CONTROL AND ACCOUNTING INFORMATION SYSTEMS

Provided by: lauraringr

Transcript and Presenter's Notes

1
CONTROL AND ACCOUNTING INFORMATION SYSTEMS
  • Chapter 6

2
Review and New Terms
  • A threat is any potential adverse occurrence or
    unwanted event that could injure the AIS or the
    organization.
  • The exposure is the potential dollar loss that
    would occur if the threat becomes a reality.
  • The risk is the probability that the threat will
    occur.

3
AIS Threats Increasing
  • Control risks have increased in the last few
    years
  • Proliferation of computers and servers
  • Distributed computer networks make data available
    to many users
  • Wide area networks give customers and suppliers
    access to each other's systems and data
  • Organizations do not adequately protect their
    data
  • Computer control problems are underestimated
  • Failure to understand control implications of
    moving from centralized systems to a networked
    system or Internet-based system
  • Failure to recognize that data is a strategic
    resource and that data security must be a
    strategic requirement
  • Productivity and cost pressures

4
Control Concepts
  • Internal control is the process implemented by
    the board of directors, management, and those
    under their direction to provide reasonable
    assurance that the following control objectives
    are achieved
  • Assets (including data) are safeguarded.
  • Records are maintained in sufficient detail to
    accurately and fairly reflect company assets.
  • Accurate and reliable information is provided.
  • There is reasonable assurance that financial
    reports are prepared in accordance with GAAP.
  • Operational efficiency is promoted and improved.
  • Adherence to prescribed managerial policies is
    encouraged.
  • The organization complies with applicable laws
    and regulations.

5
Internal Control Functions
  • Internal controls perform three important
    functions
  • Preventive controls
  • Detective controls
  • Corrective controls

6
Classification of Controls
  • Internal controls are often classified as
  • General controls
  • Application controls

7
SOX and the Foreign Corrupt Practices Act
  • 1977 Foreign Corrupt Practices Act
  • all publicly traded corporations subject to the SEC
    are required to keep records that accurately and
    fairly represent transactions and assets in
    reasonable detail
  • internal control system must assure
  • transactions are authorized
  • transactions are recorded in conformity with GAAP
    and to maintain accountability
  • authorized access to assets
  • accountability for assets

8
SOX and the Foreign Corrupt Practices Act
  • The intent of SOX is to
  • Prevent financial statement fraud
  • Make financial reports more transparent
  • Protect investors
  • Strengthen internal controls in publicly-held
    companies
  • Punish executives who perpetrate fraud

9
SOX and the Foreign Corrupt Practices Act
  • Important aspects of SOX include
  • Creation of the Public Company Accounting
    Oversight Board (PCAOB) to oversee the auditing
    profession.
  • New rules for auditors
  • New rules for audit committees
  • New rules for management
  • New internal control requirements

10
SOX and the Foreign Corrupt Practices Act
  • After SOX, the SEC further mandated that
  • Management must base its evaluation on a
    recognized control framework, developed using a
    due-process procedure that allows for public
    comment.
  • The report must contain a statement identifying
    the framework used.
  • Management must disclose any and all material
    internal control weaknesses.
  • Management cannot conclude that the company has
    effective internal control if there are any
    material weaknesses.

11
Internal Control Frameworks
  • The COBIT framework
  • The COSO internal control framework
  • COSO's Enterprise Risk Management framework (ERM)

12
COBIT Framework
  • Control Objectives for Information and Related
    Technology
  • Developed by the Information Systems Audit and
    Control Foundation (ISACF)

13
COBIT Framework
  • Allows
  • Management to benchmark security and control
    practices
  • Users to be assured that adequate security and
    control exists
  • Auditors to substantiate their opinions on
    internal control

14
Control Frameworks
  • The framework addresses the issue of control from
    three vantage points
  • Business objectives
  • IT resources
  • IT processes

15
COSO's Internal Control Framework
  • COSO's Internal Control Framework
  • The Committee of Sponsoring Organizations (COSO)
    is a private sector group consisting of
  • The American Accounting Association
  • The AICPA
  • The Institute of Internal Auditors
  • The Institute of Management Accountants
  • The Financial Executives Institute

16
COSO's Internal Control Framework
  • Control environment
  • Control activities
  • Risk assessment
  • Information and communication
  • Monitoring

17
COSO's Enterprise Risk Management Framework
  • Risk management is
  • A process applied in strategy setting to identify
    potential events that may affect the entity and
    manage risk in order to provide reasonable
    assurance of the achievement of entity objectives.

18
COSO's Enterprise Risk Management Framework
  • Basic principles behind ERM
  • Companies are formed to create value for owners.
  • Management must decide how much uncertainty they
    will accept.
  • Uncertainty can result in
  • Risk
  • Opportunity

19
COSO's Enterprise Risk Management Framework
[Figure: ERM cube; axis labels: Objectives, Risk/Control Components, Units]
20
Internal Environment
  • Consists of the following
  • Management's philosophy, operating style, and
    risk appetite
  • The board of directors
  • Commitment to integrity, ethical values, and
    competence
  • Organizational structure
  • Methods of assigning authority and responsibility
  • Human resource standards
  • External influences

21
Internal Environment
  • Assessment of management's philosophy and
    operating style
  • Does management take undue business risks or
    assess potential risks and rewards before acting?
  • Does management attempt to manipulate performance
    measures such as net income?
  • Does management pressure employees to achieve
    results regardless of methods or do they demand
    ethical behavior?

22
Internal Environment
  • The Board of Directors
  • They should
  • Oversee management
  • Scrutinize management's plans, performance, and
    activities
  • Approve company strategy
  • Review financial results
  • Annually review the company's security policy
  • Interact with internal and external auditors

23
Internal Environment
  • The audit committee oversees
  • The company's internal control structure
  • Its financial reporting process
  • Its compliance with laws, regulations, and
    standards.
  • Works with the corporation's external and
    internal auditors.
  • Hires, compensates, and oversees the auditors.

24
Internal Environment
  • Important aspects of organizational structure
  • Degree of centralization or decentralization.
  • Assignment of responsibility for specific tasks.
  • Direct-reporting relationships or matrix
    structure
  • Organization by industry, product, geographic
    location, marketing network
  • How the responsibility allocation affects
    management's information needs
  • Organization of accounting and IS functions
  • Size and nature of company activities

25
Internal Environment
  • Authority and responsibility are assigned
    through
  • Formal job descriptions
  • Employee training
  • Operating plans, schedules, and budgets
  • Codes of conduct
  • Written policies and procedures manuals, which
    cover
  • Proper business practices
  • Knowledge and experience needed by key personnel
  • Resources provided to carry out duties
  • Policies and procedures for handling particular
    transactions
  • The organization's chart of accounts
  • Sample copies of forms and documents

26
Internal Environment
  • Human Resources Standards
  • Employees are both the company's greatest control
    strength and the greatest control weakness.
  • Organizations can implement human resource
    policies and practices with respect to hiring,
    training, compensating, evaluating, counseling,
    promoting, and discharging employees that send
    messages about the level of competence and
    ethical behavior required.
  • Policies on working conditions, incentives, and
    career advancement can powerfully encourage
    efficiency and loyalty and reduce the
    organization's vulnerability.

27
Internal Environment
  • Human resource policies and procedures are
    important
  • Hiring
  • Compensating
  • Training
  • Evaluating and promoting
  • Discharging
  • Managing disgruntled employees
  • Vacations and rotation of duties
  • Confidentiality insurance and fidelity bonds

28
Internal Environment
  • External influences
  • FASB
  • PCAOB
  • SEC
  • Insurance commissions
  • Regulatory agencies for banks, utilities, etc.

29
Objective Setting
  • The objectives
  • Need to be easy to understand and measure.
  • Should be prioritized.
  • Should be aligned with the company's risk
    appetite.

30
Objective Setting
  • For each set of objectives
  • Critical success factors must be defined
  • Performance measures should be established to
    determine whether the objectives are met

31
Objective Setting
  • Objective-setting process proceeds as follows
  • First, set strategic objectives, the high-level
    goals that support the company's mission and
    create value for shareholders.
  • To meet these objectives, identify alternative
    ways of accomplishing them.
  • For each alternative, identify and assess risks
    and implications.
  • Formulate a corporate strategy.
  • Then set operations, compliance, and reporting
    objectives.

32
Objective Setting
  • Operations objectives
  • Are a product of management preferences,
    judgments, and style
  • Vary significantly among entities
  • Are influenced by and must be relevant to the
    industry, economic conditions, and competitive
    pressures
  • Give clear direction for resource allocation
  • Compliance and reporting objectives
  • Many are imposed by external entities
  • A company's reputation can be impacted
    significantly by the quality of its compliance

33
Event Identification
  • Events are
  • Incidents or occurrences that emanate from
    internal or external sources
  • That affect implementation of strategy or
    achievement of objectives.
  • Impact can be positive, negative, or both.
  • Events can range from obvious to obscure.
  • Effects can range from inconsequential to highly
    significant.

34
Event Identification
  • External factors
  • Economic factors
  • Natural environment
  • Political factors
  • Social factors
  • Technological factors

35
Event Identification
  • Internal factors
  • Infrastructure
  • Personnel
  • Process
  • Technology

36
Event Identification
  • Techniques to identify events
  • Use comprehensive lists of potential events
  • Perform an internal analysis
  • Monitor leading events and trigger points
  • Conduct workshops and interviews
  • Perform data mining and analysis
  • Analyze processes

37
Risk Assessment and Risk Response
  • COSO indicates there are two types of risk
  • Inherent risk
  • Residual risk

38
Risk Assessment and Risk Response
  • Companies should
  • Assess inherent risk
  • Develop a response
  • Then assess residual risk
  • The ERM model indicates four ways to respond to
    risk
  • Reduce it
  • Accept it
  • Share it
  • Avoid it

39
Risk Assessment and Risk Response
  • Identify the events or threats that confront the
    company
  • Estimate the likelihood or probability of each
    event occurring
  • Estimate the impact of potential loss from each
    threat
  • Identify the set of controls to guard against the
    threat
  • Estimate the costs and benefits of instituting the
    controls
  • Is it cost-beneficial to protect the system?
  • No: avoid, share, or accept the risk
  • Yes: reduce the risk by implementing the set of
    controls to guard against the threat
40
Risk Assessment and Risk Response
  • Let's go through an example
  • Hobby Hole is trying to decide whether to install
    a motion detector system in its warehouse to
    reduce the probability of a catastrophic theft.
  • A catastrophic theft could result in losses of
    $800,000.
  • Local crime statistics suggest that the
    probability of a catastrophic theft at Hobby Hole
    is 12%.
  • Companies with motion detectors only have about a
    0.5% probability of catastrophic theft.
  • The present value of purchasing and installing a
    motion detector system and paying future security
    costs is estimated to be about $43,000.
  • Should Hobby Hole install the motion detectors?
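The cost-benefit step of the risk assessment flowchart, applied to the Hobby Hole figures above, as an added Python example that is not part of the slides. Function and field names are this example's own, and best_control goes beyond the slide by ranking several candidate controls.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not from the slides: expected loss = exposure (dollar loss)
# x risk (probability), and the flowchart's "is it cost-beneficial?" decision.


@dataclass(frozen=True)
class ControlEvaluation:
    expected_loss_before: float  # exposure x risk without the control
    expected_loss_after: float   # exposure x risk with the control
    benefit: float               # reduction in expected loss
    cost: float                  # present value of the control
    net_benefit: float           # benefit minus cost
    response: str                # "reduce" or "avoid, share, or accept"


def expected_loss(exposure: float, risk: float) -> float:
    """Expected loss for one threat; rejects inputs that cannot be a probability."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError(f"risk must be a probability in [0, 1], got {risk}")
    if exposure < 0:
        raise ValueError("exposure cannot be negative")
    return exposure * risk


def evaluate_control(exposure: float, risk_without: float,
                     risk_with: float, cost: float) -> ControlEvaluation:
    """Decide between 'reduce' (install the control) and the other responses."""
    before = expected_loss(exposure, risk_without)
    after = expected_loss(exposure, risk_with)
    benefit = before - after
    net = benefit - cost
    # The flowchart's decision box: only a positive net benefit justifies
    # the spend; otherwise the risk is avoided, shared, or accepted.
    response = "reduce" if net > 0 else "avoid, share, or accept"
    return ControlEvaluation(before, after, benefit, cost, net, response)


def best_control(exposure: float, risk_without: float,
                 candidates: Dict[str, Tuple[float, float]]) -> Optional[str]:
    """Beyond the slide: pick the candidate with the highest positive net benefit.
    candidates maps control name -> (risk_with, cost). None if none pays off."""
    evaluated = {name: evaluate_control(exposure, risk_without, r, c)
                 for name, (r, c) in candidates.items()}
    worthwhile = {n: e for n, e in evaluated.items() if e.response == "reduce"}
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda n: worthwhile[n].net_benefit)


# Slide figures: $800,000 loss, 12% theft probability, 0.5% with detectors,
# $43,000 present value of the detector system.
HOBBY_HOLE = evaluate_control(exposure=800_000, risk_without=0.12,
                              risk_with=0.005, cost=43_000)

if __name__ == "__main__":
    e = HOBBY_HOLE
    print(f"expected loss without detectors: ${e.expected_loss_before:,.0f}")
    print(f"expected loss with detectors:    ${e.expected_loss_after:,.0f}")
    print(f"benefit ${e.benefit:,.0f} - cost ${e.cost:,.0f} = net ${e.net_benefit:,.0f}")
    print(f"response: {e.response}")
```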

41
Control Activities
  • Control activities are policies, procedures, and
    rules that provide reasonable assurance that
    management's control objectives are met and their
    risk responses are carried out.
  • Management's responsibility to develop a secure
    and adequately controlled system
  • Management must also establish a set of
    procedures to ensure control compliance and
    enforcement

42
Control Activities
  • Categories
  • Proper authorization of transactions and
    activities
  • Segregation of duties
  • Project development and acquisition controls
  • Change management controls
  • Design and use of documents and records
  • Safeguard assets, records, and data
  • Independent checks on performance

43
Control Activities
  • Segregation of Accounting Duties
  • Effective segregation of accounting duties is
    achieved when the following functions are
    separated
  • Authorization: approving transactions and
    decisions.
  • Recording: preparing source documents; maintaining
    journals, ledgers, or other files; preparing
    reconciliations; and preparing performance
    reports.
  • Custody: handling cash, maintaining an inventory
    storeroom, receiving incoming customer checks,
    writing checks on the organization's bank account.

44
Control Activities
  • RECORDING FUNCTIONS
  • Preparing source documents
  • Maintaining journals, ledgers, or other files
  • Preparing reconciliations
  • Preparing performance reports
  • CUSTODIAL FUNCTIONS
  • Handling cash
  • Handling inventories, tools, or fixed assets
  • Writing checks
  • Receiving checks in mail
  • AUTHORIZATION FUNCTIONS
  • Authorization of transactions
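A segregation-of-duties check built on the three function classes listed on the two slides above, as an added Python example that is not part of the slides. It flags any employee whose assigned duties span more than one class; the function keys and the employee assignments are constructed for this example.

```python
from typing import Dict, Iterable, List

# Added example, not from the slides. Each duty is mapped to one of the
# three classes the slides list; an employee holding duties from two or
# more classes is a segregation-of-duties conflict.
FUNCTION_CLASS: Dict[str, str] = {
    # authorization functions
    "authorize_transactions": "authorization",
    # recording functions
    "prepare_source_documents": "recording",
    "maintain_journals_and_ledgers": "recording",
    "prepare_reconciliations": "recording",
    "prepare_performance_reports": "recording",
    # custodial functions
    "handle_cash": "custody",
    "handle_inventory_tools_fixed_assets": "custody",
    "write_checks": "custody",
    "receive_checks_in_mail": "custody",
}


def functions_by_class(functions: Iterable[str]) -> Dict[str, List[str]]:
    """Group one employee's duties by control class. Unknown duty names are
    rejected so an unmapped duty cannot silently pass the check."""
    grouped: Dict[str, List[str]] = {}
    for f in functions:
        if f not in FUNCTION_CLASS:
            raise ValueError(f"unclassified function: {f}")
        grouped.setdefault(FUNCTION_CLASS[f], []).append(f)
    return grouped


def sod_conflicts(assignments: Dict[str, Iterable[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Return {employee: {class: [duties]}} for every employee whose duties
    span two or more classes. An empty dict means duties are segregated."""
    conflicts: Dict[str, Dict[str, List[str]]] = {}
    for employee, functions in assignments.items():
        grouped = functions_by_class(functions)
        if len(grouped) > 1:
            conflicts[employee] = grouped
    return conflicts


# Constructed sample assignments (not real people or roles)
SAMPLE_ASSIGNMENTS = {
    "alex": ["authorize_transactions", "maintain_journals_and_ledgers"],  # authorization + recording
    "pat": ["handle_cash", "prepare_reconciliations"],                    # custody + recording
    "sam": ["write_checks", "handle_inventory_tools_fixed_assets"],      # custody only
    "kim": ["authorize_transactions"],                                     # authorization only
}

if __name__ == "__main__":
    for employee, grouped in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{employee}: holds {' + '.join(sorted(grouped))}: {grouped}")
```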

45
Control Activities
  • Employee/vendor collusions include
  • Billing at inflated prices
  • Performing substandard work and receiving full
    payment
  • Payment for non-performance
  • Duplicate billings
  • Improperly funneling more work to or purchasing
    more goods from a colluding company
  • Employee/customer collusions include
  • Unauthorized loans or insurance payments
  • Receipt of assets or services at unauthorized
    discount prices
  • Forgiveness of amounts owed
  • Unauthorized extension of due dates

46
Control Activities
  • Segregation of Duties Within the Systems Function
  • Systems administration
  • Network management
  • Security management
  • Change management
  • Users
  • Systems analysts
  • Programming
  • Computer operations
  • Information systems library
  • Data control

47
Control Activities
  • Project Development and Acquisition Controls
  • Should contain appropriate controls for
  • Management review and approval
  • User involvement
  • Analysis
  • Design
  • Testing
  • Implementation
  • Conversion

48
Control Activities
  • Basic principles of control for systems
    development process
  • Strategic master plan
  • Project controls
  • Data processing schedule
  • Steering committee
  • System performance measurements
  • Post-implementation review

49
Control Activities
  • Change Management Controls
  • Change management is the process of making sure
    that the changes do not negatively affect
  • Systems reliability
  • Security
  • Confidentiality
  • Integrity
  • Availability

50
Control Activities
  • Design and Use of Adequate Documents and Records
  • Form and content should be kept as simple as
    possible to
  • Promote efficient record keeping
  • Minimize recording errors
  • Facilitate review and verification
  • Documents that initiate a transaction should
    contain a space for authorization.
  • Those used to transfer assets should have a space
    for the receiving party's signature.

51
Control Activities
  • Safeguard Assets, Records, and Data
  • Maintain accurate records of all assets
  • Periodically reconcile recorded amounts to
    physical counts.
  • Restrict access to assets
  • Protect records and documents

52
Control Activities
  • Independent checks on performance
  • Top-level reviews
  • Analytical reviews
  • Reconciliation of independently maintained sets
    of records
  • Comparison of actual quantities with recorded
    amounts
  • Double-entry accounting
  • Independent review

53
Information and Communication
  • The primary purpose of the AIS is to gather,
    record, process, store, summarize, and
    communicate information about an organization.
  • So accountants must understand how
  • Transactions are initiated
  • Data are captured in or converted to
    machine-readable form
  • Computer files are accessed and updated
  • Data are processed
  • Information is reported to internal and external
    parties

54
Information and Communication
  • According to the AICPA, an AIS has five primary
    objectives
  • Identify and record all valid transactions.
  • Properly classify transactions.
  • Record transactions at their proper monetary
    value.
  • Record transactions in the proper accounting
    period.
  • Properly present transactions and related
    disclosures in the financial statements.

55
Monitoring
  • Monitoring can be accomplished with a series of
    ongoing events or by separate evaluations.

56
Monitoring
  • Key methods of monitoring performance include
  • Perform ERM evaluation
  • Implement effective supervision
  • Use responsibility accounting
  • Monitor system activities
  • Track purchased software
  • Conduct periodic audits
  • Employ a computer security officer and security
    consultants
  • Engage forensic specialists
  • Install fraud detection software
  • Implement a fraud hotline

57
Monitoring
  • Internal auditing involves
  • Reviewing the reliability and integrity of
    financial and operating information.
  • Providing an appraisal of internal control
    effectiveness.
  • Assessing employee compliance with management
    policies and procedures and applicable laws and
    regulations.
  • Evaluating the efficiency and effectiveness of
    management.

58
Monitoring
  • Internal audits can detect
  • Excess overtime
  • Under-used assets
  • Obsolete inventory
  • Padded expense reimbursements
  • Excessively loose budgets and quotas
  • Poorly justified capital expenditures
  • Production bottlenecks

59
ERM vs. Internal Control Framework
  • Internal control framework has been widely
    adopted as principal way to evaluate internal
    controls
  • Too narrow a focus
  • Inherent bias toward past problems and concerns
  • ERM framework
  • Risk-based approach
  • Oriented toward future and constant change
  • Incorporates internal control framework plus
    three additional elements
  • Setting objectives.
  • Identifying positive and negative events that may
    affect the company's ability to implement
    strategy and achieve objectives.
  • Developing a response to assessed risk.

60
Summary
  • We have
  • Defined internal control concepts
  • Discussed the importance of computer control and
    security
  • Compared and contrasted the COBIT, COSO, and ERM
    control frameworks
  • Described the major elements in the internal
    control environment of a company
  • Defined the four types of control objectives that
    companies need to set
  • Determined how to identify the events that
    affect uncertainty
  • Explored how the Enterprise Risk Management model
    is used to assess and respond to risk
  • Identified the control activities that are
    commonly used in companies
  • Described how organizations communicate
    information and monitor control processes.