Management Information Provision (Bestuurlijke Informatievoorziening): A. COSO; B. Control and Accounting; C. Information Systems; D. Control processes
First (a): COSO
Internal control: COSO. The COSO report is the linking pin between management control and internal control. Areas of attention: financial accountability information with its underlying task management (internal control); strategy implementation (management control).
Management Control vs Internal Control
COSO definition of Internal Control: a process effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; compliance with applicable laws and regulations; safeguarding of assets (added later).
Components of internal control: control environment; risk analysis; control activities; information and communication; monitoring.
Third (c): Control processes
Designing a control system: inventory of the threats and analysis of the risks; determining the control objectives; selection of control measures and their integration into a system (Design); implementation of the control system; evaluation of quality and effectiveness (Monitoring); adjustment of the control system.
Designing a control system (1): gathering information about: the objectives and the policy based on them; the environment: entities with their own objectives; the structure and functioning of the organization itself; other influencing factors.
Designing a control system (2): inventory of the threats and analysis of the risks; establishing the control objectives; selection of control measures and their integration into a system; implementation of the control system; evaluation of quality and effectiveness; modification.
Risk analysis. Risk analysis consists of the following steps: inventory of possible threats; estimation of the probability that they actually occur; analysis of the possible damage if they do occur. The next step is risk management, based on the choice between "covering" the risk or "restoring the damage" when it occurs.
Important aspects of risk analysis: the quality of the risk analysis determines the quality of the control system; a number of methodologies exist, and the COSO report also describes an approach; in many organizations risk analysis is set up as a separate function at a high level in the organization.
Categorization of risks. By their origin: external versus internal. By their impact on the organization (COSO): operational, financial, compliance.
External risks by their origin [diagram of the sources of external risk: CAPITAL MARKET, REGULATORS, OWNERS, LABOUR MARKET, MISCELLANEOUS, PURCHASING MARKET, SALES MARKET, ORGANIZATION]
Internal risks by their origin. Identify the critical aspects of: management and execution of the processes; use of resources; the functioning of management and staff. From these aspects, establish control objectives aimed at: recognizing possible threats (as early as possible); preventing them from occurring; limiting or eliminating their adverse consequences.
Monitoring (1). The reasons for monitoring and evaluating the operation of control systems are: the dynamics of society, and consequently of the organization, make the control systems dynamic and subject to change as well; the actual functioning of a control system may deviate from its design.
Monitoring (2). Monitoring must be a permanent process and, as such, part of the control system. An internal audit department can have the monitoring of the control system as one of its tasks.
Threats to Accounting Information Systems What are examples of natural and political disasters? fire or excessive heat floods earthquakes high winds war
Threats to Accounting Information Systems What are examples of software errors and equipment malfunctions? hardware failures power outages and fluctuations undetected data transmission errors
Threats to Accounting Information Systems What are examples of unintentional acts? accidents caused by human carelessness innocent errors of omissions lost or misplaced data logic errors systems that do not meet company needs
Threats to Accounting Information Systems What are examples of intentional acts? sabotage computer fraud embezzlement
Overview of Control Concepts What is the traditional definition of internal control? Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.
Overview of Control Concepts What is management control? Management control encompasses the following three features: It is an integral part of management responsibilities. It is designed to reduce errors, irregularities, and achieve organizational goals. It is personnel-oriented and seeks to help employees attain company goals.
Internal Control Classifications The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications: Preventive, detective, and corrective controls General and application controls Administrative and accounting controls Input, processing, and output controls
Committee of Sponsoring Organizations The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations: American Accounting Association AICPA Institute of Internal Auditors Institute of Management Accountants Financial Executives Institute
Committee of Sponsoring Organizations In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems. The report has been widely accepted as the authority on internal controls.
Recommended additional reading: Het COSO-raamwerk: instrument voor de beoordeling van de "interne beheersing" (The COSO framework: an instrument for assessing "internal control"), Remko Renes, Handboek Accountancy, autumn 2003
Committee of Sponsoring Organizations The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regards to: effectiveness and efficiency of operations reliability of financial reporting compliance with applicable laws and regulations safeguarding of assets
Committee of Sponsoring Organizations COSO’s internal control model has five crucial components: Control environment Control activities Risk assessment Information and communication Monitoring
The Control Environment The first component of COSO’s internal control model is the control environment. The control environment consists of many factors, including the following: Commitment to integrity and ethical values Management’s philosophy and operating style Organizational structure
The Control Environment The audit committee of the board of directors Methods of assigning authority and responsibility Human resources policies and practices External influences
Control Activities The second component of COSO’s internal control model is control activities. Generally, control procedures fall into one of five categories: Proper authorization of transactions and activities Segregation of duties
Control Activities Design and use of adequate documents and records Adequate safeguards of assets and records Independent checks on performance
Proper Authorization of Transactions and Activities Authorization is the empowerment management gives employees to perform activities and make decisions. A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged. Specific authorization is the granting of authorization by management for certain activities or transactions.
Segregation of Duties Good internal control demands that no single employee be given too much responsibility. An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.
Segregation of Duties Custodial functions: handling cash, handling assets, writing checks, receiving checks in the mail. Authorization functions: authorization of transactions. Recording functions: preparing source documents, maintaining journals, preparing reconciliations, preparing performance reports.
Segregation of Duties If two of these three functions are the responsibility of a single person, problems can arise. Segregation of duties prevents employees from falsifying records in order to conceal the theft of assets entrusted to them. It also prevents the authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
Segregation of Duties Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
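The three-way incompatibility above can be checked mechanically. The following is an added example, not part of the lecture slides: it classifies the duties named on the slide into custody, authorization and recording, and reports every employee whose assignments span two or more of those categories. The employee names and assignments are constructed sample data.

```python
# Added example (not from the lecture slides): a segregation-of-duties check
# over a constructed set of role assignments. The three function categories
# follow the slide: custody, authorization, recording.
from collections import defaultdict

# Map each duty named on the slide to its function category.
DUTY_CATEGORY = {
    "handle cash": "custody",
    "handle assets": "custody",
    "write checks": "custody",
    "receive checks in mail": "custody",
    "authorize transactions": "authorization",
    "prepare source documents": "recording",
    "maintain journals": "recording",
    "prepare reconciliations": "recording",
    "prepare performance reports": "recording",
}


def sod_conflicts(assignments):
    """Return {employee: sorted categories} for every employee who holds
    duties in two or more of the three incompatible categories.

    assignments: iterable of (employee, duty) pairs.
    An unclassified duty raises, so a typo cannot silently bypass the check.
    """
    held = defaultdict(set)
    for employee, duty in assignments:
        if duty not in DUTY_CATEGORY:
            raise ValueError(f"unclassified duty: {duty!r}")
        held[employee].add(DUTY_CATEGORY[duty])
    return {emp: sorted(cats) for emp, cats in held.items() if len(cats) >= 2}


# Constructed sample: bob both writes checks (custody) and maintains the
# journals (recording); dave handles cash and also authorizes transactions.
# carol only records, so two recording duties are not a conflict.
SAMPLE_ASSIGNMENTS = [
    ("alice", "authorize transactions"),
    ("bob", "write checks"),
    ("bob", "maintain journals"),
    ("carol", "prepare reconciliations"),
    ("carol", "prepare performance reports"),
    ("dave", "handle cash"),
    ("dave", "authorize transactions"),
]

if __name__ == "__main__":
    for emp, cats in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{emp}: holds duties across {', '.join(cats)}")
```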
Design and Use of Adequate Documents and Records The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data. Documents that initiate a transaction should contain a space for authorization.
Design and Use of Adequate Documents and Records The following procedures safeguard assets from theft, unauthorized use, and vandalism: effectively supervising and segregating duties maintaining accurate records of assets, including information restricting physical access to cash and paper assets having restricted storage areas
Adequate Safeguards of Assets and Records What can be used to safeguard assets? cash registers safes, lockboxes safety deposit boxes restricted and fireproof storage areas controlling the environment restricted access to computer rooms, computer files, and information
Independent Checks on Performance Independent checks to ensure that transactions are processed accurately are another important control element. What are various types of independent checks? reconciliation of two independently maintained sets of records comparison of actual quantities with recorded amounts
Independent Checks on Performance double-entry accounting batch totals Five batch totals are used in computer systems: A financial total is the sum of a dollar field. A hash total is the sum of a field that would usually not be added.
Independent Checks on Performance A record count is the number of documents processed. A line count is the number of lines of data entered. A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
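The five batch totals just listed, applied to a constructed batch of records before and after posting. This is an added example, not code from the slides: the batch contents, the transposed account number and the report totals are all made up for the illustration. It shows why a hash total catches an error that the financial total cannot see.

```python
# Added example (not from the lecture slides): the five batch totals computed
# over a constructed batch, with the input totals compared against the totals
# recomputed after posting.

def batch_totals(records):
    """records: list of dicts with 'account' (a field that is not normally
    added, used for the hash total), 'amount' (a dollar field) and 'lines'
    (the number of detail lines on the document)."""
    return {
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),
        "record_count": len(records),
        "line_count": sum(r["lines"] for r in records),
    }


def batch_discrepancies(input_records, posted_records):
    """Return {total_name: (input_value, posted_value)} for every total that
    changed between data entry and posting."""
    before, after = batch_totals(input_records), batch_totals(posted_records)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def cross_foot(row_totals, column_totals):
    """Cross-footing balance test on a report's stated totals: the grand
    total of the row totals must equal the grand total of the column totals.
    Returns (ok, grand_rows, grand_cols)."""
    grand_rows = round(sum(row_totals), 2)
    grand_cols = round(sum(column_totals), 2)
    return grand_rows == grand_cols, grand_rows, grand_cols


# Constructed sample batch as keyed by the clerk.
INPUT_BATCH = [
    {"account": 1234, "amount": 120.50, "lines": 2},
    {"account": 2048, "amount": 75.00, "lines": 1},
    {"account": 3110, "amount": 304.25, "lines": 3},
]
# Constructed: the same batch as posted, with account 1234 transposed to 1243.
# The financial total, record count and line count are unchanged; only the
# hash total reveals the error.
POSTED_BATCH = [
    {"account": 1243, "amount": 120.50, "lines": 2},
    {"account": 2048, "amount": 75.00, "lines": 1},
    {"account": 3110, "amount": 304.25, "lines": 3},
]

if __name__ == "__main__":
    print(batch_discrepancies(INPUT_BATCH, POSTED_BATCH))
    print(cross_foot([499.75, 250.00], [600.00, 194.75]))
```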
Risk Assessment The third component of COSO’s internal control model is risk assessment. Companies must identify the threats they face: strategic — doing the wrong thing financial — having financial resources lost, wasted, or stolen information — faulty or irrelevant information, or unreliable systems
Risk Assessment Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as: Choosing an inappropriate technology Unauthorized system access Tapping into data transmissions Loss of data integrity
Risk Assessment Incomplete transactions System failures Incompatible systems
Risk Assessment Some threats pose a greater risk because the probability of their occurrence is more likely. What is an example? A company is more likely to be the victim of a computer fraud rather than a terrorist attack. Risk and exposure must be considered together.
Estimate Cost and Benefits No internal control system can provide foolproof protection against all internal control threats. The cost of a foolproof system would be prohibitively high. One way to calculate benefits involves calculating expected loss.
Estimate Cost and Benefits The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it. Expected loss = risk × exposure
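The expected-loss rule above, together with the steps of the earlier "Risk analysis" slide (estimate the probability and the damage, then choose between covering the risk and restoring the damage), worked through on a constructed threat inventory. This is an added example, not from the slides; every probability, exposure and control cost is an illustrative assumption. It also shows the point of the "Risk Assessment" slide that risk and exposure must be considered together: the high-exposure but very unlikely threat has the smallest expected loss.

```python
# Added example (not from the lecture slides): expected loss = risk x exposure,
# control benefit = expected loss without the control minus expected loss
# with it, and a cost/benefit decision per threat. All figures are assumed.

def expected_loss(risk, exposure):
    """risk: probability the threat occurs in the period;
    exposure: loss if it does occur."""
    return risk * exposure


def control_benefit(risk_without, risk_with, exposure):
    """Benefit of a control procedure = expected loss without it minus the
    expected loss that remains with it in place."""
    return expected_loss(risk_without, exposure) - expected_loss(risk_with, exposure)


def evaluate_controls(threats):
    """threats: dicts with 'name', 'risk', 'exposure', and for the proposed
    control 'residual_risk' (risk once the control is in place) and 'cost'.
    Returns (name, expected_loss, benefit, cost, decision) per threat; the
    control is worth implementing only when its benefit exceeds its cost,
    otherwise the risk is accepted and the damage restored if it occurs."""
    results = []
    for t in threats:
        loss = round(expected_loss(t["risk"], t["exposure"]), 2)
        benefit = round(control_benefit(t["risk"], t["residual_risk"], t["exposure"]), 2)
        decision = "implement" if benefit > t["cost"] else "accept (restore damage)"
        results.append((t["name"], loss, benefit, t["cost"], decision))
    return results


# Constructed threat inventory (assumed figures, per year).
THREATS = [
    {"name": "computer fraud", "risk": 0.10, "exposure": 250_000,
     "residual_risk": 0.02, "cost": 12_000},
    {"name": "terrorist attack", "risk": 0.001, "exposure": 2_000_000,
     "residual_risk": 0.0005, "cost": 5_000},
    {"name": "power outage", "risk": 0.30, "exposure": 20_000,
     "residual_risk": 0.05, "cost": 4_000},
]

if __name__ == "__main__":
    for row in evaluate_controls(THREATS):
        print(row)
```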
Information and Communication The fourth component of COSO’s internal control model is information and communication. Accountants must understand the following: How transactions are initiated How data are captured in machine-readable form or converted from source documents
Information and Communication How computer files are accessed and updated How data is processed to prepare information How information is reported All of these items make it possible for the system to have an audit trail. An audit trail exists when individual company transactions can be traced through the system.
Monitoring Performance The fifth component of COSO’s internal control model is monitoring. What are the key methods of monitoring performance? effective supervision responsibility accounting internal auditing