Internal controls are the policies and procedures a company uses to ensure the accuracy and validity of its data. Risks are threats to that data, and they may originate inside or outside the company (Hunton, Bryant, & Bagranoff, 2004). The following paragraphs identify and analyze the risks and internal controls that relate to the information systems of Kudler Fine Foods. They give Kudler a basis for evaluating risks and applying internal controls, and this document also discusses external risks associated with buying a new accounting information system (AIS).
Identifying and Analyzing Risks

There are many types of risk that a company must confront each day in information technology (IT). The four main types are business, audit, security, and continuity risks. A business risk is the risk that the company will not achieve its goals and objectives; examples are union issues, a competing company, fraud, or production equipment failure. Audit risk is the risk that the financial statements contain a material misstatement or fraud that the auditor fails to uncover, so that the auditor reports on statements that are materially wrong.
A security risk is any threat that could compromise the integrity or availability of the data or allow unauthorized access to it, which can in turn lead to fraud or misuse of information by internal sources (such as employees) or external ones (such as hackers). Finally, continuity risks are information system risks that concern backup, recovery, and day-to-day availability of the system. Because it is impossible to plan for every risk, when an unplanned risk materializes management and the auditor need to act quickly to contain it and to balance the exposure against cost-effective countermeasures (Hunton, Bryant, & Bagranoff, 2004).
It is important to evaluate the selected AIS thoroughly for risks, because its master databases hold confidential customer, vendor, payroll, and corporate information. The risks associated with Kudler's new AIS are system setup, data transfer and implementation issues, the AIS exceeding server capacity, other technology issues, and internal security breaches such as fraud, loss, or misuse of data.
Typically the risks to an AIS are primarily internal threats, because processing occurs behind the company's firewalls and system access is usually limited to company employees; a firewall does nothing to stop an authorized employee who misuses that access. Because Kudler has multiple stores, the system may be web-enabled so that vendor users and employees can reach it over the Internet, which exposes it to external threats as well. This increased connectivity can make unauthorized access easier for hackers, and data loss, industrial espionage, fraud, and system outages could follow (Goldenberg, 2011).
Once the risks have been assessed, it is vital to put internal controls in place.

Identifying and Analyzing Internal Controls

The purposes of internal controls for an AIS are to protect the data resources against fraud, damage, and loss, and to ensure the accuracy, validity, and reliability of the financial and operating data. This helps Kudler stay compliant with its own policies and procedures and make better-informed decisions.
Because Kudler faces many risks, internal controls must be put in place as a matter of good business practice. To document their understanding of those controls, management should use flowcharts that highlight risk issues and the areas needing control. Appendices A, B, C, and D are data flowcharts for Kudler; the highlighted areas on these charts mark possible risks and potential internal controls to put in place (Apollo Group, 2013). The first step in developing an effective internal control system is to identify the areas where exploitation or errors are most likely to occur.
Separation of duties is the key to reducing many of the fraud concerns surrounding accounting and finance. No employee should handle more than one of the following responsibilities: record keeping, authorization, reconciliation, and custody of assets. The following areas in accounting should also be reviewed for internal risks:

* Cash receipts and disbursements: deposits are recorded and made promptly to the bank, checks are signed and reviewed by management, petty cash is secured and properly recorded, bank reconciliations are done monthly and reviewed by management, and the AP and AR master data files are secured with passwords so that only authorized end users can access them.
* Payroll: all payroll changes are approved by a supervisor, disbursements are made only to actual employees, and tax filings are filed in compliance with the law.
* Fixed assets: all purchases of fixed assets are properly labeled and recorded and used solely for work purposes, and management reviews them monthly.
* Ordering (inventory): all orders are approved before they are placed, inventory is audited regularly, and inventory is properly recorded and valued in line with the company's accounting policies.
* System changes: every change to the system must be approved; the Security Administrator assigns the approved change to the programmers, the programmers work with the end users on the change, and management approves the result before it is implemented. Consistent with separation of duties, the programmer who writes a change should not also be the person who moves it into production (BDO Consulting, 2009).
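The separation-of-duties rule above (no one person in more than one of record keeping, authorization, reconciliation, and custody) can be checked mechanically against the AIS's user-to-role export during each access review. The following Python is an added example written for this document, not code from Kudler's AIS or from BDO Consulting; the role names, the mapping of roles to the four duty classes, and the sample user assignments are all constructed for illustration.

```python
from collections import defaultdict

# The four incompatible duty classes named in the text.
DUTY_CLASSES = ("record_keeping", "authorization", "reconciliation", "custody")

# Assumed mapping of AIS application roles to duty classes (illustrative,
# not Kudler's real roles). A role mapped to None is read-only and does not
# count toward a conflict.
ROLE_DUTY = {
    "ap_clerk": "record_keeping",
    "gl_poster": "record_keeping",
    "purchase_approver": "authorization",
    "payroll_approver": "authorization",
    "bank_reconciler": "reconciliation",
    "check_signer": "custody",
    "petty_cash_custodian": "custody",
    "report_viewer": None,
}


def sod_conflicts(assignments, role_duty=ROLE_DUTY):
    """Return {user: {duty_class: [roles]}} for every user whose roles span
    more than one duty class.

    assignments: iterable of (user, role) pairs as exported from the AIS.
    An unclassified role raises instead of being ignored, so a new role
    added to the system cannot silently bypass the review.
    """
    duties_by_user = defaultdict(lambda: defaultdict(list))
    for user, role in assignments:
        if role not in role_duty:
            raise ValueError(f"role {role!r} is not classified into a duty class")
        duty = role_duty[role]
        if duty is None:
            continue  # read-only role, never part of a conflict
        duties_by_user[user][duty].append(role)
    return {
        user: {duty: sorted(roles) for duty, roles in duties.items()}
        for user, duties in duties_by_user.items()
        if len(duties) > 1
    }


def format_report(conflicts):
    """Render conflicts as one line per user for an access-review ticket."""
    lines = []
    for user in sorted(conflicts):
        parts = "; ".join(
            f"{duty}: {', '.join(roles)}" for duty, roles in sorted(conflicts[user].items())
        )
        lines.append(f"{user} holds conflicting duties -> {parts}")
    return "\n".join(lines)


# Constructed sample export of (user, role) pairs; not real Kudler data.
SAMPLE_ASSIGNMENTS = [
    ("alice", "ap_clerk"),
    ("alice", "check_signer"),        # records payables AND signs the checks
    ("bob", "purchase_approver"),
    ("bob", "report_viewer"),         # read-only role does not create a conflict
    ("carol", "gl_poster"),
    ("carol", "ap_clerk"),            # two roles in the same class is acceptable
    ("carol", "bank_reconciler"),     # ...but reconciling her own postings is not
    ("dave", "payroll_approver"),
]

if __name__ == "__main__":
    print(format_report(sod_conflicts(SAMPLE_ASSIGNMENTS)))
```

Two design points matter in practice: roles inherited through groups must be flattened into direct (user, role) pairs before the export is fed in, or the check will miss inherited access; and an unknown role is treated as an error rather than skipped, because the most common way a control like this decays is a new role that nobody classified.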
Controls Outside of the System

Other controls outside of the system that Kudler should evaluate for risks and improvement include environmental controls, such as physical access to the building or utilities; operational controls, such as personnel policies, strategic planning, administration, and supply chain; and reputation controls, such as internal and external communications and media issues.
Achieving understandable business controls at any level requires Kudler to clearly state the procedures for handling each area, including a system of checks and balances in which segregation of duties has been established from the beginning to the end of each process. Management is responsible for setting the tone and the degree of accountability and precision regarding the company's assets and responsibilities. Management fulfills that responsibility in part by approving many aspects of the internal controls (Disaster Recovery Journal, 2011).

Conclusion
It is the responsibility of Kudler Fine Foods' management to understand, monitor, and control risks. This document has shed some light on potential risks the company could face, although being prepared for every risk is impossible. Evaluating and implementing a system of internal controls gives the company reasonable assurance that it can manage its data, resources, and operations in the face of those risks. Internal controls also support reliable reporting and compliance with laws and regulations, which are necessary for good business practice.