CHAPTER 6 Control and Accounting Information Systems
INTRODUCTION • Questions to be addressed in this chapter: • What are the basic internal control concepts, and why are computer control and security important? • What is the difference between the COBIT, COSO, and ERM control frameworks? • What are the major elements in the internal environment of a company? • What are the four types of control objectives that companies need to set? • What events affect uncertainty, and how can they be identified? • How is the Enterprise Risk Management model used to assess and respond to risk? • What control activities are commonly used in companies? • How do organizations communicate information and monitor control processes?
INTRODUCTION • Some vocabulary terms for this chapter: • A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization. • The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality. • The likelihood is the probability that the threat will occur.
OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: • Assets (including data) are safeguarded. • Records are maintained in sufficient detail to accurately and fairly reflect company assets. • Accurate and reliable information is provided. • There is reasonable assurance that financial reports are prepared in accordance with GAAP. • Operational efficiency is promoted and improved. • Adherence to prescribed managerial policies is encouraged. • The organization complies with applicable laws and regulations.
OVERVIEW OF CONTROL CONCEPTS • Internal controls perform three important functions: • Preventive controls deter problems before they arise. • Detective controls discover problems as soon as they arise. • Corrective controls remedy problems that have occurred by: • Identifying the cause; • Correcting the resulting errors; and • Modifying the system to prevent future problems of this sort.
OVERVIEW OF CONTROL CONCEPTS • An effective system of internal controls should exist in all organizations to: • Help them achieve their missions and goals. • Minimize surprises.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement. • The primary purpose of the act was to prevent the bribery of foreign officials to obtain business. • A significant effect was to require that corporations maintain good systems of internal accounting control. • Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems. • The resulting internal control improvements weren’t sufficient.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines. • The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX). • Applies to publicly held companies and their auditors.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • The intent of SOX is to: • Prevent financial statement fraud • Make financial reports more transparent • Protect investors • Strengthen internal controls in publicly-held companies • Punish executives who perpetrate fraud • SOX has had a material impact on the way boards of directors, management, and accountants operate.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: • Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. • New rules for auditors • New rules for audit committees • New rules for management • New internal control requirements • SOX also requires that the auditor attests to and reports on management’s internal control assessment. • Each audit report must describe the scope of the auditor’s internal control tests.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • After the passage of SOX, the SEC further mandated that: • Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter. • The report must contain a statement identifying the framework used. • Management must disclose any and all material internal control weaknesses. • Management cannot conclude that the company has effective internal control if there are any material weaknesses.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Levers of Control • Many people feel there is a basic conflict between creativity and controls. • Robert Simons has espoused four levers of controls to help companies reconcile this conflict: • A concise belief system • A boundary system • A diagnostic control system • An interactive control system
CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: • The COBIT framework (Control Objectives for Information and Related Technology, published by ISACA), which focuses on the governance and control of IT • The COSO internal control framework • COSO’s Enterprise Risk Management framework (ERM)
CONTROL FRAMEWORKS • COSO’s internal control framework • The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of: • The American Accounting Association • The AICPA • The Institute of Internal Auditors • The Institute of Management Accountants • The Financial Executives Institute
CONTROL FRAMEWORKS • In 1992, COSO issued the Internal Control Integrated Framework: • Defines internal controls. • Provides guidance for evaluating and enhancing internal control systems. • Widely accepted as the authority on internal controls. • Incorporated into policies, rules, and regulations used to control business activities.
CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: • Control environment • Control activities • Risk assessment • Information and communication • Monitoring • The entire process must be monitored and modified as necessary.
CONTROL FRAMEWORKS • Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. • Result: the Enterprise Risk Management Integrated Framework (ERM) • An enhanced corporate governance document. • Expands on elements of the preceding framework. • Provides a focus on the broader subject of enterprise risk management.
CONTROL FRAMEWORKS • Basic principles behind ERM: • Companies are formed to create value for owners. • Management must decide how much uncertainty they will accept. • Uncertainty can result in: • Risk • Opportunity
CONTROL FRAMEWORKS • These issues led to COSO’s development of the ERM framework. • Takes a risk-based, rather than controls-based, approach to the organization. • Oriented toward future and constant change. • Incorporates rather than replaces COSO’s internal control framework and contains three additional elements: • Setting objectives. • Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives. • Developing a response to assessed risk.
CONTROL FRAMEWORKS • In the ERM framework diagram (the COSO cube), the columns at the top represent the four types of objectives that management must meet to achieve company goals: • Strategic objectives • Operations objectives • Reporting objectives • Compliance objectives
CONTROL FRAMEWORKS • The columns on the right side of the cube represent the company’s units, at which each objective and component applies: • Entire company • Division • Business unit • Subsidiary
INTERNAL ENVIRONMENT • The most critical component of the ERM and the internal control framework. • Is the foundation on which the other seven components rest. • Influences how organizations: • Establish strategies and objectives • Structure business activities • Identify, assess, and respond to risk • A deficient internal control environment often results in risk management and control breakdowns.
INTERNAL ENVIRONMENT • Internal environment consists of the following: • Management’s philosophy, operating style, and risk appetite • The board of directors • Commitment to integrity, ethical values, and competence • Organizational structure • Methods of assigning authority and responsibility • Human resource standards • External influences
OBJECTIVE SETTING • Objective setting is the second ERM component. • It must precede many of the other six components. • For example, you must set objectives before you can define events that affect your ability to achieve objectives
OBJECTIVE SETTING • Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units. • For each set of objectives: • Critical success factors (what has to go right) must be defined. • Performance measures should be established to determine whether the objectives are met.
OBJECTIVE SETTING • Objective-setting process proceeds as follows: • First, set strategic objectives, the high-level goals that support the company’s mission and create value for shareholders. • To meet these objectives, identify alternative ways of accomplishing them. • For each alternative, identify and assess risks and implications. • Formulate a corporate strategy. • Then set operations, compliance, and reporting objectives.
EVENT IDENTIFICATION • Events are: • Incidents or occurrences that emanate from internal or external sources. • That affect implementation of strategy or achievement of objectives. • Impact can be positive, negative, or both. • Events can range from obvious to obscure. • Effects can range from inconsequential to highly significant.
EVENT IDENTIFICATION • Management must do its best to anticipate all possible events—positive or negative—that might affect the company: • Try to determine which are most and least likely. • Understand the interrelationships of events. • COSO identified many internal and external factors that could influence events and affect a company’s ability to implement strategy and achieve objectives.
EVENT IDENTIFICATION • Some of these factors include: • External factors: • Economic factors • Natural environment • Political factors • Social factors • Technological factors, for example: • New e-business technologies that lower infrastructure costs or increase demand for IT-based services • Emerging technology • Increased or decreased availability of data • Interruptions or down time caused by external parties
EVENT IDENTIFICATION • Some of these factors include: • Internal factors: • Infrastructure • Personnel • Process • Technology, for example: • Insufficient capacity to handle peak IT usage • Security breaches • Data or system unavailability from internal factors • Inadequate data integrity • Poor systems selection/development • Inadequately maintained systems
EVENT IDENTIFICATION • Companies usually use two or more of the following techniques together to identify events: • Use comprehensive lists of potential events • Perform an internal analysis • Monitor leading events and trigger points • Conduct workshops and interviews • Perform data mining and analysis • Analyze processes
RISK ASSESSMENT AND RISK RESPONSE • The fourth and fifth components of COSO’s ERM model are risk assessment and risk response. • COSO indicates there are two types of risk: • Inherent risk • Residual risk
RISK ASSESSMENT AND RISK RESPONSE • Companies should: • Assess inherent risk • Develop a response • Then assess residual risk • The ERM model indicates four ways to respond to risk: • Reduce it • Accept it • Share it • Avoid it
RISK ASSESSMENT AND RISK RESPONSE • The risk assessment and response process, as shown in the chapter’s flowchart: • Identify the events or threats that confront the company • Estimate the likelihood or probability of each event occurring • Estimate the impact of potential loss from each threat • Identify a set of controls to guard against the threat • Estimate the costs and benefits of instituting the controls • Is it cost-beneficial to protect the system? If yes, reduce the risk by implementing the set of controls to guard against the threat; if no, avoid, share, or accept the risk • The benefits of an internal control procedure must exceed its costs. • Benefits can be hard to quantify, but include: • Increased sales and productivity • Reduced losses • Better integration with customers and suppliers • Increased customer loyalty • Competitive advantages • Lower insurance premiums
RISK ASSESSMENT AND RISK RESPONSE • Costs are usually easier to measure than benefits. • The primary cost is personnel, including: • Time to perform control procedures • Costs of hiring additional employees to effectively segregate duties • Costs of programming controls into a system
RISK ASSESSMENT AND RISK RESPONSE • Other costs of a poor control system include: • Lost sales • Lower productivity • Drop in stock price if security problems arise • Shareholder or regulator lawsuits • Fines and penalties imposed by governmental agencies
RISK ASSESSMENT AND RISK RESPONSE • The expected loss related to a risk is measured as: • Expected loss = impact x likelihood • The value of a control procedure is the difference between: • Expected loss without the control procedure • Expected loss with it • Both impact and likelihood are estimates; a small change in the assumed likelihood can change the decision, so the estimates and their sources should be documented and revisited as conditions change.
RISK ASSESSMENT AND RISK RESPONSE • Let’s go through an example: • Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft. • A catastrophic theft could result in losses of $800,000. • Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%. • Companies with motion detectors only have about a .5% probability of catastrophic theft. • The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000. • Should Hobby Hole install the motion detectors? • Expected Loss without control procedure = $800,000 x .12 = $96,000. • Expected loss with control procedure = $800,000 x .005 = $4,000. • Estimated value of control procedure = $96,000 - $4,000 = $92,000. • Estimated cost of control procedure = $43,000 (given). • Benefits exceed costs by $92,000 - $43,000 = $49,000. • In this case, Hobby Hole should probably install the motion detectors.
RISK ASSESSMENT AND RISK RESPONSE • Risks that are not reduced must be accepted, shared, or avoided. • If the risk is within the company’s risk tolerance, they will typically accept the risk. • A reduce or share response is used to bring residual risk into an acceptable risk tolerance range. • An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
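The Hobby Hole calculation is a single pass through the flowchart above. The Python below is an added example, not part of the chapter: it generalizes the same arithmetic so that each threat carries its impact, its likelihood and any number of candidate controls, and the decision routine picks the control with the largest net benefit, or falls back to accept, share or avoid when no control pays for itself. The motion-detector figures are the chapter’s; the second control option (a night guard), the two extra threats and the $10,000 risk tolerance are constructed for illustration and are assumptions, not figures from the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    """A candidate control procedure for one threat."""
    name: str
    cost: float  # present value of acquiring and operating the control
    likelihood_with: float  # probability of the event once the control is in place
    impact_with: Optional[float] = None  # impact once in place; None = unchanged


@dataclass(frozen=True)
class Threat:
    """An event or threat confronting the company."""
    name: str
    impact: float  # potential dollar loss if the event occurs
    likelihood: float  # probability that the event occurs
    controls: tuple = ()  # candidate Control objects


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood (the chapter's formula)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be a probability, got {likelihood}")
    if impact < 0:
        raise ValueError(f"impact must be non-negative, got {impact}")
    return impact * likelihood


def control_value(threat: Threat, control: Control) -> float:
    """Value of a control = expected loss without it minus expected loss with it."""
    impact_with = threat.impact if control.impact_with is None else control.impact_with
    return expected_loss(threat.impact, threat.likelihood) - expected_loss(
        impact_with, control.likelihood_with
    )


def net_benefit(threat: Threat, control: Control) -> float:
    """Benefit of the control minus its cost; positive means cost-beneficial."""
    return control_value(threat, control) - control.cost


def choose_response(threat: Threat, risk_tolerance: float) -> dict:
    """Walk the chapter's flowchart for one threat.

    Reduce with the most cost-beneficial control if one exists; otherwise accept
    the risk when its expected loss is within the (assumed) dollar risk tolerance,
    and flag it for sharing (e.g. insurance) or avoidance when it is not.
    """
    inherent = expected_loss(threat.impact, threat.likelihood)
    ranked = sorted(threat.controls, key=lambda c: net_benefit(threat, c), reverse=True)
    best = ranked[0] if ranked and net_benefit(threat, ranked[0]) > 0 else None
    if best is not None:
        response = "reduce"
        residual = inherent - control_value(threat, best)
        net = net_benefit(threat, best)
    else:
        response = "accept" if inherent <= risk_tolerance else "share_or_avoid"
        residual, net = inherent, 0.0
    return {
        "threat": threat.name,
        "response": response,
        "control": best.name if best else None,
        "inherent_loss": inherent,
        "residual_loss": residual,
        "net_benefit": net,
    }


# The chapter's Hobby Hole figures, plus a constructed second option (a night guard)
# that lowers the likelihood further but costs more than it saves.
HOBBY_HOLE_THEFT = Threat(
    "catastrophic warehouse theft",
    impact=800_000,
    likelihood=0.12,
    controls=(
        Control("motion detectors", cost=43_000, likelihood_with=0.005),
        Control("night guard (constructed)", cost=150_000, likelihood_with=0.002),
    ),
)

# Two constructed threats that exercise the other branches of the flowchart.
DATA_ENTRY_ERROR = Threat(
    "data-entry error (constructed)",
    impact=5_000,
    likelihood=0.30,
    controls=(Control("double entry (constructed)", cost=2_000, likelihood_with=0.05),),
)
UNINSURED_FLOOD = Threat("warehouse flood (constructed)", impact=2_000_000, likelihood=0.05)

RISK_TOLERANCE = 10_000  # assumed: the expected loss the company will simply accept


def run_example() -> list:
    """Decide a response for each constructed threat, in order."""
    threats = (HOBBY_HOLE_THEFT, DATA_ENTRY_ERROR, UNINSURED_FLOOD)
    return [choose_response(t, RISK_TOLERANCE) for t in threats]
```

Calling `run_example()` returns "reduce" with the motion detectors for the theft (net benefit $49,000, residual expected loss $4,000), "accept" for the data-entry error (its double-entry control costs more than the $1,250 it saves, and the $1,500 expected loss is within tolerance) and "share_or_avoid" for the flood, which has no candidate control and a $100,000 expected loss. The night guard illustrates the point the flowchart makes: the control with the lowest residual risk is not the right choice when its cost exceeds the loss it prevents.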
CONTROL ACTIVITIES • The sixth component of COSO’s ERM model. • Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.
CONTROL ACTIVITIES • It is management’s responsibility to develop a secure and adequately controlled system. • Controls are much more effective when built in on the front end. • Consequently, systems analysts, designers, and end users should be involved in designing adequate computer-based control systems. • Management must also establish a set of procedures to ensure control compliance and enforcement. • Usually, the purview of the information security officer and the operations staff.
CONTROL ACTIVITIES • Generally, control procedures fall into one of the following categories: • Proper authorization of transactions and activities • Segregation of duties • Project development and acquisition controls • Change management controls • Design and use of documents and records • Safeguard assets, records, and data • Independent checks on performance
INFORMATION AND COMMUNICATION • The seventh component of COSO’s ERM model. • The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization. • So accountants must understand how: • Transactions are initiated • Data are captured in or converted to machine-readable form • Computer files are accessed and updated • Data are processed • Information is reported to internal and external parties
INFORMATION AND COMMUNICATION • According to the AICPA, an AIS has five primary objectives: • Identify and record all valid transactions. • Properly classify transactions. • Record transactions at their proper monetary value. • Record transactions in the proper accounting period. • Properly present transactions and related disclosures in the financial statements.
MONITORING • Key methods of monitoring performance include: • Perform ERM evaluation • Implement effective supervision • Use responsibility accounting • Monitor system activities • Track purchased software • Conduct periodic audits • Employ a computer security officer, a Chief Compliance Officer, and computer consultants • Engage forensic specialists • Install fraud detection software • Implement a fraud hotline
SUMMARY • In this chapter, you’ve learned about basic internal control concepts and why computer control and security are so important. • You’ve learned about the similarities and differences between the COBIT, COSO, and ERM control frameworks. • You’ve learned about the major elements in the internal control environment of a company and the four types of control objectives that companies need to set. • You’ve also learned about events that affect uncertainty and how these events can be identified. • You’ve explored how the Enterprise Risk Management model is used to assess and respond to risk, as well as the control activities that are commonly used in companies. • Finally, you’ve learned how organizations communicate information and monitor control processes.