Introduction to Internal Control:

Internal Control - read this chapter; it helps better explain the information being presented.
A process designed to provide reasonable assurance regarding the achievement of:
  • Effectiveness and efficiency of operations - an entity's basic business objectives, including performance and profitability goals and safeguarding of resources
  • Reliability of financial reporting - the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly
  • Compliance with applicable laws and regulations - complying with those laws and regulations to which the entity is subject.
Internal controls are generally designed by management, the board of directors, or other executives to provide reasonable assurance that errors or fraud do not adversely affect the company in operations, financial reporting, or compliance. The three types of controls are preventive, detective, and corrective. Preventive controls try to keep fraud or errors from occurring. Detective controls try to find fraud or errors that have occurred. Corrective controls fix errors or fraud once they have been found (i.e. they work after the fact).

Internal control consists of five components (Five Interrelated Components of Internal Control):
  • Control environment - A state of control consciousness that reflects the organization's (primarily the board of directors' and management's) general awareness of and commitment to the importance of control throughout the organization (tone at the top).
  • Risk assessment - Risk assessments are performed by the organization after risks are identified, to determine the effect that risks may have on the achievement of objectives. Two factors must be considered: likelihood and impact. Likelihood is the possibility that an event will occur, and impact is the effect of the event's occurrence (identification/analysis of risks). Note that inherent risks exist in the absence of any actions that management might take to reduce the likelihood or impact.
    • An important step in risk assessment is to compare the amount of loss at risk due to an event (likelihood x impact) to the cost of implementing a control to prevent, detect, or correct the event; if the cost of the control is greater than the benefit of avoiding, or just reducing, the risk, the control should not be pursued.
  • Control activities - The sixth ERM component: policies and procedures that help ensure that risk responses are carried out. These controls include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security procedures and segregation of duties.
  • Information and communication - This is the seventh ERM component and argues that pertinent information must be identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. This also requires that appropriate, timely and quality information come from internal & external entities through the company to help manage risk and make decisions. Employees must recognize their role in relation to others and the company.
  • Monitoring - The entirety of ERM is monitored, and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Business Process Control Goals
Since a control, by definition, mitigates risk and aids in the achievement of objectives, the control goal, then, is equivalent to the objective. There are two categories of control goals.

I. Control goals of operations processes (aimed specifically to ensure effective and efficient activities)
  • Effectiveness of operations - a measure to determine if the goals are being met. Is the process achieving its objective?
  • Efficiency in use of resources - measures the productivity of the resources used to achieve a set of goals. Do the costs outweigh the benefits? If the costs outweigh the benefits, the system probably needs to be scrutinized as it is not efficient right now.
  • Security of resources - ensure that all physical resources (assets such as cash) and nonphysical resources (information) are always available when required and are protected from loss, destruction, disclosure, copying, sale, or other misuse.
II. Control goals of information processes (aimed specifically to ensure the reliability of financial reporting)
  • Input validity - input data is approved and represents actual economic events and objects. Did the events and objects actually take place?
  • Input completeness - requires that all valid events or objects be captured and entered into the system. Are all events and objects recorded in the system?
  • Input accuracy - requires that events be correctly captured and entered into the system. Is all the data relating to the events and objects recorded correctly? This is done to find and minimize errors.
  • Update completeness - all events that are entered into the system also must be in the master data. The goal with this is to try and minimize operational and programming errors.
  • Update accuracy - data entered into the system must be reflected correctly in their respective master data.
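As an added illustration (not from the textbook or these notes), the five information-process control goals expressed as reconciliation checks over constructed sample data: the approved source documents, what was keyed into the system, and what reached the master data. Each exception the checker reports maps to exactly one of the goals above.

```python
"""Reconciliation checks for the five information-process control goals.
All data below is constructed for illustration; record ids are hypothetical."""

# Approved source documents: doc id -> (account, amount). These are the
# authorised economic events that *should* be in the system.
APPROVED = {"D1": ("cash", 100), "D2": ("cash", 250), "D3": ("receivables", 75)}

# What was actually keyed into the system (input stage).
ENTERED = {
    "D1": ("cash", 100),
    "D2": ("cash", 205),   # transposition error: 250 keyed as 205
    "D9": ("cash", 999),   # no approved source document behind it
}                          # D3 was approved but never entered

# What reached the master data (update stage), by doc id.
POSTED = {
    "D1": ("cash", 100),
    "D2": ("cash", 502),   # posted incorrectly relative to what was entered
}                          # D9 was entered but never posted


def check_control_goals(approved, entered, posted):
    """Return {control goal: sorted list of doc ids that violate it}."""
    exceptions = {}
    # Input validity: every entered record must trace to an approved document.
    exceptions["input_validity"] = sorted(entered.keys() - approved.keys())
    # Input completeness: every approved document must have been entered.
    exceptions["input_completeness"] = sorted(approved.keys() - entered.keys())
    # Input accuracy: entered fields must match the source document.
    exceptions["input_accuracy"] = sorted(
        d for d in approved.keys() & entered.keys() if approved[d] != entered[d])
    # Update completeness: every entered record must appear in master data.
    exceptions["update_completeness"] = sorted(entered.keys() - posted.keys())
    # Update accuracy: master data must reflect the entered record exactly.
    exceptions["update_accuracy"] = sorted(
        d for d in entered.keys() & posted.keys() if entered[d] != posted[d])
    return exceptions


def reconciles(approved, entered, posted):
    """True only when no control goal has an exception."""
    return not any(check_control_goals(approved, entered, posted).values())


if __name__ == "__main__":
    for goal, ids in check_control_goals(APPROVED, ENTERED, POSTED).items():
        print(f"{goal:<20} exceptions: {ids}")
```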
A Control Hierarchy
  • The Control Environment - Overall policies and procedures that demonstrate an organization's commitment to the importance of control. Overall it enhances the effectiveness of the pervasive and application control plans (Overall Protection).
  • Pervasive Control Plans (Chapter 8) - Control plans that relate to a multitude of goals and processes. Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate (Second Level of Protection).
  • Business Process Control Plans (Chapters 9-14) - Plans that relate those particular controls specific to a business process, such as billing or cash receipts (Third Level of Protection).

Practice the homework and other examples from the back of the chapter; they are important for the test!

The Wall Street Journal article "The Loss Where No One Looked" by David Gauthier-Villars and Carrick Mollenkamp (January 28, 2008, page C1) illustrates some concepts discussed in chapter 7 relating to Enterprise Risk Management. Specifically, it highlights the importance of two of the components of ERM: risk assessment, which looks at the likelihood and impact of risk, and control activities, which examines the policies and procedures that make sure risk responses are carried out.

The article focuses on a low-level trader named Jerome Kerviel who circumvented internal controls and ended up costing Société Générale €4.9 billion ($7.2 billion). He would make trades in futures and place fake balancing trades to make it appear that he was operating within his risk limit (his job was considered minimal risk). Along the way, he would delete the fictitious trades and re-enter them after his books had been checked for the day. In this way he made it appear that his futures contracts were in balance with respect to risk, raising no alarms, while he was actually taking on tremendous un-hedged positions in futures. The article is interesting and relates to our reading because it explains how the company was focused on making sure its risk was minimized on the exotic derivative products it was managing, while a low-risk division it did not consider ended up costing it billions.

SAS No. 94 was issued to provide guidance to auditors concerning the proper assessment of internal control activities in IT systems. The auditing standard states that computer-assisted auditing techniques (CAATs) are needed to test automated controls in certain types of IT environments.

SAS No. 99
1) Requires the auditor to gather information necessary to identify risks of material misstatement.
2) Requires the auditor to use the information gathered to identify risks that may result in a material misstatement.
3) Requires the auditor to evaluate the entity's programs and controls that address the identified risks of material misstatement.
4) Requires the auditor to assess the risks of material misstatement due to fraud throughout the audit and to evaluate, at the completion of the audit, whether the accumulated results of auditing procedures and other observations affect the assessment.

Related Reading

The COSO definition of Internal Controls
SEC interpretive guidance on internal controls (PDF)