Copyright © 2015 Pearson Education, Inc. Control and Accounting Information Systems Chapter 7 7-1

Control and Accounting Information Systems

Feb 11, 2016


Control and Accounting Information Systems. Chapter 7. Learning Objectives. Explain basic control concepts and why computer control and security are important. Compare and contrast the COBIT, COSO, and ERM control frameworks. - PowerPoint PPT Presentation
Transcript
Page 1: Control and Accounting Information Systems

Copyright © 2015 Pearson Education, Inc.

Control and Accounting Information Systems

Chapter 7

7-1

Page 2: Control and Accounting Information Systems


Learning Objectives

• Explain basic control concepts and why computer control and security are important.

• Compare and contrast the COBIT, COSO, and ERM control frameworks.

• Describe the major elements in the internal environment of a company.

• Describe the four types of control objectives that companies need to set.

• Describe the events that affect uncertainty and the techniques used to identify them.

• Explain how to assess and respond to risk using the Enterprise Risk Management model.

• Describe control activities commonly used in companies.

• Describe how to communicate information and monitor control processes in organizations.

7-2

Page 3: Control and Accounting Information Systems

Why Is Control Needed?

• Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.

• The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.

• The probability that the threat will happen is the likelihood associated with the threat.

7-3

Page 4: Control and Accounting Information Systems

A Primary Objective of an AIS

• Is to control the organization so the organization can achieve its objectives

• Management expects accountants to:
  ▫ Take a proactive approach to eliminating system threats.
  ▫ Detect, correct, and recover from threats when they occur.

7-4

Page 5: Control and Accounting Information Systems

Internal Controls

• Processes implemented to provide assurance that the following objectives are achieved:
  ▫ Safeguard assets
  ▫ Maintain sufficient records
  ▫ Provide accurate and reliable information
  ▫ Prepare financial reports according to established criteria
  ▫ Promote and improve operational efficiency
  ▫ Encourage adherence with management policies
  ▫ Comply with laws and regulations

7-5

Page 6: Control and Accounting Information Systems

Functions of Internal Controls

• Preventive controls
  ▫ Deter problems from occurring

• Detective controls
  ▫ Discover problems that are not prevented

• Corrective controls
  ▫ Identify and correct problems; correct and recover from the problems

7-6

Page 7: Control and Accounting Information Systems

Control Frameworks

• COBIT
  ▫ Framework for IT control

• COSO
  ▫ Framework for enterprise internal controls (control-based approach)

• COSO-ERM
  ▫ Expands the COSO framework, taking a risk-based approach

7-7

Page 8: Control and Accounting Information Systems

COBIT Framework

• Current framework version is COBIT5

• Based on the following principles:
  ▫ Meeting stakeholder needs
  ▫ Covering the enterprise end-to-end
  ▫ Applying a single, integrated framework
  ▫ Enabling a holistic approach
  ▫ Separating governance from management

7-8

Page 9: Control and Accounting Information Systems


COBIT5 Separates Governance from Management

7-9

Page 10: Control and Accounting Information Systems

Components of COSO Frameworks

COSO:
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring

COSO-ERM:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

7-10

Page 11: Control and Accounting Information Systems

Internal Environment

• Management’s philosophy, operating style, and risk appetite
• Commitment to integrity, ethical values, and competence
• Internal control oversight by Board of Directors
• Organizing structure
• Methods of assigning authority and responsibility
• Human resource standards

7-11

Page 12: Control and Accounting Information Systems

Objective Setting

• Strategic objectives
  ▫ High-level goals

• Operations objectives
  ▫ Effectiveness and efficiency of operations

• Reporting objectives
  ▫ Improve decision making and monitor performance

• Compliance objectives
  ▫ Compliance with applicable laws and regulations

7-12

Page 13: Control and Accounting Information Systems

Event Identification

Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization’s objectives.

Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?

7-13

Page 14: Control and Accounting Information Systems

Risk Assessment

Risk is assessed from two perspectives:

• Likelihood
  ▫ Probability that the event will occur

• Impact
  ▫ Estimate of the potential loss if the event occurs

Types of risk:

• Inherent
  ▫ Risk that exists before plans are made to control it

• Residual
  ▫ Risk that is left over after you control it

7-14

Page 15: Control and Accounting Information Systems

Risk Response

• Reduce
  ▫ Implement effective internal control

• Accept
  ▫ Do nothing; accept the likelihood and impact of the risk

• Share
  ▫ Buy insurance, outsource, or hedge

• Avoid
  ▫ Do not engage in the activity

7-15

Page 16: Control and Accounting Information Systems

Control Activities

• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance

7-16

Page 17: Control and Accounting Information Systems


Segregation of Duties

7-17
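The segregation-of-duties slide above carried only a diagram. As an added illustration that is not part of the original slides, the Python check below reviews a constructed set of user/duty assignments against a rule set assumed for this example: the systems duties named in the chapter's key terms (systems administrator, network manager, programmer, computer operator, and so on) are treated as pairwise incompatible, and the accounting duties of authorization, recording, and custody are treated as pairwise incompatible; the users and their assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) review over a constructed user/duty assignment.

Rule set (an assumption for this example, not from the slides): every systems
duty named in the chapter's key terms is incompatible with every other systems
duty, and the three classic accounting duties are pairwise incompatible. A hit
means one person could both cause and conceal a problem without collusion.
"""
from itertools import combinations

# Systems duties from the chapter's key-terms list; assumed pairwise incompatible.
SYSTEMS_DUTIES = {
    "systems administrator", "network manager", "security management",
    "change management", "user", "systems analyst", "programmer",
    "computer operator", "information system library", "data control group",
}

# Accounting duties (assumption): authorizing, recording, and custody of assets.
ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}


def sod_violations(assignments):
    """Return {user: [(duty_a, duty_b), ...]} for users holding incompatible duties."""
    violations = {}
    for user, duties in assignments.items():
        conflicts = []
        for a, b in combinations(sorted(set(duties)), 2):
            both_systems = a in SYSTEMS_DUTIES and b in SYSTEMS_DUTIES
            both_accounting = a in ACCOUNTING_DUTIES and b in ACCOUNTING_DUTIES
            if both_systems or both_accounting:
                conflicts.append((a, b))
        if conflicts:
            violations[user] = conflicts
    return violations


# Constructed sample assignments (not real people or systems).
SAMPLE_ASSIGNMENTS = {
    "alice": ["programmer", "computer operator"],  # can change code and run it
    "bob": ["authorization", "custody"],           # can approve and hold assets
    "carol": ["systems analyst"],                  # single duty, no conflict
    "dave": ["user", "recording"],                 # different categories, no conflict
}

if __name__ == "__main__":
    for user, conflicts in sod_violations(SAMPLE_ASSIGNMENTS).items():
        for a, b in conflicts:
            print(f"{user}: '{a}' and '{b}' should be segregated")
```

Run as an access review, the output lists only alice and bob; a real deployment would feed it the organization's actual role assignments and its own conflict matrix.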

Page 18: Control and Accounting Information Systems

Monitoring

• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline

7-18

Page 19: Control and Accounting Information Systems

Key Terms

• Threat or Event
• Exposure or impact
• Likelihood
• Internal controls
• Preventive controls
• Detective controls
• Corrective controls
• General controls
• Application controls
• Belief system
• Boundary system
• Diagnostic control system
• Interactive control system
• Audit committee
• Foreign Corrupt Practices Act (FCPA)
• Sarbanes-Oxley Act (SOX)
• Public Company Accounting Oversight Board (PCAOB)
• Control Objectives for Information and Related Technology (COBIT)
• Committee of Sponsoring Organizations (COSO)
• Internal control-integrated framework (IC)
• Enterprise Risk Management Integrated Framework (ERM)
• Internal environment

7-19

Page 20: Control and Accounting Information Systems

Key Terms (continued)

• Risk appetite
• Policy and procedures manual
• Background check
• Strategic objectives
• Operations objectives
• Reporting objectives
• Compliance objectives
• Event
• Inherent risk
• Residual risk
• Expected loss
• Control activities
• Authorization
• Digital signature
• Specific authorization
• General authorization
• Segregation of accounting duties
• Collusion
• Segregation of systems duties
• Systems administrator
• Network manager
• Security management
• Change management
• Users
• Systems analysts
• Programmers
• Computer operators
• Information system library

7-20

Page 21: Control and Accounting Information Systems

Key Terms (continued)

• Data control group
• Steering committee
• Strategic master plan
• Project development plan
• Project milestones
• Data processing schedule
• System performance measurements
• Throughput
• Utilization
• Response time
• Postimplementation review
• Systems integrator
• Analytical review
• Audit trail
• Computer security officer (CSO)
• Chief compliance officer (CCO)
• Forensic investigators
• Computer forensics specialists
• Neural networks
• Fraud hotline

7-21