
Control and Accounting Information Systems

Chapter 7

7-1
Learning Objectives
• Explain basic control concepts and why computer control and security are important.

• Compare and contrast the COBIT, COSO, and ERM control frameworks.

• Describe the major elements in the internal environment of a company.

• Describe the four types of control objectives that companies need to set.

• Describe the events that affect uncertainty and the techniques used to identify them.

• Explain how to assess and respond to risk using the Enterprise Risk Management model.

• Describe control activities commonly used in companies.

• Describe how to communicate information and monitor control processes in organizations.

7-2
Why Is Control Needed?
• Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.

• The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.

• The probability that the threat will happen is the likelihood associated with the threat.

7-3
A Primary Objective of an AIS
• Is to control the organization so the organization can achieve its objectives

• Management expects accountants to:
▫ Take a proactive approach to eliminating system threats.
▫ Detect, correct, and recover from threats when they occur.

7-4
Internal Controls
Processes implemented to provide assurance that the
following objectives are achieved:
• Safeguard assets
• Maintain sufficient records
• Provide accurate and reliable information
• Prepare financial reports according to established criteria
• Promote and improve operational efficiency
• Encourage adherence with management policies
• Comply with laws and regulations

7-5
Functions of Internal Controls
Preventive controls
▫ Deter problems from occurring
Detective controls
▫ Discover problems that are not prevented
Corrective controls
▫ Identify and correct problems; correct and recover from the problems

7-6
Control Frameworks
COBIT
▫ Framework for IT control
COSO
▫ Framework for enterprise internal controls (control-based approach)
COSO-ERM
▫ Expands COSO framework taking a risk-based approach

7-7
COBIT Framework
Current framework version is COBIT5
Based on the following principles:
• Meeting stakeholder needs
• Covering the enterprise end-to-end
• Applying a single, integrated framework
• Enabling a holistic approach
• Separating governance from management

7-8
COBIT5 Separates Governance from Management

7-9
Components of COSO Frameworks
COSO
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring

COSO-ERM
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

7-10
Internal Environment
Management’s philosophy, operating style, and risk
appetite
Commitment to integrity, ethical values, and
competence
Internal control oversight by Board of Directors
Organizing structure
Methods of assigning authority and responsibility
Human resource standards

7-11
Objective Setting
Strategic objectives
▫ High-level goals
Operations objectives
▫ Effectiveness and efficiency of operations
Reporting objectives
▫ Improve decision making and monitor performance
Compliance objectives
▫ Compliance with applicable laws and regulations

7-12
Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?

7-13
Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate potential loss if event occurs

Types of risk
• Inherent
▫ Risk that exists before plans are made to control it
• Residual
▫ Risk that is left over after you control it
7-14
Risk Response
Reduce
▫ Implement effective internal control
Accept
▫ Do nothing, accept likelihood and impact of risk
Share
▫ Buy insurance, outsource, or hedge
Avoid
▫ Do not engage in the activity
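As an added example (not part of the slides), the two risk perspectives and the inherent/residual distinction from slide 7-14 are worked through in Python, together with a simple cost-benefit test for choosing between the Reduce and Accept responses of slide 7-15. The threat name, dollar figures and the decision rule (reduce if the control's reduction in expected loss exceeds its cost) are constructed assumptions.

```python
"""Worked risk assessment: expected loss, inherent vs. residual risk, and
whether a proposed control is worth its cost. All figures are constructed
sample values; the cost-benefit rule is an assumption beyond the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A threat scored on the two slide perspectives: likelihood and impact."""
    name: str
    likelihood: float  # probability the event occurs within a year (0..1)
    impact: float      # exposure: dollar loss if the event does occur

    def expected_loss(self) -> float:
        # Expected (annualised) loss = likelihood x impact.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    """A proposed control and its effect on the risk it addresses."""
    name: str
    annual_cost: float
    likelihood_after: float  # likelihood once the control is in place
    impact_after: float      # impact once the control is in place


def residual_risk(inherent: Risk, control: Control) -> Risk:
    """Residual risk is what is left over after the control is applied."""
    return Risk(inherent.name, control.likelihood_after, control.impact_after)


def net_benefit(inherent: Risk, control: Control) -> float:
    """Reduction in expected loss minus the control's cost (positive = worth it)."""
    reduction = inherent.expected_loss() - residual_risk(inherent, control).expected_loss()
    return reduction - control.annual_cost


def recommend(inherent: Risk, control: Control) -> str:
    """Map the cost-benefit result onto the slide's risk responses (assumed rule)."""
    return "Reduce" if net_benefit(inherent, control) > 0 else "Accept"


# Constructed example: unauthorised change to payroll master data.
PAYROLL = Risk("Unauthorised payroll change", likelihood=0.25, impact=120_000)
APPROVAL = Control("Dual approval plus change log", annual_cost=12_000,
                   likelihood_after=0.125, impact_after=16_000)

if __name__ == "__main__":
    print(f"Inherent expected loss: {PAYROLL.expected_loss():,.0f}")
    print(f"Residual expected loss: {residual_risk(PAYROLL, APPROVAL).expected_loss():,.0f}")
    print(f"Net benefit: {net_benefit(PAYROLL, APPROVAL):,.0f} -> {recommend(PAYROLL, APPROVAL)}")
```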

7-15
Control Activities
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance

7-16
Segregation of Duties

7-17
Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline
7-18
Key Terms
Threat or Event
Exposure or impact
Likelihood
Internal controls
Preventive controls
Detective controls
Corrective controls
General controls
Application controls
Belief system
Boundary system
Diagnostic control system
Interactive control system
Audit committee
Foreign Corrupt Practices Act (FCPA)
Sarbanes-Oxley Act (SOX)
Public Company Accounting Oversight Board (PCAOB)
Control Objectives for Information and Related Technology (COBIT)
Committee of Sponsoring Organizations (COSO)
Internal control-integrated framework (IC)
Enterprise Risk Management Integrated Framework (ERM)
Internal environment
7-19
Key Terms (continued)
Risk appetite
Policy and procedures manual
Background check
Strategic objectives
Operations objectives
Reporting objectives
Compliance objectives
Event
Inherent risk
Residual risk
Expected loss
Control activities
Authorization
Digital signature
Specific authorization
General authorization
Segregation of accounting duties
Collusion
Segregation of systems duties
Systems administrator
Network manager
Security management
Change management
Users
Systems analysts
Programmers
Computer operators
Information system library
7-20
Key Terms (continued)
Postimplementation review
Data control group
Systems integrator
Steering committee
Analytical review
Strategic master plan
Audit trail
Project development plan
Project milestones
Data processing schedule
System performance measurements
Throughput
Utilization
Response time
Computer security officer (CSO)
Chief compliance officer (CCO)
Forensic investigators
Computer forensics specialists
Neural networks
Fraud hotline
7-21
