliability.

51

Compliance Objectives

A type of control objective related to internal control goals for adhering to applicable laws/regulations.

52

Control Components

The parts involved in implementing an effective internal control system.

  • Flows from top to bottom.

  • Helps framework users understand & judge effective control.

53

What are the 5 steps to effectively implement internal controls?

  1. Control environment.

  2. Risk assessment.

  3. Control activities.

  4. Information & communication.

  5. Monitoring.

54

What is the control environment?

The first step in implementing internal controls and the foundational component: it sets the overall tone for integrity and ethics in an organization, including management’s attitude toward ethical behavior.

  • Poor tone at the top = Poor control environment.

  • Relaxed environment = Increase risk for management to override internal control.

55

What is risk assessment?

The second step in implementing internal controls, which requires management to continually identify, categorize, and prioritize risk by observing internal & external risks.

  • Identify potential fraud with risk assessments.

  • Determine impact on the functionality of internal controls.

56

What are control activities?

The third step to implement internal controls which includes the policies & procedures that address risk and support achieving company objectives.

57

What is information & communication?

The fourth step to implement internal controls that consists of internal and external communications.

  • Includes financial reports, policies, and procedures.

58

What is monitoring?

The fifth step to implement internal controls by assessing the controls and determining whether changes must be made.

  • Management monitors business process with detective controls.

59

COSO Cube

A model depiction of how all parts of the Internal Control Integrated Framework are related.

60

Enterprise Risk Management Integrated Framework

A risk-based approach that provides a plan for organizations to manage risk by considering strategic planning, in addition to internal controls.

  • Importance of risk in creating strategies and company performance.

  • Improve risk management by addressing more than just internal control.

61

Enterprise Risk Management Framework

An updated version of the ERM-Integrated Framework that aims to improve risk management beyond internal controls.

  • Embeds risk management throughout organizations.

  • More comprehensive and considers all risks.

  • All functions are applied to all levels of an organization.

62

What are the 5 components of the Enterprise Risk Management Framework?

  1. Governance & culture.

  2. Strategy & objective setting.

  3. Performance.

  4. Review & revision.

  5. Information, communication, & reporting.

63

Governance and Culture

A component of the ERM framework to set the company tone and establish ERM oversight responsibilities.

  • Includes mechanisms that hold an organization and its employees accountable.

  • Governance = Structure & processes designed to direct and control an organization and its operations.

64

Strategy and Objective Setting

A component of the ERM framework that focuses on the strategic planning process.

  • Determines risk appetite.

  • Aligns with business objectives.

65

Performance

A component of the ERM framework that assesses and identifies risks and responses to them at a portfolio-view level.

  • Reports to key stakeholders.

66

Review and Revision

A component of the ERM framework that reviews performance to determine how well an ERM is functioning and identify necessary revisions.

67

Information, Communication, and Reporting

A component of the ERM framework that continually gathers and shares necessary information from both internal and external sources.

68

What are the roles of the board of directors (BOD)?

  1. Make executive decisions on behalf of shareholders.

  2. Acts as a fiduciary.

  3. Set broad organization goals.

  4. Support executive duties.

  5. Ensure adequate resources.

69

What are the roles of management?

  1. Planning, directing, and controlling organization activities.

  2. Pursue objectives set by BOD.

  3. Any task of a CEO (elected by BOD, part of management).

70

What are the components of the COSO Internal Control Framework?

  • Control environment.

  • Risk assessment.

  • Control activities.

  • Information & communication.

  • Monitoring.

71

What are the components of the COSO ERM Framework?

  • Internal environment.

  • Objective setting.

  • Event identification.

  • Risk assessment.

  • Risk response.

  • Control activities.

  • Information & communication.

  • Monitoring.