You are on page 1of 314

L

ECTURE 5

Control and Accounting Information Systems

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

1 of 315

INTRODUCTION
Why AIS threats are increasing
Control risks have increased in the last few years because:
There are computers and servers everywhere, and information is available to an unprecedented number of workers. Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems. Wide area networks are giving customers and suppliers access to each others systems and data, making confidentiality a major concern.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

2 of 315

INTRODUCTION
Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
Computer control problems are often underestimated and downplayed. Control implications of moving from centralized, host-based computer systems to those of a networked system or Internetbased system are not always fully understood. Companies have not realized that data is a strategic resource and that data security must be a strategic requirement. Productivity and cost pressures may motivate management to forego time-consuming control measures.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

3 of 315

INTRODUCTION
Some vocabulary terms for this chapter:
A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization. The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality. The likelihood is the probability that the threat will occur.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

4 of 315

INTRODUCTION
Control and security are important
Companies are now recognizing the problems and taking positive steps to achieve better control, including:
Devoting full-time staff to security and control concerns. Educating employees about control measures. Establishing and enforcing formal information security policies. Making controls a part of the applications development process. Moving sensitive data to more secure environments.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

5 of 315

INTRODUCTION
To use IT in achieving control objectives, accountants must:
Understand how to protect systems from threats. Have a good understanding of IT and its capabilities and risks.

Achieving adequate security and control over the information resources of an organization should be a top management priority.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 6 of 315

INTRODUCTION
Control objectives are the same regardless of the data processing method, but a computerbased AIS requires different internal control policies and procedures because:
Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files. Segregation of duties must be achieved differently in an AIS. Computers provide opportunities for enhancement of some internal controls.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 7 of 315

INTRODUCTION
One of the primary objectives of an AIS is to control a business organization.
Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.

Management expects accountants to be control consultants by:


Taking a proactive approach to eliminating system threats; and Detecting, correcting, and recovering from threats when they do occur.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 8 of 315

INTRODUCTION
It is much easier to build controls into a system during the initial stage than to add them after the fact. Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

9 of 315

OVERVIEW OF CONTROL CONCEPTS


In todays dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
Hire creative and innovative employees. Give these employees power and flexibility to:
Satisfy changing customer demands; Pursue new opportunities to add value to the organization; and Implement process improvements.

At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 10 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded. This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

11 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded. Records are maintained in sufficient detail to accurately and fairly reflect company assets.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

12 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded. Records are maintained in sufficient detail to accurately and fairly reflect company assets. Accurate and reliable information is provided.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

13 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded. Records are maintained in sufficient detail to accurately and fairly reflect company assets. Accurate and reliable information is provided. There is reasonable assurance that financial reports are prepared in accordance with GAAP.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

14 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded. Records are maintained in sufficient detail to accurately and fairly reflect company assets. Accurate and reliable information is provided. There is reasonable assurance that financial reports are prepared in accordance with GAAP. Operational efficiency is promoted and improved. This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors authorizations.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 15 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded. Records are maintained in sufficient detail to accurately and fairly reflect company assets. Accurate and reliable information is provided. There is reasonable assurance that financial reports are prepared in accordance with GAAP. Operational efficiency is promoted and improved. Adherence to prescribed managerial policies is encouraged.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

16 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded. Records are maintained in sufficient detail to accurately and fairly reflect company assets. Accurate and reliable information is provided. There is reasonable assurance that financial reports are prepared in accordance with GAAP. Operational efficiency is promoted and improved. Adherence to prescribed managerial policies is encouraged. The organization complies with applicable laws and regulations.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 17 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control is a process because:
It permeates an organizations operating activities. It is an integral part of basic management activities.

Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

18 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal control systems have inherent limitations, including:
They are susceptible to errors and poor decisions. They can be overridden by management or by collusion of two or more employees.

Internal control objectives are often at odds with each other.


EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

19 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal controls perform three important functions:
Preventive controls
Deter problems before they arise.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

20 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal controls perform three important functions:
Preventive controls Detective controls
Discover problems quickly when they do arise.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

21 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal controls perform three important functions:
Preventive controls Detective controls Corrective controls
Remedy problems that have occurred by: Identifying the cause; Correcting the resulting errors; and Modifying the system to prevent future problems of this sort.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

22 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal controls are often classified as:
General controls
Those designed to make sure an organizations control environment is stable and well managed. They apply to all sizes and types of systems. Examples: Security management controls.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

23 of 315

OVERVIEW OF CONTROL CONCEPTS


Internal controls are often classified as:
General controls Application controls
Prevent, detect, and correct transaction errors and fraud. Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

24 of 315

OVERVIEW OF CONTROL CONCEPTS


An effective system of internal controls should exist in all organizations to:
Help them achieve their missions and goals. Minimize surprises.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

25 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement. The primary purpose of the act was to prevent the bribery of foreign officials to obtain business. A significant effect was to require that corporations maintain good systems of internal accounting control.
Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems. The resulting internal control improvements werent sufficient.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 26 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka, SOX).
Applies to publicly held companies and their auditors.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

27 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


The intent of SOX is to:
Prevent financial statement fraud Make financial reports more transparent Protect investors Strengthen internal controls in publicly-held companies Punish executives who perpetrate fraud

SOX has had a material impact on the way boards of directors, management, and accountants operate.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 28 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
Has five members, three of whom cannot be CPAs. Charges fees to firms to fund the PCAOB. Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports. Currently recognizes FASB statements as being generally accepted.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

29 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. New rules for auditors
They must report specific information to the companys audit committee, such as: Critical accounting policies and practices Alternative GAAP treatments Auditor-management disagreements Audit partners must be rotated periodically.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

30 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. New rules for auditors
Auditors cannot perform certain non-audit services, such as: Bookkeeping Information systems design and implementation Internal audit outsourcing services Management functions Human resource services

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

31 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. New rules for auditors
Permissible non-audit services must be approved by the board of directors and disclosed to investors. Cannot audit a company if a member of top management was employed by the auditor and worked on the companys audit in the past 12 months.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

32 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. New rules for auditors New rules for audit committees
Members must be on the companys board of directors and must otherwise be independent of the company. One member must be a financial expert. The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 33 of 315

SOX AND THE FOREIGN CORRUPT The CEO andPRACTICES ACT CFO must certify that:

The financial statements and disclosures are fairly Important aspects reviewed by management, and are not presented, were of SOX include: misleading. Creation of the Public Company Accounting Oversight Management is responsible for auditing profession. Board (PCAOB) to oversee the internal controls. The auditors were advised of any material internal control New rules for auditors weaknesses or fraud. New rules for audit committees Any significant changes to controls after managements evaluation were disclosed and New rules for management corrected.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

34 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

If management willfully and knowingly violates the certification, they can be: Important aspects of SOX include: Imprisoned up to 20 years Creation of the Public Company Accounting Oversight Fined up to $5 million Board (PCAOB) to oversee the auditing profession. Management and directors cannot receive loans that would not New rules for people outside the company. be available to auditors New rules disclose on a rapid and current basis material They must for audit committees changes to their financial condition.

New rules for management

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

35 of 315

SOX AND THE FOREIGN CORRUPT New internal control requirements: PRACTICES ACT

Section 404 of SOX requires companies to issue a report accompanying the financial Important aspects of SOX include: statements that: States management is responsible for Creation of the Public Company Accounting Oversight establishing and maintaining an adequate internal Board (PCAOB) to oversee the auditing profession. control structure and procedures. Contains managements assessment of the New rules for auditors companys internal controls. New rules for audit committees Attests to the accuracy of the internal controls, New rules for management including disclosures of significant defects or material noncompliance found during the tests. New internal control requirements

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

36 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. New rules for auditors SOX also requires that the auditor attests to and reports New rules for audit committees on managements internal control assessment. New rules for management describe the scope of the Each audit report must auditors internal control tests. New internal control requirements

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

37 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


After the passage of SOX, the SEC further mandated that:
Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter. The report must contain a statement identifying the framework used. Management must disclose any and all material internal control weaknesses. Management cannot conclude that the company has effective internal control if there are any material weaknesses.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 38 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


Levers of control
Many people feel there core values to employees and is a basic conflict Communicates company between creativity andthose values. inspires them to live by controls. Draws attention to how the organization creates Robert Simons has espoused four levers value. of Helps employees understand managements intended controls to help companies reconcile this direction. conflict: be broad enough to appeal to all levels. Must
A concise belief system

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

39 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES by setting limits beyond Helps employees act ethicallyACT

which they must not pass. Does not create rules Levers of Control and standard operating procedures that can stifle creativity. Many people employees to is a basic conflict to feel there think and act creatively Encourages between creativity and controls. solve problems and meet customer needs as long as they operate within limits such as: Robert Simons has espoused performance of four levers Meeting minimum standards of controls to help companies reconcile this Shunning off-limits activities conflict: Avoiding actions that could damage the companys reputation. A concise belief system

A boundary system

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

40 of 315

SOX AND THE FOREIGN CORRUPT PRACTICES ACT


Levers of control
Ensures efficient there is a basic conflict Many people feeland effective achievement of important controls. between creativity and controls. This system measures company progress by comparing actual to planned performance. Robert Simons has espoused four levers of Helps managers track critical reconcile this controls to help companiesperformance outcomes and monitor performance of individuals, departments, conflict: and locations.

AProvides feedback to enable management to adjust and concise belief system Afine-tune. system boundary A diagnostic control system

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

41 of 315

demand frequent and regular attention. Examples: Developing company strategy. Levers of Control objectives. Setting company Many people feel there is a basic conflict Understanding and assessing threats and risks. Monitoring changes controls. between creativity and in competitive conditions and emerging technologies. Robert Developinghas espoused four levers of Simons responses and action plans to proactively companies high-level issues. controls to help deal with these reconcile this Also conflict: helps managers focus the attention of subordinates on key strategic issues and to be more involved in their A concise belief system decisions. A boundarythis system are best interpreted and Data from system discussed in face-to-face meetings.

SOX AND THE FOREIGN CORRUPT Helps top-level managers with high-level activities that PRACTICES ACT

A diagnostic control system An interactive control system

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

42 of 315

CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework The COSO internal control framework COSOs Enterprise Risk Management framework (ERM)
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 43 of 315

CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework The COSO internal control framework COSOs Enterprise Risk Management framework (ERM)
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 44 of 315

CONTROL FRAMEWORKS
COBIT framework
Also know as the Control Objectives for Information and Related Technology framework. Developed by the Information Systems Audit and Control Foundation (ISACF). A framework of generally applicable information systems security and control practices for IT control.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

45 of 315

CONTROL FRAMEWORKS
The COBIT framework allows:
Management to benchmark security and control practices of IT environments. Users of IT services to be assured that adequate security and control exists. Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

46 of 315

To satisfy business objectives, information must conform to certain criteria referred to as business requirements for information. The framework addresses the issue of The criteria are divided into seven distinct yet overlapping categories that map into COSO dimensions: objectives: Business objectives Effectiveness (relevant, pertinent, and timely) Efficiency Confidentiality Integrity Availability Compliance with legal requirements Reliability

CONTROL FRAMEWORKS

control from three vantage points or

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

47 of 315

CONTROL FRAMEWORKS
The framework addresses the issue of control from three vantage points or dimensions:
Business objectives IT resources Includes:

People Application systems Technology Facilities Data

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

48 of 315

CONTROL FRAMEWORKS
The framework addresses the issue of control from three vantage points or dimensions:
Business objectives IT resources IT processes Broken into four domains:
Planning and organization Acquisition and implementation Delivery and support Monitoring

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

49 of 315

CONTROL FRAMEWORKS
COBIT consolidates standards from 36 different sources into a single framework. It is having a big impact on the IS profession.
Helps managers to learn how to balance risk and control investment in an IS environment. Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate. Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 50 of 315

CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework The COSO internal control framework COSOs Enterprise Risk Management framework (ERM)
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 51 of 315

CONTROL FRAMEWORKS
COSOs internal control framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
The American Accounting Association The AICPA The Institute of Internal Auditors The Institute of Management Accountants The Financial Executives Institute

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

52 of 315

CONTROL FRAMEWORKS
In 1992, COSO issued the Internal Control Integrated Framework:
Defines internal controls. Provides guidance for evaluating and enhancing internal control systems. Widely accepted as the authority on internal controls. Incorporated into policies, rules, and regulations used to control business activities.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 53 of 315

CONTROL FRAMEWORKS
COSOs internal control model has five crucial components:
- Control environment
The core of any business is its people. Their integrity, ethical values, and competence make up the foundation on which everything else rests.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

54 of 315

CONTROL FRAMEWORKS
COSOs internal control model has five crucial components:
- Control environment - Control activities
Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

55 of 315

CONTROL FRAMEWORKS
COSOs internal control model has five crucial components:
- Control environment - Control activities - Risk assessment
The organization must be aware of and deal with the risks it faces. It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

56 of 315

CONTROL FRAMEWORKS
COSOs internal control model has five crucial components:
Control environment Control activities Risk assessment Information and communication
Information and communications systems surround the control activities. They enable the organizations people to capture and exchange information needed to conduct, manage, and control its operations.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 57 of 315

CONTROL FRAMEWORKS
COSOs internal control model has five crucial components:
Control environment Control activities Risk assessment Information and communication Monitoring
The entire process must be monitored and modified as necessary.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

58 of 315

CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework The COSO internal control framework COSOs Enterprise Risk Management framework (ERM)
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 59 of 315

CONTROL FRAMEWORKS
Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. Result: Enterprise Risk Manage Integrated Framework (ERM)
An enhanced corporate governance document. Expands on elements of preceding framework. Provides a focus on the broader subject of enterprise risk management.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 60 of 315

CONTROL FRAMEWORKS
Intent of ERM is to achieve all goals of the internal control framework and help the organization:
Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized. Achieve its financial and performance targets. Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk. Avoid adverse publicity and damage to the entitys reputation.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 61 of 315

CONTROL FRAMEWORKS
ERM defines risk management as:
A process effected by an entitys board of directors, management, and other personnel. Applied in strategy setting and across the enterprise. To identify potential events that may affect the entity. And manage risk to be within its risk appetite. In order to provide reasonable assurance of the achievement of entity objectives.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 62 of 315

CONTROL FRAMEWORKS
Basic principles behind ERM:
Companies are formed to create value for owners. Management must decide how much uncertainty they will accept. Uncertainty can result in:
Risk
The possibility that something will happen to: Adversely affect the ability to create value; or Erode existing value.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 63 of 315

CONTROL FRAMEWORKS
Basic principles behind ERM:
Companies are formed to create value for owners. Management must decide how much uncertainty they will accept. Uncertainty can result in:
Risk Opportunity
The possibility that something will happen to positively affect the ability to create or preserve value.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 64 of 315

CONTROL FRAMEWORKS
The framework should help management manage uncertainty and its associated risk to build and preserve value. To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

65 of 315

CONTROL FRAMEWORKS
COSO developed a model to illustrate the elements of ERM.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

66 of 315

CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals.
Strategic objectives
Strategic objectives are high-level goals that are aligned with and support the companys mission.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

67 of 315

CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals.
Strategic objectives Operations objectives Operations objectives deal with effectiveness and efficiency of company operations, such as: Performance and profitability goals Safeguarding assets
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 68 of 315

CONTROL FRAMEWORKS

Reporting objectives help ensure the accuracy, completeness, top Columns at the and reliability of internal the four types of representand external company reports of both a financial and objectives that non-financial nature. management must meet to Improve decision-making and achieve company activities and monitor company goals. performance more efficiently. Strategic objectives Operations objectives Reporting objectives

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

69 of 315

CONTROL FRAMEWORKS
Compliance objectives help the Columns at the top company comply types represent the fourwith of applicable laws and objectives that regulations. management must often set meet to External parties achieve compliancegoals. the company rules.

Companies in the same Strategic objectives Operations often have similar industry objectives concerns in this area. Reporting objectives
Compliance objectives

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

70 of 315

CONTROL FRAMEWORKS
ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them. However, strategic and operations objectives are sometimes at the mercy of external events that the company cant control. Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

71 of 315

CONTROL FRAMEWORKS
Columns on the right represent the companys units:
Entire company

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

72 of 315

CONTROL FRAMEWORKS
Columns on the right represent the companys units:
Entire company Division

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

73 of 315

CONTROL FRAMEWORKS
Columns on the right represent the companys units:
Entire company Division Business unit

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

74 of 315

CONTROL FRAMEWORKS
Columns on the right represent the companys units:
Entire company Division Business unit Subsidiary

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

75 of 315

CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment The tone or culture of the company. Provides discipline and structure and is the foundation for all other components. Essentially, the same as control environment in the COSO internal control framework.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 76 of 315

CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment Objective setting

Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the companys mission and are consistent with the companys tolerance for risk. Strategic objectives are set first as a foundation for the other three. The objectives provide guidance to companies as they identify riskcreating events and assess and respond to those risks.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 77 of 315

CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment Objective setting Event identification Requires management to identify events that may affect the companys ability to implement its strategy and achieve its objectives. Management must then determine whether these events represent: Risks (negative-impact events requiring assessment and response); or Opportunities (positive-impact events that influence strategy and objective-setting processes).
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 78 of 315

CONTROL FRAMEWORKS

Identified risks are assessed to determine how to manage them and how they affect the companys ability to achieve its objectives. Qualitative and quantitative The horizontal rows are methods are used to eight related risk and assess risks individually and by control components, category in terms of: including: Likelihood Internal environment Positive and negative Objective setting impact Event identification Effect on other organizational Risk assessment units Risks are analyzed on an inherent and a residual basis. Corresponds to the risk assessment element in COSOs internal control framework.
Romney/Steinbart 79 of 315

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

CONTROL FRAMEWORKS

Management aligns identified risks with the companys tolerance for risk by choosing to: Avoid Reduce The horizontal rows are Share eight related risk and Accept control components, Management takes an entity-wide including: or portfolio view of risks in Internal environment assessing the likelihood of the Objective setting risks, their potential impact, and costs-benefits of alternate Event identification responses. Risk assessment Risk response

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

80 of 315

CONTROL FRAMEWORKS
Tohorizontal rows are The implement managements risk responses, and eight related risk control policies and controlprocedures are established components, and implemented throughout including: the various levels and
Internal environment functions of the organization. Objective setting Corresponds to the control activities element in the COSO Event identification internal control framework. Risk assessment Risk response Control activities

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

81 of 315

CONTROL FRAMEWORKS

Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities. Information must beare to The horizontal rows able flow through all and eight related risk levels and functions in the company as controlas flowing to and from well components, including: parties. external Internal environment Employees should understand their role and importance in Objective setting ERM and how these Event identification responsibilities relate to those Risk assessment of others. Risk response Has a corresponding element in the COSO internal control Control activities framework. and Information communication

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

82 of 315

CONTROL FRAMEWORKS
The horizontal rows are eight related risk and ERM processes must be control components, monitored including: on an ongoing basis

2008 Prentice Hall Business Publishing

and modified as needed. Internal environment Accomplished with ongoing Objective setting management activities and Event identification separate evaluations. Risk assessment Deficiencies are reported to Risk response management. Control activities Corresponding module in COSO internal control Information and framework. communication Monitoring
Romney/Steinbart

Accounting Information Systems, 11/e

83 of 315

CONTROL FRAMEWORKS
The ERM model is three-dimensional. Means that each of the eight risk and control elements are applied to the four objectives in the entire company and/or one of its subunits.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 84 of 315

CONTROL FRAMEWORKS
ERM Framework without first Internal Examining controls Vs. the examining purposes and risks Framework Control of business processes provides little context for evaluating the results.
The internal control framework has been Makes it difficult to know: Which control systems are most important. widely adopted as the principal way to Whether they adequately deal required evaluate internal controls as with risk. by SOX. Whether important However, there are control systems are missing. issues with it.
It has too narrow of a focus.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

85 of 315

CONTROL FRAMEWORKS
ERM framework vs. the internal control framework
The internal control framework has been widely adopted as the principal way to May contribute to systems evaluate internal controls ascontrols to protect with required by SOX. many However, there are issues with it. that are no longer against risks
important. It has too narrow of a focus. Focusing on controls first has an inherent bias toward past problems and concerns.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

86 of 315

CONTROL FRAMEWORKS
These issues led to COSOs development of the ERM framework.
Takes a risk-based, rather than controls-based, approach to the organization. Oriented toward future and constant change. Incorporates rather than replaces COSOs internal control framework and contains three additional elements:
Setting objectives. Identifying positive and negative events that may affect the companys ability to implement strategy and achieve objectives. Developing a response to assessed risk.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 87 of 315

CONTROL FRAMEWORKS
Controls are flexible and relevant because they are linked to current organizational objectives. ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

88 of 315

CONTROL FRAMEWORKS
Over time, ERM will probably become the most widely adopted risk and control model. Consequently, its eight components are the topic of the remainder of the chapter.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

89 of 315

INTERNAL ENVIRONMENT
The most critical component of the ERM and the internal control framework. Is the foundation on which the other seven components rest. Influences how organizations:
Establish strategies and objectives Structure business activities Identify, access, and respond to risk

A deficient internal control environment often results in risk management and control breakdowns.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

90 of 315

INTERNAL ENVIRONMENT
Internal environment consists of the following:
Managements philosophy, operating style, and risk appetite The board of directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

91 of 315

INTERNAL ENVIRONMENT
Internal environment consists of the following:
Managements philosophy, operating style, and risk appetite The board of directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

92 of 315

INTERNAL ENVIRONMENT
Managements philosophy, operating style, and risk appetite
An organizations management has shared beliefs and attitudes about risk. That philosophy affects everything the organization does, long- and short-term, and affects their communications. Companies also have a risk appetite, which is the amount of risk a company is willing to accept to achieve its goals and objectives. That appetite needs to be in alignment with company strategy.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 93 of 315

INTERNAL ENVIRONMENT
The more responsible managements philosophy and operating style, the more likely employees will behave responsibly. This philosophy must be clearly communicated to all employees; it is not enough to give lip service. Management must back up words with actions; if they show little concern for internal controls, then neither will employees.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

94 of 315

INTERNAL ENVIRONMENT
This component can be assessed by asking questions such as:
Does management take undue business risks or assess potential risks and rewards before acting? Does management attempt to manipulate performance measures such as net income? Does management pressure employees to achieve results regardless of methods or do they demand ethical behavior?

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

95 of 315

INTERNAL ENVIRONMENT
Internal environment consists of the following:
Managements philosophy, operating style, and risk appetite The board of directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

96 of 315

INTERNAL ENVIRONMENT
The board of directors
An active and involved board of directors plays an important role in internal control. They should:
Oversee management Scrutinize managements plans, performance, and activities Approve company strategy Review financial results Annually review the companys security policy Interact with internal and external auditors
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 97 of 315

INTERNAL ENVIRONMENT
Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders. At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

98 of 315

INTERNAL ENVIRONMENT
Public companies must have an audit committee, composed entirely of independent, outside directors.
The audit committee oversees:
The companys internal control structure; Its financial reporting process; and Its compliance with laws, regulations, and standards.

Works with the corporations external and internal auditors.


Hires, compensates, and oversees the auditors. Auditors report all critical accounting policies and practices to the audit committee.

Provides an independent review of managements actions.


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 99 of 315

INTERNAL ENVIRONMENT
Internal environment consists of the following:
Managements philosophy, operating style, and risk appetite The board of directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

100 of 315

INTERNAL ENVIRONMENT
Commitment to integrity, ethical values, and competence
Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.
Ethical standards of behavior make for good business. Tone at the top is everything. Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 101 of 315

INTERNAL ENVIRONMENT
Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.
Management should:
Make it clear that honest reports are more important than favorable ones.

Management should avoid:


Unrealistic expectations, incentives, or temptations. Attitude of earnings or revenue at any price. Overly aggressive sales practices. Unfair or unethical negotiation practices. Implied kickback offers. Excessive bonuses. Bonus plans with upper and lower cutoffs.
Accounting Information Systems, 11/e Romney/Steinbart 102 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Management should not assume that employees would always act honestly.
Consistently reward and encourage honesty. Give verbal labels to honest and dishonest acts. The combination of these two will produce more consistent moral behavior.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

103 of 315

INTERNAL ENVIRONMENT
Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct.
In particular, such a code would cover issues that are uncertain or unclear. Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

104 of 315

INTERNAL ENVIRONMENT
SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:
Should be written at a fifth-grade level. Should be reviewed annually with employees and signed. This approach helps employees keep themselves out of trouble. Helps the company if they need to take legal action against the employee.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 105 of 315

INTERNAL ENVIRONMENT
Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
Reports of dishonest acts should be thoroughly investigated. Those found guilty should be dismissed. Prosecution should be undertaken when possible, so that other employees are clear about consequences.

Companies must make a commitment to competence.


Begins with having competent employees. Varies with each job but is a function of knowledge, experience, training, and skills.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

106 of 315

INTERNAL ENVIRONMENT
The levers of control, particularly beliefs and boundaries systems, can be used to create the kind of commitment to integrity an organization wants.
Requires more than lip service and signing forms. Must be systems in which top management actively participates in order to:
Demonstrate the importance of the system. Create buy-in and a team spirit.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

107 of 315

INTERNAL ENVIRONMENT
Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
Reports of dishonest acts should be thoroughly investigated. Those found guilty should be dismissed. Prosecution should be undertaken when possible, so that other employees are clear about consequences.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 108 of 315

INTERNAL ENVIRONMENT
Companies must make a commitment to competence.
Begins with having competent employees. Varies with each job but is a function of knowledge, experience, training, and skills.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

109 of 315

INTERNAL ENVIRONMENT
The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants.
Requires more than lip service and signing forms. Must be systems in which top management actively participates in order to:
Demonstrate the importance of the system. Create buy-in and a team spirit.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

110 of 315

INTERNAL ENVIRONMENT
Internal environment consists of the following:
Managements philosophy, operating style, and risk appetite The board of directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

111 of 315

INTERNAL ENVIRONMENT
Organizational structure
A companys organizational structure defines its lines of authority, responsibility, and reporting.
Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

112 of 315

INTERNAL ENVIRONMENT
Important aspects or organizational structure:
Degree of centralization or decentralization. Assignment of responsibility for specific tasks. Direct-reporting relationships or matrix structure. Organization by industry, product, geographic location, marketing network. How the responsibility allocation affects managements information needs. Organization of accounting and IS functions. Size and nature of company activities.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

113 of 315

INTERNAL ENVIRONMENT
Statistically, fraud occurs more frequently in organizations with complex structures.
The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or The structure may be intentionally complex to facilitate the fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

114 of 315

INTERNAL ENVIRONMENT
In todays business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with selfdirected work teams.
Team members are empowered to make decisions without multiple layers of approvals. Emphasis is on continuous improvement rather than on regular evaluations. These changes have a significant impact on the nature and type of controls needed.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

115 of 315

INTERNAL ENVIRONMENT
Internal environment consists of the following:
Managements philosophy, operating style, and risk appetite The board of directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

116 of 315

INTERNAL ENVIRONMENT
Methods of assigning authority and responsibility
Management should make sure:
Employees understand the entitys objectives. Authority and responsibility for business objectives is assigned to specific departments and individuals.

Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives. Management:
Must be sure to identify who is responsible for the IS security policy. Should monitor results so decisions can be reviewed and, if necessary, overruled.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

117 of 315

INTERNAL ENVIRONMENT
Authority and responsibility are assigned through:
Formal job descriptions Employee training Operating plans, schedules, and budgets Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest Written policies and procedures manuals (a good job reference and job training tool) which covers: Proper business practices Knowledge and experience needed by key personnel Resources provided to carry out duties Policies and procedures for handling particular transactions The organizations chart of accounts Sample copies of forms and documents
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 118 of 315

INTERNAL ENVIRONMENT
Internal environment consists of the following:
Managements philosophy, operating style, and risk appetite The board of directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

119 of 315

INTERNAL ENVIRONMENT
Human resources standards
Employees are both the companys greatest control strength and the greatest control weakness. Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required. Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organizations vulnerability.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

120 of 315

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 121 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 122 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Hiring
Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements. Employees should undergo a formal, in-depth employment interview. Resumes, reference letters, and thorough background checks are critical.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

123 of 315

INTERNAL ENVIRONMENT
Background checks can involve:
Verifying education and experience. Talking with references. Checking for criminal records, credit issues, and other publicly available data. Note that you must have the employees or candidates written permission to conduct a background check, but that permission does not need to have an expiration date. Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 124 of 315

INTERNAL ENVIRONMENT
Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.
Some get phony degrees from online diploma mills.
A Pennsylvania district attorney recently filed suit against a Texas university for issuing an MBA to the DAs 6-year-old black cat.

Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.

No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 125 of 315

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 126 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Compensating
Employees should be paid a fair and competitive wage. Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud. Appropriate incentives can motivate and reinforce outstanding performance.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

127 of 315

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 128 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Policies on training
Training programs should familiarize new employees with:
Their responsibilities. Expected performance and behavior. Company policies, procedures, history, culture, and operating style.

Training needs to be ongoing, not just one time. Companies who shortchange training are more likely to experience security breaches and fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

129 of 315

INTERNAL ENVIRONMENT
Many believe employee training and education are the most important elements of fraud prevention and security programs. Fraud is less likely to occur when employees believe security is everyones business. An ideal corporate culture exists when:
Employees are proud of their company and protective of its assets. They believe fraud hurts everyone and that they therefore have a responsibility to report it.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 130 of 315

INTERNAL ENVIRONMENT
These cultures do not just happen. They must be created, taught, and practiced, and the following training should be provided:
Fraud awareness
Employees should be aware of frauds prevalence and dangers, why people do it, and how to deter and detect it.

Ethical considerations
The company should promote ethical standards in its practice and its literature. Acceptable and unacceptable behavior should be defined and labeled, leaving as little gray area as possible.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

131 of 315

INTERNAL ENVIRONMENT
Punishment for fraud and unethical behavior.
Employees should know the consequences (e.g., reprimand, dismissal, prosecution) of bad behavior. Should be disseminated as a consequence rather than a threat. EXAMPLE: Using a computer to steal or commit fraud is a federal crime, and anyone doing so faces immediate dismissal and/or prosecution. The company should display notices of program and data ownership and advise employees of the penalties of misuse.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 132 of 315

INTERNAL ENVIRONMENT
Training can take place through:
Informal discussions Formal meetings Periodic memos Written guidelines Codes of ethics Circulating reports of unethical behavior and its consequences Promoting security and fraud training programs
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 133 of 315

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 134 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Evaluating and promoting
Do periodic performance appraisals to help employees understand their strengths and weaknesses. Base promotions on performance and qualifications.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

135 of 315

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 136 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Discharging
Fired employees are disgruntled employees. Disgruntled employees are more likely to commit a sabotage or fraud against the company. Employees who are terminated (whether voluntary or involuntary) should be removed from sensitive jobs immediately and denied access to information systems.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

137 of 315

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 138 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Managing disgruntled employees
Disgruntled employees may be isolated and/or unhappy, but are much likelier fraud candidates than satisfied employees. The organization can try to reduce the employees pressures through grievance channels and counseling.
Difficult to do because many employees feel that seeking counseling will stigmatize them in their jobs.

Disgruntled employees should not be allowed to continue in jobs where they could harm the organization.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 139 of 315

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 140 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Vacations and rotation of duties
Some fraud schemes, such as lapping and kiting, cannot continue without the constant attention of the perpetrator. Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection. These measures will only be effective if someone else is doing the job while the usual employee is elsewhere.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 141 of 315

INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds
Accounting Information Systems, 11/e Romney/Steinbart 142 of 315

2008 Prentice Hall Business Publishing

INTERNAL ENVIRONMENT
Confidentiality agreements and fidelity bond insurance
Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements. Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts by those employees.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

143 of 315

INTERNAL ENVIRONMENT
In addition to the preceding policies, the company should seek prosecution and incarceration of hackers and fraud perpetrators Most fraud cases and hacker attacks go unreported. They are not prosecuted for several reasons.
Companies fear:
Public relations nightmares Copycat attacks

But unreported fraud and intrusions create a false sense of security.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

144 of 315

INTERNAL ENVIRONMENT
Law enforcement officials and courts are busy with violent crimes and may regard teen hacking as childish pranks. Fraud is difficult, costly, and time-consuming to investigate and prosecute. Law enforcement officials, lawyers, and judges often lack the computer skills needed to investigate, prosecute, and evaluate computer crimes. When cases are prosecuted and a conviction obtained, penalties are often very light. Judges often regard the perps as model citizens.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

145 of 315

INTERNAL ENVIRONMENT
Internal environment consists of the following:
Managements philosophy, operating style, and risk appetite The board of directors Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

146 of 315

INTERNAL ENVIRONMENT
External influences
External influences that affect the control environment include requirements imposed by:
FASB PCAOB SEC Insurance commissions Regulatory agencies for banks, utilities, etc.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

147 of 315

OBJECTIVE SETTING
Objective setting is the second ERM component. It must precede many of the other six components. For example, you must set objectives before you can define events that affect your ability to achieve objectives

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

148 of 315

OBJECTIVE SETTING
Top management, with board approval, must articulate why the company exists and what it hopes to achieve.
Often referred to as the corporate vision or mission.

Uses the mission statement as a base from which to set corporate objectives. The objectives:
Need to be easy to understand and measure. Should be prioritized. Should be aligned with the companys risk appetite.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 149 of 315

OBJECTIVE SETTING
Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various subunits. For each set of objectives:
Critical success factors (what has to go right) must be defined. Performance measures should be established to determine whether the objectives are met.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 150 of 315

OBJECTIVE SETTING
Objective-setting process proceeds as follows:
First, set strategic objectives, the high-level goals that support the companys mission and create value for shareholders. To meet these objectives, identify alternative ways of accomplishing them. For each alternative, identify and assess risks and implications. Formulate a corporate strategy. Then set operations, compliance, and reporting objectives.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 151 of 315

OBJECTIVE SETTING
As a rule of thumb:
The mission and strategic objectives are stable. The strategy and other objectives are more dynamic:
Must be adapted to changing conditions. Must be realigned with strategic objectives.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

152 of 315

OBJECTIVE SETTING
Operations objectives:
Are a product of management preferences, judgments, and style. Vary significantly among entities:
One may adopt technology; another waits until the bugs are worked out.

Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures. Give clear direction for resource allocationa key success factor.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 153 of 315

OBJECTIVE SETTING
Compliance and reporting objectives:
Many are imposed by external entities, e.g.:
Reports to IRS or to EPA Financial reports that comply with GAAP

A companys reputation can be impacted significantly (for better or worse) by the quality of its compliance.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

154 of 315

EVENT IDENTIFICATION
Events are:
Incidents or occurrences that emanate from internal or external sources. That affect implementation of strategy or achievement of objectives. Impact can be positive, negative, or both. Events can range from obvious to obscure. Effects can range from inconsequential to highly significant.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

155 of 315

EVENT IDENTIFICATION
By their nature, events represent uncertainty:
Will they occur? If so, when? And what will the impact be? Will they trigger another event? Will they happen individually or concurrently?

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

156 of 315

EVENT IDENTIFICATION
Management must do its best to anticipate all possible eventspositive or negativethat might affect the company:
Try to determine which are most and least likely. Understand the interrelationships of events.

COSO identified many internal and external factors that could influence events and affect a companys ability to implement strategy and achieve objectives.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

157 of 315

capital Lower barriers to entry, resulting in new competition Some of these factors include: Price movements up or down External factors: to issue credit and possibility of default Ability Economic factors Concentration of competitors, customers, or vendors Presence or absence of liquidity Movements in the financial markets or currency fluctuations Rising or lowering unemployment rates Mergers or acquisitions Potential regulatory, contractual, or criminal legal liability

Availability of capital; lower or higher EVENT IDENTIFICATION costs of

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

158 of 315

EVENT IDENTIFICATION
Some of these factors include:
External factors:
Economic factors Natural environment
Natural disasters such as fires, floods, or earthquakes Emissions and waste Energy restrictions or shortages Restrictions limiting development

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

159 of 315

EVENT IDENTIFICATION
Some of these factors include:
External factors:
Economic factors Natural environment Political factors Election of government

officials with new agendas New laws and regulations Public policy, including higher or lower taxes Regulation affecting the companys ability to compete

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

160 of 315

EVENT IDENTIFICATION

Changing demographics, social mores, family structures, and work/life priorities Some of these factors include: Consumer behavior that External factors: changes demand for products and services or creates new Economic factors buying opportunities Natural environment Corporate citizenship Political factors Privacy Social factors Terrorism Human resource issues causing production shortages or stoppages

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

161 of 315

EVENT IDENTIFICATION

New e-business technologies that lower infrastructure costs Some of these factors include: or increase demand for IT External factors: based services Economic factors Emerging technology Natural environment Increased or decreased availability of data Political factors Interruptions or down time Social factors caused by external parties

Technological factors

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

162 of 315

EVENT IDENTIFICATION
Some of these factors include:
Internal factors:
Infrastructure
Inadequate access or poor allocation of capital Availability and capability of company assets Complexity of systems

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

163 of 315

EVENT IDENTIFICATION
Some of these factors include:
Internal factors:
Infrastructure Personnel
Employee skills and capability Employees acting dishonestly or unethically Workplace accidents, health or safety concerns Strikes or expiration of labor agreements

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

164 of 315

EVENT IDENTIFICATION
Some of these factors include:
Internal factors:
Infrastructure Personnel Process
Process modification without proper change management procedures Poorly designed processes Process execution errors Suppliers cannot deliver quality goods on time

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

165 of 315

EVENT IDENTIFICATION
Some of these factors include:
Internal factors:

Infrastructure Personnel Process Technology

Insufficient capacity to handle peak IT usages Security breaches Data or system unavailability from internal factors Inadequate data integrity Poor systems selection/development Inadequately maintained systems
Accounting Information Systems, 11/e Romney/Steinbart 166 of 315

2008 Prentice Hall Business Publishing

EVENT IDENTIFICATION
Lists can help management identify factors, evaluate their importance, and examine those that can affect objectives. Identifying events at the activity and entity levels allows companies to focus their risk assessment on major business units or functions and align their risk tolerance and risk appetite.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

167 of 315

EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events
Often produced by special software that can tailor lists to an industry, activity, or process.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

168 of 315

EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events Perform an internal analysis
An internal committee analyzes events, contacting appropriate insiders and outsiders for input.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

169 of 315

EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events Perform an internal analysis Monitor leading events and trigger points
Appropriate transactions, activities, and events are monitored and compared to predefined criteria to determine when action is needed.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

170 of 315

EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events Perform an internal analysis Monitor leading events and trigger points Conduct workshops and interviews
Employee knowledge and expertise is gathered in structured discussions or individual interviews.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 171 of 315

EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events Perform an internal analysis Monitor leading events and trigger points Examine data on prior events to identify trends and causes that and interviews Conduct workshops help identify possible events. Perform data mining and analysis

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

172 of 315

EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events Perform an internal analysis Monitor leading events and trigger points Analyze internal and external factors Conduct workshops and interviewsthat affect inputs, processes, and outputs to identify events Perform data mininghinder analysis that might help or and the process. Analyze processes
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 173 of 315

RISK ASSESSMENT AND RISK RESPONSE


The fourth and fifth components of COSOs ERM model are risk assessment and risk response. COSO indicates The risk that exists before there are two types management takes any steps to control the likelihood or impact of risk:
of a risk.

Inherent risk

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

174 of 315

RISK ASSESSMENT AND RISK RESPONSE


The fourth and fifth components of COSOs ERM model are risk assessment and risk response. COSO indicates there are two types The risk that remains after of risk: implements management

Inherent risk some other internal controls or form of response to Residual riskrisk.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

175 of 315

RISK ASSESSMENT AND RISK RESPONSE


Companies should:
Assess inherent risk Develop a response Then assess residual risk

The ERM model indicates four ways to respond to risk:


Reduce it
The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

176 of 315

RISK ASSESSMENT AND RISK RESPONSE


Companies should:
Assess inherent risk Develop a response Then assess residual risk

The ERM model indicates four ways to respond to risk:


Reduce it Accept it
Dont act to prevent or mitigate it.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

177 of 315

RISK ASSESSMENT AND RISK RESPONSE


Companies should:
Assess inherent risk Develop a response Then assess residual risk

The ERM model indicates four ways to respond to risk:


Reduce it Accept it Share it
Transfer some of it to others via activities such as insurance, outsourcing, or hedging.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

178 of 315

RISK ASSESSMENT AND RISK RESPONSE


Companies should:
Assess inherent risk Develop a response Then assess residual risk

The ERM model indicates four ways to respond to risk:


Reduce it Accept it Share it Avoid it
Dont engage in the activity that produces it. May require: Sale of a division Exiting a product line Canceling an expansion plan
Accounting Information Systems, 11/e

2008 Prentice Hall Business Publishing

Romney/Steinbart

179 of 315

RISK ASSESSMENT AND RISK RESPONSE


Accountants:
Help management design effective controls to reduce inherent risk. Evaluate internal control systems to ensure they are operating effectively. Assess and reduce inherent risk using the risk assessment and response strategy.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

180 of 315

RISK ASSESSMENT AND RISK RESPONSE

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Event identification
The first step in risk assessment and response strategy is event identification, which we have already discussed.

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 181 of 315

RISK ASSESSMENT AND RISK RESPONSE


Estimate likelihood and impact
Some events pose more risk because they are more probable than others. Some events pose more risk because their dollar impact would be more significant. Likelihood and impact must be considered together: If either increases, the materiality of the event and the need to protect against it rises.
2008 Prentice Hall Business Publishing

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


Romney/Steinbart 182 of 315

Accounting Information Systems, 11/e

RISK ASSESSMENT AND RISK RESPONSE

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Identify controls
Management must identify one or more controls that will protect the company from each event. In evaluating benefits of each control procedure, consider effectiveness and timing.

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 183 of 315

RISK ASSESSMENT AND RISK RESPONSE


All other factors equal:
A preventive control is better than a detective one. However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover. Consequently, the three complement each other, and a good internal control system should have all three. Similarly, a company should use all four levers of control.
2008 Prentice Hall Business Publishing

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


Romney/Steinbart 184 of 315

Accounting Information Systems, 11/e

RISK ASSESSMENT AND RISK RESPONSE


Estimate costs and benefits
It would be costprohibitive to create an internal control system that provided foolproof protection against all events. Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 185 of 315

RISK ASSESSMENT AND RISK RESPONSE


The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include:
Increased sales and productivity Reduced losses Better integration with customers and suppliers Increased customer loyalty Competitive advantages Lower insurance premiums
2008 Prentice Hall Business Publishing

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


Romney/Steinbart 186 of 315

Accounting Information Systems, 11/e

RISK ASSESSMENT AND RISK RESPONSE


Costs are usually easier to measure than benefits. Primary cost is personnel, including:
Time to perform control procedures Costs of hiring additional employees to effectively segregate duties Costs of programming controls into a system

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 187 of 315

RISK ASSESSMENT AND RISK RESPONSE


Other costs of a poor control system include:
Lost sales Lower productivity Drop in stock price if security problems arise Shareholder or regulator lawsuits Fines and penalties imposed by governmental agencies

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 188 of 315

RISK ASSESSMENT AND RISK RESPONSE

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

The expected loss related to a risk is measured as:


Expected loss = impact x likelihood

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls

The value of a control procedure is the difference between:


Expected loss with control procedure Expected loss without it

Is it costbeneficial to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 189 of 315

RISK ASSESSMENT AND RISK RESPONSE


Determine costbenefit effectiveness
After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls
Is it costbeneficia l
to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 190 of 315

RISK ASSESSMENT AND RISK RESPONSE


In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.
If an event threatens an organizations existence, it may be worthwhile to institute controls even if costs exceed expected benefits. The additional cost can be viewed as a catastrophic loss insurance premium.

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls
Is it costbeneficia l
to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 191 of 315

Expected Loss without control procedure = $800,000 x .12 = $96,000. Expected loss with control procedure = $800,000 x .005 = $4,000. Estimated value of control procedure = $96,000 - $4,000 = $92,000. RESPONSE Estimated cost of control procedure = $43,000 (given). Benefits exceed costs by $92,000 - $43,000 = $49,000. Lets go through an example: In this case, Hobby Hole should probably install the motion detectors.

RISK ASSESSMENT AND RISK

Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft. A catastrophic theft could result in losses of $800,000. Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%. Companies with motion detectors only have about a .5% probability of catastrophic theft. The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000. Should Hobby Hole install the motion detectors?
Accounting Information Systems, 11/e Romney/Steinbart

2008 Prentice Hall Business Publishing

192 of 315

RISK ASSESSMENT AND RISK RESPONSE


Implement the control or avoid, share, or accept the risk
When controls are cost effective, they should be implemented so risk can be reduced.

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls
Is it costbeneficia l
to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 193 of 315

RISK ASSESSMENT AND RISK RESPONSE


Risks that are not reduced must be accepted, shared, or avoided.
If the risk is within the companys risk tolerance, they will typically accept the risk. A reduce or share response is used to bring residual risk into an acceptable risk tolerance range. An avoid response is typically only used when there is no way to costeffectively bring risk into an acceptable risk tolerance range.
2008 Prentice Hall Business Publishing

Identify the events or threats that confront the company


Estimate the likelihood or probability of each event occurring

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls
Is it costbeneficia l
to protect system

No

Avoid, share, or accept risk

Yes

Reduce risk by implementing set of controls to guard against threat


Romney/Steinbart 194 of 315

Accounting Information Systems, 11/e

CONTROL ACTIVITIES
The sixth component of COSOs ERM model. Control activities are policies, procedures, and rules that provide reasonable assurance that managements control objectives are met and their risk responses are carried out.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

195 of 315

CONTROL ACTIVITIES
It is managements responsibility to develop a secure and adequately controlled system.
Controls are much more effective when built in on the front end. Consequently, systems analysts, designers, and end users should be involved in designing adequate computer-based control systems.

Management must also establish a set of procedures to ensure control compliance and enforcement.
Usually, the purview of the information security officer and the operations staff.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 196 of 315

CONTROL ACTIVITIES
It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because:
More people are on vacation and fewer around to mind the store. Students are not tied up with school. Counterculture hackers may be lonely.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 197 of 315

CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 198 of 315

CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 199 of 315

CONTROL ACTIVITIES
Proper authorization of transactions and activities
Management lacks the time and resources to supervise each employee activity and decision. Consequently, they establish policies and empower employees to perform activities within policy. This empowerment is called authorization and is an important part of an organizations control procedures.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 200 of 315

CONTROL ACTIVITIES
Authorizations are often documented by signing initializing, or entering an authorization code. Computer systems can record digital signatures as a means of signing a document. Employees who process transactions should verify the presence of the appropriate authorizations. Auditors review transactions for proper authorization, as their absence indicates a possible control problem.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 201 of 315

CONTROL ACTIVITIES
Typically at least two levels of authorization:
General authorization
Management authorizes employees to handle routine transactions without special approval.

Special authorization
For activities or transactions that are of significant consequences, management review and approval is required. Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.

Management should have written policies for both types of authorization and for all types of transactions.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 202 of 315

CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 203 of 315

CONTROL ACTIVITIES
Segregation of duties
Good internal control requires that no single employee be given too much responsibility over business transactions or processes. An employee should not be in a position to commit and conceal fraud or unintentional errors. Segregation of duties is discussed in two sections:
Segregation of accounting duties Segregation of duties within the systems function
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 204 of 315

CONTROL ACTIVITIES
Segregation of duties
Good internal control requires that no single employee be given too much responsibility over business transactions or processes. An employee should not be in a position to commit and conceal fraud or unintentional errors. Segregation of duties is discussed in two sections:
Segregation of accounting duties Segregation of duties within the systems function
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 205 of 315

CONTROL ACTIVITIES

To learn a little about segregation of duties, lets first meet Bill.


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 206 of 315

CONTROL ACTIVITIES

Bill is in charge of a pile of the organizations moneylets say $1,000.


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 207 of 315

CONTROL ACTIVITIES

Ledger $1,000

Bill also keeps the books for that money.


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 208 of 315

CONTROL ACTIVITIES

Ledger $1,000

Bill has a date tonight, and hes a little desperate to impress that special someone, so he takes $100 of the cash. (Thinks hes only borrowing it, you know.)
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 209 of 315

CONTROL ACTIVITIES

Ledger $1,000

Bill has a date tonight, and hes a little desperate to impress that special someone, so he takes $100 of the cash. (Thinks hes only borrowing it, you know.)
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 210 of 315

CONTROL ACTIVITIES

Ledger $900

Bill also records an entry in the books to show that $100 was spent for some legitimate purpose. Now the balance in the books is $900.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 211 of 315

CONTROL ACTIVITIES

Ledger $900

How will Bill ever get caught at his theft?


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 212 of 315

CONTROL ACTIVITIES

Now lets change the story. Bill is in charge of the pile of cash.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 213 of 315

CONTROL ACTIVITIES

Ledger

$1,000

But Mary keeps the books. This arrangement is a form of segregation of duties.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 214 of 315

CONTROL ACTIVITIES

Ledger

$1,000

Bill gets in a pinch again and takes $100 of the organizations cash.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 215 of 315

CONTROL ACTIVITIES

Ledger

$1,000

How will Bill get caught?


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 216 of 315

CONTROL ACTIVITIES
Segregation of accounting duties
Effective segregation of accounting duties is achieved when the following functions are separated:
AuthorizationApproving transactions and decisions. RecordingPreparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports. CustodyHandling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organizations bank account.

If any two of the preceding functions are the responsibility of one person, then problems can arise.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 217 of 315

CONTROL ACTIVITIES
CUSTODIAL FUNCTIONS Handling cash Handling inventories, tools, or fixed assets Writing checks Receiving checks in mail RECORDING FUNCTIONS Preparing source documents Maintaining journals, ledgers, or other files Preparing reconciliations Preparing performance reports

EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the AUTHORIZATION recording for those receipts can steal some of the cash and falsify accounts to FUNCTIONS conceal the theft. Authorization of SOLUTION: The pink fence (segregation of custody and recording) prevents transactions employees from falsifying records to conceal theft of assets entrusted to them.
Accounting Information Systems, 11/e Romney/Steinbart 218 of 315

2008 Prentice Hall Business Publishing

CONTROL ACTIVITIES
CUSTODIAL FUNCTIONS Handling cash Handling inventories, tools, or fixed assets Writing checks Receiving checks in mail

EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal RECORDING FUNCTIONS the payments. Preparing source SOLUTION: The green fence documents (segregation of custody and Maintaining journals, authorization) prevents ledgers, or other files employees from authorizing fictitious or inaccurate Preparing reconciliations transactions as a means of Preparing performance concealing a theft. reports

AUTHORIZATION FUNCTIONS Authorization of transactions


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 219 of 315

EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious CUSTODIAL FUNCTIONS payments that might, for example, be sent to the Handling cash employees home address Handling inventories, tools, or the fixed assetsa shell or address of company he creates. Writing checks SOLUTION: The purple mail Receiving checks in fence (segregation of recording and authorization) prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized. AUTHORIZATION FUNCTIONS Authorization of transactions

CONTROL ACTIVITIES
RECORDING FUNCTIONS Preparing source documents Maintaining journals, ledgers, or other files Preparing reconciliations Preparing performance reports

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

220 of 315

CONTROL ACTIVITIES
In a system that incorporates an effective separation of duties, it should be difficult for any single employee to commit embezzlement successfully. But when two or more people collude, then segregation of duties becomes impotent and controls are overridden.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

221 of 315

CONTROL ACTIVITIES

Ledger

$1,000

If this happens . . .
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 222 of 315

CONTROL ACTIVITIES

Ledger

$1,000

Then segregation of duties is out the window. Collusion overrides segregation.


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 223 of 315

CONTROL ACTIVITIES
Employees can collude with other employees or with customers or vendors. The most frequent form of employee/vendor collusions include:
Billing at inflated prices Performing substandard work and receiving full payment Payment for non-performance Duplicate billings Improperly funneling more work to or purchasing more goods from a colluding company
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 224 of 315

CONTROL ACTIVITIES
The most frequent form of employee/customer collusions include:
Unauthorized loans or insurance payments Receipt of assets or services at unauthorized discount prices Forgiveness of amounts owed Unauthorized extension of due dates

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

225 of 315

CONTROL ACTIVITIES
Segregation of duties
Good internal control requires that no single employee be given too much responsibility over business transactions or processes. An employee should not be in a position to commit and conceal fraud or unintentional errors. Segregation of duties is discussed in two sections:
Segregation of accounting duties Segregation of duties within the systems function

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

226 of 315

CONTROL ACTIVITIES
Segregation of duties within the systems function
In a highly integrated information system, procedures once performed by separate individuals are combined. Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud. To combat this threat, organizations must implement effective segregation of duties within the IS function.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 227 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration

Responsible for ensuring that the different parts of an information system operate smoothly and efficiently.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

228 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Ensures that all applicable devices are linked to the organizations internal and external networks and that the networks operate continuously and properly.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

229 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Security management Ensures that all aspects of the system are secure and protected from internal and external threats.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

230 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Security management Manages changes to the Change management organizations information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

231 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Security management Change management Users Record transactions, authorize data to be processed, and use system output.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

232 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Security management Change management Users Help users determine their information needs and design Systems analysts systems to meet those needs.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

233 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Security management Change management Users Systems analysts Programming Use design provided by the systems analysts to write the computer programs for the information system.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

234 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Security management Change management Users Systems analysts Run the software on the Programming companys computers. Computer operations Ensure that data are input properly, correctly processed, and needed output is produced.
Accounting Information Systems, 11/e Romney/Steinbart 235 of 315

2008 Prentice Hall Business Publishing

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Security management Change management Users Systems analysts Maintains custody of corporate databases, files, and programs in Programming a separate storage area. Computer operations Information systems library

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

236 of 315

CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration Network management Ensures that source data have Security management been properly approved. Change management Monitors the flow of work Users through the computer. Systems analysts Reconciles input and output. Programming Maintains a record of input Computer operations errors to ensure their correction Information systems library and resubmission. Data control Distributes system output.
Accounting Information Systems, 11/e Romney/Steinbart 237 of 315

2008 Prentice Hall Business Publishing

CONTROL ACTIVITIES
It is important that different people perform the preceding functions.
Allowing a person to do two or more jobs exposes the company to the possibility of fraud.

In addition to adequate segregation of duties, organizations should ensure that the people who design, develop, implement, and operate the IS are qualified and well trained. The same holds true for systems security personnel.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 238 of 315

CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

239 of 315

CONTROL ACTIVITIES
Project development and acquisition controls
Its important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies. Should contain appropriate controls for: Management review and approval User involvement Analysis Design Testing Implementation Conversion Should make it possible for management to trace information inputs from source to disposition and vice versa (the audit trail).
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 240 of 315

CONTROL ACTIVITIES
Examples abound of poorly managed projects that have wasted large sums of money because certain basic principles of project management control were ignored.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

241 of 315

A multi-year strategic plan should align the organizations information system with its business strategies and show the The following basic principles projects that must be of control should be applied to systems development in order to reduce the completed to achieve longrange goals. potential for cost overruns and project failure and to Should address hardware, improve the efficiency and effectiveness of the IS: software, personnel, and Strategic master plan infrastructure requirements. Each year, the board and top management should prepare and approve the plan and its supporting budget. Should be evaluated several times a year to ensure the organization can acquire needed components and maintain existing ones.

CONTROL ACTIVITIES

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

242 of 315

A project development plan shows how a project will be completed, including: Modules or tasks to be The following basic principles of performed control should be applied to systems development Who will perform them in order to reduce the Anticipated completion potential for cost overruns andproject failure and to dates Project costs improve the efficiency and effectiveness of the IS: Project milestones should be Strategic master plan specifiedpoints when progress Project controls is reviewed and actual completion times are compared to estimates. Each project should be assigned to a manager and team who are responsible for its success or failure. At project completion, a project evaluation of the team members should be performed.

CONTROL ACTIVITIES

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

243 of 315

CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan Project controls Data processing schedule Data processing tasks should be organized according to a schedule to maximize the use of scarce computer resources.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

244 of 315

CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan Project controls Data processing schedule Steering committee A steering committee should guide and oversee systems development and acquisition.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

245 of 315

CONTROL ACTIVITIES
of control should be The following basic principles To be evaluated properly, a system should applied to systems development in order to be assessed reduce the with measures such as: potential for cost overruns and project failure and to Throughput (output per improve the efficiency and effectiveness of the IS: unit of time) Strategic master plan Utilization (percent of time Project controls it is used productively) Data processing schedule Response time (how long it takes to respond) Steering committee System performance measurements

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

246 of 315

CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan A review should be performed Project controls after a development project is Data processing schedule completed to determine if the Steering committee anticipated benefits were achieved. System performance measurements Post-implementation review Helps control project development activities and encourage accurate and objective initial cost and benefit estimates.
Accounting Information Systems, 11/e Romney/Steinbart 247 of 315

2008 Prentice Hall Business Publishing

CONTROL ACTIVITIES
To simplify and improve systems development, some companies hire a systems integratora vendor who uses common standards and manages the development effort using their own personnel and those of the client and other vendors.
Many companies rely on the integrators assurance that the project will be completed on time. Unfortunately, the integrator is often wrong. These third-party systems development projects are subject to the same cost overruns and missed deadlines as systems developed internally.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 248 of 315

CONTROL ACTIVITIES

Before third parties bid, provide clear When using systems integrators, specifications, including: Exact descriptions and definitions of the system basic rules Explicit deadlines used for project management Precise acceptance criteria of internal projects. In addition, they Although its expensive to develop these should: specifications, it will save money in the end.

companies should adhere to the same

Develop clear specifications

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

249 of 315

A sponsors committee should monitor third-party development projects. Established by the CIO and chaired by the projects internal champion. Should include department managers from all units that integrators, When using systemswill use the system. Should establish formal procedures for measuring and reporting project status. Best approach is to: basic rules used for project management Divide project into manageable tasks. of internal projects. In addition, they task. Assign responsibility for each should: Meet on a regular basis (at least monthly) to review progress and assess quality.

CONTROL ACTIVITIES

companies should adhere to the same

Develop clear specifications Monitor the systems integration project

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

250 of 315

CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 251 of 315

CONTROL ACTIVITIES
Change management controls
Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances. Change management is the process of making sure that the changes do not negatively affect:
Systems reliability Security Confidentiality Integrity Availability

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

252 of 315

CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 253 of 315

CONTROL ACTIVITIES
Design and use of adequate documents and records
Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data. Form and content should be kept as simple as possible to:
Promote efficient record keeping Minimize recording errors Facilitate review and verification

Documents that initiate a transaction should contain a space for authorization. Those used to transfer assets should have a space for the receiving partys signature.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 254 of 315

CONTROL ACTIVITIES
Documents should be sequentially prenumbered:
To reduce likelihood that they would be used fraudulently. To help ensure that all valid transactions are recorded.

A good audit trail facilitates:


Tracing individual transactions through the system. Correcting errors. Verifying system output.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 255 of 315

CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 256 of 315

CONTROL ACTIVITIES
Safeguard assets, records, and data
When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment. Another company asset that needs to be protected is information. According to the ACFEs 2004 National Fraud Survey, theft of information made up only 17.3% of non-cash misappropriations; however, the median cost of an information theft was $340,000. This cost was 126% higher than the next most costly non-asset theft. (Equipment theft had a median cost of $150,000.)

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

257 of 315

CONTROL ACTIVITIES
Many people mistakenly believe that the greatest risks companies face are from outsiders. However, employees pose a much greater risk when it comes to loss of data because:
They know the system and its weaknesses better. They are better able to hide their illegal acts.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 258 of 315

CONTROL ACTIVITIES
Insiders also create less-intentional threats to systems, including:
Accidentally deleting company data. Turning viruses loose. Trying to fix hardware or software without appropriate expertise (i.e., when in doubt, unplug it).

These actions can result in crashed networks, corrupt data, and hardware and software malfunctions. Companies also face significant risks from customers and vendors that have access to company data.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 259 of 315

CONTROL ACTIVITIES
Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In addition, it is important to:
Maintain accurate records of all assets
Periodically reconcile recorded amounts to physical counts.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

260 of 315

CONTROL ACTIVITIES
Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Use computer-based Chapters 7 and 8 discuss restricted storage areas for inventories and equipment. controls. In addition, it Useimportant to: is cash registers, safes,
lockboxes, and safe Maintain accurate records of all assets deposit boxes to limit access to cash, Periodically reconcile recorded amounts to assets. securities, and paper

physical counts Restrict access to assets

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

261 of 315

CONTROL ACTIVITIES
Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based Use fireproof storage areas, controls. In addition, it is important to: backup locked filing cabinets,
of Maintain accurate records filesall assets of (including copies at off-site locations).

Periodically reconcile recorded amounts to checks Limit access to blank physical counts and documents to authorized Restrict access to assets personnel. Protect records and documents

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

262 of 315

CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 263 of 315

CONTROL ACTIVITIES

Ledger

$1,000

Lets look at Bill and Mary again. Assume that Bill stole cash but Mary did NOT alter the books.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

264 of 315

CONTROL ACTIVITIES

Ledger

$1,000

Can Bills theft be discovered if an independent party doesnt compare a count of the cash to whats recorded on the books?
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 265 of 315

CONTROL ACTIVITIES

Ledger

$1,000

Segregation of duties only has value when supplemented by independent checks.


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 266 of 315

CONTROL ACTIVITIES
Internal checks to ensure that transactions are processed accurately are an important control element. These checks should be performed by someone independent of the party(ies) responsible for the activities.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

267 of 315

CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews
Management at all levels should monitor company results and periodically compare actual performance to: Planned performance as shown in budgets, targets, and forecasts Prior-period performance The performance of competitors

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

268 of 315

CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews Analytical reviews
Examinations of relationships between different sets of data. EXAMPLE: If credit sales increased significantly during the period and there were no changes in credit policy, then bad debt expense should probably have increased also. Management should periodically analyze and review data relationships to detect fraud and other business problems.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 269 of 315

CONTROL ACTIVITIES

Check the accuracy and completeness of records by reconciling them with other records that should have the The following independent checks are same balance. EXAMPLES: Bank reconciliations Top-level reviews Comparing accounts payable control account to sum Analyticalsubsidiary accounts. of reviews

typically used:

Reconciliation of independently maintained sets of records

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

270 of 315

CONTROL ACTIVITIES
The following independent checks are typically used: Periodically, count significant assets

and reconcile the count to company Top-level reviews records. EXAMPLE: Annual physical inventory. Analytical reviews High-dollar items and critical Reconciliation of independently be counted more components should maintained sets of records frequently.

Comparison of actual quantities with recorded amounts

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

271 of 315

CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews Analytical reviews Reconciliation of independently maintained sets of records Comparison of actual quantities with recorded Ensure that debits equal amounts credits. Double-entry accounting
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 272 of 315

CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews Analytical reviews Reconciliation of independently maintained sets of records Comparison of actual quantities with recorded After one person processes a amounts transaction, another reviews Double-entry accounting work. their Independent review
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 273 of 315

INFORMATION AND COMMUNICATION


The seventh component of COSOs ERM model. The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization. So accountants must understand how: Transactions are initiated Data are captured in or converted to machine-readable form Computer files are accessed and updated Data are processed Information is reported to internal and external parties
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 274 of 315

INFORMATION AND COMMUNICATION


Accountants must also understand the accounting records and procedures, supporting documents, and specific financial statement accounts involved in processing and reporting transactions. The preceding items facilitate an audit trail which allows for transactions to be traced from origin to financial statements and vice versa.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 275 of 315

INFORMATION AND COMMUNICATION


According to the AICPA, an AIS has five primary objectives:
Identify and record all valid transactions. Properly classify transactions. Record transactions at their proper monetary value. Record transactions in the proper accounting period. Properly present transactions and related disclosures in the financial statements.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 276 of 315

INFORMATION AND COMMUNICATION


How to safeguard information and physical assets:
Create and enforce appropriate policies and procedures. Maintain accurate records of all assets. Restrict access to assets. Protect records and documents.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

277 of 315

INFORMATION AND COMMUNICATION


Accounting systems generally consist of several accounting subsystems, each designed to process transactions of a particular type. Though they differ with respect to the type of transactions processed, all accounting subsystems follow the same sequence of procedures, referred to as accounting cycles. The five major accounting cycles and their related control objectives and procedures are detailed in Chapters 1014.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 278 of 315

MONITORING
The eighth component of COSOs ERM model. Monitoring can be accomplished with a series of ongoing events or by separate evaluations.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 279 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 280 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 281 of 315

MONITORING
Perform ERM evaluation
Can measure ERM effectiveness through a formal evaluation or through a selfassessment process. A special group can be assembled to conduct the evaluation or it can be done by internal auditing.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

282 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 283 of 315

MONITORING
Implement effective supervision
Involves:
Training and assisting employees; Monitoring their performance; Correcting errors; and Safeguarding assets by overseeing employees with access.

Especially important in organizations that:


Cant afford elaborate responsibility reporting; or Are too small for segregation of duties.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 284 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 285 of 315

MONITORING
Use responsibility accounting
Includes use of:
Budgets, quotas, schedules, standard costs, and quality standards; Performance reports that compare actual with planned performance and highlight variances; and Procedures for investigating significant variances and taking timely actions to correct adverse conditions.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

286 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 287 of 315

MONITORING
Monitor system activities
Risk analysis and management software packages are available to:
Review computer and network security measures; Detect illegal entry into systems; Test for weaknesses and vulnerabilities; Report weaknesses found; and Suggest improvements.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

288 of 315

MONITORING
Cost parameters can be entered to balance acceptable levels of risk tolerance and cost-effectiveness. Software is also available to monitor and combat viruses, spyware, spam, pop-up ads, and to prevent browsers from being hijacked. Also helps companies recover from frauds and malicious actions and restore systems to pre-incident status.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 289 of 315

MONITORING
System transactions and activities should be recorded in a log which indicates who accessed what data, when, and from which terminal. Logs should be reviewed frequently to monitor system activity and trace any problems to their source. Data collected can be used to:
Evaluate employee productivity; Control company costs; Fight corporate espionage and other attacks; and Comply with legal requirements.
Accounting Information Systems, 11/e Romney/Steinbart 290 of 315

2008 Prentice Hall Business Publishing

MONITORING
Companies that monitor system activities need to ensure they do not violate employee privacy rights. Employers cannot discreetly observe communications of employees when those employees have a reasonable expectation of privacy. Employers must therefore ensure that employees realize their business communications are not private. One way to accomplish that objective is to have written policies that employees agree to in writing which indicate:
The technology employees use on the job belongs to the company. Emails received on company computers are not private and can be read by supervisory personnel. Employees should not use technology in any way to contribute to a hostile work environment.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 291 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 292 of 315

MONITORING
Track purchased software
The Business Software Alliance (BSA) aggressively tracks down and fines companies who violate software license agreements. To comply with copyrights, companies should periodically conduct software audits to ensure that.
There are enough licenses for all users; and The company is not paying for more licenses than needed.

Employees should be informed of the consequences of using unlicensed software.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

293 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 294 of 315

MONITORING
Conduct periodic audits
To monitor risk and detect fraud and errors, the company should have periodic:
External audits Internal audits Special network security audits

Auditors should test system controls and browse system usage files looking for suspicious activities (discussed in Chapter 9).

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

295 of 315

MONITORING
Again, care should be exercised that employees privacy rights are not violated. Therefore, inform employees that auditors will conduct random surveillance, which:
Avoids privacy violations Creates a perception of detection that can deter crime and reduce errors

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

296 of 315

MONITORING
Internal auditing involves:
Reviewing the reliability and integrity of financial and operating information. Providing an appraisal of internal control effectiveness. Assessing employee compliance with management policies and procedures and applicable laws and regulations. Evaluating the efficiency and effectiveness of management.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 297 of 315

MONITORING
Internal audits can detect:
Excess overtime Under-used assets Obsolete inventory Padded expense reimbursements Excessively loose budgets and quotas Poorly justified capital expenditures Production bottlenecks

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

298 of 315

MONITORING
Internal auditing should be organizationally independent of the accounting and operating functions. The head should report to the audit committee of the board of directors rather than to the controller or CFO.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

299 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 300 of 315

MONITORING
Employ a computer security officer, a Chief Compliance Officer, and computer consultants
The computer security officer (CSO) is in charge of AIS security
Should be independent of the IS function Should report to the COO or CEO

Many companies also use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 301 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 302 of 315

MONITORING
Engage forensic specialists
Forensic accountants specialize in fraud detection and investigation.
Now one of the fastest growing areas of accounting due to:
SOX SAS-99 Boards of Directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

303 of 315

MONITORING
Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies.
In particular demand are those with the necessary computer skills to ferret out and combat fraudsters who use sophisticated technology to perpetrate their crimes. The Association of Certified Fraud Examiners (ACFE) has created a professional certification program for fraud examiners.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

304 of 315

MONITORING
Management may also need to call on computer forensic specialists for help. They assist in discovering, extracting, safeguarding, and documenting computer evidence so that its authenticity, accuracy, and integrity will not succumb to legal challenges.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

305 of 315

MONITORING
Common incidents investigated by computer forensic experts include:
Improper internet usage Fraud Sabotage Loss, theft, or corruption of data Retrieving information from emails and databases that users thought they had erased Determining who performed certain actions on a computer
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 306 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 307 of 315

MONITORING
Install fraud detection software
People who commit fraud tend to follow certain patterns and leave behind clues. Software has been developed to seek out these fraud symptoms. Some companies employ neural networks (programs that mimic the brain and have learning capabilities), which are very accurate in identifying suspected fraud. For example, if a husband and wife were each using the same credit card in two different stores at the same time, a neural network would probably flag at least one of the transactions immediately as suspicious. These networks and other recent advances in fraud detection software are significantly reducing the incidences of credit card fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

308 of 315

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits Employ a computer security officer, a Chief Compliance Officer, and computer consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 309 of 315

MONITORING
Implement a fraud hotline
People who witness fraudulent behavior are often torn between conflicting feelings.
They want to protect company assets and report fraud perpetrators. But they are uncomfortable in the whistleblower role and find it easier to remain silent.

They are particularly reluctant to report if they know of others who have suffered repercussions from doing so.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 310 of 315

MONITORING
SOX mandates that companies set up mechanisms for employees to anonymously report abuses such as fraud.
An effective way to comply with the law and resolve employee concerns is to provide access to an anonymous hotline. Anonymous reporting can be accomplished through:
Phone lines Web-based reporting Anonymous emails Snail mail

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

311 of 315

MONITORING
Outsourcing is available through a number of third parties and offers several benefits, including:
Increased confidence on the part of employee that his/her report is truly anonymous. 24/7 availability. Often have multilingual capabilitiesan important plus for multinational organizations. The outsourcer may be able to do follow up with the employee if additional information is needed after the initial contact. The employee can be advised of the outcome of his report. Low cost.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

312 of 315

MONITORING
A downside to anonymous reporting mechanisms is that they will produce a significant amount of petty or slanderous reports that do not require investigation. The ACFEs 2004 Report to the Nation indicates that companies without fraud hotlines had median fraud losses that were 140% higher than companies that had fraud hotlines.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

313 of 315

SUMMARY
In this chapter, youve learned about basic internal control concepts and why computer control and security are so important. Youve learned about the similarities and differences between the COBIT, COSO, and ERM control frameworks. Youve learned about the major elements in the internal control environment of a company and the four types of control objectives that companies need to set. Youve also learned about events that affect uncertainty and how these events can be identified. Youve explored how the Enterprise Risk Management model is used to assess and respond to risk, as well as the control activities that are commonly used in companies. Finally, youve learned how organizations communicate information and monitor control processes.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 314 of 315