Page 302 - COSO Guidance Book
P. 302

Example 8-1 (continued)

                  presence, then the cameras would be a detective control. Finally, another control would be
                  that the system compares the total of the customer’s balance added to the current sale
                  amount with the customer’s credit limit. This control should help decrease the amount of the
                  company’s bad debts. There are other controls, but these will suffice for the illustration.

                  A control matrix follows for illustration.




                          Exhibit 8-4: Control matrix

                                                                                        Collusion
                                                     Fraudulent sale    Barcode         between clerk
                      Internal controls              to perpetrator     switch          and customer


                      Security camera                       P/D              P/D              P/D

                      System credit check                    P                P                P

                      Signs indicating the presence of       P                P                P
                      a security camera


                  Note that not all controls or exposures were presented. This matrix is for illustrative purposes
                  only. Security cameras could be either a preventive or detective control, depending on
                  whether signs are posted indicating their presence. If the signs are posted, then a perpetrator
                  might have an incentive not to use a stolen or fabricated credit card because the camera will
                  record the perpetrator. The security camera would also record the switching of barcodes by
                  the customer or inappropriate action by the clerk (for example, not recording the sale to an
                  accomplice, recording a lower sales price than that on the barcode, and so on).

                  Even if a sale was made to a perpetrator with a stolen credit card, or if barcodes were
                  switched, or if the clerk was in collusion with a coconspirator, then, if the sale was recorded,
                  the amount of the exposure would not exceed the credit limit for a particular account.

                  The cameras and signs would be the primary control against the exposures. The secondary
                  control — the credit limit — helps to counter the risk in case the primary control (the security
                  camera) is not working. The primary control (security camera) has a higher level of
                  assurance at reducing the exposure risk than does the secondary control.

                  There is also a classification of controls known as tertiary controls. Tertiary controls are not
                  considered reliable but might alert employees involved in the system. For example, the clerk
                  might notice that the perpetrator with either a stolen or fabricated credit card is fidgeting. This
                  might cause the clerk to notify store security. However, fidgeting is not reliable evidence that a
                  person has criminal intent.







            © 2020 Association of International Certified Professional Accountants. All rights reserved.    8-14
   297   298   299   300   301   302   303   304   305   306   307