© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 315
INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are
computer control and security important?
– What is the difference between the COBIT, COSO, and ERM
control frameworks?
– What are the major elements in the internal environment of a
company?
– What are the four types of control objectives that companies
need to set?
– What events affect uncertainty, and how can they be identified?
– How is the Enterprise Risk Management model used to assess
and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and monitor
control processes?
OVERVIEW OF CONTROL CONCEPTS
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt
Practices Act, and to the surprise of the profession, this
act incorporated language from an AICPA
pronouncement.
• The primary purpose of the act was to prevent the
bribery of foreign officials to obtain business.
• A significant effect was to require that corporations
maintain good systems of internal accounting control.
– Generated significant interest among management, accountants,
and auditors in designing and evaluating internal control
systems.
– The resulting internal control improvements weren’t sufficient.
• Levers of control
– Many people feel there is a basic conflict between creativity and controls.
– Robert Simons has espoused four levers of controls to help companies reconcile this conflict:
  • A concise belief system
    – Communicates company core values to employees and inspires them to live by those values.
    – Draws attention to how the organization creates value.
    – Helps employees understand management’s intended direction.
    – Must be broad enough to appeal to all levels.
  • A boundary system
    – Helps employees act ethically by setting limits beyond which they must not pass.
    – Does not create rules and standard operating procedures that can stifle creativity.
    – Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:
      • Meeting minimum standards of performance
      • Shunning off-limits activities
      • Avoiding actions that could damage the company’s reputation.
  • A diagnostic control system
    – Ensures efficient and effective achievement of important controls.
    – This system measures company progress by comparing actual to planned performance.
    – Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
    – Provides feedback to enable management to adjust and fine-tune.
  • An interactive control system
    – Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:
      • Developing company strategy.
      • Setting company objectives.
      • Understanding and assessing threats and risks.
      • Monitoring changes in competitive conditions and emerging technologies.
      • Developing responses and action plans to proactively deal with these high-level issues.
    – Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.
    – Data from this system are best interpreted and discussed in face-to-face meetings.
CONTROL FRAMEWORKS
• COBIT framework
– Also known as the Control Objectives for
Information and Related Technology
framework.
– Developed by the Information Systems Audit
and Control Foundation (ISACF).
– A framework of generally applicable
information systems security and control
practices for IT control.
• COSO developed a
model to illustrate
the elements of
ERM.
• Columns at the top represent the four types of objectives that management must meet to achieve company goals.
– Strategic objectives
– Operations objectives
– Reporting objectives
  • Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
  • Improve decision-making and monitor company activities and performance more efficiently.
– Compliance objectives
  • Compliance objectives help the company comply with applicable laws and regulations.
    – External parties often set the compliance rules.
    – Companies in the same industry often have similar concerns in this area.
• ERM can provide reasonable
assurance that reporting and
compliance objectives will be
achieved because companies
have control over them.
• However, strategic and
operations objectives are
sometimes at the mercy of
external events that the
company can’t control.
• Therefore, in these areas, the
only reasonable assurance the
ERM can provide is that
management and directors are
informed on a timely basis of the
progress the company is making
in achieving them.
• Columns on the
right represent the
company’s units:
– Entire company
– Division
– Business unit
– Subsidiary
• The horizontal rows are eight related risk and control components, including:
– Internal environment
– Objective setting
– Event identification
– Risk assessment
– Risk response
  • Management aligns identified risks with the company’s tolerance for risk by choosing to:
    – Avoid
    – Reduce
    – Share
    – Accept
  • Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and costs-benefits of alternate responses.
– Control activities
  • To implement management’s risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.
  • Corresponds to the control activities element in the COSO internal control framework.
– Information and communication
  • Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
  • Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
  • Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
  • Has a corresponding element in the COSO internal control framework.
• ERM Framework Vs. the Internal Control Framework
– The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
  • It has too narrow of a focus.
    – Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
    – Makes it difficult to know:
      • Which control systems are most important.
      • Whether they adequately deal with risk.
      • Whether important control systems are missing.
INTERNAL ENVIRONMENT
• The most critical component
of the ERM and the internal
control framework.
• Is the foundation on which the
other seven components rest.
• Influences how organizations:
– Establish strategies and
objectives
– Structure business activities
– Identify, assess, and respond
to risk
• A deficient internal control
environment often results in
risk management and control
breakdowns.
• Public companies must have an audit
committee, composed entirely of independent,
outside directors.
– The audit committee oversees:
• The company’s internal control structure;
• Its financial reporting process; and
• Its compliance with laws, regulations, and standards.
– Works with the corporation’s external and internal
auditors.
• Hires, compensates, and oversees the auditors.
• Auditors report all critical accounting policies and practices to
the audit committee.
– Provides an independent review of management’s
actions.
• Companies can endorse integrity as a basic
operating principle by actively teaching and
requiring it.
– Management should:
• Make it clear that honest reports are more important than
favorable ones.
– Management should avoid:
• Unrealistic expectations, incentives, or temptations.
• Attitude of earnings or revenue at any price.
• Overly aggressive sales practices.
• Unfair or unethical negotiation practices.
• Implied kickback offers.
• Excessive bonuses.
• Bonus plans with upper and lower cutoffs.
• Management should require employees to report
dishonest, illegal, or unethical behavior and discipline
employees who knowingly fail to report.
– Reports of dishonest acts should be thoroughly investigated.
– Those found guilty should be dismissed.
– Prosecution should be undertaken when possible, so that other
employees are clear about consequences.
• Companies must make a commitment to competence.
– Begins with having competent employees.
– Varies with each job but is a function of knowledge, experience,
training, and skills.
• Organizational structure
– A company’s organizational structure defines
its lines of authority, responsibility, and
reporting.
• Provides the overall framework for planning,
directing, executing, controlling, and monitoring its
operations.
• Methods of assigning authority and
responsibility
– Management should make sure:
• Employees understand the entity’s objectives.
• Authority and responsibility for business objectives are
assigned to specific departments and individuals.
– Ownership of responsibility encourages employees to
take initiative in solving problems and holds them
accountable for achieving objectives.
– Management:
• Must be sure to identify who is responsible for the IS security
policy.
• Should monitor results so decisions can be reviewed and, if
necessary, overruled.
• Authority and responsibility are assigned through:
– Formal job descriptions
– Employee training
– Operating plans, schedules, and budgets
– Codes of conduct that define ethical behavior, acceptable
practices, regulatory requirements, and conflicts of interest
– Written policies and procedures manuals (a good job reference
and job training tool), which cover:
• Proper business practices
• Knowledge and experience needed by key personnel
• Resources provided to carry out duties
• Policies and procedures for handling particular transactions
• The organization’s chart of accounts
• Sample copies of forms and documents
• Hiring
– Should be based on educational background,
relevant work experience, past achievements,
honesty and integrity, and how well
candidates meet written job requirements.
– Employees should undergo a formal, in-depth
employment interview.
– Resumes, reference letters, and thorough
background checks are critical.
• Sometimes professional firms are hired to do the
background checks because applicants are
becoming more aggressive in their deceptions.
– Some get phony degrees from online “diploma mills.”
• A Pennsylvania district attorney recently filed suit against a
Texas “university” for issuing an MBA to the DA’s 6-year-old
black cat.
– Others actually hack (or hire someone to hack) into
the systems of universities to create or alter
transcripts and other academic data.
• No employee should be exempted from
background checks. Anyone from the custodian
to the company president is capable of
committing fraud, sabotage, etc.
• Compensating
– Employees should be paid a fair and
competitive wage.
– Poorly compensated employees are more
likely to feel the resentment and financial
pressures that lead to fraud.
– Appropriate incentives can motivate and
reinforce outstanding performance.
• Policies on training
– Training programs should familiarize new employees
with:
• Their responsibilities.
• Expected performance and behavior.
• Company policies, procedures, history, culture, and operating
style.
– Training needs to be ongoing, not just one time.
– Companies that shortchange training are more likely
to experience security breaches and fraud.
• Discharging
– Fired employees are disgruntled employees.
– Disgruntled employees are more likely to
commit sabotage or fraud against the
company.
– Employees who are terminated (whether
voluntarily or involuntarily) should be removed
from sensitive jobs immediately and denied
access to information systems.
• External influences
– External influences that affect the control
environment include requirements imposed
by:
• FASB
• PCAOB
• SEC
• Insurance commissions
• Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
• Objective setting is the
second ERM
component.
• It must precede many
of the other six
components.
• For example, you must
set objectives before
you can define events
that affect your ability
to achieve objectives
• As a rule of thumb:
– The mission and strategic objectives are
stable.
– The strategy and other objectives are more
dynamic:
• Must be adapted to changing conditions.
• Must be realigned with strategic objectives.
• Operations objectives:
– Are a product of management preferences,
judgments, and style.
– Vary significantly among entities:
• One may adopt technology; another waits until the
bugs are worked out.
– Are influenced by and must be relevant to the
industry, economic conditions, and
competitive pressures.
– Give clear direction for resource allocation—a
key success factor.
EVENT IDENTIFICATION
• Events are:
– Incidents or occurrences that
emanate from internal or
external sources.
– That affect implementation of
strategy or achievement of
objectives.
– Impact can be positive,
negative, or both.
– Events can range from
obvious to obscure.
– Effects can range from
inconsequential to highly
significant.
• Some of these factors include:
– External factors:
  • Economic factors
    – Availability of capital; lower or higher costs of capital
    – Lower barriers to entry, resulting in new competition
    – Price movements up or down
    – Ability to issue credit and possibility of default
    – Concentration of competitors, customers, or vendors
    – Presence or absence of liquidity
    – Movements in the financial markets or currency fluctuations
    – Rising or lowering unemployment rates
    – Mergers or acquisitions
    – Potential regulatory, contractual, or criminal legal liability
  • Natural environment
  • Political factors
  • Social factors
    – Changing demographics, social mores, family structures, and work/life priorities
    – Consumer behavior that changes demand for products and services or creates new buying opportunities
    – Corporate citizenship
    – Privacy
    – Terrorism
    – Human resource issues causing production shortages or stoppages
  • Technological factors
    – New e-business technologies that lower infrastructure costs or increase demand for IT-based services
    – Emerging technology
    – Increased or decreased availability of data
    – Interruptions or down time caused by external parties
RISK ASSESSMENT AND RISK RESPONSE
• The fourth and fifth components of COSO’s ERM model are risk assessment and risk response.
• COSO indicates there are two types of risk:
– Inherent risk
– Residual risk
  • The risk that remains after management implements internal controls or some other form of response to risk.
• Companies should:
– Assess inherent risk
– Develop a response
– Then assess residual risk
• The ERM model indicates four ways to respond to risk:
– Reduce it
  • The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.
– Accept it
  • Don’t act to prevent or mitigate it.
– Share it
  • Transfer some of it to others via activities such as insurance, outsourcing, or hedging.
– Avoid it
  • Don’t engage in the activity that produces it.
  • May require:
    – Sale of a division
    – Exiting a product line
    – Canceling an expansion plan
• Accountants:
– Help management design effective controls to
reduce inherent risk.
– Evaluate internal control systems to ensure
they are operating effectively.
– Assess and reduce inherent risk using the risk
assessment and response strategy.
• Risk assessment and risk response flowchart:
– Identify the events or threats that confront the company
– Estimate the likelihood or probability of each event occurring
– Estimate the impact of potential loss from each threat
– Identify set of controls to guard against threat
– Estimate costs and benefits from instituting controls
– Is it cost-beneficial to protect system?
  • No: Avoid, share, or accept risk
  • Yes: Reduce risk by implementing set of controls to guard against threat
• Estimate likelihood and impact
– Some events pose more risk because they are more probable than others.
– Some events pose more risk because their dollar impact would be more significant.
– Likelihood and impact must be considered together:
– If either increases, the materiality of the event and the need to protect against it rises.
• All other factors equal:
– A preventive control is better than a detective one.
– However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
– Consequently, the three complement each other, and a good internal control system should have all three.
– Similarly, a company should use all four levers of control.
• Estimate costs and benefits
– It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
– Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.
• The benefits of an internal control procedure must exceed its costs.
• Benefits can be hard to quantify, but include:
– Increased sales and productivity
– Reduced losses
– Better integration with customers and suppliers
– Increased customer loyalty
– Competitive advantages
– Lower insurance premiums
• Costs are usually easier to measure than benefits.
• Primary cost is personnel, including:
– Time to perform control procedures
– Costs of hiring additional employees to effectively segregate duties
– Costs of programming controls into a system
• Other costs of a poor control system include:
– Lost sales
– Lower productivity
– Drop in stock price if security problems arise
– Shareholder or regulator lawsuits
– Fines and penalties imposed by governmental agencies
• The expected loss related to a risk is measured as:
– Expected loss = impact x likelihood
• Determine cost-benefit effectiveness
– After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?
• In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.
– If an event threatens an organization’s existence, it may be worthwhile to institute controls even if costs exceed expected benefits.
– The additional cost can be viewed as a catastrophic loss insurance premium.
• Let’s go through an example:
– Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
– A catastrophic theft could result in losses of $800,000.
– Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
– Companies with motion detectors only have about a .5% probability of catastrophic theft.
– The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
– Should Hobby Hole install the motion detectors?
• Expected loss without control procedure = $800,000 x .12 = $96,000.
• Expected loss with control procedure = $800,000 x .005 = $4,000.
• Estimated value of control procedure = $96,000 - $4,000 = $92,000.
• Estimated cost of control procedure = $43,000 (given).
• Benefits exceed costs by $92,000 - $43,000 = $49,000.
• In this case, Hobby Hole should probably install the motion detectors.
• Implement the control or avoid, share, or accept the risk
– When controls are cost effective, they should be implemented so risk can be reduced.
• Risks that are not reduced must be accepted, shared, or avoided.
– If the risk is within the company’s risk tolerance, they will typically accept the risk.
– A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
– An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
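The decision procedure described above (expected loss, cost/benefit test, the existence-threat exception, and the risk-tolerance check) is worked through below in Python as an added example; it is not part of the textbook slides. The class and function names, the dollar-denominated risk tolerance, and every threat other than Hobby Hole are assumptions constructed for illustration.

```python
"""Risk response selection following the slides' procedure (added example)."""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    cost: float                  # present value of installing and running it
    residual_likelihood: float   # probability of the event once it is in place


@dataclass
class Threat:
    name: str
    impact: float                # dollar loss if the event occurs
    likelihood: float            # probability with no control (inherent risk)
    threatens_existence: bool = False


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood, rounded to cents."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return round(impact * likelihood, 2)


def evaluate_control(threat: Threat, control: Control) -> dict:
    """Benefit of a control is the drop in expected loss it produces."""
    inherent = expected_loss(threat.impact, threat.likelihood)
    residual = expected_loss(threat.impact, control.residual_likelihood)
    benefit = round(inherent - residual, 2)
    return {"control": control.name, "inherent": inherent, "residual": residual,
            "benefit": benefit, "net_benefit": round(benefit - control.cost, 2)}


def choose_response(threat: Threat, controls: list, risk_tolerance: float) -> dict:
    """Pick reduce / accept / share-or-avoid for one threat.

    risk_tolerance is the expected loss (in dollars) management will carry;
    expressing tolerance this way is an assumption of this example.
    """
    inherent = expected_loss(threat.impact, threat.likelihood)
    # Keep only controls that actually lower the expected loss.
    options = [o for o in (evaluate_control(threat, c) for c in controls)
               if o["benefit"] > 0]
    best = max(options, key=lambda o: o["net_benefit"], default=None)

    if best and best["net_benefit"] > 0:
        return {"response": "reduce", "reason": "cost-beneficial", **best}
    if best and threat.threatens_existence:
        # Cost exceeds expected benefit, but the event could end the company:
        # the shortfall is treated as a catastrophic-loss insurance premium.
        return {"response": "reduce", "reason": "catastrophic-loss premium", **best}
    unreduced = {"inherent": inherent, "residual": inherent}
    if inherent <= risk_tolerance:
        return {"response": "accept", "reason": "within risk tolerance", **unreduced}
    return {"response": "share or avoid",
            "reason": "above tolerance and no cost-beneficial control", **unreduced}


# Hobby Hole figures come from the slide; the other threats are constructed.
HOBBY_HOLE = Threat("catastrophic warehouse theft", 800_000, 0.12)
MOTION_DETECTORS = Control("motion detector system", 43_000, 0.005)
PETTY_CASH = Threat("petty cash shortfall", 2_000, 0.10)
DAILY_COUNT = Control("daily supervised cash count", 1_500, 0.01)
DC_FIRE = Threat("data center fire", 50_000_000, 0.001, threatens_existence=True)
SECOND_SITE = Control("second processing site", 120_000, 0.0001)
FX_EXPOSURE = Threat("supplier currency exposure", 400_000, 0.25)
FX_REVIEW = Control("weekly exposure review", 150_000, 0.20)

if __name__ == "__main__":
    cases = [(HOBBY_HOLE, MOTION_DETECTORS), (PETTY_CASH, DAILY_COUNT),
             (DC_FIRE, SECOND_SITE), (FX_EXPOSURE, FX_REVIEW)]
    for threat, control in cases:
        result = choose_response(threat, [control], risk_tolerance=5_000)
        print(f"{threat.name}: {result['response']} ({result['reason']}), "
              f"inherent ${result['inherent']:,.0f}, residual ${result['residual']:,.0f}")
```
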
CONTROL ACTIVITIES
• The sixth component of
COSO’s ERM model.
• Control activities are
policies, procedures,
and rules that provide
reasonable assurance
that management’s
control objectives are
met and their risk
responses are carried
out.
• Segregation of duties
– Good internal control requires that no single
employee be given too much responsibility
over business transactions or processes.
– An employee should not be in a position to
commit and conceal fraud or unintentional
errors.
– Segregation of duties is discussed in two
sections:
• Segregation of accounting duties
• Segregation of duties within the systems function
CUSTODIAL FUNCTIONS
• Handling cash
• Handling inventories, tools, or fixed assets
• Writing checks
• Receiving checks in mail
RECORDING FUNCTIONS
• Preparing source documents
• Maintaining journals, ledgers, or other files
• Preparing reconciliations
• Preparing performance reports
AUTHORIZATION FUNCTIONS
• Authorization of transactions
• EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
• SOLUTION: The pink fence (segregation of custody and recording) prevents employees from falsifying records to conceal theft of assets entrusted to them.
• EXAMPLE OF PROBLEM: A person who has custody of
• EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee’s home address or the address of a shell company he creates.
• SOLUTION: The purple fence (segregation of recording and authorization) prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized.
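A check for the segregation of accounting duties described above, as an added example that is not part of the textbook slides: it classifies each duty into the custody, recording, or authorization function using the slide's lists and flags any user whose roles combine two functions. The role names, user names, and assignments are constructed; the slide's example for the custody/authorization pair is cut off on this page, so that pair is flagged without a description.

```python
"""Segregation-of-duties check over role assignments (added example)."""
from itertools import combinations

# Duties and the function each belongs to, as listed on the slide.
DUTY_FUNCTION = {
    "handling cash": "custody",
    "handling inventories, tools, or fixed assets": "custody",
    "writing checks": "custody",
    "receiving checks in mail": "custody",
    "preparing source documents": "recording",
    "maintaining journals, ledgers, or other files": "recording",
    "preparing reconciliations": "recording",
    "preparing performance reports": "recording",
    "authorization of transactions": "authorization",
}

# Risk wording only for the two pairs the slides describe in full.
PAIR_RISK = {
    frozenset({"custody", "recording"}):
        "can steal assets and falsify records to conceal the theft",
    frozenset({"recording", "authorization"}):
        "can authorize and record fictitious transactions",
}


def functions_held(user, user_roles, role_duties):
    """Map each function the user holds to the duties that grant it."""
    held = {}
    for role in user_roles.get(user, []):
        for duty in role_duties[role]:
            function = DUTY_FUNCTION.get(duty)
            if function is None:
                # An unclassified duty would silently escape the check.
                raise KeyError(f"unclassified duty {duty!r} in role {role!r}")
            held.setdefault(function, set()).add(duty)
    return held


def find_conflicts(user_roles, role_duties):
    """Return one finding per user per pair of functions held together."""
    findings = []
    for user in sorted(user_roles):
        held = functions_held(user, user_roles, role_duties)
        for a, b in combinations(sorted(held), 2):
            findings.append({
                "user": user,
                "functions": (a, b),
                "duties": sorted(held[a] | held[b]),
                "risk": PAIR_RISK.get(frozenset({a, b}),
                                      "incompatible functions combined"),
            })
    return findings


# Constructed roles and assignments for illustration.
SAMPLE_ROLE_DUTIES = {
    "cashier": ["handling cash", "receiving checks in mail"],
    "ar_clerk": ["maintaining journals, ledgers, or other files",
                 "preparing reconciliations"],
    "bookkeeper": ["preparing source documents"],
    "ap_approver": ["authorization of transactions"],
}
SAMPLE_USER_ROLES = {
    "alice": ["cashier"],
    "bob": ["cashier", "ar_clerk"],          # custody + recording
    "carol": ["ap_approver", "bookkeeper"],  # authorization + recording
    "dave": ["ar_clerk", "bookkeeper"],      # recording only
}

if __name__ == "__main__":
    for f in find_conflicts(SAMPLE_USER_ROLES, SAMPLE_ROLE_DUTIES):
        print(f"{f['user']}: {' + '.join(f['functions'])} -> {f['risk']}")
```
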
• Project development and acquisition controls
– It’s important to have a formal, appropriate, and proven
methodology to govern the development, acquisition,
implementation, and maintenance of information systems and
related technologies.
• Should contain appropriate controls for:
– Management review and approval
– User involvement
– Analysis
– Design
– Testing
– Implementation
– Conversion
• Should make it possible for management to trace information
inputs from source to disposition and vice versa (the audit
trail).
• The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
– Strategic master plan
  • A multi-year strategic plan should align the organization’s information system with its business strategies and show the projects that must be completed to achieve long-range goals.
  • Should address hardware, software, personnel, and infrastructure requirements.
  • Each year, the board and top management should prepare and approve the plan and its supporting budget.
  • Should be evaluated several times a year to ensure the organization can acquire needed components and maintain existing ones.
– Project controls
  • A project development plan shows how a project will be completed, including:
    – Modules or tasks to be performed
    – Who will perform them
    – Anticipated completion dates
    – Project costs
  • Project milestones should be specified—points when progress is reviewed and actual completion times are compared to estimates.
  • Each project should be assigned to a manager and team who are responsible for its success or failure.
  • At project completion, a project evaluation of the team members should be performed.
– Data processing schedule
– Steering committee
– System performance measurements
  • To be evaluated properly, a system should be assessed with measures such as:
    – Throughput (output per unit of time)
    – Utilization (percent of time it is used productively)
    – Response time (how long it takes to respond)
• When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should:
– Develop clear specifications
  • Before third parties bid, provide clear specifications, including:
    – Exact descriptions and definitions of the system
    – Explicit deadlines
    – Precise acceptance criteria
  • Although it’s expensive to develop these specifications, it will save money in the end.
– Monitor the systems integration project
  • A sponsors committee should monitor third-party development projects.
    – Established by the CIO and chaired by the project’s internal champion.
    – Should include department managers from all units that will use the system.
    – Should establish formal procedures for measuring and reporting project status.
    – Best approach is to:
      • Divide project into manageable tasks.
      • Assign responsibility for each task.
      • Meet on a regular basis (at least monthly) to review progress and assess quality.
• Insiders also create less-intentional threats to
systems, including:
– Accidentally deleting company data.
– Turning viruses loose.
– Trying to fix hardware or software without appropriate
expertise (i.e., when in doubt, unplug it).
• These actions can result in crashed networks,
corrupt data, and hardware and software
malfunctions.
• Companies also face significant risks from
customers and vendors that have access to
company data.
INFORMATION AND COMMUNICATION
MONITORING
• The eighth
component of
COSO’s ERM
model.
• Monitoring can be
accomplished with a
series of ongoing
events or by
separate
evaluations.
• Key methods of monitoring performance include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer, a Chief
Compliance Officer, and security consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
• Companies that monitor system activities need to ensure
they do not violate employee privacy rights.
• Employers cannot discreetly observe communications of
employees when those employees have a “reasonable
expectation of privacy.”
• Employers must therefore ensure that employees realize
their business communications are not “private.” One
way to accomplish that objective is to have written
policies that employees agree to in writing which
indicate:
– The technology employees use on the job belongs to the
company.
– Emails received on company computers are not private and can
be read by supervisory personnel.
– Employees should not use technology in any way to contribute to
a hostile work environment.
MONITORING
• Most forensic accountants are CPAs and may
have received special training with the FBI, CIA,
or other law enforcement agencies.
– In particular demand are those with the necessary
computer skills to ferret out and combat fraudsters
who use sophisticated technology to perpetrate their
crimes.
– The Association of Certified Fraud Examiners (ACFE)
has created a professional certification program for
fraud examiners.
MONITORING
• Install fraud detection software
– People who commit fraud tend to follow certain patterns and
leave behind clues.
– Software has been developed to seek out these fraud symptoms.
– Some companies employ neural networks (programs that
mimic the brain and have learning capabilities), which are very
accurate in identifying suspected fraud.
– For example, if a husband and wife were each using the same
credit card in two different stores at the same time, a neural
network would probably flag at least one of the transactions
immediately as suspicious.
– These networks and other recent advances in fraud detection
software are significantly reducing the incidences of credit card
fraud.
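The same-card, two-stores case above can be expressed as a simple time-window rule. This is an added example, not part of the original slides, and it is a fixed rule rather than a neural network; the function name, the two-minute window and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions: (card id, store, timestamp). Not real data.
SAMPLE_TXNS = [
    ("card-A", "Store 1", "2008-03-01 12:00:05"),
    ("card-A", "Store 2", "2008-03-01 12:00:40"),   # other store, 35 s later
    ("card-A", "Store 2", "2008-03-01 12:05:00"),   # same store, outside window
    ("card-B", "Store 3", "2008-03-01 12:00:10"),
    ("card-B", "Store 4", "2008-03-01 15:30:00"),   # other store, hours later
    ("card-C", "Store 5", "2008-03-01 09:00:00"),
]


def flag_concurrent_use(txns, window=timedelta(minutes=2)):
    """Return transactions that follow a use of the same card at a
    different store by less than `window` (assumed threshold)."""
    by_card = defaultdict(list)
    for card, store, ts in txns:
        by_card[card].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), store))

    flagged = []
    for card, events in by_card.items():
        events.sort()
        for i, (when, store) in enumerate(events):
            # Look back over earlier uses of this card inside the window.
            for prev_when, prev_store in reversed(events[:i]):
                if when - prev_when >= window:
                    break
                if prev_store != store:
                    flagged.append((card, store, when.isoformat(sep=" ")))
                    break
    return flagged


if __name__ == "__main__":
    for hit in flag_concurrent_use(SAMPLE_TXNS):
        print("suspicious:", hit)
```

A wider window catches more cases but also flags legitimate use, such as the card-B purchases hours apart; tuning that trade-off is where learned models improve on a fixed rule.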
MONITORING
• Outsourcing is available through a number of third
parties and offers several benefits, including:
– Increased confidence on the part of the employee that his/her
report is truly anonymous.
– 24/7 availability.
– Often have multilingual capabilities—an important plus for
multinational organizations.
– The outsourcer may be able to follow up with the
employee if additional information is needed after the initial
contact.
– The employee can be advised of the outcome of his report.
– Low cost.
SUMMARY
• In this chapter, you’ve learned about basic internal control
concepts and why computer control and security are so
important.
• You’ve learned about the similarities and differences between
the COBIT, COSO, and ERM control frameworks.
• You’ve learned about the major elements in the internal
control environment of a company and the four types of
control objectives that companies need to set.
• You’ve also learned about events that affect uncertainty and
how these events can be identified.
• You’ve explored how the Enterprise Risk Management model
is used to assess and respond to risk, as well as the control
activities that are commonly used in companies.
• Finally, you’ve learned how organizations communicate
information and monitor control processes.
ERM Implementation: Pizza Hut
• Establish the internal environment in the
organization with reference to the internal
environment concepts discussed
earlier.
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
Objective Setting: Revenue Cycle
Event Identification: related to
objective 1
• Design an effective and efficient process
for receiving customer orders.
This covers both Dine In and Take
Away orders. What does this order-taking
process look like? The design of the
order-taking process refers to the
results of the next stage of analysis: Risk
Assessment
Risk Assessment: Order-Taking
Process
• Several risks may occur in this
activity, including:
– Errors in recording the order, either the items
ordered or the quantity ordered
– Cancellation of an order that has already been placed
– Errors in recording the customer's table number
• Analyze the impact of these risks,
Severity of the risk: High, Medium, Low.
How should they be responded to?
This is analyzed in the next stage,
Risk Response
Risk Response: responses to the
risks in the order-recording
event (Accept, Share, Avoid)
• Response to risk 1: the severity of
risk 1 is considered high, so it must not
occur (Avoid) because its impact would be very
damaging to the company. A recording error
has consequences that complicate the
subsequent activities, namely order delivery
and payment. Such errors can cause losses for
the company and disappoint customers.
Response: an order-taking activity must be
designed that can prevent the first risk
from occurring: a Control Activity capable of
preventing that risk is needed
Control Activity: Order-Taking
Procedure
• An order-taking procedure is created covering:
– The steps of taking an order
– The order-taking document
– An order confirmation procedure covering:
• Ensuring the customer knows which menu items were ordered
• Reading back the quantity ordered for each menu item
– Entry of the order into an application integrated
with the kitchen and the cashier by the person taking the order,
so that if an input error occurs, it is clear which
waiter is responsible.
– etc.
Information and Communication:
• Data: the waiters' order-taking records and the
waiters' input into the application
• Information: information on the orders that
the kitchen must cook; this information is also
used by the cashier to calculate the amount
the customer must pay.
• Communication: how information is distributed
from the waiters to the kitchen and the cashier so that
the data is accurate. Using an integrated sales
application is a solution that makes
recording and distributing information easier
and accurate.
Monitoring