1 / 55

HAPTER 6

HAPTER 6. Control and Accounting Information Systems. INTRODUCTION. Why AIS threats are increasing Control risks have increased in the last few years because: There are computers and servers everywhere, and information is available to an unprecedented number of workers.

fiona
Download Presentation

HAPTER 6

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HAPTER 6 Control and Accounting Information Systems

  2. INTRODUCTION • Why AIS threats are increasing • Control risks have increased in the last few years because: • There are computers and servers everywhere, and information is available to an unprecedented number of workers. • Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems. • Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.

  3. INTRODUCTION • Historically, many organizations have not adequately protected their data due to one or more of the following reasons: • Computer control problems are often underestimated and downplayed. • Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood. • Companies have not realized that data is a strategic resource and that data security must be a strategic requirement. • Productivity and cost pressures may motivate management to forego time-consuming control measures.

  4. INTRODUCTION • Some vocabulary terms for this chapter: • A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization. • The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality. • The likelihood is the probability that the threat will occur.

  5. INTRODUCTION • Control and security are important • Companies are now recognizing the problems and taking positive steps to achieve better control, including: • Devoting full-time staff to security and control concerns. • Educating employees about control measures. • Establishing and enforcing formal information security policies. • Making controls a part of the applications development process. • Moving sensitive data to more secure environments.

  6. INTRODUCTION • To use IT in achieving control objectives, accountants must: • Understand how to protect systems from threats. • Have a good understanding of IT and its capabilities and risks. • Achieving adequate security and control over the information resources of an organization should be a top management priority.

  7. INTRODUCTION • Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because: • Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files. • Segregation of duties must be achieved differently in an AIS. • Computers provide opportunities for enhancement of some internal controls.

  8. INTRODUCTION • One of the primary objectives of an AIS is to control a business organization. • Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness. • Management expects accountants to be control consultants by: • Taking a proactive approach to eliminating system threats; and • Detecting, correcting, and recovering from threats when they do occur.

  9. INTRODUCTION • It is much easier to build controls into a system during the initial stage than to add them after the fact. • Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

  10. OVERVIEW OF CONTROL CONCEPTS • In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to: • Hire creative and innovative employees. • Give these employees power and flexibility to: • Satisfy changing customer demands; • Pursue new opportunities to add value to the organization; and • Implement process improvements. • At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.

  11. OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.

  12. OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets.

  13. OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets. • Accurate and reliable information is provided.

  14. OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets. • Accurate and reliable information is provided. • There is reasonable assurance that financial reports are prepared in accordance with GAAP.

  15. OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets. • Accurate and reliable information is provided. • There is reasonable assurance that financial reports are prepared in accordance with GAAP. • Operational efficiency is promoted and improved. • This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.

  16. OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets. • Accurate and reliable information is provided. • There is reasonable assurance that financial reports are prepared in accordance with GAAP. • Operational efficiency is promoted and improved. • Adherence to prescribed managerial policies is encouraged.

  17. OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets. • Accurate and reliable information is provided. • There is reasonable assurance that financial reports are prepared in accordance with GAAP. • Operational efficiency is promoted and improved. • Adherence to prescribed managerial policies is encouraged. • The organization complies with applicable laws and regulations.

  18. OVERVIEW OF CONTROL CONCEPTS • Internal control is a process because: • It permeates an organization’s operating activities. • It is an integral part of basic management activities. • Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

  19. OVERVIEW OF CONTROL CONCEPTS • Internal control systems have inherent limitations, including: • They are susceptible to errors and poor decisions. • They can be overridden by management or by collusion of two or more employees. • Internal control objectives are often at odds with each other. • EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

  20. OVERVIEW OF CONTROL CONCEPTS • Internal controls perform three important functions: • Preventive controls • Deter problems before they arise.

  21. OVERVIEW OF CONTROL CONCEPTS • Internal controls perform three important functions: • Preventive controls • Detective controls • Discover problems quickly when they do arise.

  22. OVERVIEW OF CONTROL CONCEPTS • Internal controls perform three important functions: • Preventive controls • Detective controls • Corrective controls • Remedy problems that have occurred by: • Identifying the cause; • Correcting the resulting errors; and • Modifying the system to prevent future problems of this sort.

  23. OVERVIEW OF CONTROL CONCEPTS • Internal controls are often classified as: • General controls • Those designed to make sure an organization’s control environment is stable and well managed. • They apply to all sizes and types of systems. • Examples: Security management controls.

  24. OVERVIEW OF CONTROL CONCEPTS • Internal controls are often classified as: • General controls • Application controls • Prevent, detect, and correct transaction errors and fraud. • Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

  25. OVERVIEW OF CONTROL CONCEPTS • An effective system of internal controls should exist in all organizations to: • Help them achieve their missions and goals. • Minimize surprises.

  26. SOX AND THE FOREIGN CORRUPT PRACTICES ACT • In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement. • The primary purpose of the act was to prevent the bribery of foreign officials to obtain business. • A significant effect was to require that corporations maintain good systems of internal accounting control. • Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems. • The resulting internal control improvements weren’t sufficient.

  27. SOX AND THE FOREIGN CORRUPT PRACTICES ACT • In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines. • The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Actof 2002 (aka, SOX). • Applies to publicly held companies and their auditors.

  28. SOX AND THE FOREIGN CORRUPT PRACTICES ACT • The intent of SOX is to: • Prevent financial statement fraud • Make financial reports more transparent • Protect investors • Strengthen internal controls in publicly-held companies • Punish executives who perpetrate fraud • SOX has had a material impact on the way boards of directors, management, and accountants operate.

  29. CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: • The COBIT framework • The COSO internal control framework • COSO’s Enterprise Risk Management framework (ERM)

  30. CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: • The COBIT framework • The COSO internal control framework • COSO’s Enterprise Risk Management framework (ERM)

  31. CONTROL FRAMEWORKS • COBIT framework • Also know as the Control Objectives for Information and Related Technology framework. • Developed by the Information Systems Audit and Control Foundation (ISACF). • A framework of generally applicable information systems security and control practices for IT control.

  32. CONTROL FRAMEWORKS • The COBIT framework allows: • Management to benchmark security and control practices of IT environments. • Users of IT services to be assured that adequate security and control exists. • Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

  33. CONTROL FRAMEWORKS • To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.” • The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives: • Effectiveness (relevant, pertinent, and timely) • Efficiency • Confidentiality • Integrity • Availability • Compliance with legal requirements • Reliability • The framework addresses the issue of control from three vantage points or dimensions: • Business objectives

  34. CONTROL FRAMEWORKS • The framework addresses the issue of control from three vantage points or dimensions: • Business objectives • IT resources • Includes: • People • Application systems • Technology • Facilities • Data

  35. CONTROL FRAMEWORKS • The framework addresses the issue of control from three vantage points or dimensions: • Business objectives • IT resources • IT processes • Broken into four domains: • Planning and organization • Acquisition and implementation • Delivery and support • Monitoring

  36. CONTROL FRAMEWORKS • COBIT consolidates standards from 36 different sources into a single framework. • It is having a big impact on the IS profession. • Helps managers to learn how to balance risk and control investment in an IS environment. • Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate. • Guides auditors as they substantiate their opinions and provide advice to management on internal controls.

  37. CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: • The COBIT framework • The COSO internal control framework • COSO’s Enterprise Risk Management framework (ERM)

  38. CONTROL FRAMEWORKS • COSO’s internal control framework • The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of: • The American Accounting Association • The AICPA • The Institute of Internal Auditors • The Institute of Management Accountants • The Financial Executives Institute

  39. CONTROL FRAMEWORKS • In 1992, COSO issued the Internal Control Integrated Framework: • Defines internal controls. • Provides guidance for evaluating and enhancing internal control systems. • Widely accepted as the authority on internal controls. • Incorporated into policies, rules, and regulations used to control business activities.

  40. CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: • Control environment • The core of any business is its people. • Their integrity, ethical values, and competence make up the foundation on which everything else rests.

  41. CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: • Control environment • Control activities • Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.

  42. CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: • Control environment • Control activities • Risk assessment • The organization must be aware of and deal with the risks it faces. • It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.

  43. CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: • Control environment • Control activities • Risk assessment • Information and communication • Information and communications systems surround the control activities. • They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.

  44. CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: • Control environment • Control activities • Risk assessment • Information and communication • Monitoring • The entire process must be monitored and modified as necessary.

  45. CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: • The COBIT framework • The COSO internal control framework • COSO’s Enterprise Risk Management framework (ERM)

  46. CONTROL FRAMEWORKS • Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. • Result: Enterprise Risk Manage Integrated Framework (ERM) • An enhanced corporate governance document. • Expands on elements of preceding framework. • Provides a focus on the broader subject of enterprise risk management.

  47. CONTROL FRAMEWORKS • Intent of ERM is to achieve all goals of the internal control framework and help the organization: • Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized. • Achieve its financial and performance targets. • Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk. • Avoid adverse publicity and damage to the entity’s reputation.

  48. CONTROL FRAMEWORKS • ERM defines risk management as: • A process effected by an entity’s board of directors, management, and other personnel. • Applied in strategy setting and across the enterprise. • To identify potential events that may affect the entity. • And manage risk to be within its risk appetite. • In order to provide reasonable assurance of the achievement of entity objectives.

  49. CONTROL FRAMEWORKS • Basic principles behind ERM: • Companies are formed to create value for owners. • Management must decide how much uncertainty they will accept. • Uncertainty can result in: • Risk • The possibility that something will happen to: • Adversely affect the ability to create value; or • Erode existing value.

  50. CONTROL FRAMEWORKS • Basic principles behind ERM: • Companies are formed to create value for owners. • Management must decide how much uncertainty they will accept. • Uncertainty can result in: • Risk • Opportunity • The possibility that something will happen to positively affect the ability to create or preserve value.

More Related