
Section E Internal Controls CMA Part 1

Section E Internal Controls


Section E comprises 15% of the CMA Part 1 Exam. Section E is composed of three parts: (1) Governance,
Risk and Compliance; (2) Internal Auditing; and (3) Systems Controls and Security Measures.

Internal control examines all of the controls the company has developed and implemented to help achieve its
objectives. We often think of internal controls as trying to prevent something from going wrong, but they are
really set up to assist the organization in the achievement of its objectives. It is important to be very familiar
with the objectives of internal control.

Other important topics are the major internal control provisions of the Sarbanes-Oxley Act of 2002 in Sections
201, 203, 204, 302, 404, and 407 of the Act and the role of the PCAOB (Public Company Accounting
Oversight Board), which was established by the Sarbanes-Oxley Act.

Two of the main elements of internal control that you need to understand are the segregation of duties and
the elements that make up the components of internal control. It is important to know these topics,
and the other internal control topics, not only from an academic standpoint (definitions and lists, for example)
but also from a practical application standpoint. The answers to the application-related questions can be very
difficult because it may seem that all of the choices are good controls or none of the duties are ones that can
be performed by the same person. However, when you face these questions, do not spend too much time
thinking about any particular one because each has the same value, and therefore there is no benefit to
figuring out a hard question versus answering a simple one. So answer the simple questions first and spend
extra time on the hard ones only if time allows.

There are also a lot of questions from past exams that have covered specific situations relating to internal
control, internal audit, and systems control. These items may not be specifically covered in this textbook
because of the vast scope of potential topics that would need to be covered. Rather, these types of questions
are included in ExamSuccess. You do not need to remember every specific detail from a question, but you will
want to be familiar with the concepts and issues covered in those questions. The best we can advise you to do
is to learn the overall concepts and issues and then apply your best professional judgment to answering
questions about them. You will find the actual exam questions to be different from the practice questions in
your study materials, since the practice questions are previous exam questions. The actual exam questions
are always being updated and changed, so it is not likely that past exam questions will be asked again. For

Statements, as we believe questions asked on an exam today are more likely to be from the current Learning
Outcome Statements than they are likely to duplicate past exam questions.

Most of the internal control concepts covered in Governance, Risk and Compliance are adapted from the
report Internal Control Integrated Framework developed by COSO, the Committee of Sponsoring
Organizations of the Treadway Commission. It is the guide for all internal control systems.

The second part of this section is Internal Auditing. Internal Auditing focuses on the audit function that the
company operates internally, apart from the external audit of the financial statements. The internal audit
function has duties that spread far beyond the financial statements and some of these responsibilities may
not relate directly to finances. For example, the internal audit function may be involved in time or quality
audits.

When studying internal auditing, you need to prepare for this topic mostly on the definitional and conceptual
level. You need to know the characteristics of a successful internal audit function, how internal auditors test
compliance with controls and evaluate the effectiveness of controls, and the broad categories of services that
may be provided by the internal audit function.

The third part within this section is Systems Controls and Security Measures. In this part you will need to
become familiar with the terminology that is involved. Some of this you may be familiar with from work or
experience with computer systems, but it is important that you know the terminology.

186 © 2017 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.

Governance, Risk, and Compliance


The internal controls of a company are an important part of its overall operations. A strong internal control
system will provide many benefits to a company including:

Lower external audit costs.

Better control over the assets of the company.

Reliable information for use in decision-making.

A company with weak internal controls is putting itself at risk for employee theft, loss of control over the
information relating to operations, and other inefficiencies in operations and decision-making that can
damage its business.

Corporate Governance
Good corporate governance is basic to internal control.
section. What is corporate governance, why is it important, and how is it related to risk assessment, internal
control and risk management?

What is Corporate Governance?


Corporate governance includes all of the means by which businesses are directed and controlled, including the
rules, regulations, processes, customs, policies, procedures, institutions and laws that affect the way the
business is administered. Corporate governance spells out the rules and procedures to be followed in making
decisions for the corporation. Corporate governance is the joint responsibility of the board of directors and
management.

Corporate governance also involves the relationships among the various participants and stakeholders in the
corporation, such as the board of directors, the shareholders, the Chief Executive Officer (CEO), and the
managers.

Corporate governance is very concerned with the agency problem, which arises from the fact that the owners
of the corporation (the shareholders) and the managers of the corporation (the
agents of the shareholders) are different people. The priorities and concerns of the managers are different
from the priorities and concerns of the shareholders. The managers are concerned with what will benefit them

seeing the value of their investment in the corporation increase. The priorities of the shareholders and the
priorities of the managers can easily be in conflict with one another, because what benefits the managers may
not benefit the owners.

Therefore, corporate governance specifies the distribution of rights and responsibilities among the
various parties with conflicting priorities and concerns in an effort to mitigate the agency problem and bring
about congruence between the goals of the shareholders and the goals of the agents. Incentives are needed
so the agents will take actions that are consistent with shareholder benefit. At the same time, however,
monitoring mechanisms are needed to control any activities of the agents that would benefit them while
hurting the shareholders.

to actions on the part of management that will cause the stock price to increase and will thus be good for all
shareholders. However, if management tries to conceal poor financial performance in an effort to keep the
stock price going up so their own bonuses remain intact, those same incentives can lead to fraudulent
financial reporting. Prevention of unintended consequences such as fraudulent financial reporting is the
responsibility of the board of directors and should be implemented through internal controls.


Why is Corporate Governance Important?


Corporate governance has always been an important topic for shareholders, management and the board of
directors. However, the topic took on greater importance following the dramatic downfalls of companies such
as Enron, WorldCom, Adelphia and others back in 2001-02. More recently, the world financial crisis that
began in 2008 raised again the issue of good corporate governance. AIG (American International Group) went
from being the 18th largest public company in the world in 2008 to needing an $85 billion U.S. government
bailout. The Lehman Bros. bankruptcy in September 2008 was the largest bankruptcy in U.S. history. The
lesson from this is that good governance is not just a U.S. issue but it is a global issue.

Good governance is not just a good idea for a company; it is an absolute must. Considering just Enron, more
than $60 billion of shareholder wea good
corporate governance is not only important for company shareholders but it is vital for the general health and
well being

Corporate governance does not exist as a set of distinct and separate processes and structures. It is

How is Corporate Governance Related to Risk Assessment, Internal Control and Risk Management?
We said that corporate governance specifies the distribution of rights and responsibilities among the various
participants in the corporation.

The board of directors and executive management are responsible for developing and implementing
business strategies.

In setting business strategies, the board and executive management must consider risk.

In order to consider risk, the company must have an effective process for identifying, assessing and
managing risk.

In order to have an effective risk management process, the company must have an effective internal
control system, because an effective internal control system is necessary in order to communicate
and manage risk.

Therefore, governance, risk management and internal control all rely on each other.

The internal audit


has an important role in the governance function of the organization.

I reporting, the

regulations. According to IIA (Institute of Internal Auditors) Internal Auditing Standard 2110, this includes
assessing and making appropriate recommendations for improving the governance process in its
accomplishment of the following objectives:

Promoting appropriate ethics and values within the organization.

Ensuring effective organizational performance, management and accountability.

Communicating risk and control information to appropriate areas of the organization.

Coordinating the activities of and communicating information among the board, external and internal
auditors, and management.

Principles of Good Governance


A set of governance principles, called 21st Century Governance Principles for U.S. Public Companies, was
published in 2007 by a group of leading academic experts from four universities. The principles were
developed by Paul D. Lapides, Joseph V. Carcello, Dana R. Hermanson and James G. Tompkins of Kennesaw
State University; Mark S. Beasley of North Carolina State University, F. Todd DeZoort of The University of


Alabama; and Terry L. Neal of University of Tennessee. The authors stated that the purpose of the principles

statement user interests.

The principles are (some explanatory footnotes have been added by HOCK):

1) Board Purpose The board of directors should understand that its purpose is to promote and
external and internal stakeholders (e.g. creditors, employees, etc.).

2) Board Responsibilities or areas of responsibility should be monitoring the CEO

and other senior executives and processes for managing the
enterprise, including succession planning; and monitoring risks and internal controls,
including the ethical tone.20 Directors should employ healthy skepticism21 in meeting these
responsibilities.

3) Interaction Sound governance requires effective interaction among the board, management, the
external auditor, the internal auditor, and legal counsel.

4) Independence professional or personal ties to

the corporation or its management other than service as a director. Independent directors must be
able and willing to be objective in their judgments. The vast majority of the directors should be
independent in both fact and appearance.

5) Expertise and Integrity The directors should possess relevant business, industry, company, and
governance expertise. The directors should reflect a mix of backgrounds and perspectives and have
unblemished records of integrity. All directors should receive detailed orientation and continuing
education to assure they achieve and maintain the necessary level of expertise.

6) Leadership The roles of Board Chair and CEO should be separate.22 If the roles are not separate,
then the independent directors should appoint an independent lead director. The lead director and
committee chairs should provide leadership for agenda setting, meetings, and executive sessions.

7) Committees The audit, compensation and governance committees of the board should have
charters, authorized by the board, which outline how each will be organized, their duties and
responsibilities, and how they report to the board. Each of these committees should be composed of
independent directors only, and each committee should have access to independent outside advisors
who report directly to the committee.

8) Meetings and Information The board and its committees should meet frequently for extended
periods of time and should have unrestricted access to the information and personnel they need to
perform their duties. The independent directors and each of the committees should meet in
executive session on a regular basis.

9) Internal Audit All public companies should maintain an effective, full-time internal audit function
that reports directly to the audit committee. Companies also should consider providing an internal

20
Companies need to make sure that inappropriate and unethical behavior is not tolerated. A culture of integrity is

board of directors, the audit committee, and the CEO.


21
s having an attitude of doubt but not carrying it so far as to suspect wrongdoing everywhere.
It means asking questions, gathering information, and making your own decision. In this context, it means directors should
not just accept without question the in
-to-
day basis and that makes their job more difficult than if they were on site. However, they can talk to people within the
organization at all levels and ask questions, and they should do that. They should not just assume that what they are being
told is true or is the whole truth.
22
Not too long ago, the CEO frequently served also as Chairman of the Board, and the dual role was not questioned.

because that creates a conflict of interest. The CEO would be leading the body that would be monitoring the CEO.


audit report to external stakeholders to describe the internal audit function, including its
composition, responsibilities, and activities.

10) Compensation The compensation committee and full board should carefully consider the
compensation amount and mix (e.g., short-term vs. long-term, cash vs. equity) for executives and directors.
The compensation committee should evaluate the incentives and risks associated with a heavy
emphasis on short-term performance-based incentive compensation for executives and directors.

11) Disclosure Proxy statements23 and other communications (required filings and press releases)
should reflect board and corporate activities and transactions in a transparent and timely manner
(e.g., financial performance, mergers and acquisitions, executive compensation, director
compensation, insider trades, related-party transactions). Companies with anti-takeover provisions should
disclose why such provisions are in the best interests of their shareholders.

12) Proxy Access The board should have a process for shareholders to nominate director candidates,
including access to the proxy statement for long-term shareholders with significant ownership
stakes.

13) Evaluation The board should have procedures in place to evaluate on an annual basis the CEO,
the board committees, the board as a whole, and individual directors. The evaluation process should
be a catalyst for change in the best interests of the shareholders.

Hierarchy of Corporate Governance


Corporate governance includes all of the means by which businesses are directed and controlled. It spells out
the rules and procedures to be followed in making decisions for the corporation.

Formation, Charter, and Bylaws


U.S. corporations are formed under authority of state statutes. Application for a charter must be made to
the proper authorities of a state in order to form a corporation. A business usually incorporates in the state
where it intends to transact business but it may be formed in one state, while at the same time have its
principal place of business or conduct its business operations in another state or states. A company that
wants to have its principal place of business located in a different state from its incorporation files with the

The corporation will owe state income tax, state franchise tax, state sales taxes and any other state taxes
imposed on businesses not only to the state where it is incorporated, but also to every state where it is
licensed as a foreign corporation.

Although the means of organizing a corporation may vary from state to state to some extent, each state
usually requires that articles of incorporation (the charter) be filed with the secretary of state or another
designated official within that state.

The charter (Articles of Incorporation or Certificate of Incorporation) details the following:

The name of the corporation. In many states, the corporate name must contain the word
corporation, incorporated, company, limited, or an abbreviation thereof. A corporate name cannot be the
same as, or deceptively similar to, the name of any other domestic corporation or any other foreign
corporation authorized to do business within the state.

s usually perpetual (meaning forever).

Its purpose and the nature of its business.

23
A proxy statement is a document containing the information that a company is required by the SEC to
provide to shareholders so they can make informed decisions about matters that will be brought up at an
annual stockholder meeting.


The authorized number of shares of capital stock that can be issued with a description of the
various classes of such stock.

Provision for amending the articles of incorporation.

Whether existing shareholders have the first right to buy new shares.

The names and addresses of the incorporators, whose powers terminate upon filing.

The names and addresses of the members of the initial board of directors, whose powers commence
(begin) upon filing.

other notices.

The persons who sign the articles of incorporation are called the incorporators
with the filing of the articles of incorporation, and the initial board of directors, named in the articles of
incorporation, takes over.

State laws typically require that incorporators be natural persons (citizens of the U.S.), and over the age
of 18. State laws vary as to the number of incorporators required, but in most states, only one incorporator
is required.

Note: A corporation, being itself a legal entity, may act as an incorporator.

Most states provide standardized forms for articles of incorporation. A corporation can use the standardized
form or file another form as long as it complies with state requirements. The articles of incorporation are filed
with the designated state official for such filings, ordinarily the secretary of state. A corporation is usually
recognized as a legal entity as soon as the articles of incorporation are filed or when the
certificate of incorporation is issued by the state. However, some states may also require additional
filings in some counties before the corporation is recognized as a legal entity.

After the articles of incorporation have been filed and the certificate of incorporation has been issued by the
state, the following steps must be carried out by the new corporation:

1) The incorporators elect the directors if they are not named in the articles,

2) The incorporators resign,

3) The directors meet to complete the organizational structure. At this meeting they:

a. Adopt bylaws for internal management of the corporation. The bylaws specify:

o The requirements for annual meetings of shareholders;

o
stitutes a majority vote on the part of shareholders;

o How directors are to be elected by the shareholders, the number of directors and the length
of their terms, specifications for meetings of the board of directors and for what constitutes a
quorum at a board meeting;

o How officers are to be elected by the board of directors, officer positions and the
responsibilities of each officer position;

o How the shares of the corporation shall be represented (for example, by certificates) and how
shares shall be issued and transferred;

o Specifications for payments of dividends; and


o How the bylaws can be amended. The directors ordinarily have the power to enact, amend or
repeal bylaws, but this authority may be reserved to the shareholders. Bylaws must conform
to all state laws and specifications in the articles of incorporation.

Note: Employees are not legally bound by the bylaws unless they have reason to be familiar with
them.

b. Elect officers.

c. Authorize establishment of the corporate bank account, designate the bank, and designate by
name the persons who are authorized to sign checks on the account.

d. Consider for ratification any contracts entered into before incorporation.

e.

f. Accept or reject stock subscriptions.

g. Comply with any requirements for doing business in other states. For example, if a corporation
files with another state as a foreign corporation located in that state, it will need to have a
registered agent in that state.

h. Adopt a corporate seal to be used for corporate documents for which a seal is required.

i. Consider any other business as necessary for carrying on the business purpose of the
corporation.

Amending the Articles of Incorporation


Most state corporation laws permit amendment of the articles. An example of an amendment might be an
increase in the number of authorized common shares of stock.

Any amendment to the articles of incorporation must be something that could have been included in the
original articles of incorporation. This means that an amendment is not allowed for something that the
corporation could not legally do.

The board of directors usually adopts a resolution containing the proposed amendment, and then this
resolution must be approved by a majority of the voting shares. After shareholder approval, the articles of
amendment are filed with the state authorities. The amendments become effective only upon the issuance
of a certificate of amendment.

agent, changing the registered agent can usually be done by the board of directors without the need for
shareholder approval.

Responsibilities of the Board of Directors


The board of directors of a company is responsible for ensuring that the company is operated in
the best interest of the shareholders, who are the owners of the company.

is to provide governance, guidance and oversight to the management of the company. The board has the
following specific responsibilities:

Selecting and overseeing management. The board of directors elects the officers of the company and
the board of directors is responsible for overseeing the activities of the officers they elect.
ement, the board determines what it expects from management in terms of integrity and ethics and
it confirms its expectations in its oversight activities.


The board has authority in key decisions and plays a role in top-level strategic objective-setting and
strategic planning.

control activities.

commit the time required to fulfill their board responsibilities, even though they may be outside,
independent directors.
Board members should investigate any issues they consider important. They must be willing to ask
vities. They must have access to the
necessary resources to do this and must have unrestricted communications with all company personnel
including the internal auditors
sel.
Because boar
is important that the board have members who are independent of the company. An independent
director has no material relationship with the company. In other words, an independent director is not
an officer or employee of the company and thus is not active in the day-to-day management of the
company. Boards of companies that are listed on secondary securities markets such as the New York
Stock Exchange are required to consist of a majority of independent directors.

Most boards of directors carry out their duties through committees. Committees of the board of directors are
made up of selected board members and are smaller, working groups of directors that are tasked with specific
oversight responsibilities. One of the committees whose membership is prescribed by SEC regulations is the
audit committee. Other usual committees are compensation, finance, nominating and employee benefits. All
of the committees of the board of dir
their members can bring specific internal control guidance in their specific areas of responsibility.

Audit Committee Requirements, Responsibilities and Authority


The responsibilities of the audit committee are particularly critical. The requirements for serving on an audit
committee of a publicly-held company have been formalized in law and regulations, first by the Sarbanes-
Oxley Act of 2002 and then, as directed by Sarbanes-Oxley, in SEC regulations. Secondary securities markets
also include audit committee requirements in their listing regulations.

According to the New York Stock Exchange, the audit committee of the board of directors of a corporation
ction of management, independent auditors, internal auditors and the board of
directors. The audit committee of the board of directors is made up of members of the board of directors
who are charged with overseeing the audit function of the corporation. The audit committee members' audit
committee responsibilities are in addition to their responsibilities as members of the larger board.

The SEC first recommended that boards of directors of corporations have audit committees in 1972. Within
short order, stock exchanges began requiring or at least recommending that listed companies have audit
committees. The responsibilities of audit committees have been increased over the years.

In 1987, the Treadway Commission made six recommendations for audit committees in their study aimed at
identifying the causes of fraudulent financial reporting and making recommendations to reduce its incidence.

In 1998, the New York Stock Exchange and the National Association of Securities Dealers sponsored a
committee called the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees

the Blue Ribbon Committee, published in 1999, made ten recommendations for improving the effectiveness of
audit committees and provided five guiding principles for audit committees to follow in developing policies for

of the New York Stock Exchange, the American Stock Exchange, and the NASDAQ, and the SEC adopted new


rules requiring disclosure about the functioning, governance, and independence of corporate audit
committees.

The Sarbanes-Oxley Act of 2002 increased audit


increased the qualifications required for members of audit committees, and it increased the authority of audit
committees. In response to the Sarbanes-Oxley Act, the stock exchanges and the SEC developed new rules
and regulations for the purpose of strengthening audit committees.

Under Section 3(a)(58) of the Exchange Act, as added by Section 205 of the Sarbanes-Oxley Act, the audit
committee is defined as:

A committee (or equivalent body) established by and amongst the board of directors of an issuer for
the purpose of overseeing the accounting and financial reporting processes of the issuer and audits
of the financial statements of the issuer; and

If no such committee exists with respect to an issuer, the entire board of directors of the issuer.

have a separately designated audit committee composed of members of its board or, if it fails to form a
separate committee or if it chooses, the entire board of directors will constitute the audit committee.

Thus, the
of directors are highly regulated. The requirements for, responsibilities of and authority of the audit
committee are as follows.

Requirements for Audit Committee and Audit Committee Members


1) The audit committee is to consist of at least three members. This is a listing requirement of the New
York Stock Exchange and other stock exchanges. The Sarbanes-Oxley Act and the SEC do not
prescribe a minimum number of members for the audit committee but do state that if the corporation
does not form an audit committee, the entire board of directors will be responsible for the audit
committee function.

2) All members of the audit committee must be independent per Section 10A 3(b)(3) of the Securities
In order to be considered to be independent . . . a member of an audit committee of an issuer may not,
other than in his or her capacity as a member of the audit committee, the board of directors, or any
other board committee-- (i) accept any consulting, advisory, or other compensatory fee from the
issuer; or (ii) be an affiliated person of the issuer or any subsidiary thereof. In other words, the
members of the audit committee may not be employed by the company in any capacity.

3) In addition, the New York Stock Exchange requires a five- -


ployees of the listed company, or of its independent auditor, before they can serve on the audit
committee of a listed company.

4) One member of the committee must have accounting or financial management expertise. This
is a requirement made by stock exchanges. The Sarbanes-Oxley Act requires that if the audit
committee does not include a financial expert, this fact must be disclosed.

5) All members of the audit committee must be financially literate at the time of their appointment or
must become financially literate within a reasonable period of time after their appointment to the
audit committee. This is a listing requirement of the New York Stock Exchange and other stock
exchanges.


Responsibilities of the Audit Committee


1) The audit committee is responsible for selecting and nominating the external auditor, approving
audit fees, supervising the external auditor, overseeing auditor qualifications and independence,
discussing with the auditors matters required under generally accepted auditing standards, and
reviewing the audit scope, plan and results. Rule 10A 3(b)(2) of the Securities Exchange Act of 1934
(15 U.S.C. 78f) sets forth the following as The audit
committee of each issuer, in its capacity as a committee of the board of directors, shall be directly
responsible for the appointment, compensation, and oversight of the work of any registered public
accounting firm employed by that issuer (including resolution of disagreements between
management and the auditor regarding financial reporting) for the purpose of preparing or issuing an audit
report or related work, and each such registered public accounting firm shall report directly to the
audit committee.

2) The New York Stock Exchange requires an audit committee charter that states the committee's
purpose, which, at minimum, must be to: (A) assist board oversight of (1) the integrity of the listed
company's financial statements, (2) the listed company's compliance with legal and regulatory
requirements, (3) the independent auditor's qualifications and independence, and (4) the performance
of the listed company's internal audit function and independent auditors; and (B) prepare an audit
committee report as required by the SEC to be included in the listed company's annual proxy statement.

3) The audit committee must establish procedures for (A) the receipt, retention, and treatment of
complaints received by the issuer regarding accounting, internal accounting controls, or auditing
matters; and (B) the confidential, anonymous submission by employees of the issuer of concerns
regarding questionable accounting or auditing matters.24 This is a requirement in the Sarbanes-Oxley
Act.

4) The New York Stock Exchange Listing Manual further specifies that at least annually, the Audit
Committee must obtain and review a report by the independent auditor describing: the firm's internal
quality-control procedures; any material issues raised by the most recent internal quality-control
review, or peer review, of the firm, or by any inquiry or investigation by governmental or professional
authorities, within the preceding five years, respecting one or more independent audits carried out
by the firm, and any steps taken to deal with any such issues; and (to assess the auditor's inde-
er

auditor's qualifications, performance and independence. This evaluation should include the review
and evaluation of the lead partner of the independent auditor. In making its evaluation, the audit
committee should take into account the opinions of management and the listed company's internal
auditors (or other personnel responsible for the internal audit function). In addition to assuring the
regular rotation of the lead audit partner as required by law,25 the audit committee should further
consider whether, in order to assure continuing auditor independence, there should be regular
rotation of the audit firm itself. The audit committee should present its conclusions with respect to the

24
Section 301 of the Sarbanes-Oxley Act mandated that Audit Committees of public companies establish a system for
receiving, retaining, and treating whistleblower complaints regarding accounting, internal controls, or auditing matters.
Public companies are required to establish a means for confidential, anonymous submission by employees and others about
concerns they may have regarding questionable accounting and auditing matters. Furthermore, Section 806 of
Sarbanes-Oxley authorizes the U.S. Department of Labor to protect whistleblower complainants against employers who
retaliate and also authorizes the U.S. Department of Justice to criminally charge those responsible for any retaliation.
Section 1107 of the Act makes it a crime for a person to knowingly retaliate against a whistleblower for disclosing truthful
information to a law enforcement officer regarding an alleged federal offense.
25
Per Sarbanes-Oxley Act, Section 203, discussed in detail in this text in the discussion of the Sarbanes-Oxley Act in the
topic Legislative Initiatives About Internal Control.


5) In addition, the New York Stock Exchange specifically requires the following for listed companies:

o The audit committee is to review the annual and quarterly financial statements and the MD&A
(Management Discussion and Analysis) of the company and discuss them with management and
the independent auditors; review earnings press releases and earnings guidance provided to
analysts and rating agencies; and discuss with management the guidelines and policies that govern
the process of risk assessment and risk management.

o The audit committee is to meet periodically and separately with management, with the internal
auditors, and with the independent auditors in order to uncover issues warranting committee attention.

o The audit committee is to review with the independent auditor any audit problems or difficulties,
including any restrictions on the scope of the independent auditor's activities or on access to
requested information, and any significant disagreements with management and management's
response.

o The audit committee is to set clear hiring policies for employees or former employees of the
independent auditors, taking into account the pressures that may exist for auditors, consciously or
subconsciously, when seeking a job with the company they audit.

o The audit committee is to report regularly to the full board of directors to review any issues that
arise with respect to the quality or integrity of the listed company's financial statements, the
company's compliance with legal or regulatory requirements, the performance and independence
of the company's independent auditors, or the performance of the internal audit function.

o And finally, the audit committee is to principles


and financial statement presentations, including any significant changes in the company's selection
or application of accounting principles, and major issues as to the adequacy of the
company's internal controls and any special audit steps adopted in light of material control
deficiencies; (B) analyses prepared by management and/or the independent auditor setting forth
significant financial reporting issues and judgments made in connection with the preparation of
the financial statements, including analyses of the effects of alternative GAAP methods on the
financial statements; (C) the effect of regulatory and accounting initiatives, as well as off-balance
sheet structures, on the financial statements of the listed company; and (D) the type and
presentation of information to be included in earnings press releases (paying particular attention
to any use of "pro forma," or "adjusted" non-GAAP, information), as well as review any financial
information and earnings guidance provided to analysts and rating agencies.

6)
internal control processes, and most audit committees do this. They oversee the internal audit func-
tion and monitor internal control systems for compliance with legal and regulatory requirements.

Authority and Funding of the Audit Committee

The audit committee must have the authority to engage independent counsel and other advisers, as it
determines necessary to carry out

Rule 10A-3 further requires each issuer to provide for appropriate funding, as determined by the audit
committee, in its capacity as a committee of the board of directors, for payment of compensation (A) to
the registered public accounting firm employed by the issuer for the purpose of rendering or issuing an
audit report; and (B) to any advisers employed by the audit committee.

The audit committee has the authority to investigate any matter.


Responsibilities of the Chief Executive Officer (CEO)

and authority can be extensive, or they can be very limited, depending upon how much authority and
responsibility the board of directors delegates to the CEO.

A CEO should not


monitoring the CEO, the CEO should not serve as Chairman of the Board, because that creates a conflict of
interest. The CEO would be leading the body that would be monitoring the CEO.

Election of Directors
The shareholders elect the members of the board of directors. Usually, each share of stock is allowed one
vote, and usually directors are elected by a plurality (whoever gets the most votes is elected, even if it is not
a majority).

The length of the dire


may be longer, such as three years in staggered terms, with one-third of the board members up for election
each year. Staggering the elections provides for continuity on the board, as there are always some
returning board members.

Note: Power for the board to increase its size without shareholder approval can be reserved in the articles
of incorporation or the bylaws of the corporation.


Internal Control
Who Cares About Internal Control?
Ever since commercial organizations, nonprofit organizations and governments have existed, their leaders
have recognized the need to exercise control in order to ensure that their objectives were achieved. Today,
however, the leaders of an organization are not the only ones who care about its internal control policies and
procedures.

For a public company, information on the effectiveness of its internal control system is important to
investors
as well as the reliability of its financial statements.

External auditors recognize that an audit of a company with effective internal controls can be
performed more efficiently.

The potential for U.S. corporations to make illegal payments to foreign governments is of concern to
legislative and regulatory bodies and is addressed through internal control policies and procedures.

The development of larger organizations with increased numbers of employees has made it neces-
sary for management to .

Even customers have an indirect interest in internal controls because a strong internal control

Internal Control Definition


According to the COSO publication, Internal Control Integrated Framework,26

Internal control is a process, effected by an entity's board27 of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
relating to operations, reporting, and compliance.

Thus internal control is a process that is carried out (effected) by an entity's board of directors,
management, and other personnel that is designed to provide reasonable assurance that objectives
relating to operations, reporting, and compliance will be achieved.

1) Operations objectives relate to the effectiveness and efficiency of operations, or the extent to
which the company's basic business objectives are being achieved and its resources are being used
effectively and efficiently. Operations objectives include operational and financial performance goals
and safeguarding of assets against loss.

2) Reporting objectives include internal and external financial and non-financial reporting.
Reporting objectives include reliability, timeliness, transparency, or other requirements as set forth
by regulators, recognized sta

3) Compliance objectives relate to compliance with applicable laws and regulations, encompassing all
laws and regulations to which the company is subject.

These three categories of company objectives with which internal control is concerned are very
important to know.

26
Internal Control Integrated Framework, copyright 1992, 1994 and 2013 by the Committee of Sponsoring Organizations
of the Treadway Commission. Used by permission. The Committee of Sponsoring Organizations of the Treadway
Commission includes the following five organizations: American Institute of Certified Public Accountants (AICPA), American
Accounting Association (AAA), Institute of Internal Auditors (IIA), Institute of Management Accountants (IMA), and
Financial Executives International (FEI).
27


The three categories address different needs and they may be the direct responsibilities of different
managers. But every internal control should be directed toward the achievement of objectives in at least one
and possibly more than one of the three categories. The three categories of objectives are distinct, but they
do overlap. Therefore, a specific control objective for a specific company could fall under more than one
category.

Fundamental Concepts
The definition of internal control reflects several fundamental concepts, as follows:

1) The purpose of internal control is to help the company achieve its objectives. The focus is on
achieving objectives. The objectives that internal control applies to fall into the three categories
above: operations, reporting, and compliance.
2) Internal control is an ongoing process. It is not something that can be done once and be completed.
It is a journey, not a destination. It consists of ongoing tasks and activities. It is a means to an end,
not an end in itself.
3) Internal control is effected (accomplished) by people. It is something that must be put into effect by
people; it is not policies and procedures. People are located throughout the organization at every
level, from the members of the board of directors to the staff. Simply writing policy manuals that call
for internal control procedures is not enough. To be effective, people must put the policies and
procedures into effect.
4) Internal control procedures can provide reasonable assurance only not absolute assurance
and not a guarantee to that the compa-
areas. This statement reflects the fundamental
concepts that (1) the cost of an internal control system should not exceed the expected benefits, and
(2) the overall impact of a control procedure should not hinder operating efficiency.

5) Internal control must be flexible

needs to be adaptable to apply to an entire entity or just to a particular subsidiary, division, operating
unit, or business process.

The Importance of Objectives

relating to operations, reporting, and compliance, it stands to reason that internal control cannot operate
effectively unless objectives have been set. Setting objectives is part of the strategic planning process by
management and the board of directors. Objectives should be set with consideration given to laws,
regulations,
objectives.

Who Is Responsible for Internal Control?


Before we get into the details of internal controls, we should start by discussing who is responsible for internal
controls.

The board of directors is responsible for overseeing the internal control system. The board's
oversight responsibilities include providing advice and direction to management, constructively
challenging management, approving policies and major
activities. Consequently, the board of directors is an important element of internal control. The board
and senior management establish the tone for the organization concerning the importance of internal
control and the expected standards of conduct across the entity.

The CEO is ultimately responsible for the internal control system and the tone at the top. The
CEO should provide leadership and direction to the senior managers and review the way they are
controlling the business. This tone (part of the control environment) is discussed in more detail
below.

Senior managers delegate responsibility for establishment of specific internal control policies
and

Financial officers and their staffs are central to the exercise of control, as their activities cut
across as well as up and down the organization. However, all management personnel are involved,

Internal auditors play a monitoring role. They evaluate the effectiveness of the internal controls
established by management, thereby contributing to their ongoing effectiveness.

Virtually all employees are involved in internal control, because all employees produce information
used in the internal control system or carry out other activities that put the internal control systems
into effect. Furthermore, all employees are responsible for letting their managers know if they become
aware of problems in operations or that rules, regulations, or policies are being violated.

External parties provide information that is useful to effective internal control. For example, independent
auditors audit the financial statements and often provide other useful information as well to management
and the board. Other external parties that may provide useful information include legislators, regulators,
customers, financial analysts, bond raters and the news media. However, external parties are not part of the

Note: Internal auditors evaluate the effectiveness of the control systems and contribute to their ongoing
effectiveness, but they do NOT have the primary responsibility for establishing or maintaining the control
systems.

Note:

Components of Internal Control


According to the COSO report, Internal Control Integrated Framework (2013 update), five interrelated
components comprise internal control. If the five components are present and functioning effectively, their

Thus, these components are all necessary for effective internal control to be present. They are:

1) Control Environment

2) Risk Assessment

3) Control Activities

4) Information and Communication

5) Monitoring Activities

Embedded within these five components are 17 principles.

Component 1: Control Environment


The control environment includes the standards, processes, and structures that provide the foundation for
carrying out internal control. The board of directors and senior management are responsible for establishing
the tone at the top, including expected standards of conduct that apply to all employees. Management is
responsible for reinforcing the expectations at all levels of the organization.


It influences the control consciousness of


all the people in the organization and sets the tone for the entire organization. If the control environment
does not include the necessary factors, none of the other components of internal control will be effective.

Organizations with effective control environments have the following characteristics, exemplified by these five
principles:

1) They demonstrate a commitment to integrity and ethical values. They set the tone at
the top as well as formally
ethical values and commitment to integrity.
Every company should establish standards of conduct and formal policies regarding acceptable
business practices, conflicts of interest, and expected standards of behavior. However, these official
statements only state what management wants to have happen. Corporate culture (the tone
at the top) determines what actually does happen. Top management, especially the CEO, sets the
ethical tone by modeling the ethical and behavioral standards that are expected of everyone in the
organization. Leadership by example is the most effective means of communicating that ethical
behavior is expected, because people imitate their leaders.

policies and procedures that are to be followed at all times, without exception, and which result in
shared values and teamwork.
Standards of integrity and ethical values extend to outsourced service providers and business part-
ners, as well. Management retains responsibility for the performance of processes it has delegated to
outsourced providers and business partners.

Processes should be in place to identify issues and evaluate the performance of individuals and
teams against the expected standards of conduct, and deviations need to be addressed in a timely
and consistent manner. The actions taken by management when violations occur send a message to
employees, and that message quickly becomes a part of the corporate culture.
2) The board of directors demonstrates independence from management and exercises
oversight over development and performance of internal control. The board of directors is responsible
for setting corporate policy and for seeing that the company is operated in the best interest of its
owners, the shareholders. The attention and direction provided by the directors are critical.

The board of directors should have a sufficient number of members who are independent from
management (not employed full-time by the company in management positions) to be independent and
objective in its evaluations and decision-making. Independence of the board from management is
critical, so that if necessary, difficult and probing questions will be raised.

Board and audit committee members should hold regular meetings with chief financial and accounting
officers and internal and external auditors. Sufficient and timely information should be provided
to board and audit committee members.

The board of directors has oversight responsibility for internal control, but the Chief Executive Officer
and senior management have direct responsibility for developing and implementing the organiza-

3) With the oversight of the board, management establishes structures, reporting lines, and
appropriate authorities and responsibilities to enable the corporation to pursue its objectives.

The organizational structure should define the key areas of authority and responsibility
and delineate lines for reporting. The organizational structure is key to the organization's ability to
achieve its objectives, because the organizational structure provides the framework for planning,
executing, controlling and monitoring the activities it pursues to achieve its objectives.


The structure should be organized to best carry out the strategies designed to achieve the organization's
objectives. The existing structure should be periodically evaluated to enable its realignment with
changing priorities such as new regulations.

Authority and responsibility should be delegated to the extent necessary to achieve the organization's
objectives. The board of directors delegates authority and assigns responsibility to senior
management. Senior management delegates authority and assigns responsibility at the entity level
and to its subunits. The way management assigns authority and responsibility for operating activities
affects the control environment because it determines how much initiative individuals are encouraged
to use in solving problems as well as the limits of their authority.

Delegation of authority means giving up centralized control of some of the business decisions and
allowing those decisions to be made at lower levels in the organization by the people who are closest
to the day-to-day operations of the business. Delegation of authority provides the organization with
greater agility, but it also introduces complexity in risks to be managed. Senior management with
guidance from the board of directors needs to determine what is and is not acceptable, in line with
the organizat

T
delegation should be based on sound practices for identifying and minimizing risk and on weighing
potential losses against potential gains from delegation.

4) The organization demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives. In order for tasks to be accomplished in accordance
with the company's objectives and plans for achievement of those objectives, the company needs to
have competent personnel. In order to have competent personnel, management should specify the
knowledge and skills required for each position. There should be formal or informal job descriptions
that specify the competence level needed for each job, and the company should make every effort to
hire and retain competent people and to train them when necessary.
Background checks should be thorough when hiring new employees. At a minimum, the applicant's
work history and education should be confirmed and references checked. Any embellishment or
undisclosed history should be a red flag.

Individuals who are working in positions for which they are unqualified create a risk simply because
they are not capable of adequately performing the work they are supposed to do. Their lack of
capability provides an opportunity for someone else to take advantage of their lack of knowledge or skills
and perpetrate a fraud. Therefore, appropriate personnel policies and procedures are integral to an
efficient control environment.
The board of directors should evaluate the competence of the CEO, and management should evaluate
the competence across the organization and within outsourced providers in relation to
established policies and procedures and then act as necessary to address any shortcomings.

5) The organization holds individuals accountable for their internal control responsibilities in
pursuit of objectives.

The board of directors holds the CEO accountable for understanding the risks faced by the organiza-

objectives. The CEO and senior management are responsible for establishing accountability for inter-
nal control at all levels of the organization.

Increased delegation requires personnel with a higher level of competence and requires the company
to establish accountability. There should be effective monitoring by management of results, because
the number of undesirable or unanticipated decisions may increase with increased delegation. The
extent to which individuals recognize that they will be held accountable for results greatly affects the
control environment. If a person does something that is in violation of the company's
standards, some sort of disciplinary action should be taken against that person. If there is no penalty
for the violation of the internal controls of the company, then other individuals will not see the need
for compliance.

Management should regularly review


tives to ensure they do not encourage inappropriate conduct. If increases in the bottom line are the
sole focus of performance evaluations, the organization is more likely to experience unwanted
behavior such as manipulation of accounting records and reports, offers of kickbacks, and high-pressure
sales tactics.

Internal controls are more likely to function well if management believes that the controls are important and
communicates that support to employees at all levels.

Component 2: Risk Assessment

objectives. Risk assessment involves identifying and assessing risks to the achievement of objectives, relative

Within the control environment, management is responsible for the assessment of risk. The questions should
always be asked: What could go wrong here? What assets do we need to protect?

Risk assessment is the process of identifying, analyzing and managing the risks that have the potential to
prevent the organization from achieving its objectives. Assessment of risk involves determining the dollar
value of assets that are exposed to loss as well as the probability that a loss will occur. Management must
determine how much risk it is willing to accept and then work to maintain the risk within that level.

The 17 principles are numbered consecutively, so the principles relating to the risk assessment component
will begin with no. 6:

6) The organization's objectives must be specified clearly enough so that the risks to those objectives
can be assessed. Objective setting is therefore the first step in management's process of risk
assessment. Objectives may be explicitly stated or they may be implicit, such as to continue a previous
level of performance.
strategic planning function of management.

Broad categories of objectives that need to be specified so that the risks to them can be assessed
are:

Operations objectives , the fundamental


. They include objectives for the effectiveness and efficiency

depending on the choices management makes about structure and performance. As part of the
objective-setting process, management should specify its risk tolerance. For operations objec-
tives, risk tolerance might be expressed as an acceptable level of variance related to the
objective.

Reporting objectives address the preparation of reports, including external financial reports,
external non-financial reports, internal financial reports, and internal non-financial reports. External
reporting objectives are driven by rules, regulations, and standards that are external to
the organization. Internal reporting objectives are driven by the organization's strategic direction and
by reporting requirements established by management and the board of directors.

Compliance objectives include adhering to all laws and regulations that the company is subject
to. These laws and regulations establish minimum standards of behavior and may include mar-
keting, packaging, pricing, taxes, environmental protection, employee safety and welfare, and

with laws and regulations affects its reputation in its communities. It also, of course, affects the
dures.


Objectives can overlap. For example, the operations objective of safeguarding resources includes
prevention of loss through theft. The goal of ensuring reliable financial reporting includes making
sure that any such losses that may occur through the
nancial statements, a reporting objective.

Establishing these objectives is a required first step to establishing effective internal control, because
it forms the basis for assessing risk, in other words determining what could go wrong that could pre-
vent the company from achieving its objectives. If the objectives are not known, then it is not
possible to determine what could prevent the company from achieving them.

7) The organization identifies risks to the achievement of its objectives and analyzes them to
determine how the risks should be managed. The responsibility for risk identification and analysis re-
sides with management at the overall entity level and at the subunit level.

Risks can come from both internal and external sources and can affect the organization's ability to
achieve its objectives. Change in objectives, especially, creates risk. The greater the difference between
the current objectives and the objectives of the past (that is, the greater the amount of change), the
more risk there is. Even the objective of maintaining performance as it has been in the past carries both
internal and external risks.

The risk assessment process should consider all risks that may occur. The risk assessment should be
comprehensive and consider all significant interactions between the company and external parties,
throughout the organization. External parties to include in the assessment are suppliers (current and
potential), investors, creditors, shareholders, employees, customers, buyers, intermediaries, com-
petitors, public bodies and the news media.

Once the risks have been identified, they should be analyzed in order to determine how best to
manage each one.

Risk identification

Risk identification includes identification of risks at all levels of the organizational structure, including
the overall entity and its subunits. Entity-level risk identification is conducted at a high level and
does not include assessing transaction-level risks. The identification of risks at the process level is
more detailed and includes transaction-level risks. Risks originating in outsourced service providers,
key suppliers, and channel partners need to be included in the risk assessment, as they could directly
affect the achievement of its objectives.

Entity-level risks arise from external or internal factors. Here are a few examples:

External factors include economic factors that impact financing availability, environmental fac-
tors such as climate change that can lead to changes in operations, reduced availability of raw
materials or loss of information systems, regulatory changes such as new reporting standards or
new laws, changing customer needs, and technological changes that affect the availability and
the use of data.

Internal factors can include decisions that affect operations and the availability of infrastructure,
changes in management responsibilities that affect the way controls are implemented,
changes in personnel that can influence the control consciousness in the organization, employee
access to assets that could contribute to misappropriation of assets, and a disruption in infor-

Transaction-level risks occur at the level of subsidiaries, divisions, operating units, or functions
such as sales, production, or marketing. The potential risks depend upon what the objectives are.
For example,

An operational objective of maintaining an adequate raw materials inventory could lead to identi-
fying risks such as raw materials not meeting specifications, the failure of a key supplier, supply
disruptions in needed raw materials caused by weather conditions, or price increases above ac-
ceptable levels.

204 © 2017 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section E Internal Control

An objective of complying with existing laws and regulations leads to identifying risks associated
with lack of compliance.

The objective of protecting assets leads to identifying the risk of employee embezzlement ac-
companied by falsification of records to conceal the theft.

The number of potential risks is limitless, and practical limitations are needed. Some risks, such as a

sidered. But any situation that causes a change that could impact the system of internal control
should be included.

Risk analysis

Risk analysis forms the basis for determining how the risks will be managed. After the company has
identified its entity-level and transaction-level risks, it should perform a risk analysis to (1) assess
the likelihood of each risk occurring; (2) estimate the impact of each risk; and (3)
consider how each risk should be managed by assessing what actions need to be taken.

Risks that do not have a significant impact on the company and that have a low likelihood of occur-
ring would not warrant serious concern. However, risks with a high likelihood of occurring and that
carry the possibility of significant impact usually require serious attention. Risks that are in between
these two extremes require judgment.

Once the likelihood and estimated impact of risks have been assessed, the following steps should be
taken to manage the identified risks. Risk responses fall into the following categories:

Acceptance: No action is taken to affect the likelihood or impact of the risk.

Avoidance: Exiting the activity or activities that give rise to the risk, such as exiting a product
line or selling a division.

Reduction: Action is taken to reduce the likelihood or impact of the risk. The amount of the po-
tential loss from each identified risk should be estimated to the extent possible. Some risks are
indeterminate and can only be described as large, moderate or small.

Sharing: Reducing the risk likelihood or impact by transferring or sharing the risk, such as pur-
chasing insurance or forming a joint venture.

If the decision is to reduce or to share the risk, the organization determines what action to take and
develops appropriate control activities for the action. If the decision is to accept or avoid the risk,
typically no control activities are required.

8) The organization considers the potential for fraud in assessing the risks to the achievement
of its objectives. Fraud can include fraudulent reporting, possible loss of assets, and corruption.
Fraud can occur at any level and its possible impact needs to be considered as part of the risk identi-
fication and assessment. The potential for management fraud through override of controls needs to

can arise at the employee level, as well, for example if two employees collude to defraud the or-
ganization. Furthermore, fraud can be perpetrated from the outside, for example by someone hacking
into the computer systems.

When management detects fraudulent reporting, inadequate safeguarding of assets, or corruption,
remediation may be necessary. In addition to dealing with the improper actions, steps may need to
be taken to make changes in the risk assessment process and in other components of the internal
control system such as control activities.


9) The organization identifies and assesses changes that could impact the organization's sys-
tem of internal controls.

Changes can occur in the external environment, such as in the regulatory, economic, and physical
environment in which the entity operates. Changes can also occur in the internal environment such
as new product lines, acquired or divested businesses and their impact on the internal control sys-
tem, rapid growth, changes in leadership and their attitudes toward internal control.

Note: There is a difference between risk assessment, which is a function of internal control, and the
actions taken by management to address the risks, which are a function of management and not of the
internal control system.

Component 3: Control Activities


Control activities are actions established by policies and procedures that help ensure that management's
instructions that are intended to limit risks

Control activities may be preventive or detective and can include a range of activities such as authorizations
and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is
typically built into the selection and development of control activities.

Principles relating to Control Activities include:

10) The organization selects and develops control activities that contribute to mitigating (reduc-
ing) risks to the achievement of objectives to acceptable levels.

Control activities should be integrated with risk assessment in order to put into effect actions needed
to carry out risk responses. The risk responses decided upon dictate whether control activities are
needed or not. If management decides to accept or avoid a risk, control activities are generally not
required. The decision to reduce or share a risk generally makes control activities necessary. The
control activities include a variety of controls including both manual and automated and preventive
and detective controls.

Segregation of duties should be addressed wherever possible and if segregation of duties is not prac-
tical, management should develop alternate control activities.

A preventive control is designed to avoid an unintended event while a detective control is de-
signed to discover an unintended event before the ultimate objective has occurred (for example,
before financial statements are issued or before a manufacturing process is completed).

o Examples of preventive controls are segregation of duties, job rotation, enforced vacations,
training and competence of personnel, employee screening practices, physical control over as-
sets such as dual access controls, requirements for authorizations, and requirements for
approvals.

o Examples of detective controls are reconciliations, internal audits, periodic physical inventory
counts, variance analyses to detect ratios that might be out of line, random surprise cash
counts, supervisory review and approval of accounting work, management review and approval
of account write-offs, and exception reporting and review to identify unusual items.

11) The organization selects and develops general control activities over technology29 to support
the achievement of its objectives.

o Control activities are needed when technology is embedded in business processes, to mitigate
the risk of the technology operating improperly.

29 See General Controls in Systems Controls and Security Measures later in this section for more information about technology general controls.


o Control activities may be partially or wholly automated using technology. Automated controls re-
quire technology general controls.

Control activities over technology designed to support the continued operation of technology and to
Technology general
controls include controls over the technology infrastructure, security management, and technology
acquisition, development and maintenance.

Activities designed and implemented to restrict technology access to authorized users to protect the
are a particularly important aspect of technology general
controls. Guarding against external threats is particularly important for an entity that depends on
telecommunications networks and the Internet.

12) The organization deploys control activities by developing policies that establish what is ex-
pected and procedures that put the policies into action. The control activities should be built
into day-to-day activities.

Whether a policy is in writing or not, it should establish clear responsibility and accountability. The
responsibility and accountability ultimately reside with the management of the entity and the subunit
where the risk resides. Procedures should be clear on what the responsibilities are of the personnel
performing the control activity. The procedures should be timely and should be performed diligently
and consistently by competent personnel.

Responsible personnel should investigate and if necessary take corrective action on matters identi-
fied as a result of executing control activities. For example, if a discrepancy is identified in the
process of doing a reconciliation, the discrepancy should be investigated. If an error occurred, the
error should be corrected and the correction reflected in the reconciliation.

Management should periodically review and reassess policies and procedures and related control ac-
tivities for continued relevance and revise them when necessary.

Component 4: Information and Communication


Relevant information must be identified, captured and communicated (shared) in a manner that enables
people to carry out the internal control responsibilities
objectives. Information and communication are both internal and external.

Principles relating to the Information and Communication component include:

13) The organization should obtain or generate and use relevant, quality information to support
the functioning of other components of internal control.

Relevant information can be financial or non-financial. The information can be generated from inter-
nal or external sources. Regardless of whether it is from internal or external sources and whether it
is financial or non-financial information, timely and relevant information is needed to carry out inter-
nal control responsibilities supporting all three of the categories of objectives.

o Some examples of internal sources include emails, production reports regarding quality, minutes
of meetings discussing actions in response to reports, time reports, information on number of
units shipped during a period, and internal contacts made to a whistle-blower hotline. Other
types of operating information, such as measurements of emissions generated, are needed to
monitor compliance with emissions standards.

o Some examples of external sources include data from outsourced providers, research reports,
information from regulatory bodies regarding new requirements, social media and blog postings
containing comments or opinions about the organization, and external contacts made to a whis-
tle-blower hotline. External information about economic conditions and actions of competitors is
needed for internal decision-making, such as decisions about optimum inventory levels and in-
ventory valuation.


14) The organization should internally communicate information, including objectives and responsi-
bilities for internal control, necessary to support the functioning of other components of internal
control.

Information systems must provide accurate, timely reports to appropriate personnel so they can car-
ry out their responsibilities. The people who deal with the customers every day are often the first to
know about a problem, and they should have a way to communicate that information upward. Fur-
thermore, people in the organization need to receive a clear message from top management that
their internal control responsibilities must be taken seriously.

o Internal communication includes communications between the board of directors and manage-
ment so that both have the information they need to fulfill their roles in achieving the
organization's objectives. Members of the board of directors should also have direct access to
employees without senior management present, to give board members an opportunity to ask
questions and assess matters that employees might not feel comfortable discussing in the pres-
ence of management, such as management override of controls that may be taking place.
Internal communication also includes separate communication channels, such as whistleblower
hotlines, that enable confidential and anonymous communication when normal channels of com-
munication are not effective.

o Internal communication of information also takes place across the organization through, for ex-
ample, policies and procedures, individual authorities, responsibilities and standards of conduct,
specified objectives, and any matters of significance relating to internal control such as instances
of deterioration or non-adherence.

Internal communication can take many forms, such as dashboards, email messages, training (either
live or online), one-on-one discussions, written policies and procedures, website postings, or social
media postings. Actions also communicate. The way managers behave in the presence of their sub-
ordinates can communicate more powerfully than any words.

15) The organization should communicate with external parties regarding matters affecting the
functioning of other components of internal control.

Relevant and timely information needs to be communicated to external parties including sharehold-
ers, partners, owners, regulators, customers, financial analysts, and other external parties.

External communication also includes incoming communications from customers (customer feed-
back), consumers, suppliers, external auditors, regulators, financial analysts, and others. A whistle-
blower hotline should be available to external parties, as well.

o Communication from customers and suppliers can provide valuable input on the design and qual-
ity of the company's products.

o Communications from the external auditors inform management and the board about the organ-
ization's operations and control systems.

o Regulators report results of examinations and compliance reviews that can inform management
of control weaknesses.

o If the company is a public company, communications to shareholders, regulators, financial ana-
lysts and others need to provide information relevant to them, so they can understand the

o Customer complaints often mean there are operating problems that need to be addressed.

o Any outsider dealing with the company must be informed that improper actions such as kick-
backs or other improper dealings will not be tolerated.

o Outgoing communication can take the form of press releases, blogs, social media, postings on
the company website, and emails.


Component 5: Monitoring Activities


Finally, management must monitor the entire internal control system. Monitoring is an activity overseen
and/or performed at the management level for the purpose of assessing the operation and effectiveness of
existing internal controls. over
time to determine whether the components of internal control are present and are functioning. Management
must also revisit previously identified problems to make sure they have been corrected.

Monitoring ensures that the internal control system continues to operate effectively. Systems and procedures
change over time, and the way controls are applied needs to change in order for the controls to remain
effective. Management needs to determine whether the internal control system is still relevant and whether it
is still able to address new risks that may have developed.

Information received from


its internal control. Principles relating to the Monitoring Activities component are:

16) The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.

Monitoring can be done in two ways:

o through ongoing evaluations that are built into business processes during normal operations
and provide timely information, and

o through separate evaluations conducted periodically by management with the assistance of
the internal audit function.

If monitoring is done regularly during normal operations, it lessens the need for separate evalua-
tions.

Note: Monitoring should be done on a regular basis. An advantage to ongoing monitoring is that
if operating reports are used to manage ongoing operations, exceptions to anticipated results will
be recognized quickly.

17) The organization evaluates and communicates internal control deficiencies in a timely manner
to those parties responsible for taking corrective action, including senior management and the board
of directors, as appropriate.

Findings from monitoring activities are evaluated against established criteria and deficiencies are
communicated to management and the board of directors as appropriate. Remedial action should be
taken, and the results of the remedial action should also be monitored to be certain that the situa-
tion has been corrected.

An example of evaluating a monitoring activity is reviewing a reconciliation to make sure it was done
properly and in a timely manner, that the sources of information used in the reconciliation were ap-
propriate, and to look for trends in the reconciling items. All the reconciling items should have been
investigated and resolved, and management should evaluate whether there are any new risks in the
operation caused by changes in the internal and/or external environment.


Summary: The 5 Components and the 17 Principles of Internal Control

Control Environment
1) There is a commitment to integrity and ethical values.
2) The board of directors exercises oversight responsibility for internal control.
3) Management establishes structures, authorities, and responsibilities.
4) There is a commitment to competence.
5) Individuals are held accountable for their internal control responsibilities.

Risk Assessment
6) Objectives are specified so risks to their achievement can be identified and assessed.
7) Risks are identified and analyzed.
8) Potential for fraud is considered.
9) Changes that could impact internal control are identified and assessed.

Control Activities
10) Control activities to mitigate risks are selected and developed.
11) General control activities over technology are selected and developed.
12) Control activities are deployed through policies and procedures.

Information and Communication
13) Relevant, quality information is obtained or generated and is used.
14) Information is communicated internally.
15) The organization communicates with external parties.

Monitoring Activities
16) Ongoing and separate evaluations are performed of the internal control system.
17) Internal control deficiencies are evaluated and communicated for corrective action.


What is Effective Internal Control?


An effective internal control system provides reasonable assurance regarding the achievement of the entity's
objectives by reducing to an acceptable level the risk of not achieving an entity objective. It requires that
each of the five components and relevant principles be present and functioning, and that the five
components are operating together in an integrated manner.

When an internal control system is effective, senior management and the board of directors have reasonable
assurance that the organization:

achieves effective and efficient operations or understands the extent to which operations are man-
aged effectively and efficiently,

specified reporting objectives, and

complies with applicable laws and regulations.

However, the board of directors and management cannot have absolute assurance that the organization's
objectives will be achieved. Human judgment in decision-making can be faulty, errors do occur, management
may be able to override internal controls, and through collusion, management, other personnel and/or third
parties may be able to circumvent internal controls.

Transaction Control Objectives


Commonly accepted transaction control objectives are:

Authorization. All transactions are approved by someone with the authority to approve the specific
transactions.

Completeness. All valid transactions are included in the accounting records.

Accuracy. All valid transactions are accurate, are consistent with the originating transaction data,
are correctly classified, and the information is recorded in a timely manner.

Validity. All recorded transactions fairly represent the economic events that occurred, are lawful,
.

Physical safeguards and security. Access to physical assets and information systems are con-
trolled and restricted to authorized personnel.

Error handling. Errors detected at any point in processing are promptly corrected and reported to
the appropriate level of management.

Segregation of duties. Duties are assigned in a manner that ensures that no one person is in a
position to both perpetrate and conceal an irregularity.

Types of Transaction Control Activities


Authorization and approvals. Authorization confirms that the transaction is valid, in other words
that it represents an actual economic event. Authorization generally is in the form of an approval by
a higher level of management or of another form of verification, such as an automatic comparison of
an invoice to the related purchase order and receiving report. When automated authorization of payables
is utilized, invoices within the tolerance level are automatically approved for payment, while invoices
outside the tolerance level are flagged for investigation.

Verifications. Items are compared with one another or an item is compared with a policy, and if the
items do not match or the item is not consistent with policy, follow up occurs.

Physical controls. Equipment, inventories, securities, cash and other assets are secured physically
in locked or guarded areas with physical access restricted to authorized personnel and are periodical-
ly counted and compared with amounts in control records.


Controls over standing data. Standing data, such as a master file containing prices or inventory
items, is often used in the processing of transactions. Controls need to be put into place over the
process of populating, updating, and maintaining the accuracy, completeness and validity of the data
in the master files.

Reconciliations. Reconciliations compare two or more data elements and, if there are differences,
action is taken to make the data agree. For example, a bank reconciliation reconciles the balance in
the account according to internal records with the balance in the account according to the bank.
Reconciling items are items in transit and are to be expected. However, differences that cannot be
explained by items in transit must be investigated and corrective action taken. Reconciliations gen-
erally address the completeness and accuracy of processing transactions.

Supervisory controls. Supervisory controls determine whether other transaction control activities
are being performed completely, accurately, and according to policy and procedures. For example, a
supervisor may review a bank reconciliation performed by an accounting clerk to check whether the
bank balance as given on the reconciliation report matches the balance on the statement and wheth-
er reconciling items have been followed up and corrected or an appropriate explanation is provided.
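The bank reconciliation and the supervisory review of it described above, as an added example that is not part of the original text: the routine separates the expected items in transit from differences that transit cannot explain, and the review function applies the supervisor's checks. All transactions, references and dates are constructed, and the five-day transit allowance is an assumption.

```python
"""Bank reconciliation with reconciling-item classification.

Added example (not from the HOCK text): reconciles cash per the company's
ledger with the balance per the bank statement, separates the expected items
in transit (deposits in transit and outstanding checks) from differences that
transit cannot explain, and applies the checks a supervisor makes on the
finished reconciliation. All transactions, references and dates are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    ref: str       # check number, deposit slip or bank reference
    amount: int    # cents; positive = deposit, negative = disbursement
    posted: date   # date recorded in the ledger or shown on the statement


def reconcile(ledger: List[Txn], bank: List[Txn], statement_date: date,
              max_transit_days: int = 5) -> Dict:
    """Reconcile the ledger cash balance to the bank statement balance.

    A ledger item the bank has not yet processed is a reconciling item and
    is expected. Three things cannot be explained by transit and are
    reported for investigation: an item in transit for longer than
    max_transit_days, an item on the statement with no ledger entry, and a
    reference whose amount differs between the ledger and the bank.
    """
    ledger_by_ref = {t.ref: t for t in ledger}
    bank_by_ref = {t.ref: t for t in bank}

    deposits_in_transit: List[Txn] = []
    outstanding_checks: List[Txn] = []
    stale: List[Txn] = []
    mismatched = []
    for ref, item in ledger_by_ref.items():
        if ref not in bank_by_ref:
            (deposits_in_transit if item.amount > 0 else outstanding_checks).append(item)
            if (statement_date - item.posted).days > max_transit_days:
                stale.append(item)
        elif bank_by_ref[ref].amount != item.amount:
            mismatched.append((item, bank_by_ref[ref]))
    unrecorded = [t for ref, t in bank_by_ref.items() if ref not in ledger_by_ref]

    ledger_balance = sum(t.amount for t in ledger)
    bank_balance = sum(t.amount for t in bank)
    # Bank balance adjusted for the items the bank has not yet seen; with no
    # other differences this equals the ledger balance.
    adjusted_bank = (bank_balance
                     + sum(t.amount for t in deposits_in_transit)
                     + sum(t.amount for t in outstanding_checks))
    return {
        "ledger_balance": ledger_balance,
        "bank_balance": bank_balance,
        "adjusted_bank_balance": adjusted_bank,
        "deposits_in_transit": deposits_in_transit,
        "outstanding_checks": outstanding_checks,
        "stale_in_transit": stale,
        "unrecorded_in_ledger": unrecorded,
        "amount_mismatches": mismatched,
        "unexplained_difference": adjusted_bank - ledger_balance,
    }


def needs_investigation(result: Dict) -> bool:
    """Supervisory review: the reconciliation is complete only when every
    difference is a current item in transit and nothing is left unexplained."""
    return bool(result["stale_in_transit"]
                or result["unrecorded_in_ledger"]
                or result["amount_mismatches"]
                or result["unexplained_difference"] != 0)


# Constructed sample data: June ledger and a bank statement dated 30 June.
STATEMENT_DATE = date(2017, 6, 30)
LEDGER = [
    Txn("D-101", 50_000, date(2017, 6, 28)),   # deposit, cleared by the bank
    Txn("D-102", 12_000, date(2017, 6, 30)),   # deposit in transit
    Txn("C-2001", -8_000, date(2017, 6, 10)),  # outstanding check, 20 days old
    Txn("C-2002", -3_000, date(2017, 6, 29)),  # outstanding check, 1 day old
    Txn("C-2003", -4_500, date(2017, 6, 20)),  # cleared check
]
BANK = [
    Txn("D-101", 50_000, date(2017, 6, 29)),
    Txn("C-2003", -4_500, date(2017, 6, 25)),
    Txn("FEE-06", -2_500, date(2017, 6, 30)),  # bank charge not yet in the ledger
]

if __name__ == "__main__":
    result = reconcile(LEDGER, BANK, STATEMENT_DATE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("needs investigation:", needs_investigation(result))
```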

Safeguarding Controls
Physical s
assets can occur through unauthorized acquisition, use, or disposition of assets or through destruction caused
by natural disasters or fire.

Prevention of loss through waste, inefficiency, or poor business decisions relates to broader operations
objectives and is not specifically considered part of asset safeguarding.

Physical protection of assets requires:

Segregation of duties.

Physical protection and controlled access to records and documents such as blank checks, purchase
orders, passwords, and so forth.

Physical protection measures to restrict access to assets, particularly cash and inventory.

Effective supervision and independent checks and verification.

Segregation of Duties
Duties need to be divided among various employees to reduce the risk of errors or inappropriate activities.
Separating functions ensures that no single individual is given too much responsibility so that no employee
is in a position to both perpetrate and conceal irregularities.

Note: Different people must always perform the following four functions of related activities:

1) Authorizing a transaction.

2) Recordkeeping: Recording the transaction, preparing source documents, maintaining journals.

3) Keeping physical custody30 of the related asset: For example, receiving checks in the mail.

4) The periodic reconciliation of the physical assets to the recorded amounts for those assets.

In a question about an effective or ineffective internal control, keep in mind that these four things must be
done by different people.

30 In the context of internal control, custody involves keeping, guarding, caring for, watching over, inspecting, preserving, and/or maintaining the security of an item that is within the immediate personal care and control of the person to whose custody it is entrusted.


Examples of potential internal control failures that can result from inadequate segregation of duties:

o If the same person has custody of cash received and also has the authority to authorize account
write-offs, that person could receive a cash remittance on account from a customer, authorize a
fraudulent write-off of the receivable, and divert the cash collected to their own use.

o If the same person who authorizes issuance of purchase orders is also responsible for recording
receipt of inventory and for performing physical inventory counts, that person could authorize the
issuance of a purchase order to a fictitious vendor using a post office box personally rented for the
purpose, then prepare a fictitious receiving record, and personally mail an invoice to the company in
the name of the fictitious vendor using the personal post office box. The accounts payable depart-
ment of the company would match the purchase order, the receiving report, and the invoice, as they
are supposed to do. Since all the documentation would match, the accounts payable department
would send a payment to the fictitious vendor for something the company never ordered or received.
Furthermore, during physical inventory counting that same person could easily mark the item as be-
ing in inventory when it never was in inventory, thereby concealing the fraud.

o If the same person prepares the bank deposit and also reconciles the checking account, that person

ciliation report.

Be aware, however, that segregation of duties does not guarantee that fraud will not occur. Two or more
employees could collude with one another (work together to conspire) to commit fraud, covering for one
another and, presumably, sharing the proceeds.

Software tools are available to assist a business in identifying incompatible functions. An access management
application can help to assess segregation-of-duties and access risks and conflicts.

Note: Collusion occurs when two or more individuals work together to overcome the internal control
system and perpetrate a fraud. When two or more people work together, they are able to get around the
segregation of duties that may have been set out.
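The access-review logic such tools implement, as an added example that is neither HOCK's text nor any vendor's product: each duty a system can grant is tagged with one of the four functions above that different people must perform, any user holding two or more of those functions is flagged, and a conflict that cannot practically be segregated can be marked as covered by a documented alternate control activity. Users, duty identifiers, assignments and the compensating control are constructed.

```python
"""Segregation-of-duties access review.

Added example, not from the HOCK text or any vendor's product. Each system
duty is tagged with one of the four functions the text says must be held by
different people (authorize, record, custody, reconcile); a user holding any
two of those functions through their duties is a conflict, and a conflict for
which management has documented an alternate control activity is reported as
mitigated rather than as a violation. All names and assignments below are
constructed sample data.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# The four functions that must always be performed by different people.
FUNCTIONS = ("authorize", "record", "custody", "reconcile")

# Each duty a system can grant, tagged with the function it belongs to. The
# duties follow the text's own examples (cash receipts plus write-off
# authority, purchase orders plus receiving plus counting, bank deposits plus
# bank reconciliation); the identifiers themselves are constructed.
DUTY_FUNCTION: Dict[str, str] = {
    "receive_customer_cash": "custody",
    "approve_receivable_writeoff": "authorize",
    "issue_purchase_order": "authorize",
    "record_inventory_receipt": "record",
    "count_physical_inventory": "reconcile",
    "prepare_bank_deposit": "custody",
    "reconcile_bank_account": "reconcile",
    "open_bank_account": "authorize",
    "post_general_ledger": "record",
}

# Constructed access extract: user -> duties granted in the accounting system.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"receive_customer_cash", "approve_receivable_writeoff"},
    "bob": {"issue_purchase_order", "record_inventory_receipt",
            "count_physical_inventory"},
    "carol": {"prepare_bank_deposit", "reconcile_bank_account"},
    "dave": {"post_general_ledger", "reconcile_bank_account"},
    "erin": {"open_bank_account"},
}

# Where segregation is not practical, management develops alternate control
# activities. Constructed example: carol's bank reconciliation is reviewed
# and approved by a supervisor each month, so her conflict is mitigated.
COMPENSATING_CONTROLS: Dict[str, Set[FrozenSet[str]]] = {
    "carol": {frozenset({"custody", "reconcile"})},
}


def user_conflicts(duties: Iterable[str]) -> List[FrozenSet[str]]:
    """Return every pair of the four functions that one set of duties covers.

    Any two of the four functions held by the same person is a conflict, so
    the conflicts are all pairs among the functions the duties map to.
    """
    duties = set(duties)
    unknown = duties - DUTY_FUNCTION.keys()
    if unknown:
        raise ValueError(f"duties with no function mapping: {sorted(unknown)}")
    held = sorted({DUTY_FUNCTION[d] for d in duties})
    return [frozenset(pair) for pair in combinations(held, 2)]


def review_access(assignments: Dict[str, Set[str]],
                  compensating: Optional[Dict[str, Set[FrozenSet[str]]]] = None
                  ) -> List[Dict]:
    """Produce one finding per user per conflicting pair of functions."""
    compensating = compensating or {}
    findings = []
    for user, duties in sorted(assignments.items()):
        for pair in user_conflicts(duties):
            mitigated = pair in compensating.get(user, set())
            findings.append({
                "user": user,
                "functions": tuple(sorted(pair)),
                "duties": tuple(sorted(d for d in duties if DUTY_FUNCTION[d] in pair)),
                "status": "mitigated" if mitigated else "violation",
            })
    return findings


def violations(findings: List[Dict]) -> List[Dict]:
    """Findings that still need remediation or a documented alternate control."""
    return [f for f in findings if f["status"] == "violation"]


if __name__ == "__main__":
    for f in review_access(ASSIGNMENTS, COMPENSATING_CONTROLS):
        print(f"{f['status']:9} {f['user']:6} {' + '.join(f['functions']):22} "
              f"via {', '.join(f['duties'])}")
```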

Responsibilities and Duties Needing Segregation for Financial and Accounting Positions
Following is a list of some financial and accounting positions, general information on their responsibilities, and
incompatible duties that need to be segregated. The following list is not exhaustive because more positions
and more duties can always be added. However, this will give you several good examples.

Furthermore, firms organize their accounting and financial areas in different ways, so the general duties listed
here for each position should not be considered absolute. In any particular firm, duties listed here may be the
responsibility of a different position than is indicated here and some may overlap. They are presented simply
to provide assistance to those who may not be familiar with all of the general functions of the financial area of
a business.

© 2017 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. 213
Internal Control CMA Part 1

Chief Financial Officer (CFO)

Responsibilities: maintenance of its fiscal records, and preparation and interpretation of its financial
reports for internal purposes and for external financial reporting. Directs and has overall responsibility
for internal control, including developing formal internal control policies and procedures. Responsible for
compliance with regulations and for certifying the accuracy of the financial statements. Oversees budgeting
and preparation of periodic financial forecasts of profit and loss and cash flow. Develops and maintains the
capital budget and analyzes new capital budgeting proposals. Represents the company to investment bankers
and in quarterly earnings calls with outside analysts and investors. Serves as a member of senior
management and takes part in the strategic planning process. Participates in Board of Directors meetings
and presents as necessary. CFOs are expected to work in collaboration with others throughout the
organization, direct integration of key business processes, stimulate change and business transformation,
and serve as business advisors to CEOs and Boards of Directors.

Examples of incompatible duties: The greatest potential for fraud at the senior management level is not
in lack of segregation of duties but in management override of controls. Management override occurs when
a manager authorizes staff to not perform an internal control procedure. There could be a good reason for
the omission; or the manager could be covering up a misappropriation of assets.

Corporate Treasurer and Treasury Function

Responsibilities: funds and other assets. Custodial responsibilities include opening bank accounts,
supervising collection and recording of cash receipts, overseeing disbursements (payables and payroll),
managing investments, forecasting cash needs, securing financing, maintaining stockholder records and
paying dividends, establishing credit policies, overseeing risk management, and directing tax accounting.
The Treasurer generally reports to the CFO.

Examples of incompatible duties: The treasury employee responsible for establishing bank accounts should
not also be able to enter the new account into the general ledger or to receive cash, generate
disbursements, record transactions in the general ledger, or prepare bank reconciliations. All investments
should be authorized by a member of senior management. The people who authorize and initiate investment
transactions should not also record investment transactions or reconcile investment account statements to
the general ledger. All loans obtained in the name of the corporation should be authorized by senior
management. Persons involved in obtaining loans should not also record the loan in the general ledger.

214 © 2017 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section E Internal Control

Title Responsibilities Examples of Incompatible Duties


Controller and [...] Function

Responsibilities: Responsible for the integrity of the balance sheet. Implements and documents adequate and effective internal controls, including but not limited to periodic physical counts of inventory and fixed assets. Ensures compliance with all applicable laws, rules, and regulations. Supervises the monthly closing process, preparation of financial statements, accounts receivable, accounts payable, payroll, budgeting and variance reporting, cash projections, maintenance of fixed asset records, tax preparation and preparation of information required for the annual financial statement audit. The Controller generally reports to the CFO.

Examples of Incompatible Duties:
Periodic physical counts of inventory and fixed assets should be performed by people who have no record-keeping or authorization responsibilities.
The person who records adjustments to inventory or fixed assets following physical counts should not reconcile the fixed asset system to the physical count, authorize purchases or disposals of fixed assets, or maintain physical custody of fixed assets.
The person who maintains the fixed asset system should not also reconcile the fixed asset system to the general ledger.

Accounting Manager and Accounting Function

Responsibilities: The Accounting Manager is responsible for financial reporting. Develops, implements and maintains systems, accounting practices and procedures to ensure accurate and timely financial statements. Selects and trains department staff and supervises their performance. The Accounting Manager answers [...] complex issues that arise such as non-routine reporting transactions. The Accounting Manager generally reports to the Controller.

Examples of Incompatible Duties:
The person responsible for adding, deleting, and mapping general ledger accounts to financial statements should not also perform general ledger account reconciliations, record or authorize transactions in the general ledger, or approve changes to the GL chart of accounts or the account mapping.
The person responsible for initiating and preparing journal entries should not also authorize the entries, record the entries, or reconcile accounts.

Purchasing Function

Responsibilities: The Purchasing Manager/Agent purchases raw materials for manufacturing, finished goods for resale, and machinery, equipment, tools, parts and supplies as needed for the operation of a business. Requests bids, reviews requisitions for goods and services, and prepares purchase orders. Researches and evaluates suppliers, their reputation, their products, prices, quality and delivery capabilities. Analyzes price proposals and other information to determine a reasonable price. Negotiates contracts with suppliers and monitors their contract performance. Monitors receipts of orders to ensure they are received on time, traces lost shipments and follows up on undelivered items. Maintains records of items purchased and inventories on hand.
Depending on the organization, the Purchasing Manager may report to the CEO, the CFO, or to the COO (Chief Operating Officer). Some manufacturing organizations separate direct purchasing (raw materials), which reports to the operating areas it serves, from indirect purchasing, which reports to the CFO.

Examples of Incompatible Duties:
All purchase requisitions (internal requests for purchases or for purchase orders to be issued) should be approved by someone other than the person initiating the purchase requisition.
Purchase orders should be generated only by employees in the purchasing department, and employees in the purchasing department should not have authority to generate or approve purchase requisitions.
Employees authorizing purchase orders should not be able to also generate the purchase orders.
Employees involved in purchasing should not be able to modify the vendor master file, record vendor invoices, receive goods and record their receipt in inventory, reconcile inventory or write off inventory, have custody of inventory, or perform physical inventory counts.
Employees involved in purchasing should not be responsible for approving vendor invoices. Vendor invoices should be approved by the employee who initiated and authorized the purchase requisition or another person independent of the purchasing function.

Credit Manager and Credit Function

Responsibilities: [...] activities to ensure accuracy and timeliness of work. Selects and trains department staff and supervises their [...] helps them resolve any complex issues that arise. Develops, implements and maintains systems, procedures and policies related to credit functions. Controls bad debt exposure by setting credit policies. Supervises credit checks on customers, reviews [...] decisions regarding individual customer credit limits and credit terms, and obtains guarantees or collateral when necessary. Monitors the accounts receivable portfolio using accounts receivable aging reports and number of days of sales in accounts receivable, monitors collections, stops extending credit to delinquent accounts and initiates recovery actions against delinquent customers. Ensures that the Allowance for Doubtful Accounts is maintained at an appropriate level.

Examples of Incompatible Duties:
Employees who authorize and maintain credit limits for customers should not also be able to record adjustments to the balances owed by customers on their accounts.

Accounts Receivable Manager and Order Entry and Accounts Receivable Functions

Responsibilities: The Accounts Receivable Manager oversees the [...] accuracy and timeliness, including the order entry process and invoice preparation as well as collections [...] Selects and trains department staff and supervises [...] helps them resolve any complex issues that arise with customers. Develops, implements and maintains systems, procedures and policies related to accounts receivable functions.
Along with the credit manager (or instead of the credit manager if there is no credit manager), the Accounts Receivable Manager controls bad debt exposure by setting credit policies. Conducts credit [...] statements if appropriate, makes decisions regarding individual customer credit limits and credit terms, and obtains guarantees or collateral when necessary. Monitors the accounts receivable portfolio using accounts receivable aging reports and number of days of sales in accounts receivable, monitors collections, stops extending credit to delinquent accounts and initiates recovery actions against delinquent customers. Ensures that the Allowance for Doubtful Accounts is maintained at an appropriate level.
Order entry staff: Performs data input to prepare invoices for presentation to customers. If items are to be shipped, the packing list should be prepared by the order entry clerk at the same time as the invoice is prepared and serve as authorization to ship the goods.
Accounts Receivable staff: Receives customer payments on accounts and posts the receipts to the proper account.

Examples of Incompatible Duties:
The person who prepares customer invoices should not be able to modify the customer master file, the pricing, or customer contracts.
The person who opens customer remittances should not also record payments, record or authorize adjustments to customer accounts, prepare the bank deposit, or reconcile the checking account(s).
The person who prepares the deposit should not also record payments to customer accounts, record or authorize adjustments to customer accounts, or reconcile the checking account(s).
The person who records payments [...] not also open the remittances, prepare the deposit, or initiate adjustments or [...] should be reviewed and approved by a supervisor not involved in recording accounts receivable transactions.
The person who records transactions in the accounts receivable system should not also reconcile the accounts receivable system to the general ledger.
The reconciliation of the accounts receivable system to the general ledger should be reviewed and approved by someone other than the person who prepares the reconciliation.

Accounts Payable Manager and Accounts Payable Function

Responsibilities: The Accounts Payable Manager oversees the accounts [...] and timeliness. May oversee the payroll process as well. Selects and trains department staff and [...] questions and helps them resolve any complex issues that arise with vendors. Develops, implements and maintains systems, procedures and policies related to accounts payable functions.
Accounts payable staff: Pays approved expenditures in a timely manner (approval of invoices should be limited to the employee who initiated and authorized the purchase requisition). Codes expenditures for recording in the accounting system.

Examples of Incompatible Duties:
The person who matches the purchase order, the receiving document, and the vendor invoice should not be involved in the purchasing or receiving process, should not be able to modify the vendor master file, or have record-keeping responsibilities for inventory, purchases, payables, or returns.
The person who records accounts payable transactions (vendor invoices and payments) should not also be responsible for reconciling the disbursement sub-ledger to the general ledger.
The person who records vendor invoices should not also be responsible for printing checks.
The person responsible for printing checks and/or with access to blank check stock should not have responsibility for signing checks, recording the disbursements or preparing, reviewing or approving the checking account reconciliations.
The person responsible for signing checks should not be involved in any other cash disbursement process. If a signature stamp is used to sign checks, the signature stamp should remain in the custody of the person whose signature is on the stamp.
No one person should be able to both authorize and initiate a wire transfer. Wire transfers above a set amount should be reviewed, approved and released by additional authorizers who have been granted authority to release payments over that set amount.
The person responsible for approving wire transfers should not also prepare or review and approve bank reconciliations, record invoices, review and authorize journal entries in the general ledger, or modify the vendor master file.
The person responsible for setup of new vendors or modification of vendor records in the vendor master file should not also record vendor invoices, approve vendor invoices, print checks, sign checks, or authorize or execute wire transfers.

Accounting Clerk

Responsibilities: Performs a variety of support tasks in the accounting department, as assigned. Under supervision, may post transactions to accounting journals, ledgers, and other records detailing financial transactions, compile data and prepare reports, perform reconciliations, investigate questionable data, and perform other accounting projects as needed.

Examples of Incompatible Duties:
The person responsible for preparing bank reconciliations should not also receive cash receipts, prepare cash deposits, generate or print checks, authorize or execute wire transfers, or have access to blank check stock.

Personnel or Human Resources Function

Responsibilities: Approves changes in pay rates and changes to [...] new employees to be added to the payroll. Notifies the payroll department of terminated employees so they are removed from the payroll.

Examples of Incompatible Duties:
The person responsible for initiating employee additions and deletions and changes to employee information should not also have the ability to approve or record the changes. Modifications should be initiated by one employee and reviewed and approved by another employee.
Employees responsible for modifying the employee master file should not also have access to the payroll system, be involved in the payroll process, generate payroll checks, distribute payroll checks, or make hiring and firing decisions.

Timekeeping Function

Responsibilities: The timekeeper reviews timesheet/timecard information on hours worked by hourly employees and verifies that hours worked by hourly employees have [...] If the company bills clients by the hour (such as attorneys or accountants), the timekeeper monitors billable hours to ensure accuracy.

Examples of Incompatible Duties:
Hours worked should be reviewed and approved [...] before the hours are transmitted to the payroll department.

Payroll Clerk

Responsibilities: Calculates wages payable by multiplying the number of hours worked by each employee by [...] hourly rate. Calculates paycheck deductions such as taxes, health insurance, and other withholdings. Prepares payroll register summarizing wages and deductions for each employee to be used in compiling the journal entry to record the payroll, to prepare tax reports, and for general research purposes.

Examples of Incompatible Duties:
The person who calculates the wages should not also be able to modify the employee master file, approve the payroll, generate the payroll checks, distribute payroll checks, or receive payroll reports.
The payroll reports and payroll checks should be delivered to a supervisory-level person who is separate from the payroll processing area. The supervisor should review the payroll reports and distribute the payroll checks.
Payroll checks that are undistributed or rejected should be investigated and reconciled by a supervisory-level person.
The person responsible for recording the payroll in the general ledger should not be able to modify the employee master file, prepare or authorize payroll, generate payroll checks, or distribute payroll checks.
The person who reconciles the payroll system to the general ledger should not be able to modify the payroll system in any way.
As with accounts payable, the person responsible for printing payroll checks and/or with access to blank check stock should not have responsibility for signing checks, recording the disbursements, or preparing, reviewing or approving the checking account reconciliations.
The person responsible for signing payroll checks should not be involved in any other cash disbursement process. If a signature stamp is used to sign checks, the signature stamp should remain in the custody of the person whose signature is on the stamp.

Cashier

Responsibilities: A cashier in a business is a person who is responsible for receiving and disbursing cash. The supervisor of a [...] generally reports to the Treasurer.

Examples of Incompatible Duties:
The person responsible for receiving cash should not also record payments, record [...] accounts, or reconcile checking accounts.
The person who prepares the bank deposit should not also receive cash, record payments, record or authorize [...] reconcile checking accounts.

Shipping Clerk

Responsibilities: [...] premises. Pulls inventory from the shelves, packs and prepares shipments, prints shipping labels, tracks [...]

Examples of Incompatible Duties:
Shipping employees should not have the ability to initiate or authorize sales orders.
Returned merchandise should be received by the shipping clerk and forwarded to the accounting department so the return can be recorded in the sales and accounts receivable records.

Inventory Function

Responsibilities:
Inventory clerk: Maintains custody over and controls access to physical inventory.
Receiving clerk: Unloads and checks incoming shipments and verifies that the merchandise received is the correct type and notes the quantities received of each item.

Examples of Incompatible Duties:
An inventory clerk should not be able to perform physical inventory counts, modify perpetual inventory records, reconcile the physical inventory counts to the perpetual inventory records, or reconcile the perpetual inventory records to the general ledger.
A receiving clerk should not be involved in authorizing or recording purchase orders, modifying the vendor master file, recording invoices for payment, or recording returned merchandise.
Physical inventory counts should be performed by someone who does not have day-to-day responsibility for the physical inventory or inventory record-keeping and reconciliation responsibilities.
Manual adjustments to the inventory records should be approved by a supervisor before being recorded.
The person responsible for making adjustments to the inventory records should not also be able to record entries in the general ledger or reconcile the perpetual inventory system to the physical inventory counts.
Reconciliation of the physical inventory counts to the perpetual inventory system and the general ledger should be reviewed and approved by a supervisor who does not have daily responsibilities in the inventory process.
A supervisor should review and approve all disposals or sales of scrapped goods and obsolete inventory. The employee who initiates the disposal request should not also physically dispose of the inventory or do any recordkeeping for the disposal.
The person responsible for the sale of obsolete inventory or scrap should not also invoice the buyer and collect payment for the sales. All invoicing and collections should be done by the accounting department.
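The incompatible-duty rules above are what an identity or ERP access-review system checks mechanically. The following is an added example, not HOCK's material: it encodes a subset of the table's duty pairs as data, audits role assignments for conflicts, blocks a role grant that would create one, and applies the wire-transfer rule (no one person both initiates and authorizes; a second authorizer above a set amount). The duty names, roles, users and threshold are constructed for illustration.

```python
"""Segregation-of-duties (SoD) checks built from the incompatible-duty
examples in the table above.  Added illustration, not HOCK material: the
duty names, roles and users below are constructed sample data."""
from itertools import combinations

# A subset of the incompatible-duty pairs stated in the table (cash
# disbursement, wire transfer, vendor master, payroll and purchasing rows).
# A pair is a conflict whichever order the two duties are held in.
INCOMPATIBLE_PAIRS = {frozenset(p) for p in [
    ("print_checks", "sign_checks"),
    ("print_checks", "record_disbursements"),
    ("print_checks", "reconcile_bank_account"),
    ("print_checks", "record_vendor_invoices"),
    ("receive_cash", "record_customer_payments"),
    ("receive_cash", "prepare_bank_deposit"),
    ("receive_cash", "reconcile_bank_account"),
    ("prepare_bank_deposit", "reconcile_bank_account"),
    ("maintain_vendor_master", "record_vendor_invoices"),
    ("maintain_vendor_master", "approve_vendor_invoices"),
    ("maintain_vendor_master", "sign_checks"),
    ("maintain_vendor_master", "authorize_wire"),
    ("initiate_wire", "authorize_wire"),
    ("authorize_wire", "reconcile_bank_account"),
    ("maintain_employee_master", "generate_payroll_checks"),
    ("calculate_payroll", "approve_payroll"),
    ("generate_purchase_orders", "approve_purchase_requisitions"),
]}

# Roles as an identity system grants them; each role bundles several duties.
# Constructed sample roles, not a real chart of authority.
ROLE_DUTIES = {
    "ap_clerk": {"record_vendor_invoices", "record_disbursements"},
    "check_printer": {"print_checks"},
    "treasury_analyst": {"initiate_wire", "prepare_bank_deposit"},
    "vendor_admin": {"maintain_vendor_master"},
    "controller": {"sign_checks", "authorize_wire", "approve_vendor_invoices"},
    "bank_reconciler": {"reconcile_bank_account"},
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by all of one person's roles."""
    duties = set()
    for role in roles:
        duties |= role_duties[role]
    return duties


def sod_conflicts(roles, role_duties=ROLE_DUTIES, pairs=INCOMPATIBLE_PAIRS):
    """Incompatible duty pairs one person would hold through these roles,
    as sorted (duty_a, duty_b) tuples in a stable order."""
    duties = effective_duties(roles, role_duties)
    found = {frozenset(p) for p in combinations(duties, 2)} & pairs
    return sorted(tuple(sorted(p)) for p in found)


def audit_assignments(user_roles, role_duties=ROLE_DUTIES):
    """Detective control: users whose current roles combine incompatible
    duties, mapped to the conflicts found."""
    report = {}
    for user, roles in user_roles.items():
        conflicts = sod_conflicts(roles, role_duties)
        if conflicts:
            report[user] = conflicts
    return report


def grant_is_allowed(current_roles, new_role, role_duties=ROLE_DUTIES):
    """Preventive control: refuse a role grant that would introduce a
    conflict the person does not already hold."""
    before = set(sod_conflicts(current_roles, role_duties))
    after = set(sod_conflicts(list(current_roles) + [new_role], role_duties))
    return after <= before


def wire_release_allowed(amount, initiator, approvers, threshold):
    """Wire rule from the accounts payable row: the initiator may not approve,
    every transfer needs one approver, and a transfer above the threshold
    needs an additional, distinct approver."""
    distinct = set(approvers) - {initiator}
    if len(distinct) != len(approvers):
        return False  # initiator listed as approver, or a duplicate name
    return len(distinct) >= (2 if amount > threshold else 1)


if __name__ == "__main__":
    # Constructed user-to-role export, as an access review would receive it.
    user_roles = {
        "alice": ["ap_clerk", "check_printer"],
        "bob": ["treasury_analyst", "controller"],
        "carol": ["vendor_admin"],
    }
    for user, conflicts in audit_assignments(user_roles).items():
        for duty_a, duty_b in conflicts:
            print(f"{user}: holds both '{duty_a}' and '{duty_b}'")
    print("grant controller to carol:", grant_is_allowed(["vendor_admin"], "controller"))
    print("release 25,000 wire:", wire_release_allowed(25000, "bob", ["erin", "frank"], 10000))
```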


Question 66: The proper segregation of duties requires that:

a) The individual who records a transaction does not compare the accounting record of the asset with
the asset itself.

b) The individual who records a transaction must maintain custody of the asset resulting from the
transaction.

c) The individual who authorizes a transaction also records it.

d) The individual who maintains custody of an asset must have access to the accounting records for
the asset.

(CMA Adapted)

Question 67: In a well-designed internal control system, two tasks that should be performed by different
people are:

a) Posting of amounts from both the cash receipts journal and cash payments journal to the general
ledger.

b) Distribution of payroll checks and approval of sales returns for credit.

c) Approval of bad debt write-offs, and reconciliation of the accounts payable subsidiary ledger and
controlling account.

d) Reconciliation of bank account and recording of cash receipts.

(CMA Adapted)

Question 68: An auditor noted that the accounts receivable department is separate from other accounting
activities. A separate credit department approves credit. Control accounts and subsidiary ledgers are
balanced monthly. Similarly, accounts are aged monthly. The accounts receivable manager writes off
delinquent accounts after 1 year, or sooner if a bankruptcy or other unusual circumstances are involved.
Credit memoranda are pre-numbered and must correlate with receiving reports. Which of the following
areas could be viewed as an internal control weakness of the above organization?

a) Credit approvals.

b) Monthly aging of receivables.

c) Write-offs of delinquent accounts.

d) Handling of credit memos.

(CIA Adapted)

Question 69: One characteristic of an effective internal control structure is the proper segregation of
duties. The combination of responsibilities that could be performed by the same person is:

a) Preparation of paychecks and check distribution.

b) Timekeeping and preparation of payroll journal entries.

c) Signing of paychecks and custody of blank payroll checks.

d) Approval of time cards and preparation of paychecks.

(CMA Adapted)


Physical Protection: Controlled Access to Records and Documents


Checks should be stored in a locked area, and access to them should be limited to personnel who have
responsibility for preparing checks, subject to authorization and approvals by other individuals. The checks
should be pre-numbered, and the check numbers should be recorded in a log as they are used. Any checks
discovered missing should be promptly reported to supervisory personnel.

Purchase orders should also be pre-numbered, numbers logged as used, and access to them similarly
restricted.

Corporate credit cards should be kept in a locked cabinet and access to them controlled.

[...] information needed by that employee to do his or her job. Employees should be instructed not to put their
passwords in an exposed area.

Physical Protection: Restricted Access to Assets


When cash must be stored until it can be deposited, it should be kept in a locked, fireproof file cabinet or safe
under controlled access.

[...], fire, and natural disasters. The risk of loss can be at least partially transferred through purchase of
insurance, but internal controls are vital to protect as much as possible against loss.

Inventory should be kept in a physically locked area, and the locks should be technically advanced
(not just simple combination locks).

Requisitions for inventory should be approved by authorized personnel.

The inventory area should be monitored by a gatekeeper who verifies proper authorization for
requests to move goods.

Security cameras can be used to monitor activity in the inventory area and to help identify theft and
thieves. The very existence of cameras tends to discourage employee theft.

Security alarms on doors and windows can alert local police in case of a break-in.

A security guard may be employed during hours when employees are not present if the inventory
has high value.

Regular physical inventories should be taken and missing items should be investigated.

Effective Supervision and Independent Checks and Verifications


Supervision over the performance of clerical functions is necessary. For example:

Comparison of independent sets of records is necessary, such as comparing the report of the physical
count of inventory to the internal inventory records; or comparing the information on a bank
reconciliation with the actual bank statement to confirm the bank balance used in the reconciliation
is correct.

Invoices should be prepared based on verified orders. The packing slip should be prepared at the
same time the invoice is prepared, and nothing should be shipped without a packing slip. Records of
actual shipments made should be compared with internal shipping documents, which should be
compared with invoices issued to verify that the procedures are being followed.

The process of receiving inventory should be supervised to make sure the inventory clerk is actually
counting the items received before affirming their receipt.


Legislative Initiatives About Internal Control


In the United States, various federal legislative initiatives have been created to promote or require companies
to implement internal controls. CMA candidates should be able to do the following:

Identify and describe the major internal control provisions of the Foreign Corrupt Practices Act.

Describe the major internal control provisions of the Sarbanes-Oxley Act (Sections 201, 203, 204,
302, 404, and 407).

Identify the role of the Public Company Accounting Oversight Board (PCAOB) in providing guidance
on the auditing of internal controls.

Identify the PCAOB-preferred approach to auditing internal controls as outlined in Auditing Standard
#5.

One significant issue with these federal laws is that in some cases these statutes apply only to publicly traded
companies or only to companies that report to the SEC, and in some cases they apply to all companies.
Companies that are not publicly traded and do not report to the SEC do not need to comply with many of
these laws because they do not fall under the jurisdiction of the SEC, which is the primary regulatory agency
of these internal control statutes. For example, many provisions of the Sarbanes-Oxley Act apply only to
publicly-traded companies and companies that report to the SEC, whereas some provisions apply to all
companies, even companies that do not report to the SEC. The accounting and internal control provisions of
the Foreign Corrupt Practices Act apply to all U.S. companies that are registered with and report to the SEC,
not only those with foreign operations, whereas the anti-corruption and anti-bribery provisions apply to any
company, public or private, with significant operations in the United States, regardless of whether the corrupt
act takes place inside or outside the United States.

Foreign Corrupt Practices Act (FCPA)


The Foreign Corrupt Practices Act of 1977 (FCPA), substantially revised in 1988 and amended in 1998 by the
International Anti-Bribery and Fair Competition Act of 1998, was enacted in response to disclosures of
questionable payments that had been made by large companies. Investigations by the SEC had revealed that
over 400 U.S. companies had made questionable or illegal payments in excess of $300 million to foreign
government officials, politicians, and political parties. The payments were either illegal political contributions
or payments to foreign officials that bordered on bribery.

The FCPA has two main provisions: an anti-bribery provision, and an internal control provision.

Anti-Bribery Provision
The anti-bribery provisions of the FCPA apply to all companies, regardless of whether or not they are
publicly traded.

Under the FCPA, it is illegal for any company or anyone acting on behalf of a company to bribe any
foreign official in order to obtain or retain business. In addition, a firm, or an individual acting on behalf
of a firm, will be held criminally liable if it makes payments to a third party with the knowledge that those
payments will be used by the third party as bribes.

Note: This prohibition is only against corrupt payments to a foreign official, a foreign political party or
party official, or any candidate for foreign political office.

The entire company, not any one individual or position in the company, is responsible for ensuring
that all payments are legal and lawful, although individuals are personally liable for their own actions.
Furthermore, the company must ensure that all transactions are made in accordance with management's
general or specific authorization and are recorded properly.


Note: A corrupt payment is one that is intended to cause the recipient to misuse his or her official
position in order to wrongfully direct business to the payer, whether or not the payment leads to the
desired outcome.

Internal Control Provision


The fundamental premise of the internal control requirements of the FCPA is that effective internal control
acts as a deterrent to illegal payments. Therefore, under the Foreign Corrupt Practices Act corporate
management is required to maintain books, records, and accounts that accurately and fairly reflect
transactions and to develop and maintain a system of internal accounting control.

Note: The internal control provision of the FCPA applies only to companies that are publicly traded.

Sarbanes-Oxley Act and the PCAOB


The Sarbanes-Oxley Act of 2002 (SOX or SarbOx) contains provisions impacting auditors, management, and
audit committees. Sarbanes-Oxley was enacted in response to several major incidents of financial reporting
fraud and audit failures, and it applies to all publicly-held companies in the U.S., all of their divisions, and all
of their wholly-owned subsidiaries. It also applies to any non-U.S. owned, publicly-held multinational
companies that operate in the U.S. In addition, some provisions apply also to privately-held companies; and a
privately-held company may comply with SOX in preparation for an initial public offering, in preparation for
raising private funding for a sale of the company, or on a voluntary basis (for example, using it as a best-
practices benchmark).

Title I: Public Company Accounting Oversight Board (PCAOB)


Title I of the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB),
whose mandate is to oversee the auditing of public companies that are subject to the securities laws, protect
[...] independent, non-governmental board, the PCAOB is a non-profit corporation that operates under the
authority of the SEC, which oversees the approval of its [...]

According to the Act, public accounting firms (that is, external auditors) are required to register with the
PCAOB. Furthermore, the PCAOB is charged with developing auditing standards to be used by registered
public accounting firms in their preparation and issuance of audit reports. In addition, the PCAOB conducts
regular inspections of the registered public accounting firms to assess their degree of compliance with the Act
and it has procedures to investigate and discipline firms that commit violations.

The formation of the PCAOB constitutes the first time that auditors of U.S. public companies became subject
to external and independent oversight. Previously, the profession had been self-regulated through a formal
peer review [31] program administered by the American Institute of Certified Public Accountants (AICPA). That
peer review program continues, and accounting and audit firms that are required to be inspected by the
PCAOB are also subject to peer review.

The responsibilities of the PCAOB include:

1) Registering public accounting firms that audit public companies. The Sarbanes-Oxley Act requires all
accounting firms (both U.S and non-U.S. firms) that prepare or issue audit reports on or participate
in audits of U.S. public companies to register with the PCAOB.

2) Establishing auditing and related attestation, quality control, ethics, independence, and other stand-
ards relating to the preparation of audit reports for issuers.

[31] [...] peers) to ensure it meets certain criteria. Peer review is performed by qualified individuals within the same profession. A
peer review is performed for an accounting and audit firm by professionals from another accounting and audit firm.


3) Conducting inspections of registered public accounting firms, annually for firms that audit more than
[...] compliance with the Sarbanes-Oxley Act, the rules of the Board, the rules of the Securities and Exchange
Commission (SEC) [...] audits, issuance of audit reports, and related matters involving issuers.

4) Enforcing compliance with the Act, the rules of the Board, professional standards, and securities laws
relating to audit reports and the obligations of accountants for them.

5) Conducting investigations and disciplinary proceedings and imposing appropriate sanctions for
violations of any provision of the Sarbanes-Oxley Act, the rules of the Board, the provisions of the
securities laws relating to the preparation and issuance of audit reports, or professional standards.

6) Management of the operations and staff of the Board.

Title II: Auditor Independence

Section 201: Services Outside the Scope and Practice of Auditors


In order to maintain auditor independence, Section 201 lists specific non-audit services that may not be
provided by an external auditor to an audit client because their provision creates a fundamental conflict of
interest for the accounting firms. These services include:

1) Bookkeeping services or other services relating to keeping the accounting records or preparing the
financial statements of the audit client.

2) Financial information systems design and implementation.

3) Appraisal or valuation services, fairness opinions, or contribution-in-kind reports.

4) Actuarial services.

5) Internal audit outsourcing services.

6) Management functions.

7) Human resource services.

8) Broker/dealer, investment adviser, or investment banking services.

9) Legal services.

10) Expert services unrelated to the audit.

11) Any other service that the Public Company Accounting Oversight Board (PCAOB) determines, by
regulation, is not permissible.

Section 203: Audit Partner Rotation


A public accounting firm that is registered with the PCAOB may not provide audit services to a client if the
lead audit partner or the concurring review audit partner has performed audit services for that client in each
of the five previous fiscal years of the client. Therefore, the lead audit partner and the concurring review audit

another five years. Other audit partners32 who are part of the engagement team must rotate off after seven
years and remain off for two years if they meet certain criteria.

Specialty partners (partners who consult with others on the audit engagement regarding technical or
industry-specific issues) do not need to rotate off. Examples of specialty partners are tax or valuation
specialists. Other partners who serve as technical resources for the audit team and are not involved in the
audit per se are also not required to rotate off the audit.

32 -making on
contact with management and the audit committee of the audit client.

The purpose
the financial statements.

Section 204: Auditor Reports to Audit Committees


Section 204 requires each public accounting firm that is registered with the PCAOB and performs an audit for
an issuer of publicly-traded securities to report to the issuer's audit committee:

1) All critical accounting policies and practices to be used;

2) All alternative treatments of financial information within generally accepted accounting principles,
the ramifications of the use of such alternative disclosures and treatments, and the treatment preferred
by the registered public accounting firm; and

3) Other material written communication between the registered public accounting firm and the man-
agement of the issuer, such as any management letter or schedule of unadjusted differences.

If management of the company is using an alternative method of accounting for something, even though it is
within generally accepted accounting principles, the outside public accounting firm performing the audit must
report to the audit committee the accounting principles being used and any other material written
communications between them and management.

Title III: Corporate Responsibility


Section 302: Corporate Responsibility for Financial Reports
Sarbanes-Oxley requires that each annual or quarterly report that is filed or submitted in accordance with the
Securities Exchange Act of 1934 (that is, SEC reports) must include certifications by the principal
executive officer or officers and its principal financial officer or officers. This certification must indicate the
following:

1) Each signing officer has reviewed the report.

2) The report does not contain any untrue material statement or omit to state any material fact that
could cause the report to be misleading.

3) To the best of the signing officers' knowledge, the financial statements and all the other related
information in the report fairly present in all material respects the financial condition and results of
operations of the company for all of the periods presented in the report.

For the CMA Exam, the most important certifications by the officers are connected to the internal controls of
the company, as shown in the following lists.

1) The signing officers certify that they:

o Are responsible for establishing and maintaining internal controls.

o Have designed the internal controls to ensure that they are made aware of all material in-
formation relating to the company and all subsidiaries.

o Have evaluated the effectiveness of the internal controls within the previous ninety days.

o Have reported on their findings about the effectiveness of their internal controls.


2) The signing officers have disclosed to the company's external auditors and the audit committee of the board
of directors:

o All deficiencies and material weaknesses that they have identified in its internal controls.

o Any fraud, regardless of how material it is, that involves management or other employees who
have a significant role in the internal controls.

o That the signing officers have stated in their report whether or not there were any significant
changes in internal controls or in any other factors that could have a negative impact on the
internal controls after the date of their evaluation, including any corrective actions that have been
taken with regard to deficiencies or material weaknesses.

Note: Companies cannot avoid these requirements by reincorporating outside the United States or by
moving their activities outside the United States. If they do this, the Act will continue to have full legal
force over them.

Title IV: Enhanced Financial Disclosures


Section 404: Management Assessment of Internal Controls
Section 404(a) requires each annual report required by the SEC to:

1) State the responsibility of management for establishing and maintaining an adequate internal control
structure and procedures for financial reporting.

2) Contain an assessment of the effectiveness of the company's internal control over financial reporting
(or ICFR).

Section 404(b) requires the external auditor to attest to and report on management's assessment of the
effectiveness of the internal controls.

In other words, according to Section 404(a) management is required to document and test its internal
financial controls and to report on their effectiveness. In many firms, the internal audit activity is very
involved in the management review and testing of the internal controls. Furthermore, according to Section
404(b) the external auditors are then required to review the supporting materials used by management
and/or internal auditing in developing their internal financial controls report. The external auditor's report is
based on its own review of the control environment.

The first step in a Section 404 compliance review is to identify the key processes. Here, the internal audit
activity can be of major assistance because it may already have defined the key processes during its annual
audit planning and documentation. The overall processes are generally organized in terms of the basic
accounting cycles, as shown here:

Revenue cycle: processing of sales and/or service revenue

Direct expenditures cycle: expenditures for material and direct production costs

Indirect expenditures cycle: operating costs other than for production activities

Payroll cycle: compensation of personnel

Inventory cycle: processes for the management of direct materials inventory until it is applied to
production

Fixed assets cycle: processes for accounting for property and equipment, such as periodic recording
of depreciation

General IT cycle: general IT controls that are applicable to all IT operations


The internal controls covering the key processes are reviewed and documented, and then these controls are
tested. The external auditor then reviews the work and attests to its adequacy.

The internal audit activity's involvement in the Section 404 testing of internal controls varies from firm to
firm. It can take three forms:

1) Internal auditors may act as internal consultants in identifying the key processes, documenting the
internal controls over these processes, and performing tests of the controls. Senior management's
support for this role is necessary.

2) The company might designate some other internal or external consulting resource to perform the
Section 404 reviews. In this case, internal auditors could act as a resource to support the work. They
may review and test internal control processes as assistants or contractors for the entity doing the
review.

3) Internal audit may work with and assist other corporate resources that are performing the Section
404 reviews without being directly involved with those reviews, allowing the internal audit activity to
concentrate its resources on other internal audit projects.

Management, in its assessment of internal controls, and the independent auditor, in its attestation to
management's assessment, can have different testing approaches because their roles are different and
therefore they are subject to different guidance.

Guidance for the management assessment of internal controls is provided by the SEC in Release
Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06 (hereinafter simply called Release No. 33-8810).
This release, containing the interpretive guidance for management on Section 404, is intended to
enable companies to implement the requirements more effectively and efficiently.

Guidance for the independent auditor's attestation is provided by the PCAOB in Auditing Standard No. 5.

Although the sources of guidance are different for management and the independent auditor, the PCAOB
intentionally aligned its guidance in Auditing Standard No. 5 with the SEC Release 33-8810, particularly with
regard to prescriptive requirements, definitions, and terms. Therefore, the guidance to management and the
guidance to independent auditors are not in conflict.

Both SEC Release 33-8810 (guidance for management) and Auditing Standard No. 5 (guidance for external
auditors) have the effect of efficiently focusing Section 404 compliance on the most important matters
affecting investors.

Both SEC Release 33-8810 and PCAOB Auditing Standard No. 5 prescribe a top-down, risk-based
approach to evaluating internal control over financial reporting. A top-down approach begins by identifying
the risks that a material misstatement of the financial statements would not be prevented or detected in a
timely manner. Beginning with risk assessment allows the auditor to focus on higher-risk areas while
spending less time and effort on areas of lower risk. The auditor should test those controls that are important
to the auditor's conclusion about whether the company's controls sufficiently address the assessed risk of
misstatement to each relevant assertion.33

It is important for the auditor to use a top-down approach, not a bottom-up approach. An auditor
who approaches the audit of internal controls from the bottom up would focus first on performing detailed
tests of controls at the process, transaction, and application levels. When the auditor uses a bottom-up
process, he or she often spends more time and effort than is necessary to complete the audit. Furthermore,
when an auditor takes a bottom-up approach, the auditor may spend relatively little time testing and
evaluating entity-level controls but instead may rely almost exclusively on detailed tests of controls over
individual processes, transactions, and applications. Spending more effort than is necessary in lower-risk
areas can diminish the effectiveness of the audit because it may prevent a higher-risk area from receiving the
audit attention that it should.

33 An assertion is a claim made. A management assertion is a claim made by management. Financial statement assertions
are claims made by management in presenting financial information. Examples of broad financial statement assertions are
determine whether the assertions being made by management are correct. Most of the work of a financial audit involves
evaluating and forming opinions about management assertions.

A top-down approach ensures the proper testing of the controls for the assessed risk of misstatement
to each relevant assertion. If a bottom-up approach is used, those controls that address the risk of a
material misstatement may not be tested.

Section 407: Disclosure of Audit Committee Financial Expert


Section 407 of the Sarbanes-Oxley Act required, and the SEC has issued rules requiring, each issuer of
publicly-traded securities to disclose whether or not its Audit Committee has at least one member who is a
financial expert. If the Audit Committee does not have at least one member who is a financial expert, the
company must state the reasons why not.

The definition of a financial expert is a person who, through education and experience as a public accountant,
auditor or a principal accounting or financial officer of an issuer of publicly-traded securities, has

1) an understanding of generally accepted accounting principles and financial statements and the ability
to assess the general application of GAAP in connection with accounting for estimates, accruals, and
reserves;

2) experience in the preparation, auditing, or active supervision of the preparation or auditing of financial
statements of generally comparable issuers34 in terms of the breadth and level of complexity of
accounting issues;

3) experience and an understanding of internal accounting controls and procedures for financial
reporting; and

4) an understanding of Audit Committee functions.

If the company discloses that it has one financial expert on its Audit Committee, it must disclose the name of
the expert and whether that person is independent. If the company discloses that it has more than one
financial expert serving on its Audit Committee, it may, but is not required to, disclose the names of those
additional persons and indicate whether they are independent.

34
-traded securities.


The Audit Committee nominates the independent auditor and the shareholders ratify this appointment at the
annual meeting of shareholders.

For publicly traded companies, the auditor presents two reports in the Annual Report:

An opinion on whether the financial statements present fairly, in all material respects, the financial
position, results of operations, and cash flows of the company, in conformity with generally accepted
accounting principles

An opinion on whether the company has maintained effective internal control over financial reporting.
(This opinion is not required for companies that are not publicly traded.)

In its capacity as auditor, the external auditor has no responsibility to make recommendations or suggestions
to the client, and no responsibility to follow up on any audit findings from the previous year. The only
responsibilities are to express an opinion about the financial statements and to express an opinion about the
internal controls of the company (in the case of a publicly-traded company).

However, an external auditor that is registered with the PCAOB under the Sarbanes-Oxley Act is obligated
under Section 204 to make reports to the audit committee of a publicly-traded company that include:

The accounting principles being used,

All alternative treatments being used,

The ramifications of the use of such alternative treatments,

The treatment preferred by the public accounting firm, and

All other material written communication between the registered public accounting firm and the
management of the company.

Financial Statement Opinion


For the opinion on the financial statements, the auditor conducts an independent examination of the
accounting data prepared and presented by management and expresses an opinion on them. Though the
,
. Instead, the auditor would assert that aterial

whole or an assertion that an opinion cannot be expressed and the reasons why an opinion cannot be
expressed.

The auditor's opinion may be:

Unqualified: Most audit reports are unqualified, meaning that the results are clean. The auditor
expresses the opinion that the financial statements present fairly, in all material respects, the financial
position, results of operations, and cash flows of the company, in conformity with generally
accepted accounting principles.

Qualified: A qualified opinion contains an exception, meaning that the financial statements do
not present a true and fair picture. However, the exception is usually not significant enough to
cause the statements as a whole to be misleading to the point that they should not be used. Therefore,
it does prevent the auditor from issuing an unqualified opinion. Usually, a qualified opinion is
issued under one of these conditions:

o the scope of the audit (that is, the work that the auditor wanted to perform) was limited or was
affected by restrictions, or


o the statements do not present fairly the financial position or results of operations because of a
lack of conformity with generally accepted accounting principles or because of inadequate
disclosures.

A qualified opinion states that, except for this specific matter, the financial statements present fairly,
in all material respects, the financial position, results of operations, and cash flows of the company in
conformity with generally accepted accounting principles.

Adverse: An adverse opinion is issued when the exceptions are so material that, in the auditor's
judgment, a qualified opinion is not appropriate. This means that the financial statements, taken as
a whole, are not presented in conformity with generally accepted accounting principles. Adverse
opinions are seldom issued because most companies change their accounting upon the
instructions of the auditor, in which case an adverse opinion is not warranted.

Disclaimer: A disclaimer of opinion is used when the auditor has not been able to gather enough
information on the financial statements to express an opinion.

Internal Control Opinion


The second report, required by the Sarbanes-Oxley Act, addresses whether or not the company has
maintained effective internal control over financial reporting. The company's annual report, filed with the SEC
and incorporated into the annual report to shareholders, must be accompanied by a statement that
management is responsible for creating and maintaining adequate internal controls and by management's
assessment of the effectiveness of these controls. The external auditor then attests to management's
assessment of the effectiveness of the internal controls, which is considered to be the core responsibility of
the auditor and an integral part of the audit report.

The criteria used to evaluate internal control over financial reporting come from the document Internal
Control Integrated Framework issued by the Committee of Sponsoring Organizations (COSO) of the Treadway
Commission. The auditor's report states that management is responsible for maintaining effective internal
control over financial reporting and for assessing the effectiveness of its internal control over financial
reporting. Furthermore, the auditor's responsibility is to express an opinion on the company's internal control
over financial reporting based on its audit.

The auditor's report on internal control includes the following paragraph:

In our opinion, _____________________ maintained, in all material respects, effective internal control over
financial reporting as of _________________, based on the COSO criteria.


Internal Auditing
Definition of Internal Auditing
Internal auditing has undergone major changes in the past few decades and has come to include areas of
expertise and usage beyond strictly financial and accounting matters. This growth of the role and expectations
of internal auditors has led to the development of internal auditing as a profession.

The Institute of Internal Auditors, the professional organization of internal auditors, has defined the
fundamental purpose, nature, and scope of internal auditing as follows:

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes.

An effective internal audit function provides to management and the audit committee a means of
monitoring the organization's controls. The monitoring of control over operations includes the effectiveness
and efficiency of operations and the organization's compliance with applicable laws and regulations.

The functional areas of internal auditing are similar to the functional areas of internal control. Internal control
is designed to provide reasonable assurance that the objectives in the areas of effectiveness and efficiency
of operations, reliability of financial reporting, and compliance with applicable laws and regulations will be
achieved. Internal auditing services contribute to the achievement of these internal control objectives by
providing monitoring services for the respective controls.

The Internal Audit Charter: Establishing the Internal Audit Function


The internal audit function of a firm must have a charter. In general, a charter is a document that outlines
the principles, functions, and organization of a corporate body. In the case of the internal audit function, the
internal audit charter formally defines the internal audit activity's purpose, authority, and responsibility. It
defines the nature of the assurance services and consulting services that the internal audit activity is
expected to provide to the organization.

The charter should establish that the Chief Audit Executive (CAE) reports to the board of directors. It
should give the internal audit activity authority to access all records, personnel, and physical property that
may be relevant to the performance of engagements. The board of directors must approve the internal audit
charter.

Organizational Independence
The internal audit activity must have organizational independence. According to the Standards (Standard
1110), in order to have organizational independence, the Chief Audit Executive must report to a level that
allows the internal audit activity to fulfill its responsibilities. Organizational independence is achieved when
the Chief Audit Executive reports functionally to the board of directors. Reporting to the board permits the
internal audit activity to be free from interference in determining the scope of its internal auditing, performing
its work, and communicating its results. To accomplish the necessary organizational independence, the Chief
Audit Executive must communicate and interact directly with the board (Standard 1110.A1).

In other words, if the Chief Audit Executive were to report to a member of senior management, and if that
member of senior management were involved in some kind of fraud or fraudulent reporting, that senior
manager could instruct the Chief Audit Executive in how to do the auditing so that the internal audit activity
would not be able to discover the improper activities. Furthermore, the senior manager would have the power
to fire the Chief Audit Executive. When the Chief Audit Executive is hired by and reports directly to the board,
no senior manager or anyone else in the organization is able to influence what the Chief Audit Executive does.
That is the definition of organizational independence.

Scope of Activities and Responsibilities


The scope of the internal audit function should cover all of the organization's operations, records, personnel,
and properties. While the internal audit scope might appear broad, there is a very specific limit to its
responsibilities.

The responsibility of the internal auditor is to review and appraise policies, procedures, plans, and
records for the purpose of informing and advising management.

However, internal auditors do not have any authority or responsibility over operating activities. If
they had this responsibility, it would impair any independence and objectivity the internal auditors may have
in working in these areas because they would in essence be auditing themselves.

The responsibility of internal audit ends with the making of recommendations. Auditors should have
no authority over or responsibility for the activities they audit or the implementation of their recommenda-
tions. It is the responsibility of the board or management to implement the recommendations brought to
them by the internal auditors.

Note: The practice of internal auditing is governed by the International Standards for the Professional
Practice of Internal Auditing issued by the Institute of Internal Auditors.

Roles and Responsibilities of the Chief Audit Executive

The Chief Audit Executive is responsible for managing the internal audit activity effectively and in accordance
with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the
International Standards for the Professional Practice of Internal Auditing.

Managing the internal audit activity includes the following:

Ensuring that the internal audit activity achieves the purpose and responsibility set out in the internal
audit charter,

Ensuring that the internal audit activity conforms with the Definition of Internal Auditing and the
Standards, and

Ensuring that the internal audit activity staff members conform to the Code of Ethics and the Stand-
ards.

In addition to the above, other specific responsibilities of the Chief Audit Executive include:

Establishing a risk-based plan to determine the priorities of the internal audit activity, consistent with
the organization's goals,

Communicating the internal audit activity's plans and resource limitations to senior management and
the board,

Establishing policies and procedures to guide the internal audit activity,

Coordinating activities with other internal and external providers of assurance and consulting ser-
vices to ensure proper coverage and minimize duplication of efforts, and

Reporting periodically to senior management and the board on the internal audit activity's purpose,
authority, responsibility, and performance relative to its plan.


Scope of Services
Based on the recommendations of the IIA, the scope of internal auditing work encompasses a systematic,
disciplined approach to evaluating and improving the adequacy and effectiveness of risk management,
control, and governance processes and the quality of performance in carrying out assigned responsibilities.
The purpose of evaluating the adequacy of the organization's risk management, control, and governance
processes is to provide reasonable assurance that these processes support efficient and effective
performance. Senior management and the board might also provide general direction as to the scope of
work and the activities to be audited.

The adequacy of risk management, control, and governance processes is present if management has
planned and designed them in a manner that provides reasonable assurance that the organization's
objectives and goals will be achieved efficiently and economically.

Reasonable assurance recognizes the fact that there is no way to guarantee that the risk management,
control, and governance processes are working perfectly. There is always the potential for mistakes, human
error, collusion, failure to properly apply a control, or other events that will cause a control to fail. While it is
not possible to provide absolute guarantees, the internal audit function can provide reasonable assurance that
these areas of the business are operating as they should by properly designing tests and testing controls and
by properly analyzing the control activities in a company. It is also important to note that external auditors
also provide only reasonable assurance with their audit work.

Note: The size and scope of an internal audit function of a company will depend upon a number of factors,
and among these are the size and complexity of the operations of the company and the amount of risk
that the owners are willing to bear. A small company may not have an internal audit function and will
outsource to consultants or external auditors any work that would be done by an internal auditor. Large
companies will have their own internal audit function that will be led by the Chief Audit Executive (CAE)
and may have hundreds of staff members. The main thing to bear in mind is that the benefit of the internal
audit function must be greater than the cost of the internal audit function.

According to Internal Auditing Standard 2130.A1, the internal auditor assists the organization in maintaining
effective controls by evaluating the adequacy and effectiveness of controls in responding to risks within the
organization's governance, operations, and information systems regarding the:
Reliability and integrity of financial and operational information,

Effectiveness and efficiency of operations and programs,

Safeguarding of assets, and

Compliance with laws, regulations, policies, procedures, and contracts.

Question 70: Which of the following statements represents the most important benefit that the internal
audit department provides to management?

a) Assurance that the organization is in compliance with legal requirements.

b) Assurance that fraudulent activities will be detected quickly.

c) Assurance that there is reasonable control over day-to-day operations.

d) Assurance that external financial statements are correct.

(CMA Adapted)


Testing and Evaluating the Effectiveness of the Internal Control System


The management of the organization, including the board of directors, is responsible for the organization's
system of internal control. In order to assist management in the fulfillment of this responsibility, internal
auditors are used to monitor the performance of the internal controls.

This monitoring of the control system essentially has two parts:

1) Evaluating the effectiveness of controls by identifying risks and then assessing existing controls
to determine whether or not these controls, when properly executed, will adequately address these
risks. In a sense, the evaluation of the effectiveness of controls looks at how the controls are de-
signed in theory.

2) Testing compliance with controls, or the process of testing to see if the controls are being
followed. For example, if the control requires two signatures on all purchase orders, the test of
compliance would confirm that all purchase orders are signed by the proper two individuals.

The specific nature of a given test of a control will depend on the control itself. However, the details of this
testing are outside the scope of the exam.

Determining Which Engagements to Conduct


The Chief Audit Executive (CAE) decides which engagements will be performed, and there are many factors
that the CAE will consider in making this decision. Many CAEs find it useful to first update the internal audit
activity's audit universe, which is a list of all the possible audits that the internal audit activity can perform.
To understand the nature of the audit universe, the CAE should obtain input from senior management and the
board. However, even without the assistance of senior management and the board, the CAE should be able to
determine what the audit universe includes.

Usually, the audit universe includes many more potential engagements than the internal audit function has
the resources to perform. Therefore, the chief audit executive will need to prioritize which engagements
should be performed.

One of the most important elements when prioritizing engagements is the consideration of risk. According to
Internal Auditing Standard 2010, the CAE must establish a risk-based plan to determine the priorities of the
internal audit activity, consistent with the organization's goals. In this context, risk is defined as the likelihood
that the goals and objectives of the organization will not be achieved. Priority should be given to areas where
risk is assessed the highest.

In considering risk, the CAE should use the organization's risk management framework, if one exists,
using the risk appetite levels set by management for the different activities or parts of the organization. If a
framework does not exist, the CAE should use his or her own judgment of risks, after consultation with senior
management and the board.

It is largely through this consideration of risk that the CAE is able to prioritize the necessary engagements.
However, risk is not the only criterion because there are other factors that will be considered, including:

The length of time since the last engagement was performed in this area

Requests from senior management, the audit committee, or other governing bodies

External audits of financial statements and of management's control over financial reporting

Changing circumstances in the business, operations, programs, systems, or controls

Changes in the risk environment or control procedures in a given department

The potential benefit that could be achieved from the engagement

© 2017 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. 235
Internal Auditing CMA Part 1

Changes in the skills of the available staff, because new skills may enable the internal audit activity
to conduct different types of engagements (for instance, a new employee may bring new skills, or
training may give an existing staff member new skills)

Of all of these considerations, risk assessment is generally the most important because there are both
quantitative (numerical) assessments and qualitative (characteristics) assessments of risk. Quantitative
assessments include the dollar value of the assets at risk or the potential loss, while qualitative assessments
include things such as risk in the area of fraudulent behavior or the importance of the section to the
operations of the business as a whole.

One way to measure the extent of risk in different areas is to multiply the dollar amount that is at risk of loss
by the percentage chance (that is, probability) of the loss occurring. For example, a CAE might consider and
assess the risks associated with petty cash: petty cash is available to a large number of people, the dollar
amount is generally low, and records of transactions require simple documentation. After considering these
factors, the CAE may determine that petty cash has a lower priority when compared to an area where there is
a lower risk of loss but the potential amount of the loss is much greater.

There are also risks that are not related to the assets of the company or to a specific monetary amount that
also need to be assessed. For example, control procedures (or, more accurately, lack of control procedures)
connected to the production processes of the company may also be an area of risk that would need
investigation.

Types of Engagements
Internal auditors perform two basic categories of services: assurance services and consulting services.

Assurance services involve performing an objective examination of evidence to provide an independent
opinion or conclusions regarding an entity, an operation, a function, a process, a system, or some other
subject. Examples of this type of work include financial audits, performance audits, audits of financial controls,
risk management audits, compliance audits, audits of system security, and due diligence35 engagements.
Assurance engagements provide an assessment of the reliability and/or relevance of data and operations in
specific areas.

Consulting services involve providing advice to management. Usually they are performed at the request of
the client, and their nature and scope are agreed upon with the client36 prior to the engagement. They are
intended to add value and improve an organization's governance, risk management, and control processes
without the internal auditor assuming management responsibility.

Note: For the CMA Exam, look only at operational and compliance audits because these are the only two
types of engagements listed in the LOS.

Operational (or Performance) Audit

The purpose of an operational or performance audit is to examine and evaluate systems of internal
control, overall company operations, and the quality of performance in carrying out assigned responsibilities.
In order to assess these items, a company must have a standard level of behavior or output or some other
objective. The internal auditors will then compare the results of the operations with these standards.

35 In business, due diligence applies to the acquisition of a target company. Due diligence is the process of
evaluating the target company or its assets prior to making an offer for the business.
36 Internal auditors do not have external clients.

The focus of an operational or performance audit is on the three E's:

Efficiency

Effectiveness

Economy

The overall goal of these engagements is to help the company perform better by utilizing assets more
efficiently and effectively and to make certain that the activities within the company are helping the company
achieve its goals.

The main techniques for the auditor in an operational audit are analysis, the observation of departmental
activities, and questionnaires or interviews of employees.

In addition, as part of an operational audit the internal auditor will make recommendations to improve the
process or operation.

The scope of the operational or performance audit exceeds that of a financial audit. In addition to evaluating
the financial records and information (that is, the focus of a financial audit), internal auditors will also look at
areas that do not affect the financial statements or other financial reporting, including evaluating the
adequacy and effectiveness of controls related to policies, procedures, and decision-making.

Compliance Audit
A compliance audit determines the degree to which an organization is operating in an orderly way, conforming
effectively and visibly to certain specific requirements of its policies, procedures, standards, or laws, and
complying with governmental regulations. Compliance auditing is more objective than other internal auditing
applications. To perform a compliance audit, the auditor must first know the applicable policies, procedures,
standards, and laws.

In a compliance audit, the internal auditor focuses on issues of compliance (or lack of compliance). In the
case of noncompliance, the auditor will also determine the cause of the noncompliance, the cost of the
noncompliance, and appropriate actions that must be taken in order for a company to be in compliance.

Question 71: Which one of the following items is included in an operational audit but is not required in a
financial audit conducted by an external auditor?

a) Supervision of the audit team's activities and output.

b) Fact-finding, analysis, and documentation.

c) Reporting on the findings.

d) Recommendations for improvement.

(CMA Adapted)

Question 72: An example of the subject of an operational audit would be:

a) The income tax return information of a manufacturer.

b) The performance statistics on the delivery of a city's services.

c) The verification of the dollar amount of royalties due to the developer of a manufacturing process
from the user of that process.

d) The five-year revenue and expenses forecast by an entrepreneur seeking to raise venture capital
for his prospective operation.

(CMA Adapted)


Reporting to the Board

A control breakdown occurs when a control fails. Many control breakdowns are accidental and do not put the
company at significant risk. However, the internal auditor needs to identify significant control breakdowns
that could harm the company. In addition, breakdowns and their associated risks need to be properly
reported. This reporting will be in the engagement report and may also be reported directly to the Board.

All material weaknesses37 that could cause a con


The auditor may choose to issue an interim report if the breakdown is significant. Generally, interim reports
should be issued whenever there is an issue that needs to be addressed immediately.

If an internal auditor identifies a weakness in controls, he or she should evaluate its severity to determine
whether or not the deficiency, either individually or in combination with other deficiencies, represents a
material weakness. The severity depends upon:

Whether or not there is a reasonable possibility that the company's controls will fail to prevent or
detect a misstatement of an account balance or disclosure

The magnitude of the potential loss resulting from the deficiency or deficiencies

The auditor should evaluate the effect of compensating controls when determining whether or not a control
deficiency is a material weakness. In order to have a mitigating effect, a compensating control should operate
at a level of precision that would prevent or detect any misstatement that would be material.

Risk factors affect whether or not there is a reasonable possibility that a deficiency or a combination of
deficiencies will result in a misstatement of an account balance or disclosure. These risk factors include:

The nature of the financial statement accounts, disclosures, and assertions involved

The susceptibility of the related asset or liability to loss or fraud, or how likely it is that something
could go wrong

The subjectivity, complexity, or extent of judgment required to determine the amount involved

The interaction or relationship of the control with other controls, including whether or not they are
interdependent or redundant

The interaction of the deficiencies (that is, if there is more than one, whether or not they collectively
could cause a material misstatement)

The possible future consequences of the deficiency

Types of Incidents That Should Be Reported to the Board

When reporting on the results of their work, internal auditors should reveal all material facts known to
them which, if not revealed, could either distort reports of operations under review or conceal unlawful
practices. Incidents that should be reported include but are not limited to:

1) Fraud. If fraud is suspected, the internal auditor should notify the appropriate level within the
organization. This level is always at least one level above the point at which the fraud is suspected.

2) Violation of any law, such as environmental regulations.

3) For a quality audit, inconsistent product quality that may cause a loss of market share.

4) A situation in which no control failure has occurred, no illegal activity is going on, and no accounting
errors have occurred may also be a reportable situation in certain circumstances. For instance, if an
auditor discovers that a major supplier is not offering the organization a discount for early payment,
when the auditor knows that the supplier is offering discounts to other companies on similar purchases,
the goal of efficiency would indicate that he or she report this information to management.

37
Material means important or capable of causing great consequences. A material weakness

statement irregularities is found to be ineffective. Thus a material weakness is an important weakness that could lead to a

IIA Practice Advisory 2060-1 provides guidance on this issue as follows:

Significant issues are those conditions that, in the judgment of the chief audit executive, could adversely
affect the organization and its ability to achieve its strategic, financial reporting, operational, and
compliance objectives. Significant issues may carry unacceptable exposure to internal and external risks,
including conditions related to control weaknesses, fraud, irregularities, illegal acts, errors, inefficiency,
waste, ineffectiveness, conflicts of interest, and financial viability.

After the information is communicated to the Board, the Board decides the actions to be taken. The role of
the internal auditor is simply to report to the Board, not to make decisions.

Inherent Risk, Control Risk and Detection Risk

Note: This topic is listed in the LOS in the section Governance, Risk and Compliance. This information is
included in Internal Audit because it fits better with the topic of auditing.

Generally, audit risk and the specific risks of inherent, control and detection risk are discussed as part of a
financial statement audit, but they are also applicable to any type of engagement performed by the internal
auditor. Audit risk is the risk that the auditor will come to the wrong conclusion. For example, for an internal
auditor there is a risk that after they do all of their testing and analysis they will conclude that the internal
control system is working properly, when it is not really working properly. It is also the risk that they will
conclude that the internal control system is not working properly when it is in fact working properly.

Audit risk can be looked at in these three ways:

Inherent risk: The risk that is natural in the function being audited, assuming that there are no
controls. It is the susceptibility to a material mistake when no related controls exist. An example of high
inherent risk is the calculation of pension liabilities, which by nature are extremely complex.

Control risk: The risk that an internal control will not prevent or detect a material misstatement in
a timely manner. As seen in the section on Internal Control, internal control is not a guarantee that
an organization will achieve its financial reporting, operational, and compliance objectives. No matter
how well designed and operated it is, internal control can provide only reasonable assurance to
management and the board that those objectives will be achieved. The reasons are that controls may fail
because of human error, or they can be circumvented by collusion, or management may override internal
control procedures.

Detection risk: For an internal auditor, this is the risk that the auditor through audit testing will not
detect a material misstatement in an account balance or class of transactions that could result in a
material weakness for the company.


Question 73: In assessing relative risks, internal auditors should be least concerned with:

a) Statistical sampling techniques.

b) Compliance with internal and external rules and regulations.

c) Reliability and integrity of information.

d) Safeguarding of assets.

(CMA Adapted)

Question 74: Inherent risk is:

a) The risk that the auditor may unknowingly fail to appropriately modify his opinion on financial
statements that are materially misstated.

b) The risk that the auditor will not detect a material misstatement that exists in an assertion.

c) The susceptibility of an assertion to a material misstatement, assuming that there are no related
internal control structure policies or procedures.

d) The risk that a material misstatement that could occur in an assertion will not be prevented or
detected on a timely basis by the entity's internal control structure policies or procedures.

(CMA Adapted)

Question 75: Control risk is the risk that a material misstatement in an account will not be prevented or
detected on a timely basis by the client's internal control structure policies or procedures. The best control
procedure for preventing or detecting fictitious payroll transactions is:

a) Personnel department authorization for hiring, pay rate, job status and termination.

b) To use and account for prenumbered payroll checks.

c) Periodic independent bank reconciliations of the payroll bank account.

d) Storage of unclaimed wages in a vault with restricted access.

(CMA Adapted)


Systems Controls and Security Measures

Introduction to Systems Controls
Extensive use of computers in operations increases an organization's exposure to inaccuracies and fraud.

Since computers apply the same steps to similar transactions, there should be no chance for clerical (human)
error in processing. However, if there is a mistake in the program itself, there will be an error in every
transaction that is processed using that defective program. Furthermore, if a clerical error is made in input, it
will of course result in an output error.

Potential for fraud is always present in organizations and is a serious problem, even without computer
processing of data. The automatic processing of data, the volume of the data processed and the complexity of
the processing are aspects of computer processing that can increase both the risk of loss and the potential
dollar loss from exposures that would exist anyway. The concentration of data storage creates exposure, as
well. The potential for fraud is further increased because of the fact that programs are used for the
processing. There is potential for fraud to be committed within the program itself. Without proper controls,
this type of fraud may go undetected for a long period of time.

Further complicating the situation is the fact that because of the nature of the system, paper audit trails
may exist for only a short period of time, since support documents may be periodically deleted. The existence
of an audit trail means that an amount appearing in a general ledger account can be verified by evidence
supporting all the individual transactions that go into the total. The audit trail must include all of the
documentary evidence for each transaction and the control techniques that the transaction was subjected to,
in order to provide assurance that the transaction was properly authorized and properly processed. When an
audit trail is absent, the reliability of an accounting information system is questionable.

On the positive side, computer systems can provide large amounts of information to management in a very
short period of time. This can enable management to maintain closer control over the activities of the
company and their results.

The objectives of controls for an information system are similar to the objectives of overall organizational
internal controls:

Promoting effectiveness and efficiency of operations in order to achieve the organization's objectives.

Maintaining the reliability of financial reporting through checking the accuracy and reliability of
accounting data.

Assuring compliance with all laws and regulations that the company is subject to, as well as adherence
to managerial policies.

Safeguarding assets.

Information system internal control guidelines are based upon two documents:

1) The report of the Committee of Sponsoring Organizations, Internal Control Integrated Framework,
which is discussed in the section of this text titled Internal Control.

2) Control Objectives for Information and related Technology (COBIT), authored by the IT Governance
Institute and published by the Information Systems Audit and Control Foundation (ISACF).

In Internal Control Integrated Framework, internal control is defined as a process designed to provide
reasonable assurance regarding the achievement of objectives in three categories: effectiveness and
efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
The process is effected by an entity's board of directors, management, and other personnel.

The internal control system consists of five interrelated components:

1) The control environment

2) Risk assessment

3) Control activities

4) Information and communication

5) Monitoring38

Control Objectives for Information and related Technology

COBIT defines control as the policies, procedures, practices, and organizational structures designed to
provide reasonable assurance that business objectives will be achieved and that undesired events will be
prevented or detected and corrected.39 The COBIT document was used as a major resource for this section on
systems control.

Common exposures to loss that result from a failure to implement controls include competitive disadvantage,
deficient revenues, loss of assets, inaccurate accounting, business interruption, statutory sanctions, erroneous
management decisions, fraud and embezzlement, and excessive costs.

The ultimate responsibility for internal control lies with management and the board.

Further, controls should be subjected to cost/benefit analysis. This means that management should not
spend more on controls than the amount the company can expect to receive in benefits from the controls.
This is a matter of judgment by management to determine what is required to attain reasonable assurance
that the control objectives are being met without spending more than can possibly be gained.

Threats to Information Systems

Sources of threats to information systems and data are many. A few of them are:

Errors can occur in system design

Errors can occur in input or input manipulation may occur

Data can be stolen over the Internet

Data and intellectual property, including trade secrets, can be stolen by employees who carry it out
on very small storage media or just email it out

Unauthorized alterations can be made to programs by programmers adding instructions that divert
assets to their own use

Data and programs can be damaged and/or become corrupted, either deliberately or accidentally

Data can be altered directly in the data file, without recording any transaction that can be detected

Viruses, Trojan horses, and worms can infect a system, causing a system crash, stealing data, or
damaging data

Hardware can be stolen

Physical facilities as well as the data maintained in them can be damaged by natural disasters, illegal
activity or sabotage

38
Internal Control Integrated Framework, copyright 1992, 1994, and 2013 by the Committee of Sponsoring
Organizations of the Treadway Commission, two volume edition 1994, Vol. 1, pp. 3-5. Used by permission.
39
Control Objectives for Information and related Technology (COBIT), 3rd Edition, copyright 2000, IT Governance Institute,
www.itgi.org. Reprinted with permission; reproduction without permission is not permitted.

Thefts of names and social security numbers from databases have underscored the importance of protecting
information systems and data.

The first line of defense against events of this nature and threats such as those above is effective systems
controls. Controls must be a part of every system and application to preserve the integrity of the data and
reduce the risk of loss from poor records, inaccurate accounting, business interruption, fraud, violations of the
law, and loss of competitive position. The controls must not only exist, but they must also function effectively.

The Classification of Controls

Controls within a computer system are broken down into two types. They are general controls, which relate
to the environment; and application controls, which are controls that are specific to individual applications
and are designed to prevent, detect and correct errors and irregularities in transactions during the input,
processing and output stages. Both general controls and application controls are essential.

General controls relate to the general environment within which transaction processing takes place. They
help to ensure a well-managed control environment.

General controls include controls over the development, modification and maintenance of computer programs,
segregation of duties, data security, administrative controls, and provision for disaster recovery. General
controls are broken down into the following categories (each is discussed in greater detail below):

The organization and operation of the computer facilities, including provision for segregation of
duties within the data processing function as well as segregation of the data processing function
from other operations. The IS activity should have a high enough level in the organization and adequate
authority to permit it to meet its objectives. There should be a systems control group to
monitor production, keep records, balance input and output, and see that work is completed on
schedule.

General operating procedures, including written procedures and manuals. Operating procedures
also specify the process to be followed in system development and system changes, in order to provide
reasonable assurance that development of, and changes to, computer programs are authorized,
tested, and approved prior to the use of the program.

Equipment and hardware controls, including controls installed in computers that can identify
incorrect data handling or improper operation of the equipment.

Access controls to equipment and data, such as controls over physical access to the computer
system and the data that are adequate to protect the equipment and data files from damage or
theft.

Application controls are controls that are specific to individual applications. They are designed to prevent,
detect, and correct errors in transactions as they flow through the input, processing, and output stages of
work. Thus, they are broken down into these three main categories (each of which is discussed in greater
detail below):

Input controls

Processing controls

Output controls


Question 76: EDP accounting control procedures are referred to as general controls or application
controls. The primary objective of application controls in a computer environment is to:

a) Provide controls over the electronic functioning of the hardware.

b) Maintain the accuracy of the inputs, files and outputs for specific applications.

c) Ensure the separation of incompatible functions in the data processing departments.

d) Plan for the protection of the facilities and backup for the systems.

(CMA Adapted)

General Controls
Organization and operation of the computer facilities
An IT Planning or Steering Committee should oversee the IT function. Members should include senior
management, user management and representatives from the IT function. The committee should
have regular meetings and report to senior management.

The IT function should be positioned within the organization so as to ensure its authority as well as
its independence from user departments.

Staffing requirements should be evaluated whenever necessary to make sure that the IT function
has sufficient, competent staff. Management should make certain that all personnel in the organization
know their responsibilities with respect to information systems and that they have sufficient
authority to exercise their responsibilities. Responsibilities should be delegated with appropriate
segregation of duties, and duties should be rotated periodically at irregularly scheduled times for key
processing functions.

Segregation of duties should be maintained between and among the following functions:

o Systems analysts

o Information systems use

o Data entry

o Data control clerks

o Programmers

o Computer operation

o Network management

o System administration

o Librarian

o Systems development and maintenance

o Change management

o Security administration

o Security audit

Segregation of duties will be discussed in more detail later.


General Operating Procedures

Standard procedures for all IT operations, including network operations, should be documented.
These should include documentation of the start-up process, job scheduling, processing continuity
during operator shift changes, operations logs and procedures that ensure connection and
disconnection of links to remote operations.

Task descriptions should be written for each job function; personnel should be trained in their jobs;
assigned duties should be rotated periodically for key processing functions.

Physical safeguards should be established over forms such as negotiable instruments and over
sensitive output devices such as signature cartridges. Sequential numbers on individual forms should
be printed in advance so missing forms can be detected.

The process to follow in system development and system changes should be documented in order to
provide reasonable assurance that development of, and changes to, computer programs are author-
ized, tested and approved prior to the use of the program.

Turnaround documents should be used whenever appropriate. A turnaround document is a document
created by a computer that has some additional information added to it and is then returned to become
an input document to the computer. The documents are printed with Optical Character Recognition (OCR)
fonts so that they can be read by the computer when they are scanned, and thus the information does not
need to be keyed in. Some examples of turnaround documents are invoices with a top section that the
customer tears off and returns with payment (with the amount paid filled in), or magazine subscription
renewal notices that the subscriber returns with renewal instructions. The use of a turnaround document
limits the chances of input errors occurring and reduces the need for manual data entry.

Equipment Controls
A defined backup procedure should be in place, and the usability of the backups should be verified
regularly.

Transaction trails should be available for tracing the contents of any individual transaction record
backward or forward, and between output, processing, and source. Records of all changes to files
should be maintained.

Statistics on data input and other types of source errors should be accumulated and reviewed to
determine remedial efforts needed to reduce errors.

Equipment Access and Data Access Controls

The responsibility for logical security and physical security should be assigned to an information security
officer.
Logical security consists of access and ability to use the equipment and data. It includes Internet
security (firewalls) and virus protection procedures; access controls for users to minimize actions
they can perform; authentication processes to verify the identity of users; and cryptographic
techniques such as encryption of messages and digital signatures.

Unauthorized personnel, online connections and other system entry ports should be prevented from
accessing computer resources. Passwords should be changed regularly for all those authorized to
access the data. Procedures should be established for issuing, suspending and closing user accounts,
and access rights should be reviewed periodically.

All passwords should be issued with levels of authority that permit the users to access only the data
that they need to be able to access in order to do their jobs. For example, a person who does invoicing
needs access to the invoicing module of the accounting program but does not need access to the
general ledger module. The person who does receiving needs access to the purchase order module,
but not to invoicing.

Only authorized software from known sources should be allowed to be used in the system. Authorized
software should be free of viruses and other malware.

Physical security involves things such as keeping servers and associated peripheral equipment in a
separated, secure room with bars on the windows and use of blinds or reflective film on the windows
for heat blocking as well as physical protection. It also includes password protection for servers;
monitoring of hardware components to prevent them from being removed from the premises; security
for offsite backup tapes; and biometrics such as fingerprints, voice verification, and so forth to
identify a person based on physical or behavioral characteristics.

Physical security also involves the locations of wiring that connects the system, backup media, and
maintenance of uninterruptible power supplies. An IT member should escort visitors when they enter
the computer room.

Media library contents should be protected. Responsibilities for storage media library management
should be assigned to specific employees. Contents of the media library should be inventoried
systematically, so any discrepancies can be remedied and the integrity of magnetic media is
maintained. Policies and procedures should be established for archiving.

Dual access and dual control should be established to require two independent, simultaneous actions
before processing is permitted.

Segregation of Duties
The most important organizational and operating control is the segregation of duties. Although the
traditional segregation practiced in accounting of separating the responsibilities of authorization, record
keeping and custody of assets may not be practiced in the same manner in Information Systems (since the
work is quite different), there are still specific duties in the IS environment that should be separate from one
another.

Separate Information Systems from Other Departments


IS department personnel should be separated from the departments and personnel that they support (called
. This means:

Users initiate and authorize all systems changes, and a formal written authorization is required.

Asset custody remains with the user departments.

An error log is maintained and referred to the user for correction. The data control group follows up
on errors.

Separate Responsibilities within the Information Systems Department


Responsibilities within the Information Systems Department should be separated from one another. An
individual with unlimited access to a computer, its programs, and its data could execute a fraud and at the
same time conceal it. Therefore, effective segregation of duties should be instituted by separating the
authority for and the responsibility for the function.

Although designing and implementing segregation of duties controls makes it difficult for one employee to
commit fraud, remember that segregation of duties is not perfect insurance against fraud because two
employees could collude to override the controls.

40

systems.


We will look at the various positions within a computer system and the responsibilities of each.

Systems analysts are responsible for reviewing the current system to make sure that it is meeting
the needs of the organization, and when it is not, they will provide the design specifications to the
programmers of the new system. Systems analysts should not do programming, nor should they
have access to hardware, software or data files.

Programmers are the individuals who write, test and document the systems. They are able to
modify programs, data files and controls, but should not have access to the computers and programs
that are in actual use for processing. For instance, if a bank programmer were allowed access to
actual live data and had borrowed money from the bank, he or she could delete his or her own loan balance
while conducting a test. When programmers must do testing, they should work with copies of rec-
ords only and should not have the authority, opportunity or ability to make any changes in master
records or files.

Computer operators perform the actual operation of the computers for processing the data. They
should not have programming functions and should not be able to modify any programs. Their job
responsibilities should be rotated so no one operator is always overseeing the running of the same
application. The most critical segregation of duties is between programmers and computer
operators.

The data control group receives user input, logs it, monitors the processing of the data, reconciles
input and output, distributes output to authorized users, and checks to see that errors are corrected.
They also maintain registers of computer access codes and coordinate security controls with other
computer personnel. They must keep the computer accounts and access authorizations current at all
times. They should be organizationally independent of computer operations. Systems control
personnel should be responsible for detecting and correcting errors, not computer operators.

Transaction authorization: Users should submit a signed form with each batch of input data to
verify that the data has been authorized and that the proper batch control totals have been pre-
pared. Data control group personnel should verify the signatures and batch control totals before
submitting the input for processing.41 This would prevent a payroll clerk, for instance, from submit-
ting an unauthorized pay increase. Furthermore, no personnel in the Information Systems group
should have authority to initiate or authorize any entries or transactions.

Data conversion operators perform tasks of converting and transmitting data. They should have
no access to the library or to program documentation, nor should they have any input/output control
responsibilities.

Librarians maintain the documentation, programs and data files. They should have no access to
equipment. The librarian should restrict access to the data files and programs to authorized person-
nel at scheduled times. Furthermore, the librarian maintains records of all usage, and those records
should be reviewed regularly by the data control group for evidence of unauthorized use.

Only authorized people should be able to call program vendor technical support departments. If
vendor-
tifying callers and should give technical instructions for fixing problems only to employees who are
authorized to receive such instructions.

41
Batch control totals are any type of control total or count applied to a specific group of transactions, such as total sales
dollars in a batch of billings. Batch control totals are used to ensure that all input is processed correctly by the computer. In
batch processing, items are batched in bundles of a preset number of transactions. If a batch consists of financial
transactions, a batch control document that goes with the batch includes the bundle number, the date and the total dollar
amount of the batch. As the computer processes the batch, it checks the batch control total (the total dollar amount) for
the batch and compares the processed total with the batch control total. If they match, the batch is posted. If they do not,
the posting is rejected, and the difference must be investigated. Batch control totals can also be calculated and used for
non-financial fields in transactions. For instance, a batch control total might be the total hours worked by employees.


The database administrator controls access to the various files, controls program changes, and makes
source code details available only to those who need to know.

The location of any off-site storage facilities should be known by as few people as possible.

No IS personnel should have access to any assets that are accounted for in the computer system.

System and Program Development and Change Controls


Systems development controls during the development stage of an information system enhance the ultimate

functions.

Controls are instituted at this stage for multiple reasons.

1) To ensure that all changes are properly authorized and are not made by individuals who lack suffi-
cient understanding of control procedures, proper approvals and the need for adequate testing.

2) To prevent errors in the resulting system that could cause major processing errors in data.

3) To limit the potential for a myriad of other problems during the development process and after its
completion.

The following are only a few of the control considerations in systems development. This is not an exhaustive
list but presented to give you an idea of what is involved. These have been adapted from the recommenda-
tions in COBIT.

1) Statement of Objectives Stage


The authorized users should submit a written request, stating the business need. The request should
be reviewed by the steering committee.

The user department management should participate in the definition and authorization of the
development, implementation, or modification project.

There should be a clear written statement defining the nature and scope of the project.

A risk assessment should be done as part of the initial proposal to document security threats, poten-
tial vulnerabilities and impacts, and the feasible security and internal control safeguards necessary to
reduce or eliminate the identified risks.

If the request is approved, resources are allocated for the next stage, which will be the feasibility study.

A clear, written statement of objectives and a risk assessment at this stage can limit the number of changes
needed later on and shorten the time required to identify solutions and obtain approvals.

2) Investigation and Feasibility Study Stage


A cost-benefit analysis is done. Questions to be answered include whether the system will provide an
adequate payback; whether it will fit into the existing software environment; whether it will run on
existing hardware or whether a hardware upgrade will be needed; whether new storage media will
be required; whether the resources are available for the project; whether the application would re-
quire extensive user or programmer training; and what effect it would have on existing systems.

The feasibility study should include an analysis of needs, costs, implementation times, and potential
risks.

In evaluating possible solutions, criteria should be developed for consideration of in-house develop-
ment, purchased solutions and outsourcing options.


The technological feasibility of each alternative for satisfying the business requirements should be
examined; and the costs and benefits associated with each alternative under consideration should be
analyzed.

Key users should be identified to assist in the analysis and recommendations.

The development team should have a good knowledge of the solutions available and limit their
consideration to proven technology rather than experimenting with new technology, unless experi-
mentation is justified by the situation.

Senior management should review the reports of the feasibility studies and approve or disapprove
proceeding with the project.

For each approved project, a master plan should be created to maintain control over the project
throughout its life, which includes a method of monitoring the time and costs incurred.

The cost-benefit analysis done at this stage is extremely important as a control tool, as this can also reduce
changes later on that could be caused by the discovery of unexpected costs. Furthermore, if the project is
seriously flawed, it can be rejected at this stage before a major investment is made.

3) Systems Analysis Stage


Business requirements satisfied by the existing system and those that the proposed system expects
to attain should be clearly defined, including user requirements, specifications as to what the new
system is supposed to accomplish, and alternatives for achieving the specifications such as in-house
development versus a vendor package.

Inputs, processing requirements and output requirements should be defined and documented.

All security requirements should be identified at the requirements phase of the project and justified,
agreed and documented.

A structured analysis process should be used.

If the information required by the users is not clear, the new system cannot possibly support the business
process, leading again to delays in implementation and additional costs to redesign the system.

4) Systems Design and Development Stage


Systems analysts, working closely with system users, create the design specifications and verify
them against the user requirements.

System flowcharts, report layouts, data conversion procedures and test plans are developed.

Design specifications should be reviewed and approved by management, the user departments and
senior management.

Detailed program specifications should be prepared to ensure that program specifications agree with
system design specifications.

Mechanisms for the collection and entry of data should be specified for the development project.

Data elements are defined. Each field in each file is listed and defined.

The file format should be defined and documented for the project to ensure that data dictionary rules
are followed.

All external and internal interfaces should be properly specified, designed and documented.

An interface between the user and the machine that is easy to use and contains online help functions
should be developed.

Hardware and software selection should identify mandatory and optional requirements. The potential
impact of new hardware and software on the performance of the overall system should be assessed.


An up-to-date inventory of hardware and software infrastructure should be available.

Acquisition policies and practices should be clearly understood, and the selection process should
focus on using reusable components.

Performance and capacity requirements should be duly considered.

Key requirements should be prioritized in case of possible scope reductions.

Adequate audit trail mechanisms should be developed for the selected solution, giving it the ability to
protect sensitive data.

Contracts with suppliers should include a definition of acceptance criteria and procedures, and
dependency on single-source suppliers should be managed.

If a vendor package or packages are to be used, they should be evaluated rigorously. Factors to
consider include the stability of the vendor, how long the system has been on the market, whether it
has a base of users and the satisfaction level of
control standards, the adequacy of the documentation, the availability of vendor technical support,
and flexibility of the system such as whether it has a report writer that users can use to develop re-
ports
a consideration.

As already mentioned, only authorized people should be able to call vendor technical support de-
partments. This is an important control, so it warrants mentioning again. The evaluation of a vendor
system should include inquiries as to the means the vendor has to identify callers to its technical
support area and determine whether the caller has authority to receive technical instructions for fix-
ing problems.

The benefits from these controls should be reduction in delays due to inadequate infrastructure, reduced
interoperability and integration problems, and reduced costs for modifications later.

5) Program Coding and Testing Stage


Programs are coded according to the specifications developed in the systems design and develop-
ment stage.

Procedures should provide for a formal evaluation and approval by management of the user depart-
ment(s) and management of the IT function of work accomplished and test results in each phase of
the cycle before work on the next phase begins.

There should be a separation between development and testing activities.

A formal process for handover from development to testing to operations should be defined.

Resources should be available for a separate testing environment, which reflects as closely as possi-
ble the live environment, and sufficient time should be allowed for the testing process.

Parallel or pilot testing should be performed, and criteria for ending the testing process should be
specified in advance.

Testing should cover both the individual application and the application operating within the overall system.

An independent group should do the testing and try to make the system fail.

Both in-house systems and vendor packages should be tested.

Testing is the final check to make sure the system performs as it should.


6) Systems Implementation Stage


An implementation plan should be prepared, reviewed and approved by relevant parties and also
used to measure progress. It should include site preparation, equipment acquisition and installation,
user training, installation of operating software changes and implementation of operating procedures
and conversion procedures.

Data conversion is done. Controls such as record counts, reviews of reports and other types of
reconciliations are required.

The degree and form of documentation required is agreed upon and followed in the implementation.
Documentation will include system documentation, which is narrative descriptions, flowcharts, in-
put and output forms, file and record layouts, controls, authorizations for any changes and backup
procedures. It will also include program documentation, or descriptions of the programs, program
flowcharts, program listings of source code, input and output forms, change requests, operator in-
structions and controls. Operating documentation is the information about the performance of the
program. Procedural documentation provides information about the master plan and the handling
of files, and user documentation includes all the information a user will need to be able to use the
program.

Documentation provides a basis for effective operation, use, audit and future system enhancements.
It communicates among people who are developing, implementing and maintaining a system. A de-

It is also needed for diagnosing and correcting programming errors; and it provides a basis for re-
construction of the system in case of damage or destruction.

Standard operating procedures should be documented, distributed, and maintained using knowledge
management, workflow techniques and automated tools.

Staff of the user departments and the operations group of the IT function should be trained in
accordance with the training plan.

Formal evaluation and approval of the test results and the level of security for the system by man-
agement of the user department and the IT function should cover all components of the information
system.

Before the system is put into operation, the user should validate its operation as a complete product
under conditions similar to the application environment.

The decision should be made as to whether the new system will be implemented using a parallel
conversion (running both the old and the new systems together for a period of time), a phased con-
version (converting only parts of the application at a time or only a few locations at a time), pilot
conversion (the new system is tested in just one work site before full implementation), or a direct
conversion (changing over immediately from the old system to the new).

The benefits of these controls are more seamless integration of the new system into existing business
processes, adequate documentation at a reduced cost, and greater user proficiency and satisfaction with the
training process.

7) Systems Evaluation and Maintenance Stage


After implementation, the system moves into the maintenance phase.

A process should be in place to manage coordination between and among changes, recognizing
interdependencies.

There should be segregation of duties between development and production.

Maintenance personnel should have specific assignments, their work should be monitored, and their
system access rights should be controlled.


There should be a post-


the system.

Any modifications to the system should be authorized by user management, made in accordance
with the same standards as are used for system development, and should be tested and approved
by the user and IS management. Senior management should approve major projects.

When changes are being tested, they should be tested not only by using correct information, but
also by using incorrect information to make sure that the program will detect any errors and has the
necessary controls.

Whenever system changes are implemented, associated documentation and procedures should be
updated accordingly.

For a vendor package, maintenance procedures are of concern from a systems control standpoint.
Updates released by the vendor should be installed on a timely basis. For an organization with inte-
grated software, releases must be kept compatible. If one portion of the system is upgraded and
another part is not, the two systems may no longer interface properly.

If vendor-
changes are not properly reinstalled on top of new releases, erroneous processing can result. The
organization should maintain change controls to verify that all custom changes are properly identi-
fied. A good audit trail of all program changes is necessary. Another concern with vendor update
releases when in-house changes have been made is that the changes may need to be not only rein-
stalled, but completely rewritten. The changes made to the prior release of the program might not

Heavy modification of vendor code with no intention of installing new vendor releases because of the
necessity to reinstall the modifications should be avoided, because the system becomes essentially
an in-house system without the benefit of vendor support.

The benefits of these control procedures are reduced errors and disruptions due to poorly managed changes,
reduced resources and time required for changes, and reduced number of emergency fixes.

Another thing to be aware of is that programs are written in source code, which is the language that the
programmer uses for coding the program, and they also exist in object code, which is the machine language
that the processor can understand. The source code file is converted to object code by means of a program
called a compiler, and the object code, not the source code, is what actually runs on the computer. This is
important because although in theory the source code and the object code should correspond, the
computer does not require them to correspond. It would be possible for a knowledgeable person to
make a copy of the source code, rewrite portions of the instructions, compile the modified source code into a
new object code file for use by the computer, and then destroy the modified source code file, leaving the
authorized source code file unchanged. The result is that the executable object code (the actual instructions
used by the computer) will not match the authorized source code. This is a weakness that can be used to
commit computer fraud, if controls over compiling and cataloging activities are not adequate. Despite the
strongest internal controls over day-to-day operations in user departments, a fraudulent change to a program
could divert company funds to an individual, and the fraud could continue for a time without being detected.
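
The compile-and-catalog control the paragraph describes, as an added example that is not from the textbook: the librarian records a hash of the authorized source and of the object code built from it, and the check rebuilds from the source library and compares against what is actually running, so a tampered build whose source was destroyed is still exposed. Python's own `compile()` stands in for the compiler; the two program texts are constructed for illustration.

```python
"""Control over compiling and cataloging: detect production object code
that was not built from the authorized source.  Added example, not from
the textbook.  Python's own compile() stands in for the compiler, and the
two program texts are constructed for illustration."""
import hashlib
import types

# Constructed sample: the authorized, cataloged source of a small program.
AUTHORIZED_SOURCE = """
def net_pay(gross, tax_rate):
    return round(gross * (1 - tax_rate), 2)
"""

# Constructed sample: the same program after an unauthorized edit that
# shaves a little off every payment (the textbook's fraud scenario).
TAMPERED_SOURCE = """
def net_pay(gross, tax_rate):
    diverted = round(gross * 0.005, 2)
    return round(gross * (1 - tax_rate), 2) - diverted
"""


def compile_program(source: str, name: str) -> types.CodeType:
    """Stand-in for the compiler: source text in, object code out."""
    return compile(source, name, "exec")


def _canonical(code: types.CodeType) -> bytes:
    """Deterministic byte form of a code object.  Nested code objects
    (function bodies) are recursed into, because their repr() contains a
    memory address that differs from build to build."""
    parts = [code.co_code, repr(code.co_names).encode()]
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            parts.append(_canonical(const))
        else:
            parts.append(repr(const).encode())
    return b"|".join(parts)


def source_hash(source: str) -> str:
    return hashlib.sha256(source.encode()).hexdigest()


def object_hash(code: types.CodeType) -> str:
    return hashlib.sha256(_canonical(code)).hexdigest()


def catalog_entry(name: str, source: str) -> dict:
    """What the librarian records when an authorized build is cataloged:
    the hash of the source text and the hash of the object code built from it."""
    return {"name": name,
            "source_sha256": source_hash(source),
            "object_sha256": object_hash(compile_program(source, name))}


def verify_production(entry: dict, library_source: str,
                      deployed: types.CodeType) -> tuple:
    """The control check: rebuild from the source library and compare with
    the object code actually in use.  Returns (ok, reason)."""
    if source_hash(library_source) != entry["source_sha256"]:
        return False, "source library differs from the cataloged source"
    rebuilt = compile_program(library_source, entry["name"])
    if object_hash(rebuilt) != entry["object_sha256"]:
        return False, "rebuilding the cataloged source gives different object code"
    if object_hash(deployed) != entry["object_sha256"]:
        return False, "production object code was not built from the authorized source"
    return True, "production object code matches the authorized source"


def run_net_pay(code: types.CodeType, gross: float, tax_rate: float) -> float:
    """Execute a compiled program and call its net_pay function."""
    namespace = {}
    exec(code, namespace)
    return namespace["net_pay"](gross, tax_rate)


def honest_deployment() -> tuple:
    entry = catalog_entry("payroll", AUTHORIZED_SOURCE)
    return verify_production(entry, AUTHORIZED_SOURCE,
                             compile_program(AUTHORIZED_SOURCE, "payroll"))


def fraud_scenario() -> tuple:
    """A tampered copy is compiled and put into use and the tampered source
    is destroyed.  The library still holds the authorized text, so only a
    comparison against a rebuild exposes the mismatch."""
    entry = catalog_entry("payroll", AUTHORIZED_SOURCE)
    deployed = compile_program(TAMPERED_SOURCE, "payroll")
    return verify_production(entry, AUTHORIZED_SOURCE, deployed)
```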


Question 77: Program documentation is a control designed primarily to ensure that:

a) Programmers have access to the tape library or information on disk files.

b) Programs are kept up-to-date and perform as intended.

c) Programs do not make mathematical errors.

d) Data has been entered and processed.

(CMA Adapted)

Question 78: The reporting of accounting information plays a central role in the regulation of business
operations. The importance of sound internal control practices is underscored by the Foreign Corrupt
Practices Act of 1977, which requires publicly-owned U.S. corporations to maintain systems of internal
control that meet certain minimum standards. Preventive controls are an integral part of virtually all
accounting processing systems, and much of the information generated by the accounting system is used
for preventive control purposes. Which one of the following is not an essential element of a sound
preventive control system?

a) Documentation of policies and procedures.

b) Implementation of state-of-the-art software and hardware.

c) Separation of responsibilities for the recording, custodial and authorization functions.

d) Sound personnel practices.

(CMA Adapted)

Question 79: The process of learning how the current system functions, determining the needs of users
and developing the logical requirements of a proposed system is referred to as:

a) Systems analysis.

b) Systems feasibility study.

c) Systems implementation.

d) Systems maintenance.

(CMA Adapted)

Question 80: The most critical aspect of separation of duties within information systems is between:

a) Programmers and computer operators.

b) Programmers and project leaders.

c) Programmers and systems analysts.

d) Systems analysts and users.

(CMA Adapted)


Physical Access Controls


Computer facility controls should be in place to protect the physical assets of the computer center: the
hardware, peripherals, documentation, programs and data files in the library. The computer-processing center
should be in a locked area, and access to it should be restricted to authorized persons. Some means of
accomplishing this are:

Have company personnel wear color-coded ID badges with photos. People authorized to enter the
computer area are assigned an ID badge of a particular color.

r can be
automatically logged.

permits only authorized people to enter.

Keys may be issued to authorized personnel, or combination locks can be used to limit access. If
keys are used, they should be keys that cannot be easily duplicated, and locks need to be changed
periodically. If a combination lock is used, the combination should be changed periodically.

The location of the computer center should also be in a place where it is protected from natural
disasters as much as possible.

The computer center should be equipped with smoke and water detectors, fire suppression devices,
burglar alarms and surveillance cameras monitored by security personnel.

Insurance is the last resort, to be called upon only if all else fails, because it does not actually pro-
tect from loss but rather compensates for loss after it occurs. Insurance policies for computer
damages are usually restricted to actual monetary losses suffered, which is difficult to assess. For
example, computers may have a market value that is far less than the value of their services to the
company.

Hardware Controls for Networks


Computer networks require special controls due to the decentralized nature of the hardware.

Checkpoint processing should be used to enable recovery in case of a system failure. Checkpoint
control procedures are performed several times per hour, and during that time, the network system
will not accept posting. It stops and backs up all the data and other information needed to restart
the system. This checkpoint is recorded on separate media. Then, if a hardware failure occurs, the
company simply reverts to the last saved copy, and reprocesses only the transactions that were
posted after that checkpoint. The effect of this is similar to the rollback and recovery method.

Routing verification procedures protect against transactions routed to the wrong computer
network system address. Any transaction transmitted over the network must have a header label
identifying its destination. Before sending the transaction, the system verifies that the destination is
valid and authorized to receive data. After the transaction has been received, the system verifies
that the message went to the destination code in the header.

Message acknowledgment procedures can prevent the loss of part or all of a transaction or
message on a network. Messages are given a trailer label, which the receiving destination checks to
verify that the complete message was received.
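
Routing verification and message acknowledgment in working form, as an added example that is not from the textbook: the sender checks the header label's destination against a directory of authorized nodes, and the receiver checks that the message reached the node named in the header and that the trailer label's record count and digest match what arrived. The framing (a JSON header/body/trailer) and the node directory are constructed for illustration.

```python
"""Routing verification and message acknowledgment on a network link.
Added example, not from the textbook.  The framing is constructed for
illustration: a header label naming the destination and a trailer label
carrying the record count and a digest of the body."""
import hashlib
import json

# Constructed directory of nodes authorized to receive transaction data.
AUTHORIZED_DESTINATIONS = {"AP01": "accounts payable server",
                           "GL01": "general ledger server"}


def _body_digest(records: list) -> str:
    body = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def build_message(destination: str, sequence: int, records: list) -> dict:
    """Sender side: wrap the records in a header label and a trailer label."""
    return {"header": {"dest": destination, "seq": sequence},
            "body": list(records),
            "trailer": {"count": len(records), "sha256": _body_digest(records)}}


def verify_before_send(message: dict) -> tuple:
    """Routing verification at the sender: the destination in the header
    must be a valid node that is authorized to receive data."""
    dest = message["header"].get("dest")
    if dest not in AUTHORIZED_DESTINATIONS:
        return False, f"destination {dest!r} is not a valid, authorized node"
    return True, "ok"


def receive(message: dict, this_node: str) -> dict:
    """Receiver side: confirm the message reached the node named in its
    header, then use the trailer label to confirm it arrived complete.
    Returns the acknowledgment the receiver would send back."""
    header = message.get("header", {})
    seq, dest = header.get("seq"), header.get("dest")
    if dest != this_node:
        return {"seq": seq, "ack": False,
                "reason": f"misrouted: addressed to {dest!r}, arrived at {this_node!r}"}
    trailer = message.get("trailer")
    if trailer is None:
        return {"seq": seq, "ack": False,
                "reason": "trailer label missing: message truncated"}
    records = message.get("body", [])
    if trailer.get("count") != len(records):
        return {"seq": seq, "ack": False,
                "reason": f"record count {len(records)} != trailer count {trailer.get('count')}"}
    if trailer.get("sha256") != _body_digest(records):
        return {"seq": seq, "ack": False,
                "reason": "body digest does not match trailer: content altered or lost"}
    return {"seq": seq, "ack": True, "reason": "complete message received"}


# Constructed sample transactions.
SAMPLE_RECORDS = [{"invoice": "INV-1001", "amount": 250.00},
                  {"invoice": "INV-1002", "amount": 99.95},
                  {"invoice": "INV-1003", "amount": 1200.00}]


def simulate_truncated_delivery() -> dict:
    """Part of the message is lost in transit; the trailer still says 3 records."""
    msg = build_message("AP01", 7, SAMPLE_RECORDS)
    damaged = json.loads(json.dumps(msg))   # copy, as it would be re-parsed off the wire
    damaged["body"] = damaged["body"][:2]   # last record lost
    return receive(damaged, "AP01")


def simulate_misrouted_delivery() -> dict:
    """A message addressed to accounts payable arrives at the general ledger node."""
    msg = build_message("AP01", 8, SAMPLE_RECORDS)
    return receive(msg, "GL01")
```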


File Security and Storage Controls


File Security Control procedures include:

Labeling the contents of discs (CDs, DVDs, external hard drives), tapes, flash drives or memory
cards, and any other removable media, both externally and internally as part of the data file.

The read-only file designation is used to prevent users from altering or writing over data.

Database Management Systems use lockout procedures to prevent two applications from
updating the same record or data item at the same time.

Note: A deadly embrace occurs when two different applications or transactions each have a
lock on data that is needed by the other application or transaction. Neither process is able to pro-
ceed, because each is waiting for the other to do something. In these cases the system must
have a method of determining which transaction goes first, and then it must let the second trans-
action be completed using the updated information after the first transaction.
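
The deadly embrace and its resolution in working form, as an added example that is not from the textbook: a lock manager detects the cycle in the wait-for graph when the second transaction's request would close it, rolls that transaction back so the first can finish, and then reruns the second against the updated records. The lock manager, the inventory records and the two transfers are constructed for illustration.

```python
"""Deadly embrace between two transactions and one way a DBMS resolves it:
detect the cycle in the wait-for graph, roll back the later transaction,
let the first finish, then rerun the second against the updated data.
Added example, not from the textbook; the lock manager, record store and
transactions are constructed for illustration."""


class DeadlockError(Exception):
    pass


class LockManager:
    """Exclusive record locks with wait-for cycle detection."""

    def __init__(self):
        self.holder = {}    # record -> transaction holding its lock
        self.waiting = {}   # transaction -> record it is waiting for

    def acquire(self, txn: str, record: str) -> bool:
        """True if the lock is granted, False if txn must wait.  Raises
        DeadlockError when waiting would close a cycle (a deadly embrace)."""
        owner = self.holder.get(record)
        if owner is None or owner == txn:
            self.holder[record] = txn
            self.waiting.pop(txn, None)
            return True
        self.waiting[txn] = record
        if self._waits_for(owner, txn):
            del self.waiting[txn]
            raise DeadlockError(f"{txn} waiting for {record} held by {owner} closes a cycle")
        return False

    def _waits_for(self, start: str, target: str) -> bool:
        """Follow the chain start -> record it waits for -> that record's holder -> ..."""
        seen, cur = set(), start
        while cur is not None and cur not in seen:
            if cur == target:
                return True
            seen.add(cur)
            rec = self.waiting.get(cur)
            cur = self.holder.get(rec) if rec is not None else None
        return False

    def release_all(self, txn: str) -> None:
        for rec in [r for r, t in self.holder.items() if t == txn]:
            del self.holder[rec]
        self.waiting.pop(txn, None)


def run_scenario() -> tuple:
    """T1 moves 10 units from INV-100 to INV-200 while T2 moves 5 units the
    other way, interleaved so that each holds the record the other needs.
    Returns the final records and an event log."""
    db = {"INV-100": 50, "INV-200": 80}      # constructed quantities on hand
    lm, log = LockManager(), []

    def step(txn, record):
        try:
            granted = lm.acquire(txn, record)
        except DeadlockError as err:
            log.append(f"deadly embrace detected: {err}")
            return "deadlock"
        log.append(f"{txn} {'locks' if granted else 'waits for'} {record}")
        return "granted" if granted else "wait"

    step("T1", "INV-100")
    step("T2", "INV-200")
    step("T1", "INV-200")                     # T1 must wait for T2
    if step("T2", "INV-100") == "deadlock":   # T2 would wait for T1: cycle
        lm.release_all("T2")                  # the system lets T1 go first
        log.append("T2 rolled back; will rerun after T1")
    step("T1", "INV-200")                     # T1's wait is now satisfied
    db["INV-100"] -= 10
    db["INV-200"] += 10
    lm.release_all("T1")
    log.append(f"T1 commits: {db}")
    step("T2", "INV-200")                     # T2 rerun on the updated data
    step("T2", "INV-100")
    db["INV-200"] -= 5
    db["INV-100"] += 5
    lm.release_all("T2")
    log.append(f"T2 commits: {db}")
    return db, log
```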

se documentation, programs and data files are assets of the organization and require protection the
same as any other asset would. The data files
contain information that is critical to the enterprise, such as accounting records. Although backup
procedures could reconstruct lost or damaged data, it is less costly to prevent a data loss than to re-
pair it. Furthermore, confidential information is contained in the data files and must be protected
from misuse by unauthorized individuals.

Protection of program documentation is critical. Data can be changed within a file by someone who
knows how to do it, and technical manuals containing file descriptions are one way to get the neces-
sary information. Only authorized people who have the responsibility to repair data files that may
become corrupt should have access to technical manuals.


Application Controls
Application controls focus on preventing, detecting and correcting errors in transactions as they flow through
the input, processing and output stages of work in an information system. Here are some things that can
go wrong and that adequate controls can prevent, detect and correct:

Input loss can occur when transaction information is transmitted from one location to another.

Input duplication can occur if an input item is thought to be lost and is recreated, but the original
item is subsequently found or was never actually lost.

Inaccurate input in the form of typographical errors in numbers or in spelling.

Missing information makes the input incomplete.

Unrecorded transactions can occur as accidental failures or can be the result of theft or embezzle-
ment.

In a volume-processing environment, management authorization of every individual transaction may
not take place, allowing improper transactions to slip through.

Automated transactions may be set up for regular orders or payments to suppliers. However, unusu-
al situations can call for special transactions, and in those situations automated transactions can cause problems.

Output can be sent to the wrong people, or may be sent too late to be used.

Programming errors or clerical errors can result in incomplete processing.

Processing may be delayed.

Files can be lost during processing.

Poor documentation and a loss of knowledgeable people can result in errors and omissions.

Application controls are divided into input controls, processing controls and output controls.

Input Controls
Input controls are the controls designed to provide reasonable assurance that data entered into the system
has proper authorization, has been converted to machine-sensible form, and has been entered accurately.
Input controls can also provide some assurance that data (including data sent over communications lines) has
not been lost, suppressed, added or changed in some manner.

Input is the stage where there is the most human involvement and, as a result, the risk of errors is higher
than in the processing and output stages. Most errors in systems are the result of input errors. If
information is not entered correctly, there is no chance that the output will be correct. Processing might be
done perfectly, but if the input into the system is inaccurate or incomplete, the output will be useless.
Effective input controls are vital.

There are three classifications of input controls:

1) Data observation and recording

2) Data transcription

3) Edit tests

256 © 2017 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section E Systems Controls and Security Measures

Data Observation and Recording

One or more observational control procedures may be practiced:

Feedback mechanisms are manual systems that attest to the accuracy of a document. For instance, a sales person might ask a customer to confirm their order with a signature, attesting to the accuracy of the data in the sales order. Feedback mechanisms include authorization, endorsement and cancellation.

Dual observation means more than one employee sees the input documents. In some cases this
might mean a supervisor reviews and approves the work.

Point-of-sale devices used to encode data can decrease errors substantially. In addition, point-of-sale devices eliminate the need to manually convert the data to machine-readable format.

Preprinted forms such as receipt and confirmation forms can ensure that all the data required for processing has been captured. For example, if a form utilizes boxes for each character in an inventory part number, it is more likely that the correct number of characters will be entered.

Batch control totals should be used in the input phase to track data as it travels from place to
place before it reaches the computer, to make sure no data is lost.

Batch control totals do not work well with real-time systems, because data is entered at remote terminals sporadically and by different people. Transactions cannot be easily batched. However, entries
can and should be displayed on a screen for visual verification and checked against backup data.
Furthermore, information input can be checked against the database, and edit programs can be used
to make sure that each field has the proper format (see following topics).

Transaction trails should be created by the system that show the date, terminal ID, and individual responsible for the input. This is particularly important in a real-time system. All inputs are logged to a special file that contains these identifying tags to identify the transactions. Including this additional, audit-oriented information along with original transaction data is called tagging.

Transaction logs also provide a source of control totals.

Data Transcription
Data transcription is the preparation of the data for processing. If data is entered from source documents,
the source documents should be organized in a way that eases the input process.

The actual data input usually takes place at a workstation with a display terminal. A preformatted input
screen can assist in the transcription process. For example, a date field to be filled in would be presented
onscreen as __/__/____.

Format checks are used to verify that data is entered in the proper mode: numeric data in a numeric field, a
date in a date field, and so forth.

Edit Tests
Edit programs or input validation routines are programs that check the validity and accuracy of input
data. They perform edit tests by examining specific fields of data and rejecting transactions if their data
fields do not meet data quality standards. Edit tests include:

Completeness, or field, checks, which ensure that data is input into all required fields and that
the data is in the proper format. For example, a field check would not permit numbers to be input

Limit checks, which ensure that only data within predefined limits will be accepted by the system.
For example, the number of days worked in a week cannot exceed 7.

Validity checks, which match the input data to an acceptable set of values or match the characteristics of input data to an acceptable set of characteristics.


Overflow checks, which make sure that the number of digits entered in a field is not greater than
the capacity of the field.

Check digits, which determine whether a number has been transcribed properly. A check digit is a number that is a part of an account or other type of number. The check digit is a function of the other digits within the number, determined by a mathematical algorithm. If a digit in the account number is keyed in incorrectly, the check digit will be incorrect, and the system will generate an error message and refuse to accept the input. Check digits are commonly used in credit card account and bank account numbers, and they are especially helpful in detecting transposition errors. If an

Key verification, or keystroke verification, is the process of inputting the information again and
comparing the two results. Key verification is often used when changing a password, to confirm that
the password has been typed correctly. Key verification can also be used to require input of the
same information twice by different people.

Hash totals are another type of control total. They are totals of nonmonetary information. For example, if a batch contains data on receipts from accounts receivable customers, the sum of all the customer account numbers could be computed as a hash total. The sum is, of course, useful only for control purposes. A hash total can be run on a group of records to be input before processing or transmission and again after processing. If the hash total changes during processing, it indicates something has changed or may be lost.

Format checks verify that the data has been entered in the proper mode and within the proper fields.

Reasonableness checks compare input with other information in existing records and historical
information to detect data that is not reasonable.

Numerical checks ensure that numeric fields are used only for numeric data.

Overflow checks can prevent input that would exceed the capacity of a memory or field length.

Reconciliations and balancing. Reconciliations are used to determine whether differences exist
between two amounts that should be equal. If there are differences, the differences are analyzed to
detect the reason, and corrections can be made if necessary.
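To show how an edit program applies these tests to a batch before processing, here is an added Python example (not code from the HOCK text); the field names, limits, reference set of departments, hours history and sample records are constructed assumptions, and the check digit is validated with the Luhn mod-10 algorithm used for credit card numbers, which the text does not name.

```python
"""Edit program (input validation routine) over a constructed batch of
payroll time records.  Added example, not HOCK text; fields, limits and
sample records are assumptions; the check digit uses the Luhn mod-10 rule."""
import re

REQUIRED = ("emp_id", "dept", "days", "hours", "pay_date")
VALID_DEPTS = {"ACCT", "OPS", "SALES"}           # validity check: acceptable set
EMP_ID_WIDTH = 8                                 # overflow check: field capacity
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")     # format check for __/__/____
HISTORY = {"12345674": 40.0, "20000014": 38.0}   # usual weekly hours (constructed)


def luhn_ok(number: str) -> bool:
    """Check digit test: the last digit makes the Luhn weighted sum a multiple
    of 10, so a mistyped or transposed digit is rejected."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(rec: dict) -> list:
    """Return the edit-test failures for one record (empty list = accepted)."""
    errors = [f"missing:{f}" for f in REQUIRED if rec.get(f) in (None, "")]
    emp = str(rec.get("emp_id") or "")
    if len(emp) > EMP_ID_WIDTH:                          # overflow check
        errors.append("overflow:emp_id")
    elif emp and not emp.isdigit():                      # numerical check
        errors.append("nonnumeric:emp_id")
    elif emp and not luhn_ok(emp):                       # check digit
        errors.append("checkdigit:emp_id")
    if rec.get("dept") and rec["dept"] not in VALID_DEPTS:       # validity check
        errors.append("invalid:dept")
    if rec.get("pay_date") and not DATE_RE.match(rec["pay_date"]):  # format check
        errors.append("format:pay_date")
    for field in ("days", "hours"):
        if rec.get(field) in (None, ""):
            continue                                     # already reported missing
        try:
            value = float(rec[field])
        except ValueError:                               # numerical check
            errors.append(f"nonnumeric:{field}")
            continue
        if field == "days" and not 0 <= value <= 7:      # limit check
            errors.append("limit:days")
        if field == "hours" and emp in HISTORY and value > 1.5 * HISTORY[emp]:
            errors.append("unreasonable:hours")          # reasonableness check
    return errors


def run_edit_program(batch: list):
    """Split a batch into accepted records and an error report keyed by index."""
    report = [(i, edit_tests(rec)) for i, rec in enumerate(batch)]
    accepted = [batch[i] for i, errs in report if not errs]
    rejected = {i: errs for i, errs in report if errs}
    return accepted, rejected


BATCH = [  # constructed sample input
    {"emp_id": "12345674", "dept": "OPS", "days": "5", "hours": "40",
     "pay_date": "03/31/2017"},                       # clean record
    {"emp_id": "12354674", "dept": "OPS", "days": "5", "hours": "40",
     "pay_date": "03/31/2017"},                       # digits 4 and 5 transposed
    {"emp_id": "20000014", "dept": "HR", "days": "8", "hours": "95",
     "pay_date": "2017-03-31"},                       # several failures
    {"emp_id": "123456789", "dept": "ACCT", "days": "", "hours": "",
     "pay_date": "03/31/2017"},                       # overflow and missing
]
```

Only the first record passes; the transposed employee number is caught by the check digit alone, which is the case the text singles out.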

Corrections of errors present additional problems. Often, attempts to correct an error result in
additional errors. Error reports need to be analyzed, the action required to make the correction needs to be
determined, the incorrect data needs to be reversed and correct data needs to be input. Often, corrections
are needed in multiple data files.

Inquiries of data or master files need to be designed so there is no possibility of the inquiry changing the
information in the file.

Question 81: The online data entry control called preformatting is:

a) A check to determine if all data items for a transaction have been entered by the terminal operator.

b) A program initiated prior to regular input to discover errors in data before entry so that the errors
can be corrected.

c) The display of a document with blanks for data items to be entered by the terminal operator.

d) A series of requests for required input data that requires an acceptable response to each request
before a subsequent request is made.

(CMA Adapted)


Question 82: Routines that use the computer to check the validity and accuracy of transaction data during
input are called:

a) Operating systems.

b) Compiler programs.

c) Edit programs.

d) Integrated test facilities.

(CMA Adapted)

Processing Controls
Processing controls are controls designed to provide reasonable assurance that processing has occurred
properly and that no transactions have been lost or incorrectly added. Processing controls prevent or
discourage the improper manipulation of data and ensure satisfactory operation of hardware and software.

Processing controls include the physical security of the equipment. At one time, processing controls were
limited to the computer room. But with more and more distributed processing taking place, these controls are
moving outside the room where the computer equipment is located.

Access to the computer should be permitted only to people who are authorized to operate the equipment, and
operators should be given access only to information they need to set up and operate the equipment.

Processing controls fall into two classifications:

1) Processing controls at the time of data access

2) Controls involving data manipulation later in the processing

Data Access Controls

Transmittal documents such as batch control tickets are used to control movement of data from the source
to the processing point or from one processing point to another. Batch sequence numbers are used to
number batches consecutively to make sure all batches are accounted for.

Batch control totals were mentioned as input controls, but they are also processing controls. Batch control
totals are any type of control total or count applied to a specific group of transactions, such as total sales
dollars in a batch of billings. Batch control totals are used to ensure that all input is processed correctly by the
computer. In batch processing, items are batched in bundles of a preset number of transactions. If a batch
consists of financial transactions, a batch control document that goes with the batch includes the bundle
number, the date and the total dollar amount of the batch. As the computer processes the batch, it checks
the batch control total (the total dollar amount) for the batch and compares the processed total with the
batch control total. If they match, the batch is posted. If they do not, the posting is rejected, and the
difference must be investigated. Batch control totals can also be calculated and used for non-financial fields
in transactions. For instance, a batch control total might be the total hours worked by employees.

A hash total is another control that is both an input and a processing control. For instance, if a batch contains receipts from accounts receivable customers, the sum of all the customer account numbers might be computed to create a hash total. This sum is useful only for control purposes, and it is compared with the total computed during processing to make sure nothing was lost or altered during processing.

A record count utilizes the number of transaction items and counts them twice, once when preparing the
transactions in a batch and again when performing the processing.


Data Manipulation Controls

Standard procedures should be developed and used for all processing.

Examining software documentation, such as system flowcharts, program flowcharts, data flow
diagrams and decision tables, can also be a control, because it makes sure that the programs are complete
in their data manipulation.

Computer programs are error tested by using a compiler, which checks for programming language errors.

Test data can be used to test a computer program.

System testing can be used to test the interaction of several different computer programs. Output from one
program is often input to another, and system testing tests the linkages between the programs.

There are a number of other tests of processing, such as:

Batch balancing is comparing the items actually processed against a predetermined control total.

Cross-footing compares the sum of the individual components to a total.

A zero-balance check is used when a sum should be zero. All of the numbers are added together
and the total is compared with zero.

Run-to-run totals are output control totals from one process used as input control totals over subsequent processing. Critical information is checked to ensure that it is correct. The run-to-run totals tie one process to another.

A default option is the automatic use of a predefined value when a certain value is left blank in input. However, a default value may be correct, or it may be an incorrect value for a particular transaction, so the default should not be automatically accepted.
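The batch control totals, hash totals and record counts described under Data Access Controls, together with the batch balancing, run-to-run totals and zero-balance check listed above, as an added Python example (not from the HOCK text); the payroll records, field names, journal lines and the substituted employee ID are constructed assumptions.

```python
"""Batch control totals, hash totals, record counts and run-to-run totals
applied to a constructed payroll batch.  Added example, not from the HOCK
text; the records, field names and the substituted employee are assumptions."""


def control_totals(records, amount_field, hash_field):
    """Batch control document for a batch: record count, a control total of
    a financial/quantity field and a hash total of a nonmonetary field."""
    return {
        "record_count": len(records),
        "batch_total": round(sum(r[amount_field] for r in records), 2),
        "hash_total": sum(int(r[hash_field]) for r in records),
    }


def batch_balance(control_doc, records, amount_field, hash_field):
    """Batch balancing: recompute the totals over the items actually
    processed and return the names of the controls that do not agree."""
    after = control_totals(records, amount_field, hash_field)
    return sorted(k for k in control_doc if control_doc[k] != after[k])


def gross_pay_run(time_records):
    """Processing run 1: turn time records into gross pay records."""
    return [{"emp_id": r["emp_id"], "gross": round(r["hours"] * r["rate"], 2)}
            for r in time_records]


def zero_balance(journal_lines):
    """Zero-balance check: debits less credits for a journal batch is zero."""
    return round(sum(l["debit"] - l["credit"] for l in journal_lines), 2) == 0


# Constructed time records as keyed from the time cards (input side).
TIME_CARDS = [
    {"emp_id": "10101", "hours": 40.0, "rate": 20.0},
    {"emp_id": "20202", "hours": 38.0, "rate": 22.5},
    {"emp_id": "30303", "hours": 42.0, "rate": 18.0},
]
# Same batch after a time card was swapped for a fictitious employee with
# identical hours and rate: the record count and hours total still agree;
# only the hash total of employee IDs reveals the substitution.
SUBSTITUTED = [dict(r, emp_id="40404") if r["emp_id"] == "30303" else r
               for r in TIME_CARDS]


def check_substitution():
    """Controls that disagree when the substituted batch is balanced against
    the control document prepared from the original time cards."""
    control_doc = control_totals(TIME_CARDS, "hours", "emp_id")
    return batch_balance(control_doc, SUBSTITUTED, "hours", "emp_id")


def check_run_to_run(lose_one=True):
    """Output control totals of run 1 become the input control totals of
    run 2 (general ledger posting); a record lost in between is detected."""
    run1_output = gross_pay_run(TIME_CARDS)
    run1_totals = control_totals(run1_output, "gross", "emp_id")
    run2_input = run1_output[:-1] if lose_one else run1_output
    return batch_balance(run1_totals, run2_input, "gross", "emp_id")


# Constructed posting for the full batch: wages expense against wages payable.
JOURNAL = [
    {"account": "Wages expense", "debit": 2411.0, "credit": 0.0},
    {"account": "Wages payable", "debit": 0.0, "credit": 2411.0},
]
```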

Question 83: In an automated payroll processing environment, a department manager substituted the
time card for a terminated employee with a time card for a fictitious employee. The fictitious employee
had the same pay rate and hours worked as the terminated employee. The best control technique to
detect this action using employee identification numbers would be a:

a) Hash total.

b) Batch total.

c) Subsequent check.

d) Record count.

(CMA Adapted)

Question 84: Data input validation routines include:

a) Passwords.

b) Terminal logs.

c) Backup controls.

d) Hash totals.

(CMA Adapted)


Output Controls
Output can consist of account listings, displays, reports, files, invoices, or disbursement checks, to name just
a few of the forms output can take. Output controls are used to provide reasonable assurance that input and
processing has resulted in valid output. Controls should be in place to make sure that the output is sent to the
right people, that it is accurate and complete, it is sent in a timely manner, and that the proper reports are
retained for the appropriate time period.

The output of the system is supervised by the data control group. Output controls consist of:

Validating processing results

Controls over printed output

Validating Processing Results

Activity, or proof, listings that document processing activity provide detailed information about all changes
to master files and create an audit trail. These proof listings should be compared with the batch control totals
that went along with the input and processing functions in order to confirm that all of the transactions were
processed correctly.

Reconciliations are the analysis of differences between values in two files that should be substantially the
same. The nature of the reconciling items is used to identify whether differences are caused by errors or
whether they are valid differences.

A suspense account is used as a control total for items awaiting further processing, such as a file of back-ordered products awaiting receipt so they can be shipped to fulfill orders.

Output control also includes review of the error logs by the control group and review of the output by the
users. End-of-job markers are printed at the end of the report and enable the user to easily determine if the
entire report has been received. A discrepancy report is a listing of items that have violated some detective
control and need to be investigated, such as a list of all past-due accounts that is sent to the credit manager.

Upstream resubmission is the resubmission of corrected error transactions as if they were new transactions, so that they pass through all the same detective controls as the original transactions.

Printed Output Controls

Forms control, such as physical control over company blank checks, is one type of printed output control.
Checks should be kept under lock and key, and only authorized persons should be permitted access.

However, there is another control needed with checks, because they are pre-numbered. The preprinted check number on each completed check must match the system-generated number for that check, which may or may not also be printed on the check. The preprinted numbers on the checks are sequential; the system-generated numbers also are sequential. The starting system-generated number must match the pre-printed number on the first check in the stack, or the numbers in the whole check run will be off. If there is any discrepancy, it must be investigated, because the starting number in the system should be one more than the last check printed. If it does not match the preprinted number on the first check in the stack to be printed, one or more checks could be missing.

Any form should be pre-numbered and controlled in the same manner as checks.

Companies are increasingly creating their own checks, using blank check stock and printers that print all of
their information as well as the MICR (Magnetic Ink Character Recognition) line as the check itself is printed.
The physical equipment used to create checks as well as the blank check stock must be strictly controlled.

security numbers and pay rates is confidential information and thus its distribution must be restricted. There
should be an authorized distribution list, and only enough copies of the report should be generated to
permit one report to be distributed to each person on the list. For a confidential report, it is preferable to have
a representative pick the report up personally and sign for it. If this is not possible, a bonded employee can
distribution.

Confidential reports should be shredded when they are no longer needed.

Controls Classified as Preventive, Detective and Corrective

Just as financial controls can be classified as preventive, detective and corrective, information systems
controls can be classified in the same manner.

Preventive controls prevent errors and fraud before they occur. Examples of preventive controls
are segregation of duties, job rotation, training and competence of personnel, dual access controls,
authorization, approval, endorsement and cancellation, and preformatted input.

Detective controls uncover errors and fraud after they have occurred. Examples of detective
controls are transmittal documents, batch control totals and other batch transmittal documents,
completeness checks, hash totals, batch balancing, check digits, limit checks, and validity checks.
The use of a turnaround document is also a detective control, because it checks on completeness
of input. Completeness-of-processing detective controls include run-to-run totals, reconciliations, use
of suspense accounts, and error logs. Correctness of processing detective controls are redundant
processing, overflow checks and summary processing.

Corrective controls are used to correct errors. Examples of corrective controls are discrepancy
reports and upstream resubmissions.

Controls Classified as Feedback, Feedforward and Preventive

Another way of classifying information systems controls looks at them as feedback, feedforward, or
preventive controls.

Feedback controls produce feedback that can be monitored and evaluated to determine if the
system is functioning as it is supposed to. Feedback controls are required in order to produce usable
information for end users. With the addition of feedback controls, a system becomes a self-
monitoring, self-regulating system.

A feedback loop is a part of a control system. It uses feedback to measure differences between the
actual output and the desired output. It then adjusts the operation according to those differences.
Thus, it self-corrects. A self-monitoring system is sometimes called a cybernetic system.

In a manufacturing situation, for example, where ingredients are being combined, computers may
monitor and control the mixing process, making adjustments as necessary to maintain the correct
proportions of each ingredient in the mix. In an accounting system, data entry displays or edit
sheets provide control of data entry activities, and accounting procedures such as reconciliations
provide feedback.

Another example of a feedback control is a report that summarizes variances from budgeted
amounts.

A feedforward control system may be used in addition to the feedback loop to provide better
controls. A feedforward system attempts to predict when problems and deviations will occur before
they actually occur. It gives people guidance about what problems could occur, so they can plan the
necessary changes or actions to prevent the problem or deviation from occurring. Or, if it is not possible to prevent the problem, it will enable the company to minimize the effects of the problem. A budget is a feedforward control. Policies, procedures and rules are also feedforward controls, because they establish the way things are supposed to be done. When people have detailed instructions, there is less chance that something will go wrong.


A preventive control attempts to stop a variance or problem from ever occurring, because it is
more cost effective to prevent a problem than it is to fix the problem after it occurs. Maintenance is
often given as an example of a preventive control. A preventive control is slightly different from a
feedforward control, in that the feedforward control simply tries to identify the potential problem,
whereas the preventive control attempts to prevent the problem from occurring. Segregation of duties is a preventive control.

Question 85: An advantage of having a computer maintain an automated error log in conjunction with
computer edit programs is that:

a) Less manual work is required to determine how to correct errors.

b) Better editing techniques will result.

c) The audit trail is maintained.

d) Reports can be developed that summarize the errors by type, cause and person responsible.

(CMA Adapted)

Question 86: An employee in the receiving department keyed in a shipment from a remote terminal and
inadvertently omitted the purchase order number. The best systems control to detect this error would be:

a) Completeness test.

b) Batch total.

c) Reasonableness test.

d) Sequence check.

(CMA Adapted)

Question 87: Preventive controls are:

a) Usually more cost beneficial than detective controls.

b) Usually more costly to use than detective controls.

c) Found only in accounting transaction controls.

d) Found only in general accounting controls.

(CMA Adapted)

Question 88: Edit checks in a computerized accounting system:

a) Are preventive controls.

b) Must be installed for the system to be operational.

c) Should be performed on transactions prior to updating a master file.

d) Should be performed immediately prior to output distribution.

(CMA Adapted)
