An Examination of the Audit Implications of Third-Party Risk

Filosa, Jessica Rose

23 May 2024

Doctor of Philosophy / This study explores whether companies that engage in outsourcing suffer negative audit-related consequences. Outsourcing exposes companies to third-party risk, which is the risk associated with outsourcing IT systems and/or business operations to external companies. Publicly traded companies in the United States are required to file a financial report with the Securities and Exchange Commission each year that includes a discussion of significant risks the company faces. I use this disclosure to identify companies that reveal third-party risk as a major threat to their organization and use machine learning to develop a measure that distinguishes companies exposed to third-party risk from those that are not. Using this measure, I examine whether companies exposed to third-party risk arrangements are more likely to suffer from low quality internal controls, to experience a cybersecurity incident, or to pay higher fees to their external auditor. The results do not show an association between my measure of third-party risk and the likelihood that a company reports a problem with internal controls. However, I do find that companies exposed to third-party risk are more likely to experience a cybersecurity incident. Lastly, I find that companies exposed to third-party risk pay higher fees to their external auditors in the initial year that this risk appears in their annual report. Overall, these results provide initial empirical evidence on the existence and consequences of third-party risk. The findings may be of interest to accounting professionals and managers who are in the early stages of learning to identify and manage their third-party risk exposure. Regulators may also benefit from this study as they contemplate updating the auditing standards related to outsourcing.

third-party risk

outsourcing

internal control

cybersecurity

audit fees

operational efficiency

內部控制有效性與投資效率之關聯性研究-以中國上市公司為例 / The Association between Internal Control Efficiency and Investment Effectiveness-- Evidence from China Listed Firms

許琬琪, Hsu, Wan Chi

Unknown Date

本研究以2007年至2011年中國滬深交易所A股上市公司為研究樣本，以中國證監會公佈之行政裁罰、深滬兩交易所對上市公司之處分、及企業自行揭露的內部控制評價報告之內容分析企業發生內控缺失之類型，依照中國《企業內部控制基本規範》，將內部控制缺失依內控五大要素與五大目標予以分類彙總。並將企業的投資效率分為投資不足與過度投資，分別探討內部控制有效性對公司投資效率之影響。 實證結果顯示投資不足的程度與可靠的財務報導之內控目標的內控缺失存在正向的顯著關係。而過度投資的程度與是否發生內控缺失、後勤支援活動和內控設計及執行的內控缺失類型、內控五大要素、及營運的效率效果之內控目標的內控缺失呈現顯著或單尾顯著的負向關係。整體而言，在被監管單位揭發內控缺失資訊，內控有效性較低，而自我揭露愈多內控資訊，企業內控意識可能較佳之假設下，內控缺失一定程度影響企業的投資決策，內控的有效性有助於投資效率。 / Based on the sample of A-share listed companies in China over the period of 2007-2011, the research classified the companies by under investment and over investment, and investigated the impact of internal control efficiency on firm investment effectiveness separately The study comprehensively collects internal control reports released by listed firms and collects penalties which are released by the China Securities Regulatory Commission (CSRC), the Shanghai Stock Exchange (SSE) and the Shenzhen Stock Exchange (SZSE). A further classification of internal control weaknesses was performed based on the nature of the events, COSO Internal Control — Integrated Framework and regulations of internal control in China. 　　In sum, the empirical results indicate that, for the companies under investment, the internal control weaknesses of financial reporting have significant positive impact on firm investment effectiveness. On the other hand for the companies which were over investment, those with internal control weaknesses have significant negative association with investment effectiveness. Moreover, the results show that companies with defective of logistics work or the design and execution of internal control were worse performers on investment effectiveness. Based on the COSO framework, the internal control weaknesses classified by the elements, including control environment, risk assessment, control activities, information and communication, monitoring, and the efficient and effective operations of the internal control objective are significant or one-tailed significant negative correlated to firm investment effectiveness. Collectively, if the internal control weaknesses were disclosed by the authorities, the firms had worse internal control efficiency, while the firms which were more conscious of internal control would disclose the internal control weaknesses themselves. The study shows that internal control weaknesses have impact on firm investment policy, and that internal control efficiency helps promote firm investment effectiveness.

內部控制有效性

內部控制缺失

投資效率

過度投資

投資不足

internal control efficiency

internal control weakness

investment effectiveness

under investment

over investment

Vnitřní kontrolní systém / Internal Control System

Beránková, Markéta

January 2009

This thesis deals with the internal control concept according to the COSO Integrated Framework for Internal Controls. Internal control definition, objectives and components are reviewed and commented. The emphasis is put on the auditor's understanding the entity's internal control and his responsibility to identify and assess the risk of material misstatement in the financial statements.

Intern kontroll: En fallstudie på Trafikverket

Almqvist, Johanna, Hammerin, Malin

January 2016

Internal control is something that’s grown more important for enterprises to keep in mind. The community is increasingly affected by the IT-development which demands a bigger degree of security. Enterprises needs to make sure that their systems are up to date and secure enough to keep it safe from unauthorized to take part of sensitive information. Internal control can exist in a major part of the work. If an enterprise have a goal for no harm or serious injury at work, internal control is necessary to reach that goal. The purpose for this essay is to examine how five different departments of Trafikverket practices internal control. How internal control is described. How the guidance from the managements is described and how it reaches the rest of the enterprise. This will lead to a proposal of improvement of the internal control at Trafikverket. We focus our frame of reference on the COSO-model and its five components. The components included in the COSO-model are control environment, risk valuation, control activities, information and communication and monitoring. The essay is a case-study of Trafikverket. We have chosen a qualitative method and interviewed five respondents from the different departments on Trafikverket. The respondents we interviewed works with internal control in their everyday work or have a god insight in the subject. We used a semi structured interview guide with questions based on the COSO framework. The results from our study shows that it exist big variations between how the departments work with internal control. It emerged that there are new guidelines for how the work should be done. This makes it necessary with education to implement the new ways to work. How the departments use the COSO-model varies. Some of them have incorporated the model in their new ways to work others have never heard of it. The conclusion of our study shows that the COSO-model and it´s components contribute to a functioning internal control. Implementing the components is important and the most important feature to good internal control is the corporate management. Education within the enterprise is the most effective way to inform the staff about the model and to implement it. / Intern kontroll är något som blir allt viktigare för organisationer att ha koll på. Samhället påverkas allt mer av IT-utvecklingen vilken ställer krav på en viss grad av säkerhet. Organisationer måste försäkra sig om att deras system är tillräckligt säkra för att inte obehöriga ska komma åt känslig information. Intern kontroll kan finnas i en stor del av arbetet. Om en organisation har ett mål för att ingen ska skadas allvarligt eller avlida på arbetsplatsen, krävs det interna kontroller för att uppnå målet. Syftet med uppsatsen är att undersöka hur de olika verksamhetsområdena inom Trafikverket tillämpar intern kontroll. Hur intern kontroll beskrivs i ledningssystemet och hur det når ut i verksamheten. Det ska leda till ett förbättringsförslag av den interna kontrollen hos Trafikverket. Vår teoretiska referensram fokuserar på COSO-modellen och de fem komponenter som ingår i modellen. De komponenter som ingår i COSO-modellen är kontrollmiljö, riskvärdering, kontrollaktiviteter, information och kommunikation samt övervakning. Uppsatsen är en fallstudie på Trafikverket. Vi har valt en kvalitativ metod där vi genomfört fem intervjuer på de olika verksamhetsområdena på Trafikverket. Vi har intervjuat personer som har positioner där de arbetar med intern kontroll eller har god insyn i området. Vi har använt en semistrukturerad intervjuguide där frågorna baserats på COSO:s ramverk. Resultatet av vår studie visar att det finns stora variationer i hur verksamhetsområdena arbetar med intern kontroll. Det framkom att det har kommit nya riktlinjer för hur arbetet ska utföras. Det i sin tur kräver en utbildningsinsats för att implementera arbetssätt. Hur verksamhetsområdena använder COSO-modellen i arbetet varierar. Vissa har det inarbetat i arbetssätten och känner till modellen medan andra aldrig har hört talats om den. Slutsatser av vår studie visar att COSO-modellen och dess komponenter bidrar till en fungerande intern kontroll. Att implementering av komponenterna är viktig och att det viktigaste för bra intern kontroll är företagsledningen. Utbildning inom organisationen är det effektivaste sättet att informera de anställda och implementera modellen.

Internal Control

COSO

The three Lines of Defence

Chaos theory

Trafikverket

Authority.

Intern kontroll

COSO

Ansvarslinjer

Kaosteorin

Trafikverket

Myndighet.

Bakom deras ryggar : En studie om intern kontroll

Alexandersson, Emma

January 2017

Efter 2000-talets stora skandaler fick den interna kontrollen en central roll på de flesta företagen. En stark intern kontroll kan enligt tidigare forskning skydda företag ifrån bedrägerier, fel och misstag. Denna studien syftar till att förklara variationen i företags upplysningar om intern kontroll. En kvantitativ metod har använts för att lyckas besvara detta syfte och empirin har insamlats ifrån 235 börsnoterade bolags årsredovisningar. Uppsatsen har en teoretisk referensram som är byggd på tidigare forskning samt flera olika teorier. De teorier som kommer att användas är legitimitetsteorin, agentteorin, positive accounting theory och institutionell teori. Utifrån denna referensram har fem hypoteser utvecklats. Dessa hypoteser har sedan testats med hjälp av olika statistiska analyser. Resultatet ifrån denna studien indikerar på att det finns flera faktorer som kan påverka företagens upplysningar om intern kontroll i årsredovisningarna. Slutsatsen påvisade att storlek, ägarstruktur samt tillämpningen av COSO: ramverket påverkar mängden upplysningar som anges i bolagens årsredovisningar. Studien indikerade vidare på att bransch och revisionsbyrå inte påverkar mängden upplysningar som anges i årsredovisningarna. / After the big scandals of the 21st century, internal control became a crucial role amongst most companies. According to previous research, strong internal control can protect companies from frauds, errors and mistakes. This study clarifies the variation in companies’ information concerning internal control. Furthermore, a quantitative method is used to successfully respond to this purpose and the information is composed from the annual reports of 235 listed companies in Sweden. This study has a theoretical framework that is based on previous research and several different theories. The theories that are used is legitimacy theory, agent theory, positive accounting theory and institutional theory. Consequently, based on this outline, five hypotheses are developed. Further, these hypotheses are tested using various statistical analyzes. The result of this study indicates that there are numerous of factors that may affect the company's information regarding internal control in the annual report. Conclusively, the study indicates that size, ownership structure and the application of the COSO framework affect the amount of disclosures in the company's annual reports. In addition, the study indicates that the quantity of information disclosed in the annual reports is not depended on the industry or audit firms used.

Internal control

COSO: framework

information

annual report

management

Intern kontroll

COSO:ramverket

upplysningar

årsredovisning

styrning

Business Administration

Företagsekonomi

Impacto financiero de la identificación y valoración de riesgos de incorrección de las MYPEs para la gestión de recursos y procesos operativos del sector comercial textil en la Asociación “Señor de Luren”, del 2017

Oliva Bravo, Giancarlo, Soncco Quispe, Francisco Roberto

01 September 2018

En el presente trabajo de investigación se analizó la determinación del Impacto Financiero de la Identificación y Valoración de Riesgos de Incorrección de las MYPEs para la Gestión de Recursos y Procesos Operativos del Sector Comercial Textil en la Asociación “Señor de Luren”; tomando como referencia la aplicación de la NIA 315. El tipo de investigación fue analítica, descriptiva y de campo. La población estudiada para el análisis cuantitativo se compone de 115 microempresas dedicadas al comercio textil en la Asociación Comercial “Señor de Luren”; asimismo, la población para el estudio cualitativo se compone de tres especialistas del rubro. Además, se realizó el análisis de tres casos en la cual cada empresa cumple con ciertos procedimientos particulares para un mayor entendimiento en la investigación. Se utilizó una muestra con un nivel de confianza del 0.95. Los datos fueron analizados con estadística descriptiva. Los resultados arrojaron que el 100% de los encuestados no tienen mapeados sus controles; sin embargo, aplican algunos de ellos por la experiencia que llevan en el rubro. Los microempresarios presentan deficiencias en las políticas contables; así como ineficiencia en la gestión de riesgos. Se recomienda implementar las mejoras propuestas para la Identificación y Valoración de Riesgos de Incorrección en las MYPEs y poder contar con una óptima Gestión de Recursos y de Procesos Operativos. / In the present work of investigation the determination of the Financial Impact of the Identification and Assessment of Risks of Improvement of the mechanisms for the Resource Management and Operational Processes of the Textile Trade Sector in the Association "Señor de Luren" was analyzed; As a reference for the application of ISA 315. The type of research was analytical, descriptive and field. The population studied for the quantitative analysis is composed of 115 micro enterprises dedicated to textile trade in the "Señor de Luren" Commercial Association; likewise, the population for the qualitative study is composed of three specialists of the sector. In addition, an analysis has been made of the cases in which each company meets the particular requirements for a better understanding of the research. A sample with a confidence level of 0.95 is shown. The data were analyzed with descriptive statistics. The results showed that 100% of respondents do not have their controls mapped; however, in the case of the experience they have in the field. Microentrepreneurs have deficiencies in accounting policies; As well as inefficiency in risk management. It is recommended to implement the improvements for Resource Management and of Operational Processes. / Tesis

NIA

Impacto financiero

Procesos operativos

Sector comercial textil

Control interno.

Financial impact

Operational processes

Internal control

Textile commercial sector

Intern Kontroll : En kvantitativ studie om hur medelstora företag utformar sin interna kontroll och vad som ligger till grund för utformningen / Internal Control : A quantitative study about how medium-sized companies design their internal control and what is the basis for the design

Lordh, Philip, Krantz, Erik

January 2019

Bakgrund: Nya utmaningar i samhällets näringsliv har ökat kontrollbehovet och därmed bidragit till den interna kontrollens aktualitet samt att COSO:s ramverk fått en allt större betydelse. Medelstora företag har kopplats ihop med svaga förutsättningar i arbetet mot en väl utformad och använd intern kontroll. Avsaknaden av en god intern kontroll har därmed inneburit svårigheter att undvika negativa konsekvenser. Samtidigt är företagens situation avgörande, men hur situationsanpassa har visat sig problematiskt. Syfte: Genom att undersöka användandet av COSO:s ramverk till hög respektive låg grad ämnar studien förklara hur medelstora företag i Sverige utformar sin interna kontroll. Vidare syftar studien till att kartlägga och förklara om organisatoriska faktorer kan medföra skillnad i den interna kontrollens utformning. Metod: Studien utgår ifrån en kvantitativ forskningsstrategi med en tvärsnittsdesign. En survey har genomförts av respondenter i ledande positioner på medelstora företag i fem olika branscher. Den insamlade datan har sedan genomgått ett antal statistiska analyser för att få en tydligare bild om hur och varför medelstora företag utformar sin interna kontroll på olika sätt. En del i de statistiska analyserna utgör hypotesprövning. Slutsats: Det som COSO:s ramverk ämnar att förmedla är till hög grad omedvetet använt av medelstora företag. Bristfälliga komponenter i kombination med bristfällig samverkan kan förklara varför nämnda företag antas ha svårigheter i arbetet mot en väl utformad och använd intern kontroll. Ett antal organisatoriska faktorer påverkar användandet av den interna kontrollens komponenter. Mer avgörande är däremot kunskap och medvetenhet till den nuvarande goda interna kontrollen som faktiskt finns. / Background: Challenges in business environment have increased the need and relevance of internal control, the framework created by COSO has also got attention. Medium-sized companies have been connected to weak conditions in their work towards a well designed and used internal control. Without a well designed and used internal control it is hard to avoid negative consequences. At the same time the companies situation is crucial, adaption to the specific situation has been problematic. Purpose: By investigating if COSO's framework is used to a high respectively low degree the thesis intends to explain how medium-sized companies in Sweden design their internal control. Furthermore, the thesis aims to explain whether organizational factors can cause differences in the design of internal control. Method: The thesis is based on a quantitative research strategy with a cross-sectional design. Individuals in leading positions in medium-sized companies in five different industries have participated in a survey. The data has been used in statistical analyzes to understand how and why medium-sized companies design their internal control in different ways. Some of the statistical analyzes was used to prove hypothesis. Conclusion: The information COSO's framework aims to communicate is higly unconsciously used by medium-sized companies. Defective components and their collaboration can explain why medium-sized companies have been connected with difficulties in their work towards a well designed and used internal control. Some organizational factors affects the use of the components in internal control. However, more decisive is knowledge and awareness of the internal control that actually exists.

Internal Control

COSO

Contingency theory

Medium-sized companies

Intern kontroll

COSO

Contingency teorin

Medelstora företag

Business Administration

Företagsekonomi

A contribuição da auditoria com a melhoria contínua de controle interno para minimização de riscos de fraudes nas organizações

Silva, Jeovan Lourenço da

10 December 2014

Made available in DSpace on 2016-04-25T18:40:02Z (GMT). No. of bitstreams: 1 Jeovan Lourenco da Silva.pdf: 899943 bytes, checksum: e1626b08056ec3f7436eaa2f957e302c (MD5) Previous issue date: 2014-12-10 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior / This work includes exploratory and descriptive nature of the performance audit to continuous improvement of internal control to minimize risks of fraud in organizations aiming to provide a theoretical overview of the concepts of audit and risk, internal control, compliance and fraud specific objectives which relate to audit who uses methodologies for assessing the risks inherent to the activities of the company, addressing generic issues and their relationship to the internal control environment of enterprises, and then discuss the topic through the presentation of its phases and dimensions. This reference is directed to understanding the concepts of auditing and the difference between internal and external audit and the quality of audit work that can be measured. The main results refer reflection of the challenges of the audit to assist the internal control environment in order to decrease risks of fraud in companies with his work and methodology applied continuously, the need for accurate and reliable information for decision making and the relevance to that Audit has synergy with the Senior Management. Thus, the internal control environment and specializes certifies that its professionals have training to manage the major risks that the company is subject. The main gain is associated with the continuous improvement of internal control which should be incorporated into the management and culture of the organization / Este trabalho de caráter exploratório-descritivo compreende a atuação da auditoria com a melhoria contínua do controle interno para a minimização de riscos de fraudes nas organizações com o objetivo de apresentar uma visão teórica dos conceitos de auditoria, sendo risco, controle interno, compliance e fraudes os objetivos específicos os quais se relacionam com a auditoria que se utiliza de metodologias para avaliar os riscos inerentes às atividades da empresa, abordando os aspectos genéricos e a sua relação com o ambiente de controle interno das empresas, para então discorrer sobre o tema, mediante a apresentação de suas fases e dimensões. Esse referencial se orienta à compreensão dos conceitos de auditoria e a diferença entre a auditoria interna e externa e a qualidade dos trabalhos de auditoria que podem ser medidos. Os principais resultados remetem a reflexão dos desafios da auditoria em auxiliar o ambiente de controle interno visando diminuir riscos de fraudes nas empresas com os seus trabalhos e metodologia aplicada continuamente, a necessidade de informações precisas e confiáveis para tomada de decisão e a relevância para que se tenha sinergia da Auditoria com a Alta Administração. Com isso, o ambiente de controle interno se especializa e atesta que seus profissionais tenham capacitação para controlar os maiores riscos que a empresa está sujeita. O principal ganho está associado com a melhoria contínua do controle interno o qual deva ser incorporado à gestão e cultura da organização

Risco

Auditoria

Controle interno

Compliance e fraude

Risk

Audit

Internal control

Compliance and fraud

Kundinformation utvecklar den interna styrningen / Customer information develops the internal governance

SIMONSSON, LENA, EKDAHL, RICKARD

January 2011

Hur en verksamhet skall förbättrar sin interna styrning genom användning av kundinformation är ett omdiskuterat ämne. I studien ”Kundinformationen utvecklar den interna styrningen”. Undersöker författarna hur företag som tillämpar användningen av CRM i sin vardagliga verksamhet, har möjlighet att effektivisera för hur de skall nå sin vision. Detta möjliggjordes genom att fråga ett antal verksamheter, hur de ser på vikten av användandet av IT – relaterade verktyg. Skapar ett bättre sätt för verksamheten att kommunicera med kunden och samtidigt underlättar arbetet med den interna styrningen. Detta svarar författarna på när de såg till hur Balanced Scorecard teoretiskt jämfördes med hur det praktiskt tillämpas och vad i insamlingen som är viktigt för verksamheten att ta del av för att nå upp till sin vision. Hur resultatet av den insamling i senare skede går att koppla till verksamhetens interna styrning är i alla högsta grad väsentlig, då en god kommunikation kommer att betyda att en verksamhet tar mer marknadsandelar när relationen till kunden är starkare.Författarna kom fram till att för en verksamhet är kundrelationen guld värd när det gäller att ta marknadsandelar. En verksamhet som varje dag kan analysera kundens efterfrågan kommer i och med detta att kunna forma vilka mål som behövs. Inom ramen för detta är det därför viktigt att verksamheten ser ett icke-finansiellt nyckeltal, utifrån kundperspektivet, som viktigast och värderar de finansiella som tillhörande och hjälpande nyckeltal som kommer att styra upp verksamhetens ekonomi.

CRM

CRM

key figures

internal control

kundinformation

customer information

target figures

nyckeltal

intern styrning

måltal

Social Sciences

Samhällsvetenskap

L'injonction de sécurité : Définition d'un moyen d'action hétéronome qui mobilise l'autonomie / Safety Injunction : Definition of an Heteronomous Instrument Mobilizing Autonomy

Agulhon, Sophie

16 September 2016

Comme en attestent les multiples études sur les règles et les normes, la recherche en sciences sociales et particulièrement dans le domaine de la sécurité conçoit l’action essentiellement au travers de conflits entre l'autonomie et l'hétéronomie c’est-à-dire entre le fait de se dicter ou non ses propres lois. Néanmoins une approche dépassant ce clivage pour mettre en tension ces deux notions au sein de concepts d’action est non seulement possible mais surtout intéressante pour analyser le management de la sécurité. C’est pourquoi ce travail vise à faire la preuve du concept d’injonction de sécurité en tant que communication contraignante offrant une marge d’autonomie à son destinataire en vue de l’action. Ainsi, l’analyse socio-historique d’une entité de contrôle interne dans le secteur du nucléaire démontre que l’injonction de sécurité inclut à dessein des marges d’autonomie sur les moyens pour atteindre des objectifs de sûreté globaux et cherche à atteindre la subjectivité de son destinataire pour améliorer sa propre efficacité sur le terrain. / As several studies on rules and norms show, social sciences research and particularly in safety field generally deals with action by opposing autonomy and heteronomy; that is to say the ability to shape or not one’s life issues. However, an approach overcoming this opposition to tension those notions inside action concepts is possible and fruitful regarding safety management analysis. That is why this study aims to prove the concept of safety injunction as a binding communication that offers some autonomy margins to the addressee in order to handle action. Thus, a nuclear safety internal control socio-historical analysis will demonstrate that safety injunction intentionally provides autonomy margins related to means to reach safety goals and pursue addressee’s subjectivity to enhance its operational effectiveness.

Action

Autonomie

Contrôle interne

Injonction

Management de la sécurité

Nucléaire

Action

Autonomy

Injunction

Internal control

Nuclear

Safety management

363.1