Lesson 15: COSO Integrated Internal Control Framework - YouTube

Channel: Executive Finance

Okay, I'm going to assume now that you have an idea of what an internal control is, and in this lesson we're going to use a framework to describe a system of internal controls of a company. The COSO framework of internal controls defines the entity's controls as those that are implemented for multiple transaction cycles or for the entire organization. The control environment consists of the active promotion of ethical values and integrity throughout the organization, a commitment to the establishment of competence, and an active and qualified Board of Directors and Audit Committee. The board of directors should be independent of management and exists to challenge management and scrutinize management's effectiveness. The Audit Committee has oversight responsibility for financial reporting and acts as a conduit between management and the external auditors.

Next we have the control environment, which is heavily influenced by management's philosophy and operating style. Employees take their cues from the company's leaders to determine how seriously internal controls factor into their priorities. Human resource policies are critically important to ensure that the company hires competent and trustworthy people. Business structures, authority and responsibility, and management control methods factor into the control environment, and, as we've discussed, the IT systems have a pervasive impact. The existence and effectiveness of an internal audit function can greatly enhance the operations of an entity. So there's a lot to evaluate before you can make an assessment as to whether a company has an effective control environment or not.
The other components of the COSO internal control framework that get considered after we've assessed the control environment include preparing risk assessments, designing and implementing control activities to address the risk, providing information and communication to manage the risk, and monitoring the control systems to ensure their ongoing effectiveness.

A risk assessment requires management to identify all the risks or, said another way, what could go wrong in a transaction cycle. Then management needs to assess the likelihood and significance of a risk occurring to identify those which are critical, and finally the company develops a course of action to reduce risk to an acceptable level by performing control activities.

Control activities can include manual, automated and computer-assisted controls. For example, a computer-assisted control would be having a manager review an exception report generated by the system of, say, outstanding and unmatched purchase orders, which by the way would be a control to address completeness and cutoff of accounts payable.
Automated controls are those that are built into the IT system. For example, if we accept reservations from guests from our websites, how can we ensure the accuracy of that information? Well, our reservation system will have to have various controls built in to ensure that the customer completes all of the fields on the screen, to ensure accuracy before accepting the reservation. These sorts of IT controls are called application controls, and they are designed to achieve three objectives: first, that the information input into the system is correct, such as the example I just provided; second, that the application control ensures that the information is processed correctly by the system; and thirdly, that the application control ensures that the outputs from the system are correct.

Now, before we can safely say these application controls are effective, we need to ensure that there's overall system integrity. General computer controls are akin to entity-level controls, only in a system sense, in that they are pervasive across multiple transaction cycles and across different software applications. For example, if someone has the ability to hack into the system and change the programming code, then it really doesn't matter how fancy the input, processing and output application controls are, because the overall integrity of the system is jeopardized: the malicious individual has the opportunity to cover their tracks.

The key areas for general computer controls can be summarized into three categories, though much of the literature uses more detailed categories. First, we have segregation of duties, and essentially that means we don't want the people who have access to the code to also have access to the transactional data. Secondly, we want to assure that there are adequate system acquisition, development and maintenance controls in place. Any time the IT system changes, for whatever reason, controls must be in place to ensure that the data is transitioned accurately to the new system and that the new system contains all the necessary controls that the old system had. And thirdly, we want to ensure that there are adequate operational controls and support. These controls cover off such things as the backup and recovery procedures and the physical and logical access, which are all very important: we don't want unauthorized users gaining access to our systems. If general computer controls are not effective, then it's unlikely we can place much reliance on the application controls, and this leaves us with only those manual controls left to meet the company's objectives. So let's look at those next.
Now, manual controls fall into a number of broad categories as well. We have segregation of duties, documentation, physical controls and independent checks, and let's look at each of these in turn.

Segregation of duties is one of those fundamental internal control principles, which broadly states that if we can design job positions such that one person cannot control a transaction in its entirety, then it's more likely to prevent and detect an error or a fraud from happening. Segregation can be a tricky concept to evaluate, let alone remember, but the golden rules are: segregate the custody of an asset from its accounting; segregate the operational responsibilities from the accounting; segregate the systems development from the accounting; segregate computer operations from accounting; segregate reconciliation and independent checking from the accounting; and segregate the authorization of the transactions from the custody of the assets.

Let's do a little knowledge check on these kinds of rules, principles and actions before we go on. Betty maintains the accounts receivable subledger, and she also receives the daily cash receipts so that she can update the records. Okay or not? No, this is not okay, as she has custody of the asset, cash, and is responsible for the accounting of that asset, accounts receivable. This is fun, let's do one more.

Brian is the controller, but from time to time the system acts up and mis-posts a journal entry. The only way to correct the journal entry is for Brian to go into the journal entry database and delete the journal entry. Okay or not? No, this too is not okay, as Brian is now doing both the computer operations and the accounting. It's possible that he could manipulate other journal entries in the database and bypass the controls over posting journal entries. Do you get the idea of what segregation of duties implies? It generally means that one individual does not have control of a transaction from cradle to grave.
Next, let's look at what we meant by adequate documentation. This simply means that there should be adequate records to establish an audit trail that can be followed for each transaction. Some principles for the proper design and use of documentation include: documents should be pre-numbered or automatically numbered to ensure everything is recorded and nothing is missed; documents should be prepared at the time that the transaction takes place to eliminate mistakes from memory lapses; and documents should be well designed and easily understood to encourage correct preparation.

Next we have physical controls over the assets and records to ensure that assets are not stolen, lost or damaged. Physical controls include such things as locks on doors and security cameras. Logical access is the electronic equivalent, using logon credentials and passwords. Protection of our electronic assets, such as our files and our customer data, is often just as important as protecting our tangible assets like cash, inventory and fixed assets.

And last but certainly not least, we have independent checks, which are a control activity that alleviates self-review bias. For example, the person who performs the bank reconciliation is checking to ensure that the people who have deposited the cash, prepared the checks and accounted for the transactions have reported them correctly.
The last two areas of the COSO internal control framework are the information and communication component, which is in essence the ability of the accounting system to report the activity of the company in a manner that allows for management to take action, and lastly the monitoring component, which ensures that the system of internal controls is periodically and continuously evaluated, ensuring that it operates as designed and is effective. Monitoring often falls to the internal audit department, which is independent of management and often has a direct reporting relationship to the Audit Committee.

This has been a rather fulsome discussion of what internal controls really are. What you need to walk away from this lesson understanding is a few things. Number one, recognize that to have effective internal controls at the transaction level, you first need effective controls at the entity level. Secondly, the same can be said about our automated controls: before you can rely on application controls, you need to evaluate and ensure the effectiveness of general computer controls. Thirdly, controls are established by companies to mitigate risk, and control activities mitigate risks specifically and in turn enable management to make certain assertions about various transaction cycles and balances. In the next lesson we will talk about how we go about auditing internal controls.

So we'll tell them: don't stop to get the top, and get to the top, don't stop.