Chapter 7

Control and AIS


Copyright 2012 Pearson Education

Learning Objectives

Explain basic control concepts and explain why computer control and security
are important.

Compare and contrast the COBIT, COSO, and ERM control frameworks.

Describe the major elements in the internal environment of a company.

Describe the four types of control objectives that companies need to set.

Describe the events that affect uncertainty and the techniques used to identify
them.

Explain how to assess and respond to risk using the Enterprise Risk
Management (ERM) model.

Describe control activities commonly used in companies.

Describe how to communicate information and monitor control processes in
organizations.


Internal Control
System to provide reasonable assurance that
objectives are met such as:

Safeguard assets.

Maintain records in sufficient detail to report company
assets accurately and fairly.

Provide accurate and reliable information.

Prepare financial reports in accordance with established
criteria.

Promote and improve operational efficiency.

Encourage adherence to prescribed managerial policies.

Comply with applicable laws and regulations.


Internal Control

Functions
  Preventive: deter problems
  Detective: discover problems
  Corrective: correct problems

Categories
  General: overall IC system and processes
  Application: transactions are processed correctly

Sarbanes-Oxley (2002)


Designed to prevent financial statement fraud, make
financial reports more transparent, protect investors,
strengthen internal controls, and punish executives
who perpetrate fraud

Public Company Accounting Oversight Board (PCAOB)


Oversight of auditing profession

New Auditing Rules


Partners must rotate periodically
Prohibited from performing certain non-audit services


Sarbanes-Oxley (2002)

New Roles for Audit Committee


Be part of board of directors and be independent
One member must be a financial expert

Oversees external auditors

New Rules for Management


Financial statements and disclosures are fairly
presented, were reviewed by management, and are not
misleading.
The auditors were told about all material internal
control weaknesses and fraud.

New Internal Control Requirements


Management is responsible for establishing and
maintaining an adequate internal control system.


SOX Management Rules


Base evaluation of internal control on a recognized
framework.
Disclose all material internal control weaknesses.
Conclude that a company does not have effective financial
reporting internal controls if there are material weaknesses.


Internal Control Frameworks


Control Objectives for Information and Related
Technology (COBIT)

Business objectives
IT resources
IT processes

Committee of Sponsoring Organizations (COSO)

Internal Control: Integrated Framework


Control environment
Control activities
Risk assessment
Information and communication
Monitoring


Internal Control
Enterprise Risk Management Model

Risk-based vs. control-based


COSO elements +

Setting objectives

Event identification

Risk assessment
Risk can be controlled, but it can also be:
  Accepted
  Diversified
  Shared
  Transferred


Control Environment
Management's philosophy, operating style, and risk
appetite
The board of directors
Commitment to integrity, ethical values, and
competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences


ERM: Objective Setting
Strategic

High-level goals aligned with corporate mission

Operational

Effectiveness and efficiency of operations

Reporting

Complete and reliable

Improve decision making

Compliance

Laws and regulations are followed


ERM: Event Identification
Event: an incident or occurrence emanating from internal
or external sources that affects implementation of
strategy or achievement of objectives.

Positive or negative impacts (or both)

Events may trigger other events

All events should be anticipated


Risk Assessment
Identify Risk

Identify likelihood of risk

Identify positive or negative impact

Types of Risk

Inherent
Risk that exists before any plans are made to control it

Residual
Remaining risk after controls are in place to reduce it


ERM: Risk Response
Reduce

Implement effective internal control

Accept

Do nothing, accept likelihood of risk

Share

Buy insurance, outsource, hedge

Avoid

Do not engage in activity that produces risk


Event/Risk/Response Model


Control Activities
Policies and procedures to provide reasonable
assurance that control objectives are met:

Proper authorization of transactions and activities
  Signature or code on a document to signal authority
  over a process

Segregation of duties

Project development and acquisition controls

Change management controls

Design and use of documents and records

Safeguarding assets, records, and data

Independent checks on performance


Segregation of Accounting Duties

No one employee should be given too much responsibility

Separate:

Authorization
Approving transactions and decisions
Recording
Preparing source documents
Entering data into an AIS
Maintaining accounting records
Custody
Handling cash, inventory, fixed assets
Receiving incoming checks
Writing checks


Information and Communication


Primary purpose of an AIS

Gather

Record

Process

Summarize

Communicate


Monitoring

Evaluate internal control framework.

Effective supervision.

Responsibility accounting system.

Monitor system activities.

Track purchased software and mobile devices.

Conduct periodic audits.

Employ a security officer and compliance officer.

Engage forensic specialists.

Install fraud detection software.

Implement a fraud hotline.


Segregation of System Duties


Like accounting duties, system duties should also be
separated. These duties include:

System administration
Network management
Security management
Change management
Users
Systems analysts
Programmers
Computer operators
Information system librarian
Data control
