
Control and Accounting Information Systems

Chapter 7

Copyright © 2015 Pearson Education, Inc.


7-1
INTRODUCTION
• Why AIS threats are increasing
▫ There are computers and servers everywhere, and
information is available to an unprecedented
number of workers.
▫ Distributed computer networks make data
available to many users, and these networks are
harder to control than centralized mainframe
systems.
▫ Wide area networks are giving customers and
suppliers access to each other’s systems and data,
making confidentiality a major concern.
▫ Wireless Technology
INTRODUCTION
• Historically, many organizations have not
adequately protected their data due to one or
more of the following reasons:
▫ Computer control problems are often underestimated
and downplayed.
▫ Control implications of moving from centralized, host-
based computer systems to those of a networked
system or Internet-based system are not always fully
understood.
▫ Companies have not realized that data is a strategic
resource and that data security must be a strategic
requirement.
▫ Productivity and cost pressures may motivate
management to forego time-consuming control
measures.
Why Is Control Needed?
• Any potential adverse occurrence or unwanted
event that could be injurious to either the
accounting information system or the
organization is referred to as a threat or an
event.
• The potential dollar loss should a particular
threat become a reality is referred to as the
exposure or impact of the threat.
• The probability that the threat will happen is the
likelihood associated with the threat.
A Primary Objective of an AIS
• Is to control the organization so the organization can achieve its objectives
• Management expects accountants to:
▫ Take a proactive approach to eliminating system threats.
▫ Detect, correct, and recover from threats when they occur.



Internal Controls
• Processes implemented to provide
assurance that the following objectives are
achieved:
▫ Safeguard assets/data
▫ Maintain sufficient records
▫ Provide accurate and reliable information
▫ Prepare financial reports according to
established criteria
▫ Promote and improve operational efficiency
▫ Encourage adherence with management policies
▫ Comply with laws and regulations
Functions of Internal Controls

• Preventive controls
▫ Deter problems from occurring
• Detective controls
▫ Discover problems that are not prevented
• Corrective controls
▫ Identify and correct problems; correct and
recover from the problems



IC Categories
• General
▫ Overall IC system and processes
 IT infrastructure
 Software acquisition
 Systems development
 Maintenance
• Application
▫ Transactions are processed correctly
 Data accurate
 Data complete
 Data valid
 Proper authorizations
Internal Control
• Preventive Control examples
▫ Hire qualified personnel
▫ Segregation of duties
▫ Chart of accounts
▫ Physical access controls
 Assets
 Information
▫ Employee training

Internal Control

• Detective Control examples


▫ Preparing bank reconciliations
▫ Log analysis
▫ Fraud hotline
▫ Prepare monthly trial balance

Internal Control
• Corrective control examples
▫ Back up copies of master and transaction files
▫ Adequate insurance
▫ Resubmission of transactions for subsequent
processing
▫ Correction of data entry errors

Internal Control
• It is much easier to build controls into a system
during the initial stage than to add them after
the fact.
• Management expects accountants to be control
consultants by:
▫ Taking a proactive approach to eliminating system
threats; and
▫ Detecting, correcting, and recovering from threats
when they do occur.
• Consequently, accountants and control experts
should be members of the teams that develop or
modify information systems.
Internal Control
• Internal control is a process because:
▫ It permeates an organization’s operating
activities.
▫ It is an integral part of basic management
activities.
• Internal control provides reasonable,
rather than absolute, assurance, because
complete assurance is difficult or
impossible to achieve and prohibitively
expensive.

Internal Control
• Internal control systems have inherent
limitations, including:
▫ They are susceptible to errors and poor
decisions.
▫ They can be overridden by management or by
collusion of two or more employees.
• Internal control objectives are often at
odds with each other.

FOREIGN CORRUPT PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt
Practices Act, and to the surprise of the profession,
this act incorporated language from an AICPA
pronouncement.
• The primary purpose of the act was to prevent the
bribery of foreign officials to obtain business.
• A significant effect was to require that corporations
maintain good systems of internal accounting control.
▫ Generated significant interest among management, accountants,
and auditors in designing and evaluating internal control
systems.
▫ The resulting internal control improvements weren’t sufficient.
 Enron, WorldCom, Global Crossing, and others

Sarbanes-Oxley (2002)
• Designed to prevent financial statement fraud,
make financial reports more transparent,
protect investors, strengthen internal controls,
and punish executives who perpetrate fraud
▫ Public Company Accounting Oversight Board
(PCAOB)
 Oversight of auditing profession
▫ New Auditing Rules
 Partners must rotate periodically
 Prohibited from performing certain non-audit
services

Sarbanes-Oxley (2002)
▫ New Roles for Audit Committee
 Be part of board of directors and be independent
 One member must be a financial expert
 Oversees external auditors
▫ New Rules for Management
 Financial statements and disclosures are fairly
presented, were reviewed by management, and are not
misleading.
 The auditors were told about all material internal
control weaknesses and fraud.
▫ New Internal Control Requirements
 Management is responsible for establishing and
maintaining an adequate internal control system.

SEC Mandate After SOX
• Base the evaluation of internal control on a recognized framework.
• Disclose all material internal control weaknesses.
• Conclude that a company does not have effective internal control over financial reporting if one or more material weaknesses exist.

Control Frameworks
• COBIT
▫ Framework for IT control
• COSO
▫ Framework for enterprise internal controls
(control-based approach)
• COSO-ERM
▫ Expands COSO framework taking a risk-based
approach



COBIT5 Separates Governance from Management



Components of COSO Frameworks
COSO (five components):
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO-ERM (eight components):
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Internal Environment
• Management’s philosophy, operating style, and
risk appetite
• Commitment to integrity, ethical values, and
competence
• Internal control oversight by Board of Directors
• Organizational structure
• Methods of assigning authority and
responsibility
• Human resource standards
• External Influences
INTERNAL ENVIRONMENT
▫ Management's philosophy, operating style, and
risk appetite can be assessed by asking questions
such as:
 Does management take undue business risks
or assess potential risks and rewards before
acting?
 Does management attempt to manipulate
performance measures such as net income?
 Does management pressure employees to
achieve results regardless of methods or do
they demand ethical behavior?
INTERNAL ENVIRONMENT
• Commitment to integrity, ethical values,
and competence
▫ Management must create an organizational
culture that stresses integrity and commitment
to both ethical values and competence.
 Ethical standards of behavior make for good
business.
 Tone at the top is everything.
 Employees will watch the actions of the
CEO, and the message of those actions
(good or bad) will tend to permeate the
organization.
INTERNAL ENVIRONMENT
• The board of directors
▫ An active and involved board of directors plays an
important role in internal control.
▫ They should:
 Oversee management
 Scrutinize management’s plans, performance, and activities
 Approve company strategy
 Review financial results
 Annually review the company’s security policy
 Interact with internal and external auditors
▫ At least a majority should be independent, outside
directors not affiliated with the company or any of its
subsidiaries

INTERNAL ENVIRONMENT
• Organizational structure
▫ A company’s organizational structure defines its lines
of authority, responsibility, and reporting.
 Provides the overall framework for planning,
directing, executing, controlling, and monitoring its
operations.
▫ Statistically, fraud occurs more frequently in
organizations with complex structures.
 The structures may unintentionally impede communication
and clear assignment of responsibility, making fraud easier to
commit and conceal; or
 The structure may be intentionally complex to facilitate the
fraud

INTERNAL ENVIRONMENT
• Methods of assigning authority and
responsibility
▫ Management should make sure:
 Employees understand the entity’s objectives.
 Authority and responsibility for business objectives is
assigned to specific departments and individuals.
▫ Ownership of responsibility encourages employees
to take initiative in solving problems and holds
them accountable for achieving objectives.
▫ Management:
 Must be sure to identify who is responsible for the IS
security policy.
 Should monitor results so decisions can be reviewed and,
if necessary, overruled.
INTERNAL ENVIRONMENT
• Human resources standards
▫ Employees are both the company’s greatest control
strength and the greatest control weakness.
▫ Organizations can implement human resource policies
and practices with respect to hiring, training,
compensating, evaluating, counseling, promoting, and
discharging employees that send messages about the
level of competence and ethical behavior required.
▫ Policies on working conditions, incentives, and career
advancement can powerfully encourage efficiency and
loyalty and reduce the organization’s vulnerability.

INTERNAL ENVIRONMENT
• The following HR policies and procedures
are important:
▫ Hiring
▫ Compensating
▫ Training
▫ Evaluating and promoting
▫ Discharging
▫ Managing disgruntled employees
▫ Vacations and rotation of duties
▫ Confidentiality agreements and fidelity bond insurance
INTERNAL ENVIRONMENT
• External influences
▫ External influences that affect the control
environment include requirements imposed
by:
 FASB
 PCAOB
 SEC
 Insurance commissions
 Regulatory agencies for banks, utilities, etc.

Objective Setting
• Strategic objectives
▫ High-level goals
• Operations objectives
▫ Effectiveness and efficiency of operations
• Reporting objectives
▫ Improve decision making and monitor
performance
• Compliance objectives
▫ Compliance with applicable laws and regulations



Event Identification
Identifying incidents, both external and internal to
the organization, that could affect the achievement
of the organization's objectives.
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate potential loss if event occurs

Types of risk
• Inherent
▫ Risk that exists before plans are made to control it
• Residual
▫ Risk that is left over after you control it



Risk Response
• Reduce
▫ Implement effective internal control
• Accept
▫ Do nothing, accept likelihood and impact of
risk
• Share
▫ Buy insurance, outsource, or hedge
• Avoid
▫ Do not engage in the activity



Event/Risk/Response Model
• Event identification
▫ The first step in risk assessment and response strategy is event identification.

Event/Risk/Response Model
• Estimate likelihood and impact
▫ Expected loss = Impact × Likelihood
▫ Some events pose more risk because they are more probable than others.
▫ Some events pose more risk because their dollar impact would be more significant.
▫ Likelihood and impact must be considered together: if either increases, the materiality of the event and the need to protect against it rises.

Event/Risk/Response Model
• Identify controls
▫ Management must identify one or more controls that will protect the company from each event.
▫ In evaluating the benefits of each control procedure, consider effectiveness and timing.

Event/Risk/Response Model
• All other factors equal:
▫ A preventive control is better than a detective one.
▫ However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
▫ Consequently, the three complement each other, and a good internal control system should have all three.
Event/Risk/Response Model
• Estimate costs and benefits
▫ It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
▫ Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.

Event/Risk/Response Model
• The benefits of an internal control procedure must exceed its costs.
• Benefits can be hard to quantify, but include:
▫ Increased sales and productivity
▫ Reduced losses
▫ Better integration with customers and suppliers
▫ Increased customer loyalty
▫ Competitive advantages
▫ Lower insurance premiums

Event/Risk/Response Model
• Costs are usually easier to measure than benefits.
• The primary cost is personnel, including:
▫ Time to perform control procedures
▫ Costs of hiring additional employees to effectively segregate duties
▫ Costs of programming controls into a system

Event/Risk/Response Model
• Determine cost-benefit effectiveness
▫ After estimating benefits and costs, management determines whether the control is cost beneficial, i.e., is the cost of implementing the control procedure less than the reduction in expected loss that the control would produce?

RISK ASSESSMENT AND RISK RESPONSE
• Implement the control or avoid, share, or accept the risk
▫ When controls are cost effective, they should be implemented so risk can be reduced.

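The event/risk/response procedure on the preceding slides (identify events, estimate likelihood and impact, identify controls, estimate costs and benefits, test cost-benefit effectiveness, then reduce, share, accept, or avoid) carried through in code. This is an added example and not material from the textbook: the threats, dollar figures, control costs, insurance premium, and the risk-appetite threshold are constructed for illustration, and the ordering of the share/accept/avoid decision is an assumption layered on the slides' definitions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # personnel time, extra staff, programming (the slides' cost side)
    likelihood_after: float   # residual likelihood once the control is in place
    impact_after: float       # residual dollar impact once the control is in place


@dataclass(frozen=True)
class Threat:
    event: str
    likelihood: float                         # probability of the event per year, 0..1
    impact: float                             # dollar loss if the event occurs
    controls: tuple = ()                      # candidate controls for a "reduce" response
    insurance_premium: Optional[float] = None  # annual premium if the risk can be shared


def expected_loss(likelihood: float, impact: float) -> float:
    """Expected loss = impact x likelihood. Called on the raw threat this is the
    inherent risk; called on a control's post-implementation figures it is residual risk."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood {likelihood} is not a probability")
    return impact * likelihood


def net_benefit(threat: Threat, control: Control) -> float:
    """A control's benefit is the reduction in expected loss; net it against its cost."""
    inherent = expected_loss(threat.likelihood, threat.impact)
    residual = expected_loss(control.likelihood_after, control.impact_after)
    return (inherent - residual) - control.annual_cost


def choose_response(threat: Threat, risk_appetite: float) -> tuple[str, str, float]:
    """Return (response, detail, annual exposure after the response).

    Decision rule (an assumption made for this example, not stated on the slides):
      reduce - some control has positive net benefit: implement the best one
      share  - else an insurance premium is cheaper than the expected loss
      accept - else the expected loss is within the risk appetite
      avoid  - otherwise, do not engage in the activity
    Insurance is assumed to cover the full loss, so exposure after sharing is the premium.
    """
    inherent = expected_loss(threat.likelihood, threat.impact)
    candidates = [(net_benefit(threat, c), c) for c in threat.controls]
    if candidates:
        best_gain, best = max(candidates, key=lambda pair: pair[0])
        if best_gain > 0:
            residual = expected_loss(best.likelihood_after, best.impact_after)
            return "reduce", best.name, residual + best.annual_cost
    if threat.insurance_premium is not None and threat.insurance_premium < inherent:
        return "share", "insurance", threat.insurance_premium
    if inherent <= risk_appetite:
        return "accept", "within risk appetite", inherent
    return "avoid", "exposure exceeds risk appetite", 0.0


# Constructed event register for a small AIS; every figure is illustrative.
THREATS = (
    Threat("Ransomware on the AIS file server", 0.10, 500_000,
           controls=(Control("Offline backups with restore drills", 12_000, 0.10, 60_000),
                     Control("Application allowlisting on the server", 41_000, 0.02, 500_000))),
    Threat("Fraudulent vendor payment by the AP clerk", 0.05, 80_000,
           controls=(Control("Second clerk to segregate duties", 45_000, 0.005, 80_000),),
           insurance_premium=3_000),
    Threat("Lost laptop holding a ledger extract", 0.30, 2_000),
    Threat("Unhedged speculative treasury trading", 0.20, 300_000),
)


def risk_plan(threats=THREATS, risk_appetite: float = 5_000) -> dict:
    """Map each event to the cost-beneficial response."""
    return {t.event: choose_response(t, risk_appetite) for t in threats}


if __name__ == "__main__":
    for event, (response, detail, exposure) in risk_plan().items():
        print(f"{response:7s} {exposure:>10,.0f}/yr  {event}  ({detail})")
```

Note that allowlisting fails the test not because it is ineffective but because its cost exceeds the reduction in expected loss it buys, which is exactly the slides' point that foolproof protection is cost-prohibitive; the backup control is accepted even though it leaves the likelihood unchanged, because it cuts the impact.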
Control Activities
• Proper authorization of transactions and
activities
• Segregation of duties
• Project development and acquisition
controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance
CONTROL ACTIVITIES
• Proper authorization of transactions
and activities
▫ Management lacks the time and resources
to supervise each employee activity and
decision.
▫ Consequently, they establish policies and
empower employees to perform activities
within policy.
▫ This empowerment is called
authorization and is an important part
of an organization’s control procedures.
CONTROL ACTIVITIES
• Authorizations are often documented by signing,
initialing, or entering an authorization code.
• Computer systems can record digital
signatures as a means of signing a document.
• Employees who process transactions should
verify the presence of the appropriate
authorizations.
• Auditors review transactions for proper
authorization, as their absence indicates a
possible control problem.



CONTROL ACTIVITIES
• Typically at least two levels of authorization:
▫ General authorization
 Management authorizes employees to handle routine
transactions without special approval.
▫ Specific authorization
 For activities or transactions that are of significant
consequences, management review and approval is required.
 Might apply to sales, capital expenditures, or
write-offs over a particular dollar limit.
• Management should have written policies for
both types of authorization and for all types of
transactions.



CONTROL ACTIVITIES
• Segregation of Accounting Duties
• No one employee should be given too much
responsibility
• Separate:
▫ Authorization
 Approving transactions and decisions
▫ Recording
 Preparing source documents
 Entering data into an AIS
 Maintaining accounting records
▫ Custody
 Handling cash, inventory, fixed assets
 Receiving incoming checks
 Writing checks
Segregation of System Duties
• As with accounting duties, system duties should
also be separated.
• These duties include:
▫ System administration
▫ Network management
▫ Security management
▫ Change management
▫ Users
▫ Systems analysts
▫ Programmers
▫ Computer operators
▫ Information system librarian
▫ Data control
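The two segregation lists above (the accounting duties of authorization, recording, and custody, and the list of system duties), together with the general and specific authorization levels described earlier, turned into a check that an auditor or identity engineer could run over role assignments and a batch of transactions. This is an added example, not material from the textbook or any product: the employee names, role assignments, transactions, the dollar limits in SPECIFIC_AUTH_LIMITS, and the particular system-duty pairs treated as conflicting are all assumptions made here for illustration (the slides list the system duties but do not say which pairs conflict).

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# The three accounting duties the slides say must be separated. Any two of them
# held by one person over the same transaction stream is a conflict.
ACCOUNTING_DUTIES = frozenset({"authorization", "recording", "custody"})

# System duties from the slides. Which pairs conflict is not stated there; these
# pairings are assumptions chosen for this example.
SYSTEM_DUTY_CONFLICTS = {
    frozenset({"programmer", "computer operator"}),                    # write code and run it unreviewed
    frozenset({"programmer", "change management"}),                    # approve one's own changes
    frozenset({"system administration", "security management"}),      # alter audit settings unchecked
    frozenset({"user", "programmer"}),                                 # change the application one transacts in
    frozenset({"computer operator", "information system librarian"}),  # run jobs and control the media
}


def role_conflicts(assignments: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """List (employee, duty_a, duty_b) for each conflicting pair one person holds."""
    findings = []
    for employee, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            pair = frozenset({a, b})
            if pair <= ACCOUNTING_DUTIES or pair in SYSTEM_DUTY_CONFLICTS:
                findings.append((employee, a, b))
    return findings


# Written authorization policy (assumed limits): at or below the limit a transaction is
# covered by general authorization; above it, specific management approval is required.
SPECIFIC_AUTH_LIMITS = {"sale": 50_000, "capital_expenditure": 10_000, "write_off": 1_000}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    kind: str
    amount: float
    recorded_by: str
    approved_by: Optional[str] = None   # None when no authorization was entered


def check_transaction(txn: Transaction, assignments: dict[str, set[str]]) -> list[str]:
    """Verify the authorization a transaction carries, as the employee processing it should."""
    limit = SPECIFIC_AUTH_LIMITS.get(txn.kind)
    if limit is None:
        return [f"{txn.txn_id}: no written authorization policy covers '{txn.kind}'"]
    if txn.amount <= limit:
        return []   # routine transaction: general authorization applies
    if txn.approved_by is None:
        return [f"{txn.txn_id}: {txn.kind} of {txn.amount:,.0f} exceeds {limit:,.0f} "
                f"but carries no specific authorization"]
    problems = []
    if "authorization" not in assignments.get(txn.approved_by, set()):
        problems.append(f"{txn.txn_id}: approver {txn.approved_by} holds no authorization duty")
    if txn.approved_by == txn.recorded_by:
        problems.append(f"{txn.txn_id}: {txn.recorded_by} both recorded and approved it")
    return problems


# Constructed assignments and transactions for the example.
ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"recording", "custody"},               # accounting-duty conflict
    "carol": {"programmer", "computer operator"},  # system-duty conflict
    "dave": {"recording"},
    "erin": {"security management"},
}
TRANSACTIONS = (
    Transaction("T1", "sale", 20_000, recorded_by="dave"),
    Transaction("T2", "capital_expenditure", 25_000, recorded_by="dave", approved_by="alice"),
    Transaction("T3", "write_off", 5_000, recorded_by="dave"),
    Transaction("T4", "write_off", 5_000, recorded_by="dave", approved_by="dave"),
    Transaction("T5", "refund", 100, recorded_by="dave"),
)


def audit(assignments=ASSIGNMENTS, transactions=TRANSACTIONS) -> dict:
    """Run both checks: role-level conflicts and transaction-level authorization."""
    return {
        "role_conflicts": role_conflicts(assignments),
        "transaction_problems": [p for t in transactions for p in check_transaction(t, assignments)],
    }


if __name__ == "__main__":
    result = audit()
    for employee, a, b in result["role_conflicts"]:
        print(f"conflict: {employee} holds both '{a}' and '{b}'")
    for problem in result["transaction_problems"]:
        print(f"authorization: {problem}")
```

T4 illustrates why the two checks belong together: the transaction carries an approval, so a presence-only check passes it, but the approver holds no authorization duty and is also the recorder, which is the combination that lets one person both commit and conceal.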
CONTROL ACTIVITIES
• Project development and acquisition
controls
▫ It’s important to have a formal, appropriate, and proven
methodology to govern the development,
acquisition, implementation, and maintenance
of information systems and related technologies.
 Should contain appropriate controls for:
 Management review and approval
 Strategic Master Plan (yearly reviews and updates)
 Project development plan
▫ Tasks to be performed
▫ Project manager
 Data processing schedule
 Performance measures
 Testing
 Implementation
▫ Conversion
 Post implementation review
CONTROL ACTIVITIES
• Change management controls
▫ Organizations constantly modify their
information systems to reflect new business
practices and take advantage of information
technology advances.
▫ Change management is the process of making
sure that the changes do not negatively affect:
 Systems reliability
 Security
 Confidentiality
 Integrity
 Availability
CONTROL ACTIVITIES
• Design and use of adequate documents
and records
▫ Proper design and use of documents and records helps
ensure accurate and complete recording of all relevant
transaction data.
▫ Form and content should be kept as simple as possible
to:
 Promote efficient record keeping
 Minimize recording errors
 Facilitate review and verification
▫ Documents that initiate a transaction should contain a
space for authorization.
▫ Those used to transfer assets should have a space for
the receiving party’s signature.

CONTROL ACTIVITIES
• Documents should be sequentially pre-
numbered:
▫ To reduce likelihood that they would be used
fraudulently.
▫ To help ensure that all valid transactions are
recorded.
• A good audit trail facilitates:
▫ Tracing individual transactions through the
system.
▫ Correcting errors.
▫ Verifying system output.
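A detective check built on the two points above (sequentially pre-numbered documents and a traceable audit trail): given the document numbers recorded in a period and the voided forms retained on file, find gaps, duplicates, and voided forms that were nonetheless posted. This is an added example, not from the textbook; the INV-nnnn numbering format, the sample invoice list, and the prefix and expected_first parameters are constructed assumptions.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Assumed document-number format, e.g. "INV-1004": an upper-case series prefix and a number.
DOC_NUMBER = re.compile(r"^(?P<prefix>[A-Z]+)-(?P<num>\d+)$")


def parse_numbers(doc_numbers: Iterable[str], expected_prefix: str) -> list[int]:
    """Parse document numbers, rejecting anything outside the expected series."""
    nums = []
    for raw in doc_numbers:
        m = DOC_NUMBER.match(raw.strip())
        if m is None or m.group("prefix") != expected_prefix:
            raise ValueError(f"{raw!r} is not a {expected_prefix} document number")
        nums.append(int(m.group("num")))
    return nums


def audit_sequence(recorded: Iterable[str], voided: Iterable[str] = (), *, prefix: str,
                   expected_first: Optional[int] = None) -> dict:
    """Check a batch of pre-numbered documents.

    Every number from the first to the last must be accounted for exactly once, either
    as a recorded transaction or as a retained voided form. Findings:
      gaps                - no document for the number: a missing form or an unrecorded transaction
      duplicates          - a number recorded more than once: reuse of a form, or double posting
      voided_but_recorded - a voided form that still produced a transaction
    expected_first lets the caller supply the first number issued in the period, so a gap
    at the start of the batch is not hidden by taking the minimum of what was recorded.
    """
    rec = Counter(parse_numbers(recorded, prefix))
    void = set(parse_numbers(voided, prefix))
    seen = set(rec) | void
    if not seen:
        return {"range": None, "gaps": [], "duplicates": [], "voided_but_recorded": []}
    first = min(seen) if expected_first is None else expected_first
    last = max(seen)
    return {
        "range": (first, last),
        "gaps": [n for n in range(first, last + 1) if n not in seen],
        "duplicates": sorted(n for n, count in rec.items() if count > 1),
        "voided_but_recorded": sorted(void & set(rec)),
    }


# Constructed sample: one day's sales invoices and the voided forms kept on file.
RECORDED = ["INV-1001", "INV-1002", "INV-1004", "INV-1004", "INV-1005", "INV-1007"]
VOIDED = ["INV-1003", "INV-1005"]


if __name__ == "__main__":
    result = audit_sequence(RECORDED, VOIDED, prefix="INV", expected_first=1001)
    print(f"range checked: {result['range']}")
    print(f"gaps (unrecorded or missing forms): {result['gaps']}")
    print(f"duplicates (reused numbers): {result['duplicates']}")
    print(f"voided forms that were still posted: {result['voided_but_recorded']}")
```

Each finding maps back to the audit trail the slides describe: a gap is traced by pulling the physical form or asking who held the book, a duplicate by comparing the two postings, and a voided-but-recorded number by checking who authorized the void.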
CONTROL ACTIVITIES
• Safeguard assets, records, and data
▫ When people consider safeguarding assets,
they most often think of cash and physical
assets, such as inventory and equipment.
▫ Another company asset that needs to be
protected is data.

CONTROL ACTIVITIES
• The following independent checks on
performance are typically used:
▫ Top-level reviews
▫ Analytical reviews
▫ Reconciliation of independently maintained
sets of records
▫ Comparison of actual quantities with recorded
amounts
▫ Double-entry accounting
▫ Independent review



Information and Communication
• Primary purpose of an AIS
▫ Gather
▫ Record
▫ Process
▫ Summarize
▫ Communicate

Monitoring
• Perform internal control evaluations (e.g., internal
audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal,
network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline
