Internal Control inside the Company - Assignment Example

I. Internal Control (CMA Adapted 1289 3-4) Chapter 1 -Problem 5, Page 30 Oakdale, Inc., is a subsidiary of Solomon Publishing. Solomon periodically sends a member of its internal audit department to audit the operations of each of its subsidiaries including Oakdale. A member of Solomon’s internal audit staff recently completed a review of Oakdale’s investment cycle. The review revealed several important points. Oakdale has made both short-term and long-term investments in securities; all securities are registered in the company’s name. According to Oakdale’s corporate bylaws, long-term investment activity must be approved by its board of directors, while short-term investment activity may be approved by either the president or the treasurer. Oakdale conducts these transactions via a computer link to a registered brokerage. Purchase and sales authorizations, along with broker’s advices, are maintained in an electronic file with authorized access by Oakdale’s treasurer. An electronic inventory list is kept perpetually. The transactions are keyed in by accounting personnel who receive a buy/sale transaction sheet from the treasurer. Deposits of checks for interest and dividends earned on investments are also recorded by the accounting department. Each month, the accounting manager and the treasurer prepare journal entries required to adjust the short-term investment account. The Solomon Auditor discovered that there was insufficient backup documentation attached to the journal entries reviewed to trace all transactions. Solomon Publishing’s has established a core group of four accounting objectives utilized to guarantee sound internal control. 1- Authorization of transactions 2- Complete and accurate record keeping 3- Physical control 4- Internal verification Proposed Solution Set: The purpose of each of the four controls: 1- •Authorization of transactions is required to adequately safeguard assets against fraud and illegal transactions and provide a level of internal control. A formal system of transaction authorizations allows the commitment of company resources in accordance with management goals and objectives. Transactions must be executed according to the terms of their general or specific authorizations, by responsible personnel acting within the scope of their prescribed authority and responsibility. 2- Complete and accurate record keeping is necessary to assure that prompt, timely, and accurate recording of transactions or economic events occurs. Companies must make and keep books, records, and accounts that, in reasonable detail, accurately reflect the transactions and dispositions of assets. Furthermore, the recording of transactions is necessary to permit preparation of financial statements in conformity with GAAP. 3- Physical controls relate to safeguarding assets, documents, and records to prevent their loss, destruction, or alteration. 4- Internal verification refers to the independent review of the accuracy and propriety of another party’s work, and the testing of the recorded accountability for assets as compared to existing assets at reasonable time intervals. Applications of the Controls: Violation/Remedy A-Oakdale sold long-term securities based on the president’s approval when the board of directors’ approval is required this is a violation authorization procedures. Remedy- Implement formalized procedures (in addition to the company’s bylaws) reinforcing the policy that only the board of directors can authorize long-term security purchases, and or sales. B-Oakdale diffidence and interest checks are received by the treasurer and forwarded to the accounting department; no entry is made in the cash receipts book. It is, therefore, not possible to determine if all interest and dividend checks have been received and deposited. This is a violation of the Complete and Accurate Records procedures. Remedy- All checks should be forwarded to the group that normally opens stamps and logs incoming checks, and the checks should be recorded in the cash receipts book at the time of receipt. . (Otley, 1999)The interest and dividend checks (entries) should be reconciled by the accounting department to the monthly broker’s statements. These statements should be kept on file to assure that all checks have been received, deposited, and accounted for. C- The balance in the accounts as of the end of the month closely approximated the amounts shown on the broker’s statements. This is a violation of the complete and accurate records procedure and the internal verification procedure. Remedy- The accounting department must undertake the reconciliation of the differences and implement appropriate procedures to assure that the accounts and the brokerage statements are reconciled monthly. D-The treasurer has the authority to buy and sell securities, receives revenue, and makes journal entries related to securities. This is a violation of the authorization procedure. Remedy- Strengthen internal control so that the treasurer does not have conflicting duties. (Otley, 1999) E- Access to short-term securities is unrestricted in the accounting department. This is a violation of the physical controls procedure. Remedy- The short-term securities should be placed in a restricted facility such as a bank safe deposit box or a company safe. Access to short-term securities should be limited to a few responsible personnel and two people should be present each time the securities are accessed. Additionally, a log-book should be maintained to record any disposition of securities. II. Internal Control Chapter 2- Problem 2, Page 63 Steeplechase Enterprises, one of your Audit clients, has purchased and installed a new Electronic Data Processing (EDP) system. The new EDP system affects all current accounts receivable, billing, and shipping records. An individual operator has been permanently assigned to each of the functions, one operator for accounts receivable, one for billing, and one for shipping. Each individual operator is assigned the responsibility of running the EDP system for their assigned function; this includes all transaction processing, program changes, and reconciling. As a security measure Steeplechase Enterprises randomly rotates operators between individual functions. Further measures include access controls to the computer room and an assigned digital code for each operator. Steeplechase’s new EDP system is state of the art and robust in nature. However there are inherent vulnerabilities within the system. Each operator must initiate a manual data entry process. For instance, the billing clerk receives the shipping notice and preforms a manual sequence for every shipping notice. The billing clerk also manually enters the price of the item, and prepares daily totals that are correlated by a copy of the adding machine tape produced by the clerk. The shipping notices and adding machine tapes are then sent for data entry into the EDP system. The EDP output generated consists of a two-copy invoice along with a remittance advice and a daily sales register. The only real redundancy within the EDP system is the EDP operator who manually compares the computer-generated totals to the adding machine tapes provided by the billing clerk. This creates the inherent weakness in the Steeplechase Enterprise EDP. Problem Statement: Identify the control weaknesses present and make a specific recommendation for correcting each of them. Proposed Solution Set: A Programmers and system support personnel should have limited and monitored access to the EDP system. There activities should be restricted to testing and system maintenance only. (Otley, 1999) B The EDP system operators’ supervisor should have access to the computer room. C The tasks of maintenance, operations, and management control must be separated. (BARTH, M. B., LANDSMAN, W., & LANG, M. ,2008). D Reconciliation of the EDP log should be conducted by the computer operations supervisor or other independent employee. (BARTH, M. B., LANDSMAN, W., & LANG, M. (2008).) E EDP system documentation should be enhanced to include programs, flowcharts, and operator instructions. (Otley, 1999) F An EDP master price list file should be used to record the prices automatically for every invoice. G Processing controls, such as completeness tests, validation tests, and reasonableness tests, should be put in place to assure that errors in the input records are detected when processing occurs. (BARTH, M. B., LANDSMAN, W., & LANG, M. 2008).) H Control totals, hash totals, and record counts should be implemented to ensure the accuracy of all EDP data and to prevent errors from going unnoticed or being improperly tallied. (Vaivio, 2008) I The numerical sequence of shipping notices should be checked by the EDP system and any missing number should appear on summary control totals that are reviewed The EDP system operators’ supervisor. J Billing and cash collections should made separate from accounts receivable. (BARTH, M. B., LANDSMAN, W., & LANG, M. 2008).) III-Security and Control Assessment Chapter 3-Problem 9, Page 127 BBC Inc. is initiating a top down implementation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. The COSO framework will enable BBC to establish a firm corporate strategy for rick management, internal control and fraud deterrence. The necessity of a trickle down implementation creates a unique circumstance that BBC’s management must engage and solve in a fluid transition. The introduction of the COSO framework will require BBC to integrate a corporate wide computer information system that by nature will create a number of potentially hazardous security and control issues that must be resolved prior to system implementation date. The COSO Enterprise Risk Management Framework expands on BBC’s internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does not replace the internal control framework companies such as BBC will utilize the new capacity of the framework to move toward a fuller risk management process which by nature will be more stable and secure for management. Problem Statement: Based on BBC’s plans for the implementation of a new computer system, describe the potential risks and needed controls. Classify these according to the relevant areas of the COSO framework. Proposed Solution Set: Security A-BBC should hold a training seminar. Most employees of the corporation will be using the system. The focus of the seminar is to educate users on the policies and procedures and to inform them about virus risks and appropriate counter measures they can take to prevent system compromises. B-Virus updates should be aggressively preformed on a daily basis by the systems administrator rather than on a weekly basis. C-If a password is entered incorrectly three times, the system should automatically reject any further entries. This is a security measure that prevents someone from attempting to gain unauthorized access to another user’s account. (Otley, 1999) If this situation arises, the system should log the attempt and notify system administrators of the date and time the event occurred. D-Passwords should be changed at least twice a year. The more often passwords are changed the more secure the system will be. (Otley, 1999) Furthermore, software should be installed that rejects “weak” passwords and requires users to provide complex passwords that cannot be easily blitzed to gain access to the system. E-Event monitoring should be used for purposes of a systems audit trail. The system will record the user name and then all information regarding the tasks performed during the period that they are logged into the system. F-An upper level manger should also have access to the transaction log. This will prevent any systems administrator from potentially trying to hide fraudulent actions involving the computer system. G-To prevent against physical damage in the case of fire, a water sprinkler system is not appropriate due to the damage it can cause to a computer. The automatic fire extinguishing systems should dispense an appropriate type of suppressant, such as carbon dioxide. Systems Development A-Employees should not be allowed to purchase and install software on company computers even if it is for work related reasons. All software should be purchased from a single source software provider to ensure reliability and compatibility. Program Changes A-The newly hired systems administrator should not be involved in the initial computer programming and set-up since they will be updating the system when needed. This administrator should not be permitted to acquire knowledge of how to make and hide illegal changes. B-All systems changes should be carefully documented. Creating a systemic process can help control problem manifestations that could threaten the entire system. CITATIONS: Otley, D. (1999). Performance Management: A Framework for Management Control Systems research. Management Accounting Research, 10(4), 363-382. Vaivio, J. (02/2008). Qualitative Management Accounting Research: Rationale, Pitfalls and Potential. Qualitative Research in Accounting and Management, 5(1), 64-86. BARTH, M. B., LANDSMAN, W., & LANG, M. (2008). International Accounting Standards and Accounting Quality. Journal of Accounting Research, 46(3), 467-498. Read More