Control and accounting information systems
Chapter 6: Control and Accounting Information Systems

Review and New Terms

  • A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.

  • The exposure is the potential dollar loss that would occur if the threat becomes a reality.

  • The risk is the probability that the threat will occur.

AIS Threats Increasing

  • Control risks have increased in the last few years:

    • Proliferation of computers and servers

    • Distributed computer networks make data available to many users

    • Wide area networks give customers and suppliers access to each other’s systems and data

  • Organizations do not adequately protect their data:

    • Computer control problems are underestimated

    • Failure to understand control implications of moving from centralized systems to a networked system or Internet-based system

    • Failure to recognize that data is a strategic resource and that data security must be a strategic requirement

    • Productivity and cost pressures

Control Concepts

  • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:

    • Assets (including data) are safeguarded.

    • Records are maintained in sufficient detail to accurately and fairly reflect company assets.

    • Accurate and reliable information is provided.

    • There is reasonable assurance that financial reports are prepared in accordance with GAAP.

    • Operational efficiency is promoted and improved.

    • Adherence to prescribed managerial policies is encouraged.

    • The organization complies with applicable laws and regulations.

Internal Control Functions

  • Internal controls perform three important functions:

    • Preventive controls

    • Detective controls

    • Corrective controls

Classification of Controls

  • Internal controls are often classified as:

    • General controls

    • Application controls

SOX and the Foreign Corrupt Practices Act

  • 1977 Foreign Corrupt Practices Act

  • All publicly traded corporations subject to SEC regulation are required to keep records that accurately and fairly represent transactions and assets in reasonable detail.

  • The internal control system must assure that:

    • Transactions are authorized

    • Transactions are recorded in conformity with GAAP and so as to maintain accountability

    • Access to assets is authorized

    • There is accountability for assets

SOX and the Foreign Corrupt Practices Act

  • The intent of SOX is to:

    • Prevent financial statement fraud

    • Make financial reports more transparent

    • Protect investors

    • Strengthen internal controls in publicly-held companies

    • Punish executives who perpetrate fraud

SOX and the Foreign Corrupt Practices Act

  • Important aspects of SOX include:

    • Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.

    • New rules for auditors

    • New rules for audit committees

    • New rules for management

    • New internal control requirements

SOX and the Foreign Corrupt Practices Act

  • After SOX, the SEC further mandated that:

    • Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment.

    • The report must contain a statement identifying the framework used.

    • Management must disclose any and all material internal control weaknesses.

    • Management cannot conclude that the company has effective internal control if there are any material weaknesses.

Internal Control Frameworks

  • The COBIT framework

  • The COSO internal control framework

  • COSO’s Enterprise Risk Management framework (ERM)

COBIT Framework

  • Control Objectives for Information and Related Technology

  • Developed by the Information Systems Audit and Control Foundation (ISACF)

COBIT Framework

  • Allows:

    • Management to benchmark security and control practices

    • Users to be assured that adequate security and control exists

    • Auditors to substantiate their opinions on internal control

Control Frameworks

  • The framework addresses the issue of control from three vantage points:

    • Business objectives

    • IT resources

    • IT processes

COSO’s Internal Control Framework

  • COSO’s Internal Control Framework

    • The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:

      • The American Accounting Association

      • The AICPA

      • The Institute of Internal Auditors

      • The Institute of Management Accountants

      • The Financial Executives Institute

COSO’s Internal Control Framework

  • Control environment

  • Control activities

  • Risk assessment

  • Information and communication

  • Monitoring

COSO’s Enterprise Risk Management Framework

  • Risk management is:

    • A process applied in strategy setting to identify potential events that may affect the entity and manage risk in order to provide reasonable assurance of the achievement of entity objectives.

COSO’s Enterprise Risk Management Framework

  • Basic principles behind ERM:

    • Companies are formed to create value for owners.

    • Management must decide how much uncertainty they will accept.

    • Uncertainty can result in:

      • Risk

      • Opportunity

COSO’s Enterprise Risk Management Framework


  • Risk & Control Components (diagram on the original slide; not reproduced in the transcript)


Internal Environment

  • Consists of the following:

    • Management’s philosophy, operating style, and risk appetite

    • The board of directors

    • Commitment to integrity, ethical values, and competence

    • Organizational structure

    • Methods of assigning authority and responsibility

    • Human resource standards

    • External influences

Internal Environment

  • Assessment of management’s philosophy and operating style

    • Does management take undue business risks or assess potential risks and rewards before acting?

    • Does management attempt to manipulate performance measures such as net income?

    • Does management pressure employees to achieve results regardless of methods or do they demand ethical behavior?

Internal Environment

  • The Board of Directors

    • They should:

      • Oversee management

      • Scrutinize management’s plans, performance, and activities

      • Approve company strategy

      • Review financial results

      • Annually review the company’s security policy

      • Interact with internal and external auditors

Internal Environment

  • The audit committee:

    • Oversees the company’s internal control structure, its financial reporting process, and its compliance with laws, regulations, and standards.

    • Works with the corporation’s external and internal auditors.

    • Hires, compensates, and oversees the auditors.

Internal Environment

  • Important aspects of organizational structure:

    • Degree of centralization or decentralization.

    • Assignment of responsibility for specific tasks.

    • Direct-reporting relationships or matrix structure

    • Organization by industry, product, geographic location, marketing network

    • How the responsibility allocation affects management’s information needs

    • Organization of accounting and IS functions

    • Size and nature of company activities

Internal Environment

  • Authority and responsibility are assigned through:

    • Formal job descriptions

    • Employee training

    • Operating plans, schedules, and budgets

    • Codes of conduct

    • Written policies and procedures manuals, which cover:

      • Proper business practices

      • Knowledge and experience needed by key personnel

      • Resources provided to carry out duties

      • Policies and procedures for handling particular transactions

      • The organization’s chart of accounts

      • Sample copies of forms and documents

Internal Environment

  • Human Resources Standards

    • Employees are both the company’s greatest control strength and the greatest control weakness.

    • Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.

    • Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization’s vulnerability.

Internal Environment

  • Human resource policies and procedures are important:

    • Hiring

    • Compensating

    • Training

    • Evaluating and promoting

    • Discharging

    • Managing disgruntled employees

    • Vacations and rotation of duties

    • Confidentiality insurance and fidelity bonds

Internal Environment

  • External influences

    • FASB

    • PCAOB

    • SEC

    • Insurance commissions

    • Regulatory agencies for banks, utilities, etc.

Objective Setting

  • The objectives:

    • Need to be easy to understand and measure.

    • Should be prioritized.

    • Should be aligned with the company’s risk appetite.

Objective Setting

  • For each set of objectives:

    • Critical success factors must be defined

    • Performance measures should be established to determine whether the objectives are met

Objective Setting

  • Objective-setting process proceeds as follows:

    • First, set strategic objectives, the high-level goals that support the company’s mission and create value for shareholders.

    • To meet these objectives, identify alternative ways of accomplishing them.

    • For each alternative, identify and assess risks and implications.

    • Formulate a corporate strategy.

    • Then set operations, compliance, and reporting objectives.

Objective Setting

  • Operations objectives:

    • Are a product of management preferences, judgments, and style

    • Vary significantly among entities

    • Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures

    • Give clear direction for resource allocation

  • Compliance and reporting objectives:

    • Many are imposed by external entities

    • A company’s reputation can be impacted significantly by the quality of its compliance

Event Identification

  • Events are:

    • Incidents or occurrences that emanate from internal or external sources

    • That affect implementation of strategy or achievement of objectives.

    • Impact can be positive, negative, or both.

    • Events can range from obvious to obscure.

    • Effects can range from inconsequential to highly significant.

Event Identification

  • External factors:

    • Economic factors

    • Natural environment

    • Political factors

    • Social factors

    • Technological factors

Event Identification

  • Internal factors:

    • Infrastructure

    • Personnel

    • Process

    • Technology

Event Identification

  • Techniques to identify events:

    • Use comprehensive lists of potential events

    • Perform an internal analysis

    • Monitor leading events and trigger points

    • Conduct workshops and interviews

    • Perform data mining and analysis

    • Analyze processes

Risk Assessment and Risk Response

  • COSO indicates there are two types of risk:

    • Inherent risk

    • Residual risk

Risk Assessment and Risk Response

  • Companies should:

    • Assess inherent risk

    • Develop a response

    • Then assess residual risk

  • The ERM model indicates four ways to respond to risk:

    • Reduce it

    • Accept it

    • Share it

    • Avoid it

Risk Assessment and Risk Response

  • The risk assessment and response flowchart on this slide proceeds as follows:

    • Identify the events or threats that confront the company

    • Estimate the likelihood or probability of each event occurring

    • Estimate the impact of potential loss from each threat

    • Identify set of controls to guard against threat

    • Estimate costs and benefits from instituting controls

    • Decision: Is it ... to protect ...? (wording partly missing from the transcript)

      • If so: Reduce risk by implementing set of controls to guard against threat

      • If not: Avoid, share, or accept risk

Risk Assessment and Risk Response

  • Let’s go through an example:

    • Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.

    • A catastrophic theft could result in losses of $800,000.

    • Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.

    • Companies with motion detectors only have about a .5% probability of catastrophic theft.

    • The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.

    • Should Hobby Hole install the motion detectors?
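The cost-benefit step of the flowchart above, worked through on the Hobby Hole figures. This is an added example, not code from the slides: expected loss is impact times likelihood, a control's expected benefit is the reduction in expected loss, and it is worth installing when that benefit exceeds its cost. The `Threat`/`ControlOption` names and the security-guard alternative are my own constructions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float       # exposure: dollar loss if the threat becomes reality
    likelihood: float   # risk: probability that the threat occurs

    def expected_loss(self) -> float:
        return self.impact * self.likelihood


@dataclass(frozen=True)
class ControlOption:
    name: str
    cost: float                 # present value of buying, installing and operating it
    residual_likelihood: float  # probability of the threat once the control is in place


def evaluate_control(threat: Threat, control: ControlOption) -> dict:
    """Expected loss before and after the control, the expected benefit
    (reduction in expected loss) and the net benefit after paying for it."""
    if not 0.0 <= control.residual_likelihood <= threat.likelihood <= 1.0:
        raise ValueError("residual likelihood must lie in [0, inherent likelihood]")
    before = threat.expected_loss()
    after = threat.impact * control.residual_likelihood
    benefit = before - after
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "expected_benefit": benefit,
        "net_benefit": benefit - control.cost,
    }


def recommend(threat: Threat, controls):
    """Return ("reduce", control name, figures) for the control with the largest
    positive net benefit, or ("accept", None, None) when no control pays for
    itself (avoiding or sharing the risk is not priced by this simple model)."""
    best = None
    for control in controls:
        figures = evaluate_control(threat, control)
        if figures["net_benefit"] > 0 and (
            best is None or figures["net_benefit"] > best[2]["net_benefit"]
        ):
            best = ("reduce", control.name, figures)
    return best if best is not None else ("accept", None, None)


# Figures taken from the Hobby Hole slide.
CATASTROPHIC_THEFT = Threat("catastrophic warehouse theft", impact=800_000, likelihood=0.12)
MOTION_DETECTORS = ControlOption("motion detector system", cost=43_000, residual_likelihood=0.005)
# Constructed alternative for comparison; not on the slide.
SECURITY_GUARD = ControlOption("24x7 security guard", cost=60_000, residual_likelihood=0.003)

if __name__ == "__main__":
    decision, name, figures = recommend(CATASTROPHIC_THEFT, [MOTION_DETECTORS, SECURITY_GUARD])
    print(decision, name, figures)
```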

Control Activities

  • Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.

  • It is management’s responsibility to develop a secure and adequately controlled system.

  • Management must also establish a set of procedures to ensure control compliance and enforcement

Control Activities

  • Categories:

    • Proper authorization of transactions and activities

    • Segregation of duties

    • Project development and acquisition controls

    • Change management controls

    • Design and use of documents and records

    • Safeguard assets, records, and data

    • Independent checks on performance

Control Activities

  • Segregation of Accounting Duties

    • Effective segregation of accounting duties is achieved when the following functions are separated:

      • Authorization—approving transactions and decisions.

      • Recording—Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.

      • Custody—Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account.

Control Activities

  • Recording:

    • Preparing source documents

    • Maintaining journals, ledgers, or other files

    • Preparing reconciliations

    • Preparing performance reports

  • Custody:

    • Handling cash

    • Handling inventories, tools, or fixed assets

    • Writing checks

    • Receiving checks in mail

  • Authorization:

    • Authorization of transactions
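A check a practitioner would run against the role assignments in an AIS to find people who hold duties from two of the three categories above. This is an added example, not code from the slides; the duty names follow the slides, while the role definitions and user assignments are constructed.

```python
from itertools import combinations

# Each duty the slides list, mapped to its segregation category.
DUTY_CATEGORY = {
    "approve_transaction": "authorization",
    "prepare_source_documents": "recording",
    "maintain_ledger": "recording",
    "prepare_reconciliation": "recording",
    "prepare_performance_report": "recording",
    "handle_cash": "custody",
    "handle_inventory": "custody",
    "write_checks": "custody",
    "receive_mailed_checks": "custody",
}

# Any two of the three categories in one person's hands is a conflict.
INCOMPATIBLE = {frozenset(p) for p in combinations(("authorization", "recording", "custody"), 2)}

# Constructed (hypothetical) role definitions.
ROLE_DUTIES = {
    "ap_clerk": {"prepare_source_documents", "maintain_ledger"},
    "ap_approver": {"approve_transaction"},
    "cashier": {"handle_cash", "receive_mailed_checks"},
    "controller": {"prepare_reconciliation", "prepare_performance_report"},
}


def duties_by_category(roles, role_duties=ROLE_DUTIES):
    """Group every duty granted by a user's roles under its segregation category."""
    grouped = {}
    for role in roles:
        for duty in role_duties[role]:
            grouped.setdefault(DUTY_CATEGORY[duty], set()).add(duty)
    return grouped


def find_sod_conflicts(assignments, role_duties=ROLE_DUTIES):
    """Return {user: [(category_a, category_b, duties_a, duties_b), ...]} for
    every user whose roles combine duties from incompatible categories."""
    conflicts = {}
    for user, roles in assignments.items():
        grouped = duties_by_category(roles, role_duties)
        found = [
            (a, b, sorted(grouped[a]), sorted(grouped[b]))
            for a, b in combinations(sorted(grouped), 2)
            if frozenset((a, b)) in INCOMPATIBLE
        ]
        if found:
            conflicts[user] = found
    return conflicts


# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": {"ap_clerk", "ap_approver"},  # records and approves: conflict
    "bob": {"cashier"},                    # custody only: fine
    "carol": {"controller", "cashier"},    # reconciles and handles cash: conflict
}

if __name__ == "__main__":
    for user, found in find_sod_conflicts(ASSIGNMENTS).items():
        print(user, found)
```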

Control Activities

  • Employee/vendor collusions include:

    • Billing at inflated prices

    • Performing substandard work and receiving full payment

    • Payment for non-performance

    • Duplicate billings

    • Improperly funneling more work to or purchasing more goods from a colluding company

  • Employee/customer collusions include:

    • Unauthorized loans or insurance payments

    • Receipt of assets or services at unauthorized discount prices

    • Forgiveness of amounts owed

    • Unauthorized extension of due dates

Control Activities

  • Segregation of Duties Within the Systems Function

    • Systems administration

    • Network management

    • Security management

    • Change management

    • Users

    • Systems analysts

    • Programming

    • Computer operations

    • Information systems library

    • Data control

Control Activities

  • Project Development and Acquisition Controls

    • Should contain appropriate controls for:

      • Management review and approval

      • User involvement

      • Analysis

      • Design

      • Testing

      • Implementation

      • Conversion

Control Activities

  • Basic principles of control for systems development process:

    • Strategic master plan

    • Project controls

    • Data processing schedule

    • Steering committee

    • System performance measurements

    • Post-implementation review

Control Activities

  • Change Management Controls

    • Change management is the process of making sure that changes do not negatively affect:

      • Systems reliability

      • Security

      • Confidentiality

      • Integrity

      • Availability

Control Activities

  • Design and Use of Adequate Documents and Records

    • Form and content should be kept as simple as possible to:

      • Promote efficient record keeping

      • Minimize recording errors

      • Facilitate review and verification

    • Documents that initiate a transaction should contain a space for authorization.

    • Those used to transfer assets should have a space for the receiving party’s signature.

Control Activities

  • Safeguard Assets, Records, and Data

    • Maintain accurate records of all assets

      • Periodically reconcile recorded amounts to physical counts.

    • Restrict access to assets

    • Protect records and documents

Control Activities

  • Independent checks on performance:

    • Top-level reviews

    • Analytical reviews

    • Reconciliation of independently maintained sets of records

    • Comparison of actual quantities with recorded amounts

    • Double-entry accounting

    • Independent review

Information and Communication

  • The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.

  • So accountants must understand how:

    • Transactions are initiated

    • Data are captured in or converted to machine-readable form

    • Computer files are accessed and updated

    • Data are processed

    • Information is reported to internal and external parties

Information and Communication

  • According to the AICPA, an AIS has five primary objectives:

    • Identify and record all valid transactions.

    • Properly classify transactions.

    • Record transactions at their proper monetary value.

    • Record transactions in the proper accounting period.

    • Properly present transactions and related disclosures in the financial statements.

Monitoring

  • Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

Monitoring

  • Key methods of monitoring performance include:

    • Perform ERM evaluation

    • Implement effective supervision

    • Use responsibility accounting

    • Monitor system activities

    • Track purchased software

    • Conduct periodic audits

    • Employ a computer security officer and security consultants

    • Engage forensic specialists

    • Install fraud detection software

    • Implement a fraud hotline

Monitoring

  • Internal auditing involves:

    • Reviewing the reliability and integrity of financial and operating information.

    • Providing an appraisal of internal control effectiveness.

    • Assessing employee compliance with management policies and procedures and applicable laws and regulations.

    • Evaluating the efficiency and effectiveness of management.

Monitoring

  • Internal audits can detect:

    • Excess overtime

    • Under-used assets

    • Obsolete inventory

    • Padded expense reimbursements

    • Excessively loose budgets and quotas

    • Poorly justified capital expenditures

    • Production bottlenecks

ERM vs. Internal Control Framework

  • The internal control framework has been widely adopted as the principal way to evaluate internal controls, but it has:

    • Too narrow a focus

    • Inherent bias toward past problems and concerns

  • ERM framework

    • Risk-based approach

    • Oriented toward future and constant change

    • Incorporates internal control framework plus three additional elements:

      • Setting objectives.

      • Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.

      • Developing a response to assessed risk.

Summary

  • We have:

    • Defined internal control concepts

    • Discussed the importance of computer control and security

    • Compared and contrasted the COBIT, COSO, and ERM control frameworks

    • Described the major elements in the internal control environment of a company

    • Defined the four types of control objectives that companies need to set

    • Determined how to identify the events that affect uncertainty

    • Explored how the Enterprise Risk Management model is used to assess and respond to risk

    • Identified the control activities that are commonly used in companies

    • Described how organizations communicate information and monitor control processes.