CPA BEC SU1 Outline - CPA review notes PDF

Preview

Summary

CPA review notes...

Description

1

STUDY UNIT ONE BUSINESS PROCESSES, RISKS, AND INTERNAL CONTROL

1.1 1.2 1.3 1.4

Business Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Business Process Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . COSO Internal Control – Integrated Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Internal Control and Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 4 7 19

Accountants, whether acting as an auditor during a walk-through or as a member of the controller’s team, must first gain an understanding of the intricacies of the business. Business processes include the data, transactions, activities, and systems that are necessary for successful business operation. Accountants must understand business processes to ascertain the risks associated with those processes. They can then implement appropriate controls to minimize the identified risks. 1.1 BUSINESS PROCESSES 1.

A business process is a set of related activities and tasks brought together to achieve a desired outcome. Typically, it is a series of tasks that culminate in a product, service, or business goal. a.

Business processes can be broken into the following three types of business activities: 1) 2) 3)

b. 2.

It is important to note that business activities are not necessarily independent of each other. Corporate strategy may require overlap among types of activities.

Operating processes are the activities related to the business’s core objectives. a.

For service companies, operating processes are those activities that provide services to satisfy customers’ needs. 1)

b.

c.

For example, the operating processes of an airline relate to customer transportation.

For manufacturing companies, operating processes are those activities that produce and sell products to customers. 1)

3.

Operating processes Projects Management and support processes

For example, the operating processes of an aircraft manufacturer relate to the construction and sale of aircraft.

Once operating processes are designed, they are typically continuous except for adjustments to improve efficiency or account for technological improvements.

Projects are related activities that either (a) are nonroutine or (b) contribute directly to achieving the business’s core objectives but only happen over an extended period. a.

A nonroutine project could be the activities related to a company’s selection of a new vendor, for example, an airline choosing between a Boeing 737 and an Airbus A321.

b.

A project that contributes directly to achieving core objectives over an extended period could be an airline contracting chemists to produce a more efficient biofuel. This is outside the airline’s normal operating processes for transporting customers but still contributes to its core objective of air travel.

Copyright © 2021 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].

2

SU 1: Business Processes, Risks, and Internal Control

4.

Management and support processes are the activities that supervise and support the business. These processes are required for the success of the business, but they do not directly create value for the business’s customers. Common examples of functions that provide management and support processes are human resources, accounting, and information technology departments. Often these departments provide the organizational governance and strategic direction of the business.

5.

The business model consists of the business’s objectives and how the business processes achieve these objectives. These objectives include the vision, mission, and high-level strategies. However, the business model is like an onion with multiple layers surrounding these high-level objectives, such as the annual goals and measures. Thus, once an objective is identified, the layers can be “peeled back” to determine the factors making up that objective.

6.

Accountants can help improve a business’s operations by first understanding the business model and then applying this knowledge to refine the business processes. The two main approaches to gaining an understanding of the business model are the top-down approach and the bottom-up approach. a.

The top-down approach begins by determining the business’s overarching objectives and then requires analysis of the key processes critical to achieving those objectives. 1)

A key process is a business process that would prevent the business from achieving one of its objectives if the business process were not performed.

2)

Once a key process is identified, the accountant must evaluate any subprocesses of the key process to determine whether they are required for the key process to be achieved. This continues until every process that makes up the key process is identified and the accountant has reached the activity level.

3)

The activity level is a basic activity conducted by either a person or an IT operation. a)

b)

4)

b.

Examples of activity levels performed by people include preparing a receiving report, operating a cash register for a transaction, or welding metal parts on a manufacturing line. Examples of activity levels performed by computer programs include automated scanning of barcodes to identify boxes arriving on a conveyor belt, completing a sale via an online store, or automated welding of metal on a manufacturing line.

Drawback. The accountant performing this analysis is unlikely to have detailed knowledge of every facet of the business’s activities. Therefore, there is the potential that some critical business subprocess may be overlooked and not identified.

The bottom-up approach begins by examining all the business processes at the activity level. The accountant works with each department or area of the business to identify and document their business processes. The benefit of the bottom-up approach versus the top-down approach is that the people responsible for the activities help identify and document them. 1)

Once an activity is identified, both the larger business process and related key business objective also must be identified. The following questions help with the identification process: a)

How are employees expected to implement the activity or process?

Copyright © 2021 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].

SU 1: Business Processes, Risks, and Internal Control

b) c) d)

7.

Why does the activity or process exist? How does the activity or process support the overarching strategy of the business? Does the activity or process achieve other indirect benefits for the business?

2)

After the business objectives are identified, the accountant needs to ascertain if there are inputs or other activities required to perform the activity or process. Often, departments have manuals that document related processes and activities.

3)

Drawback. This approach requires many staff members and is incredibly time intensive. The larger the business, the more difficult this approach is due to the sheer number of processes involved. Therefore, the smaller the business, the more likely an accountant would use the bottom-up approach.

Key performance indicators (KPIs) are used to provide management with an indication of how well employees are executing the processes and related activities. KPIs a. b. c. d. e.

8.

3

Are highly relevant to the business process or activity Are easily measurable and observable Have an acceptable or allowable range Are provided to employees so they can ascertain how well they are doing Are conducive to analyzing, tracking, and improving activities using data analytics

Process Mapping a.

Once an accountant begins to understand the business processes and how they are integrated into the business model, visual depictions are helpful to identify potential improvements to the processes as well as document and confirm appropriate internal controls.

b.

Process mapping is a simple form of flowcharting used to depict a business process. Below is an example of a process map for invoice processing in the purchasing department.

NOTE: PO means purchase order, and AP means accounts payable.

Figure 1-1

Copyright © 2021 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].

4

SU 1: Business Processes, Risks, and Internal Control

1.2 BUSINESS PROCESS RISKS 1.

Business Risks a.

After gaining an understanding of the overarching strategy and related business processes, accountants should develop a risk profile based on business risk.

b.

There are four general types of business risks: 1) 2) 3) 4)

c.

Strategic risks Compliance risks Reporting risks Operational risks

Each of the risks above can be further organized into external and internal risks. The depiction below is a representation of some of the business risks businesses endure. Strategic Risks

Compliance Risks

External

Internal

External

Internal

Competitors

Customer satisfaction

Regulations

Policies

Reputation

Corporate governance

Licenses & permits

Ethics

Industry & market dynamics

Strategic focus

Litigation

Corruption

Economic Technology Reporting Risks

Operational Risks

External

Internal

External

Internal

Financial statements

Internal control

Capitalization

Business process execution

Tax filings

Budgeting

Acts of God

Key employee continuity

Valuations

Performance measures (KPIs)

Supply chain

Cash management Employment levels Product development lapse

Copyright © 2021 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].

SU 1: Business Processes, Risks, and Internal Control

2.

5

Risk Management a.

Risk is the probability of an event occurring that will have an impact on the achievement of objectives. 1)

Risk management assesses and controls these risks to achieve an organization’s goals. a) b)

b.

Risk Management Processes 1)

Contexts within which risks should be managed must be identified before individual risks may be identified. Contexts include the following: a) b) c) d) e) f)

Laws and regulations Capital projects Business processes Technology Market risk (e.g., interest rates, foreign exchange rates, equity investments) Organizations

2)

Risk identification should be performed at every level of the entity (entity-level, division, business unit) relevant to the identified context(s).

3)

The risk assessment process may be formal or informal. It involves (a) assessing the significance of an event, (b) assessing the event’s likelihood, and (c) considering the means of managing the risk. a)

4)

5)

The results of assessing the likelihood and impact of the risk events identified are used to prioritize risks and produce decision-making information.

Risk responses are how an organization elects to manage individual risks. a)

c.

Management must focus on risks at all levels of the entity and take the necessary action to manage them. All risks that could affect achievement of objectives must be considered.

Each organization selects risk responses that align risks with the organization’s risk appetite (the level of risk the organization is willing to accept).

Risk monitoring (a) tracks identified risks, (b) evaluates current risk response plans, (c) monitors residual risks, and (d) identifies new risks.

Risk is measured in terms of probability and impact. 1)

The probability that a risk will occur ranges from nearly 0% to nearly 100% certainty. a) b)

2)

An event with a 0% chance of occurring is impossible and is thus not a risk. A risk with a 100% chance of occurring is certain to occur and therefore can be fully anticipated.

The magnitude of the impact varies in terms of monetary (financial loss) and nonmonetary (safety) values.

Copyright © 2021 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].

6

SU 1: Business Processes, Risks, and Internal Control

Figure 1-2

Low probability, low impact – Risks in the proximity of C are low-level risks and can generally be ignored. Low probability, high impact – Risks in the proximity of A are of high significance if they materialize but are also highly unlikely to take place. Nevertheless, an action plan should be developed to combat the risks if the risks occur. High probability, low impact – Risks in the proximity of D are of low significance if they materialize, though they are likely to occur. Although the company can continue to function while dealing with the risks, an action plan should be developed to lower the chances that the risks occur. High probability, high impact – Risks in the proximity of B are of catastrophic significance and are top priority if they materialize. An action plan must be developed to combat the risks should the risks occur. Therefore, these risks should be constantly monitored and assessed. d.

Business risks can be mapped to the business processes using ERM as discussed in Study Unit 3.

e.

Once a business risk is identified, the accountant must determine how to best respond. There are five basic responses to each risk: 1) 2) 3) 4) 5)

Acceptance Avoidance Pursuit Reduction Transfer (e.g., insurance transfers risks from the business to the insurer)

Copyright © 2021 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].

SU 1: Business Processes, Risks, and Internal Control

7

1.3 COSO INTERNAL CONTROL – INTEGRATED FRAMEWORK 1.

Overview a.

Although the COSO Internal Control – Integrated Framework is widely accepted as the standard for the design and operation of internal control systems, regulatory or legal requirements may specify another control framework or design.

b.

The COSO framework consists primarily of a definition of internal control, categories of objectives, components and related principles, and requirements of an effective system of internal control.

BACKGROUND 1-1

Treadway Commission

The Watergate investigations of 1973-74 revealed that U.S. companies were bribing government officials, politicians, and political parties in foreign countries. The result was the Foreign Corrupt Practices Act of 1977. The private sector also responded by forming the National Commission on Fraudulent Financial Reporting (NCFFR) in 1985. The NCFFR is known as the Treadway Commission because James C. Treadway was its first chair. The Treadway Commission was originally sponsored and funded by five professional accounting organizations based in the United States. This group of five became known as the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Commission recommended that this group of five organizations cooperate in creating guidance for internal control. The result was Internal Control – Integrated Framework, published in 1992, which was modified in 1994 and again in 2013. The executive summary is available at www.coso.org/documents/990025P-Executive-Summary-final-may20.pdf.

2.

Definition of Internal Control a.

The COSO framework defines internal control as follows: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

b.

3.

Thus, internal control is 1)

Intended to achieve three classes of objectives

2)

An ongoing process

3)

Effected by people at all organizational levels, e.g., the board, management, and all other employees

4)

Able to provide reasonable, but not absolute, assurance

5)

Adaptable to an entity’s structure

Entity Objectives a.

Setting objectives is a prerequisite to internal control.

b.

Objectives should be specific, measurable or observable, attainable, relevant, and timebased.

c.

According to the definition of internal control, there are three categories of objectives: (1) operations, (2) reporting, and (3) compliance.

Copyright © 2021 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].

8

SU 1: Business Processes, Risks, and Internal Control

1)

Operations Objectives a)

b)

2)

Operations objectives relate to achieving the entity’s mission. i)

These objectives are based more on the entity’s preferences and judgments, as opposed to laws, rules, regulations, or some other authority.

ii)

Entity-level objectives lead to related sub-objectives for operations within divisions. These objectives are directed at enhancing effectiveness and efficiency.

iii)

Appropriate objectives include improving

Financial performance, Productivity, Quality, Innovation, and Customer satisfaction. Operations objectives also include safeguarding of assets. i)

Objectives related to protecting and preserving assets form the basis for assessing risk and developing controls to mitigate such risk.

ii)

Prevention of loss through waste, inefficiency, or bad business decisions relates to broader objectives than safeguarding of assets.

Reporting Objectives a)

Reporting objectives relate to the entity’s preparation of financial and nonfinancial reports for the organization (i.e., internal users) and stakeholders (i.e., external users). i)

b)

The primary purpose of reporting objectives is to provide reliable, timely, and transparent information to users of reports. There are two broad categories of reporting objectives: (1) internal reporting objectives and (2) external reporting objectives. i)

Internal reporting objectives are influenced by the preferences and ju...