Why does a business organization exist
to transfer goods/services
to make a profit
risk
- exposure to the chance of injury or loss
- inherent in each transaction and event and is mitigated through internal controls
- anything that can go wrong and hurt a business
how does a business meet its goals and objectives
through series of transactions and events in business processes
types of transactions
financial
non financial
financial transactions
economic events that affect the assets, liabilities, and/or equity of the org
some event that leads to a journal entry
non financial transactions
all other events processed by the org's information system
technically not referred to as a transaction
no journal entry necessary but still an important event
how are transactions grouped
in cycles
expenditure, conversion, revenue
expenditure cycle
acquiring items and making payments
buying and paying for raw materials, inventory, or fixed assets
payments can be one time or a stream
paying for labor
subsystems: purchasing/accounts payable, cash disbursements, payroll, fixed assets
conversion cycle
taking acquired resources and turning them into goods/services
tracking costs
subsystems: production planning and control, cost accounting
revenue cycle
selling goods/services and collecting cash
subsystems: sales order processing, cash receipts
business process
series of activities that accomplishes a business objective
broken into 3 different ways:
- acquisition/payment process
- conversion process
- sales/collection process
acquisition/payment process
acquiring, maintaining, and paying for resources the org needs to provide goods/services
(equivalent to expenditure cycle)
conversion process
converting the acquired resources into goods and services
typical activities: manufacturing, providing, distributing, growing, harvesting
(equivalent to conversion cycle)
sales/collection process
selling goods and services to customers and collecting payment
different ways to sell: in person, online, online order with instore pickup
(equivalent to revenue cycle)
types of risk
financial reporting risk
financial performance risk
operational risk
compliance risk
operational risk
includes cybersecurity risk: the chance that technology fails or is attacked and data is breached
compliance risk
not following rules and regulations of industry
where can risk arise from
business environment
business strategy
transactions and events in business cycles/processes
how can businesses mitigate risk
establish internal controls
look for what can go wrong and then create a control
preventative controls
focus on
preventing
an error or irregularity
- upfront, make sure things don't happen
detective controls
focus on
identifying
when an error or irregularity has occurred
- find out as soon as possible to correct it and try to create preventative ones for the next time
corrective controls
focus on
recovering
from, repairing the damage from, or minimizing the cost of an error or irregularity
Sarbanes-Oxley Act of 2002 Section 404
- must prepare an annual internal control report
- must state it is responsible for designing and maintaining internal control procedures over financial reporting system
- must assess these controls and ensure they're working as they're supposed to
- externa
examples of internal control activities
approvals/authorizations
separation of responsibilities
prenumbered documents
security of assets
independent check on performance
reconciliations
AIS (Accounting Information Systems)
organizational component that accumulates, classifies, analyzes, and communicates relevant financial and non financial decision-making info to a company's internal and external parties
Purpose of AIS
collect and store data
transform data into info
provide assurance that
- org's data is accurate and reliable
- org's assets are safeguarded
- org is operating as managers intend
Luca Pacioli
- father of accounting
- painting by Jacopo de Barbari
- Franciscan monk
- tutored in homes of rich Italian merchants; wrote books about math and religion
- wrote "Summa de Arithmetica, Geometria, Proportioni et Proportionalità"
Summa de Arithmetica, Geometria, Proportioni et Proportionalità
everything about arithmetic, geometry, and proportion
book that contains chapters describing the double-entry accounting and accounting cycle
flowcharts in AIS
used in system development to document a system that already exists
- help SOX Section 404 compliance
- for internal use
flowchart types
document flowchart
system flowchart
internal control flowchart
program flowchart
document flowchart
shows elements of a
manual
system; includes documents, accounting records, areas of responsibility, and tasks
system flowchart
shows elements of a
computerized
system; may have
some manual
elements; shows relationship between input, processing, and output
internal control flowchart
shows manual and computerized elements of a system;
include internal controls
program flowchart
shows sequence of logical
operations performed by a computer
in executing a program
document
rectangle with squiggle bottom
document with multiple copies
multiple rectangles with squiggly bottoms
each one has own number, track path of each one individually
manual processing
upside-down trapezoid
anything done by hand, put an explanation of what is being done
computer processing
rectangle
anything done by computer; won't be used in our project
accounting records
parallelogram
terminal
long oval
also called entrance/exit symbol
gets you in or out of certain parts of a flowchart
decision
diamond
most have a yes/no response
storage of document
upside down triangle
either permanent or temporary
need to articulate how the documents are filed (using letters: A = alphabetical, N = numerical, C = chronological)
data flow
solid line
physical documents moving
information flow
dotted line
nothing physical is being transported
guidelines for flowcharting
- it is an art, not a science
- flow proceeds from left to right, top to bottom
- use standard set of symbols
- clearly label all symbols
- show where documents originate and terminate
- number all document copies
- observe the sandwich rule
- use clarifi
sandwich rule
top bread is input
middle is process
bottom bread is output
clarification comments
(annotations)
important short sentences
can provide info about controls
internal controls
ex: ensuring all transactions are approved, do you have a process to show they're approved
areas of responsibility
who does what, usually a department or position within a department
shield connector
contains connectors to other pages
circle connector
connector within the same page
business ethics
principles of conduct used in decision making that involve the concepts of right and wrong
- need to balance conflicting responsibilities to stakeholders
fraud
intentional deception, misappropriation of assets or manipulation of financial data to benefit the perpetrator
fraud triangle
pressure
ethics (rationalization)
opportunity
opportunity
be in the right place at the right time
necessitates good internal controls
pressure
outside factors that influence an individual to take action
ex: pressure from bosses (quotas), personal financial pressures
rationalization
justifying behavior for a certain reason
how an individual convinces themselves that what they're doing is ok
fraud diamond
includes rationalization, incentive (pressure), capability, opportunity
capability
personality traits that result in individual seeking and taking advantage of opportunities to commit fraud
The typical organization reported losses _____ of its annual revenues to fraud.
5%
What is the most common form of fraud?
asset misappropriation
skimming
takes cash before it is recorded, so there is no documentation that the cash ever came through the door
What is the most costly form (median loss) of fraud?
financial statement fraud
Employees in which of the following departments were responsible for the most fraud?
Accounting
Which of the following positions is associated with the highest median loss frauds in U. S.?
Owner/Executive
What is the median time a fraud lasted before detection?
1.5 years
Which of the following resulted in the highest percentage of initial detections of fraud?
Tips
Which of the following is the most common behavioral red flag of fraud?
living beyond means
True/False: Smaller business (less than 100 employees) have a higher incidence of fraud than larger businesses.
True
What percent of the cases investigated were referred to law enforcement?
~60%
What percent of cases referred to law enforcement resulted in a finding of guilt?
76%
Foreign Corrupt Practices Act 1977
- made it illegal for U.S. companies to engage in bribery in foreign countries
- required companies to have internal controls
Sarbanes-Oxley Act of 2002: Section 302
requires management of
publicly-traded
companies to:
- certify financial info in quarterly/annual reports
- certify internal controls over financial reporting on quarterly/annual basis
- disclose material changes in internal controls
Necessitates independ
Sarbanes-Oxley Act of 2002: Code of Ethics (Section 406)
requires
publicly traded
companies to
- disclose to SEC whether they have a code of ethics for CEO, CFO, controller, etc
- must provide explanation if they don't
Sarbanes-Oxley: Relationship between Accounting firm and Audit Clients
- auditors report to and are overseen by audit committee NOT management
- audit committee must pre-approve all services provided by auditor
- auditors prohibited from offering certain non-audit services to audit clients
listed out specific services that c
audit committee
members must be independent of management (independent board directors; officers and employees of the company cannot serve)
meets 1-2 times per month - gained more responsibility
must have new types of liability insurance
Sarbanes-Oxley Act of 2002: Assessing Effectiveness of Controls (Section 404)
requires corporate management to assess effectiveness of company's internal controls over financial reporting
ways corporate managers check to make sure controls are working
- create statement of management's responsibility to establish and maintain controls
- assess its effectiveness
- create statement that external auditors have issued an attestation report on effectiveness of controls
- conclusion on effectiveness
-
identi
Sarbanes-Oxley Act of 2002: Creation of PCAOB
Public company accounting oversight board
- 5 members
- establish standards for public accounting firms to follow when prepping and issuing audit reports
- inspect accounting firms conducting audits
how often are firms audited by PCAOB
large firms = once a year
small firms = every three years
Frameworks used in assessment
PCAOB and SEC endorse
COSO Framework
COBIT is also used
COBIT Framework
international framework issued by IT governance institute
used to evaluate IT controls
CISA
certified information systems auditor
COSO Framework
Committee of Sponsoring Organizations of the Treadway Commission
- formed because of concern about fraud
COSO Report of 1992
Internal Control Integrated Framework
- designed to help companies assess/design internal controls
Updated COSO Framework 2013
maintained same definition of internal control and same 5 components of internal control system
adds 17 principles associated with components
reasons for COSO update
- changes in expectations about governance oversight
- globalization
- changes and more complexity in business
- demands and complexity in laws, rules, regulations
- use and reliance on evolving tech
- expectations about preventing and detecting fraud
internal control
process designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
Three categories of objectives of internal controls
- effectiveness and efficiency of operations
- reliability of internal and external financial and non-financial reporting
- compliance with applicable laws and regulations
5 components of internal controls
- control environment
- risk assessment
- control activities
- information and communications
- monitoring
control environment
sets tone of organization, influencing control consciousness of people
"tone at the top"
(consider that high level employees are more likely to commit financial statement fraud)
Areas included in the control environment
- integrity and ethical values
- commitment to competence
- board of directors and audit committee participation
- management philosophy and operating style
- organization structure (who makes decisions)
- assignment of authority and responsibility
- huma
risk assessment
identifying and analyzing the relevant risks associated with the org achieving its objectives
materiality risk relationship
the higher the likelihood of loss, the larger the potential impact
control activities
policies and procedures org uses to ensure that necessary actions are taken to minimize risks associated with achieving objectives
3 major types of control activities
- preventative controls
- detective controls
- corrective controls
purpose of control activities
- separation of duties: responsibilities that should be assigned to different employees
- approvals/authorizations
- prenumbered documents
- security of assets
- independent check on performance
- performance reviews
- reconciliations
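The preventive and detective control types defined earlier, and the control activities listed here (approvals/authorizations, separation of duties, prenumbered documents), are easiest to see as enforced checks in a purchasing workflow. The following is an added example written for this page, not code from the course material it summarizes: the role table, the approval limit, the user names and the document numbers are constructed assumptions. `approve` applies the preventive controls at the moment of approval; `sequence_check` is the detective control an auditor runs over the prenumbered PO register afterwards.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumed role assignments and approval limit for this example; a real system
# would read them from the identity provider and the org's authorization matrix.
ROLES = {
    "alice": {"purchasing"},
    "bob": {"purchasing", "approver"},
    "carol": {"approver", "treasury"},
}
APPROVAL_LIMIT = 10_000.00


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class PurchaseOrder:
    number: int               # prenumbered document
    requester: str
    vendor: str
    amount: float
    approver: Optional[str] = None


def approve(po: PurchaseOrder, approver: str) -> PurchaseOrder:
    """Preventive controls applied at approval time: authorization (approver
    role), separation of duties (requester may not approve own PO), the
    single-approver limit, and no re-approval of an already approved PO."""
    if "approver" not in ROLES.get(approver, set()):
        raise ControlViolation(f"{approver} holds no approver role")
    if approver == po.requester:
        raise ControlViolation(f"PO {po.number}: requester {po.requester} cannot approve own order")
    if po.amount > APPROVAL_LIMIT:
        raise ControlViolation(f"PO {po.number}: {po.amount:.2f} exceeds single-approver limit")
    if po.approver is not None:
        raise ControlViolation(f"PO {po.number} already approved by {po.approver}")
    po.approver = approver
    return po


def blocked_reason(po: PurchaseOrder, approver: str) -> Optional[str]:
    """Dry run of the same checks on a copy; returns the violation message or None."""
    try:
        approve(replace(po), approver)
    except ControlViolation as e:
        return str(e)
    return None


def sequence_check(numbers):
    """Detective control over prenumbered documents: every number between the
    lowest and highest issued must appear exactly once. Returns (missing, duplicated)."""
    if not numbers:
        return [], []
    counts = {}
    for n in numbers:
        counts[n] = counts.get(n, 0) + 1
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


if __name__ == "__main__":
    po = PurchaseOrder(1001, "alice", "Acme Supply", 2_500.00)   # constructed sample
    print(approve(po, "bob"))
    for candidate, who in [(PurchaseOrder(1002, "bob", "Acme Supply", 300.00), "bob"),
                           (PurchaseOrder(1003, "alice", "Acme Supply", 50_000.00), "carol"),
                           (PurchaseOrder(1004, "alice", "Acme Supply", 100.00), "alice")]:
        print("blocked:", blocked_reason(candidate, who))
    # a PO register with one gap on each side of a duplicated number
    print(sequence_check([1001, 1002, 1004, 1004, 1006]))
```

A missing number is either a voided form that was never logged or a document that left the sequence (a PO raised and destroyed, or used to authorize something off the books); a duplicate usually means a form was reused. Either way the gap itself is the finding, which is why the register is checked rather than trusted.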
types of IT controls
general
application
general controls
affect entire organization
- physical controls (gates, fences)
- access controls (passwords)
- systems development
- software acquisition and maintenance controls
- back-up and recovery controls
application controls
ensure integrity of specific systems
- embedded in software
- designed to ensure transactions are valid, authorized, completely and accurately processed
Information and communication
- identify and record all events on timely basis
- describe each event in detail
- measure proper monetary value of events
- determine time period when events occurred
- present properly events and related disclosures in financial statements
monitoring
assessing quality of internal control performance over time
assessing controls on timely basis and taking corrective actions as needed
three most common transaction cycles
sales and cash receipts
purchases and cash disbursements
payroll
documents to prepare
- payroll time card, customer purchase order, sales invoice, monthly bank statement
internal v. external
types of journals used
general journal and special journals (sales, cash receipts, purchases, cash disbursements, payroll)
use of general journal
error corrections, adjusting entries, closing entries, etc (anything not in a special journal)
general ledger
summarizes transaction in journals by account balances
detail is kept in subsidiary ledgers
subsidiary ledger
records detail of some general ledger accounts
accounts receivable, accounts payable, payroll expense
adjusting entries
accrual basis
recorded in general journal then amount in entry posted individually to appropriate general ledger account
6 categories of adjusting entries
prepaid expense
accrued expense
accrued revenue
unearned revenue
estimated items
inventory adjustment
transaction for inventory adjustment
debit - ending inventory, cost of goods sold, purchases returns and allowances, discounts
credit - beginning inventory, purchases, freight-in
steps of the accounting cycle
1. transactions occur
2. prepare documents
3. record in journals
4. post to ledgers
5. prepare unadjusted general ledger trial balance
6. prepare and post adjusting entries
7. prepare adjusted trial balance
8. prepare financial statements
9. prepare closi
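Steps 3 to 5 of the cycle (journalize, post, take a trial balance) together with the reconciliation control from the control-activities list can be shown as running checks on a small set of books. This is an added example, not code from the page or from any accounting package: the `Books` class, the account names, the journal references and the amounts are constructed for illustration. An entry is refused unless its debits equal its credits; every accepted entry is posted to the general ledger and, where a subaccount is given, to the subsidiary ledger; and the accounts receivable control account is then reconciled to the sum of its subsidiary detail. The last entry in `demo` is posted straight to the control account, the kind of manual adjustment the reconciliation is there to catch.

```python
from collections import defaultdict
from decimal import Decimal


class UnbalancedEntry(Exception):
    """Debits must equal credits before an entry is accepted into the journal."""


class Books:
    """Hypothetical minimal ledger: general journal, general ledger, subsidiary ledgers."""

    def __init__(self):
        self.journal = []                                           # general journal
        self.gl = defaultdict(Decimal)                              # account -> balance (debit positive)
        self.subledger = defaultdict(lambda: defaultdict(Decimal))  # control account -> subaccount -> balance

    def record(self, ref, memo, lines):
        """lines: (account, debit, credit, subaccount or None). Journalize, then post."""
        debits = sum((d for _, d, _, _ in lines), Decimal(0))
        credits = sum((c for _, _, c, _ in lines), Decimal(0))
        if debits != credits:
            raise UnbalancedEntry(f"{ref}: debits {debits} != credits {credits}")
        self.journal.append((ref, memo, lines))
        for acct, d, c, sub in lines:
            self.gl[acct] += d - c
            if sub is not None:
                self.subledger[acct][sub] += d - c

    def trial_balance(self):
        """Debit column total and credit column total of the unadjusted trial balance."""
        debits = sum((b for b in self.gl.values() if b > 0), Decimal(0))
        credits = sum((-b for b in self.gl.values() if b < 0), Decimal(0))
        return debits, credits

    def reconcile(self, control_account):
        """Independent check: control account balance minus the sum of its subsidiary detail.
        Anything other than zero means an entry bypassed the subsidiary ledger."""
        detail = sum(self.subledger[control_account].values(), Decimal(0))
        return self.gl[control_account] - detail


def demo():
    """Constructed sample: two normal entries, then one posted only to the AR control account."""
    D = Decimal
    b = Books()
    b.record("J1", "credit sale to Customer A",
             [("AR", D("500.00"), D(0), "Customer A"), ("Sales", D(0), D("500.00"), None)])
    b.record("J2", "cash received from Customer A",
             [("Cash", D("200.00"), D(0), None), ("AR", D(0), D("200.00"), "Customer A")])
    clean_difference = b.reconcile("AR")          # 0: control equals detail
    b.record("J3", "manual AR adjustment",        # no subaccount: subsidiary ledger is skipped
             [("AR", D("75.00"), D(0), None), ("Sales", D(0), D("75.00"), None)])
    return b, clean_difference, b.reconcile("AR")


if __name__ == "__main__":
    books, before, after = demo()
    print("AR control minus subsidiary detail:", before, "->", after)
    print("trial balance (debits, credits):", books.trial_balance())
```

Note that the trial balance still balances after J3: the debit/credit equality only proves the arithmetic of posting, not that the entry was authorized or complete. The control-account reconciliation is a separate, independent check, and that is the reason both appear in the list of control activities.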
payroll time card
time report that includes hours worked and authorization for payment
used to determine gross pay owed to employee
customer purchase order
- includes quantity ordered and agreed-upon price
- used to determine quantities to ship to customer and amount to bill
- document processed before transaction occurs
purchase order
issue order to buy goods or services
prepared before transaction occurs
sales invoice
total amount of sale
- provides info to customer and for recording sales transaction
- prepped after transaction occurs
vendor's invoice
receive bill for goods or services purchased, prepped after transaction
monthly bank statement
provides info to determine whether the company or bank has errors or omissions in recording cash receipts and disbursements
receiving report
receive goods or services
document prepared at same time as transaction
bill of lading/shipping document
deliver goods
document prepared at time of transaction
Source documents in sales/collection and acquisition/payment processes
payroll time card
customer purchase order
purchase order
sales invoice
vendor's invoice
monthly bank statement
receiving report
bill of lading/shipping document
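The purchase order, receiving report and vendor's invoice listed above are the three documents an application control compares before a cash disbursement is released, the three-way match, and they map directly onto the "valid, authorized, completely and accurately processed" requirement given for application controls. The code below is an added example, not from the page: the document classes, the vendor and item names, the 2% price tolerance and the paid-invoice register are assumptions made for the illustration. It returns an exception list rather than a boolean so that every failed test is reported, which is what the accounts payable clerk needs to resolve the invoice.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:            # prepared before the transaction
    number: str
    vendor: str
    sku: str
    qty: int
    unit_price: Decimal
    approved: bool


@dataclass(frozen=True)
class ReceivingReport:          # prepared when the goods arrive
    number: str
    po_number: str
    sku: str
    qty_received: int


@dataclass(frozen=True)
class VendorInvoice:            # prepared by the vendor after the transaction
    number: str
    vendor: str
    po_number: str
    sku: str
    qty_billed: int
    unit_price: Decimal


PRICE_TOLERANCE = Decimal("0.02")   # assumed policy: 2% unit-price variance allowed


def three_way_match(po, rr, inv, paid_invoices):
    """Application control run before a disbursement is released.
    Returns a list of exceptions; an empty list means the invoice may be paid."""
    ex = []
    if not po.approved:
        ex.append(f"PO {po.number} was never approved")
    if rr.po_number != po.number or inv.po_number != po.number:
        ex.append("documents reference different purchase orders")
    if inv.vendor != po.vendor:
        ex.append(f"invoice vendor {inv.vendor} differs from PO vendor {po.vendor}")
    if rr.sku != po.sku or inv.sku != po.sku:
        ex.append("item on receiving report or invoice differs from PO")
    if rr.qty_received > po.qty:
        ex.append(f"received {rr.qty_received} but PO authorizes only {po.qty}")
    if inv.qty_billed > rr.qty_received:
        ex.append(f"billed for {inv.qty_billed} but only {rr.qty_received} received")
    if po.unit_price and abs(inv.unit_price - po.unit_price) / po.unit_price > PRICE_TOLERANCE:
        ex.append(f"invoice price {inv.unit_price} outside tolerance of PO price {po.unit_price}")
    if (inv.vendor, inv.number) in paid_invoices:
        ex.append(f"invoice {inv.number} from {inv.vendor} already paid")
    return ex


def release_payment(po, rr, inv, paid_invoices):
    """Returns (amount to disburse, []) on a clean match, else (None, exceptions).
    The paid-invoice register is updated only when payment is released."""
    ex = three_way_match(po, rr, inv, paid_invoices)
    if ex:
        return None, ex
    paid_invoices.add((inv.vendor, inv.number))
    return inv.qty_billed * inv.unit_price, []


# Constructed sample documents: a clean case and an over-billed invoice.
SAMPLE_PO = PurchaseOrder("PO-2001", "Acme Supply", "WIDGET-9", 100, Decimal("4.00"), True)
SAMPLE_RR = ReceivingReport("RR-3001", "PO-2001", "WIDGET-9", 100)
SAMPLE_INV = VendorInvoice("INV-77", "Acme Supply", "PO-2001", "WIDGET-9", 100, Decimal("4.05"))
SAMPLE_OVERBILLED = VendorInvoice("INV-78", "Acme Supply", "PO-2001", "WIDGET-9", 120, Decimal("4.05"))

if __name__ == "__main__":
    paid = set()
    print(release_payment(SAMPLE_PO, SAMPLE_RR, SAMPLE_INV, paid))          # pays 405.00
    print(release_payment(SAMPLE_PO, SAMPLE_RR, SAMPLE_INV, paid))          # duplicate, refused
    print(release_payment(SAMPLE_PO, SAMPLE_RR, SAMPLE_OVERBILLED, paid))   # over-billed, refused
```

The duplicate check keys on vendor plus invoice number, not on amount, because a second submission of the same invoice is the common double-payment scheme; a vendor who changes the number and resubmits is caught instead by the quantity test, since the receiving report already covers the goods.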