CONTROL AND ACCOUNTING INFORMATION SYSTEMS
Lecture 8

Learning Objectives
Explain basic control concepts and explain why computer control and security are important.
Compare and contrast the COBIT, COSO, and ERM control frameworks.
Describe the major elements in the internal environment of a company.
Describe the four types of control objectives that companies need to set.
Describe the events that affect uncertainty and the techniques used to identify them.

Learning Objectives
Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.
Describe control activities commonly used in companies.
Describe how to communicate information and monitor control processes in organizations.

Internal Control
System to provide reasonable assurance that objectives are met, such as:
Safeguard assets.
Maintain records in sufficient detail to report company assets accurately and fairly.
Provide accurate and reliable information.
Prepare financial reports in accordance with established criteria.
Promote and improve operational efficiency.
Encourage adherence to prescribed managerial policies.
Comply with applicable laws and regulations.

Internal Control
Functions:
Preventive: deter problems
Detective: discover problems
Corrective: correct problems

Categories:
General: overall IC system and processes
Application: transactions are processed correctly

Sarbanes-Oxley (2002)
Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
New Auditing Rules
Partners must rotate periodically
Prohibited from performing certain non-audit services

New Roles for Audit Committee
One member must be a financial expert
Oversees external auditors

New Rules for Management
Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
The auditors were told about all material internal control weaknesses and fraud.
New Internal Control Requirements
Management is responsible for establishing and maintaining an adequate internal control system.

SOX Management Rules
Base evaluation of internal control on a recognized framework.
Disclose all material internal control weaknesses.

Internal Control Frameworks
Control Objectives for Information and Related Technology (COBIT)
Business objectives
IT resources
IT processes

Committee of Sponsoring Organizations (COSO)
Internal Control: Integrated Framework
Control environment
Control activities
Risk assessment
Information and communication
Monitoring

Internal Control
Enterprise Risk Management Model
Risk-based vs. control-based
COSO elements +
Setting objectives
Event identification
Risk assessment
Risk can be controlled, but also:
Accepted
Diversified
Shared
Transferred

Control Environment
Management's philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences

ERM: Objective Setting
Strategic
High-level goals aligned with corporate mission
Operational
Effectiveness and efficiency of operations
Reporting
Complete and reliable
Improve decision making
Compliance
Laws and regulations are followed

ERM: Event Identification
An incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.
Positive or negative impacts (or both)
Events may trigger other events
All events should be anticipated

Risk Assessment
Identify Risk
Identify likelihood of risk
Identify positive or negative impact
Types of Risk
Inherent
Risk that exists before any plans are made to control it

Residual
Remaining risk after controls are in place to reduce it

ERM: Risk Response
Reduce
Implement effective internal control
Accept
Do nothing, accept likelihood of risk
Share
Buy insurance, outsource, hedge
Avoid
Do not engage in activity that produces risk

Event/Risk/Response Model

Control Activities
Policies and procedures to provide reasonable assurance that control objectives are met:
Proper authorization of transactions and activities
Signature or code on document to signal authority over a process
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance

Segregation of Accounting Duties
No one employee should be given too much responsibility
Separate:
Authorization
Approving transactions and decisions
Recording
Preparing source documents
Entering data into an AIS
Maintaining accounting records
Custody
Handling cash, inventory, fixed assets
Receiving incoming checks
Writing checks

Segregation of System Duties
Like accounting duties, system duties should also be separated
These duties include:
System administration
Network management
Security management
Change management
Users
Systems analysts
Programmers
Computer operators
Information system librarian
Data control
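The two segregation-of-duties slides above describe a check an auditor or access-review tool performs over role assignments. The following is an added example, not part of the lecture deck: it encodes the deck's authorization/recording/custody rule and a set of system-duty pairings (those pairings, the duty names, the users, and the sample assignments are assumptions constructed for illustration) and reports every user who holds a conflicting pair.

```python
"""Segregation-of-duties (SoD) conflict checker (added example, not from the deck)."""
from itertools import combinations

# The three accounting duties the deck says must be held by different people.
ACCOUNTING_CONFLICTS = {
    frozenset({"authorization", "recording"}),
    frozenset({"authorization", "custody"}),
    frozenset({"recording", "custody"}),
}

# System-duty pairings that should not sit with one person. The deck lists the
# duties; these specific pairings are an assumption made for this example.
SYSTEM_CONFLICTS = {
    frozenset({"programmer", "computer_operator"}),
    frozenset({"programmer", "change_management"}),
    frozenset({"system_administration", "security_management"}),
    frozenset({"user", "programmer"}),
}

CONFLICT_PAIRS = ACCOUNTING_CONFLICTS | SYSTEM_CONFLICTS


def find_conflicts(assignments):
    """Map each user to the list of conflicting duty pairs they hold.

    `assignments` maps user -> set of duties. Users with no conflict are omitted,
    so an empty dict means the assignment passes the SoD check.
    """
    findings = {}
    for user, duties in assignments.items():
        hits = [(a, b) for a, b in combinations(sorted(duties), 2)
                if frozenset({a, b}) in CONFLICT_PAIRS]
        if hits:
            findings[user] = hits
    return findings


# Constructed sample role assignments (not from the deck).
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorization"},                    # approves purchases only
    "bob": {"recording", "custody"},               # records invoices and writes checks
    "carol": {"programmer", "computer_operator"},  # can both change and run code
    "dave": {"network_management"},
}

if __name__ == "__main__":
    for user, pairs in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: conflicting duties {pairs}")
```

Running it flags bob (recording plus custody) and carol (programmer plus operator) while alice and dave pass; a real review would feed it the export of an identity or ERP role table instead of the constructed sample.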

Information and Communication
The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization
So accountants must understand how:
Transactions are initiated
Data are captured in or converted to machine-readable form
Computer files are accessed and updated
Data are processed
Information is reported to internal and external parties

Monitoring
Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

Key Methods
Evaluate internal control framework.
Effective supervision.
Responsibility accounting system.
Monitor system activities.
Track purchased software and mobile devices.
Conduct periodic audits.
Employ a security officer and compliance officer.
Engage forensic specialists.
Install fraud detection software.
Implement a fraud hotline.
