Control and Accounting Information Systems: Creating The Great Business Leaders

Creating the great business leaders
Control and Accounting Information

Systems
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart
Fakultas Ekonomi dan
Bisnis
School of Economic and INTRODUCTION
Business
Telkom
University
 Questions to be addressed in this chapter:
 What are the basic internal control concepts, and why are computer
control and security important?
 What is the difference between the COBIT, COSO, and ERM control
frameworks?
 What are the major elements in the internal environment of a company?
 What are the four types of control objectives that companies need to set?
 What events affect uncertainty, and how can they be identified?
 How is the Enterprise Risk Management model used to assess and
respond to risk?
 What control activities are commonly used in companies?
 How do organizations communicate information and monitor control
processes?
© 2008 Prentice Hall Business Publishing 2

Accounting Information
Creating
Systems, 11/e
the great business leaders
Romney/Steinbart
Bisnis
Business
Telkom
University
 Why AIS threats are increasing

 Control risks have increased in the last few years because:
 There are computers and servers everywhere, and information is
available to an unprecedented number of workers.
 Distributed computer networks make data available to many users,
and these networks are harder to control than centralized
mainframe systems.
 Wide area networks are giving customers and suppliers access to
each other’s systems and data, making confidentiality a major
concern.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 To use IT in achieving control objectives,

accountants must:
 Understand how to protect systems from threats.
 Have a good understanding of IT and its capabilities and
risks.
 Achieving adequate security and control over the
information resources of an organization should be
a top management priority.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
OVERVIEW OF CONTROL
School of Economic and
Business CONCEPTS
Telkom
University
 Internal control is the process implemented by the board of
directors, management, and those under their direction to
provide reasonable assurance that the following control
objectives are achieved:
 Assets (including data) are safeguarded.
 Records are maintained in sufficient detail to accurately and fairly reflect
company assets.
 Accurate and reliable information is provided.
 There is reasonable assurance that financial reports are prepared in
accordance with GAAP.
 Operational efficiency is promoted and improved.
 Adherence to prescribed managerial policies is encouraged.
 The organization complies with applicable laws and regulations.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
OVERVIEW OF CONTROL
Business CONCEPTS
Telkom
University
 Internal controls perform three important

functions:
 Preventive controls
 Detective controls
 Corrective controls
• Remedy problems that have occurred by:

– Identifying the cause;
– Correcting the resulting errors; and
– Modifying the system to prevent future
problems of this sort.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
OVERVIEW OF CONTROL
Business CONCEPTS
Telkom
University
 Internal controls are often classified as:

 General controls
 Application controls
• Prevent, detect, and correct transaction errors
and fraud.
• Concerned with accuracy, completeness,
validity, and authorization of the data captured,
entered into the system, processed, stored,
transmitted to other systems, and reported.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
OVERVIEW OF CONTROL
Business CONCEPTS
Telkom
University
 An effective system of internal controls should exist

in all organizations to:
 Help them achieve their missions and goals.
 Minimize surprises.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis SOX AND THE FOREIGN CORRUPT
Business PRACTICES ACT
Telkom
University
 In the late 1990s and early 2000s, a series of multi-

million-dollar accounting frauds made headlines.
 The impact on financial markets was substantial, and
Congress responded with passage of the Sarbanes-Oxley
Act of 2002 (aka, SOX).
 Applies to publicly held companies and their auditors.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 The intent of SOX is to:

 Prevent financial statement fraud
 Make financial reports more transparent
 Protect investors
 Strengthen internal controls in publicly-held companies
 Punish executives who perpetrate fraud
 SOX has had a material impact on the way boards of
directors, management, and accountants operate.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Important aspects of SOX include:

 Creation of the Public Company Accounting Oversight
Board (PCAOB) to oversee the auditing profession.
 New rules for auditors
• They must report specific information to the company’s audit

committee, such as:
– Critical accounting policies and practices
– Alternative GAAP treatments
– Auditor-management disagreements
• Audit partners must be rotated periodically.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University

• Auditors cannot perform certain non-audit services, such as:

– Bookkeeping
– Information systems design and implementation
– Internal audit outsourcing services
– Management functions
– Human resource services

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University

 New rules for audit committees
• Members must be on the company’s board

of directors and must otherwise be
independent of the company.
• One member must be a financial expert.
• The committee hires, compensates, and
oversees the auditors, and the auditors
report directly to the committee.
Creating
Systems, 11/e
Romney/Steinbart
Bisnis
School of Economic and CONTROL FRAMEWORKS
Business
Telkom
University
 A number of frameworks have been

developed to help companies develop
good internal control systems. Three of
the most important are:
 The COBIT framework
 The COSO internal control framework
 COSO’s Enterprise Risk Management
framework (ERM)

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 A number of frameworks have been

developed to help companies develop
good internal control systems. Three of
the most important are:
 The COBIT framework
 The COSO internal control framework
 COSO’s Enterprise Risk Management
framework (ERM)

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 COBIT framework
 Also know as the Control Objectives for Information and
Related Technology framework.
 Developed by the Information Systems Audit and Control
Foundation (ISACF).
 A framework of generally applicable information systems
security and control practices for IT control.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
• To satisfy business object
Business
Telkom
University information must conform
certain criteria referred to
“business requirements fo
 The framework addresses the issueinformation.”
of control from
• The criteria are divided int
three vantage points or dimensions:
seven distinct yet overlapp
 Business objectives
categories that map into C
objectives:
– Effectiveness (relevant
pertinent, and timely)
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance with legal
requirements
– Reliability
Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 The framework addresses the issue of control from

 IT resources
• Includes:
• People
• Application systems
• Technology
• Facilities
• Data

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 The framework addresses the issue of control from

 IT resources
 IT processes
• Broken into four domains:

– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 COSO’s internal control framework

 The Committee of Sponsoring Organizations (COSO) is a
private sector group consisting of:
 The American Accounting Association
 The AICPA
 The Institute of Internal Auditors
 The Institute of Management Accountants
 The Financial Executives Institute

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 In 1992, COSO issued the Internal Control

Integrated Framework:
 Defines internal controls.
 Provides guidance for evaluating and enhancing internal
control systems.
 Widely accepted as the authority on internal controls.
 Incorporated into policies, rules, and regulations used to
control business activities.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 COSO’s internal control model has five crucial

components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring
• The entire process must be monitored and modified

as necessary.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 ERM defines risk management as:

 A process effected by an entity’s board of directors,
management, and other personnel.
 Applied in strategy setting and across the enterprise.
 To identify potential events that may affect the entity.
 And manage risk to be within its risk appetite.
 In order to provide reasonable assurance of the
achievement of entity objectives.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Over time, ERM will probably become the most

widely adopted risk and control model.
 Consequently, its eight components are the topic of
the remainder of the chapter.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
School of Economic and INTERNAL ENVIRONMENT
Business
Telkom
University
 The following policies and procedures are
important:
 Hiring
 Compensating
 Training
 Evaluating and promoting
 Discharging
 Managing disgruntled employees
 Vacations and rotation of duties
 Confidentiality insurance and fidelity bonds

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
RISK ASSESSMENT AND RISK
Business RESPONSE
Telkom
University
 Accountants:
 Help management design effective controls to reduce
inherent risk.
 Evaluate internal control systems to ensure they are
operating effectively.
 Assess and reduce inherent risk using the risk assessment
and response strategy.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Basic principles behind ERM:

 Companies are formed to create value for owners.
 Management must decide how much uncertainty they will
accept.
 Uncertainty can result in:
 Risk
 Opportunity
• The possibility that something will happen to

positively affect the ability to create or preserve
value.
Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 The most critical component of

the ERM and the internal control
framework.
 Is the foundation on which the
other seven components rest.
 Influences how organizations:
 Establish strategies and
objectives
 Structure business activities
 Identify, access, and respond to
risk
 A deficient internal control
environment often results in risk
management and control
breakdowns.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University

important:
 Hiring
 Compensating
 Training
 Discharging
Creating
Systems, 11/e
Romney/Steinbart
Bisnis
School Economics and
Business

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 ERM defines risk management as:

 A process effected by an entity’s board of directors,
management, and other personnel.
 Applied in strategy setting and across the enterprise.
 To identify potential events that may affect the entity.
 And manage risk to be within its risk appetite.
 In order to provide reasonable assurance of the
achievement of entity objectives.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 ERM framework vs. the internal control framework

 The internal control framework has been widely adopted
as the principal way to evaluate internal controls as
required by SOX. However, there are issues with it.
 It has too narrow of a focus.
• May
 Focusing on controls first has contribute
an inherent biastotoward
systems
pastwith
problems and concerns. many controls to protect
against risks that are no longer
important.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Over time, ERM will probably become the most

widely adopted risk and control model.
 Consequently, its eight components are the topic of
the remainder of the chapter.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University

important:
 Hiring
 Compensating
 Training
 Discharging
Creating
Systems, 11/e
Romney/Steinbart
Bisnis
RISK ASSESSMENT AND RISK
Business RESPONSE
Telkom
University
 Accountants:
 Help management design effective controls to reduce
inherent risk.
 Evaluate internal control systems to ensure they are
operating effectively.
 Assess and reduce inherent risk using the risk assessment
and response strategy.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
School of Economic and CONTROL ACTIVITIES
Business
Telkom
University
 Generally, control procedures fall into one of the

following categories:
 Proper authorization of transactions and activities
 Segregation of duties
 Project development and acquisition controls
 Change management controls
 Design and use of documents and records
 Safeguard assets, records, and data
 Independent checks on performance

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Segregation of duties
 Good internal control requires that no single employee be
given too much responsibility over business transactions or
processes.
 An employee should not be in a position to commit and
conceal fraud or unintentional errors.
 Segregation of duties is discussed in two sections:
 Segregation of accounting duties
 Segregation of duties within the systems function

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 To learn a little about segregation of duties, let’s

first meet Bill.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Bill is in charge of a pile of the organization’s money

—let’s say $1,000.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$1,000
 Bill also keeps the books for that money.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$1,000
 Bill has a date tonight, and he’s a little desperate to impress

that special someone, so he takes $100 of the cash. (Thinks
he’s only borrowing it, you know.)

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$900
 Bill also records an entry in the books to show that $100 was
spent for some “legitimate” purpose. Now the balance in
the books is $900.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$900
 How will Bill ever get caught at his theft?

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Now let’s change the story. Bill is in charge of the

pile of cash.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$1,000
 But Mary keeps the books.

 This arrangement is a form of segregation of duties.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$1,000
 Bill gets in a pinch again and takes $100 of the

organization’s cash.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$1,000
 How will Bill get caught?

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University

 Effective segregation of accounting duties is achieved when
the following functions are separated:
 Authorization—Approving transactions and decisions.
 Recording—Preparing source documents; maintaining journals,
ledgers, or other files; preparing reconciliations; and preparing
performance reports.
 Custody—Handling cash, maintaining an inventory storeroom,
receiving incoming customer checks, writing checks on the
organization’s bank account.
 If any two of the preceding functions are the responsibility
of one person, then problems can arise.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
CUSTODIAL FUNCTIONS RECORDING FUNCTIONS

• Handling cash • Preparing source
• Handling inventories, tools, documents
or fixed assets • Maintaining journals,
• Writing checks ledgers, or other files
• Receiving checks in mail • Preparing reconciliations
• Preparing performance
reports
AUTHORIZATION
FUNCTIONS
• Authorization of
transactions
Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 In a system that incorporates an effective

separation of duties, it should be difficult for any
single employee to commit embezzlement
successfully.
 But when two or more people collude, then
segregation of duties becomes impotent and
controls are overridden.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$1,000
 If this happens . . .

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
Ledger
$1,000
 Then segregation of duties is out the window.

Collusion overrides segregation.

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Segregation of duties
 Good internal control requires that no single employee be
given too much responsibility over business transactions or
processes.
 An employee should not be in a position to commit and
conceal fraud or unintentional errors.
 Segregation of duties is discussed in two sections:
 Segregation of duties within the systems function

Creating
Systems, 11/e
Romney/Steinbart
Bisnis
Business
Telkom
University
 Authority and responsibility must be divided clearly among the
following functions:
 Systems administration
 Network management
 Security management
 Change management
 Users
 Systems analysts
 Programming
 Computer operations
 Information systems library
 Data control

Creating
Systems, 11/e
Romney/Steinbart

Control and Accounting Information Systems: Creating The Great Business Leaders

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Control and Accounting Information Systems: Creating The Great Business Leaders

Uploaded by

Copyright:

Available Formats

Creating the great business leaders

Control and Accounting Information

© 2008 Prentice Hall Business Publishing 2

 Why AIS threats are increasing

© 2008 Prentice Hall Business Publishing 3

 To use IT in achieving control objectives,

© 2008 Prentice Hall Business Publishing 4

© 2008 Prentice Hall Business Publishing 5

 Internal controls perform three important

• Remedy problems that have occurred by:

© 2008 Prentice Hall Business Publishing 6

 Internal controls are often classified as:

© 2008 Prentice Hall Business Publishing 7

 An effective system of internal controls should exist

© 2008 Prentice Hall Business Publishing 8

 In the late 1990s and early 2000s, a series of multi-

© 2008 Prentice Hall Business Publishing 9

 The intent of SOX is to:

© 2008 Prentice Hall Business Publishing 10

 Important aspects of SOX include:

• They must report specific information to the company’s audit

© 2008 Prentice Hall Business Publishing 11

 Important aspects of SOX include:

• Auditors cannot perform certain non-audit services, such as:

© 2008 Prentice Hall Business Publishing 12

 Important aspects of SOX include:

• Members must be on the company’s board

 A number of frameworks have been

© 2008 Prentice Hall Business Publishing 14

 A number of frameworks have been

© 2008 Prentice Hall Business Publishing 15

© 2008 Prentice Hall Business Publishing 16

 The framework addresses the issue of control from

© 2008 Prentice Hall Business Publishing 18

 The framework addresses the issue of control from

• Broken into four domains:

© 2008 Prentice Hall Business Publishing 19

 COSO’s internal control framework

© 2008 Prentice Hall Business Publishing 20

 In 1992, COSO issued the Internal Control

© 2008 Prentice Hall Business Publishing 21

 COSO’s internal control model has five crucial

• The entire process must be monitored and modified

© 2008 Prentice Hall Business Publishing 22

 ERM defines risk management as:

© 2008 Prentice Hall Business Publishing 23

 Over time, ERM will probably become the most

© 2008 Prentice Hall Business Publishing 24

© 2008 Prentice Hall Business Publishing 25

© 2008 Prentice Hall Business Publishing 26

 Basic principles behind ERM:

• The possibility that something will happen to

 The most critical component of

© 2008 Prentice Hall Business Publishing 28

 The following policies and procedures are

© 2008 Prentice Hall Business Publishing 30

 ERM defines risk management as:

© 2008 Prentice Hall Business Publishing 31

 ERM framework vs. the internal control framework

© 2008 Prentice Hall Business Publishing 32

 Over time, ERM will probably become the most

© 2008 Prentice Hall Business Publishing 33

 The following policies and procedures are