CONTROL AND ACCOUNTING INFORMATION SYSTEMS. Chapter 6.
Review and New Terms • A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization. • The exposure is the potential dollar loss that would occur if the threat becomes a reality. • The risk is the probability that the threat will occur.
AIS Threats Increasing • Control risks have increased in the last few years: • Proliferation of computers and servers • Distributed computer networks make data available to many users • Wide area networks give customers and suppliers access to each other’s systems and data • Organizations do not adequately protect their data: • Computer control problems are underestimated • Failure to understand the control implications of moving from centralized systems to a networked system or Internet-based system • Failure to recognize that data is a strategic resource and that data security must be a strategic requirement • Productivity and cost pressures
Control Concepts • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets. • Accurate and reliable information is provided. • There is reasonable assurance that financial reports are prepared in accordance with GAAP. • Operational efficiency is promoted and improved. • Adherence to prescribed managerial policies is encouraged. • The organization complies with applicable laws and regulations.
Internal Control Functions • Internal controls perform three important functions: • Preventive controls • Detective controls • Corrective controls
Classification of Controls • Internal controls are often classified as: • General controls • Application controls
SOX and the Foreign Corrupt Practices Act • 1977 Foreign Corrupt Practices Act • requires all publicly traded corporations subject to the SEC to keep records that accurately and fairly represent transactions and assets in reasonable detail • their internal control system must provide reasonable assurance that • transactions are authorized by management • transactions are recorded in conformity with GAAP and so as to maintain accountability for assets • access to assets is permitted only as authorized by management • recorded assets are periodically compared with existing assets, establishing accountability for assets
SOX and the Foreign Corrupt Practices Act • The intent of SOX is to: • Prevent financial statement fraud • Make financial reports more transparent • Protect investors • Strengthen internal controls in publicly-held companies • Punish executives who perpetrate fraud
SOX and the Foreign Corrupt Practices Act • Important aspects of SOX include: • Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. • New rules for auditors • New rules for audit committees • New rules for management • New internal control requirements
SOX and the Foreign Corrupt Practices Act • After SOX, the SEC further mandated that: • Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. • The report must contain a statement identifying the framework used. • Management must disclose any and all material internal control weaknesses. • Management cannot conclude that the company has effective internal control if there are any material weaknesses.
Internal Control Frameworks • The COBIT framework • The COSO internal control framework • COSO’s Enterprise Risk Management framework (ERM)
COBIT Framework • Control Objectives for Information and Related Technology • Originally developed by the Information Systems Audit and Control Foundation (ISACF); now maintained by ISACA
COBIT Framework • Allows: • Management to benchmark security and control practices • Users to be assured that adequate security and control exists • Auditors to substantiate their opinions on internal control
COBIT Framework • The framework addresses the issue of control from three vantage points: • Business objectives • IT resources • IT processes
COSO’s Internal Control Framework • The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of: • The American Accounting Association • The AICPA • The Institute of Internal Auditors • The Institute of Management Accountants • The Financial Executives Institute
COSO’s Internal Control Framework • Control environment • Control activities • Risk assessment • Information and communication • Monitoring
COSO’s Enterprise Risk Management Framework • Risk management is: • A process applied in strategy setting to identify potential events that may affect the entity and manage risk in order to provide reasonable assurance of the achievement of entity objectives.
COSO’s Enterprise Risk Management Framework • Basic principles behind ERM: • Companies are formed to create value for owners. • Management must decide how much uncertainty they will accept. • Uncertainty can result in: • Risk • Opportunity
COSO’s Enterprise Risk Management Framework • [Figure: the COSO ERM cube, whose three faces are the entity’s objectives, the risk and control components, and the organizational units to which they apply.]
Internal Environment • Consists of the following: • Management’s philosophy, operating style, and risk appetite • The board of directors • Commitment to integrity, ethical values, and competence • Organizational structure • Methods of assigning authority and responsibility • Human resource standards • External influences
Internal Environment • Assessment of management’s philosophy and operating style • Does management take undue business risks or assess potential risks and rewards before acting? • Does management attempt to manipulate performance measures such as net income? • Does management pressure employees to achieve results regardless of methods or do they demand ethical behavior?
Internal Environment • The Board of Directors • They should: • Oversee management • Scrutinize management’s plans, performance, and activities • Approve company strategy • Review financial results • Annually review the company’s security policy • Interact with internal and external auditors
Internal Environment • The audit committee oversees: • The company’s internal control structure; • Its financial reporting process; • Its compliance with laws, regulations, and standards. • Works with the corporation’s external and internal auditors. • Hires, compensates, and oversees the auditors.
Internal Environment • Important aspects of organizational structure: • Degree of centralization or decentralization. • Assignment of responsibility for specific tasks. • Direct-reporting relationships or matrix structure • Organization by industry, product, geographic location, marketing network • How the responsibility allocation affects management’s information needs • Organization of accounting and IS functions • Size and nature of company activities
Internal Environment • Authority and responsibility are assigned through: • Formal job descriptions • Employee training • Operating plans, schedules, and budgets • Codes of conduct • Written policies and procedures manuals, which cover: • Proper business practices • Knowledge and experience needed by key personnel • Resources provided to carry out duties • Policies and procedures for handling particular transactions • The organization’s chart of accounts • Sample copies of forms and documents
Internal Environment • Human Resources Standards • Employees are both the company’s greatest control strength and the greatest control weakness. • Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required. • Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization’s vulnerability.
Internal Environment • Human resource policies and procedures are important: • Hiring • Compensating • Training • Evaluating and promoting • Discharging • Managing disgruntled employees • Vacations and rotation of duties • Confidentiality agreements and fidelity bond insurance
Internal Environment • External influences • FASB • PCAOB • SEC • Insurance commissions • Regulatory agencies for banks, utilities, etc.
Objective Setting • The objectives: • Need to be easy to understand and measure. • Should be prioritized. • Should be aligned with the company’s risk appetite.
Objective Setting • For each set of objectives: • Critical success factors must be defined • Performance measures should be established to determine whether the objectives are met
Objective Setting • Objective-setting process proceeds as follows: • First, set strategic objectives, the high-level goals that support the company’s mission and create value for shareholders. • To meet these objectives, identify alternative ways of accomplishing them. • For each alternative, identify and assess risks and implications. • Formulate a corporate strategy. • Then set operations, compliance, and reporting objectives.
Objective Setting • Operations objectives: • Are a product of management preferences, judgments, and style • Vary significantly among entities • Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures • Give clear direction for resource allocation • Compliance and reporting objectives: • Many are imposed by external entities • A company’s reputation can be impacted significantly by the quality of its compliance
Event Identification • Events are: • Incidents or occurrences that emanate from internal or external sources • That affect implementation of strategy or achievement of objectives. • Impact can be positive, negative, or both. • Events can range from obvious to obscure. • Effects can range from inconsequential to highly significant.
Event Identification • External factors: • Economic factors • Natural environment • Political factors • Social factors • Technological factors
Event Identification • Internal factors: • Infrastructure • Personnel • Process • Technology
Event Identification • Techniques to identify events: • Use comprehensive lists of potential events • Perform an internal analysis • Monitor leading events and trigger points • Conduct workshops and interviews • Perform data mining and analysis • Analyze processes
Risk Assessment and Risk Response • COSO indicates there are two types of risk: • Inherent risk • Residual risk
Risk Assessment and Risk Response • Companies should: • Assess inherent risk • Develop a response • Then assess residual risk • The ERM model indicates four ways to respond to risk: • Reduce it • Accept it • Share it • Avoid it
Risk Assessment and Risk Response • The risk assessment and response process: • 1. Identify the events or threats that confront the company. • 2. Estimate the likelihood or probability of each event occurring. • 3. Estimate the impact, or potential loss, from each threat. • 4. Identify a set of controls to guard against the threat. • 5. Estimate the costs and benefits of instituting those controls. • 6. Decide: is it cost-beneficial to protect the system? • Yes: reduce the risk by implementing the set of controls to guard against the threat. • No: avoid, share, or accept the risk.
Risk Assessment and Risk Response • Let’s go through an example: • Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft. • A catastrophic theft could result in losses of $800,000. • Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%. • Companies with motion detectors only have about a .5% probability of catastrophic theft. • The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000. • Should Hobby Hole install the motion detectors?
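The cost-benefit decision above, worked through in code as an added Python example (this is not from the slides or the textbook). Expected loss is exposure multiplied by risk, exactly as the terms are defined at the start of the chapter; a control is cost-beneficial when the reduction in expected loss exceeds its present-value cost. The Hobby Hole figures are the slide’s; the petty-cash threat and its control are constructed here to show the branch where the control does not pay for itself, so the decision falls to avoiding, sharing, or accepting the risk.

```python
"""Risk assessment and risk response: added example, not part of the original slides.

Steps implemented: estimate expected loss of each threat (exposure x risk), estimate
residual expected loss under each candidate control, compare the reduction against
the control's cost, and recommend "reduce" only when that net benefit is positive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                  # present value of buying, installing and operating it
    residual_probability: float  # probability of the event once the control is in place


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float        # exposure: loss if the event occurs
    probability: float   # risk: inherent likelihood of the event
    candidates: tuple    # candidate Controls that could guard against it


def expected_loss(impact: float, probability: float) -> float:
    """Exposure weighted by likelihood."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {probability}")
    return impact * probability


def net_benefit(threat: Threat, control: Control) -> float:
    """Reduction in expected loss minus the control's cost (positive means cost-beneficial)."""
    before = expected_loss(threat.impact, threat.probability)
    after = expected_loss(threat.impact, control.residual_probability)
    return (before - after) - control.cost


def recommend(threat: Threat) -> dict:
    """Pick the candidate with the largest net benefit and map it to an ERM response."""
    inherent = expected_loss(threat.impact, threat.probability)
    scored = sorted(((net_benefit(threat, c), c) for c in threat.candidates),
                    key=lambda pair: pair[0], reverse=True)
    if scored and scored[0][0] > 0:
        benefit, best = scored[0]
        return {
            "threat": threat.name,
            "inherent_expected_loss": inherent,
            "response": "reduce",
            "control": best.name,
            "residual_expected_loss": expected_loss(threat.impact, best.residual_probability),
            "net_benefit": benefit,
        }
    # No candidate pays for itself: the remaining responses are management's call.
    return {
        "threat": threat.name,
        "inherent_expected_loss": inherent,
        "response": "avoid, share, or accept",
        "control": None,
        "residual_expected_loss": inherent,
        "net_benefit": max((score for score, _ in scored), default=0.0),
    }


# Figures from the slide.
HOBBY_HOLE = Threat(
    name="catastrophic warehouse theft",
    impact=800_000,
    probability=0.12,
    candidates=(Control("motion detector system", cost=43_000, residual_probability=0.005),),
)

# Constructed threat (not from the slides) where the control costs more than it saves.
PETTY_CASH = Threat(
    name="petty cash skimming (constructed)",
    impact=20_000,
    probability=0.02,
    candidates=(Control("dual-custody cash box (constructed)", cost=1_500, residual_probability=0.005),),
)

if __name__ == "__main__":
    for threat in (HOBBY_HOLE, PETTY_CASH):
        print(recommend(threat))
```

For Hobby Hole the inherent expected loss is $96,000, the residual expected loss with motion detectors is $4,000, and the $92,000 reduction exceeds the $43,000 cost by $49,000, so the model recommends reducing the risk by installing the detectors.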
Control Activities • Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out. • Management’s responsibility to develop a secure and adequately controlled system • Management must also establish a set of procedures to ensure control compliance and enforcement
Control Activities • Categories: • Proper authorization of transactions and activities • Segregation of duties • Project development and acquisition controls • Change management controls • Design and use of documents and records • Safeguard assets, records, and data • Independent checks on performance
Control Activities • Segregation of Accounting Duties • Effective segregation of accounting duties is achieved when the following functions are separated: • Authorization—approving transactions and decisions. • Recording—Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports. • Custody—Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account.
Control Activities RECORDING FUNCTIONS • Preparing source documents • Maintaining journals, ledgers, or other files • Preparing reconciliations • Preparing performance reports CUSTODIAL FUNCTIONS • Handling cash • Handling inventories, tools, or fixed assets • Writing checks • Receiving checks in mail AUTHORIZATION FUNCTIONS • Authorization of transactions
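The segregation of duties described in the two slides above is something an access-review script can check mechanically: map each duty a person is granted to the accounting function it belongs to, then flag anyone whose grants span two or more of authorization, recording, and custody. The following is an added Python example, not code from the slides or the textbook; the duty catalogue follows the slides’ lists, and the user assignments are constructed for illustration.

```python
"""Segregation-of-duties conflict check: added example, not part of the original slides.

Each duty is mapped to one of the three accounting functions from the slides
(authorization, recording, custody). A user holding duties from two or more of
those functions is reported, together with the conflicting function pairs.
"""
from itertools import combinations

# Duty -> accounting function, following the slides' lists.
DUTY_FUNCTION = {
    "approve_transactions": "authorization",
    "prepare_source_documents": "recording",
    "maintain_ledgers": "recording",
    "prepare_reconciliations": "recording",
    "prepare_performance_reports": "recording",
    "handle_cash": "custody",
    "maintain_inventory_storeroom": "custody",
    "receive_customer_checks": "custody",
    "write_checks": "custody",
}


def functions_held(duties):
    """Return the set of accounting functions implied by a list of duties.

    Unknown duties raise rather than silently passing the check, so an
    unmapped grant cannot hide a conflict.
    """
    unknown = [d for d in duties if d not in DUTY_FUNCTION]
    if unknown:
        raise KeyError(f"unmapped duties: {unknown}")
    return {DUTY_FUNCTION[d] for d in duties}


def sod_conflicts(assignments):
    """assignments: {user: [duty, ...]} -> {user: sorted list of conflicting function pairs}.

    Only users whose duties span two or more functions appear in the result.
    """
    conflicts = {}
    for user, duties in assignments.items():
        held = functions_held(duties)
        if len(held) >= 2:
            conflicts[user] = sorted(tuple(sorted(pair)) for pair in combinations(held, 2))
    return conflicts


# Constructed access review data (not from the slides).
ASSIGNMENTS = {
    "alice": ["approve_transactions"],                                  # authorization only
    "bob": ["maintain_ledgers", "prepare_reconciliations"],             # recording only
    "carol": ["receive_customer_checks", "maintain_ledgers"],           # custody + recording
    "dave": ["approve_transactions", "write_checks", "maintain_ledgers"],  # all three
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(ASSIGNMENTS).items():
        print(f"{user}: {', '.join(f'{a}/{b}' for a, b in pairs)}")
```

Carol’s combination of receiving incoming checks and maintaining the ledger is the classic pattern that allows receipts to be diverted and covered up in the records; Dave holds all three functions and can authorize, execute, and record a payment alone. Both are reported; Alice and Bob, whose duties stay within one function, are not.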
Control Activities • Employee/vendor collusions include: • Billing at inflated prices • Performing substandard work and receiving full payment • Payment for non-performance • Duplicate billings • Improperly funneling more work to or purchasing more goods from a colluding company • Employee/customer collusions include: • Unauthorized loans or insurance payments • Receipt of assets or services at unauthorized discount prices • Forgiveness of amounts owed • Unauthorized extension of due dates
Control Activities • Segregation of Duties Within the Systems Function • Systems administration • Network management • Security management • Change management • Users • Systems analysts • Programming • Computer operations • Information systems library • Data control
Control Activities • Project Development and Acquisition Controls • Should contain appropriate controls for: • Management review and approval • User involvement • Analysis • Design • Testing • Implementation • Conversion
Control Activities • Basic principles of control for systems development process: • Strategic master plan • Project controls • Data processing schedule • Steering committee • System performance measurements • Post-implementation review
Control Activities • Change Management Controls • Change management is the process of making sure that the changes do not negatively affect: • Systems reliability • Security • Confidentiality • Integrity • Availability
Control Activities • Design and Use of Adequate Documents and Records • Form and content should be kept as simple as possible to: • Promote efficient record keeping • Minimize recording errors • Facilitate review and verification • Documents that initiate a transaction should contain a space for authorization. • Those used to transfer assets should have a space for the receiving party’s signature.