APPLYING THE COSO PRINCIPLES OF INTERNAL CONTROL

Each of the following describes an internal control problem. Based on your analysis of each situation, explain which of the seventeen principles of internal control is most likely not present:

a. After conducting a survey, you find out that employees feel underpaid and that their company is against collective bargaining.

b. You meet with the companys audit committee that is made up of a retired Big 4 partner, an SEC lawyer, a member of another companys board who serves on their audit committee as a financial expert, and the companys controller.

c. After holding a focus group with some employees, you find out that they feel that the companys code of ethics is a very effective public relations document.

d. Sweet Donuts Company hires a former Big 4 senior manager to head up a new internal audit department at the recommendation of its private equity investors in anticipation of it going public. After going public, the company fires all of its internal auditors and replaces them with an outsourced internal audit service that only has two unqualified employees.

e. A companys computer system gets hacked, and one million credit card accounts get stolen, including the three-digit security codes from the back of the cards. The company didnt find out about the theft until several of their customers credit cards were charged for thousands of dollars of unordered merchandise.

f. A company decides to diversify its product line based on a competitors actions and ends up losing a lot of money but is totally surprised by the outcome.

g. A company allows a trader to use a hedging scheme to offset possible losses on decreases in commodity prices only to find out 6 months after the employee quit that the trader was using company funds to speculate on the traders behalf and was about to lose several million dollars when a number of the futures trades were to close.

h. A companys accounting department significantly underestimates the level of bad debts for the quarter.

i. The internal audit staff at a publicly traded company is aware of a weakness that could be material but fails to report it to upper management because of concern that the deficiency involves upper management and that there might be retaliation.

j. Employees seem skeptical and even confused at times about how best to perform their jobs because of the amount of autonomy they have been given.

TABLE 9.1 Seventeen Principles of Internal Control (COSO 2013) Control Ernironment 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal controls. 3. Management establishes, with board oversight structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The orgarization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The orgarization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Risk Assessment 6. The orgarization specifies objectives with sufficient clarity t enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed. 8. The orgarization considers the potential for fraud in assessing risks to the achievement of objectives. 9. The orgarization identifies and assesses changes that could significantly impact the system of intemal control. Control Activities 10. The organizations selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to affect the policies. Informations and Communication 13. The organization obtains or generates and uses relevart, quality information to support the functioning of the other components of internal control. 14. The organization internally communicates information, including objectives and responsibilities for intemal control, necessary to support the functioning of other components of internal control. 15. The organization communicates with external parties regarding matter affecting the functioning of other components of internal control. Monitoring Activities 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective actions, including senior management and the board of directors, as appropriate