
Control and Accounting Information Systems
Chapter 4
Learning Objectives
1.  Explain basic control concepts and why computer control and security
are important.
2.  Compare and contrast the COBIT, COSO, and ERM control frameworks.
3.  Describe the major elements in the internal environment of a company.
4.  Describe the four types of control objectives that companies need to set.
5.  Describe the events that affect uncertainty and the techniques used to
identify them.
6.  Explain how to assess and respond to risk using the Enterprise Risk
Management model.
7.  Describe control activities commonly used in companies.
8.  Describe how to communicate information and monitor control
processes in organizations.
INTRODUCTION
Why AIS threats are increasing
▫  Control risks have increased in the last few years
because:
–  There are computers and servers everywhere, and
information is available to an unprecedented number of
workers.
–  Distributed computer networks make data available to
many users, and these networks are harder to control
than centralized mainframe systems.
–  Wide area networks are giving customers and suppliers
access to each other’s systems and data, making
confidentiality a major concern.
INTRODUCTION
Historically, many organizations have not adequately
protected their data due to one or more of the
following reasons:
▫  Computer control problems are often underestimated and
downplayed.
▫  Control implications of moving from centralized, host-
based computer systems to those of a networked system
or Internet-based system are not always fully understood.
▫  Companies have not realized that data is a strategic
resource and that data security must be a strategic
requirement.
▫  Productivity and cost pressures may motivate
management to forego time-consuming control measures.
INTRODUCTION
• Some vocabulary terms for this chapter:
▫  A threat is any potential adverse occurrence
or unwanted event that could injure the AIS or
the organization.
▫  The exposure or impact of the threat is the
potential dollar loss that would occur if the
threat becomes a reality.
▫  The likelihood is the probability that the
threat will occur.
A Primary Objective of an AIS
•  Is to control the organization so the organization can achieve its objectives
•  Management expects accountants to:
▫  Take a proactive approach to eliminating system threats.
▫  Detect, correct, and recover from threats when they occur.
1. Internal Controls
•  Processes implemented to provide reasonable
assurance that the following objectives are
achieved:
1.  Safeguard assets
2.  Maintain sufficient records
3.  Provide accurate and reliable information
4.  Prepare financial reports according to
established criteria
5.  Promote and improve operational efficiency
6.  Encourage adherence with management policies
7.  Comply with laws and regulations
Internal Controls
• Internal control is a process because:
▫  It permeates an organization’s operating
activities.
▫  It is an integral part of basic management
activities.
• Internal control provides reasonable,
rather than absolute, assurance, because
complete assurance is difficult or
impossible to achieve and prohibitively
expensive.
Internal Control
Functions:
•  Preventive
▫  Deter problems from occurring
•  Detective
▫  Discover problems that are not prevented
•  Corrective
▫  Identify and correct problems; correct and recover from the problems
Categories:
•  General
▫  Ensure that organization’s control environment is stable and well managed
•  Application
▫  Prevent, detect, and correct transaction errors and fraud in application programs.
Sarbanes-Oxley (2002)
•  Designed to prevent financial statement fraud,
make financial reports more transparent, protect
investors, strengthen internal controls, and punish
executives who perpetrate fraud
▫  Public Company Accounting Oversight Board
(PCAOB)
–  Oversight of auditing profession
▫  New Auditing Rules
–  Partners must rotate periodically (5 years)
–  Prohibited from performing certain non-audit services

Sarbanes-Oxley (2002)
▫  New Roles for Audit Committee
–  Be part of board of directors and be independent
–  One member must be a financial expert
–  Oversees external auditors
▫  New Rules for Management
–  Financial statements and disclosures are fairly
presented, were reviewed by management, and are not
misleading.
–  The auditors were told about all material internal control
weaknesses and fraud.
▫  New Internal Control Requirements
–  Management is responsible for establishing and
maintaining an adequate internal control system.
SOX Management Rules
SEC (Securities and Exchange Commission)
mandated that management must:
• Base evaluation of internal control on a
recognized framework.
• Disclose all material internal control
weaknesses.
• Conclude a company does not have
effective financial reporting internal
controls if there are material weaknesses.
2. CONTROL FRAMEWORKS
A number of frameworks have been developed
to help companies develop good internal
control systems. Three of the most important
are:
▫  COBIT
–  Framework for IT control
▫  COSO
–  Framework for enterprise internal controls
(control-based approach)
▫  COSO-ERM
–  Expands COSO framework taking a risk-based
approach
CONTROL FRAMEWORKS
• COBIT framework
▫  Also known as the Control Objectives for
Information and Related Technology
framework.
▫  Developed by the Information Systems Audit
and Control Foundation (ISACF).
▫  A framework of generally applicable
information systems security and control
practices for IT control.
CONTROL FRAMEWORKS
• The COBIT framework addresses the
issue of control from three vantage points
or dimensions:
▫  Business objectives
▫  IT resources
▫  IT processes
CONTROL FRAMEWORKS
• The COBIT framework allows:
1.  Management to benchmark security and
control practices of IT environments.
2.  Users of IT services to be assured that
adequate security and control exists.
3.  Auditors to substantiate their opinions on
internal control and advise on IT security
and control matters.
COBIT Framework
•  Current framework version is COBIT5
•  Based on the following principles:
▫  Meeting stakeholder needs
▫  Covering the enterprise end-to-end
▫  Applying a single, integrated framework
▫  Enabling a holistic approach
▫  Separating governance from management
COBIT5 Separates Governance from Management
CONTROL FRAMEWORKS
• COSO’s Internal Control Framework
▫  The Committee of Sponsoring Organizations
(COSO) is a private sector group consisting of:
–  The American Accounting Association
–  The AICPA
–  The Institute of Internal Auditors
–  The Institute of Management Accountants
–  The Financial Executives Institute
CONTROL FRAMEWORKS
•  In 1992, COSO issued the Internal Control
Integrated Framework: (amended in 1994)
•  COSO’s internal control model has five crucial
components:
-  Control environment
-  Control activities
-  Risk assessment
-  Information and communication
-  Monitoring
CONTROL FRAMEWORKS
• Nine years after COSO issued the
preceding framework, it began
investigating how to effectively identify,
assess, and manage risk so organizations
could improve the risk management
process.
• Result: Enterprise Risk Management
Integrated Framework (ERM)
CONTROL FRAMEWORKS
• ERM Framework
▫  Takes a risk-based, rather than controls-based,
approach to the organization.
▫  Oriented toward future and constant change.
▫  Incorporates rather than replaces COSO’s
internal control framework and contains three
additional elements:
–  Setting objectives.
–  Identifying positive and negative events that may
affect the company’s ability to implement strategy and
achieve objectives.
–  Developing a response to assessed risk.
Components of COSO Frameworks
•  COSO:
▫  Control (internal) environment
▫  Risk assessment
▫  Control activities
▫  Information and communication
▫  Monitoring
•  COSO-ERM:
▫  Internal environment
▫  Objective setting
▫  Event identification
▫  Risk assessment
▫  Risk response
▫  Control activities
▫  Information and communication
▫  Monitoring
COSO’s Enterprise Risk Management Model
3. Internal Environment
1.  Management’s philosophy, operating style, and
risk appetite
2.  Commitment to integrity, ethical values, and
competence
3.  Internal control oversight by Board of
Directors
4.  Organizational structure
5.  Methods of assigning authority and
responsibility
6.  Human resource standards
7.  External influences
4. Objective Setting
•  Strategic objectives
▫  High-level goals
•  Operations objectives
▫  Effectiveness and efficiency of operations
•  Reporting objectives
▫  Improve decision making and monitor
performance
•  Compliance objectives
▫  Compliance with applicable laws and regulations
5. Event Identification
• “…an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
–  Positive or negative impacts (or both)
–  Events may trigger other events
–  All events should be anticipated
Event Identification
Identifying incidents both external and internal to the
organization that could affect the achievement of the
organization’s objectives
Key Management Questions:
•  What could go wrong?
•  How can it go wrong?
•  What is the potential harm?
•  What can be done about it?
Some of the more common techniques companies use to identify events:
•  Use lists of potential events
•  Perform an internal analysis
•  Monitor leading events and trigger points
•  Conduct workshops and interviews
•  Perform data mining and analysis
•  Analyze business processes
6. Risk Assessment
Risk is assessed from two perspectives:
•  Likelihood
▫  Probability that the event will occur
•  Impact
▫  Estimate potential loss if event occurs
Types of risk
•  Inherent
▫  Risk that exists before plans are made to control it
•  Residual
▫  Risk that is left over after you control it
Risk Response
•  Reduce
▫  Implement effective internal control
•  Accept
▫  Do nothing, accept likelihood and impact of risk
•  Share
▫  Buy insurance, outsource, or hedge
•  Avoid
▫  Do not engage in the activity
RISK ASSESSMENT AND RISK RESPONSE
•  Accountants assess and reduce inherent risk using the risk assessment and response strategy:
1.  Identify the events or threats that confront the company
2.  Estimate the likelihood or probability of each event occurring
3.  Estimate the impact of potential loss from each threat
4.  Identify set of controls to guard against threat
5.  Estimate costs and benefits from instituting controls
6.  Is it cost-beneficial to protect system?
–  Yes: Reduce risk by implementing set of controls to guard against threat
–  No: Avoid, share, or accept risk
RISK ASSESSMENT AND RISK RESPONSE
•  The expected loss related to a risk is measured as:
▫  Expected loss = impact x likelihood
•  The value of a control procedure is the difference between:
▫  Expected loss with control procedure
▫  Expected loss without it
(This slide repeats the risk assessment and response flowchart: identify threats, estimate likelihood and impact, identify controls, estimate costs and benefits, then reduce the risk if protection is cost-beneficial, or avoid, share, or accept it otherwise.)
RISK ASSESSMENT AND RISK RESPONSE
•  Let’s go through an example:
▫  Hobby Hole is trying to decide whether to install a
motion detector system in its warehouse to reduce the
probability of a catastrophic theft.
▫  A catastrophic theft could result in losses of $800,000.
▫  Local crime statistics suggest that the probability of a
catastrophic theft at Hobby Hole is 12%.
▫  Companies with motion detectors only have about a
0.5% probability of catastrophic theft.
▫  The present value of purchasing and installing a motion
detector system and paying future security costs is
estimated to be about $43,000.
▫  Should Hobby Hole install the motion detectors?
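To carry the expected-loss and cost-benefit calculation through in code, here is an added Python example; it is not from the slides or the textbook. The Hobby Hole figures are the ones given on the slide ($800,000 impact, 12% likelihood without the control, 0.5% with it, $43,000 present value of the control). The function names (`expected_loss`, `evaluate_control`, `best_control`) and the second candidate control ("security guard") are this example's own constructed assumptions. It goes slightly beyond the slide by comparing several candidate controls and recommending the one with the highest net benefit.

```python
"""Expected loss and control cost-benefit evaluation.

Added example (not from the slides or the textbook).
Expected loss = impact x likelihood; the value of a control is the
reduction in expected loss it buys, and it is cost-beneficial only when
that value exceeds what the control costs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlEvaluation:
    expected_loss_without: float   # impact x likelihood with no control in place
    expected_loss_with: float      # impact x likelihood once the control is in place
    control_value: float           # reduction in expected loss (without - with)
    control_cost: float            # present value of buying and running the control
    net_benefit: float             # control_value - control_cost

    @property
    def cost_beneficial(self) -> bool:
        return self.net_benefit > 0

    @property
    def recommendation(self) -> str:
        # The decision box in the flowchart: reduce the risk when protection
        # pays for itself; otherwise the remaining responses are avoid,
        # share (insure, outsource, hedge) or accept.
        return "reduce" if self.cost_beneficial else "avoid, share, or accept"


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood, with likelihood as a probability."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be a non-negative dollar loss")
    return impact * likelihood


def evaluate_control(impact: float, likelihood_without: float,
                     likelihood_with: float, control_cost: float) -> ControlEvaluation:
    """Evaluate one control: expected loss with and without it, and net benefit."""
    without = expected_loss(impact, likelihood_without)
    with_control = expected_loss(impact, likelihood_with)
    value = without - with_control
    return ControlEvaluation(without, with_control, value, control_cost,
                             value - control_cost)


def best_control(impact: float, likelihood_without: float, candidates: dict):
    """Evaluate each candidate control (name -> (likelihood_with, cost)) and
    return (name, evaluation) for the one with the highest net benefit.
    Returns (None, None) when no candidate is cost-beneficial."""
    best_name, best_eval = None, None
    for name, (likelihood_with, cost) in candidates.items():
        ev = evaluate_control(impact, likelihood_without, likelihood_with, cost)
        if ev.cost_beneficial and (best_eval is None or ev.net_benefit > best_eval.net_benefit):
            best_name, best_eval = name, ev
    return best_name, best_eval


# Figures from the Hobby Hole slide.
HOBBY_HOLE = evaluate_control(impact=800_000, likelihood_without=0.12,
                              likelihood_with=0.005, control_cost=43_000)

# Candidate controls: the slide's motion detectors plus one constructed
# alternative (a security guard) to show the comparison.
CANDIDATE_CONTROLS = {
    "motion detectors": (0.005, 43_000),
    "security guard (constructed)": (0.02, 60_000),
}

if __name__ == "__main__":
    ev = HOBBY_HOLE
    print(f"Expected loss without control: ${ev.expected_loss_without:,.0f}")
    print(f"Expected loss with control:    ${ev.expected_loss_with:,.0f}")
    print(f"Value of control:              ${ev.control_value:,.0f}")
    print(f"Cost of control:               ${ev.control_cost:,.0f}")
    print(f"Net benefit:                   ${ev.net_benefit:,.0f} -> {ev.recommendation}")
    name, best = best_control(800_000, 0.12, CANDIDATE_CONTROLS)
    print(f"Best candidate: {name} (net benefit ${best.net_benefit:,.0f})")
```

For Hobby Hole the expected loss falls from $96,000 to $4,000, so the motion detectors are worth $92,000 against a $43,000 cost and the answer to the slide's question is to install them.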
7. Control Activities
Policies and procedures to provide reasonable
assurance that control objectives are met:
1.  Proper authorization of transactions and
activities
2.  Segregation of duties
3.  Project development and acquisition controls
4.  Change management controls
5.  Design and use of documents and records
6.  Safeguarding assets, records, and data
7.  Independent checks on performance
CONTROL ACTIVITIES
1. Proper Authorization of Transactions and Activities
▫  Management lacks the time and resources to
supervise each employee activity and decision.
▫  Consequently, they establish policies and
empower employees to perform activities
within policy.
▫  This empowerment is called authorization
and is an important part of an organization’s
control procedures.
CONTROL ACTIVITIES
•  Typically at least two levels of authorization:
▫  General authorization
–  Management authorizes employees to handle routine transactions
without special approval.
▫  Specific authorization
–  For activities or transactions that are of significant consequences,
management review and approval is required.
–  Might apply to sales, capital expenditures, or write-offs over a
particular dollar limit.
•  Management should have written policies for both
types of authorization and for all types of
transactions.
CONTROL ACTIVITIES
2. Segregation of Duties
▫  Good internal control requires that no single
employee be given too much responsibility over
business transactions or processes.
▫  An employee should not be in a position to
commit and conceal fraud or unintentional
errors.
▫  Segregation of duties is discussed in two sections:
–  Segregation of accounting duties
–  Segregation of duties within the systems
function
CONTROL ACTIVITIES
•  Segregation of Accounting Duties
▫  Effective segregation of accounting duties is achieved
when the following functions are separated:
–  Authorization—approving transactions and decisions.
–  Recording—Preparing source documents; maintaining
journals, ledgers, or other files; preparing reconciliations; and
preparing performance reports.
–  Custody—Handling cash, maintaining an inventory storeroom,
receiving incoming customer checks, writing checks on the
organization’s bank account.
▫  If any two of the preceding functions are the
responsibility of one person, then problems can arise.
CONTROL ACTIVITIES
CUSTODIAL FUNCTIONS
•  Handling cash
•  Handling inventories, tools, or fixed assets
•  Writing checks
•  Receiving checks in mail
RECORDING FUNCTIONS
•  Preparing source documents
•  Maintaining journals, ledgers, or other files
•  Preparing reconciliations
•  Preparing performance reports
AUTHORIZATION FUNCTIONS
•  Authorization of transactions

•  EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
•  SOLUTION: The segregation of custody and recording prevents employees from falsifying records to conceal theft of assets entrusted to them.

CONTROL ACTIVITIES
(Same custodial, recording, and authorization functions diagram as above.)
•  EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal the payments.
•  SOLUTION: The segregation of custody and authorization prevents employees from authorizing fictitious or inaccurate transactions as a means of concealing a theft.

CONTROL ACTIVITIES
(Same custodial, recording, and authorization functions diagram as above.)
•  EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee’s home address or the address of a shell company he creates.
•  SOLUTION: The segregation of recording and authorization prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized.
CONTROL ACTIVITIES
•  Segregation of Duties Within the
Systems Function
▫  In a highly integrated information system,
procedures once performed by separate
individuals are combined.
▫  Therefore, anyone who has unrestricted access to
the computer, its programs, and live data could
have the opportunity to perpetrate and conceal
fraud.
▫  To combat this threat, organizations must
implement effective segregation of duties within
the IS function.
CONTROL ACTIVITIES
•  Authority and responsibility must be divided
clearly among the following functions:
▫  Systems administration
▫  Network management
▫  Security management
▫  Change management
▫  Users
▫  Systems analysts
▫  Programming
▫  Computer operations
▫  Information systems library
▫  Data control
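The segregation-of-duties rule on the preceding slides (no one person holds two of custody, recording and authorization; and, within the systems function, the listed IS roles are kept apart) can be checked mechanically over role assignments and over individual transactions. The following Python is an added example, not code from the slides or the textbook. The duty-to-function tables reproduce the functions named on the slides; the employees, their duties and the transactions are constructed sample data, and the function names (`find_conflicts`, `check_transactions`) are this example's own.

```python
"""Segregation-of-duties checks over role assignments and transactions.

Added example (not from the slides or the textbook). Two checks:
  1. a static check of who holds which duties, flagging anyone whose
     duties span two or more incompatible functions;
  2. a transaction-level check, flagging any transaction where one
     person both authorized, recorded, or had custody for it.
"""
from collections import defaultdict
from itertools import combinations

# Accounting duties grouped into the three functions the slides keep apart.
ACCOUNTING_FUNCTIONS = {
    "authorization": {"authorize transactions"},
    "recording": {"prepare source documents", "maintain ledgers",
                  "prepare reconciliations", "prepare performance reports"},
    "custody": {"handle cash", "handle inventory", "write checks",
                "receive checks in mail"},
}

# Systems-function duties: each IS function on the slide is its own
# category, so holding duties from any two of them is a conflict.
SYSTEMS_FUNCTIONS = {name: {name} for name in (
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control")}


def function_of(duty: str, functions: dict) -> str:
    """Map a duty to its function category; unknown duties are an error
    rather than silently treated as harmless."""
    for function, duties in functions.items():
        if duty in duties:
            return function
    raise KeyError(f"duty not classified: {duty!r}")


def find_conflicts(assignments: dict, functions: dict) -> dict:
    """Return {employee: [(function, function), ...]} for every employee
    whose duties fall into two or more incompatible functions."""
    conflicts = {}
    for employee, duties in assignments.items():
        held = sorted({function_of(d, functions) for d in duties})
        if len(held) >= 2:
            conflicts[employee] = list(combinations(held, 2))
    return conflicts


def check_transactions(transactions: list) -> list:
    """Return (transaction id, person, functions) for each transaction where
    the same person performed two or more of authorize / record / custody."""
    flagged = []
    for txn in transactions:
        actors = {"authorization": txn["authorized_by"],
                  "recording": txn["recorded_by"],
                  "custody": txn["custody_by"]}
        by_person = defaultdict(list)
        for function, person in actors.items():
            by_person[person].append(function)
        for person, funcs in by_person.items():
            if len(funcs) >= 2:
                flagged.append((txn["id"], person, tuple(funcs)))
    return flagged


# Constructed sample data (not real employees or transactions).
SAMPLE_ASSIGNMENTS = {
    "alice": {"handle cash", "receive checks in mail"},       # custody only
    "bob": {"maintain ledgers", "prepare reconciliations"},   # recording only
    "carol": {"authorize transactions"},                      # authorization only
    "dave": {"receive checks in mail", "maintain ledgers"},   # custody + recording (slide's first example problem)
    "erin": {"authorize transactions", "write checks"},       # authorization + custody (second example problem)
}

SAMPLE_IS_ASSIGNMENTS = {
    "frank": {"programming"},
    "grace": {"programming", "computer operations"},   # can change programs and run them against live data
}

SAMPLE_TRANSACTIONS = [
    {"id": "T1", "authorized_by": "carol", "recorded_by": "bob", "custody_by": "alice"},
    {"id": "T2", "authorized_by": "erin", "recorded_by": "bob", "custody_by": "erin"},
]

if __name__ == "__main__":
    for who, pairs in find_conflicts(SAMPLE_ASSIGNMENTS, ACCOUNTING_FUNCTIONS).items():
        print(f"accounting conflict: {who} holds {pairs}")
    for who, pairs in find_conflicts(SAMPLE_IS_ASSIGNMENTS, SYSTEMS_FUNCTIONS).items():
        print(f"systems conflict: {who} holds {pairs}")
    for txn_id, who, funcs in check_transactions(SAMPLE_TRANSACTIONS):
        print(f"transaction {txn_id}: {who} performed {funcs}")
```

The static check is what an access review runs against the role table; the transaction check is the compensating detective control for the cases where a conflicting assignment was granted anyway, and both refuse to classify an unknown duty so that a new duty cannot slip past the rule unnoticed.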
CONTROL ACTIVITIES
3. Project Development and Acquisition Controls
▫  It’s important to have a formal, appropriate, and proven
methodology to govern the development, acquisition,
implementation, and maintenance of information systems and
related technologies.
▫  Should contain appropriate controls for:
–  Management review and approval
–  User involvement
–  Analysis
–  Design
–  Testing
–  Implementation
–  Conversion
CONTROL ACTIVITIES
4. Change Management Controls
▫  Organizations constantly modify their
information systems to reflect new business
practices and take advantage of information
technology advances.
▫  Change management is the process of making
sure that the changes do not negatively affect:
–  Systems reliability
–  Security
–  Confidentiality
–  Integrity
–  Availability
CONTROL ACTIVITIES
5. Design and Use of Adequate Documents and
Records
▫  Proper design and use of documents and records helps
ensure accurate and complete recording of all relevant
transaction data.
▫  Form and content should be kept as simple as possible to:
–  Promote efficient record keeping
–  Minimize recording errors
–  Facilitate review and verification
▫  Documents that initiate a transaction should contain a
space for authorization.
▫  Those used to transfer assets should have a space for the
receiving party’s signature.
CONTROL ACTIVITIES
6. Safeguard Assets, Records, and Data
▫  When people consider safeguarding assets, they most
often think of cash and physical assets, such as
inventory and equipment.
▫  Another company asset that needs to be protected is
information.
CONTROL ACTIVITIES
7. Independent checks
▫  Top-level reviews
▫  Analytical reviews
▫  Reconciliation of independently maintained sets
of records
▫  Comparison of actual quantities with recorded
amounts
▫  Double-entry accounting
▫  Independent review
8. INFORMATION AND COMMUNICATION
•  The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.
•  So accountants must understand how:
▫  Transactions are initiated
▫  Data are captured in or converted to machine-
readable form
▫  Computer files are accessed and updated
▫  Data are processed
▫  Information is reported to internal and
external parties
9. MONITORING
•  Monitoring can be accomplished with a series of
ongoing events or by separate evaluations
•  Key methods of monitoring performance include:
▫  Perform ERM evaluation (e.g., internal audit)
▫  Implement effective supervision
▫  Use responsibility accounting (e.g., budgets)
▫  Monitor system activities
▫  Track purchased software
▫  Conduct periodic audits (e.g., external, internal, network
security)
▫  Employ a computer security officer and security consultants
▫  Engage forensic specialists
▫  Install fraud detection software
▫  Implement a fraud hotline
Key Terms
•  Threat or Event
•  Exposure or impact
•  Likelihood
•  Internal controls
•  Preventive controls
•  Detective controls
•  Corrective controls
•  General controls
•  Application controls
•  Sarbanes-Oxley Act (SOX)
•  Control Objectives for Information and Related Technology (COBIT)
•  Committee of Sponsoring Organizations (COSO)
•  Enterprise Risk Management Integrated Framework (ERM)
•  Internal environment
•  Risk appetite
•  Strategic objectives
•  Operations objectives
•  Reporting objectives
•  Compliance objectives
•  Event
•  Inherent risk
•  Residual risk
•  Expected loss
•  Control activities
•  Specific authorization
•  General authorization
•  Segregation of accounting duties
•  Segregation of systems duties
•  Change management
