UNIT 2
Internal Control Structure and Risk Exposures
Internal Control
 Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm’s objectives will be achieved
 These controls encompass all the measures and practices that are used to counteract exposures to risks
 The control framework is called the Internal Control Structure
Objectives of the Internal Control Structure
 Promoting Effectiveness and Efficiency of Operations
 Reliability of Financial Reporting
 Safeguarding assets
 Checking the accuracy and reliability of accounting data
 Compliance with applicable laws and regulations
 Encouraging adherence to prescribed managerial policies
Components and Major Considerations of the IC Structure
Internal Control Structure
 Control Environment
 Risk Assessment
 Control Activities
 • Activities related to Financial Reporting
 • Activities related to Information Processing
   General Controls
   Application Controls
 Information & Communication
 Monitoring
Control Environment
 The Control Environment establishes the tone of a company, influencing the control consciousness of its employees
 It consists of seven components:
• Management philosophy and operating style
• Integrity and ethical values
• Commitment to competence
• The Board of Directors and the Audit Committee
• Organizational Structure
• Assignment of authority and responsibility
• Human resources policies and practices
• External Influences
Highlights of CE Components - I
 Management Philosophy and Operating Style
 Does management emphasize short-term profits and operating goals over long-term goals?
 Is management dominated by one or a few individuals?
 What type of business risks does management take and how are these risks managed?
 Is management conservative or aggressive toward selecting from available alternative accounting principles?
Highlights of CE Components - II
 Organization Structure
 Is an up-to-date organization chart prepared, showing the names of key personnel?
 Is the information systems function separated from incompatible functions?
 How is the accounting department organized?
 Is the internal audit function separate and distinct from accounting?
 Do subordinate managers report to more than one supervisor?
Highlights of CE Components - III
 Assignment of Authority and Responsibility
 Does the company prepare written employee job descriptions defining specific duties and reporting relationships?
 Is written approval required for changes made to information systems?
 Does the company clearly delineate for employees and managers the boundaries of authority-responsibility relationships?
 Does the company properly delegate authority to employees and departments?
Highlights of CE Components - IV
 Human Resource Policies and Practices
 Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct?
 Is the company in compliance with the ADA? The EEOA?
 Are Grievance Procedures to manage conflict in force?
 Does the company maintain a sound Employee Relations program?
 Do employees work in a safe, healthy environment?
 Are Counseling Programs available to employees?
 Are proper Separation Programs in force for employees who leave the firm?
 Are critical employees Bonded?
Key Functions Performed by Audit Committees
 Establish an Internal Audit Department
 Review the Scope and Status of Audits
 Review Audit Findings with the Board and ensure that Management has taken proper action recommended in the Audit Report and Letter of Reportable Conditions
 Maintain a direct Line of Communication among the Board, Management, External and Internal Auditors, and periodically arrange Meetings among the parties
 Review the Audited Financial Statements with the Internal Auditors and the Board of Directors
 Require periodic Quality Reviews of the operations of the Internal Audit Departments to identify areas needing improvement
 Supervise special investigations, such as Fraud Investigations
 Assess the performance of Financial Management
 Require the Review of Compliance with Laws and Regulations and with Corporate Codes of Conduct
Risk Assessment
 Top management must be directly involved in Business Risk Assessment.
 This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units and the formation of a plan to determine how to manage the risks.
Control Activities - I
 Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:
• Preventive Controls block adverse events, such as errors or losses, from occurring
• Detective Controls discover the occurrence of adverse events such as operational inefficiency
• Corrective Controls are designed to remedy problems discovered through detective controls
• Security Measures are intended to provide adequate safeguards over access to and use of assets and data records
Control Activities - II
 Control Activities relating to Information Processing may also be classified according to where they will be applied within the system:
• General controls are those controls that pertain to all activities involving a firm’s AIS and assets
• Application controls relate to specific accounting tasks or transactions
 The overall trend seems to be going from specific application controls to more global general controls
Control Activities - III
 Performance Reviews
 Comparing Budgets to Actual Values
 Relating different sets of data, operating or financial, to one another, together with Analyses of the relationships and Investigative and Corrective Actions
 Reviewing Functional Performance, such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections
Information & Communication
 All Transactions entered for processing are Valid and Authorized
 All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions
 The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms
 All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets
 All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information
 All transactions are recorded in the proper Accounting Period
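The objectives above are what edit checks built into the entry program must enforce once clerical review of input is removed. As an added example, not part of the original slides, the Python below applies such checks to a constructed batch of journal lines (the open period, clerk and approver names, account codes and amounts are all assumptions) and separates entries fit to post from an exception report.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal, InvalidOperation

PERIOD = (date(2024, 3, 1), date(2024, 3, 31))  # open accounting period (constructed assumption)

def money(text):
    """Proper monetary terms: a non-negative amount with at most two decimals, else None."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value >= 0 and value == value.quantize(Decimal("0.01")) else None

def check_line(rec):
    """Edit checks on one journal line; each message names the control objective it enforces."""
    errors = []
    if rec["approved_by"] == rec["entered_by"]:  # separation of incompatible duties
        errors.append("authorized: preparer approved own line")
    dr, cr = money(rec["debit"]), money(rec["credit"])
    if dr is None or cr is None or (dr > 0) == (cr > 0):
        errors.append("accurate/monetary: exactly one side must carry a positive amount")
    if not PERIOD[0] <= date.fromisoformat(rec["date"]) <= PERIOD[1]:  # ISO dates assumed
        errors.append("accounting period: date outside the open period")
    return errors

def edit_batch(records):
    """Run line checks, then require each entry to balance (debits == credits) before it posts."""
    exceptions, net = defaultdict(list), defaultdict(Decimal)
    for rec in records:
        errs = check_line(rec)
        if errs:
            exceptions[rec["entry"]].extend(errs)
        else:
            net[rec["entry"]] += money(rec["debit"]) - money(rec["credit"])
    for entry, balance in net.items():
        if balance != 0 and entry not in exceptions:
            exceptions[entry].append(f"complete: entry out of balance by {balance}")
    return sorted(e for e in net if e not in exceptions), dict(exceptions)

def line(entry, account, debit, credit, by="clerk1", ok="mgr1", day="2024-03-05"):
    return dict(entry=entry, date=day, account=account, debit=debit, credit=credit, entered_by=by, approved_by=ok)

BATCH = [  # constructed sample: J1 clean, J2 self-approved, J3 bad amount and date, J4 unbalanced
    line("J1", "1200", "1500.00", "0"), line("J1", "4000", "0", "1500.00"),
    line("J2", "1000", "250.00", "0", ok="clerk1"), line("J2", "1200", "0", "250.00", ok="clerk1"),
    line("J3", "1000", "99.999", "0", day="2024-04-02"), line("J3", "4000", "0", "100.00"),
    line("J4", "1000", "500.00", "0"), line("J4", "4000", "0", "450.00"),
]
```

Calling edit_batch(BATCH) accepts only J1 and reports J2, J3 and J4 with the objective each one fails, which is the exception report a reviewer would work from.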
Risk
 Business firms face risks that reduce the chances of achieving their control objectives.
 Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.
 Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Some Typical Sources of Risk - I
 Clerical and Operational Employees, who process transactional data and have access to Assets
 Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed
 Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions
Some Typical Sources of Risk - II
 Former Employees, who may still understand the Control Structure and may harbor grudges against the firm
 Customers and Suppliers, who generate many of the transactions processed by the firm
 Competitors, who may desire to acquire confidential information of the firm
 Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm’s data or its assets or to commit destructive acts
 Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns
Types of Risks
 Unintentional errors
 Deliberate Errors (Fraud)
 Unintentional Losses of Assets
 Thefts of assets
 Breaches of Security
 Acts of Violence and Natural Disasters
Factors that Increase Risk Exposure
 Frequency - the more frequent the occurrence of a transaction, the greater the exposure to risk
 Vulnerability - liquid and/or portable assets contribute to risk exposure
 Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure
Problem Conditions Affecting Risk Exposures
 Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures
 Lack of Enforcement - Management may not prosecute wrongdoers because of the potential embarrassment
 Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect
Computer Crime
 Computer crime (computer abuse) is the use of a computer to deceive for personal gain.
 Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss.
 It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.
Examples of Computer Crime
 Theft of Computer Hardware & Software
 Unauthorized Use of Computer Facilities for Personal Use
 Fraudulent Modification or Use of Data or Programs
Reasons Why Computers Cause Control Problems
 Processing is Concentrated
 Audit Trails may be Undermined
 Human Judgment is bypassed
 Data are stored in Device-Oriented rather than Human-Oriented forms
 Invisible Data
 Stored data are Erasable
 Data are stored in a Compressed form
 Stored data are relatively accessible
 Computer Equipment is Powerful but Complex and Vulnerable
Feasibility of Controls
 Audit Considerations
 Cost-Benefit Considerations
• Determine Specific Computer Resources Subject to Control
• Determine all Potential Threats to the company’s Computer System
• Assess the Relevant Risks to which the firm is exposed
• Measure the Extent of each Relevant Risk exposure in dollar terms
• Multiply the Estimated Effect of each Relevant Risk Exposure by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year
• Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure
• Compare the Benefits against the Costs of Each Control
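Carried through in code, as an added example that is not part of the original slides: the Python below follows the cost-benefit steps above (dollar effect of each exposure times its annual frequency, the yearly cost of the control that counters it, benefit compared against cost) for three constructed exposures and controls. The loss figures, frequencies, costs and reduction fractions are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    name: str
    single_loss: float       # estimated effect of one occurrence, in dollars
    annual_frequency: float  # estimated occurrences over a one-year period

    def annual_loss(self) -> float:
        """Effect x frequency: the slide's measure of a relevant risk exposure per year."""
        return round(self.single_loss * self.annual_frequency, 2)

@dataclass(frozen=True)
class Control:
    name: str
    exposure: str            # name of the Exposure it counters
    annual_cost: float       # installation (amortized) plus maintenance, per year
    frequency_reduction: float = 0.0  # fraction of occurrences it prevents (preventive)
    loss_reduction: float = 0.0       # fraction of each loss it limits or recovers (corrective)

def residual_loss(exp: Exposure, ctl: Control) -> float:
    """Annual loss still expected with the control in place."""
    frequency = exp.annual_frequency * (1 - ctl.frequency_reduction)
    loss = exp.single_loss * (1 - ctl.loss_reduction)
    return round(frequency * loss, 2)

def evaluate(exposures, controls):
    """Benefit of a control is the annual loss it removes; adopt it only when benefit exceeds cost."""
    by_name = {e.name: e for e in exposures}
    rows = []
    for ctl in controls:
        exp = by_name[ctl.exposure]
        benefit = round(exp.annual_loss() - residual_loss(exp, ctl), 2)
        rows.append({"control": ctl.name, "exposure_ale": exp.annual_loss(), "benefit": benefit,
                     "cost": ctl.annual_cost, "net": round(benefit - ctl.annual_cost, 2),
                     "adopt": benefit > ctl.annual_cost})
    return rows

# Constructed sample figures (illustrative assumptions, not from the slides).
EXPOSURES = [
    Exposure("unauthorized program change", single_loss=50_000, annual_frequency=0.4),
    Exposure("data entry error", single_loss=200, annual_frequency=300),
    Exposure("flood damage to computer room", single_loss=2_000_000, annual_frequency=0.01),
]
CONTROLS = [
    Control("written approval for program changes", "unauthorized program change", 6_000, frequency_reduction=0.75),
    Control("edit checks on input", "data entry error", 8_000, frequency_reduction=0.9),
    Control("off-site backup of data files", "flood damage to computer room", 25_000, loss_reduction=0.8),
]
```

With these figures the screen adopts the first two controls and rejects the off-site backup (benefit $16,000 against cost $25,000), which shows how much the decision depends on the estimates and on the period chosen.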
Methods for Thwarting Computer Abuse
 Enlist top-management support so that awareness of computer abuse will filter down through management ranks.
 Implement and enforce control procedures.
 Increase employee awareness of the seriousness of computer abuse, the amount of costs, and the disruption it creates.
 Establish a code of conduct.
 Be aware of the common characteristics of most computer abusers.
 Recognize the symptoms of computer abuse, such as:
• behavioral or lifestyle changes in an employee
• accounting irregularities such as forged, altered or destroyed input documents or suspicious accounting adjustments
• absent or ignored control procedures
• the presence of many odd or unusual anomalies that go unchallenged
 Encourage ethical behavior
Control Problems Caused by Computerization: Data Collection

| Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
| --- | --- | --- | --- |
| Data recorded in paper source documents | Data sometimes captured without use of source documents | Audit trail may be partially lost | Printed copies of source documents prepared by computer systems |
| Data reviewed for errors by clerks | Data often not subject to review by clerks | Errors, accidental or deliberate, may be entered for processing | Edit checks performed by computer system |
Control Problems Caused by Computerization: Data Processing

| Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
| --- | --- | --- | --- |
| Processing steps performed by clerks who possess judgment | Processing steps performed by CPU “blindly” in accordance with program instructions | Errors may cause incorrect results of processing | Outputs reviewed by users of computer system; carefully developed computer processing programs |
| Processing steps among various clerks in separate departments | Processing steps concentrated within computer CPU | Unauthorized manipulation of data and theft of assets can occur on larger scale | Restricted access to computer facilities; clear procedure for authorizing changes to programs |
| Processing requires use of journals and ledgers | Processing does not require use of journals | Audit trail may be partially lost | Printed journals and other analyses |
| Processing performed relatively slowly | Processing performed very rapidly | Effects of errors may spread rapidly through files | Editing of all data during input and processing steps |
Control Problems Caused by Computerization: Data Storage & Retrieval

| Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
| --- | --- | --- | --- |
| Data stored in file drawers throughout the various departments | Data compressed on magnetic media (e.g., tapes, disks) | Data may be accessed by unauthorized persons or stolen | Security measures at points of access and over data library |
| Data stored on hard copies in human-readable form | Data stored in invisible, erasable, computer-readable form | Data are temporarily unusable by humans, and might possibly be lost | Data files printed periodically; backup of files; protection against sudden power losses |
| Stored data accessible on a piecemeal basis at various locations | Stored data often readily accessible from various locations via terminals | Data may be accessed by unauthorized persons | Security measures at points of access |
Control Problems Caused by Computerization: Information Generation

| Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
| --- | --- | --- | --- |
| Outputs generated laboriously and usually in small volumes | Outputs generated quickly and neatly, often in large volumes | Inaccuracies may be buried in impressive-looking outputs that users accept on faith | Reviews by users of outputs, including the checking of amounts |
| Outputs usually in hard-copy form | Outputs provided in various forms, including soft-copy displays and voice responses | Information stored on magnetic media is subject to modification (only hard copy provides permanent record) | Backup of files; periodic printing of stored files onto hard-copy records |
Control Problems Caused by Computerization: Equipment

| Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
| --- | --- | --- | --- |
| Relatively simple, inexpensive, and mobile | Relatively complex, expensive, and in fixed locations | Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies | Backup of data and power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures |