
CHAPTER FOUR

CONTROL AND ACCOUNTING INFORMATION SYSTEMS


Why AIS Threats Are Increasing
Control risks have increased in the last few years because:
• There are computers and servers everywhere, and information is available to an
unprecedented number of workers.
• Distributed computer networks make data available to many users, and these networks
are harder to control than centralized mainframe systems.
• Wide area networks are giving customers and suppliers access to each other’s systems
and data, making confidentiality a major concern.
Historically, many organizations have not adequately protected their data due to one or more
of the following reasons:
– Computer control problems are often underestimated and downplayed.
– Control implications of moving from centralized, host-based computer systems to those
of a networked system or Internet-based system are not always fully understood.
– Companies have not realized that data is a strategic resource and that data security must
be a strategic requirement.
– Productivity and cost pressures may motivate management to forego time-consuming
control measures.
• Some vocabulary terms for this chapter:
– A threat is any potential adverse occurrence or unwanted event that could injure the
AIS or the organization.
– The exposure or impact of the threat is the potential dollar loss that would occur if the
threat becomes a reality.
– The likelihood is the probability that the threat will occur.
Why Control and Security are Important
Companies are now recognizing the problems and taking positive steps to achieve better
control, including:
• Devoting full-time staff to security and control concerns.
• Educating employees about control measures.
• Establishing and enforcing formal information security policies.
• Making controls a part of the applications development process.
• Moving sensitive data to more secure environments.
• To use IT in achieving control objectives, accountants must:
– Understand how to protect systems from threats.
– Have a good understanding of IT and its capabilities and risks.
• Achieving adequate security and control over the information resources of an
organization should be a top management priority.
• Control objectives are the same regardless of the data processing method, but a
computer-based AIS requires different internal control policies and procedures
because:
– Computer processing may reduce clerical errors but increase risks of unauthorized
access or modification of data files.

Accounting Information System- Chapter-4 1



– Segregation of duties must be achieved differently in an AIS.
– Computers provide opportunities for enhancement of some internal controls.
• One of the primary objectives of an AIS is to control a business organization.
• Accountants must help by designing effective control systems and auditing or
reviewing control systems already in place to ensure their effectiveness.
• Management expects accountants to be control consultants by:
– Taking a proactive approach to eliminating system threats; and
– Detecting, correcting, and recovering from threats when they do occur.
• It is much easier to build controls into a system during the initial stage than to add them
after the fact.
• Consequently, accountants and control experts should be members of the teams that
develop or modify information systems.
OVERVIEW OF CONTROL CONCEPTS
• In today’s dynamic business environment, companies must react quickly to changing
conditions and markets, including steps to:
– Hire creative and innovative employees.
– Give these employees power and flexibility to:
• Satisfy changing customer demands;
• Pursue new opportunities to add value to the organization; and
• Implement process improvements.
• At the same time, the company needs control systems so they are not exposed to
excessive risks or behaviors that could harm their reputation for honesty and integrity.
• Internal control is the process implemented by the board of directors, management,
and those under their direction to provide reasonable assurance that the following
control objectives are achieved:
– Assets (including data) are safeguarded: This objective includes prevention or
timely detection of unauthorized acquisition, use, or disposal of material
company assets.
– Records are maintained in sufficient detail to accurately and fairly reflect
company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are prepared in accordance
with IFRS/GAAP.
– Operational efficiency is promoted and improved: This objective includes
ensuring that company receipts and expenditures are made in accordance with
management and directors’ authorizations.
– Adherence to prescribed managerial policies is encouraged.
– The organization complies with applicable laws and regulations.
• Internal control is a process because it permeates an organization’s operating
activities and is an integral part of basic management activities.
• Internal control provides reasonable, rather than absolute, assurance, because
providing complete assurance is difficult or impossible to achieve and prohibitively
expensive. In addition, all internal control systems have inherent limitations, such as
being susceptible to errors and mistakes, faulty judgments and decision making, being
overridden by management, or two or more employees colluding with each other.
• Internal control objectives are often at odds with each other.
– EXAMPLE: Controls to safeguard assets may also reduce operational
efficiency.
Internal controls perform three important functions:
1. Preventive controls: Deter problems before they arise. Hiring highly qualified
personnel, appropriately segregating employees' duties, and effectively controlling
physical access to assets, facilities, and information are effective preventive controls.
2. Detective controls: Discover problems quickly when they do arise. Examples include
duplicate checking of calculations and preparing bank reconciliations and monthly trial
balances.
3. Corrective controls: Remedy control problems that have been discovered. They include
procedures to identify the cause of a problem, correct the resulting errors and
difficulties, and modify the system so that future problems are minimized or
eliminated. Examples include maintaining backup copies of transaction and master
files and adhering to procedures for correcting data entry errors and for
resubmitting transactions for subsequent processing.
Internal controls are often classified as:
1) General controls: are designed to make sure an organization’s control environment is
stable and well managed. They apply to all sizes and types of systems, from large and
complex mainframe systems to client/server systems to desktop and laptop computer
systems. Some of the more important general controls are information system
management controls; security management controls; IT infrastructure controls; and
software acquisition, development, and maintenance controls.
2) Application controls: Prevent, detect, and correct transaction errors and fraud. They
are concerned with accuracy, completeness, validity, and authorization of the data
captured, entered into the system, processed, stored, transmitted to other systems, and
reported.
An effective system of internal controls should exist in all organizations to help them achieve
their missions, as well as their performance and profitability goals, while minimizing
surprises along the way.
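The three control functions and the application-control criteria above (accuracy, completeness, validity, authorization) can be shown concretely in code. The following is an added example written for these notes, not code from the chapter or from any accounting package: it runs a constructed batch of journal entries through preventive input checks (including a segregation-of-duties rule that the preparer of an entry may not also approve it), a detective duplicate check and batch control total, and a corrective suspense list for rejected items. The chart of accounts, user IDs, approval limit and transactions are all constructed for the example.

```python
"""Application controls applied to a constructed batch of journal entries.

Added example, not code from the chapter. It shows the three control functions:
  preventive  - input checks (completeness, validity, field/sign checks,
                authorization) reject an entry before it is posted, including a
                segregation-of-duties rule: the person who entered a
                transaction may not also approve it;
  detective   - a duplicate-reference check and a batch control total that
                compares posted amounts with the total the preparer reported;
  corrective  - rejected entries go to a suspense list with the reason, so
                they can be corrected and resubmitted.
Accounts, user IDs, the approval limit and the transactions are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import List, Optional, Tuple

VALID_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}  # constructed chart of accounts
APPROVERS = {"u_cfo", "u_controller"}                     # constructed authorization list
APPROVAL_LIMIT = Decimal("10000.00")                       # hypothetical limit check


@dataclass
class Entry:
    ref: str                 # journal entry reference, must be unique within a batch
    account: str
    amount: str              # raw text as captured from the input form
    entered_by: str
    approved_by: Optional[str] = None


@dataclass
class PostingResult:
    posted: List[Tuple[str, str, Decimal]] = field(default_factory=list)
    suspense: List[Tuple[str, str]] = field(default_factory=list)  # (ref, reason)
    posted_total: Decimal = Decimal("0")
    batch_ok: bool = False


def validate(e: Entry) -> Optional[str]:
    """Preventive input controls. Returns a rejection reason, or None if the entry passes."""
    if not (e.ref and e.account and e.entered_by):
        return "completeness: required field missing"
    if e.account not in VALID_ACCOUNTS:
        return "validity: account not in chart of accounts"
    try:
        amt = Decimal(e.amount)
    except InvalidOperation:
        return "field check: amount is not numeric"
    if not amt.is_finite():
        return "field check: amount is not a finite number"
    if amt <= 0:
        return "sign check: amount must be positive"
    if amt.as_tuple().exponent < -2:
        return "field check: more than two decimal places"
    if amt > APPROVAL_LIMIT:
        if e.approved_by is None:
            return "authorization: amount over limit requires approval"
        if e.approved_by not in APPROVERS:
            return "authorization: approver is not permitted to approve"
        if e.approved_by == e.entered_by:
            return "segregation of duties: preparer may not approve own entry"
    return None


def post_batch(entries: List[Entry], reported_total: str) -> PostingResult:
    """Run the controls over one batch; valid entries post, the rest go to suspense."""
    res = PostingResult()
    seen = set()
    for e in entries:
        if e.ref in seen:                       # detective: duplicate processing
            res.suspense.append((e.ref, "duplicate: reference already processed"))
            continue
        seen.add(e.ref)
        reason = validate(e)
        if reason is not None:                  # corrective: park it with the reason
            res.suspense.append((e.ref, reason))
        else:
            res.posted.append((e.ref, e.account, Decimal(e.amount)))
    # Detective: batch control total. A mismatch means something was rejected
    # or miskeyed, so the batch must be reviewed before it is accepted.
    res.posted_total = sum((amt for _, _, amt in res.posted), Decimal("0"))
    res.batch_ok = res.posted_total == Decimal(reported_total)
    return res


# Constructed batch exercising each control; the preparer reported 41,020.00.
SAMPLE_BATCH = [
    Entry("JE-001", "1200", "450.00", "u_clerk1"),
    Entry("JE-002", "9999", "120.00", "u_clerk1"),             # unknown account
    Entry("JE-003", "4000", "25000.00", "u_clerk1", "u_cfo"),  # over limit, properly approved
    Entry("JE-004", "5000", "15000.00", "u_cfo", "u_cfo"),     # approver entered it himself
    Entry("JE-005", "2000", "abc", "u_clerk2"),                # non-numeric amount
    Entry("JE-001", "1000", "450.00", "u_clerk2"),             # duplicate reference
]

if __name__ == "__main__":
    result = post_batch(SAMPLE_BATCH, "41020.00")
    for ref, account, amt in result.posted:
        print(f"posted   {ref} {account} {amt}")
    for ref, reason in result.suspense:
        print(f"suspense {ref}: {reason}")
    print(f"batch total {result.posted_total} ok={result.batch_ok}")
```

Only JE-001 and JE-003 post; the other four land in suspense with the reason that triggered the rejection, and the batch total (25,450.00) no longer matches what the preparer reported, which is the detective signal that the batch needs correction and resubmission rather than silent acceptance. Note that the segregation-of-duties rule is enforced in code at the point of authorization, which is the "achieved differently in an AIS" point made earlier in these notes.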
Levers of Control
Many people feel there is a basic conflict between creativity and controls. Robert Simons, a
Harvard business professor, has espoused four levers of controls to help companies reconcile
this conflict.
1. A concise belief system
The first is a concise belief system that communicates company core values to employees and
inspires them to live by them. It should draw attention to how the organization creates value
and help employees understand the direction management wants the company to take. It has to
be broad enough to appeal to employee groups at all organizational levels.

2. A boundary system
A boundary system helps employees act ethically by setting limits beyond which an
employee must not pass.
• Does not create rules and standard operating procedures that can stifle
creativity.
• Encourages employees to think and act creatively to solve problems and meet
customer needs as long as they operate within limits such as:
– Meeting minimum standards of performance
– Shunning off-limits activities
– Avoiding actions that could damage the company’s reputation.
3. A diagnostic control system
To ensure the efficient and effective achievement of important goals and controls, a diagnostic
control system measures company progress by comparing actual to planned performance.
• Helps managers track critical performance outcomes and monitor performance of
individuals, departments, and locations.
• Provides feedback to enable management to adjust and fine-tune.
4. Interactive control system
An interactive control system helps top-level managers with high-level activities that demand
frequent and regular attention. Examples:
• Developing company strategy.
• Setting company objectives.
• Understanding and assessing threats and risks.
• Monitoring changes in competitive conditions and emerging technologies.
• Developing responses and action plans to proactively deal with these high-level
issues.
The system also helps managers focus the attention of subordinates on key strategic issues and
to be more involved in their decisions. Data generated by an interactive system are best
interpreted and discussed in face-to-face meetings of superiors, subordinates, and peers.

CONTROL FRAMEWORKS
A number of control frameworks have been developed to help companies develop good
internal control systems. Three of the most important are:
– The COBIT framework
– The COSO internal control framework
– COSO's Enterprise Risk Management framework (ERM)
1. COBIT Framework
– Also known as the Control Objectives for Information and Related
Technology framework.
– Developed by the Information Systems Audit and Control Foundation (ISACF).
– COBIT is a framework of generally applicable information systems security and
control practices for IT control. The framework allows (1) management to
benchmark the security and control practices of IT environments, (2) users of IT
services to be assured that adequate security and control exist, and (3) auditors to
substantiate their opinions on internal control and to advise on IT security and
control matters.
The framework addresses the issue of control from three vantage points or dimensions:
i. Business objectives: To satisfy business objectives, information must conform to
certain criteria called "business requirements for information." The criteria are divided
into seven distinct yet overlapping categories that map into COSO objectives:
effectiveness (relevant, pertinent, and timely), efficiency, confidentiality, integrity,
availability, compliance with legal requirements, and reliability.
ii. IT resources: This includes people, application systems, technology, facilities, and
data.
iii. IT processes: These are broken into four domains: planning and organization,
acquisition and implementation, delivery and support, and monitoring and evaluation.

• COBIT consolidates standards from 36 different sources into a single framework.


• It is having a big impact on the IS profession.
– Helps managers to learn how to balance risk and control investment in an IS
environment.
– Provides users with greater assurance that security and IT controls provided by
internal and third parties are adequate.
– Guides auditors as they substantiate their opinions and provide advice to
management on internal controls.

2. COSO's Internal Control Framework
– The Committee of Sponsoring Organizations (COSO) is a private sector group
consisting of:
• The American Accounting Association
• The AICPA
• The Institute of Internal Auditors
• The Institute of Management Accountants
• The Financial Executives Institute
• In 1992, COSO issued the Internal Control Integrated Framework:
– Defines internal controls.
– Provides guidance for evaluating and enhancing internal control systems.
– Widely accepted as the authority on internal controls.
– Incorporated into policies, rules, and regulations used to control business
activities.
• COSO’ s internal control model has five crucial components:
– Control environment
• The core of any business is its people.
• Their integrity, ethical values, and competence make up the foundation on which
everything else rests.
– Control activities
• Policies and procedures must be established and executed to ensure that actions
identified by management as necessary to address risks are, in fact, carried out.
– Risk assessment
• The organization must be aware of and deal with the risks it faces.
• It must set objectives for its diverse activities and establish mechanisms to
identify, analyze, and manage the related risks.
– Information and communication
• Information and communications systems surround the control activities.
• They enable the organization’s people to capture and exchange information
needed to conduct, manage, and control its operations.
– Monitoring
• The entire process must be monitored and modified as necessary.
3. COSO's Enterprise Risk Management Framework (ERM)
• Nine years after COSO issued the preceding framework, it began investigating how to
effectively identify, assess, and manage risk so organizations could improve the risk
management process.
• Result: the Enterprise Risk Management Integrated Framework (ERM)
– An enhanced corporate governance document.
– Expands on elements of preceding framework.
– Provides a focus on the broader subject of enterprise risk management.
• Intent of ERM is to achieve all goals of the internal control framework and help the
organization:
– Provide reasonable assurance that company objectives and goals are achieved
and problems and surprises are minimized.
– Achieve its financial and performance targets.
– Assess risks continuously and identify steps to take and resources to allocate
to overcome or mitigate risk.
– Avoid adverse publicity and damage to the entity’s reputation.
• ERM defines risk management as:
– A process effected by an entity’s board of directors, management, and other
personnel
– Applied in strategy setting and across the enterprise
– To identify potential events that may affect the entity
– And manage risk to be within its risk appetite
– In order to provide reasonable assurance of the achievement of entity
objectives.
