
Chapter V.

Control and Accounting Information Systems

Learning Objective 1

• Explain basic control concepts and why computer control and security are important.

• Compare and contrast the COBIT, COSO, and ERM control frameworks.

• Describe the major elements in the internal environment of a company.

• Describe the four types of control objectives that companies need to set.

• Describe the events that affect uncertainty and the techniques used to identify them.

• Explain how to assess and respond to risk using the Enterprise Risk Management model.

• Describe control activities commonly used in companies.

• Describe how to communicate information and monitor control processes in organizations.

(Based on Romney Books)

Learning Objective 2

1. Describe general approaches to analyzing vulnerabilities and threats in information systems.


2. Identify active and passive threats to information systems.

(Based on Bodnar Books)

A. Overview
The term information security involves protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction in order to
provide –
a. Confidentiality: preserving authorized restrictions on access and disclosure.
b. Integrity: guarding against improper information modification or destruction.
c. Availability: ensuring timely and reliable access.
The information security management system (ISMS) is an organizational internal control
process that controls the special risks associated with information within the organization.
1. The ISMS has the basic elements of any information system, such as
hardware, databases, procedures, and reports.
2. The ISMS is part of the larger enterprise risk management (ERM)
process by which management balances risk versus opportunities.
(Based on Bodnar)
B. Information Security in the Organization
The information security system must be managed by a chief security officer (CSO).
a. This individual should report directly to the board of directors in order to maintain
complete independence.
b. A primary duty of the CSO is to present reports to the BOD for approval covering
each phase of the life cycle:

Life-Cycle Phase                                Report to BOD
Systems Analysis                                Summary of all relevant loss exposures
Systems Design                                  Detailed plans for controlling and managing losses
Systems Implementation;                         Specifics on security system performance,
Systems Operation, Evaluation, and Control      including an itemization of losses and security
                                                breaches, analysis of compliance, and costs of
                                                operating the security system

Table 1. The Security System Organization

C. Why Controls Are Needed
1. Any potential adverse occurrence or unwanted event that could be injurious to either
the accounting information system or the organization is referred to as a threat or an
event.
2. The potential dollar loss should a particular threat become a reality is referred to as the
exposure or impact of the threat.
3. The probability that the threat will happen is the likelihood associated with the threat.
D. Primary Objective of An AIS
a. Is to control the organization so the organization can achieve its objectives
b. Management expects accountants to:
i. Take a proactive approach to eliminating system threats.
ii. Detect, correct, and recover from threats when they occur.
E. Internal Control
a. Processes implemented to provide assurance that the following objectives are
achieved:
i. Safeguard assets
ii. Maintain sufficient records
iii. Provide accurate and reliable information
iv. Prepare financial reports according to established criteria
v. Promote and improve operational efficiency
vi. Encourage adherence with management policies
vii. Comply with laws and regulations
F. Function of Internal Control
a. Preventive controls
i. Deter problems from occurring
b. Detective controls
i. Discover problems that are not prevented
c. Corrective controls
i. Identify and correct problems, and recover from their effects
G. Control Frameworks
a. COBIT
i. Framework for IT control
1. Current framework version is COBIT 5
2. Based on the following principles:
a. Meeting stakeholder needs
b. Covering the enterprise end-to-end
c. Applying a single, integrated framework
d. Enabling a holistic approach
e. Separating governance from management

Picture 14. COBIT 5 Separates Governance from Management

b. COSO
i. Framework for enterprise internal controls (control-based approach)
ii. Components of the COSO framework
1. Control (internal) environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

c. COSO-ERM
i. Expands COSO framework taking a risk-based approach
ii. Components of the COSO-ERM framework
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring
H. Internal Environment
a. Management’s philosophy, operating style, and risk appetite
b. Commitment to integrity, ethical values, and competence
c. Internal control oversight by Board of Directors
d. Organizational structure
e. Methods of assigning authority and responsibility
f. Human resource standards
I. Objective Setting
a. Strategic objectives
i. High-level goals
b. Operations objectives
i. Effectiveness and efficiency of operations
c. Reporting objectives
i. Improve decision making and monitor performance
d. Compliance objectives
i. Compliance with applicable laws and regulations

J. Event Identification
Identifying incidents, both external and internal to the organization, that could affect
the achievement of the organization's objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
K. Risk Response
a. Reduce
i. Implement effective internal control
b. Accept
i. Do nothing; accept the likelihood and impact of the risk
c. Share
i. Buy insurance, outsource, or hedge
d. Avoid
i. Do not engage in the activity
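The definitions in section C (threat, exposure/impact, likelihood) and the four responses in section K can be worked through on a small risk register. The example below is added here and is not from the notes or either textbook; the dollar figures are constructed, and the decision rule (reduce when the control's benefit covers its cost, accept when the expected loss sits within a stated risk appetite, share when insurance is cheaper than the expected loss, otherwise avoid) is an assumed simplification of the ERM process.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Threat:
    name: str
    likelihood: float           # probability of occurrence per year (0..1)
    impact: float               # exposure: dollar loss if the threat materialises

@dataclass
class ControlOption:
    cost: float                 # annual cost of the proposed control
    residual_likelihood: float  # likelihood remaining once the control is in place
    insurance_premium: Optional[float] = None  # annual premium if the risk can be shared

def expected_loss(likelihood: float, impact: float) -> float:
    """Risk assessment: expected annual loss = likelihood x impact."""
    return likelihood * impact

def choose_response(t: Threat, opt: ControlOption, risk_appetite: float) -> dict:
    """Map one threat to a COSO-ERM response: reduce, accept, share or avoid.
    The ordering of the rules is an assumption made for this example."""
    before = expected_loss(t.likelihood, t.impact)
    after = expected_loss(opt.residual_likelihood, t.impact)
    benefit = before - after          # reduction in expected loss the control buys
    if benefit >= opt.cost:
        response = "reduce"           # implement the control: it pays for itself
    elif before <= risk_appetite:
        response = "accept"           # loss is small enough to live with
    elif opt.insurance_premium is not None and opt.insurance_premium < before:
        response = "share"            # transfer via insurance / outsourcing / hedge
    else:
        response = "avoid"            # do not engage in the activity
    return {"threat": t.name, "expected_loss": before,
            "control_benefit": benefit, "response": response}

# Constructed sample register: hypothetical figures, not taken from the notes
REGISTER = [
    (Threat("Ransomware on the AIS server", 0.10, 500_000), ControlOption(20_000, 0.02)),
    (Threat("Laptop theft", 0.30, 2_000), ControlOption(5_000, 0.10)),
    (Threat("Data-centre flood", 0.01, 3_000_000),
     ControlOption(400_000, 0.002, insurance_premium=20_000)),
    (Threat("Unvetted payment channel", 0.50, 200_000), ControlOption(150_000, 0.10)),
]

def assess_register(register=REGISTER, risk_appetite: float = 10_000) -> list:
    """Run the response decision over every threat in the register."""
    return [choose_response(t, opt, risk_appetite) for t, opt in register]

if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['threat']:<30} EL=${row['expected_loss']:>10,.0f} -> {row['response']}")
```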
L. Control Activities
a. Proper authorization of transactions and activities
b. Segregation of duties
c. Project development and acquisition controls
d. Change management controls
e. Design and use of documents and records
f. Safeguarding assets, records, and data
g. Independent checks on performance

Picture 15. Segregation of Duties
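Segregation of duties (item b above) is usually verified against an access snapshot rather than on paper. The example below is added here, not from the notes; it assumes the classic three-way split of duties (authorization, recording, custody of assets), and the duty catalogue, role definitions and user assignments are constructed to illustrate the check.

```python
from collections import defaultdict

# Assumed classification of each duty into one of the three incompatible classes.
DUTY_CLASS = {
    "approve_purchase_order": "authorization",
    "maintain_vendor_master": "authorization",
    "enter_vendor_invoice":   "recording",
    "post_journal_entry":     "recording",
    "sign_cheques":           "custody",
}

# Constructed role catalogue: which duties each role grants.
ROLE_DUTIES = {
    "ap_clerk":       ["enter_vendor_invoice", "post_journal_entry"],
    "purchasing_mgr": ["approve_purchase_order"],
    "treasury":       ["sign_cheques"],
    "vendor_admin":   ["maintain_vendor_master"],
}

# Constructed access snapshot, as it might be exported from an ERP system.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_clerk", "treasury"],           # records liabilities AND pays them
    "carol": ["purchasing_mgr", "vendor_admin"],  # two authorization duties: no conflict
}

def duty_classes(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                 duty_class=DUTY_CLASS):
    """Resolve a user's roles to the duty classes (and duties) they hold."""
    classes = defaultdict(set)
    for role in user_roles.get(user, []):
        for duty in role_duties.get(role, []):
            classes[duty_class[duty]].add(duty)
    return dict(classes)

def sod_conflicts(user_roles=USER_ROLES):
    """Detective control: report every user holding more than one duty class."""
    findings = {}
    for user in user_roles:
        classes = duty_classes(user, user_roles)
        if len(classes) > 1:
            findings[user] = sorted(classes)
    return findings

if __name__ == "__main__":
    for user, classes in sod_conflicts().items():
        print(f"SoD conflict: {user} holds {' + '.join(classes)}")
```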

M. Monitoring
a. Perform internal control evaluations (e.g., internal audit)
b. Implement effective supervision
c. Use responsibility accounting systems (e.g., budgets)
d. Monitor system activities
e. Track purchased software and mobile devices
f. Conduct periodic audits (e.g., external, internal, network security)
g. Employ computer security officer
h. Engage forensic specialists
i. Install fraud detection software
j. Implement fraud hotline