
Chapter 7

Control and AIS


7-1
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
Learning Objectives

• Explain basic control concepts and explain why computer control and security are important.
• Compare and contrast the COBIT, COSO, and ERM control frameworks.
• Describe the major elements in the internal environment of a company.
• Describe the four types of control objectives that companies need to set.
• Describe the events that affect uncertainty and the techniques used to identify them.
• Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.
• Describe control activities commonly used in companies.
• Describe how to communicate information and monitor control processes in organizations.



Internal Control

• System to provide reasonable assurance that objectives are met, such as:
  • Safeguard assets.
  • Maintain records in sufficient detail to report company assets accurately and fairly.
  • Provide accurate and reliable information.
  • Prepare financial reports in accordance with established criteria.
  • Promote and improve operational efficiency.
  • Encourage adherence to prescribed managerial policies.
  • Comply with applicable laws and regulations.



Internal Control

Functions:
• Preventive: deter problems
• Detective: discover problems
• Corrective: correct problems

Categories:
• General: overall IC system and processes
• Application: transactions are processed correctly



Sarbanes Oxley (2002)

• Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud
• Public Company Accounting Oversight Board (PCAOB)
  • Oversight of auditing profession
• New Auditing Rules
  • Partners must rotate periodically
  • Prohibited from performing certain non-audit services



Sarbanes Oxley (2002)

• New Roles for Audit Committee
  • Be part of board of directors and be independent
  • One member must be a financial expert
  • Oversees external auditors
• New Rules for Management
  • Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
  • The auditors were told about all material internal control weaknesses and fraud.
• New Internal Control Requirements
  • Management is responsible for establishing and maintaining an adequate internal control system.



SOX Management Rules

• Base evaluation of internal control on a recognized framework.
• Disclose all material internal control weaknesses.
• Conclude that a company does not have effective financial reporting internal controls if material weaknesses exist.



Internal Control Frameworks

• Control Objectives for Information and Related Technology (COBIT)
  • Business objectives
  • IT resources
  • IT processes
• Committee of Sponsoring Organizations (COSO)
  • Internal control—integrated framework
    • Control environment
    • Control activities
    • Risk assessment
    • Information and communication
    • Monitoring



Internal Control

• Enterprise Risk Management Model
  • Risk-based vs. control-based
  • COSO elements +
    • Setting objectives
    • Event identification
    • Risk assessment
  • Can be controlled but also
    • Accepted
    • Diversified
    • Shared
    • Transferred



Control Environment

• Management’s philosophy, operating style, and risk appetite
• The board of directors
• Commitment to integrity, ethical values, and competence
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
• External influences



ERM—Objective Setting

• Strategic
  • High-level goals aligned with corporate mission
• Operational
  • Effectiveness and efficiency of operations
• Reporting
  • Complete and reliable
  • Improve decision making
• Compliance
  • Laws and regulations are followed



ERM—Event Identification

• “…an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
  • Positive or negative impacts (or both)
  • Events may trigger other events
  • All events should be anticipated



Risk Assessment

• Identify Risk
  • Identify likelihood of risk
  • Identify positive or negative impact
• Types of Risk
  • Inherent
    • Risk that exists before any plans are made to control it
  • Residual
    • Remaining risk after controls are in place to reduce it



ERM—Risk Response

• Reduce
  • Implement effective internal control
• Accept
  • Do nothing, accept likelihood of risk
• Share
  • Buy insurance, outsource, hedge
• Avoid
  • Do not engage in activity that produces risk



Event/Risk/Response Model



Control Activities

• Policies and procedures to provide reasonable assurance that control objectives are met:
  • Proper authorization of transactions and activities
    • Signature or code on document to signal authority over a process
  • Segregation of duties
  • Project development and acquisition controls
  • Change management controls
  • Design and use of documents and records
  • Safeguarding assets, records, and data
  • Independent checks on performance



Segregation of Accounting Duties

• No one employee should be given too much responsibility
• Separate:
  • Authorization
    • Approving transactions and decisions
  • Recording
    • Preparing source documents
    • Entering data into an AIS
    • Maintaining accounting records
  • Custody
    • Handling cash, inventory, fixed assets
    • Receiving incoming checks
    • Writing checks



Information and Communication

• Primary purpose of an AIS
  • Gather
  • Record
  • Process
  • Summarize
  • Communicate



Monitoring

• Evaluate internal control framework.
• Effective supervision.
• Responsibility accounting system.
• Monitor system activities.
• Track purchased software and mobile devices.
• Conduct periodic audits.
• Employ a security officer and compliance officer.
• Engage forensic specialists.
• Install fraud detection software.
• Implement a fraud hotline.



Segregation of System Duties

• Like accounting duties, system duties should also be separated
• These duties include:
  • System administration
  • Network management
  • Security management
  • Change management
  • Users
  • Systems analysts
  • Programmers
  • Computer operators
  • Information system librarian
  • Data control

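The two segregation-of-duties slides above (accounting duties: authorization, recording, custody; and system duties) describe a rule that can be enforced in code rather than by policy alone. The following is an added example, not code from the textbook or its authors. It checks a set of role assignments in both the detective sense (scan existing assignments for a person who already holds conflicting duties) and the preventive sense (evaluate a proposed grant before it takes effect), matching the preventive/detective distinction drawn earlier in the chapter. The duty names, the conflict matrix for system duties, and the sample assignments are all constructed for illustration; a real deployment would load them from the organization's own role catalogue.

```python
"""Segregation-of-duties (SoD) conflict checks over role assignments.

Added example; not from the textbook slides. Duty names, the system-duty
conflict matrix and the sample assignments below are constructed.
"""
from itertools import combinations

# Accounting duties tagged with the SoD category they belong to. One person
# holding duties from two different categories is a conflict; several duties
# inside a single category (e.g. two recording tasks) are not.
ACCOUNTING_DUTIES = {
    "approve_transactions": "authorization",
    "prepare_source_documents": "recording",
    "enter_ais_data": "recording",
    "maintain_ledger": "recording",
    "handle_cash": "custody",
    "receive_checks": "custody",
    "write_checks": "custody",
}

# System duties that must not be combined in one person (constructed pairs,
# following the spirit of the "Segregation of System Duties" list).
SYSTEM_CONFLICTS = {
    frozenset({"programmer", "computer_operator"}),
    frozenset({"programmer", "change_management"}),
    frozenset({"system_administration", "security_management"}),
    frozenset({"user", "programmer"}),
    frozenset({"data_control", "computer_operator"}),
}

# Constructed sample: user -> set of duties currently held.
SAMPLE_ASSIGNMENTS = {
    "alice": {"approve_transactions"},
    "bob": {"prepare_source_documents", "enter_ais_data"},   # two recording duties, fine
    "carol": {"handle_cash", "write_checks", "enter_ais_data"},  # custody + recording
    "dave": {"programmer", "computer_operator"},             # system conflict
    "erin": {"security_management"},
}


def accounting_conflicts(assignments):
    """Detective check: {user: set of (category, category) pairs} for users whose
    duties span more than one accounting category."""
    findings = {}
    for user, duties in assignments.items():
        categories = {ACCOUNTING_DUTIES[d] for d in duties if d in ACCOUNTING_DUTIES}
        if len(categories) > 1:
            findings[user] = {tuple(sorted(pair)) for pair in combinations(categories, 2)}
    return findings


def system_conflicts(assignments):
    """Detective check: {user: set of forbidden duty pairs} for users who hold
    both halves of a pair listed in SYSTEM_CONFLICTS."""
    findings = {}
    for user, duties in assignments.items():
        hits = {pair for pair in SYSTEM_CONFLICTS if pair <= duties}
        if hits:
            findings[user] = hits
    return findings


def can_grant(assignments, user, new_duty):
    """Preventive check: evaluate a proposed grant against the user's existing
    duties. Returns (True, None) if compatible, otherwise (False, reason).
    A user who is already in conflict is refused as well, which is intended."""
    proposed = {user: set(assignments.get(user, set())) | {new_duty}}
    acct = accounting_conflicts(proposed)
    if acct:
        pairs = ", ".join(f"{a}+{b}" for a, b in sorted(acct[user]))
        return False, f"accounting SoD conflict: {pairs}"
    sysc = system_conflicts(proposed)
    if sysc:
        pairs = ", ".join("+".join(sorted(p)) for p in sorted(sysc[user], key=sorted))
        return False, f"system SoD conflict: {pairs}"
    return True, None


if __name__ == "__main__":
    for user, pairs in accounting_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"[detective] {user}: accounting conflict {sorted(pairs)}")
    for user, pairs in system_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"[detective] {user}: system conflict {[sorted(p) for p in pairs]}")
    for user, duty in [("alice", "write_checks"), ("bob", "maintain_ledger"),
                       ("erin", "system_administration")]:
        ok, reason = can_grant(SAMPLE_ASSIGNMENTS, user, duty)
        print(f"[preventive] grant {duty} to {user}: {'allowed' if ok else reason}")
```

The detective functions are what a periodic access review or audit would run over the current role table; `can_grant` is the gate a provisioning workflow would call before writing a new assignment. Keeping the conflict definitions as data (a category map and a pair set) rather than scattering them through code is what lets the same rules serve both the preventive and the detective control.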
