
Control and Accounting Information Systems –

Part 1

Lecture 6

Copyright © Pearson Education Limited 2015.


Learning Objectives
• Explain basic control concepts and why computer control and security are important.
• Compare and contrast the COBIT, COSO, and ERM control frameworks.
• Describe the major elements in the internal environment of a company.
• Describe the four types of control objectives that companies need to set.
Introduction
• To use IT in achieving control objectives,
accountants must:
▫ Understand how to protect systems from threats.
▫ Have a good understanding of IT and its
capabilities and risks.
• Achieving adequate security and control over the
information resources of an organization should
be a top management priority.

Why Is Control Needed?
• Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.
• The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.
• The probability that the threat will happen is the likelihood associated with the threat.
A Primary Objective of an AIS
• Is to control the organization so the organization can achieve its objectives.
• Management expects accountants to:
▫ Take a proactive approach to eliminating system threats.
▫ Detect, correct, and recover from threats when they occur.

A Primary Objective of an AIS
• It is much easier to build controls into a system
during the initial stage than to add them after
the fact.
• Consequently, accountants and control experts
should be members of the teams that develop or
modify information systems.

Internal Controls
• Processes implemented to provide assurance
that the following objectives are achieved:
▫ Safeguard assets
▫ Maintain sufficient records
▫ Provide accurate and reliable information
▫ Prepare financial reports according to established
criteria
▫ Promote and improve operational efficiency
▫ Encourage adherence with management policies
▫ Comply with laws and regulations
Internal Controls
• Internal control is a process because:
▫ It permeates an organization’s operating activities.
▫ It is an integral part of basic management activities.
• Internal control provides reasonable, rather
than absolute, assurance, because complete
assurance is difficult or impossible to achieve
and prohibitively expensive.

Internal Controls
• Internal control systems have inherent
limitations, including:
▫ They are susceptible to errors and poor decisions.
▫ They can be overridden by management or by
collusion of two or more employees.
• Internal control objectives are often at odds with
each other.
▫ EXAMPLE: Controls to safeguard assets may also
reduce operational efficiency.

Functions of Internal Controls
• Preventive controls
▫ Deter problems from occurring, e.g., segregating duties, hiring qualified personnel.
• Detective controls
▫ Discover problems that were not prevented, e.g., preparing bank reconciliations.
• Corrective controls
▫ Identify and correct problems, and recover from them, e.g., maintaining backup copies of files.
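Two of the three control types above expressed as code, as an added example that is not part of the lecture deck: a preventive segregation-of-duties check that refuses to let the employee who entered a payment also approve it, and a detective bank reconciliation that lists every item on which the ledger and the bank statement disagree. The `Payment` class, `approve_payment`, `reconcile`, `is_blocked` and the sample ledger and bank entries are hypothetical, constructed for this illustration.

```python
"""Preventive and detective controls as code (added example, hypothetical names).

Preventive: segregation of duties on payment approval.
Detective: bank reconciliation listing unmatched and mismatched items.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Payment:
    ref: str
    amount_cents: int            # integer cents, so no floating-point rounding
    entered_by: str
    approved_by: Optional[str] = None


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


def approve_payment(payment: Payment, approver: str) -> Payment:
    """Preventive control (segregation of duties).

    The employee who recorded the payment must not be the one who approves
    it; one person holding both duties could create a payment to themselves
    and approve it without anyone else ever seeing the transaction.
    """
    if approver == payment.entered_by:
        raise ControlViolation(f"{approver} entered {payment.ref} and may not approve it")
    if payment.approved_by is not None:
        raise ControlViolation(f"{payment.ref} is already approved")
    return replace(payment, approved_by=approver)


def is_blocked(payment: Payment, approver: str) -> bool:
    """True if the segregation-of-duties control rejects this approval."""
    try:
        approve_payment(payment, approver)
    except ControlViolation:
        return True
    return False


def reconcile(ledger: Dict[str, int], bank: Dict[str, int]) -> Dict[str, object]:
    """Detective control (bank reconciliation).

    Both inputs map a transaction reference to an amount in cents. Returns
    the references only one side knows about, the references whose amounts
    differ, and whether the two records fully agree. Outstanding cheques and
    deposits in transit land in 'only_in_ledger'; bank fees or interest the
    bookkeeper has not yet recorded land in 'only_in_bank'; a keying error
    such as a transposed digit pair shows up in 'amount_mismatch'.
    """
    ledger_refs, bank_refs = set(ledger), set(bank)
    only_in_ledger: List[str] = sorted(ledger_refs - bank_refs)
    only_in_bank: List[str] = sorted(bank_refs - ledger_refs)
    amount_mismatch: List[str] = sorted(
        ref for ref in ledger_refs & bank_refs if ledger[ref] != bank[ref]
    )
    return {
        "only_in_ledger": only_in_ledger,
        "only_in_bank": only_in_bank,
        "amount_mismatch": amount_mismatch,
        "balanced": not (only_in_ledger or only_in_bank or amount_mismatch),
    }


# Constructed sample records for the illustration (not real data).
SAMPLE_LEDGER = {
    "CHQ-101": 125_000,  # cheque, cleared correctly
    "CHQ-102": 48_000,   # bookkeeper keyed 480.00; the bank paid 840.00
    "CHQ-103": 9_900,    # written but not yet presented to the bank
    "DEP-07": 300_000,   # customer deposit
}
SAMPLE_BANK = {
    "CHQ-101": 125_000,
    "CHQ-102": 84_000,
    "DEP-07": 300_000,
    "FEE-03": 2_500,     # monthly bank fee, not yet recorded in the ledger
}


if __name__ == "__main__":
    draft = Payment("PAY-0001", 150_000, entered_by="alice")
    print("alice approving her own entry blocked:", is_blocked(draft, "alice"))
    print("approved by:", approve_payment(draft, "bob").approved_by)
    for key, value in reconcile(SAMPLE_LEDGER, SAMPLE_BANK).items():
        print(f"{key}: {value}")
```

The reconciliation only detects; clearing the items it lists (recording the fee, correcting the transposed amount, chasing the uncleared cheque) is the corrective step, which a person still has to carry out and document.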
Functions of Internal Controls
In addition to the functions of internal controls, controls are segregated into two categories:
1. General controls, which ensure that the organization’s control environment is stable and well managed.
2. Application controls, which prevent, detect, and correct transaction errors and fraud in application programs.

Control Frameworks
• A number of frameworks have been developed to
help companies develop good internal control
systems. Three of the most important are:
• COBIT
▫ Framework for IT control
• COSO
▫ Framework for enterprise internal controls
(control-based approach)
• COSO-ERM
▫ Expands COSO framework taking a risk-based
approach
COBIT Framework
▫ Also known as the Control Objectives for Information and Related Technology framework.
▫ Developed by the Information Systems Audit and Control Foundation (ISACF), the research foundation of ISACA.
▫ A framework of generally applicable information systems security and control practices for IT control.

COBIT Framework
• The COBIT framework has been revised several times, and each major revision carries a new version number. At the time of this edition (2015) the current version for IT controls is COBIT 5; a later revision, COBIT 2019, has since been released.
• Based on the following principles:
▫ Meeting stakeholder needs
▫ Covering the enterprise end-to-end
▫ Applying a single, integrated framework
▫ Enabling a holistic approach
▫ Separating governance from management
COBIT Framework
• The benefit of a standard framework for IT controls is that it:
1. Lets management benchmark their environment and compare it with other organizations.
2. Provides assurance that IT security and controls exist, because the framework is comprehensive.
3. Allows auditors to substantiate their internal control opinions.

COBIT5 Separates Governance from
Management

COSO’s Internal Control Framework
▫ The Committee of Sponsoring Organizations
(COSO) is a private sector group consisting of:
 The American Accounting Association
 The AICPA
 The Institute of Internal Auditors
 The Institute of Management Accountants
 The Financial Executives Institute

COSO’s Internal Control Framework
• In 1992, COSO issued the Internal Control Integrated
Framework:
▫ Defines internal controls.
▫ Provides guidance for evaluating and enhancing internal
control systems.
▫ Widely accepted as the authority on internal controls.
▫ Incorporated into policies, rules, and regulations used to
control business activities.
• In 2013 the Internal Control framework was updated to address changes in business processes and technology. The updated framework keeps the five components of the original and adds 17 principles that build on and support them (see Table 7-1).
COSO’s Internal Control Framework
• COSO’s internal control model has five crucial
components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring

COSO’S Enterprise Risk Management Framework
• Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
• Result: the Enterprise Risk Management – Integrated Framework (ERM), published in 2004.
▫ An enhanced corporate governance document.
▫ Expands on elements of the preceding framework.
▫ Provides a focus on the broader subject of enterprise risk management.
COSO’S Enterprise Risk Management
Framework
• Intent of ERM is to achieve all goals of the
internal control framework and help the
organization:
▫ Provide reasonable assurance that company objectives
and goals are achieved and problems and surprises are
minimized.
▫ Achieve its financial and performance targets.
▫ Assess risks continuously and identify steps to take
and resources to allocate to overcome or mitigate risk.
▫ Avoid adverse publicity and damage to the entity’s
reputation.

COSO’S Enterprise Risk Management
Framework
• ERM defines risk management as:
▫ A process effected by an entity’s board of
directors, management, and other personnel.
▫ Applied in strategy setting and across the
enterprise.
▫ To identify potential events that may affect the
entity.
▫ And manage risk to be within its risk appetite.
▫ In order to provide reasonable assurance of the
achievement of entity objectives.

COSO’S Enterprise Risk Management
Framework
• Basic principles behind ERM:
▫ Companies are formed to create value for owners.
▫ Management must decide how much uncertainty they will accept.
▫ Uncertainty can result in:
 Risk
• The possibility that something will happen to:
– Adversely affect the ability to create value; or
– Erode existing value.
 Opportunity
• The possibility that something will happen to positively affect the ability to create or preserve value.


Components of COSO Frameworks

COSO (Internal Control):
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring

COSO-ERM:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
COSO’S Enterprise Risk Management
Framework
• COSO developed a
model to illustrate the
elements of ERM.

COSO’S Enterprise Risk Management
Framework – Objective setting
• Objective setting is the
second ERM
component.
• It must precede many
of the other six
components.
• For example, you must
set objectives before
you can define events
that affect your ability
to achieve objectives

COSO’S Enterprise Risk Management
Framework – Objective setting
• Columns at the top
represent the four types of
objectives that
management must meet to
achieve company goals.
▫ Strategic objectives
• Strategic objectives are
high-level goals that are
aligned with and support
the company’s mission.

COSO’S Enterprise Risk Management
Framework – Objective setting
▫ Strategic objectives
▫ Operations objectives
• Operations objectives deal with the effectiveness and efficiency of company operations, such as:
– Performance and profitability goals
– Safeguarding assets
COSO’S Enterprise Risk Management
Framework – Objective setting
▫ Strategic objectives
▫ Operations objectives
▫ Reporting objectives
• Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
• They improve decision-making and let management monitor company activities and performance more efficiently.

COSO’S Enterprise Risk Management
Framework – Objective setting
▫ Strategic objectives
▫ Operations objectives
▫ Reporting objectives
▫ Compliance objectives
• Compliance objectives help the company comply with applicable laws and regulations.
– External parties often set the compliance rules.
– Companies in the same industry often have similar concerns in this area.

Objective Setting

• Strategic objectives
▫ High-level goals
• Operations objectives
▫ Effectiveness and efficiency of operations
• Reporting objectives
▫ Improve decision making and monitor
performance
• Compliance objectives
▫ Compliance with applicable laws and regulations
Internal Environment
• Management’s philosophy, operating style, and
risk appetite
• Commitment to integrity, ethical values, and
competence
• Internal control oversight by Board of Directors
• Organizational structure
• Methods of assigning authority and
responsibility
• Human resource standards
