
Lecture 06 Topic 3A

System Reliability and Internal Controls


System Reliability

One basic function of an AIS is to provide information that is useful for decision-making
purposes. Information produced by the AIS, which includes financial statements, management
reports, etc., must provide an accurate, complete and timely picture of the organisation's
activities. To provide this type of information, Accounting Information Systems must be
reliable.

System reliability has five fundamental principles:

i. Confidentiality

Restricting system access to authorized users only to maintain the confidentiality of
sensitive information. Managers have to decide which information is sensitive and
needs to be protected from unauthorized disclosure. Encryption is a fundamental
control for confidential information.

“Encryption: Process of transforming normal text, called plain text, into unreadable
gibberish, called cipher text. It is important particularly when confidential data is
being transmitted from remote terminals because data transmission lines can be
electronically monitored without the user's knowledge.”

ii. Privacy

Focuses on protecting personal information about customers rather than
organisational data. Personal information about customers collected through e-commerce
is collected, used, disclosed, and maintained in an appropriate manner.
Encryption can also be used to protect privacy.

iii. Processing Integrity

Integrity of the system to ensure that processing is complete, accurate, timely, and
authorized. Data is accurately and completely processed in a timely manner.
Controls which can be used include (source data controls):

• Form designs
• Cancellation and storage of documents
• Authorisation and segregation of duties
• Scanning (visual)
• Data matching
• File labels
• Batch totals
• Reviews and reconciliations, etc.

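An added example (not from the lecture notes) of how the batch totals and sequence checking from the list above operate on a constructed batch of transactions: the control totals on the preparer's batch header are recomputed from the records actually keyed in, and each control independently exposes a source document dropped between preparation and data entry. The field names and the sample batch are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    seq: int        # pre-printed document sequence number
    account: str    # account code (summed as a hash total)
    amount: float   # monetary value (summed as a financial total)

# Constructed sample batch. The header carries the control totals computed by the
# preparer over four source documents; data entry keyed in only three of them.
BATCH_HEADER = {"record_count": 4, "financial_total": 1550.00, "hash_total": 4120}
BATCH_RECORDS = [
    Txn(1001, "1020", 500.00),
    Txn(1002, "1030", 250.00),
    Txn(1004, "1030", 500.00),   # document 1003 (account 1040, 300.00) was dropped
]

def batch_control_report(header, records):
    """Recompute the batch totals from the keyed records and run a sequence check.
    Returns a list of exception messages; an empty list means the batch balances."""
    exceptions = []
    record_count = len(records)
    financial_total = round(sum(t.amount for t in records), 2)
    # Hash total: a sum of a non-financial field that has no meaning of its own,
    # used only to detect a lost, duplicated or mis-keyed record.
    hash_total = sum(int(t.account) for t in records)
    if record_count != header["record_count"]:
        exceptions.append(f"record count {record_count} != header {header['record_count']}")
    if financial_total != header["financial_total"]:
        exceptions.append(f"financial total {financial_total:.2f} != header {header['financial_total']:.2f}")
    if hash_total != header["hash_total"]:
        exceptions.append(f"hash total {hash_total} != header {header['hash_total']}")
    # Sequence check: pre-numbered documents must form an unbroken run with no repeats.
    seqs = sorted(t.seq for t in records)
    if seqs:
        missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
        duplicates = sorted({s for s in seqs if seqs.count(s) > 1})
        if missing:
            exceptions.append(f"missing document numbers {missing}")
        if duplicates:
            exceptions.append(f"duplicate document numbers {duplicates}")
    return exceptions

if __name__ == "__main__":
    for line in batch_control_report(BATCH_HEADER, BATCH_RECORDS):
        print("EXCEPTION:", line)
```

On the constructed batch all four controls fire (count, financial total, hash total and the gap at document 1003); adding the dropped document back makes the batch balance.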
iv. Availability

The system is available to meet operational and contractual obligations. Loss of
system availability can cause significant financial losses. Hence system availability
is concerned with ensuring that the system is available for use whenever needed.
Threats to system availability include:

• Hardware and software failure
• Natural and man-made disasters
• Human error
• Worms and viruses
• Denial of service attacks and other acts of sabotage

How to control:

• Preventive maintenance, UPS (uninterruptible power supply), fault tolerance
• Physical location and design of rooms housing computing resources
• Back-up procedures

v. Security

Security of the system against unauthorized physical and logical access. It is the
most important of all the principles. Information security is the foundation of system
reliability:

• Security procedures restrict system access to authorised users only, hence
protecting the confidentiality of sensitive organizational data and the
privacy of the personal identifying information collected from customers.
• Security procedures provide for processing integrity by preventing the
submission of unauthorised or fictitious transactions as well as
unauthorized changes to stored data and programs.
• Security procedures provide protection against a variety of attacks such as
viruses and worms, hence ensuring that the system is available.

Relationship among Components of System Reliability


Further readings: Chapter 7 and 8: Romney, M. B & Steinbart, P. J (2009), Accounting
Information Systems; 11th edition, Pearson International Edition.

Given this introduction, one will pause and ask whether we need controls in AIS.

• Before dwelling on controls for AIS, we must recognize the fact that controlling is one
of the primary functions performed by managers, and the application of controls
in any system is like that in the management functions.
• In systems, the major reasons for controls are:
a. To provide reasonable assurance that the goals of each system are being achieved
b. To mitigate (alleviate/lessen/ease) the risk that the organisation will be exposed to some
type of harm, danger or loss.
c. To provide reasonable assurance that certain legal obligations are being met.

Common Business Exposures in relation to Accounting Information Systems

i. Erroneous record-keeping
• Recording of transactions contrary to established accounting principles
• Caused by incomplete or inaccurate processing of transactions
ii. Unacceptable accounting
• Establishment/implementation of accounting policies that are not generally
acceptable or are inappropriate to the circumstances
• Caused by improper interpretation or wilful disregard of IFRS or other sets
of accounting standards
iii. Fraud and embezzlement
• May be perpetrated at different levels (against management or by
management)
• Caused by direct misappropriation of funds or by deliberate communication
of misinformation to management/investors
• Unintentional loss of physical resources (cash, etc.)
• Due to lack of adequate safeguards over resources.
iv. Business interruption
v. Erroneous management decisions
vi. Statutory sanctions
vii. Excessive costs, e.g. unnecessary expenses involved in running the organisation, caused
by failure to keep within approved limits of expenditure.
viii. Loss or destruction of resources
ix. Competitive disadvantages

Hence organisations need to adopt internal control policies and procedures to ensure that
systems (AIS) achieve their objectives and to mitigate the risks to the system, i.e. to maintain accurate
information and reliable operations.

Internal Controls

What are internal controls?

The users of accounting information rely on the accuracy of the system's reports and displays.
Organisations adopt internal control policies and procedures to maintain accurate information
and reliable operations. Internal control is a process, effected by an entity's board of directors,
management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.

Features of Internal Control

i. Process - a combination of many processes that occur as part of the organization's
activities

ii. People - make internal controls work: management, the board of directors and
accountants. Accountants, by participating in system design, help to create internal
controls

iii. Objectives

a. Safeguarding assets
b. Ensuring accurate and reliable accounting data
The above are important to accountants and hence are called accounting controls
c. Promoting operational efficiency
d. Encouraging managers to follow management policies
The above are important to managers and hence are called administrative controls

iv. Reasonable assurance - internal control cannot guarantee that management's objectives will be
obtained; it can only provide reasonable assurance of attaining them.

Limitations of Internal Control

i. Errors - poor judgement due to poor training, lack of experience, lack of
knowledge, etc.
ii. Collusion - difficult to prevent; to minimize it, hire honest people
iii. Management override - controls should reflect authority levels

Threats to accounting data

i. Errors - An error is an accidental misstatement of accounting information. Errors arise
from poor judgement due to lack of knowledge or lack of attention.
ii. Irregularities - An irregularity is an intentional misstatement. Management
fraud (intentionally misstating financial information). Defalcation – theft of assets
from the company for personal use.

COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework of Internal Controls

In order to address the divergent meanings attached to internal control by different stakeholders,
COSO (a thought leader in executive management and governance) came up with an official
definition to cater for the needs of these groups of people, and a framework to explain the components
of internal control.

It is a CRIME not to have good internal controls; therefore, to have good internal controls
we would see:

C - Control Activities
R - Risk Assessment
I - Information Systems (the actual process)
M - Monitoring of Controls
E - Environment

1. Control Activities

These are policies and procedures that management adopts to provide reasonable assurance
that management directives are carried out. They help ensure that actions are taken to address
risks to the achievement of the organization's objectives. Mnemonic: ACCA MAPS.

a. Approval - a senior employee like a manager signs off an action (same as
authorisation), e.g. if an employee wants to do overtime, a manager should
authorise this in advance.
b. Computer Controls - having passwords, backups, virus checks
c. Comparison - looking at budget versus actual and reviewing for variances; any
variances should then be investigated.
d. Arithmetic Controls - recalculating an employee's work, sequence checking
(a check procedure).
e. Maintain and review control accounts - like wages, PAYE, bank.
f. Account Reconciliations.
g. Physical Controls - restricted access, either through locking doors or code
entry, CCTV, safes.
h. Segregation of Duties - division of responsibilities to reduce the risk of fraud,
i.e. splitting the responsibility for a transaction stream. E.g. one person dealing
with ordering, processing purchase invoices and bank payments is a lack of
segregation of duties; different people should process different stages of a system.
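An added example, not from the notes, of the segregation of duties check just described: a detective control that reviews a constructed purchase-to-pay audit trail for any person who handled more than one of ordering, invoice processing and payment on the same purchase, and a preventive control that refuses such an action before it happens. The audit trail format, purchase references and user names are assumptions.

```python
from collections import defaultdict

# Stages of the purchase stream that the same person should not combine.
INCOMPATIBLE_STAGES = {"order", "invoice", "payment"}

# Constructed sample audit trail: (purchase_ref, stage, user_id).
AUDIT_TRAIL = [
    ("PO-1001", "order",   "alice"),
    ("PO-1001", "invoice", "bob"),
    ("PO-1001", "payment", "carol"),   # three different people: duties segregated
    ("PO-1002", "order",   "dave"),
    ("PO-1002", "invoice", "dave"),    # dave raised the order, processed the invoice ...
    ("PO-1002", "payment", "dave"),    # ... and released the bank payment
    ("PO-1003", "order",   "alice"),
    ("PO-1003", "payment", "alice"),   # alice both ordered and paid
]

def segregation_violations(trail):
    """Detective control: review the audit trail after the fact.
    Returns {purchase_ref: {user: [stages]}} for every purchase on which one user
    performed more than one incompatible stage."""
    stages_by_user = defaultdict(lambda: defaultdict(set))
    for ref, stage, user in trail:
        if stage in INCOMPATIBLE_STAGES:
            stages_by_user[ref][user].add(stage)
    violations = {}
    for ref, users in stages_by_user.items():
        offenders = {user: sorted(stages) for user, stages in users.items() if len(stages) > 1}
        if offenders:
            violations[ref] = offenders
    return violations

def may_perform(trail, ref, stage, user):
    """Preventive control: allow the action only if this user has not already carried
    out a different incompatible stage of the same purchase. Repeating the same stage
    (e.g. re-saving an order) is not a segregation conflict."""
    already_done = {s for r, s, u in trail if r == ref and u == user and s in INCOMPATIBLE_STAGES}
    return not (already_done - {stage})

if __name__ == "__main__":
    for ref, offenders in segregation_violations(AUDIT_TRAIL).items():
        for user, stages in offenders.items():
            print(f"{ref}: {user} performed {', '.join(stages)}")
    print("alice may pay PO-1001?", may_perform(AUDIT_TRAIL, "PO-1001", "payment", "alice"))
```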

2. Risk Assessment Process

Management's process of identifying and analysing the risks that might prevent the
organization from achieving its objectives. If the entity has robust procedures for assessing the
business risks it faces, the risk of misstatement or fraud will be low.

Risks include:

1. Competition
2. Economic or technological change
3. Government regulation
4. Natural catastrophes
5. Risks from internal factors:
a. disruption of the information system
b. errors due to untrained or unmotivated employees or to changes in management
responsibilities, and
c. the result of an ineffective board of directors or audit committee.

3. The Information System

The information system is the set of formal procedures by which data are collected, processed
into information, and distributed to users. The system accepts input, called transactions, which
are converted through various processes into output information that goes to users.

A good communication system is crucial for efficient financial control systems, transaction
cycles, application controls and general controls.

• Debit and credit analysis
• Chart of accounts
• Standard journal vouchers
• Trial balance
• Control accounts, e.g. accounts receivable, inventory, assets, and common stock.

Control Implications of Manual Systems - weaknesses (the bad news about manual
systems)

• Manual systems are operated by people and are therefore more prone to simple errors
and mistakes
• Information is transferred from document to document, leading to misposting or other
transcription errors
• Controls can be more easily bypassed, ignored or overridden

Control Implications of Manual Systems - strengths (the good news about manual systems
is that they are better at:)

• Dealing with 'one off' transactions
• Situations where the exercise of judgement is important

Control Implications of Computerised Systems - strengths

• Consistent processing
• Accurate calculation
• Capacity to handle high volumes

Control Implications of Computerised Systems - weaknesses

• Little exercise of judgement
• Access to the system = access to the controls
• Widespread impact of errors in:
  o Installation
  o Programming
  o Override
4. Monitoring of Controls

A component that assesses the quality of internal control performance over time, detecting whether a control is
either ineffective or simply does not function (permanent supervision and special evaluation).

• Ongoing monitoring activities, e.g. clerical checks, reconciliations, comparing assets
on hand with the accounting records, control procedures carried out by computer
programs, management review of summaries of changes in account balances, and
review of users of computer reports.
• Separate evaluations, e.g. evaluating a section of controls
• Independent auditors
• Internal auditors

5. Control Environment

Sets the tone for the organisation. Management should have the right attitude. It is the base for all other
components and creates the conditions (discipline and structure) for efficient controls. The control
environment is defined in ISA 315 as being made up of:

• communication and enforcement of ethical values: because management creates,
administers, and monitors the system of internal control, its effectiveness is limited by
management attitudes toward integrity and ethical values
• commitment to competence
• participation by those charged with governance
• management's philosophy and operating style
• management needs to have awareness and action in place
• organisational structure
• assignment of responsibility
• human resources policies and practices - staff training, recruitment procedures, etc.

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) is a globally recognized certification in the field
of audit, control and security of information systems. CISA has gained worldwide acceptance
through having uniform certification criteria, and the certification has a high degree of visibility and recognition
in the fields of IT security, IT audit, IT risk management and governance.
Vacancies in the areas of IT security management, IT audit or IT risk management often ask
for a CISA certification. The certification is extremely challenging and is associated with a
high failure rate. CISA is awarded by the Information Systems Audit and Control
Association (ISACA).

Accounting Manual
A manual that contains pertinent accounting rules and other information for a business or
organization. Accounting manuals can contain guidelines for various policies and procedures.
They also often specify organizational rules and standards for corporate accounts.
The classification of the various types of accounts used by a company or organization is
frequently referred to as a chart of accounts. This chart is also usually included in an
accounting manual. These manuals will differ from one organization to another depending on
the type and size of the organization.
