Pearson Education Limited Edinburgh Gate Harlow Essex CM20 2JE England and Associated Companies throughout the world


© Pearson Education Limited 2014

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without either the prior written permission of the publisher or a licence permitting restricted copying in the United Kingdom issued by the Copyright Licensing Agency Ltd, Saffron House, 6–10 Kirby Street, London EC1N 8TS.

All trademarks used herein are the property of their respective owners. The use of any trademark in this text does not vest in the author or publisher any trademark ownership rights in such trademarks, nor does the use of such trademarks imply any affiliation with or endorsement of this book by such owners.

British Library Cataloguing-in-Publication Data: A catalogue record for this book is available from the British Library.

Printed in the United States of America

[Figure 7: flowchart illustration with columns Cashier, Accounts Receivable, and General Ledger, showing the flow of remittance advices and cash. Labels include Prepare Remittance Advices, Compare and Post, Post to Ledger, Deposit, and the general ledger entry Dr. Cash / Cr. Accounts Receivable.]

People are an essential element in every internal control process. People are not perfect; they commit errors of omission and commission. If people were perfect, internal control would be an unnecessary waste of resources. Internal control is people. An internal control process consists of people checking the work of other people. The principal function of internal control is to influence the behavior of people in a business system.

There is a paradox inherent in a system of internal control. Controls such as rules and procedures are imposed on people who ideally, from a more humanistic view, should be responsible for their own self-control and self-direction. This inconsistency must be dealt with in every organizational control system. Management's job is to ensure the efficiency of operations. Thus behaviors and activities need to be organized and controlled so that the organization's goals are attained. A system of internal control does interfere to some extent with an individual's self-control. By promoting the interests and safeguarding the assets of the overall organization, however, a system of internal control is really protecting the interest and integrity of each individual employee who is a part of that organization.

The objectives of internal control must be seen as relevant to the individuals who will comprise the control system. The system must be designed such that each employee is convinced that controls are meant to prevent difficulties or crises in the operation of the organization that otherwise could affect him or her very personally.

Goals and Behavior Patterns

An information system has several goals; chief among them is productivity.
Reliability of information and the safeguarding of assets are also important goals. These goals are at times contradictory. Productivity in an information system is often constrained by the consideration of reliability. Controls are redundant. They constrain productivity but increase the reliability of resulting outputs. This conflict between internal controls and productivity must be acknowledged and carefully considered by the analyst because it may influence the behavior of people in a control system.

A common behavior caused by this goal conflict is the omission of an internal control duty (such as counting documents) in the interest of increasing production. Consider a clerk manually posting invoices. If the clerk double-checks each posting, the number of postings is approximately 50% of what would have been performed without double-checking. If the clerk's performance is evaluated by postings per time period, there will be a temptation to omit the double-checking for at least some items if the clerk falls behind schedule. Internal control duties typically require a trade-off with production. The basic motivational problem is that productivity is usually measurable and forms the basis for performance evaluation, whereas reliability and degree of internal control are not as easily measured or incorporated into performance reviews. The systems analyst should keep this in mind in designing and evaluating internal controls.

The goals of an internal control system are achieved through the actions of the people in the system. The reliance on a formal plan of organization and related methods and measures to attain these goals entails important assumptions concerning collusion, reporting of irregularities, power relationships, and other behavior patterns within the organization.

Organizational independence and segregation of duties are consistent with good internal control only if the probability of collusion between two or more duly segregated employees is low. Collusion is agreement or conspiracy among two or more people to commit fraud. In a purchase procedure, control over acquisitions is obtained when duly segregated personnel from both receiving and stores acknowledge that the materials have been received by stores. Both must sign for the material, and neither could deceive the other without collusion or fraud.
Of course, errors of omission are possible, such as both parties miscounting quantities. In fact, the same error (a shortage) could occur unintentionally as well as intentionally. However, if unintentional, the error would not be covered up, and other controls probably would uncover the discrepancy.

Justification for the assumption that the probability of collusion between two or more people will be low is found in the formal plan of organization. For one individual to suggest an irregularity to another person and be rejected would entail prohibitive costs to the first individual. He or she will be turned in by the second individual and hence lose his or her job or incur another punishment. This entails a related assumption that employees will always report irregularities to those higher up in the organization. This assumption, in turn, requires several others. One is that the formal plan of organization as denoted in procedures manuals and the like solely determines power relations in a system. A related assumption is that actions not specified by a system are dysfunctional or wrong; that is, deviations suggest irregularities that should be reported to those higher up.

CASE IN POINT
Probably the most famous collusion fraud of all time involved Equity Funding Corporation of America, a nationally prominent financial conglomerate. As many as 100 company employees were involved in a scheme that included creating, maintaining, and selling fictitious insurance policies. The case was so famous that the story was retold in the movie Billion Dollar Bubble.

Numerous factors influence an individual's behavior in a control system. One important influence is the formal plan of organization and the related methods and measures employed by an organization. Other factors do exist, however. Groups and other sources of informal pressure bear on an individual's behavior and may at times mitigate the desired, formally planned relationships between people in the system.
For example, an individual with lengthy service may convince a young coworker that the omission of a control step is okay and need not be reported, because it's been done that way in the past. A receiving clerk transferring goods to inventory may convince the inventory clerk just to sign and not waste time counting the items she or he is receiving. A clerk performing a bank reconciliation may not examine several checks in detail because it is near quitting time.

What might be called people failure is the source of all theft and fraud in a system and is a prime contributor to serious errors of the production type and other ineffectiveness and inefficiency. In cases of defalcations, the procedures did not fail, the people did. The variety and complexity of human behavior and the value constraints (principles of just, humane, compassionate conduct) we work within combine to make the production of people-proof procedures infeasible. As long as people have access to valuables, there will be the possibility of theft, sabotage, and serious error. These possibilities are minimized when employees fully understand, accept, and internalize the objectives of the internal control system of which they are an essential element.

Analysis of Internal Control Processes

The analysis of an internal control process requires an understanding of the process both as it is designed and as it actually operates. The actual process may or may not conform to expectations. Documentation may be outdated, and the structure may be operating under new procedures. Procedures may have changed informally to adapt to circumstances not foreseen when the original system was designed and documented. Internal control processes routinely collect information concerning fulfillment of duties, transfer of authority, approval, and verification. This documentation of internal control duties must be examined to evaluate the reliability of the system's operation. Reliability depends on the people who administer internal control procedures.
Designing an internal control process is only the first part of the problem; it is essential that internal control duties are actually performed as prescribed. There are several reasons why internal control duties may not be administered. New employees or perhaps even experienced employees may not understand their duties. More common is the omission of an internal control duty (such as counting documents) in order to increase production.

Analytic Techniques

The internal control questionnaire is a common analytic technique used in internal control analysis. Internal control questionnaires traditionally have been a central element in an audit program; accordingly, questionnaires are a standard form in public accounting firms, internal audit departments, and other organizations that are regularly involved in reviews of internal controls. Questionnaires are available for the review of specific application areas as well as for special reviews such as computer center audits. At times, the analyst may design a questionnaire specifically for a particular audit, or she or he may modify a standard questionnaire to better suit the needs or nature of a particular audit.

Questionnaires are usually designed so that an affirmative answer to a question indicates an adequate degree of internal control, and a negative answer indicates the need for further information or a potential weakness in the structure. However, a negative answer does not always indicate a weakness because other controls may compensate for the omission identified by the negative response. Questionnaires are essentially checklists to ensure that a review does not omit an area of major importance. Figure 8 illustrates a portion of a questionnaire for sales and shipping procedures.

Questionnaires are only tools; the manner in which they are used is extremely important. The questionnaire should be filled in on the basis of actual observations and inquiries. But filling in the questionnaire is not the essence of the review. The essence of a review is the analyst's analysis of his or her findings. Questionnaires do serve as documentation that a review was undertaken; however, questionnaires are necessarily standardized and therefore are not equally applicable in all circumstances. Their use often must be supplemented with other forms of analysis, such as write-ups, flowcharts, or other charting techniques.

FIGURE 8 Portion of an Internal Control Questionnaire

Sales and Shipping
1. Are sales orders adequately controlled?
2. Are all orders approved by the credit manager or department before shipment?
3. Is the credit department entirely independent of the sales department?
4. Are sales prices and credit terms based on approved standard price lists?
5. If so, are any deviations from standard approved
   a. by an officer?
   b. by another? Explain.
6. If not, are all sales prices and credit terms approved by the sales manager or in the sales department?
7. Are prenumbered shipping advices prepared for all goods shipped?
8. Are the quantities shown on the shipping advices double-checked in the shipping department?
9. Does the billing clerk or some other designated employee receive the shipping advices directly from the shipping department? (If so, identify this employee.)
10. Does this employee check the numerical sequence of shipping advices to assure that all are accounted for?

Analytic flowcharts might be used in internal control analysis, particularly if the analysis involves a computer system application. Flowcharting itself is not a form of structured analysis but rather a technique to organize data for analysis.

An application controls matrix provides a structured form of analysis that is particularly relevant to internal control reviews of information systems. The rows of the matrix consist of various control techniques. The columns of the matrix consist of activities or data values in the system under review.
The matrix organization provides a structured method for the systematic evaluation of each activity or data item with respect to each type of control activity listed in the rows. Figure 9 illustrates an application controls matrix that is preprinted with a comprehensive list of controls. An application controls matrix can be designed as needed in any specific situation by providing one's own list of controls as the rows of the matrix.

To use the matrix, the analyst identifies the activities or data items that should be subject to control and lists them as the columns of the matrix. A matrix can be used systematically to evaluate an analytic or other type of flowchart by listing the sequence of operations shown in the chart as the columns of the matrix. Each row/column combination of control/activity or control/data items can then be evaluated systematically. The analyst might enter an X or other symbol in each row/column box where a control existed and/or was performed, leaving blank those combinations that were absent. Another technique would be to rate the strength or relative reliability of each present control/activity combination by assigning numbers or letters to indicate relative strength or reliability. A 1 might indicate highly reliable, a 3 reliable, a 5 functioning but not reliable, and so on.

CASE IN POINT
External auditors routinely use analytical techniques as part of evaluating clients' internal controls. The results of the analytical review plus tests of compliance help the auditor determine the extent to which transactions and accounts need to be tested.
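The column-by-column evaluation of a rated application controls matrix described above, sketched in Python as an added example (not from the book). The rows are a few controls taken from Figure 9; the activities, the cell ratings, and the rule that a column whose best rating is 5 counts as weak are constructed assumptions.

```python
# Added example: control names are rows from Figure 9; the activities,
# ratings and the "weak" threshold are constructed for illustration.
CONTROLS = {  # row -> control category
    "Segregation of duties": "preventive",
    "Prenumbered forms": "preventive",
    "Authorization": "preventive",
    "Sequence checking": "detective",
    "Reconciliation": "detective",
    "Discrepancy reports": "corrective",
}
ACTIVITIES = ["Approve credit", "Prepare shipping advice", "Bill customer",
              "Post receivable", "Issue credit memo"]  # columns
# Cells: (control, activity) -> rating. 1 = highly reliable, 3 = reliable,
# 5 = functioning but not reliable. A missing key is a blank cell.
MATRIX = {
    ("Authorization", "Approve credit"): 1,
    ("Segregation of duties", "Approve credit"): 3,
    ("Prenumbered forms", "Prepare shipping advice"): 1,
    ("Sequence checking", "Prepare shipping advice"): 5,
    ("Segregation of duties", "Bill customer"): 5,
    ("Reconciliation", "Post receivable"): 3,
    ("Discrepancy reports", "Post receivable"): 3,
}

def evaluate(matrix, controls, activities, weak_from=5):
    """Review each column: best rating, status, and control categories with no entry."""
    for (control, activity), rating in matrix.items():
        if control not in controls or activity not in activities:
            raise ValueError(f"cell outside the matrix: {control!r} / {activity!r}")
        if not isinstance(rating, int) or rating < 1:
            raise ValueError(f"invalid rating {rating!r}")
    findings = {}
    for activity in activities:
        column = {c: r for (c, a), r in matrix.items() if a == activity}
        best = min(column.values(), default=None)  # lower number = stronger
        if best is None:
            status = "blank"      # no control recorded for this activity
        elif best >= weak_from:
            status = "weak"       # only controls rated 5 or worse are present
        else:
            status = "covered"
        present = {controls[c] for c in column}
        missing = sorted(set(controls.values()) - present)
        findings[activity] = {"best": best, "status": status, "missing": missing}
    return findings

if __name__ == "__main__":
    for activity, f in evaluate(MATRIX, CONTROLS, ACTIVITIES).items():
        print(f"{activity:24} {f['status']:8} best={f['best']} missing={f['missing']}")
```

A blank or weak column is a prompt for further inquiry rather than a finding in itself, since a control outside the listed rows may compensate.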

FIGURE 9 Application Controls Matrix

[Matrix layout: the column heading is Transaction/Process; the row heading is Characteristics that Constitute Controls (Feature). The preprinted rows are listed below.]

PREVENTIVE CONTROLS
Reliability of personnel; Segregation of duties; Definition of responsibilities; Rotation of duties; Training of personnel; Competence of personnel; Secure custody; Dual access/dual controls; Standardization; Mechanization; Forms design; Prenumbered forms; Precoded forms; Authorization; Endorsement; Cancellation; Simultaneous preparation; Documentation; Formatted input

DETECTIVE CONTROLS
Accountability of Input: Anticipation; Transmittal documents serial numbers register
Completeness of Input: Amount control total; Document control total; Line control count; Hash total totals balancing; Visual verification; Turnaround document; Passwords
Correctness of Input: Format; Completeness check; Check digits; Reasonableness; Limit check; Validity check; Read back; Dating; Expiration; Keystroke verification; Approval; Exception input; Default option; Labeling
Completeness of Processing: Run-to-run totals; Balancing; Reconciliation; Aging; Suspense file; Suspense account; Matching; Clearing account; Tickler file; Periodic audit; Activity log
Correctness of Processing: Redundant processing; Summary processing; Sequence checking; Overflow checks; Scan before distribution; Trailer label

CORRECTIVE CONTROLS
Discrepancy reports; Transaction trail; Error source statistics; Automatic error correction; Upstream resubmission; Backup and recovery

Internal Control and Compliance in Small Business and Small Public Companies

Although SOX compliance applies only to public companies, both public and private small companies face similar special needs in developing their internal control processes. When we think of public companies, we tend to think of large organizations such as Microsoft or General Motors, but some public companies are so small (i.e., microcap companies) that they have only a handful of employees.