
Chapter 10

Accounting Information Systems & Internal Controls

Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Learning Objectives
• LO#1 Explain essential control concepts and why a code of ethics and internal controls are important.
• LO#2 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk management framework.
• LO#3 Describe the overall COBIT framework and its implications for IT governance.
• LO#4 Describe other governance frameworks related to information systems management and security.

LO# 1

Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
The Need for a Code of Ethics
• Ethical behavior prompted by a code of ethics can be considered a form of internal control.
• Employees with different cultural backgrounds are likely to have different values.
• Many professional associations have developed codes of ethics to assist professionals in selecting among decisions that are not clearly right or wrong.

LO# 1

Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
Examples:
• the American Institute of Certified Public Accountants (AICPA)
• the Information Systems Audit and Control Association (ISACA)
• the Institute of Internal Auditors (IIA)
• the Institute of Management Accountants (IMA)

LO# 1

Sarbanes-Oxley Act 2002

• SOX requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting.
• Established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms.
• PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls.

LO# 1

Corporate Governance

• A set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders.
• Promotes accountability, fairness, and transparency in the organization’s relationship with its stakeholders.

LO# 1

Overview of Control Concepts

• Internal control involves the processes that an organization implements to safeguard assets, provide accurate and reliable information, promote operational efficiency, enforce prescribed managerial policies, and comply with applicable laws and regulations.
• According to SOX, the establishment and maintenance of internal controls is a management responsibility.

LO# 1

Overview of Control Concepts

Three main functions of internal control:
• Preventive controls deter problems before they arise (e.g., authorization).
• Detective controls find problems when they arise (e.g., bank reconciliations and monthly trial balances).
• Corrective controls fix problems that have been identified (e.g., backup files to recover corrupted data).

LO# 1

Overview of Control Concepts

Computerized environment:
• General controls pertain to enterprise-wide issues such as controls over accessing the network, developing and maintaining applications, documenting changes to programs, etc.
• Application controls are specific to a subsystem or an application and ensure the validity, completeness and accuracy of the transactions.

LO# 2

Commonly used Internal Control Frameworks
• The SEC requires management to evaluate internal controls based on a recognized control framework.
• COSO Internal Control framework
- COSO: Committee of Sponsoring Organizations of the Treadway Commission
- Sponsoring organizations: AAA, AICPA, FEI, IIA, and IMA
- The COSO Internal Control framework is one of the most widely accepted authorities on internal control, providing a baseline for evaluating, reporting, and improving internal control.

LO# 2

Commonly used Internal Control Frameworks
• COSO 2.0
• COSO ERM framework: focuses on the strategic alignment of the firm’s mission with its risk appetite.
• Control Objectives for Information and related Technology (COBIT): a control framework for the governance and management of enterprise IT.
• Information Technology Infrastructure Library (ITIL): a set of concepts and practices for IT service management.
• International Organization for Standardization (ISO) 27000 Series: addresses information security issues.

LO# 2

COSO Internal Control Framework (COSO 2.0)


1. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
2. Internal control is affected by people. It is not merely about policy manuals, systems and forms. Rather, it is about people at every level of a firm that impact internal control.
3. Internal control can provide reasonable assurance, not absolute assurance, to an entity’s management and board.
4. Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories.
5. Internal control is adaptable to the entity structure.
LO# 2

COSO Internal Control Framework (COSO 2.0)

Three categories of objectives:
• Operations Objectives – effectiveness and efficiency of a firm’s operations on financial performance goals and safeguarding assets
• Reporting Objectives – reliability of reporting, including internal and external financial and non-financial reporting
• Compliance Objectives – adherence to applicable laws and regulations

LO# 2

COSO 2.0

Five components of internal control:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities

LO# 2

Control Environment

• Sets the tone of a firm, influences the control consciousness of its employees, and establishes the foundation for the internal control system.
• Includes management's philosophy and operating style, integrity and ethical values of employees, organizational structure, the role of the audit committee, proper board oversight for the development and performance of internal control, and personnel policies and practices.

LO# 2

Risk Assessment

• A dynamic process for identifying and analyzing a firm’s risks from external and internal environments.
• Allows a firm to understand the extent to which potential events might affect corporate objectives.
• Risks are analyzed after considering the likelihood of occurrence and the potential loss. The analysis serves as a basis for determining how the risks should be managed.

LO# 2

Control Activities

• A firm must establish control policies, procedures, and practices that ensure the firm’s objectives are achieved and risk mitigation strategies are carried out.
• Occur throughout a firm at all levels and in all functions.

LO# 2

Information and Communication

• Supports all other control components by communicating effectively to ensure information flows down, across, and up the firm, and by interacting with external parties such as customers, suppliers, regulators, and shareholders to inform them about related policy positions.

LO# 2

Monitoring Activities

• The design and effectiveness of internal controls should be monitored by management and other parties outside the process on an ongoing basis.
• Findings should be evaluated and deficiencies must be communicated in a timely manner.
• Necessary modifications should be made to improve the business process and the internal control system.

LO# 2

COSO Enterprise Risk Management—Integrated Framework

LO# 2

COSO Enterprise Risk Management—Integrated Framework
• COSO indicates that:
- ERM identifies potential events that may affect the firm
- ERM manages risk to be within the firm’s risk appetite
- ERM provides reasonable assurance regarding the achievement of the firm’s objectives
• In addition to internal controls, COSO ERM expands the COSO Internal Control framework to provide a broader view on risk management to maximize firm value.

LO# 2

COSO Enterprise Risk Management—Integrated Framework
Four categories of objectives:
• Strategic — high-level goals, aligned with and supporting the firm’s mission and vision
• Operations — effectiveness and efficiency of operations
• Reporting — reliability of internal and external reporting
• Compliance — compliance with applicable laws and regulations

LO# 2

COSO Enterprise Risk Management—Integrated Framework
Eight components of internal control:
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

LO# 2

Objective Setting

• Objectives are set at the strategic level, establishing a basis for operations, reporting and compliance; the chosen objectives should support and align with the firm's mission and be consistent with its risk appetite.
• Based on the firm’s mission and vision, management sets specific objectives before identifying potential events affecting their achievement. Management should have in place a process to set strategic, operations, reporting, and compliance objectives.

LO# 2

Event Identification

• After identifying all possible events, management must distinguish between risks and opportunities.
• Opportunities are channeled back to management's strategy or objective-setting processes.
• Identified risks should be forwarded to the next stage for assessment and be managed according to the firm’s risk appetite.

LO# 2

Risk Response

• Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances and risk appetite.
• The four options to respond to risks are: reducing, sharing, avoiding, and accepting risks.

LO# 2

Risk Assessment and Risk Response

• Given AS 5, risk assessment is also a first step in developing an audit plan to meet the mandate of SOX Section 404.
• According to COSO ERM, the risks of an identified event are analyzed on an inherent, control, and residual basis.
• Inherent risk: the risk that already exists before management takes any action to address it.
• Control risk: the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system.
• Residual risk: the product of inherent risk and control risk.

LO# 2

Risk Assessment and Risk Response

(1) Reduce risks by designing effective business processes and implementing internal controls.
(2) Share risks by outsourcing business processes, buying insurance, or entering into hedging transactions.
(3) Avoid risks by not engaging in the activities that would produce the risk.
(4) Accept risk by relying on natural offsets of the risk within a portfolio, or by tolerating the likelihood and impact of the risk.

LO# 2

Process to Assess Risks

LO# 2

Risk Assessment and Risk Response

• Cost and benefit analysis is important in determining whether to implement an internal control.
• The benefits of an internal control should exceed its costs.
• One way to measure the benefit of a control is to multiply the estimated impact of a risk by the decrease in its likelihood if the control is implemented.
• Expected benefit of an internal control = Impact × Decreased Likelihood

LO# 2

Control Activities

Physical Controls: mainly manual but could involve the physical use of computing technology.
- authorization
- segregation of duties
- supervision
- accounting documents and records
- access control
- independent verification

LO# 2

Control Activities

IT controls: processes that provide assurance for information and help to mitigate risks associated with the use of technology.
- IT general controls (ITGC)
  - IT control environment
  - Access controls
  - Change management controls
  - Project development and acquisition controls
  - Computer operations controls
LO# 2

Control Activities

IT controls
- IT application controls
  - Input controls (field checks, size checks, range checks, validity checks, completeness checks, reasonableness checks, check digit verifications, closed-loop verifications)
  - Processing controls (pre-numbered documents, sequence checks, batch totals, cross-footing balance tests, concurrent update controls)
  - Output controls
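As an added example (written for this page, not taken from the slides or from McGraw-Hill), the following Python applies the input controls listed above and three of the processing controls (pre-numbered documents, sequence checks, batch totals) to a constructed batch of journal lines; the Luhn mod-10 check digit scheme, the chart of accounts and the 50,000 range limit are assumptions, since the slides do not specify them.

```python
from typing import Dict, List, Optional
CHART_OF_ACCOUNTS = {"10017", "20016", "40014"}  # constructed; last digit is a Luhn check digit
REQUIRED_FIELDS = ("doc_no", "account", "amount")

def luhn_ok(number: str) -> bool:
    """Check digit verification: mod-10 (Luhn, an assumed scheme) over all digits."""
    digits = [int(c) for c in reversed(number)] if number.isdigit() else [1]  # non-digit input fails
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(digits)) % 10 == 0

def amount_of(rec: Dict[str, str]) -> Optional[float]:
    try:  # field check: the amount must be numeric
        return float(rec.get("amount", ""))
    except ValueError:
        return None

def validate_record(rec: Dict[str, str]) -> List[str]:
    """Input controls for one record; returns the checks that failed (empty list = clean)."""
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:  # completeness check
        return ["missing field(s): " + ", ".join(missing)]
    amount = amount_of(rec)
    if amount is None:
        return ["amount is not numeric"]
    errors = []
    if not 0 < amount <= 50_000:  # range check (assumed per-transaction limit)
        errors.append("amount out of range")
    if not luhn_ok(rec["account"]):  # check digit verification
        errors.append("account check digit invalid")
    elif rec["account"] not in CHART_OF_ACCOUNTS:  # validity check against the chart of accounts
        errors.append("account not in chart of accounts")
    return errors

def check_batch(header: Dict[str, float], records: List[Dict[str, str]]) -> Dict[str, object]:
    """Processing controls: sequence check of pre-numbered documents, record count, batch total."""
    doc_nos = [int(r["doc_no"]) for r in records if r.get("doc_no", "").isdigit()]
    expected = list(range(doc_nos[0], doc_nos[0] + len(records))) if doc_nos else []
    total = sum(a for a in map(amount_of, records) if a is not None)
    return {"sequence_ok": doc_nos == expected,
            "count_ok": len(records) == header["count"],
            "total_ok": abs(total - header["total"]) < 0.005,
            "errors": {r["doc_no"]: e for r in records if (e := validate_record(r))}}

# Constructed batch: a keyed-in control header plus four journal lines, two of them faulty.
BATCH_HEADER = {"count": 4, "total": 1550.00}
BATCH = [
    {"doc_no": "1001", "account": "10017", "amount": "500.00"},
    {"doc_no": "1002", "account": "20016", "amount": "250.00"},
    {"doc_no": "1003", "account": "30016", "amount": "800.00"},  # wrong check digit (30015 is valid)
    {"doc_no": "1005", "account": "40014", "amount": ""},        # sequence gap and missing amount
]
```

Note that the batch total still agrees with the header because the blank amount contributes nothing, which is why the completeness check and the sequence check are needed alongside it.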
LO# 3

COBIT Framework

• IT governance is a subset of corporate governance and includes issues regarding IT management and security.
• IT governance is the responsibility of management, and consists of the leadership, organizational structures and processes that ensure that the firm’s IT sustains and extends its business objectives.
• COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance and management.

LO# 3

COBIT Framework

Governance (firm objectives):
- evaluating stakeholder needs
- setting direction through decision making
- monitoring performance, compliance and progress
Management (activities):
- planning, building, running and monitoring

LO# 3

COBIT Framework

LO# 3

COBIT Framework
• Provides a business focus to align business and IT objectives;
• Defines the scope and ownership of IT process and control;
• Is consistent with accepted IT good practices and standards;
• Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders; and
• Meets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and auditors.

LO# 3

COBIT Framework
Key criteria of business requirements for information:
• Effectiveness – relevant and timely information
• Efficiency – information is produced economically
• Confidentiality – protection of sensitive information
• Integrity – valid, accurate and complete information
• Availability – information is available when needed
• Compliance – information is produced in compliance with laws and regulations
• Reliability – reliable information for daily decision making
LO# 4

Information Technology Infrastructure Library (ITIL)
• A de facto standard in Europe for best practices in IT infrastructure management and service delivery.
• ITIL’s value proposition centers on providing IT services with an understanding of the business objectives and priorities, and of the role that IT services play in achieving those objectives.
• ITIL adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories.

LO# 4

Information Technology Infrastructure Library (ITIL)
• Service Strategy (SS) — the strategic planning of IT service management capabilities and the alignment of IT service and business strategies
• Service Design (SD) — the design and development of IT services and service management processes
• Service Transition (ST) — realizing the requirements of strategy and design, and maintaining capabilities for the ongoing delivery of a service
• Service Operation (SO) — the effective and efficient delivery and support of services, with a benchmarked approach for event, incident, request fulfillment, problem, and access management
• Continual Service Improvement (CSI) — ongoing improvement of the service and the measurement of process performance required for the service
LO# 4

Information Technology Infrastructure Library (ITIL)

LO# 4

International Organization for Standardization (ISO) 27000 Series
• The ISO 27000 series of standards is designed to address information security issues.
• The ISO 27000 series, particularly ISO 27001 and ISO 27002, has become the most recognized and generally accepted set of information security frameworks and guidelines.
• The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS).

LO# 4

International Organization for Standardization (ISO) 27000 Series
