Chapter 9:
Introduction to Internal Control Systems
Introduction
1992 COSO Report
Updates on Risk Assessment
Examples of Control Activities
Update on Monitoring
2011 COBIT, Version 5
Types of Controls
Evaluating Controls
Chapter
9-1
Internal Control Systems
Definition
Policies, plans, and procedures
Implemented to protect a firm's assets
People Involved
Board of directors
Management
Other key personnel
Chapter
9-2
Internal Control Systems
Provides reasonable assurance
Effectiveness and efficiency of operations
Reliability of financial reporting
Protection of Assets
Compliance with applicable laws and regulations
Important Guidance
Statement on Auditing Standard No. 94
Sarbanes-Oxley Act of 2002
Chapter
9-3
Internal Control System
Objectives
Safeguard assets
Check the accuracy and reliability of accounting data
Promote operational efficiency
Enforce prescribed managerial policies
Chapter
9-4
Study Break #1
This term describes the policies, plans, and procedures implemented by a firm to protect the assets of the organization.
A. Internal control
B. SAS No. 94
C. Risk assessment
D. Monitoring
Chapter
9-5
Study Break #1 - Answer
This term describes the policies, plans, and procedures implemented by a firm to protect the assets of the organization.
A. Internal control
B. SAS No. 94
C. Risk assessment
D. Monitoring
Chapter
9-6
Study Break #2
Which of the following is not one of the four objectives of an internal control system?
A. Safeguard assets
B. Promote firm profitability
C. Promote operational efficiency
D. Encourage employees to follow managerial policies
Chapter
9-7
Study Break #2 - Answer
Which of the following is not one of the four objectives of an internal control system?
A. Safeguard assets
B. Promote firm profitability
C. Promote operational efficiency
D. Encourage employees to follow managerial policies
Chapter
9-8
Background Information on Internal Controls
Chapter
9-9
1992 COSO Report
Defines internal control and components
Presents criteria to evaluate internal control systems
Provides guidance for public reporting on internal controls
Offers materials to evaluate an internal control system
Chapter
9-12
Components of Internal Control – COSO 1992
Control Environment
Management’s oversight, integrity, and ethical principles
Attention and direction by board of directors
Management’s philosophy and operating style
Method of assigning authority and responsibility
Method of organizing and developing employees
Chapter
9-13
Components of Internal Control – COSO 1992
Risk Assessment
Identify organizational risks
Analyze potential of risks (cost and occurrence)
Cost-benefit analysis
Control Activities
Policies and procedures
Manual and automated
Chapter
9-14
Components of Internal Control – COSO 1992
Information and Communication
Inform employees
Roles and responsibilities
Importance of good working relationships
Monitoring
Evaluation of internal controls
Initiate corrective action when necessary
Chapter
9-15
2004 COSO Enterprise Risk Management Framework
Emphasizes enterprise risk management
Includes COSO (1992) control components
Three new components
Objective setting
Event identification
Risk response
Chapter
9-16
Components of Internal Control – COSO 2004
Objective Setting
Strategic – high-level goals and mission
Operations – day-to-day efficiency, performance, and profitability
Reporting – internal and external
Compliance – laws and regulations
Chapter
9-18
Components of Internal Control – COSO 2004
Event Identification and Risk Response
Identify threats
Analyze risks
Implement cost-effective countermeasures
Additional considerations
Risk tolerance
Cost-benefit trade-offs
Chapter
9-19
Risk Assessment Worksheet
Chapter
9-20
COSO’s 2010 Report on ERM
Commissioned survey called Enterprise Risk Management Initiative
Survey targeted utilization of COSO ERM Framework
Theoretically sound
65% fairly or very familiar with framework
Board had not assigned risk oversight in over half of organizations
State of ERM is relatively immature
Chapter
9-21
Study Break #3
An internal control system should consist of five components. Which of the following is not one of those five components?
A. The control environment
B. Risk assessment
C. Monitoring
D. Performance evaluation
Chapter
9-22
Study Break #3 - Answer
An internal control system should consist of five components. Which of the following is not one of those five components?
A. The control environment
B. Risk assessment
C. Monitoring
D. Performance evaluation
Chapter
9-23
Study Break #4
Which of the following is not one of the three additional components that were added in the 2004 COSO Report?
A. Objective setting
B. Risk assessment
C. Event identification
D. Risk response
Chapter
9-24
Study Break #4 - Answer
Which of the following is not one of the three additional components that were added in the 2004 COSO Report?
A. Objective setting
B. Risk assessment
C. Event identification
D. Risk response
Chapter
9-25