Chapter 4

Internal Control & Accounting


Information Systems

By:- Wondwossen Jerene


Department of Accounting and Finance
Arba Minch University

Advanced Accounting Information System


MSc. Accounting and Finance (1st year)
Agenda
 AIS Threats
 Internal Controls
 General controls for
information systems
 Contingency management
AIS Threats
Natural and political
disasters:
– fire or excessive heat
– floods
– earthquakes
– high winds
– war
AIS Threats
 Software errors and
equipment malfunctions
– hardware failures
– power outages and fluctuations
– undetected data transmission
errors
AIS Threats
 Unintentional acts
• accidents caused by
human carelessness
• innocent errors of omissions
• lost or misplaced data
• logic errors
• systems that do not meet
company needs
AIS Threats
 Intentional acts
• sabotage
• computer fraud
• embezzlement
• confidentiality breaches
• data theft
Agenda
 AIS Threats
 Internal Control
 Cost-benefit Analysis
 General controls for
information systems
 Contingency management
Internal Control
The COSO (Committee of Sponsoring Organizations)
study defines internal control as the process
implemented by the board of directors, management,
and those under their direction to provide reasonable
assurance that control objectives are achieved with
regard to:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations
 The Committee of Sponsoring Organizations
(COSO) is a private sector group consisting of
five organizations:
1 American Accounting Association
2 American Institute of Certified Public
Accountants
3 Institute of Internal Auditors
4 Institute of Management Accountants
5 Financial Executives Institute
Internal Control Classifications
 The specific control procedures used in
the internal control and management
control systems may be classified using
the following four internal control
classifications:
1 Preventive, detective, and corrective
controls
2 General and application controls
3 Administrative and accounting controls
4 Input, processing, and output controls
Types of Controls
 Preventive: deter problems
before they arise
 segregating duties
 Detective: discover control
problems as soon as they arise
 bank reconciliation
 Corrective: remedy problems
discovered with detective controls
 file backups
Internal Control Model
 COSO’s internal control model has
five crucial components:
1 Control environment
2 Control activities
3 Risk assessment
4 Information and communication
5 Monitoring
1.The Control Environment
The control environment consists of many
factors, including the following:
1 Commitment to integrity and ethical
values
2 Management’s philosophy and
operating style
3 Organizational structure
1.The Control Environment…
4 The audit committee of the board
of directors
5 Methods of assigning authority
and responsibility
6 Human resources policies and
practices
7 External influences
2. Control Activities
Generally, control activities fall into one of five
categories:
1 Proper authorization of transactions and
activities
2 Segregation of duties
3 Design and use of adequate documents and
records
4 Adequate safeguards of assets and records
5 Independent checks on performance
2.1 Proper Authorization of
Transactions and Activities
 Authorization is the empowerment
management gives employees to
perform activities and make
decisions.
 Digital signature or fingerprint is a
means of signing a document with a
piece of data that cannot be forged.
 Specific authorization is the granting
of authorization by management for
certain activities or transactions.
2.2. Segregation of Duties

 Good internal control demands that
no single employee be given too
much responsibility.
 An employee should not be in a
position to perpetrate and conceal
fraud or unintentional errors.
Segregation of Duties
Custodial Functions:
– Handling cash
– Handling assets
– Writing checks
– Receiving checks in mail
Authorization Functions:
– Authorization of transactions
Recording Functions:
– Preparing source documents
– Maintaining journals
– Preparing reconciliations
– Preparing performance reports
Segregation of Duties
 If two of these three functions are the
responsibility of a single person,
problems can arise.
 Segregation of duties prevents employees
from falsifying records in order to conceal
theft of assets entrusted to them.
 Segregation of duties also prevents the
authorization of a fictitious or inaccurate
transaction as a means of concealing asset thefts.
Segregation of Duties
 Segregation of duties prevents an
employee from falsifying records to
cover up an inaccurate or false
transaction that was inappropriately
authorized.
2.3. Design and Use of Adequate
Documents and Records
 The proper design and use of
documents and records helps ensure
the accurate and complete recording
of all relevant transaction data.
 Documents that initiate a transaction
should contain a space for
authorization.
Design and Use of Adequate
Documents and Records
 The following procedures safeguard
assets from theft, unauthorized use, and
vandalism:
– effectively supervising and segregating
duties
– maintaining accurate records of assets,
including information
– restricting physical access to cash and
paper assets
– having restricted storage areas
2.4. Adequate Safeguards of Assets and Records
 What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms,
computer files, and information
2.5. Independent Checks on Performance
 Independent checks to ensure that
transactions are processed
accurately are another important
control element.
 What are various types of
independent checks?
– reconciliation of two independently
maintained sets of records
– comparison of actual quantities
with recorded amounts
Independent Checks on Performance…
– double-entry accounting
– batch totals
 Five batch totals are used in
computer systems:
1 A financial total is the sum of a
dollar field.
2 A hash total is the sum of a field
that would usually not be added.
Independent Checks on Performance...
3 A record count is the number of
documents processed.
4 A line count is the number of lines
of data entered.
5 A cross-footing balance test
compares the grand total of all the
rows with the grand total of all the
columns to check that they are
equal.
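As an added example (not part of the lecture slides), the five batch totals listed above computed over a constructed batch of invoice records and used as an independent check that the batch handed to processing is the batch that was entered. The record layout, field names and amounts are constructed for illustration; the hash total is taken over the customer account number, a field that means nothing when summed but changes whenever a record is lost or altered.

```python
# Added example (not from the lecture slides): batch totals as an
# independent check on performance. Sample data is constructed.
from decimal import Decimal

# Constructed sample batch: four invoice records, each with one or more lines.
BATCH = [
    {"invoice": "INV-1001", "account": 4412, "lines": [Decimal("120.00"), Decimal("30.50")]},
    {"invoice": "INV-1002", "account": 2190, "lines": [Decimal("75.25")]},
    {"invoice": "INV-1003", "account": 3305, "lines": [Decimal("10.00"), Decimal("10.00"), Decimal("5.75")]},
    {"invoice": "INV-1004", "account": 4412, "lines": [Decimal("200.00")]},
]

# Constructed report that carries its own row and column totals, for the
# cross-footing test.
REPORT = {"cells": [[100, 50], [30, 20]], "row_totals": [150, 50], "col_totals": [130, 70]}


def batch_totals(records):
    """Compute the four batch-level control totals for a list of records.

    financial_total: sum of a dollar field (every invoice line amount)
    hash_total:      sum of a field that is not normally added (account number)
    record_count:    number of documents in the batch
    line_count:      number of data lines across all documents
    """
    return {
        "financial_total": sum((sum(r["lines"]) for r in records), Decimal("0")),
        "hash_total": sum(r["account"] for r in records),
        "record_count": len(records),
        "line_count": sum(len(r["lines"]) for r in records),
    }


def cross_foot(report):
    """Cross-footing balance test: the grand total of the row totals must
    equal the grand total of the column totals."""
    return sum(report["row_totals"]) == sum(report["col_totals"])


def check_batch(received, control):
    """Recompute the totals over the received batch and return the names of
    the totals that differ from the control totals taken at data entry."""
    got = batch_totals(received)
    return sorted(name for name, expected in control.items() if got[name] != expected)


def demo():
    control = batch_totals(BATCH)  # control totals taken when the batch was entered

    # A transposed account number (2190 -> 2910) leaves the dollar total and
    # both counts unchanged; only the hash total exposes it.
    transposed = [dict(r) for r in BATCH]
    transposed[1]["account"] = 2910

    # A record lost between entry and processing changes every total.
    lost = BATCH[:-1]

    return {
        "control": control,
        "transposed": check_batch(transposed, control),
        "lost": check_batch(lost, control),
        "cross_foot_ok": cross_foot(REPORT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of keeping all four totals rather than only the financial total is visible in the two damaged batches: a transposition in a non-dollar field is caught by the hash total alone, while a dropped record disturbs every total, which tells the reviewer what kind of error to look for.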
3. Risk Assessment
 The third component of COSO’s internal
control model is risk assessment.
 Companies must identify the threats they
face:
– strategic — doing the wrong thing
– financial — having financial resources
lost, wasted, or stolen
– information — faulty or irrelevant
information, or unreliable systems
Risk Assessment
 Companies that implement electronic
data interchange (EDI) must identify
the threats the system will face, such
as:
1 Choosing an inappropriate
technology
2 Unauthorized system access
3 Tapping into data transmissions
4 Loss of data integrity
Risk Assessment
5 Incomplete transactions
6 System failures
7 Incompatible systems
Risk Assessment
 Some threats pose a greater risk
because their probability of
occurrence is higher.
 What is an example?
 A company is more likely to be the
victim of a computer fraud rather
than a terrorist attack.
 Risk and exposure must be
considered together.
Cost and Benefits
 Benefit of control
procedure is difference
between
 expected loss with control
procedure(s)
 expected loss without it
Loss / Fraud Conditions
 Threat: potential adverse
or unwanted event that can
be injurious to AIS
 Exposure: potential maximum
$ loss if event occurs
 Risk: likelihood that event will occur

 Expected Loss: Risk * Exposure


Loss / Fraud Conditions
For each AIS threat:
Exposure × Risk = Expected Loss
where Exposure is the maximum loss ($), Risk is the likelihood of the event occurring, and Expected Loss is the potential $ loss.
Exposures
Threat         Symbol   Possible Exposure   Risk
Disaster       D        H                   L+
Power Outage   O        M                   H
System Down    H        L                   L
Human Error    E        M                   M
Fraud          F        M                   L
Data Theft     T        L                   M
Sabotage       S        H                   L
Risk Assessment of Controls
Threat → Risk and Exposure → Control Needs → Cost → Beneficial?
– Yes → Implement
– No → Costs outweigh the benefit (do not implement)
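As an added example (not from the slides), the expected-loss and cost-benefit rule from the preceding slides turned into the decision procedure of the flowchart. The slides rate exposure and risk only as H, M or L, so every dollar figure, probability, control name and control cost below is a constructed assumption used to show the arithmetic, not data from the lecture.

```python
# Added example (not from the lecture slides): Expected Loss = Risk x
# Exposure, benefit = expected loss without the control minus expected loss
# with it, implement when benefit exceeds cost. All numbers are constructed.

# Threat symbols from the slide table; exposure ($) and annual risk
# (probability) are constructed assumptions.
THREATS = {
    "D": ("Disaster", 1_000_000, 0.01),
    "O": ("Power Outage", 20_000, 0.80),
    "F": ("Fraud", 100_000, 0.05),
}

# Constructed candidate controls: each lowers exposure and/or risk for one
# threat at an annual cost.
CONTROLS = [
    {"name": "Off-site backups", "threat": "D", "exposure": 200_000, "risk": 0.01, "cost": 3_000},
    {"name": "UPS + generator", "threat": "O", "exposure": 20_000, "risk": 0.05, "cost": 5_000},
    {"name": "Surprise audits", "threat": "F", "exposure": 100_000, "risk": 0.01, "cost": 8_000},
]


def expected_loss(exposure, risk):
    """Expected Loss = Risk x Exposure, as defined on the slide."""
    return exposure * risk


def control_benefit(threat_symbol, control):
    """Benefit of a control procedure: expected loss without it minus the
    expected loss that remains with it in place."""
    _, exposure, risk = THREATS[threat_symbol]
    without = expected_loss(exposure, risk)
    with_control = expected_loss(control["exposure"], control["risk"])
    return without - with_control


def evaluate(controls=CONTROLS):
    """Walk the flowchart for each control: compare benefit with cost and
    decide whether to implement. Returns {name: (benefit, cost, implement)}."""
    decisions = {}
    for c in controls:
        benefit = control_benefit(c["threat"], c)
        decisions[c["name"]] = (round(benefit, 2), c["cost"], benefit > c["cost"])
    return decisions


if __name__ == "__main__":
    for name, (benefit, cost, implement) in evaluate().items():
        print(f"{name:18s} benefit={benefit:>10,.2f} cost={cost:>8,} implement={implement}")
```

With these constructed figures the fraud control is rejected even though fraud is the more likely event: its benefit (4,000) is below its cost (8,000), which is exactly the "risk and exposure must be considered together" point made above.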
4. Information and Communication
 The fourth component of COSO’s
internal control model is information
and communication.
 Accountants must understand the
following:
1 How transactions are initiated
2 How data are captured in machine-
readable form or converted from
source documents
Information and Communication
3 How computer files are accessed and
updated
4 How data are processed to prepare
information
5 How information is reported
6 How transactions are initiated
 All of these items make it possible for the
system to have an audit trail.
 An audit trail exists when individual
company transactions can be traced
through the system.
5. Monitoring Performance
 The fifth component of COSO’s
internal control model is monitoring.
 What are the key methods of
monitoring performance?
– effective supervision
– responsibility accounting
– internal auditing
Agenda
 AIS Threats
 Internal Controls
 General controls for
information systems
 Contingency management
General Controls
 General controls ensure that overall
computer environment is stable
and well managed
 General control categories:
1 Developing a security plan
2 Segregation of duties within the
systems function
General Controls
3 Project development controls
4 Physical access controls
5 Logical access controls
6 Data storage controls
7 Data transmission controls
8 Documentation standards
9 Minimizing system downtime
General Controls
10. Protection of personal computers
and client/server networks
11. Internet controls
12. Disaster recovery plans
Security Plan
 Developing and continuously
updating a comprehensive
security plan is one of the most
important controls for a company
 Questions to be asked:
 Who needs access to what information?
 When do they need it?
 On which systems does the information
reside?
Segregation of Duties
 In AIS, procedures that
used to be performed by
separate individuals are combined
 A person with unrestricted access
 to the computer,
 its programs,
 and live data
 has the opportunity to both perpetrate
and conceal fraud
Segregation of Duties
 To combat this threat,
organizations must
implement compensating
control procedures
 Authority and responsibility
must be clearly divided
NOTE: must change with increasing
levels of automation
Segregation of Duties
Divide the following functions:
• Systems analysis
• Programming
• Computer operations
• Users
• AIS library
• Data control
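As an added example (not from the slides), a segregation-of-duties check that flags anyone holding two or more functions that the slides say must be kept apart. It serves both groupings on this page: the custody / authorization / recording triad from the earlier "Segregation of Duties" slides, and the six systems-function duties listed just above. Treating every pair of functions within a grouping as incompatible, and the people, assignments and compensating control below, are constructed assumptions for the example.

```python
# Added example (not from the lecture slides): detect people who hold
# incompatible duties, then list the conflicts that no documented
# compensating control procedure covers. Sample data is constructed.
from itertools import combinations

ACCOUNTING_TRIAD = frozenset({"custody", "authorization", "recording"})
SYSTEMS_FUNCTIONS = frozenset({
    "systems analysis", "programming", "computer operations",
    "users", "AIS library", "data control",
})
# Assumption for this example: any two functions from the same grouping
# held by one person are a conflict.
INCOMPATIBLE_GROUPS = (ACCOUNTING_TRIAD, SYSTEMS_FUNCTIONS)

# Constructed role assignments: person -> set of functions held.
ASSIGNMENTS = {
    "alice": {"custody", "recording"},                  # holds assets and keeps the records for them
    "bob": {"authorization", "users"},                  # different groupings: no conflict
    "carol": {"programming", "computer operations"},    # can change programs and run them on live data
    "dave": {"recording"},
}

# Constructed compensating controls already in place: (person, pair) -> control.
COMPENSATING = {
    ("carol", ("computer operations", "programming")):
        "program changes are reviewed and released by the AIS librarian",
}


def conflicts(assignments):
    """Return sorted (person, function_a, function_b) triples for every pair
    of incompatible functions a single person holds."""
    found = []
    for person, functions in assignments.items():
        for group in INCOMPATIBLE_GROUPS:
            for a, b in combinations(sorted(functions & group), 2):
                found.append((person, a, b))
    return sorted(found)


def unmitigated(assignments, compensating):
    """Conflicts with no compensating control procedure documented: these
    still let one person both perpetrate and conceal an error or fraud."""
    return [c for c in conflicts(assignments)
            if (c[0], (c[1], c[2])) not in compensating]


if __name__ == "__main__":
    print("conflicts:", conflicts(ASSIGNMENTS))
    print("unmitigated:", unmitigated(ASSIGNMENTS, COMPENSATING))
```

The second function is the small-firm answer the slide asks about: when headcount does not allow full separation, the conflict is still recorded, and the compensating control that covers it is recorded next to it, so a reviewer sees which combinations remain uncovered as automation changes who can do what.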
Duty Segregation
Analyze → Design Specs → Program → Programs → Operate → Output → Use
Archive (programs and specs)
What about small firms?
Project Development
Controls
 Long-range master plan
 Project development plan
 Periodic performance
evaluation
 Post-implementation review
 System performance
measurements
Development Controls
Master Development Plan → Project Development Plan → Periodic Performance Review → Post-Implementation Review → Performance Measures
PROJECT STARTED → PROJECT COMPLETED → SYSTEM OPERATION
Physical Access Controls
 Placing computer equipment
in locked rooms and restricting
access to authorized personnel
 Having only one or two
entrances to computer room
 Requiring proper employee ID
 Requiring visitors to sign log
 Installing locks on PCs
Logical Access Controls
 Users should be allowed access only to
the data they are authorized to use and
then only to perform specific authorized
functions.
 What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests
Access Control Matrix
Password   File A   File B   Program 1   Program 2
ABC        0        1        0           0
DEF        1        2        0           0
KLM        1        1        1           1
NOP        3        0        3           0
0 – No access          2 – Update
1 – Read / display     3 – Create / delete
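As an added example (not from the slides), the access control matrix above enforced as a compatibility test: each requested action is checked against the code the matrix holds for that row and resource. Two assumptions the slide does not state: the codes are cumulative (2 includes 1, and 3 includes 2 and 1), and anything the matrix does not list is denied. The row key is the slide's PASSWORD column, used here only as the identifier of the matrix row; the access log and the requests in the demo are constructed.

```python
# Added example (not from the lecture slides): a compatibility test over the
# slide's access control matrix, with a log of decisions as a detective control.
MATRIX = {
    "ABC": {"file A": 0, "file B": 1, "program 1": 0, "program 2": 0},
    "DEF": {"file A": 1, "file B": 2, "program 1": 0, "program 2": 0},
    "KLM": {"file A": 1, "file B": 1, "program 1": 1, "program 2": 1},
    "NOP": {"file A": 3, "file B": 0, "program 1": 3, "program 2": 0},
}

# Minimum code each action requires, from the legend under the matrix.
# Assumption: codes are cumulative, so a higher code grants the lower actions.
REQUIRED_CODE = {"read": 1, "display": 1, "update": 2, "create": 3, "delete": 3}

ACCESS_LOG = []  # every decision is recorded so denials can be reviewed later


def compatibility_test(row, resource, action):
    """Allow the action only if the matrix code for (row, resource) is at
    least the code the action requires. Unknown rows, resources or actions
    fail closed (denied)."""
    code = MATRIX.get(row, {}).get(resource, 0)
    needed = REQUIRED_CODE.get(action)
    allowed = needed is not None and code >= needed
    ACCESS_LOG.append((row, resource, action, "ALLOW" if allowed else "DENY"))
    return allowed


def denied_attempts(log=ACCESS_LOG):
    """Denied requests grouped by row: the entries a reviewer looks at first."""
    out = {}
    for row, resource, action, decision in log:
        if decision == "DENY":
            out.setdefault(row, []).append((resource, action))
    return out


if __name__ == "__main__":
    # Constructed requests exercising each kind of outcome.
    for request in [("DEF", "file B", "update"), ("DEF", "file B", "delete"),
                    ("NOP", "file A", "delete"), ("KLM", "program 1", "update"),
                    ("ZZZ", "file A", "read"), ("ABC", "file B", "format")]:
        print(request, "ALLOW" if compatibility_test(*request) else "DENY")
    print("denied:", denied_attempts())
```

Failing closed matters more than it looks: the two requests that the matrix says nothing about (an unknown row and an unknown action) are denied for the same reason as an explicit code 0, so a typo or a new resource never turns into silent access.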
Data Storage Controls
 Information gives company
competitive edge and makes
it viable
 Company should identify
types of data used and level
of protection required for each
 Company must also document
steps taken to protect data
 e.g., off-site storage
Data Transmission
Controls
 Reduce risk of data
transmission failures
– data encryption (cryptography)
– routing verification procedures
– parity bits
– message acknowledgment techniques
Information Transmission System
Information Source → Message → Transmitter → Signal → Channel → Receiver → Message → Destination
Noise (enters at the channel)
Information Transmission Controls
SEND: Message → Parity Bit → Encrypt → [channel] → Decrypt → RECEIVE: Message
Controls applied: Parity Bit, Data Encryption, Routing Verification, Message Acknowledgement
Even Parity Bit System
Message in binary: 1 0 1 1 0 1 1 0 (there are five “1” bits in the message)
Parity bit: 1 (a “1” placed in the parity bit to make an even number of “1”s)
Message with parity bit: 1 0 1 1 0 1 1 0 1
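As an added example (not from the slides), the even parity scheme of the diagram combined with the message acknowledgement technique from the transmission-controls list, so the two controls can be seen working together. The message bits are the slide's; the ACK/NAK reply, the bit-flip helper that stands in for channel noise, and the function names are constructed for the example.

```python
# Added example (not from the lecture slides): even parity plus
# acknowledgement on a simulated noisy channel.

MESSAGE = [1, 0, 1, 1, 0, 1, 1, 0]   # the slide's message: five "1" bits


def parity_bit(bits):
    """Even parity: the bit is 1 when the message has an odd number of 1s,
    so the frame (message + parity bit) always carries an even number of 1s."""
    return sum(bits) % 2


def add_parity(bits):
    """Sender side: append the parity bit to the message."""
    return list(bits) + [parity_bit(bits)]


def parity_ok(frame):
    """Receiver side: a frame passes when its 1s count is even."""
    return sum(frame) % 2 == 0


def flip(frame, *positions):
    """Simulate channel noise by inverting the bits at the given positions."""
    damaged = list(frame)
    for p in positions:
        damaged[p] ^= 1
    return damaged


def receive(frame):
    """Check parity, then acknowledge: ("ACK", message) when the frame passes,
    ("NAK", None) when the sender must retransmit."""
    if parity_ok(frame):
        return "ACK", frame[:-1]
    return "NAK", None


def exchange(message, noise_positions=()):
    """One send/receive round. Returns the transmitted frame and the reply."""
    frame = add_parity(message)
    return frame, receive(flip(frame, *noise_positions))


if __name__ == "__main__":
    print(exchange(MESSAGE))           # clean channel: ACK
    print(exchange(MESSAGE, (2,)))     # one bit flipped: NAK, sender retransmits
    print(exchange(MESSAGE, (2, 5)))   # two bits flipped: parity still even, passes as ACK
```

The third call is the caveat a reviewer should attach to this control: a single parity bit detects any odd number of flipped bits and misses any even number, so it is a detective control for transmission noise, not for deliberate alteration. That is why the slide's control list pairs it with encryption, routing verification and acknowledgement rather than relying on it alone.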
Data Transmission Controls
 Added importance when
using electronic data
interchange (EDI) or
electronic funds transfer (EFT)
 In these types of environments,
sound internal control is achieved
using control procedures
Symmetric Encryption
Sender: Clear Text Message → encrypt → ... → decrypt → Receiver: Clear Text Message
Identical keys at sender and receiver
Agenda
 AIS Threats
 Control concepts
 General controls for
information systems
 Contingency management
Contingency Management
 Disaster Recovery is reactive
 Contingency Management is proactive
 Continuity Planning is the latest term
 Accounting standards in terms
of Disaster Recovery
….. END of Ch-4 …..
