Choose a publicly traded company from the list below

Choose a publicly traded company from the list below:

o Amazon Inc.

I have to review the company’s annual report and any additional company information.
I need help in writing a 700 to 800 word paper based on research of the selected company. Include the following in your paper:

o A description of the company
o An explanation of the company’s internal control procedures
o A detailed description of management’s position on internal controls
o The auditor’s impression and position on internal controls
o Major systems and system implementation issues or concerns

• Cite at least two sources in your paper. I need the information based on this attachment and this site to get the free annual report of the company http://finance.yahoo.com.
• Format your paper consistent with APA guidelines.

Chapter 8
Introduction to Internal Control Systems

INTRODUCTION

INTERNAL CONTROL SYSTEMS: DEFINITION AND FRAMEWORKS
Definition of Internal Control
1992 COSO Report–Components of Internal Control
2004 COSO Report
2005 Cobit, Version 4.0

PREVENTIVE, DETECTIVE, AND CORRECTIVE CONTROLS
Preventive Controls
Detective and Corrective Controls
Interrelationship of Preventive and Detective Controls

CONTROL ACTIVITIES WITHIN AN INTERNAL CONTROL SYSTEM
Good Audit Trail
Sound Personnel Policies and Practices
Separation of Duties
Physical Protection of Assets
Internal Reviews of Controls
Timely Performance Reports

COST-BENEFIT CONCEPT FOR DEVELOPING CONTROLS
Illustrations of Cost-Benefit Analyses

AIS AT WORK—NO CONTROLS FOR PTO TREASURER?

SUMMARY

KEY TERMS YOU SHOULD KNOW

TEST YOURSELF

DISCUSSION QUESTIONS

PROBLEMS

CASE ANALYSES
Emerson Department Store
Alden, Inc.
Herron Company

REFERENCES AND RECOMMENDED READINGS

ANSWERS TO TEST YOURSELF

After reading this chapter, you will:
1. Be familiar with an internal control system and the components of this system.
2. Understand the importance of enterprise-wide risk assessment and the impact this has on internal controls.
3. Be familiar with the roles played by COSO and Cobit in the internal control area.
4. Understand the difference between preventive, detective, and corrective controls.
5. Be aware of some of the control activities that should be included in an organization’s internal control system.
6. Understand the reason an organization might be willing to let customers shoplift some of its merchandise inventory.

PART THREE / Controls, Security, Privacy, and Ethics for Accounting Information Systems

Under Sarbanes-Oxley, CEOs and CFOs must certify the effectiveness of their internal
controls. Thus, . . . the industry has to address the question: “How do the CEO and CFO,
who are now required to attest to the completeness of their internal controls, actually
know that there are no improprieties at some distant operation?”
A. Wayne Avellanet, Strategic Finance (September 2003), p. 26

INTRODUCTION
An organization’s financial resources must be protected from such activities as loss, waste,
or theft. Protecting such assets requires an organization to develop and implement an
internal control system within its AIS, as well as within other parts of the organizational
system. In addition to protecting assets, an internal control system performs other functions,
such as helping ensure reliable data processing and promoting operational efficiency in an
organization.

This chapter and the next cover the topic of internal controls—that is, the controls
established to protect the assets of an organization. This chapter defines corporate
governance, IT governance, and internal controls. We also identify the components of
an internal control system, the different types of controls, and various control activities.
Finally, we illustrate a cost-benefit analysis, which is a method managers use to determine
which control procedures are cost-effective.

INTERNAL CONTROL SYSTEMS: DEFINITION AND FRAMEWORKS
An internal control system consists of the various methods and measures designed into
and implemented within an organizational system to achieve the following four objectives:
(1) to safeguard assets, (2) to check the accuracy and reliability of accounting data, (3) to
promote operational efficiency, and (4) to encourage adherence to prescribed managerial
policies. An organization that achieves these four objectives is typically one that has good
“corporate governance.” This means managing an organization in a fair, transparent,
and accountable manner to protect the interests of all the stakeholder groups.¹ The 1992
COSO Framework is widely used by managers to organize and evaluate their corporate
governance structure. This framework was developed to improve the quality of financial
reporting through business ethics, effective internal controls, and corporate governance.²

Definition of Internal Control
Internal control describes the policies, plans, and procedures implemented by a firm
to protect its assets. Usually the people involved in this effort are the entity’s board of
directors, management, and other personnel in the firm. The reason this is important
is that these individuals want reasonable assurance that the goals and objectives of the
organization can be achieved (i.e., effectiveness and efficiency of operations, reliability
of financial reporting, protection of assets, and compliance with applicable laws and
regulations).³

¹ “Corporate Governance: The New Strategic Imperative,” a White Paper from the Economist Intelligence Unit,
sponsored by KPMG International, 2002. http://www.eiu.com.
² http://www.coso.org

Case-in-Point 8.1. For over 60 years, the United Services Organization (USO), in partnership
with the Department of Defense (DOD), has provided support and entertainment to U.S.
armed forces. In 2000, Congress provided $23.8 million in grants to USO. However, a recent
GAO audit discovered that the USO did not have sufficient financial and management controls.
This suggests that the USO could not be reasonably sure that they used all appropriated
funds as DOD intended. Based on limited testing, GAO found problems with payments totaling
about $433,000, including about $86,000 in improper expenditures, $3,000 in questionable
expenditures, and $344,000 for unsupported expenditures.⁴

A brief history will help us understand the importance of internal controls. In Figure 8-1
we identify key laws, professional guidance, and reports that focus on internal controls.
Protecting the assets of an organization has always been an important responsibility
of management. However, the incredible advancements in IT, as well as the pervasive
use of IT across firms of all sizes, have dramatically changed how managers establish and
monitor internal controls. Indeed, the pervasiveness of IT also has a profound impact on
internal and external auditors, and how they assess the strength of the internal control
environment.

In 2001, the AICPA issued SAS No. 94, “The Effect of Information Technology on
the Auditor’s Consideration of Internal Control in a Financial Statement Audit.” This SAS
cautions the external auditors that the way firms use IT might impact any of the five
internal control components (discussed in the next section). That is, auditors must realize
internal controls are both manual and automated, and therefore, auditors might need to
adopt new testing strategies to obtain sufficient evidence that an organization’s controls
are effective. Because of the complexity of IT environments, auditors will most likely need
to use computer-assisted auditing techniques (CAATs) to test the automated controls
in an organization. We discuss these techniques in depth in Chapter 11.

An important piece of legislation with respect to internal controls is the Sarbanes-Oxley
Act of 2002. One key provision of this law is Section 404, which reaffirms that
management is responsible for establishing and maintaining an adequate internal control
structure and at the end of each fiscal year must attest to the effectiveness and completeness
of the internal control structure, thus making managers personally liable for this structure
within the firm. We cover the Sarbanes-Oxley Act in more depth in Chapter 11.

1992 COSO Report–Components of Internal Control
The 1992 COSO Report (see Figure 8-1) is important because it established a common
definition of internal control for assessing control systems, as well as determined how to
improve controls. According to the report, controls can serve many important purposes,
and for this reason many businesses look at internal control systems as a solution to
a variety of potential problems (such as dealing with rapidly changing economic and
competitive environments, as well as shifting customer demands and priorities). According
to the COSO report, an internal control system should consist of these five components:
(1) the control environment, (2) risk assessment, (3) control activities, (4) information and
communication, and (5) monitoring.

³ Committee of Sponsoring Organizations of the Treadway Commission (CSOTC), Internal Control—Integrated
Framework (COSO Report), 1992.
⁴ “Defense Management: DOD Needs to Strengthen Internal Controls over Funds Used to Support USO Activities,”
General Accounting Office Reports & Testimony vol. 2004, iss. 2 (February 2004) (GAO-04-56)

Date | Act/Report | Significant Provisions or Recommendations

1977 | Foreign Corrupt Practices Act
• Illegal for publicly owned corporations to bribe foreign officials
• Board members and managers personally liable if illegal payments made
• Required publicly owned companies to implement internal control systems to provide
reasonable assurance that the company: (1) can account for assets, (2) records
transactions in accordance with generally accepted accounting principles, (3) controls
access to assets, and (4) periodically compares existing assets to the accounting records
• Only applies to publicly owned corporations registered under Section 12 of the 1934
Securities and Exchange Act

1977 | Treadway Commission Report
• Recommended development of (1) a common definition for internal control, (2) guidance
for judging the effectiveness of internal control, and (3) methods to improve internal
controls

1988 | SAS No. 55
• Management should establish an internal control structure that includes the following three
components: the control environment, the accounting system, and the control procedures

1992 | Committee of Sponsoring Organizations (COSO) Report
• Internal Control—Integrated Framework
• Defines internal control and describes its components
• Presents criteria to evaluate internal control systems
• Provides guidance for public reporting on internal controls
• Offers materials to evaluate an internal control system

1995 | SAS No. 78
• Replaced definition of internal control structure in SAS No. 55 with the definition of internal
control given in the 1992 COSO report

1992 | CobiT—Control Objectives for Business and IT
• A framework (set of best practices) for IT management
• Created by the Information Systems Audit and Control Assoc. (ISACA) and the IT
Governance Institute (ITGI) in 1992
• Provides managers, auditors, and IT users a set of generally accepted measures,
indicators, processes, and best practices to maximize the benefits of IT and develop
appropriate IT governance and control

2001 | International Federation for Information Processing
• Sponsored conference “Integrity and Internal Control in Information Systems” to encourage
IT security specialists and internal control specialists to work together to develop reliable
business systems for companies (requires well-designed and implemented internal control
systems)
• Goal is to enable business managers of companies to have more confidence in the
integrity of their information systems and the data generated from those systems

2001 | SAS No. 94
• Provides guidance to auditors about the effect of information technology on internal control
• Describes benefits and risks of IT to internal control, and how IT affects the components of
internal control

2002 | Sarbanes-Oxley Act, Section 404
• Requires publicly traded companies to issue an “internal control report” that states
management is responsible for establishing and maintaining an adequate internal control
structure
• Management must assess the effectiveness of internal controls annually
• The independent auditor for the firm must attest to and report on management’s
assessment annually

2004 | Committee of Sponsoring Organizations (COSO) Report
• Enterprise Risk Management—Integrated Framework
• Focuses on enterprise risk management
• Builds on the 1992 COSO Internal Control—Integrated Framework, due to widespread
acceptance of ICIF
• The Framework includes the five components of ICIF (control environment, risk
assessment, control activities, information and communication, and monitoring) and adds
three additional components: objective setting, event identification, and risk response

2005 | CobiT, Version 4.0
• Includes 34 high-level objectives that cover 215 control objectives categorized in four
domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor
and Evaluate

FIGURE 8-1 Background information on internal controls.

Control Environment. The control environment establishes the tone of a company
and influences the control awareness of the company’s employees. It is the foundation for
all the other internal control components and provides discipline and structure. Factors
include:

1. The integrity, ethical values, and competence of an organization’s employees.
2. Management’s philosophy and operating style.
3. The way management assigns authority and responsibility as well as organizes and
develops its employees.
4. The attention and direction provided by the board of directors.

Management should establish an effective control environment for the organization to
promote operational efficiency and encourage adherence to its policies. It is important for
managers, as well as owners, of companies to have positive attitudes about the importance
of controls. Otherwise, the controls introduced into their systems will likely be ineffective.

Personnel policies and practices also come under the control environment. For
example, an important control procedure is employee training programs that inform new
hires about the company’s various policies, outline individual responsibilities, and explain
how to perform duties efficiently. Similarly, an organization should also conduct regular
reviews of its operations to determine if they conform to desired operating policies. Many
large and medium-size enterprises have separate internal audit departments, whose internal
auditors test existing internal controls for proper functioning and use. Small enterprises
usually cannot afford their own internal audit departments, but they can hire outside
consultants or ask managers to test compliance with operating policies.

Risk Assessment. Every organization faces risks, which come from both external and
internal parts of the organization. It is not possible or even desirable to install controls
for every possible threat. Therefore, the purpose of risk assessment is to identify
organizational risks, analyze their potential in terms of costs and likelihood of occurrence,
and install those controls whose projected benefits outweigh their costs.

Organizations establish control procedures to safeguard company assets, as well as to
provide reasonable assurance that one or more company employees do not misappropriate
assets. A general rule is: The more liquid an asset, the greater the risk of its misappropriation.
To compensate for this increased risk, stronger controls are required. The COSO report
recommends the use of a cost-benefit analysis (discussed and illustrated later in this
chapter) to determine whether the cost to implement a specific control procedure is
beneficial enough to spend the money. We will expand on the topic of risk management
in the next section.

Control Activities. These are the policies and procedures that a company develops to
help protect the assets of the firm. Control activities include a wide variety of activities
throughout the firm and are typically a combination of manual controls and automated
controls. Some examples of these activities are approvals, authorizations, verifications,
reconciliations, reviews of operating performance, and segregation of duties. Through
properly designed and implemented control procedures (also referred to as “accounting
control procedures”), management will have more confidence that assets are being
safeguarded and that the accounting data processed by the accounting system are reliable.
This chapter provides several examples of control procedures, and also illustrates control
activities that should be included in every company’s internal control system.

Information and Communication. It is management’s responsibility to make sure
that its company’s accounting system is collecting, measuring, processing, and communicating financial data from business transactions to interested users of these data, whether
these individuals are inside the firm or outside the firm. Those outside the firm might
include financial analysts, investors, and creditors. Managers and management accountants
at all levels of the firm are making decisions on a daily basis and must have access to the
appropriate data.

Communication means organizations must tell employees their roles and responsibilities pertaining to internal control. This might include documents such as policies and
procedures manuals (discussed later) or memoranda on the company’s intranet. This could
also include training sessions for entry-level personnel and then annual refresher training
for continuing employees. Regardless of the method, all employees need to understand
how important their work is, how it relates to the work of other employees in the firm,
and how that relates to strong internal controls. It is equally important that management
understand the importance of keeping good working relationships between all layers of
management so that employees feel safe communicating any possible problems they may
find. When this is the case, employees at all levels can actually enhance the effectiveness
of good internal controls. Also, they will be much more likely to point out any problems
they may detect (e.g., the control procedure for the cash asset is not functioning properly)
and corrective action can be initiated.

Monitoring. The process that assesses the quality of internal control performance over
time is called monitoring, and this is a management responsibility. Managers at various
levels in the organization must evaluate the design and operation of controls and then
initiate corrective action when specific controls are not functioning properly. Typically,
evaluation of internal controls is an ongoing process. This could include daily observations
and scrutiny, or management might prefer regularly scheduled evaluations. The scope and
frequency of evaluations depend, to a large extent, on management’s assessment of the
risks the firm faces.

2004 COSO Report
The 2004 COSO Enterprise Risk Management–Integrated Framework focuses on enterprise risk management (ERM). The 2004 Framework builds upon the 1992 COSO
Internal Control–Integrated Framework (ICIF). This was important due to the widespread
acceptance of ICIF. The ERM Framework (Figure 8-2) includes the five components of
ICIF (control environment, risk assessment, control activities, information and communication, and monitoring) and adds three additional components: objective setting, event
identification, and risk response.⁵

⁵ COSO web site (www.erm.coso.org); F. Martens and L. Nottingham, “Enterprise Risk Management: A Framework
for Success,” RE: Business (September 2003); C. Chapman, “Bringing ERM into Focus,” Internal Auditor
Magazine (June 2003).

[Figure 8-2: risk cube. Objective perspectives: Strategic, Operations, Reporting, Compliance.
Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment,
Risk Response, Control Activities, Information & Communication, Monitoring.
Organizational levels: Subsidiary, Business Unit, Division, Entity-Level.]

FIGURE 8-2 2004 COSO Enterprise Risk Management—Integrated Framework.

Objective Setting. ERM offers management a process for setting objectives for the
firm—that is, the purposes or goals the firm hopes to achieve. ERM helps an organization
determine if the objectives are aligned with the organizational strategy and that goals
are consistent with the level of risk the organization is willing to take. An enterprise’s
objectives are viewed from four perspectives:
1. Strategic: the high-level goals and the mission of the firm.
2. Operations: the day-to-day efficiency, performance, and profitability of the firm.
3. Reporting: the internal and external reporting of the firm.
4. Compliance: with laws and regulations.

Event Identification and Risk Response. Organizations must deal with a variety
of uncertainties because many events are beyond the control of management. Examples
include natural disasters, wars, unexpected actions of competitors, and changing conditions
in the marketplace. However, it is critical for management to identify these external risks
as quickly as possible and then consider internal and external factors regarding each event
that might affect its strategy and achievement of objectives. Depending on the type or
nature of events, management might be able to group some of them together and begin to
detect trends that may help with risk assessment.

The objective of risk assessment is to manage and control risk by identifying threats,
analyzing the risks, and implementing cost-effective countermeasures to avoid, mitigate,
or transfer the risks to a third party (through insurance programs). As they identify and
categorize these risks, management will be in a better position to determine the probable
effects of these risks on the organization. Management can then formulate and evaluate
possible response options for the organization. In developing options, managers need to
consider the level of risk they are willing to assume, as well as the cost versus benefit of
each choice. A number of computerized risk assessment software tools already exist to
help managers with this task.

Case-in-Point 8.2 RiskPAC, a business risk software solution, helps organizations detect
and eliminate vulnerabilities in information systems and data security. CPACS, the company
that developed RiskPAC, defines risk assessment as identification of the major risks and threats
to which an organization’s reputation, business processes, functions, and assets are exposed.
RiskPAC helps organizations determine the possibility that a harmful incident will occur (very
likely, possible, probably, very unlikely). Managers need to ask themselves about the possible
impact of certain risks—would it be minimal, significant, serious, or catastrophic?⁶

2005 COBIT, Version 4.0⁷
The first edition of Control Objectives for Information and Related Technology (CobiT),
issued in 1996, now has a fourth edition (issued in 2005). The CobiT framework was
created to be business focused, process oriented, controls based, and measurement driven.
If we examine the mission statement for CobiT, we can quickly discern the reason this
framework is so widely used in corporate environments: “To research, develop, publicize
and promote an authoritative, up-to-date international set of generally accepted information
technology control objectives for day-to-day use by business managers, IT professionals
and assurance professionals.”⁸

The framework takes into consideration an organization’s business requirements, IT
processes, and IT resources to support COSO requirements for the IT control environment.
This suggests, rightfully so, that managers must first tend to the requirements outlined
in the 1992 COSO Report and set up an internal control system that consists of these
five components: (1) the control environment, (2) risk assessment, (3) control activities,
(4) information and communication, and (5) monitoring. Once the internal control system
is in place, the IT managers work with managers throughout the organization to determine
how IT resources can best support the business processes.

To achieve appropriate and effective governance of IT, senior managers of the
organization will typically focus on five areas. First, managers need to focus on strategic
alignment of IT operations with enterprise operations. Second, they must determine
whether the organization is realizing the expected benefits (value) from IT investment.
Third, managers should continually assess whether the level of IT investments is optimal.
Fourth, senior management must determine their organization’s risk appetite and plan
accordingly. And finally, they must continuously measure and assess the performance
of IT resources. Here again is an opportunity for managers to consider a “dashboard”
to have access to key indicators of these five focus areas to support timely decision
making.

PREVENTIVE, DETECTIVE, AND CORRECTIVE CONTROLS
We mentioned the importance of control procedures in the section on control activities.
