550 likes | 684 Vues
HAPTER 7. Control and Accounting Information Systems. INTRODUCTION. Questions to be addressed in this chapter: What are the basic internal control concepts, and why are computer control and security important? What is the difference between the COBIT, COSO, and ERM control frameworks?
E N D
HAPTER 7 Control and Accounting Information Systems
INTRODUCTION • Questions to be addressed in this chapter: • What are the basic internal control concepts, and why are computer control and security important? • What is the difference between the COBIT, COSO, and ERM control frameworks? • What are the major elements in the internal environment of a company? • What events affect uncertainty, and how can they be identified? • How is the Enterprise Risk Management model used to assess and respond to risk? • What control activities are commonly used in companies? • How do organizations communicate information and monitor control processes?
INTRODUCTION • Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because: • Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files. • Segregation of duties must be achieved differently in an AIS. • Computers provide opportunities for enhancement of some internal controls.
INTRODUCTION • One of the primary objectives of an AIS is to control a business organization. • Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness. • Management expects accountants to be control consultants by: • Taking a proactive approach to eliminating system threats; and • Detecting, correcting, and recovering from threats when they do occur.
OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets. • Accurate and reliable information is provided. • There is reasonable assurance that financial reports are prepared in accordance with GAAP. • Operational efficiency is promoted and improved. • Adherence to prescribed managerial policies is encouraged. • The organization complies with applicable laws and regulations.
OVERVIEW OF CONTROL CONCEPTS • Internal controls perform three important functions: • Preventive controls • Detective controls • Corrective controls
OVERVIEW OF CONTROL CONCEPTS • Internal controls are often classified as: • General controls • Application controls
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement. • The primary purpose of the act was to prevent the bribery of foreign officials to obtain business. • A significant side effect was to require that corporations maintain good systems of internal accounting control.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines. • The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Actof 2002 (aka, SOX). • Applies to publicly held companies and their auditors
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • The intent of SOX is to: • Prevent financial statement fraud • Make financial reports more transparent • Protect investors • Strengthen internal controls in publicly-held companies • Punish executives who perpetrate fraud • SOX has had a material impact on the way boards of directors, management, and accountants operate.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: • Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. • New rules for auditors • New rules for audit committees • New rules for management • New internal control requirements
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • After the passage of SOX, the SEC further mandated that: • Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter. • The report must contain a statement identifying the framework used.
CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: • The COBIT framework • The COSO internal control framework • COSO’s Enterprise Risk Management framework (ERM)
CONTROL FRAMEWORKS • COBIT consolidates standards from 36 different sources into a single framework. • It is having a big impact on the IS profession. • Helps managers to learn how to balance risk and control investment in an IS environment. • Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate. • Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
CONTROL FRAMEWORKS • COSO’s Internal Control Framework • The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of: • The American Accounting Association • The AICPA • The Institute of Internal Auditors • The Institute of Management Accountants • The Financial Executives Institute
CONTROL FRAMEWORKS • In 1992, COSO issued the Internal Control Integrated Framework: • COSO’s internal control model has five crucial components: • Control environment • Control activities • Risk assessment • Information and communication • Monitoring
CONTROL FRAMEWORKS • The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it. • It has too narrow of a focus. • Focusing on controls first has an inherent bias toward past problems and concerns.
CONTROL FRAMEWORKS • Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. • Result: Enterprise Risk Management Integrated Framework (ERM)
CONTROL FRAMEWORKS • ERM Framework • Takes a risk-based, rather than controls-based, approach to the organization. • Oriented toward future and constant change. • Incorporates rather than replaces COSO’s internal control framework and contains three additional elements: • Setting objectives. • Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives. • Developing a response to assessed risk.
CONTROL FRAMEWORKS • COSO developed a model to illustrate the elements of ERM.
INTERNAL ENVIRONMENT • The most critical component of the ERM and the internal control framework. • Is the foundation on which the other seven components rest. • Influences how organizations: • Establish strategies and objectives • Structure business activities • Identify, access, and respond to risk • A deficient internal control environment often results in risk management and control breakdowns.
INTERNAL ENVIRONMENT • Internal environment consists of the following: • Management’s philosophy, operating style, and risk appetite • The board of directors • Commitment to integrity, ethical values, and competence • Organizational structure • Methods of assigning authority and responsibility • Human resource standards • External influences
INTERNAL ENVIRONMENT • The following human resource policies and procedures are important: • Hiring • Compensating • Training • Evaluating and promoting • Discharging • Managing disgruntled employees • Vacations and rotation of duties • Confidentiality, insurance and fidelity bonds
OBJECTIVE SETTING • Objective setting is the second ERM component. • It must precede many of the other six components. • For example, you must set objectives before you can define events that affect your ability to achieve objectives
OBJECTIVE SETTING • Top management, with board approval, must articulate why the company exists and what it hopes to achieve. • Often referred to as the corporate vision or mission. • Uses the mission statement as a base from which to set corporate objectives. • The objectives: • Need to be easy to understand and measure. • Should be prioritized. • Should be aligned with the company’s risk appetite.
EVENT IDENTIFICATION • Events are: • Incidents or occurrences that emanate from internal or external sources • That affect implementation of strategy or achievement of objectives. • Impact can be positive, negative, or both. • Events can range from obvious to obscure. • Effects can range from inconsequential to highly significant.
EVENT IDENTIFICATION • Management must do its best to anticipate all possible events—positive or negative—that might affect the company: • Try to determine which are most and least likely. • Understand the interrelationships of events. • COSO identified many internal and external factors that could influence events and affect a company’s ability to implement strategy and achieve objectives.
EVENT IDENTIFICATION • Some of these factors include: • External factors: • Economic factors • Natural environment • Political factors • Social factors • Technological factors
EVENT IDENTIFICATION • Some of these factors include: • Internal factors: • Infrastructure • Personnel • Process • Technology
RISK ASSESSMENT AND RISK RESPONSE • The fourth and fifth components of COSO’s ERM model are risk assessment and risk response. • COSO indicates there are two types of risk: • Inherent risk • Residual risk
RISK ASSESSMENT AND RISK RESPONSE • Companies should: • Assess inherent risk • Develop a response • Then assess residual risk • The ERM model indicates four ways to respond to risk: • Reduce it • Accept it • Share it • Avoid it
RISK ASSESSMENT AND RISK RESPONSE • A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization. • The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality. • The likelihood is the probability that the threat will occur.
RISK ASSESSMENT AND RISK RESPONSE Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Accountants assess and reduce inherent risk using the risk assessment and response strategy Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Is it cost-beneficial to protect system Avoid, share, or accept risk No Yes Reduce risk by implementing set of controls to guard against threat
RISK ASSESSMENT AND RISK RESPONSE Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring • The expected loss related to a risk is measured as: • Expected loss = impact x likelihood • The value of a control procedure is the difference between: • Expected loss with control procedure • Expected loss without it Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Is it cost-beneficial to protect system Avoid, share, or accept risk No Yes Reduce risk by implementing set of controls to guard against threat
RISK ASSESSMENT AND RISK RESPONSE • Let’s go through an example: • Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft. • A catastrophic theft could result in losses of $800,000. • Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%. • Companies with motion detectors only have about a .5% probability of catastrophic theft. • The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000. • Should Hobby Hole install the motion detectors?
CONTROL ACTIVITIES • The sixth component of COSO’s ERM model. • Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.
CONTROL ACTIVITIES • It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because: • More people are on vacation and fewer around to mind the store. • Students are not tied up with school.
CONTROL ACTIVITIES • Generally, control procedures fall into one of the following categories: • Proper authorization of transactions and activities • Segregation of duties • Project development and acquisition controls • Change management controls • Design and use of documents and records • Safeguard assets, records, and data • Independent checks on performance
CONTROL ACTIVITIES • Proper Authorization of Transactions and Activities • Management lacks the time and resources to supervise each employee activity and decision. • Consequently, they establish policies and empower employees to perform activities within policy. • This empowerment is called authorization and is an important part of an organization’s control procedures.
CONTROL ACTIVITIES • Typically at least two levels of authorization: • General authorization • Management authorizes employees to handle routine transactions without special approval. • Special authorization • For activities or transactions that are of significant consequences, management review and approval is required. • Might apply to sales, capital expenditures, or write-offs over a particular dollar limit. • Management should have written policies for both types of authorization and for all types of transactions.
CONTROL ACTIVITIES • Segregation of Duties • Good internal control requires that no single employee be given too much responsibility over business transactions or processes. • An employee should not be in a position to commit and conceal fraud or unintentional errors. • Segregation of duties is discussed in two sections: • Segregation of accounting duties • Segregation of duties within the systems function
CONTROL ACTIVITIES • Segregation of Accounting Duties • Effective segregation of accounting duties is achieved when the following functions are separated: • Authorization—approving transactions and decisions. • Recording—Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports. • Custody—Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account. • If any two of the preceding functions are the responsibility of one person, then problems can arise.
CONTROL ACTIVITIES RECORDING FUNCTIONS • Preparing source documents • Maintaining journals, ledgers, or other files • Preparing reconciliations • Preparing performance reports CUSTODIAL FUNCTIONS • Handling cash • Handling inventories, tools, or fixed assets • Writing checks • Receiving checks in mail • EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft. • SOLUTION: The segregation of custody and recording prevents employees from falsifying records to conceal theft of assets entrusted to them. AUTHORIZATION FUNCTIONS • Authorization of transactions
EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal the payments. • SOLUTION: The segregation of custody and authorization prevents employees from authorizing fictitious or inaccurate transactions as a means of concealing a theft. CONTROL ACTIVITIES RECORDING FUNCTIONS • Preparing source documents • Maintaining journals, ledgers, or other files • Preparing reconciliations • Preparing performance reports CUSTODIAL FUNCTIONS • Handling cash • Handling inventories, tools, or fixed assets • Writing checks • Receiving checks in mail AUTHORIZATION FUNCTIONS • Authorization of transactions
EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee’s home address or the address of a shell company he creates. • SOLUTION: The segregation of recording and authorization prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized. CONTROL ACTIVITIES RECORDING FUNCTIONS • Preparing source documents • Maintaining journals, ledgers, or other files • Preparing reconciliations • Preparing performance reports CUSTODIAL FUNCTIONS • Handling cash • Handling inventories, tools, or fixed assets • Writing checks • Receiving checks in mail AUTHORIZATION FUNCTIONS • Authorization of transactions
CONTROL ACTIVITIES • Segregation of Duties Within the Systems Function • In a highly integrated information system, procedures once performed by separate individuals are combined. • Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud. • To combat this threat, organizations must implement effective segregation of duties within the IS function.
CONTROL ACTIVITIES • Authority and responsibility must be divided clearly among the following functions: • Systems administration • Network management • Security management • Change management • Users • Systems analysts • Programming • Computer operations • Information systems library • Data control
CONTROL ACTIVITIES • Project Development and Acquisition Controls • It’s important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies. • Should contain appropriate controls for: • Management review and approval • User involvement • Analysis • Design • Testing • Implementation • Conversion
CONTROL ACTIVITIES • Change Management Controls • Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances. • Change management is the process of making sure that the changes do not negatively affect: • Systems reliability • Security • Confidentiality • Integrity • Availability
CONTROL ACTIVITIES • Design and Use of Adequate Documents and Records • Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data. • Form and content should be kept as simple as possible to: • Promote efficient record keeping • Minimize recording errors • Facilitate review and verification • Documents that initiate a transaction should contain a space for authorization. • Those used to transfer assets should have a space for the receiving party’s signature.