1
Fraud & Internal Control
ACCOUNTING INFORMATION SYSTEMS The Crossroads of Accounting & IT Chapter 10 Fraud & Internal Control © Copyright 2012 Pearson Education. All Rights Reserved.
2
How does someone bilk his clients for $50 BILLION? Meet a Ponzi Scheme... & Bernard Madoff. Madoff was sentenced to 150 years in prison for securities fraud and money laundering.
3
Why Does Fraud Occur? Top two reasons given for why executive fraud occurs: 1. Pressure to meet goals: 81%. 2. Personal gain: 72%. Notice that "pressure to meet goals" exceeds the percentage stating that "personal gain" was the reason for executive fraud.
4
Fraud: What Will I Tell my MOM?
For fraud to occur, all three elements of MOM (Motive, Opportunity, and Means) must be present: 1) If there is opportunity and motive, but no means for carrying out the fraud, then the fraud cannot be accomplished. 2) If there is motive and means, but no opportunity to commit the fraud, then the fraud cannot be carried out. 3) And so on…
5
Sarbanes-Oxley Act of 2002. Section 404. Management Assessment of Internal Controls. The public accounting firm that audits the financial statements of the company must issue an attestation report regarding the effectiveness of the company's internal control. Section 302. Corporate Responsibility for Financial Reports. Section 302 requires the chief executive officer and chief financial officer to certify in each annual or quarterly report that the signing officer reviewed the report and that the report does not contain any untrue statement or omission of a material fact that makes the statements misleading. SOX legislation affected accounting and accounting systems.
6
Sarbanes-Oxley Act of 2002. Section 806. Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud. Known as Whistleblower Protection for Employees of Publicly Traded Companies. Section 806 provides for protection against retaliation for employees, such as company accountants, who provide information in fraud cases of publicly traded companies. Section 906. Corporate Responsibility for Financial Reports. Section 906 requires corporate management to certify reports filed with the SEC, such as the annual 10-K and quarterly 10-Q. It provides for criminal penalties of up to $5 million or 20 years imprisonment.
7
Audit & Internal Control
Types of Audits: Audit of internal control: tests of controls to obtain evidence that internal control over financial reporting has operated effectively. Audit of financial statements: tests of controls to assess control risk; substantive procedures collect evidence regarding the accuracy, completeness, and validity of data produced by the accounting system. IT audit: tests of IT to understand how IT affects internal control over financial reporting. The PCAOB expects auditors to understand how IT affects the audit and to integrate IT into the audit. Integrated audit: required by Auditing Standard No. 5, integrates the audit of internal control with the audit of financial statements. More and more, auditors are expected to understand how IT affects the audit, instead of relying on IT consultants to conduct the IT audit.
8
Controls Over Financial Reporting
Preventive controls: The objective of preventive controls is to prevent errors or fraud that could result in a misstatement of the financial statements. Detective controls: The objective of detective controls is to detect errors or fraud that have occurred and that could result in a misstatement of the financial statements.
9
Internal Control Deficiencies
Two types of deficiencies are found in internal control over financial reporting: A material weakness is a deficiency such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. A significant deficiency is less severe, but nonetheless merits the attention of those responsible for oversight of financial reporting. It is possible for a material weakness in internal control over financial reporting to exist even though the financial statements are not materially misstated.
10
COSO Internal Control - Integrated Framework Cube
SOX required organizations to use an internal control framework. Given the short time frame for implementation of SOX, many organizations used the existing COSO Internal Control framework. The COSO internal control framework, however, did not specifically address IT control concerns.
11
COBIT: Control Objectives for Information & Related Technology
Some organizations found they often must also use another framework for IT controls, such as COBIT.
12
COBIT Business Requirements
Three COBIT business requirements relate to information security (CIA): Confidentiality, Integrity, Availability. Four COBIT business requirements relate to COSO objectives: Effectiveness (information is relevant, pertinent, timely, accurate, and usable); Efficiency (information is provided in the most productive and economic way); Compliance (information conforms with laws and regulations); Reliability (information can be relied upon to meet financial and compliance reporting responsibilities).
13
Mapping COBIT & COSO Frameworks
As this figure illustrates, COSO and COBIT can be mapped; however, the two frameworks were developed independently by two different organizations.
15
IT Controls. The three levels of IT controls are:
1) Entity-level controls: affect the overall control environment. 2) Application controls: embedded within business process applications, such as accounting software. 3) IT general controls: include controls within the IT processes that support applications, such as program development and program changes.
16
Purchasing Cycle: Application Control Objectives
Each transaction cycle can be expanded to show the transactions in each cycle and the application control objectives. Here application control objectives are shown for processing purchases, processing accounts payable, and paying bills.
17
Sales Cycle: Application Control Objectives
Example application control objectives are listed for processing customer orders, processing shipments, processing accounts receivable, and recording customer payments.
18
Payroll Cycle: Application Control Objectives
Application control objectives for the payroll cycle include objectives for processing payroll and processing payroll payments.
19
Banking/Cash: Application Control Objectives
Banking and cash application control objectives include objectives for processing funds.
20
Financial Cycle: Application Control Objectives
Financial cycle application control objectives relate to analyzing and reconciling assets, the general ledger, and closing.
21
Reporting Control Objectives
Reporting control objectives relate to providing financial and management reporting, such as providing timely and accurate information to management.
22
My Connection: Study Less. Learn More. Make Connections.
Exercise: Identify the three levels of IT controls within an organization and give examples of each. Select a real organization and identify the three levels of IT controls within the organization, with examples for each.
23
AICPA’s Trust Services
The Trust Services framework for evaluating information systems is based on five principles: Security. The system is protected against unauthorized access. Availability. The system is available for use as committed or agreed. Processing integrity. System processing is accurate, timely, complete, valid, and authorized. Confidentiality. Confidential information is protected as committed or agreed. Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP). The AICPA provides the Trust Services framework with these five principles as guidance for evaluating information systems.
24
Managing the Risk of Fraud
Five principles for establishing an environment to effectively manage fraud risk: Principle 1: Fraud Risk Governance. There should be a written policy to convey the expectations of the board of directors and top management regarding managing fraud risk. Principle 2: Fraud Risk Assessment. Fraud risk exposure should be assessed periodically to identify potential events the organization should mitigate. Principle 3: Fraud Prevention. Prevention techniques should be established to avoid fraud risk events and mitigate their impact on the organization. Principle 4: Fraud Detection. Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized. Principle 5: Fraud Investigation and Corrective Action. A reporting process should be in place to solicit input on potential fraud. A coordinated investigation is used to address potential fraud in a timely and appropriate manner. There are five principles for managing fraud risk.
25
How Do I Document Control HotSpots?
Build a DFD. Document controls. Document control HotSpots. DFDs can be used to identify and document control hotspots, or areas that need additional attention in order to provide adequate internal control.
26
Step 1: Build DFD. Step 1 is to build a DFD. This is what you created in chapters 4 and 5 to document business processes.
27
Step 2: Document Controls
Step 2 is to document controls by labeling the DFD with controls. P stands for a preventive control. D represents a detective control. Notice that the preventive and detective controls are numbered so they can be listed and identified in a table.
28
Step 2: Document Controls
Step 2 is summarized with a list of the preventive and detective controls identified on the DFD.
29
Step 3: Document Control HotSpots
Step 3 codes the DFD as cool, warm, or hot. A hotspot is an area that requires additional attention to internal controls, such as event 1.4, Store Order Information. You can see from the DFD that Event 1.4 does not have any preventive or detective controls associated with the event.
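The three-step procedure carried through in code, as an added example that is not from the textbook: the sample DFD is constructed (only event 1.4, Store Order Information, comes from the slides), and the cool/warm/hot coding rule is an assumption, since the slides only say that an event with no preventive or detective control is a hotspot.

```python
"""Steps 2 and 3: list a DFD's P/D controls, then code each event cool / warm / hot."""
from dataclasses import dataclass, field


@dataclass
class Control:
    label: str        # numbered DFD label: "P1" = preventive, "D2" = detective
    description: str


@dataclass
class Event:
    number: str       # DFD event number, e.g. "1.4"
    name: str
    controls: list = field(default_factory=list)


def control_table(events):
    """Step 2 summary: one row per control, sorted by its DFD label."""
    rows = []
    for ev in events:
        for c in ev.controls:
            kind = "preventive" if c.label.startswith("P") else "detective"
            rows.append((c.label, kind, ev.number, c.description))
    return sorted(rows)


def rate(event):
    """Step 3 coding. Assumed rule (not stated on the slides): hot = no controls,
    warm = only preventive or only detective, cool = at least one of each."""
    kinds = {c.label[0] for c in event.controls}
    if not kinds:
        return "hot"
    return "cool" if kinds == {"P", "D"} else "warm"


def hotspots(events):
    """Events that need additional attention to internal control."""
    return [(ev.number, ev.name) for ev in events if rate(ev) == "hot"]


# Constructed sample DFD for an order-entry process (only event 1.4 is from the text).
SAMPLE_DFD = [
    Event("1.1", "Receive Customer Order",
          [Control("P1", "Order form requires an approved customer number")]),
    Event("1.2", "Check Credit",
          [Control("P2", "System blocks orders over the credit limit"),
           Control("D1", "Manager reviews the daily credit-override report")]),
    Event("1.3", "Accept Order",
          [Control("D2", "Weekly reconciliation of accepted orders to shipments")]),
    Event("1.4", "Store Order Information", []),
]

if __name__ == "__main__":
    for label, kind, ev_no, desc in control_table(SAMPLE_DFD):
        print(f"{label:3} {kind:10} event {ev_no}: {desc}")
    for ev in SAMPLE_DFD:
        print(f"event {ev.number} {ev.name}: {rate(ev)}")
```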
30
My Connection: Study Less. Learn More. Make Connections.
Exercise: Use the DFD you prepared for chapter 5 and document control HotSpots. Document controls. Document control HotSpots.