Published by Stefan Mertens. Last modified more than 9 years ago.
Management Information Systems (Bestuurlijke Informatievoorziening)
A. COSO
B. Control and Accounting
C. Information Systems
D. Control processes
First: (a) COSO
Internal control: COSO
The COSO report is the linking pin between management control and internal control.
Focus areas:
- Financial accountability information, with the underlying task management: internal control
- Strategy implementation: management control
Management Control vs Internal Control
COSO definition of Internal Control
A process effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Safeguarding of assets (added later)
Components of internal control
- Control environment
- Risk analysis
- Control activities
- Information and communication
- Monitoring
Third: (c) Control processes
Designing a control system
- Inventory of the threats and analysis of the risks
- Determining the control objectives
- Selecting control measures and integrating them into a system (design)
- Implementing the control system
- Evaluating quality and effectiveness (monitoring)
- Adjusting the control system
Designing a control system (beheerssysteem) (1)
Collecting information about:
- The objectives and the policy based on them
- The environment: the entities in it and their objectives
- The structure and functioning of the organisation itself
- Other influencing factors
Designing a control system (2)
- Inventory of the threats and analysis of the risks
- Establishing the control objectives
- Selecting control measures and integrating them into a system
- Implementing the control system
- Evaluating quality and effectiveness
- Modification
Risk analysis
Risk analysis consists of the following steps:
- Inventory of the possible threats
- Estimate of the probability that they actually occur
- Analysis of the possible damage if they do occur
The next step is risk management, based on the choice between "covering" the risk and "repairing the damage" in due course.
Important aspects of risk analysis
- The quality of the risk analysis determines the quality of the control system
- A number of methodologies exist; the COSO report also describes an approach
- In many organisations risk analysis is set up as a separate function at a high level in the organisation
Categorisation of risks
By their origin: external versus internal
By their impact on the organisation (COSO): operational, financial, compliance
External risks by their origin
(Diagram: the ORGANISATION in the centre, surrounded by the sources of external risk:)
- Capital market
- Regulators
- Owners
- Labour market
- Purchasing market
- Sales market
- Miscellaneous
Internal risks by their origin
Identify the critical aspects of:
- The management and execution of the processes
- The use of resources
- The functioning of management and staff
From these aspects, establish control objectives aimed at:
- Recognising possible threats (as early as possible)
- Preventing them from occurring
- Limiting or eliminating their adverse consequences
Monitoring (1)
The reasons for monitoring and evaluating the operation of control systems are:
- The dynamics of society, and consequently of the organisation, make the control systems dynamic and subject to change as well
- The actual functioning of a control system can deviate from its design
Monitoring (2)
Monitoring should be a permanent process and, as such, part of the control system.
An internal audit department can have the monitoring of the control system as (one of) its tasks.
Threats to Accounting Information Systems
What are examples of natural and political disasters?
- fire or excessive heat
- floods
- earthquakes
- high winds
- war
Threats to Accounting Information Systems
What are examples of software errors and equipment malfunctions?
- hardware failures
- power outages and fluctuations
- undetected data transmission errors
Threats to Accounting Information Systems
What are examples of unintentional acts?
- accidents caused by human carelessness
- innocent errors or omissions
- lost or misplaced data
- logic errors
- systems that do not meet company needs
Threats to Accounting Information Systems
What are examples of intentional acts?
- sabotage
- computer fraud
- embezzlement
Overview of Control Concepts
What is the traditional definition of internal control? Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.
Overview of Control Concepts
What is management control? Management control encompasses the following three features:
- It is an integral part of management responsibilities.
- It is designed to reduce errors and irregularities and to achieve organizational goals.
- It is personnel-oriented and seeks to help employees attain company goals.
Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
- Preventive, detective, and corrective controls
- General and application controls
- Administrative and accounting controls
- Input, processing, and output controls
Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
- American Accounting Association
- AICPA
- Institute of Internal Auditors
- Institute of Management Accountants
- Financial Executives Institute
Committee of Sponsoring Organizations
In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems. The report has been widely accepted as the authority on internal controls.
Recommended further reading
The COSO framework: an instrument for assessing "internal control" (interne beheersing). Remko Renes, Handboek Accountancy, autumn 2003.
Committee of Sponsoring Organizations
The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations
- safeguarding of assets
Committee of Sponsoring Organizations
COSO's internal control model has five crucial components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring
The Control Environment
The first component of COSO's internal control model is the control environment. The control environment consists of many factors, including the following:
- Commitment to integrity and ethical values
- Management's philosophy and operating style
- Organizational structure
The Control Environment
- The audit committee of the board of directors
- Methods of assigning authority and responsibility
- Human resources policies and practices
- External influences
Control Activities
The second component of COSO's internal control model is control activities. Generally, control procedures fall into one of five categories:
- Proper authorization of transactions and activities
- Segregation of duties
- Design and use of adequate documents and records
- Adequate safeguards of assets and records
- Independent checks on performance
Proper Authorization of Transactions and Activities
Authorization is the empowerment management gives employees to perform activities and make decisions. Digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged. Specific authorization is the granting of authorization by management for certain activities or transactions.
Segregation of Duties
Good internal control demands that no single employee be given too much responsibility. An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.
Segregation of Duties
Custodial functions:
- Handling cash
- Handling assets
- Writing checks
- Receiving checks in mail
Authorization functions:
- Authorization of transactions
Recording functions:
- Preparing source documents
- Maintaining journals
- Preparing reconciliations
- Preparing performance reports
Segregation of Duties
If two of these three functions are the responsibility of a single person, problems can arise. Segregation of duties prevents employees from falsifying records in order to conceal the theft of assets entrusted to them, and prevents the authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
Segregation of Duties
Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
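As an added illustration (not part of the original slides), the three-function rule above can be checked mechanically over a set of duty assignments. The Python below maps each duty the slides list to its function group (custody, authorization, recording) and flags anyone holding duties in two or more groups; the staff names and their assignments are constructed for the example.

```python
"""Segregation-of-duties check (added example; staff and assignments constructed).

Each duty from the slides is mapped to one of the three function groups.
A person who holds duties in two or more groups is flagged, which is the
rule stated on the slide: custody, authorization and recording must not
meet in one pair of hands.
"""

# The three function groups and the duties the slides list under each.
FUNCTION_GROUPS = {
    "custody": {"handling cash", "handling assets", "writing checks",
                "receiving checks in mail"},
    "authorization": {"authorization of transactions"},
    "recording": {"preparing source documents", "maintaining journals",
                  "preparing reconciliations", "preparing performance reports"},
}

# Reverse index: duty -> function group.
DUTY_TO_GROUP = {duty: group
                 for group, duties in FUNCTION_GROUPS.items()
                 for duty in duties}


def groups_held(duties):
    """Return the set of function groups covered by one person's duties.
    An unclassified duty raises, so a typo cannot silently hide a conflict."""
    groups = set()
    for duty in duties:
        if duty not in DUTY_TO_GROUP:
            raise ValueError(f"unclassified duty: {duty!r}")
        groups.add(DUTY_TO_GROUP[duty])
    return groups


def find_sod_conflicts(assignments):
    """assignments: {person: [duties]} -> {person: sorted groups held}
    for every person whose duties span two or more of the three groups."""
    conflicts = {}
    for person, duties in assignments.items():
        groups = groups_held(duties)
        if len(groups) >= 2:
            conflicts[person] = sorted(groups)
    return conflicts


# Constructed sample assignments (hypothetical staff, not from the slides).
SAMPLE_ASSIGNMENTS = {
    "alice": ["handling cash", "receiving checks in mail"],          # custody only
    "bob": ["authorization of transactions"],                         # authorization only
    "carol": ["maintaining journals", "preparing reconciliations"],   # recording only
    "dave": ["writing checks", "maintaining journals"],               # custody + recording
    "erin": ["authorization of transactions", "preparing source documents",
             "handling assets"],                                      # all three groups
}

if __name__ == "__main__":
    for person, groups in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{person}: holds {', '.join(groups)} -> segregation-of-duties conflict")
```

The same check runs unchanged over a larger role matrix exported from an HR or identity system, as long as each duty has been classified into one of the three groups first; the unclassified-duty error is deliberate, because an unmapped duty is a gap in the analysis rather than a clean result.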
Design and Use of Adequate Documents and Records
The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data. Documents that initiate a transaction should contain a space for authorization.
Design and Use of Adequate Documents and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
- effectively supervising and segregating duties
- maintaining accurate records of assets, including information
- restricting physical access to cash and paper assets
- having restricted storage areas
Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
- cash registers
- safes, lockboxes
- safety deposit boxes
- restricted and fireproof storage areas
- controlling the environment
- restricted access to computer rooms, computer files, and information
Independent Checks on Performance
Independent checks to ensure that transactions are processed accurately are another important control element. What are various types of independent checks?
- reconciliation of two independently maintained sets of records
- comparison of actual quantities with recorded amounts
Independent Checks on Performance
- double-entry accounting
- batch totals
Five batch totals are used in computer systems:
- A financial total is the sum of a dollar field.
- A hash total is the sum of a field that would usually not be added.
- A record count is the number of documents processed.
- A line count is the number of lines of data entered.
- A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
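An added example (not from the slides) of the five batch totals computed in Python over a constructed batch of invoice records. The totals are taken once on the input batch and again on the batch as it came out of processing, so a dropped or mis-keyed record shows up as a mismatch; the cross-footing test is applied to a worksheet's recorded row and column totals. Record layout, field names and all values are constructed.

```python
"""Batch totals for independent checks (added example; batch data constructed).

Four totals (financial, hash, record count, line count) are computed over an
input batch and over the processed batch; any total that differs points at a
dropped, duplicated or mis-keyed record. The cross-footing balance test is
applied separately to a worksheet's recorded row and column totals.
"""

# Constructed input batch of invoice records. "customer" is an id field that
# is not normally added, which is exactly what a hash total is for.
INPUT_BATCH = [
    {"invoice": 1001, "customer": 501, "amount": 250.00, "lines": 3},
    {"invoice": 1002, "customer": 507, "amount": 99.50, "lines": 1},
    {"invoice": 1003, "customer": 501, "amount": 1200.00, "lines": 5},
    {"invoice": 1004, "customer": 512, "amount": 45.25, "lines": 2},
]

# Two constructed "after processing" versions: invoice 1003 mis-keyed as
# 1020.00 instead of 1200.00, and invoice 1002 dropped entirely.
MISKEYED_BATCH = [dict(r, amount=1020.00) if r["invoice"] == 1003 else r
                  for r in INPUT_BATCH]
DROPPED_BATCH = [r for r in INPUT_BATCH if r["invoice"] != 1002]


def batch_totals(records):
    """Four of the five batch totals for one batch (cross-footing is below)."""
    return {
        "financial_total": round(sum(r["amount"] for r in records), 2),  # sum of a dollar field
        "hash_total": sum(r["customer"] for r in records),              # sum of a non-additive field
        "record_count": len(records),                                   # documents processed
        "line_count": sum(r["lines"] for r in records),                 # lines of data entered
    }


def mismatched_totals(expected, actual):
    """Names of the totals that differ; an empty list means the batch reconciles."""
    return sorted(name for name in expected if expected[name] != actual[name])


def cross_foot(row_totals, column_totals):
    """Cross-footing balance test: the grand total of the recorded row totals
    must equal the grand total of the recorded column totals."""
    return round(sum(row_totals), 2) == round(sum(column_totals), 2)


# Constructed worksheet totals (say regions x quarters): the first pair
# reconciles, the second has one column total keyed 50 too high.
ROW_TOTALS = [600.0, 900.0]
COLUMN_TOTALS_OK = [700.0, 800.0]
COLUMN_TOTALS_BAD = [700.0, 850.0]

if __name__ == "__main__":
    control = batch_totals(INPUT_BATCH)
    print("control totals:", control)
    for label, batch in (("mis-keyed", MISKEYED_BATCH), ("dropped", DROPPED_BATCH)):
        print(f"{label} batch differs in:", mismatched_totals(control, batch_totals(batch)))
    print("worksheet cross-foots:", cross_foot(ROW_TOTALS, COLUMN_TOTALS_OK),
          cross_foot(ROW_TOTALS, COLUMN_TOTALS_BAD))
```

Note which totals catch which error: the mis-keyed amount moves only the financial total, while a dropped record moves every total, which is why the hash total and the counts are kept alongside the dollar total rather than relying on the dollar total alone.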
Risk Assessment
The third component of COSO's internal control model is risk assessment. Companies must identify the threats they face:
- strategic: doing the wrong thing
- financial: having financial resources lost, wasted, or stolen
- information: faulty or irrelevant information, or unreliable systems
Risk Assessment
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
- Choosing an inappropriate technology
- Unauthorized system access
- Tapping into data transmissions
- Loss of data integrity
- Incomplete transactions
- System failures
- Incompatible systems
Risk Assessment
Some threats pose a greater risk because the probability of their occurrence is more likely. What is an example? A company is more likely to be the victim of a computer fraud than of a terrorist attack. Risk and exposure must be considered together.
Estimate Costs and Benefits
No internal control system can provide foolproof protection against all internal control threats. The cost of a foolproof system would be prohibitively high. One way to calculate benefits involves calculating expected loss.
Estimate Costs and Benefits
The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.
Expected loss = risk × exposure
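An added Python example (not part of the original presentation) that carries the formula through: expected loss as risk times exposure, the benefit of a control as the difference between the expected loss without it and with it, and the net benefit after subtracting the control's cost. It also walks the risk-analysis steps from the earlier slide (estimate the probability, estimate the damage, then choose between covering the risk and accepting the damage), and reproduces the computer-fraud versus terrorist-attack comparison. The threats, probabilities, amounts and control names are all constructed.

```python
"""Expected loss and control cost/benefit (added example; figures constructed).

Formulas from the slides:
    expected loss      = risk x exposure
    benefit of control = expected loss without it - expected loss with it
A control is only worth running when its benefit exceeds its cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    risk: float       # probability that the threat occurs in a year (0..1)
    exposure: float   # loss in dollars if it does occur


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_risk: float      # probability once the control is in place
    residual_exposure: float  # loss per occurrence once the control is in place


def expected_loss(risk, exposure):
    """Expected loss = risk x exposure; rejects probabilities outside 0..1."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError(f"risk must be a probability, got {risk}")
    return round(risk * exposure, 2)


def control_benefit(threat, control):
    """Reduction in expected loss that the control delivers."""
    without = expected_loss(threat.risk, threat.exposure)
    with_control = expected_loss(control.residual_risk, control.residual_exposure)
    return round(without - with_control, 2)


def net_benefit(threat, control):
    """Benefit minus the cost of running the control."""
    return round(control_benefit(threat, control) - control.annual_cost, 2)


def recommend(threat, controls):
    """Pick the control with the highest positive net benefit. Returns None when
    no control pays for itself, i.e. accepting the risk and repairing the
    damage if it occurs is the cheaper choice."""
    best = max(controls, key=lambda c: net_benefit(threat, c), default=None)
    if best is None or net_benefit(threat, best) <= 0:
        return None
    return best


# Constructed threats and candidate controls (hypothetical figures).
COMPUTER_FRAUD = Threat("computer fraud", risk=0.10, exposure=500_000)
FRAUD_CONTROLS = [
    Control("transaction authorization limits", annual_cost=8_000,
            residual_risk=0.02, residual_exposure=500_000),
    Control("real-time fraud monitoring", annual_cost=60_000,
            residual_risk=0.005, residual_exposure=200_000),
]

# A far less likely threat: its expected loss is small, so even a control
# that halves the risk fails the cost/benefit test and the risk is accepted.
TERRORIST_ATTACK = Threat("terrorist attack", risk=0.0001, exposure=2_000_000)
ATTACK_CONTROLS = [
    Control("blast-resistant premises", annual_cost=50_000,
            residual_risk=0.00005, residual_exposure=1_000_000),
]

if __name__ == "__main__":
    for threat, controls in ((COMPUTER_FRAUD, FRAUD_CONTROLS),
                             (TERRORIST_ATTACK, ATTACK_CONTROLS)):
        print(f"{threat.name}: expected loss {expected_loss(threat.risk, threat.exposure):,.2f}")
        for c in controls:
            print(f"  {c.name}: benefit {control_benefit(threat, c):,.2f}, "
                  f"net {net_benefit(threat, c):,.2f}")
        choice = recommend(threat, controls)
        print("  recommended:", choice.name if choice else "accept the risk")
```

The second candidate for computer fraud has the larger benefit but the smaller net benefit, which is the point of the slide: benefit is measured against cost, not in isolation, and a threat with a large exposure but a tiny probability can legitimately be left uncovered.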
Information and Communication
The fourth component of COSO's internal control model is information and communication. Accountants must understand the following:
- How transactions are initiated
- How data are captured in machine-readable form or converted from source documents
- How computer files are accessed and updated
- How data is processed to prepare information
- How information is reported
All of these items make it possible for the system to have an audit trail. An audit trail exists when individual company transactions can be traced through the system.
Monitoring Performance
The fifth component of COSO's internal control model is monitoring. What are the key methods of monitoring performance?
- effective supervision
- responsibility accounting
- internal auditing